[MDEV-22284] Aria table key read crash because wrong index used Created: 2020-04-18  Updated: 2021-11-08  Resolved: 2021-11-02

Status: Closed
Project: MariaDB Server
Component/s: Partitioning, Storage Engine - Aria
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6
Fix Version/s: 10.2.42, 10.3.33, 10.4.23, 10.5.14, 10.6.6

Type: Bug Priority: Critical
Reporter: Elena Stepanova Assignee: Aleksey Midenkov
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-21085 Error 175 "File too short; Expected m... Open

 Description   

Server crashes in _ma_keylength_part or Assertion `info->last_key.keyinfo == key->keyinfo' failed in _ma_search_no_save

Note: I'm not sure it's related to versioning, but I couldn't modify the test case to avoid it.

--source include/have_partition.inc
 
# MDEV-22284 reproducer: REPLACE into a partitioned Aria table crashes inside
# the Aria key lookup (maria_rkey -> _ma_keylength_part on the non-debug
# build, assertion in _ma_search_no_save on the debug build; see the
# backtraces below). Fixed in 10.2.42, 10.3.33, 10.4.23, 10.5.14, 10.6.6.
# The partitioning include is required: the crashing call path runs through
# ha_partition::index_read_idx_map.
# PRIMARY KEY (b) and UNIQUE(b) index the same column on purpose; the PK is
# dropped again below, leaving UNIQUE(b) and KEY(c,a).
CREATE TABLE t1 (
    a INT NOT NULL AUTO_INCREMENT,
    b INT,
    c CHAR,
    PRIMARY KEY (b),
    UNIQUE(b),
    KEY(c,a)
) ENGINE=Aria WITH SYSTEM VERSIONING
 PARTITION BY SYSTEM_TIME INTERVAL 1 HOUR (
    PARTITION p1 HISTORY,
    PARTITION pn CURRENT
);
# Dropping the PK after creation is presumably part of the trigger; the
# reporter could not remove the versioning clause without losing the
# reproduction.
ALTER TABLE t1 DROP PRIMARY KEY;
# All three rows share b=0, so REPLACE must look up the existing row by the
# unique key (write_record -> ha_index_read_idx_map with HA_READ_KEY_EXACT in
# the backtraces); that lookup is where the server dies.
REPLACE INTO t1 VALUES (1,0,''),(2,0,''),(0,0,'');
 
# Cleanup
DROP TABLE t1;

10.4 non-debug ba679ae52

#3  <signal handler called>
#4  0x000055850e58c7d9 in _ma_keylength_part (keyinfo=keyinfo@entry=0x7f6cb008eca0, key=0x7f6cb01993db <error: Cannot access memory at address 0x7f6cb01993db>, end=0x7f6cb008eda0) at /data/src/10.4/storage/maria/ma_search.c:1626
#5  0x000055850e58996c in maria_rkey (info=0x7f6cb00346a8, buf=buf@entry=0x7f6cb011dfc0 "\375\002", inx=inx@entry=0, key_data=<optimized out>, keypart_map=<optimized out>, search_flag=HA_READ_KEY_EXACT) at /data/src/10.4/storage/maria/ma_rkey.c:200
#6  0x000055850e55f2f4 in ha_maria::index_read_idx_map (this=0x7f6cb00c61a0, buf=0x7f6cb011dfc0 "\375\002", index=0, key=<optimized out>, keypart_map=<optimized out>, find_flag=<optimized out>) at /data/src/10.4/storage/maria/ha_maria.cc:2377
#7  0x000055850e1e8c9a in handler::ha_index_read_idx_map (this=0x7f6cb00c61a0, buf=buf@entry=0x7f6cb011dfc0 "\375\002", index=index@entry=0, key=key@entry=0x7f6cc2b72720 "", keypart_map=keypart_map@entry=3, find_flag=find_flag@entry=HA_READ_KEY_EXACT) at /data/src/10.4/sql/handler.cc:2914
#8  0x000055850e641565 in ha_partition::index_read_idx_map (find_flag=HA_READ_KEY_EXACT, keypart_map=3, key=0x7f6cc2b72720 "", index=0, buf=0x7f6cb011dfc0 "\375\002", this=0x7f6cb011c910) at /data/src/10.4/sql/ha_partition.cc:5838
#9  ha_partition::index_read_idx_map (this=0x7f6cb011c910, buf=0x7f6cb011dfc0 "\375\002", index=0, key=0x7f6cc2b72720 "", keypart_map=3, find_flag=<optimized out>) at /data/src/10.4/sql/ha_partition.cc:5810
#10 0x000055850e1e8bed in handler::ha_index_read_idx_map (this=0x7f6cb011c910, buf=0x7f6cb011dfc0 "\375\002", index=index@entry=0, key=key@entry=0x7f6cc2b72720 "", keypart_map=3, find_flag=find_flag@entry=HA_READ_KEY_EXACT) at /data/src/10.4/sql/handler.cc:2914
#11 0x000055850dfc37a8 in write_record (thd=thd@entry=0x7f6cb0000c08, table=table@entry=0x7f6cb00c4c28, info=info@entry=0x7f6cc2b728b0) at /data/src/10.4/sql/sql_insert.cc:1806
#12 0x000055850dfc9896 in mysql_insert (thd=thd@entry=0x7f6cb0000c08, table_list=<optimized out>, fields=..., values_list=..., update_fields=..., update_values=..., duplic=<optimized out>, ignore=<optimized out>) at /data/src/10.4/sql/sql_insert.cc:1078
#13 0x000055850dff535a in mysql_execute_command (thd=0x7f6cb0000c08) at /data/src/10.4/sql/sql_parse.cc:4528
#14 0x000055850dffbfd8 in mysql_parse (thd=thd@entry=0x7f6cb0000c08, rawbuf=<optimized out>, length=49, parser_state=parser_state@entry=0x7f6cc2b75190, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.4/sql/sql_parse.cc:7900
#15 0x000055850dffe2af in dispatch_command (command=COM_QUERY, thd=0x7f6cb0000c08, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.4/sql/sql_class.h:1168
#16 0x000055850dfff9df in do_command (thd=0x7f6cb0000c08) at /data/src/10.4/sql/sql_parse.cc:1359
#17 0x000055850e0d38f4 in do_handle_one_connection (connect=connect@entry=0x558510515188) at /data/src/10.4/sql/sql_connect.cc:1412
#18 0x000055850e0d39e4 in handle_one_connection (arg=arg@entry=0x558510515188) at /data/src/10.4/sql/sql_connect.cc:1316
#19 0x000055850e62d2bf in pfs_spawn_thread (arg=0x558510524cd8) at /data/src/10.4/storage/perfschema/pfs.cc:1869
#20 0x00007f6cc941afa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#21 0x00007f6cc8c694cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x7f6cb0010020): REPLACE INTO t1 VALUES (1,0,''),(2,0,''),(0,0,'')
Connection ID (thread ID): 4
Status: NOT_KILLED

10.3 debug 6577a7a8

mysqld: /data/src/10.3/storage/maria/ma_search.c:130: _ma_search_no_save: Assertion `info->last_key.keyinfo == key->keyinfo' failed.
200418  3:18:51 [ERROR] mysqld got signal 6 ;
 
#7  0x00007f4c736b8102 in __GI___assert_fail (assertion=0x55f97e383f20 "info->last_key.keyinfo == key->keyinfo", file=0x55f97e383da0 "/data/src/10.3/storage/maria/ma_search.c", line=130, function=0x55f97e384e40 <__PRETTY_FUNCTION__.18407> "_ma_search_no_save") at assert.c:101
#8  0x000055f97d545200 in _ma_search_no_save (info=0x629000168270, key=0x7f4c69525d10, nextflag=1, pos=8192, res_page_link=0x7f4c69525b60, res_page_buff=0x7f4c69525ba0) at /data/src/10.3/storage/maria/ma_search.c:130
#9  0x000055f97d544a8d in _ma_search (info=0x629000168270, key=0x7f4c69525d10, nextflag=1, pos=8192) at /data/src/10.3/storage/maria/ma_search.c:77
#10 0x000055f97d54072a in maria_rkey (info=0x629000168270, buf=0x619000092a60 "\375\002", inx=0, key_data=0x7f4c69526200 "", keypart_map=3, search_flag=HA_READ_KEY_EXACT) at /data/src/10.3/storage/maria/ma_rkey.c:104
#11 0x000055f97d479dc2 in ha_maria::index_read_idx_map (this=0x61d000218510, buf=0x619000092a60 "\375\002", index=0, key=0x7f4c69526200 "", keypart_map=3, find_flag=HA_READ_KEY_EXACT) at /data/src/10.3/storage/maria/ha_maria.cc:2298
#12 0x000055f97c4e3bba in handler::ha_index_read_idx_map (this=0x61d000218510, buf=0x619000092a60 "\375\002", index=0, key=0x7f4c69526200 "", keypart_map=3, find_flag=HA_READ_KEY_EXACT) at /data/src/10.3/sql/handler.cc:2932
#13 0x000055f97d8c1d32 in ha_partition::index_read_idx_map (this=0x61d000217110, buf=0x619000092a60 "\375\002", index=0, key=0x7f4c69526200 "", keypart_map=3, find_flag=HA_READ_KEY_EXACT) at /data/src/10.3/sql/ha_partition.cc:5805
#14 0x000055f97c4e3aa3 in handler::ha_index_read_idx_map (this=0x61d000217110, buf=0x619000092a60 "\375\002", index=0, key=0x7f4c69526200 "", keypart_map=3, find_flag=HA_READ_KEY_EXACT) at /data/src/10.3/sql/handler.cc:2932
#15 0x000055f97bc97075 in write_record (thd=0x62a000060270, table=0x61f000056af0, info=0x7f4c69526810) at /data/src/10.3/sql/sql_insert.cc:1784
#16 0x000055f97bc90e4b in mysql_insert (thd=0x62a000060270, table_list=0x62b0000003d0, fields=..., values_list=..., update_fields=..., update_values=..., duplic=DUP_REPLACE, ignore=false) at /data/src/10.3/sql/sql_insert.cc:1072
#17 0x000055f97bd3c3f1 in mysql_execute_command (thd=0x62a000060270) at /data/src/10.3/sql/sql_parse.cc:4454
#18 0x000055f97bd54c47 in mysql_parse (thd=0x62a000060270, rawbuf=0x62b000000290 "REPLACE INTO t1 VALUES (1,0,''),(2,0,''),(0,0,'')", length=49, parser_state=0x7f4c695289a0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7817
#19 0x000055f97bd2b827 in dispatch_command (command=COM_QUERY, thd=0x62a000060270, packet=0x6290000e6271 "REPLACE INTO t1 VALUES (1,0,''),(2,0,''),(0,0,'')", packet_length=49, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1855
#20 0x000055f97bd27fc7 in do_command (thd=0x62a000060270) at /data/src/10.3/sql/sql_parse.cc:1401
#21 0x000055f97c11126c in do_handle_one_connection (connect=0x611000005830) at /data/src/10.3/sql/sql_connect.cc:1403
#22 0x000055f97c110b24 in handle_one_connection (arg=0x611000005830) at /data/src/10.3/sql/sql_connect.cc:1308
#23 0x000055f97d85c8cf in pfs_spawn_thread (arg=0x61600000cff0) at /data/src/10.3/storage/perfschema/pfs.cc:1869
#24 0x00007f4c73f32fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#25 0x00007f4c737814cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Reproducible on 10.3-10.5.
The test case is not applicable to 10.2 due to versioning.



 Comments   
Comment by Elena Stepanova [ 2020-05-29 ]

Here is a similar test case which, in addition to the failures above, can also produce the ones below on non-debug builds.

--source include/have_partition.inc
  
# Second MDEV-22284 reproducer (Elena Stepanova, 2020-05-29). Besides the
# failures of the first test case it also produces, on non-debug builds, a
# memcpy from a NULL source in _ma_search_no_save, an ASAN SEGV in
# _ma_row_pos_from_key, and a spurious "1032: Can't find record in 't1'"
# (see the output below).
# Two unique keys again: UNIQUE(a,id) including the AUTO_INCREMENT column and
# UNIQUE(b) on a column with a constant DEFAULT.
CREATE TABLE t1 (
    a VARCHAR(128),
    b DATETIME DEFAULT '1900-01-01 00:00:00',
    id INT AUTO_INCREMENT,
    UNIQUE(a,id),
    UNIQUE(b)
) ENGINE=Aria WITH SYSTEM VERSIONING
PARTITION BY system_time INTERVAL 1 DAY (PARTITION p1 HISTORY, PARTITION pn CURRENT);
 
# Every row takes the same default for b, so from the second row on REPLACE
# must find the existing row through a unique key (the backtraces show the
# lookup on index=1, presumably UNIQUE(b)); the crash is in that lookup.
REPLACE INTO t1 () VALUES (),(),(),();
 
# Cleanup
DROP TABLE t1;

10.3-e fe4e3027 non-debug

#3  <signal handler called>
#4  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:325
#5  0x00005648107b0b97 in memcpy (__len=<optimized out>, __src=0x0, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:53
#6  _ma_search_no_save (info=info@entry=0x7fdde00b1638, key=key@entry=0x7fddfc507130, nextflag=nextflag@entry=1, pos=16384, res_page_link=0x0, res_page_link@entry=0x7fddfc5070a0, res_page_buff=0x0, res_page_buff@entry=0x7fddfc5070a8) at /data/src/10.3-enterprise/storage/maria/ma_search.c:230
#7  0x00005648107b0ffc in _ma_search (info=info@entry=0x7fdde00b1638, key=key@entry=0x7fddfc507130, nextflag=nextflag@entry=1, pos=<optimized out>) at /data/src/10.3-enterprise/storage/maria/ma_search.c:77
#8  0x00005648107ae9fa in maria_rkey (info=0x7fdde00b1638, buf=buf@entry=0x7fdde0063e30 "\375", inx=inx@entry=1, key_data=<optimized out>, keypart_map=<optimized out>, search_flag=HA_READ_KEY_EXACT) at /data/src/10.3-enterprise/storage/maria/ma_rkey.c:104
#9  0x000056481077b7e2 in ha_maria::index_read_idx_map (this=0x7fdde0066c10, buf=0x7fdde0063e30 "\375", index=1, key=<optimized out>, keypart_map=<optimized out>, find_flag=<optimized out>) at /data/src/10.3-enterprise/storage/maria/ha_maria.cc:2308
#10 0x0000564810379d6b in handler::ha_index_read_idx_map (this=0x7fdde0066c10, buf=buf@entry=0x7fdde0063e30 "\375", index=index@entry=1, key=key@entry=0x7fddfc5073a0 "", keypart_map=keypart_map@entry=3, find_flag=find_flag@entry=HA_READ_KEY_EXACT) at /data/src/10.3-enterprise/sql/handler.cc:3005
#11 0x0000564810897270 in ha_partition::index_read_idx_map (this=0x7fdde0073e80, buf=0x7fdde0063e30 "\375", index=1, key=0x7fddfc5073a0 "", keypart_map=3, find_flag=<optimized out>) at /data/src/10.3-enterprise/sql/ha_partition.cc:5816
#12 0x0000564810379cbe in handler::ha_index_read_idx_map (this=0x7fdde0073e80, buf=0x7fdde0063e30 "\375", index=index@entry=1, key=key@entry=0x7fddfc5073a0 "", keypart_map=3, find_flag=find_flag@entry=HA_READ_KEY_EXACT) at /data/src/10.3-enterprise/sql/handler.cc:3005
#13 0x0000564810157f6b in write_record (thd=thd@entry=0x7fdde00009a8, table=table@entry=0x7fdde0072a78, info=info@entry=0x7fddfc5075d0) at /data/src/10.3-enterprise/sql/sql_insert.cc:1784
#14 0x000056481015f2f7 in mysql_insert (thd=thd@entry=0x7fdde00009a8, table_list=<optimized out>, fields=..., values_list=..., update_fields=..., update_values=..., duplic=<optimized out>, ignore=<optimized out>) at /data/src/10.3-enterprise/sql/sql_insert.cc:1072
#15 0x000056481018907d in mysql_execute_command (thd=thd@entry=0x7fdde00009a8) at /data/src/10.3-enterprise/sql/sql_parse.cc:4465
#16 0x000056481018d60a in mysql_parse (thd=thd@entry=0x7fdde00009a8, rawbuf=<optimized out>, length=37, parser_state=parser_state@entry=0x7fddfc5095f0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.3-enterprise/sql/sql_parse.cc:7855
#17 0x000056481018f222 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7fdde00009a8, packet=packet@entry=0x7fdde00071f9 "REPLACE INTO t1 () VALUES (),(),(),()", packet_length=packet_length@entry=37, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.3-enterprise/sql/sql_parse.cc:1857
#18 0x0000564810190c8e in do_command (thd=0x7fdde00009a8) at /data/src/10.3-enterprise/sql/sql_parse.cc:1403
#19 0x0000564810269a22 in do_handle_one_connection (connect=connect@entry=0x5648130257b8) at /data/src/10.3-enterprise/sql/sql_connect.cc:1403
#20 0x0000564810269b7d in handle_one_connection (arg=arg@entry=0x5648130257b8) at /data/src/10.3-enterprise/sql/sql_connect.cc:1308
#21 0x0000564810882421 in pfs_spawn_thread (arg=0x564813025818) at /data/src/10.3-enterprise/storage/perfschema/pfs.cc:1869
#22 0x00007fde0b7044a4 in start_thread (arg=0x7fddfc50a700) at pthread_create.c:456
#23 0x00007fde09a40d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

10.3e fe4e3027 non-debug

ASAN:DEADLYSIGNAL
=================================================================
==27948==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55b0cf706c1c bp 0x7fdb74f7d120 sp 0x7fdb74f7ce80 T5)
    #0 0x55b0cf706c1b in _ma_row_pos_from_key /data/src/10.3-enterprise/storage/maria/ma_search.c:782
    #1 0x55b0cf707987 in _ma_search_no_save /data/src/10.3-enterprise/storage/maria/ma_search.c:234
    #2 0x55b0cf708513 in _ma_search /data/src/10.3-enterprise/storage/maria/ma_search.c:77
    #3 0x55b0cf701afe in maria_rkey /data/src/10.3-enterprise/storage/maria/ma_rkey.c:104
    #4 0x55b0cf6908df in ha_maria::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /data/src/10.3-enterprise/storage/maria/ha_maria.cc:2308
    #5 0x55b0cec14743 in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /data/src/10.3-enterprise/sql/handler.cc:3005
    #6 0x55b0cf9543b7 in ha_partition::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /data/src/10.3-enterprise/sql/ha_partition.cc:5816
    #7 0x55b0cec1453c in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /data/src/10.3-enterprise/sql/handler.cc:3005
    #8 0x55b0ce64f351 in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.3-enterprise/sql/sql_insert.cc:1784
    #9 0x55b0ce671047 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3-enterprise/sql/sql_insert.cc:1072
    #10 0x55b0ce6e7cfd in mysql_execute_command(THD*) /data/src/10.3-enterprise/sql/sql_parse.cc:4465
    #11 0x55b0ce6f81c2 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3-enterprise/sql/sql_parse.cc:7855
    #12 0x55b0ce6fc3ba in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3-enterprise/sql/sql_parse.cc:1857
    #13 0x55b0ce700499 in do_command(THD*) /data/src/10.3-enterprise/sql/sql_parse.cc:1403
    #14 0x55b0ce95f67f in do_handle_one_connection(CONNECT*) /data/src/10.3-enterprise/sql/sql_connect.cc:1403
    #15 0x55b0ce95faaa in handle_one_connection /data/src/10.3-enterprise/sql/sql_connect.cc:1308
    #16 0x55b0cf9137e3 in pfs_spawn_thread /data/src/10.3-enterprise/storage/perfschema/pfs.cc:1869
    #17 0x7fdb87ae04a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
    #18 0x7fdb855d8d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
 
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /data/src/10.3-enterprise/storage/maria/ma_search.c:782 in _ma_row_pos_from_key
Thread T5 created by T0 here:
    #0 0x7fdb87d26f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x55b0cf91ba62 in spawn_thread_v1 /data/src/10.3-enterprise/storage/perfschema/pfs.cc:1919
 
==27948==ABORTING

10.3 19da9a51 non-debug

mysqltest: At line 12: query 'REPLACE INTO t1 () VALUES (),(),(),()' failed: 1032: Can't find record in 't1'

Comment by Aleksey Midenkov [ 2021-10-17 ]

Reproducible without System Versioning:

--source include/have_partition.inc
 
# Minimal MDEV-22284 reproducer (Aleksey Midenkov, 2021-10-17): no system
# versioning needed. What remains is a partitioned Aria table with a
# non-unique key whose first column is not the AUTO_INCREMENT one
# (key(c, a)) plus a unique key on another column (unique(b)).
create table t1 (
    a int auto_increment,
    b int, c int,
    key(c, a), unique(b)
) engine aria
partition by hash (b);
 
# All rows have b = 0, so for the second and third row REPLACE has to locate
# the existing row through unique(b); this is the same duplicate-key lookup
# that crashed in the earlier test cases.
replace into t1 values (1, 0, 0), (2, 0, 0), (0, 0, 0);
 
# cleanup
drop table t1;

Comment by Aleksey Midenkov [ 2021-10-17 ]

Please review bb-10.2-midenok2

Comment by Oleksandr Byelkin [ 2021-10-26 ]

OK to push
