MDEV-16407 (MariaDB Server)

[Draft] Error: Freeing overrun buffer and server crash in MDL_key::mdl_key_init or in free_root


Details

    Type: Bug
    Status: Closed
    Priority: Major
    Resolution: Cannot Reproduce
    Affects Version/s: 10.3
    Fix Version/s: N/A
    Component/s: Locking, Server
    Labels: None

    Description

      Note: it might well be that other versions are also affected, but there is no good reproducer for it (yet), so I couldn't check.

      Occurrence 1, in Travis (no coredump available, only the stack trace)

      10.3 898a8c3c0ce2c56773865521c59d5ac172495978

      Error: Freeing overrun buffer 0x7f06f05e9e10 at 0x55e12e627048, 0x55e12e614e12, mysys/safemalloc.c:194, mysys/my_malloc.c:224, mysys/my_alloc.c:421, sql/sp_head.cc:1381, sql/sp_head.cc:2295, sql/sql_parse.cc:2945
      Allocated at sql/sql_parse.cc:3187, sql/sql_parse.cc:6281, sql/sql_class.h:1030, sql/sql_parse.cc:2679, sql/sp_head.cc:3488, sql/sp_head.cc:1355, sql/sp_head.cc:2295, sql/sql_parse.cc:2945
      Error: [unprintable bytes] unallocated data or underrun buffer 0x55e12ea2d3cd at sql/sql_parse.cc:3187, mysys/safemalloc.c:194, mysys/my_malloc.c:224, mysys/my_alloc.c:412, sql/sp_head.cc:511, sql/sp_head.cc:850, sql/sql_trigger.cc:339, sql/sql_trigger.cc:1191
      180604  4:54:50 [ERROR] mysqld got signal 11 ;
       
      #3  <signal handler called>
      #4  0x000055e12e6084fa in free_root (root=0x7f0700a6b060, MyFlags=0) at /home/travis/src/mysys/my_alloc.c:414
      #5  0x000055e12daa00a5 in sp_head::operator delete (ptr=0x7f06f0800ff8, size=2360) at /home/travis/src/sql/sp_head.cc:509
      #6  0x000055e12daa1a4f in sp_head::~sp_head (this=0x7f06f0800ff8, __in_chrg=<optimized out>) at /home/travis/src/sql/sp_head.cc:850
      #7  0x000055e12dc62b6f in Trigger::~Trigger (this=0x7f06f004b8a8, __in_chrg=<optimized out>) at /home/travis/src/sql/sql_trigger.cc:341
      #8  0x000055e12dc64ae1 in Table_triggers_list::~Table_triggers_list (this=0x7f06f00ba168, __in_chrg=<optimized out>) at /home/travis/src/sql/sql_trigger.cc:1191
      #9  0x000055e12dda41e6 in intern_close_table (table=0x7f06f0064270) at /home/travis/src/sql/table_cache.cc:220
      #10 0x000055e12dda719a in tdc_remove_table (thd=0x7f06bc000c70, remove_type=TDC_RT_REMOVE_NOT_OWN, db=0x7f06bc404da0 "test", table_name=0x7f06bc404da5 "non_existing_table", kill_delayed_threads=false) at /home/travis/src/sql/table_cache.cc:1151
      #11 0x000055e12daeb0c0 in wait_while_table_is_used (thd=0x7f06bc000c70, table=0x7f06ed1777a0, function=HA_EXTRA_FORCE_REOPEN) at /home/travis/src/sql/sql_base.cc:1245
      #12 0x000055e12dc632e2 in mysql_create_or_drop_trigger (thd=0x7f06bc000c70, tables=0x7f06bc0164e8, create=true) at /home/travis/src/sql/sql_trigger.cc:562
      #13 0x000055e12db85256 in mysql_execute_command (thd=0x7f06bc000c70) at /home/travis/src/sql/sql_parse.cc:6117
      #14 0x000055e12db8ab6c in mysql_parse (thd=0x7f06bc000c70, rawbuf=0x7f06bc015bd8 "CREATE TRIGGER x BEFORE UPDATE ON `non_existing_table` FOR EACH ROW BEGIN SET @binlog_format_saved = @@binlog_format ; SET BINLOG_FORMAT = 'STATEMENT' ; DELETE FROM `non_existing_table` WHERE `non_exi"..., length=1001, parser_state=0x7f0700a6c600, is_com_multi=false, is_next_command=false) at /home/travis/src/sql/sql_parse.cc:8078
      #15 0x000055e12db77d85 in dispatch_command (command=COM_QUERY, thd=0x7f06bc000c70, packet=0x7f06bc2ce031 "CREATE TRIGGER x BEFORE UPDATE ON `non_existing_table` FOR EACH ROW BEGIN SET @binlog_format_saved = @@binlog_format ; SET BINLOG_FORMAT = 'STATEMENT' ; DELETE FROM `non_existing_table` WHERE `non_exi"..., packet_length=1002, is_com_multi=false, is_next_command=false) at /home/travis/src/sql/sql_parse.cc:1847
      #16 0x000055e12db767b6 in do_command (thd=0x7f06bc000c70) at /home/travis/src/sql/sql_parse.cc:1392
      #17 0x000055e12dcdd2e1 in do_handle_one_connection (connect=0x55e1308753a0) at /home/travis/src/sql/sql_connect.cc:1402
      #18 0x000055e12dcdd065 in handle_one_connection (arg=0x55e1308753a0) at /home/travis/src/sql/sql_connect.cc:1308
      #19 0x00007f0712e14184 in start_thread (arg=0x7f0700a6d700) at pthread_create.c:312
      #20 0x00007f071232103d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
      

      All threads are attached as threads1.

      Occurrence 2, locally (coredump, binary, logs and datadir are at ftp://ftp.askmonty.org/public/mdev16407.tar.gz )

      10.3 b50685af82508ca1cc83e1743dff527770e6e64b

      Error: Freeing overrun buffer 0x7f9e291320c0 at 180604 21:34:50 [ERROR] mysqld got signal 11 ;
       
      #3  <signal handler called>
      #4  strlen () at ../sysdeps/x86_64/strlen.S:106
      #5  0x00007f9eb1808e1f in MDL_key::mdl_key_init (this=0x7f9ea0263cd0, mdl_namespace_arg=MDL_key::TRIGGER, db=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, name_arg=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>) at /data/src/10.3/sql/mdl.h:342
      #6  0x00007f9eb1808ff8 in MDL_key::MDL_key (this=0x7f9ea0263cd0, namespace_arg=MDL_key::TRIGGER, db_arg=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, name_arg=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>) at /data/src/10.3/sql/mdl.h:385
      #7  0x00007f9eb18083e7 in Table_triggers_list::add_tables_and_routines_for_triggers (this=0x7f9e29036588, thd=0x7f9e1c000b00, prelocking_ctx=0x7f9e1c0048b8, table_list=0x7f9e1c018328) at /data/src/10.3/sql/sql_trigger.cc:2260
      #8  0x00007f9eb1691a54 in DML_prelocking_strategy::handle_table (this=0x7f9ea0264210, thd=0x7f9e1c000b00, prelocking_ctx=0x7f9e1c0048b8, table_list=0x7f9e1c018328, need_prelocking=0x7f9ea0263ff0) at /data/src/10.3/sql/sql_base.cc:4405
      #9  0x00007f9eb168fead in open_and_process_table (thd=0x7f9e1c000b00, lex=0x7f9e1c0048b0, tables=0x7f9e1c018328, counter=0x7f9ea0264194, flags=0, prelocking_strategy=0x7f9ea0264210, has_prelocking_list=false, ot_ctx=0x7f9ea0264100) at /data/src/10.3/sql/sql_base.cc:3620
      #10 0x00007f9eb1690e6d in open_tables (thd=0x7f9e1c000b00, options=..., start=0x7f9ea0264178, counter=0x7f9ea0264194, flags=0, prelocking_strategy=0x7f9ea0264210) at /data/src/10.3/sql/sql_base.cc:4062
      #11 0x00007f9eb1692be7 in open_and_lock_tables (thd=0x7f9e1c000b00, options=..., tables=0x7f9e1c013a88, derived=true, flags=0, prelocking_strategy=0x7f9ea0264210) at /data/src/10.3/sql/sql_base.cc:4937
      #12 0x00007f9eb16532fd in open_and_lock_tables (thd=0x7f9e1c000b00, tables=0x7f9e1c013a88, derived=true, flags=0) at /data/src/10.3/sql/sql_base.h:497
      #13 0x00007f9eb16de311 in mysql_insert (thd=0x7f9e1c000b00, table_list=0x7f9e1c013a88, fields=..., values_list=..., update_fields=..., update_values=..., duplic=DUP_ERROR, ignore=false) at /data/src/10.3/sql/sql_insert.cc:760
      #14 0x00007f9eb17201ba in mysql_execute_command (thd=0x7f9e1c000b00) at /data/src/10.3/sql/sql_parse.cc:4723
      #15 0x00007f9eb172ae77 in mysql_parse (thd=0x7f9e1c000b00, rawbuf=0x7f9e1c0138a8 "INSERT INTO `non_existing_table` ( `non_existing_column` ) VALUES ( LAST_INSERT_ID() ) /* QNO 6347 CON_ID 15 */", length=111, parser_state=0x7f9ea0265640, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8078
      #16 0x00007f9eb171804e in dispatch_command (command=COM_QUERY, thd=0x7f9e1c000b00, packet=0x7f9e1c00b0e1 "INSERT INTO `non_existing_table` ( `non_existing_column` ) VALUES ( LAST_INSERT_ID() ) /* QNO 6347 CON_ID 15 */ ", packet_length=112, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1847
      #17 0x00007f9eb1716a72 in do_command (thd=0x7f9e1c000b00) at /data/src/10.3/sql/sql_parse.cc:1392
      #18 0x00007f9eb187c735 in do_handle_one_connection (connect=0x7f9eb4d50dc0) at /data/src/10.3/sql/sql_connect.cc:1402
      #19 0x00007f9eb187c4b9 in handle_one_connection (arg=0x7f9eb4d50dc0) at /data/src/10.3/sql/sql_connect.cc:1308
      #20 0x00007f9eb0c2d064 in start_thread (arg=0x7f9ea0266700) at pthread_create.c:309
      #21 0x00007f9eaf08062d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
      

      All threads are attached as threads2.

      Both failures happened while executing this:

      travis-workarounds 5d277d41ffc2630887a1349f0f90d5c66a88dda0

      perl ./runall-new.pl --duration=350 --threads=6 --seed=1528088001 --reporters=Backtrace,ErrorLog,Deadlock --validators=TransformerNoComparator --views --redefine=conf/mariadb/versioning.yy --redefine=conf/mariadb/alter_table.yy --redefine=conf/mariadb/bulk_insert.yy --redefine=conf/mariadb/sequences.yy --basedir=/data/bld/10.3 --mysqld=--log_output=FILE --mysqld=--max-statement-time=30 --mysqld=--lock-wait-timeout=10 --mysqld=--loose-innodb-lock-wait-timeout=5 --mysqld=--loose-debug_assert_on_not_freed_memory=0 --mysqld=--default-storage-engine=RocksDB --mysqld=--plugin-load-add=ha_rocksdb --mysqld=--binlog-format=row --grammar=conf/replication/replication.yy --gendata=conf/replication/replication-5.1.zz --skip-gendata --gendata-advanced --vcols --transformers=ExecuteAsCTE,ExecuteAsDeleteReturning,ExecuteAsExcept,ExecuteAsExecuteImmediate,ExecuteAsInsertSelect,ExecuteAsIntersect,ExecuteAsUnion,ExecuteAsUpdateDelete,ExecuteAsView,ExecuteAsPreparedTwice,ExecuteAsSPTwice --vardir=/dev/shm/vardir
      

      But it's not easily reproducible.
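      The two safemalloc diagnostics quoted in the report ("Freeing overrun buffer" and "unallocated data or underrun buffer") come from magic markers that the debug allocator writes in front of and behind every block and verifies when the block is freed. The C program below is an illustration added to this page; it is not part of the original report and not MariaDB's mysys code. It implements that scheme in miniature, triggers both messages on purpose, and reproduces the 0xa5a5a5a5a5a5a5a5 pointer value seen in occurrence 2, which matches MariaDB's TRASH_ALLOC fill byte (0xA5) for memory that has been allocated but not yet written. The marker values, struct layout and function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal guarded allocator in the spirit of mysys/safemalloc.c: a start
   marker + size in front of the user bytes, an end marker after them, both
   checked on free. Names, layout and marker values are this example's own. */

#define MAGIC_START 0x14235296u
#define MAGIC_END   0xA2B3C4D5u
#define TRASH_ALLOC_BYTE 0xA5u   /* MariaDB's TRASH_ALLOC fill for fresh memory */

enum guard_status { GUARD_OK = 0, GUARD_OVERRUN = 1, GUARD_UNDERRUN = 2 };

struct guard_head { uint32_t magic; uint32_t size; };

void *guarded_malloc(size_t size)
{
    if (size > UINT32_MAX)
        return NULL;
    unsigned char *raw = malloc(sizeof(struct guard_head) + size + sizeof(uint32_t));
    if (raw == NULL)
        return NULL;
    struct guard_head head = { MAGIC_START, (uint32_t) size };
    uint32_t tail = MAGIC_END;
    memcpy(raw, &head, sizeof head);
    unsigned char *user = raw + sizeof head;
    memset(user, TRASH_ALLOC_BYTE, size);      /* "allocated but never written" */
    memcpy(user + size, &tail, sizeof tail);   /* memcpy: user+size may be unaligned */
    return user;
}

/* Verify both markers. Reads go through memcpy so that a pointer which was
   never returned by guarded_malloc can be examined without misaligned access. */
enum guard_status guarded_check(const void *ptr)
{
    const unsigned char *user = ptr;
    struct guard_head head;
    uint32_t tail;
    memcpy(&head, user - sizeof head, sizeof head);
    if (head.magic != MAGIC_START)
        return GUARD_UNDERRUN;      /* front clobbered, or not our block at all */
    memcpy(&tail, user + head.size, sizeof tail);
    if (tail != MAGIC_END)
        return GUARD_OVERRUN;       /* something wrote past the requested size */
    return GUARD_OK;
}

/* Prints the same messages as safemalloc; safemalloc then aborts, here the
   caller gets the status back and decides. */
enum guard_status guarded_free(void *ptr)
{
    if (ptr == NULL)
        return GUARD_OK;
    enum guard_status st = guarded_check(ptr);
    if (st == GUARD_OVERRUN)
        fprintf(stderr, "Error: Freeing overrun buffer %p\n", ptr);
    else if (st == GUARD_UNDERRUN)
        fprintf(stderr, "Error: Freeing unallocated data or underrun buffer %p\n", ptr);
    else
        free((unsigned char *) ptr - sizeof(struct guard_head));
    return st;
}

/* Off-by-one: room for the characters but not the terminating NUL. The extra
   byte lands on MAGIC_END and guarded_free reports an overrun. */
enum guard_status demo_overrun(void)
{
    static const char name[] = "non_existing_table";  /* 18 chars + NUL */
    char *buf = guarded_malloc(sizeof name - 1);      /* forgot the NUL */
    if (buf == NULL)
        return GUARD_OK;
    memcpy(buf, name, sizeof name);                   /* one byte too many */
    enum guard_status st = guarded_free(buf);
    if (st != GUARD_OK)
        free(buf - sizeof(struct guard_head));        /* reclaim the raw block anyway */
    return st;
}

/* Freeing a pointer into the middle of a block: the bytes in front of it are
   not a valid header, so it is reported as unallocated data / underrun. */
enum guard_status demo_unallocated(void)
{
    char *buf = guarded_malloc(8);
    if (buf == NULL)
        return GUARD_OK;
    enum guard_status st = guarded_free(buf + 1);     /* not an allocator result */
    guarded_free(buf);                                /* the real block is intact */
    return st;
}

/* Occurrence 2 shows db=0xa5a5a5a5a5a5a5a5: eight bytes read from memory that
   was trash-filled on allocation and never assigned look exactly like this. */
uint64_t demo_uninitialized_pointer(void)
{
    unsigned char *rec = guarded_malloc(sizeof(uint64_t));
    uint64_t v = 0;
    if (rec == NULL)
        return v;
    memcpy(&v, rec, sizeof v);                        /* still the 0xA5 fill */
    guarded_free(rec);
    return v;
}

int main(void)
{
    printf("overrun=%d unallocated=%d fill=%016llx\n", demo_overrun(),
           demo_unallocated(), (unsigned long long) demo_uninitialized_pointer());
    return 0;
}
```

      A corruption is only reported when the damaged block is eventually freed, which is why the "Freeing overrun buffer" line in the report names the free site (free_root via sp_head) while the "Allocated at" line names where the block came from; the write that did the damage is on neither stack.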

      Attachments

        1. threads1
          62 kB
        2. threads2
          62 kB

    People

      Assignee: Unassigned
      Reporter: Elena Stepanova (elenst)