MDEV-23198 (MariaDB Server)

mysqld crash when running REPLACE update

Details

    Description

      We found this in production, but I've managed to narrow this down to:

      • innodb
      • table with 296 columns or more
      • table has primary key with auto_increment
      • table has a second index
      • mariadb 10.4.13 and 10.3.23

      It's easy to reproduce:

      mysql -u ... -p... dbname < createtable
      mysql -u ... -p... dbname < populatetable
      mysql -u ... -p... dbname < populatetable (this one will crash).

      The log at the time of the crash gives:

      Thread pointer: 0x7f820c000a88
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f826832be70 thread_stack 0x49000
      /usr/local/mysql/bin/mysqld(my_print_stacktrace+0x2e)[0x55ab034c7e2e]
      mysys/stacktrace.c:270(my_print_stacktrace)[0x55ab02ed8b3f]
      sigaction.c:0(__restore_rt)[0x7f826ee12630]
      :0(__memmove_ssse3_back)[0x7f826dd42a46]
      /usr/local/mysql/bin/mysqld(+0xb70ffc)[0x55ab0311fffc]
      rem/rem0rec.cc:1685(rec_convert_dtuple_to_rec_comp<false>)[0x55ab031a8919]
      trx/trx0rec.cc:2490(trx_undo_prev_version_build(unsigned char const*, mtr_t*, unsigned char const*, dict_index_t*, unsigned short*, mem_block_info_t*, unsigned char*, mem_block_info_t, dtuple_t**, unsigned long))[0x55ab031789b7]
      row/row0vers.cc:196(row_vers_impl_x_locked_low)[0x55ab030c9350]
      lock/lock0lock.cc:1233(lock_sec_rec_some_has_impl)[0x55ab030cdbdc]
      lock/lock0lock.cc:5757(lock_sec_rec_read_check_and_lock(unsigned long, buf_block_t const*, unsigned char const*, dict_index_t*, unsigned short const*, lock_mode, unsigned long, que_thr_t*))[0x55ab03139989]
      row/row0ins.cc:2160(row_ins_scan_sec_index_for_duplicate)[0x55ab0313a833]
      row/row0ins.cc:3285(row_ins_sec_index_entry(dict_index_t*, dtuple_t*, que_thr_t*, bool))[0x55ab0313ad03]
      row/row0ins.cc:3329(row_ins_index_entry)[0x55ab0314b17d]
      row/row0mysql.cc:1467(row_insert_for_mysql(unsigned char const*, row_prebuilt_t*, ins_mode_t))[0x55ab0308a685]
      handler/ha_innodb.cc:8039(ha_innobase::write_row(unsigned char const*))[0x55ab02ee40bf]
      sql/handler.cc:6706(handler::ha_write_row(unsigned char const*))[0x55ab02c9be40]
      sql/sql_insert.cc:1732(write_record(THD*, TABLE*, st_copy_info*))[0x55ab02ca263b]
      sql/sql_insert.cc:1078(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool))[0x55ab02cd1677]
      sql/sql_parse.cc:4530(mysql_execute_command(THD*))[0x55ab02cd6f7c]
      sql/sql_audit.h:169(mysql_audit_general)[0x55ab02cd94ee]
      sql/sql_parse.cc:1360(do_command(THD*))[0x55ab02cdad79]
      sql/sql_connect.cc:1412(do_handle_one_connection(CONNECT*))[0x55ab02db9c8a]
      sql/sql_connect.cc:1318(handle_one_connection)[0x55ab02db9d6d]
      pthread_create.c:0(start_thread)[0x7f826ee0aea5]
      /lib64/libc.so.6(clone+0x6d)[0x7f826dce58dd]
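      As an added triage query (not part of this report or of MariaDB's own test files), the following lists InnoDB tables on a running server that match the reporter's preconditions: a very wide table plus at least one secondary index, with the unique secondary indexes counted separately because that is what the duplicate scan in the trace above (row_ins_scan_sec_index_for_duplicate) is checking. It assumes only the standard information_schema views, and uses 295 as the column threshold because the test case in the comments reproduces with id plus c1..c294; a match means exposure on an affected build, not that a crash has occurred.

```sql
-- Find InnoDB tables that match the crash preconditions from MDEV-23198:
-- many columns and at least one secondary index (the report's test case
-- uses a UNIQUE secondary key, which REPLACE checks for duplicates).
SELECT
    c.TABLE_SCHEMA,
    c.TABLE_NAME,
    COUNT(DISTINCT c.COLUMN_NAME)                                  AS n_columns,
    -- indexes other than the clustered PRIMARY key
    COUNT(DISTINCT IF(s.INDEX_NAME <> 'PRIMARY',
                      s.INDEX_NAME, NULL))                         AS n_secondary_indexes,
    -- of those, the unique ones (NON_UNIQUE = 0), as in the test case
    COUNT(DISTINCT IF(s.INDEX_NAME <> 'PRIMARY' AND s.NON_UNIQUE = 0,
                      s.INDEX_NAME, NULL))                         AS n_unique_secondary
FROM information_schema.TABLES t
JOIN information_schema.COLUMNS c
      ON c.TABLE_SCHEMA = t.TABLE_SCHEMA AND c.TABLE_NAME = t.TABLE_NAME
LEFT JOIN information_schema.STATISTICS s
      ON s.TABLE_SCHEMA = t.TABLE_SCHEMA AND s.TABLE_NAME = t.TABLE_NAME
WHERE t.ENGINE = 'InnoDB'
  AND t.TABLE_SCHEMA NOT IN ('mysql', 'information_schema',
                             'performance_schema', 'sys')
GROUP BY c.TABLE_SCHEMA, c.TABLE_NAME
-- 295 = id + c1..c294 from the test case; the reporter observed 296 or more
HAVING n_columns >= 295
   AND n_secondary_indexes >= 1
ORDER BY n_columns DESC, n_unique_secondary DESC;
```

Tables listed with n_unique_secondary >= 1 are the ones where a REPLACE that collides on the unique key can take the code path shown in the stack trace; the rest are listed for completeness since the reporter's condition was only "a second index".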

      Attachments

        1. createtable
          7 kB
        2. my.cnf
          0.7 kB
        3. populatetable
          0.9 kB

          Activity

            alice Alice Sherepa added a comment - - edited

            Thank you very much for the report and test case!
            Reproducible as described on current 10.2-10.5:

            --source include/have_innodb.inc
            CREATE TABLE t1 (id int NOT NULL auto_increment PRIMARY KEY, c1 int, c2 int, c3 int, c4 int, c5 int, c6 int, c7 int, c8 int, c9 int, c10 int, c11 int, c12 int, c13 int, c14 int, c15 int, c16 int, c17 int, c18 int, c19 int, c20 int, c21 int, c22 int, c23 int, c24 int, c25 int, c26 int, c27 int, c28 int, c29 int, c30 int, c31 int, c32 int, c33 int, c34 int, c35 int, c36 int, c37 int, c38 int, c39 int, c40 int, c41 int, c42 int, c43 int, c44 int, c45 int, c46 int, c47 int, c48 int, c49 int, c50 int, c51 int, c52 int, c53 int, c54 int, c55 int, c56 int, c57 int, c58 int, c59 int, c60 int, c61 int, c62 int, c63 int, c64 int, c65 int, c66 int, c67 int, c68 int, c69 int, c70 int, c71 int, c72 int, c73 int, c74 int, c75 int, c76 int, c77 int, c78 int, c79 int, c80 int, c81 int, c82 int, c83 int, c84 int, c85 int, c86 int, c87 int, c88 int, c89 int, c90 int, c91 int, c92 int, c93 int, c94 int, c95 int, c96 int, c97 int, c98 int, c99 int, c100 int, c101 int, c102 int, c103 int, c104 int, c105 int, c106 int, c107 int, c108 int, c109 int, c110 int, c111 int, c112 int, c113 int, c114 int, c115 int, c116 int, c117 int, c118 int, c119 int, c120 int, c121 int, c122 int, c123 int, c124 int, c125 int, c126 int, c127 int, c128 int, c129 int, c130 int, c131 int, c132 int, c133 int, c134 int, c135 int, c136 int, c137 int, c138 int, c139 int, c140 int, c141 int, c142 int, c143 int, c144 int, c145 int, c146 int, c147 int, c148 int, c149 int, c150 int, c151 int, c152 int, c153 int, c154 int, c155 int, c156 int, c157 int, c158 int, c159 int, c160 int, c161 int, c162 int, c163 int, c164 int, c165 int, c166 int, c167 int, c168 int, c169 int, c170 int, c171 int, c172 int, c173 int, c174 int, c175 int, c176 int, c177 int, c178 int, c179 int, c180 int, c181 int, c182 int, c183 int, c184 int, c185 int, c186 int, c187 int, c188 int, c189 int, c190 int, c191 int, c192 int, c193 int, c194 int, c195 int, c196 int, c197 int, c198 int, c199 int, c200 int, c201 int, c202 int, c203 int, c204 
int, c205 int, c206 int, c207 int, c208 int, c209 int, c210 int, c211 int, c212 int, c213 int, c214 int, c215 int, c216 int, c217 int, c218 int, c219 int, c220 int, c221 int, c222 int, c223 int, c224 int, c225 int, c226 int, c227 int, c228 int, c229 int, c230 int, c231 int, c232 int, c233 int, c234 int, c235 int, c236 int, c237 int, c238 int, c239 int, c240 int, c241 int, c242 int, c243 int, c244 int, c245 int, c246 int, c247 int, c248 int, c249 int, c250 int, c251 int, c252 int, c253 int, c254 int, c255 int, c256 int, c257 int, c258 int, c259 int, c260 int, c261 int, c262 int, c263 int, c264 int, c265 int, c266 int, c267 int, c268 int, c269 int, c270 int, c271 int, c272 int, c273 int, c274 int, c275 int, c276 int, c277 int, c278 int, c279 int, c280 int, c281 int, c282 int, c283 int, c284 int, c285 int, c286 int, c287 int, c288 int, c289 int, c290 int, c291 int, c292 int, c293 int, c294 int, UNIQUE KEY (c2)) engine=innodb;
            REPLACE t1 VALUES  (47,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0);
            REPLACE t1 VALUES  (47,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0);
            
            

            10.2 9c8420fe8c97e0795af566

            Version: '10.2.33-MariaDB-debug-log' 
            mysqld: /10.2/storage/innobase/include/rem0rec.ic:994: ulint rec_offs_validate(const rec_t*, const dict_index_t*, const rec_offs*): Assertion `!memcmp(&index, &offsets[INDEX_OFFSET], sizeof(index))' failed.
            200717  7:24:10 [ERROR] mysqld got signal 6 ;
             
            Server version: 10.2.33-MariaDB-debug-log
             
            /lib/x86_64-linux-gnu/libpthread.so.0(+0x12730)[0x7f93a787b730]
            linux/raise.c:51(__GI_raise)[0x7f93a71327bb]
            stdlib/abort.c:81(__GI_abort)[0x7f93a711d535]
            intl/loadmsgcat.c:1177(_nl_load_domain)[0x7f93a711d40f]
            /lib/x86_64-linux-gnu/libc.so.6(+0x30102)[0x7f93a712b102]
            include/rem0rec.ic:997(rec_offs_validate(unsigned char const*, dict_index_t const*, unsigned short const*))[0x55bae1020a8c]
            row/row0upd.cc:581(row_upd_changes_field_size_or_external(dict_index_t*, unsigned short const*, upd_t const*))[0x55bae1023102]
            trx/trx0rec.cc:2404(trx_undo_prev_version_build(unsigned char const*, mtr_t*, unsigned char const*, dict_index_t*, unsigned short*, mem_block_info_t*, unsigned char**, mem_block_info_t*, dtuple_t**, unsigned long))[0x55bae107782d]
            row/row0vers.cc:174(row_vers_impl_x_locked_low(unsigned char const*, dict_index_t*, unsigned char const*, dict_index_t*, unsigned short const*, mtr_t*))[0x55bae102fb4f]
            row/row0vers.cc:409(row_vers_impl_x_locked(unsigned char const*, dict_index_t*, unsigned short const*))[0x55bae10301c0]
            lock/lock0lock.cc:1247(lock_sec_rec_some_has_impl(unsigned char const*, dict_index_t*, unsigned short const*))[0x55bae0f0ccf4]
            lock/lock0lock.cc:5824(lock_rec_convert_impl_to_expl(buf_block_t const*, unsigned char const*, dict_index_t*, unsigned short const*))[0x55bae0f198ac]
            lock/lock0lock.cc:6046(lock_sec_rec_read_check_and_lock(unsigned long, buf_block_t const*, unsigned char const*, dict_index_t*, unsigned short const*, lock_mode, unsigned long, que_thr_t*))[0x55bae0f1a290]
            row/row0ins.cc:1517(row_ins_set_exclusive_rec_lock(unsigned long, buf_block_t const*, unsigned char const*, dict_index_t*, unsigned short const*, que_thr_t*))[0x55bae0fb0aa0]
            row/row0ins.cc:2151(row_ins_scan_sec_index_for_duplicate(unsigned long, dict_index_t*, dtuple_t*, que_thr_t*, bool, mtr_t*, mem_block_info_t*))[0x55bae0fb1f9a]
            row/row0ins.cc:2972(row_ins_sec_index_entry_low(unsigned long, unsigned long, dict_index_t*, mem_block_info_t*, mem_block_info_t*, dtuple_t*, unsigned long, que_thr_t*))[0x55bae0fb413c]
            row/row0ins.cc:3218(row_ins_sec_index_entry(dict_index_t*, dtuple_t*, que_thr_t*))[0x55bae0fb4bb8]
            row/row0ins.cc:3265(row_ins_index_entry(dict_index_t*, dtuple_t*, que_thr_t*))[0x55bae0fb4d15]
            row/row0ins.cc:3414(row_ins_index_entry_step(ins_node_t*, que_thr_t*))[0x55bae0fb521f]
            row/row0ins.cc:3551(row_ins(ins_node_t*, que_thr_t*))[0x55bae0fb55f5]
            row/row0ins.cc:3671(row_ins_step(que_thr_t*))[0x55bae0fb59a2]
            row/row0mysql.cc:1413(row_insert_for_mysql(unsigned char const*, row_prebuilt_t*))[0x55bae0fd330e]
            handler/ha_innodb.cc:8208(ha_innobase::write_row(unsigned char*))[0x55bae0e977d9]
            sql/handler.cc:6108(handler::ha_write_row(unsigned char*))[0x55bae0ca7c82]
            sql/sql_insert.cc:1667(write_record(THD*, TABLE*, st_copy_info*))[0x55bae09ff519]
            sql/sql_insert.cc:1066(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool))[0x55bae09fdca0]
            sql/sql_parse.cc:4159(mysql_execute_command(THD*))[0x55bae0a24461]
            sql/sql_parse.cc:7733(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55bae0a2fb5f]
            sql/sql_parse.cc:1826(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55bae0a1df79]
            sql/sql_parse.cc:1377(do_command(THD*))[0x55bae0a1c9fe]
            sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x55bae0b714f0]
            sql/sql_connect.cc:1242(handle_one_connection)[0x55bae0b7125b]
            perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55bae13729dc]
            nptl/pthread_create.c:487(start_thread)[0x7f93a7870fa3]
            x86_64/clone.S:97(clone)[0x7f93a71f44cf]
             
            Query (0x7f93500127b8): REPLACE ian VALUES  (47,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
            Connection ID (thread ID): 10
            

            non-debug build:

            10.5 e67daa5653490074850bc9f5d2

            200717  7:24:38 [ERROR] mysqld got signal 11 ;
            Server version: 10.5.5-MariaDB-log
            ??:0(__restore_rt)[0x7fbde9547730]
            multiarch/memmove-vec-unaligned-erms.S:384(__nss_passwd_lookup)[0x7fbde8ba8820]
            bits/string_fortified.h:34(memcpy)[0x5573f347a443]
            trx/trx0rec.cc:2376(trx_undo_prev_version_build(unsigned char const*, mtr_t*, unsigned char const*, dict_index_t*, unsigned short*, mem_block_info_t*, unsigned char**, mem_block_info_t*, dtuple_t**, unsigned long))[0x5573f3452838]
            row/row0vers.cc:196(row_vers_impl_x_locked_low)[0x5573f33be1db]
            lock/lock0lock.cc:1218(lock_sec_rec_some_has_impl)[0x5573f33bfee6]
            lock/lock0lock.cc:5722(lock_sec_rec_read_check_and_lock(unsigned long, buf_block_t const*, unsigned char const*, dict_index_t*, unsigned short const*, lock_mode, unsigned int, que_thr_t*))[0x5573f3413cf0]
            row/row0ins.cc:1491(row_ins_set_exclusive_rec_lock(unsigned int, buf_block_t const*, unsigned char const*, dict_index_t*, unsigned short const*, que_thr_t*))[0x5573f341623b]
            row/row0ins.cc:2142(row_ins_scan_sec_index_for_duplicate)[0x5573f341b6fb]
            row/row0ins.cc:3269(row_ins_sec_index_entry(dict_index_t*, dtuple_t*, que_thr_t*, bool))[0x5573f341bda5]
            row/row0ins.cc:3619(row_ins)[0x5573f342c110]
            row/row0mysql.cc:1463(row_insert_for_mysql(unsigned char const*, row_prebuilt_t*, ins_mode_t))[0x5573f3379906]
            handler/ha_innodb.cc:7729(ha_innobase::write_row(unsigned char const*))[0x5573f30bb1cd]
            sql/handler.cc:7133(handler::ha_write_row(unsigned char const*))[0x5573f2e94cb5]
            sql/sql_insert.cc:1778(write_record(THD*, TABLE*, st_copy_info*, select_result*))[0x5573f2e9b75e]
            sql/sql_insert.cc:1087(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x5573f2ecff4b]
            sql/sql_parse.cc:4545(mysql_execute_command(THD*))[0x5573f2ec2432]
            sql/sql_parse.cc:8010(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5573f2eccf77]
            sql/sql_parse.cc:1869(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5573f2ecdecd]
            sql/sql_parse.cc:1347(do_command(THD*))[0x5573f2fb3dd0]
            sql/sql_connect.cc:1411(do_handle_one_connection(CONNECT*, bool))[0x5573f2fb419d]
            sql/sql_connect.cc:1313(handle_one_connection)[0x5573f32ddd9b]
            nptl/pthread_create.c:487(start_thread)[0x7fbde953cfa3]
            x86_64/clone.S:97(clone)[0x7fbde8b454cf]
             
            Query (0x7fbdac0102d0): REPLACE ian VALUES  (47,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
            

            ian.collins Ian Collins added a comment -

            Hi Alice,
            Thanks heaps for the prompt response.

            Regards, Ian Collins

            miket Mike Treadgold added a comment - - edited

            Hi Team,
            We have a number of systems running different versions of mariadb from 10.1 through to 10.5. This issue has come up in our testing. Are you able to help me confirm the builds that this was introduced in please? As we need to avoid these builds in our production environments. I would like to know which builds of 10.2, 10.3, 10.4, and 10.5 that this issue is present in.
            thanks in advance!
            Mike


            miket Mike Treadgold added a comment -

            Hi guys,
            Any update on the info requested above?
            thanks!
            Mike

            I can repeat this even without an AUTO_INCREMENT column. AddressSanitizer identifies the problem nicely, causing a crash on the second REPLACE:

            CREATE TABLE t1 (id int PRIMARY KEY, c1 int, c2 int UNIQUE, c3 int, …, c294 int) ENGINE=InnoDB;
            REPLACE …;
            REPLACE …;
            

            10.3 6053eb1ce278ac1f566cd74498506bf457d6d048

            ==301499==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190000c9f08 at pc 0x000001a16d46 bp 0x7f841f27fa00 sp 0x7f841f27f9f8
            READ of size 2 at 0x6190000c9f08 thread T27
                #0 0x1a16d45 in rec_offs_get_n_alloc(unsigned short const*) /mariadb/10.3/storage/innobase/include/rem0rec.h:699:18
                #1 0x1a16d45 in rec_get_offsets_func(unsigned char const*, dict_index_t const*, unsigned short*, bool, unsigned long, char const*, unsigned int, mem_block_info_t**) /mariadb/10.3/storage/innobase/rem/rem0rec.cc:857:9
                #2 0x1c0f919 in row_vers_impl_x_locked_low(trx_t*, unsigned char const*, dict_index_t*, unsigned char const*, dict_index_t*, unsigned short const*, mtr_t*) /mariadb/10.3/storage/innobase/row/row0vers.cc:241:19
                #3 0x1c0f919 in row_vers_impl_x_locked(trx_t*, unsigned char const*, dict_index_t*, unsigned short const*) /mariadb/10.3/storage/innobase/row/row0vers.cc:428:9
                #4 0x18c3a56 in lock_sec_rec_some_has_impl(trx_t*, unsigned char const*, dict_index_t*, unsigned short const*) /mariadb/10.3/storage/innobase/lock/lock0lock.cc:1238:9
                #5 0x18c3a56 in lock_rec_convert_impl_to_expl(trx_t*, buf_block_t const*, unsigned char const*, dict_index_t*, unsigned short const*) /mariadb/10.3/storage/innobase/lock/lock0lock.cc:5545:9
                #6 0x18c829d in lock_sec_rec_read_check_and_lock(unsigned long, buf_block_t const*, unsigned char const*, dict_index_t*, unsigned short const*, lock_mode, unsigned long, que_thr_t*) /mariadb/10.3/storage/innobase/lock/lock0lock.cc:5763:9
                #7 0x1a9324f in row_ins_set_exclusive_rec_lock(unsigned long, buf_block_t const*, unsigned char const*, dict_index_t*, unsigned short const*, que_thr_t*) /mariadb/10.3/storage/innobase/row/row0ins.cc:1492:9
                #8 0x1a83615 in row_ins_scan_sec_index_for_duplicate(unsigned long, dict_index_t*, dtuple_t*, que_thr_t*, bool, mtr_t*, mem_block_info_t*) /mariadb/10.3/storage/innobase/row/row0ins.cc:2155:10
                #9 0x1a83615 in row_ins_sec_index_entry_low(unsigned long, unsigned long, dict_index_t*, mem_block_info_t*, mem_block_info_t*, dtuple_t*, unsigned long, que_thr_t*) /mariadb/10.3/storage/innobase/row/row0ins.cc:3020:9
                #10 0x1a8a650 in row_ins_sec_index_entry(dict_index_t*, dtuple_t*, que_thr_t*, bool) /mariadb/10.3/storage/innobase/row/row0ins.cc:3276:8
                #11 0x1a8e1a2 in row_ins_index_entry(dict_index_t*, dtuple_t*, que_thr_t*) /mariadb/10.3/storage/innobase/row/row0ins.cc:3323:10
                #12 0x1a8e1a2 in row_ins_index_entry_step(ins_node_t*, que_thr_t*) /mariadb/10.3/storage/innobase/row/row0ins.cc:3472:8
                #13 0x1a8e1a2 in row_ins(ins_node_t*, que_thr_t*) /mariadb/10.3/storage/innobase/row/row0ins.cc:3609:18
                #14 0x1a8e1a2 in row_ins_step(que_thr_t*) /mariadb/10.3/storage/innobase/row/row0ins.cc:3748:8
                #15 0x1aded51 in row_insert_for_mysql(unsigned char const*, row_prebuilt_t*, ins_mode_t) /mariadb/10.3/storage/innobase/row/row0mysql.cc:1421:2
                #16 0x17278e1 in ha_innobase::write_row(unsigned char*) /mariadb/10.3/storage/innobase/handler/ha_innodb.cc:8039:10
                #17 0x10e1288 in handler::ha_write_row(unsigned char*) /mariadb/10.3/sql/handler.cc:6466:3
                #18 0x8d3075 in write_record(THD*, TABLE*, st_copy_info*) /mariadb/10.3/sql/sql_insert.cc:1712:12
                #19 0x8ca341 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /mariadb/10.3/sql/sql_insert.cc:1072:15
                #20 0x9882a6 in mysql_execute_command(THD*) /mariadb/10.3/sql/sql_parse.cc:4446:10
                #21 0x9784af in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /mariadb/10.3/sql/sql_parse.cc:7810:18
                #22 0x96a0f3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /mariadb/10.3/sql/sql_parse.cc:1847:7
                #23 0x9725ba in do_command(THD*) /mariadb/10.3/sql/sql_parse.cc:1393:17
                #24 0xd22df3 in do_handle_one_connection(CONNECT*) /mariadb/10.3/sql/sql_connect.cc:1403:11
                #25 0xd22643 in handle_one_connection /mariadb/10.3/sql/sql_connect.cc:1308:3
                #26 0x2564c85 in pfs_spawn_thread /mariadb/10.3/storage/perfschema/pfs.cc:1869:3
                #27 0x7f8436322ea6 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8ea6)
                #28 0x7f843597bdae in clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddae)
             
            0x6190000c9f08 is located 136 bytes inside of 1152-byte region [0x6190000c9e80,0x6190000ca300)
            freed by thread T27 here:
                #0 0x661ded in free (/dev/shm/10.3/sql/mysqld+0x661ded)
                #1 0x1c0f8b6 in mem_heap_free(mem_block_info_t*) /mariadb/10.3/storage/innobase/include/mem0mem.ic:417:3
                #2 0x1c0f8b6 in row_vers_impl_x_locked_low(trx_t*, unsigned char const*, dict_index_t*, unsigned char const*, dict_index_t*, unsigned short const*, mtr_t*) /mariadb/10.3/storage/innobase/row/row0vers.cc:208:3
                #3 0x1c0f8b6 in row_vers_impl_x_locked(trx_t*, unsigned char const*, dict_index_t*, unsigned short const*) /mariadb/10.3/storage/innobase/row/row0vers.cc:428:9
                #4 0x18c3a56 in lock_sec_rec_some_has_impl(trx_t*, unsigned char const*, dict_index_t*, unsigned short const*) /mariadb/10.3/storage/innobase/lock/lock0lock.cc:1238:9
                #5 0x18c3a56 in lock_rec_convert_impl_to_expl(trx_t*, buf_block_t const*, unsigned char const*, dict_index_t*, unsigned short const*) /mariadb/10.3/storage/innobase/lock/lock0lock.cc:5545:9
                #6 0x18c829d in lock_sec_rec_read_check_and_lock(unsigned long, buf_block_t const*, unsigned char const*, dict_index_t*, unsigned short const*, lock_mode, unsigned long, que_thr_t*) /mariadb/10.3/storage/innobase/lock/lock0lock.cc:5763:9
                #7 0x1a9324f in row_ins_set_exclusive_rec_lock(unsigned long, buf_block_t const*, unsigned char const*, dict_index_t*, unsigned short const*, que_thr_t*) /mariadb/10.3/storage/innobase/row/row0ins.cc:1492:9
             
            previously allocated by thread T27 here:
                #0 0x66206d in malloc (/dev/shm/10.3/sql/mysqld+0x66206d)
                #1 0x193892c in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /mariadb/10.3/storage/innobase/mem/mem0mem.cc:277:37
                #2 0x1c0ed35 in mem_heap_create_func(unsigned long, char const*, unsigned int, unsigned long) /mariadb/10.3/storage/innobase/include/mem0mem.ic:375:10
                #3 0x1c0ed35 in row_vers_impl_x_locked_low(trx_t*, unsigned char const*, dict_index_t*, unsigned char const*, dict_index_t*, unsigned short const*, mtr_t*) /mariadb/10.3/storage/innobase/row/row0vers.cc:116:9
                #4 0x1c0ed35 in row_vers_impl_x_locked(trx_t*, unsigned char const*, dict_index_t*, unsigned short const*) /mariadb/10.3/storage/innobase/row/row0vers.cc:428:9
                #5 0x18c3a56 in lock_sec_rec_some_has_impl(trx_t*, unsigned char const*, dict_index_t*, unsigned short const*) /mariadb/10.3/storage/innobase/lock/lock0lock.cc:1238:9
                #6 0x18c3a56 in lock_rec_convert_impl_to_expl(trx_t*, buf_block_t const*, unsigned char const*, dict_index_t*, unsigned short const*) /mariadb/10.3/storage/innobase/lock/lock0lock.cc:5545:9
                #7 0x18c829d in lock_sec_rec_read_check_and_lock(unsigned long, buf_block_t const*, unsigned char const*, dict_index_t*, unsigned short const*, lock_mode, unsigned long, que_thr_t*) /mariadb/10.3/storage/innobase/lock/lock0lock.cc:5763:9
                #8 0x1a9324f in row_ins_set_exclusive_rec_lock(unsigned long, buf_block_t const*, unsigned char const*, dict_index_t*, unsigned short const*, que_thr_t*) /mariadb/10.3/storage/innobase/row/row0ins.cc:1492:9
             
            Thread T27 created by T0 here:
                #0 0x64ce1a in pthread_create (/dev/shm/10.3/sql/mysqld+0x64ce1a)
                #1 0x2568911 in spawn_thread_v1(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /mariadb/10.3/storage/perfschema/pfs.cc:1919:15
            

            marko Marko Mäkelä added a comment
            marko Marko Mäkelä added a comment - - edited

            This was caused by an incorrect change in MDEV-20950:

            @@ -186,7 +189,7 @@ row_vers_impl_x_locked_low(
             		ut_ad(committed || prev_version
             		      || !rec_get_deleted_flag(version, comp));
             
            -		/* Free version and clust_offsets. */
            +		/* Free version. */
             		mem_heap_free(old_heap);
             
             		if (committed) {
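            Review bot: the comment rewrite to `/* Free version. */` removes the only statement that documented the lifetime of clust_offsets, while `mem_heap_free(old_heap);` still releases the block that clust_offsets points into whenever the offsets did not fit the stack array (the wide-table case). Either keep the mention (`/* Free version and clust_offsets. */`) or reset clust_offsets to the stack array immediately after the free, so no later call can treat the dangling pointer as a reusable buffer.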
            @@ -221,7 +224,7 @@ row_vers_impl_x_locked_low(
             		}
             
             		clust_offsets = rec_get_offsets(
            -			prev_version, clust_index, NULL, true,
            +			prev_version, clust_index, clust_offsets, true,
             			ULINT_UNDEFINED, &heap);
             
             		vers_del = rec_get_deleted_flag(prev_version, comp);
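            Review bot: passing clust_offsets as the reuse buffer in `prev_version, clust_index, clust_offsets, true,` is a use-after-free for wide tables: after the mem_heap_free(old_heap) in the preceding hunk, clust_offsets may point into the freed heap, and rec_get_offsets() first reads the allocated length from that memory (the rec_offs_get_n_alloc() READ in the AddressSanitizer report). The stack array is the safe reuse buffer, so this should read `prev_version, clust_index, clust_offsets_, true,`.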
            

            I am sorry, I should have noticed these changes in code review. I was relying too much on RQG testing, which did not create tables with enough columns. In retrospect, we should have tested with a smaller value of REC_OFFS_NORMAL_SIZE.

            The correct parameter would be clust_offsets_. The clust_offsets can point to either that stack-allocated variable, or for wide tables, to something that was freed along with old_heap.

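The mechanism described in the comment above (an offsets pointer that is either the stack array clust_offsets_ or a block inside the heap that mem_heap_free(old_heap) has just released), as an added C model written for this page, not InnoDB code. The names rec_get_offsets, rec_offs_init, mem_heap_free, REC_OFFS_NORMAL_SIZE and clust_offsets_ mirror InnoDB's, but the heap, the buffer-reuse rule, the g_last_freed check and impl_x_locked_model() are simplified assumptions, and REC_OFFS_NORMAL_SIZE is shrunk so a wide record needs only a few fields.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of InnoDB's offsets-buffer reuse, not InnoDB code.
 * Slot 0 of an offsets array holds its allocated size (what
 * rec_offs_get_n_alloc() reads). REC_OFFS_NORMAL_SIZE is far smaller
 * than InnoDB's so that a "wide" record needs only a handful of fields. */
#define REC_OFFS_HEADER 2
#define REC_OFFS_NORMAL_SIZE 8

typedef struct { unsigned short *block; size_t size; bool alive; } mem_heap_t;

/* Most recently freed heap; kept (like an ASan quarantine) so that a
 * dangling use can be reported instead of being undefined behaviour. */
static const mem_heap_t *g_last_freed;

static mem_heap_t *mem_heap_create(void) {
    mem_heap_t *h = calloc(1, sizeof *h);
    if (!h) abort();
    h->alive = true;
    return h;
}
/* Like mem_heap_free(): everything allocated from h becomes invalid. */
static void mem_heap_free(mem_heap_t *h) { h->alive = false; g_last_freed = h; }

static bool heap_owns(const mem_heap_t *h, const unsigned short *p) {
    return h && h->block && (uintptr_t)p >= (uintptr_t)h->block
        && (uintptr_t)p < (uintptr_t)(h->block + h->size);
}
static void rec_offs_init(unsigned short *offsets_) { offsets_[0] = REC_OFFS_NORMAL_SIZE; }

/* Reuse rule of rec_get_offsets(): keep `offsets` if it is large enough, else
 * use the caller's stack array or, for a wide record, a block from *heap.
 * Returns NULL where the real code reads freed memory (the ASan report). */
static unsigned short *rec_get_offsets(size_t n_fields, unsigned short *offsets,
                                       unsigned short *offsets_, mem_heap_t **heap) {
    size_t need = n_fields + REC_OFFS_HEADER;
    if (heap_owns(g_last_freed, offsets)) return NULL;     /* heap-use-after-free */
    if (offsets[0] >= need) return offsets;                /* buffer fits: reuse */
    if (need <= REC_OFFS_NORMAL_SIZE) return offsets_;     /* stack array suffices */
    (*heap)->block = calloc(need, sizeof(unsigned short)); /* wide record: heap */
    if (!(*heap)->block) abort();
    (*heap)->size = need;
    (*heap)->block[0] = (unsigned short)need;
    return (*heap)->block;
}

/* Version loop of row_vers_impl_x_locked_low(): each step builds the previous
 * version in a fresh heap and frees the old one. `fixed` passes clust_offsets_
 * (the stack array) as the reuse buffer; otherwise the possibly dangling
 * clust_offsets is passed, as the MDEV-20950 change did. 0 = ok, -1 = UAF. */
int impl_x_locked_model(size_t n_fields, bool fixed) {
    unsigned short clust_offsets_[REC_OFFS_NORMAL_SIZE];
    mem_heap_t *heap = mem_heap_create();
    g_last_freed = NULL;
    rec_offs_init(clust_offsets_);
    unsigned short *clust_offsets =
        rec_get_offsets(n_fields, clust_offsets_, clust_offsets_, &heap);
    for (int version = 0; version < 2; version++) {
        mem_heap_t *old_heap = heap;
        heap = mem_heap_create();
        mem_heap_free(old_heap); /* "Free version.": clust_offsets may now dangle */
        clust_offsets = rec_get_offsets(n_fields, fixed ? clust_offsets_ : clust_offsets,
                                        clust_offsets_, &heap);
        if (!clust_offsets) return -1;
    }
    return 0;
}
```

A record that fits the stack array never dangles, which is why the crash on this page needs a table of 296 columns or more; only the wide case turns the old parameter into a freed pointer.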

            People

              marko Marko Mäkelä
              ian.collins Ian Collins