[MDEV-22928] SUMMARY: AddressSanitizer: SEGV storage/innobase/include/dict0mem.h:1178 in dict_index_t::is_spatial() const Created: 2020-06-17  Updated: 2021-05-05  Resolved: 2021-04-27

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - InnoDB
Affects Version/s: 10.5.4, 10.2, 10.3, 10.4
Fix Version/s: 10.2.38, 10.3.29, 10.4.19, 10.5.10, 10.6.1

Type: Bug Priority: Major
Reporter: Matthias Leich Assignee: Thirunarayanan Balathandayuthapani
Resolution: Fixed Votes: 0
Labels: need_rr

Attachments: File 001032.log    
Issue Links:
Relates to: MDEV-17567 Atomic DDL (Closed)

 Description   

SEGV hit during RQG testing
 
Workflow of RQG test
1. Start the server + generate some data
2. Several connections run a DDL/DML mix on the same tables
3. At some point of time during 2. the server process gets killed
4. Restart of the server
5. Try to check the integrity of InnoDB tables
Within 5. some
      SHOW KEYS FROM `test`.`t3`
harvested
      2013: Lost connection to MySQL server
and the server error log shows
SUMMARY: AddressSanitizer: SEGV /storage/innobase/include/dict0mem.h:1178 in dict_index_t::is_spatial() const
Thread T33 created by T0 here:
    #0 0x131f70338d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x560720863ff6 in my_thread_create /storage/perfschema/my_thread.h:34
    #2 0x560720869693 in pfs_spawn_thread_v1 /storage/perfschema/pfs.cc:2252
    #3 0x56071f48814c in inline_mysql_thread_create /include/mysql/psi/mysql_thread.h:1321
    #4 0x56071f49d5e9 in create_thread_to_handle_connection(CONNECT*) /sql/mysqld.cc:5951
    #5 0x56071f49dc4a in create_new_thread(CONNECT*) /sql/mysqld.cc:6010
    #6 0x56071f49df70 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /sql/mysqld.cc:6075
    #7 0x56071f49ea8d in handle_connections_sockets() /sql/mysqld.cc:6202
    #8 0x56071f49ce47 in mysqld_main(int, char**) /sql/mysqld.cc:5620
    #9 0x56071f486879 in main /sql/main.cc:25
    #10 0x7f3a327f6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
 
==8558==ABORTING
 
origin/HEAD, origin/10.5, 10.5 bd62a636a42f1486437cbed21198315f44d9e7b6 2020-06-14T18:40:07+09:00
Per Thiru all MariaDB versions >= 10.2 are affected.
 
RQG
git clone https://github.com/mleich1/rqg --branch experimental RQG
origin/experimental 611a31e38a3bc157392c0748c95991b6a248bb3b 2020-06-09T15:31:46+02:00
 
perl rqg.pl \
--grammar=conf/mariadb/table_stress_innodb_nocopy.yy \
--gendata=conf/mariadb/table_stress.zz \
--gendata_sql=conf/mariadb/table_stress.sql \
--reporters=CrashRecovery1 \
--mysqld=--innodb_use_native_aio=1 \
--mysqld=--innodb_stats_persistent=off \
--mysqld=--innodb_lock_schedule_algorithm=fcfs \
--mysqld=--loose-idle_write_transaction_timeout=0 \
--mysqld=--loose-idle_transaction_timeout=0 \
--mysqld=--loose-idle_readonly_transaction_timeout=0 \
--mysqld=--connect_timeout=60 \
--mysqld=--interactive_timeout=28800 \
--mysqld=--slave_net_timeout=60 \
--mysqld=--net_read_timeout=30 \
--mysqld=--net_write_timeout=60 \
--mysqld=--loose-table_lock_wait_timeout=50 \
--mysqld=--wait_timeout=28800 \
--mysqld=--lock-wait-timeout=86400 \
--mysqld=--innodb-lock-wait-timeout=50 \
--no-mask \
--queries=10000000 \
--duration=300 \
--seed=random \
--reporters=Backtrace \
--reporters=ErrorLog \
--reporters=Deadlock1 \
--validators=None \
--mysqld=--log_output=none \
--mysqld=--log-bin \
--mysqld=--log_bin_trust_function_creators=1 \
--mysqld=--loose-max-statement-time=30 \
--mysqld=--loose-debug_assert_on_not_freed_memory=0 \
--engine=InnoDB \
--restart_timeout=60 \
--threads=9 \
--redefine=conf/mariadb/redefine_ment-601.yy \
... certain local settings
 Comments   
Comment by Marko Mäkelä [ 2020-07-16 ]

mleich, sorry, the rr replay trace is not available any more. Can you please generate a new one?

001032.log contains the following stack trace for the crash, which occurs because a member function is being invoked on a this=nullptr:

10.5 bd62a636a42f1486437cbed21198315f44d9e7b6

dict_index_t::is_spatial() const /home/mleich/10.5_A/storage/innobase/include/dict0mem.h:1178
ha_innobase::index_type(unsigned int) /home/mleich/10.5_A/storage/innobase/handler/ha_innodb.cc:4931
get_schema_stat_record /home/mleich/10.5_A/sql/sql_show.cc:6664
fill_schema_table_by_open /home/mleich/10.5_A/sql/sql_show.cc:4635
get_all_tables(THD*, TABLE_LIST*, Item*) /home/mleich/10.5_A/sql/sql_show.cc:5125
get_schema_tables_result(JOIN*, enum_schema_table_state) /home/mleich/10.5_A/sql/sql_show.cc:8673
JOIN::exec_inner() /home/mleich/10.5_A/sql/sql_select.cc:4401
JOIN::exec() /home/mleich/10.5_A/sql/sql_select.cc:4225

Possibly this happens due to us not having crash-safe DDL operations with respect to .frm files (to be fixed in MDEV-17567).

Comment by Marko Mäkelä [ 2021-04-27 ]

The fix looks OK to me. But, I do not like DBUG_SUICIDE in tests, because that at least used to make ./mtr --valgrind hang.

I prefer to halt the server from a non-default connection and then kill and restart the server. A simple example of that is in mysql-test/suite/innodb/t/rename_table_debug.test.

We seem to lack a DEBUG_SYNC point after the commit. I would suggest the following:

diff --git a/sql/sql_table.cc b/sql/sql_table.cc
index 07762e64259..2b26af6e9ba 100644
--- a/sql/sql_table.cc
+++ b/sql/sql_table.cc
@@ -7537,6 +7537,7 @@ static bool mysql_inplace_alter_table(THD *thd,
     goto rollback;
   }
 
+  DEBUG_SYNC(thd, "alter_table_inplace_after_commit");
   close_all_tables_for_name(thd, table->s,
                             alter_ctx->is_table_renamed() ?
                             HA_EXTRA_PREPARE_FOR_RENAME :
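Review bot: the shown context begins at the `goto rollback; }` error path, so the commit that the name alter_table_inplace_after_commit refers to is outside the hunk; please confirm that the point really lands after the storage engine commit (and after any transaction commit) rather than merely after the error check, since a test that kills the server while parked here only models the "engine committed, table definition not yet swapped" window if that is true. The hunk adds the point but no test or comment that uses it; add a one-line comment stating that it exists for kill-and-restart tests, and add the test that waits on it from a non-default connection (`SET DEBUG_SYNC='alter_table_inplace_after_commit SIGNAL ... WAIT_FOR ...'`), following the pattern of mysql-test/suite/innodb/t/rename_table_debug.test mentioned above, so that the name is exercised in the same change that introduces it.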

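The kill-and-restart test pattern described in the comment above, written out as an mtr test file. This is an added illustration, not a test from this issue or from the MariaDB tree; it assumes a debug build (DEBUG_SYNC is compiled out otherwise), that the proposed sync point alter_table_inplace_after_commit exists in sql_table.cc, and it uses a made-up file name, table t1 and ADD INDEX statement of its own.

```sql
# Hypothetical mysql-test/suite/innodb/t/alter_inplace_crash_debug.test
# (added example, not part of this issue or of MariaDB). Assumes a debug
# build and the DEBUG_SYNC point alter_table_inplace_after_commit.
--source include/have_innodb.inc
--source include/have_debug.inc
--source include/have_debug_sync.inc
--source include/not_embedded.inc

CREATE TABLE t1 (a INT PRIMARY KEY, b INT) ENGINE=InnoDB;
INSERT INTO t1 VALUES (1,1),(2,2);

# Run the DDL from a non-default connection and park it right after the
# storage engine has committed the inplace ALTER, before the table
# definition is closed and swapped.
--connect (con1,localhost,root,,test)
SET DEBUG_SYNC='alter_table_inplace_after_commit SIGNAL committed WAIT_FOR ever';
--send ALTER TABLE t1 ADD INDEX(b), ALGORITHM=INPLACE

--connection default
SET DEBUG_SYNC='now WAIT_FOR committed';

# Kill the server without a clean shutdown while con1 is parked, then
# restart it; this replaces DBUG_SUICIDE, which the comment above advises
# against because of ./mtr --valgrind.
--let $shutdown_timeout=0
--source include/restart_mysqld.inc
--disconnect con1

# After crash recovery the table must be consistent. SHOW KEYS is the
# statement that crashed in this issue (ha_innobase::index_type on a
# missing dict_index_t), so it is the first check after restart.
SHOW KEYS FROM t1;
CHECK TABLE t1;
SELECT * FROM t1;
DROP TABLE t1;
```

The expected result file would contain the SHOW KEYS, CHECK TABLE and SELECT output for whichever of the two states (index present or absent) crash recovery leaves the table in; what the test guards against is the server dying on SHOW KEYS, not a particular outcome of the ALTER.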
Generated at Thu Feb 08 09:18:32 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.