Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-39805

Server crash in que_fork_get_first_thr

    XMLWordPrintable

Details

    • Can result in hang or crash
    • Q3/2026 Server Maintenance

    Description

      Testcase is cli compatible

      CREATE TABLE t1 (c1 INT,c2 INT,PRIMARY KEY(c1)) PARTITION BY KEY ALGORITHM=2 (c1) PARTITIONS 20;
      		 
      HANDLER t1 OPEN AS h1;
      		 
      HANDLER h1 READ `PRIMARY`=(1);
      		 
      HANDLER h1 READ `PRIMARY` PREV;
      		 
      HANDLER h1 READ `PRIMARY` PREV;

      Leads to:

      CS 12.3.2 66b3c6784689fbb65110a5b21efcb815a8bcde24 (Optimized, Clang 18.1.3-11) Build 24/05/2026

      		 
      Core was generated by `/test/MD240526-mariadb-12.3.2-linux-x86_64-opt/bin/mariadbd --no-defaults --loo'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  0x00005e7b81b10dae in row_search_mvcc (buf=0x6914e4035c40 "\377\001", mode=mode@entry=PAGE_CUR_UNSUPP, prebuilt=0x6914e4047488, match_mode=0, direction=2) at /test/12.3_opt/storage/innobase/row/row0sel.cc:4695
      		 
      4695		thr = que_fork_get_first_thr(prebuilt->sel_graph);
      		 
      [Current thread is 1 (LWP 1920904)]
      		 
      (gdb) bt
      		 
      #0  0x00005e7b81b10dae in row_search_mvcc (buf=0x6914e4035c40 "\377\001", mode=mode@entry=PAGE_CUR_UNSUPP, prebuilt=0x6914e4047488, match_mode=0, direction=2) at /test/12.3_opt/storage/innobase/row/row0sel.cc:4695
      		 
      #1  0x00005e7b81a44b2c in ha_innobase::general_fetch (this=0x6914e40363e0, buf=0x6914e4000c70 "\250\033c\202{^", direction=2, match_mode=<optimized out>)at /test/12.3_opt/storage/innobase/handler/ha_innodb.cc:9264
      		 
      #2  0x00005e7b8174d1b0 in handler::ha_index_prev (this=0x6914e40363e0, buf=0x6914e4035c40 "\377\001") at /test/12.3_opt/sql/handler.cc:4236
      		 
      #3  0x00005e7b819a57c2 in ha_partition::handle_unordered_prev (this=0x6914e40333d0, buf=0x7115d82fbb80 "\200\260/\330\025q")at /test/12.3_opt/sql/ha_partition.cc:7959
      		 
      #4  0x00005e7b8174d1b0 in handler::ha_index_prev (this=0x6914e40333d0, buf=0x6914e4035c40 "\377\001") at /test/12.3_opt/sql/handler.cc:4236
      		 
      #5  0x00005e7b81481358 in mysql_ha_read (thd=thd@entry=0x6914e4000c70, tables=tables@entry=0x6914e4017b80, mode=<optimized out>, keyname=0x6914e40182e0 "PRIMARY", key_expr=<optimized out>, ha_rkey_mode=HA_READ_KEY_EXACT, cond=0x0, select_limit_cnt=1, offset_limit_cnt=0) at /test/12.3_opt/sql/sql_handler.cc:933
      		 
      #6  0x00005e7b814c2798 in mysql_execute_command (thd=thd@entry=0x6914e4000c70, is_called_from_prepared_stmt=false) at /test/12.3_opt/sql/sql_parse.cc:5535
      		 
      #7  0x00005e7b814bbd11 in mysql_parse (thd=thd@entry=0x6914e4000c70, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7115d81f7410)at /test/12.3_opt/sql/sql_parse.cc:7949
      		 
      #8  0x00005e7b814ba12d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x6914e4000c70, packet=packet@entry=0x6914e4008d81 "", packet_length=packet_length@entry=30, blocking=true)at /test/12.3_opt/sql/sql_parse.cc:1903
      		 
      #9  0x00005e7b814bc121 in do_command (thd=thd@entry=0x6914e4000c70, blocking=true) at /test/12.3_opt/sql/sql_parse.cc:1437
      		 
      #10 0x00005e7b815ed62d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5e7b88cea450, put_in_cache=true)at /test/12.3_opt/sql/sql_connect.cc:1503
      		 
      #11 0x00005e7b815ed3ef in handle_one_connection (arg=arg@entry=0x5e7b88cea450)at /test/12.3_opt/sql/sql_connect.cc:1415
      		 
      #12 0x00005e7b819af7f3 in pfs_spawn_thread (arg=0x5e7b88d0a950)at /test/12.3_opt/storage/perfschema/pfs.cc:2198
      		 
      #13 0x00007115db49caa4 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      		 
      #14 0x00007115db529c6c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

      CS 12.3.2 66b3c6784689fbb65110a5b21efcb815a8bcde24 (Debug, Clang 18.1.3-11) Build 24/05/2026

      		 
      Core was generated by `/test/MD240526-mariadb-12.3.2-linux-x86_64-dbg/bin/mariadbd --no-defaults --loo'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  0x0000627563e239bc in que_fork_get_first_thr (fork=0x0)at include/que0que.inl:48
      		 
      48		return(UT_LIST_GET_FIRST(fork->thrs));
      		 
      [Current thread is 1 (LWP 1920310)]
      		 
      (gdb) bt
      		 
      #0  0x0000627563e239bc in que_fork_get_first_thr (fork=0x0)at include/que0que.inl:48
      		 
      #1  0x0000627563e1d22d in row_search_mvcc (buf=0x6e418803f560 "\377\001", mode=PAGE_CUR_UNSUPP, prebuilt=0x6e4188079fd8, match_mode=0, direction=2)at /test/12.3_dbg/storage/innobase/row/row0sel.cc:4695
      		 
      #2  0x0000627563bc901e in ha_innobase::general_fetch (this=0x6e4188040960, buf=0x6e418803f560 "\377\001", direction=2, match_mode=0)at /test/12.3_dbg/storage/innobase/handler/ha_innodb.cc:9264
      		 
      #3  0x0000627563bc92a4 in ha_innobase::index_prev (this=0x6e4188040960, buf=0x6e418803f560 "\377\001")at /test/12.3_dbg/storage/innobase/handler/ha_innodb.cc:9345
      		 
      #4  0x000062756379d7c3 in handler::ha_index_prev (this=0x6e4188040960, buf=0x6e418803f560 "\377\001") at /test/12.3_dbg/sql/handler.cc:4236
      		 
      #5  0x0000627563b4ded7 in ha_partition::handle_unordered_prev (this=0x6e418803ccf0, buf=0x6e418803f560 "\377\001")at /test/12.3_dbg/sql/ha_partition.cc:7959
      		 
      #6  0x0000627563b4dc92 in ha_partition::index_prev (this=0x6e418803ccf0, buf=0x6e418803f560 "\377\001") at /test/12.3_dbg/sql/ha_partition.cc:6281
      		 
      #7  0x000062756379d7c3 in handler::ha_index_prev (this=0x6e418803ccf0, buf=0x6e418803f560 "\377\001") at /test/12.3_dbg/sql/handler.cc:4236
      		 
      #8  0x00006275632cdce9 in mysql_ha_read (thd=0x6e4188000d60, tables=0x6e418801a3e0, mode=RPREV, keyname=0x6e418801ab40 "PRIMARY", key_expr=0x6e418801ab60, ha_rkey_mode=HA_READ_KEY_EXACT, cond=0x0, select_limit_cnt=1, offset_limit_cnt=0)at /test/12.3_dbg/sql/sql_handler.cc:933
      		 
      #9  0x000062756334268d in mysql_execute_command (thd=0x6e4188000d60, is_called_from_prepared_stmt=false) at /test/12.3_dbg/sql/sql_parse.cc:5535
      		 
      #10 0x0000627563333284 in mysql_parse (thd=0x6e4188000d60, rawbuf=0x6e418801a250 "HANDLER h1 READ `PRIMARY` PREV", length=30, parser_state=0x76429c2349f0) at /test/12.3_dbg/sql/sql_parse.cc:7949
      		 
      #11 0x00006275633305cd in dispatch_command (command=COM_QUERY, thd=0x6e4188000d60, packet=0x6e418800b5e1 "", packet_length=30, blocking=true) at /test/12.3_dbg/sql/sql_parse.cc:1903
      		 
      #12 0x0000627563333e33 in do_command (thd=0x6e4188000d60, blocking=true)at /test/12.3_dbg/sql/sql_parse.cc:1437
      		 
      #13 0x0000627563530409 in do_handle_one_connection (connect=0x62757a6a2770, put_in_cache=true) at /test/12.3_dbg/sql/sql_connect.cc:1503
      		 
      #14 0x00006275635301ae in handle_one_connection (arg=0x62757a612a50)at /test/12.3_dbg/sql/sql_connect.cc:1415
      		 
      #15 0x00007642a049caa4 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      		 
      #16 0x00007642a0529c6c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

      Bug Detection Matrix

      		 
          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  240526  b2050fdb4a8776422baf01a41bf86845994edb97  No bug found                  
      CS  10.6   opt  240526  b2050fdb4a8776422baf01a41bf86845994edb97  No bug found                  
      CS  10.11  dbg  240526  9ed3a7f9f6929aa34420a8616930844d3a35bb91  No bug found                  
      CS  10.11  opt  240526  9ed3a7f9f6929aa34420a8616930844d3a35bb91  No bug found                  
      CS  11.4   dbg  240526  19c59f2c79637cc360cc6d6b219ed9131124500d  No bug found                  
      CS  11.4   opt  240526  19c59f2c79637cc360cc6d6b219ed9131124500d  No bug found                  
      CS  11.8   dbg  240526  b494164767979072713fdeccc175ce3b3f5b1983  No bug found                  
      CS  11.8   opt  240526  b494164767979072713fdeccc175ce3b3f5b1983  No bug found                  
      CS  12.3   dbg  240526  66b3c6784689fbb65110a5b21efcb815a8bcde24  SIGSEGV|que_fork_get_first_thr|row_search_mvcc|ha_innobase::general_fetch|ha_innobase::index_prev
      		 
      CS  12.3   opt  240526  66b3c6784689fbb65110a5b21efcb815a8bcde24  SIGSEGV|row_search_mvcc|ha_innobase::general_fetch|handler::ha_index_prev|ha_partition::handle_unordered_prev
      		 
      CS  13.0   dbg  240526  c8e8d33309606e682c98675d594dbd23ebc2ddf6  SIGSEGV|que_fork_get_first_thr|row_search_mvcc|ha_innobase::general_fetch|ha_innobase::index_prev
      		 
      CS  13.0   opt  240526  c8e8d33309606e682c98675d594dbd23ebc2ddf6  SIGSEGV|row_search_mvcc|ha_innobase::general_fetch|handler::ha_index_prev|ha_partition::handle_unordered_prev
      		 
      ES  10.6   dbg  240526  55cfada6c54d1b08f2372adc1369a5e5e76f472d  No bug found                  
      ES  10.6   opt  240526  55cfada6c54d1b08f2372adc1369a5e5e76f472d  No bug found                  
      ES  11.4   dbg  240526  90f707057d44f1b5c013a0c3672fd12f32ea7085  No bug found                  
      ES  11.4   opt  240526  90f707057d44f1b5c013a0c3672fd12f32ea7085  No bug found                  
      ES  11.8   dbg  240526  d4fbd664a4514441bb3d9042c0089842ee6fc3c8  No bug found                  
      ES  11.8   opt  240526  d4fbd664a4514441bb3d9042c0089842ee6fc3c8  No bug found                  
      ES  12.3   dbg  240526  4063148254974421994024b7cc94f6f2a850177d  SIGSEGV|que_fork_get_first_thr|row_search_mvcc|ha_innobase::general_fetch|ha_innobase::index_prev
      		 
      ES  12.3   opt  240526  4063148254974421994024b7cc94f6f2a850177d  SIGSEGV|row_search_mvcc|ha_innobase::general_fetch|handler::ha_index_prev|ha_partition::handle_unordered_prev

      Attachments

        Issue Links

          blocks

          Bug - A problem which impairs or prevents the functions of the product. MDEV-39790 Assertion failure upon HANDLER operations on a partitioned table

          • Critical - Crashes, loss of data, severe memory leak.
          • Confirmed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-20195 Assertion `0' failed in ha_partition::handle_unordered_next upon HANDLER READ from partitioned table

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-39535 Server crash or assertion failure upon HANDLER operations on a partitioned table

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Activity

            People

              ycp Yuchen Pei
              saahil Saahil Alam
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.