[MDEV-33464] Crash when innodb_max_undo_log_size is set to innodb_page_size*4294967296 - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.6, 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4
Fix Version/s: 10.11.8, 10.6.18, 11.0.6, 11.1.5, 11.2.4, 11.4.2
Component/s: Storage Engine - InnoDB
Labels:
- debug
- regression

Description

SET @@GLOBAL.innodb_max_undo_log_size=70368744177664;

SET @@global.innodb_undo_log_truncate=1;

Leads to

11.3.2 d21cb43db1b020e5f29e68e4f38e6dc03b06f8e4 (Debug)
mariadbd: /test/mtest/server_dbg/storage/innobase/mtr/mtr0mtr.cc:529: void mtr_t::commit_shrink(fil_space_t&, uint32_t): Assertion `!space.id \|\| m_made_dirty' failed.

11.3.2 d21cb43db1b020e5f29e68e4f38e6dc03b06f8e4 (Debug)
Core was generated by `/test/mtest/MD140224-mariadb-11.3.2-linux-x86_64-dbg/bin/mariadbd --no-defaults'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x14fa393f0700 (LWP 2036753))]
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x000014fa5d36d859 in __GI_abort () at abort.c:79
#2 0x000014fa5d36d729 in __assert_fail_base (fmt=0x14fa5d503588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55974828d157 "!space.id \|\| m_made_dirty", file=0x55974828ecd0 "/test/mtest/server_dbg/storage/innobase/mtr/mtr0mtr.cc", line=529, function=<optimized out>) at assert.c:92
#3 0x000014fa5d37efd6 in __GI___assert_fail (assertion=assertion@entry=0x55974828d157 "!space.id \|\| m_made_dirty", file=file@entry=0x55974828ecd0 "/test/mtest/server_dbg/storage/innobase/mtr/mtr0mtr.cc", line=line@entry=529, function=function@entry=0x55974828dd60 "void mtr_t::commit_shrink(fil_space_t&, uint32_t)") at assert.c:101
#4 0x0000559747ac70e5 in mtr_t::commit_shrink (this=this@entry=0x14fa393ef790, space=Python Exception <class 'AttributeError'> 'NoneType' object has no attribute 'pointer':
@0x55974a26b918: {<ilist_node<unflushed_spaces_tag_t>> = {next = 0x0, prev = 0x0}, <ilist_node<default_encrypt_tag_t>> = {next = 0x0, prev = 0x0}, <ilist_node<space_list_tag_t>> = {next = 0x55974a26bb08, prev = 0x55974a13eea8}, <ilist_node<named_spaces_tag_t>> = {next = 0x0, prev = 0x0}, hash = 0x0, max_lsn = 0, id = 1, purpose = FIL_TYPE_TABLESPACE, chain = {count = 1, start = 0x55974a26ba78, end = 0x55974a26ba78, node = &fil_node_t::chain, init = 51966}, size = 640, size_in_header = 640, free_len = 4, free_limit = 320, recv_size = 0, n_reserved_extents = 0, committed_size = {m = {<std::__atomic_base<unsigned int>> = {static _S_alignment = 4, _M_i = 640}, <No data fields>}}, n_pending = {<std::__atomic_base<unsigned int>> = {static _S_alignment = 4, _M_i = 0}, <No data fields>}, static STOPPING_READS = 2147483648, static STOPPING_WRITES = 1073741824, static STOPPING = 3221225472, static CLOSING = 536870912, static NEEDS_FSYNC = 268435456, static PENDING = 268435455, latch = {pfs_psi = 0x0, lock = {writer = {lock = {<std::__atomic_base<unsigned int>> = {static _S_alignment = 4, _M_i = 2147483649}, <No data fields>}, static HOLDER = 2147483648}, readers = {<std::__atomic_base<unsigned int>> = {static _S_alignment = 4, _M_i = 2147483648}, <No data fields>}, static WRITER = 2147483648}}, latch_owner = 23064934811392, latch_count = {m = {<std::__atomic_base<unsigned int>> = {static _S_alignment = 4, _M_i = 1}, <No data fields>}}, crypt_data = 0x0, is_in_unflushed_spaces = false, is_in_default_encrypt = false, is_corrupted = {<std::__atomic_flag_base> = {_M_i = false}, <No data fields>}, freed_range_mutex = {<std::__mutex_base> = {_M_mutex = pthread_mutex_t = {
Type = Normal,
Status = Not acquired,
Robust = No,
Shared = No,
Protocol = None
}}, <No data fields>}, freed_ranges = {ranges = std::set with 0 elements}, last_freed_lsn = 0, create_lsn = 62465, flags = 21}, size=size@entry=640) at /test/mtest/server_dbg/storage/innobase/mtr/mtr0mtr.cc:529
#5 0x0000559747c02538 in trx_purge_truncate_history () at /test/mtest/server_dbg/storage/innobase/trx/trx0purge.cc:817
#6 0x0000559747bee5b3 in purge_coordinator_state::do_purge (this=0x559749340210 <purge_state>) at /test/mtest/server_dbg/storage/innobase/srv/srv0srv.cc:1414
#7 purge_coordinator_callback () at /test/mtest/server_dbg/storage/innobase/srv/srv0srv.cc:1496
#8 0x0000559747dd3ed5 in tpool::task_group::execute (this=0x5597493400a0 <purge_coordinator_task_group>, t=t@entry=0x559749340000 <purge_coordinator_task>) at /test/mtest/server_dbg/tpool/task_group.cc:70
#9 0x0000559747dd3f5d in tpool::task::execute (this=0x559749340000 <purge_coordinator_task>) at /test/mtest/server_dbg/tpool/task.cc:32
#10 0x0000559747dd181b in tpool::thread_pool_generic::worker_main (this=0x559749fbf850, thread_var=0x559749fbfe10) at /test/mtest/server_dbg/tpool/tpool_generic.cc:583
#11 0x0000559747dd2fa2 in std::__invoke_impl<void, void (tpool::thread_pool_generic::)(tpool::worker_data), tpool::thread_pool_generic, tpool::worker_data> (__t=<optimized out>, __f=<optimized out>) at /usr/include/c++/9/bits/invoke.h:89
#12 std::__invoke<void (tpool::thread_pool_generic::)(tpool::worker_data), tpool::thread_pool_generic, tpool::worker_data> (__fn=<optimized out>) at /usr/include/c++/9/bits/invoke.h:95
#13 std::thread::_Invoker<std::tuple<void (tpool::thread_pool_generic::)(tpool::worker_data), tpool::thread_pool_generic, tpool::worker_data> >::_M_invoke<0ul, 1ul, 2ul> (this=<optimized out>) at /usr/include/c++/9/thread:244
#14 std::thread::_Invoker<std::tuple<void (tpool::thread_pool_generic::)(tpool::worker_data), tpool::thread_pool_generic, tpool::worker_data> >::operator() (this=<optimized out>) at /usr/include/c++/9/thread:251
#15 std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (tpool::thread_pool_generic::)(tpool::worker_data), tpool::thread_pool_generic, tpool::worker_data> > >::_M_run (this=<optimized out>) at /usr/include/c++/9/thread:195
#16 0x000014fa5d764de4 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#17 0x000014fa5d87e609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x000014fa5d46a133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Attachments

Issue Links

is caused by

MDEV-33213 History list is not shrunk unless there is a pause in the workload

Closed

Activity

Ascending order - Click to sort in descending order

Marko Mäkelä added a comment - 2024-02-15 08:34

I can reproduce this on a 32-bit build of MariaDB Server 10.6 or any build of MariaDB Server 10.11 or later. I could not reproduce this on a 32-bit build of MariaDB Server 10.5. For releases earlier than 11.0 (and ~~MDEV-29986~~), we must also set innodb_undo_tablespaces to at least 2 in order for this code to be executed. The fix is simple:

diff --git a/storage/innobase/trx/trx0purge.cc b/storage/innobase/trx/trx0purge.cc

index f3c0adfef24..d142384e266 100644

--- a/storage/innobase/trx/trx0purge.cc

+++ b/storage/innobase/trx/trx0purge.cc

@@ -669,7 +669,9 @@ fil_space_t *purge_sys_t::truncating_tablespace()

   if (space || srv_undo_tablespaces_active < 2 || !srv_undo_log_truncate)

     return space;

-  const ulint size= ulint(srv_max_undo_log_size >> srv_page_size_shift);

+  const uint32_t size=

+    uint32_t(std::min((1ULL << 32) - 1,

+                      srv_max_undo_log_size >> srv_page_size_shift));

   for (ulint i= truncate_undo_space.last, j= i;; )

     if (fil_space_t *s= undo_truncate_try(srv_undo_space_id_start + i, size))

The problem is that when innodb_max_undo_log_size=innodb_page_size*2³², the size would evaluate to 0, which would be less than the minimum value 10 MiB (640 pages when using the default innodb_page_size=16k).

Starting with 10.11, also 64-bit builds are affected by this bug, because the variable size would be declared as uint32_t due to the clean-up ~~MDEV-26195~~.

Marko Mäkelä added a comment - 2024-02-15 08:34 I can reproduce this on a 32-bit build of MariaDB Server 10.6 or any build of MariaDB Server 10.11 or later. I could not reproduce this on a 32-bit build of MariaDB Server 10.5. For releases earlier than 11.0 (and MDEV-29986 ), we must also set innodb_undo_tablespaces to at least 2 in order for this code to be executed. The fix is simple: diff --git a/storage/innobase/trx/trx0purge.cc b/storage/innobase/trx/trx0purge.cc index f3c0adfef24..d142384e266 100644 --- a/storage/innobase/trx/trx0purge.cc +++ b/storage/innobase/trx/trx0purge.cc @@ -669,7 +669,9 @@ fil_space_t *purge_sys_t::truncating_tablespace() if (space || srv_undo_tablespaces_active < 2 || !srv_undo_log_truncate) return space; - const ulint size= ulint(srv_max_undo_log_size >> srv_page_size_shift); + const uint32_t size= + uint32_t(std::min((1ULL << 32) - 1, + srv_max_undo_log_size >> srv_page_size_shift)); for (ulint i= truncate_undo_space.last, j= i;; ) { if (fil_space_t *s= undo_truncate_try(srv_undo_space_id_start + i, size)) The problem is that when innodb_max_undo_log_size=innodb_page_size *2³², the size would evaluate to 0, which would be less than the minimum value 10 MiB (640 pages when using the default innodb_page_size=16k ). Starting with 10.11, also 64-bit builds are affected by this bug, because the variable size would be declared as uint32_t due to the clean-up MDEV-26195 .

Debarun Banerjee added a comment - 2024-02-15 10:36

Thanks, Looks good to me.

Debarun Banerjee added a comment - 2024-02-15 10:36 Thanks, Looks good to me.

MariaDB Server

Crash when innodb_max_undo_log_size is set to innodb_page_size*4294967296

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration