MariaDB Server
MDEV-9195: Segmentation fault when using the embedded library

Details

    Type: Bug
    Status: Closed
    Priority: Minor
    Resolution: Cannot Reproduce
    Affects Version/s: 10.1.9
    Fix Version/s: N/A
    Component/s: Embedded Server
    Labels: None
    Environment: Fedora release 22 (Twenty Two)
      MaxScale 1.3.0 built with MariaDB 10.1.9 embedded library

    Description

      When testing MaxScale with the 10.1.9 embedded library and running the attached PHP script with data.sql loaded in, MaxScale after a while gets a segmentation fault in mysql_init. I ran it under valgrind and I'm getting first an invalid read, then an invalid write:

      ==25870== Thread 8:
      ==25870== Invalid read of size 8
      ==25870==    at 0x59519D: my_malloc_size_cb_func (in /home/markusjm/build/bin/maxscale)
      ==25870==    by 0x58B46E: my_malloc (in /home/markusjm/build/bin/maxscale)
      ==25870==    by 0x561A36: mysql_init (in /home/markusjm/build/bin/maxscale)
      ==25870==    by 0x1CE3423E: parsing_info_init (query_classifier.cc:1406)
      ==25870==    by 0x1CE320DC: parse_query (query_classifier.cc:158)
      ==25870==    by 0x1CE34D98: query_classifier_get_operation (query_classifier.cc:1608)
      ==25870==    by 0x1CC1F1A7: route_single_stmt (readwritesplit.c:2192)
      ==25870==    by 0x1CC1E91B: routeQuery (readwritesplit.c:2039)
      ==25870==    by 0x1DE75326: route_by_statement (mysql_client.c:1891)
      ==25870==    by 0x1DE7304D: gw_read_client_event (mysql_client.c:1092)
      ==25870==    by 0x54799F: process_pollq (poll.c:915)
      ==25870==    by 0x547029: poll_waitevents (poll.c:669)
      ==25870==  Address 0x1b738f38 is 4,344 bytes inside a block of size 20,240 free'd
      ==25870==    at 0x4C29D6A: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==25870==    by 0x599F99: emb_free_embedded_thd (in /home/markusjm/build/bin/maxscale)
      ==25870==    by 0x1CE34474: parsing_info_done (query_classifier.cc:1470)
      ==25870==    by 0x52E537: gwbuf_remove_buffer_object (buffer.c:687)
      ==25870==    by 0x52CFCA: gwbuf_free (buffer.c:256)
      ==25870==    by 0x1CC2165F: clientReply (readwritesplit.c:2970)
      ==25870==    by 0x20C8FBD6: gw_read_backend_event (mysql_backend.c:565)
      ==25870==    by 0x54799F: process_pollq (poll.c:915)
      ==25870==    by 0x547029: poll_waitevents (poll.c:669)
      ==25870==    by 0x5BC5554: start_thread (in /usr/lib64/libpthread-2.21.so)
      ==25870==    by 0x7614B9C: clone (in /usr/lib64/libc-2.21.so)
      ==25870== Invalid write of size 8
      ==25870==    at 0x5951A7: my_malloc_size_cb_func (in /home/markusjm/build/bin/maxscale)
      ==25870==    by 0x58B46E: my_malloc (in /home/markusjm/build/bin/maxscale)
      ==25870==    by 0x561A36: mysql_init (in /home/markusjm/build/bin/maxscale)
      ==25870==    by 0x1CE3423E: parsing_info_init (query_classifier.cc:1406)
      ==25870==    by 0x1CE320DC: parse_query (query_classifier.cc:158)
      ==25870==    by 0x1CE34D98: query_classifier_get_operation (query_classifier.cc:1608)
      ==25870==    by 0x1CC1F1A7: route_single_stmt (readwritesplit.c:2192)
      ==25870==    by 0x1CC1E91B: routeQuery (readwritesplit.c:2039)
      ==25870==    by 0x1DE75326: route_by_statement (mysql_client.c:1891)
      ==25870==    by 0x1DE7304D: gw_read_client_event (mysql_client.c:1092)
      ==25870==    by 0x54799F: process_pollq (poll.c:915)
      ==25870==    by 0x547029: poll_waitevents (poll.c:669)
      ==25870==  Address 0x1b738f38 is 4,344 bytes inside a block of size 20,240 free'd
      ==25870==    at 0x4C29D6A: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==25870==    by 0x599F99: emb_free_embedded_thd (in /home/markusjm/build/bin/maxscale)
      ==25870==    by 0x1CE34474: parsing_info_done (query_classifier.cc:1470)
      ==25870==    by 0x52E537: gwbuf_remove_buffer_object (buffer.c:687)
      ==25870==    by 0x52CFCA: gwbuf_free (buffer.c:256)
      ==25870==    by 0x1CC2165F: clientReply (readwritesplit.c:2970)
      ==25870==    by 0x20C8FBD6: gw_read_backend_event (mysql_backend.c:565)
      ==25870==    by 0x54799F: process_pollq (poll.c:915)
      ==25870==    by 0x547029: poll_waitevents (poll.c:669)
      ==25870==    by 0x5BC5554: start_thread (in /usr/lib64/libpthread-2.21.so)
      ==25870==    by 0x7614B9C: clone (in /usr/lib64/libc-2.21.so)
      ==25870== 

      This does not occur with 10.0.22.

      From MaxScale's point of view, we've ruled out concurrent usage and closing of the THD; it always seems to be a different THD which causes the segfault.
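The two memcheck reports above share one shape: the faulting access is in my_malloc_size_cb_func, reached from mysql_init on the client-event path (gw_read_client_event), at offset 4,344 of a 20,240-byte block that was released by emb_free_embedded_thd on the backend-reply path (clientReply under gw_read_backend_event). The helper below is an added example, not part of this report or of MariaDB/MaxScale code: it parses memcheck's "Invalid read/write ... free'd" report structure into the access stack, the freed-block line and the free stack, and then locates the innermost frame the two stacks share and the callee on each side where they part, which is the first thing to pin down when triaging a use-after-free. SAMPLE is a copy of the first report above; the function and class names are this example's own.

```python
"""Triage helper for Valgrind memcheck "Invalid read/write ... free'd" reports.

Added example; not part of MDEV-9195 nor of MariaDB/MaxScale. SAMPLE is a
copy of the first report in the issue; all helper names are assumptions.
"""
import re
from dataclasses import dataclass, field

# "==25870==    at 0x59519D: my_malloc_size_cb_func (in /home/.../maxscale)"
# "==25870==    by 0x1CE3423E: parsing_info_init (query_classifier.cc:1406)"
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(\S+)\s+\((.*)\)$")
ACCESS_RE = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)$")
FREED_RE = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is ([\d,]+) bytes "
                      r"inside a block of size ([\d,]+) free'd$")


@dataclass
class UafReport:
    kind: str            # "read" or "write"
    size: int            # width of the faulting access in bytes
    offset: int = -1     # byte offset of the access inside the freed block
    block_size: int = -1
    access_stack: list = field(default_factory=list)  # (function, location), innermost first
    free_stack: list = field(default_factory=list)    # same, for the free() call


def parse_memcheck(text: str) -> list:
    """Return one UafReport per use-after-free report found in memcheck output."""
    reports, current, stack = [], None, None
    for line in text.splitlines():
        line = line.rstrip()
        if m := ACCESS_RE.match(line):
            current = UafReport(kind=m.group(1), size=int(m.group(2)))
            stack = current.access_stack          # frames up to the 'Address' line
            reports.append(current)
        elif (m := FREED_RE.match(line)) and current is not None:
            current.offset = int(m.group(1).replace(",", ""))
            current.block_size = int(m.group(2).replace(",", ""))
            stack = current.free_stack            # frames after it describe the free site
        elif (m := FRAME_RE.match(line)) and stack is not None:
            stack.append((m.group(1), m.group(2)))
        else:
            stack = None                          # any other line ends the current stack
    return reports


def divergence(access, free):
    """Innermost frame common to both stacks and the callee just inside it on each side.

    Returns (shared, access_callee, free_callee); stacks are innermost first.
    """
    free_names = [fn for fn, _ in free]
    for i, (fn, _) in enumerate(access):
        if fn in free_names:
            j = free_names.index(fn)
            return fn, (access[i - 1][0] if i else None), (free[j - 1][0] if j else None)
    return None, None, None


# Copy of the first report in MDEV-9195 (the second has identical stacks).
SAMPLE = """\
==25870== Thread 8:
==25870== Invalid read of size 8
==25870==    at 0x59519D: my_malloc_size_cb_func (in /home/markusjm/build/bin/maxscale)
==25870==    by 0x58B46E: my_malloc (in /home/markusjm/build/bin/maxscale)
==25870==    by 0x561A36: mysql_init (in /home/markusjm/build/bin/maxscale)
==25870==    by 0x1CE3423E: parsing_info_init (query_classifier.cc:1406)
==25870==    by 0x1CE320DC: parse_query (query_classifier.cc:158)
==25870==    by 0x1CE34D98: query_classifier_get_operation (query_classifier.cc:1608)
==25870==    by 0x1CC1F1A7: route_single_stmt (readwritesplit.c:2192)
==25870==    by 0x1CC1E91B: routeQuery (readwritesplit.c:2039)
==25870==    by 0x1DE75326: route_by_statement (mysql_client.c:1891)
==25870==    by 0x1DE7304D: gw_read_client_event (mysql_client.c:1092)
==25870==    by 0x54799F: process_pollq (poll.c:915)
==25870==    by 0x547029: poll_waitevents (poll.c:669)
==25870==  Address 0x1b738f38 is 4,344 bytes inside a block of size 20,240 free'd
==25870==    at 0x4C29D6A: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==25870==    by 0x599F99: emb_free_embedded_thd (in /home/markusjm/build/bin/maxscale)
==25870==    by 0x1CE34474: parsing_info_done (query_classifier.cc:1470)
==25870==    by 0x52E537: gwbuf_remove_buffer_object (buffer.c:687)
==25870==    by 0x52CFCA: gwbuf_free (buffer.c:256)
==25870==    by 0x1CC2165F: clientReply (readwritesplit.c:2970)
==25870==    by 0x20C8FBD6: gw_read_backend_event (mysql_backend.c:565)
==25870==    by 0x54799F: process_pollq (poll.c:915)
==25870==    by 0x547029: poll_waitevents (poll.c:669)
==25870==    by 0x5BC5554: start_thread (in /usr/lib64/libpthread-2.21.so)
==25870==    by 0x7614B9C: clone (in /usr/lib64/libc-2.21.so)
"""

if __name__ == "__main__":
    for r in parse_memcheck(SAMPLE):
        print(r.kind, r.size, r.offset, r.block_size, divergence(r.access_stack, r.free_stack))
```

Run on SAMPLE, divergence() returns ('process_pollq', 'gw_read_client_event', 'gw_read_backend_event'): both paths start in the same poll loop, the free happens while a backend reply is processed and the stale access while the next client statement is routed, so the question is how the THD freed on one path is still reachable from mysql_init on the other. The parser only reads the two stacks; it makes no claim about which THD pointer was stale.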

      Attachments

        1. CMakeLists.txt (0.7 kB)
        2. data.sql (0.5 kB)
        3. FindMySQL.cmake (5 kB)
        4. FindPCRE.cmake (0.6 kB)
        5. lib.cc (3 kB)
        6. old.php (0.6 kB)
        7. README.md (0.2 kB)
        8. test.cc (2 kB)

      People

        Assignee: Unassigned
        Reporter: markus makela