Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-37720

SIGSEGV in MDL_lock::reschedule_waiters, Assertion `mdl_ticket->m_duration == MDL_TRANSACTION && duration != MDL_TRANSACTION' failed and ASAN heap-use-after-free in I_P_List and MDL_context::set_lock_duration

    XMLWordPrintable

Details

    • Not for Release Notes
    • Q4/2025 Server Maintenance

    Description

      --source include/have_innodb.inc
      		 
      CREATE GLOBAL TEMPORARY TABLE t (c INT) ENGINE=InnoDB;
      		 
      XA START 'a';
      		 
      SET GLOBAL innodb_force_primary_key=1;
      		 
      SELECT * FROM t;
      		 
      SET pseudo_slave_mode=1;
      		 
      XA END 'a';
      		 
      XA PREPARE 'a';
      		 
      LOCK TABLE t WRITE;
      		 
      CREATE OR REPLACE GLOBAL TEMPORARY TABLE t (c TEXT) ENGINE=InnoDB;
      		 
      DROP TABLE t;  # Cleanup

      Leads to:

      MDEV-35915-6 CS 12.2.0 ed3c63488a1613377d92ee3ade3fe6870e39b4db (Optimized, Clang 21.1.0-20250811) Build 24/09/2025

      		 
      Core was generated by `/test/MDEV-35915_6_MD240925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd --defa'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  0x00005f5b05a10c6b in MDL_lock::reschedule_waiters (this=this@entry=0x7f8890248eb8)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:1981
      		 
      1981	  bitmap_t hog_lock_types= m_strategy->hog_lock_types_bitmap();
      		 
      [Current thread is 1 (LWP 2661939)]
      		 
      (gdb) bt
      		 
      #0  0x00005f5b05a10c6b in MDL_lock::reschedule_waiters (this=this@entry=0x7f8890248eb8)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:1981
      		 
      #1  0x00005f5b05a11298 in MDL_lock::remove_ticket (this=this@entry=0x7f8890248eb8, pins=pins@entry=0x5f5b07465020, list=list@entry=&MDL_lock::m_granted, ticket=ticket@entry=0x7f889025b9d0)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:2524
      		 
      #2  0x00005f5b05a12de7 in MDL_lock::release (this=0x7f8890248eb8, pins=0x5f5b07465020, ticket=0x7f889025b9d0)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:1420
      		 
      #3  MDL_context::release_lock (this=<optimized out>, duration=<optimized out>, ticket=0x7f889025b9d0)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:3495
      		 
      #4  0x00005f5b05af4e81 in THD::free_tmp_table_share (this=this@entry=0x7f8890000c68, share=0x7f889023af58, delete_table=<optimized out>)at /test/bb-12.2-nikita-global-tmp_opt/sql/temporary_tables.cc:1776
      		 
      #5  0x00005f5b05af6940 in THD::close_temporary_tables (this=0x7f8890000c68)at /test/bb-12.2-nikita-global-tmp_opt/sql/temporary_tables.cc:682
      		 
      #6  0x00005f5b057f7f9f in THD::cleanup (this=0x7f8890000c68)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_class.cc:1692
      		 
      #7  0x00005f5b055bb48e in unlink_thd (thd=0x0, thd@entry=0x7f8890000c68)at /test/bb-12.2-nikita-global-tmp_opt/sql/mysqld.cc:2868
      		 
      #8  0x00005f5b05a0738d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5f5b078dced8, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1425
      		 
      #9  0x00005f5b05a070cf in handle_one_connection (arg=arg@entry=0x5f5b078dced8)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1326
      		 
      #10 0x00005f5b05bcbbb9 in pfs_spawn_thread (arg=0x5f5b0787bf28)at /test/bb-12.2-nikita-global-tmp_opt/storage/perfschema/pfs.cc:2198
      		 
      #11 0x00007f897109ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      		 
      #12 0x00007f8971129c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

      MDEV-35915-6 CS 12.2.0 ed3c63488a1613377d92ee3ade3fe6870e39b4db (Debug, Clang 21.1.0-20250811) Build 24/09/2025

      		 
      mariadbd: /test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc:3781: void MDL_context::set_lock_duration(MDL_ticket *, enum_mdl_duration): Assertion `mdl_ticket->m_duration == MDL_TRANSACTION && duration != MDL_TRANSACTION' failed.

      MDEV-35915-6 CS 12.2.0 ed3c63488a1613377d92ee3ade3fe6870e39b4db (Debug, Clang 21.1.0-20250811) Build 24/09/2025

      		 
      Core was generated by `/test/MDEV-35915_6_MD240925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd --defa'.
      		 
      Program terminated with signal SIGABRT, Aborted.
      		 
      #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
      		 
       
      		 
      [Current thread is 1 (LWP 2661237)]
      		 
      (gdb) bt
      		 
      #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
      		 
      #1  __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
      		 
      #2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
      		 
      #3  0x00007d0f9c64526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
      		 
      #4  0x00007d0f9c6288ff in __GI_abort () at ./stdlib/abort.c:79
      		 
      #5  0x00007d0f9c62881b in __assert_fail_base (fmt=0x7d0f9c7d01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x5894b0dd407a "mdl_ticket->m_duration == MDL_TRANSACTION && duration != MDL_TRANSACTION", file=file@entry=0x5894b0ca9e13 "/test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc", line=line@entry=3781, function=function@entry=0x5894b0cd4fce "void MDL_context::set_lock_duration(MDL_ticket *, enum_mdl_duration)") at ./assert/assert.c:94
      		 
      #6  0x00007d0f9c63b507 in __assert_fail (assertion=0x5894b0dd407a "mdl_ticket->m_duration == MDL_TRANSACTION && duration != MDL_TRANSACTION", file=0x5894b0ca9e13 "/test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc", line=3781, function=0x5894b0cd4fce "void MDL_context::set_lock_duration(MDL_ticket *, enum_mdl_duration)") at ./assert/assert.c:103
      		 
      #7  0x00005894b1b7eb52 in MDL_context::set_lock_duration (this=0x7d0ec8000f70, mdl_ticket=0x7d0ec803b150, duration=MDL_EXPLICIT)at /test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc:3780
      		 
      #8  0x00005894b1cc071a in THD::global_tmp_tables_set_explicit_lock_duration (this=0x7d0ec8000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/temporary_tables.cc:377
      		 
      #9  0x00005894b18515b4 in THD::leave_locked_tables_mode (this=0x7d0ec8000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_class.cc:6569
      		 
      #10 0x00005894b182163e in Locked_tables_list::unlock_locked_tables (this=0x7d0ec8004f68, thd=0x7d0ec8000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_base.cc:2762
      		 
      #11 0x00005894b182177b in Locked_tables_list::unlock_locked_table (this=0x7d0ec8004f68, thd=0x7d0ec8000d58, mdl_ticket=0x7d0ec80a8cd0)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_base.cc:2810
      		 
      #12 0x00005894b1abcfad in mysql_create_table (thd=0x7d0ec8000d58, create_table=0x7d0ec8016c58, create_info=0x7d0f9a27efa8, alter_info=0x7d0f9a27ee30)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_table.cc:5423
      		 
      #13 0x00005894b1abb230 in Sql_cmd_create_table_like::execute (this=0x7d0ec8016be0, thd=0x7d0ec8000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_table.cc:14026
      		 
      #14 0x00005894b1987dc5 in mysql_execute_command (thd=0x7d0ec8000d58, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:5861
      		 
      #15 0x00005894b1979088 in mysql_parse (thd=0x7d0ec8000d58, rawbuf=0x7d0ec8016b00 "CREATE OR REPLACE GLOBAL TEMPORARY TABLE t (c TEXT) ENGINE=InnoDB", length=65, parser_state=0x7d0f9a280a10)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:7894
      		 
      #16 0x00005894b1976869 in dispatch_command (command=COM_QUERY, thd=0x7d0ec8000d58, packet=0x7d0ec81ca559 "CREATE OR REPLACE GLOBAL TEMPORARY TABLE t (c TEXT) ENGINE=InnoDB", packet_length=65, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1882
      		 
      #17 0x00005894b1979b0a in do_command (thd=0x7d0ec8000d58, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1421
      		 
      #18 0x00005894b1b6c3ee in do_handle_one_connection (connect=0x5894b3a0d8c8, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1414
      		 
      #19 0x00005894b1b6c1d1 in handle_one_connection (arg=0x5894b3a1b4f8)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1326
      		 
      #20 0x00007d0f9c69ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      		 
      #21 0x00007d0f9c729c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

      MDEV-35915-6 CS 12.2.0 ed3c63488a1613377d92ee3ade3fe6870e39b4db (Optimized, UBASAN, Clang 21.1.0-20250811) Build 24/09/2025

      		 
      ==2664290==ERROR: AddressSanitizer: heap-use-after-free on address 0x731fcb62fb38 at pc 0x64afa6892ad3 bp 0x729f10d00320 sp 0x729f10d00318
      		 
      READ of size 8 at 0x731fcb62fb38 thread T11
      		 
          #0 0x64afa6892ad2 in I_P_List<MDL_ticket, I_P_List_adapter<MDL_ticket, &MDL_ticket::next_in_context, &MDL_ticket::prev_in_context>, I_P_List_null_counter, I_P_List_no_push_back<MDL_ticket>>::remove(MDL_ticket*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_plist.h:124:14
      		 
          #1 0x64afa688f0fd in MDL_context::set_lock_duration(MDL_ticket*, enum_mdl_duration) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mdl.cc:3783:30
      		 
          #2 0x64afa6cb7a33 in THD::global_tmp_tables_set_explicit_lock_duration() /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:377:17
      		 
          #3 0x64afa5bfea55 in THD::leave_locked_tables_mode() /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_class.cc:6569:7
      		 
          #4 0x64afa5b41e81 in Locked_tables_list::unlock_locked_tables(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2762:8
      		 
          #5 0x64afa65a79e5 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:5423:38
      		 
          #6 0x64afa659f1ff in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:14026:12
      		 
          #7 0x64afa6040a9f in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5861:26
      		 
          #8 0x64afa60241a5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7894:18
      		 
          #9 0x64afa601c368 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
      		 
          #10 0x64afa60260e0 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
      		 
          #11 0x64afa6850d2c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
      		 
          #12 0x64afa6850846 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
      		 
          #13 0x64afa500538a in asan_thread_start(void*) crtstuff.c
      		 
          #14 0x769fcc89ca93 in start_thread nptl/pthread_create.c:447:8
      		 
          #15 0x769fcc929c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      		 
       
      		 
      0x731fcb62fb38 is located 24 bytes inside of 88-byte region [0x731fcb62fb20,0x731fcb62fb78)
      		 
      freed by thread T11 here:
      		 
          #0 0x64afa504c916 in operator delete(void*, unsigned long) (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x3012916) (BuildId: 4bfbf791ce5d52e12fa19b8ce4aeef87e4172058)
      		 
          #1 0x64afa688e7a3 in MDL_context::release_all_locks_for_name(MDL_ticket*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mdl.cc:3573:7
      		 
          #2 0x64afa5b42212 in Locked_tables_list::unlock_locked_table(THD*, MDL_ticket*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2806:22
      		 
          #3 0x64afa65a79e5 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:5423:38
      		 
          #4 0x64afa659f1ff in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:14026:12
      		 
          #5 0x64afa6040a9f in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5861:26
      		 
          #6 0x64afa60241a5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7894:18
      		 
          #7 0x64afa601c368 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
      		 
          #8 0x64afa60260e0 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
      		 
          #9 0x64afa6850d2c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
      		 
          #10 0x64afa6850846 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
      		 
          #11 0x64afa500538a in asan_thread_start(void*) crtstuff.c
      		 
       
      		 
      previously allocated by thread T11 here:
      		 
          #0 0x64afa504bed1 in operator new(unsigned long, std::nothrow_t const&) (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x3011ed1) (BuildId: 4bfbf791ce5d52e12fa19b8ce4aeef87e4172058)
      		 
          #1 0x64afa6889b8f in MDL_context::clone_ticket(MDL_request*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mdl.cc:2798:17
      		 
          #2 0x64afa652f93d in open_global_temporary_table(THD*, TABLE_SHARE*, TABLE_LIST*, MDL_ticket*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:6319:26
      		 
          #3 0x64afa5b3c04e in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2351:22
      		 
          #4 0x64afa5b4e744 in open_and_process_table(THD*, TABLE_LIST*, unsigned int*, unsigned int, Prelocking_strategy*, bool, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:4308:14
      		 
          #5 0x64afa5b4e744 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:4791:14
      		 
          #6 0x64afa5b5cae5 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:5779:7
      		 
          #7 0x64afa560bc43 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.h:544:10
      		 
          #8 0x64afa605d01a in execute_sqlcom_select(THD*, TABLE_LIST*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:6092:14
      		 
          #9 0x64afa6040c73 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:3954:12
      		 
          #10 0x64afa60241a5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7894:18
      		 
          #11 0x64afa601c368 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
      		 
          #12 0x64afa60260e0 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
      		 
          #13 0x64afa6850d2c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
      		 
          #14 0x64afa6850846 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
      		 
          #15 0x64afa500538a in asan_thread_start(void*) crtstuff.c
      		 
       
      		 
      Thread T11 created by T0 here:
      		 
          #0 0x64afa4feba85 in pthread_create (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fb1a85) (BuildId: 4bfbf791ce5d52e12fa19b8ce4aeef87e4172058)
      		 
          #1 0x64afa505e0b9 in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6272:19
      		 
          #2 0x64afa505f3fa in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6508:9
      		 
          #3 0x64afa505d800 in run_main_loop() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:5750:3
      		 
          #4 0x64afa505433e in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6173:3
      		 
          #5 0x769fcc82a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
      		 
          #6 0x769fcc82a28a in __libc_start_main csu/../csu/libc-start.c:360:3
      		 
          #7 0x64afa4f62394 in _start (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2f28394) (BuildId: 4bfbf791ce5d52e12fa19b8ce4aeef87e4172058)
      		 
       
      		 
      SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_plist.h:124:14 in I_P_List<MDL_ticket, I_P_List_adapter<MDL_ticket, &MDL_ticket::next_in_context, &MDL_ticket::prev_in_context>, I_P_List_null_counter, I_P_List_no_push_back<MDL_ticket>>::remove(MDL_ticket*)
      		 
      Shadow bytes around the buggy address:
      		 
        0x731fcb62f880: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x731fcb62f900: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x731fcb62f980: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x731fcb62fa00: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      		 
        0x731fcb62fa80: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
      =>0x731fcb62fb00: fa fa fa fa fd fd fd[fd]fd fd fd fd fd fd fd fa
      		 
        0x731fcb62fb80: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x731fcb62fc00: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      		 
        0x731fcb62fc80: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x731fcb62fd00: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      		 
        0x731fcb62fd80: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Container overflow:      fc
      		 
        Array cookie:            ac
      		 
        Intra object redzone:    bb
      		 
        ASan internal:           fe
      		 
        Left alloca redzone:     ca
      		 
        Right alloca redzone:    cb
      		 
      ==2664290==ABORTING

      MDEV-35915-6 CS 12.2.0 ed3c63488a1613377d92ee3ade3fe6870e39b4db (Debug, UBASAN, Clang 21.1.0-20250811) Build 24/09/2025

      		 
      ==2666070==ERROR: AddressSanitizer: heap-use-after-free on address 0x7345a2e303c8 at pc 0x56888cc60c58 bp 0x72c4e8500160 sp 0x72c4e8500158
      		 
      READ of size 4 at 0x7345a2e303c8 thread T11
      		 
          #0 0x56888cc60c57 in MDL_context::set_lock_duration(MDL_ticket*, enum_mdl_duration) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3780:3
      		 
          #1 0x56888d097b4f in THD::global_tmp_tables_set_explicit_lock_duration() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:377:17
      		 
          #2 0x56888bff951f in THD::leave_locked_tables_mode() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_class.cc:6569:7
      		 
          #3 0x56888bf33318 in Locked_tables_list::unlock_locked_tables(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:2762:8
      		 
          #4 0x56888c97358d in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:5423:38
      		 
          #5 0x56888c96a067 in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:14026:12
      		 
          #6 0x56888c4332e7 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5861:26
      		 
          #7 0x56888c416438 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7894:18
      		 
          #8 0x56888c40fbfc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
      		 
          #9 0x56888c41886a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
      		 
          #10 0x56888cc1da0c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
      		 
          #11 0x56888cc1d515 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
      		 
          #12 0x56888b3d669a in asan_thread_start(void*) crtstuff.c
      		 
          #13 0x76c5a409ca93 in start_thread nptl/pthread_create.c:447:8
      		 
          #14 0x76c5a4129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      		 
       
      		 
      0x7345a2e303c8 is located 40 bytes inside of 96-byte region [0x7345a2e303a0,0x7345a2e30400)
      		 
      freed by thread T11 here:
      		 
          #0 0x56888b41dc26 in operator delete(void*, unsigned long) (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3bddc26) (BuildId: 3477130517231f52562047c940098bd8db8a39e1)
      		 
          #1 0x56888cc5f668 in MDL_context::release_all_locks_for_name(MDL_ticket*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3573:7
      		 
          #2 0x56888bf33a9d in Locked_tables_list::unlock_locked_table(THD*, MDL_ticket*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:2806:22
      		 
          #3 0x56888c97358d in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:5423:38
      		 
          #4 0x56888c96a067 in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:14026:12
      		 
          #5 0x56888c4332e7 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5861:26
      		 
          #6 0x56888c416438 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7894:18
      		 
          #7 0x56888c40fbfc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
      		 
          #8 0x56888c41886a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
      		 
          #9 0x56888cc1da0c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
      		 
          #10 0x56888cc1d515 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
      		 
          #11 0x56888b3d669a in asan_thread_start(void*) crtstuff.c
      		 
       
      		 
      previously allocated by thread T11 here:
      		 
          #0 0x56888b41d1e1 in operator new(unsigned long, std::nothrow_t const&) (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3bdd1e1) (BuildId: 3477130517231f52562047c940098bd8db8a39e1)
      		 
          #1 0x56888cc596ef in MDL_context::clone_ticket(MDL_request*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:2798:17
      		 
          #2 0x56888c901f36 in open_global_temporary_table(THD*, TABLE_SHARE*, TABLE_LIST*, MDL_ticket*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:6319:26
      		 
          #3 0x56888bf2d5e2 in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:2351:22
      		 
          #4 0x56888bf40845 in open_and_process_table(THD*, TABLE_LIST*, unsigned int*, unsigned int, Prelocking_strategy*, bool, Open_table_context*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:4308:14
      		 
          #5 0x56888bf40845 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:4791:14
      		 
          #6 0x56888bf50ac1 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:5779:7
      		 
          #7 0x56888ba1a8e4 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.h:544:10
      		 
          #8 0x56888c451423 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:6092:14
      		 
          #9 0x56888c43cd98 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:3954:12
      		 
          #10 0x56888c416438 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7894:18
      		 
          #11 0x56888c40fbfc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
      		 
          #12 0x56888c41886a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
      		 
          #13 0x56888cc1da0c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
      		 
          #14 0x56888cc1d515 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
      		 
          #15 0x56888b3d669a in asan_thread_start(void*) crtstuff.c
      		 
       
      		 
      Thread T11 created by T0 here:
      		 
          #0 0x56888b3bcd95 in pthread_create (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3b7cd95) (BuildId: 3477130517231f52562047c940098bd8db8a39e1)
      		 
          #1 0x56888b4306ec in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6272:19
      		 
          #2 0x56888b431775 in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6508:9
      		 
          #3 0x56888b42fcfa in run_main_loop() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:5750:3
      		 
          #4 0x56888b4256ae in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6173:3
      		 
          #5 0x76c5a402a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
      		 
          #6 0x76c5a402a28a in __libc_start_main csu/../csu/libc-start.c:360:3
      		 
          #7 0x56888b3336a4 in _start (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3af36a4) (BuildId: 3477130517231f52562047c940098bd8db8a39e1)
      		 
       
      		 
      SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3780:3 in MDL_context::set_lock_duration(MDL_ticket*, enum_mdl_duration)
      		 
      Shadow bytes around the buggy address:
      		 
        0x7345a2e30100: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x7345a2e30180: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x7345a2e30200: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x7345a2e30280: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      		 
        0x7345a2e30300: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
      =>0x7345a2e30380: fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd fd fd
      		 
        0x7345a2e30400: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x7345a2e30480: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x7345a2e30500: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x7345a2e30580: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x7345a2e30600: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Container overflow:      fc
      		 
        Array cookie:            ac
      		 
        Intra object redzone:    bb
      		 
        ASan internal:           fe
      		 
        Left alloca redzone:     ca
      		 
        Right alloca redzone:    cb
      		 
      ==2666070==ABORTING

      Attachments

        Issue Links

          is caused by

          Bug - A problem which impairs or prevents the functions of the product. MDEV-35046 SIGSEGV in list_delete in optimized builds when using pseudo_slave_mode

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          relates to

          New Feature - A new feature of the product, which has yet to be developed. MDEV-35915 Implement Global temporary tables

          • Critical - Crashes, loss of data, severe memory leak.
          • In Testing

          Bug - A problem which impairs or prevents the functions of the product. MDEV-37596 enforce_storage_engine has an effect on child global temporary tables

          • Critical - Crashes, loss of data, severe memory leak.
          • In Testing

          Bug - A problem which impairs or prevents the functions of the product. MDEV-37668 SIGSEGV on DROP TABLE GTT under LOCK TABLES and different server_id

          • Critical - Crashes, loss of data, severe memory leak.
          • Stalled

          Activity

            People

              Elkin Andrei Elkin
              Roel Roel Van de Paar
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.