  1. MariaDB Server
  2. MDEV-32155

MariaDB Server crashes with ill-formed partitions

Details

    Description

      The latest version of MariaDB Server (Git commit hash: `e987b9350cb83038c73`) crashes when executing the following query:

      drop database if exists test;
      create database test;
      use test;
      CREATE TABLE IF NOT EXISTS v0 ( c1 SET ( 'abc' ) BINARY UNICODE ) PARTITION BY LINEAR HASH ( c1 MOD c1 ) PARTITIONS 0x100 ;
      ALTER TABLE v0 CHECK PARTITION ALL FOR UPGRADE ;
      ALTER TABLE v0 LOCK SHARED , ORDER BY v0 ;
      

      Here is a crashing stack trace:

      (gdb) bt
      #0  0x0000aaaada90e030 in ha_partition::create_handlers (mem_root=0xffff8412ceb0, this=0xffff280caa90) at /home/mysql/mariadb/sql/ha_partition.cc:3034
      #1  ha_partition::create_handlers (this=0xffff280caa90, mem_root=0xffff8412ceb0) at /home/mysql/mariadb/sql/ha_partition.cc:3015
      #2  0x0000aaaada90e2b0 in ha_partition::setup_engine_array (this=0xffff280caa90, mem_root=0xffff8412ceb0, first_engine=0xaaaae03f49c8)
          at /home/mysql/mariadb/sql/ha_partition.cc:3271
      #3  0x0000aaaada90f310 in ha_partition::initialize_partition (this=0xffff280caa90, mem_root=<optimized out>) at /home/mysql/mariadb/sql/ha_partition.cc:569
      #4  0x0000aaaada9108fc in partition_create_handler (hton=0xaaaae03e1108, share=0xffff8412ce28, mem_root=0xffff8412ceb0) at /home/mysql/mariadb/sql/ha_partition.cc:264
      #5  0x0000aaaada7220d0 in get_new_handler (share=share@entry=0xffff8412ce28, alloc=0xffff8412ceb0, db_type=<optimized out>) at /home/mysql/mariadb/sql/handler.cc:384
      #6  0x0000aaaada5cc184 in TABLE_SHARE::init_from_binary_frm_image (this=this@entry=0xffff8412ce28, thd=thd@entry=0xffff28000c68, write=<optimized out>,
          frm_image=<optimized out>, frm_length=<optimized out>, par_image=par_image@entry=0x0, par_length=par_length@entry=0) at /home/mysql/mariadb/sql/handler.h:1717
      #7  0x0000aaaada72a780 in ha_create_table (thd=thd@entry=0xffff28000c68, path=path@entry=0xffff8412fa47 "./test/#sql-alter-5c73-3", db=0xffff28012b48 "test",
          table_name=0xffff28012400 "v0", create_info=0xffff8412fde0, create_info@entry=0xffff8412fb90, frm=frm@entry=0xffff8412d4e8, skip_frm_file=false,
          skip_frm_file@entry=64) at /home/mysql/mariadb/sql/handler.cc:6122
      #8  0x0000aaaada5a732c in mysql_alter_table (thd=thd@entry=0xffff28000c68, new_db=new_db@entry=0xffff280058b8, new_name=new_name@entry=0xffff28005d08,
          create_info=0xffff8412fb90, create_info@entry=0xffff8412fde0, table_list=<optimized out>, table_list@entry=0xffff28012438, recreate_info=0xffff00000000,
          recreate_info@entry=0xffff8412fce0, alter_info=alter_info@entry=0xffff8412fcf8, order_num=2215836944, order=<optimized out>, ignore=<optimized out>,
          if_exists=<optimized out>) at /home/mysql/mariadb/sql/sql_alter.h:298
      #9  0x0000aaaada603c94 in Sql_cmd_alter_table::execute (this=<optimized out>, thd=0xffff28000c68) at /home/mysql/mariadb/sql/structs.h:568
      #10 0x0000aaaada507028 in mysql_execute_command (thd=thd@entry=0xffff28000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)
          at /home/mysql/mariadb/sql/sql_parse.cc:5733
      #11 0x0000aaaada4f9760 in mysql_parse (thd=thd@entry=0xffff28000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>)
          at /home/mysql/mariadb/sql/sql_parse.cc:7760
      #12 0x0000aaaada50382c in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0xffff28000c68,
          packet=packet@entry=0xffff280087b9 "ALTER TABLE v0 LOCK SHARED , ORDER BY v0", packet_length=packet_length@entry=40, blocking=blocking@entry=true)
          at /home/mysql/mariadb/sql/sql_class.h:1489
      #13 0x0000aaaada505488 in do_command (thd=0xffff28000c68, blocking=blocking@entry=true) at /home/mysql/mariadb/sql/sql_parse.cc:1406
      #14 0x0000aaaada5ff814 in do_handle_one_connection (connect=<optimized out>, put_in_cache=put_in_cache@entry=true) at /home/mysql/mariadb/sql/sql_connect.cc:1445
      #15 0x0000aaaada5ffbf0 in handle_one_connection (arg=arg@entry=0xaaaae0a66aa8) at /home/mysql/mariadb/sql/sql_connect.cc:1347
      #16 0x0000aaaada917698 in pfs_spawn_thread (arg=<optimized out>) at /home/mysql/mariadb/storage/perfschema/pfs.cc:2201
      #17 0x0000ffff9ac3d624 in start_thread (arg=0xaaaada9175f8 <pfs_spawn_thread(void*)>) at pthread_create.c:477
      #18 0x0000ffff9a8cc49c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78

      Some other useful information:

      Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off,hash_join_cardinality=on,sargable_casefold=on
      

      The bug could corrupt the database, causing future MariaDB access to the same database to also crash. Therefore, I label the bug as `Critical`.

          Activity

            alice Alice Sherepa added a comment (edited)

            Thank you!
            I repeated as described on 10.4-11.3

            Version: '10.4.32-MariaDB-debug-log' 
            =================================================================
            ==1350357==ERROR: AddressSanitizer: use-after-poison on address 0x617000049cb0 at pc 0x5631cfe5b539 bp 0x7ff535bee930 sp 0x7ff535bee920
            READ of size 8 at 0x617000049cb0 thread T27
                #0 0x5631cfe5b538 in ha_partition::create_handlers(st_mem_root*) /10.4/src/sql/ha_partition.cc:2888
                #1 0x5631cfe5d763 in ha_partition::setup_engine_array(st_mem_root*, handlerton*) /10.4/src/sql/ha_partition.cc:3124
                #2 0x5631cfe5e5e0 in ha_partition::get_from_handler_file(char const*, st_mem_root*, bool) /10.4/src/sql/ha_partition.cc:3237
                #3 0x5631cfe4ae14 in ha_partition::initialize_partition(st_mem_root*) /10.4/src/sql/ha_partition.cc:512
                #4 0x5631cfe48715 in partition_create_handler /10.4/src/sql/ha_partition.cc:185
                #5 0x5631cf64accf in get_new_handler(TABLE_SHARE*, st_mem_root*, handlerton*) /10.4/src/sql/handler.cc:316
                #6 0x5631cf19e151 in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /10.4/src/sql/table.cc:2091
                #7 0x5631cf671504 in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*) /10.4/src/sql/handler.cc:5299
                #8 0x5631cf111f64 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool) /10.4/src/sql/sql_table.cc:10504
                #9 0x5631cf29e48b in Sql_cmd_alter_table::execute(THD*) /10.4/src/sql/sql_alter.cc:531
                #10 0x5631cee98c49 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:6218
                #11 0x5631ceea4794 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012
                #12 0x5631cee7abba in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
                #13 0x5631cee776e5 in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
                #14 0x5631cf28531a in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
                #15 0x5631cf284bbe in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
                #16 0x5631cff2ece7 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
                #17 0x7ff54c7c2608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
                #18 0x7ff54c393132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
             
            0x617000049cb0 is located 176 bytes inside of 652-byte region [0x617000049c00,0x617000049e8c)
            allocated by thread T27 here:
                #0 0x7ff54cdc0808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
                #1 0x5631d0ac452e in sf_malloc /10.4/src/mysys/safemalloc.c:118
                #2 0x5631d0a92a92 in my_malloc /10.4/src/mysys/my_malloc.c:101
                #3 0x5631d0a6d9db in init_alloc_root /10.4/src/mysys/my_alloc.c:85
                #4 0x5631cfe48a6c in ha_partition::ha_partition_init() /10.4/src/sql/ha_partition.cc:247
                #5 0x5631cfe48921 in ha_partition::ha_partition(handlerton*, TABLE_SHARE*) /10.4/src/sql/ha_partition.cc:238
                #6 0x5631cfe486f7 in partition_create_handler /10.4/src/sql/ha_partition.cc:184
                #7 0x5631cf64accf in get_new_handler(TABLE_SHARE*, st_mem_root*, handlerton*) /10.4/src/sql/handler.cc:316
                #8 0x5631cf19e151 in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /10.4/src/sql/table.cc:2091
                #9 0x5631cf671504 in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*) /10.4/src/sql/handler.cc:5299
                #10 0x5631cf111f64 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool) /10.4/src/sql/sql_table.cc:10504
                #11 0x5631cf29e48b in Sql_cmd_alter_table::execute(THD*) /10.4/src/sql/sql_alter.cc:531
                #12 0x5631cee98c49 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:6218
                #13 0x5631ceea4794 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012
                #14 0x5631cee7abba in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
                #15 0x5631cee776e5 in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
                #16 0x5631cf28531a in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
                #17 0x5631cf284bbe in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
                #18 0x5631cff2ece7 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
                #19 0x7ff54c7c2608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
             
            Thread T27 created by T0 here:
                #0 0x7ff54cced815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
                #1 0x5631cff2f0d8 in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919
                #2 0x5631ceb73f71 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275
                #3 0x5631ceb8c0e0 in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6287
                #4 0x5631ceb8c87b in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6357
                #5 0x5631ceb8cd61 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6455
                #6 0x5631ceb8dc1d in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6613
                #7 0x5631ceb8b7e5 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5945
                #8 0x5631ceb71f3c in main /10.4/src/sql/main.cc:25
                #9 0x7ff54c298082 in __libc_start_main ../csu/libc-start.c:308
             
            SUMMARY: AddressSanitizer: use-after-poison /10.4/src/sql/ha_partition.cc:2888 in ha_partition::create_handlers(st_mem_root*)
            Shadow bytes around the buggy address:
              0x0c2e80001340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c2e80001350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c2e80001360: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c2e80001370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c2e80001380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            =>0x0c2e80001390: 00 f7 00 00 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c2e800013a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c2e800013b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c2e800013c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c2e800013d0: f7 04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c2e800013e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
              Shadow gap:              cc
            ==1350357==ABORTING
            ----------SERVER LOG END-------------
            

            Version: '10.11.5-MariaDB'  
            230913 12:03:44 [ERROR] mysqld got signal 11 ;
             
             
            Server version: 10.11.5-MariaDB source revision: 7875294b6b74b53dd3aaa723e6cc103d2bb47b2c
             
            sql/signal_handler.cc:241(handle_fatal_signal)[0x5555f967e4c7]
            sigaction.c:0(__restore_rt)[0x7f064a938420]
            sql/ha_partition.cc:583(ha_partition::initialize_partition(st_mem_root*))[0x5555f98c1bbf]
            sql/ha_partition.cc:264(partition_create_handler(handlerton*, TABLE_SHARE*, st_mem_root*))[0x5555f98c38d2]
            sql/handler.cc:379(get_new_handler(TABLE_SHARE*, st_mem_root*, handlerton*))[0x5555f9680ef1]
            sql/table.cc:2311(TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long, unsigned char const*, unsigned long))[0x5555f951fb9e]
            sql/handler.cc:5962(ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*, bool))[0x5555f968a0bf]
            sql/sql_table.cc:10947(mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool, bool))[0x5555f94eb4b1]
            sql/sql_alter.cc:609(Sql_cmd_alter_table::execute(THD*))[0x5555f9552850]
            sql/sql_parse.cc:6025(mysql_execute_command(THD*, bool))[0x5555f943a047]
            sql/sql_parse.cc:8035(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x5555f943dd8b]
            sql/sql_parse.cc:1953(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x5555f94401c8]
            sql/sql_parse.cc:1409(do_command(THD*, bool))[0x5555f94416f3]
            sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x5555f954d5e7]
            sql/sql_connect.cc:1324(handle_one_connection)[0x5555f954d884]
            perfschema/pfs.cc:2204(pfs_spawn_thread)[0x5555f98d0d6c]
            nptl/pthread_create.c:478(start_thread)[0x7f064a92c609]
             
            Query (0x7f05f8010c20): ALTER TABLE v0 LOCK SHARED , ORDER BY v0
            

            When trying to start the server after the crash:

            230913 18:12:52 [ERROR] mysqld got signal 11 ;
             
            Server version: 10.11.5-MariaDB source revision: 7875294b6b74b53dd3aaa723e6cc103d2bb47b2c
             
            Thread pointer: 0x55d38ce34918
            sql/signal_handler.cc:241(handle_fatal_signal)[0x55d389a7e4c7]
            sigaction.c:0(__restore_rt)[0x7fcea6da8420]
            sql/ha_partition.cc:2468(ha_partition::del_ren_table(char const*, char const*))[0x55d389cc1cc2]
            sql/handler.cc:573(hton_drop_table(handlerton*, char const*))[0x55d389a8471f]
            sql/ddl_log.cc:2239(ddl_log_execute_entry_no_lock(THD*, unsigned int))[0x55d3898ff35d]
            sql/ddl_log.cc:2795(ddl_log_execute_recovery())[0x55d389900afc]
            sql/mysqld.cc:5508(init_server_components())[0x55d38973e6ba]
            sql/mysqld.cc:5838(mysqld_main(int, char**))[0x55d389745084]
            /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0x7fcea688d083]
             
            Query (0x55d38ad26d60): INTERNAL DDL LOG RECOVER IN PROGRESS
            


            People

              serg Sergei Golubchik
              luy70 Yu Liang