[MDEV-38448] Memory corruption in find_locked_table and SIGSEGV from memcpy in TABLE_LIST::is_the_same_definition on CREATE GTT - Jira

XML

Word

Printable

Details

Type: Bug
Status: In Testing (View Workflow)
Priority: Critical
Resolution: Unresolved
Affects Version/s: N/A
Fix Version/s: N/A
Component/s: Data Definition - Create Table, Data Definition - Temporary, Storage Engine - Archive, Storage Engine - InnoDB
Labels:

Bug Category:
Can result in data loss

Description

SET sql_mode='', pseudo_slave_mode=1, GLOBAL innodb_stats_persistent=0;

CREATE GLOBAL TEMPORARY TABLE t1 (c INT) ENGINE=ARCHIVE ON COMMIT DELETE ROWS;

SET max_session_mem_used=8192;

SELECT 1 FROM t1;

LOCK TABLES t1 WRITE;

ALTER TABLE t1 ADD d INT;

INSERT INTO t1 VALUES (1);

DROP TABLE t;

CREATE GLOBAL TEMPORARY TABLE t1 (c INT);

On debug builds leads to the same crash as observed in MDEV-38438 upon the INSERT, however on optimized builds the testcase continues and the final CREATE GTT executes.
This shows an addtional SIGSEGV in TABLE_LIST::set_tabledef_version on regular builds and a memory corruption on ASAN builds:

MDEV-35915 CS 12.2.0 228260ead7d9343e81a6d73bc0eb7ec96718d917 (Optimized, Clang 21.1.3-20250923) Build 27/12/2025
Core was generated by `/test/MDEV-35915_v9_MD271225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd --no-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __memcpy_evex_unaligned_erms ()at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:265

[Current thread is 1 (LWP 2135346)]
(gdb) bt
#0 __memcpy_evex_unaligned_erms ()at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:265
#1 0x000059293c3e69dc in memcpy (__dest=0x76cfd40179c0, __src=0x64656b636f6c2074, __len=5713977660228073248)at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
#2 TABLE_LIST::set_tabledef_version (this=0x76cfd40177a8, s=0x76cfd4021680)at /test/bb-12.2-nikita-global-tmp_opt/sql/table.h:3150
#3 TABLE_LIST::is_the_same_definition (this=0x76cfd40177a8, thd=<optimized out>, s=0x76cfd4021680)at /test/bb-12.2-nikita-global-tmp_opt/sql/table.cc:10438
#4 0x000059293c1ffdd7 in check_and_update_table_version (thd=0x76cfd4000c68, table_share=0x76cfd4021680, tables=<optimized out>)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_base.cc:3202
#5 open_and_process_table (thd=0x76cfd4000c68, tables=0x76cfd40177a8, counter=0x76d0bc7fd84c, flags=0, prelocking_strategy=0x76d0bc7fd888, ot_ctx=0x76d0bc7fd598, has_prelocking_list=<optimized out>)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_base.cc:4348
#6 open_tables (thd=0x76cfd4000c68, thd@entry=0x100, options=@0x76d0bc7fdde4: {m_options = DDL_options_st::OPT_NONE}, start=start@entry=0x76d0bc7fd840, counter=counter@entry=0x76d0bc7fd84c, flags=flags@entry=0, prelocking_strategy=prelocking_strategy@entry=0x76d0bc7fd888)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_base.cc:4776
#7 0x000059293c201a84 in open_and_lock_tables (thd=0x76cfd40179c0, thd@entry=0x100, options=<error reading variable: Cannot access memory at address 0x64656b636f6c2074>, tables=0x76cfd40177a8, derived=false, flags=2, flags@entry=0, prelocking_strategy=0x0, prelocking_strategy@entry=0x76d0bc7fd888)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_base.cc:5764
#8 0x000059293c3acd74 in open_and_lock_tables (thd=0x76cfd4000c68, options=@0x76d0bc7fdde4: {m_options = DDL_options_st::OPT_NONE}, tables=0x76cfd40177a8, derived=false, flags=0)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_base.h:536
#9 mysql_create_table (thd=0x76cfd40179c0, thd@entry=0x76cfd4000c68, create_table=create_table@entry=0x76cfd40177a8, create_info=create_info@entry=0x76d0bc7fdba0, alter_info=alter_info@entry=0x76d0bc7fda28)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_table.cc:5304
#10 0x000059293c3abe00 in Sql_cmd_create_table_like::execute (this=<optimized out>, thd=0x76cfd4000c68)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_table.cc:14033
#11 0x000059293c2d129c in mysql_execute_command (thd=thd@entry=0x76cfd4000c68, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:5878
#12 0x000059293c2cc524 in mysql_parse (thd=thd@entry=0x76cfd4000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x76d0bc7fe420)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:7911
#13 0x000059293c2cacbd in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x76cfd4000c68, packet=packet@entry=0x76cfd40089f9 "CREATE GLOBAL TEMPORARY TABLE t1 (c INT)", packet_length=packet_length@entry=40, blocking=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:1898
#14 0x000059293c2cc9a1 in do_command (thd=thd@entry=0x76cfd4000c68, blocking=true) at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:1437
#15 0x000059293c422a5d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x59293ed89b38, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1414
#16 0x000059293c42281f in handle_one_connection (arg=arg@entry=0x59293ed89b38)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1326
#17 0x000059293c5e77c9 in pfs_spawn_thread (arg=0x59293ed2caf8)at /test/bb-12.2-nikita-global-tmp_opt/storage/perfschema/pfs.cc:2198
#18 0x000076d0c629ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#19 0x000076d0c6329c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

MDEV-35915 CS 12.2.0 228260ead7d9343e81a6d73bc0eb7ec96718d917 (Optimized, UBASAN, Clang 21.1.3-20250923) Build 27/12/2025
==2136856==ERROR: AddressSanitizer: heap-use-after-free on address 0x7d22ef912b98 at pc 0x5fd852ae37c6 bp 0x7ad202d004f0 sp 0x7ad202d004e8
READ of size 8 at 0x7d22ef912b98 thread T12
#0 0x5fd852ae37c5 in find_locked_table(TABLE, char const, char const*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2550:35
#1 0x5fd852acc796 in find_table_for_mdl_upgrade(THD, char const, char const, int) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2583:15
#2 0x5fd8534a7e3a in mysql_rm_table(THD, TABLE_LIST, bool, bool, bool, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:1246:25
#3 0x5fd852fedb4f in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:4789:10
#4 0x5fd852fc87e5 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7911:18
#5 0x5fd852fc09ad in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1898:7
#6 0x5fd852fca720 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1437:17
#7 0x5fd8537f51bc in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#8 0x5fd8537f4cd6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#9 0x5fd851fa8aca in asan_thread_start(void*) crtstuff.c
#10 0x7ed2f0a9ca93 in start_thread nptl/pthread_create.c:447:8
#11 0x7ed2f0b29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x7d22ef912b98 is located 664 bytes inside of 8184-byte region [0x7d22ef912900,0x7d22ef9148f8)
freed by thread T12 here:
#0 0x5fd851faafaa in free (/test/MDEV-35915_v9_UBASAN_MD271225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fcefaa) (BuildId: 36fa81a16067ba38044d96ac0e7bc8372d20deb9)
#1 0x5fd854f2d997 in root_free /test/bb-12.2-nikita-global-tmp_opt_san/mysys/my_alloc.c:77:5
#2 0x5fd854f2d997 in free_root /test/bb-12.2-nikita-global-tmp_opt_san/mysys/my_alloc.c:517:7
#3 0x5fd85362f227 in TABLE_SHARE::destroy() /test/bb-12.2-nikita-global-tmp_opt_san/sql/table.cc:554:3
#4 0x5fd852ae0744 in open_table(THD, TABLE_LIST, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2526:3
#5 0x5fd852af1d43 in open_and_process_table(THD, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy, bool, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:4293:14
#6 0x5fd852af1d43 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:4776:14
#7 0x5fd852b000f5 in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:5764:7
#8 0x5fd8525af303 in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.h:544:10
#9 0x5fd852e78d0d in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_insert.cc:789:9
#10 0x5fd852fecd14 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:4476:10
#11 0x5fd852fc87e5 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7911:18
#12 0x5fd852fc09ad in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1898:7
#13 0x5fd852fca720 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1437:17
#14 0x5fd8537f51bc in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#15 0x5fd8537f4cd6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#16 0x5fd851fa8aca in asan_thread_start(void*) crtstuff.c

previously allocated by thread T12 here:
#0 0x5fd851fab248 in malloc (/test/MDEV-35915_v9_UBASAN_MD271225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fcf248) (BuildId: 36fa81a16067ba38044d96ac0e7bc8372d20deb9)
#1 0x5fd854f5c385 in my_malloc /test/bb-12.2-nikita-global-tmp_opt_san/mysys/my_malloc.c:93:29
#2 0x5fd854f2935e in init_alloc_root /test/bb-12.2-nikita-global-tmp_opt_san/mysys/my_alloc.c:178:22
#3 0x5fd8536bde79 in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /test/bb-12.2-nikita-global-tmp_opt_san/sql/thr_malloc.cc:64:3
#4 0x5fd85362ce48 in alloc_table_share(char const, char const, char const*, unsigned int) /test/bb-12.2-nikita-global-tmp_opt_san/sql/table.cc:366:3
#5 0x5fd853c4f59f in tdc_acquire_share(THD, TABLE_LIST, unsigned int, TABLE**) /test/bb-12.2-nikita-global-tmp_opt_san/sql/table_cache.cc:848:18
#6 0x5fd852ade0bb in open_table(THD, TABLE_LIST, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2183:10
#7 0x5fd852af1d43 in open_and_process_table(THD, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy, bool, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:4293:14
#8 0x5fd852af1d43 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:4776:14
#9 0x5fd852b000f5 in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:5764:7
#10 0x5fd8525af303 in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.h:544:10
#11 0x5fd8530016fa in execute_sqlcom_select(THD, TABLE_LIST) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:6109:14
#12 0x5fd852fe52c6 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:3971:12
#13 0x5fd852fc87e5 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7911:18
#14 0x5fd852fc09ad in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1898:7
#15 0x5fd852fca720 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1437:17
#16 0x5fd8537f51bc in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#17 0x5fd8537f4cd6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#18 0x5fd851fa8aca in asan_thread_start(void*) crtstuff.c

Thread T12 created by T0 here:
#0 0x5fd851f8f1c5 in pthread_create (/test/MDEV-35915_v9_UBASAN_MD271225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fb31c5) (BuildId: 36fa81a16067ba38044d96ac0e7bc8372d20deb9)
#1 0x5fd8520017f9 in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6272:19
#2 0x5fd852002b3a in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6508:9
#3 0x5fd852000f40 in run_main_loop() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:5750:3
#4 0x5fd851ff7a7e in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6173:3
#5 0x7ed2f0a2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x7ed2f0a2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x5fd851f05ad4 in _start (/test/MDEV-35915_v9_UBASAN_MD271225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2f29ad4) (BuildId: 36fa81a16067ba38044d96ac0e7bc8372d20deb9)

SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2550:35 in find_locked_table(TABLE, char const, char const*)
Shadow bytes around the buggy address:
0x7d22ef912900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7d22ef912980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7d22ef912a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7d22ef912a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7d22ef912b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x7d22ef912b80: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
0x7d22ef912c00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7d22ef912c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7d22ef912d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7d22ef912d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7d22ef912e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2136856==ABORTING

Attachments

Issue Links

is caused by

MDEV-35915 Implement Global temporary tables

In Testing

is duplicated by

MDEV-38441 Assertion `s->tmp_table != NO_TMP_TABLE || s->tdc->ref_count > 0' failed in TABLE::init on SELECT

Closed

MDEV-38442 Assertion `share->tdc->ref_count' failed in tdc_release_share on BEGIN

Closed

MDEV-38444 ASAN heap-use-after-free memory corruption on FLUSH TABLES

Open

MDEV-38445 malloc(): unaligned [tcache|fastbin] chunk detected, ASAN heap-use-after-free on CoR GTT

Closed

relates to

MDEV-38438 Assertion `element->all_tables.is_empty()' failed in tdc_assert_clean_share on SELECT

In Testing

(1 relates to)

Activity

People

Assignee:: Nikita Malyavin

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2025-12-29 06:04

Updated:: 2 days ago 18:02

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.