[MDEV-33332] SIGSEGV in buf_read_ahead_linear() when bpage is in buf_pool.watch - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.5, 10.6, 10.11
Fix Version/s: 10.5.25, 10.6.18, 10.11.8
Component/s: Storage Engine - InnoDB
Labels:
- crash
- not-11.0

Description

mleich reported a crash while testing ~~MDEV-32898~~:

bb-10.6-MDEV-32898-pkgtest 7a77e04d87c81e386fecffe3b56320cb0be29671
#4 0x000055af192f2791 in handle_fatal_signal (sig=11) at /data/Server/bb-10.6-MDEV-32898-pkgtest/sql/signal_handler.cc:357
#5 <signal handler called>
#6 mach_read_from_4 (b=0x8 <error: Cannot access memory at address 0x8>) at /data/Server/bb-10.6-MDEV-32898-pkgtest/storage/innobase/include/mach0data.inl:179
#7 buf_read_ahead_linear (page_id=..., zip_size=zip_size@entry=0, ibuf=ibuf@entry=false) at /data/Server/bb-10.6-MDEV-32898-pkgtest/storage/innobase/buf/buf0rea.cc:597
#8 0x000055af198d0aa7 in btr_cur_t::open_leaf (this=this@entry=0x7f255001faf8, first=first@entry=true, index=index@entry=0x7f2598081d50, latch_mode=latch_mode@entry=BTR_SEARCH_LEAF, mtr=mtr@entry=0x7f25c43c1ea0)
at /data/Server/bb-10.6-MDEV-32898-pkgtest/storage/innobase/btr/btr0cur.cc:2056
#9 0x000055af19813276 in btr_pcur_t::open_leaf (mtr=0x7f25c43c1ea0, latch_mode=BTR_SEARCH_LEAF, index=0x7f2598081d50, first=true, this=0x7f255001faf8)
at /data/Server/bb-10.6-MDEV-32898-pkgtest/storage/innobase/include/btr0pcur.h:393
#10 row_search_mvcc (buf=buf@entry=0x7f255001c520 "\377\377\377", mode=PAGE_CUR_G, prebuilt=<optimized out>, match_mode=<optimized out>, direction=direction@entry=0)
at /data/Server/bb-10.6-MDEV-32898-pkgtest/storage/innobase/row/row0sel.cc:4840

I checked the core dump, and bpage is pointing to the last element of buf_pool.watch, which is dummy block descriptors related to the change buffer, causing the frame address to be a null pointer.

This does not affect MariaDB Server 11.0 or later because ~~MDEV-29694~~ removed that code.

It looks like in this function we are missing a call to buf_pool.watch_is_sentinel(bpage) here, similar to what we have in buf_page_init_for_read(). This bug could have been introduced in ~~MDEV-15053~~ when some contention on buf_pool.mutex was removed.

Attachments

Issue Links

is caused by

MDEV-15053 Reduce buf_pool_t::mutex contention

Closed

Activity

People

Assignee:: Marko Mäkelä

Reporter:: Marko Mäkelä

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2024-01-30 16:22

Updated:: 2024-02-13 14:00

Resolved:: 2024-02-13 14:00

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.