MariaDB Server / MDEV-24750

Various corruptions caused by Aria subsystem asking system call to overwrite memory that it does not own (InnoDB stacks)


      Description

      This bug report is based on testcases very similar to the one in MDEV-24749, and it may be a duplicate. However, the results (crashes etc.) seen here are much more InnoDB oriented. It seems to me that the issues in Aria are affecting InnoDB. I am attaching a few different versions of this testcase as I keep getting different outcomes/results. It seems SOURCE is required at the CLI to reproduce these bugs. The testcase is also sporadic (though not much). Here are some of the stacks I have seen, all with some variation of the same testcase:

      Seen with 1.sql and using 10.6 build from 26/1:
      1) Assertion `table->magic_n == 76333786' failed in dict_table_get_first_index on debug:

      10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Debug)

      mysqld: /data/builds/10.6_dbg/storage/innobase/include/dict0dict.ic:211: dict_index_t* dict_table_get_first_index(const dict_table_t*): Assertion `table->magic_n == 76333786' failed.
      

      10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Debug)

      Core was generated by `/test/MD260121-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGABRT, Aborted.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      [Current thread is 1 (Thread 0x146aa80e4700 (LWP 4180868))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x000056027b3a1210 in my_write_core (sig=sig@entry=6) at /data/builds/10.6_dbg/mysys/stacktrace.c:424
      #2  0x000056027ab362d0 in handle_fatal_signal (sig=6) at /data/builds/10.6_dbg/sql/signal_handler.cc:330
      #3  <signal handler called>
      #4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      #5  0x0000146aa9347859 in __GI_abort () at abort.c:79
      #6  0x0000146aa9347729 in __assert_fail_base (fmt=0x146aa94dd588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x56027b748d26 "table->magic_n == 76333786", file=0x56027b74bd20 "/data/builds/10.6_dbg/storage/innobase/include/dict0dict.ic", line=211, function=<optimized out>) at assert.c:92
      #7  0x0000146aa9358f36 in __GI___assert_fail (assertion=assertion@entry=0x56027b748d26 "table->magic_n == 76333786", file=file@entry=0x56027b74bd20 "/data/builds/10.6_dbg/storage/innobase/include/dict0dict.ic", line=line@entry=211, function=function@entry=0x56027b74ced0 "dict_index_t* dict_table_get_first_index(const dict_table_t*)") at assert.c:101
      #8  0x000056027b0f05bf in dict_table_get_first_index (table=0x146a6400ace8) at /data/builds/10.6_dbg/storage/innobase/include/dict0dict.ic:211
      #9  0x000056027b0ff68b in row_search_mvcc (buf=buf@entry=0x146a640236d8 "\376\002\255\345\060\061-01-01 10:10:10.999993", mode=<optimized out>, mode@entry=PAGE_CUR_UNSUPP, prebuilt=0x146a640253c8, match_mode=match_mode@entry=0, direction=direction@entry=1) at /data/builds/10.6_dbg/storage/innobase/row/row0sel.cc:4594
      #10 0x000056027af328ac in ha_innobase::general_fetch (this=this@entry=0x146a64023b40, buf=buf@entry=0x146a640236d8 "\376\002\255\345\060\061-01-01 10:10:10.999993", direction=direction@entry=1, match_mode=match_mode@entry=0) at /data/builds/10.6_dbg/storage/innobase/handler/ha_innodb.cc:8804
      #11 0x000056027af423bb in ha_innobase::rnd_next (this=0x146a64023b40, buf=0x146a640236d8 "\376\002\255\345\060\061-01-01 10:10:10.999993") at /data/builds/10.6_dbg/storage/innobase/handler/ha_innodb.cc:9008
      #12 0x000056027ab3df27 in handler::ha_rnd_next (this=0x146a64023b40, buf=0x146a640236d8 "\376\002\255\345\060\061-01-01 10:10:10.999993") at /data/builds/10.6_dbg/sql/handler.cc:3066
      #13 0x000056027ad11b6d in rr_sequential (info=0x146a6407fff0) at /data/builds/10.6_dbg/sql/records.h:82
      #14 0x000056027a8bb04b in READ_RECORD::read_record (this=0x146a6407fff0) at /data/builds/10.6_dbg/sql/records.h:81
      #15 sub_select (join=0x146a64014af8, join_tab=0x146a6407ff28, end_of_records=<optimized out>) at /data/builds/10.6_dbg/sql/sql_select.cc:20621
      #16 0x000056027a8f3a22 in do_select (procedure=0x0, join=0x146a64014af8) at /data/builds/10.6_dbg/sql/sql_select.cc:20149
      #17 JOIN::exec_inner (this=this@entry=0x146a64014af8) at /data/builds/10.6_dbg/sql/sql_select.cc:4476
      #18 0x000056027a8f3e92 in JOIN::exec (this=this@entry=0x146a64014af8) at /data/builds/10.6_dbg/sql/sql_select.cc:4256
      #19 0x000056027a8f20f2 in mysql_select (thd=thd@entry=0x146a64000db8, tables=tables@entry=0x146a640127c0, fields=@0x146aa80e2d20: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56027be442e0 <end_of_list>, last = 0x146aa80e2d20, elements = 0}, <No data fields>}, conds=conds@entry=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2200096997504, result=0x146a64014a20, unit=0x146a64004f80, select_lex=0x146a64005780) at /data/builds/10.6_dbg/sql/sql_select.cc:4672
      #20 0x000056027a969d93 in mysql_multi_update (thd=thd@entry=0x146a64000db8, table_list=0x146a640127c0, fields=fields@entry=0x146a640058d0, values=values@entry=0x146a64005e40, conds=0x0, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x146a64004f80, select_lex=0x146a64005780, result=0x146aa80e2f60) at /data/builds/10.6_dbg/sql/sql_update.cc:1950
      #21 0x000056027a873366 in mysql_execute_command (thd=thd@entry=0x146a64000db8) at /data/builds/10.6_dbg/sql/sql_parse.cc:4372
      #22 0x000056027a85e15e in mysql_parse (thd=thd@entry=0x146a64000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x146aa80e33d0) at /data/builds/10.6_dbg/sql/sql_parse.cc:7901
      #23 0x000056027a86c24f in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x146a64000db8, packet=packet@entry=0x146a6401aac9 "UPDATE t1 SET a=( (SELECT MAX(a) FROM t1))", packet_length=packet_length@entry=42) at /data/builds/10.6_dbg/sql/sql_class.h:1294
      #24 0x000056027a86f581 in do_command (thd=0x146a64000db8) at /data/builds/10.6_dbg/sql/sql_parse.cc:1365
      #25 0x000056027a9cb079 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56027cf5d658, put_in_cache=put_in_cache@entry=true) at /data/builds/10.6_dbg/sql/sql_connect.cc:1410
      #26 0x000056027a9cb77d in handle_one_connection (arg=arg@entry=0x56027cf5d658) at /data/builds/10.6_dbg/sql/sql_connect.cc:1312
      #27 0x000056027ae7e43f in pfs_spawn_thread (arg=0x56027ce42ba8) at /data/builds/10.6_dbg/storage/perfschema/pfs.cc:2201
      #28 0x0000146aa9855609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #29 0x0000146aa9444293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      2) SIGSEGV in plugin_lock on debug:

      10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Debug)

      Core was generated by `/test/MD260121-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      [Current thread is 1 (Thread 0x151148105700 (LWP 18478))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x000055acd8588210 in my_write_core (sig=sig@entry=11) at /data/builds/10.6_dbg/mysys/stacktrace.c:424
      #2  0x000055acd7d1d2d0 in handle_fatal_signal (sig=11) at /data/builds/10.6_dbg/sql/signal_handler.cc:330
      #3  <signal handler called>
      #4  0x000055acd7a639a0 in plugin_lock (thd=thd@entry=0x0, ptr=0x151104008e08) at /data/builds/10.6_dbg/sql/sql_plugin.cc:1044
      #5  0x000055acd7aad35e in create_internal_tmp_table_from_heap (thd=0x151104000db8, table=table@entry=0x151104084810, start_recinfo=<optimized out>, recinfo=<optimized out>, error=error@entry=135, ignore_last_dupp_key_error=ignore_last_dupp_key_error@entry=true, is_duplicate=0x0) at /data/builds/10.6_dbg/sql/sql_select.cc:19863
      #6  0x000055acd7b4fa76 in multi_update::send_data (this=0x151104014a20, not_used_values=<optimized out>) at /data/builds/10.6_dbg/sql/sql_update.cc:2641
      #7  0x000055acd7abcba8 in select_result_sink::send_data_with_check (sent=<optimized out>, u=<optimized out>, items=@0x151148103d20: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55acd902b2e0 <end_of_list>, last = 0x151148103d20, elements = 0}, <No data fields>}, this=<optimized out>) at /data/builds/10.6_dbg/sql/sql_class.h:5376
      #8  end_send (join=0x151104014af8, join_tab=0x1511040815c8, end_of_records=<optimized out>) at /data/builds/10.6_dbg/sql/sql_select.cc:21802
      #9  0x000055acd7a8b87e in evaluate_join_record (join=join@entry=0x151104014af8, join_tab=join_tab@entry=0x151104081218, error=error@entry=0) at /data/builds/10.6_dbg/sql/sql_select.cc:20825
      #10 0x000055acd7aa2017 in sub_select (join=0x151104014af8, join_tab=0x151104081218, end_of_records=<optimized out>) at /data/builds/10.6_dbg/sql/sql_select.cc:20641
      #11 0x000055acd7adaa22 in do_select (procedure=0x0, join=0x151104014af8) at /data/builds/10.6_dbg/sql/sql_select.cc:20149
      #12 JOIN::exec_inner (this=this@entry=0x151104014af8) at /data/builds/10.6_dbg/sql/sql_select.cc:4476
      #13 0x000055acd7adae92 in JOIN::exec (this=this@entry=0x151104014af8) at /data/builds/10.6_dbg/sql/sql_select.cc:4256
      #14 0x000055acd7ad90f2 in mysql_select (thd=thd@entry=0x151104000db8, tables=tables@entry=0x1511040127c0, fields=@0x151148103d20: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55acd902b2e0 <end_of_list>, last = 0x151148103d20, elements = 0}, <No data fields>}, conds=conds@entry=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2200096997504, result=0x151104014a20, unit=0x151104004f80, select_lex=0x151104005780) at /data/builds/10.6_dbg/sql/sql_select.cc:4672
      #15 0x000055acd7b50d93 in mysql_multi_update (thd=thd@entry=0x151104000db8, table_list=0x1511040127c0, fields=fields@entry=0x1511040058d0, values=values@entry=0x151104005e40, conds=0x0, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x151104004f80, select_lex=0x151104005780, result=0x151148103f60) at /data/builds/10.6_dbg/sql/sql_update.cc:1950
      #16 0x000055acd7a5a366 in mysql_execute_command (thd=thd@entry=0x151104000db8) at /data/builds/10.6_dbg/sql/sql_parse.cc:4372
      #17 0x000055acd7a4515e in mysql_parse (thd=thd@entry=0x151104000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1511481043d0) at /data/builds/10.6_dbg/sql/sql_parse.cc:7901
      #18 0x000055acd7a5324f in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x151104000db8, packet=packet@entry=0x15110401aac9 "UPDATE t1 SET a=( (SELECT MAX(a) FROM t1))", packet_length=packet_length@entry=42) at /data/builds/10.6_dbg/sql/sql_class.h:1294
      #19 0x000055acd7a56581 in do_command (thd=0x151104000db8) at /data/builds/10.6_dbg/sql/sql_parse.cc:1365
      #20 0x000055acd7bb2079 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55acdb872aa8, put_in_cache=put_in_cache@entry=true) at /data/builds/10.6_dbg/sql/sql_connect.cc:1410
      #21 0x000055acd7bb277d in handle_one_connection (arg=arg@entry=0x55acdb872aa8) at /data/builds/10.6_dbg/sql/sql_connect.cc:1312
      #22 0x000055acd806543f in pfs_spawn_thread (arg=0x55acdb7a7158) at /data/builds/10.6_dbg/storage/perfschema/pfs.cc:2201
      #23 0x000015114afd0609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #24 0x000015114abbf293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      3) In optimized, Double free or corruption (out) then crash without stack and without core, on executing the testcase a few times and interrupting somewhere after a number of executions. This is already described in MDEV-24749.

      10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Optimized)

      2021-02-01 12:22:11 0 [Note] /test/MD260121-mariadb-10.6.0-linux-x86_64-opt/bin/mysqld: ready for connections.
      Version: '10.6.0-MariaDB'  socket: '/test/MD260121-mariadb-10.6.0-linux-x86_64-opt/socket.sock'  port: 16083  MariaDB Server
      double free or corruption (out)
      210201 12:24:00 [ERROR] mysqld got signal 6 ;
      

      4) A hang in optimized after executing the testcase two times and then shutting down. This is different from MDEV-24749 as that hang happens during SQL execution. mysqladmin and the client just hang whereas the error log already shows a crash, again without stack in the error log, and without core.

      Seen with 2.sql and using 10.6 build from 26/1:
      1) SIGSEGV in dict_index_t::is_corrupted on 10.6 optimized (crashing at line 79 of 2.sql)
      Notes: No additional information in error log. Issue seems highly reproducible, again using SOURCE 2.sql in CLI.

      10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Optimized)

      Core was generated by `/test/MD260121-mariadb-10.6.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      [Current thread is 1 (Thread 0x15394c3df700 (LWP 606410))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x000055e63085c05f in my_write_core (sig=sig@entry=11) at /data/builds/10.6_opt/mysys/stacktrace.c:424
      #2  0x000055e6302d0730 in handle_fatal_signal (sig=11) at /data/builds/10.6_opt/sql/signal_handler.cc:330
      #3  <signal handler called>
      #4  0x000055e6306c81c0 in dict_index_t::is_corrupted (this=0x15391001e250) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
      #5  row_search_mvcc (buf=buf@entry=0x153910018198 "\376\002\255\345\060\061-01-01 10:10:10.999993", mode=mode@entry=PAGE_CUR_UNSUPP, prebuilt=0x15391001fcd0, match_mode=match_mode@entry=0, direction=direction@entry=1) at /data/builds/10.6_opt/storage/innobase/row/row0sel.cc:4301
      #6  0x000055e630600ed8 in ha_innobase::general_fetch (match_mode=0, direction=1, buf=0x153910018198 "\376\002\255\345\060\061-01-01 10:10:10.999993", this=0x15391001f4a0) at /data/builds/10.6_opt/storage/innobase/handler/ha_innodb.cc:8804
      #7  ha_innobase::rnd_next (this=0x15391001f4a0, buf=0x153910018198 "\376\002\255\345\060\061-01-01 10:10:10.999993") at /data/builds/10.6_opt/storage/innobase/handler/ha_innodb.cc:9008
      #8  0x000055e6302d6c27 in handler::ha_rnd_next (this=0x15391001f4a0, buf=0x153910018198 "\376\002\255\345\060\061-01-01 10:10:10.999993") at /data/builds/10.6_opt/sql/handler.cc:3066
      #9  0x000055e63042cab6 in rr_sequential (info=0x15391005a740) at /data/builds/10.6_opt/sql/records.h:82
      #10 0x000055e6300fc66d in READ_RECORD::read_record (this=0x15391005a740) at /data/builds/10.6_opt/sql/records.h:81
      #11 sub_select (end_of_records=false, join_tab=0x15391005a678, join=0x153910012818) at /data/builds/10.6_opt/sql/sql_select.cc:20621
      #12 sub_select (join=0x153910012818, join_tab=0x15391005a678, end_of_records=false) at /data/builds/10.6_opt/sql/sql_select.cc:20531
      #13 0x000055e63012aae2 in do_select (procedure=<optimized out>, join=0x153910012818) at /data/builds/10.6_opt/sql/sql_select.cc:20149
      #14 JOIN::exec_inner (this=0x153910012818) at /data/builds/10.6_opt/sql/sql_select.cc:4476
      #15 0x000055e63012ad78 in JOIN::exec (this=this@entry=0x153910012818) at /data/builds/10.6_opt/sql/sql_select.cc:4256
      #16 0x000055e630128df8 in mysql_select (thd=thd@entry=0x153910000c58, tables=tables@entry=0x1539100104e0, fields=@0x15394c3ddde0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55e6311bcf70 <end_of_list>, last = 0x15394c3ddde0, elements = 0}, <No data fields>}, conds=conds@entry=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2200096997504, result=0x153910012740, unit=0x153910004c60, select_lex=0x153910005460) at /data/builds/10.6_opt/sql/sql_select.cc:4672
      #17 0x000055e63018214a in mysql_multi_update (thd=thd@entry=0x153910000c58, table_list=0x1539100104e0, fields=fields@entry=0x1539100055b0, values=values@entry=0x153910005b20, conds=0x0, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x153910004c60, select_lex=0x153910005460, result=0x15394c3ddfe0) at /data/builds/10.6_opt/sql/sql_update.cc:1950
      #18 0x000055e6300c668c in mysql_execute_command (thd=0x153910000c58) at /data/builds/10.6_opt/sql/sql_parse.cc:4372
      #19 0x000055e6300b3336 in mysql_parse (thd=0x153910000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /data/builds/10.6_opt/sql/sql_parse.cc:7901
      #20 0x000055e6300bec18 in dispatch_command (command=COM_QUERY, thd=0x153910000c58, packet=0x153910008049 "UPDATE t1 SET a=( (SELECT MAX(a) FROM t1))", packet_length=42) at /data/builds/10.6_opt/sql/sql_class.h:1294
      #21 0x000055e6300c1016 in do_command (thd=0x153910000c58) at /data/builds/10.6_opt/sql/sql_parse.cc:1365
      #22 0x000055e6301c60a1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55e631fe19c8, put_in_cache=put_in_cache@entry=true) at /data/builds/10.6_opt/sql/sql_connect.cc:1410
      #23 0x000055e6301c651d in handle_one_connection (arg=arg@entry=0x55e631fe19c8) at /data/builds/10.6_opt/sql/sql_connect.cc:1312
      #24 0x000055e63054f2c9 in pfs_spawn_thread (arg=0x55e631f85ee8) at /data/builds/10.6_opt/storage/perfschema/pfs.cc:2201
      #25 0x0000153962774609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #26 0x0000153962363293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      2) Failing assertion: strchr(table->name.m_name, '/') != NULL failed in dict_stats_update on 10.6 debug (crashing again at line 80 of 2.sql) which seems to be a secondary crash after the main one

      10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Debug)

      2021-02-01 12:47:18 0 [Note] /test/MD260121-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld: ready for connections.
      Version: '10.6.0-MariaDB-debug'  socket: '/test/MD260121-mariadb-10.6.0-linux-x86_64-dbg/socket.sock'  port: 10503  MariaDB Server
      Error: Freeing overrun buffer 0x15542c027050 at mysys/safemalloc.c:194, mysys/my_malloc.c:210, maria/ma_sort.c:719, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263, sql/handler.cc:4654
      Allocated at maria/ma_sort.c:631, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263, sql/handler.cc:4654, sql/sql_select.cc:19840, sql/sql_update.cc:2641
      Error: Freeing overrun buffer 0x15542c00bdc0 at mysys/safemalloc.c:194, mysys/my_malloc.c:210, maria/ma_sort.c:719, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263, sql/handler.cc:4654
      Allocated at maria/ma_sort.c:631, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263, sql/handler.cc:4654, sql/sql_select.cc:19840, sql/sql_update.cc:2641
      double free or corruption (out)
      210201 12:47:24 [ERROR] mysqld got signal 6 ;
      ...
      Server version: 10.6.0-MariaDB-debug
      key_buffer_size=134217728
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=2
      It is possible that mysqld could use up to
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467973 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x15542c000db8
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x15545c907d38 thread_stack 0x49000
      mysys/stacktrace.c:212(my_print_stacktrace)[0x5589e786e421]
      sql/signal_handler.cc:208(handle_fatal_signal)[0x5589e7003013]
      2021-02-01 12:47:33 0x15544e7fb700  InnoDB: Assertion failure in file /data/builds/10.6_dbg/storage/innobase/dict/dict0stats.cc line 3213
      InnoDB: Failing assertion: strchr(table->name.m_name, '/') != NULL
      InnoDB: We intentionally generate a memory trap.
      

      10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Debug)

      Core was generated by `/test/MD260121-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGABRT, Aborted.
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      [Current thread is 1 (Thread 0x15544e7fb700 (LWP 1135994))]
      (gdb) bt
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      #1  0x00001554727b4859 in __GI_abort () at abort.c:79
      #2  0x00005589e764df5c in ut_dbg_assertion_failed (expr=expr@entry=0x5589e7ca08e8 "strchr(table->name.m_name, '/') != NULL", file=file@entry=0x5589e7c9f118 "/data/builds/10.6_dbg/storage/innobase/dict/dict0stats.cc", line=line@entry=3213) at /data/builds/10.6_dbg/storage/innobase/ut/ut0dbg.cc:60
      #3  0x00005589e774f31b in dict_stats_update (table=table@entry=0x15542c020db8, stats_upd_option=stats_upd_option@entry=DICT_STATS_RECALC_PERSISTENT) at /data/builds/10.6_dbg/storage/innobase/dict/dict0stats.cc:3213
      #4  0x00005589e7751dfd in dict_stats_process_entry_from_recalc_pool () at /data/builds/10.6_dbg/storage/innobase/dict/dict0stats_bg.cc:374
      #5  dict_stats_func () at /data/builds/10.6_dbg/storage/innobase/dict/dict0stats_bg.cc:408
      #6  0x00005589e77f9ece in tpool::thread_pool_generic::timer_generic::run (this=0x5589e9365240) at /data/builds/10.6_dbg/tpool/tpool_generic.cc:309
      #7  tpool::thread_pool_generic::timer_generic::execute (arg=0x5589e9365240) at /data/builds/10.6_dbg/tpool/tpool_generic.cc:329
      #8  0x00005589e77fae39 in tpool::task::execute (this=0x5589e9365280) at /data/builds/10.6_dbg/tpool/task.cc:52
      #9  0x00005589e77f99e9 in tpool::thread_pool_generic::worker_main (this=0x5589e8fe17f0, thread_var=0x5589e8ff1290) at /data/builds/10.6_dbg/tpool/tpool_generic.cc:546
      #10 0x00005589e77f9d20 in std::__invoke_impl<void, void (tpool::thread_pool_generic::*)(tpool::worker_data*), tpool::thread_pool_generic*, tpool::worker_data*> (__t=<optimized out>, __f=<optimized out>) at /usr/include/c++/9/bits/invoke.h:89
      #11 std::__invoke<void (tpool::thread_pool_generic::*)(tpool::worker_data*), tpool::thread_pool_generic*, tpool::worker_data*> (__fn=<optimized out>) at /usr/include/c++/9/bits/invoke.h:95
      #12 std::thread::_Invoker<std::tuple<void (tpool::thread_pool_generic::*)(tpool::worker_data*), tpool::thread_pool_generic*, tpool::worker_data*> >::_M_invoke<0ul, 1ul, 2ul> (this=<optimized out>) at /usr/include/c++/9/thread:244
      #13 std::thread::_Invoker<std::tuple<void (tpool::thread_pool_generic::*)(tpool::worker_data*), tpool::thread_pool_generic*, tpool::worker_data*> >::operator() (this=<optimized out>) at /usr/include/c++/9/thread:251
      #14 std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (tpool::thread_pool_generic::*)(tpool::worker_data*), tpool::thread_pool_generic*, tpool::worker_data*> > >::_M_run (this=<optimized out>) at /usr/include/c++/9/thread:195
      #15 0x0000155472ba6d84 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
      #16 0x0000155472cc2609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #17 0x00001554728b1293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      3) Assertion `trx == thd_to_trx(m_user_thd)' failed in ha_innobase::general_fetch on 10.6 debug (crashing again at line 79 of 2.sql)

      10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Debug)

      mysqld: /data/builds/10.6_dbg/storage/innobase/handler/ha_innodb.cc:8791: int ha_innobase::general_fetch(uchar*, uint, uint): Assertion `trx == thd_to_trx(m_user_thd)' failed.
      

      10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Debug)

      Core was generated by `/test/MD260121-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGABRT, Aborted.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      [Current thread is 1 (Thread 0x146d241f9700 (LWP 811041))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x0000560feea6c210 in my_write_core (sig=sig@entry=6) at /data/builds/10.6_dbg/mysys/stacktrace.c:424
      #2  0x0000560fee2012d0 in handle_fatal_signal (sig=6) at /data/builds/10.6_dbg/sql/signal_handler.cc:330
      #3  <signal handler called>
      #4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      #5  0x0000146d38e63859 in __GI_abort () at abort.c:79
      #6  0x0000146d38e63729 in __assert_fail_base (fmt=0x146d38ff9588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x560feee149da "trx == thd_to_trx(m_user_thd)", file=0x560feee16dc8 "/data/builds/10.6_dbg/storage/innobase/handler/ha_innodb.cc", line=8791, function=<optimized out>) at assert.c:92
      #7  0x0000146d38e74f36 in __GI___assert_fail (assertion=assertion@entry=0x560feee149da "trx == thd_to_trx(m_user_thd)", file=file@entry=0x560feee16dc8 "/data/builds/10.6_dbg/storage/innobase/handler/ha_innodb.cc", line=line@entry=8791, function=function@entry=0x560feee1ad40 "int ha_innobase::general_fetch(uchar*, uint, uint)") at assert.c:101
      #8  0x0000560fee5fd8fd in ha_innobase::general_fetch (this=this@entry=0x146cf4025f70, buf=buf@entry=0x146cf4025b08 "\376\002\255\345\060\061-01-01 10:10:10.999993", direction=direction@entry=1, match_mode=match_mode@entry=0) at /data/builds/10.6_dbg/storage/innobase/handler/ha_innodb.cc:8791
      #9  0x0000560fee60d3bb in ha_innobase::rnd_next (this=0x146cf4025f70, buf=0x146cf4025b08 "\376\002\255\345\060\061-01-01 10:10:10.999993") at /data/builds/10.6_dbg/storage/innobase/handler/ha_innodb.cc:9008
      #10 0x0000560fee208f27 in handler::ha_rnd_next (this=0x146cf4025f70, buf=0x146cf4025b08 "\376\002\255\345\060\061-01-01 10:10:10.999993") at /data/builds/10.6_dbg/sql/handler.cc:3066
      #11 0x0000560fee3dcb6d in rr_sequential (info=0x146cf4095710) at /data/builds/10.6_dbg/sql/records.h:82
      #12 0x0000560fedf8604b in READ_RECORD::read_record (this=0x146cf4095710) at /data/builds/10.6_dbg/sql/records.h:81
      #13 sub_select (join=0x146cf4014af8, join_tab=0x146cf4095648, end_of_records=<optimized out>) at /data/builds/10.6_dbg/sql/sql_select.cc:20621
      #14 0x0000560fedfbea22 in do_select (procedure=0x0, join=0x146cf4014af8) at /data/builds/10.6_dbg/sql/sql_select.cc:20149
      #15 JOIN::exec_inner (this=this@entry=0x146cf4014af8) at /data/builds/10.6_dbg/sql/sql_select.cc:4476
      #16 0x0000560fedfbee92 in JOIN::exec (this=this@entry=0x146cf4014af8) at /data/builds/10.6_dbg/sql/sql_select.cc:4256
      #17 0x0000560fedfbd0f2 in mysql_select (thd=thd@entry=0x146cf4000db8, tables=tables@entry=0x146cf40127c0, fields=@0x146d241f7d20: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x560fef50f2e0 <end_of_list>, last = 0x146d241f7d20, elements = 0}, <No data fields>}, conds=conds@entry=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2200096997504, result=0x146cf4014a20, unit=0x146cf4004f80, select_lex=0x146cf4005780) at /data/builds/10.6_dbg/sql/sql_select.cc:4672
      #18 0x0000560fee034d93 in mysql_multi_update (thd=thd@entry=0x146cf4000db8, table_list=0x146cf40127c0, fields=fields@entry=0x146cf40058d0, values=values@entry=0x146cf4005e40, conds=0x0, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x146cf4004f80, select_lex=0x146cf4005780, result=0x146d241f7f60) at /data/builds/10.6_dbg/sql/sql_update.cc:1950
      #19 0x0000560fedf3e366 in mysql_execute_command (thd=thd@entry=0x146cf4000db8) at /data/builds/10.6_dbg/sql/sql_parse.cc:4372
      #20 0x0000560fedf2915e in mysql_parse (thd=thd@entry=0x146cf4000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x146d241f83d0) at /data/builds/10.6_dbg/sql/sql_parse.cc:7901
      #21 0x0000560fedf3724f in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x146cf4000db8, packet=packet@entry=0x146cf401aac9 "UPDATE t1 SET a=( (SELECT MAX(a) FROM t1))", packet_length=packet_length@entry=42) at /data/builds/10.6_dbg/sql/sql_class.h:1294
      #22 0x0000560fedf3a581 in do_command (thd=0x146cf4000db8) at /data/builds/10.6_dbg/sql/sql_parse.cc:1365
      #23 0x0000560fee096079 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x560ff0d9ca68, put_in_cache=put_in_cache@entry=true) at /data/builds/10.6_dbg/sql/sql_connect.cc:1410
      #24 0x0000560fee09677d in handle_one_connection (arg=arg@entry=0x560ff0d9ca68) at /data/builds/10.6_dbg/sql/sql_connect.cc:1312
      #25 0x0000560fee54943f in pfs_spawn_thread (arg=0x560ff0cd1438) at /data/builds/10.6_dbg/storage/perfschema/pfs.cc:2201
      #26 0x0000146d39371609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #27 0x0000146d38f60293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      4) A hang, similar to previously described and also mentioned in MDEV-24749, this time while executing SQL. CLI + mysqladmin unusable (hang also on attempt), mysqld process still live while sig6 crash in error log already (the only thing that helps to kill mysqld here is kill -9 PID), no stack, no core, but Freeing overrun buffer message:

      10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Debug)

      2021-02-01 12:39:21 0 [Note] /test/MD260121-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld: ready for connections.
      Version: '10.6.0-MariaDB-debug'  socket: '/test/MD260121-mariadb-10.6.0-linux-x86_64-dbg/socket.sock'  port: 10503  MariaDB Server
      Error: Freeing overrun buffer 0x1530400286d0 at 0x55c0c2b99cb8, mysys/safemalloc.c:194, mysys/my_malloc.c:210, maria/ma_sort.c:719, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263
      Allocated at sql/handler.cc:4654, maria/ma_sort.c:631, maria/ma_check.c:4551, maria/ha_maria.cc:1657, maria/ha_maria.cc:2024, maria/ha_maria.cc:2263, sql/handler.cc:4654, sql/sql_select.cc:19840
      realloc(): invalid old size
      210201 12:39:26 [ERROR] mysqld got signal 6 ;
      

        Attachments

        1. 1.sql
          4 kB
        2. 2.sql
          4 kB
        3. 3.sql
          3 kB
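
The symptoms listed in this report (a `Freeing overrun buffer` message from the Aria sort code alongside InnoDB assertions on `magic_n` and on the '/' in the table name) are what an overrun in one allocation looks like when it damages a neighbouring object. The C model below is an added illustration, not MariaDB code and not part of the report: the arena layout, offsets, guard pattern and function names are assumptions, and only the magic value 76333786 and the '/' name check are taken from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not MariaDB code: one flat arena in which an Aria-style
 * sort buffer sits directly in front of an unrelated table object, so an
 * overrun stays inside the array and the demo has defined behaviour. */
enum {
    SORT_OFF  = 0,  SORT_LEN  = 32,  /* buffer the caller actually owns       */
    GUARD_OFF = 32, GUARD_LEN = 4,   /* trailer a debug allocator would check */
    MAGIC_OFF = 36,                  /* neighbour's magic_n (uint32_t)        */
    NAME_OFF  = 40, NAME_LEN  = 12,  /* neighbour's "db/table" name           */
    ARENA_LEN = 52
};

#define TABLE_MAGIC 76333786u  /* value from the assertion quoted on this page */
#define GUARD_BYTE  0xA5       /* constructed guard pattern (assumption) */

static void arena_init(unsigned char *a)
{
    const uint32_t magic = TABLE_MAGIC;
    memset(a, 0, ARENA_LEN);
    memset(a + GUARD_OFF, GUARD_BYTE, GUARD_LEN);
    memcpy(a + MAGIC_OFF, &magic, sizeof magic);
    memcpy(a + NAME_OFF, "test/t1", 8);        /* constructed sample name */
}

/* Models a read that trusts the requested length instead of the buffer size.
 * Clamped to the arena only so that the demonstration itself stays in bounds. */
static int unchecked_fill(unsigned char *a, size_t len)
{
    if (len > (size_t)ARENA_LEN) len = (size_t)ARENA_LEN;
    memset(a + SORT_OFF, 0xFE, len);
    return (int)len;
}

/* Same operation with the length validated against what the caller owns. */
static int checked_fill(unsigned char *a, size_t len)
{
    if (len > (size_t)SORT_LEN) return -1;
    memset(a + SORT_OFF, 0xFE, len);
    return (int)len;
}

/* Free-time check: reports the overrun, but only after the damage is done. */
static int guard_intact(const unsigned char *a)
{
    for (size_t i = 0; i < (size_t)GUARD_LEN; i++)
        if (a[GUARD_OFF + i] != GUARD_BYTE) return 0;
    return 1;
}

/* Neighbour's own sanity checks, mirroring the two assertions in the report. */
static int table_magic_ok(const unsigned char *a)
{
    uint32_t magic;
    memcpy(&magic, a + MAGIC_OFF, sizeof magic);
    return magic == TABLE_MAGIC;
}

static int table_name_ok(const unsigned char *a)
{
    return memchr(a + NAME_OFF, '/', NAME_LEN) != NULL;
}

int main(void)
{
    static const size_t lens[] = { 32, 34, 40, 45 };
    unsigned char a[ARENA_LEN];

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        arena_init(a);
        unchecked_fill(a, lens[i]);
        printf("len=%2zu guard=%d magic_n=%d name=%d\n", lens[i],
               guard_intact(a), table_magic_ok(a), table_name_ok(a));
    }
    arena_init(a);
    printf("checked len=45 -> %d, guard=%d\n",
           checked_fill(a, 45), guard_intact(a));
    return 0;
}
```

How far the write runs past the buffer decides which check fires first, which is consistent with one testcase producing a different failing assertion from run to run.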

              People

              Assignee:
              monty Michael Widenius
              Reporter:
              Roel Roel Van de Paar