MariaDB Server / MDEV-37719

use-after-free on logged CREATE OR REPLACE TEMPORARY TABLE LIKE not-logged-table


Details

    • Not for Release Notes
    • Q4/2025 Server Maintenance

    Description

      --source include/have_binlog_format_statement.inc
      set binlog_format='MIXED';
      create temporary table t1 (x int);
      create temporary table t2 (y int);
      set create_tmp_table_binlog_formats='MIXED';
      create or replace temporary table t2 like t1;
      drop table t1, t2;
      

      Also when using global temporary tables (on the feature or preview branch):

      --source include/have_binlog_format_statement.inc
      CREATE GLOBAL TEMPORARY TABLE t1 (c INT);
      CREATE TEMPORARY TABLE t2 (d INT);
      CREATE OR REPLACE TEMPORARY TABLE t2 LIKE t1;
      DROP TABLE t1, t2;  # Cleanup
      

      Sporadically (1 in 2) leads to:

      MDEV-35915-6 CS 12.2.0 ed3c63488a1613377d92ee3ade3fe6870e39b4db (Optimized, Clang 21.1.0-20250811) Build 24/09/2025

      Core was generated by `/test/MDEV-35915_6_MD240925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd --defa'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x000059a3451d6486 in mysql_create_like_table (thd=thd@entry=0x7fdcc4000c68, table=0x7fdcc40133b0, src_table=src_table@entry=0x7fdcc4013b28, create_info=create_info@entry=0x7fdd02853ba0)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_table.cc:6116
      6116	          if (table->table->file->extra(HA_EXTRA_ADD_CHILDREN_LIST))
      [Current thread is 1 (LWP 1301242)]
      (gdb) bt
      #0  0x000059a3451d6486 in mysql_create_like_table (thd=thd@entry=0x7fdcc4000c68, table=0x7fdcc40133b0, src_table=src_table@entry=0x7fdcc4013b28, create_info=create_info@entry=0x7fdd02853ba0)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_table.cc:6116
      #1  0x000059a3451d5461 in Sql_cmd_create_table_like::execute (this=<optimized out>, thd=0x7fdcc4000c68)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_table.cc:13980
      #2  0x000059a3450fab1c in mysql_execute_command (thd=thd@entry=0x7fdcc4000c68, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:5861
      #3  0x000059a3450f5dc4 in mysql_parse (thd=thd@entry=0x7fdcc4000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7fdd02854420)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:7894
      #4  0x000059a3450f456d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7fdcc4000c68, packet=packet@entry=0x7fdcc4008a99 "CREATE OR REPLACE TEMPORARY TABLE t2 LIKE t1", packet_length=packet_length@entry=44, blocking=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:1882
      #5  0x000059a3450f6241 in do_command (thd=thd@entry=0x7fdcc4000c68, blocking=true) at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:1421
      #6  0x000059a34524c30d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x59a3480686d8, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1414
      #7  0x000059a34524c0cf in handle_one_connection (arg=arg@entry=0x59a3480686d8)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1326
      #8  0x000059a345410bb9 in pfs_spawn_thread (arg=0x59a34800b7f8)at /test/bb-12.2-nikita-global-tmp_opt/storage/perfschema/pfs.cc:2198
      #9  0x00007fdd08c9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #10 0x00007fdd08d29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      MDEV-35915-6 CS 12.2.0 ed3c63488a1613377d92ee3ade3fe6870e39b4db (Debug, Clang 21.1.0-20250811) Build 24/09/2025

      Core was generated by `/test/MDEV-35915_6_MD240925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd --defa'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x000061f40a5bd289 in mysql_create_like_table (thd=0x746da0000d58, table=0x746da0016cd0, src_table=0x746da0017448, create_info=0x746ddc54cfa8)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_table.cc:6116
      6116	          if (table->table->file->extra(HA_EXTRA_ADD_CHILDREN_LIST))
      [Current thread is 1 (LWP 1301196)]
      (gdb) bt
      #0  0x000061f40a5bd289 in mysql_create_like_table (thd=0x746da0000d58, table=0x746da0016cd0, src_table=0x746da0017448, create_info=0x746ddc54cfa8)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_table.cc:6116
      #1  0x000061f40a5bbf84 in Sql_cmd_create_table_like::execute (this=0x746da0016c58, thd=0x746da0000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_table.cc:13980
      #2  0x000061f40a488dc5 in mysql_execute_command (thd=0x746da0000d58, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:5861
      #3  0x000061f40a47a088 in mysql_parse (thd=0x746da0000d58, rawbuf=0x746da0016ba0 "CREATE OR REPLACE TEMPORARY TABLE t2 LIKE t1", length=44, parser_state=0x746ddc54ea10)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:7894
      #4  0x000061f40a477869 in dispatch_command (command=COM_QUERY, thd=0x746da0000d58, packet=0x746da01c9879 "CREATE OR REPLACE TEMPORARY TABLE t2 LIKE t1", packet_length=44, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1882
      #5  0x000061f40a47ab0a in do_command (thd=0x746da0000d58, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1421
      #6  0x000061f40a66d3ee in do_handle_one_connection (connect=0x61f40d3d75b8, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1414
      #7  0x000061f40a66d1d1 in handle_one_connection (arg=0x61f40d5ba988)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1326
      #8  0x0000746ddd69ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #9  0x0000746ddd729c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      MDEV-35915-6 CS 12.2.0 ed3c63488a1613377d92ee3ade3fe6870e39b4db (Optimized, UBASAN, Clang 21.1.0-20250811) Build 24/09/2025

      ==1455819==ERROR: AddressSanitizer: heap-use-after-free on address 0x7b9066a68da0 at pc 0x637d887638de bp 0x7a0043d003d0 sp 0x7a0043d003c8
      READ of size 8 at 0x7b9066a68da0 thread T6
          #0 0x637d887638dd in mysql_create_like_table(THD*, TABLE_LIST*, TABLE_LIST*, Table_specification_st*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:6116:29
          #1 0x637d8875c658 in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:13980:12
          #2 0x637d881fea9f in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5861:26
          #3 0x637d881e21a5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7894:18
          #4 0x637d881da368 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
          #5 0x637d881e40e0 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
          #6 0x637d88a0ed2c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
          #7 0x637d88a0e846 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
          #8 0x637d871c338a in asan_thread_start(void*) crtstuff.c
          #9 0x7e0067c9ca93 in start_thread nptl/pthread_create.c:447:8
          #10 0x7e0067d29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      0x7b9066a68da0 is located 32 bytes inside of 1064-byte region [0x7b9066a68d80,0x7b9066a691a8)
      freed by thread T6 here:
          #0 0x637d871c586a in free (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fcd86a) (BuildId: 4bfbf791ce5d52e12fa19b8ce4aeef87e4172058)
          #1 0x637d88e7a76c in THD::close_temporary_table(TABLE*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1449:3
          #2 0x637d88e7a76c in THD::free_temporary_table(TABLE*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1804:3
          #3 0x637d88e7a76c in THD::drop_tmp_table_share(TABLE*, TMP_TABLE_SHARE*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:811:5
          #4 0x637d886e77f6 in create_table_impl(THD*, st_ddl_log_state*, st_ddl_log_state*, Lex_ident_db const&, Lex_ident_table const&, Lex_ident_db const&, Lex_ident_table const&, st_mysql_const_lex_string const&, DDL_options_st, HA_CREATE_INFO*, Alter_info*, int, bool*, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:4800:18
          #5 0x637d886e5aba in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:5117:8
          #6 0x637d887608fd in mysql_create_like_table(THD*, TABLE_LIST*, TABLE_LIST*, Table_specification_st*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:5945:10
          #7 0x637d8875c658 in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:13980:12
          #8 0x637d881fea9f in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5861:26
          #9 0x637d881e21a5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7894:18
          #10 0x637d881da368 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
          #11 0x637d881e40e0 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
          #12 0x637d88a0ed2c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
          #13 0x637d88a0e846 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
          #14 0x637d871c338a in asan_thread_start(void*) crtstuff.c
       
      previously allocated by thread T6 here:
          #0 0x637d871c5b08 in malloc (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fcdb08) (BuildId: 4bfbf791ce5d52e12fa19b8ce4aeef87e4172058)
          #1 0x637d8a174ce5 in my_malloc /test/bb-12.2-nikita-global-tmp_opt_san/mysys/my_malloc.c:93:29
          #2 0x637d88e718e4 in THD::open_temporary_table(TMP_TABLE_SHARE*, Lex_ident_table const&) /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1313:26
          #3 0x637d88e7099f in THD::create_and_open_tmp_table(st_mysql_const_unsigned_lex_string*, char const*, Lex_ident_db const&, Lex_ident_table const&, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:139:12
          #4 0x637d886e8b8b in create_table_impl(THD*, st_ddl_log_state*, st_ddl_log_state*, Lex_ident_db const&, Lex_ident_table const&, Lex_ident_db const&, Lex_ident_table const&, st_mysql_const_lex_string const&, DDL_options_st, HA_CREATE_INFO*, Alter_info*, int, bool*, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:5029:24
          #5 0x637d886e5aba in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:5117:8
          #6 0x637d88764794 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:5363:7
          #7 0x637d8875d1ff in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:14026:12
          #8 0x637d881fea9f in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5861:26
          #9 0x637d881e21a5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7894:18
          #10 0x637d881da368 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
          #11 0x637d881e40e0 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
          #12 0x637d88a0ed2c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
          #13 0x637d88a0e846 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
          #14 0x637d871c338a in asan_thread_start(void*) crtstuff.c
       
      Thread T6 created by T0 here:
          #0 0x637d871a9a85 in pthread_create (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fb1a85) (BuildId: 4bfbf791ce5d52e12fa19b8ce4aeef87e4172058)
          #1 0x637d8721c0b9 in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6272:19
          #2 0x637d8721d3fa in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6508:9
          #3 0x637d8721b800 in run_main_loop() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:5750:3
          #4 0x637d8721233e in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6173:3
          #5 0x7e0067c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
          #6 0x7e0067c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
          #7 0x637d87120394 in _start (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2f28394) (BuildId: 4bfbf791ce5d52e12fa19b8ce4aeef87e4172058)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:6116:29 in mysql_create_like_table(THD*, TABLE_LIST*, TABLE_LIST*, Table_specification_st*)
      ==1455819==ABORTING
      

      MDEV-35915-6 CS 12.2.0 ed3c63488a1613377d92ee3ade3fe6870e39b4db (Debug, UBASAN, Clang 21.1.0-20250811) Build 24/09/2025

      ==1812299==ERROR: AddressSanitizer: heap-use-after-free on address 0x7b99eda692a0 at pc 0x562a343e857a bp 0x7a09cad00210 sp 0x7a09cad00208
      READ of size 8 at 0x7b99eda692a0 thread T6
          #0 0x562a343e8579 in mysql_create_like_table(THD*, TABLE_LIST*, TABLE_LIST*, Table_specification_st*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:6116:29
          #1 0x562a343e06c1 in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:13980:12
          #2 0x562a33eaa2e7 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5861:26
          #3 0x562a33e8d438 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7894:18
          #4 0x562a33e86bfc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
          #5 0x562a33e8f86a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
          #6 0x562a34694a0c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
          #7 0x562a34694515 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
          #8 0x562a32e4d69a in asan_thread_start(void*) crtstuff.c
          #9 0x7e09eea9ca93 in start_thread nptl/pthread_create.c:447:8
          #10 0x7e09eeb29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      0x7b99eda692a0 is located 32 bytes inside of 1064-byte region [0x7b99eda69280,0x7b99eda696a8)
      freed by thread T6 here:
          #0 0x562a32e4fb7a in free (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3b98b7a) (BuildId: 3477130517231f52562047c940098bd8db8a39e1)
          #1 0x562a34b163b0 in THD::close_temporary_table(TABLE*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:1449:3
          #2 0x562a34b13b68 in THD::free_temporary_table(TABLE*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:1804:3
          #3 0x562a34b13b68 in THD::drop_tmp_table_share(TABLE*, TMP_TABLE_SHARE*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:811:5
          #4 0x562a34372e52 in create_table_impl(THD*, st_ddl_log_state*, st_ddl_log_state*, Lex_ident_db const&, Lex_ident_table const&, Lex_ident_db const&, Lex_ident_table const&, st_mysql_const_lex_string const&, DDL_options_st, HA_CREATE_INFO*, Alter_info*, int, bool*, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:4800:18
          #5 0x562a34370b21 in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:5117:8
          #6 0x562a343e478d in mysql_create_like_table(THD*, TABLE_LIST*, TABLE_LIST*, Table_specification_st*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:5945:10
          #7 0x562a343e06c1 in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:13980:12
          #8 0x562a33eaa2e7 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5861:26
          #9 0x562a33e8d438 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7894:18
          #10 0x562a33e86bfc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
          #11 0x562a33e8f86a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
          #12 0x562a34694a0c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
          #13 0x562a34694515 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
          #14 0x562a32e4d69a in asan_thread_start(void*) crtstuff.c
       
      previously allocated by thread T6 here:
          #0 0x562a32e4fe18 in malloc (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3b98e18) (BuildId: 3477130517231f52562047c940098bd8db8a39e1)
          #1 0x562a3600f9b1 in my_malloc /test/bb-12.2-nikita-global-tmp_dbg_san/mysys/my_malloc.c:93:29
          #2 0x562a34b0a734 in THD::open_temporary_table(TMP_TABLE_SHARE*, Lex_ident_table const&) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:1313:26
          #3 0x562a34b0975f in THD::create_and_open_tmp_table(st_mysql_const_unsigned_lex_string*, char const*, Lex_ident_db const&, Lex_ident_table const&, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:139:12
          #4 0x562a3437409a in create_table_impl(THD*, st_ddl_log_state*, st_ddl_log_state*, Lex_ident_db const&, Lex_ident_table const&, Lex_ident_db const&, Lex_ident_table const&, st_mysql_const_lex_string const&, DDL_options_st, HA_CREATE_INFO*, Alter_info*, int, bool*, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:5029:24
          #5 0x562a34370b21 in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:5117:8
          #6 0x562a343e9227 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:5363:7
          #7 0x562a343e1067 in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:14026:12
          #8 0x562a33eaa2e7 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5861:26
          #9 0x562a33e8d438 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7894:18
          #10 0x562a33e86bfc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
          #11 0x562a33e8f86a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
          #12 0x562a34694a0c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
          #13 0x562a34694515 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
          #14 0x562a32e4d69a in asan_thread_start(void*) crtstuff.c
       
      Thread T6 created by T0 here:
          #0 0x562a32e33d95 in pthread_create (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3b7cd95) (BuildId: 3477130517231f52562047c940098bd8db8a39e1)
          #1 0x562a32ea76ec in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6272:19
          #2 0x562a32ea8775 in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6508:9
          #3 0x562a32ea6cfa in run_main_loop() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:5750:3
          #4 0x562a32e9c6ae in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6173:3
          #5 0x7e09eea2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
          #6 0x7e09eea2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
          #7 0x562a32daa6a4 in _start (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3af36a4) (BuildId: 3477130517231f52562047c940098bd8db8a39e1)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:6116:29 in mysql_create_like_table(THD*, TABLE_LIST*, TABLE_LIST*, Table_specification_st*)
      ==1812299==ABORTING
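
The three stacks in each AddressSanitizer report above can be compared mechanically to find where the free and the later read meet. The following is an added triage example, not part of the original report or of MariaDB's code; the sample input is abbreviated from the optimized UBASAN report (addresses zeroed, build paths shortened, argument lists and outer frames dropped), and the function names `parse_stacks` and `triage` are hypothetical.

```python
import re

# Abbreviated from the optimized UBASAN report above: addresses zeroed, build
# paths shortened, argument lists and outer frames dropped. Not verbatim output.
SAMPLE_REPORT = """\
==1455819==ERROR: AddressSanitizer: heap-use-after-free on address 0x0 at pc 0x0
READ of size 8 at 0x0 thread T6
    #0 0x0 in mysql_create_like_table(THD*, TABLE_LIST*) sql/sql_table.cc:6116:29
    #1 0x0 in Sql_cmd_create_table_like::execute(THD*) sql/sql_table.cc:13980:12
    #2 0x0 in mysql_execute_command(THD*, bool) sql/sql_parse.cc:5861:26

0x0 is located 32 bytes inside of 1064-byte region [0x0,0x0)
freed by thread T6 here:
    #0 0x0 in free (/bin/mariadbd+0x0) (BuildId: 0)
    #1 0x0 in THD::close_temporary_table(TABLE*) sql/temporary_tables.cc:1449:3
    #2 0x0 in THD::free_temporary_table(TABLE*) sql/temporary_tables.cc:1804:3
    #3 0x0 in THD::drop_tmp_table_share(TABLE*, bool) sql/temporary_tables.cc:811:5
    #4 0x0 in create_table_impl(THD*) sql/sql_table.cc:4800:18
    #5 0x0 in mysql_create_table_no_lock(THD*) sql/sql_table.cc:5117:8
    #6 0x0 in mysql_create_like_table(THD*, TABLE_LIST*) sql/sql_table.cc:5945:10
    #7 0x0 in Sql_cmd_create_table_like::execute(THD*) sql/sql_table.cc:13980:12
    #8 0x0 in mysql_execute_command(THD*, bool) sql/sql_parse.cc:5861:26

previously allocated by thread T6 here:
    #0 0x0 in malloc (/bin/mariadbd+0x0) (BuildId: 0)
    #1 0x0 in my_malloc mysys/my_malloc.c:93:29
    #2 0x0 in THD::open_temporary_table(TMP_TABLE_SHARE*) sql/temporary_tables.cc:1313:26
    #3 0x0 in THD::create_and_open_tmp_table(char const*) sql/temporary_tables.cc:139:12
    #4 0x0 in create_table_impl(THD*) sql/sql_table.cc:5029:24
    #5 0x0 in mysql_create_table_no_lock(THD*) sql/sql_table.cc:5117:8
    #6 0x0 in mysql_create_table(THD*, TABLE_LIST*) sql/sql_table.cc:5363:7
    #7 0x0 in Sql_cmd_create_table_like::execute(THD*) sql/sql_table.cc:14026:12
    #8 0x0 in mysql_execute_command(THD*, bool) sql/sql_parse.cc:5861:26
"""

HEADERS = [(re.compile(r"^(READ|WRITE) of size \d+"), "use"),
           (re.compile(r"^freed by thread"), "free"),
           (re.compile(r"^previously allocated by thread"), "alloc")]
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+)$")
SOURCE = re.compile(r"^(.*\S)\s+(\S+?):(\d+)(?::\d+)?$")  # "func(args) file:line[:col]"

def parse_stacks(report):
    """Return {'use'|'free'|'alloc': [(function, file, line), ...]}, innermost first."""
    stacks, current = {}, None
    for line in report.splitlines():
        frame = FRAME.match(line)
        if frame and current:
            rest = frame.group(1)
            src = SOURCE.match(rest)
            name, path, lineno = ((src.group(1), src.group(2), int(src.group(3)))
                                  if src else (rest, None, None))
            stacks[current].append((name.split("(")[0].strip(), path, lineno))
            continue
        current = None  # any non-frame line closes the stack being read
        for pattern, kind in HEADERS:
            if pattern.match(line.strip()):
                current = kind
                stacks[kind] = []
    return stacks

def triage(stacks):
    """Find the innermost function present in both the use stack and the free stack."""
    use, free, alloc = stacks["use"], stacks["free"], stacks.get("alloc", [])
    free_funcs = [f[0] for f in free]
    for i, (func, _, use_line) in enumerate(use):
        if func in free_funcs:
            j = free_funcs.index(func)
            break
    else:
        return None
    # Identical callers above the shared frame are consistent with one invocation.
    depth = min(len(use) - i, len(free) - j) - 1
    callers_match = use[i + 1:i + 1 + depth] == free[j + 1:j + 1 + depth]
    release = next((f for f in free if f[1]), None)  # skip the free() interceptor
    return {"shared_function": func, "use_line": use_line,
            "free_call_line": free[j][2],
            "released_in": release[0] if release else None,
            "callers_match": callers_match,
            "allocated_outside": func not in [f[0] for f in alloc]}
```

On the sample, the result names `mysql_create_like_table` as the frame that both reaches the free (call at line 5945) and performs the read (line 6116), while the allocation stack does not pass through that function at all.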
      


            People

              monty Michael Widenius
              Roel Roel Van de Paar