[MDEV-22317] SIGSEGV in my_free/delete_dynamic in optimized builds (ARIA)

Created: 2020-04-21
Updated: 2020-09-02
Resolved: 2020-04-29

Status: Closed
Project: MariaDB Server
Component/s: Replication
Affects Version/s: 10.5.2, 10.5.3
Fix Version/s: 10.5.3

Type: Bug
Priority: Critical
Reporter: Roel Van de Paar
Assignee: Sujatha Sivakumar (Inactive)
Resolution: Fixed
Votes: 0
Labels: not-10.1, not-10.2, not-10.3, not-10.4, replicate_do_table, sprint-week-18

Issue Links:
Relates
relates to MDEV-22059 MSAN report at replicate_ignore_table... Closed

 Description   

USE test;
CREATE TABLE t(c int) ENGINE=Aria;
SET @@SESSION.default_master_connection='0';
CHANGE MASTER TO master_use_gtid=slave_pos;
SET @@GLOBAL.replicate_wild_ignore_table='';

Leads to:

10.5.3 181f17c3cd4366f58d9efbff9d7556bb49742ed4

Core was generated by `/test/MD180420-mariadb-10.5.3-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x7f31b996c700 (LWP 19532))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x000055e2e4266e87 in my_write_core (sig=sig@entry=11) at /test/10.5_opt/mysys/stacktrace.c:518
#2  0x000055e2e3c292ca in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:329
#3  <signal handler called>
#4  my_free (ptr=0x200000) at /test/10.5_opt/mysys/my_malloc.c:196
#5  0x000055e2e423cc3f in delete_dynamic (array=array@entry=0x7f318ac912c8) at /test/10.5_opt/mysys/array.c:305
#6  0x000055e2e397ff77 in Rpl_filter::set_wild_ignore_table (this=this@entry=0x7f318ac911c0, table_spec=table_spec@entry=0x7f318ac47208 "") at /test/10.5_opt/sql/rpl_filter.cc:441
#7  0x000055e2e3b3676b in Sys_var_rpl_filter::set_filter_value (this=this@entry=0x55e2e4ddb0a0 <Sys_replicate_wild_ignore_table>, value=0x7f318ac47208 "", mi=mi@entry=0x7f318ac98000) at /test/10.5_opt/sql/sys_vars.cc:5254
#8  0x000055e2e3b36813 in Sys_var_rpl_filter::global_update (this=0x55e2e4ddb0a0 <Sys_replicate_wild_ignore_table>, thd=<optimized out>, var=0x7f318ac471b8) at /test/10.5_opt/sql/sys_vars.cc:5221
#9  0x000055e2e398315f in sys_var::update (this=0x55e2e4ddb0a0 <Sys_replicate_wild_ignore_table>, thd=0x7f318ac12018, var=0x7f318ac471b8) at /test/10.5_opt/sql/set_var.cc:207
#10 0x000055e2e3983637 in set_var::update (this=<optimized out>, thd=<optimized out>) at /test/10.5_opt/sql/set_var.cc:859
#11 0x000055e2e3984949 in sql_set_variables (thd=thd@entry=0x7f318ac12018, var_list=var_list@entry=0x7f318ac16d70, free=free@entry=true) at /test/10.5_opt/sql/set_var.cc:746
#12 0x000055e2e3a354d1 in mysql_execute_command (thd=thd@entry=0x7f318ac12018) at /test/10.5_opt/sql/sql_parse.cc:4976
#13 0x000055e2e3a3ab9c in mysql_parse (thd=thd@entry=0x7f318ac12018, rawbuf=<optimized out>, length=43, parser_state=parser_state@entry=0x7f31b996b4d0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:7953
#14 0x000055e2e3a2fa10 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f318ac12018, packet=packet@entry=0x7f318ac3a019 "SET @@GLOBAL.replicate_wild_ignore_table=''", packet_length=packet_length@entry=43, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:1839
#15 0x000055e2e3a2dd2f in do_command (thd=0x7f318ac12018) at /test/10.5_opt/sql/sql_parse.cc:1358
#16 0x000055e2e3b22d7e in do_handle_one_connection (connect=<optimized out>, connect@entry=0x7f31b74329b8, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1422
#17 0x000055e2e3b22f24 in handle_one_connection (arg=arg@entry=0x7f31b74329b8) at /test/10.5_opt/sql/sql_connect.cc:1319
#18 0x000055e2e3e8f52a in pfs_spawn_thread (arg=0x7f31b744b018) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
#19 0x00007f31b8d936db in start_thread (arg=0x7f31b996c700) at pthread_create.c:463
#20 0x00007f31b819188f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.5.2 (opt), 10.5.3 (opt)

Bug confirmed not present in:
MariaDB: 10.1.45 (dbg), 10.1.45 (opt), 10.2.32 (dbg), 10.2.32 (opt), 10.3.23 (dbg), 10.3.23 (opt), 10.4.13 (dbg), 10.4.13 (opt), 10.5.2 (dbg), 10.5.3 (dbg)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)



 Comments   
Comment by Sujatha Sivakumar (Inactive) [ 2020-04-27 ]

The above test scenario along with valgrind provides the following details.

Problem exists for 'wild_do_table' and 'wild_ignore_table' options.

1. Wild_ignore_table:

==19870== Thread 16:
==19870== Conditional jump or move depends on uninitialised value(s)
==19870==    at 0x74F451: Rpl_filter::set_wild_ignore_table(char const*) (rpl_filter.cc:439)
==19870==    by 0x8F04DA: Sys_var_rpl_filter::set_filter_value(char const*, Master_info*) (sys_vars.cc:5254)
==19870==    by 0x8F0583: Sys_var_rpl_filter::global_update(THD*, set_var*) (sys_vars.cc:5221)
==19870==    by 0x752186: sys_var::update(THD*, set_var*) (set_var.cc:207)
==19870==    by 0x752646: set_var::update(THD*) (set_var.cc:859)
==19870==    by 0x7539C8: sql_set_variables(THD*, List<set_var_base>*, bool) (set_var.cc:746)
==19870==    by 0x7F7D68: mysql_execute_command(THD*) (sql_parse.cc:4976)
==19870==    by 0x7FEEDA: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7957)
==19870==    by 0x7F3F14: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1839)
==19870==    by 0x7F2332: do_command(THD*) (sql_parse.cc:1358)
==19870==    by 0x8DD26B: do_handle_one_connection(CONNECT*, bool) (sql_connect.cc:1422)
==19870==    by 0x8DD442: handle_one_connection (sql_connect.cc:1319)
==19870==    by 0xC0EC2D: pfs_spawn_thread (pfs.cc:2201)
==19870==    by 0x58D16DA: start_thread (pthread_create.c:463)
==19870==    by 0x67A488E: clone (clone.S:95)

2. wild_do_table:

==18765== Conditional jump or move depends on uninitialised value(s)
==18765==    at 0xF60390: delete_dynamic (array.c:304)
==18765==    by 0x74F3F2: Rpl_filter::set_wild_do_table(char const*) (rpl_filter.cc:421)
==18765==    by 0x8F04CA: Sys_var_rpl_filter::set_filter_value(char const*, Master_info*) (sys_vars.cc:5251)
==18765==    by 0x8F0593: Sys_var_rpl_filter::global_update(THD*, set_var*) (sys_vars.cc:5221)
==18765==    by 0x752196: sys_var::update(THD*, set_var*) (set_var.cc:207)
==18765==    by 0x752656: set_var::update(THD*) (set_var.cc:859)
==18765==    by 0x7539D8: sql_set_variables(THD*, List<set_var_base>*, bool) (set_var.cc:746)
==18765==    by 0x7F7D78: mysql_execute_command(THD*) (sql_parse.cc:4976)
==18765==    by 0x7FEEEA: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7957)
==18765==    by 0x7F3F24: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1839)
==18765==    by 0x7F2342: do_command(THD*) (sql_parse.cc:1358)
==18765==    by 0x8DD27B: do_handle_one_connection(CONNECT*, bool) (sql_connect.cc:1422)
==18765==    by 0x8DD452: handle_one_connection (sql_connect.cc:1319)
==18765==    by 0xC0EC3D: pfs_spawn_thread (pfs.cc:2201)
==18765==    by 0x58D16DA: start_thread (pthread_create.c:463)
==18765==    by 0x67A488E: clone (clone.S:95)
^ Found warnings in /home/sujatha/bug_repo/MDEV-22317-10.5/bld/mysql-test/var/log/mysqld.1.err
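
Added example, not part of the comment above and not MariaDB source: a small C model of the chain both traces point at, where a branch on array fields that were never written leads a delete routine to hand a non-heap pointer to the allocator. The struct layout, the meaning of the `wild_inited` flag and every function name are assumptions for illustration; the stale field values are constructed, with `0x200000` taken from frame #4 of the backtrace.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical lazily initialised array plus its guard flag (not MariaDB types). */
typedef struct { void *buffer; size_t elements; } dyn_array;
typedef struct { dyn_array wild; int wild_inited; } filter;

static void *live;     /* the one allocation this model owns, if any */
static int bad_frees;  /* attempts to free a pointer we never allocated */

/* Counts a foreign pointer instead of handing it to free() and crashing. */
static void checked_free(void *p) {
    if (p == live) { free(p); live = NULL; } else bad_frees++;
}

static void array_delete(dyn_array *a) {
    if (a->buffer) checked_free(a->buffer);
    a->buffer = NULL; a->elements = 0;
}

/* An empty spec adds no rule, so the array is never set up. */
static void parse_rules(filter *f, const char *spec) {
    if (!*spec) return;
    live = malloc(strlen(spec) + 1);
    if (!live) abort();
    strcpy(live, spec);
    f->wild.buffer = live;
    f->wild.elements = 1;
    f->wild_inited = 1;
}
/* Returns the number of bad frees for one SET-style update. */
int run_case(int guarded, const char *spec) {
    filter f;
    f.wild.buffer = (void *)0x200000; /* constructed stale value, cf. frame #4 */
    f.wild.elements = 0;              /* constructed: stale memory that reads as 0 */
    f.wild_inited = 0;                /* assumption: only the flag was initialised */
    live = NULL; bad_frees = 0;
    parse_rules(&f, spec);
    /* Unguarded form trusts unwritten fields; guarded form asks the flag first. */
    if ((!guarded || f.wild_inited) && !f.wild.elements) array_delete(&f.wild);
    if (f.wild_inited && f.wild.buffer) array_delete(&f.wild); /* normal teardown */
    return bad_frees;
}

int main(void) {
    printf("unguarded=%d guarded=%d\n", run_case(0, ""), run_case(1, ""));
    return 0;
}
```

In the model, only the empty specification reaches the bad free, because any non-empty value initialises the array before it is inspected.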

Comment by Sujatha Sivakumar (Inactive) [ 2020-04-27 ]

Hello Andrei,

Please review the fix for MDEV-22317.

https://github.com/MariaDB/server/commit/85b116d1ab9ea85dcef63d259b8f6366466e2750
BuildBot: http://buildbot.askmonty.org/buildbot/grid?category=main&branch=bb-10.5-sujatha

Thank you.

Comment by Andrei Elkin [ 2020-04-27 ]

One suggestion is done to address.

Comment by Andrei Elkin [ 2020-04-28 ]

Approved after mail exchange.
