[MDEV-37956] ASAN heap-use-after-free and SIGSEGV in mysql_ha_close_table on DROP DATABASE - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Critical
Resolution: Unresolved
Affects Version/s: N/A
Fix Version/s: N/A
Component/s: Data Definition - Temporary
Labels:
- ASAN
- heap-use-after-free

Bug Category:
Not for Release Notes
Sprint:
Q4/2025 Server Development

Description

CREATE GLOBAL TEMPORARY TABLE t (c INT) ON COMMIT PRESERVE ROWS;

HANDLER t OPEN;

DROP DATABASE test;

Leads to:

MDEV-35915-8 CS 12.2.0 c7ea08421d34fa7d45e27919a869ade968bd88c4 (Optimized, Clang 21.1.3-20250923) Build 20/10/2025
Core was generated by `/test/MDEV-35915_8_MD201025-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd --no-d'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00005880580cc55b in mysql_ha_close_table (handler=handler@entry=0x70348002cf50)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_handler.cc:204

[Current thread is 1 (LWP 3039930)]
(gdb) bt
#0 0x00005880580cc55b in mysql_ha_close_table (handler=handler@entry=0x70348002cf50)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_handler.cc:204
#1 0x00005880580cd918 in mysql_ha_rm_tables (thd=thd@entry=0x703480000c68, tables=<optimized out>)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_handler.cc:1125
#2 0x00005880580c00b6 in mysql_rm_db_internal (thd=0x703480000c68, db=@0x7035cc1ccef8: {<Lex_ident_fs> = {<Lex_ident<Compare_table_names>> = {<Lex_cstring> = {<st_mysql_const_lex_string> = {str = 0x7035cc1cd070 "test", length = 4}, <No data fields>}, <No data fields>}, <No data fields>}, <No data fields>}, if_exists=<optimized out>, silent=false)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_db.cc:1137
#3 0x0000588058113a5e in mysql_execute_command (thd=thd@entry=0x703480000c68, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:5057
#4 0x000058805810d1d4 in mysql_parse (thd=thd@entry=0x703480000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7035cc1cd420)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:7895
#5 0x000058805810b97d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x703480000c68, packet=packet@entry=0x7034800089f9 "DROP DATABASE test", packet_length=packet_length@entry=18, blocking=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:1882
#6 0x000058805810d651 in do_command (thd=thd@entry=0x703480000c68, blocking=true) at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:1421
#7 0x000058805826374d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x58805a40cc78, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1414
#8 0x000058805826350f in handle_one_connection (arg=arg@entry=0x58805a40cc78)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1326
#9 0x0000588058428349 in pfs_spawn_thread (arg=0x58805a3bc848)at /test/bb-12.2-nikita-global-tmp_opt/storage/perfschema/pfs.cc:2198
#10 0x00007035ce89ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#11 0x00007035ce929c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

MDEV-35915-8 CS 12.2.0 c7ea08421d34fa7d45e27919a869ade968bd88c4 (Debug, Clang 21.1.3-20250923) Build 20/10/2025
Core was generated by `/test/MDEV-35915_8_MD201025-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd --no-d'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000595eb9385bbf in mysql_ha_close_table (handler=0x719dc4038220)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_handler.cc:204

[Current thread is 1 (LWP 3038641)]
(gdb) bt
#0 0x0000595eb9385bbf in mysql_ha_close_table (handler=0x719dc4038220)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_handler.cc:204
#1 0x0000595eb9387866 in mysql_ha_rm_tables (thd=0x719dc4000d58, tables=0x719dc4019f30)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_handler.cc:1125
#2 0x0000595eb9371c1f in mysql_rm_db_internal (thd=0x719dc4000d58, db=@0x719ef00a1bb8: {<Lex_ident_fs> = {<Lex_ident<Compare_table_names>> = {<Lex_cstring> = {<st_mysql_const_lex_string> = {str = 0x719ef00a1f88 "test", length = 4}, <No data fields>}, <No data fields>}, <No data fields>}, <No data fields>}, if_exists=false, silent=false)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_db.cc:1137
#3 0x0000595eb93717ec in mysql_rm_db (thd=0x719dc4000d58, db=@0x719ef00a1bb8: {<Lex_ident_fs> = {<Lex_ident<Compare_table_names>> = {<Lex_cstring> = {<st_mysql_const_lex_string> = {str = 0x719ef00a1f88 "test", length = 4}, <No data fields>}, <No data fields>}, <No data fields>}, <No data fields>}, if_exists=false) at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_db.cc:1329
#4 0x0000595eb93f1c86 in mysql_execute_command (thd=0x719dc4000d58, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:5057
#5 0x0000595eb93e6538 in mysql_parse (thd=0x719dc4000d58, rawbuf=0x719dc4019e80 "DROP DATABASE test", length=18, parser_state=0x719ef00a2a10)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:7895
#6 0x0000595eb93e3d19 in dispatch_command (command=COM_QUERY, thd=0x719dc4000d58, packet=0x719dc400b1f9 "DROP DATABASE test", packet_length=18, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1882
#7 0x0000595eb93e6fba in do_command (thd=0x719dc4000d58, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1421
#8 0x0000595eb95d99ee in do_handle_one_connection (connect=0x595ebbc1d588, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1414
#9 0x0000595eb95d97d1 in handle_one_connection (arg=0x595ebbc2e628)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1326
#10 0x0000719ef269ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#11 0x0000719ef2729c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

MDEV-35915-8 CS 12.2.0 c7ea08421d34fa7d45e27919a869ade968bd88c4 (Optimized, UBASAN, Clang 21.1.3-20250923) Build 20/10/2025
==3041457==ERROR: AddressSanitizer: heap-use-after-free on address 0x70f35e2737a0 at pc 0x63f3d59b796c bp 0x6f6271900450 sp 0x6f6271900448
READ of size 8 at 0x70f35e2737a0 thread T12
#0 0x63f3d59b796b in mysql_ha_close_table(SQL_HANDLER*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_handler.cc:204:28
#1 0x63f3d59c0ca8 in mysql_ha_rm_tables(THD, TABLE_LIST) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_handler.cc:1125:7
#2 0x63f3d5967ecd in mysql_rm_db_internal(THD*, Lex_ident_db const&, bool, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_db.cc:1137:5
#3 0x63f3d5b3adc6 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5057:10
#4 0x63f3d5b17545 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7895:18
#5 0x63f3d5b0f708 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
#6 0x63f3d5b19480 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
#7 0x63f3d634448c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#8 0x63f3d6343fa6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#9 0x63f3d4af85ea in asan_thread_start(void*) crtstuff.c
#10 0x73635f29ca93 in start_thread nptl/pthread_create.c:447:8
#11 0x73635f329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x70f35e2737a0 is located 32 bytes inside of 1064-byte region [0x70f35e273780,0x70f35e273ba8)
freed by thread T12 here:
#0 0x63f3d4afaaca in free (/test/MDEV-35915_8_UBASAN_MD201025-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fceaca) (BuildId: fc8a216f1e4383a8bb3e6ff4e3296e5d340d15c8)
#1 0x63f3d67b014c in THD::close_temporary_table(TABLE*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1449:3
#2 0x63f3d67b014c in THD::free_temporary_table(TABLE*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1840:3
#3 0x63f3d67b014c in THD::drop_tmp_table_share(TABLE, TMP_TABLE_SHARE, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:811:5
#4 0x63f3d67b27cb in THD::global_tmp_drop_database(Lex_ident_db const&) /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1489:7
#5 0x63f3d5967eb5 in mysql_rm_db_internal(THD*, Lex_ident_db const&, bool, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_db.cc:1130:8
#6 0x63f3d5b3adc6 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5057:10
#7 0x63f3d5b17545 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7895:18
#8 0x63f3d5b0f708 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
#9 0x63f3d5b19480 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
#10 0x63f3d634448c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#11 0x63f3d6343fa6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#12 0x63f3d4af85ea in asan_thread_start(void*) crtstuff.c

previously allocated by thread T12 here:
#0 0x63f3d4afad68 in malloc (/test/MDEV-35915_8_UBASAN_MD201025-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fced68) (BuildId: fc8a216f1e4383a8bb3e6ff4e3296e5d340d15c8)
#1 0x63f3d7aaadc5 in my_malloc /test/bb-12.2-nikita-global-tmp_opt_san/mysys/my_malloc.c:93:29
#2 0x63f3d67a72c4 in THD::open_temporary_table(TMP_TABLE_SHARE*, Lex_ident_table const&) /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1313:26
#3 0x63f3d67a637f in THD::create_and_open_tmp_table(st_mysql_const_unsigned_lex_string, char const, Lex_ident_db const&, Lex_ident_table const&, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:139:12
#4 0x63f3d601e1d2 in create_table_impl(THD, st_ddl_log_state, st_ddl_log_state, Lex_ident_db const&, Lex_ident_table const&, Lex_ident_db const&, Lex_ident_table const&, st_mysql_const_lex_string const&, DDL_options_st, HA_CREATE_INFO, Alter_info, int, bool, st_key*, unsigned int, st_mysql_const_unsigned_lex_string*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:5031:24
#5 0x63f3d601aeea in mysql_create_table_no_lock(THD, st_ddl_log_state, st_ddl_log_state, Table_specification_st, Alter_info, bool, int, TABLE_LIST*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:5119:8
#6 0x63f3d6022ca2 in open_global_temporary_table(THD, TABLE_SHARE, TABLE_LIST, MDL_ticket) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:6311:14
#7 0x63f3d562f2ae in open_table(THD, TABLE_LIST, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2351:22
#8 0x63f3d56419a4 in open_and_process_table(THD, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy, bool, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:4308:14
#9 0x63f3d56419a4 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:4791:14
#10 0x63f3d56129b7 in open_tables(THD, TABLE_LIST, unsigned int, unsigned int) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.h:514:10
#11 0x63f3d59b3203 in mysql_ha_open(THD, TABLE_LIST, SQL_HANDLER*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_handler.cc:348:11
#12 0x63f3d5b38544 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5448:10
#13 0x63f3d5b17545 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7895:18
#14 0x63f3d5b0f708 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
#15 0x63f3d5b19480 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
#16 0x63f3d634448c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#17 0x63f3d6343fa6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#18 0x63f3d4af85ea in asan_thread_start(void*) crtstuff.c

Thread T12 created by T0 here:
#0 0x63f3d4adece5 in pthread_create (/test/MDEV-35915_8_UBASAN_MD201025-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fb2ce5) (BuildId: fc8a216f1e4383a8bb3e6ff4e3296e5d340d15c8)
#1 0x63f3d4b51319 in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6272:19
#2 0x63f3d4b5265a in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6508:9
#3 0x63f3d4b50a60 in run_main_loop() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:5750:3
#4 0x63f3d4b4759e in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6173:3
#5 0x73635f22a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x73635f22a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x63f3d4a555f4 in _start (/test/MDEV-35915_8_UBASAN_MD201025-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2f295f4) (BuildId: fc8a216f1e4383a8bb3e6ff4e3296e5d340d15c8)

SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_handler.cc:204:28 in mysql_ha_close_table(SQL_HANDLER*)
Shadow bytes around the buggy address:
0x70f35e273500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x70f35e273580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x70f35e273600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x70f35e273680: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x70f35e273700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x70f35e273780: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
0x70f35e273800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x70f35e273880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x70f35e273900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x70f35e273980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x70f35e273a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3041457==ABORTING

MDEV-35915-8 CS 12.2.0 c7ea08421d34fa7d45e27919a869ade968bd88c4 (Debug, UBASAN, Clang 21.1.3-20250923) Build 20/10/2025
==3043230==ERROR: AddressSanitizer: heap-use-after-free on address 0x78f797272da0 at pc 0x5b0f9a86e6a6 bp 0x7766aa900310 sp 0x7766aa900308
READ of size 8 at 0x78f797272da0 thread T12
#0 0x5b0f9a86e6a5 in mysql_ha_close_table(SQL_HANDLER*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_handler.cc:204:28
#1 0x5b0f9a876d85 in mysql_ha_rm_tables(THD, TABLE_LIST) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_handler.cc:1125:7
#2 0x5b0f9a82401b in mysql_rm_db_internal(THD*, Lex_ident_db const&, bool, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_db.cc:1137:5
#3 0x5b0f9a9ee6a0 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5057:10
#4 0x5b0f9a9cd098 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7895:18
#5 0x5b0f9a9c685c in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
#6 0x5b0f9a9cf4ca in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
#7 0x5b0f9b1d480c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
#8 0x5b0f9b1d4315 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
#9 0x5b0f9998d1ba in asan_thread_start(void*) crtstuff.c
#10 0x7b679849ca93 in start_thread nptl/pthread_create.c:447:8
#11 0x7b6798529c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x78f797272da0 is located 32 bytes inside of 1064-byte region [0x78f797272d80,0x78f7972731a8)
freed by thread T12 here:
#0 0x5b0f9998f69a in free (/test/MDEV-35915_8_UBASAN_MD201025-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3b9a69a) (BuildId: d4a828b33aebc2797ad9f8c5f8926e77c58b6758)
#1 0x5b0f9b6565d0 in THD::close_temporary_table(TABLE*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:1449:3
#2 0x5b0f9b653b98 in THD::free_temporary_table(TABLE*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:1840:3
#3 0x5b0f9b653b98 in THD::drop_tmp_table_share(TABLE, TMP_TABLE_SHARE, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:811:5
#4 0x5b0f9b656c0b in THD::global_tmp_drop_database(Lex_ident_db const&) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:1489:7
#5 0x5b0f9a824003 in mysql_rm_db_internal(THD*, Lex_ident_db const&, bool, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_db.cc:1130:8
#6 0x5b0f9a9ee6a0 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5057:10
#7 0x5b0f9a9cd098 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7895:18
#8 0x5b0f9a9c685c in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
#9 0x5b0f9a9cf4ca in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
#10 0x5b0f9b1d480c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
#11 0x5b0f9b1d4315 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
#12 0x5b0f9998d1ba in asan_thread_start(void*) crtstuff.c

previously allocated by thread T12 here:
#0 0x5b0f9998f938 in malloc (/test/MDEV-35915_8_UBASAN_MD201025-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3b9a938) (BuildId: d4a828b33aebc2797ad9f8c5f8926e77c58b6758)
#1 0x5b0f9cb501f1 in my_malloc /test/bb-12.2-nikita-global-tmp_dbg_san/mysys/my_malloc.c:93:29
#2 0x5b0f9b64a764 in THD::open_temporary_table(TMP_TABLE_SHARE*, Lex_ident_table const&) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:1313:26
#3 0x5b0f9b64978f in THD::create_and_open_tmp_table(st_mysql_const_unsigned_lex_string, char const, Lex_ident_db const&, Lex_ident_table const&, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:139:12
#4 0x5b0f9aeb3e97 in create_table_impl(THD, st_ddl_log_state, st_ddl_log_state, Lex_ident_db const&, Lex_ident_table const&, Lex_ident_db const&, Lex_ident_table const&, st_mysql_const_lex_string const&, DDL_options_st, HA_CREATE_INFO, Alter_info, int, bool, st_key*, unsigned int, st_mysql_const_unsigned_lex_string*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:5031:24
#5 0x5b0f9aeb07b1 in mysql_create_table_no_lock(THD, st_ddl_log_state, st_ddl_log_state, Table_specification_st, Alter_info, bool, int, TABLE_LIST*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:5119:8
#6 0x5b0f9aeb8ad7 in open_global_temporary_table(THD, TABLE_SHARE, TABLE_LIST, MDL_ticket) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:6311:14
#7 0x5b0f9a4e4102 in open_table(THD, TABLE_LIST, Open_table_context*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:2351:22
#8 0x5b0f9a4f7365 in open_and_process_table(THD, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy, bool, Open_table_context*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:4308:14
#9 0x5b0f9a4f7365 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:4791:14
#10 0x5b0f9a4c08a8 in open_tables(THD, TABLE_LIST, unsigned int, unsigned int) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.h:514:10
#11 0x5b0f9a86a1aa in mysql_ha_open(THD, TABLE_LIST, SQL_HANDLER*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_handler.cc:348:11
#12 0x5b0f9a9eb696 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5448:10
#13 0x5b0f9a9cd098 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7895:18
#14 0x5b0f9a9c685c in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
#15 0x5b0f9a9cf4ca in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
#16 0x5b0f9b1d480c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
#17 0x5b0f9b1d4315 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
#18 0x5b0f9998d1ba in asan_thread_start(void*) crtstuff.c

Thread T12 created by T0 here:
#0 0x5b0f999738b5 in pthread_create (/test/MDEV-35915_8_UBASAN_MD201025-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3b7e8b5) (BuildId: d4a828b33aebc2797ad9f8c5f8926e77c58b6758)
#1 0x5b0f999e720c in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6272:19
#2 0x5b0f999e8295 in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6508:9
#3 0x5b0f999e681a in run_main_loop() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:5750:3
#4 0x5b0f999dc1ce in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6173:3
#5 0x7b679842a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x7b679842a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x5b0f998ea1c4 in _start (/test/MDEV-35915_8_UBASAN_MD201025-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3af51c4) (BuildId: d4a828b33aebc2797ad9f8c5f8926e77c58b6758)

SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_handler.cc:204:28 in mysql_ha_close_table(SQL_HANDLER*)
Shadow bytes around the buggy address:
0x78f797272b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x78f797272b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x78f797272c00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x78f797272c80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x78f797272d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x78f797272d80: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
0x78f797272e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x78f797272e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x78f797272f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x78f797272f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x78f797273000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3043230==ABORTING

Testcase is MTR and CLI compatible. At least InnoDB+MyISAM affected.

Attachments

Issue Links

is caused by

MDEV-35915 Implement Global temporary tables

Stalled

relates to

MDEV-37957 Assertion `(*tables)->reginfo.lock_type >= TL_READ_SKIP_LOCKED' failed on HANDLER READ

Open

MDEV-37720 use-after-free on CREATE OR REPLACE GTT under LOCK TABLES and pseudo_slave_mode

Confirmed

Activity

People

Assignee:: Nikita Malyavin

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 4 days ago 01:38

Updated:: 2 days ago 08:06