  1. MariaDB Server
  2. MDEV-18707

Server crash in my_hash_sort_bin, ASAN heap-use-after-free in Field::is_null, server hang, corrupted double-linked list


    Details

      Description

      Note: The failure became possible after MDEV-371; without it, a key without a length in the table definition is rejected.

      # Reproducer (mysqltest format) for the heap-use-after-free shown in the
      # ASAN report that follows. t1 exists only to generate the data file.
      CREATE TABLE t1 (a INT, b INT, c INT, d INT, e INT);
       
      # Rows made of column defaults only; the row count is kept exactly as reported.
      INSERT INTO t1 () VALUES
      (),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),
      (),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),
      (),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),
      (),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),
      (),(),(),();
       
      # Write the rows to a file in the database directory (removed in Cleanup).
      SELECT * FROM t1 INTO OUTFILE 'load.data';
       
      # KEY (e) on a LINESTRING column with no key length: the definition that,
      # per the note above, is accepted only since MDEV-371.
      CREATE TEMPORARY TABLE tmp (a VARCHAR(1024), b INT, c INT, d INT, e LINESTRING, KEY (e));
      # In the ASAN report the 1284-byte region is both allocated (mi_alloc_rec_buff)
      # and freed inside mi_repair_by_sort, reached from this statement through
      # mysql_load -> ha_end_bulk_insert -> ha_myisam::enable_indexes -> repair.
      LOAD DATA INFILE 'load.data' INTO TABLE tmp;
       
      # The stale read is reported here: the table scan in mysql_delete calls
      # handler::ha_rnd_next -> TABLE::update_virtual_fields ->
      # Item_func_hash::val_int -> Item_field::val_str -> Field::is_null,
      # which touches the region freed during the LOAD DATA above.
      # On the debug build the same path faults in my_hash_sort_bin with
      # key=0x8f8f8f8f8f8f8f8f (looks like a fill pattern, not a real pointer).
      DELETE FROM tmp;
       
      # Cleanup: drop the source table and delete the data file. tmp is a
      # temporary table and is not dropped explicitly.
      DROP TABLE t1;
      --let $datadir= `SELECT @@datadir`
      --remove_file $datadir/test/load.data
      

      10.4 ASAN fb01193c

      ==22969==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000040908 at pc 0x562bf56e680e bp 0x7f6deeb2fb30 sp 0x7f6deeb2fb28
      READ of size 1 at 0x61a000040908 thread T5
          #0 0x562bf56e680d in Field::is_null(long long) const /data/src/10.4/sql/field.h:1166
          #1 0x562bf614ece4 in Item_field::val_str(String*) /data/src/10.4/sql/item.cc:3133
          #2 0x562bf5ac6a70 in Item::val_str() /data/src/10.4/sql/item.h:899
          #3 0x562bf6236b2a in Item_func_hash::val_int() /data/src/10.4/sql/item_func.cc:1736
          #4 0x562bf61682ac in Item::save_int_in_field(Field*, bool) /data/src/10.4/sql/item.cc:6492
          #5 0x562bf5e24023 in Type_handler_int_result::Item_save_in_field(Item*, Field*, bool) const /data/src/10.4/sql/sql_type.cc:3587
          #6 0x562bf616848e in Item::save_in_field(Field*, bool) /data/src/10.4/sql/item.cc:6502
          #7 0x562bf5c49ca0 in TABLE::update_virtual_fields(handler*, enum_vcol_update_mode) /data/src/10.4/sql/table.cc:8195
          #8 0x562bf61071b6 in handler::ha_rnd_next(unsigned char*) /data/src/10.4/sql/handler.cc:2996
          #9 0x562bf64d13db in rr_sequential(READ_RECORD*) /data/src/10.4/sql/records.cc:481
          #10 0x562bf57d68a5 in READ_RECORD::read_record() /data/src/10.4/sql/records.h:73
          #11 0x562bf6516c6b in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:811
          #12 0x562bf59697a0 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4985
          #13 0x562bf597e87e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #14 0x562bf5956a87 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #15 0x562bf5953888 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #16 0x562bf5ce7449 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #17 0x562bf5ce6e42 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #18 0x562bf68b1f5e in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #19 0x7f6df9eb1493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #20 0x7f6df829793e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x61a000040908 is located 136 bytes inside of 1284-byte region [0x61a000040880,0x61a000040d84)
      freed by thread T5 here:
          #0 0x7f6dfa11b527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x562bf7262bbb in free_memory /data/src/10.4/mysys/safemalloc.c:279
          #2 0x562bf72621c1 in sf_free /data/src/10.4/mysys/safemalloc.c:197
          #3 0x562bf7232c0a in my_free /data/src/10.4/mysys/my_malloc.c:222
          #4 0x562bf703d69b in mi_repair_by_sort /data/src/10.4/storage/myisam/mi_check.c:2558
          #5 0x562bf701a3da in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.4/storage/myisam/ha_myisam.cc:1302
          #6 0x562bf701ce9a in ha_myisam::enable_indexes(unsigned int) /data/src/10.4/storage/myisam/ha_myisam.cc:1640
          #7 0x562bf701dda2 in ha_myisam::end_bulk_insert() /data/src/10.4/storage/myisam/ha_myisam.cc:1801
          #8 0x562bf58db0bc in handler::ha_end_bulk_insert() /data/src/10.4/sql/handler.h:3281
          #9 0x562bf593de12 in mysql_load(THD*, sql_exchange const*, TABLE_LIST*, List<Item>&, List<Item>&, List<Item>&, enum_duplicates, bool, bool) /data/src/10.4/sql/sql_load.cc:667
          #10 0x562bf596b319 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5185
          #11 0x562bf597e87e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #12 0x562bf5956a87 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #13 0x562bf5953888 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #14 0x562bf5ce7449 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #15 0x562bf5ce6e42 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #16 0x562bf68b1f5e in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #17 0x7f6df9eb1493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      previously allocated by thread T5 here:
          #0 0x7f6dfa11b73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x562bf7261931 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
          #2 0x562bf723222c in my_malloc /data/src/10.4/mysys/my_malloc.c:101
          #3 0x562bf7232772 in my_realloc /data/src/10.4/mysys/my_malloc.c:155
          #4 0x562bf7094854 in mi_alloc_rec_buff /data/src/10.4/storage/myisam/mi_open.c:762
          #5 0x562bf703a7de in mi_repair_by_sort /data/src/10.4/storage/myisam/mi_check.c:2241
          #6 0x562bf701a3da in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.4/storage/myisam/ha_myisam.cc:1302
          #7 0x562bf701ce9a in ha_myisam::enable_indexes(unsigned int) /data/src/10.4/storage/myisam/ha_myisam.cc:1640
          #8 0x562bf701dda2 in ha_myisam::end_bulk_insert() /data/src/10.4/storage/myisam/ha_myisam.cc:1801
          #9 0x562bf58db0bc in handler::ha_end_bulk_insert() /data/src/10.4/sql/handler.h:3281
          #10 0x562bf593de12 in mysql_load(THD*, sql_exchange const*, TABLE_LIST*, List<Item>&, List<Item>&, List<Item>&, enum_duplicates, bool, bool) /data/src/10.4/sql/sql_load.cc:667
          #11 0x562bf596b319 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5185
          #12 0x562bf597e87e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #13 0x562bf5956a87 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #14 0x562bf5953888 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #15 0x562bf5ce7449 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #16 0x562bf5ce6e42 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #17 0x562bf68b1f5e in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #18 0x7f6df9eb1493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T5 created by T0 here:
          #0 0x7f6dfa0eabba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x562bf68b2526 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
          #2 0x562bf56a2c96 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x562bf56b84c0 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6194
          #4 0x562bf56b8bc5 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6264
          #5 0x562bf56b8f55 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6362
          #6 0x562bf56b9ba1 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6520
          #7 0x562bf56b7cfb in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5852
          #8 0x562bf56a0b1f in main /data/src/10.4/sql/main.cc:25
          #9 0x7f6df81cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/field.h:1166 Field::is_null(long long) const
      Shadow bytes around the buggy address:
        0x0c34800000d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c34800000e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c34800000f0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3480000100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3480000110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c3480000120: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3480000130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3480000140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3480000150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3480000160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3480000170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==22969==ABORTING
      

      10.4 debug fb01193c

      #3  <signal handler called>
      #4  0x0000561e88028bdf in my_hash_sort_bin (cs=0x561e88bb7840 <my_charset_bin>, key=0x8f8f8f8f8f8f8f8f <error: Cannot access memory at address 0x8f8f8f8f8f8f8f8f>, len=2408550287, nr1=0x7f7021fa29e8, nr2=0x7f7021fa29f0) at /data/src/10.4/strings/ctype-bin.c:274
      #5  0x0000561e878b8793 in calc_hash_for_unique (nr1=@0x7f7021fa29e8: 16388949499, nr2=@0x7f7021fa29f0: 16, str=0x7f701006f278) at /data/src/10.4/sql/item_func.cc:1725
      #6  0x0000561e878b8870 in Item_func_hash::val_int (this=0x7f701006efe8) at /data/src/10.4/sql/item_func.cc:1742
      #7  0x0000561e8785b4d0 in Item::save_int_in_field (this=0x7f701006efe8, field=0x7f701006ef08, no_conversions=false) at /data/src/10.4/sql/item.cc:6492
      #8  0x0000561e876f2946 in Type_handler_int_result::Item_save_in_field (this=0x561e88b90478 <type_handler_long>, item=0x7f701006efe8, field=0x7f701006ef08, no_conversions=false) at /data/src/10.4/sql/sql_type.cc:3587
      #9  0x0000561e8785b57b in Item::save_in_field (this=0x7f701006efe8, field=0x7f701006ef08, no_conversions=false) at /data/src/10.4/sql/item.cc:6502
      #10 0x0000561e8761af5e in TABLE::update_virtual_fields (this=0x7f701006c410, h=0x7f701006d6d8, update_mode=VCOL_UPDATE_FOR_READ) at /data/src/10.4/sql/table.cc:8195
      #11 0x0000561e878359ce in handler::ha_rnd_next (this=0x7f701006d6d8, buf=0x7f701006e3f8 "\377") at /data/src/10.4/sql/handler.cc:2996
      #12 0x0000561e879c9599 in rr_sequential (info=0x7f7021fa2e00) at /data/src/10.4/sql/records.cc:481
      #13 0x0000561e874427af in READ_RECORD::read_record (this=0x7f7021fa2e00) at /data/src/10.4/sql/records.h:73
      #14 0x0000561e879e7c61 in mysql_delete (thd=0x7f7010000b00, table_list=0x7f7010015570, conds=0x0, order_list=0x7f7010005488, limit=18446744073709551615, options=0, result=0x0) at /data/src/10.4/sql/sql_delete.cc:811
      #15 0x0000561e874f0cfd in mysql_execute_command (thd=0x7f7010000b00) at /data/src/10.4/sql/sql_parse.cc:4985
      #16 0x0000561e874fbc72 in mysql_parse (thd=0x7f7010000b00, rawbuf=0x7f70100154a8 "DELETE FROM tmp", length=15, parser_state=0x7f7021fa4180, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:8157
      #17 0x0000561e874e7360 in dispatch_command (command=COM_QUERY, thd=0x7f7010000b00, packet=0x7f701000a761 "DELETE FROM tmp", packet_length=15, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1829
      #18 0x0000561e874e5b34 in do_command (thd=0x7f7010000b00) at /data/src/10.4/sql/sql_parse.cc:1358
      #19 0x0000561e8765f837 in do_handle_one_connection (connect=0x561e89d80c40) at /data/src/10.4/sql/sql_connect.cc:1399
      #20 0x0000561e8765f5a8 in handle_one_connection (arg=0x561e89d80c40) at /data/src/10.4/sql/sql_connect.cc:1302
      #21 0x0000561e87b56979 in pfs_spawn_thread (arg=0x561e89e732b0) at /data/src/10.4/storage/perfschema/pfs.cc:1862
      #22 0x00007f7029b01494 in start_thread (arg=0x7f7021fa5700) at pthread_create.c:333
      #23 0x00007f7027ee793f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      Variations of the test case that produce different failures on a non-ASAN build (the ASAN failure is the same for all test cases).
      The test cases differ only in the data type of the first column of the temporary table.

      # Variant of the reproducer: the first column of tmp is VARCHAR(8).
      # On a non-ASAN build the report shows glibc aborting with
      # "corrupted double-linked list" (output follows this script).
      CREATE TABLE t1 (a INT, b INT, c INT, d INT, e INT);
       
      # Rows made of column defaults only; the row count is kept exactly as reported.
      INSERT INTO t1 () VALUES
      (),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),
      (),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),
      (),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),
      (),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),
      (),(),(),();
       
      # Write the rows to a file in the database directory (removed in Cleanup).
      SELECT * FROM t1 INTO OUTFILE 'load.data';
       
      # KEY (e) on a LINESTRING column with no key length; only the type of
      # column a differs from the other test cases in this report.
      CREATE TEMPORARY TABLE tmp (a VARCHAR(8), b INT, c INT, d INT, e LINESTRING, KEY (e));
      LOAD DATA INFILE 'load.data' INTO TABLE tmp;
       
      # The glibc abort in the backtrace is raised from a malloc reached through
      # lf_hash_insert under dispatch_command, i.e. in an allocation unrelated
      # to the table itself; this is consistent with earlier heap corruption
      # rather than a fault at the allocation site (inferred, not stated in the report).
      DELETE FROM tmp;
       
      # Cleanup: drop the source table and delete the data file. tmp is a
      # temporary table and is not dropped explicitly.
      DROP TABLE t1;
      --let $datadir= `SELECT @@datadir`
      --remove_file $datadir/test/load.data
      

      *** Error in `/data/bld/10.4-daily/bin/mysqld': corrupted double-linked list: 0x00007f1b14069480 ***
      ======= Backtrace: =========
      /lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)DROP TABLE t1;
      /lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f1b351abf96]
      /lib/x86_64-linux-gnu/libc.so.6(+0x79510)[0x7f1b351ae510]
      /lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7f1b351afd84]
      /data/bld/10.4-daily/bin/mysqld(sf_malloc+0x51)[0x55693ea516a3]
      /data/bld/10.4-daily/bin/mysqld(my_malloc+0xad)[0x55693ea3f18d]
      /data/bld/10.4-daily/bin/mysqld(lf_alloc_new+0x72)[0x55693ea4fe69]
      /data/bld/10.4-daily/bin/mysqld(lf_hash_insert+0x20)[0x55693ea50f7e]
      /data/bld/10.4-daily/bin/mysqld(+0xdbb34a)[0x55693e56834a]
      /data/bld/10.4-daily/bin/mysqld(+0xdf696a)[0x55693e5a396a]
      /data/bld/10.4-daily/bin/mysqld(+0x77a9e8)[0x55693df279e8]
      /data/bld/10.4-daily/bin/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcjbb+0x3251)[0x55693df2f3cf]
      /data/bld/10.4-daily/bin/mysqld(_Z10do_commandP3THD+0x7fe)[0x55693df2bb34]
      /data/bld/10.4-daily/bin/mysqld(_Z24do_handle_one_connectionP7CONNECT+0x1d0)[0x55693e0a5837]
      /data/bld/10.4-daily/bin/mysqld(handle_one_connection+0x30)[0x55693e0a55a8]
      /data/bld/10.4-daily/bin/mysqld(+0xdef979)[0x55693e59c979]
      /lib/x86_64-linux-gnu/libpthread.so.0(+0x7494)[0x7f1b36e37494]
      /lib/x86_64-linux-gnu/libc.so.6(clone+0x3f)[0x7f1b3521d93f]
      ======= Memory map: ========
      55693d7ad000-55693f284000 r-xp 00000000 08:11 33956525                   /data/bld/10.4-daily/bin/mysqld
      55693f483000-55693f5af000 r--p 01ad6000 08:11 33956525                   /data/bld/10.4-daily/bin/mysqld
      55693f5af000-55693f7b3000 rw-p 01c02000 08:11 33956525                   /data/bld/10.4-daily/bin/mysqld
      55693f7b3000-55694005c000 rw-p 00000000 00:00 0 
      556941c5e000-556942009000 rw-p 00000000 00:00 0                          [heap]
      7f1b14000000-7f1b141d4000 rw-p 00000000 00:00 0 
      7f1b141d4000-7f1b18000000 ---p 00000000 00:00 0 
      7f1b1c000000-7f1b1c021000 rw-p 00000000 00:00 0 
      7f1b1c021000-7f1b20000000 ---p 00000000 00:00 0 
      7f1b20000000-7f1b20029000 rw-p 00000000 00:00 0 
      7f1b20029000-7f1b24000000 ---p 00000000 00:00 0 
      7f1b24000000-7f1b24021000 rw-p 00000000 00:00 0 
      7f1b24021000-7f1b28000000 ---p 00000000 00:00 0 
      7f1b2b05a000-7f1b2b05b000 ---p 00000000 00:00 0 
      7f1b2b05b000-7f1b2c000000 rw-p 00000000 00:00 0                          [stack:23254]
      7f1b2c000000-7f1b2c021000 rw-p 00000000 00:00 0 
      7f1b2c021000-7f1b30000000 ---p 00000000 00:00 0 
      7f1b30238000-7f1b30239000 ---p 00000000 00:00 0 
      7f1b30239000-7f1b30282000 rw-p 00000000 00:00 0                          [stack:23259]
      7f1b30282000-7f1b30283000 ---p 00000000 00:00 0 
      7f1b30283000-7f1b302cc000 rw-p 00000000 00:00 0                          [stack:23256]
      7f1b302cc000-7f1b302cd000 ---p 00000000 00:00 0 
      7f1b302cd000-7f1b306da000 rw-p 00000000 00:00 0                          [stack:23255]
      7f1b306da000-7f1b306db000 ---p 00000000 00:00 0 
      7f1b306db000-7f1b35135000 rw-p 00000000 00:00 0                          [stack:23253]
      7f1b35135000-7f1b352ca000 r-xp 00000000 08:05 3152648                    /lib/x86_64-linux-gnu/libc-2.24.so
      7f1b352ca000-7f1b354c9000 ---p 00195000 08:05 3152648                    /lib/x86_64-linux-gnu/libc-2.24.so
      7f1b354c9000-7f1b354cd000 r--p 00194000 08:05 3152648                    /lib/x86_64-linux-gnu/libc-2.24.so
      7f1b354cd000-7f1b354cf000 rw-p 00198000 08:05 3152648                    /lib/x86_64-linux-gnu/libc-2.24.so
      7f1b354cf000-7f1b354d3000 rw-p 00000000 00:00 0 
      7f1b354d3000-7f1b354e9000 r-xp 00000000 08:05 3145732                    /lib/x86_64-linux-gnu/libgcc_s.so.1
      7f1b354e9000-7f1b356e8000 ---p 00016000 08:05 3145732                    /lib/x86_64-linux-gnu/libgcc_s.so.1
      7f1b356e8000-7f1b356e9000 rw-p 00015000 08:05 3145732                    /lib/x86_64-linux-gnu/libgcc_s.so.1
      7f1b356e9000-7f1b357ec000 r-xp 00000000 08:05 3152660                    /lib/x86_64-linux-gnu/libm-2.24.so
      7f1b357ec000-7f1b359eb000 ---p 00103000 08:05 3152660                    /lib/x86_64-linux-gnu/libm-2.24.so
      7f1b359eb000-7f1b359ec000 r--p 00102000 08:05 3152660                    /lib/x86_64-linux-gnu/libm-2.24.so
      7f1b359ec000-7f1b359ed000 rw-p 00103000 08:05 3152660                    /lib/x86_64-linux-gnu/libm-2.24.so
      7f1b359ed000-7f1b35b5f000 r-xp 00000000 08:05 1577675                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
      7f1b35b5f000-7f1b35d5f000 ---p 00172000 08:05 1577675                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
      7f1b35d5f000-7f1b35d69000 r--p 00172000 08:05 1577675                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
      7f1b35d69000-7f1b35d6b000 rw-p 0017c000 08:05 1577675                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
      7f1b35d6b000-7f1b35d6f000 rw-p 00000000 00:00 0 
      7f1b35d6f000-7f1b35d72000 r-xp 00000000 08:05 3152657                    /lib/x86_64-linux-gnu/libdl-2.24.so
      7f1b35d72000-7f1b35f71000 ---p 00003000 08:05 3152657                    /lib/x86_64-linux-gnu/libdl-2.24.so
      7f1b35f71000-7f1b35f72000 r--p 00002000 08:05 3152657                    /lib/x86_64-linux-gnu/libdl-2.24.so
      7f1b35f72000-7f1b35f73000 rw-p 00003000 08:05 3152657                    /lib/x86_64-linux-gnu/libdl-2.24.so
      7f1b35f73000-7f1b36140000 r-xp 00000000 08:05 1576357                    /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
      7f1b36140000-7f1b3633f000 ---p 001cd000 08:05 1576357                    /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
      7f1b3633f000-7f1b3635c000 r--p 001cc000 08:05 1576357                    /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
      7f1b3635c000-7f1b3636c000 rw-p 001e9000 08:05 1576357                    /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
      7f1b3636c000-7f1b3636f000 rw-p 00000000 00:00 0 
      7f1b3636f000-7f1b363c6000 r-xp 00000000 08:05 1576361                    /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
      7f1b363c6000-7f1b365c6000 ---p 00057000 08:05 1576361                    /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
      7f1b365c6000-7f1b365c9000 r--p 00057000 08:05 1576361                    /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
      7f1b365c9000-7f1b365cf000 rw-p 0005a000 08:05 1576361                    /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
      7f1b365cf000-7f1b365d0000 rw-p 00000000 00:00 0 
      7f1b365d0000-7f1b365d8000 r-xp 00000000 08:05 3152654                    /lib/x86_64-linux-gnu/libcrypt-2.24.so
      7f1b365d8000-7f1b367d8000 ---p 00008000 08:05 3152654                    /lib/x86_64-linux-gnu/libcrypt-2.24.so
      7f1b367d8000-7f1b367d9000 r--p 00008000 08:05 3152654                    /lib/x86_64-linux-gnu/libcrypt-2.24.so
      7f1b367d9000-7f1b367da000 rw-p 00009000 08:05 3152654                    /lib/x86_64-linux-gnu/libcrypt-2.24.so
      7f1b367da000-7f1b36808000 rw-p 00000000 00:00 0 
      7f1b36808000-7f1b36822000 r-xp 00000000 08:05 3145828                    /lib/x86_64-linux-gnu/libz.so.1.2.8
      7f1b36822000-7f1b36a21000 ---p 0001a000 08:05 3145828                    /lib/x86_64-linux-gnu/libz.so.1.2.8
      7f1b36a21000-7f1b36a22000 r--p 00019000 08:05 3145828                    /lib/x86_64-linux-gnu/libz.so.1.2.8
      7f1b36a22000-7f1b36a23000 rw-p 0001a000 08:05 3145828                    /lib/x86_64-linux-gnu/libz.so.1.2.8
      7f1b36a23000-7f1b36a2d000 r-xp 00000000 08:05 1586559                    /usr/lib/x86_64-linux-gnu/libnuma.so.1.0.0
      7f1b36a2d000-7f1b36c2c000 ---p 0000a000 08:05 1586559                    /usr/lib/x86_64-linux-gnu/libnuma.so.1.0.0
      7f1b36c2c000-7f1b36c2d000 r--p 00009000 08:05 1586559                    /usr/lib/x86_64-linux-gnu/libnuma.so.1.0.0
      7f1b36c2d000-7f1b36c2e000 rw-p 0000a000 08:05 1586559                    /usr/lib/x86_64-linux-gnu/libnuma.so.1.0.0
      7f1b36c2e000-7f1b36c2f000 r-xp 00000000 08:05 3152558                    /lib/x86_64-linux-gnu/libaio.so.1.0.1
      7f1b36c2f000-7f1b36e2e000 ---p 00001000 08:05 3152558                    /lib/x86_64-linux-gnu/libaio.so.1.0.1
      7f1b36e2e000-7f1b36e2f000 r--p 00000000 08:05 3152558                    /lib/x86_64-linux-gnu/libaio.so.1.0.1
      7f1b36e2f000-7f1b36e30000 rw-p 00001000 08:05 3152558                    /lib/x86_64-linux-gnu/libaio.so.1.0.1
      7f1b36e30000-7f1b36e48000 r-xp 00000000 08:05 3152800                    /lib/x86_64-linux-gnu/libpthread-2.24.so
      7f1b36e48000-7f1b37047000 ---p 00018000 08:05 3152800                    /lib/x86_64-linux-gnu/libpthread-2.24.so
      7f1b37047000-7f1b37048000 r--p 00017000 08:05 3152800                    /lib/x86_64-linux-gnu/libpthread-2.24.so
      7f1b37048000-7f1b37049000 rw-p 00018000 08:05 3152800                    /lib/x86_64-linux-gnu/libpthread-2.24.so
      7f1b37049000-7f1b3704d000 rw-p 00000000 00:00 0 
      7f1b3704d000-7f1b37070000 r-xp 00000000 08:05 3145795                    /lib/x86_64-linux-gnu/ld-2.24.so
      7f1b37084000-7f1b37255000 rw-p 00000000 00:00 0 
      7f1b3726c000-7f1b37270000 rw-p 00000000 00:00 0 
      7f1b37270000-7f1b37271000 r--p 00023000 08:05 3145795                    /lib/x86_64-linux-gnu/ld-2.24.so
      7f1b37271000-7f1b37272000 rw-p 00024000 08:05 3145795                    /lib/x86_64-linux-gnu/ld-2.24.so
      7f1b37272000-7f1b37273000 rw-p 00000000 00:00 0 
      7ffc7a839000-7ffc7a85c000 rw-p 00000000 00:00 0                          [stack]
      7ffc7a929000-7ffc7a92b000 r-xp 00000000 00:00 0                          [vdso]
      7ffc7a92b000-7ffc7a92d000 r--p 00000000 00:00 0                          [vvar]
      ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
      

      # Variant of the reproducer: the first column of tmp is INT.
      # On a non-ASAN build the report shows a glibc malloc assertion followed
      # by a hang (error-log line and stack trace follow this script).
      CREATE TABLE t1 (a INT, b INT, c INT, d INT, e INT);
       
      # Rows made of column defaults only; the row count is kept exactly as reported.
      INSERT INTO t1 () VALUES
      (),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),
      (),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),
      (),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),
      (),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),(),
      (),(),(),();
       
      # Write the rows to a file in the database directory (removed in Cleanup).
      SELECT * FROM t1 INTO OUTFILE 'load.data';
       
      # KEY (e) on a LINESTRING column with no key length; only the type of
      # column a differs from the other test cases in this report.
      CREATE TEMPORARY TABLE tmp (a INT, b INT, c INT, d INT, e LINESTRING, KEY (e));
      LOAD DATA INFILE 'load.data' INTO TABLE tmp;
       
      # The stack trace shows the assertion firing in malloc called from
      # find_or_create_digest (performance schema) in end_statement_v1, with
      # packet_length=15, which matches the length of this statement. The
      # failing allocation is far from the table code, so the heap was
      # presumably damaged earlier in the statement (inferred from the trace).
      DELETE FROM tmp;
       
      # Cleanup: drop the source table and delete the data file. tmp is a
      # temporary table and is not dropped explicitly.
      DROP TABLE t1;
      --let $datadir= `SELECT @@datadir`
      --remove_file $datadir/test/load.data
      

      The server hangs in the middle of the crash. The assertion line is from the error log; the stack trace is from the still-running process.

      mysqld: malloc.c:3757: _int_malloc: Assertion `(unsigned long) (size) >= (unsigned long) (nb)' failed.
      190224  1:42:50 [ERROR] mysqld got signal 6 ;
       
      #8  <signal handler called>
      #9  0x00007f08e0d81fcf in raise () from /lib/x86_64-linux-gnu/libc.so.6
      #10 0x00007f08e0d833fa in abort () from /lib/x86_64-linux-gnu/libc.so.6
      #11 0x00007f08e0dc59c8 in __malloc_assert () from /lib/x86_64-linux-gnu/libc.so.6
      #12 0x00007f08e0dc85bc in _int_malloc () from /lib/x86_64-linux-gnu/libc.so.6
      #13 0x00007f08e0dc9d84 in malloc () from /lib/x86_64-linux-gnu/libc.so.6
      #14 0x00005582226346a3 in sf_malloc (size=40, my_flags=16) at /data/src/10.4/mysys/safemalloc.c:118
      #15 0x000055822262218d in my_malloc (size=40, my_flags=16) at /data/src/10.4/mysys/my_malloc.c:101
      #16 0x0000558222632e69 in lf_alloc_new (pins=0x7f08c001d980) at /data/src/10.4/mysys/lf_alloc-pin.c:507
      #17 0x0000558222633f7e in lf_hash_insert (hash=0x558223bd6040 <digest_hash>, pins=0x7f08c001d980, data=0x7f08dc080e30) at /data/src/10.4/mysys/lf_hash.c:403
      #18 0x000055822214b34a in find_or_create_digest (thread=0x7f08df2407c0, digest_storage=0x7f08c00043e0, schema_name=0x7f08c00044c0 "test", '\245' <repeats 188 times>, "\004", schema_name_length=4) at /data/src/10.4/storage/perfschema/pfs_digest.cc:283
      #19 0x000055822218696a in end_statement_v1 (locker=0x7f08c0004418, stmt_da=0x7f08c00064a0) at /data/src/10.4/storage/perfschema/pfs.cc:4837
      #20 0x0000558221b0a9e8 in inline_mysql_end_statement (locker=0x7f08c0004418, stmt_da=0x7f08c00064a0) at /data/src/10.4/include/mysql/psi/mysql_statement.h:216
      #21 0x0000558221b123cf in dispatch_command (command=COM_QUERY, thd=0x7f08c0000b00, packet=0x7f08c000a761 "", packet_length=15, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:2446
      #22 0x0000558221b0eb34 in do_command (thd=0x7f08c0000b00) at /data/src/10.4/sql/sql_parse.cc:1358
      #23 0x0000558221c88837 in do_handle_one_connection (connect=0x5582245eac40) at /data/src/10.4/sql/sql_connect.cc:1399
      #24 0x0000558221c885a8 in handle_one_connection (arg=0x5582245eac40) at /data/src/10.4/sql/sql_connect.cc:1302
      #25 0x000055822217f979 in pfs_spawn_thread (arg=0x5582246dd2b0) at /data/src/10.4/storage/perfschema/pfs.cc:1862
      #26 0x00007f08e2a51494 in start_thread (arg=0x7f08dc082700) at pthread_create.c:333
      #27 0x00007f08e0e3793f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

              People

              Assignee:
              serg Sergei Golubchik
              Reporter:
              elenst Elena Stepanova