[#MDEV-15518] XA: Server crash or ASAN heap-use-after-free in ha_innobase::delete

Note: According to marko, it can be a member of ~~MDEV-14693~~ family.

--source include/have_innodb.inc

CREATE TABLE t1 (a INT) ENGINE=InnoDB;

--connect (con1,localhost,root,,test)

XA START 'xid';

CREATE TEMPORARY TABLE tmp (b INT) ENGINE=InnoDB;

INSERT INTO t1 VALUES (1);

--error ER_XAER_RMFAIL

COMMIT;

# Could also be --ER_XAER_NOTA

# XA COMMIT 'non_existing_xid';

# etc.

--connection default

DROP TABLE t1;

10.2 8f98835bb86
#3 <signal handler called>
#4 0x00007f3e62b3f34e in __strcmp_sse2_unaligned () from /lib/x86_64-linux-gnu/libc.so.6
#5 0x00005574d2b3cfd0 in ha_innobase::delete_table (this=0x7f3de8011028, name=0x7f3de80258f8 "/data/bld/10.2/data/tmp/#sql8ab_9_0") at /data/src/10.2/storage/innobase/handler/ha_innodb.cc:13512
#6 0x00005574d28254dc in handler::ha_delete_table (this=0x7f3de8011028, name=0x7f3de80258f8 "/data/bld/10.2/data/tmp/#sql8ab_9_0") at /data/src/10.2/sql/handler.cc:4337
#7 0x00005574d279a967 in THD::rm_temporary_table (this=0x7f3de8000b00, base=0x5574d4645290, path=0x7f3de80258f8 "/data/bld/10.2/data/tmp/#sql8ab_9_0") at /data/src/10.2/sql/temporary_tables.cc:676
#8 0x00005574d279c533 in THD::free_tmp_table_share (this=0x7f3de8000b00, share=0x7f3de80253e0, delete_table=true) at /data/src/10.2/sql/temporary_tables.cc:1445
#9 0x00005574d279a428 in THD::close_temporary_tables (this=0x7f3de8000b00) at /data/src/10.2/sql/temporary_tables.cc:509
#10 0x00005574d255f40f in THD::cleanup (this=0x7f3de8000b00) at /data/src/10.2/sql/sql_class.cc:1462
#11 0x00005574d24c78d2 in unlink_thd (thd=0x7f3de8000b00) at /data/src/10.2/sql/mysqld.cc:2910
#12 0x00005574d24c7d73 in one_thread_per_connection_end (thd=0x7f3de8000b00, put_in_cache=true) at /data/src/10.2/sql/mysqld.cc:3055
#13 0x00005574d26f272f in do_handle_one_connection (connect=0x5574d507f1f0) at /data/src/10.2/sql/sql_connect.cc:1354
#14 0x00005574d26f23d3 in handle_one_connection (arg=0x5574d507f1f0) at /data/src/10.2/sql/sql_connect.cc:1241
#15 0x00007f3e647b2494 in start_thread (arg=0x7f3e60257700) at pthread_create.c:333
#16 0x00007f3e62b9893f in clone () from /lib/x86_64-linux-gnu/libc.so.6

==330==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000067c18 at pc 0x55fdc35543e3 bp 0x7f2b649aff30 sp 0x7f2b649aff28

READ of size 8 at 0x617000067c18 thread T32

    #0 0x55fdc35543e2 in ha_innobase::delete_table(char const*) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:13512

    #1 0x55fdc2dabcf8 in handler::ha_delete_table(char const*) /data/src/10.2/sql/handler.cc:4337

    #2 0x55fdc2c5215f in THD::rm_temporary_table(handlerton*, char const*) /data/src/10.2/sql/temporary_tables.cc:676

    #3 0x55fdc2c5626b in THD::free_tmp_table_share(TMP_TABLE_SHARE*, bool) /data/src/10.2/sql/temporary_tables.cc:1445

    #4 0x55fdc2c515c1 in THD::close_temporary_tables() /data/src/10.2/sql/temporary_tables.cc:509

    #5 0x55fdc27025dc in THD::cleanup() /data/src/10.2/sql/sql_class.cc:1462

    #6 0x55fdc25b3412 in unlink_thd(THD*) /data/src/10.2/sql/mysqld.cc:2910

    #7 0x55fdc25b3d13 in one_thread_per_connection_end(THD*, bool) /data/src/10.2/sql/mysqld.cc:3055

    #8 0x55fdc2ae660b in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1354

    #9 0x55fdc2ae5dfe in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241

    #10 0x7f2b99b7f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

    #11 0x7f2b97f6593e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

Could not reproduce on 10.1 or 10.3.

[MDEV-15518] XA: Server crash or ASAN heap-use-after-free in ha_innobase::delete_table Created: 2018-03-08 Updated: 2020-02-13 Resolved: 2020-02-13
Status:	Closed
Project:	MariaDB Server
Component/s:	Storage Engine - InnoDB, XA
Affects Version/s:	10.2
Fix Version/s:	N/A

[MDEV-15518] XA: Server crash or ASAN heap-use-after-free in ha_innobase::delete_table Created: 2018-03-08 Updated: 2020-02-13 Resolved: 2020-02-13