[MDEV-26583] SIGSEGV's in spider_get_select_limit_from_select_lex when DELAYED INSERT is used - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL)
Fix Version/s: 10.4.23, 10.5.14, 10.6.6, 10.7.2
Component/s: Storage Engine - Spider
Labels:

Description

Repeat till it crashes. Sporadic or delayed due to INSERT DELAYED.

DROP DATABASE test;

CREATE DATABASE test;

USE test;

INSTALL PLUGIN spider SONAME 'ha_spider.so';

CREATE SERVER d FOREIGN DATA WRAPPER mysql OPTIONS (HOST'',DATABASE'',USER'',PORT 10000,PASSWORD'');

SET SESSION spider_same_server_link=ON;

CREATE TABLE t (c INT AUTO_INCREMENT KEY,c2 INT,INDEX i (c2)) ENGINE=SPIDER ROW_FORMAT=COMPRESSED;

INSERT DELAYED INTO t VALUES (0,0),(0,0),(0,0);

SELECT SLEEP (3);

Leads to:

10.7.0 1bc82aaf0a7746c0921a94034aff2d51f0d75cd0 (Debug)
Core was generated by `/test/MD040921-mariadb-10.7.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000014a4b2f06e9d in spider_get_select_limit_from_select_lex (
select_lex=0x14a484014468, select_limit=select_limit@entry=0x14a4c010ab90,
offset_limit=offset_limit@entry=0x14a4c010ab98)
at /test/10.7_dbg/storage/spider/spd_table.cc:8967
[Current thread is 1 (Thread 0x14a4c010c700 (LWP 585154))]
(gdb) bt
#0 0x000014a4b2f06e9d in spider_get_select_limit_from_select_lex (select_lex=0x14a484014468, select_limit=select_limit@entry=0x14a4c010ab90, offset_limit=offset_limit@entry=0x14a4c010ab98) at /test/10.7_dbg/storage/spider/spd_table.cc:8967
#1 0x000014a4b2f06f59 in spider_get_select_limit (spider=spider@entry=0x14a430005010, select_lex=select_lex@entry=0x14a4c010ab88, select_limit=select_limit@entry=0x14a4c010ab90, offset_limit=offset_limit@entry=0x14a4c010ab98) at /test/10.7_dbg/storage/spider/spd_table.cc:8983
#2 0x000014a4b2f070d0 in spider_split_read_param (spider=spider@entry=0x14a430005010) at /test/10.7_dbg/storage/spider/spd_table.cc:9020
#3 0x000014a4b2f07903 in spider_set_result_list_param (spider=spider@entry=0x14a430005010) at /test/10.7_dbg/storage/spider/spd_table.cc:8439
#4 0x000014a4b2f554ab in ha_spider::index_init (this=this@entry=0x14a430005010, idx=0, sorted=sorted@entry=true) at /test/10.7_dbg/storage/spider/ha_spider.cc:1778
#5 0x000014a4b2f55714 in ha_spider::get_auto_increment (this=0x14a430005010, offset=<optimized out>, increment=1, nb_desired_values=1, first_value=0x14a4c010b990, nb_reserved_values=0x14a4c010b998) at /test/10.7_dbg/storage/spider/ha_spider.cc:9800
#6 0x0000555b9fd59227 in handler::update_auto_increment (this=this@entry=0x14a430005010) at /test/10.7_dbg/sql/handler.cc:3954
#7 0x000014a4b2f3b52c in ha_spider::update_auto_increment (this=this@entry=0x14a430005010) at /test/10.7_dbg/storage/spider/ha_spider.cc:9755
#8 0x000014a4b2f574f3 in ha_spider::write_row (this=0x14a430005010, buf=0x14a430004b88 <incomplete sequence \375>) at /test/10.7_dbg/storage/spider/ha_spider.cc:10014
#9 0x0000555b9fd610b5 in handler::ha_write_row (this=0x14a430005010, buf=0x14a430004b88 <incomplete sequence \375>) at /test/10.7_dbg/sql/handler.cc:7514
#10 0x0000555b9fa0533a in write_record (thd=thd@entry=0x14a48409c948, table=0x14a430001cc8, info=info@entry=0x14a4840a35e8, sink=sink@entry=0x0) at /test/10.7_dbg/sql/sql_insert.cc:2135
#11 0x0000555b9fa07e0c in Delayed_insert::handle_inserts (this=this@entry=0x14a48409c928) at /test/10.7_dbg/sql/sql_insert.cc:3576
#12 0x0000555b9fa09885 in handle_delayed_insert (arg=arg@entry=0x14a48409c928) at /test/10.7_dbg/sql/sql_insert.cc:3316
#13 0x0000555ba0033ade in pfs_spawn_thread (arg=0x555ba32c7418) at /test/10.7_dbg/storage/perfschema/pfs.cc:2201
#14 0x000014a4d64db609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#15 0x000014a4d60c9293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.4.22 (dbg), 10.5.13 (dbg), 10.6.5 (dbg), 10.7.0 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (opt), 10.5.13 (opt), 10.6.5 (opt), 10.7.0 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.35 (dbg), 5.7.35 (opt), 8.0.26 (dbg), 8.0.26 (opt)

Attachments

Issue Links

relates to

MDEV-24769 Spider crash when selecting all rows from the partitioned table

Closed

MDEV-27231 Spider: SIGSEGV in spider_db_bulk_insert on INSERT DELAYED

Closed

MDEV-28406 Spider: SIGSEGV in ha_spider::index_last_internal on INSERT DELAYED

Closed

MDEV-24769 Spider crash when selecting all rows from the partitioned table

Closed

MDEV-34735 Hang & Assertion `len > alloc_length' failed in Binary_string::realloc_raw & SIGSEGV in spider_get_select_limit_from_select_lex

Open

Activity

Ascending order - Click to sort in descending order

Roel Van de Paar created issue - 2021-09-10 05:10

Roel Van de Paar made changes - 2021-09-10 05:16

Field	Original Value	New Value
Link		This issue relates to TODO-3120 [ TODO-3120 ]

Roel Van de Paar made changes - 2021-09-10 08:16

Summary

SIGSEGV in spider_get_select_limit_from_select_lex on INSERT DELAYED

SIGSEGV's in spider_get_select_limit_from_select_lex on various queries

Roel Van de Paar made changes - 2021-09-10 08:16

Component/s

Data Manipulation - Insert [ 10101 ]

Roel Van de Paar made changes - 2021-09-10 08:16

Labels

regression

affects-tests regression

Roel Van de Paar made changes - 2021-09-10 08:17

Link

This issue relates to ~~MDEV-24769~~ [ ~~MDEV-24769~~ ]

Roel Van de Paar added a comment - 2021-09-10 08:22

The issue is also seen on UPDATE. Again sporadic. Repeat 1-x times.

DROP DATABASE test;

CREATE DATABASE test;

USE test;

INSTALL PLUGIN spider SONAME 'ha_spider.so';

CREATE TABLE t1 (id INT AUTO_INCREMENT PRIMARY KEY) ENGINE=SPIDER;

INSERT INTO nonexisting VALUES (1);

INSERT DELAYED INTO t1 VALUES (0);

UPDATE t1 SET a=0 WHERE a>1;

Leads to:

10.7.0 1bc82aaf0a7746c0921a94034aff2d51f0d75cd0 (Debug)
Core was generated by `/test/MD040921-mariadb-10.7.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000015147d2fce9d in spider_get_select_limit_from_select_lex (
select_lex=0x151454014450, select_limit=select_limit@entry=0x15148c15cb90,
offset_limit=offset_limit@entry=0x15148c15cb98)
at /test/10.7_dbg/storage/spider/spd_table.cc:8967
[Current thread is 1 (Thread 0x15148c15e700 (LWP 1391519))]
(gdb) bt
#0 0x000015147d2fce9d in spider_get_select_limit_from_select_lex (select_lex=0x151454014450, select_limit=select_limit@entry=0x15148c15cb90, offset_limit=offset_limit@entry=0x15148c15cb98) at /test/10.7_dbg/storage/spider/spd_table.cc:8967
#1 0x000015147d2fcf59 in spider_get_select_limit (spider=spider@entry=0x151400004db0, select_lex=select_lex@entry=0x15148c15cb88, select_limit=select_limit@entry=0x15148c15cb90, offset_limit=offset_limit@entry=0x15148c15cb98) at /test/10.7_dbg/storage/spider/spd_table.cc:8983
#2 0x000015147d2fd0d0 in spider_split_read_param (spider=spider@entry=0x151400004db0) at /test/10.7_dbg/storage/spider/spd_table.cc:9020
#3 0x000015147d2fd903 in spider_set_result_list_param (spider=spider@entry=0x151400004db0) at /test/10.7_dbg/storage/spider/spd_table.cc:8439
#4 0x000015147d34b4ab in ha_spider::index_init (this=this@entry=0x151400004db0, idx=0, sorted=sorted@entry=true) at /test/10.7_dbg/storage/spider/ha_spider.cc:1778
#5 0x000015147d34b714 in ha_spider::get_auto_increment (this=0x151400004db0, offset=<optimized out>, increment=1, nb_desired_values=1, first_value=0x15148c15d990, nb_reserved_values=0x15148c15d998) at /test/10.7_dbg/storage/spider/ha_spider.cc:9800
#6 0x0000564087f9f227 in handler::update_auto_increment (this=this@entry=0x151400004db0) at /test/10.7_dbg/sql/handler.cc:3954
#7 0x000015147d33152c in ha_spider::update_auto_increment (this=this@entry=0x151400004db0) at /test/10.7_dbg/storage/spider/ha_spider.cc:9755
#8 0x000015147d34d4f3 in ha_spider::write_row (this=0x151400004db0, buf=0x151400004928 "\377") at /test/10.7_dbg/storage/spider/ha_spider.cc:10014
#9 0x0000564087fa70b5 in handler::ha_write_row (this=0x151400004db0, buf=0x151400004928 "\377") at /test/10.7_dbg/sql/handler.cc:7514
#10 0x0000564087c4b33a in write_record (thd=thd@entry=0x151454097e08, table=0x1514000044d8, info=info@entry=0x15145409eaa8, sink=sink@entry=0x0) at /test/10.7_dbg/sql/sql_insert.cc:2135
#11 0x0000564087c4de0c in Delayed_insert::handle_inserts (this=this@entry=0x151454097de8) at /test/10.7_dbg/sql/sql_insert.cc:3576
#12 0x0000564087c4f885 in handle_delayed_insert (arg=arg@entry=0x151454097de8) at /test/10.7_dbg/sql/sql_insert.cc:3316
#13 0x0000564088279ade in pfs_spawn_thread (arg=0x56408a25a348) at /test/10.7_dbg/storage/perfschema/pfs.cc:2201
#14 0x00001514a1b3e609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#15 0x00001514a172c293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Also produces an additional stack:

10.5.13 0268b8712288d46fbd8a43fdef6bada399b68dff (Optimized)
Core was generated by `/test/MD160821-mariadb-10.5.13-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000014cd2ef6029a in spider_get_select_limit_from_select_lex (
offset_limit=0x14cd3c053c88, select_limit=0x14cd3c053c80,
select_lex=<optimized out>)
at /test/10.5_opt/storage/spider/spd_table.cc:8786
[Current thread is 1 (Thread 0x14cd3c055700 (LWP 1422251))]
(gdb) bt
#0 0x000014cd2ef6029a in spider_get_select_limit_from_select_lex (offset_limit=0x14cd3c053c88, select_limit=0x14cd3c053c80, select_lex=<optimized out>) at /test/10.5_opt/storage/spider/spd_table.cc:8786
#1 spider_get_select_limit_from_select_lex (select_lex=0x14ccf8010bb8, select_limit=0x14cd3c053c80, offset_limit=0x14cd3c053c88) at /test/10.5_opt/storage/spider/spd_table.cc:8776
#2 0x000014cd2ef603e9 in spider_split_read_param (spider=spider@entry=0x14cca4006c60) at /test/10.5_opt/storage/spider/spd_table.cc:8839
#3 0x000014cd2ef607b0 in spider_set_result_list_param (spider=spider@entry=0x14cca4006c60) at /test/10.5_opt/storage/spider/spd_table.cc:8264
#4 0x000014cd2ef93dcd in ha_spider::index_init (this=this@entry=0x14cca4006c60, idx=0, sorted=sorted@entry=true) at /test/10.5_opt/storage/spider/ha_spider.cc:1778
#5 0x000014cd2ef9404d in ha_spider::get_auto_increment (this=0x14cca4006c60, offset=<optimized out>, increment=1, nb_desired_values=1, first_value=0x14cd3c054a10, nb_reserved_values=0x14cd3c054a18) at /test/10.5_opt/storage/spider/ha_spider.cc:9800
#6 0x00005572c641d408 in handler::update_auto_increment (this=this@entry=0x14cca4006c60) at /test/10.5_opt/sql/handler.cc:3638
#7 0x000014cd2ef821c8 in ha_spider::update_auto_increment (this=this@entry=0x14cca4006c60) at /test/10.5_opt/storage/spider/ha_spider.cc:9755
#8 0x000014cd2ef954c5 in ha_spider::write_row (this=0x14cca4006c60, buf=0x14cca4014a08 "\377") at /test/10.5_opt/storage/spider/ha_spider.cc:10014
#9 0x00005572c6422dc8 in handler::ha_write_row (this=0x14cca4006c60, buf=0x14cca4014a08 "\377") at /test/10.5_opt/sql/handler.cc:7168
#10 0x00005572c61c328d in write_record (thd=thd@entry=0x14ccf806fea8, table=0x14cca401a078, info=info@entry=0x14ccf8076540, sink=sink@entry=0x0) at /test/10.5_opt/sql/sql_insert.cc:2129
#11 0x00005572c61c5e0d in Delayed_insert::handle_inserts (this=this@entry=0x14ccf806fe88) at /test/10.5_opt/sql/sql_insert.cc:3565
#12 0x00005572c61cd837 in handle_delayed_insert (arg=arg@entry=0x14ccf806fe88) at /test/10.5_opt/sql/sql_insert.cc:3305
#13 0x00005572c66975c9 in pfs_spawn_thread (arg=0x14ccf8068818) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
#14 0x000014cd5242a609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#15 0x000014cd52018293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.4.22 (dbg), 10.5.13 (dbg), 10.5.13 (opt), 10.7.0 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.0 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.35 (dbg), 5.7.35 (opt), 8.0.26 (dbg), 8.0.26 (opt)

Roel Van de Paar added a comment - 2021-09-10 08:22 The issue is also seen on UPDATE. Again sporadic. Repeat 1-x times. DROP DATABASE test; CREATE DATABASE test; USE test; INSTALL PLUGIN spider SONAME 'ha_spider.so' ; CREATE TABLE t1 (id INT AUTO_INCREMENT PRIMARY KEY ) ENGINE=SPIDER; INSERT INTO nonexisting VALUES (1); INSERT DELAYED INTO t1 VALUES (0); UPDATE t1 SET a=0 WHERE a>1; Leads to: 10.7.0 1bc82aaf0a7746c0921a94034aff2d51f0d75cd0 (Debug) Core was generated by `/test/MD040921-mariadb-10.7.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x000015147d2fce9d in spider_get_select_limit_from_select_lex ( select_lex=0x151454014450, select_limit=select_limit@entry=0x15148c15cb90, offset_limit=offset_limit@entry=0x15148c15cb98) at /test/10.7_dbg/storage/spider/spd_table.cc:8967 [Current thread is 1 (Thread 0x15148c15e700 (LWP 1391519))] (gdb) bt #0 0x000015147d2fce9d in spider_get_select_limit_from_select_lex (select_lex=0x151454014450, select_limit=select_limit@entry=0x15148c15cb90, offset_limit=offset_limit@entry=0x15148c15cb98) at /test/10.7_dbg/storage/spider/spd_table.cc:8967 #1 0x000015147d2fcf59 in spider_get_select_limit (spider=spider@entry=0x151400004db0, select_lex=select_lex@entry=0x15148c15cb88, select_limit=select_limit@entry=0x15148c15cb90, offset_limit=offset_limit@entry=0x15148c15cb98) at /test/10.7_dbg/storage/spider/spd_table.cc:8983 #2 0x000015147d2fd0d0 in spider_split_read_param (spider=spider@entry=0x151400004db0) at /test/10.7_dbg/storage/spider/spd_table.cc:9020 #3 0x000015147d2fd903 in spider_set_result_list_param (spider=spider@entry=0x151400004db0) at /test/10.7_dbg/storage/spider/spd_table.cc:8439 #4 0x000015147d34b4ab in ha_spider::index_init (this=this@entry=0x151400004db0, idx=0, sorted=sorted@entry=true) at /test/10.7_dbg/storage/spider/ha_spider.cc:1778 #5 0x000015147d34b714 in ha_spider::get_auto_increment (this=0x151400004db0, offset=<optimized out>, increment=1, nb_desired_values=1, first_value=0x15148c15d990, nb_reserved_values=0x15148c15d998) at /test/10.7_dbg/storage/spider/ha_spider.cc:9800 #6 0x0000564087f9f227 in handler::update_auto_increment (this=this@entry=0x151400004db0) at /test/10.7_dbg/sql/handler.cc:3954 #7 0x000015147d33152c in ha_spider::update_auto_increment (this=this@entry=0x151400004db0) at /test/10.7_dbg/storage/spider/ha_spider.cc:9755 #8 0x000015147d34d4f3 in ha_spider::write_row (this=0x151400004db0, buf=0x151400004928 "\377") at /test/10.7_dbg/storage/spider/ha_spider.cc:10014 #9 0x0000564087fa70b5 in handler::ha_write_row (this=0x151400004db0, buf=0x151400004928 "\377") at /test/10.7_dbg/sql/handler.cc:7514 #10 0x0000564087c4b33a in write_record (thd=thd@entry=0x151454097e08, table=0x1514000044d8, info=info@entry=0x15145409eaa8, sink=sink@entry=0x0) at /test/10.7_dbg/sql/sql_insert.cc:2135 #11 0x0000564087c4de0c in Delayed_insert::handle_inserts (this=this@entry=0x151454097de8) at /test/10.7_dbg/sql/sql_insert.cc:3576 #12 0x0000564087c4f885 in handle_delayed_insert (arg=arg@entry=0x151454097de8) at /test/10.7_dbg/sql/sql_insert.cc:3316 #13 0x0000564088279ade in pfs_spawn_thread (arg=0x56408a25a348) at /test/10.7_dbg/storage/perfschema/pfs.cc:2201 #14 0x00001514a1b3e609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #15 0x00001514a172c293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 Also produces an additional stack: 10.5.13 0268b8712288d46fbd8a43fdef6bada399b68dff (Optimized) Core was generated by `/test/MD160821-mariadb-10.5.13-linux-x86_64-opt/bin/mysqld --no-defaults --core'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x000014cd2ef6029a in spider_get_select_limit_from_select_lex ( offset_limit=0x14cd3c053c88, select_limit=0x14cd3c053c80, select_lex=<optimized out>) at /test/10.5_opt/storage/spider/spd_table.cc:8786 [Current thread is 1 (Thread 0x14cd3c055700 (LWP 1422251))] (gdb) bt #0 0x000014cd2ef6029a in spider_get_select_limit_from_select_lex (offset_limit=0x14cd3c053c88, select_limit=0x14cd3c053c80, select_lex=<optimized out>) at /test/10.5_opt/storage/spider/spd_table.cc:8786 #1 spider_get_select_limit_from_select_lex (select_lex=0x14ccf8010bb8, select_limit=0x14cd3c053c80, offset_limit=0x14cd3c053c88) at /test/10.5_opt/storage/spider/spd_table.cc:8776 #2 0x000014cd2ef603e9 in spider_split_read_param (spider=spider@entry=0x14cca4006c60) at /test/10.5_opt/storage/spider/spd_table.cc:8839 #3 0x000014cd2ef607b0 in spider_set_result_list_param (spider=spider@entry=0x14cca4006c60) at /test/10.5_opt/storage/spider/spd_table.cc:8264 #4 0x000014cd2ef93dcd in ha_spider::index_init (this=this@entry=0x14cca4006c60, idx=0, sorted=sorted@entry=true) at /test/10.5_opt/storage/spider/ha_spider.cc:1778 #5 0x000014cd2ef9404d in ha_spider::get_auto_increment (this=0x14cca4006c60, offset=<optimized out>, increment=1, nb_desired_values=1, first_value=0x14cd3c054a10, nb_reserved_values=0x14cd3c054a18) at /test/10.5_opt/storage/spider/ha_spider.cc:9800 #6 0x00005572c641d408 in handler::update_auto_increment (this=this@entry=0x14cca4006c60) at /test/10.5_opt/sql/handler.cc:3638 #7 0x000014cd2ef821c8 in ha_spider::update_auto_increment (this=this@entry=0x14cca4006c60) at /test/10.5_opt/storage/spider/ha_spider.cc:9755 #8 0x000014cd2ef954c5 in ha_spider::write_row (this=0x14cca4006c60, buf=0x14cca4014a08 "\377") at /test/10.5_opt/storage/spider/ha_spider.cc:10014 #9 0x00005572c6422dc8 in handler::ha_write_row (this=0x14cca4006c60, buf=0x14cca4014a08 "\377") at /test/10.5_opt/sql/handler.cc:7168 #10 0x00005572c61c328d in write_record (thd=thd@entry=0x14ccf806fea8, table=0x14cca401a078, info=info@entry=0x14ccf8076540, sink=sink@entry=0x0) at /test/10.5_opt/sql/sql_insert.cc:2129 #11 0x00005572c61c5e0d in Delayed_insert::handle_inserts (this=this@entry=0x14ccf806fe88) at /test/10.5_opt/sql/sql_insert.cc:3565 #12 0x00005572c61cd837 in handle_delayed_insert (arg=arg@entry=0x14ccf806fe88) at /test/10.5_opt/sql/sql_insert.cc:3305 #13 0x00005572c66975c9 in pfs_spawn_thread (arg=0x14ccf8068818) at /test/10.5_opt/storage/perfschema/pfs.cc:2201 #14 0x000014cd5242a609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #15 0x000014cd52018293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 Bug confirmed present in: MariaDB: 10.4.22 (dbg), 10.5.13 (dbg), 10.5.13 (opt), 10.7.0 (dbg) Bug (or feature/syntax) confirmed not present in: MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.0 (opt) MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.35 (dbg), 5.7.35 (opt), 8.0.26 (dbg), 8.0.26 (opt)

Roel Van de Paar made changes - 2021-09-10 09:50

Summary

SIGSEGV's in spider_get_select_limit_from_select_lex on various queries

SIGSEGV's in spider_get_select_limit_from_select_lex when DELAYED INSERT is used

Roel Van de Paar made changes - 2021-12-05 17:34

Affects Version/s

10.8 [ 26121 ]

Roel Van de Paar added a comment - 2021-12-05 17:35 - edited

INSTALL PLUGIN spider SONAME 'ha_spider.so';

CREATE SERVER d FOREIGN DATA WRAPPER mysql OPTIONS (HOST'',DATABASE'',USER'',PORT 10000,PASSWORD'');

SET SESSION spider_same_server_link=ON;

CREATE TABLE t0(a INT AUTO_INCREMENT KEY,b VARCHAR(0)) ENGINE=SPIDER;

INSERT DELAYED INTO t0 VALUES(0,'');

INSERT INTO t0(col0)VALUES(STR_TO_DATE('',''));

Leads to:

10.7.2 06988bdcaa2d1af2c178c199b7f65dbafda45a2c (Debug)
Core was generated by `/test/MD121121-mariadb-10.7.2-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000151e4ef05e70 in spider_get_select_limit_from_select_lex (
select_lex=0x151e2c0145a8, select_limit=select_limit@entry=0x151e5c0f9b90,
offset_limit=offset_limit@entry=0x151e5c0f9b98)
at /test/10.7_dbg/storage/spider/spd_table.cc:8967
[Current thread is 1 (Thread 0x151e5c0fb700 (LWP 166437))]
(gdb) bt
#0 0x0000151e4ef05e70 in spider_get_select_limit_from_select_lex (select_lex=0x151e2c0145a8, select_limit=select_limit@entry=0x151e5c0f9b90, offset_limit=offset_limit@entry=0x151e5c0f9b98) at /test/10.7_dbg/storage/spider/spd_table.cc:8967
#1 0x0000151e4ef05f2c in spider_get_select_limit (spider=spider@entry=0x151dd0004dd0, select_lex=select_lex@entry=0x151e5c0f9b88, select_limit=select_limit@entry=0x151e5c0f9b90, offset_limit=offset_limit@entry=0x151e5c0f9b98) at /test/10.7_dbg/storage/spider/spd_table.cc:8983
#2 0x0000151e4ef060a3 in spider_split_read_param (spider=spider@entry=0x151dd0004dd0) at /test/10.7_dbg/storage/spider/spd_table.cc:9020
#3 0x0000151e4ef068d6 in spider_set_result_list_param (spider=spider@entry=0x151dd0004dd0) at /test/10.7_dbg/storage/spider/spd_table.cc:8439
#4 0x0000151e4ef544a3 in ha_spider::index_init (this=this@entry=0x151dd0004dd0, idx=0, sorted=sorted@entry=true) at /test/10.7_dbg/storage/spider/ha_spider.cc:1778
#5 0x0000151e4ef5470c in ha_spider::get_auto_increment (this=0x151dd0004dd0, offset=<optimized out>, increment=1, nb_desired_values=1, first_value=0x151e5c0fa990, nb_reserved_values=0x151e5c0fa998) at /test/10.7_dbg/storage/spider/ha_spider.cc:9800
#6 0x000055d7401f96df in handler::update_auto_increment (this=this@entry=0x151dd0004dd0) at /test/10.7_dbg/sql/handler.cc:3951
#7 0x0000151e4ef3a524 in ha_spider::update_auto_increment (this=this@entry=0x151dd0004dd0) at /test/10.7_dbg/storage/spider/ha_spider.cc:9755
#8 0x0000151e4ef564eb in ha_spider::write_row (this=0x151dd0004dd0, buf=0x151dd0004948 "\376") at /test/10.7_dbg/storage/spider/ha_spider.cc:10014
#9 0x000055d740201559 in handler::ha_write_row (this=0x151dd0004dd0, buf=0x151dd0004948 "\376") at /test/10.7_dbg/sql/handler.cc:7516
#10 0x000055d73fea0eee in write_record (thd=thd@entry=0x151e2c07e6c8, table=0x151dd00044f8, info=info@entry=0x151e2c085468, sink=sink@entry=0x0) at /test/10.7_dbg/sql/sql_insert.cc:2156
#11 0x000055d73fea39c0 in Delayed_insert::handle_inserts (this=this@entry=0x151e2c07e6a8) at /test/10.7_dbg/sql/sql_insert.cc:3597
#12 0x000055d73fea5439 in handle_delayed_insert (arg=arg@entry=0x151e2c07e6a8) at /test/10.7_dbg/sql/sql_insert.cc:3337
#13 0x000055d7404ea4ca in pfs_spawn_thread (arg=0x55d743ee3a18) at /test/10.7_dbg/storage/perfschema/pfs.cc:2201
#14 0x0000151e732f3609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#15 0x0000151e72ee1293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.7.2 06988bdcaa2d1af2c178c199b7f65dbafda45a2c (Optimized)
Core was generated by `/test/MD121121-mariadb-10.7.2-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000000000000004 in ?? ()
[Current thread is 1 (Thread 0x14ead00a0700 (LWP 262096))]
(gdb) bt
#0 0x0000000000000004 in ?? ()
#1 0x000014eabcc7ea7e in spider_get_select_limit_from_select_lex (offset_limit=0x14ead009ed68, select_limit=0x14ead009ed60, select_lex=<optimized out>) at /test/10.7_opt/storage/spider/spd_table.cc:8969
#2 spider_get_select_limit_from_select_lex (select_lex=0x14ea70011088, select_limit=0x14ead009ed60, offset_limit=0x14ead009ed68) at /test/10.7_opt/storage/spider/spd_table.cc:8957
#3 0x000014eabcc7eba9 in spider_split_read_param (spider=spider@entry=0x14ea14003270) at /test/10.7_opt/storage/spider/spd_table.cc:9020
#4 0x000014eabcc7ef70 in spider_set_result_list_param (spider=spider@entry=0x14ea14003270) at /test/10.7_opt/storage/spider/spd_table.cc:8439
#5 0x000014eabccafdcd in ha_spider::index_init (this=this@entry=0x14ea14003270, idx=0, sorted=sorted@entry=true) at /test/10.7_opt/storage/spider/ha_spider.cc:1778
#6 0x000014eabccb0045 in ha_spider::get_auto_increment (this=0x14ea14003270, offset=<optimized out>, increment=1, nb_desired_values=1, first_value=0x14ead009fac0, nb_reserved_values=0x14ead009fac8) at /test/10.7_opt/storage/spider/ha_spider.cc:9800
#7 0x00005581b2b5c0d8 in handler::update_auto_increment (this=this@entry=0x14ea14003270) at /test/10.7_opt/sql/handler.cc:3951
#8 0x000014eabcc9f1d6 in ha_spider::update_auto_increment (this=0x14ea14003270) at /test/10.7_opt/storage/spider/ha_spider.cc:9755
#9 0x000014eabccb12a5 in ha_spider::write_row (this=0x14ea14003270, buf=0x14ea14002e58 "\376") at /test/10.7_opt/storage/spider/ha_spider.cc:10014
#10 0x00005581b2b61aa0 in handler::ha_write_row (this=0x14ea14003270, buf=0x14ea14002e58 "\376") at /test/10.7_opt/sql/handler.cc:7516
#11 0x00005581b28d447d in write_record (thd=thd@entry=0x14ea70059c68, table=0x14ea14002a78, info=info@entry=0x14ea70060640, sink=sink@entry=0x0) at /test/10.7_opt/sql/sql_insert.cc:2156
#12 0x00005581b28d6ead in Delayed_insert::handle_inserts (this=0x14ea70059c48) at /test/10.7_opt/sql/sql_insert.cc:3597
#13 0x00005581b28de475 in handle_delayed_insert (arg=arg@entry=0x14ea70059c48) at /test/10.7_opt/sql/sql_insert.cc:3337
#14 0x00005581b2d9e0a8 in pfs_spawn_thread (arg=0x5581b620fbb8) at /test/10.7_opt/storage/perfschema/pfs.cc:2201
#15 0x000014ead319f609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#16 0x000014ead2d8d293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.8.0 bc57ff7cf79504a198d4752b4748340a4afd886c (Optimized)
Core was generated by `/test/MD121121-mariadb-10.8.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000000000000004 in ?? ()
[Current thread is 1 (Thread 0x153b38e92700 (LWP 262109))]
(gdb) bt
#0 0x0000000000000004 in ?? ()
#1 0x0000153b380c9a7e in spider_get_select_limit_from_select_lex (offset_limit=0x153b38e90d38, select_limit=0x153b38e90d30, select_lex=<optimized out>) at /test/10.8_opt/storage/spider/spd_table.cc:8969
#2 spider_get_select_limit_from_select_lex (select_lex=0x153ad8011088, select_limit=0x153b38e90d30, offset_limit=0x153b38e90d38) at /test/10.8_opt/storage/spider/spd_table.cc:8957
#3 0x0000153b380ca559 in spider_check_direct_order_limit (spider=spider@entry=0x153a78003270) at /test/10.8_opt/storage/spider/spd_table.cc:9279
#4 0x0000153b380e7e71 in ha_spider::check_direct_order_limit (this=0x153a78003270) at /test/10.8_opt/storage/spider/ha_spider.cc:13096
#5 ha_spider::check_direct_order_limit (this=0x153a78003270) at /test/10.8_opt/storage/spider/ha_spider.cc:13089
#6 0x0000153b380f1f1d in ha_spider::index_last_internal (buf=0x153a78002e60 "", this=0x153a78003270) at /test/10.8_opt/storage/spider/ha_spider.cc:3350
#7 ha_spider::index_last_internal (this=0x153a78003270, buf=0x153a78002e60 "") at /test/10.8_opt/storage/spider/ha_spider.cc:3310
#8 0x0000153b380fb079 in ha_spider::get_auto_increment (this=0x153a78003270, offset=<optimized out>, increment=1, nb_desired_values=1, first_value=0x153b38e91ac0, nb_reserved_values=0x153b38e91ac8) at /test/10.8_opt/storage/spider/ha_spider.cc:9812
#9 0x000055f2cfba40d8 in handler::update_auto_increment (this=this@entry=0x153a78003270) at /test/10.8_opt/sql/handler.cc:3951
#10 0x0000153b380ea1d6 in ha_spider::update_auto_increment (this=0x153a78003270) at /test/10.8_opt/storage/spider/ha_spider.cc:9755
#11 0x0000153b380fc2a5 in ha_spider::write_row (this=0x153a78003270, buf=0x153a78002e58 "\376") at /test/10.8_opt/storage/spider/ha_spider.cc:10014
#12 0x000055f2cfba9aa0 in handler::ha_write_row (this=0x153a78003270, buf=0x153a78002e58 "\376") at /test/10.8_opt/sql/handler.cc:7516
#13 0x000055f2cf91c47d in write_record (thd=thd@entry=0x153ad8059998, table=0x153a78002a78, info=info@entry=0x153ad8060370, sink=sink@entry=0x0) at /test/10.8_opt/sql/sql_insert.cc:2156
#14 0x000055f2cf91eead in Delayed_insert::handle_inserts (this=0x153ad8059978) at /test/10.8_opt/sql/sql_insert.cc:3597
#15 0x000055f2cf926475 in handle_delayed_insert (arg=arg@entry=0x153ad8059978) at /test/10.8_opt/sql/sql_insert.cc:3337
#16 0x000055f2cfde60a8 in pfs_spawn_thread (arg=0x55f2d2efee08) at /test/10.8_opt/storage/perfschema/pfs.cc:2201
#17 0x0000153b44838609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x0000153b44426293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.4.23 (dbg), 10.5.14 (dbg), 10.6.6 (dbg), 10.7.2 (dbg), 10.7.2 (opt), 10.8.0 (dbg), 10.8.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.42 (dbg), 10.2.42 (opt), 10.3.33 (dbg), 10.3.33 (opt), 10.4.23 (opt), 10.5.14 (opt), 10.6.6 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.36 (dbg), 5.7.36 (opt), 8.0.27 (dbg), 8.0.27 (opt)

Across versions, this adds the following new UniqueID's (seen in 10.7 opt and 10.8 opt):

SIGSEGV|spider_get_select_limit_from_select_lex|spider_get_select_limit_from_select_lex|spider_check_direct_order_limit|ha_spider::check_direct_order_limit

SIGSEGV|spider_get_select_limit_from_select_lex|spider_get_select_limit_from_select_lex|spider_split_read_param|spider_set_result_list_param

And there was already:

SIGSEGV|spider_get_select_limit_from_select_lex|spider_get_select_limit|spider_split_read_param|spider_set_result_list_param

Roel Van de Paar added a comment - 2021-12-05 17:35 - edited INSTALL PLUGIN spider SONAME 'ha_spider.so' ; CREATE SERVER d FOREIGN DATA WRAPPER mysql OPTIONS (HOST '' , DATABASE '' , USER '' ,PORT 10000, PASSWORD '' ); SET SESSION spider_same_server_link= ON ; CREATE TABLE t0(a INT AUTO_INCREMENT KEY ,b VARCHAR (0)) ENGINE=SPIDER; INSERT DELAYED INTO t0 VALUES (0, '' ); INSERT INTO t0(col0) VALUES (STR_TO_DATE( '' , '' )); Leads to: 10.7.2 06988bdcaa2d1af2c178c199b7f65dbafda45a2c (Debug) Core was generated by `/test/MD121121-mariadb-10.7.2-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x0000151e4ef05e70 in spider_get_select_limit_from_select_lex ( select_lex=0x151e2c0145a8, select_limit=select_limit@entry=0x151e5c0f9b90, offset_limit=offset_limit@entry=0x151e5c0f9b98) at /test/10.7_dbg/storage/spider/spd_table.cc:8967 [Current thread is 1 (Thread 0x151e5c0fb700 (LWP 166437))] (gdb) bt #0 0x0000151e4ef05e70 in spider_get_select_limit_from_select_lex (select_lex=0x151e2c0145a8, select_limit=select_limit@entry=0x151e5c0f9b90, offset_limit=offset_limit@entry=0x151e5c0f9b98) at /test/10.7_dbg/storage/spider/spd_table.cc:8967 #1 0x0000151e4ef05f2c in spider_get_select_limit (spider=spider@entry=0x151dd0004dd0, select_lex=select_lex@entry=0x151e5c0f9b88, select_limit=select_limit@entry=0x151e5c0f9b90, offset_limit=offset_limit@entry=0x151e5c0f9b98) at /test/10.7_dbg/storage/spider/spd_table.cc:8983 #2 0x0000151e4ef060a3 in spider_split_read_param (spider=spider@entry=0x151dd0004dd0) at /test/10.7_dbg/storage/spider/spd_table.cc:9020 #3 0x0000151e4ef068d6 in spider_set_result_list_param (spider=spider@entry=0x151dd0004dd0) at /test/10.7_dbg/storage/spider/spd_table.cc:8439 #4 0x0000151e4ef544a3 in ha_spider::index_init (this=this@entry=0x151dd0004dd0, idx=0, sorted=sorted@entry=true) at /test/10.7_dbg/storage/spider/ha_spider.cc:1778 #5 0x0000151e4ef5470c in ha_spider::get_auto_increment (this=0x151dd0004dd0, offset=<optimized out>, increment=1, nb_desired_values=1, first_value=0x151e5c0fa990, nb_reserved_values=0x151e5c0fa998) at /test/10.7_dbg/storage/spider/ha_spider.cc:9800 #6 0x000055d7401f96df in handler::update_auto_increment (this=this@entry=0x151dd0004dd0) at /test/10.7_dbg/sql/handler.cc:3951 #7 0x0000151e4ef3a524 in ha_spider::update_auto_increment (this=this@entry=0x151dd0004dd0) at /test/10.7_dbg/storage/spider/ha_spider.cc:9755 #8 0x0000151e4ef564eb in ha_spider::write_row (this=0x151dd0004dd0, buf=0x151dd0004948 "\376") at /test/10.7_dbg/storage/spider/ha_spider.cc:10014 #9 0x000055d740201559 in handler::ha_write_row (this=0x151dd0004dd0, buf=0x151dd0004948 "\376") at /test/10.7_dbg/sql/handler.cc:7516 #10 0x000055d73fea0eee in write_record (thd=thd@entry=0x151e2c07e6c8, table=0x151dd00044f8, info=info@entry=0x151e2c085468, sink=sink@entry=0x0) at /test/10.7_dbg/sql/sql_insert.cc:2156 #11 0x000055d73fea39c0 in Delayed_insert::handle_inserts (this=this@entry=0x151e2c07e6a8) at /test/10.7_dbg/sql/sql_insert.cc:3597 #12 0x000055d73fea5439 in handle_delayed_insert (arg=arg@entry=0x151e2c07e6a8) at /test/10.7_dbg/sql/sql_insert.cc:3337 #13 0x000055d7404ea4ca in pfs_spawn_thread (arg=0x55d743ee3a18) at /test/10.7_dbg/storage/perfschema/pfs.cc:2201 #14 0x0000151e732f3609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #15 0x0000151e72ee1293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 10.7.2 06988bdcaa2d1af2c178c199b7f65dbafda45a2c (Optimized) Core was generated by `/test/MD121121-mariadb-10.7.2-linux-x86_64-opt/bin/mysqld --no-defaults --core-'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x0000000000000004 in ?? () [Current thread is 1 (Thread 0x14ead00a0700 (LWP 262096))] (gdb) bt #0 0x0000000000000004 in ?? () #1 0x000014eabcc7ea7e in spider_get_select_limit_from_select_lex (offset_limit=0x14ead009ed68, select_limit=0x14ead009ed60, select_lex=<optimized out>) at /test/10.7_opt/storage/spider/spd_table.cc:8969 #2 spider_get_select_limit_from_select_lex (select_lex=0x14ea70011088, select_limit=0x14ead009ed60, offset_limit=0x14ead009ed68) at /test/10.7_opt/storage/spider/spd_table.cc:8957 #3 0x000014eabcc7eba9 in spider_split_read_param (spider=spider@entry=0x14ea14003270) at /test/10.7_opt/storage/spider/spd_table.cc:9020 #4 0x000014eabcc7ef70 in spider_set_result_list_param (spider=spider@entry=0x14ea14003270) at /test/10.7_opt/storage/spider/spd_table.cc:8439 #5 0x000014eabccafdcd in ha_spider::index_init (this=this@entry=0x14ea14003270, idx=0, sorted=sorted@entry=true) at /test/10.7_opt/storage/spider/ha_spider.cc:1778 #6 0x000014eabccb0045 in ha_spider::get_auto_increment (this=0x14ea14003270, offset=<optimized out>, increment=1, nb_desired_values=1, first_value=0x14ead009fac0, nb_reserved_values=0x14ead009fac8) at /test/10.7_opt/storage/spider/ha_spider.cc:9800 #7 0x00005581b2b5c0d8 in handler::update_auto_increment (this=this@entry=0x14ea14003270) at /test/10.7_opt/sql/handler.cc:3951 #8 0x000014eabcc9f1d6 in ha_spider::update_auto_increment (this=0x14ea14003270) at /test/10.7_opt/storage/spider/ha_spider.cc:9755 #9 0x000014eabccb12a5 in ha_spider::write_row (this=0x14ea14003270, buf=0x14ea14002e58 "\376") at /test/10.7_opt/storage/spider/ha_spider.cc:10014 #10 0x00005581b2b61aa0 in handler::ha_write_row (this=0x14ea14003270, buf=0x14ea14002e58 "\376") at /test/10.7_opt/sql/handler.cc:7516 #11 0x00005581b28d447d in write_record (thd=thd@entry=0x14ea70059c68, table=0x14ea14002a78, info=info@entry=0x14ea70060640, sink=sink@entry=0x0) at /test/10.7_opt/sql/sql_insert.cc:2156 #12 0x00005581b28d6ead in Delayed_insert::handle_inserts (this=0x14ea70059c48) at /test/10.7_opt/sql/sql_insert.cc:3597 #13 0x00005581b28de475 in handle_delayed_insert (arg=arg@entry=0x14ea70059c48) at /test/10.7_opt/sql/sql_insert.cc:3337 #14 0x00005581b2d9e0a8 in pfs_spawn_thread (arg=0x5581b620fbb8) at /test/10.7_opt/storage/perfschema/pfs.cc:2201 #15 0x000014ead319f609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #16 0x000014ead2d8d293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 10.8.0 bc57ff7cf79504a198d4752b4748340a4afd886c (Optimized) Core was generated by `/test/MD121121-mariadb-10.8.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x0000000000000004 in ?? () [Current thread is 1 (Thread 0x153b38e92700 (LWP 262109))] (gdb) bt #0 0x0000000000000004 in ?? () #1 0x0000153b380c9a7e in spider_get_select_limit_from_select_lex (offset_limit=0x153b38e90d38, select_limit=0x153b38e90d30, select_lex=<optimized out>) at /test/10.8_opt/storage/spider/spd_table.cc:8969 #2 spider_get_select_limit_from_select_lex (select_lex=0x153ad8011088, select_limit=0x153b38e90d30, offset_limit=0x153b38e90d38) at /test/10.8_opt/storage/spider/spd_table.cc:8957 #3 0x0000153b380ca559 in spider_check_direct_order_limit (spider=spider@entry=0x153a78003270) at /test/10.8_opt/storage/spider/spd_table.cc:9279 #4 0x0000153b380e7e71 in ha_spider::check_direct_order_limit (this=0x153a78003270) at /test/10.8_opt/storage/spider/ha_spider.cc:13096 #5 ha_spider::check_direct_order_limit (this=0x153a78003270) at /test/10.8_opt/storage/spider/ha_spider.cc:13089 #6 0x0000153b380f1f1d in ha_spider::index_last_internal (buf=0x153a78002e60 "", this=0x153a78003270) at /test/10.8_opt/storage/spider/ha_spider.cc:3350 #7 ha_spider::index_last_internal (this=0x153a78003270, buf=0x153a78002e60 "") at /test/10.8_opt/storage/spider/ha_spider.cc:3310 #8 0x0000153b380fb079 in ha_spider::get_auto_increment (this=0x153a78003270, offset=<optimized out>, increment=1, nb_desired_values=1, first_value=0x153b38e91ac0, nb_reserved_values=0x153b38e91ac8) at /test/10.8_opt/storage/spider/ha_spider.cc:9812 #9 0x000055f2cfba40d8 in handler::update_auto_increment (this=this@entry=0x153a78003270) at /test/10.8_opt/sql/handler.cc:3951 #10 0x0000153b380ea1d6 in ha_spider::update_auto_increment (this=0x153a78003270) at /test/10.8_opt/storage/spider/ha_spider.cc:9755 #11 0x0000153b380fc2a5 in ha_spider::write_row (this=0x153a78003270, buf=0x153a78002e58 "\376") at /test/10.8_opt/storage/spider/ha_spider.cc:10014 #12 0x000055f2cfba9aa0 in handler::ha_write_row (this=0x153a78003270, buf=0x153a78002e58 "\376") at /test/10.8_opt/sql/handler.cc:7516 #13 0x000055f2cf91c47d in write_record (thd=thd@entry=0x153ad8059998, table=0x153a78002a78, info=info@entry=0x153ad8060370, sink=sink@entry=0x0) at /test/10.8_opt/sql/sql_insert.cc:2156 #14 0x000055f2cf91eead in Delayed_insert::handle_inserts (this=0x153ad8059978) at /test/10.8_opt/sql/sql_insert.cc:3597 #15 0x000055f2cf926475 in handle_delayed_insert (arg=arg@entry=0x153ad8059978) at /test/10.8_opt/sql/sql_insert.cc:3337 #16 0x000055f2cfde60a8 in pfs_spawn_thread (arg=0x55f2d2efee08) at /test/10.8_opt/storage/perfschema/pfs.cc:2201 #17 0x0000153b44838609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #18 0x0000153b44426293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 Bug confirmed present in: MariaDB: 10.4.23 (dbg), 10.5.14 (dbg), 10.6.6 (dbg), 10.7.2 (dbg), 10.7.2 (opt), 10.8.0 (dbg), 10.8.0 (opt) Bug (or feature/syntax) confirmed not present in: MariaDB: 10.2.42 (dbg), 10.2.42 (opt), 10.3.33 (dbg), 10.3.33 (opt), 10.4.23 (opt), 10.5.14 (opt), 10.6.6 (opt) MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.36 (dbg), 5.7.36 (opt), 8.0.27 (dbg), 8.0.27 (opt) Across versions, this adds the following new UniqueID's (seen in 10.7 opt and 10.8 opt): SIGSEGV|spider_get_select_limit_from_select_lex|spider_get_select_limit_from_select_lex|spider_check_direct_order_limit|ha_spider::check_direct_order_limit SIGSEGV|spider_get_select_limit_from_select_lex|spider_get_select_limit_from_select_lex|spider_split_read_param|spider_set_result_list_param And there was already: SIGSEGV|spider_get_select_limit_from_select_lex|spider_get_select_limit|spider_split_read_param|spider_set_result_list_param

Roel Van de Paar added a comment - 2021-12-05 17:42 - edited

There are thus seemingly 2 new regressions in 10.7 and 10.8, in optimized builds.

Roel Van de Paar added a comment - 2021-12-05 17:42 - edited There are thus seemingly 2 new regressions in 10.7 and 10.8, in optimized builds.

Roel Van de Paar made changes - 2021-12-05 17:42

Labels

affects-tests regression

affects-tests regression regression-10.7 regression-10.8

Roel Van de Paar made changes - 2021-12-05 17:43

Priority

Major [ 3 ]

Critical [ 2 ]

Sergei Golubchik made changes - 2021-12-06 21:35

Workflow

MariaDB v3 [ 124957 ]

MariaDB v4 [ 143161 ]

Roel Van de Paar made changes - 2021-12-12 01:55

Link

This issue relates to ~~MDEV-27231~~ [ ~~MDEV-27231~~ ]

Nayuta Yanagisawa (Inactive) made changes - 2021-12-21 06:45

Status

Open [ 1 ]

In Progress [ 3 ]

Nayuta Yanagisawa (Inactive) added a comment - 2021-12-21 06:58

The bug is caused by a phenomenon so-called use-after-free.

Thread 3 received signal SIGSEGV, Segmentation fault.

spider_get_select_limit_from_select_lex (select_lex=0x7f8ca8025368, select_limit=0x7f8cb00f8ae8, offset_limit=0x7f8cb00f8af0)

    at /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/spider/spd_table.cc:8506

8506          select_lex->select_limit->val_int() : 0;

(rr) watch -l  select_lex->select_limit

Hardware watchpoint 1: -location select_lex->select_limit

(rr) rc

Continuing.

[Switching to Thread 2264066.2264188]

Thread 2 hit Hardware watchpoint 1: -location select_lex->select_limit

Old value = (Item *) 0x8f8f8f8f8f8f8f8f

New value = (Item *) 0x0

0x00007f8cbeaad46f in ?? () from /lib/x86_64-linux-gnu/libc.so.6

(rr) bt

#0  0x00007f8cbeaad46f in ?? () from /lib/x86_64-linux-gnu/libc.so.6

#1  0x00005561ae4728be in free_root (root=0x7f8ca801f148, MyFlags=1) at /home/nayuta_mariadb/repo/mariadb-server/10.4/mysys/my_alloc.c:438

#2  0x00005561ad858d27 in dispatch_command (command=COM_QUERY, thd=0x7f8ca8019770, packet=0x7f8ca800e5c1 "", packet_length=46, is_com_multi=false, is_next_command=false)

    at /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_parse.cc:2480

#3  0x00005561ad855336 in do_command (thd=0x7f8ca8019770) at /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_parse.cc:1373

#4  0x00005561ad9e83af in do_handle_one_connection (connect=0x5561b07c6250) at /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_connect.cc:1420

#5  0x00005561ad9e804b in handle_one_connection (arg=0x5561b07c6250) at /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_connect.cc:1316

#6  0x00005561adf1ceab in pfs_spawn_thread (arg=0x5561b0718cc0) at /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/perfschema/pfs.cc:1869

#7  0x00007f8cbeea8450 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0

#8  0x00007f8cbea41d53 in clone () from /lib/x86_64-linux-gnu/libc.so.6

Nayuta Yanagisawa (Inactive) added a comment - 2021-12-21 06:58 The bug is caused by a phenomenon so-called use-after-free. Thread 3 received signal SIGSEGV, Segmentation fault. spider_get_select_limit_from_select_lex (select_lex=0x7f8ca8025368, select_limit=0x7f8cb00f8ae8, offset_limit=0x7f8cb00f8af0) at /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/spider/spd_table.cc:8506 8506 select_lex->select_limit->val_int() : 0; (rr) watch -l select_lex->select_limit Hardware watchpoint 1: -location select_lex->select_limit (rr) rc Continuing. [Switching to Thread 2264066.2264188] Thread 2 hit Hardware watchpoint 1: -location select_lex->select_limit Old value = (Item *) 0x8f8f8f8f8f8f8f8f New value = (Item *) 0x0 0x00007f8cbeaad46f in ?? () from /lib/x86_64-linux-gnu/libc.so.6 (rr) bt #0 0x00007f8cbeaad46f in ?? () from /lib/x86_64-linux-gnu/libc.so.6 #1 0x00005561ae4728be in free_root (root=0x7f8ca801f148, MyFlags=1) at /home/nayuta_mariadb/repo/mariadb-server/10.4/mysys/my_alloc.c:438 #2 0x00005561ad858d27 in dispatch_command (command=COM_QUERY, thd=0x7f8ca8019770, packet=0x7f8ca800e5c1 "", packet_length=46, is_com_multi=false, is_next_command=false) at /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_parse.cc:2480 #3 0x00005561ad855336 in do_command (thd=0x7f8ca8019770) at /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_parse.cc:1373 #4 0x00005561ad9e83af in do_handle_one_connection (connect=0x5561b07c6250) at /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_connect.cc:1420 #5 0x00005561ad9e804b in handle_one_connection (arg=0x5561b07c6250) at /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_connect.cc:1316 #6 0x00005561adf1ceab in pfs_spawn_thread (arg=0x5561b0718cc0) at /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/perfschema/pfs.cc:1869 #7 0x00007f8cbeea8450 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 #8 0x00007f8cbea41d53 in clone () from /lib/x86_64-linux-gnu/libc.so.6

Nayuta Yanagisawa (Inactive) added a comment - 2021-12-21 07:01

In the first place, I doubt that whether the Spider should support the delayed insert.

Nayuta Yanagisawa (Inactive) added a comment - 2021-12-21 07:01 In the first place, I doubt that whether the Spider should support the delayed insert.

Roel Van de Paar added a comment - 2021-12-21 08:34 - edited

FWIW, I think this is a good solution for the time being.

Roel Van de Paar added a comment - 2021-12-21 08:34 - edited FWIW, I think this is a good solution for the time being.

Nayuta Yanagisawa (Inactive) added a comment - 2021-12-21 10:11

Please review: https://github.com/MariaDB/server/commit/083fb99cb9389c69b9a8db942b4f101b9195fb44

Nayuta Yanagisawa (Inactive) added a comment - 2021-12-21 10:11 Please review: https://github.com/MariaDB/server/commit/083fb99cb9389c69b9a8db942b4f101b9195fb44

Nayuta Yanagisawa (Inactive) made changes - 2021-12-21 10:11

Assignee	Nayuta Yanagisawa [ JIRAUSER47117 ]	Alexey Botchkov [ holyfoot ]
Status	In Progress [ 3 ]	In Review [ 10002 ]

Nayuta Yanagisawa (Inactive) made changes - 2021-12-21 12:55

Assignee

Alexey Botchkov [ holyfoot ]

Nayuta Yanagisawa [ JIRAUSER47117 ]

Nayuta Yanagisawa (Inactive) made changes - 2021-12-21 12:55

Status

In Review [ 10002 ]

Stalled [ 10000 ]

Nayuta Yanagisawa (Inactive) made changes - 2021-12-21 12:55

Status

Stalled [ 10000 ]

In Progress [ 3 ]

Sergei Golubchik added a comment - 2021-12-21 18:10

To fix the crash in the original bug report:

--- a/sql/sql_insert.cc

+++ b/sql/sql_insert.cc

@@ -2524,6 +2524,7 @@ bool delayed_get_table(THD *thd, MDL_request *grl_protect>

       di->table_list.alias.str=    di->table_list.table_name.str=    di->thd.q>

       di->table_list.alias.length= di->table_list.table_name.length= di->thd.q>

       di->table_list.db= di->thd.db;

+      di->table_list.select_lex= NULL;

/*

         We need the tickets so that they can be cloned in

         handle_delayed_insert

Then I made a simple change to see whether Spider can do INSERT DELAYED at all:

--- a/storage/spider/mysql-test/spider/t/auto_increment.test

+++ b/storage/spider/mysql-test/spider/t/auto_increment.test

@@ -144,6 +144,8 @@ if ($USE_CHILD_GROUP2)

 --connection master_1

+  show create table tbl_a;

+  insert delayed tbl_a values (100,200,300);

 SELECT * FROM tbl_a;

 if ($USE_CHILD_GROUP2)

That crashed too. This was the fix:

--- a/sql/sql_insert.cc

+++ b/sql/sql_insert.cc

@@ -3183,6 +3184,8 @@ pthread_handler_t handle_delayed_insert(void *arg)

     di->handler_thread_initialized= TRUE;

     di->table_list.mdl_request.ticket= NULL;

+    thd->set_query_id(next_query_id());

     if (di->open_and_lock_table())

       goto err;

@@ -3301,6 +3304,7 @@ pthread_handler_t handle_delayed_insert(void *arg)

       if (di->tables_in_use && ! thd->lock &&

           (!thd->killed || di->stacked_inserts))

+        thd->set_query_id(next_query_id());

/*

           Request for new delayed insert.

           Lock the table, but avoid to be blocked by a global read lock.

after that Spider apparently executed INSERT DELAYED just fine (not crashed, the line appeared in SELECT) and the original test case didn't crash either.

Sergei Golubchik added a comment - 2021-12-21 18:10 To fix the crash in the original bug report: --- a/sql/sql_insert.cc +++ b/sql/sql_insert.cc @@ -2524,6 +2524,7 @@ bool delayed_get_table(THD *thd, MDL_request *grl_protect> di->table_list.alias.str= di->table_list.table_name.str= di->thd.q> di->table_list.alias.length= di->table_list.table_name.length= di->thd.q> di->table_list.db= di->thd.db; + di->table_list.select_lex= NULL; /* We need the tickets so that they can be cloned in handle_delayed_insert Then I made a simple change to see whether Spider can do INSERT DELAYED at all: --- a/storage/spider/mysql-test/spider/t/auto_increment.test +++ b/storage/spider/mysql-test/spider/t/auto_increment.test @@ -144,6 +144,8 @@ if ($USE_CHILD_GROUP2) } } --connection master_1 + show create table tbl_a; + insert delayed tbl_a values (100,200,300); SELECT * FROM tbl_a; if ($USE_CHILD_GROUP2) { That crashed too. This was the fix: --- a/sql/sql_insert.cc +++ b/sql/sql_insert.cc @@ -3183,6 +3184,8 @@ pthread_handler_t handle_delayed_insert(void *arg) di->handler_thread_initialized= TRUE; di->table_list.mdl_request.ticket= NULL; + thd->set_query_id(next_query_id()); + if (di->open_and_lock_table()) goto err; @@ -3301,6 +3304,7 @@ pthread_handler_t handle_delayed_insert(void *arg) if (di->tables_in_use && ! thd->lock && (!thd->killed || di->stacked_inserts)) { + thd->set_query_id(next_query_id()); /* Request for new delayed insert. Lock the table, but avoid to be blocked by a global read lock. after that Spider apparently executed INSERT DELAYED just fine (not crashed, the line appeared in SELECT ) and the original test case didn't crash either.

Nayuta Yanagisawa (Inactive) added a comment - 2021-12-22 03:34

Thank you very much for your analysis. I will look at it in details.

Nayuta Yanagisawa (Inactive) added a comment - 2021-12-22 03:34 Thank you very much for your analysis. I will look at it in details.

Nayuta Yanagisawa (Inactive) added a comment - 2022-01-04 05:53

I checked Sergei's change by my hand. It doesn't crash even without thd->set_query_id(next_qury_id()).

Nayuta Yanagisawa (Inactive) added a comment - 2022-01-04 05:53 I checked Sergei's change by my hand. It doesn't crash even without thd->set_query_id(next_qury_id()) .

Nayuta Yanagisawa (Inactive) added a comment - 2022-01-04 06:17

holyfoot Please review: https://github.com/MariaDB/server/commit/b97e8a295e20778f06f031dc121f0e40d546082c

Nayuta Yanagisawa (Inactive) added a comment - 2022-01-04 06:17 holyfoot Please review: https://github.com/MariaDB/server/commit/b97e8a295e20778f06f031dc121f0e40d546082c

Nayuta Yanagisawa (Inactive) made changes - 2022-01-04 06:17

Assignee	Nayuta Yanagisawa [ JIRAUSER47117 ]	Alexey Botchkov [ holyfoot ]
Status	In Progress [ 3 ]	In Review [ 10002 ]

Sergei Golubchik added a comment - 2022-01-04 18:20

nayuta-yanagisawa the second patch is needed if you add a test that INSERT DELAYED actually works, not simply not crashes. Like, create a table, insert some rows with INSERT DELAYED, verify that rows are actually in the table.

Sergei Golubchik added a comment - 2022-01-04 18:20 nayuta-yanagisawa the second patch is needed if you add a test that INSERT DELAYED actually works , not simply not crashes . Like, create a table, insert some rows with INSERT DELAYED, verify that rows are actually in the table.

Nayuta Yanagisawa (Inactive) added a comment - 2022-01-05 01:44

serg On which version did you test? On 10.4, Spider fully executed an insert delayed even without the second patch on my side.

Nayuta Yanagisawa (Inactive) added a comment - 2022-01-05 01:44 serg On which version did you test? On 10.4, Spider fully executed an insert delayed even without the second patch on my side.

Sergei Golubchik added a comment - 2022-01-05 12:26

Likely a newer one. Spider created a transaction, wanted to commit, but XID was 0, because it was generated from query_id, and delayed thread never set a query id.

If it doesn't crash — I suggest to ignore it for now, and fix it when it starts crashing after a merge up.

Just don't forget to add a test that insert delayed actually does work. inserts rows. that end up in a table.

Sergei Golubchik added a comment - 2022-01-05 12:26 Likely a newer one. Spider created a transaction, wanted to commit, but XID was 0, because it was generated from query_id, and delayed thread never set a query id. If it doesn't crash — I suggest to ignore it for now, and fix it when it starts crashing after a merge up. Just don't forget to add a test that insert delayed actually does work. inserts rows. that end up in a table.

Nayuta Yanagisawa (Inactive) added a comment - 2022-01-05 14:52

serg OK. Thank you!

Nayuta Yanagisawa (Inactive) added a comment - 2022-01-05 14:52 serg OK. Thank you!

Nayuta Yanagisawa (Inactive) added a comment - 2022-01-05 14:53 - edited

holyfoot I updated the test case according to Sergei's comment: https://github.com/MariaDB/server/commit/94637a0c76f6fcf2169ecc7fb790aee139931d4e

Nayuta Yanagisawa (Inactive) added a comment - 2022-01-05 14:53 - edited holyfoot I updated the test case according to Sergei's comment: https://github.com/MariaDB/server/commit/94637a0c76f6fcf2169ecc7fb790aee139931d4e

Nayuta Yanagisawa (Inactive) made changes - 2022-01-19 05:47

Link

This issue relates to ~~MDEV-24769~~ [ ~~MDEV-24769~~ ]

Alexey Botchkov added a comment - 2022-01-19 09:49

ok to push.

Alexey Botchkov added a comment - 2022-01-19 09:49 ok to push.

Alexey Botchkov made changes - 2022-01-19 09:49

Assignee	Alexey Botchkov [ holyfoot ]	Nayuta Yanagisawa [ JIRAUSER47117 ]
Status	In Review [ 10002 ]	Stalled [ 10000 ]

Nayuta Yanagisawa (Inactive) made changes - 2022-01-19 10:40

Component/s		Storage Engine - Spider [ 10132 ]
Fix Version/s		10.4.23 [ 26807 ]
Fix Version/s		10.5.14 [ 26809 ]
Fix Version/s		10.6.6 [ 26811 ]
Fix Version/s		10.7.2 [ 26813 ]
Fix Version/s	10.4 [ 22408 ]
Fix Version/s	10.5 [ 23123 ]
Fix Version/s	10.6 [ 24028 ]
Resolution		Fixed [ 1 ]
Status	Stalled [ 10000 ]	Closed [ 6 ]

Roel Van de Paar added a comment - 2022-01-19 14:04 - edited

Adding for completeness. After ~~MDEV-27240~~ fix, and prior to the fix in this ticket, things for this bug became a little clearer.

INSTALL PLUGIN spider SONAME 'ha_spider.so';

CREATE TABLE t1 (c0 INT,UNIQUE (c0) USING HASH) ENGINE=SPIDER;

INSERT DELAYED INTO t1 VALUES (0);

invalid;

SELECT SLEEP (1);

Will produce:

SIGSEGV|spider_get_select_limit_from_select_lex|spider_get_select_limit|spider_split_read_param|spider_set_result_list_param

As per the original stack above. And the following stack was also observed with this testcase, and/or this similar one:

INSTALL PLUGIN spider SONAME 'ha_spider.so';

DROP TABLE t1;

SET sql_mode='';

CREATE TABLE t1 (pk0 INT,pk1 CHAR(1),c0 INT,UNIQUE (c0) USING HASH) ENGINE=SPIDER;

INSERT DELAYED INTO t1 VALUES (3,'','');

SELECT ST_EQUALS (g,ST_GEOMFROMTEXT (@clection_elems_1)) FROM gis_geometryclection WHERE fid=114;

SIGSEGV|spider_check_index_merge|spider_check_direct_order_limit|ha_spider::check_direct_order_limit|ha_spider::check_direct_order_limit

Roel Van de Paar added a comment - 2022-01-19 14:04 - edited Adding for completeness. After MDEV-27240 fix, and prior to the fix in this ticket, things for this bug became a little clearer. INSTALL PLUGIN spider SONAME 'ha_spider.so' ; CREATE TABLE t1 (c0 INT , UNIQUE (c0) USING HASH) ENGINE=SPIDER; INSERT DELAYED INTO t1 VALUES (0); invalid; SELECT SLEEP (1); Will produce: SIGSEGV|spider_get_select_limit_from_select_lex|spider_get_select_limit|spider_split_read_param|spider_set_result_list_param As per the original stack above. And the following stack was also observed with this testcase, and/or this similar one: INSTALL PLUGIN spider SONAME 'ha_spider.so' ; DROP TABLE t1; SET sql_mode= '' ; CREATE TABLE t1 (pk0 INT ,pk1 CHAR (1),c0 INT , UNIQUE (c0) USING HASH) ENGINE=SPIDER; INSERT DELAYED INTO t1 VALUES (3, '' , '' ); SELECT ST_EQUALS (g,ST_GEOMFROMTEXT (@clection_elems_1)) FROM gis_geometryclection WHERE fid=114; SIGSEGV|spider_check_index_merge|spider_check_direct_order_limit|ha_spider::check_direct_order_limit|ha_spider::check_direct_order_limit

Roel Van de Paar made changes - 2022-04-25 04:10

Link

This issue relates to ~~MDEV-28406~~ [ ~~MDEV-28406~~ ]

Roel Van de Paar made changes - 2024-08-11 19:25

Link

This issue relates to MDEV-34735 [ MDEV-34735 ]

People

Assignee:: Nayuta Yanagisawa (Inactive)

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2021-09-10 05:10

Updated:: 2024-08-11 19:25

Resolved:: 2022-01-19 10:40

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration