SIGSEGV in Gtid_index_writer::write_current_node on SET GLOBAL binlog_checksum (opt builds)

# mysqld options required for replay: --log_bin

use test;

SET default_storage_engine=InnoDB;

CREATE DATABASE transforms;

drop table if exists t,t2;

SET sql_mode=0;

CREATE  TABLE t (x INT);

XA START 'a';

XA END 'a';

SET pseudo_slave_mode=1;

XA PREPARE 'a';

CREATE  TABLE t2 AS VALUES (5),(6),(7);

# DROP TABLE CURTIME;

CREATE TABLE foo (a INT,b INT,c DATE,d INT,aa BLOB,bb BLOB,cc BLOB,dd BLOB,aaa CHAR(12),bbb BINARY (20),ccc VARCHAR(50),ddd VARCHAR(3000));

TRUNCATE t2;

XA START 'a','a',2;

create temporary table t2 SELECT 1 t;

INSERT INTO foo VALUES (1,1,0,1,0,1,0,1,'a','a','a','a');

CREATE TEMPORARY TABLE t (y INT);

INSERT t VALUES (1),(2),(3);

XA END 'a','a',2;

XA PREPARE 'a','a',2;

DROP TABLE t;

FLUSH LOGS;

XA COMMIT 'a','a',2;

SET GLOBAL binlog_checksum=CRC32;

Core was generated by `/test/MDEV-35915_6_MD240925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd --no-d'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x000059364ab7579d in Gtid_index_writer::write_current_node (this=this@entry=0x77f3c4023860, level=level@entry=0, is_root=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/gtid_index.cc:406

406	  Index_node *n= nodes[level];

[Current thread is 1 (LWP 2055023)]

(gdb) bt

#0  0x000059364ab7579d in Gtid_index_writer::write_current_node (this=this@entry=0x77f3c4023860, level=level@entry=0, is_root=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/gtid_index.cc:406

#1  0x000059364ab751c9 in Gtid_index_writer::close (this=0x77f3c4023860)at /test/bb-12.2-nikita-global-tmp_opt/sql/gtid_index.cc:288

#2  0x000059364a6bc069 in binlog_background_thread (arg=<optimized out>)at /test/bb-12.2-nikita-global-tmp_opt/sql/log.cc:11570

#3  0x000059364aca2bb9 in pfs_spawn_thread (arg=0x59364d01f868)at /test/bb-12.2-nikita-global-tmp_opt/storage/perfschema/pfs.cc:2198

#4  0x000077f4fb69ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447

#5  0x000077f4fb729c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

==2055245==ERROR: AddressSanitizer: heap-use-after-free on address 0x6ec6cb847228 at pc 0x6486fad1a1da bp 0x6d55dd3002c0 sp 0x6d55dd3002b8

WRITE of size 8 at 0x6ec6cb847228 thread T13

    #0 0x6486fad1a1d9 in std::__atomic_base<long>::store(long, std::memory_order) /usr/lib/gcc/x86_64-linux-gnu/14/../../../../include/c++/14/bits/atomic_base.h:477:2

    #1 0x6486fad1a1d9 in Atomic_relaxed<long>::store(long, std::memory_order) /test/bb-12.2-nikita-global-tmp_opt_san/include/my_atomic_wrapper.h:47:7

    #2 0x6486fad1a1d9 in Atomic_relaxed<long>::operator=(long) /test/bb-12.2-nikita-global-tmp_opt_san/include/my_atomic_wrapper.h:49:34

    #3 0x6486fad1a1d9 in trx_t::commit_tables() /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/trx/trx0trx.cc:1286:25

    #4 0x6486fad13377 in trx_t::commit_in_memory(mtr_t const*) /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/trx/trx0trx.cc:1437:7

    #5 0x6486fad13377 in trx_t::commit_low(mtr_t*) /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/trx/trx0trx.cc:1594:3

    #6 0x6486fad0bbbe in trx_t::commit_persist() /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/trx/trx0trx.cc:1608:3

    #7 0x6486fad0bbbe in trx_t::commit() /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/trx/trx0trx.cc:1617:3

    #8 0x6486fad0bbbe in trx_commit_for_mysql(trx_t*) /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/trx/trx0trx.cc:1732:10

    #9 0x6486fa45b96e in innobase_commit_by_xid(xid_t*) /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/handler/ha_innodb.cc:17350:3

    #10 0x6486f816af40 in xacommit_handlerton(THD*, transaction_participant*, void*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/handler.cc:2469:5

    #11 0x6486f815ba1b in tp_foreach(THD*, bool (*)(THD*, transaction_participant*, void*), void*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/handler.cc:894:17

    #12 0x6486f816add8 in ha_commit_or_rollback_by_xid(xid_t*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/handler.cc:2501:3

    #13 0x6486f9d35a81 in trans_xa_commit(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/xa.cc:686:7

    #14 0x6486f9097781 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5728:25

    #15 0x6486f90791a5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7894:18

    #16 0x6486f9071368 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7

    #17 0x6486f907b0e0 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17

    #18 0x6486f98a5d2c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11

    #19 0x6486f98a5846 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5

    #20 0x6486f805a38a in asan_thread_start(void*) crtstuff.c

    #21 0x7156cca9ca93 in start_thread nptl/pthread_create.c:447:8

    #22 0x7156ccb29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x6ec6cb847228 is located 680 bytes inside of 704-byte region [0x6ec6cb846f80,0x6ec6cb847240)

freed by thread T13 here:

    #0 0x6486f805c86a in free (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fcd86a) (BuildId: 4bfbf791ce5d52e12fa19b8ce4aeef87e4172058)

    #1 0x6486fa5efe8b in mem_heap_free(mem_block_info_t*) /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/include/mem0mem.inl:344:3

    #2 0x6486fa522ac1 in dict_sys_t::remove(dict_table_t*, bool, bool) /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/dict/dict0dict.cc:1756:2

    #3 0x6486fa42626f in ha_innobase::delete_table(char const*) /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/handler/ha_innodb.cc:13546:14

    #4 0x6486f815b173 in hton_drop_table(handlerton*, char const*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/handler.cc:580:20

    #5 0x6486f9d11c27 in THD::rm_temporary_table(handlerton*, char const*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:852:7

    #6 0x6486f9d09172 in THD::free_tmp_table_share(TMP_TABLE_SHARE*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1765:12

    #7 0x6486f9d11908 in THD::drop_tmp_table_share(TABLE*, TMP_TABLE_SHARE*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:820:11

    #8 0x6486f955a4d3 in mysql_rm_table_no_locks(THD*, TABLE_LIST*, st_mysql_const_lex_string const*, st_ddl_log_state*, bool, bool, bool, bool, bool, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:1516:16

    #9 0x6486f9558455 in mysql_rm_table(THD*, TABLE_LIST*, bool, bool, bool, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:1265:10

    #10 0x6486f909e3c5 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:4772:10

    #11 0x6486f90791a5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7894:18

    #12 0x6486f9071368 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7

    #13 0x6486f907b0e0 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17

    #14 0x6486f98a5d2c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11

    #15 0x6486f98a5846 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5

    #16 0x6486f805a38a in asan_thread_start(void*) crtstuff.c

previously allocated by thread T13 here:

    #0 0x6486f805cb08 in malloc (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fcdb08) (BuildId: 4bfbf791ce5d52e12fa19b8ce4aeef87e4172058)

    #1 0x6486fa9b116a in mem_heap_create_block_func(mem_block_info_t*, unsigned long, unsigned long) /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/mem/mem0mem.cc:275:37

    #2 0x6486fa9b191c in mem_heap_add_block(mem_block_info_t*, unsigned long) /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/mem/mem0mem.cc:361:14

    #3 0x6486fa5eeacc in mem_heap_alloc(mem_block_info_t*, unsigned long) /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/include/mem0mem.inl:179:11

    #4 0x6486fa5eca61 in mem_heap_zalloc(mem_block_info_t*, unsigned long) /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/include/mem0mem.inl:149:16

    #5 0x6486fa5eca61 in dict_table_t::create(st_::span<char const> const&, fil_space_t*, unsigned long, unsigned long, unsigned long, unsigned long) /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/dict/dict0mem.cc:145:6

    #6 0x6486fa46e98b in create_table_info_t::create_table_def() /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/handler/ha_innodb.cc:10644:10

    #7 0x6486fa4207cd in create_table_info_t::create_table(bool, bool) /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/handler/ha_innodb.cc:12774:10

    #8 0x6486fa3e0996 in ha_innobase::create(char const*, TABLE*, HA_CREATE_INFO*, bool, trx_t*) /test/bb-12.2-nikita-global-tmp_opt_san/storage/innobase/handler/ha_innodb.cc:13283:17

    #9 0x6486f818bb71 in handler::ha_create(char const*, TABLE*, HA_CREATE_INFO*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/handler.cc:5974:14

    #10 0x6486f8194bde in ha_create_table_from_share(THD*, TABLE_SHARE*, HA_CREATE_INFO*, unsigned int*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/handler.cc:6427:26

    #11 0x6486f8193619 in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/handler.cc:6494:15

    #12 0x6486f957fa17 in create_table_impl(THD*, st_ddl_log_state*, st_ddl_log_state*, Lex_ident_db const&, Lex_ident_table const&, Lex_ident_db const&, Lex_ident_table const&, st_mysql_const_lex_string const&, DDL_options_st, HA_CREATE_INFO*, Alter_info*, int, bool*, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:5015:11

    #13 0x6486f957caba in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:5117:8

    #14 0x6486f95fb794 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:5363:7

    #15 0x6486f95f41ff in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:14026:12

    #16 0x6486f9095a9f in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5861:26

    #17 0x6486f90791a5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7894:18

    #18 0x6486f9071368 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7

    #19 0x6486f907b0e0 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17

    #20 0x6486f98a5d2c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11

    #21 0x6486f98a5846 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5

    #22 0x6486f805a38a in asan_thread_start(void*) crtstuff.c

Thread T13 created by T0 here:

    #0 0x6486f8040a85 in pthread_create (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fb1a85) (BuildId: 4bfbf791ce5d52e12fa19b8ce4aeef87e4172058)

    #1 0x6486f80b30b9 in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6272:19

    #2 0x6486f80b43fa in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6508:9

    #3 0x6486f80b2800 in run_main_loop() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:5750:3

    #4 0x6486f80a933e in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6173:3

    #5 0x7156cca2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

    #6 0x7156cca2a28a in __libc_start_main csu/../csu/libc-start.c:360:3

    #7 0x6486f7fb7394 in _start (/test/MDEV-35915_6_UBASAN_MD240925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2f28394) (BuildId: 4bfbf791ce5d52e12fa19b8ce4aeef87e4172058)

SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_opt_san/include/my_atomic_wrapper.h:47:7 in Atomic_relaxed<long>::store(long, std::memory_order)

Shadow bytes around the buggy address:

  0x6ec6cb846f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x6ec6cb847000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x6ec6cb847080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x6ec6cb847100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x6ec6cb847180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

=>0x6ec6cb847200: fd fd fd fd fd[fd]fd fd fa fa fa fa fa fa fa fa

  0x6ec6cb847280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x6ec6cb847300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x6ec6cb847380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x6ec6cb847400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x6ec6cb847480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

==2055245==ABORTING