[MDEV-38444] ASAN heap-use-after-free memory corruption on FLUSH TABLES - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Minor
Resolution: Unresolved
Affects Version/s: N/A
Fix Version/s: N/A
Component/s: Data Definition - Temporary, Locking
Labels:

Bug Category:
Can result in unexpected behaviour

Description

SET pseudo_slave_mode=1;

CREATE GLOBAL TEMPORARY TABLE t (c INT);

LOCK TABLE t WRITE;

INSERT INTO t VALUES (1);

FLUSH TABLES;

Leads to:

MDEV-35915 CS 12.2.0 228260ead7d9343e81a6d73bc0eb7ec96718d917 (Debug, Clang 21.1.3-20250923) Build 27/12/2025
mariadbd: /test/bb-12.2-nikita-global-tmp_dbg/sql/table_cache.cc:479: void tdc_assert_clean_share(TDC_element *): Assertion `element->all_tables.is_empty()' failed.

MDEV-35915 CS 12.2.0 228260ead7d9343e81a6d73bc0eb7ec96718d917 (Debug, Clang 21.1.3-20250923) Build 27/12/2025
Core was generated by `/test/MDEV-35915_v9_MD271225-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd --no-'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44

[Current thread is 1 (LWP 3878250)]
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
#3 0x000070f07a24526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
#4 0x000070f07a2288ff in __GI_abort () at ./stdlib/abort.c:79
#5 0x000070f07a22881b in __assert_fail_base (fmt=0x70f07a3d01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x579867445db5 "element->all_tables.is_empty()", file=file@entry=0x57986738d480 "/test/bb-12.2-nikita-global-tmp_dbg/sql/table_cache.cc", line=line@entry=479, function=function@entry=0x579867362b6f "void tdc_assert_clean_share(TDC_element *)") at ./assert/assert.c:94
#6 0x000070f07a23b507 in __assert_fail (assertion=0x579867445db5 "element->all_tables.is_empty()", file=0x57986738d480 "/test/bb-12.2-nikita-global-tmp_dbg/sql/table_cache.cc", line=479, function=0x579867362b6f "void tdc_assert_clean_share(TDC_element *)")at ./assert/assert.c:103
#7 0x0000579868349ad6 in tdc_assert_clean_share (element=0x70ef4c030848)at /test/bb-12.2-nikita-global-tmp_dbg/sql/table_cache.cc:479
#8 0x0000579868347e41 in tdc_delete_share_from_hash (element=0x70ef4c030848)at /test/bb-12.2-nikita-global-tmp_dbg/sql/table_cache.cc:532
#9 0x0000579868347b78 in tdc_purge (all=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/table_cache.cc:716
#10 0x0000579867ea7b98 in purge_tables ()at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_base.cc:350
#11 0x0000579867ea7d3c in close_cached_tables (thd=0x70ef4c000d58, tables=0x0, wait_for_refresh=true, timeout=86400)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_base.cc:377
#12 0x000057986824c010 in reload_acl_and_cache (thd=0x70ef4c000d58, options=4, tables=0x0, write_to_binlog=0x70f0789fcb94)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_reload.cc:358
#13 0x000057986801279f in mysql_execute_command (thd=0x70ef4c000d58, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:5346
#14 0x0000579868005c18 in mysql_parse (thd=0x70ef4c000d58, rawbuf=0x70ef4c019e80 "FLUSH TABLES", length=12, parser_state=0x70f0789fda10)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:7911
#15 0x00005798680033f9 in dispatch_command (command=COM_QUERY, thd=0x70ef4c000d58, packet=0x70ef4c00b1f9 "FLUSH TABLES", packet_length=12, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1898
#16 0x000057986800669a in do_command (thd=0x70ef4c000d58, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1437
#17 0x00005798681f904e in do_handle_one_connection (connect=0x57986abe7108, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1414
#18 0x00005798681f8e31 in handle_one_connection (arg=0x57986ac6f4b8)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1326
#19 0x000070f07a29ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#20 0x000070f07a329c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

And, more importantly, to this memory corruption:

MDEV-35915 CS 12.2.0 228260ead7d9343e81a6d73bc0eb7ec96718d917 (Optimized, UBASAN, Clang 21.1.3-20250923) Build 27/12/2025
==271300==ERROR: AddressSanitizer: heap-use-after-free on address 0x7b6febb12b98 at pc 0x5e08cf3497c6 bp 0x791f18500430 sp 0x791f18500428
READ of size 8 at 0x7b6febb12b98 thread T11
#0 0x5e08cf3497c5 in find_locked_table(TABLE, char const, char const*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2550:35
#1 0x5e08cf332796 in find_table_for_mdl_upgrade(THD, char const, char const, int) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2583:15
#2 0x5e08cf33205a in close_cached_tables(THD, TABLE_LIST, bool, unsigned long) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:405:21
#3 0x5e08d0124f7f in reload_acl_and_cache(THD, unsigned long long, TABLE_LIST, int*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_reload.cc:358:13
#4 0x5e08cf850add in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5346:10
#5 0x5e08cf82e7e5 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7911:18
#6 0x5e08cf8269ad in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1898:7
#7 0x5e08cf830720 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1437:17
#8 0x5e08d005b1bc in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#9 0x5e08d005acd6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#10 0x5e08ce80eaca in asan_thread_start(void*) crtstuff.c
#11 0x7d1feca9ca93 in start_thread nptl/pthread_create.c:447:8
#12 0x7d1fecb29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x7b6febb12b98 is located 664 bytes inside of 8184-byte region [0x7b6febb12900,0x7b6febb148f8)
freed by thread T11 here:
#0 0x5e08ce810faa in free (/test/MDEV-35915_v9_UBASAN_MD271225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fcefaa) (BuildId: 36fa81a16067ba38044d96ac0e7bc8372d20deb9)
#1 0x5e08d1793997 in root_free /test/bb-12.2-nikita-global-tmp_opt_san/mysys/my_alloc.c:77:5
#2 0x5e08d1793997 in free_root /test/bb-12.2-nikita-global-tmp_opt_san/mysys/my_alloc.c:517:7
#3 0x5e08cfe95227 in TABLE_SHARE::destroy() /test/bb-12.2-nikita-global-tmp_opt_san/sql/table.cc:554:3
#4 0x5e08d04b346f in tdc_purge(bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/table_cache.cc:716:5
#5 0x5e08cf331693 in purge_tables() /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:350:3
#6 0x5e08cf331693 in close_cached_tables(THD, TABLE_LIST, bool, unsigned long) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:377:5
#7 0x5e08d0124f7f in reload_acl_and_cache(THD, unsigned long long, TABLE_LIST, int*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_reload.cc:358:13
#8 0x5e08cf850add in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5346:10
#9 0x5e08cf82e7e5 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7911:18
#10 0x5e08cf8269ad in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1898:7
#11 0x5e08cf830720 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1437:17
#12 0x5e08d005b1bc in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#13 0x5e08d005acd6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#14 0x5e08ce80eaca in asan_thread_start(void*) crtstuff.c

previously allocated by thread T11 here:
#0 0x5e08ce811248 in malloc (/test/MDEV-35915_v9_UBASAN_MD271225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fcf248) (BuildId: 36fa81a16067ba38044d96ac0e7bc8372d20deb9)
#1 0x5e08d17c2385 in my_malloc /test/bb-12.2-nikita-global-tmp_opt_san/mysys/my_malloc.c:93:29
#2 0x5e08d178f35e in init_alloc_root /test/bb-12.2-nikita-global-tmp_opt_san/mysys/my_alloc.c:178:22
#3 0x5e08cff23e79 in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /test/bb-12.2-nikita-global-tmp_opt_san/sql/thr_malloc.cc:64:3
#4 0x5e08cfe92e48 in alloc_table_share(char const, char const, char const*, unsigned int) /test/bb-12.2-nikita-global-tmp_opt_san/sql/table.cc:366:3
#5 0x5e08d04b559f in tdc_acquire_share(THD, TABLE_LIST, unsigned int, TABLE**) /test/bb-12.2-nikita-global-tmp_opt_san/sql/table_cache.cc:848:18
#6 0x5e08cf3440bb in open_table(THD, TABLE_LIST, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2183:10
#7 0x5e08cf357d43 in open_and_process_table(THD, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy, bool, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:4293:14
#8 0x5e08cf357d43 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:4776:14
#9 0x5e08cf86cb1f in open_tables(THD, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.h:282:10
#10 0x5e08cf86cb1f in lock_tables_open_and_lock_tables(THD, TABLE_LIST) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:2910:7
#11 0x5e08cf8534ee in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:4966:10
#12 0x5e08cf82e7e5 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7911:18
#13 0x5e08cf8269ad in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1898:7
#14 0x5e08cf830720 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1437:17
#15 0x5e08d005b1bc in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#16 0x5e08d005acd6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#17 0x5e08ce80eaca in asan_thread_start(void*) crtstuff.c

Thread T11 created by T0 here:
#0 0x5e08ce7f51c5 in pthread_create (/test/MDEV-35915_v9_UBASAN_MD271225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fb31c5) (BuildId: 36fa81a16067ba38044d96ac0e7bc8372d20deb9)
#1 0x5e08ce8677f9 in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6272:19
#2 0x5e08ce868b3a in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6508:9
#3 0x5e08ce866f40 in run_main_loop() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:5750:3
#4 0x5e08ce85da7e in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6173:3
#5 0x7d1feca2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x7d1feca2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x5e08ce76bad4 in _start (/test/MDEV-35915_v9_UBASAN_MD271225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2f29ad4) (BuildId: 36fa81a16067ba38044d96ac0e7bc8372d20deb9)

SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2550:35 in find_locked_table(TABLE, char const, char const*)
Shadow bytes around the buggy address:
0x7b6febb12900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7b6febb12980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7b6febb12a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7b6febb12a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7b6febb12b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x7b6febb12b80: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
0x7b6febb12c00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7b6febb12c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7b6febb12d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7b6febb12d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7b6febb12e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==271300==ABORTING

Attachments

Issue Links

duplicates

MDEV-38448 Memory corruption in find_locked_table and SIGSEGV from memcpy in TABLE_LIST::is_the_same_definition on CREATE GTT

In Testing

is caused by

MDEV-35915 Implement Global temporary tables

In Testing

Activity

People

Assignee:: Nikita Malyavin

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2025-12-29 05:07

Updated:: 1 week ago 07:26

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.