MariaDB Server / MDEV-24749

Various corruptions caused by Aria subsystem asking system call to overwrite memory that it does not own

Details

    Description

      Looks related to MDEV-20945.

      The attached testcase (MDEV-24749_main_raw.sql - also ref first comment), executed 1-3 times at the CLI, using SOURCE or client redirection (mysql < input.sql), will produce various issues:

      1) SIGSEGV in MDL_key::is_equal in 10.6 optimized. No stack trace possible, ref #2
      2) Hangs in 10.6 optimized, no CLI access possible
      3) double free or corruption (out) in 10.6 optimized, but not in 10.5 optimized (even though that crashes also, in a different way).
      4) Error: Freeing overrun buffer in 10.6 debug and in 10.5 debug
      5) SIGSEGV in lock_get_mode in 10.6 debug
      6) SIGSEGV in std::less in 10.5 optimized

      It seems there is a double regression: 10.6 and 10.5 optimized have different crash stacks, hang (10.6) vs no hang (10.5), and double free/corruption (10.6) vs not (10.5).

      The various stacks and error logs:

      10.5.9 927a882341eb1087e71d64de4e8cd89ab520de89 (Optimized)

      Core was generated by `/test/MD260121-mariadb-10.5.9-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      [Current thread is 1 (Thread 0x14e6bc114700 (LWP 2084271))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x0000558c1537968f in my_write_core (sig=sig@entry=11) at /data/builds/10.5_opt/mysys/stacktrace.c:424
      #2  0x0000558c14da8690 in handle_fatal_signal (sig=11) at /data/builds/10.5_opt/sql/signal_handler.cc:330
      #3  <signal handler called>
      #4  std::less<dict_table_t*>::operator() (this=0x14e6bd3d01d4, __y=<error reading variable: Cannot access memory at address 0x4002000000000621>, __x=0x14e674053240) at /usr/include/c++/9/bits/stl_function.h:433
      #5  std::_Rb_tree<dict_table_t*, std::pair<dict_table_t* const, trx_mod_table_time_t>, std::_Select1st<std::pair<dict_table_t* const, trx_mod_table_time_t> >, std::less<dict_table_t*>, ut_allocator<std::pair<dict_table_t* const, trx_mod_table_time_t>, true> >::_M_get_insert_unique_pos (__k=@0x14e6bc110a80: 0x14e674053240, this=0x14e6bd3d01d0) at /usr/include/c++/9/bits/stl_tree.h:2095
      #6  std::_Rb_tree<dict_table_t*, std::pair<dict_table_t* const, trx_mod_table_time_t>, std::_Select1st<std::pair<dict_table_t* const, trx_mod_table_time_t> >, std::less<dict_table_t*>, ut_allocator<std::pair<dict_table_t* const, trx_mod_table_time_t>, true> >::_M_insert_unique<std::pair<dict_table_t* const, trx_mod_table_time_t> > (this=this@entry=0x14e6bd3d01d0, __v=@0x14e6bc110a80: {
            first = 0x14e674053240,
            second = {first = 528, first_versioned = 18446744073709551615, static UNVERSIONED = 18446744073709551615}
          }) at /usr/include/c++/9/bits/stl_tree.h:2147
      #7  0x0000558c151e3383 in std::map<dict_table_t*, trx_mod_table_time_t, std::less<dict_table_t*>, ut_allocator<std::pair<dict_table_t* const, trx_mod_table_time_t>, true> >::insert (__x=@0x14e6bc110a80: {
            first = 0x14e674053240,
            second = {first = 528, first_versioned = 18446744073709551615, static UNVERSIONED = 18446744073709551615}
          }, this=0x14e6bd3d01d0) at /usr/include/c++/9/bits/stl_map.h:808
      #8  trx_undo_report_row_operation (thr=thr@entry=0x14e67408b6e0, index=<optimized out>, clust_entry=clust_entry@entry=0x0, update=update@entry=0x14e674062630, cmpl_info=cmpl_info@entry=1, rec=<optimized out>, offsets=<optimized out>, roll_ptr=<optimized out>) at /data/builds/10.5_opt/storage/innobase/trx/trx0rec.cc:2092
      #9  0x0000558c1522b16c in btr_cur_upd_lock_and_undo (roll_ptr=0x14e6bc111c28, mtr=0x14e6bc1123c0, thr=0x14e67408b6e0, cmpl_info=1, update=0x14e674062630, offsets=<optimized out>, cursor=0x14e674028be8, flags=2) at /data/builds/10.5_opt/storage/innobase/btr/btr0cur.cc:3863
      #10 btr_cur_optimistic_update (flags=2, cursor=cursor@entry=0x14e674028be8, offsets=offsets@entry=0x14e6bc111cb8, heap=heap@entry=0x14e6bc111d70, update=0x14e674062630, cmpl_info=1, thr=0x14e67408b6e0, trx_id=67, mtr=0x14e6bc1123c0) at /data/builds/10.5_opt/storage/innobase/btr/btr0cur.cc:4705
      #11 0x0000558c151b92bf in row_upd_clust_rec (flags=0, node=0x14e674062510, index=0x14e67405f7f0, offsets=<optimized out>, offsets_heap=0x14e6bc111d70, thr=0x14e67408b6e0, mtr=0x14e6bc1123c0) at /data/builds/10.5_opt/storage/innobase/include/que0que.ic:37
      #12 0x0000558c151bcd39 in row_upd_clust_step (node=0x14e674062510, thr=0x14e67408b6e0) at /data/builds/10.5_opt/storage/innobase/row/row0upd.cc:2888
      #13 0x0000558c151be37e in row_upd (thr=0x14e67408b6e0, node=0x14e674062510) at /data/builds/10.5_opt/storage/innobase/row/row0upd.cc:2992
      #14 row_upd_step (thr=thr@entry=0x14e67408b6e0) at /data/builds/10.5_opt/storage/innobase/row/row0upd.cc:3136
      #15 0x0000558c151980de in row_update_for_mysql (prebuilt=<optimized out>) at /data/builds/10.5_opt/storage/innobase/row/row0mysql.cc:1847
      #16 0x0000558c150d727b in ha_innobase::update_row (this=0x14e674061200, old_row=0x14e67405c140 "\376\001C\345\064\061\066", new_row=0x14e67405c038 "\376\002\255\345\064\061\066") at /data/builds/10.5_opt/storage/innobase/handler/ha_innodb.cc:8339
      #17 0x0000558c14db7963 in handler::ha_update_row (this=0x14e674061200, old_data=0x14e67405c140 "\376\001C\345\064\061\066", new_data=0x14e67405c038 "\376\002\255\345\064\061\066") at /data/builds/10.5_opt/sql/handler.cc:7204
      #18 0x0000558c14c5a5c3 in multi_update::do_updates (this=0x14e674012720) at /data/builds/10.5_opt/sql/sql_update.cc:2877
      #19 0x0000558c14c5adfb in multi_update::send_eof (this=0x14e674012720) at /data/builds/10.5_opt/sql/sql_update.cc:3037
      #20 0x0000558c14c0265f in do_select (procedure=<optimized out>, join=0x14e6740127f8) at /data/builds/10.5_opt/sql/sql_select.cc:20220
      #21 JOIN::exec_inner (this=0x14e6740127f8) at /data/builds/10.5_opt/sql/sql_select.cc:4466
      #22 0x0000558c14c029c8 in JOIN::exec (this=this@entry=0x14e6740127f8) at /data/builds/10.5_opt/sql/sql_select.cc:4246
      #23 0x0000558c14c00a48 in mysql_select (thd=thd@entry=0x14e674000c58, tables=tables@entry=0x14e6740104c0, fields=@0x14e6bc112db0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x558c15cdfe50 <end_of_list>, last = 0x14e6bc112db0, elements = 0}, <No data fields>}, conds=conds@entry=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2200096997504, result=0x14e674012720, unit=0x14e674004c38, select_lex=0x14e674005438) at /data/builds/10.5_opt/sql/sql_select.cc:4662
      #24 0x0000558c14c59d5a in mysql_multi_update (thd=thd@entry=0x14e674000c58, table_list=0x14e6740104c0, fields=fields@entry=0x14e674005588, values=values@entry=0x14e674005af8, conds=0x0, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x14e674004c38, select_lex=0x14e674005438, result=0x14e6bc112fb0) at /data/builds/10.5_opt/sql/sql_update.cc:1950
      #25 0x0000558c14b9e4ac in mysql_execute_command (thd=0x14e674000c58) at /data/builds/10.5_opt/sql/sql_parse.cc:4520
      #26 0x0000558c14b8ad63 in mysql_parse (thd=0x14e674000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/builds/10.5_opt/sql/sql_parse.cc:8062
      #27 0x0000558c14b96a60 in dispatch_command (command=COM_QUERY, thd=0x14e674000c58, packet=0x14e674008029 "update t1 set a = ((select max(a) from t1))", packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/builds/10.5_opt/sql/sql_class.h:1256
      #28 0x0000558c14b98e2d in do_command (thd=0x14e674000c58) at /data/builds/10.5_opt/sql/sql_parse.cc:1370
      #29 0x0000558c14c9dcd1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x558c17114088, put_in_cache=put_in_cache@entry=true) at /data/builds/10.5_opt/sql/sql_connect.cc:1410
      #30 0x0000558c14c9e14d in handle_one_connection (arg=arg@entry=0x558c17114088) at /data/builds/10.5_opt/sql/sql_connect.cc:1312
      #31 0x0000558c15028a89 in pfs_spawn_thread (arg=0x558c17083198) at /data/builds/10.5_opt/storage/perfschema/pfs.cc:2201
      #32 0x000014e6c01a6609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #33 0x000014e6bfd95293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.6.0 9118fd360a3da0bba521caf2a35c424968235ac4 (Debug)

      2021-02-01  8:47:57 0 [Note] /test/MD260121-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld: ready for connections.
      Version: '10.6.0-MariaDB-debug'  socket: '/test/MD260121-mariadb-10.6.0-linux-x86_64-dbg/socket.sock'  port: 10503  MariaDB Server
      Error: Freeing overrun buffer 0x147cb8040430 at 0x556949375cb8, 0x5569493664cc, 0x556948e14bbc, 0x556948e09da6, 0x556948d8d880, mysys/safemalloc.c:194, mysys/my_malloc.c:210, maria/ma_sort.c:719
      Allocated at maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, sql/handler.cc:4654, maria/ma_sort.c:631, maria/ha_maria.cc:2263, sql/handler.cc:4654, sql/sql_select.cc:19840
      Error: Freeing overrun buffer 0x147cb803ffd0 at sql/sql_update.cc:2641, mysys/safemalloc.c:194, mysys/my_malloc.c:210, maria/ma_sort.c:719, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263
      Allocated at sql/handler.cc:4654, maria/ma_sort.c:631, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263, sql/handler.cc:4654, sql/sql_select.cc:19840
      Error: Freeing overrun buffer 0x147cb800b4a0 at sql/sql_update.cc:2641, mysys/safemalloc.c:194, mysys/my_malloc.c:210, maria/ma_sort.c:719, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263
      Allocated at sql/handler.cc:4654, maria/ma_sort.c:631, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263, sql/handler.cc:4654, sql/sql_select.cc:19840
      210201  8:48:16 [ERROR] mysqld got signal 11 ;
      

      10.6.0 9118fd360a3da0bba521caf2a35c424968235ac4 (Debug)

      Core was generated by `/test/MD010121-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      [Current thread is 1 (Thread 0x14be4c095700 (LWP 2076520))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x0000563bb2e470d7 in my_write_core (sig=sig@entry=11) at /test/10.6_dbg/mysys/stacktrace.c:424
      #2  0x0000563bb25dbab1 in handle_fatal_signal (sig=11) at /test/10.6_dbg/sql/signal_handler.cc:330
      #3  <signal handler called>
      #4  0x0000563bb247dc51 in MDL_key::is_equal (rhs=0x1102000000000601, this=0x14be4c093b10) at /test/10.6_dbg/sql/mdl.h:449
      #5  MDL_context::find_ticket (this=this@entry=0x14be08000ee8, mdl_request=mdl_request@entry=0x14be4c093af0, result_duration=result_duration@entry=0x14be4c093aec) at /test/10.6_dbg/sql/mdl.cc:1929
      #6  0x0000563bb247dda7 in MDL_context::is_lock_owner (this=this@entry=0x14be08000ee8, mdl_namespace=mdl_namespace@entry=MDL_key::TABLE, db=<optimized out>, name=<optimized out>, mdl_type=mdl_type@entry=MDL_SHARED) at /test/10.6_dbg/sql/mdl.cc:2968
      #7  0x0000563bb227c310 in close_thread_table (thd=thd@entry=0x14be08000db8, table_ptr=table_ptr@entry=0x14be08000ea8) at /test/10.6_dbg/sql/sql_base.cc:940
      #8  0x0000563bb227c9a6 in close_thread_tables (thd=thd@entry=0x14be08000db8) at /test/10.6_dbg/sql/sql_base.cc:919
      #9  0x0000563bb231cf35 in mysql_execute_command (thd=thd@entry=0x14be08000db8) at /test/10.6_dbg/sql/sql_parse.cc:5924
      #10 0x0000563bb2303072 in mysql_parse (thd=thd@entry=0x14be08000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14be4c0943d0) at /test/10.6_dbg/sql/sql_parse.cc:7881
      #11 0x0000563bb23111ec in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14be08000db8, packet=packet@entry=0x14be08008d39 "update t1 set a = ((select max(a) from t1))", packet_length=packet_length@entry=43) at /test/10.6_dbg/sql/sql_class.h:1293
      #12 0x0000563bb231452d in do_command (thd=0x14be08000db8) at /test/10.6_dbg/sql/sql_parse.cc:1348
      #13 0x0000563bb24707fc in do_handle_one_connection (connect=<optimized out>, connect@entry=0x563bb5af69a8, put_in_cache=put_in_cache@entry=true) at /test/10.6_dbg/sql/sql_connect.cc:1410
      #14 0x0000563bb2470f03 in handle_one_connection (arg=arg@entry=0x563bb5af69a8) at /test/10.6_dbg/sql/sql_connect.cc:1312
      #15 0x0000563bb292688f in pfs_spawn_thread (arg=0x563bb5a1e898) at /test/10.6_dbg/storage/perfschema/pfs.cc:2201
      #16 0x000014be4ce0a609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #17 0x000014be4c9f9293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.5.9 927a882341eb1087e71d64de4e8cd89ab520de89 (Debug)

      Version: '10.5.9-MariaDB-debug'  socket: '/test/MD260121-mariadb-10.5.9-linux-x86_64-dbg/socket.sock'  port: 10421  MariaDB Server
      Error: Freeing overrun buffer 0x1503ec0405b0 at 0x55aec402f0f6, 0x55aec401f90a, 0x55aec3a8ef1a, 0x55aec3a84104, 0x55aec3a07bde, mysys/safemalloc.c:194, mysys/my_malloc.c:210, maria/ma_sort.c:719
      Allocated at maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, sql/handler.cc:4654, maria/ma_sort.c:631, maria/ma_check.c:4551, sql/handler.cc:4654, sql/sql_select.cc:19856
      Error: Freeing overrun buffer 0x1503ec040150 at sql/sql_update.cc:2641, mysys/safemalloc.c:194, mysys/my_malloc.c:210, maria/ma_sort.c:719, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263
      Allocated at sql/handler.cc:4654, maria/ma_sort.c:631, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263, sql/handler.cc:4654, sql/sql_select.cc:19856
      Error: Freeing overrun buffer 0x1503ec00b650 at sql/sql_update.cc:2641, mysys/safemalloc.c:194, mysys/my_malloc.c:210, maria/ma_sort.c:719, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263
      Allocated at sql/handler.cc:4654, maria/ma_sort.c:631, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263, sql/handler.cc:4654, sql/sql_select.cc:19856
      210201  8:48:16 [ERROR] mysqld got signal 11 ;
      

      10.5.9 927a882341eb1087e71d64de4e8cd89ab520de89 (Debug)

      Core was generated by `/test/MD260121-mariadb-10.5.9-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      [Current thread is 1 (Thread 0x15044015f700 (LWP 2084671))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x000055aec402464e in my_write_core (sig=sig@entry=11) at /data/builds/10.5_dbg/mysys/stacktrace.c:424
      #2  0x000055aec37791a8 in handle_fatal_signal (sig=11) at /data/builds/10.5_dbg/sql/signal_handler.cc:330
      #3  <signal handler called>
      #4  0x000055aec361b078 in MDL_key::is_equal (rhs=0x1102000000000601, this=0x15044015dae0) at /data/builds/10.5_dbg/sql/mdl.h:449
      #5  MDL_context::find_ticket (this=this@entry=0x1503ec000ed8, mdl_request=mdl_request@entry=0x15044015dac0, result_duration=result_duration@entry=0x15044015dabc) at /data/builds/10.5_dbg/sql/mdl.cc:1929
      #6  0x000055aec361b1cd in MDL_context::is_lock_owner (this=this@entry=0x1503ec000ed8, mdl_namespace=mdl_namespace@entry=MDL_key::TABLE, db=<optimized out>, name=<optimized out>, mdl_type=mdl_type@entry=MDL_SHARED) at /data/builds/10.5_dbg/sql/mdl.cc:2968
      #7  0x000055aec3419d94 in close_thread_table (thd=thd@entry=0x1503ec000db8, table_ptr=table_ptr@entry=0x1503ec000e98) at /data/builds/10.5_dbg/sql/sql_base.cc:940
      #8  0x000055aec341a42a in close_thread_tables (thd=thd@entry=0x1503ec000db8) at /data/builds/10.5_dbg/sql/sql_base.cc:919
      #9  0x000055aec34bad85 in mysql_execute_command (thd=thd@entry=0x1503ec000db8) at /data/builds/10.5_dbg/sql/sql_parse.cc:6089
      #10 0x000055aec34a08d8 in mysql_parse (thd=thd@entry=0x1503ec000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x15044015e3d0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/builds/10.5_dbg/sql/sql_parse.cc:8062
      #11 0x000055aec34aebe2 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1503ec000db8, packet=packet@entry=0x1503ec01ad29 "update t1 set a = ((select max(a) from t1))", packet_length=packet_length@entry=43, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/builds/10.5_dbg/sql/sql_class.h:1256
      #12 0x000055aec34b232f in do_command (thd=0x1503ec000db8) at /data/builds/10.5_dbg/sql/sql_parse.cc:1370
      #13 0x000055aec360dc83 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55aec6a656f8, put_in_cache=put_in_cache@entry=true) at /data/builds/10.5_dbg/sql/sql_connect.cc:1410
      #14 0x000055aec360e387 in handle_one_connection (arg=arg@entry=0x55aec6a656f8) at /data/builds/10.5_dbg/sql/sql_connect.cc:1312
      #15 0x000055aec3ac279d in pfs_spawn_thread (arg=0x55aec699bed8) at /data/builds/10.5_dbg/storage/perfschema/pfs.cc:2201
      #16 0x000015044422b609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #17 0x0000150443e1a293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present (in various expression thereof) in:
      MariaDB: 10.5.9 (dbg), 10.5.9 (opt), 10.6.0 (dbg), 10.6.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.2.37 (dbg), 10.2.37 (opt), 10.3.28 (dbg), 10.3.28 (opt), 10.4.18 (dbg), 10.4.18 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.33 (dbg), 5.7.33 (opt), 8.0.23 (dbg), 8.0.23 (opt)
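The "Error: Freeing overrun buffer" lines in the debug-build logs above come from the allocator checking a guard region past the end of each block when it is freed. As an added illustration (this is not MariaDB's mysys/safemalloc.c nor the Aria sort code, and names such as guarded_malloc, simulate_fill and DEMO_SLACK are this example's own), the following C program implements the same redzone check: an in-bounds fill frees cleanly, a fill that runs a few bytes past the buffer is flagged at free time with a count of clobbered guard bytes, and a bounded fill shows the clamp that prevents it. The page does not state the root cause of the overrun and this example does not reproduce it; it only models the detection that produced those log lines.

```c
/* Added example: a minimal guard-byte ("redzone") allocator that detects the
 * kind of overrun a debug build reports as "Freeing overrun buffer".
 * Illustrative code only; not MariaDB's mysys/safemalloc.c. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_LEN  8    /* bytes of redzone placed after every user region */
#define DEMO_SLACK 64   /* extra bytes we own, so the demo overrun never
                         * touches memory outside our own allocation */

static const unsigned char GUARD_PATTERN[GUARD_LEN] =
    {0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xBA, 0xBE};

struct guard_hdr { size_t size; };   /* stored just before the user region */

/* Allocate `size` user bytes followed by a guard pattern. */
void *guarded_malloc(size_t size) {
    struct guard_hdr *h = malloc(sizeof *h + size + GUARD_LEN + DEMO_SLACK);
    if (!h) return NULL;
    h->size = size;
    unsigned char *user = (unsigned char *)(h + 1);
    memcpy(user + size, GUARD_PATTERN, GUARD_LEN);
    return user;
}

/* Free a guarded block. Returns the number of guard bytes that were
 * overwritten (0 means the block was intact), reporting like the log lines. */
int guarded_free(void *p) {
    if (!p) return 0;
    struct guard_hdr *h = (struct guard_hdr *)p - 1;
    const unsigned char *guard = (const unsigned char *)p + h->size;
    int damaged = 0;
    for (int i = 0; i < GUARD_LEN; i++)
        if (guard[i] != GUARD_PATTERN[i]) damaged++;
    if (damaged)
        fprintf(stderr, "Error: Freeing overrun buffer %p (%d guard bytes clobbered)\n",
                p, damaged);
    free(h);
    return damaged;
}

/* Simulate filling a sort buffer of `alloc_len` bytes with `write_len` bytes,
 * the way a caller that trusts an oversized length would. The write is capped
 * to the slack we own so the demo is not real undefined behaviour.
 * Returns the number of clobbered guard bytes, or -1 on allocation failure. */
int simulate_fill(size_t alloc_len, size_t write_len) {
    size_t cap = alloc_len + GUARD_LEN + DEMO_SLACK;
    if (write_len > cap) write_len = cap;
    unsigned char *buf = guarded_malloc(alloc_len);
    if (!buf) return -1;
    memset(buf, 0x41, write_len);
    return guarded_free(buf);
}

/* The bounded counterpart: the length passed to the fill is clamped to what
 * the buffer actually owns, so the guard survives by construction.
 * Returns the number of bytes written. */
size_t bounded_fill(size_t alloc_len, size_t want_len) {
    unsigned char *buf = guarded_malloc(alloc_len);
    if (!buf) return 0;
    size_t n = want_len < alloc_len ? want_len : alloc_len;
    memset(buf, 0x41, n);
    guarded_free(buf);
    return n;
}

int main(void) {
    printf("in-bounds fill: %d guard bytes clobbered\n", simulate_fill(256, 256));
    printf("3-byte overrun: %d guard bytes clobbered\n", simulate_fill(256, 259));
    printf("bounded fill wrote %zu of 1000 requested bytes\n", bounded_fill(256, 1000));
    return 0;
}
```

Compile with `cc -std=c99 -Wall guard.c` and run; the middle case prints the "Freeing overrun buffer" line to stderr. A real debug allocator also records the allocating and freeing call sites, which is what the "Allocated at ..." lines in the logs carry.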

          Activity

Roel Van de Paar added a comment (edited)

            The attached file MDEV-24749_main_raw.sql is not really the main testcase I want to put forward for this bug. It is however the basis/raw and original reduced then manually hacked version. Attaching it as a starting reference. More to follow.

Roel Van de Paar added a comment (edited)

            Also seen (with MDEV-24749_1.sql specifically):

            10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Debug)

            Version: '10.6.0-MariaDB-debug'  socket: '/test/MD260121-mariadb-10.6.0-linux-x86_64-dbg/socket.sock'  port: 10503  MariaDB Server
            Error: Freeing overrun buffer 0x14b7d4040430 at mysys/safemalloc.c:194, mysys/my_malloc.c:210, maria/ma_sort.c:719, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263, sql/handler.cc:4654
            Allocated at maria/ma_sort.c:631, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263, sql/handler.cc:4654, sql/sql_select.cc:19840, sql/sql_update.cc:2641
            Error: Freeing overrun buffer 0x14b7d403ffd0 at mysys/safemalloc.c:194, mysys/my_malloc.c:210, maria/ma_sort.c:719, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263, sql/handler.cc:4654
            Allocated at maria/ma_sort.c:631, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263, sql/handler.cc:4654, sql/sql_select.cc:19840, sql/sql_update.cc:2641
            mysqld: /data/builds/10.6_dbg/sql/mysqld.cc:3555: void my_malloc_size_cb_func(long long int, my_bool): Assertion `(longlong) thd->status_var.local_memory_used >= 0 || !debug_assert_on_not_freed_memory' failed.
            210201 18:41:07 [ERROR] mysqld got signal 6 ;
            

            10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Debug)

            Core was generated by `/test/MD260121-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
            Program terminated with signal SIGABRT, Aborted.
            #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
                at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
            [Current thread is 1 (Thread 0x1502103d7700 (LWP 1026633))]
            (gdb) bt
            #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
            #1  0x00005590a9ce8210 in my_write_core (sig=sig@entry=6) at /data/builds/10.6_dbg/mysys/stacktrace.c:424
            #2  0x00005590a947d2d0 in handle_fatal_signal (sig=6) at /data/builds/10.6_dbg/sql/signal_handler.cc:330
            #3  <signal handler called>
            #4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
            #5  0x0000150213f95859 in __GI_abort () at abort.c:79
            #6  0x0000150213f95729 in __assert_fail_base (fmt=0x15021412b588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5590a9e2c320 "(longlong) thd->status_var.local_memory_used >= 0 || !debug_assert_on_not_freed_memory", file=0x5590a9e2bdc0 "/data/builds/10.6_dbg/sql/mysqld.cc", line=3555, function=<optimized out>) at assert.c:92
            #7  0x0000150213fa6f36 in __GI___assert_fail (assertion=assertion@entry=0x5590a9e2c320 "(longlong) thd->status_var.local_memory_used >= 0 || !debug_assert_on_not_freed_memory", file=file@entry=0x5590a9e2bdc0 "/data/builds/10.6_dbg/sql/mysqld.cc", line=line@entry=3555, function=function@entry=0x5590a9e2c280 "void my_malloc_size_cb_func(long long int, my_bool)") at assert.c:101
            #8  0x00005590a90998ba in my_malloc_size_cb_func (size=<optimized out>, is_thread_specific=<optimized out>) at /data/builds/10.6_dbg/sql/mysqld.cc:3555
            #9  0x00005590a9ce34c3 in my_free (ptr=ptr@entry=0x1501cc040088) at /data/builds/10.6_dbg/mysys/my_malloc.c:200
            #10 0x00005590a913e7db in THD::set_db (this=this@entry=0x1501cc000db8, new_db=0x5590a9e558f0 <null_clex_str>) at /data/builds/10.6_dbg/sql/sql_class.cc:1499
            #11 0x00005590a91555dc in mysql_change_db_impl (thd=thd@entry=0x1501cc000db8, new_db_name=new_db_name@entry=0x1502103d5d60, new_db_access=new_db_access@entry=(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | LOCK_TABLES_ACL | EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | ALTER_PROC_ACL | EVENT_ACL | TRIGGER_ACL | DELETE_HISTORY_ACL), new_db_charset=0x5590aa72eb20 <my_charset_latin1>) at /data/builds/10.6_dbg/sql/sql_db.cc:1496
            #12 0x00005590a91576f6 in mysql_change_db (thd=thd@entry=0x1501cc000db8, new_db_name=new_db_name@entry=0x1501cc005828, force_switch=force_switch@entry=false) at /data/builds/10.6_dbg/sql/sql_db.cc:1761
            #13 0x00005590a91bbb37 in mysql_execute_command (thd=thd@entry=0x1501cc000db8) at /data/builds/10.6_dbg/sql/sql_parse.cc:4879
            #14 0x00005590a91a515e in mysql_parse (thd=thd@entry=0x1501cc000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1502103d63d0) at /data/builds/10.6_dbg/sql/sql_parse.cc:7901
            #15 0x00005590a91b324f in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1501cc000db8, packet=packet@entry=0x1501cc01aac9 "USE test", packet_length=packet_length@entry=8) at /data/builds/10.6_dbg/sql/sql_class.h:1294
            #16 0x00005590a91b6581 in do_command (thd=0x1501cc000db8) at /data/builds/10.6_dbg/sql/sql_parse.cc:1365
            #17 0x00005590a9312079 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5590acb5d1a8, put_in_cache=put_in_cache@entry=true) at /data/builds/10.6_dbg/sql/sql_connect.cc:1410
            #18 0x00005590a931277d in handle_one_connection (arg=arg@entry=0x5590acb5d1a8) at /data/builds/10.6_dbg/sql/sql_connect.cc:1312
            #19 0x00005590a97c543f in pfs_spawn_thread (arg=0x5590aca82ba8) at /data/builds/10.6_dbg/storage/perfschema/pfs.cc:2201
            #20 0x00001502144a3609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #21 0x0000150214092293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            

Roel Van de Paar added a comment (edited)

Yet another very interesting error with MDEV-24749_1.sql. The file around line 97 contains this:

            95: UPDATE t1 SET a=( (SELECT MAX(a) FROM t1));
            96: UPDATE t1 SET a=( (SELECT MAX(a) FROM t1));
            97: UPDATE t1 SET a=( (SELECT MAX(a) FROM t1));
            98: UPDATE t1 SET a=( (SELECT MAX(a) FROM t1));
            99: UPDATE t1 SET a=( (SELECT MAX(a) FROM t1));
            ... etc (more identical UPDATE's) ... 
            

            And the SQL replay gives this at the CLI:

            10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Debug)

            Query OK, 90 rows affected (0.464 sec)      ### This is row 95 executing
            Rows matched: 444  Changed: 90  Warnings: 0
             
            Query OK, 0 rows affected (0.046 sec)        ### This is row 96 executing
            Rows matched: 444  Changed: 0  Warnings: 0
             
            ERROR 1146 (42S02) at line 97 in file: 'in.sql': Table '\0001\0006.t1' doesn't exist     ### This is row 97 executing
            ERROR 1146 (42S02) at line 98 in file: 'in.sql': Table '\0001\0006.t1' doesn't exist      ### This is row 98 executing
            ... etc (more ERROR 1146's for further same UPDATE queries)... 
            

Michael Widenius (monty) added a comment (edited)

            Any test case that sets aria_buffer_size to CAST(-1 AS UNSIGNED INT) should be fixed when I push MDEV-24750

Note however that setting this buffer to this value has nothing to do with crashes that are related to the real-world usage of MariaDB.

This issue also has nothing to do with XA or locking.


Michael Widenius (monty) added a comment

This issue is probably fixed (in 10.6) thanks to the fix for MDEV-24750. It would be good if someone from QA could verify this.

Roel Van de Paar added a comment

Did additional testing on 10.6 opt+dbg using the attached testcases. Also tested against UBSAN+ASAN.

No issues observed anymore, so it looks confirmed that the MDEV-24750 fix resolved the issue. Closing as fixed.

            People

  Michael Widenius (monty)
  Roel Van de Paar (Roel)