[MDEV-15029] XA COMMIT and XA ROLLBACK operate on freed transaction object

Created: 2018-01-22
Updated: 2018-01-23
Resolved: 2018-01-23

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - InnoDB
Affects Version/s: 10.2.2, 10.3.0
Fix Version/s: 10.2.13, 10.3.5

Type: Bug
Priority: Major
Reporter: Marko Mäkelä
Assignee: Marko Mäkelä
Resolution: Fixed
Votes: 0
Labels: corruption, transactions, upstream

Issue Links:
Relates
relates to MDEV-13935 INSERT INTO stuck at state "Unlocking... Closed
relates to MDEV-14128 Assertion `trx->in_depth > 0' failed ... Closed
relates to MDEV-15030 Add ASAN instrumentation Closed

Description

The functions innobase_commit_by_xid() and innobase_rollback_by_xid(), which implement XA COMMIT and XA ROLLBACK for XA PREPARE transactions that are no longer attached to a connection, are freeing the transaction object to the pool prematurely, and then modifying the trx_t::in_depth and trx_t::in_innodb fields of the freed object. While the object is already free in the pool, it could be reused by trx_create_low() by some other connection. This could cause memory corruption and cause bugs like MDEV-14128 and MDEV-13935.

This bug was caught after adding AddressSanitizer poisoning to the transaction Pool.
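The ordering problem described above, and why poisoning free pool slots exposes it, shown as an added example that is not MariaDB code. The pool, `toy_trx_t`, `finish_buggy`, `finish_fixed` and the byte-pattern poison are constructed stand-ins (real AddressSanitizer poisoning traps the write itself); only the two field names come from the report.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for trx_t: only the two fields the report names. */
typedef struct { unsigned in_depth, in_innodb; } toy_trx_t;
enum { POOL_SIZE = 4, POISON = 0xA5 };
static toy_trx_t slots[POOL_SIZE];
static int in_use[POOL_SIZE];

static void pool_init(void) {
    memset(slots, POISON, sizeof slots);   /* free slots hold the poison byte */
    memset(in_use, 0, sizeof in_use);
}

/* Hand out the first free slot; *dirty is set if it was written while free. */
static toy_trx_t *pool_get(int *dirty) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (in_use[i]) continue;
        const unsigned char *p = (const unsigned char *)&slots[i];
        for (size_t b = 0; b < sizeof slots[i]; b++)
            if (p[b] != POISON) *dirty = 1;
        in_use[i] = 1;
        memset(&slots[i], 0, sizeof slots[i]);
        return &slots[i];
    }
    return NULL;
}

static void pool_put(toy_trx_t *t) {
    memset(t, POISON, sizeof *t);          /* re-poison on release */
    in_use[t - slots] = 0;
}

/* Order the report describes: release first, then update the fields. */
static void finish_buggy(toy_trx_t *t) { pool_put(t); t->in_depth = 0; t->in_innodb = 0; }
/* One corrected order: finish every field update, then release. */
static void finish_fixed(toy_trx_t *t) { t->in_depth = 0; t->in_innodb = 0; pool_put(t); }

/* One get/finish/get cycle; returns 1 if the pool saw a write to a free slot. */
static int run_cycle(void (*finish)(toy_trx_t *)) {
    int dirty = 0;
    pool_init();
    toy_trx_t *t = pool_get(&dirty);
    t->in_depth = t->in_innodb = 1;        /* transaction is active */
    finish(t);
    pool_get(&dirty);                      /* "another connection" reuses the slot */
    return dirty;
}

int main(void) { printf("buggy=%d fixed=%d\n", run_cycle(finish_buggy), run_cycle(finish_fixed)); return 0; }
```

Because the slots live in a static array, the late writes in `finish_buggy` are well-defined C here, which keeps the demonstration deterministic; in a real pool the same writes land in an object another connection may already own.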

