[MDEV-26334] Assertion map->bitmap, prebuilt->magic_n == ROW_PREBUILT_ALLOCATED, !table->file || table->file->inited == handler::NONE, bit < map->n_bits, SIGSEGV's in bitmap_clear_bit, and handler::ha_close

Created: 2021-08-10
Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Stored routines, Views
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2

Type: Bug Priority: Critical
Reporter: Roel Van de Paar Assignee: Dmitry Shulga
Resolution: Unresolved Votes: 1
Labels: affects-tests

Issue Links:
Relates
relates to MDEV-23204 Server crash in ha_partition::handle_... Open

Description

CREATE VIEW v AS SELECT 1;
PREPARE p FROM "SHOW CREATE VIEW v";
DROP VIEW v;
CREATE TABLE v AS SELECT 1;
EXECUTE p;

Leads to:

10.7.0 71ed8c136fa203b9b3a678a6d5cc72235ef73ef7 (Debug)

mysqld: /test/10.7_dbg/mysys/my_bitmap.c:751: bitmap_lock_clear_bit: Assertion `map->bitmap' failed.

10.7.0 71ed8c136fa203b9b3a678a6d5cc72235ef73ef7 (Debug)

Core was generated by `/test/MD200721-mariadb-10.7.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x154a3c16a700 (LWP 1655699))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x0000154a52218859 in __GI_abort () at abort.c:79
#2  0x0000154a52218729 in __assert_fail_base (fmt=0x154a523ae588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55b6c8d20334 "map->bitmap", file=0x55b6c8d20278 "/test/10.7_dbg/mysys/my_bitmap.c", line=751, function=<optimized out>) at assert.c:92
#3  0x0000154a52229f36 in __GI___assert_fail (assertion=assertion@entry=0x55b6c8d20334 "map->bitmap", file=file@entry=0x55b6c8d20278 "/test/10.7_dbg/mysys/my_bitmap.c", line=line@entry=751, function=function@entry=0x55b6c8d20450 <__PRETTY_FUNCTION__.16877> "bitmap_lock_clear_bit") at assert.c:101
#4  0x000055b6c88a7c73 in bitmap_lock_clear_bit (map=0x55b6c9384440 <temp_pool>, bitmap_bit=0) at /test/10.7_dbg/mysys/my_bitmap.c:751
#5  0x000055b6c7e26133 in free_tmp_table (thd=thd@entry=0x154a0c000db8, entry=0x154a0c032978) at /test/10.7_dbg/sql/sql_select.cc:20319
#6  0x000055b6c7d204ea in close_thread_tables (thd=thd@entry=0x154a0c000db8) at /test/10.7_dbg/sql/sql_base.cc:840
#7  0x000055b6c7e6b9ef in mysqld_show_create (thd=thd@entry=0x154a0c000db8, table_list=table_list@entry=0x154a0c01eea8) at /test/10.7_dbg/sql/sql_show.cc:1364
#8  0x000055b6c7dbe981 in mysql_execute_command (thd=0x154a0c000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=true) at /test/10.7_dbg/sql/sql_parse.cc:4371
#9  0x000055b6c7de8dda in Prepared_statement::execute (this=this@entry=0x154a0c01cdb8, expanded_query=expanded_query@entry=0x154a3c168da0, open_cursor=open_cursor@entry=false) at /test/10.7_dbg/sql/sql_prepare.cc:5184
#10 0x000055b6c7de914f in Prepared_statement::execute_loop (this=this@entry=0x154a0c01cdb8, expanded_query=expanded_query@entry=0x154a3c168da0, open_cursor=open_cursor@entry=false, packet=packet@entry=0x0, packet_end=packet_end@entry=0x0) at /test/10.7_dbg/sql/sql_prepare.cc:4612
#11 0x000055b6c7de967f in mysql_sql_stmt_execute (thd=thd@entry=0x154a0c000db8) at /test/10.7_dbg/sql/sql_prepare.cc:3672
#12 0x000055b6c7dbd94a in mysql_execute_command (thd=thd@entry=0x154a0c000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.7_dbg/sql/sql_parse.cc:3963
#13 0x000055b6c7da9ead in mysql_parse (thd=thd@entry=0x154a0c000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x154a3c169400) at /test/10.7_dbg/sql/sql_parse.cc:8026
#14 0x000055b6c7db89f8 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x154a0c000db8, packet=packet@entry=0x154a0c00b749 "", packet_length=packet_length@entry=9, blocking=blocking@entry=true) at /test/10.7_dbg/sql/sql_class.h:1340
#15 0x000055b6c7dbbe05 in do_command (thd=0x154a0c000db8, blocking=blocking@entry=true) at /test/10.7_dbg/sql/sql_parse.cc:1404
#16 0x000055b6c7f31f48 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b6cadadf08, put_in_cache=put_in_cache@entry=true) at /test/10.7_dbg/sql/sql_connect.cc:1410
#17 0x000055b6c7f3254d in handle_one_connection (arg=arg@entry=0x55b6cadadf08) at /test/10.7_dbg/sql/sql_connect.cc:1312
#18 0x000055b6c839a5b2 in pfs_spawn_thread (arg=0x55b6cacd6b08) at /test/10.7_dbg/storage/perfschema/pfs.cc:2201
#19 0x0000154a52727609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#20 0x0000154a52315293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.7.0 71ed8c136fa203b9b3a678a6d5cc72235ef73ef7 (Optimized)

Core was generated by `/test/MD200721-mariadb-10.7.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055575c91d371 in bitmap_clear_bit (map=0x55575d2bd540 <temp_pool>, 
    bit=<optimized out>) at /test/10.7_opt/include/my_bitmap.h:112
[Current thread is 1 (Thread 0x14dff4136700 (LWP 1682176))]
(gdb) bt
#0  0x000055575c91d371 in bitmap_clear_bit (map=0x55575d2bd540 <temp_pool>, bit=<optimized out>) at /test/10.7_opt/include/my_bitmap.h:112
#1  bitmap_lock_clear_bit (map=0x55575d2bd540 <temp_pool>, bitmap_bit=<optimized out>) at /test/10.7_opt/mysys/my_bitmap.c:753
#2  0x000055575c207a9e in free_tmp_table (thd=thd@entry=0x14df88000c58, entry=0x14df880214f8) at /test/10.7_opt/sql/sql_select.cc:20319
#3  0x000055575c141400 in close_thread_tables (thd=thd@entry=0x14df88000c58) at /test/10.7_opt/sql/sql_base.cc:840
#4  0x000055575c23685e in mysqld_show_create (thd=thd@entry=0x14df88000c58, table_list=table_list@entry=0x14df8801a988) at /test/10.7_opt/sql/sql_show.cc:1364
#5  0x000055575c1b86ef in mysql_execute_command (thd=0x14df88000c58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=true) at /test/10.7_opt/sql/sql_parse.cc:4371
#6  0x000055575c1d75ba in Prepared_statement::execute (this=0x14df88016878, expanded_query=<optimized out>, open_cursor=false) at /test/10.7_opt/sql/sql_prepare.cc:5184
#7  0x000055575c1d77c9 in Prepared_statement::execute_loop (packet=<optimized out>, packet_end=<optimized out>, open_cursor=<optimized out>, expanded_query=0x14dff4134e90, this=0x14df88016878) at /test/10.7_opt/sql/sql_prepare.cc:4612
#8  Prepared_statement::execute_loop (this=0x14df88016878, expanded_query=0x14dff4134e90, open_cursor=<optimized out>, packet=<optimized out>, packet_end=<optimized out>) at /test/10.7_opt/sql/sql_prepare.cc:4567
#9  0x000055575c1d7ac3 in mysql_sql_stmt_execute (thd=thd@entry=0x14df88000c58) at /test/10.7_opt/sql/sql_prepare.cc:3672
#10 0x000055575c1b917c in mysql_execute_command (thd=0x14df88000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.7_opt/sql/sql_parse.cc:3963
#11 0x000055575c1a6d46 in mysql_parse (thd=0x14df88000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.7_opt/sql/sql_parse.cc:8026
#12 0x000055575c1b2c35 in dispatch_command (command=COM_QUERY, thd=0x14df88000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.7_opt/sql/sql_class.h:1340
#13 0x000055575c1b4b57 in do_command (thd=0x14df88000c58, blocking=blocking@entry=true) at /test/10.7_opt/sql/sql_parse.cc:1404
#14 0x000055575c2cffe7 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/10.7_opt/sql/sql_connect.cc:1410
#15 0x000055575c2d034d in handle_one_connection (arg=arg@entry=0x55575ec5d958) at /test/10.7_opt/sql/sql_connect.cc:1312
#16 0x000055575c6222d8 in pfs_spawn_thread (arg=0x55575e899c88) at /test/10.7_opt/storage/perfschema/pfs.cc:2201
#17 0x000014dff6bc7609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x000014dff67b5293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.4.20 8a2b4d531dc661ee605eeecdfc901bc833f86564 (Debug)

mysqld: /test/10.4_dbg/sql/sql_base.cc:1035: void close_thread_table(THD*, TABLE**): Assertion `!table->file || table->file->inited == handler::NONE' failed.

10.4.20 8a2b4d531dc661ee605eeecdfc901bc833f86564 (Debug)

Core was generated by `/test/MD140621-mariadb-10.4.20-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x1469900d7700 (LWP 1686921))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00001469a8179859 in __GI_abort () at abort.c:79
#2  0x00001469a8179729 in __assert_fail_base (fmt=0x1469a830f588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55728c583f60 "!table->file || table->file->inited == handler::NONE", file=0x55728c5838d0 "/test/10.4_dbg/sql/sql_base.cc", line=1035, function=<optimized out>) at assert.c:92
#3  0x00001469a818af36 in __GI___assert_fail (assertion=assertion@entry=0x55728c583f60 "!table->file || table->file->inited == handler::NONE", file=file@entry=0x55728c5838d0 "/test/10.4_dbg/sql/sql_base.cc", line=line@entry=1035, function=function@entry=0x55728c583f38 "void close_thread_table(THD*, TABLE**)") at assert.c:101
#4  0x000055728b84fe7c in close_thread_table (thd=thd@entry=0x146948000d90, table_ptr=table_ptr@entry=0x146948000e70) at /test/10.4_dbg/sql/sql_base.cc:1035
#5  0x000055728b85026b in close_thread_tables (thd=thd@entry=0x146948000d90) at /test/10.4_dbg/sql/sql_base.cc:1020
#6  0x000055728b974d5b in mysqld_show_create (thd=thd@entry=0x146948000d90, table_list=table_list@entry=0x146948020060) at /test/10.4_dbg/sql/sql_show.cc:1452
#7  0x000055728b8deee9 in mysql_execute_command (thd=0x146948000d90) at /test/10.4_dbg/sql/sql_parse.cc:4398
#8  0x000055728b90143f in Prepared_statement::execute (this=this@entry=0x14694800d240, expanded_query=expanded_query@entry=0x1469900d4a80, open_cursor=open_cursor@entry=false) at /test/10.4_dbg/sql/sql_prepare.cc:5004
#9  0x000055728b90179b in Prepared_statement::execute_loop (this=this@entry=0x14694800d240, expanded_query=expanded_query@entry=0x1469900d4a80, open_cursor=open_cursor@entry=false, packet=packet@entry=0x0, packet_end=packet_end@entry=0x0) at /test/10.4_dbg/sql/sql_prepare.cc:4473
#10 0x000055728b901ec4 in mysql_sql_stmt_execute (thd=thd@entry=0x146948000d90) at /test/10.4_dbg/sql/sql_prepare.cc:3563
#11 0x000055728b8dc618 in mysql_execute_command (thd=thd@entry=0x146948000d90) at /test/10.4_dbg/sql/sql_parse.cc:3981
#12 0x000055728b8e719e in mysql_parse (thd=thd@entry=0x146948000d90, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1469900d6490, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_parse.cc:7992
#13 0x000055728b8e9b10 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x146948000d90, packet=packet@entry=0x14694801a371 "", packet_length=packet_length@entry=9, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_class.h:1184
#14 0x000055728b8ed3a6 in do_command (thd=0x146948000d90) at /test/10.4_dbg/sql/sql_parse.cc:1373
#15 0x000055728ba2ab7a in do_handle_one_connection (connect=connect@entry=0x55728e8ef150) at /test/10.4_dbg/sql/sql_connect.cc:1412
#16 0x000055728ba2ac99 in handle_one_connection (arg=0x55728e8ef150) at /test/10.4_dbg/sql/sql_connect.cc:1316
#17 0x00001469a8688609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x00001469a8276293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.4.20 8a2b4d531dc661ee605eeecdfc901bc833f86564 (Optimized)

Core was generated by `/test/MD140621-mariadb-10.4.20-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000561ffdc8aa65 in handler::ha_close (this=0x153444023820)
    at /test/10.4_opt/sql/handler.cc:2842
[Current thread is 1 (Thread 0x1534a71177c0 (LWP 1685597))]
(gdb) bt
#0  0x0000561ffdc8aa65 in handler::ha_close (this=0x153444023820) at /test/10.4_opt/sql/handler.cc:2842
#1  0x0000561ffdb21db9 in closefrm (table=table@entry=0x153444022a28) at /test/10.4_opt/sql/table.cc:4082
#2  0x0000561ffdc086a5 in intern_close_table (table=0x153444022a28) at /test/10.4_opt/sql/table_cache.cc:221
#3  tc_purge (mark_flushed=mark_flushed@entry=true) at /test/10.4_opt/sql/table_cache.cc:334
#4  0x0000561ffd9f230c in purge_tables (purge_flag=purge_flag@entry=true) at /test/10.4_opt/sql/sql_base.cc:335
#5  0x0000561ffdc06396 in tdc_start_shutdown () at /test/10.4_opt/sql/table_cache.cc:657
#6  0x0000561ffd98e24d in clean_up (print_message=print_message@entry=true) at /test/10.4_opt/sql/mysqld.cc:1959
#7  0x0000561ffd99968d in clean_up (print_message=true) at /test/10.4_opt/sql/mysqld.cc:5921
#8  mysqld_main (argc=<optimized out>, argv=<optimized out>) at /test/10.4_opt/sql/mysqld.cc:5921
#9  0x00001534a72d50b3 in __libc_start_main (main=0x561ffd974130 <main(int, char**)>, argc=10, argv=0x7ffcaaea68b8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffcaaea68a8) at ../csu/libc-start.c:308
#10 0x0000561ffd98c8ae in _start () at /test/10.4_opt/sql/mysqld.cc:4651

10.3.30 75a65d3201a4486af96cf3277b6c5a4ba460eef7 (Optimized)

InnoDB: Failing assertion: prebuilt->magic_n == ROW_PREBUILT_ALLOCATED

10.3.30 75a65d3201a4486af96cf3277b6c5a4ba460eef7 (Optimized)

Core was generated by `/test/MD140621-mariadb-10.3.30-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x14e2340a9700 (LWP 1698376))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x000014e23f6aa859 in __GI_abort () at abort.c:79
#2  0x00005576d9e11837 in ut_dbg_assertion_failed (expr=expr@entry=0x5576da8591d0 "prebuilt->magic_n == ROW_PREBUILT_ALLOCATED", file=file@entry=0x5576da858d18 "/test/10.3_opt/storage/innobase/row/row0mysql.cc", line=line@entry=980) at /test/10.3_opt/storage/innobase/ut/ut0dbg.cc:60
#3  0x00005576d9dfda0b in row_prebuilt_free (prebuilt=<optimized out>, dict_locked=dict_locked@entry=0) at /test/10.3_opt/storage/innobase/row/row0mysql.cc:980
#4  0x00005576da2a3fae in ha_innobase::close (this=0x14e1dc01e160) at /test/10.3_opt/storage/innobase/handler/ha_innodb.cc:6558
#5  0x00005576d9fcb3b9 in closefrm (table=table@entry=0x14e1dc022a68) at /test/10.3_opt/sql/table.cc:3674
#6  0x00005576da091225 in intern_close_table (table=0x14e1dc022a68) at /test/10.3_opt/sql/table_cache.cc:222
#7  tc_purge (mark_flushed=mark_flushed@entry=true) at /test/10.3_opt/sql/table_cache.cc:335
#8  0x00005576d9eaee07 in close_cached_tables (thd=thd@entry=0x0, tables=tables@entry=0x0, wait_for_refresh=wait_for_refresh@entry=false, timeout=timeout@entry=31536000) at /test/10.3_opt/sql/sql_base.cc:377
#9  0x00005576da08ec7c in tdc_start_shutdown () at /test/10.3_opt/sql/table_cache.cc:660
#10 0x00005576d9e4c85b in clean_up (print_message=print_message@entry=true) at /test/10.3_opt/sql/mysqld.cc:2239
#11 0x00005576d9e4d105 in clean_up (print_message=true) at /test/10.3_opt/sql/mysqld.cc:2209
#12 unireg_end () at /test/10.3_opt/sql/mysqld.cc:2114
#13 0x00005576d9e4fc73 in kill_server (sig_ptr=0x0) at /test/10.3_opt/sql/mysqld.cc:2041
#14 0x00005576d9e502b2 in kill_server_thread (arg=<optimized out>) at /test/10.3_opt/sql/mysqld.cc:2064
#15 0x000014e23f880609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#16 0x000014e23f7a7293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.2.39 (dbg), 10.2.39 (opt), 10.3.30 (dbg), 10.3.30 (opt), 10.4.20 (dbg), 10.4.20 (opt), 10.5.11 (dbg), 10.5.11 (opt), 10.6.4 (dbg), 10.6.4 (opt), 10.7.0 (dbg), 10.7.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.34 (dbg), 5.7.34 (opt), 8.0.24 (dbg), 8.0.24 (opt)

Looking at the stacks, something changed in 10.4 in this area, and again in 10.5.

Comments
Comment by Roel Van de Paar [ 2021-08-10 ]

All uniqueIDs seen across all versions thus far:

!table->file || table->file->inited == handler::NONE|SIGABRT|close_thread_table|close_thread_tables|mysqld_show_create|mysql_execute_command
map->bitmap|SIGABRT|bitmap_lock_clear_bit|free_tmp_table|close_thread_tables|mysqld_show_create
prebuilt->magic_n == ROW_PREBUILT_ALLOCATED|SIGABRT|ut_dbg_assertion_failed|row_prebuilt_free|ha_innobase::close|closefrm
bit < map->n_bits|SIGABRT|bitmap_clear_bit|temp_pool_clear_bit|free_tmp_table|close_thread_tables
SIGSEGV|bitmap_clear_bit|bitmap_lock_clear_bit|free_tmp_table|close_thread_tables
SIGSEGV|bitmap_clear_bit|temp_pool_clear_bit|free_tmp_table|close_thread_tables
SIGSEGV|handler::ha_close|closefrm|intern_close_table|tc_purge
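
The uniqueIDs above are the crash signatures used to tell the reported stacks apart. Added example, not code from the Jira issue or from MariaDB: the Python below derives that signature from a gdb session the way the list suggests, taking the assertion expression (if any), the signal, and the first four frames after glibc's raise/abort/assert frames. Its sample input is constructed from trimmed excerpts of the 10.7.0 debug and optimized traces in the description, and the four-frame depth is an assumption inferred from the list.

```python
import re

# Frames that belong to the crash-reporting machinery rather than to the
# server code path; the report's uniqueIDs leave them out.
_NOISE_FRAMES = {
    "__GI_raise", "raise", "__GI_abort", "abort",
    "__assert_fail_base", "__GI___assert_fail", "__assert_fail",
}

_SIGNAL_RE = re.compile(r"Program terminated with signal (SIG[A-Z]+)")

# Assertion text, in order of preference: the glibc message line, the InnoDB
# message line, then the quoted argument of the __assert_fail /
# ut_dbg_assertion_failed frame.  '%' is excluded so the printf format in
# __assert_fail_base's fmt= argument cannot be mistaken for an expression.
_ASSERT_RES = (
    re.compile(r"Assertion `([^'%]*)' failed"),
    re.compile(r"InnoDB: Failing assertion: (.+)"),
    re.compile(r'\b(?:assertion|expr)=(?:\S+\s+)?"([^"]*)"'),
)

# "#4  0x000055b6c88a7c73 in bitmap_lock_clear_bit (map=..." and
# "#0  __GI_raise (sig=..." (gdb omits the address when pc is at a line start)
_FRAME_RE = re.compile(r"^\s*#\d+\s+(?:0x[0-9a-fA-F]+\s+in\s+)?([^\s(]+)", re.M)


def crash_signature(gdb_text: str, depth: int = 4) -> str:
    """Return the report-style uniqueID for one gdb session:
    [assertion|]SIGNAL|frame1|...|frame<depth>."""
    assertion = ""
    for rx in _ASSERT_RES:
        m = rx.search(gdb_text)
        if m:
            assertion = m.group(1).strip()
            break
    m = _SIGNAL_RE.search(gdb_text)
    signal = m.group(1) if m else "UNKNOWN"
    # gdb prints frame #0 once on attach and again as part of "bt"; use only the
    # bt output so an optimized-build trace does not list frame #0 twice.
    frames_text = gdb_text.split("(gdb) bt", 1)[-1]
    frames = [f for f in _FRAME_RE.findall(frames_text) if f not in _NOISE_FRAMES]
    parts = ([assertion] if assertion else []) + [signal] + frames[:depth]
    return "|".join(parts)


def unique_signatures(gdb_texts) -> list:
    """Deduplicate a batch of sessions, as in the 'All uniqueIDs' comment."""
    return sorted({crash_signature(t) for t in gdb_texts})


# Constructed sample: trimmed excerpt of the 10.7.0 (Debug) trace in the report.
DEBUG_TRACE = r"""
mysqld: /test/10.7_dbg/mysys/my_bitmap.c:751: bitmap_lock_clear_bit: Assertion `map->bitmap' failed.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x0000154a52218859 in __GI_abort () at abort.c:79
#2  0x0000154a52218729 in __assert_fail_base (fmt=0x154a523ae588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55b6c8d20334 "map->bitmap", line=751) at assert.c:92
#3  0x0000154a52229f36 in __GI___assert_fail (assertion=assertion@entry=0x55b6c8d20334 "map->bitmap") at assert.c:101
#4  0x000055b6c88a7c73 in bitmap_lock_clear_bit (map=0x55b6c9384440 <temp_pool>, bitmap_bit=0) at /test/10.7_dbg/mysys/my_bitmap.c:751
#5  0x000055b6c7e26133 in free_tmp_table (thd=thd@entry=0x154a0c000db8, entry=0x154a0c032978) at /test/10.7_dbg/sql/sql_select.cc:20319
#6  0x000055b6c7d204ea in close_thread_tables (thd=thd@entry=0x154a0c000db8) at /test/10.7_dbg/sql/sql_base.cc:840
#7  0x000055b6c7e6b9ef in mysqld_show_create (thd=thd@entry=0x154a0c000db8) at /test/10.7_dbg/sql/sql_show.cc:1364
#8  0x000055b6c7dbe981 in mysql_execute_command (thd=0x154a0c000db8) at /test/10.7_dbg/sql/sql_parse.cc:4371
"""

# Constructed sample: trimmed excerpt of the 10.7.0 (Optimized) trace, where
# gdb shows frame #0 before "bt" as well (split across two lines).
OPT_TRACE = r"""
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055575c91d371 in bitmap_clear_bit (map=0x55575d2bd540 <temp_pool>,
    bit=<optimized out>) at /test/10.7_opt/include/my_bitmap.h:112
(gdb) bt
#0  0x000055575c91d371 in bitmap_clear_bit (map=0x55575d2bd540 <temp_pool>, bit=<optimized out>) at /test/10.7_opt/include/my_bitmap.h:112
#1  bitmap_lock_clear_bit (map=0x55575d2bd540 <temp_pool>, bitmap_bit=<optimized out>) at /test/10.7_opt/mysys/my_bitmap.c:753
#2  0x000055575c207a9e in free_tmp_table (thd=thd@entry=0x14df88000c58, entry=0x14df880214f8) at /test/10.7_opt/sql/sql_select.cc:20319
#3  0x000055575c141400 in close_thread_tables (thd=thd@entry=0x14df88000c58) at /test/10.7_opt/sql/sql_base.cc:840
#4  0x000055575c23685e in mysqld_show_create (thd=thd@entry=0x14df88000c58) at /test/10.7_opt/sql/sql_show.cc:1364
"""

if __name__ == "__main__":
    for sig in unique_signatures([DEBUG_TRACE, OPT_TRACE, DEBUG_TRACE]):
        print(sig)
```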

Comment by Oleksandr Byelkin [ 2021-09-21 ]

The InnoDB engine is completely irrelevant to the bug.

Comment by Oleksandr Byelkin [ 2021-09-21 ]

CREATE VIEW v1 AS SELECT 1;
PREPARE stmt FROM "SHOW CREATE VIEW v1";
DROP VIEW v1;
CREATE TABLE v1  AS SELECT 1;
EXECUTE stmt;
DROP TABLE v1;

Comment by Oleksandr Byelkin [ 2021-09-21 ]

Could be a serious problem: because I see rests of the view in TABLE_LIST, so probably the statement was not reprepared.

Comment by Oleksandr Byelkin [ 2021-09-21 ]

Yes, there was no reprepare.

Comment by Roel Van de Paar [ 2022-06-16 ]

Two additional new asserts/stacks observed in 10.7.5 to 10.10.0 with this testcase:

CREATE VIEW v AS SELECT 1 c;
PREPARE p FROM 'SHOW CREATE VIEW v';
CREATE TABLE t (c INT) UNION (t);
DROP VIEW v;
CREATE TABLE v AS SELECT 1 t;
EXECUTE p;

Leads to:

10.10.0 081a284712bb661349e2e3802077b12211cede3e (Debug)

mysqld: /test/10.10_dbg/include/my_bitmap.h:99: void bitmap_clear_bit(MY_BITMAP*, uint): Assertion `bit < map->n_bits' failed.

10.10.0 081a284712bb661349e2e3802077b12211cede3e (Debug)

Core was generated by `/test/MD310522-mariadb-10.10.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x14dc873f9700 (LWP 2210963))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x000014dcc0bd9859 in __GI_abort () at abort.c:79
#2  0x000014dcc0bd9729 in __assert_fail_base (fmt=0x14dcc0d6f588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55e0360d71b9 "bit < map->n_bits", file=0x55e035e02850 "/test/10.10_dbg/include/my_bitmap.h", line=99, function=<optimized out>) at assert.c:92
#3  0x000014dcc0beafd6 in __GI___assert_fail (assertion=assertion@entry=0x55e0360d71b9 "bit < map->n_bits", file=file@entry=0x55e035e02850 "/test/10.10_dbg/include/my_bitmap.h", line=line@entry=99, function=function@entry=0x55e035e02878 "void bitmap_clear_bit(MY_BITMAP*, uint)") at assert.c:101
#4  0x000055e03510daa8 in bitmap_clear_bit (bit=0, map=0x55e03671c030 <temp_pool>) at /test/10.10_dbg/include/my_bitmap.h:99
#5  temp_pool_clear_bit (bit=0) at /test/10.10_dbg/sql/mysqld.cc:652
#6  0x000055e0352aa539 in free_tmp_table (thd=thd@entry=0x14dc20000db8, entry=0x14dc2002b368) at /test/10.10_dbg/sql/sql_select.cc:20491
#7  0x000055e0351b631a in close_thread_tables (thd=thd@entry=0x14dc20000db8) at /test/10.10_dbg/sql/sql_base.cc:861
#8  0x000055e0352eaf13 in mysqld_show_create (thd=thd@entry=0x14dc20000db8, table_list=table_list@entry=0x14dc2001efa0) at /test/10.10_dbg/sql/sql_show.cc:1367
#9  0x000055e035248fd3 in mysql_execute_command (thd=0x14dc20000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:4367
#10 0x000055e03527139e in Prepared_statement::execute (this=this@entry=0x14dc2001ce18, expanded_query=expanded_query@entry=0x14dc873f7e60, open_cursor=open_cursor@entry=false) at /test/10.10_dbg/sql/sql_prepare.cc:5221
#11 0x000055e035271737 in Prepared_statement::execute_loop (this=this@entry=0x14dc2001ce18, expanded_query=expanded_query@entry=0x14dc873f7e60, open_cursor=open_cursor@entry=false, packet=packet@entry=0x0, packet_end=packet_end@entry=0x0) at /test/10.10_dbg/sql/sql_prepare.cc:4644
#12 0x000055e035271de2 in mysql_sql_stmt_execute (thd=thd@entry=0x14dc20000db8) at /test/10.10_dbg/sql/sql_prepare.cc:3688
#13 0x000055e035247ecd in mysql_execute_command (thd=thd@entry=0x14dc20000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:3960
#14 0x000055e035235e3a in mysql_parse (thd=thd@entry=0x14dc20000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14dc873f8470) at /test/10.10_dbg/sql/sql_parse.cc:8036
#15 0x000055e035243422 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14dc20000db8, packet=packet@entry=0x14dc2000b6d9 "", packet_length=packet_length@entry=9, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1364
#16 0x000055e035245b2c in do_command (thd=0x14dc20000db8, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407
#17 0x000055e0353a53c0 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55e038f39a38, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1418
#18 0x000055e0353a58c9 in handle_one_connection (arg=0x55e038f39a38) at /test/10.10_dbg/sql/sql_connect.cc:1312
#19 0x000014dcc10ea609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#20 0x000014dcc0cd6133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.10.0 081a284712bb661349e2e3802077b12211cede3e (Optimized)

Core was generated by `/test/MD310522-mariadb-10.10.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00005562d6eb2806 in bitmap_clear_bit (map=0x5562d8036e90 <temp_pool>, 
    bit=<optimized out>) at /test/10.10_opt/include/my_bitmap.h:100
[Current thread is 1 (Thread 0x14f6dd9fe700 (LWP 2210465))]
(gdb) bt
#0  0x00005562d6eb2806 in bitmap_clear_bit (map=0x5562d8036e90 <temp_pool>, bit=<optimized out>) at /test/10.10_opt/include/my_bitmap.h:100
#1  temp_pool_clear_bit (bit=<optimized out>) at /test/10.10_opt/sql/mysqld.cc:652
#2  0x00005562d700bfcf in free_tmp_table (thd=thd@entry=0x14f684000c58, entry=0x14f684021178) at /test/10.10_opt/sql/sql_select.cc:20491
#3  0x00005562d6f46050 in close_thread_tables (thd=thd@entry=0x14f684000c58) at /test/10.10_opt/sql/sql_base.cc:861
#4  0x00005562d7039c7e in mysqld_show_create (thd=thd@entry=0x14f684000c58, table_list=table_list@entry=0x14f68401a980) at /test/10.10_opt/sql/sql_show.cc:1367
#5  0x00005562d6fbb587 in mysql_execute_command (thd=0x14f684000c58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=true) at /test/10.10_opt/sql/sql_parse.cc:4367
#6  0x00005562d6fdbd7a in Prepared_statement::execute (this=0x14f6840167d8, expanded_query=<optimized out>, open_cursor=false) at /test/10.10_opt/sql/sql_prepare.cc:5221
#7  0x00005562d6fdbfa1 in Prepared_statement::execute_loop (packet=<optimized out>, packet_end=<optimized out>, open_cursor=<optimized out>, expanded_query=0x14f6dd9fce90, this=0x14f6840167d8) at /test/10.10_opt/sql/sql_prepare.cc:4644
#8  Prepared_statement::execute_loop (this=0x14f6840167d8, expanded_query=0x14f6dd9fce90, open_cursor=<optimized out>, packet=<optimized out>, packet_end=<optimized out>) at /test/10.10_opt/sql/sql_prepare.cc:4593
#9  0x00005562d6fdc2cb in mysql_sql_stmt_execute (thd=thd@entry=0x14f684000c58) at /test/10.10_opt/sql/sql_prepare.cc:3688
#10 0x00005562d6fbcb66 in mysql_execute_command (thd=0x14f684000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:3960
#11 0x00005562d6faabb5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14f684000c58) at /test/10.10_opt/sql/sql_parse.cc:8036
#12 mysql_parse (thd=0x14f684000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:7958
#13 0x00005562d6fb66ca in dispatch_command (command=COM_QUERY, thd=0x14f684000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.10_opt/sql/sql_class.h:1364
#14 0x00005562d6fb85f2 in do_command (thd=0x14f684000c58, blocking=blocking@entry=true) at /test/10.10_opt/sql/sql_parse.cc:1407
#15 0x00005562d70ce8af in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5562d9221ef8, put_in_cache=put_in_cache@entry=true) at /test/10.10_opt/sql/sql_connect.cc:1418
#16 0x00005562d70ceb8d in handle_one_connection (arg=0x5562d9221ef8) at /test/10.10_opt/sql/sql_connect.cc:1312
#17 0x000014f6fb67b609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x000014f6fb267133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.36 (dbg), 10.3.36 (opt), 10.4.26 (dbg), 10.4.26 (opt), 10.5.17 (dbg), 10.5.17 (opt), 10.6.9 (dbg), 10.6.9 (opt), 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

Comment by Roel Van de Paar [ 2022-06-16 ]

sanja, can you please have a look at why the assert/SIGSEGV is different on 10.7 to 10.10? Thanks

Comment by Alice Sherepa [ 2023-01-16 ]

With ASAN on 10.3, 10.4:

10.3 7a98d232e42b66efc759d584

Version: '10.3.38-MariaDB-debug-log'  
=================================================================
==1479563==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000217c9c at pc 0x55df678ad845 bp 0x7f5431766f90 sp 0x7f5431766f80
READ of size 4 at 0x61d000217c9c thread T27
    #0 0x55df678ad844 in handler::keyread_enabled() /10.3/src/sql/handler.h:3100
    #1 0x55df6787c287 in close_thread_table(THD*, TABLE**) /10.3/src/sql/sql_base.cc:885
    #2 0x55df6787bfac in close_thread_tables(THD*) /10.3/src/sql/sql_base.cc:871
    #3 0x55df67b9dddd in mysqld_show_create(THD*, TABLE_LIST*) /10.3/src/sql/sql_show.cc:1466
    #4 0x55df67a009c1 in mysql_execute_command(THD*) /10.3/src/sql/sql_parse.cc:4304
    #5 0x55df67a6d05e in Prepared_statement::execute(String*, bool) /10.3/src/sql/sql_prepare.cc:5029
    #6 0x55df67a681b0 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /10.3/src/sql/sql_prepare.cc:4457
    #7 0x55df67a6204c in mysql_sql_stmt_execute(THD*) /10.3/src/sql/sql_prepare.cc:3545
    #8 0x55df679fe6fa in mysql_execute_command(THD*) /10.3/src/sql/sql_parse.cc:3887
    #9 0x55df67a1a371 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.3/src/sql/sql_parse.cc:7855
    #10 0x55df679f132e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.3/src/sql/sql_parse.cc:1852
    #11 0x55df679ede4d in do_command(THD*) /10.3/src/sql/sql_parse.cc:1398
    #12 0x55df67dc4556 in do_handle_one_connection(CONNECT*) /10.3/src/sql/sql_connect.cc:1404
    #13 0x55df67dc3e10 in handle_one_connection /10.3/src/sql/sql_connect.cc:1309
    #14 0x55df693fb36c in pfs_spawn_thread /10.3/src/storage/perfschema/pfs.cc:1869
    #15 0x7f5447f25608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #16 0x7f5447e4a132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
0x61d000217c9c is located 540 bytes inside of 1940-byte region [0x61d000217a80,0x61d000218214)
freed by thread T27 here:
    #0 0x7f544887740f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x55df6954924c in free_memory /10.3/src/mysys/safemalloc.c:279
    #2 0x55df69548808 in sf_free /10.3/src/mysys/safemalloc.c:197
    #3 0x55df69516b44 in my_free /10.3/src/mysys/my_malloc.c:223
    #4 0x55df694f31a9 in free_root /10.3/src/mysys/my_alloc.c:421
    #5 0x55df67b341a3 in free_tmp_table(THD*, TABLE*) /10.3/src/sql/sql_select.cc:19245
    #6 0x55df6787baf5 in close_thread_tables(THD*) /10.3/src/sql/sql_base.cc:790
    #7 0x55df67b9dddd in mysqld_show_create(THD*, TABLE_LIST*) /10.3/src/sql/sql_show.cc:1466
    #8 0x55df67a009c1 in mysql_execute_command(THD*) /10.3/src/sql/sql_parse.cc:4304
    #9 0x55df67a6d05e in Prepared_statement::execute(String*, bool) /10.3/src/sql/sql_prepare.cc:5029
    #10 0x55df67a681b0 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /10.3/src/sql/sql_prepare.cc:4457
    #11 0x55df67a6204c in mysql_sql_stmt_execute(THD*) /10.3/src/sql/sql_prepare.cc:3545
    #12 0x55df679fe6fa in mysql_execute_command(THD*) /10.3/src/sql/sql_parse.cc:3887
    #13 0x55df67a1a371 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.3/src/sql/sql_parse.cc:7855
    #14 0x55df679f132e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.3/src/sql/sql_parse.cc:1852
    #15 0x55df679ede4d in do_command(THD*) /10.3/src/sql/sql_parse.cc:1398
    #16 0x55df67dc4556 in do_handle_one_connection(CONNECT*) /10.3/src/sql/sql_connect.cc:1404
    #17 0x55df67dc3e10 in handle_one_connection /10.3/src/sql/sql_connect.cc:1309
    #18 0x55df693fb36c in pfs_spawn_thread /10.3/src/storage/perfschema/pfs.cc:1869
    #19 0x7f5447f25608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
 
previously allocated by thread T27 here:
    #0 0x7f5448877808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55df695481bc in sf_malloc /10.3/src/mysys/safemalloc.c:118
    #2 0x55df6951604d in my_malloc /10.3/src/mysys/my_malloc.c:101
    #3 0x55df694f20ba in alloc_root /10.3/src/mysys/my_alloc.c:251
    #4 0x55df6773873a in Sql_alloc::operator new(unsigned long, st_mem_root*) /10.3/src/sql/sql_alloc.h:39
    #5 0x55df6923335a in myisam_create_handler /10.3/src/storage/myisam/ha_myisam.cc:130
    #6 0x55df6817fb4f in get_new_handler(TABLE_SHARE*, st_mem_root*, handlerton*) /10.3/src/sql/handler.cc:294
    #7 0x55df67cf5277 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /10.3/src/sql/table.cc:3365
    #8 0x55df67881d9d in open_table(THD*, TABLE_LIST*, Open_table_context*) /10.3/src/sql/sql_base.cc:2005
    #9 0x55df67975ed7 in select_create::create_table_from_items(THD*, List<Item>*, st_mysql_lock**, TABLEOP_HOOKS*) /10.3/src/sql/sql_insert.cc:4374
    #10 0x55df67977331 in select_create::prepare(List<Item>&, st_select_lex_unit*) /10.3/src/sql/sql_insert.cc:4541
    #11 0x55df67aaae71 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /10.3/src/sql/sql_select.cc:1431
    #12 0x55df67ac9739 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.3/src/sql/sql_select.cc:4360
    #13 0x55df67a9fa22 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.3/src/sql/sql_select.cc:372
    #14 0x55df67c6e7ab in Sql_cmd_create_table_like::execute(THD*) /10.3/src/sql/sql_table.cc:11454
    #15 0x55df67a0e0c1 in mysql_execute_command(THD*) /10.3/src/sql/sql_parse.cc:6076
    #16 0x55df67a1a371 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.3/src/sql/sql_parse.cc:7855
    #17 0x55df679f132e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.3/src/sql/sql_parse.cc:1852
    #18 0x55df679ede4d in do_command(THD*) /10.3/src/sql/sql_parse.cc:1398
    #19 0x55df67dc4556 in do_handle_one_connection(CONNECT*) /10.3/src/sql/sql_connect.cc:1404
    #20 0x55df67dc3e10 in handle_one_connection /10.3/src/sql/sql_connect.cc:1309
    #21 0x55df693fb36c in pfs_spawn_thread /10.3/src/storage/perfschema/pfs.cc:1869
    #22 0x7f5447f25608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
 
Thread T27 created by T0 here:
    #0 0x7f54487a4815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x55df693fb75d in spawn_thread_v1 /10.3/src/storage/perfschema/pfs.cc:1919
    #2 0x55df677124b7 in inline_mysql_thread_create /10.3/src/include/mysql/psi/mysql_thread.h:1275
    #3 0x55df6772b171 in create_thread_to_handle_connection(CONNECT*) /10.3/src/sql/mysqld.cc:6672
    #4 0x55df6772b90c in create_new_thread /10.3/src/sql/mysqld.cc:6742
    #5 0x55df6772ca9e in handle_connections_sockets() /10.3/src/sql/mysqld.cc:7000
    #6 0x55df6772a462 in mysqld_main(int, char**) /10.3/src/sql/mysqld.cc:6294
    #7 0x55df67710bdc in main /10.3/src/sql/main.cc:25
    #8 0x7f5447d4f082 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /10.3/src/sql/handler.h:3100 in handler::keyread_enabled()
==1479563==ABORTING

Generated at Thu Feb 08 09:44:31 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.