[MDEV-23222] MDEV-23222 SIGSEG in maria_create() because of double free Created: 2020-07-20  Updated: 2021-10-22  Resolved: 2020-10-29

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - Aria
Affects Version/s: 10.1, 10.2, 10.3, 10.4, 10.5
Fix Version/s: 10.3.26, 10.4.16, 10.5.7

Type: Bug Priority: Critical
Reporter: Roel Van de Paar Assignee: Michael Widenius
Resolution: Fixed Votes: 1
Labels: None

Issue Links:
Relates
relates to MDEV-16826 [draft]different crashes Open
relates to MDEV-18496 Crashes, asserts, errors and hangs wh... Closed
relates to MDEV-26887 Assertion `(longlong) thd->status_var... Confirmed

 Description   

USE test;
CREATE TABLE t1 (a INT); 
INSERT INTO t1 VALUES (1);
CREATE TABLE t2 (i INT) DATA DIRECTORY = '/tmp', ENGINE=Aria;
CREATE TABLE t2 (i INT) DATA DIRECTORY = '/tmp', ENGINE=Aria;

Leads to:

10.5.5 30e7a0a866dce530d8328c6d614e48d39a264f9b (Debug)

mysqld: /test/10.5_dbg/sql/mysqld.cc:3518: void my_malloc_size_cb_func(long long int, my_bool): Assertion `(longlong) thd->status_var.local_memory_used >= 0 || !debug_assert_on_not_freed_memory' failed.

10.5.5 30e7a0a866dce530d8328c6d614e48d39a264f9b (Debug)

Core was generated by `/test/MD140720-mariadb-10.5.5-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x1489a2f4c700 (LWP 64544))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x000056228f57e4d7 in my_write_core (sig=sig@entry=6) at /test/10.5_dbg/mysys/stacktrace.c:518
#2  0x000056228ed389ba in handle_fatal_signal (sig=6) at /test/10.5_dbg/sql/signal_handler.cc:330
#3  <signal handler called>
#4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5  0x00001489a11e28b1 in __GI_abort () at abort.c:79
#6  0x00001489a11d242a in __assert_fail_base (fmt=0x1489a1359a38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x56228f6cde28 "(longlong) thd->status_var.local_memory_used >= 0 || !debug_assert_on_not_freed_memory", file=file@entry=0x56228f6ca004 "/test/10.5_dbg/sql/mysqld.cc", line=line@entry=3518, function=function@entry=0x56228f6d4020 <my_malloc_size_cb_func::__PRETTY_FUNCTION__> "void my_malloc_size_cb_func(long long int, my_bool)") at assert.c:92
#7  0x00001489a11d24a2 in __GI___assert_fail (assertion=assertion@entry=0x56228f6cde28 "(longlong) thd->status_var.local_memory_used >= 0 || !debug_assert_on_not_freed_memory", file=file@entry=0x56228f6ca004 "/test/10.5_dbg/sql/mysqld.cc", line=line@entry=3518, function=function@entry=0x56228f6d4020 <my_malloc_size_cb_func::__PRETTY_FUNCTION__> "void my_malloc_size_cb_func(long long int, my_bool)") at assert.c:101
#8  0x000056228e98836f in my_malloc_size_cb_func (size=<optimized out>, is_thread_specific=<optimized out>) at /test/10.5_dbg/sql/mysqld.cc:3517
#9  0x000056228f579849 in my_free (ptr=ptr@entry=0x14897ec28b08) at /test/10.5_dbg/mysys/my_malloc.c:200
#10 0x000056228ef83463 in maria_create (name=<optimized out>, datafile_type=<optimized out>, datafile_type@entry=BLOCK_RECORD, keys=<optimized out>, keys@entry=0, keydefs=keydefs@entry=0x14897ec10268, columns=columns@entry=1, columndef=columndef@entry=0x14897ec10188, uniques=0, uniquedefs=0x0, ci=<optimized out>, flags=32) at /test/10.5_dbg/storage/maria/ma_create.c:1280
#11 0x000056228ef8bd00 in ha_maria::create (this=0x14897ed4f0a0, name=0x1489a2f4a4a0 "./test/t2", table_arg=0x1489a2f490c0, ha_create_info=0x1489a2f4a8f0) at /test/10.5_dbg/storage/maria/ha_maria.cc:3255
#12 0x000056228ed47ab9 in handler::ha_create (this=0x14897ed4f0a0, name=0x1489a2f4a4a0 "./test/t2", form=form@entry=0x1489a2f490c0, info_arg=info_arg@entry=0x1489a2f4a8f0) at /test/10.5_dbg/sql/handler.cc:5072
#13 0x000056228ed487b3 in ha_create_table (thd=thd@entry=0x14897ec15088, path=path@entry=0x1489a2f4a4a0 "./test/t2", db=0x14897ec748b0 "test", table_name=0x14897ec741a8 "t2", create_info=create_info@entry=0x1489a2f4a8f0, frm=frm@entry=0x1489a2f4a490) at /test/10.5_dbg/sql/handler.cc:5536
#14 0x000056228eb5dfd4 in create_table_impl (thd=thd@entry=0x14897ec15088, orig_db=@0x14897ec741f8: {str = 0x14897ec748b0 "test", length = 4}, orig_table_name=@0x14897ec74208: {str = 0x14897ec741a8 "t2", length = 2}, db=@0x14897ec741f8: {str = 0x14897ec748b0 "test", length = 4}, table_name=@0x14897ec74208: {str = 0x14897ec741a8 "t2", length = 2}, path=path@entry=0x1489a2f4a4a0 "./test/t2", options={m_options = DDL_options_st::OPT_NONE}, create_info=0x1489a2f4a8f0, alter_info=0x1489a2f4a820, create_table_mode=0, is_trans=0x1489a2f4a727, key_info=0x1489a2f4a488, key_count=0x1489a2f4a484, frm=0x1489a2f4a490) at /test/10.5_dbg/sql/sql_table.cc:5290
#15 0x000056228eb5e4b9 in mysql_create_table_no_lock (thd=thd@entry=0x14897ec15088, db=db@entry=0x14897ec741f8, table_name=table_name@entry=0x14897ec74208, create_info=create_info@entry=0x1489a2f4a8f0, alter_info=alter_info@entry=0x1489a2f4a820, is_trans=is_trans@entry=0x1489a2f4a727, create_table_mode=0, table_list=0x14897ec741e0) at /test/10.5_dbg/sql/sql_table.cc:5374
#16 0x000056228eb5e800 in mysql_create_table (thd=thd@entry=0x14897ec15088, create_table=create_table@entry=0x14897ec741e0, create_info=create_info@entry=0x1489a2f4a8f0, alter_info=alter_info@entry=0x1489a2f4a820) at /test/10.5_dbg/sql/sql_table.cc:5466
#17 0x000056228eb6011b in Sql_cmd_create_table_like::execute (this=0x14897ec74180, thd=0x14897ec15088) at /test/10.5_dbg/sql/sql_table.cc:11998
#18 0x000056228ea91e4a in mysql_execute_command (thd=thd@entry=0x14897ec15088) at /test/10.5_dbg/sql/sql_parse.cc:5951
#19 0x000056228ea99752 in mysql_parse (thd=thd@entry=0x14897ec15088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1489a2f4b350, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7993
#20 0x000056228ea86204 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14897ec15088, packet=packet@entry=0x14897ec67089 "CREATE TABLE t2 (i INT) DATA DIRECTORY = '/tmp', ENGINE=Aria", packet_length=packet_length@entry=60, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1866
#21 0x000056228ea849de in do_command (thd=0x14897ec15088) at /test/10.5_dbg/sql/sql_parse.cc:1347
#22 0x000056228ebe0c3b in do_handle_one_connection (connect=<optimized out>, connect@entry=0x1489820c7808, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1411
#23 0x000056228ebe1357 in handle_one_connection (arg=arg@entry=0x1489820c7808) at /test/10.5_dbg/sql/sql_connect.cc:1313
#24 0x000056228f044ca8 in pfs_spawn_thread (arg=0x14899fc46508) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#25 0x00001489a1ec56db in start_thread (arg=0x1489a2f4c700) at pthread_create.c:463
#26 0x00001489a12c3a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

On optimized:

10.5.5 30e7a0a866dce530d8328c6d614e48d39a264f9b (Optimized)

Core was generated by `/test/MD140720-mariadb-10.5.5-linux-x86_64-opt/bin/mysqld --no-defaults --lc-me'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000014f905925237 in kill () at ../sysdeps/unix/syscall-template.S:78
[Current thread is 1 (Thread 0x14f90774c840 (LWP 66105))]
(gdb) bt
#0  0x000014f905925237 in kill () at ../sysdeps/unix/syscall-template.S:78
#1  0x000055cc46e7c037 in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:342
#2  <signal handler called>
#3  maria_status (info=0x0, x=x@entry=0x7ffceecd1850, flag=flag@entry=16) at /test/10.5_opt/storage/maria/ma_info.c:47
#4  0x000055cc47046edd in ha_maria::info (this=0x14f8f32d5030, flag=16) at /test/10.5_opt/storage/maria/ha_maria.cc:2549
#5  0x000055cc46cc9aa8 in free_tmp_table (thd=thd@entry=0x14f904739018, entry=entry@entry=0x14f904744030) at /test/10.5_opt/sql/sql_select.cc:19936
#6  0x000055cc46cc9e6c in Create_tmp_table::cleanup_on_failure (this=this@entry=0x7ffceecd1c00, thd=thd@entry=0x14f904739018, table=table@entry=0x14f904744030) at /test/10.5_opt/sql/sql_select.cc:19179
#7  0x000055cc46ccbcd6 in create_tmp_table_for_schema (thd=thd@entry=0x14f904739018, param=param@entry=0x14f8dd433880, schema_table=@0x55cc47f7bc60: {table_name = 0x55cc4762962e "VIEWS", fields_info = 0x55cc48028e40 <Show::view_fields_info>, reset_table = 0x0, fill_table = 0x55cc46cfb010 <get_all_tables(THD*, TABLE_LIST*, Item*)>, old_format = 0x0, process_table = 0x55cc46cf4880 <get_schema_views_record(THD*, TABLE_LIST*, TABLE*, bool, LEX_CSTRING const*, LEX_CSTRING const*)>, idx_field1 = 1, idx_field2 = 2, hidden = false, i_s_requested_object = 655360}, bitmap=@0x7ffceecd1d20: {bitmap = 0x14f8dd433878, last_word_ptr = 0x14f8dd433878, mutex = 0x0, last_word_mask = 4294965248, n_bits = 11}, select_options=<optimized out>, table_alias=@0x14f8dd431840: {str = 0x14f8dd4317f0 "VIEWS", length = 5}, keep_row_order=false) at /test/10.5_opt/sql/sql_select.cc:19219
#8  0x000055cc46cfc30c in create_schema_table (thd=thd@entry=0x14f904739018, table_list=table_list@entry=0x14f8dd4317f8) at /test/10.5_opt/sql/sql_show.cc:8138
#9  0x000055cc46cfc412 in mysql_schema_table (thd=thd@entry=0x14f904739018, lex=lex@entry=0x14f90473cda8, table_list=table_list@entry=0x14f8dd4317f8) at /test/10.5_opt/sql/sql_show.cc:8349
#10 0x000055cc46c254f9 in open_and_process_table (ot_ctx=0x7ffceecd1e80, has_prelocking_list=false, prelocking_strategy=0x7ffceecd21f0, flags=0, counter=0x7ffceecd20ec, tables=0x14f8dd4317f8, thd=0x14f904739018) at /test/10.5_opt/sql/sql_base.cc:3662
#11 open_tables (thd=thd@entry=0x14f904739018, options=@0x14f90473e330: {m_options = DDL_options_st::OPT_NONE}, start=start@entry=0x7ffceecd20d8, counter=counter@entry=0x7ffceecd20ec, flags=flags@entry=0, prelocking_strategy=prelocking_strategy@entry=0x7ffceecd21f0) at /test/10.5_opt/sql/sql_base.cc:4256
#12 0x000055cc46c26565 in open_and_lock_tables (thd=thd@entry=0x14f904739018, options=<optimized out>, tables=<optimized out>, derived=derived@entry=true, flags=flags@entry=0, prelocking_strategy=prelocking_strategy@entry=0x7ffceecd21f0) at /test/10.5_opt/sql/sql_base.cc:5160
#13 0x000055cc46c85871 in open_and_lock_tables (flags=0, derived=true, tables=<optimized out>, thd=0x14f904739018) at /test/10.5_opt/sql/sql_base.h:509
#14 mysql_execute_command (thd=thd@entry=0x14f904739018) at /test/10.5_opt/sql/sql_parse.cc:5006
#15 0x000055cc46c8c46c in mysql_parse (thd=0x14f904739018, rawbuf=<optimized out>, length=148, parser_state=parser_state@entry=0x7ffceecd2630, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:7993
#16 0x000055cc46c7f480 in bootstrap (file=0x55cc488fb430 <instrumented_stdin>) at /test/10.5_opt/sql/sql_parse.cc:1081
#17 0x000055cc46bc7596 in mysqld_main (argc=<optimized out>, argv=<optimized out>) at /test/10.5_opt/sql/mysqld.cc:5582
#18 0x000014f905907b97 in __libc_start_main (main=0x55cc46b89940 <main(int, char**)>, argc=12, argv=0x7ffceecd78d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffceecd78c8) at ../csu/libc-start.c:310
#19 0x000055cc46bbb1fa in _start ()

Bug confirmed present in:
MariaDB: 10.1.46 (dbg), 10.1.46 (opt), 10.2.33 (dbg), 10.2.33 (opt), 10.3.24 (dbg), 10.3.24 (opt), 10.4.14 (dbg), 10.4.14 (opt), 10.5.5 (dbg), 10.5.5 (opt)

Bug confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Whereas 10.5.5 debug will assert on the second CREATE TABLE attempt near the end of the testcase, 10.4.14 debug will produce the error (seen on the first CREATE TABLE attempt in all versions) twice (i.e. on the second CREATE TABLE - as well as for any subsequent CREATE TABLE attempts). Then, on shutdown, depending on how many times CREATE TABLE was attempted, a matching memory loss size is shown in the error log:

10.4.14 dc68846ec5ffdd6f08d93dc3bda123ff9cef04fa (Debug)

10.4.14>INSERT INTO t1 VALUES (1);
Query OK, 1 row affected (0.008 sec)
10.4.14>CREATE TABLE t2 (i INT) DATA DIRECTORY = '/tmp', ENGINE=Aria;
ERROR 1 (HY000): Can't create/write to file '/tmp/t2.MAD' (Errcode: 17 "File exists")
10.4.14>CREATE TABLE t2 (i INT) DATA DIRECTORY = '/tmp', ENGINE=Aria;
ERROR 1 (HY000): Can't create/write to file '/tmp/t2.MAD' (Errcode: 17 "File exists")
10.4.14>CREATE TABLE t2 (i INT) DATA DIRECTORY = '/tmp', ENGINE=Aria;
...etc...

10.4.14 dc68846ec5ffdd6f08d93dc3bda123ff9cef04fa (Debug)

2020-07-20 13:37:21 0 [Note] /test/MD250620-mariadb-10.4.14-linux-x86_64-dbg/bin/mysqld: Shutdown complete
 
Warning: Memory not freed: -2304

Similar outcome on, for example, 10.2.33 debug:

10.2.33 (Debug)

2020-07-20 13:43:38 22646027314944 [Note] /test/MD250620-mariadb-10.2.33-linux-x86_64-dbg/bin/mysqld: Shutdown complete
 
Warning: Memory not freed: -1152



 Comments   
Comment by Roel Van de Paar [ 2020-07-20 ]

This can produce various other stack traces, when using ES, or C++ API, and perhaps in other cases. Issue is sporadic at times.

2 06ce1ef4857c26b91c8b068a98c9f5ee22b25d4d (Optimized)

Core was generated by `/test/EMD020720-mariadb-10.5.4-2-linux-x86_64-opt/bin/mysqld --no-defaults --ba'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x14c676cc4700 (LWP 188288))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x00005559b72df3a7 in my_write_core (sig=sig@entry=11)
    at /test/MariaDBEnterprise_opt/mysys/stacktrace.c:518
#2  0x00005559b6c9f71a in handle_fatal_signal (sig=11)
    at /test/MariaDBEnterprise_opt/sql/signal_handler.cc:330
#3  <signal handler called>
#4  0x000014c67694319d in free () from /usr/lib/x86_64-linux-gnu/libjemalloc.so.1
#5  0x00005559b72db8b3 in my_free (ptr=<optimized out>)
    at /test/MariaDBEnterprise_opt/mysys/my_malloc.c:209
#6  0x00005559b6e69d1f in maria_create (name=<optimized out>, datafile_type=<optimized out>, 
    datafile_type@entry=BLOCK_RECORD, keys=<optimized out>, keys@entry=0, 
    keydefs=keydefs@entry=0x14c638ca61f8, columns=columns@entry=1, 
    columndef=columndef@entry=0x14c638ca6118, uniques=0, uniquedefs=0x0, ci=0x14c676cc0710, flags=32)
    at /test/MariaDBEnterprise_opt/storage/maria/ma_create.c:1176
#7  0x00005559b6e6d941 in ha_maria::create (this=<optimized out>, name=<optimized out>, 
    table_arg=<optimized out>, ha_create_info=<optimized out>)
    at /test/MariaDBEnterprise_opt/storage/maria/ha_maria.cc:3256
#8  0x00005559b6ca8498 in handler::ha_create (this=0x14c638c5e830, name=<optimized out>, 
    form=0x14c676cc0ac0, info_arg=0x14c676cc2be0) at /test/MariaDBEnterprise_opt/sql/handler.cc:5105
#9  0x00005559b6ca8cf9 in ha_create_table (thd=thd@entry=0x14c638c12018, 
    path=path@entry=0x14c676cc2760 "./test/t", db=0x14c638c47840 "test", 
    table_name=0x14c638c47138 "t", create_info=create_info@entry=0x14c676cc2be0, 
    frm=frm@entry=0x14c676cc2750) at /test/MariaDBEnterprise_opt/sql/handler.cc:5569
#10 0x00005559b6b3a152 in create_table_impl (thd=thd@entry=0x14c638c12018, orig_db=..., 
    orig_table_name=..., db=..., table_name=..., path=path@entry=0x14c676cc2760 "./test/t", 
    options=..., create_info=0x14c676cc2be0, alter_info=0x14c676cc2b10, create_table_mode=0, 
    is_trans=0x14c676cc29ef, key_info=0x14c676cc2748, key_count=0x14c676cc2744, frm=0x14c676cc2750)
    at /test/MariaDBEnterprise_opt/sql/sql_table.cc:5368
#11 0x00005559b6b3a58b in mysql_create_table_no_lock (thd=thd@entry=0x14c638c12018, 
    db=db@entry=0x14c638c47188, table_name=table_name@entry=0x14c638c47198, 
    create_info=create_info@entry=0x14c676cc2be0, alter_info=0x14c676cc2b10, 
    is_trans=is_trans@entry=0x14c676cc29ef, create_table_mode=0, table_list=0x14c638c47170)
    at /test/MariaDBEnterprise_opt/sql/sql_table.cc:5452
#12 0x00005559b6b3a7c3 in mysql_create_table (thd=thd@entry=0x14c638c12018, 
    create_table=create_table@entry=0x14c638c47170, create_info=create_info@entry=0x14c676cc2be0, 
    alter_info=alter_info@entry=0x14c676cc2b10) at /test/MariaDBEnterprise_opt/sql/sql_table.cc:5544
#13 0x00005559b6b3bce9 in Sql_cmd_create_table_like::execute (this=<optimized out>, 
    thd=0x14c638c12018) at /test/MariaDBEnterprise_opt/sql/sql_table.cc:12227
#14 0x00005559b6aa4efa in mysql_execute_command (thd=thd@entry=0x14c638c12018)
    at /test/MariaDBEnterprise_opt/sql/sql_parse.cc:5958
#15 0x00005559b6aabfec in mysql_parse (thd=0x14c638c12018, rawbuf=<optimized out>, length=63, 
    parser_state=0x14c676cc3430, is_com_multi=<optimized out>, is_next_command=<optimized out>)
    at /test/MariaDBEnterprise_opt/sql/sql_parse.cc:8020
#16 0x00005559b6aa0ab5 in dispatch_command (command=command@entry=COM_QUERY, 
    thd=thd@entry=0x14c638c12018, 
    packet=packet@entry=0x14c638c3a019 "CREATE TABLE t(i int) DATA DIRECTORY = '/tmp', ENGINE = RocksDB;", packet_length=packet_length@entry=64, is_com_multi=is_com_multi@entry=false, 
    is_next_command=is_next_command@entry=false) at /test/MariaDBEnterprise_opt/sql/sql_parse.cc:1874
#17 0x00005559b6a9ef60 in do_command (thd=0x14c638c12018)
    at /test/MariaDBEnterprise_opt/sql/sql_parse.cc:1355
#18 0x00005559b6b96b51 in do_handle_one_connection (connect=<optimized out>, 
    connect@entry=0x14c673833658, put_in_cache=put_in_cache@entry=true)
    at /test/MariaDBEnterprise_opt/sql/sql_connect.cc:1411
#19 0x00005559b6b96ec4 in handle_one_connection (arg=arg@entry=0x14c673833658)
    at /test/MariaDBEnterprise_opt/sql/sql_connect.cc:1313
#20 0x00005559b6f0a88a in pfs_spawn_thread (arg=0x14c67384f218)
    at /test/MariaDBEnterprise_opt/storage/perfschema/pfs.cc:2201
#21 0x000014c675a356db in start_thread (arg=0x14c676cc4700) at pthread_create.c:463
#22 0x000014c674e33a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

If more testcases are required, please let me know and I will see what I can find.

Comment by Roel Van de Paar [ 2020-07-20 ]

Unique bug IDs/issues seen so far:

(longlong) thd->status_var.local_memory_used >= 0 || !debug_assert_on_not_freed_memory|SIGABRT|my_malloc_size_cb_func|my_free|maria_create|ha_maria::create  ## DBG |MDEV-23222
SIGSEGV|maria_status|ha_maria::info|free_tmp_table|Create_tmp_table::cleanup_on_failure  ## OPT |MDEV-23222
SIGSEGV|free () from|my_free|maria_create|ha_maria::create  ## OPT |MDEV-23222
SIGSEGV|tcache_get|__GI___libc_malloc|ut_allocator<unsigned char, true>::allocate|sel_col_prefetch_buf_alloc  ## OPT |MDEV-23222

Comment by Michael Widenius [ 2020-10-29 ]

The second back trace is impossible for the given test case, as there is no creation of temporary tables in it.

I was not able to initially repeat the problem, as in current 10.3 the test of 'table exists' is done way before maria_create() is called, and thus the execution path shown in the traces is not repeatable as such.

In any case, I was able to create a repeatable test case by removing the .frm tables between the create table tests.
The crash happens because of a double free in the case where create table fails because there are conflicting tables on disk.

Fixed by ensuring that the double free can't happen.

Comment by Michael Widenius [ 2020-10-29 ]

Fix pushed
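
Added example, not from this ticket or from MariaDB's source: a minimal C model of how a double free on a failed-create path drives a memory-usage counter negative, which is the condition the debug assertion and the "Memory not freed" warnings above report. The slot allocator, the function names, the 512-byte size and the control flow are assumptions made for illustration; the actual change to ma_create.c is not shown on this page.

```c
/* Illustrative model only; none of these names are MariaDB's. */
#include <stddef.h>
#include <stdio.h>

#define NSLOTS 4
/* Toy allocator: slots never go back to libc, so a repeated free is safe
   to execute here and only the accounting goes wrong. */
struct slot { long long size; int live; };
static struct slot slots[NSLOTS];
static long long memory_used;  /* stands in for a per-connection counter */
static int double_frees;

static struct slot *acct_alloc(long long size) {
    for (int i = 0; i < NSLOTS; i++)
        if (!slots[i].live) {
            slots[i].size = size; slots[i].live = 1;
            memory_used += size;
            return &slots[i];
        }
    return NULL;
}

static void acct_free(struct slot *p) {
    if (!p) return;                /* NULL is a no-op, as with free() */
    if (!p->live) double_frees++;  /* what a checking allocator would flag */
    p->live = 0;
    memory_used -= p->size;        /* decremented on every call */
}

/* Buggy shape (assumed): the failure branch frees buf, then the shared
   exit label frees the same dangling pointer again. */
static int create_buggy(int file_exists) {
    struct slot *buf = acct_alloc(512);  /* constructed size */
    int rc = 0;
    if (file_exists) { acct_free(buf); rc = -1; goto end; }
    /* ... table files would be written here ... */
end:
    acct_free(buf);
    return rc;
}

/* Hardened shape: clear the pointer when it is released, so the shared
   cleanup is a no-op on the failure path. */
static int create_fixed(int file_exists) {
    struct slot *buf = acct_alloc(512);
    int rc = 0;
    if (file_exists) { acct_free(buf); buf = NULL; rc = -1; goto end; }
end:
    acct_free(buf);
    return rc;
}

/* Reset state, run n failing create attempts, return the final counter. */
static long long run_failing(int (*create)(int), int n) {
    for (int i = 0; i < NSLOTS; i++) slots[i].live = 0;
    memory_used = 0; double_frees = 0;
    for (int i = 0; i < n; i++) create(1);
    return memory_used;
}

int main(void) {
    printf("buggy: %lld\n", run_failing(create_buggy, 2));
    printf("fixed: %lld\n", run_failing(create_fixed, 2));
    return 0;
}
```

In the model, each failing attempt through the buggy path subtracts one extra allocation from the counter, so the negative total grows with the number of attempts, while the hardened path stays at zero.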
