
ASAN: heap-use-after-free with concurrent create/drop system trigger


Details

    • Bug
    • Status: Open
    • Critical
    • Resolution: Unresolved
    • N/A
    • 13.1
    • Triggers
    • None
    • Q3/2026 Server Maintenance

    Description

      Run with --repeat; it fails in different places: mysql_create_sys_trigger/compare_name/mysql_drop_sys_or_ddl_trigger/register_trigger/unregister_trigger/Sys_trigger::execute
      bb-13.0-MDEV-30645 a51f81628b0cc9b74d0b

      # Switch the statement delimiter so the ';' inside the procedure body
      # are not sent as separate statements.
      DELIMITER |;
      # stress(): creates system triggers in a tight loop (500000 iterations).
      # Trigger names embed CONNECTION_ID() so two callers running at the same
      # time never collide; the trigger type alternates between AFTER STARTUP
      # (odd i) and BEFORE SHUTDOWN (even i). From i > 3 on, each iteration
      # also drops the trigger created three iterations earlier, so creation
      # and removal of system triggers interleave across connections. The
      # name is built at run time, hence PREPARE/EXECUTE instead of a literal.
      CREATE PROCEDURE stress()
      BEGIN
        DECLARE i INT DEFAULT 0;
        WHILE i < 500000 DO
          SET @c = CONCAT('CREATE TRIGGER tr1', CONNECTION_ID(), '_', i,
                          IF(i%2, ' AFTER STARTUP', ' BEFORE SHUTDOWN'), ' SET @x=1');
          PREPARE s FROM @c; EXECUTE s; DROP PREPARE s;
          IF i > 3 THEN
            SET @d = CONCAT('DROP TRIGGER tr1', CONNECTION_ID(), '_', i-3);
            PREPARE s FROM @d; EXECUTE s; DROP PREPARE s;
          END IF;
          SET i = i + 1;
        END WHILE;
      END|
      DELIMITER ;|
       
      # Two extra client connections, both as root on database test.
      --connect (c1, localhost, root,,test)
      --connect (c2, localhost, root,,test)
       
      # Both CALLs are sent asynchronously (--send) so the two loops overlap.
      --connection c1
      --send CALL stress()
      --connection c2
      --send CALL stress()
       
      # While both loops are still running, restart the server from the
      # default connection. The restart runs the BEFORE SHUTDOWN triggers
      # (see run_before_shutdown_triggers in the reports below) while the
      # connection threads are still registering/unregistering triggers,
      # which is the window in which ASAN reports the use-after-free.
      --connection default
      --real_sleep 1.5
      --source include/restart_mysqld.inc
       
      # Collect the results of the two pending CALLs (they are expected to
      # have been cut short by the restart).
      --connection c1
      --reap
      --connection c2
      --reap
       
      # Cleanup.
      --connection default
      DROP PROCEDURE stress;
      

      #16 0x000071b9f2108f29 in __asan::__asan_report_load8 (addr=<optimized out>) at ../../../../src/libsanitizer/asan/asan_rtl.cpp:131
      #17 0x000057c282e8b100 in Sys_trigger::compare_name (other=0x52d0000fc4f8, this=0x519000053d28) at /13.1/src/sql/sql_sys_or_ddl_trigger.h:84
      #18 unregister_trigger (spname=0x52d0000fc4f8) at /13.1/src/sql/sql_sys_or_ddl_trigger.cc:467
      #19 0x000057c282e8b7c9 in mysql_drop_sys_or_ddl_trigger (thd=thd@entry=0x52c000220220, no_ddl_trigger_found=no_ddl_trigger_found@entry=0x69b9d2ffa030) at /13.1/src/sql/sql_sys_or_ddl_trigger.cc:763
      #20 0x000057c282605a31 in mysql_execute_command (thd=0x52c000220220, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=0x1) at /13.1/src/sql/sql_parse.cc:5765
      #21 0x000057c282689ced in Prepared_statement::execute (this=this@entry=0x51a0002b62a0, expanded_query=expanded_query@entry=(String *) 0x69b9d2cbfae0 _binary ..., open_cursor=open_cursor@entry=0x0, result_arg=result_arg@entry=0x51a0002b63f0, cursor_arg=cursor_arg@entry=0x51a0002b6460) at /13.1/src/sql/sql_prepare.cc:5367
      #22 0x000057c28268ffd7 in Prepared_statement::execute_loop (this=this@entry=0x51a0002b62a0, expanded_query=expanded_query@entry=(String *) 0x69b9d2cbfae0 _binary ..., open_cursor=open_cursor@entry=0x0, result_arg=result_arg@entry=0x51a0002b63f0, cursor_arg=cursor_arg@entry=0x51a0002b6460, instrs_set_placeholder=..., packet=<optimized out>, packet_end=<optimized out>) at /13.1/src/sql/sql_prepare.cc:4725
      #23 0x000057c282690f08 in mysql_sql_stmt_execute (thd=thd@entry=0x52c000220220, name=..., cmd=cmd@entry=0x57c2848f4b00 "EXECUTE", open_dynamic_cursor=open_dynamic_cursor@entry=0x0, result_arg=result_arg@entry=0x0, cursor_arg=cursor_arg@entry=0x0) at /13.1/src/sql/sql_prepare.cc:3656
      #24 0x000057c282691464 in mysql_sql_stmt_execute (thd=thd@entry=0x52c000220220) at /13.1/src/sql/sql_prepare.cc:3670
      #25 0x000057c2825faef1 in mysql_execute_command (thd=0x52c000220220, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=0x0) at /13.1/src/sql/sql_parse.cc:4008
      #26 0x000057c282d1105b in sp_instr_stmt::exec_core (this=0x529000355108, thd=<optimized out>, nextp=0x69b9d2e6f030) at /13.1/src/sql/sp_instr.cc:1281
      #27 0x000057c282d1a24b in sp_lex_keeper::reset_lex_and_exec_core (this=this@entry=0x529000355148, thd=thd@entry=0x52c000220220, nextp=nextp@entry=0x69b9d2e6f030, open_tables=open_tables@entry=0x0, instr=instr@entry=0x529000355108, rerun_the_same_instr=rerun_the_same_instr@entry=0x0) at /13.1/src/sql/sp_instr.cc:420
      #28 0x000057c282d20372 in sp_lex_keeper::validate_lex_and_exec_core (this=this@entry=0x529000355148, thd=thd@entry=0x52c000220220, nextp=nextp@entry=0x69b9d2e6f030, open_tables=open_tables@entry=0x0, instr=instr@entry=0x529000355108) at /13.1/src/sql/sp_instr.cc:599
      #29 0x000057c282d2199d in sp_instr_stmt::execute (this=0x529000355108, thd=0x52c000220220, nextp=<optimized out>) at /13.1/src/sql/sp_instr.cc:1183
      #30 0x000057c282376862 in sp_head::execute (this=this@entry=0x5250002c6310, thd=thd@entry=0x52c000220220, merge_da_on_success=merge_da_on_success@entry=0x1) at /13.1/src/sql/sp_head.cc:1292
      #31 0x000057c28237a487 in sp_head::execute_procedure (this=this@entry=0x5250002c6310, thd=thd@entry=0x52c000220220, args=<optimized out>) at /13.1/src/sql/sp_head.cc:2329
      #32 0x000057c2825dabba in do_execute_sp (thd=thd@entry=0x52c000220220, sp=sp@entry=0x5250002c6310) at /13.1/src/sql/sql_parse.cc:3085
      #33 0x000057c2825e5acf in Sql_cmd_call::execute (this=0x5190000909b8, thd=0x52c000220220) at /13.1/src/sql/sql_parse.cc:3323
      #34 0x000057c2826067af in mysql_execute_command (thd=thd@entry=0x52c000220220, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=0x0) at /13.1/src/sql/sql_parse.cc:5940
      #35 0x000057c282608798 in mysql_parse (thd=thd@entry=0x52c000220220, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x69b9d30681a0) at /13.1/src/sql/sql_parse.cc:7980
      #36 0x000057c28260c54d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x52c000220220, packet=packet@entry=0x52900032f221 "CALL stress()", packet_length=packet_length@entry=0xd, blocking=blocking@entry=0x1) at /13.1/src/sql/sql_parse.cc:1904
      #37 0x000057c2826112e7 in do_command (thd=thd@entry=0x52c000220220, blocking=blocking@entry=0x1) at /13.1/src/sql/sql_parse.cc:1438
      #38 0x000057c282ada19d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x50b000010650, put_in_cache=put_in_cache@entry=0x1) at /13.1/src/sql/sql_connect.cc:1503
      #39 0x000057c282ada683 in handle_one_connection (arg=arg@entry=0x50b000010650) at /13.1/src/sql/sql_connect.cc:1415
      #40 0x000057c2837cc8f4 in pfs_spawn_thread (arg=arg@entry=0x517000009e20) at /13.1/src/storage/perfschema/pfs.cc:2198
      #41 0x000071b9f205ea42 in asan_thread_start (arg=0x69b9d3f6a000) at ../../../../src/libsanitizer/asan/asan_interceptors.cpp:234
      #42 0x000071b9f109caa4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:447
      #43 0x000071b9f1129c6c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      ==1693128==ERROR: AddressSanitizer: heap-use-after-free on address 0x52c0000b0248 at pc 0x5b62d38bb850 bp 0x7a53fbe47650 sp 0x7a53fbe47640
      READ of size 8 at 0x52c0000b0248 thread T7
          #0 0x5b62d38bb84f in mysql_create_sys_trigger(THD*) /13.1/sql/sql_sys_or_ddl_trigger.cc:615
          #1 0x5b62d3009b78 in mysql_execute_command(THD*, bool) /13.1/sql/sql_parse.cc:5734
          #2 0x5b62d308bf2a in Prepared_statement::execute(String*, bool, select_result*, Server_side_cursor**) /13.1/sql/sql_prepare.cc:5367
          #3 0x5b62d3092214 in Prepared_statement::execute_loop(String*, bool, select_result*, Server_side_cursor**, InstrSlice const&, unsigned char*, unsigned char*) /13.1/sql/sql_prepare.cc:4725
          #4 0x5b62d3093145 in mysql_sql_stmt_execute /13.1/sql/sql_prepare.cc:3656
          #5 0x5b62d30936a1 in mysql_sql_stmt_execute(THD*) /13.1/sql/sql_prepare.cc:3670
          #6 0x5b62d2fff204 in mysql_execute_command(THD*, bool) /13.1/sql/sql_parse.cc:4008
          #7 0x5b62d3740ff0 in sp_instr_stmt::exec_core(THD*, unsigned int*) /13.1/sql/sp_instr.cc:1281
          #8 0x5b62d374a1e0 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*, bool) /13.1/sql/sp_instr.cc:420
          #9 0x5b62d3750307 in sp_lex_keeper::validate_lex_and_exec_core(THD*, unsigned int*, bool, sp_lex_instr*) /13.1/sql/sp_instr.cc:599
          #10 0x5b62d3751932 in sp_instr_stmt::execute(THD*, unsigned int*) /13.1/sql/sp_instr.cc:1183
          #11 0x5b62d2d24a95 in sp_head::execute(THD*, bool) /13.1/sql/sp_head.cc:1292
          #12 0x5b62d2d286ba in sp_head::execute_procedure(THD*, List<Item>*) /13.1/sql/sp_head.cc:2329
          #13 0x5b62d2fdeecd in do_execute_sp /13.1/sql/sql_parse.cc:3085
          #14 0x5b62d2fe9de2 in Sql_cmd_call::execute(THD*) /13.1/sql/sql_parse.cc:3323
          #15 0x5b62d300aac2 in mysql_execute_command(THD*, bool) /13.1/sql/sql_parse.cc:5940
          #16 0x5b62d300caab in mysql_parse(THD*, char*, unsigned int, Parser_state*) /13.1/sql/sql_parse.cc:7980
          #17 0x5b62d3010860 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /13.1/sql/sql_parse.cc:1904
          #18 0x5b62d30155fa in do_command(THD*, bool) /13.1/sql/sql_parse.cc:1438
          #19 0x5b62d34fc348 in do_handle_one_connection(CONNECT*, bool) /13.1/sql/sql_connect.cc:1503
          #20 0x5b62d34fc82e in handle_one_connection /13.1/sql/sql_connect.cc:1415
          #21 0x5b62d3b0f7c7 in pfs_spawn_thread /13.1/storage/perfschema/pfs.cc:2198
          #22 0x7a540f45ea41 in asan_thread_start ../../../../src/libsanitizer/asan/asan_interceptors.cpp:234
          #23 0x7a540e49caa3 in start_thread nptl/pthread_create.c:447
          #24 0x7a540e529c6b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      =================================================================
      ==1693270==ERROR: AddressSanitizer: heap-use-after-free on address 0x5250000a79b0 at pc 0x5c9fbdd2a10e bp 0x7fff1493f0c0 sp 0x7fff1493f0b0
      READ of size 8 at 0x5250000a79b0 thread T0
          #0 0x5c9fbdd2a10d in Sys_trigger::execute() /13.1/sql/sql_sys_or_ddl_trigger.cc:774
          #1 0x5c9fbdd2a48c in run_before_shutdown_triggers(bool) /13.1/sql/sql_sys_or_ddl_trigger.cc:1389
          #2 0x5c9fbd00d04c in mysqld_main(int, char**) /13.1/sql/mysqld.cc:6441
          #3 0x5c9fbc97de35 in main /13.1/sql/main.cc:34
          #4 0x768c6362a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
          #5 0x768c6362a28a in __libc_start_main_impl ../csu/libc-start.c:360
          #6 0x5c9fbc97dd64 in _start (/13.1/sql/mariadbd+0x232cd64) (BuildId: 67d3e0948def665d8517203475bbe9e9fe831249)
      

      mariadbd: /13.1/mysys/my_alloc.c:346: alloc_root: Assertion `*prev == 0' failed.
      260617 14:02:45 [ERROR] /13.1/sql/mariadbd got signal 6 ;
       
      Server version: 13.1.0-MariaDB-asan-debug-log source revision: a51f81628b0cc9b74d0b436405fb42c3d6e104dc
       
      Thread pointer: 0x52c0000f0220
      stack_bottom = 0x79ee90a7d000 thread_stack 0xb00000
      mysys/my_alloc.c:347(alloc_root)[0x5677965636a2]
      sql/sql_alloc.h:37(Sql_alloc::operator new(unsigned long, st_mem_root*))[0x5677964cf205]
      sql/sql_parse.cc:5734(mysql_execute_command(THD*, bool))[0x567796c10ff1]
      sql/sql_prepare.cc:5367(Prepared_statement::execute(String*, bool, select_result*, Server_side_cursor**))[0x567796c1a1e1]
      sql/sql_prepare.cc:3656(mysql_sql_stmt_execute(THD*, Lex_ident_sys const&, char const*, bool, select_result*, Server_side_cursor**))[0x567796c20308]
      sql/sql_parse.cc:4008(mysql_execute_command(THD*, bool))[0x567796c21933]
      sql/sp_instr.cc:1183(sp_instr_stmt::execute(THD*, unsigned int*))[0x5677961f4a96]
      sql/sp_head.cc:1292(sp_head::execute(THD*, bool))[0x5677961f86bb]
      sql/sp_head.cc:2329(sp_head::execute_procedure(THD*, List<Item>*))[0x5677964aeece]
      sql/sql_parse.cc:3085(do_execute_sp(THD*, sp_head*))[0x5677964b9de3]
      sql/sql_parse.cc:5940(mysql_execute_command(THD*, bool))[0x5677964daac3]
      sql/sql_parse.cc:7980(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x5677964dcaac]
      sql/sql_parse.cc:1904(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x5677964e0861]
      sql/sql_parse.cc:1438(do_command(THD*, bool))[0x5677964e55fb]
      sql/sql_connect.cc:1503(do_handle_one_connection(CONNECT*, bool))[0x5677969cc349]
      sql/sql_connect.cc:1415(handle_one_connection)[0x5677969cc82f]
      perfschema/pfs.cc:2201(pfs_spawn_thread)[0x567796fdf7c8]
      asan/asan_interceptors.cpp:234(asan_thread_start(void*))[0x79eea405ea42]
      nptl/pthread_create.c:447(start_thread)[0x79eea309caa4]
      x86_64/clone3.S:80(clone3)[0x79eea3129c6c]
       
      Query (0x525005b0b9b0): CREATE TRIGGER z5_412 BEFORE SHUTDOWN SET @x=1
      

      ==1694329==ERROR: AddressSanitizer: use-after-poison on address 0x519000034440 at pc 0x5f847e25ad95 bp 0x74abc27b8610 sp 0x74abc27b8600
      READ of size 8 at 0x519000034440 thread T8
          #0 0x5f847e25ad94 in register_trigger /13.1/sql/sql_sys_or_ddl_trigger.cc:393
          #1 0x5f847e25ade7 in register_system_triggers /13.1/sql/sql_sys_or_ddl_trigger.cc:442
          #2 0x5f847e2657b4 in mysql_create_sys_trigger(THD*) /13.1/sql/sql_sys_or_ddl_trigger.cc:616
          #3 0x5f847d9b3b78 in mysql_execute_command(THD*, bool) /13.1/sql/sql_parse.cc:5734
          #4 0x5f847da35f2a in Prepared_statement::execute(String*, bool, select_result*, Server_side_cursor**) /13.1/sql/sql_prepare.cc:5367
          #5 0x5f847da3c214 in Prepared_statement::execute_loop(String*, bool, select_result*, Server_side_cursor**, InstrSlice const&, unsigned char*, unsigned char*) /13.1/sql/sql_prepare.cc:4725
          #6 0x5f847da3d145 in mysql_sql_stmt_execute /13.1/sql/sql_prepare.cc:3656
          #7 0x5f847da3d6a1 in mysql_sql_stmt_execute(THD*) /13.1/sql/sql_prepare.cc:3670
          #8 0x5f847d9a9204 in mysql_execute_command(THD*, bool) /13.1/sql/sql_parse.cc:4008
          #9 0x5f847e0eaff0 in sp_instr_stmt::exec_core(THD*, unsigned int*) /13.1/sql/sp_instr.cc:1281
          #10 0x5f847e0f41e0 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*, bool) /13.1/sql/sp_instr.cc:420
          #11 0x5f847e0fa307 in sp_lex_keeper::validate_lex_and_exec_core(THD*, unsigned int*, bool, sp_lex_instr*) /13.1/sql/sp_instr.cc:599
          #12 0x5f847e0fb932 in sp_instr_stmt::execute(THD*, unsigned int*) /13.1/sql/sp_instr.cc:1183
          #13 0x5f847d6cea95 in sp_head::execute(THD*, bool) /13.1/sql/sp_head.cc:1292
          #14 0x5f847d6d26ba in sp_head::execute_procedure(THD*, List<Item>*) /13.1/sql/sp_head.cc:2329
          #15 0x5f847d988ecd in do_execute_sp /13.1/sql/sql_parse.cc:3085
          #16 0x5f847d993de2 in Sql_cmd_call::execute(THD*) /13.1/sql/sql_parse.cc:3323
          #17 0x5f847d9b4ac2 in mysql_execute_command(THD*, bool) /13.1/sql/sql_parse.cc:5940
          #18 0x5f847d9b6aab in mysql_parse(THD*, char*, unsigned int, Parser_state*) /13.1/sql/sql_parse.cc:7980
          #19 0x5f847d9ba860 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /13.1/sql/sql_parse.cc:1904
          #20 0x5f847d9bf5fa in do_command(THD*, bool) /13.1/sql/sql_parse.cc:1438
          #21 0x5f847dea6348 in do_handle_one_connection(CONNECT*, bool) /13.1/sql/sql_connect.cc:1503
          #22 0x5f847dea682e in handle_one_connection /13.1/sql/sql_connect.cc:1415
          #23 0x5f847e4b97c7 in pfs_spawn_thread /13.1/storage/perfschema/pfs.cc:2198
          #24 0x74abd725ea41 in asan_thread_start ../../../../src/libsanitizer/asan/asan_interceptors.cpp:234
          #25 0x74abd649caa3 in start_thread nptl/pthread_create.c:447
          #26 0x74abd6529c6b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      


            People

              shulga Dmitry Shulga
              alice Alice Sherepa