[MDEV-25239] UBSAN: srv0start.cc:2069:31: runtime error: member call on null pointer of type 'struct fil_space_t' on shutdown of InnoDB Created: 2021-03-24  Updated: 2021-03-24  Resolved: 2021-03-24

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - InnoDB
Affects Version/s: 10.6
Fix Version/s: 10.6.0

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Marko Mäkelä
Resolution: Duplicate Votes: 0
Labels: None

Issue Links:
Duplicate
duplicates MDEV-24751 runtime error: member call on null po... Closed

Description

Build with

-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

And set

export UBSAN_OPTIONS=print_stacktrace=1
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=1:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1

Then start up and shut down the server manually (./bin/mysqld --options ...) and you should see:

10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Debug)

2021-03-24 20:13:22 0 [Note] InnoDB: Starting shutdown...
2021-03-24 20:13:22 0 [Note] InnoDB: Dumping buffer pool(s) to /test/UBASAN_MD260121-mariadb-10.6.0-linux-x86_64-dbg/data/ib_buffer_pool
2021-03-24 20:13:22 0 [Note] InnoDB: Buffer pool(s) dump completed at 210324 20:13:22
/data/builds/10.6_dbg_san/storage/innobase/srv/srv0start.cc:2069:31: runtime error: member call on null pointer of type 'struct fil_space_t'
    #0 0x55b3789cf44f in innodb_shutdown() /data/builds/10.6_dbg_san/storage/innobase/srv/srv0start.cc:2069
    #1 0x55b378182457 in innobase_end /data/builds/10.6_dbg_san/storage/innobase/handler/ha_innodb.cc:3762
    #2 0x55b3763df122 in ha_finalize_handlerton(st_plugin_int*) /data/builds/10.6_dbg_san/sql/handler.cc:583
    #3 0x55b374e7a210 in plugin_deinitialize /data/builds/10.6_dbg_san/sql/sql_plugin.cc:1262
    #4 0x55b374e8957c in reap_plugins /data/builds/10.6_dbg_san/sql/sql_plugin.cc:1338
    #5 0x55b374e8d530 in plugin_shutdown() /data/builds/10.6_dbg_san/sql/sql_plugin.cc:2045
    #6 0x55b3745c56a9 in clean_up /data/builds/10.6_dbg_san/sql/mysqld.cc:1981
    #7 0x55b3745f48ed in mysqld_main(int, char**) /data/builds/10.6_dbg_san/sql/mysqld.cc:5728
    #8 0x55b3745bdbaa in main /data/builds/10.6_dbg_san/sql/main.cc:25
    #9 0x14a2d352e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #10 0x55b3744915ad in _start (/test/UBASAN_MD260121-mariadb-10.6.0-linux-x86_64-dbg/bin/mariadbd+0x7b275ad)
2021-03-24 20:13:23 0 [Note] InnoDB: Removed temporary tablespace data file: "ibtmp1"
2021-03-24 20:13:23 0 [Note] InnoDB: Shutdown completed; log sequence number 43230; transaction id 19

If hard to reproduce, or if the issue is not clear, I can make a more detailed testcase.

Present in 10.6, other versions not tested yet.

Comments
Comment by Marko Mäkelä [ 2021-03-24 ]

The code in question is as follows:

        srv_sys_space.shutdown();
        if (srv_tmp_space.get_sanity_check_status()) {
                fil_system.temp_space->close();

This is a duplicate of MDEV-24751, which had already been fixed 5 commits later, on February 1. Please try to test with the newest version.
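The following is an added example, not MariaDB code, showing the shape of the defect UBSAN reports above and the guard that prevents it. The types `fil_space_t` and `fil_system_t` here are hypothetical stand-ins with the same names as the InnoDB types, reduced to a single `close()` member and a `temp_space` pointer; `shutdown_unguarded` and `shutdown_guarded` are invented for illustration. Compiling with `-fsanitize=undefined` and calling the unguarded variant on a null `temp_space` produces a "member call on null pointer" diagnostic like the one in the report; the guarded variant checks the pointer first and returns whether anything was closed.

```cpp
// Added example (not from the MariaDB source tree). Build with
//   g++ -std=c++17 -g -fsanitize=undefined example.cc
// to have UBSAN flag the unguarded member call.
#include <cstdio>

// Hypothetical stand-in for InnoDB's fil_space_t: only a close() method.
struct fil_space_t {
    bool closed = false;
    void close() { closed = true; }   // touches *this, so a null call is UB
};

// Hypothetical stand-in for the fil_system singleton's temp_space member.
// At shutdown the temporary tablespace may never have been created, so
// this pointer can legitimately be null.
struct fil_system_t {
    fil_space_t* temp_space = nullptr;
};

// Unguarded: mirrors the shape of the quoted shutdown code. With
// -fsanitize=undefined this is reported as
// "member call on null pointer of type 'struct fil_space_t'" when
// temp_space is null. Never call this without a prior null check.
void shutdown_unguarded(fil_system_t& fs) {
    fs.temp_space->close();
}

// Guarded: test the pointer before the member call. Returns true if a
// tablespace was actually closed, false if there was nothing to close.
bool shutdown_guarded(fil_system_t& fs) {
    if (fs.temp_space == nullptr) {
        return false;               // nothing was ever opened; not an error
    }
    fs.temp_space->close();
    fs.temp_space = nullptr;        // drop the dangling pointer after close
    return true;
}

int main() {
    fil_system_t fs;                // temp_space is null, as on a shutdown
                                    // where the temp tablespace was never set up
    std::printf("guarded, null:   closed=%d\n", shutdown_guarded(fs));

    fil_space_t space;              // constructed sample tablespace
    fs.temp_space = &space;
    std::printf("guarded, valid:  closed=%d\n", shutdown_guarded(fs));
    std::printf("space.closed=%d temp_space null=%d\n",
                space.closed, fs.temp_space == nullptr);
    return 0;
}
```

The unguarded function is kept only to show what the sanitizer reacts to; the example's `main` never calls it. In a real build the fix is the same as the one referenced in MDEV-24751: make the shutdown path tolerate a tablespace object that was never created.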
