Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.4, 10.5
Description
--source include/have_innodb.inc
|
|
|
CREATE TABLE t1 ( |
pk int, |
a int, |
b int, |
c int, |
PRIMARY KEY (pk), |
KEY (c), |
FOREIGN KEY fx (b) REFERENCES t1 (c) |
) ENGINE=InnoDB;
|
|
|
INSERT INTO t1 VALUES (1,0,10,10); |
ALTER TABLE t1 DROP a; |
SET FOREIGN_KEY_CHECKS= 0; |
DROP INDEX fx ON t1; |
INSERT INTO t1 VALUES (2,11,11); |
|
|
# Cleanup
|
DROP TABLE t1; |
|
10.4 1cda462f |
mysqld: /data/src/10.4/storage/innobase/include/dict0dict.ic:370: dict_col_t* dict_table_get_nth_col(const dict_table_t*, ulint): Assertion `pos < table->n_def' failed.
|
200904 21:44:17 [ERROR] mysqld got signal 6 ;
|
|
|
#7 0x00007fca0237ef12 in __GI___assert_fail (assertion=0x55f086dbbd1f "pos < table->n_def", file=0x55f086dbbc78 "/data/src/10.4/storage/innobase/include/dict0dict.ic", line=370, function=0x55f086dcb340 <dict_table_get_nth_col(dict_table_t const*, unsigned long)::__PRETTY_FUNCTION__> "dict_col_t* dict_table_get_nth_col(const dict_table_t*, ulint)") at assert.c:101
|
#8 0x000055f0864448fe in dict_table_get_nth_col (table=0x7fc9a8156e60, pos=1023) at /data/src/10.4/storage/innobase/include/dict0dict.ic:370
|
#9 0x000055f086474436 in dict_table_get_col_name (table=0x7fc9a8156e60, col_nr=1023) at /data/src/10.4/storage/innobase/include/dict0dict.h:799
|
#10 0x000055f0865d4652 in row_ins_foreign_index_entry (foreign=0x7fc9a8159160, index=0x7fc9a8159430, entry=0x7fc9a815a500, ref_entry=0x7fc9a806e9b0) at /data/src/10.4/storage/innobase/row/row0ins.cc:1917
|
#11 0x000055f0865d4976 in row_ins_check_foreign_constraints (table=0x7fc9a8156e60, index=0x7fc9a8159430, pk=true, entry=0x7fc9a815a500, thr=0x7fc9a80703c0) at /data/src/10.4/storage/innobase/row/row0ins.cc:1985
|
#12 0x000055f0865d86a9 in row_ins_clust_index_entry (index=0x7fc9a8159430, entry=0x7fc9a815a500, thr=0x7fc9a80703c0, n_ext=0) at /data/src/10.4/storage/innobase/row/row0ins.cc:3189
|
#13 0x000055f0865d8d53 in row_ins_index_entry (index=0x7fc9a8159430, entry=0x7fc9a815a500, thr=0x7fc9a80703c0) at /data/src/10.4/storage/innobase/row/row0ins.cc:3360
|
#14 0x000055f0865d9602 in row_ins_index_entry_step (node=0x7fc9a8070160, thr=0x7fc9a80703c0) at /data/src/10.4/storage/innobase/row/row0ins.cc:3529
|
#15 0x000055f0865d9ab9 in row_ins (node=0x7fc9a8070160, thr=0x7fc9a80703c0) at /data/src/10.4/storage/innobase/row/row0ins.cc:3666
|
#16 0x000055f0865da290 in row_ins_step (thr=0x7fc9a80703c0) at /data/src/10.4/storage/innobase/row/row0ins.cc:3805
|
#17 0x000055f0865ff83f in row_insert_for_mysql (mysql_rec=0x7fc9a8158cf0 "\371\002", prebuilt=0x7fc9a806fbf0, ins_mode=ROW_INS_NORMAL) at /data/src/10.4/storage/innobase/row/row0mysql.cc:1422
|
#18 0x000055f086455bb9 in ha_innobase::write_row (this=0x7fc9a8147d08, record=0x7fc9a8158cf0 "\371\002") at /data/src/10.4/storage/innobase/handler/ha_innodb.cc:7973
|
#19 0x000055f086217a5e in handler::ha_write_row (this=0x7fc9a8147d08, buf=0x7fc9a8158cf0 "\371\002") at /data/src/10.4/sql/handler.cc:6742
|
#20 0x000055f085e60fb9 in write_record (thd=0x7fc9a8000af0, table=0x7fc9a8146ea0, info=0x7fc9f76fda90) at /data/src/10.4/sql/sql_insert.cc:2058
|
#21 0x000055f085e5df35 in mysql_insert (thd=0x7fc9a8000af0, table_list=0x7fc9a8013280, fields=..., values_list=..., update_fields=..., update_values=..., duplic=DUP_ERROR, ignore=false) at /data/src/10.4/sql/sql_insert.cc:1078
|
#22 0x000055f085eab783 in mysql_execute_command (thd=0x7fc9a8000af0) at /data/src/10.4/sql/sql_parse.cc:4519
|
#23 0x000055f085eb70cd in mysql_parse (thd=0x7fc9a8000af0, rawbuf=0x7fc9a8013198 "INSERT INTO t1 VALUES (2,11,11)", length=31, parser_state=0x7fc9f76fe570, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7896
|
#24 0x000055f085ea3601 in dispatch_command (command=COM_QUERY, thd=0x7fc9a8000af0, packet=0x7fc9a80083a1 "INSERT INTO t1 VALUES (2,11,11)", packet_length=31, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1835
|
#25 0x000055f085ea1da3 in do_command (thd=0x7fc9a8000af0) at /data/src/10.4/sql/sql_parse.cc:1353
|
#26 0x000055f08602be3c in do_handle_one_connection (connect=0x55f089d15330) at /data/src/10.4/sql/sql_connect.cc:1412
|
#27 0x000055f08602bb8b in handle_one_connection (arg=0x55f089d15330) at /data/src/10.4/sql/sql_connect.cc:1316
|
#28 0x000055f086a312b9 in pfs_spawn_thread (arg=0x55f089c932e0) at /data/src/10.4/storage/perfschema/pfs.cc:1869
|
#29 0x00007fca043074a4 in start_thread (arg=0x7fc9f76ff700) at pthread_create.c:456
|
#30 0x00007fca0243bd0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
|
It appears to be a recent regression, somewhere between ae33ebe5 and 1cda462f, I didn't look for the exact commit.
Reproducible on 10.4 debug builds.
Not reproducible on 10.3.
No obvious effect on a release build, but non-debug ASAN build throws heap-buffer-overflow:
|
10.5 34212233 |
==2648901==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c00005caa0 at pc 0x563f95fd5ec3 bp 0x7efe2cdb6bc0 sp 0x7efe2cdb6bb0
|
READ of size 16 at 0x61c00005caa0 thread T13
|
#0 0x563f95fd5ec2 in dict_col_t::is_virtual() const /data/src/10.5/storage/innobase/include/dict0mem.h:600
|
#1 0x563f95fd5ec2 in dict_col_t::name(dict_table_t const&) const /data/src/10.5/storage/innobase/dict/dict0dict.cc:445
|
#2 0x563f95ca68e9 in dict_table_get_col_name(dict_table_t const*, unsigned long) /data/src/10.5/storage/innobase/include/dict0dict.h:816
|
#3 0x563f95ca68e9 in row_ins_foreign_index_entry /data/src/10.5/storage/innobase/row/row0ins.cc:1915
|
#4 0x563f95ca68e9 in row_ins_check_foreign_constraints /data/src/10.5/storage/innobase/row/row0ins.cc:1984
|
#5 0x563f95cb3d8e in row_ins_clust_index_entry(dict_index_t*, dtuple_t*, que_thr_t*, unsigned long) /data/src/10.5/storage/innobase/row/row0ins.cc:3185
|
#6 0x563f95cb5290 in row_ins_index_entry /data/src/10.5/storage/innobase/row/row0ins.cc:3357
|
#7 0x563f95cb5290 in row_ins_index_entry_step /data/src/10.5/storage/innobase/row/row0ins.cc:3526
|
#8 0x563f95cb5290 in row_ins /data/src/10.5/storage/innobase/row/row0ins.cc:3663
|
#9 0x563f95cb5290 in row_ins_step(que_thr_t*) /data/src/10.5/storage/innobase/row/row0ins.cc:3802
|
#10 0x563f95cea26e in row_insert_for_mysql(unsigned char const*, row_prebuilt_t*, ins_mode_t) /data/src/10.5/storage/innobase/row/row0mysql.cc:1421
|
#11 0x563f95a580ec in ha_innobase::write_row(unsigned char const*) /data/src/10.5/storage/innobase/handler/ha_innodb.cc:7561
|
#12 0x563f94fdf7a7 in handler::ha_write_row(unsigned char const*) /data/src/10.5/sql/handler.cc:7137
|
#13 0x563f947e5ddc in write_record(THD*, TABLE*, st_copy_info*, select_result*) /data/src/10.5/sql/sql_insert.cc:2092
|
#14 0x563f94800728 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /data/src/10.5/sql/sql_insert.cc:1087
|
#15 0x563f948d0e1d in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:4546
|
#16 0x563f9489658c in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:7994
|
#17 0x563f948c2750 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1867
|
#18 0x563f948c8534 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1348
|
#19 0x563f94c620cc in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
|
#20 0x563f94c62c4c in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
|
#21 0x563f958411b8 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
|
#22 0x7efe3be2e608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477
|
#23 0x7efe3ba02102 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122102)
|
|
|
Address 0x61c00005caa0 is a wild pointer.
|
SUMMARY: AddressSanitizer: heap-buffer-overflow /data/src/10.5/storage/innobase/include/dict0mem.h:600 in dict_col_t::is_virtual() const
|
Shadow bytes around the buggy address:
|
0x0c3880003900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3880003910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3880003920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3880003930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3880003940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
=>0x0c3880003950: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3880003960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3880003970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3880003980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3880003990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c38800039a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
Thread T13 created by T0 here:
|
#0 0x7efe3bec2805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
|
#1 0x563f95841456 in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:38
|
#2 0x563f95841456 in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
|
#3 0x563f94623e3e in inline_mysql_thread_create /data/src/10.5/include/mysql/psi/mysql_thread.h:1321
|
#4 0x563f94623e3e in create_thread_to_handle_connection(CONNECT*) /data/src/10.5/sql/mysqld.cc:6025
|
#5 0x563f9462f804 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5/sql/mysqld.cc:6149
|
#6 0x563f94630212 in handle_connections_sockets() /data/src/10.5/sql/mysqld.cc:6276
|
#7 0x563f94631e43 in mysqld_main(int, char**) /data/src/10.5/sql/mysqld.cc:5671
|
#8 0x7efe3b9070b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
|
|
|
==2648901==ABORTING
|
200910 21:43:25 [ERROR] mysqld got signal 6 ;
|
This could be because you hit a bug. It is also possible that this binary
|
or one of the libraries it was linked against is corrupt, improperly built,
|
or misconfigured. This error can also be caused by malfunctioning hardware.
|
|
|
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
|
|
|
We will try our best to scrape up some info that will hopefully help
|
diagnose the problem, but since we have already crashed,
|
something is definitely wrong and this may fail.
|
|
|
Server version: 10.5.6-MariaDB-log
|
key_buffer_size=1048576
|
read_buffer_size=131072
|
max_used_connections=1
|
max_threads=153
|
thread_count=2
|
It is possible that mysqld could use up to
|
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63636 K bytes of memory
|
Hope that's ok; if not, decrease some variables in the equation.
|
|
|
Thread pointer: 0x62b00009a218
|
Attempting backtrace. You can use the following information to find out
|
where mysqld died. If you see no messages after this, something went
|
terribly wrong...
|
stack_bottom = 0x7efe2cdbb800 thread_stack 0x5fc00
|
??:0(__interceptor_tcgetattr)[0x7efe3bef4d30]
|
/data/bld/10.5-rel-asan-nightly/bin/mariadbd(my_print_stacktrace+0xf6)[0x563f96347ee6]
|
mysys/stacktrace.c:213(my_print_stacktrace)[0x563f94fb4ea4]
|
sigaction.c:0(__restore_rt)[0x7efe3be3a3c0]
|
??:0(gsignal)[0x7efe3b92618b]
|
??:0(abort)[0x7efe3b905859]
|
??:0(__sanitizer_set_report_fd)[0x7efe3bfb36a2]
|
??:0(__sanitizer_get_module_and_offset_for_pc)[0x7efe3bfbe24c]
|
??:0(__sanitizer_ptr_cmp)[0x7efe3bf9f8ec]
|
??:0(__asan_on_error)[0x7efe3bf9f363]
|
??:0(__asan_report_load16)[0x7efe3bfa02cb]
|
/data/bld/10.5-rel-asan-nightly/bin/mariadbd(+0x24ddec3)[0x563f95fd5ec3]
|
dict/dict0dict.cc:451(dict_col_t::name(dict_table_t const&) const)[0x563f95ca68ea]
|
include/dict0dict.h:816(dict_table_get_col_name(dict_table_t const*, unsigned long))[0x563f95cb3d8f]
|
row/row0ins.cc:3187(row_ins_clust_index_entry(dict_index_t*, dtuple_t*, que_thr_t*, unsigned long))[0x563f95cb5291]
|
row/row0ins.cc:3357(row_ins_step(que_thr_t*))[0x563f95cea26f]
|
row/row0mysql.cc:1425(row_insert_for_mysql(unsigned char const*, row_prebuilt_t*, ins_mode_t))[0x563f95a580ed]
|
handler/ha_innodb.cc:7561(ha_innobase::write_row(unsigned char const*))[0x563f94fdf7a8]
|
sql/handler.cc:7137(handler::ha_write_row(unsigned char const*))[0x563f947e5ddd]
|
sql/sql_insert.cc:2092(write_record(THD*, TABLE*, st_copy_info*, select_result*))[0x563f94800729]
|
sql/sql_insert.cc:1087(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x563f948d0e1e]
|
sql/sql_parse.cc:4546(mysql_execute_command(THD*))[0x563f9489658d]
|
sql/sql_parse.cc:8011(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x563f948c2751]
|
sql/sql_parse.cc:1870(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x563f948c8535]
|
sql/sql_parse.cc:1348(do_command(THD*))[0x563f94c620cd]
|
sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x563f94c62c4d]
|
sql/sql_connect.cc:1318(handle_one_connection)[0x563f958411b9]
|
nptl/pthread_create.c:478(start_thread)[0x7efe3be2e609]
|
??:0(clone)[0x7efe3ba02103]
|
|
|
Trying to get some variables.
|
Some pointers may be invalid and cause the dump to abort.
|
Query (0x62b0000a1238): INSERT INTO t1 VALUES (2,11,11)
|
|
|
Connection ID (thread ID): 4
|
Status: NOT_KILLED
|
|
|
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
|
|
|
The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
|
information that should help you find out what is causing the crash.
|
Writing a core file...
|
Working directory at /dev/shm/var_auto_FeKg/mysqld.1/data
|
Resource Limits:
|
Limit Soft Limit Hard Limit Units
|
Max cpu time unlimited unlimited seconds
|
Max file size unlimited unlimited bytes
|
Max data size unlimited unlimited bytes
|
Max stack size 8388608 unlimited bytes
|
Max core file size 0 0 bytes
|
Max resident set unlimited unlimited bytes
|
Max processes 385884 385884 processes
|
Max open files 1024 1024 files
|
Max locked memory 67108864 67108864 bytes
|
Max address space unlimited unlimited bytes
|
Max file locks unlimited unlimited locks
|
Max pending signals 385884 385884 signals
|
Max msgqueue size 819200 819200 bytes
|
Max nice priority 0 0
|
Max realtime priority 0 0
|
Max realtime timeout unlimited unlimited us
|
Core pattern: |/usr/share/apport/apport %p %s %c %d %P %E
|
Attachments
Issue Links
- is caused by
-
-
- Closed
-