[#MDEV-21821] ASAN heap-use-after-free in std::__atomic_base<long>::store, while using XA commit one phase and RocksDB table

10.4 a17a327f116302612
Version: '10.4.13-MariaDB-debug-log'
=================================================================
==25403==ERROR: AddressSanitizer: heap-use-after-free on address 0x6100000447e8 at pc 0x7f0fa22c3976 bp 0x7f0f79aef300 sp 0x7f0f79aef2f0
WRITE of size 8 at 0x6100000447e8 thread T71
#0 0x7f0fa22c3975 in std::__atomic_base<long>::store(long, std::memory_order) /usr/include/c++/5/bits/atomic_base.h:374
#1 0x7f0fa22c3975 in std::__atomic_base<long>::operator=(long) /usr/include/c++/5/bits/atomic_base.h:267
#2 0x7f0fa22af277 in myrocks::Rdb_transaction::on_commit() (/10.4/storage/rocksdb/ha_rocksdb.so+0xc64277)
#3 0x7f0fa22b1b25 in myrocks::Rdb_transaction_impl::commit_no_binlog() (/10.4/storage/rocksdb/ha_rocksdb.so+0xc66b25)
#4 0x7f0fa22aba03 in myrocks::Rdb_transaction::commit() (/10.4/storage/rocksdb/ha_rocksdb.so+0xc60a03)
#5 0x7f0fa2245d3d in rocksdb_commit /10.4/storage/rocksdb/ha_rocksdb.cc:4202
#6 0x114ef7e in commit_one_phase_2 /10.4/sql/handler.cc:1775
#7 0x114eccc in ha_commit_one_phase(THD*, bool) /10.4/sql/handler.cc:1755
#8 0x114d61a in ha_commit_trans(THD*, bool) /10.4/sql/handler.cc:1564
#9 0xf7ce95 in trans_xa_commit(THD*) /10.4/sql/xa.cc:555
#10 0x9cea5a in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:5964
#11 0x9da62e in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:7900
#12 0x9b3244 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1842
#13 0x9b0074 in do_command(THD*) /10.4/sql/sql_parse.cc:1360
#14 0xd46b54 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1412
#15 0xd464fa in handle_one_connection /10.4/sql/sql_connect.cc:1316
#16 0x7f0fb05956b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#17 0x7f0faf17841c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x6100000447e8 is located 168 bytes inside of 192-byte region [0x610000044740,0x610000044800)
freed by thread T70 here:
#0 0x7f0fb14c8b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
#1 0x7f0fa237ad63 in myrocks::Rdb_ddl_manager::remove(myrocks::Rdb_tbl_def, rocksdb::WriteBatch, bool) /10.4/storage/rocksdb/rdb_datadic.cc:4409
#2 0x7f0fa237b32d in myrocks::Rdb_ddl_manager::rename(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, rocksdb::WriteBatch*) /10.4/storage/rocksdb/rdb_datadic.cc:4451
#3 0x7f0fa2279891 in myrocks::ha_rocksdb::rename_table(char const, char const) /10.4/storage/rocksdb/ha_rocksdb.cc:11829
#4 0x116607a in handler::ha_rename_table(char const, char const) /10.4/sql/handler.cc:4681
#5 0xbe1cfe in mysql_rename_table(handlerton, st_mysql_const_lex_string const, st_mysql_const_lex_string const, st_mysql_const_lex_string const, st_mysql_const_lex_string const*, unsigned int) /10.4/sql/sql_table.cc:5543
#6 0xbfeb17 in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, HA_CREATE_INFO, TABLE_LIST, Alter_info, unsigned int, st_order*, bool) /10.4/sql/sql_table.cc:10328
#7 0xd5c6f2 in Sql_cmd_alter_table::execute(THD*) /10.4/sql/sql_alter.cc:508
#8 0x9cf8f8 in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:6101
#9 0x9da62e in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:7900
#10 0x9b3244 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1842
#11 0x9b0074 in do_command(THD*) /10.4/sql/sql_parse.cc:1360
#12 0xd46b54 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1412
#13 0xd464fa in handle_one_connection /10.4/sql/sql_connect.cc:1316
#14 0x7f0fb05956b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

previously allocated by thread T70 here:
#0 0x7f0fb14c8532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x7f0fa237aff6 in myrocks::Rdb_ddl_manager::rename(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, rocksdb::WriteBatch*) /10.4/storage/rocksdb/rdb_datadic.cc:4430
#2 0x7f0fa2279891 in myrocks::ha_rocksdb::rename_table(char const, char const) /10.4/storage/rocksdb/ha_rocksdb.cc:11829
#3 0x116607a in handler::ha_rename_table(char const, char const) /10.4/sql/handler.cc:4681
#4 0xbe1cfe in mysql_rename_table(handlerton, st_mysql_const_lex_string const, st_mysql_const_lex_string const, st_mysql_const_lex_string const, st_mysql_const_lex_string const*, unsigned int) /10.4/sql/sql_table.cc:5543
#5 0xbfeb9c in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, HA_CREATE_INFO, TABLE_LIST, Alter_info, unsigned int, st_order*, bool) /10.4/sql/sql_table.cc:10338
#6 0xd5c6f2 in Sql_cmd_alter_table::execute(THD*) /10.4/sql/sql_alter.cc:508
#7 0x9cf8f8 in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:6101
#8 0x9da62e in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:7900
#9 0x9b3244 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1842
#10 0x9b0074 in do_command(THD*) /10.4/sql/sql_parse.cc:1360
#11 0xd46b54 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1412
#12 0xd464fa in handle_one_connection /10.4/sql/sql_connect.cc:1316
#13 0x7f0fb05956b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T71 created by T0 here:
#0 0x7f0fb1465253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x2385ad5 in spawn_thread_noop /10.4/mysys/psi_noop.c:187
#2 0x6f9c50 in inline_mysql_thread_create /10.4/include/mysql/psi/mysql_thread.h:1275
#3 0x70f00a in create_thread_to_handle_connection(CONNECT*) /10.4/sql/mysqld.cc:6242
#4 0x70f72e in create_new_thread(CONNECT*) /10.4/sql/mysqld.cc:6312
#5 0x70fad6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/sql/mysqld.cc:6410
#6 0x710753 in handle_connections_sockets() /10.4/sql/mysqld.cc:6568
#7 0x70e811 in mysqld_main(int, char**) /10.4/sql/mysqld.cc:5900
#8 0x6f7a45 in main /10.4/sql/main.cc:25
#9 0x7f0faf09182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Thread T70 created by T0 here:
#0 0x7f0fb1465253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x2385ad5 in spawn_thread_noop /10.4/mysys/psi_noop.c:187
#2 0x6f9c50 in inline_mysql_thread_create /10.4/include/mysql/psi/mysql_thread.h:1275
#3 0x70f00a in create_thread_to_handle_connection(CONNECT*) /10.4/sql/mysqld.cc:6242
#4 0x70f72e in create_new_thread(CONNECT*) /10.4/sql/mysqld.cc:6312
#5 0x70fad6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/sql/mysqld.cc:6410
#6 0x710753 in handle_connections_sockets() /10.4/sql/mysqld.cc:6568
#7 0x70e811 in mysqld_main(int, char**) /10.4/sql/mysqld.cc:5900
#8 0x6f7a45 in main /10.4/sql/main.cc:25
#9 0x7f0faf09182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/5/bits/atomic_base.h:374 std::__atomic_base<long>::store(long, std::memory_order)
Shadow bytes around the buggy address:
0x0c20800008a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c20800008b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c20800008c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c20800008d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c20800008e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c20800008f0: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
0x0c2080000900: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2080000910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2080000920: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2080000930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c2080000940: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==25403==ABORTING

Version: '10.4.13-MariaDB-debug-log'

=================================================================

==26969==ERROR: AddressSanitizer: heap-use-after-free on address 0x6100000201e8 at pc 0x7efe75e43976 bp 0x7efe4ddbe750 sp 0x7efe4ddbe740

WRITE of size 8 at 0x6100000201e8 thread T72

    #0 0x7efe75e43975 in std::__atomic_base<long>::store(long, std::memory_order) /usr/include/c++/5/bits/atomic_base.h:374

    #1 0x7efe75e43975 in std::__atomic_base<long>::operator=(long) /usr/include/c++/5/bits/atomic_base.h:267

    #2 0x7efe75e2f277 in myrocks::Rdb_transaction::on_commit() (/10.4/storage/rocksdb/ha_rocksdb.so+0xc64277)

    #3 0x7efe75e31b25 in myrocks::Rdb_transaction_impl::commit_no_binlog() (/10.4/storage/rocksdb/ha_rocksdb.so+0xc66b25)

    #4 0x7efe75e2ba03 in myrocks::Rdb_transaction::commit() (/10.4/storage/rocksdb/ha_rocksdb.so+0xc60a03)

    #5 0x7efe75dc56ca in rocksdb_commit_ordered /10.4/storage/rocksdb/ha_rocksdb.cc:4139

    #6 0x1426e5e in TC_LOG::run_commit_ordered(THD*, bool) /10.4/sql/log.cc:8950

    #7 0x1421ce4 in MYSQL_BIN_LOG::trx_group_commit_leader(MYSQL_BIN_LOG::group_commit_entry*) /10.4/sql/log.cc:8184

    #8 0x141efa8 in MYSQL_BIN_LOG::write_transaction_to_binlog_events(MYSQL_BIN_LOG::group_commit_entry*) /10.4/sql/log.cc:7773

    #9 0x141d689 in MYSQL_BIN_LOG::write_transaction_to_binlog(THD*, binlog_cache_mngr*, Log_event*, bool, bool, bool) /10.4/sql/log.cc:7421

    #10 0x13fd830 in binlog_flush_cache /10.4/sql/log.cc:1786

    #11 0x13fe594 in binlog_commit_flush_xid_caches /10.4/sql/log.cc:1906

    #12 0x142c011 in MYSQL_BIN_LOG::log_and_order(THD*, unsigned long long, bool, bool, bool) /10.4/sql/log.cc:9733

    #13 0x114db12 in ha_commit_trans(THD*, bool) /10.4/sql/handler.cc:1625

    #14 0xf7ce95 in trans_xa_commit(THD*) /10.4/sql/xa.cc:555

    #15 0x9cea5a in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:5964

    #16 0x9da62e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:7900

    #17 0x9b3244 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1842

    #18 0x9b0074 in do_command(THD*) /10.4/sql/sql_parse.cc:1360

    #19 0xd46b54 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1412

    #20 0xd464fa in handle_one_connection /10.4/sql/sql_connect.cc:1316

    #21 0x7efe840e76b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

    #22 0x7efe82cca41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x6100000201e8 is located 168 bytes inside of 192-byte region [0x610000020140,0x610000020200)

freed by thread T71 here:

    #0 0x7efe8501ab2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)

    #1 0x7efe75efad63 in myrocks::Rdb_ddl_manager::remove(myrocks::Rdb_tbl_def*, rocksdb::WriteBatch*, bool) /10.4/storage/rocksdb/rdb_datadic.cc:4409

    #2 0x7efe75efb32d in myrocks::Rdb_ddl_manager::rename(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, rocksdb::WriteBatch*) /10.4/storage/rocksdb/rdb_datadic.cc:4451

    #3 0x7efe75df9891 in myrocks::ha_rocksdb::rename_table(char const*, char const*) /10.4/storage/rocksdb/ha_rocksdb.cc:11829

    #4 0x116607a in handler::ha_rename_table(char const*, char const*) /10.4/sql/handler.cc:4681

    #5 0xbe1cfe in mysql_rename_table(handlerton*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, unsigned int) /10.4/sql/sql_table.cc:5543

    #6 0xbfeb17 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /10.4/sql/sql_table.cc:10328

    #7 0xd5c6f2 in Sql_cmd_alter_table::execute(THD*) /10.4/sql/sql_alter.cc:508

    #8 0x9cf8f8 in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:6101

    #9 0x9da62e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:7900

    #10 0x9b3244 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1842

    #11 0x9b0074 in do_command(THD*) /10.4/sql/sql_parse.cc:1360

    #12 0xd46b54 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1412

    #13 0xd464fa in handle_one_connection /10.4/sql/sql_connect.cc:1316

    #14 0x7efe840e76b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

previously allocated by thread T71 here:

    #0 0x7efe8501a532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)

    #1 0x7efe75efaff6 in myrocks::Rdb_ddl_manager::rename(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, rocksdb::WriteBatch*) /10.4/storage/rocksdb/rdb_datadic.cc:4430

    #2 0x7efe75df9891 in myrocks::ha_rocksdb::rename_table(char const*, char const*) /10.4/storage/rocksdb/ha_rocksdb.cc:11829

    #3 0x116607a in handler::ha_rename_table(char const*, char const*) /10.4/sql/handler.cc:4681

    #4 0xbe1cfe in mysql_rename_table(handlerton*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, unsigned int) /10.4/sql/sql_table.cc:5543

    #5 0xbfeb9c in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /10.4/sql/sql_table.cc:10338

    #6 0xd5c6f2 in Sql_cmd_alter_table::execute(THD*) /10.4/sql/sql_alter.cc:508

    #7 0x9cf8f8 in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:6101

    #8 0x9da62e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:7900

    #9 0x9b3244 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1842

    #10 0x9b0074 in do_command(THD*) /10.4/sql/sql_parse.cc:1360

    #11 0xd46b54 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1412

    #12 0xd464fa in handle_one_connection /10.4/sql/sql_connect.cc:1316

    #13 0x7efe840e76b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T72 created by T0 here:

    #0 0x7efe84fb7253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)

    #1 0x2385ad5 in spawn_thread_noop /10.4/mysys/psi_noop.c:187

    #2 0x6f9c50 in inline_mysql_thread_create /10.4/include/mysql/psi/mysql_thread.h:1275

    #3 0x70f00a in create_thread_to_handle_connection(CONNECT*) /10.4/sql/mysqld.cc:6242

    #4 0x70f72e in create_new_thread(CONNECT*) /10.4/sql/mysqld.cc:6312

    #5 0x70fad6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/sql/mysqld.cc:6410

    #6 0x710753 in handle_connections_sockets() /10.4/sql/mysqld.cc:6568

    #7 0x70e811 in mysqld_main(int, char**) /10.4/sql/mysqld.cc:5900

    #8 0x6f7a45 in main /10.4/sql/main.cc:25

    #9 0x7efe82be382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Thread T71 created by T0 here:

    #0 0x7efe84fb7253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)

    #1 0x2385ad5 in spawn_thread_noop /10.4/mysys/psi_noop.c:187

    #2 0x6f9c50 in inline_mysql_thread_create /10.4/include/mysql/psi/mysql_thread.h:1275

    #3 0x70f00a in create_thread_to_handle_connection(CONNECT*) /10.4/sql/mysqld.cc:6242

    #4 0x70f72e in create_new_thread(CONNECT*) /10.4/sql/mysqld.cc:6312

    #5 0x70fad6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/sql/mysqld.cc:6410

    #6 0x710753 in handle_connections_sockets() /10.4/sql/mysqld.cc:6568

    #7 0x70e811 in mysqld_main(int, char**) /10.4/sql/mysqld.cc:5900

    #8 0x6f7a45 in main /10.4/sql/main.cc:25

    #9 0x7efe82be382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/5/bits/atomic_base.h:374 std::__atomic_base<long>::store(long, std::memory_order)

Shadow bytes around the buggy address:

  0x0c207fffbfe0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd

  0x0c207fffbff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c207fffc000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd

  0x0c207fffc010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c207fffc020: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd

=>0x0c207fffc030: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd

  0x0c207fffc040: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd

  0x0c207fffc050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c207fffc060: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd

  0x0c207fffc070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c207fffc080: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:       fa

  Heap right redzone:      fb

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack partial redzone:   f4

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

==26969==ABORTING

perl ./runall-new.pl --threads=2 --duration=200 --queries=1M --grammar=1my3.yy --engine=RocksDB --mysqld=--default-storage-engine=RocksDB --mysqld=--plugin-load-add=ha_rocksdb --gendata --basedir=/10.4  --vardir=/1

CREATE TABLE t1 (a INT) ENGINE=RocksDB;

INSERT INTO t1 () VALUES (1),(2);

--connect (con1,localhost,root,,)

START TRANSACTION;

UPDATE t1 SET a = 0;

LOAD INDEX INTO CACHE x;

--connection default

ALTER TABLE t1 FORCE;

--connection con1

DROP TABLE IF EXISTS xx;

# Cleanup

--disconnect con1

--connection default

DROP TABLE t1;

10.3 ASAN a662cb9b
==25160==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000000d1e8 at pc 0x7f81a1d38cc2 bp 0x7f819c2dc7a0 sp 0x7f819c2dc798
WRITE of size 8 at 0x61000000d1e8 thread T29
#0 0x7f81a1d38cc1 in std::__atomic_base<long>::store(long, std::memory_order) /usr/include/c++/6/bits/atomic_base.h:374
#1 0x7f81a1d38cc1 in std::__atomic_base<long>::operator=(long) /usr/include/c++/6/bits/atomic_base.h:267
#2 0x7f81a1d24f0e in myrocks::Rdb_transaction::on_commit() (/data/bld/10.3-asan/lib/plugin/ha_rocksdb.so+0xb7bf0e)
#3 0x7f81a1d276dc in myrocks::Rdb_transaction_impl::commit_no_binlog() (/data/bld/10.3-asan/lib/plugin/ha_rocksdb.so+0xb7e6dc)
#4 0x7f81a1d2165b in myrocks::Rdb_transaction::commit() (/data/bld/10.3-asan/lib/plugin/ha_rocksdb.so+0xb7865b)
#5 0x7f81a1cbfe13 in rocksdb_commit /data/src/10.3/storage/rocksdb/ha_rocksdb.cc:4202
#6 0x560b6e9cdbd6 in commit_one_phase_2 /data/src/10.3/sql/handler.cc:1642
#7 0x560b6e9cd92f in ha_commit_one_phase(THD*, bool) /data/src/10.3/sql/handler.cc:1622
#8 0x560b6e9cc88f in ha_commit_trans(THD*, bool) /data/src/10.3/sql/handler.cc:1484
#9 0x560b6e66a10a in trans_commit_implicit(THD*) /data/src/10.3/sql/transaction.cc:361
#10 0x560b6e2d31a2 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3668
#11 0x560b6e2ed8bc in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7817
#12 0x560b6e2c8628 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
#13 0x560b6e2c5507 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
#14 0x560b6e63b912 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
#15 0x560b6e63b2d9 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
#16 0x560b6faa5b6d in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
#17 0x7f81ac07b4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
#18 0x7f81aa1afd0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)

0x61000000d1e8 is located 168 bytes inside of 192-byte region [0x61000000d140,0x61000000d200)
freed by thread T28 here:
#0 0x7f81ac3541f0 in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc31f0)
#1 0x7f81a1ded1de in myrocks::Rdb_ddl_manager::remove(myrocks::Rdb_tbl_def, rocksdb::WriteBatch, bool) /data/src/10.3/storage/rocksdb/rdb_datadic.cc:4408
#2 0x7f81a1ded786 in myrocks::Rdb_ddl_manager::rename(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, rocksdb::WriteBatch*) /data/src/10.3/storage/rocksdb/rdb_datadic.cc:4450
#3 0x7f81a1cf14fe in myrocks::ha_rocksdb::rename_table(char const, char const) /data/src/10.3/storage/rocksdb/ha_rocksdb.cc:11825
#4 0x560b6e9e52d4 in handler::ha_rename_table(char const, char const) /data/src/10.3/sql/handler.cc:4667
#5 0x560b6e4e3710 in mysql_rename_table(handlerton, st_mysql_const_lex_string const, st_mysql_const_lex_string const, st_mysql_const_lex_string const, st_mysql_const_lex_string const*, unsigned int) /data/src/10.3/sql/sql_table.cc:5507
#6 0x560b6e4ff573 in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, HA_CREATE_INFO, TABLE_LIST, Alter_info, unsigned int, st_order*, bool) /data/src/10.3/sql/sql_table.cc:10133
#7 0x560b6e64ab75 in Sql_cmd_alter_table::execute(THD*) /data/src/10.3/sql/sql_alter.cc:500
#8 0x560b6e2e25bf in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6030
#9 0x560b6e2ed8bc in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7817
#10 0x560b6e2c8628 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
#11 0x560b6e2c5507 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
#12 0x560b6e63b912 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
#13 0x560b6e63b2d9 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
#14 0x560b6faa5b6d in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
#15 0x7f81ac07b4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)

previously allocated by thread T28 here:
#0 0x7f81ac353bf0 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2bf0)
#1 0x7f81a1cd427b in myrocks::ha_rocksdb::create_table(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, TABLE const*, unsigned long long) /data/src/10.3/storage/rocksdb/ha_rocksdb.cc:7683
#2 0x7f81a1cd515f in myrocks::ha_rocksdb::create(char const, TABLE, HA_CREATE_INFO*) /data/src/10.3/storage/rocksdb/ha_rocksdb.cc:7848
#3 0x560b6e9e564f in handler::ha_create(char const, TABLE, HA_CREATE_INFO*) /data/src/10.3/sql/handler.cc:4715
#4 0x560b6e9e97fe in ha_create_table(THD, char const, char const, char const, HA_CREATE_INFO, st_mysql_const_unsigned_lex_string) /data/src/10.3/sql/handler.cc:5178
#5 0x560b6e5c9f69 in rea_create_table(THD, st_mysql_const_unsigned_lex_string, char const, char const, char const, HA_CREATE_INFO, handler*, bool) /data/src/10.3/sql/unireg.cc:515
#6 0x560b6e4e0075 in create_table_impl /data/src/10.3/sql/sql_table.cc:4999
#7 0x560b6e4e0b4b in mysql_create_table_no_lock(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, Table_specification_st, Alter_info, bool, int, TABLE_LIST*) /data/src/10.3/sql/sql_table.cc:5121
#8 0x560b6e4e15cc in mysql_create_table(THD, TABLE_LIST, Table_specification_st, Alter_info) /data/src/10.3/sql/sql_table.cc:5210
#9 0x560b6e507768 in Sql_cmd_create_table_like::execute(THD*) /data/src/10.3/sql/sql_table.cc:11250
#10 0x560b6e2e25bf in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6030
#11 0x560b6e2ed8bc in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7817
#12 0x560b6e2c8628 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
#13 0x560b6e2c5507 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
#14 0x560b6e63b912 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
#15 0x560b6e63b2d9 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
#16 0x560b6faa5b6d in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
#17 0x7f81ac07b4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)

Thread T29 created by T0 here:
#0 0x7f81ac2c1f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x560b6faa5fa9 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
#2 0x560b6e0328c0 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
#3 0x560b6e047e31 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6608
#4 0x560b6e048514 in create_new_thread /data/src/10.3/sql/mysqld.cc:6678
#5 0x560b6e04952c in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6953
#6 0x560b6e047301 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6230
#7 0x560b6e030fdf in main /data/src/10.3/sql/main.cc:25
#8 0x7f81aa0e72e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

Thread T28 created by T0 here:
#0 0x7f81ac2c1f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x560b6faa5fa9 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
#2 0x560b6e0328c0 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
#3 0x560b6e047e31 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6608
#4 0x560b6e048514 in create_new_thread /data/src/10.3/sql/mysqld.cc:6678
#5 0x560b6e04952c in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6953
#6 0x560b6e047301 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6230
#7 0x560b6e030fdf in main /data/src/10.3/sql/main.cc:25
#8 0x7f81aa0e72e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/6/bits/atomic_base.h:374 in std::__atomic_base<long>::store(long, std::memory_order)
Shadow bytes around the buggy address:
0x0c207fff99e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c207fff99f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c207fff9a00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c207fff9a10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c207fff9a20: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c207fff9a30: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
0x0c207fff9a40: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c207fff9a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c207fff9a60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c207fff9a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c207fff9a80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25160==ABORTING

[MDEV-21821] ASAN heap-use-after-free in std::__atomic_base<long>::store, while using XA commit one phase and RocksDB table Created: 2020-02-26 Updated: 2023-04-27
Status:	Confirmed
Project:	MariaDB Server
Component/s:	Storage Engine - RocksDB
Affects Version/s:	10.3, 10.4, 10.5
Fix Version/s:	10.4, 10.5

[MDEV-21821] ASAN heap-use-after-free in std::__atomic_base<long>::store, while using XA commit one phase and RocksDB table Created: 2020-02-26 Updated: 2023-04-27