
MDEV-23222 SIGSEG in maria_create() because of double free


      Description

      USE test;
      CREATE TABLE t1 (a INT); 
      INSERT INTO t1 VALUES (1);
      CREATE TABLE t2 (i INT) DATA DIRECTORY = '/tmp', ENGINE=Aria;
      CREATE TABLE t2 (i INT) DATA DIRECTORY = '/tmp', ENGINE=Aria;
      

      Leads to:

      10.5.5 30e7a0a866dce530d8328c6d614e48d39a264f9b (Debug)

      mysqld: /test/10.5_dbg/sql/mysqld.cc:3518: void my_malloc_size_cb_func(long long int, my_bool): Assertion `(longlong) thd->status_var.local_memory_used >= 0 || !debug_assert_on_not_freed_memory' failed.
      

      10.5.5 30e7a0a866dce530d8328c6d614e48d39a264f9b (Debug)

      Core was generated by `/test/MD140720-mariadb-10.5.5-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGABRT, Aborted.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      [Current thread is 1 (Thread 0x1489a2f4c700 (LWP 64544))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      #1  0x000056228f57e4d7 in my_write_core (sig=sig@entry=6) at /test/10.5_dbg/mysys/stacktrace.c:518
      #2  0x000056228ed389ba in handle_fatal_signal (sig=6) at /test/10.5_dbg/sql/signal_handler.cc:330
      #3  <signal handler called>
      #4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
      #5  0x00001489a11e28b1 in __GI_abort () at abort.c:79
      #6  0x00001489a11d242a in __assert_fail_base (fmt=0x1489a1359a38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x56228f6cde28 "(longlong) thd->status_var.local_memory_used >= 0 || !debug_assert_on_not_freed_memory", file=file@entry=0x56228f6ca004 "/test/10.5_dbg/sql/mysqld.cc", line=line@entry=3518, function=function@entry=0x56228f6d4020 <my_malloc_size_cb_func::__PRETTY_FUNCTION__> "void my_malloc_size_cb_func(long long int, my_bool)") at assert.c:92
      #7  0x00001489a11d24a2 in __GI___assert_fail (assertion=assertion@entry=0x56228f6cde28 "(longlong) thd->status_var.local_memory_used >= 0 || !debug_assert_on_not_freed_memory", file=file@entry=0x56228f6ca004 "/test/10.5_dbg/sql/mysqld.cc", line=line@entry=3518, function=function@entry=0x56228f6d4020 <my_malloc_size_cb_func::__PRETTY_FUNCTION__> "void my_malloc_size_cb_func(long long int, my_bool)") at assert.c:101
      #8  0x000056228e98836f in my_malloc_size_cb_func (size=<optimized out>, is_thread_specific=<optimized out>) at /test/10.5_dbg/sql/mysqld.cc:3517
      #9  0x000056228f579849 in my_free (ptr=ptr@entry=0x14897ec28b08) at /test/10.5_dbg/mysys/my_malloc.c:200
      #10 0x000056228ef83463 in maria_create (name=<optimized out>, datafile_type=<optimized out>, datafile_type@entry=BLOCK_RECORD, keys=<optimized out>, keys@entry=0, keydefs=keydefs@entry=0x14897ec10268, columns=columns@entry=1, columndef=columndef@entry=0x14897ec10188, uniques=0, uniquedefs=0x0, ci=<optimized out>, flags=32) at /test/10.5_dbg/storage/maria/ma_create.c:1280
      #11 0x000056228ef8bd00 in ha_maria::create (this=0x14897ed4f0a0, name=0x1489a2f4a4a0 "./test/t2", table_arg=0x1489a2f490c0, ha_create_info=0x1489a2f4a8f0) at /test/10.5_dbg/storage/maria/ha_maria.cc:3255
      #12 0x000056228ed47ab9 in handler::ha_create (this=0x14897ed4f0a0, name=0x1489a2f4a4a0 "./test/t2", form=form@entry=0x1489a2f490c0, info_arg=info_arg@entry=0x1489a2f4a8f0) at /test/10.5_dbg/sql/handler.cc:5072
      #13 0x000056228ed487b3 in ha_create_table (thd=thd@entry=0x14897ec15088, path=path@entry=0x1489a2f4a4a0 "./test/t2", db=0x14897ec748b0 "test", table_name=0x14897ec741a8 "t2", create_info=create_info@entry=0x1489a2f4a8f0, frm=frm@entry=0x1489a2f4a490) at /test/10.5_dbg/sql/handler.cc:5536
      #14 0x000056228eb5dfd4 in create_table_impl (thd=thd@entry=0x14897ec15088, orig_db=@0x14897ec741f8: {str = 0x14897ec748b0 "test", length = 4}, orig_table_name=@0x14897ec74208: {str = 0x14897ec741a8 "t2", length = 2}, db=@0x14897ec741f8: {str = 0x14897ec748b0 "test", length = 4}, table_name=@0x14897ec74208: {str = 0x14897ec741a8 "t2", length = 2}, path=path@entry=0x1489a2f4a4a0 "./test/t2", options={m_options = DDL_options_st::OPT_NONE}, create_info=0x1489a2f4a8f0, alter_info=0x1489a2f4a820, create_table_mode=0, is_trans=0x1489a2f4a727, key_info=0x1489a2f4a488, key_count=0x1489a2f4a484, frm=0x1489a2f4a490) at /test/10.5_dbg/sql/sql_table.cc:5290
      #15 0x000056228eb5e4b9 in mysql_create_table_no_lock (thd=thd@entry=0x14897ec15088, db=db@entry=0x14897ec741f8, table_name=table_name@entry=0x14897ec74208, create_info=create_info@entry=0x1489a2f4a8f0, alter_info=alter_info@entry=0x1489a2f4a820, is_trans=is_trans@entry=0x1489a2f4a727, create_table_mode=0, table_list=0x14897ec741e0) at /test/10.5_dbg/sql/sql_table.cc:5374
      #16 0x000056228eb5e800 in mysql_create_table (thd=thd@entry=0x14897ec15088, create_table=create_table@entry=0x14897ec741e0, create_info=create_info@entry=0x1489a2f4a8f0, alter_info=alter_info@entry=0x1489a2f4a820) at /test/10.5_dbg/sql/sql_table.cc:5466
      #17 0x000056228eb6011b in Sql_cmd_create_table_like::execute (this=0x14897ec74180, thd=0x14897ec15088) at /test/10.5_dbg/sql/sql_table.cc:11998
      #18 0x000056228ea91e4a in mysql_execute_command (thd=thd@entry=0x14897ec15088) at /test/10.5_dbg/sql/sql_parse.cc:5951
      #19 0x000056228ea99752 in mysql_parse (thd=thd@entry=0x14897ec15088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1489a2f4b350, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7993
      #20 0x000056228ea86204 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14897ec15088, packet=packet@entry=0x14897ec67089 "CREATE TABLE t2 (i INT) DATA DIRECTORY = '/tmp', ENGINE=Aria", packet_length=packet_length@entry=60, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1866
      #21 0x000056228ea849de in do_command (thd=0x14897ec15088) at /test/10.5_dbg/sql/sql_parse.cc:1347
      #22 0x000056228ebe0c3b in do_handle_one_connection (connect=<optimized out>, connect@entry=0x1489820c7808, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1411
      #23 0x000056228ebe1357 in handle_one_connection (arg=arg@entry=0x1489820c7808) at /test/10.5_dbg/sql/sql_connect.cc:1313
      #24 0x000056228f044ca8 in pfs_spawn_thread (arg=0x14899fc46508) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
      #25 0x00001489a1ec56db in start_thread (arg=0x1489a2f4c700) at pthread_create.c:463
      #26 0x00001489a12c3a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      On optimized:

      10.5.5 30e7a0a866dce530d8328c6d614e48d39a264f9b (Optimized)

      Core was generated by `/test/MD140720-mariadb-10.5.5-linux-x86_64-opt/bin/mysqld --no-defaults --lc-me'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x000014f905925237 in kill () at ../sysdeps/unix/syscall-template.S:78
      [Current thread is 1 (Thread 0x14f90774c840 (LWP 66105))]
      (gdb) bt
      #0  0x000014f905925237 in kill () at ../sysdeps/unix/syscall-template.S:78
      #1  0x000055cc46e7c037 in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:342
      #2  <signal handler called>
      #3  maria_status (info=0x0, x=x@entry=0x7ffceecd1850, flag=flag@entry=16) at /test/10.5_opt/storage/maria/ma_info.c:47
      #4  0x000055cc47046edd in ha_maria::info (this=0x14f8f32d5030, flag=16) at /test/10.5_opt/storage/maria/ha_maria.cc:2549
      #5  0x000055cc46cc9aa8 in free_tmp_table (thd=thd@entry=0x14f904739018, entry=entry@entry=0x14f904744030) at /test/10.5_opt/sql/sql_select.cc:19936
      #6  0x000055cc46cc9e6c in Create_tmp_table::cleanup_on_failure (this=this@entry=0x7ffceecd1c00, thd=thd@entry=0x14f904739018, table=table@entry=0x14f904744030) at /test/10.5_opt/sql/sql_select.cc:19179
      #7  0x000055cc46ccbcd6 in create_tmp_table_for_schema (thd=thd@entry=0x14f904739018, param=param@entry=0x14f8dd433880, schema_table=@0x55cc47f7bc60: {table_name = 0x55cc4762962e "VIEWS", fields_info = 0x55cc48028e40 <Show::view_fields_info>, reset_table = 0x0, fill_table = 0x55cc46cfb010 <get_all_tables(THD*, TABLE_LIST*, Item*)>, old_format = 0x0, process_table = 0x55cc46cf4880 <get_schema_views_record(THD*, TABLE_LIST*, TABLE*, bool, LEX_CSTRING const*, LEX_CSTRING const*)>, idx_field1 = 1, idx_field2 = 2, hidden = false, i_s_requested_object = 655360}, bitmap=@0x7ffceecd1d20: {bitmap = 0x14f8dd433878, last_word_ptr = 0x14f8dd433878, mutex = 0x0, last_word_mask = 4294965248, n_bits = 11}, select_options=<optimized out>, table_alias=@0x14f8dd431840: {str = 0x14f8dd4317f0 "VIEWS", length = 5}, keep_row_order=false) at /test/10.5_opt/sql/sql_select.cc:19219
      #8  0x000055cc46cfc30c in create_schema_table (thd=thd@entry=0x14f904739018, table_list=table_list@entry=0x14f8dd4317f8) at /test/10.5_opt/sql/sql_show.cc:8138
      #9  0x000055cc46cfc412 in mysql_schema_table (thd=thd@entry=0x14f904739018, lex=lex@entry=0x14f90473cda8, table_list=table_list@entry=0x14f8dd4317f8) at /test/10.5_opt/sql/sql_show.cc:8349
      #10 0x000055cc46c254f9 in open_and_process_table (ot_ctx=0x7ffceecd1e80, has_prelocking_list=false, prelocking_strategy=0x7ffceecd21f0, flags=0, counter=0x7ffceecd20ec, tables=0x14f8dd4317f8, thd=0x14f904739018) at /test/10.5_opt/sql/sql_base.cc:3662
      #11 open_tables (thd=thd@entry=0x14f904739018, options=@0x14f90473e330: {m_options = DDL_options_st::OPT_NONE}, start=start@entry=0x7ffceecd20d8, counter=counter@entry=0x7ffceecd20ec, flags=flags@entry=0, prelocking_strategy=prelocking_strategy@entry=0x7ffceecd21f0) at /test/10.5_opt/sql/sql_base.cc:4256
      #12 0x000055cc46c26565 in open_and_lock_tables (thd=thd@entry=0x14f904739018, options=<optimized out>, tables=<optimized out>, derived=derived@entry=true, flags=flags@entry=0, prelocking_strategy=prelocking_strategy@entry=0x7ffceecd21f0) at /test/10.5_opt/sql/sql_base.cc:5160
      #13 0x000055cc46c85871 in open_and_lock_tables (flags=0, derived=true, tables=<optimized out>, thd=0x14f904739018) at /test/10.5_opt/sql/sql_base.h:509
      #14 mysql_execute_command (thd=thd@entry=0x14f904739018) at /test/10.5_opt/sql/sql_parse.cc:5006
      #15 0x000055cc46c8c46c in mysql_parse (thd=0x14f904739018, rawbuf=<optimized out>, length=148, parser_state=parser_state@entry=0x7ffceecd2630, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:7993
      #16 0x000055cc46c7f480 in bootstrap (file=0x55cc488fb430 <instrumented_stdin>) at /test/10.5_opt/sql/sql_parse.cc:1081
      #17 0x000055cc46bc7596 in mysqld_main (argc=<optimized out>, argv=<optimized out>) at /test/10.5_opt/sql/mysqld.cc:5582
      #18 0x000014f905907b97 in __libc_start_main (main=0x55cc46b89940 <main(int, char**)>, argc=12, argv=0x7ffceecd78d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffceecd78c8) at ../csu/libc-start.c:310
      #19 0x000055cc46bbb1fa in _start ()
      

      Bug confirmed present in:
      MariaDB: 10.1.46 (dbg), 10.1.46 (opt), 10.2.33 (dbg), 10.2.33 (opt), 10.3.24 (dbg), 10.3.24 (opt), 10.4.14 (dbg), 10.4.14 (opt), 10.5.5 (dbg), 10.5.5 (opt)

      Bug confirmed not present in:
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

      Whereas 10.5.5 debug will assert on the second CREATE TABLE attempt near the end of the testcase, 10.4.14 debug will produce the error (seen on the first CREATE TABLE attempt in all versions) twice (i.e. on the second CREATE TABLE, as well as on any subsequent CREATE TABLE attempts). Then, on shutdown, depending on how many times CREATE TABLE was attempted, a matching memory loss size is shown in the error log:

      10.4.14 dc68846ec5ffdd6f08d93dc3bda123ff9cef04fa (Debug)

      10.4.14>INSERT INTO t1 VALUES (1);
      Query OK, 1 row affected (0.008 sec)
      10.4.14>CREATE TABLE t2 (i INT) DATA DIRECTORY = '/tmp', ENGINE=Aria;
      ERROR 1 (HY000): Can't create/write to file '/tmp/t2.MAD' (Errcode: 17 "File exists")
      10.4.14>CREATE TABLE t2 (i INT) DATA DIRECTORY = '/tmp', ENGINE=Aria;
      ERROR 1 (HY000): Can't create/write to file '/tmp/t2.MAD' (Errcode: 17 "File exists")
      10.4.14>CREATE TABLE t2 (i INT) DATA DIRECTORY = '/tmp', ENGINE=Aria;
      ...etc...
      

      10.4.14 dc68846ec5ffdd6f08d93dc3bda123ff9cef04fa (Debug)

      2020-07-20 13:37:21 0 [Note] /test/MD250620-mariadb-10.4.14-linux-x86_64-dbg/bin/mysqld: Shutdown complete
       
      Warning: Memory not freed: -2304
      

      Similar outcome on, for example, 10.2.33 debug:

      10.2.33 (Debug)

      2020-07-20 13:43:38 22646027314944 [Note] /test/MD250620-mariadb-10.2.33-linux-x86_64-dbg/bin/mysqld: Shutdown complete
       
      Warning: Memory not freed: -1152
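The accounting check behind both the debug assertion above and the negative "Memory not freed" figures, modelled in C as an added example. This is not MariaDB's code, and every function, type and size in it is a hypothetical stand-in: tracked_alloc/tracked_free play my_malloc/my_free, maria_create_model plays maria_create(), a bump arena stands in for the heap so that the second free cannot abort the process, and 1152 is chosen only so the result echoes the -1152 in the 10.2.33 log. It shows why the same bug is loud on a debug build, where the per-thread byte counter drops below zero the moment one block is freed twice, and silent on an optimized build, which has no such check and fails later wherever the damaged heap happens to be touched, and it places the buggy error path next to the shape that avoids it: one owner, one cleanup label.

```c
/* Added example, not MariaDB code.  Models how the debug-build memory
 * accounting in this report turns a double free into a negative counter
 * (the my_malloc_size_cb_func() assertion, the negative "Memory not freed"
 * figure at shutdown).  All names and sizes are hypothetical stand-ins. */
#include <fcntl.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

/* Like thd->status_var.local_memory_used: bytes this thread has allocated.
 * A debug build asserts as soon as it drops below zero. */
static long long local_memory_used = 0;
static int accounting_violations = 0;
/* Bump arena instead of malloc(): a second free of one block is then only
 * an accounting error, not undefined behaviour that would abort the demo. */
static long long arena[1024];
static size_t arena_top = 0;
struct block_hdr { size_t size; };

static void *tracked_alloc(size_t size)               /* plays my_malloc() */
{
    size_t need = sizeof(struct block_hdr) + ((size + 15) & ~(size_t)15);
    struct block_hdr *h;
    if (arena_top + need > sizeof arena)
        return NULL;
    h = (struct block_hdr *)((unsigned char *)arena + arena_top);
    arena_top += need;
    h->size = size;
    local_memory_used += (long long)size;
    return h + 1;
}

static void tracked_free(void *ptr)                   /* plays my_free() */
{
    struct block_hdr *h;
    if (!ptr) return;
    h = (struct block_hdr *)ptr - 1;
    local_memory_used -= (long long)h->size;          /* once per call ... */
    if (local_memory_used < 0)                        /* ... so this is the */
        accounting_violations++;                      /* reported assertion */
}

static int last_violations(void) { return accounting_violations; }

/* O_EXCL reproduces "Can't create/write to file ... (Errcode: 17 "File
 * exists")" from the report without clobbering the existing file. */
static int create_data_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* 1152 only echoes the -1152 in the 10.2.33 log; not a real Aria size. */
#define COLUMN_BUF 1152

/* Buggy shape: on failure the helper frees a buffer it does not own ... */
static int write_data_file_buggy(const char *path, void *colbuf)
{
    if (create_data_file(path) != 0) {
        tracked_free(colbuf);                         /* first free */
        return -1;
    }
    return 0;
}

/* Fixed shape: report the error; cleanup belongs to the buffer's one owner. */
static int write_data_file_fixed(const char *path, void *colbuf)
{
    (void)colbuf;
    return create_data_file(path) != 0 ? -1 : 0;
}

/* Plays maria_create(): scratch allocation, data file, one error label. */
static int maria_create_model(const char *path, int fixed)
{
    void *colbuf = tracked_alloc(COLUMN_BUF);
    int rc;
    if (!colbuf)
        return -1;
    rc = fixed ? write_data_file_fixed(path, colbuf)
               : write_data_file_buggy(path, colbuf);
    /* err: */
    tracked_free(colbuf);                             /* ... freed again here */
    return rc;
}

/* One CREATE TABLE attempt against a data file that already exists (the
 * report's case) or is fresh.  Returns the bytes still accounted to the
 * thread afterwards: 0 is correct, negative means a double free. */
static long long run_scenario(int file_exists, int fixed)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/mdev23222_demo_%ld", (long)getpid());
    unlink(path);
    if (file_exists) {
        int fd = open(path, O_WRONLY | O_CREAT, 0600);
        if (fd < 0) return LLONG_MIN;
        close(fd);
    }
    arena_top = 0; local_memory_used = 0; accounting_violations = 0;
    (void)maria_create_model(path, fixed);
    unlink(path);
    return local_memory_used;
}
```

run_scenario(1, 0) is the report's case: the data file already exists, the helper frees the scratch buffer, the error label frees it again, and the thread ends the statement at -1152 bytes with one accounting violation; run_scenario(1, 1) ends at 0 with none, and both shapes end at 0 when the file is fresh. A negative "Memory not freed" value at shutdown can never come from a leak, so on any build it is worth treating as a free of something that was either freed already or never counted on allocation.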
      

              People

              Assignee: monty (Michael Widenius)
              Reporter: Roel (Roel Van de Paar)
              Votes: 1
              Watchers: 4
