  1. MariaDB Server
  2. MDEV-20563

Server crash in row_upd_del_mark_clust_rec or in wsrep_row_upd_index_is_foreign or Assertion `update->n_fields < ulint(table->n_cols + table->n_v_cols)' failed upon DELETE from precise-versioned table


    Details

      Description

      # Reproducer in mysqltest format for the failures listed in this report.
      # The test is skipped unless the server has the InnoDB engine.
      --source include/have_innodb.inc
       
      # s and e are BIGINT UNSIGNED ROW START / ROW END columns: this is the
      # "precise-versioned" system-versioned table named in the issue title.
      CREATE  TABLE t1 (a INT, s BIGINT UNSIGNED AS ROW START, e BIGINT UNSIGNED AS ROW END, PERIOD FOR SYSTEM_TIME(s,e)) WITH SYSTEM VERSIONING ENGINE=InnoDB;
      # First batch of eight rows, inserted before the explicit transaction starts.
      INSERT INTO t1 (a) VALUES (1),(2),(3),(4),(5),(6),(7),(8);
      START TRANSACTION;
      # Second batch of eight rows, inserted inside the still-open transaction.
      INSERT INTO t1 (a) VALUES (1),(2),(3),(4),(5),(6),(7),(8);
      # Failing statement: all three backtraces in this report go through
      # mysql_delete -> ha_innobase::delete_row -> row_update_for_mysql.
      # The debug build aborts in upd_node_t::make_versioned_helper on the assertion
      # `update->n_fields < ulint(table->n_cols + table->n_v_cols)'.
      # The ASAN build reports a 2-byte WRITE to poisoned heap memory in
      # upd_field_set_field_no, called from that same helper.
      # The plain non-debug build takes a signal in row_upd_del_mark_clust_rec instead.
      # NOTE(review): this looks like the update vector receiving one more field than
      # it was sized for, i.e. an invalid heap write and not only a failed assertion.
      # Confirm against row0upd.cc. If so, a release build has no check between this
      # DML and the write, so triage it as a memory-safety defect reachable with
      # ordinary CREATE/INSERT/DELETE privileges.
      DELETE FROM t1;
       
      # Cleanup
      COMMIT;
      DROP TABLE t1;
      

      10.3 f1309fac non-debug

      #3  <signal handler called>
      #4  row_upd_del_mark_clust_rec (mtr=0x7f1eca6c9fc0, foreign=false, referenced=0, thr=0x7f1e7806bc08, offsets=0x7f1eca6c96a0, index=0x7f1e780803e0, node=0x7f1e7806b8e0) at /data/src/10.3/storage/innobase/row/row0upd.cc:2983
      #5  row_upd_clust_step (node=node@entry=0x7f1e7806b8e0, thr=thr@entry=0x7f1e7806bc08) at /data/src/10.3/storage/innobase/row/row0upd.cc:3168
      #6  0x00005595175efa94 in row_upd (thr=0x7f1e7806bc08, node=0x7f1e7806b8e0) at /data/src/10.3/storage/innobase/row/row0upd.cc:3295
      #7  row_upd_step (thr=thr@entry=0x7f1e7806bc08) at /data/src/10.3/storage/innobase/row/row0upd.cc:3439
      #8  0x00005595175c48ac in row_update_for_mysql (prebuilt=0x7f1e7806adf0) at /data/src/10.3/storage/innobase/row/row0mysql.cc:1888
      #9  0x00005595175181d3 in ha_innobase::delete_row (this=0x7f1e7806a660, record=0x7f1e780655d8 "\375\a") at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:8983
      #10 0x00005595173b0a04 in handler::ha_delete_row (this=0x7f1e7806a660, buf=0x7f1e780655d8 "\375\a") at /data/src/10.3/sql/handler.cc:6534
      #11 0x00005595174bf1ba in mysql_delete (thd=thd@entry=0x7f1e780009a8, table_list=0x7f1e7800f528, conds=<optimized out>, order_list=order_list@entry=0x7f1e780050b0, limit=18446744073709551601, options=<optimized out>, result=0x0) at /data/src/10.3/sql/sql_delete.cc:750
      #12 0x00005595171e4817 in mysql_execute_command (thd=thd@entry=0x7f1e780009a8) at /data/src/10.3/sql/sql_parse.cc:4654
      #13 0x00005595171e5859 in mysql_parse (thd=thd@entry=0x7f1e780009a8, rawbuf=<optimized out>, length=14, parser_state=parser_state@entry=0x7f1eca6cc620, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.3/sql/sql_parse.cc:7830
      #14 0x00005595171e806d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f1e780009a8, packet=packet@entry=0x7f1e780070b9 "DELETE FROM t1", packet_length=packet_length@entry=14, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.3/sql/sql_parse.cc:1856
      #15 0x00005595171e8ce6 in do_command (thd=0x7f1e780009a8) at /data/src/10.3/sql/sql_parse.cc:1401
      #16 0x00005595172afca4 in do_handle_one_connection (connect=connect@entry=0x559519241958) at /data/src/10.3/sql/sql_connect.cc:1403
      #17 0x00005595172afd54 in handle_one_connection (arg=arg@entry=0x559519241958) at /data/src/10.3/sql/sql_connect.cc:1308
      #18 0x000055951781f1e4 in pfs_spawn_thread (arg=0x5595192024c8) at /data/src/10.3/storage/perfschema/pfs.cc:1862
      #19 0x00007f1ed6e834a4 in start_thread (arg=0x7f1eca6cd700) at pthread_create.c:456
      #20 0x00007f1ed53cbd0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
      

      10.3 f1309fac debug

      mysqld: /data/src/10.3/storage/innobase/row/row0upd.cc:3486: void upd_node_t::make_versioned_helper(const trx_t*, ulint): Assertion `update->n_fields < ulint(table->n_cols + table->n_v_cols)' failed.
      190911 16:59:14 [ERROR] mysqld got signal 6 ;
       
      #7  0x00007f9056c21f12 in __GI___assert_fail (assertion=0x55e4c728ae28 "update->n_fields < ulint(table->n_cols + table->n_v_cols)", file=0x55e4c7289fd8 "/data/src/10.3/storage/innobase/row/row0upd.cc", line=3486, function=0x55e4c728da40 <upd_node_t::make_versioned_helper(trx_t const*, unsigned long)::__PRETTY_FUNCTION__> "void upd_node_t::make_versioned_helper(const trx_t*, ulint)") at assert.c:101
      #8  0x000055e4c6b0ba2b in upd_node_t::make_versioned_helper (this=0x7f90000a5330, trx=0x7f9050ab80f0, idx=1) at /data/src/10.3/storage/innobase/row/row0upd.cc:3486
      #9  0x000055e4c6aa17dc in upd_node_t::make_versioned_update (this=0x7f90000a5330, trx=0x7f9050ab80f0) at /data/src/10.3/storage/innobase/include/row0upd.h:606
      #10 0x000055e4c6a99179 in row_update_for_mysql (prebuilt=0x7f90000a4808) at /data/src/10.3/storage/innobase/row/row0mysql.cc:1879
      #11 0x000055e4c68fa0af in ha_innobase::delete_row (this=0x7f90000a4058, record=0x7f9000006af0 "\375\006") at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:8983
      #12 0x000055e4c66d294a in handler::ha_delete_row (this=0x7f90000a4058, buf=0x7f9000006af0 "\375\006") at /data/src/10.3/sql/handler.cc:6534
      #13 0x000055e4c687f205 in TABLE::delete_row (this=0x7f9000162a70) at /data/src/10.3/sql/sql_delete.cc:253
      #14 0x000055e4c687c409 in mysql_delete (thd=0x7f9000000b00, table_list=0x7f90000128e0, conds=0x0, order_list=0x7f90000053c8, limit=18446744073709551602, options=0, result=0x0) at /data/src/10.3/sql/sql_delete.cc:750
      #15 0x000055e4c63a4d6c in mysql_execute_command (thd=0x7f9000000b00) at /data/src/10.3/sql/sql_parse.cc:4654
      #16 0x000055e4c63af9fd in mysql_parse (thd=0x7f9000000b00, rawbuf=0x7f9000012818 "DELETE FROM t1", length=14, parser_state=0x7f904bfb35e0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7830
      #17 0x000055e4c639c2fb in dispatch_command (command=COM_QUERY, thd=0x7f9000000b00, packet=0x7f9000008c71 "DELETE FROM t1", packet_length=14, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1856
      #18 0x000055e4c639ac22 in do_command (thd=0x7f9000000b00) at /data/src/10.3/sql/sql_parse.cc:1401
      #19 0x000055e4c6513d40 in do_handle_one_connection (connect=0x55e4c97900c0) at /data/src/10.3/sql/sql_connect.cc:1403
      #20 0x000055e4c6513aa2 in handle_one_connection (arg=0x55e4c97900c0) at /data/src/10.3/sql/sql_connect.cc:1308
      #21 0x000055e4c6ef60a0 in pfs_spawn_thread (arg=0x55e4c96d3710) at /data/src/10.3/storage/perfschema/pfs.cc:1862
      #22 0x00007f90587964a4 in start_thread (arg=0x7f904bfb4700) at pthread_create.c:456
      #23 0x00007f9056cded0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
      

      10.5 non-debug ASAN 0186b0a0

      ==18014==ERROR: AddressSanitizer: use-after-poison on address 0x620000077e68 at pc 0x55abf29dc770 bp 0x7f5fa8fcbd90 sp 0x7f5fa8fcbd88
      WRITE of size 2 at 0x620000077e68 thread T14
          #0 0x55abf29dc76f in upd_field_set_field_no /data/src/10.5/storage/innobase/include/row0upd.ic:100
          #1 0x55abf29dc76f in upd_node_t::make_versioned_helper(trx_t const*, unsigned long) /data/src/10.5/storage/innobase/row/row0upd.cc:3195
          #2 0x55abf2970266 in upd_node_t::make_versioned_update(trx_t const*) /data/src/10.5/storage/innobase/include/row0upd.h:504
          #3 0x55abf2970266 in row_update_for_mysql(row_prebuilt_t*) /data/src/10.5/storage/innobase/row/row0mysql.cc:1879
          #4 0x55abf277cabf in ha_innobase::delete_row(unsigned char const*) /data/src/10.5/storage/innobase/handler/ha_innodb.cc:8657
          #5 0x55abf1f8cb51 in handler::ha_delete_row(unsigned char const*) /data/src/10.5/sql/handler.cc:7100
          #6 0x55abf2323f90 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.5/sql/sql_delete.cc:794
          #7 0x55abf1a2b535 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:4749
          #8 0x55abf1a3a014 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:7957
          #9 0x55abf1a1e706 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1840
          #10 0x55abf1a1a176 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1359
          #11 0x55abf1cc7867 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1411
          #12 0x55abf1cc8576 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1313
          #13 0x55abf25cae33 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
          #14 0x7f5fb9a2c4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
          #15 0x7f5fb7b60d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
       
      0x620000077e68 is located 3560 bytes inside of 3784-byte region [0x620000077080,0x620000077f48)
      allocated by thread T14 here:
          #0 0x7f5fb9d03d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
          #1 0x55abf287dcfc in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, char const*, bool, bool) /data/src/10.5/storage/innobase/include/ut0new.h:372
          #2 0x55abf287dcfc in mem_heap_create_block_func(mem_block_info_t*, unsigned long, unsigned long) /data/src/10.5/storage/innobase/mem/mem0mem.cc:277
       
      Thread T14 created by T0 here:
          #0 0x7f5fb9c72f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
          #1 0x55abf25cb0aa in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:34
          #2 0x55abf25cb0aa in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/10.5/storage/innobase/include/row0upd.ic:100 in upd_field_set_field_no
      Shadow bytes around the buggy address:
        0x0c4080006f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00
        0x0c4080006f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c4080006f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c4080006fa0: 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c4080006fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c4080006fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00[f7]00 00
        0x0c4080006fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c4080006fe0: 00 00 00 00 f7 f7 f7 f7 f7 fa fa fa fa fa fa fa
        0x0c4080006ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c4080007000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c4080007010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==18014==ABORTING
      

              People

              Assignee:
              midenok Aleksey Midenkov
              Reporter:
              elenst Elena Stepanova
