  1. MariaDB Server
  2. MDEV-38467

GTT: SIGSEGV, UBSAN null-pointer-use in wait_while_table_is_used on CoR SEQUENCE


Details

    • Not for Release Notes

    Description

      # Reproducer (mysql-test format) for the crash shown in the backtraces below.
      # Two-column global temporary table; the name t is reused for the sequence at the end.
      CREATE GLOBAL TEMPORARY TABLE t (c INT,t TEXT);
      # One value supplied for two columns, so this INSERT is expected to fail.
      --error ER_WRONG_VALUE_COUNT_ON_ROW
      INSERT INTO t VALUES (0);
      # Caps memory for this session; presumably makes a later allocation fail
      # (its exact role in the crash is not stated on this page).
      SET max_session_mem_used=8192;
      LOCK TABLES t WRITE;
      # The crashing statement: the backtraces show it reaching
      # mysql_rm_table_no_locks, which calls wait_while_table_is_used with table=0x0.
      CREATE OR REPLACE SEQUENCE t;
      

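      Leads to a server crash: `mysql_rm_table_no_locks` (sql_table.cc:1695) calls `wait_while_table_is_used` with `table=0x0`, and the null `TABLE*` is then dereferenced: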

      MDEV-35915-v10 CS 12.2.0 2ef81706c8c4782b2f8a45a05ac90377403de2e1 (Optimized, Clang 21.1.3-20250923) Build 31/12/2025

      Core was generated by `/test/MDEV-35915_v10_MD311225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd --no'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  wait_while_table_is_used (thd=thd@entry=0x7a23d8000c68, table=0x0, function=function@entry=HA_EXTRA_NOT_USED, lock_wait_timeout=86400)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_base.cc:1485
      1485	             table->mdl_ticket, MDL_EXCLUSIVE,
      [Current thread is 1 (LWP 1722024)]
      (gdb) bt
      #0  wait_while_table_is_used (thd=thd@entry=0x7a23d8000c68, table=0x0, function=function@entry=HA_EXTRA_NOT_USED, lock_wait_timeout=86400)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_base.cc:1485
      #1  0x000059fad931c8b6 in wait_while_table_is_used (thd=0x7a23d8000c68, table=0x0, table@entry=0x7a23d8000c68, function=HA_EXTRA_NOT_USED)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_base.h:247
      #2  mysql_rm_table_no_locks (thd=thd@entry=0x7a23d8000c68, tables=tables@entry=0x7a23d8017790, current_db=current_db@entry=0x7a23d8000d08, ddl_log_state=0x7a2504bb1ec0, ddl_log_state@entry=0x0, if_exists=<optimized out>, drop_temporary=false, drop_view=<optimized out>, drop_sequence=<optimized out>, dont_log_query=<optimized out>, dont_free_locks=<optimized out>)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_table.cc:1695
      #3  0x000059fad9321e66 in mysql_create_table_no_lock (thd=thd@entry=0x7a23d8000c68, ddl_log_state_create=ddl_log_state_create@entry=0x7a2504bb2920, ddl_log_state_rm=ddl_log_state_rm@entry=0x7a2504bb2940, create_info=create_info@entry=0x7a2504bb2ba0, alter_info=alter_info@entry=0x7a2504bb2a28, is_trans=is_trans@entry=0x7a2504bb29a7, create_table_mode=0, table_list=0x7a23d8017790)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_table.cc:5126
      #4  0x000059fad9333f81 in mysql_create_table (thd=thd@entry=0x7a23d8000c68, create_table=create_table@entry=0x7a23d8017790, create_info=create_info@entry=0x7a2504bb2ba0, alter_info=alter_info@entry=0x7a2504bb2a28)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_table.cc:5346
      #5  0x000059fad9332e00 in Sql_cmd_create_table_like::execute (this=<optimized out>, thd=0x7a23d8000c68)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_table.cc:14034
      #6  0x000059fad9258281 in mysql_execute_command (thd=thd@entry=0x7a23d8000c68, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:5879
      #7  0x000059fad9253504 in mysql_parse (thd=thd@entry=0x7a23d8000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7a2504bb3420)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:7912
      #8  0x000059fad9251c9d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7a23d8000c68, packet=packet@entry=0x7a23d80089f9 "CREATE OR REPLACE SEQUENCE t", packet_length=packet_length@entry=28, blocking=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:1898
      #9  0x000059fad9253981 in do_command (thd=thd@entry=0x7a23d8000c68, blocking=true) at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:1437
      #10 0x000059fad93a9a5d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x59fadc057b48, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1414
      #11 0x000059fad93a981f in handle_one_connection (arg=arg@entry=0x59fadc057b48)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1326
      #12 0x000059fad956e7c9 in pfs_spawn_thread (arg=0x59fadbffab08)at /test/bb-12.2-nikita-global-tmp_opt/storage/perfschema/pfs.cc:2198
      #13 0x00007a2507c9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #14 0x00007a2507d29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      MDEV-35915-v10 CS 12.2.0 2ef81706c8c4782b2f8a45a05ac90377403de2e1 (Debug, Clang 21.1.3-20250923) Build 31/12/2025

      Core was generated by `/test/MDEV-35915_v10_MD311225-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd --no'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x00005c3d0d55799b in wait_while_table_is_used (thd=0x7ce168000d58, table=0x0, function=HA_EXTRA_NOT_USED, lock_wait_timeout=86400)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_base.cc:1479
      1479	  DBUG_ASSERT(!table->s->tmp_table);
      [Current thread is 1 (LWP 1719800)]
      (gdb) bt
      #0  0x00005c3d0d55799b in wait_while_table_is_used (thd=0x7ce168000d58, table=0x0, function=HA_EXTRA_NOT_USED, lock_wait_timeout=86400)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_base.cc:1479
      #1  0x00005c3d0d56bf9e in wait_while_table_is_used (thd=0x7ce168000d58, table=0x0, function=HA_EXTRA_NOT_USED)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_base.h:247
      #2  0x00005c3d0d7d49f2 in mysql_rm_table_no_locks (thd=0x7ce168000d58, tables=0x7ce168019f90, current_db=0x7ce168000e00, ddl_log_state=0x7ce22bf64f80, if_exists=true, drop_temporary=false, drop_view=false, drop_sequence=true, dont_log_query=true, dont_free_locks=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_table.cc:1695
      #3  0x00005c3d0d7dc772 in mysql_create_table_no_lock (thd=0x7ce168000d58, ddl_log_state_create=0x7ce22bf65be8, ddl_log_state_rm=0x7ce22bf65bc8, create_info=0x7ce22bf65fa8, alter_info=0x7ce22bf65e30, is_trans=0x7ce22bf65bbf, create_table_mode=0, table_list=0x7ce168019f90)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_table.cc:5126
      #4  0x00005c3d0d7f69dd in mysql_create_table (thd=0x7ce168000d58, create_table=0x7ce168019f90, create_info=0x7ce22bf65fa8, alter_info=0x7ce22bf65e30)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_table.cc:5346
      #5  0x00005c3d0d7f4fa0 in Sql_cmd_create_table_like::execute (this=0x7ce168019f58, thd=0x7ce168000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_table.cc:14034
      #6  0x00005c3d0d6c192b in mysql_execute_command (thd=0x7ce168000d58, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:5879
      #7  0x00005c3d0d6b2b98 in mysql_parse (thd=0x7ce168000d58, rawbuf=0x7ce168019e80 "CREATE OR REPLACE SEQUENCE t", length=28, parser_state=0x7ce22bf67a10)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:7912
      #8  0x00005c3d0d6b0379 in dispatch_command (command=COM_QUERY, thd=0x7ce168000d58, packet=0x7ce16800b1f9 "CREATE OR REPLACE SEQUENCE t", packet_length=28, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1898
      #9  0x00005c3d0d6b361a in do_command (thd=0x7ce168000d58, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1437
      #10 0x00005c3d0d8a601e in do_handle_one_connection (connect=0x5c3d1110b2a8, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1414
      #11 0x00005c3d0d8a5e01 in handle_one_connection (arg=0x5c3d11193668)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1326
      #12 0x00007ce232a9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #13 0x00007ce232b29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

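      MDEV-35915-v10 CS 12.2.0 2ef81706c8c4782b2f8a45a05ac90377403de2e1 (Optimized, UBASAN, Clang 21.1.3-20250923) Build 31/12/2025
      (Note: the paths in this trace point to the `_dbg_san` build tree and to sql_base.cc:1479, the `DBUG_ASSERT` line hit in the Debug build above; the Optimized/Debug labels on the two UBASAN traces may be swapped.)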

      /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:1479:3: runtime error: member access within null pointer of type 'TABLE'
          #0 0x631c4fe8f343 in wait_while_table_is_used(THD*, TABLE*, ha_extra_function, unsigned long long) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:1479:3
          #1 0x631c508457b6 in wait_while_table_is_used(THD*, TABLE*, ha_extra_function) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.h:247:10
          #2 0x631c508457b6 in mysql_rm_table_no_locks(THD*, TABLE_LIST*, st_mysql_const_lex_string const*, st_ddl_log_state*, bool, bool, bool, bool, bool, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:1695:13
          #3 0x631c5086554d in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:5126:12
          #4 0x631c508dcba7 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:5346:7
          #5 0x631c508d5b17 in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:14034:12
          #6 0x631c5039e8b7 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5879:26
          #7 0x631c503819e8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7912:18
          #8 0x631c5037b1a1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1898:7
          #9 0x631c50383e1a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1437:17
          #10 0x631c50b884fc in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
          #11 0x631c50b88005 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
          #12 0x631c4f340bca in asan_thread_start(void*) crtstuff.c
          #13 0x723065e9ca93 in start_thread nptl/pthread_create.c:447:8
          #14 0x723065f29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:1479:3 
      /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:1479:3: runtime error: load of null pointer of type 'TABLE_SHARE *'
          #0 0x631c4fe8f361 in wait_while_table_is_used(THD*, TABLE*, ha_extra_function, unsigned long long) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:1479:3
          #1 0x631c508457b6 in wait_while_table_is_used(THD*, TABLE*, ha_extra_function) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.h:247:10
          #2 0x631c508457b6 in mysql_rm_table_no_locks(THD*, TABLE_LIST*, st_mysql_const_lex_string const*, st_ddl_log_state*, bool, bool, bool, bool, bool, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:1695:13
          #3 0x631c5086554d in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:5126:12
          #4 0x631c508dcba7 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:5346:7
          #5 0x631c508d5b17 in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:14034:12
          #6 0x631c5039e8b7 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5879:26
          #7 0x631c503819e8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7912:18
          #8 0x631c5037b1a1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1898:7
          #9 0x631c50383e1a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1437:17
          #10 0x631c50b884fc in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
          #11 0x631c50b88005 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
          #12 0x631c4f340bca in asan_thread_start(void*) crtstuff.c
          #13 0x723065e9ca93 in start_thread nptl/pthread_create.c:447:8
          #14 0x723065f29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:1479:3
      

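      MDEV-35915-v10 CS 12.2.0 2ef81706c8c4782b2f8a45a05ac90377403de2e1 (Debug, UBASAN, Clang 21.1.3-20250923) Build 31/12/2025
      (Note: the paths in this trace point to the `_opt_san` build tree and to sql_base.cc:1485, the line hit in the Optimized build above; the Debug/Optimized labels on the two UBASAN traces may be swapped.)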

      /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:1485:21: runtime error: member access within null pointer of type 'TABLE'
          #0 0x5b097fc515df in wait_while_table_is_used(THD*, TABLE*, ha_extra_function, unsigned long long) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:1485:21
          #1 0x5b0980623c8c in wait_while_table_is_used(THD*, TABLE*, ha_extra_function) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.h:247:10
          #2 0x5b0980623c8c in mysql_rm_table_no_locks(THD*, TABLE_LIST*, st_mysql_const_lex_string const*, st_ddl_log_state*, bool, bool, bool, bool, bool, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:1695:13
          #3 0x5b0980645581 in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:5126:12
          #4 0x5b09806c3ce4 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:5346:7
          #5 0x5b09806bd7ef in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:14034:12
          #6 0x5b098015e1cf in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5879:26
          #7 0x5b09801418b5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7912:18
          #8 0x5b0980139a7d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1898:7
          #9 0x5b09801437f0 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1437:17
          #10 0x5b098096e3ec in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
          #11 0x5b098096df06 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
          #12 0x5b097f121bca in asan_thread_start(void*) crtstuff.c
          #13 0x7cf80ca9ca93 in start_thread nptl/pthread_create.c:447:8
          #14 0x7cf80cb29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:1485:21 
      

            People

              Roel Roel Van de Paar
              Roel Roel Van de Paar