Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-37872

SIGSEGV in MDL_context::release_loc, Assertion `mdl_ticket->m_duration == MDL_TRANSACTION && duration != MDL_TRANSACTION' failed, ASAN heap-use-after-free in I_P_List on CoR

    XMLWordPrintable

Details

    • Not for Release Notes
    • Q4/2025 Server Maintenance

    Description

      Please use the CLI for reproduction. MTR does not reproduce the issue. No special mariadbd options required (binlog is not required).

      SET sql_mode='', enforce_storage_engine=MyISAM;
      		 
      CREATE GLOBAL TEMPORARY TABLE t (x INT) ON COMMIT PRESERVE ROWS;
      		 
      SELECT * FROM t;
      		 
      SET pseudo_thread_id=0;
      		 
      LOCK TABLES t WRITE;
      		 
      SET sql_mode='TRADITIONAL';
      		 
      CREATE OR REPLACE TABLE t (x INT);  # ASAN
      		 
      SHUTDOWN;  # SIGSEGV

      Leads to:

      MDEV-35915-7 CS 12.2.0 87e89a3e8300009e00c1c480ffbb2062db9a87ec (Optimized, Clang 21.1.3-20250923) Build 14/10/2025

      		 
      Core was generated by `/test/MDEV-35915_7_MD141025-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd --no-d'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  0x00005a125fd4c1e0 in MDL_context::release_lock (this=this@entry=0x70760c000e78, duration=<optimized out>, ticket=0x70760c016bf0)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:3498
      		 
       
      		 
      [Current thread is 1 (LWP 659616)]
      		 
      (gdb) bt
      		 
      #0  0x00005a125fd4c1e0 in MDL_context::release_lock (this=this@entry=0x70760c000e78, duration=<optimized out>, ticket=0x70760c016bf0)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:3498
      		 
      #1  0x00005a125fd4c5ac in MDL_context::release_locks_stored_before (this=0x70760c000e78, duration=MDL_TRANSACTION, sentinel=0x0)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:3545
      		 
      #2  MDL_context::release_transactional_locks (this=0x70760c000e78, thd=<optimized out>) at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:3722
      		 
      #3  0x00005a125fbeeb20 in THD::release_transactional_locks (this=<optimized out>)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_class.h:5609
      		 
      #4  0x00005a125fbeeb20 in mysql_execute_command (thd=thd@entry=0x70760c000c68, is_called_from_prepared_stmt=<optimized out>)
      		 
      #5  0x00005a125fbea1d4 in mysql_parse (thd=thd@entry=0x70760c000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x70773c218420)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:7895
      		 
      #6  0x00005a125fbe897d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x70760c000c68, packet=packet@entry=0x70760c0089f9 "SHUTDOWN", packet_length=packet_length@entry=8, blocking=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:1882
      		 
      #7  0x00005a125fbea651 in do_command (thd=thd@entry=0x70760c000c68, blocking=true) at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:1421
      		 
      #8  0x00005a125fd4074d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5a1263770e18, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1414
      		 
      #9  0x00005a125fd4050f in handle_one_connection (arg=arg@entry=0x5a1263770e18)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1326
      		 
      #10 0x00005a125ff05349 in pfs_spawn_thread (arg=0x5a1263720ab8)at /test/bb-12.2-nikita-global-tmp_opt/storage/perfschema/pfs.cc:2198
      		 
      #11 0x000070773f09ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      		 
      #12 0x000070773f129c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

      MDEV-35915-7 CS 12.2.0 87e89a3e8300009e00c1c480ffbb2062db9a87ec (Debug, Clang 21.1.3-20250923) Build 14/10/2025

      		 
      mariadbd: /test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc:3781: void MDL_context::set_lock_duration(MDL_ticket *, enum_mdl_duration): Assertion `mdl_ticket->m_duration == MDL_TRANSACTION && duration != MDL_TRANSACTION' failed.

      MDEV-35915-7 CS 12.2.0 87e89a3e8300009e00c1c480ffbb2062db9a87ec (Debug, Clang 21.1.3-20250923) Build 14/10/2025

      		 
      Core was generated by `/test/MDEV-35915_7_MD141025-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd --no-d'.
      		 
      Program terminated with signal SIGABRT, Aborted.
      		 
      #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
      		 
       
      		 
      [Current thread is 1 (LWP 659867)]
      		 
      (gdb) bt
      		 
      #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
      		 
      #1  __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
      		 
      #2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
      		 
      #3  0x00007ec275e4526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
      		 
      #4  0x00007ec275e288ff in __GI_abort () at ./stdlib/abort.c:79
      		 
      #5  0x00007ec275e2881b in __assert_fail_base (fmt=0x7ec275fd01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55f9ae3e82dc "mdl_ticket->m_duration == MDL_TRANSACTION && duration != MDL_TRANSACTION", file=file@entry=0x55f9ae2bdf53 "/test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc", line=line@entry=3781, function=function@entry=0x55f9ae2e9153 "void MDL_context::set_lock_duration(MDL_ticket *, enum_mdl_duration)") at ./assert/assert.c:94
      		 
      #6  0x00007ec275e3b507 in __assert_fail (assertion=0x55f9ae3e82dc "mdl_ticket->m_duration == MDL_TRANSACTION && duration != MDL_TRANSACTION", file=0x55f9ae2bdf53 "/test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc", line=3781, function=0x55f9ae2e9153 "void MDL_context::set_lock_duration(MDL_ticket *, enum_mdl_duration)") at ./assert/assert.c:103
      		 
      #7  0x000055f9af193152 in MDL_context::set_lock_duration (this=0x7ec148000f70, mdl_ticket=0x7ec1480197b0, duration=MDL_EXPLICIT)at /test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc:3780
      		 
      #8  0x000055f9af2d4d6a in THD::global_tmp_tables_set_explicit_lock_duration (this=0x7ec148000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/temporary_tables.cc:377
      		 
      #9  0x000055f9aee659b4 in THD::leave_locked_tables_mode (this=0x7ec148000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_class.cc:6569
      		 
      #10 0x000055f9aee35a3e in Locked_tables_list::unlock_locked_tables (this=0x7ec148004f68, thd=0x7ec148000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_base.cc:2762
      		 
      #11 0x000055f9aee35b7b in Locked_tables_list::unlock_locked_table (this=0x7ec148004f68, thd=0x7ec148000d58, mdl_ticket=0x55f9b12323e0)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_base.cc:2810
      		 
      #12 0x000055f9af0d156d in mysql_create_table (thd=0x7ec148000d58, create_table=0x7ec148019f98, create_info=0x7ec27432ffa8, alter_info=0x7ec27432fe30)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_table.cc:5425
      		 
      #13 0x000055f9af0cf7c0 in Sql_cmd_create_table_like::execute (this=0x7ec148019f20, thd=0x7ec148000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_table.cc:14043
      		 
      #14 0x000055f9aef9c2ae in mysql_execute_command (thd=0x7ec148000d58, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:5862
      		 
      #15 0x000055f9aef8d538 in mysql_parse (thd=0x7ec148000d58, rawbuf=0x7ec148019e80 "CREATE OR REPLACE TABLE t (x INT)", length=33, parser_state=0x7ec274331a10)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:7895
      		 
      #16 0x000055f9aef8ad19 in dispatch_command (command=COM_QUERY, thd=0x7ec148000d58, packet=0x7ec14800b1f9 "CREATE OR REPLACE TABLE t (x INT)", packet_length=33, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1882
      		 
      #17 0x000055f9aef8dfba in do_command (thd=0x7ec148000d58, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1421
      		 
      #18 0x000055f9af1809ee in do_handle_one_connection (connect=0x55f9b1221358, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1414
      		 
      #19 0x000055f9af1807d1 in handle_one_connection (arg=0x55f9b12323f8)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1326
      		 
      #20 0x00007ec275e9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      		 
      #21 0x00007ec275f29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

      MDEV-35915-7 CS 12.2.0 87e89a3e8300009e00c1c480ffbb2062db9a87ec (Optimized, UBASAN, Clang 21.1.3-20250923) Build 14/10/2025

      		 
      ==660245==ERROR: AddressSanitizer: heap-use-after-free on address 0x79175ee2c438 at pc 0x577891601233 bp 0x789672900300 sp 0x7896729002f8
      		 
      READ of size 8 at 0x79175ee2c438 thread T12
      		 
          #0 0x577891601232 in I_P_List<MDL_ticket, I_P_List_adapter<MDL_ticket, &MDL_ticket::next_in_context, &MDL_ticket::prev_in_context>, I_P_List_null_counter, I_P_List_no_push_back<MDL_ticket>>::remove(MDL_ticket*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_plist.h:124:14
      		 
          #1 0x5778915fd85d in MDL_context::set_lock_duration(MDL_ticket*, enum_mdl_duration) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mdl.cc:3783:30
      		 
          #2 0x577891a26423 in THD::global_tmp_tables_set_explicit_lock_duration() /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:377:17
      		 
          #3 0x57789096ccb5 in THD::leave_locked_tables_mode() /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_class.cc:6569:7
      		 
          #4 0x5778908b00e1 in Locked_tables_list::unlock_locked_tables(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2762:8
      		 
          #5 0x5778913160a5 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:5425:38
      		 
          #6 0x57789130db76 in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:14043:12
      		 
          #7 0x577890daee4f in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5862:26
      		 
          #8 0x577890d92545 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7895:18
      		 
          #9 0x577890d8a708 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
      		 
          #10 0x577890d94480 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
      		 
          #11 0x5778915bf48c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
      		 
          #12 0x5778915befa6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
      		 
          #13 0x57788fd735ea in asan_thread_start(void*) crtstuff.c
      		 
          #14 0x7c976009ca93 in start_thread nptl/pthread_create.c:447:8
      		 
          #15 0x7c9760129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      		 
       
      		 
      0x79175ee2c438 is located 24 bytes inside of 88-byte region [0x79175ee2c420,0x79175ee2c478)
      		 
      freed by thread T12 here:
      		 
          #0 0x57788fdbab76 in operator delete(void*, unsigned long) (/test/MDEV-35915_7_UBASAN_MD141025-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x3013b76) (BuildId: 9ce5923b9c6488539df89c3decc205367c77e88c)
      		 
          #1 0x5778915fcf03 in MDL_context::release_all_locks_for_name(MDL_ticket*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mdl.cc:3573:7
      		 
          #2 0x5778908b0472 in Locked_tables_list::unlock_locked_table(THD*, MDL_ticket*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2806:22
      		 
          #3 0x5778913160a5 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:5425:38
      		 
          #4 0x57789130db76 in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:14043:12
      		 
          #5 0x577890daee4f in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5862:26
      		 
          #6 0x577890d92545 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7895:18
      		 
          #7 0x577890d8a708 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
      		 
          #8 0x577890d94480 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
      		 
          #9 0x5778915bf48c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
      		 
          #10 0x5778915befa6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
      		 
          #11 0x57788fd735ea in asan_thread_start(void*) crtstuff.c
      		 
       
      		 
      previously allocated by thread T12 here:
      		 
          #0 0x57788fdba131 in operator new(unsigned long, std::nothrow_t const&) (/test/MDEV-35915_7_UBASAN_MD141025-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x3013131) (BuildId: 9ce5923b9c6488539df89c3decc205367c77e88c)
      		 
          #1 0x5778915f82ef in MDL_context::clone_ticket(MDL_request*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mdl.cc:2798:17
      		 
          #2 0x57789129df72 in open_global_temporary_table(THD*, TABLE_SHARE*, TABLE_LIST*, MDL_ticket*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:6334:26
      		 
          #3 0x5778908aa2ae in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2351:22
      		 
          #4 0x5778908bc9a4 in open_and_process_table(THD*, TABLE_LIST*, unsigned int*, unsigned int, Prelocking_strategy*, bool, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:4308:14
      		 
          #5 0x5778908bc9a4 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:4791:14
      		 
          #6 0x5778908cad45 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:5779:7
      		 
          #7 0x577890379ea3 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.h:544:10
      		 
          #8 0x577890dcb44a in execute_sqlcom_select(THD*, TABLE_LIST*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:6093:14
      		 
          #9 0x577890daf026 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:3955:12
      		 
          #10 0x577890d92545 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7895:18
      		 
          #11 0x577890d8a708 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
      		 
          #12 0x577890d94480 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
      		 
          #13 0x5778915bf48c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
      		 
          #14 0x5778915befa6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
      		 
          #15 0x57788fd735ea in asan_thread_start(void*) crtstuff.c
      		 
       
      		 
      Thread T12 created by T0 here:
      		 
          #0 0x57788fd59ce5 in pthread_create (/test/MDEV-35915_7_UBASAN_MD141025-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fb2ce5) (BuildId: 9ce5923b9c6488539df89c3decc205367c77e88c)
      		 
          #1 0x57788fdcc319 in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6272:19
      		 
          #2 0x57788fdcd65a in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6508:9
      		 
          #3 0x57788fdcba60 in run_main_loop() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:5750:3
      		 
          #4 0x57788fdc259e in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6173:3
      		 
          #5 0x7c976002a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
      		 
          #6 0x7c976002a28a in __libc_start_main csu/../csu/libc-start.c:360:3
      		 
          #7 0x57788fcd05f4 in _start (/test/MDEV-35915_7_UBASAN_MD141025-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2f295f4) (BuildId: 9ce5923b9c6488539df89c3decc205367c77e88c)
      		 
       
      		 
      SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_plist.h:124:14 in I_P_List<MDL_ticket, I_P_List_adapter<MDL_ticket, &MDL_ticket::next_in_context, &MDL_ticket::prev_in_context>, I_P_List_null_counter, I_P_List_no_push_back<MDL_ticket>>::remove(MDL_ticket*)
      		 
      Shadow bytes around the buggy address:
      		 
        0x79175ee2c180: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x79175ee2c200: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x79175ee2c280: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x79175ee2c300: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x79175ee2c380: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
      =>0x79175ee2c400: fa fa fa fa fd fd fd[fd]fd fd fd fd fd fd fd fa
      		 
        0x79175ee2c480: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      		 
        0x79175ee2c500: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x79175ee2c580: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      		 
        0x79175ee2c600: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      		 
        0x79175ee2c680: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Container overflow:      fc
      		 
        Array cookie:            ac
      		 
        Intra object redzone:    bb
      		 
        ASan internal:           fe
      		 
        Left alloca redzone:     ca
      		 
        Right alloca redzone:    cb
      		 
      ==660245==ABORTING

      MDEV-35915-7 CS 12.2.0 87e89a3e8300009e00c1c480ffbb2062db9a87ec (Debug, UBASAN, Clang 21.1.3-20250923) Build 14/10/2025

      		 
      ==660376==ERROR: AddressSanitizer: heap-use-after-free on address 0x6ddacd62c448 at pc 0x65067c798a58 bp 0x6d59e0d00160 sp 0x6d59e0d00158
      		 
      READ of size 4 at 0x6ddacd62c448 thread T12
      		 
          #0 0x65067c798a57 in MDL_context::set_lock_duration(MDL_ticket*, enum_mdl_duration) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3780:3
      		 
          #1 0x65067cbcfb8f in THD::global_tmp_tables_set_explicit_lock_duration() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:377:17
      		 
          #2 0x65067bb3103f in THD::leave_locked_tables_mode() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_class.cc:6569:7
      		 
          #3 0x65067ba6ae38 in Locked_tables_list::unlock_locked_tables(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:2762:8
      		 
          #4 0x65067c4ab2ed in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:5425:38
      		 
          #5 0x65067c4a20df in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:14043:12
      		 
          #6 0x65067bf6af68 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5862:26
      		 
          #7 0x65067bf4e098 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7895:18
      		 
          #8 0x65067bf4785c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
      		 
          #9 0x65067bf504ca in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
      		 
          #10 0x65067c75580c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
      		 
          #11 0x65067c755315 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
      		 
          #12 0x65067af0e1ba in asan_thread_start(void*) crtstuff.c
      		 
          #13 0x715ace69ca93 in start_thread nptl/pthread_create.c:447:8
      		 
          #14 0x715ace729c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      		 
       
      		 
      0x6ddacd62c448 is located 40 bytes inside of 96-byte region [0x6ddacd62c420,0x6ddacd62c480)
      		 
      freed by thread T12 here:
      		 
          #0 0x65067af55746 in operator delete(void*, unsigned long) (/test/MDEV-35915_7_UBASAN_MD141025-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3bdf746) (BuildId: d5a66a3a89a7a4942fa0e58a12f5e6af23fc5932)
      		 
          #1 0x65067c797468 in MDL_context::release_all_locks_for_name(MDL_ticket*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3573:7
      		 
          #2 0x65067ba6b5bd in Locked_tables_list::unlock_locked_table(THD*, MDL_ticket*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:2806:22
      		 
          #3 0x65067c4ab2ed in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:5425:38
      		 
          #4 0x65067c4a20df in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:14043:12
      		 
          #5 0x65067bf6af68 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5862:26
      		 
          #6 0x65067bf4e098 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7895:18
      		 
          #7 0x65067bf4785c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
      		 
          #8 0x65067bf504ca in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
      		 
          #9 0x65067c75580c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
      		 
          #10 0x65067c755315 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
      		 
          #11 0x65067af0e1ba in asan_thread_start(void*) crtstuff.c
      		 
       
      		 
      previously allocated by thread T12 here:
      		 
          #0 0x65067af54d01 in operator new(unsigned long, std::nothrow_t const&) (/test/MDEV-35915_7_UBASAN_MD141025-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3bded01) (BuildId: d5a66a3a89a7a4942fa0e58a12f5e6af23fc5932)
      		 
          #1 0x65067c7914ef in MDL_context::clone_ticket(MDL_request*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:2798:17
      		 
          #2 0x65067c439dc6 in open_global_temporary_table(THD*, TABLE_SHARE*, TABLE_LIST*, MDL_ticket*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:6334:26
      		 
          #3 0x65067ba65102 in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:2351:22
      		 
          #4 0x65067ba78365 in open_and_process_table(THD*, TABLE_LIST*, unsigned int*, unsigned int, Prelocking_strategy*, bool, Open_table_context*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:4308:14
      		 
          #5 0x65067ba78365 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:4791:14
      		 
          #6 0x65067ba885e1 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:5779:7
      		 
          #7 0x65067b552404 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.h:544:10
      		 
          #8 0x65067bf890b3 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:6093:14
      		 
          #9 0x65067bf74a28 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:3955:12
      		 
          #10 0x65067bf4e098 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7895:18
      		 
          #11 0x65067bf4785c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
      		 
          #12 0x65067bf504ca in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
      		 
          #13 0x65067c75580c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
      		 
          #14 0x65067c755315 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
      		 
          #15 0x65067af0e1ba in asan_thread_start(void*) crtstuff.c
      		 
       
      		 
      Thread T12 created by T0 here:
      		 
          #0 0x65067aef48b5 in pthread_create (/test/MDEV-35915_7_UBASAN_MD141025-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3b7e8b5) (BuildId: d5a66a3a89a7a4942fa0e58a12f5e6af23fc5932)
      		 
          #1 0x65067af6820c in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6272:19
      		 
          #2 0x65067af69295 in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6508:9
      		 
          #3 0x65067af6781a in run_main_loop() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:5750:3
      		 
          #4 0x65067af5d1ce in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6173:3
      		 
          #5 0x715ace62a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
      		 
          #6 0x715ace62a28a in __libc_start_main csu/../csu/libc-start.c:360:3
      		 
          #7 0x65067ae6b1c4 in _start (/test/MDEV-35915_7_UBASAN_MD141025-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3af51c4) (BuildId: d5a66a3a89a7a4942fa0e58a12f5e6af23fc5932)
      		 
       
      		 
      SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3780:3 in MDL_context::set_lock_duration(MDL_ticket*, enum_mdl_duration)
      		 
      Shadow bytes around the buggy address:
      		 
        0x6ddacd62c180: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x6ddacd62c200: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x6ddacd62c280: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x6ddacd62c300: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x6ddacd62c380: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
      =>0x6ddacd62c400: fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd fd fd
      		 
        0x6ddacd62c480: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x6ddacd62c500: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x6ddacd62c580: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x6ddacd62c600: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x6ddacd62c680: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Container overflow:      fc
      		 
        Array cookie:            ac
      		 
        Intra object redzone:    bb
      		 
        ASan internal:           fe
      		 
        Left alloca redzone:     ca
      		 
        Right alloca redzone:    cb
      		 
      ==660376==ABORTING

      Attachments

        Issue Links

          is caused by

          New Feature - A new feature of the product, which has yet to be developed. MDEV-35915 Implement Global temporary tables

          • Critical - Crashes, loss of data, severe memory leak.
          • In Testing
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-37720 use-after-free on CREATE OR REPLACE GTT under LOCK TABLES and pseudo_slave_mode

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              nikitamalyavin Nikita Malyavin
              Roel Roel Van de Paar
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.