[MDEV-31395] Server crashes in THD::decide_logging_format upon CREATE TEMPORARY TABLE via PS with function
Created: 2023-06-02  Updated: 2023-11-28

Status: Open
Project: MariaDB Server
Component/s: Data Definition - Temporary, Prepared Statements, Stored routines
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: None


Description

Not sure to whom it should belong, as it's a mix of binary logging, temporary tables, stored functions and prepared statements. Feel free to reassign as needed.

--source include/have_log_bin.inc
 
CREATE TEMPORARY TABLE t (a INT);
--delimiter $
CREATE FUNCTION f() RETURNS INT NOT DETERMINISTIC BEGIN INSERT INTO t VALUES (1); RETURN 0; END $
--delimiter ;
EXECUTE IMMEDIATE "CREATE OR REPLACE TEMPORARY TABLE t AS SELECT f()";
 
# Cleanup
DROP FUNCTION f;

10.4 956d6c4a ASAN

==1159316==ERROR: AddressSanitizer: heap-use-after-free on address 0x62000003c088 at pc 0x559e1110f88d bp 0x7ff8d5c188b0 sp 0x7ff8d5c188a8
READ of size 8 at 0x62000003c088 thread T6
    #0 0x559e1110f88c in THD::decide_logging_format(TABLE_LIST*) /data/src/10.4/sql/sql_class.cc:6075
    #1 0x559e111791f3 in do_postlock /data/src/10.4/sql/sql_insert.cc:4549
    #2 0x559e1117ef15 in TABLEOP_HOOKS::postlock(TABLE**, unsigned int) /data/src/10.4/sql/handler.h:2503
    #3 0x559e11178b9a in select_create::create_table_from_items(THD*, List<Item>*, st_mysql_lock**, TABLEOP_HOOKS*) /data/src/10.4/sql/sql_insert.cc:4478
    #4 0x559e1117973b in select_create::prepare(List<Item>&, st_select_lex_unit*) /data/src/10.4/sql/sql_insert.cc:4588
    #5 0x559e112c298a in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.4/sql/sql_select.cc:1590
    #6 0x559e112e4c85 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4789
    #7 0x559e112b5cf4 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:442
    #8 0x559e1149d141 in Sql_cmd_create_table_like::execute(THD*) /data/src/10.4/sql/sql_table.cc:11768
    #9 0x559e11223234 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6216
    #10 0x559e112825da in Prepared_statement::execute(String*, bool) /data/src/10.4/sql/sql_prepare.cc:5024
    #11 0x559e1127dc1a in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.4/sql/sql_prepare.cc:4493
    #12 0x559e112836ed in Prepared_statement::execute_immediate(char const*, unsigned int) /data/src/10.4/sql/sql_prepare.cc:5148
    #13 0x559e11274ac0 in mysql_sql_stmt_execute_immediate(THD*) /data/src/10.4/sql/sql_prepare.cc:3012
    #14 0x559e11212d90 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3982
    #15 0x559e1122ea36 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8008
    #16 0x559e11204d79 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
    #17 0x559e112018f2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
    #18 0x559e11600899 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
    #19 0x559e116001b0 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
    #20 0x559e1226cb83 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #21 0x7ff8ddaa7fd3 in start_thread nptl/pthread_create.c:442
    #22 0x7ff8ddb285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
 
0x62000003c088 is located 8 bytes inside of 3576-byte region [0x62000003c080,0x62000003ce78)
freed by thread T6 here:
    #0 0x7ff8de0b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x559e12db3328 in my_free /data/src/10.4/mysys/my_malloc.c:222
    #2 0x559e118092ac in THD::close_temporary_table(TABLE*) /data/src/10.4/sql/temporary_tables.cc:1242
    #3 0x559e1180ac33 in THD::free_temporary_table(TABLE*) /data/src/10.4/sql/temporary_tables.cc:1491
    #4 0x559e11805761 in THD::drop_temporary_table(TABLE*, bool*, bool) /data/src/10.4/sql/temporary_tables.cc:655
    #5 0x559e1146caca in create_table_impl /data/src/10.4/sql/sql_table.cc:5038
    #6 0x559e1146e22d in mysql_create_table_no_lock(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /data/src/10.4/sql/sql_table.cc:5267
    #7 0x559e1117814c in select_create::create_table_from_items(THD*, List<Item>*, st_mysql_lock**, TABLEOP_HOOKS*) /data/src/10.4/sql/sql_insert.cc:4398
    #8 0x559e1117973b in select_create::prepare(List<Item>&, st_select_lex_unit*) /data/src/10.4/sql/sql_insert.cc:4588
    #9 0x559e112c298a in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.4/sql/sql_select.cc:1590
    #10 0x559e112e4c85 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4789
    #11 0x559e112b5cf4 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:442
    #12 0x559e1149d141 in Sql_cmd_create_table_like::execute(THD*) /data/src/10.4/sql/sql_table.cc:11768
    #13 0x559e11223234 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6216
    #14 0x559e112825da in Prepared_statement::execute(String*, bool) /data/src/10.4/sql/sql_prepare.cc:5024
    #15 0x559e1127dc1a in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.4/sql/sql_prepare.cc:4493
    #16 0x559e112836ed in Prepared_statement::execute_immediate(char const*, unsigned int) /data/src/10.4/sql/sql_prepare.cc:5148
    #17 0x559e11274ac0 in mysql_sql_stmt_execute_immediate(THD*) /data/src/10.4/sql/sql_prepare.cc:3012
    #18 0x559e11212d90 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3982
    #19 0x559e1122ea36 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8008
    #20 0x559e11204d79 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
    #21 0x559e112018f2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
    #22 0x559e11600899 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
    #23 0x559e116001b0 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
    #24 0x559e1226cb83 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #25 0x7ff8ddaa7fd3 in start_thread nptl/pthread_create.c:442
 
previously allocated by thread T6 here:
    #0 0x7ff8de0b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x559e12db2789 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
    #2 0x559e11808589 in THD::open_temporary_table(TMP_TABLE_SHARE*, char const*) /data/src/10.4/sql/temporary_tables.cc:1113
    #3 0x559e118020fe in THD::create_and_open_tmp_table(st_mysql_const_unsigned_lex_string*, char const*, char const*, char const*, bool) /data/src/10.4/sql/temporary_tables.cc:74
    #4 0x559e1146da34 in create_table_impl /data/src/10.4/sql/sql_table.cc:5195
    #5 0x559e1146e22d in mysql_create_table_no_lock(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /data/src/10.4/sql/sql_table.cc:5267
    #6 0x559e1146f0d0 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /data/src/10.4/sql/sql_table.cc:5416
    #7 0x559e1149d7dc in Sql_cmd_create_table_like::execute(THD*) /data/src/10.4/sql/sql_table.cc:11823
    #8 0x559e11223234 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6216
    #9 0x559e1122ea36 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8008
    #10 0x559e11204d79 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
    #11 0x559e112018f2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
    #12 0x559e11600899 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
    #13 0x559e116001b0 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
    #14 0x559e1226cb83 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #15 0x7ff8ddaa7fd3 in start_thread nptl/pthread_create.c:442
 
Thread T6 created by T0 here:
    #0 0x7ff8de049726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0x559e1226cf70 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
    #2 0x559e10f0df28 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
    #3 0x559e10f2562e in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6287
    #4 0x559e10f25d79 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6357
    #5 0x559e10f26247 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6455
    #6 0x559e10f270f3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6613
    #7 0x559e10f24d91 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5945
    #8 0x559e10f0c0b8 in main /data/src/10.4/sql/main.cc:25
    #9 0x7ff8dda46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/sql_class.cc:6075 in THD::decide_logging_format(TABLE_LIST*)
Shadow bytes around the buggy address:
  0x0c407ffff7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c407ffff7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407ffff7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407ffff7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407ffff800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c407ffff810: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c407ffff820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c407ffff830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c407ffff840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c407ffff850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c407ffff860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1159316==ABORTING

10.4 956d6c4a non-debug, non-ASAN

#2  <signal handler called>
#3  0x0000555b0b9035c6 in handler::ha_table_flags (this=<optimized out>) at /data/src/10.4/sql/handler.h:3244
#4  THD::decide_logging_format (this=this@entry=0x7fb1c4000c58, tables=0x7fb1c40bb2b0) at /data/src/10.4/sql/sql_class.cc:6076
#5  0x0000555b0b91d26e in MY_HOOKS::do_postlock (this=0x7fb1e19c6a70, tables=0x7fb1e19c5728, count=1) at /data/src/10.4/sql/sql_insert.cc:4549
#6  0x0000555b0b91c8bc in TABLEOP_HOOKS::postlock (count=1, tables=0x7fb1e19c5728, this=0x7fb1e19c6a70) at /data/src/10.4/sql/handler.h:2503
#7  select_create::create_table_from_items (this=this@entry=0x7fb1c4010d50, thd=0x7fb1c4000c58, items=items@entry=0x7fb1e19c6a50, lock=lock@entry=0x7fb1e19c6a48, hooks=hooks@entry=0x7fb1e19c6a70) at /data/src/10.4/sql/sql_insert.cc:4478
#8  0x0000555b0b91cc09 in select_create::prepare (this=0x7fb1c4010d50, _values=..., u=0x7fb1c40b96b0) at /data/src/10.4/sql/sql_insert.cc:4588
#9  0x0000555b0b9a940e in JOIN::prepare (this=this@entry=0x7fb1c4010e48, tables_init=tables_init@entry=0x0, wild_num=wild_num@entry=0, conds_init=conds_init@entry=0x0, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=<optimized out>, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /data/src/10.4/sql/sql_select.cc:1590
#10 0x0000555b0b9bc099 in mysql_select (thd=thd@entry=0x7fb1c4000c58, tables=<optimized out>, wild_num=<optimized out>, fields=..., conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=<optimized out>, having=<optimized out>, proc_param=<optimized out>, select_options=<optimized out>, result=<optimized out>, unit=<optimized out>, select_lex=<optimized out>) at /data/src/10.4/sql/sql_select.cc:4789
#11 0x0000555b0b9bc414 in handle_select (thd=thd@entry=0x7fb1c4000c58, lex=lex@entry=0x7fb1c40b95f0, result=result@entry=0x7fb1c4010d50, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/src/10.4/sql/sql_select.cc:442
#12 0x0000555b0b9f83b4 in Sql_cmd_create_table_like::execute (this=<optimized out>, thd=0x7fb1c4000c58) at /data/src/10.4/sql/sql_table.cc:11768
#13 0x0000555b0b94e980 in mysql_execute_command (thd=0x7fb1c4000c58) at /data/src/10.4/sql/sql_parse.cc:6216
#14 0x0000555b0b96a3d6 in Prepared_statement::execute (this=this@entry=0x7fb1c40c8fa8, expanded_query=expanded_query@entry=0x7fb1e19c81e0, open_cursor=open_cursor@entry=false) at /data/src/10.4/sql/sql_prepare.cc:5024
#15 0x0000555b0b96a555 in Prepared_statement::execute_loop (packet=<optimized out>, packet_end=<optimized out>, open_cursor=<optimized out>, expanded_query=0x7fb1e19c81e0, this=0x7fb1c40c8fa8) at /data/src/10.4/sql/sql_prepare.cc:4493
#16 Prepared_statement::execute_loop (this=0x7fb1c40c8fa8, expanded_query=0x7fb1e19c81e0, open_cursor=<optimized out>, packet=<optimized out>, packet_end=<optimized out>) at /data/src/10.4/sql/sql_prepare.cc:4442
#17 0x0000555b0b96aa23 in Prepared_statement::execute_immediate (this=this@entry=0x7fb1c40c8fa8, query=<optimized out>, query_len=49) at /data/src/10.4/sql/sql_prepare.cc:5148
#18 0x0000555b0b96ac37 in mysql_sql_stmt_execute_immediate (thd=thd@entry=0x7fb1c4000c58) at /data/src/10.4/sql/sql_prepare.cc:3012
#19 0x0000555b0b94f83b in mysql_execute_command (thd=thd@entry=0x7fb1c4000c58) at /data/src/10.4/sql/sql_parse.cc:3982
#20 0x0000555b0b954ae1 in mysql_parse (thd=0x7fb1c4000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.4/sql/sql_parse.cc:8008
#21 0x0000555b0b957485 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7fb1c4000c58, packet=packet@entry=0x7fb1c4007de9 "EXECUTE IMMEDIATE \"CREATE OR REPLACE TEMPORARY TABLE t AS SELECT f()\"", packet_length=packet_length@entry=69, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.4/sql/sql_parse.cc:1958
#22 0x0000555b0b95932f in do_command (thd=0x7fb1c4000c58) at /data/src/10.4/sql/sql_parse.cc:1378
#23 0x0000555b0ba528ce in do_handle_one_connection (connect=connect@entry=0x555b0e0c8748) at /data/src/10.4/sql/sql_connect.cc:1420
#24 0x0000555b0ba529ed in handle_one_connection (arg=arg@entry=0x555b0e0c8748) at /data/src/10.4/sql/sql_connect.cc:1324
#25 0x0000555b0bde4b6b in pfs_spawn_thread (arg=0x555b0e01e128) at /data/src/10.4/storage/perfschema/pfs.cc:1869
#26 0x00007fb1e7aa7fd4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#27 0x00007fb1e7b285bc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Reproducible on all existing versions, also earlier minor releases.
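The three stacks in the ASan report above (the READ, the free, the original allocation) are what make a use-after-free like this one triageable: the TABLE allocated in THD::open_temporary_table is freed from THD::close_temporary_table while the CREATE OR REPLACE is still executing, and THD::decide_logging_format then reads 8 bytes inside the freed region. The parser below is an added example, not part of this issue or of MariaDB; it pulls those facts out of a report automatically and cross-checks the bug class against the marked shadow byte. The sample input is an excerpt of the report in this issue, trimmed to a few frames per stack; the set of allocator wrapper frames to skip (`__interceptor_*`, `my_malloc`, `my_free`) is a triage heuristic chosen here, not an ASan rule.

```python
import re

# Excerpt of the ASan report attached to this issue, trimmed to the first few
# frames of each stack plus the marked shadow-byte line; used as sample input.
ASAN_REPORT = """\
==1159316==ERROR: AddressSanitizer: heap-use-after-free on address 0x62000003c088 at pc 0x559e1110f88d bp 0x7ff8d5c188b0 sp 0x7ff8d5c188a8
READ of size 8 at 0x62000003c088 thread T6
    #0 0x559e1110f88c in THD::decide_logging_format(TABLE_LIST*) /data/src/10.4/sql/sql_class.cc:6075
    #1 0x559e111791f3 in do_postlock /data/src/10.4/sql/sql_insert.cc:4549

0x62000003c088 is located 8 bytes inside of 3576-byte region [0x62000003c080,0x62000003ce78)
freed by thread T6 here:
    #0 0x7ff8de0b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x559e12db3328 in my_free /data/src/10.4/mysys/my_malloc.c:222
    #2 0x559e118092ac in THD::close_temporary_table(TABLE*) /data/src/10.4/sql/temporary_tables.cc:1242

previously allocated by thread T6 here:
    #0 0x7ff8de0b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x559e12db2789 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
    #2 0x559e11808589 in THD::open_temporary_table(TMP_TABLE_SHARE*, char const*) /data/src/10.4/sql/temporary_tables.cc:1113

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/sql_class.cc:6075 in THD::decide_logging_format(TABLE_LIST*)
Shadow bytes around the buggy address:
=>0x0c407ffff810: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
"""

# One stack frame: "#N 0xADDR in FUNC LOCATION"; FUNC may contain spaces,
# LOCATION is the last whitespace-free token on the line.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*?)\s+(\S+)$")
ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", re.MULTILINE)
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)", re.MULTILINE)
REGION_RE = re.compile(r"is located (\d+) bytes (inside of|to the left of|to the right of) (\d+)-byte region")
SHADOW_RE = re.compile(r"^=>.*?\[([0-9a-f]{2})\]", re.MULTILINE)

# Subset of the shadow-byte legend ASan prints at the end of every report.
SHADOW_LEGEND = {"00": "addressable", "fa": "heap left redzone",
                 "fd": "freed heap region", "f1": "stack left redzone",
                 "f3": "stack right redzone", "f8": "stack use after scope"}

# Frames that only wrap the allocator and say nothing about the real caller:
# __interceptor_* is ASan's own hook, my_malloc/my_free are MariaDB's mysys
# wrappers. Which wrappers to skip is a triage heuristic chosen here.
WRAPPER_PREFIXES = ("__interceptor_", "my_malloc", "my_free")


def parse_stacks(report):
    """Split the report into its access / free / alloc stacks as (func, loc) lists."""
    stacks = {"access": [], "free": [], "alloc": []}
    current = None
    for line in report.splitlines():
        if ACCESS_RE.match(line):
            current = "access"
        elif line.startswith("freed by thread"):
            current = "free"
        elif line.startswith("previously allocated by thread"):
            current = "alloc"
        elif current and (m := FRAME_RE.match(line)):
            stacks[current].append((m.group(2), m.group(3)))
        elif current and not line.strip():
            current = None  # a blank line terminates a stack
    return stacks


def first_project_frame(frames):
    """First frame that is not an allocator wrapper, i.e. the interesting call site."""
    for func, loc in frames:
        if not func.startswith(WRAPPER_PREFIXES):
            return func, loc
    return None


def triage(report):
    """Summarise one ASan report: bug class, the three sites, and a shadow-byte cross-check."""
    err = ERROR_RE.search(report)
    acc = ACCESS_RE.search(report)
    reg = REGION_RE.search(report)
    shadow = SHADOW_RE.search(report)
    stacks = parse_stacks(report)
    bug_class = err.group(1) if err else None
    shadow_byte = shadow.group(1) if shadow else None
    return {
        "bug_class": bug_class,
        "address": err.group(2) if err else None,
        "access": (acc.group(1), int(acc.group(2)), acc.group(4)) if acc else None,
        "access_site": first_project_frame(stacks["access"]),
        "free_site": first_project_frame(stacks["free"]),
        "alloc_site": first_project_frame(stacks["alloc"]),
        "region": (int(reg.group(1)), reg.group(2), int(reg.group(3))) if reg else None,
        "shadow": SHADOW_LEGEND.get(shadow_byte, shadow_byte),
        # A heap-use-after-free should land on a freed (0xfd) shadow byte and
        # nothing else should; disagreement means the report was mis-parsed.
        "shadow_consistent": (bug_class == "heap-use-after-free") == (shadow_byte == "fd"),
    }


if __name__ == "__main__":
    for key, value in triage(ASAN_REPORT).items():
        print(f"{key:18} {value}")
```

Run on the excerpt, `triage` reports the READ in THD::decide_logging_format, the free in THD::close_temporary_table and the allocation in THD::open_temporary_table, with the access 8 bytes inside a 3576-byte freed region and the shadow byte agreeing with the use-after-free classification. The same script runs unchanged on the full report in this issue, and because the summary is a plain dict it can be fed into a deduplication key (bug class plus access, free and alloc sites) when many fuzzer or test-suite crashes have to be bucketed.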



Comments
Comment by Oleksandr Byelkin [ 2023-09-26 ]

CREATE TEMPORARY TABLE t (a INT);
CREATE FUNCTION f() RETURNS INT NOT DETERMINISTIC BEGIN INSERT INTO t VALUES (1); RETURN 0; END $
EXECUTE IMMEDIATE "CREATE OR REPLACE TEMPORARY TABLE t AS SELECT f()";
main.test                                [ fail ]
        Test ended at 2023-09-26 11:55:33
 
CURRENT_TEST: main.test
mysqltest: At line 7: query 'EXECUTE IMMEDIATE "CREATE OR REPLACE TEMPORARY TABLE t AS SELECT f()"' failed: 1146: Table 'test.t' doesn't exist

Comment by Elena Stepanova [ 2023-09-26 ]

sanja,

It still throws ASAN errors for me on the current 10.4 (9b5275b8).
Please make sure you have copied the very first line of the test case in the description, include/have_log_bin.inc. Without it, it would fail exactly as it did for you.

Generated at Thu Feb 08 10:23:33 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.