[MDEV-16994] Server crashes in base_list_iterator::next upon TRUNCATE PARTITION through SPs or Assertion `!alloced || !Ptr || !Alloced_length || (Alloced_length >= (str_length + 1))' fails in String::c_ptr Created: 2018-08-15  Updated: 2023-08-24  Resolved: 2023-08-24

Status: Closed
Project: MariaDB Server
Component/s: Partitioning, Stored routines
Affects Version/s: 10.1, 10.2
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Oleksandr Byelkin
Resolution: Won't Fix Votes: 0
Labels: None


 Description   

--source include/have_partition.inc
 
CREATE TABLE t1 (a INT) PARTITION BY HASH (a) PARTITIONS 4;
CREATE PROCEDURE sp1() ALTER TABLE t1 TRUNCATE PARTITION p3;
CREATE PROCEDURE sp2() CALL sp1;
CALL sp1;
CALL sp2;
 
# Cleanup
DROP PROCEDURE sp2;
DROP PROCEDURE sp1;
DROP TABLE t1;

10.1 68eb9b1a784

#3  <signal handler called>
#4  0x0000555c0acfcf3c in base_list_iterator::next (this=0x7fba7d9fc080) at /data/src/10.1/sql/sql_list.h:451
#5  0x0000555c0ad17ef3 in List_iterator<String>::operator++ (this=0x7fba7d9fc080) at /data/src/10.1/sql/sql_list.h:551
#6  0x0000555c0ae828a3 in partition_info::prune_partition_bitmaps (this=0x7fba72ca0bf8, table_list=0x7fba72d5ed10) at /data/src/10.1/sql/partition_info.cc:227
#7  0x0000555c0ae82a69 in partition_info::set_partition_bitmaps (this=0x7fba72ca0bf8, table_list=0x7fba72d5ed10) at /data/src/10.1/sql/partition_info.cc:268
#8  0x0000555c0ad05ad3 in open_table (thd=0x7fba748d5070, table_list=0x7fba72d5ed10, ot_ctx=0x7fba7d9fc5b0) at /data/src/10.1/sql/sql_base.cc:2613
#9  0x0000555c0ad0820d in open_and_process_table (thd=0x7fba748d5070, lex=0x7fba72d61088, tables=0x7fba72d5ed10, counter=0x7fba7d9fc678, flags=0, prelocking_strategy=0x7fba7d9fc630, has_prelocking_list=false, ot_ctx=0x7fba7d9fc5b0) at /data/src/10.1/sql/sql_base.cc:4091
#10 0x0000555c0ad09288 in open_tables (thd=0x7fba748d5070, options=..., start=0x7fba7d9fc688, counter=0x7fba7d9fc678, flags=0, prelocking_strategy=0x7fba7d9fc630) at /data/src/10.1/sql/sql_base.cc:4602
#11 0x0000555c0ad49d2d in open_tables (thd=0x7fba748d5070, tables=0x7fba7d9fc688, counter=0x7fba7d9fc678, flags=0) at /data/src/10.1/sql/sql_base.h:510
#12 0x0000555c0b14aede in Sql_cmd_alter_table_truncate_partition::execute (this=0x7fba72d5f320, thd=0x7fba748d5070) at /data/src/10.1/sql/sql_partition_admin.cc:803
#13 0x0000555c0ad77411 in mysql_execute_command (thd=0x7fba748d5070) at /data/src/10.1/sql/sql_parse.cc:5699
#14 0x0000555c0b1026c6 in sp_instr_stmt::exec_core (this=0x7fba72d5f330, thd=0x7fba748d5070, nextp=0x7fba7d9fd694) at /data/src/10.1/sql/sp_head.cc:3218
#15 0x0000555c0b101db8 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7fba72d5f370, thd=0x7fba748d5070, nextp=0x7fba7d9fd694, open_tables=false, instr=0x7fba72d5f330) at /data/src/10.1/sql/sp_head.cc:2984
#16 0x0000555c0b10238c in sp_instr_stmt::execute (this=0x7fba72d5f330, thd=0x7fba748d5070, nextp=0x7fba7d9fd694) at /data/src/10.1/sql/sp_head.cc:3134
#17 0x0000555c0b0fdbfe in sp_head::execute (this=0x7fba72d5e088, thd=0x7fba748d5070, merge_da_on_success=true) at /data/src/10.1/sql/sp_head.cc:1315
#18 0x0000555c0b0ffa98 in sp_head::execute_procedure (this=0x7fba72d5e088, thd=0x7fba748d5070, args=0x7fba72e5fde0) at /data/src/10.1/sql/sp_head.cc:2102
#19 0x0000555c0ad6cb36 in do_execute_sp (thd=0x7fba748d5070, sp=0x7fba72d5e088) at /data/src/10.1/sql/sql_parse.cc:2425
#20 0x0000555c0ad75ce9 in mysql_execute_command (thd=0x7fba748d5070) at /data/src/10.1/sql/sql_parse.cc:5299
#21 0x0000555c0b1026c6 in sp_instr_stmt::exec_core (this=0x7fba72e29e50, thd=0x7fba748d5070, nextp=0x7fba7d9fe614) at /data/src/10.1/sql/sp_head.cc:3218
#22 0x0000555c0b101db8 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7fba72e29e90, thd=0x7fba748d5070, nextp=0x7fba7d9fe614, open_tables=false, instr=0x7fba72e29e50) at /data/src/10.1/sql/sp_head.cc:2984
#23 0x0000555c0b10238c in sp_instr_stmt::execute (this=0x7fba72e29e50, thd=0x7fba748d5070, nextp=0x7fba7d9fe614) at /data/src/10.1/sql/sp_head.cc:3134
#24 0x0000555c0b0fdbfe in sp_head::execute (this=0x7fba72e29088, thd=0x7fba748d5070, merge_da_on_success=true) at /data/src/10.1/sql/sp_head.cc:1315
#25 0x0000555c0b0ffa98 in sp_head::execute_procedure (this=0x7fba72e29088, thd=0x7fba748d5070, args=0x7fba748d9838) at /data/src/10.1/sql/sp_head.cc:2102
#26 0x0000555c0ad6cb36 in do_execute_sp (thd=0x7fba748d5070, sp=0x7fba72e29088) at /data/src/10.1/sql/sql_parse.cc:2425
#27 0x0000555c0ad75ce9 in mysql_execute_command (thd=0x7fba748d5070) at /data/src/10.1/sql/sql_parse.cc:5299
#28 0x0000555c0ad7bc40 in mysql_parse (thd=0x7fba748d5070, rawbuf=0x7fba72c43088 "CALL sp2", length=8, parser_state=0x7fba7d9ff5e0) at /data/src/10.1/sql/sql_parse.cc:7463
#29 0x0000555c0ad6a5d5 in dispatch_command (command=COM_QUERY, thd=0x7fba748d5070, packet=0x7fba773f9071 "CALL sp2", packet_length=8) at /data/src/10.1/sql/sql_parse.cc:1495
#30 0x0000555c0ad6935a in do_command (thd=0x7fba748d5070) at /data/src/10.1/sql/sql_parse.cc:1124
#31 0x0000555c0aea3773 in do_handle_one_connection (thd_arg=0x7fba748d5070) at /data/src/10.1/sql/sql_connect.cc:1330
#32 0x0000555c0aea34d7 in handle_one_connection (arg=0x7fba748d5070) at /data/src/10.1/sql/sql_connect.cc:1242
#33 0x0000555c0b260ec6 in pfs_spawn_thread (arg=0x7fba7b03a170) at /data/src/10.1/storage/perfschema/pfs.cc:1861
#34 0x00007fba7d67f494 in start_thread (arg=0x7fba7da00b00) at pthread_create.c:333
#35 0x00007fba7ba3893f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Reproducible on 10.1, 10.2 with at least MyISAM and InnoDB.
Couldn't reproduce on 10.0, 10.3, 10.4.
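
Because the crash is reached through CALL, anyone holding EXECUTE on a procedure like sp2 above can take a 10.1/10.2 server down, and the ticket is resolved Won't Fix. A DBA therefore needs two cheap checks: is this server in the affected series, and do any stored routines have the shape of these test cases (a procedure running ALTER TABLE ... TRUNCATE PARTITION, reached directly and through other procedures)? The script below is an added example, not part of the report or of MariaDB; it works offline on constructed rows shaped like information_schema.ROUTINES (ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_DEFINITION), and the version ranges it flags are exactly those the report states (10.1 and 10.2 reproduce; 10.0, 10.3 and 10.4 did not). Function names, the sample routines and the regexes are the example's own assumptions.

```python
"""Offline triage helpers for MDEV-16994 (added example, not project code).

Assumptions:
  - ROUTINES rows are (ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_DEFINITION)
    tuples as SELECTed from information_schema.ROUTINES; the rows below
    are constructed for the example.
  - Only the major.minor series named in the report (10.1, 10.2) are
    treated as affected; the report says nothing about other series.
"""
import re
from typing import Iterable, Set, Tuple

AFFECTED_SERIES = {(10, 1), (10, 2)}

# ALTER TABLE <name> TRUNCATE PARTITION ... is the statement every test
# case on the ticket wraps in a procedure.
TRUNCATE_PARTITION_RE = re.compile(
    r"\bALTER\s+TABLE\s+\S+\s+TRUNCATE\s+PARTITION\b", re.IGNORECASE)

# CALL [schema.]name, with optional backticks; group 1 = schema, 2 = name.
CALL_RE = re.compile(
    r"\bCALL\s+(?:`?(\w+)`?\.)?`?(\w+)`?", re.IGNORECASE)

Routine = Tuple[str, str]


def parse_version(version_string: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from e.g. '10.2.44-MariaDB-log'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected_version(version_string: str) -> bool:
    """True for any 10.1.x or 10.2.x server (the series the report reproduces on)."""
    major, minor, _ = parse_version(version_string)
    return (major, minor) in AFFECTED_SERIES


def find_truncate_partition_routines(
        rows: Iterable[Tuple[str, str, str]]) -> Tuple[Set[Routine], Set[Routine]]:
    """Return (direct, callers).

    direct  : routines whose body contains ALTER TABLE ... TRUNCATE PARTITION.
    callers : routines that reach a direct routine through one or more CALLs
              (an unqualified CALL is resolved in the caller's own schema).
    """
    rows = list(rows)
    direct = {(s, n) for s, n, body in rows if TRUNCATE_PARTITION_RE.search(body)}

    # Call graph: routine -> set of routines it CALLs.
    calls = {}
    for s, n, body in rows:
        calls[(s, n)] = {(m.group(1) or s, m.group(2)) for m in CALL_RE.finditer(body)}

    # Transitive closure over the call graph until no new caller is found.
    callers: Set[Routine] = set()
    changed = True
    while changed:
        changed = False
        for routine, targets in calls.items():
            if routine in direct or routine in callers:
                continue
            if targets & (direct | callers):
                callers.add(routine)
                changed = True
    return direct, callers


# Constructed sample rows mirroring the ticket's sp1/sp2 shape plus noise.
SAMPLE_ROUTINES = [
    ("test", "sp1", "ALTER TABLE t1 TRUNCATE PARTITION p3"),
    ("test", "sp2", "CALL sp1"),
    ("test", "sp3", "CALL test.sp2"),              # reaches sp1 via sp2
    ("test", "report", "SELECT COUNT(*) FROM t1"),  # harmless
    ("other", "nightly", "CALL sp1"),               # other.sp1 does not exist
]


if __name__ == "__main__":
    version = "10.2.44-MariaDB-log"  # constructed; use SELECT VERSION() on a real server
    print("affected series:", is_affected_version(version))
    direct, callers = find_truncate_partition_routines(SAMPLE_ROUTINES)
    print("direct TRUNCATE PARTITION routines:", sorted(direct))
    print("routines reaching them via CALL:   ", sorted(callers))
```

On a live server the rows come from `SELECT ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_DEFINITION FROM information_schema.ROUTINES WHERE ROUTINE_TYPE='PROCEDURE'` (ROUTINE_DEFINITION is only visible for routines the connecting user may see). A hit on an affected series means a user with EXECUTE on any flagged routine can crash the server; since the ticket is Won't Fix, the remedy is to move off 10.1/10.2 or keep TRUNCATE PARTITION out of stored procedures there.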



 Comments   
Comment by Elena Stepanova [ 2019-01-07 ]

Here is a variation of the same problem. Same test case, only reverse order of SP calls, run with --mysqld=--performance-schema=off. On my machine a debug ASAN build of 10.2 produces the assertion below, while a debug non-ASAN build – the SIGSEGV above.

# Run with --mysqld=--performance-schema=off
 
--source include/have_partition.inc
 
CREATE TABLE t1 (a INT) PARTITION BY HASH (a) PARTITIONS 4;
CREATE PROCEDURE sp1() ALTER TABLE t1 TRUNCATE PARTITION p3;
CREATE PROCEDURE sp2() CALL sp1;
CALL sp2;
CALL sp1;
 
# Cleanup
DROP PROCEDURE sp2;
DROP PROCEDURE sp1;
DROP TABLE t1;

10.2 ASAN 0c20b247de0

Assertion `!alloced || !Ptr || !Alloced_length || (Alloced_length >= (str_length + 1))' failed in String::c_ptr
190107  3:55:24 [ERROR] mysqld got signal 6 ;
 
assert/assert.c:92(__assert_fail_base)[0x7f0d74f9ae37]
/lib/x86_64-linux-gnu/libc.so.6(+0x2bee2)[0x7f0d74f9aee2]
sql/sql_string.h:218(String::c_ptr())[0x5615d8fe2358]
sql/partition_info.cc:228(partition_info::prune_partition_bitmaps(TABLE_LIST*))[0x5615d93f6eb0]
sql/partition_info.cc:267(partition_info::set_partition_bitmaps(TABLE_LIST*))[0x5615d93f72f7]
sql/sql_base.cc:1973(open_table(THD*, TABLE_LIST*, Open_table_context*))[0x5615d8ff73b4]
sql/sql_base.cc:3488(open_and_process_table(THD*, LEX*, TABLE_LIST*, unsigned int*, unsigned int, Prelocking_strategy*, bool, Open_table_context*))[0x5615d8ffd964]
sql/sql_base.cc:4011(open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*))[0x5615d9000155]
sql/sql_base.h:475(open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int))[0x5615d90a7bfa]
sql/sql_partition_admin.cc:778(Sql_cmd_alter_table_truncate_partition::execute(THD*))[0x5615d9b653b1]
sql/sql_parse.cc:6228(mysql_execute_command(THD*))[0x5615d911cd0a]
sql/sp_head.cc:3246(sp_instr_stmt::exec_core(THD*, unsigned int*))[0x5615d9aac44a]
sql/sp_head.cc:3009(sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*))[0x5615d9aab096]
sql/sp_head.cc:3162(sp_instr_stmt::execute(THD*, unsigned int*))[0x5615d9aabd14]
sql/sp_head.cc:1327(sp_head::execute(THD*, bool))[0x5615d9aa1615]
sql/sp_head.cc:2116(sp_head::execute_procedure(THD*, List<Item>*))[0x5615d9aa5402]
sql/sql_parse.cc:2915(do_execute_sp(THD*, sp_head*))[0x5615d9107dbc]
sql/sql_parse.cc:5828(mysql_execute_command(THD*))[0x5615d911a183]
sql/sql_parse.cc:8015(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5615d9127840]
sql/sql_parse.cc:1828(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5615d910222d]
sql/sql_parse.cc:1379(do_command(THD*))[0x5615d90ff2c2]
sql/sql_connect.cc:1335(do_handle_one_connection(CONNECT*))[0x5615d9444d69]
sql/sql_connect.cc:1242(handle_one_connection)[0x5615d944477e]
nptl/pthread_create.c:333(start_thread)[0x7f0d76c71494]
x86_64/clone.S:99(clone)[0x7f0d7505793f]

Comment by Elena Stepanova [ 2019-10-12 ]

Another very slightly different stack trace

==7422==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x563b77b7e5b6 bp 0x7fdab441f370 sp 0x7fdab441f360 T35)
==7422==The signal is caused by a READ memory access.
    #0 0x563b77b7e5b5 in String::length() const /home/mdbe/tests/src/10.2e/sql/sql_string.h:194
    #1 0x563b7808da14 in partition_info::prune_partition_bitmaps(TABLE_LIST*) /home/mdbe/tests/src/10.2e/sql/partition_info.cc:228
    #2 0x563b7808df80 in partition_info::set_partition_bitmaps(TABLE_LIST*) /home/mdbe/tests/src/10.2e/sql/partition_info.cc:267
    #3 0x563b77c4c65c in open_table(THD*, TABLE_LIST*, Open_table_context*) /home/mdbe/tests/src/10.2e/sql/sql_base.cc:2146
    #4 0x563b77c53928 in open_and_process_table /home/mdbe/tests/src/10.2e/sql/sql_base.cc:3723
    #5 0x563b77c56853 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /home/mdbe/tests/src/10.2e/sql/sql_base.cc:4221
    #6 0x563b77d08a69 in open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int) /home/mdbe/tests/src/10.2e/sql/sql_base.h:487
    #7 0x563b7884436e in Sql_cmd_alter_table_truncate_partition::execute(THD*) /home/mdbe/tests/src/10.2e/sql/sql_partition_admin.cc:824
    #8 0x563b77d8377e in mysql_execute_command(THD*) /home/mdbe/tests/src/10.2e/sql/sql_parse.cc:5999
    #9 0x563b7877e19b in sp_instr_stmt::exec_core(THD*, unsigned int*) /home/mdbe/tests/src/10.2e/sql/sp_head.cc:3248
    #10 0x563b7877cd02 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /home/mdbe/tests/src/10.2e/sql/sp_head.cc:3011
    #11 0x563b7877da2d in sp_instr_stmt::execute(THD*, unsigned int*) /home/mdbe/tests/src/10.2e/sql/sp_head.cc:3164
    #12 0x563b78772434 in sp_head::execute(THD*, bool) /home/mdbe/tests/src/10.2e/sql/sp_head.cc:1329
    #13 0x563b78776724 in sp_head::execute_procedure(THD*, List<Item>*) /home/mdbe/tests/src/10.2e/sql/sp_head.cc:2118
    #14 0x563b77d6e499 in do_execute_sp /home/mdbe/tests/src/10.2e/sql/sql_parse.cc:2956
    #15 0x563b77d80ad1 in mysql_execute_command(THD*) /home/mdbe/tests/src/10.2e/sql/sql_parse.cc:5599
    #16 0x563b77ddec41 in Prepared_statement::execute(String*, bool) /home/mdbe/tests/src/10.2e/sql/sql_prepare.cc:4916
    #17 0x563b77dd9fab in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /home/mdbe/tests/src/10.2e/sql/sql_prepare.cc:4329
    #18 0x563b77dd3cab in mysql_stmt_execute_common /home/mdbe/tests/src/10.2e/sql/sql_prepare.cc:3302
    #19 0x563b77dd33fb in mysqld_stmt_execute(THD*, char*, unsigned int) /home/mdbe/tests/src/10.2e/sql/sql_prepare.cc:3192
    #20 0x563b77d679aa in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/mdbe/tests/src/10.2e/sql/sql_parse.cc:1773
    #21 0x563b77d647dc in do_command(THD*) /home/mdbe/tests/src/10.2e/sql/sql_parse.cc:1384
    #22 0x563b780e0e7f in do_handle_one_connection(CONNECT*) /home/mdbe/tests/src/10.2e/sql/sql_connect.cc:1336
    #23 0x563b780e073c in handle_one_connection /home/mdbe/tests/src/10.2e/sql/sql_connect.cc:1241
    #24 0x7fdaecb716da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #25 0x7fdaebf5b88e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
    #0 0x7fdaedfe5d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x563b795abfef in spawn_thread_noop /home/mdbe/tests/src/10.2e/mysys/psi_noop.c:187
    #2 0x563b77b40720 in inline_mysql_thread_create /home/mdbe/tests/src/10.2e/include/mysql/psi/mysql_thread.h:1239
    #3 0x563b77b57a68 in create_thread_to_handle_connection(CONNECT*) /home/mdbe/tests/src/10.2e/sql/mysqld.cc:6518
    #4 0x563b77b58239 in create_new_thread /home/mdbe/tests/src/10.2e/sql/mysqld.cc:6586
    #5 0x563b77b59512 in handle_connections_sockets() /home/mdbe/tests/src/10.2e/sql/mysqld.cc:6861
    #6 0x563b77b56e20 in mysqld_main(int, char**) /home/mdbe/tests/src/10.2e/sql/mysqld.cc:6135
    #7 0x563b77b3f069 in main /home/mdbe/tests/src/10.2e/sql/main.cc:25
    #8 0x7fdaebe5bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

Comment by Elena Stepanova [ 2020-02-28 ]

Here is a test case which causes a noticeably different failure, but only on a release build on one machine. The results on other machines/builds range from no failure at all to one of those described here, mainly ASAN errors in `partition_info::prune_partition_bitmaps`; so I will for now assume it has the same root cause. Adding the stack trace for the record, and the test case to be checked when the bug is fixed (it is worth checking even though the failure seems machine/build-specific).

--source include/have_partition.inc
 
CREATE TABLE t1 (a INT) ENGINE=MEMORY PARTITION BY HASH(a) PARTITIONS 4;
CREATE TABLE t2 (b INT) ENGINE=MYISAM PARTITION BY HASH(b) PARTITIONS 4;
 
CREATE PROCEDURE p1() ALTER TABLE t1 TRUNCATE PARTITION p1;
CREATE PROCEDURE p2() CALL p1;
CALL p2;
UPDATE t2 SET b = 0 WHERE b = 3;
CALL p1;

Thread 1 (Thread 0x7f383415e700 (LWP 16281)):
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x000055c418df6b97 in my_write_core (sig=sig@entry=11) at /home/mdbe/enterprise-tests/src/10.2-based-branch/mysys/stacktrace.c:477
#2  0x000055c41888c13a in handle_fatal_signal (sig=11) at /home/mdbe/enterprise-tests/src/10.2-based-branch/sql/signal_handler.cc:343
#3  <signal handler called>
#4  I_P_List<Sql_condition, I_P_List_adapter<Sql_condition, &Sql_condition::next_in_wi, &Sql_condition::prev_in_wi>, I_P_List_counter, I_P_List_fast_push_back<Sql_condition> >::remove (a=0x800000000, this=0x7f3824005eb8) at /home/mdbe/enterprise-tests/src/10.2-based-branch/sql/sql_plist.h:126
#5  Warning_info::remove_marked_sql_conditions (this=0x7f3824005e80) at /home/mdbe/enterprise-tests/src/10.2-based-branch/sql/sql_error.cc:663
#6  0x000055c418674434 in Diagnostics_area::remove_marked_sql_conditions (this=0x7f3824005c50) at /home/mdbe/enterprise-tests/src/10.2-based-branch/sql/sql_error.h:861
#7  sp_head::execute (this=this@entry=0x7f382409c340, thd=thd@entry=0x7f3824000c08, merge_da_on_success=merge_da_on_success@entry=true) at /home/mdbe/enterprise-tests/src/10.2-based-branch/sql/sp_head.cc:1427
#8  0x000055c418675d3f in sp_head::execute_procedure (this=0x7f382409c340, thd=thd@entry=0x7f3824000c08, args=0x7f38240053a8) at /home/mdbe/enterprise-tests/src/10.2-based-branch/sql/sp_head.cc:2109
#9  0x000055c4186dfad0 in do_execute_sp (thd=thd@entry=0x7f3824000c08, sp=<optimized out>) at /home/mdbe/enterprise-tests/src/10.2-based-branch/sql/sql_parse.cc:2955
#10 0x000055c4186e82c3 in mysql_execute_command (thd=thd@entry=0x7f3824000c08) at /home/mdbe/enterprise-tests/src/10.2-based-branch/sql/sql_parse.cc:5608
#11 0x000055c4186eefe2 in mysql_parse (thd=0x7f3824000c08, rawbuf=<optimized out>, length=7, parser_state=0x7f383415d1e0, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /home/mdbe/enterprise-tests/src/10.2-based-branch/sql/sql_parse.cc:7768
#12 0x000055c4186f1d95 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f3824000c08, packet=packet@entry=0x7f3824006fb9 "CALL p1", packet_length=packet_length@entry=7, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /home/mdbe/enterprise-tests/src/10.2-based-branch/sql/sql_parse.cc:1829
#13 0x000055c4186f2968 in do_command (thd=0x7f3824000c08) at /home/mdbe/enterprise-tests/src/10.2-based-branch/sql/sql_parse.cc:1383
#14 0x000055c4187bf36e in do_handle_one_connection (connect=connect@entry=0x55c41bdd74d8) at /home/mdbe/enterprise-tests/src/10.2-based-branch/sql/sql_connect.cc:1336
#15 0x000055c4187bf43d in handle_one_connection (arg=arg@entry=0x55c41bdd74d8) at /home/mdbe/enterprise-tests/src/10.2-based-branch/sql/sql_connect.cc:1241
#16 0x000055c418dac2aa in pfs_spawn_thread (arg=0x55c41bddc5e8) at /home/mdbe/enterprise-tests/src/10.2-based-branch/storage/perfschema/pfs.cc:1869
#17 0x00007f383bdd26db in start_thread (arg=0x7f383415e700) at pthread_create.c:463
#18 0x00007f383b3d488f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment by Elena Stepanova [ 2023-08-24 ]

10.2 is EOL

Generated at Thu Feb 08 08:33:07 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.