[MDEV-14995] Server crashes in ha_partition::update_create_info upon dropping history partition under lock after ER_SAME_NAME_PARTITION - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Duplicate
Affects Version/s: 10.3(EOL)
Fix Version/s: 10.3.7
Component/s: Data Definition - Alter Table, Partitioning
Labels:
None

Description

Note: the scenario looks very similar to one of ~~MDEV-15456~~, but the debug stack trace is different here, so I'm filing it separately.

--source include/have_partition.inc

CREATE TABLE t1 (a INT) WITH SYSTEM VERSIONING PARTITION BY SYSTEM_TIME ( PARTITION p1 HISTORY, PARTITION p2 HISTORY, PARTITION pn CURRENT );

LOCK TABLE t1 WRITE;

--error ER_SAME_NAME_PARTITION

ALTER TABLE t1 ADD PARTITION (PARTITION p2 HISTORY);

ALTER TABLE t1 DROP PARTITION p2;

# Cleanup

DROP TABLE t1;

10.3 0c8d6fd66cf
#3 <signal handler called>
#4 0x0000562ac2cac62d in ha_partition::update_create_info (this=0x7f38c0077968, create_info=0x7f38d008bc50) at /data/src/10.3/sql/ha_partition.cc:2223
#5 0x0000562ac233bbae in mysql_prepare_alter_table (thd=0x7f38c0000b00, table=0x7f38c0076d20, create_info=0x7f38d008bc50, alter_info=0x7f38d008bb90, alter_ctx=0x7f38d008b060) at /data/src/10.3/sql/sql_table.cc:8513
#6 0x0000562ac233e528 in mysql_alter_table (thd=0x7f38c0000b00, new_db=0x7f38c0005158, new_name=0x7f38c0005508, create_info=0x7f38d008bc50, table_list=0x7f38c0014e48, alter_info=0x7f38d008bb90, order_num=0, order=0x0, ignore=false) at /data/src/10.3/sql/sql_table.cc:9469
#7 0x0000562ac23c4850 in Sql_cmd_alter_table::execute (this=0x7f38c00154b8, thd=0x7f38c0000b00) at /data/src/10.3/sql/sql_alter.cc:334
#8 0x0000562ac2269cb3 in mysql_execute_command (thd=0x7f38c0000b00) at /data/src/10.3/sql/sql_parse.cc:6284
#9 0x0000562ac226e886 in mysql_parse (thd=0x7f38c0000b00, rawbuf=0x7f38c0014d58 "ALTER TABLE t1 DROP PARTITION p2", length=32, parser_state=0x7f38d008d5d0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8013
#10 0x0000562ac225bf39 in dispatch_command (command=COM_QUERY, thd=0x7f38c0000b00, packet=0x7f38c008fe31 "ALTER TABLE t1 DROP PARTITION p2", packet_length=32, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1842
#11 0x0000562ac225a978 in do_command (thd=0x7f38c0000b00) at /data/src/10.3/sql/sql_parse.cc:1387
#12 0x0000562ac23bf243 in do_handle_one_connection (connect=0x562ac4c79410) at /data/src/10.3/sql/sql_connect.cc:1402
#13 0x0000562ac23befd0 in handle_one_connection (arg=0x562ac4c79410) at /data/src/10.3/sql/sql_connect.cc:1308
#14 0x0000562ac28466d3 in pfs_spawn_thread (arg=0x562ac4d3b8b0) at /data/src/10.3/storage/perfschema/pfs.cc:1862
#15 0x00007f38d7bbd494 in start_thread (arg=0x7f38d008e700) at pthread_create.c:333
#16 0x00007f38d5fa393f in clone () from /lib/x86_64-linux-gnu/libc.so.6

10.3 non-debug 209375fdd07
#2 <signal handler called>
#3 ha_partition::create_handler_file (this=0x7fc428073b00, name=0x7fc4444d2eb0 "./test/#sql-t1") at /data/src/10.3/sql/ha_partition.cc:2672
#4 0x000055704e7c21e1 in ha_partition::create_partitioning_metadata (this=<optimized out>, path=<optimized out>, old_path=<optimized out>, action_flag=<optimized out>) at /data/src/10.3/sql/ha_partition.cc:661
#5 0x000055704e1d9aac in mysql_write_frm (lpt=0x7fc4444d3580, flags=1) at /data/src/10.3/sql/sql_table.cc:1873
#6 0x000055704e44cfed in fast_alter_partition_table (thd=thd@entry=0x7fc4280009a8, table=table@entry=0x7fc428072f28, alter_info=alter_info@entry=0x7fc4444d5540, create_info=create_info@entry=0x7fc4444d55f0, table_list=0x7fc428011750, db=db@entry=0x7fc4444d4a60, table_name=0x7fc4444d4a70) at /data/src/10.3/sql/sql_partition.cc:7181
#7 0x000055704e1e2e88 in mysql_alter_table (thd=0x7fc4280009a8, new_db=0x7fc428004e28, new_name=<optimized out>, create_info=0x7fc4444d55f0, table_list=0x7fc428011750, alter_info=0x7fc4444d5540, order_num=0, order=0x0, ignore=false) at /data/src/10.3/sql/sql_table.cc:9556
#8 0x000055704e23160d in Sql_cmd_alter_table::execute (this=0x7fc4444d27b0, thd=0x7fc4280009a8) at /data/src/10.3/sql/sql_alter.cc:334
#9 0x000055704e153b7b in mysql_execute_command (thd=0x7fc4280009a8) at /data/src/10.3/sql/sql_parse.cc:6284
#10 0x000055704e15bc5a in mysql_parse (thd=0x7fc4280009a8, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.3/sql/sql_parse.cc:8013
#11 0x000055704e15f559 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7fc4280009a8, packet=packet@entry=0x7fc4280092f9 "ALTER TABLE t1 DROP PARTITION p2", packet_length=packet_length@entry=32, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.3/sql/sql_parse.cc:1842
#12 0x000055704e15fb2f in do_command (thd=0x7fc4280009a8) at /data/src/10.3/sql/sql_parse.cc:1387
#13 0x000055704e22e894 in do_handle_one_connection (connect=connect@entry=0x557051a98928) at /data/src/10.3/sql/sql_connect.cc:1402
#14 0x000055704e22ea34 in handle_one_connection (arg=arg@entry=0x557051a98928) at /data/src/10.3/sql/sql_connect.cc:1308
#15 0x000055704e5107a4 in pfs_spawn_thread (arg=0x557051aa4888) at /data/src/10.3/storage/perfschema/pfs.cc:1862
#16 0x00007fc44b808494 in start_thread (arg=0x7fc4444d8700) at pthread_create.c:333
#17 0x00007fc449bee93f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Attachments

Issue Links

is duplicated by

MDEV-15456 Server crashes upon adding or dropping a partition in ALTER under LOCK TABLE after ER_SAME_NAME_PARTITION

Closed

Activity

Eugene Kosov (Inactive) added a comment - 2018-04-16 19:05

Not a system versioning bug.

create or replace table t1 (pk int primary key) partition by range (pk) (

  partition p0 values less than (10),

  partition p1 values less than (20)

);

lock table t1 write;

--error ER_SAME_NAME_PARTITION

alter table t1 add partition (partition p1 values less than (20));

alter table t1 drop partition p1;

==10420==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000014c8 at pc 0x0000007b1ba4 bp 0x7f26e5f556c0 sp 0x7f26e5f556b8

READ of size 8 at 0x62b0000014c8 thread T27

    #0 0x7b1ba3 in base_list_iterator::next_fast() /home/kevg/work/mariadb/sql/sql_list.h:425:17

    #1 0x1544447 in List_iterator_fast<partition_element>::operator++(int) /home/kevg/work/mariadb/sql/sql_list.h:546:63

    #2 0x2d295d3 in ha_partition::create_handler_file(char const*) /home/kevg/work/mariadb/sql/ha_partition.cc:2671:16

    #3 0x2d2859a in ha_partition::create_partitioning_metadata(char const*, char const*, int) /home/kevg/work/mariadb/sql/ha_partition.cc:661:9

    #4 0x1522945 in handler::ha_create_partitioning_metadata(char const*, char const*, int) /home/kevg/work/mariadb/sql/handler.cc:4584:10

    #5 0xe21a6a in mysql_write_frm(st_lock_param_type*, unsigned int) /home/kevg/work/mariadb/sql/sql_table.cc:1871:36

    #6 0x1ae3681 in fast_alter_partition_table(THD*, TABLE*, Alter_info*, HA_CREATE_INFO*, TABLE_LIST*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*) /home/kevg/work/mariadb/sql/sql_partition.cc:7181:9

    #7 0xe5a2cb in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /home/kevg/work/mariadb/sql/sql_table.cc:9372:5

    #8 0x1059537 in Sql_cmd_alter_table::execute(THD*) /home/kevg/work/mariadb/sql/sql_alter.cc:328:11

    #9 0xb655cb in mysql_execute_command(THD*) /home/kevg/work/mariadb/sql/sql_parse.cc:6282:26

    #10 0xb3bbfc in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/kevg/work/mariadb/sql/sql_parse.cc:8001:18

    #11 0xb2d0fd in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/kevg/work/mariadb/sql/sql_parse.cc:1845:7

    #12 0xb36219 in do_command(THD*) /home/kevg/work/mariadb/sql/sql_parse.cc:1390:17

    #13 0x1043530 in do_handle_one_connection(CONNECT*) /home/kevg/work/mariadb/sql/sql_connect.cc:1402:11

    #14 0x1042c31 in handle_one_connection /home/kevg/work/mariadb/sql/sql_connect.cc:1308:3

    #15 0x2cd8094 in pfs_spawn_thread /home/kevg/work/mariadb/storage/perfschema/pfs.cc:1862:3

    #16 0x73a63e in __asan::AsanThread::ThreadStart(unsigned long long, __sanitizer::atomic_uintptr_t*) /home/kevg/fun/cpp_projects/llvm_toolchain/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:259

    #17 0x7f26ff56b7fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)

    #18 0x7f26fcf8fb5e in clone /build/glibc-itYbWN/glibc-2.26/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Eugene Kosov (Inactive) added a comment - 2018-04-16 19:05 Not a system versioning bug. create or replace table t1 (pk int primary key ) partition by range (pk) ( partition p0 values less than (10), partition p1 values less than (20) ); lock table t1 write; --error ER_SAME_NAME_PARTITION alter table t1 add partition (partition p1 values less than (20)); alter table t1 drop partition p1; ==10420==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000014c8 at pc 0x0000007b1ba4 bp 0x7f26e5f556c0 sp 0x7f26e5f556b8 READ of size 8 at 0x62b0000014c8 thread T27 #0 0x7b1ba3 in base_list_iterator::next_fast() /home/kevg/work/mariadb/sql/sql_list.h:425:17 #1 0x1544447 in List_iterator_fast<partition_element>::operator++(int) /home/kevg/work/mariadb/sql/sql_list.h:546:63 #2 0x2d295d3 in ha_partition::create_handler_file(char const*) /home/kevg/work/mariadb/sql/ha_partition.cc:2671:16 #3 0x2d2859a in ha_partition::create_partitioning_metadata(char const*, char const*, int) /home/kevg/work/mariadb/sql/ha_partition.cc:661:9 #4 0x1522945 in handler::ha_create_partitioning_metadata(char const*, char const*, int) /home/kevg/work/mariadb/sql/handler.cc:4584:10 #5 0xe21a6a in mysql_write_frm(st_lock_param_type*, unsigned int) /home/kevg/work/mariadb/sql/sql_table.cc:1871:36 #6 0x1ae3681 in fast_alter_partition_table(THD*, TABLE*, Alter_info*, HA_CREATE_INFO*, TABLE_LIST*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*) /home/kevg/work/mariadb/sql/sql_partition.cc:7181:9 #7 0xe5a2cb in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /home/kevg/work/mariadb/sql/sql_table.cc:9372:5 #8 0x1059537 in Sql_cmd_alter_table::execute(THD*) /home/kevg/work/mariadb/sql/sql_alter.cc:328:11 #9 0xb655cb in mysql_execute_command(THD*) /home/kevg/work/mariadb/sql/sql_parse.cc:6282:26 #10 0xb3bbfc in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/kevg/work/mariadb/sql/sql_parse.cc:8001:18 #11 0xb2d0fd in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/kevg/work/mariadb/sql/sql_parse.cc:1845:7 #12 0xb36219 in do_command(THD*) /home/kevg/work/mariadb/sql/sql_parse.cc:1390:17 #13 0x1043530 in do_handle_one_connection(CONNECT*) /home/kevg/work/mariadb/sql/sql_connect.cc:1402:11 #14 0x1042c31 in handle_one_connection /home/kevg/work/mariadb/sql/sql_connect.cc:1308:3 #15 0x2cd8094 in pfs_spawn_thread /home/kevg/work/mariadb/storage/perfschema/pfs.cc:1862:3 #16 0x73a63e in __asan::AsanThread::ThreadStart(unsigned long long, __sanitizer::atomic_uintptr_t*) /home/kevg/fun/cpp_projects/llvm_toolchain/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:259 #17 0x7f26ff56b7fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb) #18 0x7f26fcf8fb5e in clone /build/glibc-itYbWN/glibc-2.26/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

MariaDB Server

Server crashes in ha_partition::update_create_info upon dropping history partition under lock after ER_SAME_NAME_PARTITION

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration