  2. MDEV-38468

SIGSEGV in MDL_lock::incompatible_granted_types_bitmap, Assertion `mdl_ticket->m_duration == MDL_TRANSACTION && duration != MDL_TRANSACTION' in MDL_context::set_lock_duration, memory corruptions in I_P_List & MDL_context::set_lock_duration


Details

    Description

      # Reproducer in mysqltest syntax (the --error line is a mysqltest directive).
      CREATE GLOBAL TEMPORARY TABLE t (c INT) ON COMMIT DELETE ROWS;
      RENAME TABLE t TO t2;
      CREATE GLOBAL TEMPORARY TABLE t (c INT);
      # The XA / BINLOG / pseudo_slave_mode steps are part of the found
      # reproducer; the traces below do not show which of them are required.
      XA START 'a';
      --error ER_BASE64_DECODE_ERROR
      BINLOG 'a';
      # ASan "previously allocated" trace: this INSERT opens t through
      # open_global_temporary_table(), which allocates an MDL ticket via
      # MDL_context::clone_ticket().
      INSERT t VALUES (1);
      SET pseudo_slave_mode=1;
      XA END 'a';
      XA PREPARE 'a';
      LOCK TABLES t2 AS a1 WRITE,t AS a5 WRITE;
      # ASan "freed by" trace: DROP TABLE deletes that ticket in
      # MDL_context::release_all_locks_for_name() (called from mysql_rm_table_no_locks).
      DROP TABLE t;
      # Leaving LOCK TABLES mode for this statement runs
      # THD::global_tmp_tables_set_explicit_lock_duration() ->
      # MDL_context::set_lock_duration() on the freed ticket (heap-use-after-free
      # under ASan; assertion failure in the debug build). The optimized build
      # instead crashes in MDL_context::find_ticket() while opening t2 --
      # presumably the same stale ticket, not confirmed by the traces.
      LOCK TABLES t2 READ;
      

      Leads to:

      MDEV-35915-v10 CS 12.2.0 2ef81706c8c4782b2f8a45a05ac90377403de2e1 (Optimized, Clang 21.1.3-20250923) Build 31/12/2025

      Core was generated by `/test/MDEV-35915_v10_MD311225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd --no'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x00005d74c7ce4c55 in MDL_lock::incompatible_granted_types_bitmap (this=0x784408060748) at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:1056
      1056	  { return m_strategy->incompatible_granted_types_bitmap(); }
      [Current thread is 1 (LWP 764681)]
      (gdb) bt
      #0  0x00005d74c7ce4c55 in MDL_lock::incompatible_granted_types_bitmap (this=0x784408060748) at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:1056
      #1  MDL_ticket::has_stronger_or_equal_type (this=0x784408017180, type=<optimized out>)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:2549
      #2  MDL_context::find_ticket (this=0x784408000e78, mdl_request=0x784408017be8, result_duration=result_duration@entry=0x7844f3bfd53c)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:2620
      #3  0x00005d74c7ce4dfb in MDL_context::try_acquire_lock_impl (this=0x0, mdl_request=0x784408060750, out_ticket=0x7844f3bfd5c0)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:2699
      #4  0x00005d74c7ce51dd in MDL_context::acquire_lock (this=0x0, mdl_request=0x784408060750, lock_wait_timeout=86400)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:2895
      #5  0x00005d74c7ab57e2 in open_table_get_mdl_lock (thd=thd@entry=0x784408000c68, ot_ctx=ot_ctx@entry=0x7844f3bfdb28, mdl_request=mdl_request@entry=0x784408017be8, flags=0, mdl_ticket=mdl_ticket@entry=0x7844f3bfd8a0)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_base.cc:1719
      #6  0x00005d74c7ab4b7e in open_table (thd=thd@entry=0x784408000c68, table_list=table_list@entry=0x784408017748, ot_ctx=ot_ctx@entry=0x7844f3bfdb28)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_base.cc:2134
      #7  0x00005d74c7ab8098 in open_and_process_table (thd=0x784408000c68, tables=0x784408017748, counter=0x7844f3bfddfc, flags=0, prelocking_strategy=0x7844f3bfdde0, ot_ctx=0x7844f3bfdb28, has_prelocking_list=<optimized out>)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_base.cc:4285
      #8  open_tables (thd=thd@entry=0x784408000c68, options=@0x78440800666c: {m_options = DDL_options_st::OPT_NONE}, start=start@entry=0x7844f3bfde00, counter=counter@entry=0x7844f3bfddfc, flags=flags@entry=0, prelocking_strategy=prelocking_strategy@entry=0x7844f3bfdde0)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_base.cc:4768
      #9  0x00005d74c7b8e4fd in open_tables (thd=0x784408000c68, tables=0x7844f3bfde00, counter=0x7844f3bfddfc, flags=0, prelocking_strategy=0x7844f3bfdde0)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_base.h:282
      #10 lock_tables_open_and_lock_tables (thd=thd@entry=0x784408000c68, tables=0x784408017748)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:2910
      #11 0x00005d74c7b89f9b in mysql_execute_command (thd=thd@entry=0x784408000c68, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:4967
      #12 0x00005d74c7b84504 in mysql_parse (thd=thd@entry=0x784408000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7844f3bfe420)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:7912
      #13 0x00005d74c7b82c9d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x784408000c68, packet=packet@entry=0x7844080089f9 "LOCK TABLES t2 READ", packet_length=packet_length@entry=19, blocking=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:1898
      #14 0x00005d74c7b84981 in do_command (thd=thd@entry=0x784408000c68, blocking=true) at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:1437
      #15 0x00005d74c7cdaa5d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5d74cb1e4888, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1414
      #16 0x00005d74c7cda81f in handle_one_connection (arg=arg@entry=0x5d74cb1e4888)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1326
      #17 0x00005d74c7e9f7c9 in pfs_spawn_thread (arg=0x5d74cb187848)at /test/bb-12.2-nikita-global-tmp_opt/storage/perfschema/pfs.cc:2198
      #18 0x00007844fb29ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #19 0x00007844fb329c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      MDEV-35915-v10 CS 12.2.0 2ef81706c8c4782b2f8a45a05ac90377403de2e1 (Debug, Clang 21.1.3-20250923) Build 31/12/2025

      mariadbd: /test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc:3781: void MDL_context::set_lock_duration(MDL_ticket *, enum_mdl_duration): Assertion `mdl_ticket->m_duration == MDL_TRANSACTION && duration != MDL_TRANSACTION' failed.
      

      MDEV-35915-v10 CS 12.2.0 2ef81706c8c4782b2f8a45a05ac90377403de2e1 (Debug, Clang 21.1.3-20250923) Build 31/12/2025

      Core was generated by `/test/MDEV-35915_v10_MD311225-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd --no'.
      Program terminated with signal SIGABRT, Aborted.
      #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
       
      [Current thread is 1 (LWP 766086)]
      (gdb) bt
      #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
      #1  __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
      #2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
      #3  0x000074a5d104526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
      #4  0x000074a5d10288ff in __GI_abort () at ./stdlib/abort.c:79
      #5  0x000074a5d102881b in __assert_fail_base (fmt=0x74a5d11d01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x5c6fbd6b34d9 "mdl_ticket->m_duration == MDL_TRANSACTION && duration != MDL_TRANSACTION", file=file@entry=0x5c6fbd589093 "/test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc", line=line@entry=3781, function=function@entry=0x5c6fbd5b4293 "void MDL_context::set_lock_duration(MDL_ticket *, enum_mdl_duration)") at ./assert/assert.c:94
      #6  0x000074a5d103b507 in __assert_fail (assertion=0x5c6fbd6b34d9 "mdl_ticket->m_duration == MDL_TRANSACTION && duration != MDL_TRANSACTION", file=0x5c6fbd589093 "/test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc", line=3781, function=0x5c6fbd5b4293 "void MDL_context::set_lock_duration(MDL_ticket *, enum_mdl_duration)") at ./assert/assert.c:103
      #7  0x00005c6fbe45e782 in MDL_context::set_lock_duration (this=0x74a484000f70, mdl_ticket=0x74a48402e350, duration=MDL_EXPLICIT)at /test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc:3780
      #8  0x00005c6fbe5a055a in THD::global_tmp_tables_set_explicit_lock_duration (this=0x74a484000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/temporary_tables.cc:377
      #9  0x00005c6fbe130b94 in THD::leave_locked_tables_mode (this=0x74a484000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_class.cc:6569
      #10 0x00005c6fbe100c8e in Locked_tables_list::unlock_locked_tables (this=0x74a484004f68, thd=0x74a484000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_base.cc:2739
      #11 0x00005c6fbe263ab3 in mysql_execute_command (thd=0x74a484000d58, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:4923
      #12 0x00005c6fbe258b98 in mysql_parse (thd=0x74a484000d58, rawbuf=0x74a484019e80 "LOCK TABLES t2 READ", length=19, parser_state=0x74a5cbfb2a10)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:7912
      #13 0x00005c6fbe256379 in dispatch_command (command=COM_QUERY, thd=0x74a484000d58, packet=0x74a48400b1f9 "LOCK TABLES t2 READ", packet_length=19, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1898
      #14 0x00005c6fbe25961a in do_command (thd=0x74a484000d58, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1437
      #15 0x00005c6fbe44c01e in do_handle_one_connection (connect=0x5c6fc09b4288, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1414
      #16 0x00005c6fbe44be01 in handle_one_connection (arg=0x5c6fc0a3c688)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1326
      #17 0x000074a5d109ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #18 0x000074a5d1129c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      MDEV-35915-v10 CS 12.2.0 2ef81706c8c4782b2f8a45a05ac90377403de2e1 (Optimized, UBASAN, Clang 21.1.3-20250923) Build 31/12/2025

      ==766489==ERROR: AddressSanitizer: heap-use-after-free on address 0x7907dac2cdb8 at pc 0x61dde28f8193 bp 0x7886ee900580 sp 0x7886ee900578
      READ of size 8 at 0x7907dac2cdb8 thread T12
          #0 0x61dde28f8192 in I_P_List<MDL_ticket, I_P_List_adapter<MDL_ticket, &MDL_ticket::next_in_context, &MDL_ticket::prev_in_context>, I_P_List_null_counter, I_P_List_no_push_back<MDL_ticket>>::remove(MDL_ticket*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_plist.h:124:14
          #1 0x61dde28f47bd in MDL_context::set_lock_duration(MDL_ticket*, enum_mdl_duration) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mdl.cc:3783:30
          #2 0x61dde2d1dcc3 in THD::global_tmp_tables_set_explicit_lock_duration() /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:377:17
          #3 0x61dde1c63135 in THD::leave_locked_tables_mode() /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_class.cc:6569:7
          #4 0x61dde1ba6541 in Locked_tables_list::unlock_locked_tables(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2739:8
          #5 0x61dde20a8743 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:4923:33
          #6 0x61dde20898b5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7912:18
          #7 0x61dde2081a7d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1898:7
          #8 0x61dde208b7f0 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1437:17
          #9 0x61dde28b63ec in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
          #10 0x61dde28b5f06 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
          #11 0x61dde1069bca in asan_thread_start(void*) crtstuff.c
          #12 0x7c87dbe9ca93 in start_thread nptl/pthread_create.c:447:8
          #13 0x7c87dbf29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      0x7907dac2cdb8 is located 24 bytes inside of 88-byte region [0x7907dac2cda0,0x7907dac2cdf8)
      freed by thread T12 here:
          #0 0x61dde10b1156 in operator delete(void*, unsigned long) (/test/MDEV-35915_v10_UBASAN_MD311225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x3014156) (BuildId: 4d53114b05e7799a29921eb452ea49624110e9ab)
          #1 0x61dde28f3e63 in MDL_context::release_all_locks_for_name(MDL_ticket*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mdl.cc:3573:7
          #2 0x61dde256f1bf in mysql_rm_table_no_locks(THD*, TABLE_LIST*, st_mysql_const_lex_string const*, st_ddl_log_state*, bool, bool, bool, bool, bool, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:2060:28
          #3 0x61dde2568c92 in mysql_rm_table(THD*, TABLE_LIST*, bool, bool, bool, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:1266:10
          #4 0x61dde20aeb01 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:4790:10
          #5 0x61dde20898b5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7912:18
          #6 0x61dde2081a7d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1898:7
          #7 0x61dde208b7f0 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1437:17
          #8 0x61dde28b63ec in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
          #9 0x61dde28b5f06 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
          #10 0x61dde1069bca in asan_thread_start(void*) crtstuff.c
       
      previously allocated by thread T12 here:
          #0 0x61dde10b0711 in operator new(unsigned long, std::nothrow_t const&) (/test/MDEV-35915_v10_UBASAN_MD311225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x3013711) (BuildId: 4d53114b05e7799a29921eb452ea49624110e9ab)
          #1 0x61dde28ef24f in MDL_context::clone_ticket(MDL_request*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mdl.cc:2798:17
          #2 0x61dde2595502 in open_global_temporary_table(THD*, TABLE_SHARE*, TABLE_LIST*, MDL_ticket*, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:6324:26
          #3 0x61dde1b9ebd5 in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2323:22
          #4 0x61dde1bb2e13 in open_and_process_table(THD*, TABLE_LIST*, unsigned int*, unsigned int, Prelocking_strategy*, bool, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:4285:14
          #5 0x61dde1bb2e13 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:4768:14
          #6 0x61dde1bc11c5 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:5756:7
          #7 0x61dde1670403 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.h:544:10
          #8 0x61dde1f39ddd in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_insert.cc:789:9
          #9 0x61dde20adc4c in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:4477:10
          #10 0x61dde20898b5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7912:18
          #11 0x61dde2081a7d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1898:7
          #12 0x61dde208b7f0 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1437:17
          #13 0x61dde28b63ec in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
          #14 0x61dde28b5f06 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
          #15 0x61dde1069bca in asan_thread_start(void*) crtstuff.c
       
      Thread T12 created by T0 here:
          #0 0x61dde10502c5 in pthread_create (/test/MDEV-35915_v10_UBASAN_MD311225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fb32c5) (BuildId: 4d53114b05e7799a29921eb452ea49624110e9ab)
          #1 0x61dde10c28f9 in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6272:19
          #2 0x61dde10c3c3a in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6508:9
          #3 0x61dde10c2040 in run_main_loop() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:5750:3
          #4 0x61dde10b8b7e in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6173:3
          #5 0x7c87dbe2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
          #6 0x7c87dbe2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
          #7 0x61dde0fc6bd4 in _start (/test/MDEV-35915_v10_UBASAN_MD311225-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2f29bd4) (BuildId: 4d53114b05e7799a29921eb452ea49624110e9ab)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_plist.h:124:14 in I_P_List<MDL_ticket, I_P_List_adapter<MDL_ticket, &MDL_ticket::next_in_context, &MDL_ticket::prev_in_context>, I_P_List_null_counter, I_P_List_no_push_back<MDL_ticket>>::remove(MDL_ticket*)
      Shadow bytes around the buggy address:
        0x7907dac2cb00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
        0x7907dac2cb80: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
        0x7907dac2cc00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
        0x7907dac2cc80: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
        0x7907dac2cd00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      =>0x7907dac2cd80: fa fa fa fa fd fd fd[fd]fd fd fd fd fd fd fd fa
        0x7907dac2ce00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
        0x7907dac2ce80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
        0x7907dac2cf00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
        0x7907dac2cf80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
        0x7907dac2d000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==766489==ABORTING
      

      MDEV-35915-v10 CS 12.2.0 2ef81706c8c4782b2f8a45a05ac90377403de2e1 (Debug, UBASAN, Clang 21.1.3-20250923) Build 31/12/2025

      ==766978==ERROR: AddressSanitizer: heap-use-after-free on address 0x79d52442cdc8 at pc 0x57852e790748 bp 0x795437900420 sp 0x795437900418
      READ of size 4 at 0x79d52442cdc8 thread T12
          #0 0x57852e790747 in MDL_context::set_lock_duration(MDL_ticket*, enum_mdl_duration) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3780:3
          #1 0x57852ebc831f in THD::global_tmp_tables_set_explicit_lock_duration() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:377:17
          #2 0x57852db283cf in THD::leave_locked_tables_mode() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_class.cc:6569:7
          #3 0x57852da621a8 in Locked_tables_list::unlock_locked_tables(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:2739:8
          #4 0x57852df68c20 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:4923:33
          #5 0x57852df469e8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7912:18
          #6 0x57852df401a1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1898:7
          #7 0x57852df48e1a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1437:17
          #8 0x57852e74d4fc in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
          #9 0x57852e74d005 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
          #10 0x57852cf05bca in asan_thread_start(void*) crtstuff.c
          #11 0x7d552549ca93 in start_thread nptl/pthread_create.c:447:8
          #12 0x7d5525529c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      0x79d52442cdc8 is located 40 bytes inside of 96-byte region [0x79d52442cda0,0x79d52442ce00)
      freed by thread T12 here:
          #0 0x57852cf4d156 in operator delete(void*, unsigned long) (/test/MDEV-35915_v10_UBASAN_MD311225-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3be1156) (BuildId: bcd316f2f88ee08194105600810e97f8ef279854)
          #1 0x57852e78f158 in MDL_context::release_all_locks_for_name(MDL_ticket*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3573:7
          #2 0x57852e40c2bf in mysql_rm_table_no_locks(THD*, TABLE_LIST*, st_mysql_const_lex_string const*, st_ddl_log_state*, bool, bool, bool, bool, bool, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:2060:28
          #3 0x57852e405e4f in mysql_rm_table(THD*, TABLE_LIST*, bool, bool, bool, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:1266:10
          #4 0x57852df6b55b in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:4790:10
          #5 0x57852df469e8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7912:18
          #6 0x57852df401a1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1898:7
          #7 0x57852df48e1a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1437:17
          #8 0x57852e74d4fc in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
          #9 0x57852e74d005 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
          #10 0x57852cf05bca in asan_thread_start(void*) crtstuff.c
       
      previously allocated by thread T12 here:
          #0 0x57852cf4c711 in operator new(unsigned long, std::nothrow_t const&) (/test/MDEV-35915_v10_UBASAN_MD311225-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3be0711) (BuildId: bcd316f2f88ee08194105600810e97f8ef279854)
          #1 0x57852e7891df in MDL_context::clone_ticket(MDL_request*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:2798:17
          #2 0x57852e432920 in open_global_temporary_table(THD*, TABLE_SHARE*, TABLE_LIST*, MDL_ticket*, Open_table_context*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:6324:26
          #3 0x57852da5a949 in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:2323:22
          #4 0x57852da6f6ef in open_and_process_table(THD*, TABLE_LIST*, unsigned int*, unsigned int, Prelocking_strategy*, bool, Open_table_context*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:4285:14
          #5 0x57852da6f6ef in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:4768:14
          #6 0x57852da7f971 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:5756:7
          #7 0x57852d54a004 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.h:544:10
          #8 0x57852ddf6036 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_insert.cc:789:9
          #9 0x57852df7195e in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:4477:10
          #10 0x57852df469e8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7912:18
          #11 0x57852df401a1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1898:7
          #12 0x57852df48e1a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1437:17
          #13 0x57852e74d4fc in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
          #14 0x57852e74d005 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
          #15 0x57852cf05bca in asan_thread_start(void*) crtstuff.c
       
      Thread T12 created by T0 here:
          #0 0x57852ceec2c5 in pthread_create (/test/MDEV-35915_v10_UBASAN_MD311225-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3b802c5) (BuildId: bcd316f2f88ee08194105600810e97f8ef279854)
          #1 0x57852cf5fc1c in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6272:19
          #2 0x57852cf60ca5 in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6508:9
          #3 0x57852cf5f22a in run_main_loop() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:5750:3
          #4 0x57852cf54bde in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6173:3
          #5 0x7d552542a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
          #6 0x7d552542a28a in __libc_start_main csu/../csu/libc-start.c:360:3
          #7 0x57852ce62bd4 in _start (/test/MDEV-35915_v10_UBASAN_MD311225-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3af6bd4) (BuildId: bcd316f2f88ee08194105600810e97f8ef279854)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3780:3 in MDL_context::set_lock_duration(MDL_ticket*, enum_mdl_duration)
      Shadow bytes around the buggy address:
        0x79d52442cb00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
        0x79d52442cb80: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
        0x79d52442cc00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
        0x79d52442cc80: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
        0x79d52442cd00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x79d52442cd80: fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd fd fd
        0x79d52442ce00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
        0x79d52442ce80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
        0x79d52442cf00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
        0x79d52442cf80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
        0x79d52442d000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==766978==ABORTING
      


            People

              nikitamalyavin Nikita Malyavin
              Roel Roel Van de Paar
