[#MDEV-20563] Server crash in row_upd_del_mark_clust_rec or in wsrep_row_upd_index_is_foreign or Assertion `update->n_fields < ulint(table->n_cols + table->n_v_cols)' failed upon DELETE from precise-versioned table

[MDEV-20563] Server crash in row_upd_del_mark_clust_rec or in wsrep_row_upd_index_is_foreign or Assertion `update->n_fields < ulint(table->n_cols + table->n_v_cols)' failed upon DELETE from precise-versioned table Created: 2019-09-11 Updated: 2020-12-10 Resolved: 2020-12-10
Status:	Closed
Project:	MariaDB Server
Component/s:	Storage Engine - InnoDB, Versioned Tables
Affects Version/s:	10.5.4, 10.5.3, 10.3, 10.4
Fix Version/s:	N/A

Type:

Bug

Priority:

Critical

Reporter:

Elena Stepanova

Assignee:

Aleksey Midenkov

Resolution:

Duplicate

Votes:

Labels:

affects-tests, not-10.1, not-10.2, trx-versioning

Issue Links:

Duplicate
duplicates	~~MDEV-22061~~	InnoDB: Assertion of missing row in s...	Closed
Relates
relates to	~~MDEV-16554~~	InnoDB: Assertion failure in file mar...	Closed
relates to	~~MDEV-20906~~	MariaDB crashed on DELETE (lock0priv....	Closed

Description

--source include/have_innodb.inc

CREATE  TABLE t1 (a INT, s BIGINT UNSIGNED AS ROW START, e BIGINT UNSIGNED AS ROW END, PERIOD FOR SYSTEM_TIME(s,e)) WITH SYSTEM VERSIONING ENGINE=InnoDB;

INSERT INTO t1 (a) VALUES (1),(2),(3),(4),(5),(6),(7),(8);

START TRANSACTION;

INSERT INTO t1 (a) VALUES (1),(2),(3),(4),(5),(6),(7),(8);

DELETE FROM t1;

# Cleanup

COMMIT;

DROP TABLE t1;

10.3 f1309fac non-debug
#3 <signal handler called>
#4 row_upd_del_mark_clust_rec (mtr=0x7f1eca6c9fc0, foreign=false, referenced=0, thr=0x7f1e7806bc08, offsets=0x7f1eca6c96a0, index=0x7f1e780803e0, node=0x7f1e7806b8e0) at /data/src/10.3/storage/innobase/row/row0upd.cc:2983
#5 row_upd_clust_step (node=node@entry=0x7f1e7806b8e0, thr=thr@entry=0x7f1e7806bc08) at /data/src/10.3/storage/innobase/row/row0upd.cc:3168
#6 0x00005595175efa94 in row_upd (thr=0x7f1e7806bc08, node=0x7f1e7806b8e0) at /data/src/10.3/storage/innobase/row/row0upd.cc:3295
#7 row_upd_step (thr=thr@entry=0x7f1e7806bc08) at /data/src/10.3/storage/innobase/row/row0upd.cc:3439
#8 0x00005595175c48ac in row_update_for_mysql (prebuilt=0x7f1e7806adf0) at /data/src/10.3/storage/innobase/row/row0mysql.cc:1888
#9 0x00005595175181d3 in ha_innobase::delete_row (this=0x7f1e7806a660, record=0x7f1e780655d8 "\375\a") at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:8983
#10 0x00005595173b0a04 in handler::ha_delete_row (this=0x7f1e7806a660, buf=0x7f1e780655d8 "\375\a") at /data/src/10.3/sql/handler.cc:6534
#11 0x00005595174bf1ba in mysql_delete (thd=thd@entry=0x7f1e780009a8, table_list=0x7f1e7800f528, conds=<optimized out>, order_list=order_list@entry=0x7f1e780050b0, limit=18446744073709551601, options=<optimized out>, result=0x0) at /data/src/10.3/sql/sql_delete.cc:750
#12 0x00005595171e4817 in mysql_execute_command (thd=thd@entry=0x7f1e780009a8) at /data/src/10.3/sql/sql_parse.cc:4654
#13 0x00005595171e5859 in mysql_parse (thd=thd@entry=0x7f1e780009a8, rawbuf=<optimized out>, length=14, parser_state=parser_state@entry=0x7f1eca6cc620, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.3/sql/sql_parse.cc:7830
#14 0x00005595171e806d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f1e780009a8, packet=packet@entry=0x7f1e780070b9 "DELETE FROM t1", packet_length=packet_length@entry=14, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.3/sql/sql_parse.cc:1856
#15 0x00005595171e8ce6 in do_command (thd=0x7f1e780009a8) at /data/src/10.3/sql/sql_parse.cc:1401
#16 0x00005595172afca4 in do_handle_one_connection (connect=connect@entry=0x559519241958) at /data/src/10.3/sql/sql_connect.cc:1403
#17 0x00005595172afd54 in handle_one_connection (arg=arg@entry=0x559519241958) at /data/src/10.3/sql/sql_connect.cc:1308
#18 0x000055951781f1e4 in pfs_spawn_thread (arg=0x5595192024c8) at /data/src/10.3/storage/perfschema/pfs.cc:1862
#19 0x00007f1ed6e834a4 in start_thread (arg=0x7f1eca6cd700) at pthread_create.c:456
#20 0x00007f1ed53cbd0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

10.3 f1309fac debug
mysqld: /data/src/10.3/storage/innobase/row/row0upd.cc:3486: void upd_node_t::make_versioned_helper(const trx_t*, ulint): Assertion `update->n_fields < ulint(table->n_cols + table->n_v_cols)' failed.
190911 16:59:14 [ERROR] mysqld got signal 6 ;

#7 0x00007f9056c21f12 in __GI___assert_fail (assertion=0x55e4c728ae28 "update->n_fields < ulint(table->n_cols + table->n_v_cols)", file=0x55e4c7289fd8 "/data/src/10.3/storage/innobase/row/row0upd.cc", line=3486, function=0x55e4c728da40 <upd_node_t::make_versioned_helper(trx_t const, unsigned long)::__PRETTY_FUNCTION__> "void upd_node_t::make_versioned_helper(const trx_t, ulint)") at assert.c:101
#8 0x000055e4c6b0ba2b in upd_node_t::make_versioned_helper (this=0x7f90000a5330, trx=0x7f9050ab80f0, idx=1) at /data/src/10.3/storage/innobase/row/row0upd.cc:3486
#9 0x000055e4c6aa17dc in upd_node_t::make_versioned_update (this=0x7f90000a5330, trx=0x7f9050ab80f0) at /data/src/10.3/storage/innobase/include/row0upd.h:606
#10 0x000055e4c6a99179 in row_update_for_mysql (prebuilt=0x7f90000a4808) at /data/src/10.3/storage/innobase/row/row0mysql.cc:1879
#11 0x000055e4c68fa0af in ha_innobase::delete_row (this=0x7f90000a4058, record=0x7f9000006af0 "\375\006") at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:8983
#12 0x000055e4c66d294a in handler::ha_delete_row (this=0x7f90000a4058, buf=0x7f9000006af0 "\375\006") at /data/src/10.3/sql/handler.cc:6534
#13 0x000055e4c687f205 in TABLE::delete_row (this=0x7f9000162a70) at /data/src/10.3/sql/sql_delete.cc:253
#14 0x000055e4c687c409 in mysql_delete (thd=0x7f9000000b00, table_list=0x7f90000128e0, conds=0x0, order_list=0x7f90000053c8, limit=18446744073709551602, options=0, result=0x0) at /data/src/10.3/sql/sql_delete.cc:750
#15 0x000055e4c63a4d6c in mysql_execute_command (thd=0x7f9000000b00) at /data/src/10.3/sql/sql_parse.cc:4654
#16 0x000055e4c63af9fd in mysql_parse (thd=0x7f9000000b00, rawbuf=0x7f9000012818 "DELETE FROM t1", length=14, parser_state=0x7f904bfb35e0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7830
#17 0x000055e4c639c2fb in dispatch_command (command=COM_QUERY, thd=0x7f9000000b00, packet=0x7f9000008c71 "DELETE FROM t1", packet_length=14, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1856
#18 0x000055e4c639ac22 in do_command (thd=0x7f9000000b00) at /data/src/10.3/sql/sql_parse.cc:1401
#19 0x000055e4c6513d40 in do_handle_one_connection (connect=0x55e4c97900c0) at /data/src/10.3/sql/sql_connect.cc:1403
#20 0x000055e4c6513aa2 in handle_one_connection (arg=0x55e4c97900c0) at /data/src/10.3/sql/sql_connect.cc:1308
#21 0x000055e4c6ef60a0 in pfs_spawn_thread (arg=0x55e4c96d3710) at /data/src/10.3/storage/perfschema/pfs.cc:1862
#22 0x00007f90587964a4 in start_thread (arg=0x7f904bfb4700) at pthread_create.c:456
#23 0x00007f9056cded0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

10.5 non-debug ASAN 0186b0a0
==18014==ERROR: AddressSanitizer: use-after-poison on address 0x620000077e68 at pc 0x55abf29dc770 bp 0x7f5fa8fcbd90 sp 0x7f5fa8fcbd88
WRITE of size 2 at 0x620000077e68 thread T14
#0 0x55abf29dc76f in upd_field_set_field_no /data/src/10.5/storage/innobase/include/row0upd.ic:100
#1 0x55abf29dc76f in upd_node_t::make_versioned_helper(trx_t const*, unsigned long) /data/src/10.5/storage/innobase/row/row0upd.cc:3195
#2 0x55abf2970266 in upd_node_t::make_versioned_update(trx_t const*) /data/src/10.5/storage/innobase/include/row0upd.h:504
#3 0x55abf2970266 in row_update_for_mysql(row_prebuilt_t*) /data/src/10.5/storage/innobase/row/row0mysql.cc:1879
#4 0x55abf277cabf in ha_innobase::delete_row(unsigned char const*) /data/src/10.5/storage/innobase/handler/ha_innodb.cc:8657
#5 0x55abf1f8cb51 in handler::ha_delete_row(unsigned char const*) /data/src/10.5/sql/handler.cc:7100
#6 0x55abf2323f90 in mysql_delete(THD, TABLE_LIST, Item, SQL_I_List<st_order>, unsigned long long, unsigned long long, select_result*) /data/src/10.5/sql/sql_delete.cc:794
#7 0x55abf1a2b535 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:4749
#8 0x55abf1a3a014 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:7957
#9 0x55abf1a1e706 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1840
#10 0x55abf1a1a176 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1359
#11 0x55abf1cc7867 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1411
#12 0x55abf1cc8576 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1313
#13 0x55abf25cae33 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
#14 0x7f5fb9a2c4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
#15 0x7f5fb7b60d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)

0x620000077e68 is located 3560 bytes inside of 3784-byte region [0x620000077080,0x620000077f48)
allocated by thread T14 here:
#0 0x7f5fb9d03d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x55abf287dcfc in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const, char const, bool, bool) /data/src/10.5/storage/innobase/include/ut0new.h:372
#2 0x55abf287dcfc in mem_heap_create_block_func(mem_block_info_t*, unsigned long, unsigned long) /data/src/10.5/storage/innobase/mem/mem0mem.cc:277

Thread T14 created by T0 here:
#0 0x7f5fb9c72f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x55abf25cb0aa in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:34
#2 0x55abf25cb0aa in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252

SUMMARY: AddressSanitizer: use-after-poison /data/src/10.5/storage/innobase/include/row0upd.ic:100 in upd_field_set_field_no
Shadow bytes around the buggy address:
0x0c4080006f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00
0x0c4080006f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4080006f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4080006fa0: 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4080006fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4080006fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00[f7]00 00
0x0c4080006fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4080006fe0: 00 00 00 00 f7 f7 f7 f7 f7 fa fa fa fa fa fa fa
0x0c4080006ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4080007000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4080007010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18014==ABORTING

Comments

Comment by Elena Stepanova [ 2020-03-31 ]

Here is a variation of the test case which causes a different crash on a non-debug build (the debug assertion remains the same):

--source include/have_innodb.inc

CREATE TABLE t2 (a INT, KEY(a)) ENGINE=InnoDB;

INSERT INTO t2 (a) VALUES (1),(2),(3),(4),(5),(6),(7),(8);

CREATE  TABLE t1 (a INT, s BIGINT UNSIGNED AS ROW START, e BIGINT UNSIGNED AS ROW END, PERIOD FOR SYSTEM_TIME(s,e), FOREIGN KEY (a) REFERENCES t2(a)) WITH SYSTEM VERSIONING ENGINE=InnoDB;

INSERT INTO t1 (a) VALUES (1),(2),(3),(4),(5),(6),(7),(8);

START TRANSACTION;

INSERT INTO t1 (a) VALUES (1),(2),(3),(4),(5),(6),(7),(8);

DELETE FROM t1;

# Cleanup

COMMIT;

DROP TABLE t1,t2;

10.4 ba679ae52 RelWithDebInfo
#3 <signal handler called>
#4 0x0000564db94479aa in wsrep_row_upd_index_is_foreign (index=index@entry=0x7f7d90036278, trx=trx@entry=0x80600004708) at /usr/include/c++/8/bits/stl_set.h:414
#5 0x0000564db944c7f7 in row_upd_clust_step (node=0x7f7d90039af8, thr=0x7f7d90039e20) at /data/src/10.4/storage/innobase/row/row0upd.cc:3064
#6 0x0000564db944db7b in row_upd (thr=0x7f7d90039e20, node=0x7f7d90039af8) at /data/src/10.4/storage/innobase/row/row0upd.cc:3298
#7 row_upd_step (thr=thr@entry=0x7f7d90039e20) at /data/src/10.4/storage/innobase/row/row0upd.cc:3442
#8 0x0000564db942956c in row_update_for_mysql (prebuilt=0x7f7d90038ff8) at /data/src/10.4/storage/innobase/row/row0mysql.cc:1889
#9 0x0000564db9380f30 in ha_innobase::delete_row (this=0x7f7d90034780, record=0x7f7d9008f828 "\375\a") at /data/src/10.4/storage/innobase/handler/ha_innodb.cc:8961
#10 0x0000564db920a613 in handler::ha_delete_row (this=0x7f7d90034780, buf=0x7f7d9008f828 "\375\a") at /data/src/10.4/sql/handler.cc:6785
#11 0x0000564db9326418 in mysql_delete (thd=thd@entry=0x7f7d90000c08, table_list=0x7f7d900100e8, conds=<optimized out>, order_list=order_list@entry=0x7f7d90005400, limit=18446744073709551601, options=<optimized out>, result=<optimized out>) at /data/src/10.4/sql/sql_delete.cc:804
#12 0x0000564db90111ff in mysql_execute_command (thd=0x7f7d90000c08) at /data/src/10.4/sql/sql_parse.cc:4722
#13 0x0000564db9017fd8 in mysql_parse (thd=thd@entry=0x7f7d90000c08, rawbuf=<optimized out>, length=14, parser_state=parser_state@entry=0x7f7de00e3190, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.4/sql/sql_parse.cc:7900
#14 0x0000564db901a2af in dispatch_command (command=COM_QUERY, thd=0x7f7d90000c08, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.4/sql/sql_class.h:1168
#15 0x0000564db901b9df in do_command (thd=0x7f7d90000c08) at /data/src/10.4/sql/sql_parse.cc:1359
#16 0x0000564db90ef8f4 in do_handle_one_connection (connect=connect@entry=0x564dbc773d68) at /data/src/10.4/sql/sql_connect.cc:1412
#17 0x0000564db90ef9e4 in handle_one_connection (arg=arg@entry=0x564dbc773d68) at /data/src/10.4/sql/sql_connect.cc:1316
#18 0x0000564db96492bf in pfs_spawn_thread (arg=0x564dbc783888) at /data/src/10.4/storage/perfschema/pfs.cc:1869
#19 0x00007f7de6191fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#20 0x00007f7de59e04cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment by Roel Van de Paar [ 2020-05-19 ]

Additional testcase

USE test;

CREATE TABLE t(i INT KEY,f INT) ENGINE=InnoDB;

INSERT INTO t VALUES (1,1);

ALTER TABLE t ADD COLUMN c1 BIGINT UNSIGNED AS ROW START INVISIBLE,

              ADD COLUMN c2 BIGINT UNSIGNED AS ROW END INVISIBLE,

              ADD PERIOD FOR SYSTEM_TIME(c1,c2),

              ADD SYSTEM VERSIONING;

START TRANSACTION WITH CONSISTENT SNAPSHOT;

INSERT INTO t VALUES (7,0),(6,0),(5,0),(4,0),(3,0),(2,0),(100,0);

DELETE FROM t;

INSERT INTO t VALUES (0,0);

DELETE FROM t;

Leads to:

10.5.4 69077dea25f6e7cab4ff8927e4429ad62af9de49
Core was generated by `/test/MD160520-mariadb-10.5.4-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x14b665402700 (LWP 120877))]
(gdb) bt
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1 0x000055e9bc152617 in my_write_core (sig=sig@entry=11) at /test/10.5_opt/mysys/stacktrace.c:518
#2 0x000055e9bbb150fa in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:329
#3 <signal handler called>
#4 row_upd_del_mark_clust_rec (mtr=0x14b6653fffa0, foreign=false, referenced=0, thr=0x14b6414f7ed0, offsets=0x14b6653ff4e0, index=0x14b641434b80, node=0x14b6414f7b80) at /test/10.5_opt/storage/innobase/row/row0upd.cc:2680
#5 row_upd_clust_step (node=node@entry=0x14b6414f7b80, thr=thr@entry=0x14b6414f7ed0) at /test/10.5_opt/storage/innobase/row/row0upd.cc:2866
#6 0x000055e9bbf367e7 in row_upd (thr=0x14b6414f7ed0, node=0x14b6414f7b80) at /test/10.5_opt/storage/innobase/row/row0upd.cc:2995
#7 row_upd_step (thr=thr@entry=0x14b6414f7ed0) at /test/10.5_opt/storage/innobase/row/row0upd.cc:3139
#8 0x000055e9bbf0a9a4 in row_update_for_mysql (prebuilt=0x14b6414f7080) at /test/10.5_opt/storage/innobase/row/row0mysql.cc:1888
#9 0x000055e9bbe3848c in ha_innobase::delete_row (this=0x14b64146b030, record=0x14b641458c38 <incomplete sequence \375>) at /test/10.5_opt/storage/innobase/handler/ha_innodb.cc:8629
#10 0x000055e9bbb2175f in handler::ha_delete_row (this=0x14b64146b030, buf=0x14b641458c38 <incomplete sequence \375>) at /test/10.5_opt/sql/handler.cc:7100
#11 0x000055e9bbc61422 in mysql_delete (thd=thd@entry=0x14b641412018, table_list=0x14b6414470f8, conds=<optimized out>, order_list=order_list@entry=0x14b641416908, limit=18446744073709551615, options=<optimized out>, result=0x0) at /test/10.5_opt/sql/sql_delete.cc:794
#12 0x000055e9bb920509 in mysql_execute_command (thd=thd@entry=0x14b641412018) at /test/10.5_opt/sql/sql_parse.cc:4749
#13 0x000055e9bb92682c in mysql_parse (thd=0x14b641412018, rawbuf=<optimized out>, length=13, parser_state=0x14b6654014b0, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_parse.cc:7957
#14 0x000055e9bb91be75 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14b641412018, packet=packet@entry=0x14b64143a019 "DELETE FROM t", packet_length=packet_length@entry=13, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:1839
#15 0x000055e9bb91a106 in do_command (thd=0x14b641412018) at /test/10.5_opt/sql/sql_parse.cc:1358
#16 0x000055e9bba0ebf1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x14b6630329b8, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1411
#17 0x000055e9bba0ef54 in handle_one_connection (arg=arg@entry=0x14b6630329b8) at /test/10.5_opt/sql/sql_connect.cc:1313
#18 0x000055e9bbd7a43a in pfs_spawn_thread (arg=0x14b66304b018) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
#19 0x000014b6648296db in start_thread (arg=0x14b665402700) at pthread_create.c:463
#20 0x000014b663c2788f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.23 (dbg), 10.3.23 (opt), 10.4.13 (dbg), 10.4.13 (opt), 10.5.2 (dbg), 10.5.2 (opt), 10.5.3 (dbg), 10.5.3 (opt), 10.5.4 (dbg), 10.5.4 (opt)

Bug confirmed not present in:
MariaDB: 10.1.45 (dbg), 10.1.45 (opt), 10.2.32 (dbg), 10.2.32 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Comment by Roel Van de Paar [ 2020-06-19 ]

USE test;

SET SQL_MODE='';

CREATE TABLE t (i INT PRIMARY KEY, f INT) ENGINE = InnoDB;

INSERT IGNORE INTO t VALUES (NULL,0),(NULL,0),(0,21),(4,0),(1,8),(5,66);

ALTER TABLE t ADD COLUMN trx_start BIGINT(20) UNSIGNED AS ROW START INVISIBLE, ADD COLUMN trx_end BIGINT(20) UNSIGNED AS ROW END INVISIBLE, ADD PERIOD FOR SYSTEM_TIME(trx_start, trx_end), ADD SYSTEM VERSIONING;

START TRANSACTION WITH CONSISTENT SNAPSHOT;

INSERT INTO t VALUES (5390,0),(8677,0),(9563,0),(3207,0),(5123,0),(700,0),(757,0);

DELETE FROM t;

# Last statement immediately crashes debug. Optimized builds requires mysqladmin shutdown and then crashes.

Leads to:

10.5.4 4080e3acefd7e58d88c2f3539fb6a0fb359cf057
mysqld: /test/10.5_dbg/storage/innobase/row/row0upd.cc:3186: void upd_node_t::make_versioned_helper(const trx_t*, ulint): Assertion `update->n_fields < ulint(table->n_cols + table->n_v_cols)' failed.

10.5.4 4080e3acefd7e58d88c2f3539fb6a0fb359cf057
Core was generated by `/test/MD150620-mariadb-10.5.4-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x1533dfc54700 (LWP 484216))]
(gdb) bt
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1 0x0000556543fae4c6 in my_write_core (sig=sig@entry=6) at /test/10.5_dbg/mysys/stacktrace.c:518
#2 0x0000556543750d60 in handle_fatal_signal (sig=6) at /test/10.5_dbg/sql/signal_handler.cc:330
#3 <signal handler called>
#4 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5 0x00001533e08c7801 in __GI_abort () at abort.c:79
#6 0x00001533e08b739a in __assert_fail_base (fmt=0x1533e0a3e7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55654440fd48 "update->n_fields < ulint(table->n_cols + table->n_v_cols)", file=file@entry=0x55654440f5d8 "/test/10.5_dbg/storage/innobase/row/row0upd.cc", line=line@entry=3186, function=function@entry=0x556544410140 <upd_node_t::make_versioned_helper(trx_t const, unsigned long)::__PRETTY_FUNCTION__> "void upd_node_t::make_versioned_helper(const trx_t, ulint)") at assert.c:92
#7 0x00001533e08b7412 in __GI___assert_fail (assertion=assertion@entry=0x55654440fd48 "update->n_fields < ulint(table->n_cols + table->n_v_cols)", file=file@entry=0x55654440f5d8 "/test/10.5_dbg/storage/innobase/row/row0upd.cc", line=line@entry=3186, function=function@entry=0x556544410140 <upd_node_t::make_versioned_helper(trx_t const, unsigned long)::__PRETTY_FUNCTION__> "void upd_node_t::make_versioned_helper(const trx_t, ulint)") at assert.c:101
#8 0x0000556543ce308f in upd_node_t::make_versioned_helper (this=this@entry=0x1533bfcfbbd8, trx=trx@entry=0x1533cd402390, idx=2) at /test/10.5_dbg/storage/innobase/row/row0upd.cc:3186
#9 0x0000556543c90ac2 in upd_node_t::make_versioned_update (trx=0x1533cd402390, this=0x1533bfcfbbd8) at /test/10.5_dbg/storage/innobase/include/row0upd.h:504
#10 row_update_for_mysql (prebuilt=0x1533bfcfb098) at /test/10.5_dbg/storage/innobase/row/row0mysql.cc:1878
#11 0x0000556543b1372a in ha_innobase::delete_row (this=0x1533bfc380a0, record=0x1533bfc584a8 "\375[%") at /test/10.5_dbg/storage/innobase/handler/ha_innodb.cc:8646
#12 0x0000556543765a1d in handler::ha_delete_row (this=0x1533bfc380a0, buf=0x1533bfc584a8 "\375[%") at /test/10.5_dbg/sql/handler.cc:7247
#13 0x000055654391831f in TABLE::delete_row (this=0x1533bfcfa088) at /test/10.5_dbg/sql/sql_delete.cc:277
#14 0x000055654391738c in mysql_delete (thd=thd@entry=0x1533bfc15088, table_list=0x1533bfc74168, conds=<optimized out>, order_list=order_list@entry=0x1533bfc19b40, limit=18446744073709551605, options=<optimized out>, result=<optimized out>) at /test/10.5_dbg/sql/sql_delete.cc:794
#15 0x00005565434a86c5 in mysql_execute_command (thd=thd@entry=0x1533bfc15088) at /test/10.5_dbg/sql/sql_parse.cc:4787
#16 0x00005565434b315c in mysql_parse (thd=thd@entry=0x1533bfc15088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1533dfc53350, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7993
#17 0x000055654349fc60 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1533bfc15088, packet=packet@entry=0x1533bfc67089 "DELETE FROM t", packet_length=packet_length@entry=13, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1874
#18 0x000055654349e43a in do_command (thd=0x1533bfc15088) at /test/10.5_dbg/sql/sql_parse.cc:1355
#19 0x00005565435f9c47 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x1533c1d7a808, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1411
#20 0x00005565435fa363 in handle_one_connection (arg=arg@entry=0x1533c1d7a808) at /test/10.5_dbg/sql/sql_connect.cc:1313
#21 0x0000556543a5b902 in pfs_spawn_thread (arg=0x1533df446c88) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#22 0x00001533e15aa6db in start_thread (arg=0x1533dfc54700) at pthread_create.c:463
#23 0x00001533e09a888f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.24 (dbg), 10.3.24 (opt), 10.4.14 (dbg), 10.4.14 (opt), 10.5.4 (dbg), 10.5.4 (opt)

Bug confirmed not present in:
MariaDB: 10.1.46 (dbg), 10.1.46 (opt), 10.2.33 (dbg), 10.2.33 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Comment by Roel Van de Paar [ 2020-06-19 ]

10.5.4 opt crash. Requires shutdown (mysqladmin shutdown) after testcase execution.

10.5.4 4080e3acefd7e58d88c2f3539fb6a0fb359cf057
2020-06-19 10:19:17 0 [Note] /test/MD150620-mariadb-10.5.4-linux-x86_64-opt/bin/mysqld: ready for connections.
Version: '10.5.4-MariaDB' socket: '/test/MD150620-mariadb-10.5.4-linux-x86_64-opt/socket.sock' port: 11311 MariaDB Server
2020-06-19 10:19:22 0 [Note] /test/MD150620-mariadb-10.5.4-linux-x86_64-opt/bin/mysqld (initiated by: root[root] @ localhost []): Normal shutdown
2020-06-19 10:19:22 0 [Note] Event Scheduler: Purging the queue. 0 events
2020-06-19 10:19:22 0 [Note] InnoDB: FTS optimize thread exiting.
2020-06-19 10:19:22 0x154023172840 InnoDB: Assertion failure in file /test/10.5_opt/storage/innobase/que/que0que.cc line 536
InnoDB: We intentionally generate a memory trap.
...
200619 10:19:22 [ERROR] mysqld got signal 6 ;

10.5.4 4080e3acefd7e58d88c2f3539fb6a0fb359cf057
Core was generated by `/test/MD150620-mariadb-10.5.4-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x154023172840 (LWP 640824))]
(gdb) bt
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1 0x000055b5607690b7 in my_write_core (sig=sig@entry=6) at /test/10.5_opt/mysys/stacktrace.c:518
#2 0x000055b560132e4a in handle_fatal_signal (sig=6) at /test/10.5_opt/sql/signal_handler.cc:330
#3 <signal handler called>
#4 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5 0x000015402134c801 in __GI_abort () at abort.c:79
#6 0x000055b55fe393a4 in ut_dbg_assertion_failed (expr=expr@entry=0x0,
file=file@entry=0x55b560a8b818 "/test/10.5_opt/storage/innobase/que/que0que.cc",
line=line@entry=536) at /test/10.5_opt/storage/innobase/ut/ut0dbg.cc:60
#7 0x000055b5604f1bfb in que_graph_free_recursive (node=<optimized out>)
at /test/10.5_opt/storage/innobase/que/que0que.cc:536
#8 0x000055b560527109 in row_prebuilt_free (prebuilt=0x15401fe96080, dict_locked=dict_locked@entry=0)
at /test/10.5_opt/storage/innobase/row/row0mysql.cc:1004
#9 0x000055b560447c0a in ha_innobase::close (this=0x15400ead5030)
at /test/10.5_opt/storage/innobase/handler/ha_innodb.cc:6188
#10 0x000055b55fff2309 in closefrm (table=table@entry=0x154005765c18)
at /test/10.5_opt/sql/table.cc:4288
#11 0x000055b5600b5ee1 in intern_close_table (table=0x154005765c18)
at /test/10.5_opt/sql/table_cache.cc:220
#12 tc_purge () at /test/10.5_opt/sql/table_cache.cc:312
#13 0x000055b55fed606e in purge_tables () at /test/10.5_opt/sql/sql_base.cc:327
#14 0x000055b5600b45a2 in tdc_start_shutdown () at /test/10.5_opt/sql/table_cache.cc:634
#15 0x000055b55fe721ee in clean_up (print_message=print_message@entry=true)
at /test/10.5_opt/sql/mysqld.cc:1980
#16 0x000055b55fe7df1a in clean_up (print_message=true)
at /test/10.5_opt/include/mysql/psi/mysql_thread.h:1137
#17 mysqld_main (argc=<optimized out>, argv=<optimized out>) at /test/10.5_opt/sql/mysqld.cc:5647
#18 0x000015402132db97 in __libc_start_main (main=0x55b55fe3f6c0 <main(int, char**)>, argc=10,
argv=0x7ffceba3c288, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7ffceba3c278) at ../csu/libc-start.c:310
#19 0x000055b55fe7103a in _start ()

Comment by Roel Van de Paar [ 2020-06-19 ]

4 Unique ID's seen so far

SIGABRT|ut_dbg_assertion_failed|que_graph_free_recursive|row_prebuilt_free|ha_innobase::close

SIGSEGV|row_upd_del_mark_clust_rec|row_upd_clust_step|row_upd|row_upd_step

update->n_fields < ulint(table->n_cols + table->n_v_cols)|SIGABRT|upd_node_t::make_versioned_helper|upd_node_t::make_versioned_update|row_update_for_mysql|ha_innobase::delete_row

SIGSEGV|wsrep_row_upd_index_is_foreign|row_upd_clust_step|row_upd|row_upd_step

Generated at Thu Feb 08 09:00:26 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.

[MDEV-20563] Server crash in row_upd_del_mark_clust_rec or in wsrep_row_upd_index_is_foreign or Assertion `update->n_fields < ulint(table->n_cols + table->n_v_cols)' failed upon DELETE from precise-versioned table Created: 2019-09-11 Updated: 2020-12-10 Resolved: 2020-12-10