Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-22339

Assertion `str_length < len' failed in Binary_string::realloc_raw

    XMLWordPrintable

Details

    Description

      10.4 632b1deb

      mysqld: /data/src/10.4/sql/sql_string.cc:106: bool Binary_string::realloc_raw(size_t): Assertion `str_length < len' failed.
      200422 14:10:18 [ERROR] mysqld got signal 6 ;
       
      #7  0x00007f8a0ffca102 in __GI___assert_fail (assertion=0x55a9539751c0 "str_length < len", file=0x55a9539750a0 "/data/src/10.4/sql/sql_string.cc", line=106, function=0x55a953975b40 <Binary_string::realloc_raw(unsigned long)::__PRETTY_FUNCTION__> "bool Binary_string::realloc_raw(size_t)") at assert.c:101
      #8  0x000055a951d34b4d in Binary_string::realloc_raw (this=0x62000094a218, alloc_length=0) at /data/src/10.4/sql/sql_string.cc:106
      #9  0x000055a95185198d in Binary_string::realloc (this=0x62000094a218, arg_length=0) at /data/src/10.4/sql/sql_string.h:623
      #10 0x000055a9518cf4a7 in Binary_string::c_ptr (this=0x62000094a218) at /data/src/10.4/sql/sql_string.h:585
      #11 0x000055a9525eb1b9 in get_lock_data (thd=0x62b00008c270, table_ptr=0x7f8a06e20570, count=1, flags=2) at /data/src/10.4/sql/lock.cc:803
      #12 0x000055a9525e94e5 in mysql_lock_abort_for_thread (thd=0x62b00008c270, table=0x62000094a0f0) at /data/src/10.4/sql/lock.cc:613
      #13 0x000055a951a03718 in THD::notify_shared_lock (this=0x62b00008c270, ctx_in_use=0x62b00005b340, needs_thr_lock_abort=true) at /data/src/10.4/sql/sql_class.cc:2053
      #14 0x000055a951f0dc71 in MDL_lock::notify_conflicting_locks (this=0x617000048410, ctx=0x62b00008c390) at /data/src/10.4/sql/mdl.cc:573
      #15 0x000055a951f07dde in MDL_context::acquire_lock (this=0x62b00008c390, mdl_request=0x62b0000937b8, lock_wait_timeout=86400) at /data/src/10.4/sql/mdl.cc:2292
      #16 0x000055a951f08ef8 in MDL_context::acquire_locks (this=0x62b00008c390, mdl_requests=0x7f8a06e20b70, lock_wait_timeout=86400) at /data/src/10.4/sql/mdl.cc:2447
      #17 0x000055a95199ee28 in lock_table_names (thd=0x62b00008c270, options=..., tables_start=0x62b000093370, tables_end=0x0, lock_wait_timeout=86400, flags=0) at /data/src/10.4/sql/sql_base.cc:4086
      #18 0x000055a95199fbbe in open_tables (thd=0x62b00008c270, options=..., start=0x7f8a06e21120, counter=0x7f8a06e210e0, flags=0, prelocking_strategy=0x7f8a06e21260) at /data/src/10.4/sql/sql_base.cc:4292
      #19 0x000055a9519a52d4 in open_and_lock_tables (thd=0x62b00008c270, options=..., tables=0x62b000093370, derived=true, flags=0, prelocking_strategy=0x7f8a06e21260) at /data/src/10.4/sql/sql_base.cc:5217
      #20 0x000055a951905067 in open_and_lock_tables (thd=0x62b00008c270, tables=0x62b000093370, derived=true, flags=0) at /data/src/10.4/sql/sql_base.h:503
      #21 0x000055a951f1243e in open_only_one_table (thd=0x62b00008c270, table=0x62b000093370, repair_table_use_frm=false, is_view_operator_func=true) at /data/src/10.4/sql/sql_admin.cc:395
      #22 0x000055a951f13099 in mysql_admin_table (thd=0x62b00008c270, tables=0x62b000093370, check_opt=0x62b000091448, operator_name=0x55a953a07fa0 "repair", lock_type=TL_WRITE, org_open_for_modify=true, repair_table_use_frm=false, extra_open_options=32, prepare_func=0x55a951f10ab3 <prepare_for_repair(THD*, TABLE_LIST*, HA_CHECK_OPT*)>, operator_func=(int (handler::*)(class handler * const, class THD *, HA_CHECK_OPT *)) 0x55a9522fc3d0 <handler::ha_repair(THD*, st_ha_check_opt*)>, view_operator_func=0x55a951df333d <view_repair(THD*, TABLE_LIST*, st_ha_check_opt*)>) at /data/src/10.4/sql/sql_admin.cc:518
      #23 0x000055a951f1b1b0 in Sql_cmd_repair_table::execute (this=0x62b000093a48, thd=0x62b00008c270) at /data/src/10.4/sql/sql_admin.cc:1409
      #24 0x000055a951b2f266 in mysql_execute_command (thd=0x62b00008c270) at /data/src/10.4/sql/sql_parse.cc:6101
      #25 0x000055a951b3ac91 in mysql_parse (thd=0x62b00008c270, rawbuf=0x62b000093290 "REPAIR TABLE t1", length=15, parser_state=0x7f8a06e24a70, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7900
      #26 0x000055a951b109af in dispatch_command (command=COM_QUERY, thd=0x62b00008c270, packet=0x629000230271 "", packet_length=15, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1841
      #27 0x000055a951b0d3da in do_command (thd=0x62b00008c270) at /data/src/10.4/sql/sql_parse.cc:1359
      #28 0x000055a951ee45a4 in do_handle_one_connection (connect=0x6110000096b0) at /data/src/10.4/sql/sql_connect.cc:1412
      #29 0x000055a951ee3e46 in handle_one_connection (arg=0x6110000096b0) at /data/src/10.4/sql/sql_connect.cc:1316
      #30 0x000055a953505e59 in pfs_spawn_thread (arg=0x61600000d2f0) at /data/src/10.4/storage/perfschema/pfs.cc:1869
      #31 0x00007f8a10844fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
      #32 0x00007f8a100934cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Reproducible on 10.4, 10.5 debug builds.
      Mo obvious immediate problem observed on non-debug builds.
      Couldn't reproduce and didn't observe on 10.3. However, the test case below non-deterministically causes memory leak warnings on 10.2, 10.3.

      The test case courtesy of svoj:

      CREATE TABLE t1(a INT) ENGINE=MyISAM;
      connect con1, localhost, root;
      let $i=10000;
      disable_query_log;
      disable_result_log;
      while ($i)
      {
        connection default;
        HANDLER t1 OPEN;
        send SELECT * FROM t1, t1 t1a1over8, t1 t1a2over8, t1 t1a3over8, t1 t1a4over8, t1 t1a5over8, t1 t1a6over8;
        connection con1;
        send REPAIR TABLE t1;
        connection default;
        reap;
        HANDLER t1 CLOSE;
        connection con1;
        reap;
        dec $i;
      }
      enable_query_log;
      enable_result_log;
      DROP TABLE t1;
      

      Optional sleeps, also courtesy of svoj (I didn't try them, as the test case fails for me easily enough without them):

      diff --git a/sql/sql_string.cc b/sql/sql_string.cc
      index 2fc6ae0..cd5fff7 100644
      --- a/sql/sql_string.cc
      +++ b/sql/sql_string.cc
      @@ -41,6 +41,7 @@ bool Binary_string::real_alloc(size_t length)
         if (Alloced_length < arg_length)
         {
           free();
      +    my_sleep(100);
           if (!(Ptr=(char*) my_malloc(PSI_INSTRUMENT_ME,
                                       arg_length,MYF(MY_WME | (thread_specific ?
                                                       MY_THREAD_SPECIFIC : 0)))))
      @@ -103,6 +104,7 @@ bool Binary_string::realloc_raw(size_t alloc_length)
                                                    (thread_specific ?
                                                     MY_THREAD_SPECIFIC : 0)))))
           {
      +      my_sleep(200);
             DBUG_ASSERT(str_length < len);
             if (str_length)                          // Avoid bugs in memcpy on AIX
              memcpy(new_ptr,Ptr,str_length);
      

      Attachments

        Activity

          People

            serg Sergei Golubchik
            elenst Elena Stepanova
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.