Details
Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Version/s: 23.02.18, 25.10.4
2026-4
Description
A customer reports that cpimport and `select calshowpartitions()` run in parallel caused a SEGV in the mariadbd runtime. Please find the crash trace below.
/lib64/libbrm.so(_ZN3BRM18ExtentMapIndexImpl14search2ndLayerERN5boost9unordered13unordered_mapIiNS3_IjNS1_9container6vectorIlNS1_12interprocess9allocatorIlNS6_15segment_managerIcNS6_15rbtree_best_fitINS6_12mutex_familyENS6_10offset_ptrIvlmLm0EEELm0EEENS6_10iset_indexEEEEEvEENS1_4hashIjEESt8equal_toIjENS7_ISt4pairIKjSH_ESF_EEEENSI_IiEESK_IiENS7_ISM_IKiSQ_ESF_EEEEi+0xcc)[0x7fcd93e3c80c]
/lib64/libbrm.so(_ZN3BRM18ExtentMapIndexImpl4findEti+0x77)[0x7fcd93e3cb27]
/lib64/libbrm.so(_ZN3BRM9ExtentMap10getExtentsEiRSt6vectorINS_7EMEntryESaIS2_EEbbb+0xe0)[0x7fcd93e4fab0]
/lib64/libbrm.so(_ZN3BRM4DBRM10getExtentsEiRSt6vectorINS_7EMEntryESaIS2_EEbbb+0x23)[0x7fcd93e24683]
/usr/lib64/mysql/plugin/ha_columnstore.so(calshowpartitions+0x4b1)[0x7fcda0c5e871]
/usr/sbin/mariadbd(_ZN11udf_handler7val_strEP6StringS1_+0x62)[0x55c2e7b5bca2]
/usr/sbin/mariadbd(_ZN17Item_func_udf_str7val_strEP6String+0x1c)[0x55c2e7b5bd7c]
/usr/sbin/mariadbd(_ZNK12Type_handler13Item_send_strEP4ItemP8ProtocolP8st_value+0x24)[0x55c2e7a39f94]
/usr/sbin/mariadbd(_ZN8Protocol19send_result_set_rowEP4ListI4ItemE+0xe2)[0x55c2e77b3d52]
/usr/sbin/mariadbd(_ZN11select_send9send_dataER4ListI4ItemE+0x33)[0x55c2e782ea13]
/usr/sbin/mariadbd(_ZN4JOIN10exec_innerEv+0xfc9)[0x55c2e78ffad9]
/usr/sbin/mariadbd(_ZN4JOIN4execEv+0x37)[0x55c2e78ffe87]
/usr/sbin/mariadbd(_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x106)[0x55c2e78fde86]
/usr/sbin/mariadbd(_Z13handle_selectP3THDP3LEXP13select_resultm+0x16c)[0x55c2e78fe67c]
/usr/sbin/mariadbd(+0x7dbd91)[0x55c2e7874d91]
/usr/sbin/mariadbd(_Z21mysql_execute_commandP3THDb+0x48a7)[0x55c2e7884177]
/usr/sbin/mariadbd(_Z11mysql_parseP3THDPcjP12Parser_state+0x211)[0x55c2e7885911]
/usr/sbin/mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjb+0x1a55)[0x55c2e78889f5]
/usr/sbin/mariadbd(_Z10do_commandP3THDb+0x132)[0x55c2e788a862]
/usr/sbin/mariadbd(_Z24do_handle_one_connectionP7CONNECTb+0x3b7)[0x55c2e79a9987]
/usr/sbin/mariadbd(handle_one_connection+0x5d)[0x55c2e79a9ccd]
/usr/sbin/mariadbd(+0xc8d752)[0x55c2e7d26752]
/lib64/libpthread.so.0(+0x81ca)[0x7fcda2e5b1ca]
/lib64/libc.so.6(clone+0x43)[0x7fcda219a8d3]
Decoding the trace shows that an offset_ptr::get() dereference crashes the runtime while calling boost::unordered_map::find in ExtentMapIndexImpl::search2ndLayer(). This implies that offset_ptr::get() accesses invalid memory, so there is a race: cpimport changes the EMIndex shmem segment while calshowpartitions, run by mariadbd, still uses the old shmem segment.
The root cause is that the shmem segment size is used as the trigger for the remap() operation, and remap() does not update its internal variable that stores the shmem segment size.
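The following is an added, constructed C++ model of the defect class the root-cause sentence describes; it is not ColumnStore's ExtentMapIndex code and does not reproduce the exact crash path, which the ticket doesn't spell out. A `Segment` stands in for the growable shmem segment (ordinary heap memory instead of boost::interprocess), and `Reader` keeps a mapping plus a cached size that serves as the remap trigger. The `fixed` flag selects whether `remap()` also refreshes the cached size; `runScenario()` is a regression check of the invariant the fix restores: after any remap, the cached size equals the segment's real size and the trigger settles until the next grow. All names here are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <memory>

// Constructed stand-in for a growable shared-memory segment: growing it
// replaces the backing block, so a raw pointer into the old block dangles.
struct Segment {
    std::size_t size = 0;                  // current size in entries
    std::unique_ptr<uint32_t[]> data;      // stand-in for the mapped region

    explicit Segment(std::size_t n) : size(n), data(new uint32_t[n]()) {}

    // Grow by reallocating, like a shmem segment recreated at a larger size.
    void grow(std::size_t newSize) {
        std::unique_ptr<uint32_t[]> bigger(new uint32_t[newSize]());
        for (std::size_t i = 0; i < size; ++i) bigger[i] = data[i];
        data = std::move(bigger);
        size = newSize;
    }
};

// Reader that uses the segment size as the remap trigger (hypothetical).
class Reader {
public:
    explicit Reader(bool fixed) : fixed_(fixed) {}

    // Remap only when the size differs from what this reader last mapped.
    void ensureMapped(const Segment& seg) {
        if (mappedSize_ != seg.size) remap(seg);
    }

    uint32_t read(const Segment& seg, std::size_t i) {
        ensureMapped(seg);
        return mapped_[i];
    }

    // The invariant: pointer and cached size both describe the live segment.
    bool mappingIsCurrent(const Segment& seg) const {
        return mapped_ == seg.data.get() && mappedSize_ == seg.size;
    }
    std::size_t remapCount() const { return remaps_; }
    std::size_t mappedSize() const { return mappedSize_; }

private:
    void remap(const Segment& seg) {
        mapped_ = seg.data.get();
        ++remaps_;
        // The buggy variant (fixed_ == false) omits this update, which is the
        // root cause pattern named in the ticket.
        if (fixed_) mappedSize_ = seg.size;
    }

    bool fixed_;
    const uint32_t* mapped_ = nullptr;
    std::size_t mappedSize_ = 0;
    std::size_t remaps_ = 0;
};

struct Outcome {
    std::size_t remaps;      // remaps performed over the scenario
    std::size_t cachedSize;  // reader's stored size after the last access
    std::size_t actualSize;  // segment's real size
    bool invariantHolds;     // mappingIsCurrent() at the end
};

// Scenario: one reader, one grow by the "writer", then three plain reads.
Outcome runScenario(bool fixed) {
    Segment seg(4);
    Reader r(fixed);
    r.read(seg, 0);          // initial mapping
    seg.grow(8);             // writer (the cpimport role) grows the segment
    r.read(seg, 5);          // must remap exactly once here
    r.read(seg, 6);          // no growth since: a correct reader does not remap
    r.read(seg, 7);
    return {r.remapCount(), r.mappedSize(), seg.size, r.mappingIsCurrent(seg)};
}

int main() {
    for (bool fixed : {true, false}) {
        Outcome o = runScenario(fixed);
        std::cout << (fixed ? "fixed: " : "buggy: ")
                  << "remaps=" << o.remaps << " cached=" << o.cachedSize
                  << " actual=" << o.actualSize
                  << " invariant=" << (o.invariantHolds ? "ok" : "BROKEN") << "\n";
    }
    return 0;
}
```

With the fix, the reader remaps twice in total (initial map plus one after the grow) and its cached size matches the segment. Without it, the cached size never leaves its initial value, so the size-based trigger fires on every access and the reader's own view of the segment is permanently inconsistent; a check like `mappingIsCurrent()` run after `remap()` is the kind of assertion that would have caught this before it surfaced as a SEGV under concurrent cpimport and calshowpartitions.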