  2. MDEV-15243

Server crashes in Field_blob::pack upon REPLACE into a view with virtual columns when binary logging is enabled

Details

    Description

      # MTR reproducer for MDEV-15243.
      # A REPLACE through a view over a table that mixes PERSISTENT and VIRTUAL
      # generated columns (one of them a BLOB) crashes the server in
      # Field_blob::pack while the row-based binlog event for the DELETE half
      # of the REPLACE is being packed (see the backtrace below).
      # Preconditions asserted by the includes: InnoDB is available and the
      # binary log is enabled with binlog_format=MIXED.
      --source include/have_innodb.inc
      --source include/have_binlog_format_mixed.inc
       
      # NOTE(review): the column layout (generated columns declared before
      # their base columns, VIRTUAL BLOB included) is presumably part of what
      # triggers the crash — do not reorder when editing this reproducer.
      CREATE TABLE t1 ( 
       pk SERIAL,
       vcol_date DATE AS (col_date) PERSISTENT,
       vcol_int INT AS (col_int) VIRTUAL,
       vcol_year YEAR AS (col_year) PERSISTENT,
       vcol_blob BLOB AS (col_blob) VIRTUAL,
       col_date DATE,
       col_int INT NULL,
       col_blob BLOB NULL,
       col_year YEAR,
       PRIMARY KEY(pk)
      ) ENGINE=InnoDB;
      # The view exposes every column of t1, generated columns included.
      CREATE VIEW v1 AS SELECT * FROM t1;
      # One seed row, so the REPLACE below finds an existing pk to delete.
      INSERT INTO t1 (col_date,col_int,col_blob,col_year) VALUES ('2010-04-24',5,'foo',1981);
      # Presumably clears strict-mode checks that would otherwise reject the
      # statement before it reaches the duplicate-key path — TODO confirm.
      SET SQL_MODE='';
      # Re-inserting t1's own row through the view hits the duplicate pk, so
      # REPLACE deletes the old row first (write_record -> ha_delete_row in the
      # backtrace); the crash is in the binlog packing of that delete.
      REPLACE INTO v1 SELECT * FROM t1;
       
      # Cleanup
      DROP VIEW v1;
      DROP TABLE t1;
      

      10.1 8812a2f8580

      #3  <signal handler called>
      #4  0x00007f1351d80c6f in __memmove_avx_unaligned_erms () from /lib/x86_64-linux-gnu/libc.so.6
      #5  0x000055d647be0708 in Field_blob::pack (this=0x7f133c0a0f88, to=0x7f133c297082 '\245' <repeats 200 times>..., from=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, max_length=65535) at /data/src/10.1/sql/field.cc:8331
      #6  0x000055d647d09451 in pack_row (table=0x7f133c081c70, cols=0x7f133c068d88, row_data=0x7f133c297070 "\245\245\001", record=0x7f1348750eb8 "") at /data/src/10.1/sql/rpl_record.cc:107
      #7  0x000055d64798540d in THD::binlog_delete_row (this=0x7f13487bd070, table=0x7f133c081c70, is_trans=true, record=0x7f1348750eb8 "") at /data/src/10.1/sql/sql_class.cc:6567
      #8  0x000055d647c08c50 in Delete_rows_log_event::binlog_row_logging_function (thd=0x7f13487bd070, table=0x7f133c081c70, is_transactional=true, before_record=0x7f1348750eb8 "", after_record=0x0) at /data/src/10.1/sql/log_event.h:4705
      #9  0x000055d647c06116 in binlog_log_row (table=0x7f133c081c70, before_record=0x7f1348750eb8 "", after_record=0x0, log_func=0x55d647c08c1b <Delete_rows_log_event::binlog_row_logging_function(THD*, TABLE*, bool, unsigned char const*, unsigned char const*)>) at /data/src/10.1/sql/handler.cc:5826
      #10 0x000055d647c06e28 in handler::ha_delete_row (this=0x7f133c0b0088, buf=0x7f1348750eb8 "") at /data/src/10.1/sql/handler.cc:6048
      #11 0x000055d64799d6c0 in write_record (thd=0x7f13487bd070, table=0x7f133c081c70, info=0x7f133c047518) at /data/src/10.1/sql/sql_insert.cc:1877
      #12 0x000055d6479a24d5 in select_insert::send_data (this=0x7f133c0474d8, values=...) at /data/src/10.1/sql/sql_insert.cc:3710
      #13 0x000055d647a29046 in end_send (join=0x7f133c047578, join_tab=0x7f133c0fe138, end_of_records=false) at /data/src/10.1/sql/sql_select.cc:19575
      #14 0x000055d647a26dbf in evaluate_join_record (join=0x7f133c047578, join_tab=0x7f133c0fddf0, error=0) at /data/src/10.1/sql/sql_select.cc:18664
      #15 0x000055d647a266d1 in sub_select (join=0x7f133c047578, join_tab=0x7f133c0fddf0, end_of_records=false) at /data/src/10.1/sql/sql_select.cc:18441
      #16 0x000055d647a25f34 in do_select (join=0x7f133c047578, fields=0x7f133c047948, table=0x0, procedure=0x0) at /data/src/10.1/sql/sql_select.cc:18096
      #17 0x000055d647a008e6 in JOIN::exec_inner (this=0x7f133c047578) at /data/src/10.1/sql/sql_select.cc:3252
      #18 0x000055d6479fdb77 in JOIN::exec (this=0x7f133c047578) at /data/src/10.1/sql/sql_select.cc:2539
      #19 0x000055d647a0110d in mysql_select (thd=0x7f13487bd070, rref_pointer_array=0x7f13487c1520, tables=0x7f133c0438a8, wild_num=1, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=3489925888, result=0x7f133c0474d8, unit=0x7f13487c0b78, select_lex=0x7f13487c1278) at /data/src/10.1/sql/sql_select.cc:3476
      #20 0x000055d6479f69f0 in handle_select (thd=0x7f13487bd070, lex=0x7f13487c0ab0, result=0x7f133c0474d8, setup_tables_done_option=1073741824) at /data/src/10.1/sql/sql_select.cc:388
      #21 0x000055d6479bffd9 in mysql_execute_command (thd=0x7f13487bd070) at /data/src/10.1/sql/sql_parse.cc:4022
      #22 0x000055d6479ca1c3 in mysql_parse (thd=0x7f13487bd070, rawbuf=0x7f133c043088 "REPLACE INTO v1 SELECT * FROM t1", length=32, parser_state=0x7f1353cb35e0) at /data/src/10.1/sql/sql_parse.cc:7352
      #23 0x000055d6479b9042 in dispatch_command (command=COM_QUERY, thd=0x7f13487bd070, packet=0x7f134a6c5071 "REPLACE INTO v1 SELECT * FROM t1", packet_length=32) at /data/src/10.1/sql/sql_parse.cc:1477
      #24 0x000055d6479b7dc7 in do_command (thd=0x7f13487bd070) at /data/src/10.1/sql/sql_parse.cc:1106
      #25 0x000055d647af0b0f in do_handle_one_connection (thd_arg=0x7f13487bd070) at /data/src/10.1/sql/sql_connect.cc:1330
      #26 0x000055d647af0873 in handle_one_connection (arg=0x7f13487bd070) at /data/src/10.1/sql/sql_connect.cc:1242
      #27 0x000055d647eab04e in pfs_spawn_thread (arg=0x7f134cbf78f0) at /data/src/10.1/storage/perfschema/pfs.cc:1861
      #28 0x00007f1353987494 in start_thread (arg=0x7f1353cb4b00) at pthread_create.c:333
      #29 0x00007f1351d4093f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      Variation with LOAD:

      # Same reproducer as above, but the REPLACE is driven by LOAD DATA INFILE
      # instead of INSERT ... SELECT. The backtrace below shows the identical
      # crash path (pack_row -> Field_blob::pack) reached from mysql_load.
      --source include/have_innodb.inc
      --source include/have_binlog_format_mixed.inc
       
      # NOTE(review): keep the column layout identical to the first test case;
      # it is presumably part of what triggers the crash.
      CREATE TABLE t1 ( 
       pk SERIAL,
       vcol_date DATE AS (col_date) PERSISTENT,
       vcol_int INT AS (col_int) VIRTUAL,
       vcol_year YEAR AS (col_year) PERSISTENT,
       vcol_blob BLOB AS (col_blob) VIRTUAL,
       col_date DATE,
       col_int INT NULL,
       col_blob BLOB NULL,
       col_year YEAR,
       PRIMARY KEY(pk)
      ) ENGINE=InnoDB;
      CREATE VIEW v1 AS SELECT * FROM t1;
      # Seed row whose pk the LOAD ... REPLACE below will collide with.
      INSERT INTO t1 (col_date,col_int,col_blob,col_year) VALUES ('2010-04-24',5,'foo',1981);
      SET SQL_MODE='';
      # Dump the row to a server-side file, then load it back with REPLACE so
      # the duplicate pk forces a delete of the existing row (ha_delete_row in
      # the backtrace). Both statements need the FILE privilege and are subject
      # to secure_file_priv; MTR runs them with a permissive configuration.
      SELECT * FROM t1 INTO OUTFILE 't1.data';
      LOAD DATA INFILE 't1.data' REPLACE INTO TABLE v1;
       
      # Cleanup
      # NOTE(review): t1.data is not removed here, and SELECT ... INTO OUTFILE
      # will not overwrite an existing file, so a rerun of this test in the
      # same datadir presumably fails on the OUTFILE step — a --remove_file
      # for the generated file would make the test rerunnable; confirm the path.
      DROP VIEW v1;
      DROP TABLE t1;
      

      #3  <signal handler called>
      #4  0x00007f1d0046fc6f in __memmove_avx_unaligned_erms () from /lib/x86_64-linux-gnu/libc.so.6
      #5  0x00005616f80cd708 in Field_blob::pack (this=0x7f1cea4a0f88, to=0x7f1cea632082 '\245' <repeats 200 times>..., from=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, max_length=65535) at /data/src/10.1/sql/field.cc:8331
      #6  0x00005616f81f6451 in pack_row (table=0x7f1cea481c70, cols=0x7f1cea468d88, row_data=0x7f1cea632070 "\245\245\001", record=0x7f1cf6b50eb8 "") at /data/src/10.1/sql/rpl_record.cc:107
      #7  0x00005616f7e7240d in THD::binlog_delete_row (this=0x7f1cf6bbd070, table=0x7f1cea481c70, is_trans=true, record=0x7f1cf6b50eb8 "") at /data/src/10.1/sql/sql_class.cc:6567
      #8  0x00005616f80f5c50 in Delete_rows_log_event::binlog_row_logging_function (thd=0x7f1cf6bbd070, table=0x7f1cea481c70, is_transactional=true, before_record=0x7f1cf6b50eb8 "", after_record=0x0) at /data/src/10.1/sql/log_event.h:4705
      #9  0x00005616f80f3116 in binlog_log_row (table=0x7f1cea481c70, before_record=0x7f1cf6b50eb8 "", after_record=0x0, log_func=0x5616f80f5c1b <Delete_rows_log_event::binlog_row_logging_function(THD*, TABLE*, bool, unsigned char const*, unsigned char const*)>) at /data/src/10.1/sql/handler.cc:5826
      #10 0x00005616f80f3e28 in handler::ha_delete_row (this=0x7f1cea4b0088, buf=0x7f1cf6b50eb8 "") at /data/src/10.1/sql/handler.cc:6048
      #11 0x00005616f7e8a6c0 in write_record (thd=0x7f1cf6bbd070, table=0x7f1cea481c70, info=0x7f1d023a14c0) at /data/src/10.1/sql/sql_insert.cc:1877
      #12 0x00005616f825db85 in read_sep_field (thd=0x7f1cf6bbd070, info=..., table_list=0x7f1cea4431f0, fields_vars=..., set_fields=..., set_values=..., read_info=..., enclosed=..., skip_lines=0, ignore_check_option_errors=false) at /data/src/10.1/sql/sql_load.cc:1195
      #13 0x00005616f825be18 in mysql_load (thd=0x7f1cf6bbd070, ex=0x7f1cea443168, table_list=0x7f1cea4431f0, fields_vars=..., set_fields=..., set_values=..., handle_duplicates=DUP_REPLACE, ignore=false, read_file_from_client=false) at /data/src/10.1/sql/sql_load.cc:589
      #14 0x00005616f7eae039 in mysql_execute_command (thd=0x7f1cf6bbd070) at /data/src/10.1/sql/sql_parse.cc:4306
      #15 0x00005616f7eb71c3 in mysql_parse (thd=0x7f1cf6bbd070, rawbuf=0x7f1cea443088 "LOAD DATA INFILE 't1.data' REPLACE INTO TABLE v1", length=48, parser_state=0x7f1d023a25e0) at /data/src/10.1/sql/sql_parse.cc:7352
      #16 0x00005616f7ea6042 in dispatch_command (command=COM_QUERY, thd=0x7f1cf6bbd070, packet=0x7f1cf8ac5071 "LOAD DATA INFILE 't1.data' REPLACE INTO TABLE v1", packet_length=48) at /data/src/10.1/sql/sql_parse.cc:1477
      #17 0x00005616f7ea4dc7 in do_command (thd=0x7f1cf6bbd070) at /data/src/10.1/sql/sql_parse.cc:1106
      #18 0x00005616f7fddb0f in do_handle_one_connection (thd_arg=0x7f1cf6bbd070) at /data/src/10.1/sql/sql_connect.cc:1330
      #19 0x00005616f7fdd873 in handle_one_connection (arg=0x7f1cf6bbd070) at /data/src/10.1/sql/sql_connect.cc:1242
      #20 0x00005616f839804e in pfs_spawn_thread (arg=0x7f1cfaff78f0) at /data/src/10.1/storage/perfschema/pfs.cc:1861
      #21 0x00007f1d02076494 in start_thread (arg=0x7f1d023a3b00) at pthread_create.c:333
      #22 0x00007f1d0042f93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      Reproducible with 10.1, 10.2 and 10.3 (binary logging enabled, mixed format as in the test cases above; both variants crash on the same pack_row -> Field_blob::pack path).
      Not reproducible with 10.0.


          Activity

            The cause of this was several different bugs:

            • When using binary logging with binlog_row_image=FULL,
              all bits in read_set were set, which caused a
              different (wrong) pattern for marking vcol_set.
            • TABLE::mark_virtual_columns_for_write() didn't in all
              cases mark vcol_set with the vcol_field.
            • TABLE::update_virtual_fields() has to update all
              vcol fields on REPLACE if binary logging with FULL
              is used.
            • VCOL_UPDATE_INDEXED should update all vcol fields part
              of an index that was not updated by VCOL_UPDATE_FOR_READ
            • max_row_length() computed the length of NULL and unused
              fields. This did not cause a crash, but used more
              memory than necessary.
            monty Michael Widenius added a comment - The cause of this was several different bugs: When using binary logging with binlog_row_image=FULL the all bits in read_set was set, which caused a different (wrong) pattern for marking vcol_set. TABLE::mark_virtual_columns_for_write() didn't in all cases mark vcol_set with the vcol_field. TABLE::update_virtual_fields() has to update all vcol fields on REPLACE if binary logging with FULL is used. VCOL_UPDATE_INDEXED should update all vcol fields part of an index that was not updated by VCOL_UPDATE_FOR_READ max_row_length() calculated length of NULL and not used fields. This didn't cause any crash, but used more memory than needed.

            Fix pushed.
            The fix went into 10.2 (and later) only. It was not applied to 10.1 or earlier because the involved code differs substantially between 10.1 and 10.2, so a backport was judged not worth the risk of other side effects; 10.1 therefore remains affected by this crash.

            monty Michael Widenius added a comment - Fix pushed. This was done in 10.2 and not in 10.1 or earlier as it the involved code is quite different between 10.1 and 10.2 and thus not worth doing in 10.1 as the fix can have other side effects.

            People

              monty Michael Widenius
              elenst Elena Stepanova