  1. MariaDB Server
  2. MDEV-40004

Server crashes in sp_head::register_instr_mem_root_for_deallocation upon shutdown

    Description

      CREATE TABLE t (a INT);
      INSERT INTO t VALUES (1),(2);
      CREATE TRIGGER tr BEFORE UPDATE ON t FOR EACH ROW DELETE FROM v;
      CREATE VIEW v AS SELECT 0 AS a; 
      --error ER_NON_UPDATABLE_TABLE
      UPDATE t SET a = 3;
      CREATE OR REPLACE VIEW v AS SELECT 0 AS a; 
       
      --error ER_NON_UPDATABLE_TABLE
      UPDATE t SET a = 4;
       
      --source include/restart_mysqld.inc
       
      DROP VIEW v;
      DROP TABLE t;
      

      11.4 cc40fe532961af4bf1b138f7b1f5a18c85ce320e

      #4  <signal handler called>
      #5  0x0000557a4b50cbb2 in thd_alloc (thd=0x0, size=16) at /data/bld/11.4-asan-ubsan/sql/sql_class.cc:1210
      #6  0x0000557a4b1c8f40 in Sql_alloc::operator new (size=size@entry=16) at /data/bld/11.4-asan-ubsan/sql/sql_alloc.h:28
      #7  0x0000557a4b1c8f89 in base_list::push_back (this=this@entry=0x62500024e430, info=info@entry=0x625000263518) at /data/bld/11.4-asan-ubsan/sql/sql_list.h:183
      #8  0x0000557a4b302952 in List<st_mem_root>::push_back (a=0x625000263518, this=0x62500024e430) at /data/bld/11.4-asan-ubsan/sql/sql_list.h:502
      #9  sp_head::register_instr_mem_root_for_deallocation (this=this@entry=0x62500024e138, mem_root=0x625000263518) at /data/bld/11.4-asan-ubsan/sql/sp_head.cc:960
      #10 0x0000557a4b346706 in sp_lex_instr::~sp_lex_instr (this=this@entry=0x625000250030, __in_chrg=<optimized out>) at /data/bld/11.4-asan-ubsan/sql/sp_instr.h:426
      #11 0x0000557a4c46f409 in sp_instr_stmt::~sp_instr_stmt (this=0x625000250030, __in_chrg=<optimized out>) at /data/bld/11.4-asan-ubsan/sql/sp_instr.h:570
      #12 sp_instr_stmt::~sp_instr_stmt (this=0x625000250030, __in_chrg=<optimized out>) at /data/bld/11.4-asan-ubsan/sql/sp_instr.h:570
      #13 0x0000557a4b30838e in sp_head::~sp_head (this=0x62500024e138, __in_chrg=<optimized out>) at /data/bld/11.4-asan-ubsan/sql/sp_head.cc:902
      #14 0x0000557a4b308a71 in sp_head::~sp_head (this=0x62500024e138, __in_chrg=<optimized out>) at /data/bld/11.4-asan-ubsan/sql/sp_head.cc:923
      #15 0x0000557a4b2f9105 in sp_head::destroy (sp=0x62500024e138) at /data/bld/11.4-asan-ubsan/sql/sp_head.cc:536
      #16 0x0000557a4bd8e2ac in Trigger::~Trigger (this=0x62500024c958, __in_chrg=<optimized out>) at /data/bld/11.4-asan-ubsan/sql/sql_trigger.cc:364
      #17 0x0000557a4bd90ecd in Table_triggers_list::~Table_triggers_list (this=this@entry=0x62500024c428, __in_chrg=<optimized out>) at /data/bld/11.4-asan-ubsan/sql/sql_trigger.cc:1436
      #18 0x0000557a4c6865b5 in intern_close_table (table=0x61900005af98) at /data/bld/11.4-asan-ubsan/sql/table_cache.cc:228
      #19 0x0000557a4c688005 in tc_purge () at /data/bld/11.4-asan-ubsan/sql/table_cache.cc:324
      #20 0x0000557a4b44af1b in purge_tables () at /data/bld/11.4-asan-ubsan/sql/sql_base.cc:335
      #21 0x0000557a4c684799 in tdc_start_shutdown () at /data/bld/11.4-asan-ubsan/sql/table_cache.cc:649
      #22 0x0000557a4b091846 in clean_up (print_message=print_message@entry=true) at /data/bld/11.4-asan-ubsan/sql/mysqld.cc:2012
      #23 0x0000557a4b0aab8a in mysqld_main (argc=<optimized out>, argv=<optimized out>) at /data/bld/11.4-asan-ubsan/sql/mysqld.cc:6167
      #24 0x0000557a4b07bb42 in main (argc=<optimized out>, argv=<optimized out>) at /data/bld/11.4-asan-ubsan/sql/main.cc:34
      

      UBSAN error

      /data/bld/11.4-asan-ubsan/sql/sql_class.cc:1210:20: runtime error: member access within null pointer of type 'const struct THD'
      

      The failure started happening after this commit in 11.4 between 11.4.12 and the next release:

      commit d2ebea4febdbc102da09a3b51bea4ef2819a3843 (HEAD)
      Author:     Dmitry Shulga <dmitry.shulga@mariadb.com>
      AuthorDate: Thu May 28 18:35:30 2026 +0700
       
          MDEV-38561: ASAN heap-use-after-free in Query_arena::free_items/sp_lex_cursor::~sp_lex_cursor
      

            People

              shulga Dmitry Shulga
              elenst Elena Stepanova