[MCOL-838] ExeMgr StringStore crash Created: 2017-07-27  Updated: 2017-09-05  Resolved: 2017-09-05

Status: Closed
Project: MariaDB ColumnStore
Component/s: ExeMgr
Affects Version/s: 1.1.0
Fix Version/s: 1.1.0

Type: Bug Priority: Major
Reporter: Andrew Hutchings (Inactive) Assignee: Daniel Lee (Inactive)
Resolution: Fixed Votes: 1
Labels: None

Sprint: 2017-15, 2017-16, 2017-17, 2017-18

Description

The 1.1 StringStore caused a crash in the regression suite:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:798
798	../sysdeps/x86_64/multiarch/memcmp-sse4.S: No such file or directory.
[Current thread is 1 (Thread 0x7f78a8fb1700 (LWP 31217))]
(gdb) bt
#0  __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:798
#1  0x00007f7d82595f48 in std::char_traits<char>::compare (
    __n=<optimised out>, __s2=<optimised out>, __s1=<optimised out>)
    at /usr/include/c++/5/bits/char_traits.h:262
#2  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare (__str="_CpNuLl_", this=<optimised out>)
    at /usr/include/c++/5/bits/basic_string.h:2318
#3  rowgroup::StringStore::isNullValue (this=<optimised out>, 
    off=<optimised out>, len=<optimised out>)
    at /home/linuxjedi/Programming/Git/mariadb-columnstore-server/mariadb-columnstore-engine/utils/rowgroup/rowgroup.h:1489
#4  0x00007f7d8259779b in rowgroup::StringStore::isNullValue (
    len=<optimised out>, off=<optimised out>, this=<optimised out>)
    at /home/linuxjedi/Programming/Git/mariadb-columnstore-server/mariadb-columnstore-engine/utils/rowgroup/rowgroup.h:1478
#5  rowgroup::Row::isNullValue (this=this@entry=0x7f7d680085b0, 
    colIndex=<optimised out>)
    at /home/linuxjedi/Programming/Git/mariadb-columnstore-server/mariadb-columnstore-engine/utils/rowgroup/rowgroup.cpp:601
#6  0x00007f7d82a2f90e in ordering::StringCompare::operator() (
    this=0x7f7d680086f0, l=0x7f7d68008430, r1=..., r2=...)
    at /home/linuxjedi/Programming/Git/mariadb-columnstore-server/mariadb-columnstore-engine/utils/windowfunction/idborderby.cpp:120
#7  0x00007f7d82a2fe35 in ordering::CompareRule::less (this=0x7f7d68008620, 
    r1=..., r2=...)
    at /home/linuxjedi/Programming/Git/mariadb-columnstore-server/mariadb-columnstore-engine/utils/windowfunction/idborderby.cpp:214
#8  0x00007f7d82a359f3 in ordering::OrderByData::operator() (p2=..., p1=..., 
    this=<optimised out>)
    at /home/linuxjedi/Programming/Git/mariadb-columnstore-server/mariadb-columnstore-engine/utils/windowfunction/idborderby.h:199
#9  windowfunction::WindowFunction::sort (this=this@entry=0x7f7a62a352e0, 
    v=..., v@entry=..., n=n@entry=3)
    at /home/linuxjedi/Programming/Git/mariadb-columnstore-server/mariadb-columnstore-engine/utils/windowfunction/windowfunction.cpp:221
#10 0x00007f7d82a353a6 in windowfunction::WindowFunction::sort (
    this=this@entry=0x7f7a62a352e0, v=..., v@entry=..., n=n@entry=8)
    at /home/linuxjedi/Programming/Git/mariadb-columnstore-server/mariadb-columnstore-engine/utils/windowfunction/windowfunction.cpp:234
#11 0x00007f7d82a353a6 in windowfunction::WindowFunction::sort (
    this=this@entry=0x7f7a62a352e0, v=..., n=17)
    at /home/linuxjedi/Programming/Git/mariadb-columnstore-server/mariadb-columnstore-engine/utils/windowfunction/windowfunction.cpp:234
#12 0x00007f7d82a35e3b in windowfunction::WindowFunction::operator() (
    this=0x7f7a62a352e0)
    at /home/linuxjedi/Programming/Git/mariadb-columnstore-server/mariadb-columnstore-engine/utils/windowfunction/windowfunction.cpp:76
#13 0x00007f7d8320b984 in joblist::WindowFunctionStep::doFunction (
    this=0x7f7a62059470)
    at /home/linuxjedi/Programming/Git/mariadb-columnstore-server/mariadb-columnstore-engine/dbcon/joblist/windowfunctionstep.cpp:926
#14 0x00007f7d7e4acfd7 in boost::function0<void>::operator() (
    this=0x7f7a680008f8)
    at /usr/include/boost/function/function_template.hpp:773
#15 threadpool::ThreadPool::beginThread (
    this=0x631780 <joblist::JobStep::jobstepThreadPool>)
    at /home/linuxjedi/Programming/Git/mariadb-columnstore-server/mariadb-columnstore-engine/utils/threadpool/threadpool.cpp:307
#16 0x00007f7d7f9f25d5 in boost::(anonymous namespace)::thread_proxy (
    param=<optimised out>) at libs/thread/src/pthread/thread.cpp:168
#17 0x00007f7d7eea86ba in start_thread (arg=0x7f78a8fb1700)
    at pthread_create.c:333
#18 0x00007f7d7d4d13dd in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
Comments
Comment by Andrew Hutchings (Inactive) [ 2017-07-27 ]

For my reference: core.ExeMgr.25941 on lxj2

Comment by Andrew Hutchings (Inactive) [ 2017-07-31 ]

StringStore use after free crash was possible because deserialize was doing a zero copy.

To reproduce this I had to run test001 repeatedly and would hit it about 1 in 4 runs. I've run test001 repeatedly for 24 hours straight with this patch and not been able to reproduce it again.
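The comment above names the bug class but not the mechanics. The following is an added example written for this page, not ColumnStore's rowgroup::StringStore and not the patch referred to above; the class, the wire format (a host-endian 4-byte length followed by raw bytes) and the function names are assumptions made for illustration. It contrasts a zero-copy deserialize, which leaves the store pointing into the caller's message buffer, with a copying one, and shows why only the second survives the message buffer being released before a later comparator calls isNullValue() on the "_CpNuLl_" sentinel seen in the backtrace.

```cpp
#include <cstdint>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

// Added example (not ColumnStore's rowgroup::StringStore): a minimal string store
// with two deserialize variants, to show why a zero-copy deserialize leaves the
// store reading freed memory once the message buffer it aliased goes away.

// Sentinel the page's backtrace shows being compared in isNullValue.
static const char kNullSentinel[] = "_CpNuLl_";
static const uint32_t kNullSentinelLen = 8;

// Assumed wire format for this example: host-endian 4-byte length, then raw bytes.
// Each string is later addressed by (offset, len) relative to the payload start.
static std::vector<uint8_t> serialize(const std::vector<std::string>& strs,
                                      std::vector<uint32_t>& offsets) {
    std::vector<uint8_t> out(4, 0);
    offsets.clear();
    for (const std::string& s : strs) {
        offsets.push_back(static_cast<uint32_t>(out.size() - 4));
        out.insert(out.end(), s.begin(), s.end());
    }
    uint32_t n = static_cast<uint32_t>(out.size() - 4);
    std::memcpy(out.data(), &n, 4);
    return out;
}

class StringStore {
public:
    // Zero-copy: data_ points into the caller's buffer. Cheap, but the store's
    // lifetime is now silently tied to the lifetime of msg.
    bool deserializeZeroCopy(const std::vector<uint8_t>& msg) {
        uint32_t n;
        if (!readLen(msg, n)) return false;
        owned_.clear();
        data_ = msg.data() + 4;
        size_ = n;
        return true;
    }

    // Copying: the store owns its bytes, so the caller may free msg at once.
    bool deserializeCopy(const std::vector<uint8_t>& msg) {
        uint32_t n;
        if (!readLen(msg, n)) return false;
        owned_.assign(msg.begin() + 4, msg.begin() + 4 + n);
        data_ = owned_.data();
        size_ = n;
        return true;
    }

    // Bounds-checked: an (off, len) outside the store is treated as "not null".
    bool isNullValue(uint32_t off, uint32_t len) const {
        if (len != kNullSentinelLen || off > size_ || size_ - off < len) return false;
        return std::memcmp(data_ + off, kNullSentinel, len) == 0;
    }

    std::string getString(uint32_t off, uint32_t len) const {
        if (off > size_ || size_ - off < len) return std::string();
        return std::string(reinterpret_cast<const char*>(data_ + off), len);
    }

    // True when the store still reads from inside buf (the dangerous state).
    bool aliases(const std::vector<uint8_t>& buf) const {
        uintptr_t p = reinterpret_cast<uintptr_t>(data_);
        uintptr_t b = reinterpret_cast<uintptr_t>(buf.data());
        return data_ != nullptr && p >= b && p < b + buf.size();
    }

private:
    static bool readLen(const std::vector<uint8_t>& msg, uint32_t& n) {
        if (msg.size() < 4) return false;
        std::memcpy(&n, msg.data(), 4);
        return msg.size() - 4 >= n;  // declared length must fit in the message
    }
    const uint8_t* data_ = nullptr;
    uint32_t size_ = 0;
    std::vector<uint8_t> owned_;
};

// Ticket scenario: deserialize, release the message buffer, and only later have a
// sort comparator ask isNullValue(). With the copying variant this is safe.
bool copyingStoreSurvivesSourceFree() {
    std::vector<uint32_t> offs;
    std::unique_ptr<std::vector<uint8_t>> msg(
        new std::vector<uint8_t>(serialize({"alpha", kNullSentinel, "gamma"}, offs)));
    StringStore st;
    if (!st.deserializeCopy(*msg)) return false;
    bool aliased = st.aliases(*msg);  // false: the store holds a private copy
    msg.reset();                      // message buffer freed
    return !aliased && !st.isNullValue(offs[0], 5) && st.isNullValue(offs[1], 8)
        && st.getString(offs[2], 5) == "gamma";
}

// Same setup with the zero-copy variant: the store still points into msg, so
// freeing msg before the comparator runs would be the use-after-free. We only
// observe the aliasing; reading after the free is undefined behaviour.
bool zeroCopyStoreAliasesSource() {
    std::vector<uint32_t> offs;
    std::vector<uint8_t> msg = serialize({"alpha", kNullSentinel}, offs);
    StringStore st;
    if (!st.deserializeZeroCopy(msg)) return false;
    return st.aliases(msg) && st.isNullValue(offs[1], 8);  // valid only while msg lives
}

// Truncated message: declared length exceeds the payload, both variants reject it.
bool truncatedMessageRejected() {
    std::vector<uint8_t> bad = {0xFF, 0x00, 0x00, 0x00, 'a', 'b'};  // claims 255 bytes
    StringStore st;
    return !st.deserializeCopy(bad) && !st.deserializeZeroCopy(bad);
}
```

The point for review of any zero-copy deserializer is the one aliases() makes visible: the object's reads are only valid for as long as the buffer it was built from, and that lifetime is usually decided elsewhere (here, a thread pool running the window function long after the message was consumed). Copying costs one allocation per deserialize and removes the coupling entirely; if zero copy is kept for performance, the store has to take shared ownership of the buffer rather than a raw pointer into it.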

Comment by Daniel Lee (Inactive) [ 2017-09-05 ]

Build verified: 1.1.0 Github source

/root/columnstore/mariadb-columnstore-server
commit 9e855a6415e0edd6771c449a6591c21c3915bfec
Merge: 6ed33d1 c206e51
Author: David.Hall <david.hall@mariadb.com>
Date: Tue Sep 5 09:43:29 2017 -0500

/root/columnstore/mariadb-columnstore-server/mariadb-columnstore-engine
commit 90353b9b908e1c9ee241c4a156a2a377c53cc807
Author: david hill <david.hill@mariadb.com>
Date: Fri Sep 1 14:46:07 2017 -0500

I could not reproduce the error.

Generated at Thu Feb 08 02:24:12 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.