[MDEV-27902] Spider: Crashes, asserts, hangs, memory corruptions and ASAN heap-use-after-free's - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2, 11.4, 11.5(EOL), 11.6
Fix Version/s: 10.5.26, 10.6.19, 10.11.9, 11.1.6, 11.2.5, 11.4.3
Component/s: Locking, Storage Engine - Spider, XA
Labels:
- ASAN
- affects-tests
- hang
- locking
- memory_corruption
- mutex
- regression-10.4

Description

Very lightly sporadic. Repeat 1-2 times. This testcase seems to highlight some serious locking, isolation and ownership issues in Spider code.

INSTALL PLUGIN spider SONAME 'ha_spider.so';

CREATE TABLE t (c INT) ENGINE=Spider;

HANDLER t OPEN;

HANDLER t READ next;

dummy;

HANDLER t READ next;

Leads to:

10.9.0 b5852ffbeebc3000982988383daeefb0549e058a (Optimized)
mysqld: ../nptl/pthread_mutex_lock.c:81: __pthread_mutex_lock: Assertion `mutex->__data.__owner == 0' failed.

10.9.0 b5852ffbeebc3000982988383daeefb0549e058a (Optimized)
Core was generated by `/test/MD140222-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x14bc3c125700 (LWP 4096750))]
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x000014bc5b1a5859 in __GI_abort () at abort.c:79
#2 0x000014bc5b1a5729 in __assert_fail_base (fmt=0x14bc5b33b588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x14bc5b6c362d "mutex->__data.__owner == 0", file=0x14bc5b6c35fa "../nptl/pthread_mutex_lock.c", line=81, function=<optimized out>) at assert.c:92
#3 0x000014bc5b1b6f36 in __GI___assert_fail (assertion=assertion@entry=0x14bc5b6c362d "mutex->__data.__owner == 0", file=file@entry=0x14bc5b6c35fa "../nptl/pthread_mutex_lock.c", line=line@entry=81, function=function@entry=0x14bc5b6c3790 <__PRETTY_FUNCTION__.10174> "__pthread_mutex_lock") at assert.c:101
#4 0x000014bc5b6b7164 in __GI___pthread_mutex_lock (mutex=mutex@entry=0x14bb7c05f5d0) at ../nptl/pthread_mutex_lock.c:81
#5 0x000055da414f4ccf in psi_mutex_lock (that=that@entry=0x14bb7c05f5d0, file=file@entry=0x14bc341ab2a0 "/test/10.9_opt/storage/spider/spd_db_conn.cc", line=line@entry=10616) at /test/10.9_opt/mysys/my_thr_init.c:489
#6 0x000014bc340ffa21 in inline_mysql_mutex_lock (src_file=0x14bc341ab2a0 "/test/10.9_opt/storage/spider/spd_db_conn.cc", src_line=10616, that=0x14bb7c05f5d0) at /test/10.9_opt/include/mysql/psi/mysql_thread.h:746
#7 spider_db_open_handler (spider=spider@entry=0x14bb7c023810, conn=0x14bb7c05f578, link_idx=link_idx@entry=0) at /test/10.9_opt/storage/spider/spd_db_conn.cc:10616
#8 0x000014bc3416a228 in ha_spider::rnd_handler_init (this=0x14bb7c023810) at /test/10.9_opt/storage/spider/ha_spider.cc:10732
#9 ha_spider::rnd_handler_init (this=0x14bb7c023810) at /test/10.9_opt/storage/spider/ha_spider.cc:10700
#10 0x000014bc34170e27 in ha_spider::rnd_next_internal (this=0x14bb7c023810, buf=0x14bb7c0233f8 "\377") at /test/10.9_opt/storage/spider/ha_spider.cc:5947
#11 0x000055da4188a777 in handler::ha_rnd_next (this=0x14bb7c023810, buf=0x14bb7c0233f8 "\377") at /test/10.9_opt/sql/handler.cc:3393
#12 0x000055da415f8959 in mysql_ha_read (thd=thd@entry=0x14bb7c000c58, tables=tables@entry=0x14bb7c010a08, mode=<optimized out>, keyname=0x0, key_expr=<optimized out>, ha_rkey_mode=HA_READ_KEY_EXACT, cond=0x0, select_limit_cnt=1, offset_limit_cnt=0) at /test/10.9_opt/sql/sql_handler.cc:923
#13 0x000055da4163f8d6 in mysql_execute_command (thd=0x14bb7c000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.9_opt/sql/sql_limit.h:87
#14 0x000055da4162d086 in mysql_parse (thd=0x14bb7c000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:8027
#15 0x000055da41639235 in dispatch_command (command=COM_QUERY, thd=0x14bb7c000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.9_opt/sql/sql_class.h:1362
#16 0x000055da4163b427 in do_command (thd=0x14bb7c000c58, blocking=blocking@entry=true) at /test/10.9_opt/sql/sql_parse.cc:1402
#17 0x000055da4175ad77 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/10.9_opt/sql/sql_connect.cc:1418
#18 0x000055da4175b0bd in handle_one_connection (arg=arg@entry=0x55da450b0888) at /test/10.9_opt/sql/sql_connect.cc:1312
#19 0x000055da41ad47b1 in pfs_spawn_thread (arg=0x55da450459a8) at /test/10.9_opt/storage/perfschema/pfs.cc:2201
#20 0x000014bc5b6b4609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#21 0x000014bc5b2a2293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.9.0 b5852ffbeebc3000982988383daeefb0549e058a (Debug)
Core was generated by `/test/MD140222-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00001535cfedf107 in spider_db_open_handler (
spider=spider@entry=0x1535b407c920, conn=0x1535b408d8d8,
link_idx=link_idx@entry=0)
at /test/10.9_dbg/storage/spider/spd_db_conn.cc:10613
[Current thread is 1 (Thread 0x1535fc167700 (LWP 3916172))]
(gdb) bt
#0 0x00001535cfedf107 in spider_db_open_handler (spider=spider@entry=0x1535b407c920, conn=0x1535b408d8d8, link_idx=link_idx@entry=0) at /test/10.9_dbg/storage/spider/spd_db_conn.cc:10613
#1 0x00001535cff40096 in ha_spider::rnd_handler_init (this=this@entry=0x1535b407c920) at /test/10.9_dbg/storage/spider/ha_spider.cc:10732
#2 0x00001535cff4a615 in ha_spider::rnd_next_internal (this=this@entry=0x1535b407c920, buf=buf@entry=0x1535b4030878 "\377") at /test/10.9_dbg/storage/spider/ha_spider.cc:5947
#3 0x00001535cff4b80e in ha_spider::rnd_next (this=0x1535b407c920, buf=0x1535b4030878 "\377") at /test/10.9_dbg/storage/spider/ha_spider.cc:6310
#4 0x0000561e51b2b041 in handler::ha_rnd_next (this=0x1535b407c920, buf=0x1535b4030878 "\377") at /test/10.9_dbg/sql/handler.cc:3393
#5 0x0000561e517c8788 in mysql_ha_read (thd=thd@entry=0x1535b4000db8, tables=tables@entry=0x1535b4013f28, mode=<optimized out>, keyname=0x0, key_expr=<optimized out>, ha_rkey_mode=HA_READ_KEY_EXACT, cond=0x0, select_limit_cnt=1, offset_limit_cnt=0) at /test/10.9_dbg/sql/sql_handler.cc:923
#6 0x0000561e518226d5 in mysql_execute_command (thd=thd@entry=0x1535b4000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.9_dbg/sql/sql_limit.h:87
#7 0x0000561e5180a315 in mysql_parse (thd=thd@entry=0x1535b4000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1535fc166400) at /test/10.9_dbg/sql/sql_parse.cc:8027
#8 0x0000561e51818fb1 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1535b4000db8, packet=packet@entry=0x1535b400b889 "", packet_length=packet_length@entry=19, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_class.h:1362
#9 0x0000561e5181c3f8 in do_command (thd=0x1535b4000db8, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:1402
#10 0x0000561e51996fc4 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x561e5509a888, put_in_cache=put_in_cache@entry=true) at /test/10.9_dbg/sql/sql_connect.cc:1418
#11 0x0000561e519975c9 in handle_one_connection (arg=arg@entry=0x561e5509a888) at /test/10.9_dbg/sql/sql_connect.cc:1312
#12 0x0000561e51e1dd67 in pfs_spawn_thread (arg=0x561e54fadc78) at /test/10.9_dbg/storage/perfschema/pfs.cc:2201
#13 0x000015361cf12609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#14 0x000015361cb00293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.4.23 12cad0c3468d734e041d4ef0cd5a26d2a28606fc (Optimized)
Core was generated by `/test/MD290122-mariadb-10.4.23-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000147678056456 in spider_check_and_set_trx_isolation (
conn=0x1476300611c8, need_mon=0x14763005fb68)
at /test/10.4_opt/storage/spider/spd_trx.cc:1593
[Current thread is 1 (Thread 0x147684058700 (LWP 3970406))]
(gdb) bt
#0 0x0000147678056456 in spider_check_and_set_trx_isolation (conn=0x1476300611c8, need_mon=0x14763005fb68) at /test/10.4_opt/storage/spider/spd_trx.cc:1593
#1 0x00001476780b900c in ha_spider::external_lock (this=0x147630058830, thd=0x147630000c48, lock_type=0) at /test/10.4_opt/storage/spider/ha_spider.cc:1370
#2 0x000055c8a7161a8d in handler::ha_external_lock (this=0x147630058830, thd=thd@entry=0x147630000c48, lock_type=lock_type@entry=0) at /test/10.4_opt/sql/handler.cc:6506
#3 0x000055c8a725d2d9 in lock_external (count=<optimized out>, tables=0x147630061d98, thd=0x147630000c48) at /test/10.4_opt/sql/lock.cc:393
#4 mysql_lock_tables (thd=thd@entry=0x147630000c48, sql_lock=0x147630061d68, flags=<optimized out>) at /test/10.4_opt/sql/lock.cc:338
#5 0x000055c8a6f0e6d6 in mysql_ha_read (thd=thd@entry=0x147630000c48, tables=tables@entry=0x147630010150, mode=RNEXT, keyname=0x0, key_expr=0x0, ha_rkey_mode=HA_READ_KEY_EXACT, cond=0x0, select_limit_cnt=1, offset_limit_cnt=0) at /test/10.4_opt/sql/sql_handler.cc:819
#6 0x000055c8a6f4b081 in mysql_execute_command (thd=0x147630000c48) at /test/10.4_opt/sql/sql_parse.cc:5676
#7 0x000055c8a6f500b7 in mysql_parse (thd=0x147630000c48, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.4_opt/sql/sql_parse.cc:7995
#8 0x000055c8a6f5272d in dispatch_command (command=COM_QUERY, thd=0x147630000c48, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.4_opt/sql/sql_class.h:1201
#9 0x000055c8a6f54d9e in do_command (thd=0x147630000c48) at /test/10.4_opt/sql/sql_parse.cc:1373
#10 0x000055c8a704abbe in do_handle_one_connection (connect=connect@entry=0x55c8a93a0c08) at /test/10.4_opt/sql/sql_connect.cc:1420
#11 0x000055c8a704acef in handle_one_connection (arg=0x55c8a93a0c08) at /test/10.4_opt/sql/sql_connect.cc:1316
#12 0x000014768db38609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#13 0x000014768d726293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.5.14 059a8fd87eb900a5a12185b1963e5623df874c21 (Optimized)
mysqld: ../nptl/pthread_mutex_lock.c:81: __pthread_mutex_lock: Assertion `mutex->__data.__owner == 0' failed.

10.5.14 059a8fd87eb900a5a12185b1963e5623df874c21 (Optimized)
Core was generated by `/test/MD290122-mariadb-10.5.14-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x1527b4958700 (LWP 3916429))]
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00001527beda4859 in __GI_abort () at abort.c:79
#2 0x00001527beda4729 in __assert_fail_base (fmt=0x1527bef3a588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x1527bf2c262d "mutex->__data.__owner == 0", file=0x1527bf2c25fa "../nptl/pthread_mutex_lock.c", line=81, function=<optimized out>) at assert.c:92
#3 0x00001527bedb5f36 in __GI___assert_fail (assertion=assertion@entry=0x1527bf2c262d "mutex->__data.__owner == 0", file=file@entry=0x1527bf2c25fa "../nptl/pthread_mutex_lock.c", line=line@entry=81, function=function@entry=0x1527bf2c2790 <__PRETTY_FUNCTION__.10174> "__pthread_mutex_lock") at assert.c:101
#4 0x00001527bf2b6164 in __GI___pthread_mutex_lock (mutex=mutex@entry=0x15271c05c900) at ../nptl/pthread_mutex_lock.c:81
#5 0x00001527b41230d2 in inline_mysql_mutex_lock (src_file=0x1527b41b12a0 "/test/10.5_opt/storage/spider/spd_db_conn.cc", src_line=12442, that=<optimized out>) at /test/10.5_opt/include/mysql/psi/mysql_thread.h:752
#6 spider_db_open_handler (spider=spider@entry=0x15271c028f80, conn=0x15271c05c8a8, link_idx=link_idx@entry=0) at /test/10.5_opt/storage/spider/spd_db_conn.cc:12442
#7 0x00001527b4165728 in ha_spider::rnd_handler_init (this=0x15271c028f80) at /test/10.5_opt/storage/spider/ha_spider.cc:13654
#8 ha_spider::rnd_handler_init (this=0x15271c028f80) at /test/10.5_opt/storage/spider/ha_spider.cc:13620
#9 0x00001527b416c9a7 in ha_spider::rnd_next_internal (this=0x15271c028f80, buf=0x15271c024618 "\377") at /test/10.5_opt/storage/spider/ha_spider.cc:7448
#10 0x000055a4bc199fd7 in handler::ha_rnd_next (this=0x15271c028f80, buf=0x15271c024618 "\377") at /test/10.5_opt/sql/handler.cc:3080
#11 0x000055a4bbf3b897 in mysql_ha_read (thd=thd@entry=0x15271c000c58, tables=tables@entry=0x15271c010568, mode=<optimized out>, keyname=0x0, key_expr=<optimized out>, ha_rkey_mode=HA_READ_KEY_EXACT, cond=0x0, select_limit_cnt=1, offset_limit_cnt=0) at /test/10.5_opt/sql/sql_handler.cc:911
#12 0x000055a4bbf80cf1 in mysql_execute_command (thd=0x15271c000c58) at /test/10.5_opt/sql/sql_limit.h:71
#13 0x000055a4bbf6ebf3 in mysql_parse (thd=0x15271c000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_parse.cc:8100
#14 0x000055a4bbf7ba0d in dispatch_command (command=COM_QUERY, thd=0x15271c000c58, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_class.h:1290
#15 0x000055a4bbf7e1e2 in do_command (thd=0x15271c000c58) at /test/10.5_opt/sql/sql_parse.cc:1370
#16 0x000055a4bc085d41 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55a4bfe3f158, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1418
#17 0x000055a4bc0861bd in handle_one_connection (arg=arg@entry=0x55a4bfe3f158) at /test/10.5_opt/sql/sql_connect.cc:1312
#18 0x000055a4bc41aec2 in pfs_spawn_thread (arg=0x55a4bfdad558) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
#19 0x00001527bf2b3609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#20 0x00001527beea1293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.4.23 (dbg), 10.4.23 (opt), 10.5.14 (dbg), 10.5.14 (opt), 10.6.6 (dbg), 10.6.6 (opt), 10.7.2 (dbg), 10.7.2 (opt), 10.8.1 (dbg), 10.8.1 (opt), 10.9.0 (dbg), 10.9.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.36 (dbg), 5.7.36 (opt), 8.0.27 (dbg), 8.0.27 (opt)

Possibly present in 10.2 and 10.3 also.

Attachments

Issue Links

relates to

MDEV-28683 Spider: SIGSEGV in spider_db_direct_delete, SIGSEGV in spider_db_connect, ASAN: heap-use-after-free in spider_db_direct_delete

Closed

MDEV-28775 Implement connection manager in Spider

Stalled

MDEV-29002 ASAN errors in spider_conn_queue_and_merge_loop_check

Closed

MDEV-29962 SIGSEGV in ha_spider::lock_tables on BEGIN after table lock

Closed

MDEV-31996 Segfault when setting spider_delete_all_rows to 0 and delete all rows of a spider table, ASAN heap-use-after-free in spider_db_delete_all_rows

Closed

MDEV-32492 SIGSEGV in spider_conn_first_link_idx and others on DELETE, INSERT and SELECT

Closed

MDEV-34849 SIGSEGV in server_mysql_real_connect, spider_db_connect, __strcmp_evex and __strnlen_evex, ASAN heap-use-after-free in spider_db_connect on INSERT

Confirmed

split to

MDEV-34555 SIGSEGV in spider_conn_queue_and_merge_loop_check, and ASAN: heap-use-after-free in spider_conn_reset_queue_loop_check

Closed

(2 relates to, 1 split to)

Activity

People

Assignee:: Yuchen Pei

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2022-02-20 21:56

Updated:: 2024-08-31 06:29

Resolved:: 2024-07-16 09:14

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.