  1. MariaDB Server
  2. MDEV-34142

Server crashes in create_internal_tmp_table with low tmp space limit


Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Fixed
    • N/A
    • 11.5.1
    • Server
    • None

    Description

      Note: It is possible that the issue is limited to very low max_tmp_xxx_space_usage values. If so, it can be downgraded to a lower priority.

      # Reproducer in mysqltest format. The include below is needed because the
      # script reads from the seq_1_to_N sequence tables.
      --source include/have_sequence.inc
       
      # One wide column: varchar(1024) in utf8mb3 allows up to 3 bytes per character.
      CREATE TABLE t1 (a varchar(1024)) DEFAULT CHARACTER SET utf8mb3;
      # Fill t1 with 50 rows, each holding the single character 'x'.
      INSERT INTO t1 SELECT 'x' FROM seq_1_to_50;
       
      # Set the session temporary-space limit to 128 KiB and the HEAP table size
      # limit to 16 MiB. The issue title attributes the crash to the low tmp
      # space limit.
      SET MAX_TMP_SESSION_SPACE_USAGE = 128*1024, MAX_HEAP_TABLE_SIZE= 16*1024*1024;
       
      # Statement that crashes the server (it is the packet shown in the non-debug
      # backtrace). Each side joins t1 to seq_1_to_200 without a join condition.
      # NOTE(review): the ASAN stack goes through create_internal_tmp_table_from_heap,
      # which looks like the in-memory result table being converted to an internal
      # on-disk table; confirm against sql_select.cc.
      SELECT * FROM t1 JOIN seq_1_to_200 INTERSECT ALL SELECT * FROM t1 JOIN seq_1_to_200;
       
      # Cleanup
      DROP TABLE t1;
      

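      Branch bb-11.5-MDEV-9101-max-tmp-space-used, commit a33f528d52c8d9d17b858c9c5a4dac65ec147dce, ASAN build. In the report below, a 56-byte memset in create_internal_tmp_table writes into a region that was allocated through multi_alloc_root in Create_tmp_table::start and is marked "Poisoned by user" (shadow byte f7).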

      ==801210==ERROR: AddressSanitizer: use-after-poison on address 0x621000111a10 at pc 0x7fe1b8047681 bp 0x7fe1ad5f9790 sp 0x7fe1ad5f8f40
      WRITE of size 56 at 0x621000111a10 thread T5
          #0 0x7fe1b8047680 in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799
          #1 0x5597b44bb6bc in create_internal_tmp_table(TABLE*, st_key*, st_maria_columndef*, st_maria_columndef**, unsigned long long) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_select.cc:22394
          #2 0x5597b44bd770 in create_internal_tmp_table_from_heap(THD*, TABLE*, st_maria_columndef*, st_maria_columndef**, int, bool, bool*) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_select.cc:22734
          #3 0x5597b467b949 in select_unit::write_record() /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_union.cc:430
          #4 0x5597b467beda in select_unit_ext::unfold_record(unsigned long long) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_union.cc:511
          #5 0x5597b467f627 in select_unit_ext::send_eof() /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_union.cc:876
          #6 0x5597b44c14c0 in do_select /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_select.cc:23177
          #7 0x5597b443f96f in JOIN::exec_inner() /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_select.cc:4991
          #8 0x5597b443ccf9 in JOIN::exec() /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_select.cc:4774
          #9 0x5597b468d5db in st_select_lex_unit::exec_inner() /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_union.cc:2388
          #10 0x5597b468c095 in st_select_lex_unit::exec() /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_union.cc:2292
          #11 0x5597b4677cb1 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_union.cc:45
          #12 0x5597b440fef1 in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_select.cc:620
          #13 0x5597b4334826 in execute_sqlcom_select /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_parse.cc:6094
          #14 0x5597b4324b3e in mysql_execute_command(THD*, bool) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_parse.cc:3943
          #15 0x5597b433f68e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_parse.cc:7814
          #16 0x5597b4316b21 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_parse.cc:1893
          #17 0x5597b4313841 in do_command(THD*, bool) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_parse.cc:1406
          #18 0x5597b47ece5a in do_handle_one_connection(CONNECT*, bool) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_connect.cc:1437
          #19 0x5597b47ec81b in handle_one_connection /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_connect.cc:1339
          #20 0x5597b5432111 in pfs_spawn_thread /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/storage/perfschema/pfs.cc:2201
          #21 0x7fe1b74a8043 in start_thread nptl/pthread_create.c:442
          #22 0x7fe1b752861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x621000111a10 is located 4368 bytes inside of 4560-byte region [0x621000110900,0x621000111ad0)
      allocated by thread T5 here:
          #0 0x7fe1b80b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x5597b60250c2 in my_malloc /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/mysys/my_malloc.c:93
          #2 0x5597b600073a in root_alloc /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/mysys/my_alloc.c:66
          #3 0x5597b6002093 in alloc_root /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/mysys/my_alloc.c:332
          #4 0x5597b6002854 in multi_alloc_root /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/mysys/my_alloc.c:405
          #5 0x5597b44accaa in Create_tmp_table::start(THD*, TMP_TABLE_PARAM*, st_mysql_const_lex_string const*) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_select.cc:21211
          #6 0x5597b44b85f6 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_select.cc:22077
          #7 0x5597b467afce in select_unit::create_result_table(THD*, List<Item>*, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_union.cc:354
          #8 0x5597b4687bdb in st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long long) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_union.cc:1855
          #9 0x5597b4677c8e in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_union.cc:43
          #10 0x5597b440fef1 in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_select.cc:620
          #11 0x5597b4334826 in execute_sqlcom_select /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_parse.cc:6094
          #12 0x5597b4324b3e in mysql_execute_command(THD*, bool) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_parse.cc:3943
          #13 0x5597b433f68e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_parse.cc:7814
          #14 0x5597b4316b21 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_parse.cc:1893
          #15 0x5597b4313841 in do_command(THD*, bool) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_parse.cc:1406
          #16 0x5597b47ece5a in do_handle_one_connection(CONNECT*, bool) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_connect.cc:1437
          #17 0x5597b47ec81b in handle_one_connection /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/sql_connect.cc:1339
          #18 0x5597b5432111 in pfs_spawn_thread /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/storage/perfschema/pfs.cc:2201
          #19 0x7fe1b74a8043 in start_thread nptl/pthread_create.c:442
       
      Thread T5 created by T0 here:
          #0 0x7fe1b8049726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x5597b542de4c in my_thread_create /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/storage/perfschema/my_thread.h:52
          #2 0x5597b5432500 in pfs_spawn_thread_v1 /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/storage/perfschema/pfs.cc:2252
          #3 0x5597b3f52979 in inline_mysql_thread_create /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/include/mysql/psi/mysql_thread.h:1139
          #4 0x5597b3f6ae90 in create_thread_to_handle_connection(CONNECT*) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/mysqld.cc:6157
          #5 0x5597b3f6b4b5 in create_new_thread(CONNECT*) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/mysqld.cc:6219
          #6 0x5597b3f6b7a0 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/mysqld.cc:6281
          #7 0x5597b3f6c428 in handle_connections_sockets() /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/mysqld.cc:6394
          #8 0x5597b3f6a70d in mysqld_main(int, char**) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/mysqld.cc:6052
          #9 0x5597b3f51b28 in main /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-asan/sql/main.cc:34
          #10 0x7fe1b74461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: use-after-poison ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799 in __interceptor_memset
      Shadow bytes around the buggy address:
        0x0c428001a2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c428001a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c428001a310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c428001a320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c428001a330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c428001a340: 00 00[f7]f7 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c428001a350: 00 00 f7 f7 00 00 00 f7 00 f7 fa fa fa fa fa fa
        0x0c428001a360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c428001a370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c428001a380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c428001a390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      

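      The non-debug server also crashes or hangs, depending on the combination of field length and row count. The backtrace below is from a non-debug (-rel) build; no sanitizer traps the write there, so the signal is presumably raised later, in select_unit_ext::send_eof, rather than at the memset.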

      #2  <signal handler called>
      #3  0x000056476de5d982 in select_unit_ext::send_eof (this=0x7f95a8043070) at /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-rel/sql/sql_union.cc:860
      #4  0x000056476de0d91c in do_select (procedure=<optimized out>, join=0x7f95a8043cd0) at /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-rel/sql/sql_select.cc:23177
      #5  JOIN::exec_inner (this=this@entry=0x7f95a8043cd0) at /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-rel/sql/sql_select.cc:4991
      #6  0x000056476de0dc9e in JOIN::exec (this=0x7f95a8043cd0) at /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-rel/sql/sql_select.cc:4774
      #7  0x000056476de5f6cc in st_select_lex_unit::exec_inner (this=0x7f95a8004f58) at /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-rel/sql/sql_union.cc:2388
      #8  0x000056476de62648 in mysql_union (thd=thd@entry=0x7f95a8000c68, lex=lex@entry=0x7f95a8004e78, result=result@entry=0x7f95a8043048, unit=unit@entry=0x7f95a8004f58, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-rel/sql/sql_union.cc:45
      #9  0x000056476de0c306 in handle_select (thd=thd@entry=0x7f95a8000c68, lex=lex@entry=0x7f95a8004e78, result=result@entry=0x7f95a8043048, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-rel/sql/sql_select.cc:620
      #10 0x000056476dd8a780 in execute_sqlcom_select (thd=thd@entry=0x7f95a8000c68, all_tables=0x7f95a8011368) at /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-rel/sql/sql_parse.cc:6094
      #11 0x000056476dd96a1f in mysql_execute_command (thd=thd@entry=0x7f95a8000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-rel/sql/sql_parse.cc:3943
      #12 0x000056476dd97c75 in mysql_parse (thd=0x7f95a8000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-rel/sql/sql_parse.cc:7814
      #13 0x000056476dd99bb5 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f95a8000c68, packet=packet@entry=0x7f95a8008819 "SELECT * FROM t1 JOIN seq_1_to_200 INTERSECT ALL SELECT * FROM t1 JOIN seq_1_to_200", packet_length=packet_length@entry=83, blocking=blocking@entry=true) at /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-rel/sql/sql_parse.cc:1992
      #14 0x000056476dd9b267 in do_command (thd=0x7f95a8000c68, blocking=blocking@entry=true) at /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-rel/sql/sql_parse.cc:1406
      #15 0x000056476deb3947 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x564770816e38, put_in_cache=put_in_cache@entry=true) at /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-rel/sql/sql_connect.cc:1437
      #16 0x000056476deb3cdd in handle_one_connection (arg=arg@entry=0x564770816e38) at /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-rel/sql/sql_connect.cc:1339
      #17 0x000056476e1e1f97 in pfs_spawn_thread (arg=0x56477078d608) at /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-rel/storage/perfschema/pfs.cc:2201
      #18 0x00007f95bf8a8044 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
      #19 0x00007f95bf92861c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
      

      Also reproducible on bb-11.5-monty.

            People

              monty Michael Widenius
              elenst Elena Stepanova