[MDEV-18003] Assertion `grantee->counter > 0' failed in merge_role_privileges upon concurrent CREATE ROLE and FLUSH PRIVILEGES
Created: 2018-12-13  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.0, 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9
Fix Version/s: 10.4, 10.5, 10.6, 10.11

Type: Bug
Priority: Major
Reporter: Elena Stepanova
Assignee: Vicențiu Ciorbaru
Resolution: Unresolved
Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-22521 Server crashes in traverse_role_graph... Closed
relates to MDEV-30526 Assertion `rights == merged->cols' f... Closed

 Description   

Note: The test fails for me every time, but it employs a race condition, so it's still non-deterministic. Run with --repeat=N if it doesn't fail right away.
Note: FLUSH TABLES isn't necessary for the scenario; the failure can happen without it, but somehow it makes it much more probable.

--connect (con1,localhost,root,,test)
CREATE ROLE a;
FLUSH TABLES;
 
--connection default
--send
  CREATE ROLE b WITH ADMIN a;
 
--connection con1
FLUSH PRIVILEGES;
 
# Cleanup
--disconnect con1
--connection default
--reap
DROP ROLE a, b;

10.0 4886d14827c

mysqld: /data/src/10.0/sql/sql_acl.cc:5364: int merge_role_privileges(ACL_ROLE*, ACL_ROLE*, void*): Assertion `grantee->counter > 0' failed.
181213 17:31:16 [ERROR] mysqld got signal 6 ;
 
#7  0x00007f631ba80ee2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#8  0x00000000005d17e4 in merge_role_privileges (role=0x7f63158cc4f0, grantee=0x7f63158cc3e0, context=0x7f631d8ea7a0) at /data/src/10.0/sql/sql_acl.cc:5364
#9  0x00000000005d0187 in traverse_role_graph_impl (user=0x7f63158cc4f0, context=0x7f631d8ea7a0, offset=88, on_node=0x0, on_edge=0x5d178b <merge_role_privileges(ACL_ROLE*, ACL_ROLE*, void*)>) at /data/src/10.0/sql/sql_acl.cc:4773
#10 0x00000000005d03de in traverse_role_graph_up (role=0x7f63158cc4f0, context=0x7f631d8ea7a0, on_node=0x0, on_edge=0x5d178b <merge_role_privileges(ACL_ROLE*, ACL_ROLE*, void*)>) at /data/src/10.0/sql/sql_acl.cc:4838
#11 0x00000000005d503a in propagate_role_grants_action (role_ptr=0x7f63158cc4f0, ptr=0x0) at /data/src/10.0/sql/sql_acl.cc:6568
#12 0x0000000000e065ee in my_hash_iterate (hash=0x17e7200 <acl_roles>, action=0x5d4f87 <propagate_role_grants_action(void*, void*)>, argument=0x0) at /data/src/10.0/mysys/hash.c:770
#13 0x00000000005d5846 in grant_reload (thd=0x7f6315aa8070) at /data/src/10.0/sql/sql_acl.cc:6651
#14 0x000000000079a188 in reload_acl_and_cache (thd=0x7f6315aa8070, options=1, tables=0x0, write_to_binlog=0x7f631d8ec27c) at /data/src/10.0/sql/sql_reload.cc:84
#15 0x0000000000652d7b in mysql_execute_command (thd=0x7f6315aa8070) at /data/src/10.0/sql/sql_parse.cc:4309
#16 0x00000000006589d0 in mysql_parse (thd=0x7f6315aa8070, rawbuf=0x7f6313c22088 "FLUSH PRIVILEGES", length=16, parser_state=0x7f631d8ec640) at /data/src/10.0/sql/sql_parse.cc:6637
#17 0x000000000064b2f0 in dispatch_command (command=COM_QUERY, thd=0x7f6315aa8070, packet=0x7f6316fea071 "FLUSH PRIVILEGES", packet_length=16) at /data/src/10.0/sql/sql_parse.cc:1300
#18 0x000000000064a5f0 in do_command (thd=0x7f6315aa8070) at /data/src/10.0/sql/sql_parse.cc:1003
#19 0x000000000076bf08 in do_handle_one_connection (thd_arg=0x7f6315aa8070) at /data/src/10.0/sql/sql_connect.cc:1377
#20 0x000000000076bc7a in handle_one_connection (arg=0x7f6315aa8070) at /data/src/10.0/sql/sql_connect.cc:1292
#21 0x0000000000acdb54 in pfs_spawn_thread (arg=0x7f63159a2870) at /data/src/10.0/storage/perfschema/pfs.cc:1861
#22 0x00007f631d569494 in start_thread (arg=0x7f631d8ed700) at pthread_create.c:333
#23 0x00007f631bb3d93f in clone () from /lib/x86_64-linux-gnu/libc.so.6



 Comments   
Comment by Roel Van de Paar [ 2022-05-03 ]

This bug can also be seen with the following testcase (single thread replay suffices):

CREATE TABLE mysql.host (c INT);
CREATE ROLE r WITH ADMIN u;
CREATE ROLE q WITH ADMIN r;
FLUSH PRIVILEGES;

Leads to:

10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Debug)

mysqld: /test/10.9_dbg/sql/sql_acl.cc:6893: int merge_role_privileges(ACL_ROLE*, ACL_ROLE*, void*): Assertion `grantee->counter > 0' failed.

10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Debug)

Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x1476cc054700 (LWP 362797))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00001476e3fff859 in __GI_abort () at abort.c:79
#2  0x00001476e3fff729 in __assert_fail_base (fmt=0x1476e4195588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x564053e635c0 "grantee->counter > 0", file=0x564053e63f1d "/test/10.9_dbg/sql/sql_acl.cc", line=6893, function=<optimized out>) at assert.c:92
#3  0x00001476e4011006 in __GI___assert_fail (assertion=assertion@entry=0x564053e635c0 "grantee->counter > 0", file=file@entry=0x564053e63f1d "/test/10.9_dbg/sql/sql_acl.cc", line=line@entry=6893, function=function@entry=0x564053e61498 "int merge_role_privileges(ACL_ROLE*, ACL_ROLE*, void*)") at assert.c:101
#4  0x00005640531e2591 in merge_role_privileges (role=role@entry=0x56405579f7c8, grantee=0x56405579f718, context=context@entry=0x1476cc052a30) at /test/10.9_dbg/sql/sql_acl.cc:6893
#5  0x00005640531d99bb in traverse_role_graph_impl (user=<optimized out>, user@entry=0x56405579f7c8, context=context@entry=0x1476cc052a30, offset=offset@entry=112, on_node=on_node@entry=0x0, on_edge=on_edge@entry=0x5640531e2505 <merge_role_privileges(ACL_ROLE*, ACL_ROLE*, void*)>) at /test/10.9_dbg/sql/sql_acl.cc:6291
#6  0x00005640531e03b1 in traverse_role_graph_up (on_edge=0x5640531e2505 <merge_role_privileges(ACL_ROLE*, ACL_ROLE*, void*)>, on_node=0x0, context=0x1476cc052a30, role=0x56405579f7c8) at /test/10.9_dbg/sql/sql_acl.cc:7992
#7  propagate_role_grants_action (role_ptr=0x56405579f7c8, ptr=<optimized out>) at /test/10.9_dbg/sql/sql_acl.cc:7992
#8  0x0000564053ca7079 in my_hash_iterate (hash=hash@entry=0x56405475e060 <acl_roles>, action=action@entry=0x5640531e0340 <propagate_role_grants_action(void*, void*)>, argument=argument@entry=0x0) at /test/10.9_dbg/mysys/hash.c:808
#9  0x00005640531e4af4 in grant_reload (thd=thd@entry=0x147680000db8) at /test/10.9_dbg/sql/sql_acl.cc:8069
#10 0x00005640534203cd in reload_acl_and_cache (thd=<optimized out>, thd@entry=0x147680000db8, options=1, tables=tables@entry=0x0, write_to_binlog=write_to_binlog@entry=0x1476cc053080) at /test/10.9_dbg/sql/sql_reload.cc:88
#11 0x0000564053298925 in mysql_execute_command (thd=thd@entry=0x147680000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.9_dbg/sql/sql_parse.cc:5473
#12 0x000056405328267b in mysql_parse (thd=thd@entry=0x147680000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1476cc053470) at /test/10.9_dbg/sql/sql_parse.cc:8046
#13 0x000056405328ff79 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x147680000db8, packet=packet@entry=0x14768000b699 "FLUSH PRIVILEGES", packet_length=packet_length@entry=16, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_class.h:1364
#14 0x0000564053292686 in do_command (thd=0x147680000db8, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:1408
#15 0x00005640533efd02 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x564055808ae8, put_in_cache=put_in_cache@entry=true) at /test/10.9_dbg/sql/sql_connect.cc:1418
#16 0x00005640533f020b in handle_one_connection (arg=0x564055808ae8) at /test/10.9_dbg/sql/sql_connect.cc:1312
#17 0x00001476e4510609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x00001476e40fc163 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

And on optimized, we see this:

10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Optimized)

10.9.0-opt>FLUSH PRIVILEGES;
ERROR 1105 (HY000): Fatal error: mysql.host table is damaged or in unsupported 3.20 format

Bug confirmed present in:
MariaDB: 10.4.25 (dbg), 10.5.16 (dbg), 10.6.8 (dbg), 10.7.4 (dbg), 10.8.3 (dbg), 10.9.0 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (opt), 10.5.16 (opt), 10.6.8 (opt), 10.7.4 (opt), 10.8.3 (opt), 10.9.0 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.37 (dbg), 5.7.37 (opt), 8.0.28 (dbg), 8.0.28 (opt)
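
Added example, not part of the original report or of MariaDB's own tooling: a small crash-signature normalizer that reduces the two backtraces above to the assertion text plus the first server frames, to check that the 10.0 and 10.9.0 crashes take the same path into merge_role_privileges. The name crash_signature and the abbreviated trace constants are assumptions made for this example.

```python
import re

# gdb frame line: "#N  [0xADDR in ]function (args) ..."; inlined frames carry no address.
FRAME = re.compile(r"^#\d+\s+(?:0x[0-9a-f]+ in )?([A-Za-z_][\w:]*) \(")
ASSERTION = re.compile(r"Assertion `(.+?)' failed")
# libc frames produced by the abort itself, identical for every assertion failure.
NOISE = {"raise", "abort", "assert_fail", "assert_fail_base"}

def crash_signature(text, depth=6):
    """Return 'assertion|f1|f2|...' from an error-log excerpt plus gdb backtrace."""
    found = ASSERTION.search(text)
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue
        # Strip glibc's internal-alias prefix and leading underscores before filtering.
        if re.sub(r"^(__GI_)?_*", "", m.group(1)) in NOISE:
            continue
        frames.append(m.group(1))
    return "|".join([found.group(1) if found else "?"] + frames[:depth])

# Abbreviated from the two traces in this report (arguments replaced by "...").
TRACE_10_0 = """\
mysqld: /data/src/10.0/sql/sql_acl.cc:5364: int merge_role_privileges(ACL_ROLE*, ACL_ROLE*, void*): Assertion `grantee->counter > 0' failed.
#7  0x00007f631ba80ee2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#8  0x00000000005d17e4 in merge_role_privileges (...) at /data/src/10.0/sql/sql_acl.cc:5364
#9  0x00000000005d0187 in traverse_role_graph_impl (...) at /data/src/10.0/sql/sql_acl.cc:4773
#10 0x00000000005d03de in traverse_role_graph_up (...) at /data/src/10.0/sql/sql_acl.cc:4838
#11 0x00000000005d503a in propagate_role_grants_action (...) at /data/src/10.0/sql/sql_acl.cc:6568
#12 0x0000000000e065ee in my_hash_iterate (...) at /data/src/10.0/mysys/hash.c:770
#13 0x00000000005d5846 in grant_reload (...) at /data/src/10.0/sql/sql_acl.cc:6651
"""

TRACE_10_9 = """\
mysqld: /test/10.9_dbg/sql/sql_acl.cc:6893: int merge_role_privileges(ACL_ROLE*, ACL_ROLE*, void*): Assertion `grantee->counter > 0' failed.
#0  __GI_raise (...) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00001476e3fff859 in __GI_abort () at abort.c:79
#3  0x00001476e4011006 in __GI___assert_fail (...) at assert.c:101
#4  0x00005640531e2591 in merge_role_privileges (...) at /test/10.9_dbg/sql/sql_acl.cc:6893
#5  0x00005640531d99bb in traverse_role_graph_impl (...) at /test/10.9_dbg/sql/sql_acl.cc:6291
#6  0x00005640531e03b1 in traverse_role_graph_up (...) at /test/10.9_dbg/sql/sql_acl.cc:7992
#7  propagate_role_grants_action (...) at /test/10.9_dbg/sql/sql_acl.cc:7992
#8  0x0000564053ca7079 in my_hash_iterate (...) at /test/10.9_dbg/mysys/hash.c:808
#9  0x00005640531e4af4 in grant_reload (...) at /test/10.9_dbg/sql/sql_acl.cc:8069
"""

if __name__ == "__main__":
    print(crash_signature(TRACE_10_0) == crash_signature(TRACE_10_9))
```

Addresses, source line numbers and the libc abort frames differ between the two builds; the normalized signature ignores them and keeps only the assertion and the server call chain.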
