MDEV-27575

Spider: UBSAN member access within null pointer of type 'struct st_plugin_int and SIGSEGV in intern_plugin_lock on SHUTDOWN when setting Spider as default storage engine (temporary or global)

Details

    Description

      INSTALL PLUGIN spider SONAME 'ha_spider.so';
      SET GLOBAL default_tmp_storage_engine=spider;
      SHUTDOWN;
      

      Leads to:

      10.8.0 1bfeac1aef7025d8e13d92ec85c2bacf1503b794 (Optimized)

      Core was generated by `/test/MDEV-27106-MD220122-mariadb-10.8.0-linux-x86_64-opt/bin/mysqld --no-defau'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  intern_plugin_lock (state_mask=14, rc=0x0, lex=0x0)
          at /test/preview-10.8-MDEV-27106-spider_opt/sql/sql_plugin.cc:973
      973	  if (pi->state & state_mask)
      [Current thread is 1 (Thread 0x14fa6b230800 (LWP 815454))]
      (gdb) bt
      #0  intern_plugin_lock (state_mask=14, rc=0x0, lex=0x0) at /test/preview-10.8-MDEV-27106-spider_opt/sql/sql_plugin.cc:973
      #1  plugin_thdvar_init (thd=0x564bc0252ce8) at /test/preview-10.8-MDEV-27106-spider_opt/sql/sql_plugin.cc:3242
      #2  0x0000564bbe16c527 in THD::init (this=0x564bc0252ce8) at /test/preview-10.8-MDEV-27106-spider_opt/sql/sql_class.cc:1234
      #3  0x0000564bbe171e06 in THD::THD (this=0x564bc0252ce8, id=<optimized out>, is_wsrep_applier=<optimized out>) at /test/preview-10.8-MDEV-27106-spider_opt/sql/sql_class.cc:849
      #4  0x000014fa46d6eec0 in spider_create_thd () at /test/preview-10.8-MDEV-27106-spider_opt/sql/sql_list.h:680
      #5  spider_db_done (p=<optimized out>) at /test/preview-10.8-MDEV-27106-spider_opt/storage/spider/spd_table.cc:6737
      #6  0x0000564bbe40bfde in ha_finalize_handlerton (plugin=0x564bbfc96f90) at /test/preview-10.8-MDEV-27106-spider_opt/sql/handler.cc:599
      #7  0x0000564bbe1dc37c in plugin_deinitialize (plugin=0x564bbfc96f90, ref_check=ref_check@entry=true) at /test/preview-10.8-MDEV-27106-spider_opt/sql/sql_plugin.cc:1267
      #8  0x0000564bbe1e096e in reap_plugins () at /test/preview-10.8-MDEV-27106-spider_opt/sql/sql_plugin.cc:1341
      #9  0x0000564bbe1e1485 in plugin_shutdown () at /test/preview-10.8-MDEV-27106-spider_opt/sql/sql_plugin.cc:2049
      #10 0x0000564bbe0bddf7 in clean_up (print_message=print_message@entry=true) at /test/preview-10.8-MDEV-27106-spider_opt/sql/mysqld.cc:1951
      #11 0x0000564bbe0c8afa in clean_up (print_message=true) at /test/preview-10.8-MDEV-27106-spider_opt/sql/mysqld.cc:5887
      #12 mysqld_main (argc=<optimized out>, argv=<optimized out>) at /test/preview-10.8-MDEV-27106-spider_opt/sql/mysqld.cc:5887
      #13 0x000014fa6b40f0b3 in __libc_start_main (main=0x564bbe08c230 <main(int, char**)>, argc=10, argv=0x7ffe5d003538, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe5d003528) at ../csu/libc-start.c:308
      #14 0x0000564bbe0bc7be in _start () at /test/preview-10.8-MDEV-27106-spider_opt/sql/mysqld.cc:4508
      

      10.8.0 1bfeac1aef7025d8e13d92ec85c2bacf1503b794 (Debug)

      Core was generated by `/test/MDEV-27106-MD220122-mariadb-10.8.0-linux-x86_64-dbg/bin/mysqld --no-defau'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  intern_plugin_lock (lex=lex@entry=0x0, rc=<optimized out>, 
          state_mask=state_mask@entry=14)
          at /test/preview-10.8-MDEV-27106-spider_dbg/sql/sql_plugin.cc:973
      973	  if (pi->state & state_mask)
      [Current thread is 1 (Thread 0x14b3cf60f800 (LWP 659191))]
      (gdb) bt
      #0  intern_plugin_lock (lex=lex@entry=0x0, rc=<optimized out>, state_mask=state_mask@entry=14) at /test/preview-10.8-MDEV-27106-spider_dbg/sql/sql_plugin.cc:973
      #1  0x0000564efdbe6f4a in plugin_thdvar_init (thd=thd@entry=0x564f0040a6b8) at /test/preview-10.8-MDEV-27106-spider_dbg/sql/sql_plugin.cc:3241
      #2  0x0000564efdb4f3f4 in THD::init (this=this@entry=0x564f0040a6b8) at /test/preview-10.8-MDEV-27106-spider_dbg/sql/sql_class.cc:1234
      #3  0x0000564efdb586f5 in THD::THD (this=0x564f0040a6b8, id=<optimized out>, is_wsrep_applier=<optimized out>) at /test/preview-10.8-MDEV-27106-spider_dbg/sql/sql_class.cc:849
      #4  0x000014b3b82613c9 in spider_create_thd () at /test/preview-10.8-MDEV-27106-spider_dbg/sql/sql_list.h:680
      #5  spider_db_done (p=<optimized out>) at /test/preview-10.8-MDEV-27106-spider_dbg/storage/spider/spd_table.cc:6737
      #6  0x0000564efdec7fc9 in ha_finalize_handlerton (plugin=0x564effdac460) at /test/preview-10.8-MDEV-27106-spider_dbg/sql/handler.cc:599
      #7  0x0000564efdbe2e72 in plugin_deinitialize (plugin=0x564effdac460, ref_check=ref_check@entry=true) at /test/preview-10.8-MDEV-27106-spider_dbg/sql/sql_plugin.cc:1267
      #8  0x0000564efdbe7666 in reap_plugins () at /test/preview-10.8-MDEV-27106-spider_dbg/sql/sql_plugin.cc:1341
      #9  0x0000564efdbe85fb in plugin_shutdown () at /test/preview-10.8-MDEV-27106-spider_dbg/sql/sql_plugin.cc:2049
      #10 0x0000564efda7049b in clean_up (print_message=print_message@entry=true) at /test/preview-10.8-MDEV-27106-spider_dbg/sql/mysqld.cc:1951
      #11 0x0000564efda7e3fe in mysqld_main (argc=<optimized out>, argv=<optimized out>) at /test/preview-10.8-MDEV-27106-spider_dbg/sql/mysqld.cc:5887
      #12 0x0000564efda6eb56 in main (argc=<optimized out>, argv=<optimized out>) at /test/preview-10.8-MDEV-27106-spider_dbg/sql/main.cc:34
      

      Only present in the MDEV-27106 feature branch.


      This bug can also be observed, sporadically, with this more generic testcase:

      INSTALL PLUGIN spider SONAME 'ha_spider.so';
      SET GLOBAL default_storage_engine=Spider;
      SELECT SLEEP (1);  # Not always necessary
      SHUTDOWN;
      

          Activity

            Roel Roel Van de Paar added a comment - - edited

            UBSAN also reports a member access within null pointer of type 'struct st_plugin_int' in sql/sql_plugin.cc for this:

            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            SET GLOBAL default_storage_engine=Spider;
            SHUTDOWN;
            

            Leads to:

            11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Optimized, UBASAN)

            2023-05-20 10:36:08 0 [Note] InnoDB: Shutdown completed; log sequence number 47139; transaction id 15
            /test/11.0_opt_san/sql/sql_plugin.cc:976:11: runtime error: member access within null pointer of type 'struct st_plugin_int'
                #0 0x5577507300b7 in intern_plugin_lock /test/11.0_opt_san/sql/sql_plugin.cc:976
                #1 0x5577507300b7 in plugin_thdvar_init(THD*) /test/11.0_opt_san/sql/sql_plugin.cc:3248
                #2 0x557750329b07 in THD::init() /test/11.0_opt_san/sql/sql_class.cc:1231
                #3 0x55775035da6b in THD::THD(unsigned long long, bool) /test/11.0_opt_san/sql/sql_class.cc:851
                #4 0x14d0271e6d54 in spider_create_thd() /test/11.0_opt_san/storage/spider/spd_table.cc:96
                #5 0x14d0271e6d54 in spider_db_done(void*) /test/11.0_opt_san/storage/spider/spd_table.cc:6012
                #6 0x557751b5fae9 in ha_finalize_handlerton(st_plugin_int*) /test/11.0_opt_san/sql/handler.cc:601
                #7 0x55775071c09c in plugin_deinitialize /test/11.0_opt_san/sql/sql_plugin.cc:1273
                #8 0x55775071f5c5 in reap_plugins /test/11.0_opt_san/sql/sql_plugin.cc:1344
                #9 0x557750727f83 in plugin_shutdown() /test/11.0_opt_san/sql/sql_plugin.cc:2055
                #10 0x55774fe094c6 in clean_up /test/11.0_opt_san/sql/mysqld.cc:1999
                #11 0x55774fe094c6 in clean_up /test/11.0_opt_san/sql/mysqld.cc:1962
                #12 0x55774fe2d7a0 in mysqld_main(int, char**) /test/11.0_opt_san/sql/mysqld.cc:6051
                #13 0x14d049c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
                #14 0x14d049c29e3f in __libc_start_main_impl ../csu/libc-start.c:392
                #15 0x55774fd2cde4 in _start (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-opt/bin/mariadbd+0x798ede4)
             
            230520 10:36:10 [ERROR] mysqld got signal 11 ;
            

            Same on debug. Confirmed bug present in 10.4 and 11.0

            ycp Yuchen Pei added a comment -

            An initial patch, based on 10.10. Still need to check for 10.4

            upstream/bb-10.10-mdev-27575 fee173053887ba3914e7575bc7d41162280972a3
            MDEV-27575 Remove thd from spider_db_done
             
            It is unused, and causing segfaults
            

            ycp Yuchen Pei added a comment -

            Hi holyfoot, ptal thanks (based on 10.10)

            [Revision fee173053887ba3914e7575bc7d41162280972a3]
            Author: Yuchen Pei <ycp@mariadb.com>
            Date: 2023-11-03 Fri 18:00:51 AEDT
             
            MDEV-27575 Remove thd from spider_db_done
             
            It is unused, and causing segfaults
            

            There's also a 10.4 version at e3141826794fea9fec771407e8c36feb12cf6f6b, where the SET GLOBAL default_tmp_storage_engine=spider; does not cause an error, presumably because of commit f7216fa63d69448c3de1532a1dd197d0f28faefd, which is included in 10.7+.
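The shutdown ordering behind the crash, as an added model in C (not MariaDB server code and not part of the ticket): Spider is itself the default engine, so a global-variable reference keeps it from being reaped until that reference is released and set to NULL; its deinit then creates a THD whose plugin_thdvar_init locks the now-NULL ref. The flag values, the one-plugin registry and the buggy/fixed deinit pair are assumptions made for the model.

```c
#include <stddef.h>

/* Constructed model of the plugin-shutdown ordering behind MDEV-27575, written
 * for this page; it is not MariaDB server code. Flag values are assumptions. */
enum { PLUGIN_IS_DELETED = 2, PLUGIN_IS_UNINITIALIZED = 4, PLUGIN_IS_READY = 8,
       PLUGIN_IS_DYING = 16 };

struct st_plugin_int { const char *name; unsigned state; int ref_count; };

static struct st_plugin_int spider = { "spider", PLUGIN_IS_READY, 1 };
/* Global default engine ref (SET GLOBAL default_storage_engine=Spider). */
static struct st_plugin_int *global_table_plugin = &spider;
static int null_locks;  /* times intern_plugin_lock() was handed a NULL ref */

/* intern_plugin_lock(): the server reads pi->state unconditionally, which is
 * the null member access UBSAN reported; this model counts it instead. */
static struct st_plugin_int *intern_plugin_lock(struct st_plugin_int *pi, unsigned mask)
{
    if (pi == NULL) { null_locks++; return NULL; }
    if (!(pi->state & mask)) return NULL;
    pi->ref_count++;
    return pi;
}

/* THD::init -> plugin_thdvar_init(): a new session locks the global default
 * engine with state_mask 14 (DELETED|UNINITIALIZED|READY under the assumed
 * values), the call seen in frame #0 of the trace. */
static void thd_create(void) { intern_plugin_lock(global_table_plugin, 14); }

static void spider_db_done_buggy(void) { thd_create(); } /* deinit creates a THD */
static void spider_db_done_fixed(void) { }               /* MDEV-27575: it does not */

/* plugin_shutdown(): a plugin still referenced by a global variable cannot be
 * reaped, so the global refs are released (and set to NULL) first; only then
 * does reap_plugins() run that plugin's deinit, which now finds no engine. */
static int plugin_shutdown(void (*spider_deinit)(void))
{
    spider.state = PLUGIN_IS_READY; spider.ref_count = 1;      /* fresh server state */
    global_table_plugin = &spider;  null_locks = 0;
    spider.state = PLUGIN_IS_DELETED;               /* mark every READY plugin */
    if (spider.ref_count) {                         /* unlock_variables() */
        spider.ref_count--;
        global_table_plugin = NULL;
    }
    if (spider.state == PLUGIN_IS_DELETED && !spider.ref_count) {
        spider.state = PLUGIN_IS_DYING;             /* reap_plugins() */
        spider_deinit();                            /* ha_finalize_handlerton() */
    }
    return null_locks;                              /* > 0: the real server segfaults */
}
```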


            holyfoot Alexey Botchkov added a comment -

            ok to push.
            ycp Yuchen Pei added a comment -

            Thanks for the review.

            Pushing 9656573376516807b41066dd5f0ff7fa316946fc to 10.4.

            There's no conflict when cherry-picked to higher versions, but 10.11
            requires a slightly different patch (see my previous comment).


            People

              ycp Yuchen Pei
              Roel Roel Van de Paar