[MDEV-22928] SUMMARY: AddressSanitizer: SEGV storage/innobase/include/dict0mem.h:1178 in dict_index_t::is_spatial() const - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.5.4, 10.2(EOL), 10.3(EOL), 10.4(EOL)
Fix Version/s: 10.2.38, 10.3.29, 10.4.19, 10.5.10, 10.6.1
Component/s: Storage Engine - InnoDB
Labels:
- need_rr

Description

SEGV hit during RQG testing

Workflow of RQG test

1. Start the server + generate some data

2. Several connections run a DDL/DML mix on the same tables

3. At some point of time during 2. the server process gets killed

4. Restart of the server

5. Try to check the integrity of InnoDB tables

Within 5. some

      SHOW KEYS FROM `test`.`t3` harvested

2013: Lost connection to MySQL server

and the server error log shows

SUMMARY: AddressSanitizer: SEGV /storage/innobase/include/dict0mem.h:1178 in dict_index_t::is_spatial() const

Thread T33 created by T0 here:

    #0 0x131f70338d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)

    #1 0x560720863ff6 in my_thread_create /storage/perfschema/my_thread.h:34

    #2 0x560720869693 in pfs_spawn_thread_v1 /storage/perfschema/pfs.cc:2252

    #3 0x56071f48814c in inline_mysql_thread_create /include/mysql/psi/mysql_thread.h:1321

    #4 0x56071f49d5e9 in create_thread_to_handle_connection(CONNECT*) /sql/mysqld.cc:5951

    #5 0x56071f49dc4a in create_new_thread(CONNECT*) /sql/mysqld.cc:6010

    #6 0x56071f49df70 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /sql/mysqld.cc:6075

    #7 0x56071f49ea8d in handle_connections_sockets() /sql/mysqld.cc:6202

    #8 0x56071f49ce47 in mysqld_main(int, char**) /sql/mysqld.cc:5620

    #9 0x56071f486879 in main /sql/main.cc:25

    #10 0x7f3a327f6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

==8558==ABORTING

origin/HEAD, origin/10.5, 10.5 bd62a636a42f1486437cbed21198315f44d9e7b6 2020-06-14T18:40:07+09:00

Per Thiru all MariaDB versions >= 10.2 are affected.

RQG

git clone https://github.com/mleich1/rqg --branch experimental RQG

origin/experimental 611a31e38a3bc157392c0748c95991b6a248bb3b 2020-06-09T15:31:46+02:00

perl rqg.pl \

--grammar=conf/mariadb/table_stress_innodb_nocopy.yy \

--gendata=conf/mariadb/table_stress.zz \

--gendata_sql=conf/mariadb/table_stress.sql \

--reporters=CrashRecovery1 \

--mysqld=--innodb_use_native_aio=1 \

--mysqld=--innodb_stats_persistent=off \

--mysqld=--innodb_lock_schedule_algorithm=fcfs \

--mysqld=--loose-idle_write_transaction_timeout=0 \

--mysqld=--loose-idle_transaction_timeout=0 \

--mysqld=--loose-idle_readonly_transaction_timeout=0 \

--mysqld=--connect_timeout=60 \

--mysqld=--interactive_timeout=28800 \

--mysqld=--slave_net_timeout=60 \

--mysqld=--net_read_timeout=30 \

--mysqld=--net_write_timeout=60 \

--mysqld=--loose-table_lock_wait_timeout=50 \

--mysqld=--wait_timeout=28800 \

--mysqld=--lock-wait-timeout=86400 \

--mysqld=--innodb-lock-wait-timeout=50 \

--no-mask \

--queries=10000000 \

--duration=300 \

--seed=random \

--reporters=Backtrace \

--reporters=ErrorLog \

--reporters=Deadlock1 \

--validators=None \

--mysqld=--log_output=none \

--mysqld=--log-bin \

--mysqld=--log_bin_trust_function_creators=1 \

--mysqld=--loose-max-statement-time=30 \

--mysqld=--loose-debug_assert_on_not_freed_memory=0 \

--engine=InnoDB \

--restart_timeout=60 \

--threads=9 \

--redefine=conf/mariadb/redefine_ment-601.yy \

... certain local settings

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

001032.log
637 kB
2020-06-17 18:27

Issue Links

relates to

MDEV-17567 Atomic DDL

Closed

Activity

Ascending order - Click to sort in descending order

Marko Mäkelä added a comment - 2020-07-16 05:17

mleich, sorry, the rr replay trace is not available any more. Can you please generate a new one?

001032.log contains the following stack trace for the crash, which occurs because a member function is being invoked on a this=nullptr:

10.5 bd62a636a42f1486437cbed21198315f44d9e7b6
dict_index_t::is_spatial() const /home/mleich/10.5_A/storage/innobase/include/dict0mem.h:1178
ha_innobase::index_type(unsigned int) /home/mleich/10.5_A/storage/innobase/handler/ha_innodb.cc:4931
get_schema_stat_record /home/mleich/10.5_A/sql/sql_show.cc:6664
fill_schema_table_by_open /home/mleich/10.5_A/sql/sql_show.cc:4635
get_all_tables(THD, TABLE_LIST, Item*) /home/mleich/10.5_A/sql/sql_show.cc:5125
get_schema_tables_result(JOIN*, enum_schema_table_state) /home/mleich/10.5_A/sql/sql_show.cc:8673
JOIN::exec_inner() /home/mleich/10.5_A/sql/sql_select.cc:4401
JOIN::exec() /home/mleich/10.5_A/sql/sql_select.cc:4225

Possibly this happens due to us not having crash-safe DDL operations with respect to .frm files (to be fixed in ~~MDEV-17567~~).

Marko Mäkelä added a comment - 2020-07-16 05:17 mleich , sorry, the rr replay trace is not available any more. Can you please generate a new one? 001032.log contains the following stack trace for the crash, which occurs because a member function is being invoked on a this=nullptr : 10.5 bd62a636a42f1486437cbed21198315f44d9e7b6 dict_index_t::is_spatial() const /home/mleich/10.5_A/storage/innobase/include/dict0mem.h:1178 ha_innobase::index_type(unsigned int) /home/mleich/10.5_A/storage/innobase/handler/ha_innodb.cc:4931 get_schema_stat_record /home/mleich/10.5_A/sql/sql_show.cc:6664 fill_schema_table_by_open /home/mleich/10.5_A/sql/sql_show.cc:4635 get_all_tables(THD*, TABLE_LIST*, Item*) /home/mleich/10.5_A/sql/sql_show.cc:5125 get_schema_tables_result(JOIN*, enum_schema_table_state) /home/mleich/10.5_A/sql/sql_show.cc:8673 JOIN::exec_inner() /home/mleich/10.5_A/sql/sql_select.cc:4401 JOIN::exec() /home/mleich/10.5_A/sql/sql_select.cc:4225 Possibly this happens due to us not having crash-safe DDL operations with respect to .frm files (to be fixed in MDEV-17567 ).

Marko Mäkelä added a comment - 2021-04-27 08:59

The fix looks OK to me. But, I do not like DBUG_SUICIDE in tests, because that at least used to make ./mtr --valgrind hang.

I prefer to halt the server from a non-default connection and then kill and restart the server. A simple example of that is in mysql-test/suite/innodb/t/rename_table_debug.test.

We seem to lack a DEBUG_SYNC point after the commit. I would suggest the following:

diff --git a/sql/sql_table.cc b/sql/sql_table.cc

index 07762e64259..2b26af6e9ba 100644

--- a/sql/sql_table.cc

+++ b/sql/sql_table.cc

@@ -7537,6 +7537,7 @@ static bool mysql_inplace_alter_table(THD *thd,

     goto rollback;

+  DEBUG_SYNC(thd, "alter_table_inplace_after_commit");

   close_all_tables_for_name(thd, table->s,

                             alter_ctx->is_table_renamed() ?

                             HA_EXTRA_PREPARE_FOR_RENAME :

Marko Mäkelä added a comment - 2021-04-27 08:59 The fix looks OK to me. But, I do not like DBUG_SUICIDE in tests, because that at least used to make ./mtr --valgrind hang. I prefer to halt the server from a non- default connection and then kill and restart the server. A simple example of that is in mysql-test/suite/innodb/t/rename_table_debug.test . We seem to lack a DEBUG_SYNC point after the commit. I would suggest the following: diff --git a/sql/sql_table.cc b/sql/sql_table.cc index 07762e64259..2b26af6e9ba 100644 --- a/sql/sql_table.cc +++ b/sql/sql_table.cc @@ -7537,6 +7537,7 @@ static bool mysql_inplace_alter_table(THD *thd, goto rollback; } + DEBUG_SYNC(thd, "alter_table_inplace_after_commit"); close_all_tables_for_name(thd, table->s, alter_ctx->is_table_renamed() ? HA_EXTRA_PREPARE_FOR_RENAME :

MariaDB Server

SUMMARY: AddressSanitizer: SEGV storage/innobase/include/dict0mem.h:1178 in dict_index_t::is_spatial() const

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Git Integration