[MDEV-20563] Server crash in row_upd_del_mark_clust_rec or in wsrep_row_upd_index_is_foreign or Assertion `update->n_fields < ulint(table->n_cols + table->n_v_cols)' failed upon DELETE from precise-versioned table - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Duplicate
Affects Version/s: 10.5.4, 10.5.3, 10.3(EOL), 10.4(EOL)
Fix Version/s: N/A
Component/s: Storage Engine - InnoDB, Versioned Tables
Labels:

Description

--source include/have_innodb.inc

CREATE  TABLE t1 (a INT, s BIGINT UNSIGNED AS ROW START, e BIGINT UNSIGNED AS ROW END, PERIOD FOR SYSTEM_TIME(s,e)) WITH SYSTEM VERSIONING ENGINE=InnoDB;

INSERT INTO t1 (a) VALUES (1),(2),(3),(4),(5),(6),(7),(8);

START TRANSACTION;

INSERT INTO t1 (a) VALUES (1),(2),(3),(4),(5),(6),(7),(8);

DELETE FROM t1;

# Cleanup

COMMIT;

DROP TABLE t1;

10.3 f1309fac non-debug
#3 <signal handler called>
#4 row_upd_del_mark_clust_rec (mtr=0x7f1eca6c9fc0, foreign=false, referenced=0, thr=0x7f1e7806bc08, offsets=0x7f1eca6c96a0, index=0x7f1e780803e0, node=0x7f1e7806b8e0) at /data/src/10.3/storage/innobase/row/row0upd.cc:2983
#5 row_upd_clust_step (node=node@entry=0x7f1e7806b8e0, thr=thr@entry=0x7f1e7806bc08) at /data/src/10.3/storage/innobase/row/row0upd.cc:3168
#6 0x00005595175efa94 in row_upd (thr=0x7f1e7806bc08, node=0x7f1e7806b8e0) at /data/src/10.3/storage/innobase/row/row0upd.cc:3295
#7 row_upd_step (thr=thr@entry=0x7f1e7806bc08) at /data/src/10.3/storage/innobase/row/row0upd.cc:3439
#8 0x00005595175c48ac in row_update_for_mysql (prebuilt=0x7f1e7806adf0) at /data/src/10.3/storage/innobase/row/row0mysql.cc:1888
#9 0x00005595175181d3 in ha_innobase::delete_row (this=0x7f1e7806a660, record=0x7f1e780655d8 "\375\a") at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:8983
#10 0x00005595173b0a04 in handler::ha_delete_row (this=0x7f1e7806a660, buf=0x7f1e780655d8 "\375\a") at /data/src/10.3/sql/handler.cc:6534
#11 0x00005595174bf1ba in mysql_delete (thd=thd@entry=0x7f1e780009a8, table_list=0x7f1e7800f528, conds=<optimized out>, order_list=order_list@entry=0x7f1e780050b0, limit=18446744073709551601, options=<optimized out>, result=0x0) at /data/src/10.3/sql/sql_delete.cc:750
#12 0x00005595171e4817 in mysql_execute_command (thd=thd@entry=0x7f1e780009a8) at /data/src/10.3/sql/sql_parse.cc:4654
#13 0x00005595171e5859 in mysql_parse (thd=thd@entry=0x7f1e780009a8, rawbuf=<optimized out>, length=14, parser_state=parser_state@entry=0x7f1eca6cc620, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.3/sql/sql_parse.cc:7830
#14 0x00005595171e806d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f1e780009a8, packet=packet@entry=0x7f1e780070b9 "DELETE FROM t1", packet_length=packet_length@entry=14, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.3/sql/sql_parse.cc:1856
#15 0x00005595171e8ce6 in do_command (thd=0x7f1e780009a8) at /data/src/10.3/sql/sql_parse.cc:1401
#16 0x00005595172afca4 in do_handle_one_connection (connect=connect@entry=0x559519241958) at /data/src/10.3/sql/sql_connect.cc:1403
#17 0x00005595172afd54 in handle_one_connection (arg=arg@entry=0x559519241958) at /data/src/10.3/sql/sql_connect.cc:1308
#18 0x000055951781f1e4 in pfs_spawn_thread (arg=0x5595192024c8) at /data/src/10.3/storage/perfschema/pfs.cc:1862
#19 0x00007f1ed6e834a4 in start_thread (arg=0x7f1eca6cd700) at pthread_create.c:456
#20 0x00007f1ed53cbd0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

10.3 f1309fac debug
mysqld: /data/src/10.3/storage/innobase/row/row0upd.cc:3486: void upd_node_t::make_versioned_helper(const trx_t*, ulint): Assertion `update->n_fields < ulint(table->n_cols + table->n_v_cols)' failed.
190911 16:59:14 [ERROR] mysqld got signal 6 ;

#7 0x00007f9056c21f12 in __GI___assert_fail (assertion=0x55e4c728ae28 "update->n_fields < ulint(table->n_cols + table->n_v_cols)", file=0x55e4c7289fd8 "/data/src/10.3/storage/innobase/row/row0upd.cc", line=3486, function=0x55e4c728da40 <upd_node_t::make_versioned_helper(trx_t const, unsigned long)::__PRETTY_FUNCTION__> "void upd_node_t::make_versioned_helper(const trx_t, ulint)") at assert.c:101
#8 0x000055e4c6b0ba2b in upd_node_t::make_versioned_helper (this=0x7f90000a5330, trx=0x7f9050ab80f0, idx=1) at /data/src/10.3/storage/innobase/row/row0upd.cc:3486
#9 0x000055e4c6aa17dc in upd_node_t::make_versioned_update (this=0x7f90000a5330, trx=0x7f9050ab80f0) at /data/src/10.3/storage/innobase/include/row0upd.h:606
#10 0x000055e4c6a99179 in row_update_for_mysql (prebuilt=0x7f90000a4808) at /data/src/10.3/storage/innobase/row/row0mysql.cc:1879
#11 0x000055e4c68fa0af in ha_innobase::delete_row (this=0x7f90000a4058, record=0x7f9000006af0 "\375\006") at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:8983
#12 0x000055e4c66d294a in handler::ha_delete_row (this=0x7f90000a4058, buf=0x7f9000006af0 "\375\006") at /data/src/10.3/sql/handler.cc:6534
#13 0x000055e4c687f205 in TABLE::delete_row (this=0x7f9000162a70) at /data/src/10.3/sql/sql_delete.cc:253
#14 0x000055e4c687c409 in mysql_delete (thd=0x7f9000000b00, table_list=0x7f90000128e0, conds=0x0, order_list=0x7f90000053c8, limit=18446744073709551602, options=0, result=0x0) at /data/src/10.3/sql/sql_delete.cc:750
#15 0x000055e4c63a4d6c in mysql_execute_command (thd=0x7f9000000b00) at /data/src/10.3/sql/sql_parse.cc:4654
#16 0x000055e4c63af9fd in mysql_parse (thd=0x7f9000000b00, rawbuf=0x7f9000012818 "DELETE FROM t1", length=14, parser_state=0x7f904bfb35e0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7830
#17 0x000055e4c639c2fb in dispatch_command (command=COM_QUERY, thd=0x7f9000000b00, packet=0x7f9000008c71 "DELETE FROM t1", packet_length=14, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1856
#18 0x000055e4c639ac22 in do_command (thd=0x7f9000000b00) at /data/src/10.3/sql/sql_parse.cc:1401
#19 0x000055e4c6513d40 in do_handle_one_connection (connect=0x55e4c97900c0) at /data/src/10.3/sql/sql_connect.cc:1403
#20 0x000055e4c6513aa2 in handle_one_connection (arg=0x55e4c97900c0) at /data/src/10.3/sql/sql_connect.cc:1308
#21 0x000055e4c6ef60a0 in pfs_spawn_thread (arg=0x55e4c96d3710) at /data/src/10.3/storage/perfschema/pfs.cc:1862
#22 0x00007f90587964a4 in start_thread (arg=0x7f904bfb4700) at pthread_create.c:456
#23 0x00007f9056cded0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

10.5 non-debug ASAN 0186b0a0
==18014==ERROR: AddressSanitizer: use-after-poison on address 0x620000077e68 at pc 0x55abf29dc770 bp 0x7f5fa8fcbd90 sp 0x7f5fa8fcbd88
WRITE of size 2 at 0x620000077e68 thread T14
#0 0x55abf29dc76f in upd_field_set_field_no /data/src/10.5/storage/innobase/include/row0upd.ic:100
#1 0x55abf29dc76f in upd_node_t::make_versioned_helper(trx_t const*, unsigned long) /data/src/10.5/storage/innobase/row/row0upd.cc:3195
#2 0x55abf2970266 in upd_node_t::make_versioned_update(trx_t const*) /data/src/10.5/storage/innobase/include/row0upd.h:504
#3 0x55abf2970266 in row_update_for_mysql(row_prebuilt_t*) /data/src/10.5/storage/innobase/row/row0mysql.cc:1879
#4 0x55abf277cabf in ha_innobase::delete_row(unsigned char const*) /data/src/10.5/storage/innobase/handler/ha_innodb.cc:8657
#5 0x55abf1f8cb51 in handler::ha_delete_row(unsigned char const*) /data/src/10.5/sql/handler.cc:7100
#6 0x55abf2323f90 in mysql_delete(THD, TABLE_LIST, Item, SQL_I_List<st_order>, unsigned long long, unsigned long long, select_result*) /data/src/10.5/sql/sql_delete.cc:794
#7 0x55abf1a2b535 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:4749
#8 0x55abf1a3a014 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:7957
#9 0x55abf1a1e706 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1840
#10 0x55abf1a1a176 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1359
#11 0x55abf1cc7867 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1411
#12 0x55abf1cc8576 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1313
#13 0x55abf25cae33 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
#14 0x7f5fb9a2c4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
#15 0x7f5fb7b60d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)

0x620000077e68 is located 3560 bytes inside of 3784-byte region [0x620000077080,0x620000077f48)
allocated by thread T14 here:
#0 0x7f5fb9d03d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x55abf287dcfc in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const, char const, bool, bool) /data/src/10.5/storage/innobase/include/ut0new.h:372
#2 0x55abf287dcfc in mem_heap_create_block_func(mem_block_info_t*, unsigned long, unsigned long) /data/src/10.5/storage/innobase/mem/mem0mem.cc:277

Thread T14 created by T0 here:
#0 0x7f5fb9c72f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x55abf25cb0aa in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:34
#2 0x55abf25cb0aa in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252

SUMMARY: AddressSanitizer: use-after-poison /data/src/10.5/storage/innobase/include/row0upd.ic:100 in upd_field_set_field_no
Shadow bytes around the buggy address:
0x0c4080006f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00
0x0c4080006f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4080006f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4080006fa0: 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4080006fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4080006fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00[f7]00 00
0x0c4080006fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4080006fe0: 00 00 00 00 f7 f7 f7 f7 f7 fa fa fa fa fa fa fa
0x0c4080006ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4080007000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4080007010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18014==ABORTING

Attachments

Issue Links

duplicates

MDEV-22061 InnoDB: Assertion of missing row in sec index row_start upon REPLACE on a system-versioned table

Closed

relates to

MDEV-16554 InnoDB: Assertion failure in file mariadb-10.2.14/storage/innobase/que/que0que.cc line 563

Closed

MDEV-20906 MariaDB crashed on DELETE (lock0priv.ic:410)

Closed

Server crash in row_upd_del_mark_clust_rec or in wsrep_row_upd_index_is_foreign or Assertion `update->n_fields < ulint(table->n_cols + table->n_v_cols)' failed upon DELETE from precise-versioned table

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration