[MDEV-38449] GTT+ha_federatedx: Assertion `sp && savepoint_next && *sp && *sp <= savepoint_level' failed and memory corruption on RELEASE SAVEPOINT - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: N/A
Fix Version/s: N/A
Component/s: Data Definition - Temporary, Storage Engine - Federated, Storage Engine - Memory
Labels:

Bug Category:
Not for Release Notes

Description

INSTALL SONAME 'ha_federatedx';

CREATE GLOBAL TEMPORARY TABLE t1 (c INT) ENGINE=MEMORY ON COMMIT PRESERVE ROWS;

CREATE SERVER srv FOREIGN DATA WRAPPER mysql OPTIONS (SOCKET '../socket.sock', DATABASE 'test', USER 'root@localhost', PASSWORD '');

CREATE GLOBAL TEMPORARY TABLE t3 (c INT) CONNECTION='srv/t1' ENGINE=Federated ON COMMIT DELETE ROWS;

XA START 'a';

INSERT INTO t3 (a,b) VALUES (1,1);

SAVEPOINT sp1;

RELEASE SAVEPOINT sp1;

Leads to:

MDEV-35915 CS 12.2.0 228260ead7d9343e81a6d73bc0eb7ec96718d917 (Debug, Clang 21.1.3-20250923) Build 27/12/2025

mariadbd: /test/bb-12.2-nikita-global-tmp_dbg/storage/federatedx/federatedx_txn.cc:343: int federatedx_txn::sp_release(ulong *): Assertion `sp && savepoint_next && *sp && *sp <= savepoint_level' failed.

MDEV-35915 CS 12.2.0 228260ead7d9343e81a6d73bc0eb7ec96718d917 (Debug, Clang 21.1.3-20250923) Build 27/12/2025
Core was generated by `/test/MDEV-35915_v9_MD271225-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd --no-'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44

[Current thread is 1 (LWP 1545012)]
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
#3 0x000079a53644526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
#4 0x000079a5364288ff in __GI_abort () at ./stdlib/abort.c:79
#5 0x000079a53642881b in __assert_fail_base (fmt=0x79a5365d01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x79a5349973b7 "sp && savepoint_next && sp && sp <= savepoint_level", file=file@entry=0x79a534997739 "/test/bb-12.2-nikita-global-tmp_dbg/storage/federatedx/federatedx_txn.cc", line=line@entry=343, function=function@entry=0x79a53499682a "int federatedx_txn::sp_release(ulong *)") at ./assert/assert.c:94
#6 0x000079a53643b507 in __assert_fail (assertion=0x79a5349973b7 "sp && savepoint_next && sp && sp <= savepoint_level", file=0x79a534997739 "/test/bb-12.2-nikita-global-tmp_dbg/storage/federatedx/federatedx_txn.cc", line=343, function=0x79a53499682a "int federatedx_txn::sp_release(ulong *)")at ./assert/assert.c:103
#7 0x000079a5349ad3e9 in federatedx_txn::sp_release (this=0x79a408053dc0, sp=0x79a408021ef0)at /test/bb-12.2-nikita-global-tmp_dbg/storage/federatedx/federatedx_txn.cc:343
#8 0x000079a53499e7d2 in ha_federatedx::savepoint_release (thd=0x79a408000d58, sv=0x79a408021ef0)at /test/bb-12.2-nikita-global-tmp_dbg/storage/federatedx/ha_federatedx.cc:3590
#9 0x00006365c696dff4 in ha_release_savepoint (thd=0x79a408000d58, sv=0x79a408021e80)at /test/bb-12.2-nikita-global-tmp_dbg/sql/handler.cc:3176
#10 0x00006365c6fc06cd in trans_release_savepoint (thd=0x79a408000d58, name={str = 0x79a408019f08 "sp1", length = 3})at /test/bb-12.2-nikita-global-tmp_dbg/sql/transaction.cc:780
#11 0x00006365c6dbb8a1 in mysql_execute_command (thd=0x79a408000d58, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:5577
#12 0x00006365c6dadc18 in mysql_parse (thd=0x79a408000d58, rawbuf=0x79a408019e80 "RELEASE SAVEPOINT sp1", length=21, parser_state=0x79a5349fda10)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:7911
#13 0x00006365c6dab3f9 in dispatch_command (command=COM_QUERY, thd=0x79a408000d58, packet=0x79a40800b1f9 "RELEASE SAVEPOINT sp1", packet_length=21, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1898
#14 0x00006365c6dae69a in do_command (thd=0x79a408000d58, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1437
#15 0x00006365c6fa104e in do_handle_one_connection (connect=0x6365c9e2e298, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1414
#16 0x00006365c6fa0e31 in handle_one_connection (arg=0x6365c9eb6648)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1326
#17 0x000079a53649ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#18 0x000079a536529c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

And ASAN sees a memory corruption:

MDEV-35915 CS 12.2.0 228260ead7d9343e81a6d73bc0eb7ec96718d917 (Debug, UBASAN, Clang 21.1.3-20250923) Build 27/12/2025
==1918651==ERROR: AddressSanitizer: use-after-poison on address 0x7122030e59a8 at pc 0x6ed1885b52a6 bp 0x6ed12f900440 sp 0x6ed12f900438
READ of size 8 at 0x7122030e59a8 thread T11
#0 0x6ed1885b52a5 in federatedx_txn::sp_release(unsigned long*) /test/bb-12.2-nikita-global-tmp_dbg_san/storage/federatedx/federatedx_txn.cc:343:3
#1 0x5a23ba9cbdbb in ha_release_savepoint(THD, st_savepoint) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/handler.cc:3176:15
#2 0x5a23bc152466 in trans_release_savepoint(THD*, st_mysql_const_lex_string) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/transaction.cc:780:7
#3 0x5a23bb8feb59 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5577:9
#4 0x5a23bb8df9a8 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7911:18
#5 0x5a23bb8d9161 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1898:7
#6 0x5a23bb8e1dda in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1437:17
#7 0x5a23bc0e63dc in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
#8 0x5a23bc0e5ee5 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
#9 0x5a23ba89ea8a in asan_thread_start(void*) crtstuff.c
#10 0x72d20429ca93 in start_thread nptl/pthread_create.c:447:8
#11 0x72d204329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x7122030e59a8 is located 168 bytes inside of 8184-byte region [0x7122030e5900,0x7122030e78f8)
allocated by thread T11 here:
#0 0x5a23ba8a1208 in malloc (/test/MDEV-35915_v9_UBASAN_MD271225-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3b9c208) (BuildId: 7f11495be59e36864e7725fab8d210105f35e511)
#1 0x5a23bda62851 in my_malloc /test/bb-12.2-nikita-global-tmp_dbg_san/mysys/my_malloc.c:93:29
#2 0x5a23bda160a6 in reset_root_defaults /test/bb-12.2-nikita-global-tmp_dbg_san/mysys/my_alloc.c:247:30
#3 0x5a23bb48c05b in THD::init_for_queries() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_class.cc:1530:3
#4 0x5a23bc0e4fd9 in prepare_new_connection_state(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1252:8
#5 0x5a23bc0e8156 in thd_prepare_connection(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1347:3
#6 0x5a23bc0e63c0 in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1404:9
#7 0x5a23bc0e5ee5 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
#8 0x5a23ba89ea8a in asan_thread_start(void*) crtstuff.c

Thread T11 created by T0 here:
#0 0x5a23ba885185 in pthread_create (/test/MDEV-35915_v9_UBASAN_MD271225-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3b80185) (BuildId: 7f11495be59e36864e7725fab8d210105f35e511)
#1 0x5a23ba8f8adc in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6272:19
#2 0x5a23ba8f9b65 in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6508:9
#3 0x5a23ba8f80ea in run_main_loop() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:5750:3
#4 0x5a23ba8eda9e in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6173:3
#5 0x72d20422a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x72d20422a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x5a23ba7fba94 in _start (/test/MDEV-35915_v9_UBASAN_MD271225-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3af6a94) (BuildId: 7f11495be59e36864e7725fab8d210105f35e511)

SUMMARY: AddressSanitizer: use-after-poison /test/bb-12.2-nikita-global-tmp_dbg_san/storage/federatedx/federatedx_txn.cc:343:3 in federatedx_txn::sp_release(unsigned long*)
Shadow bytes around the buggy address:
0x7122030e5700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7122030e5780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7122030e5800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7122030e5880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7122030e5900: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
=>0x7122030e5980: f7 04 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x7122030e5a00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x7122030e5a80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x7122030e5b00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x7122030e5b80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x7122030e5c00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb

NOTE: the stack trace above identifies the code that accessed the poisoned memory.
To identify the code that poisoned the memory, try the experimental setting ASAN_OPTIONS=poison_history_size=<size>.
==1918651==ABORTING

MDEV-35915 CS 12.2.0 228260ead7d9343e81a6d73bc0eb7ec96718d917 (Optimized, UBASAN, Clang 21.1.3-20250923) Build 27/12/2025
==1916098==ERROR: AddressSanitizer: use-after-poison on address 0x7493f07039a8 at pc 0x72438e9af678 bp 0x7243369005c0 sp 0x7243369005b8
WRITE of size 8 at 0x7493f07039a8 thread T10
#0 0x72438e9af677 in federatedx_txn::sp_release(unsigned long*) /test/bb-12.2-nikita-global-tmp_opt_san/storage/federatedx/federatedx_txn.cc:355:6
#1 0x61773aef7c60 in ha_release_savepoint(THD, st_savepoint) /test/bb-12.2-nikita-global-tmp_opt_san/sql/handler.cc:3176:15
#2 0x61773c6926a3 in trans_release_savepoint(THD*, st_mysql_const_lex_string) /test/bb-12.2-nikita-global-tmp_opt_san/sql/transaction.cc:780:7
#3 0x61773be2316b in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5577:9
#4 0x61773be017e5 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7911:18
#5 0x61773bdf99ad in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1898:7
#6 0x61773be03720 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1437:17
#7 0x61773c62e1bc in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#8 0x61773c62dcd6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#9 0x61773ade1aca in asan_thread_start(void*) crtstuff.c
#10 0x7643f189ca93 in start_thread nptl/pthread_create.c:447:8
#11 0x7643f1929c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x7493f07039a8 is located 168 bytes inside of 8184-byte region [0x7493f0703900,0x7493f07058f8)
allocated by thread T10 here:
#0 0x61773ade4248 in malloc (/test/MDEV-35915_v9_UBASAN_MD271225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fcf248) (BuildId: 36fa81a16067ba38044d96ac0e7bc8372d20deb9)
#1 0x61773dd95385 in my_malloc /test/bb-12.2-nikita-global-tmp_opt_san/mysys/my_malloc.c:93:29
#2 0x61773dd63da5 in reset_root_defaults /test/bb-12.2-nikita-global-tmp_opt_san/mysys/my_alloc.c:247:30
#3 0x61773c62cc18 in prepare_new_connection_state(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1252:8
#4 0x61773c62fed3 in thd_prepare_connection(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1347:3
#5 0x61773c62e199 in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1404:9
#6 0x61773c62dcd6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#7 0x61773ade1aca in asan_thread_start(void*) crtstuff.c

Thread T10 created by T0 here:
#0 0x61773adc81c5 in pthread_create (/test/MDEV-35915_v9_UBASAN_MD271225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fb31c5) (BuildId: 36fa81a16067ba38044d96ac0e7bc8372d20deb9)
#1 0x61773ae3a7f9 in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6272:19
#2 0x61773ae3bb3a in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6508:9
#3 0x61773ae39f40 in run_main_loop() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:5750:3
#4 0x61773ae30a7e in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6173:3
#5 0x7643f182a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x7643f182a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x61773ad3ead4 in _start (/test/MDEV-35915_v9_UBASAN_MD271225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2f29ad4) (BuildId: 36fa81a16067ba38044d96ac0e7bc8372d20deb9)

SUMMARY: AddressSanitizer: use-after-poison /test/bb-12.2-nikita-global-tmp_opt_san/storage/federatedx/federatedx_txn.cc:355:6 in federatedx_txn::sp_release(unsigned long*)
Shadow bytes around the buggy address:
0x7493f0703700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7493f0703780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7493f0703800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7493f0703880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7493f0703900: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
=>0x7493f0703980: f7 04 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x7493f0703a00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x7493f0703a80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x7493f0703b00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x7493f0703b80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x7493f0703c00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb

NOTE: the stack trace above identifies the code that accessed the poisoned memory.
To identify the code that poisoned the memory, try the experimental setting ASAN_OPTIONS=poison_history_size=<size>.
==1916098==ABORTING

Attachments

Issue Links

causes

MDEV-38528 Federated[x] TEMPORARY table creation no longer possible after MDEV-38449 patch

Confirmed

duplicates

MDEV-38526 Federatedx: ASAN: use-after-poison memory corruption on SAVEPOINT

Open

is caused by

MDEV-35915 Implement Global temporary tables

In Testing

relates to

MDEV-38440 UBSAN invalid-bool-load in ha_federated::end_bulk_insert on INSERT to Federated GTT

In Testing

GTT+ha_federatedx: Assertion `sp && savepoint_next && sp && sp <= savepoint_level' failed and memory corruption on RELEASE SAVEPOINT

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration