[#MDEV-27240] SIGSEGV in ha_spider::store

[MDEV-27240] SIGSEGV in ha_spider::store_lock on LOCK TABLE Created: 2021-12-12 Updated: 2022-11-07 Resolved: 2022-01-15
Status:	Closed
Project:	MariaDB Server
Component/s:	Locking, Storage Engine - Spider
Affects Version/s:	10.5, 10.6, 10.7, 10.8
Fix Version/s:	10.5.14, 10.6.6, 10.7.2

Type:

Bug

Priority:

Critical

Reporter:

Roel Van de Paar

Assignee:

Nayuta Yanagisawa (Inactive)

Resolution:

Fixed

Votes:

Labels:

not-10.2, not-10.3, not-10.4, regression, spider

Issue Links:

Blocks
Duplicate
duplicates	~~MDEV-27404~~	SIGSEGV in rbt_free_node, hang in 'cl...	Closed
is duplicated by	~~MDEV-27171~~	Spider: SIGSEGV in spider_set_direct_...	Closed
is duplicated by	~~MDEV-27388~~	SIGSEGV in spider_set_direct_limit_of...	Closed
is duplicated by	~~MDEV-27522~~	SIGSEGV in spider_set_direct_limit_of...	Closed
Problem/Incident
is caused by	MDEV-19002	Partition performance optimization	Stalled
Relates
relates to	~~MDEV-24769~~	Spider crash when selecting all rows ...	Closed
relates to	MDEV-27334	Assertion `!is_set() \|\| (m_status == ...	Open
relates to	~~MDEV-27526~~	Spider: SIGSEGV in ha_spider::lock_ta...	Closed
relates to	~~MDEV-29963~~	SIGSEGV in spider_db_mbase::append_lo...	Closed
relates to	~~MDEV-24769~~	Spider crash when selecting all rows ...	Closed
relates to	MDEV-27369	Renaming Spider table fails due to ER...	Stalled

Description

Note the different stacks across versions.

INSTALL PLUGIN spider SONAME 'ha_spider.so';

CREATE TABLE t2 (a INT KEY) ENGINE=SPIDER;

SELECT a.z FROM t2 AS a,t2 b WHERE a.z=b.z;

CREATE TABLE t (a INT);

ALTER TABLE t2 CHANGE c c INT;

LOCK TABLE t WRITE,t2 READ;

Leads to:

10.7.2 979b23d5bfb11bb698ea65c9468b374978737ec0 (Debug)
Core was generated by `/test/MD121221-mariadb-10.7.2-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000014c29c14becf in ha_spider::store_lock (this=0x14c2100c9de0,
thd=<optimized out>, to=0x14c2100b1418, lock_type=TL_READ_NO_INSERT)
at /test/10.7_dbg/storage/spider/ha_spider.cc:1178
1178 if (unlikely((store_error_num =
[Current thread is 1 (Thread 0x14c2a89a5700 (LWP 3053893))]
(gdb) bt
#0 0x000014c29c14becf in ha_spider::store_lock (this=0x14c2100c9de0, thd=<optimized out>, to=0x14c2100b1418, lock_type=TL_READ_NO_INSERT) at /test/10.7_dbg/storage/spider/ha_spider.cc:1178
#1 0x0000558c6a6be05a in get_lock_data (thd=thd@entry=0x14c210000db8, table_ptr=table_ptr@entry=0x14c210014e68, count=count@entry=2, flags=flags@entry=1) at /test/10.7_dbg/sql/lock.cc:809
#2 0x0000558c6a6be618 in mysql_lock_tables (thd=thd@entry=0x14c210000db8, tables=tables@entry=0x14c210014e68, count=count@entry=2, flags=flags@entry=0) at /test/10.7_dbg/sql/lock.cc:298
#3 0x0000558c6a1a66ca in lock_tables (thd=thd@entry=0x14c210000db8, tables=0x14c210013ea0, count=<optimized out>, flags=flags@entry=0) at /test/10.7_dbg/sql/sql_base.cc:5559
#4 0x0000558c6a2357d2 in lock_tables_open_and_lock_tables (thd=thd@entry=0x14c210000db8, tables=<optimized out>) at /test/10.7_dbg/sql/sql_parse.cc:2958
#5 0x0000558c6a241c4a in mysql_execute_command (thd=thd@entry=0x14c210000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.7_dbg/sql/sql_parse.cc:5124
#6 0x0000558c6a22ae0f in mysql_parse (thd=thd@entry=0x14c210000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14c2a89a4400) at /test/10.7_dbg/sql/sql_parse.cc:8028
#7 0x0000558c6a239aab in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14c210000db8, packet=packet@entry=0x14c21000b879 "LOCK TABLE t WRITE,t2 READ", packet_length=packet_length@entry=26, blocking=blocking@entry=true) at /test/10.7_dbg/sql/sql_class.h:1360
#8 0x0000558c6a23ceea in do_command (thd=0x14c210000db8, blocking=blocking@entry=true) at /test/10.7_dbg/sql/sql_parse.cc:1402
#9 0x0000558c6a3b6902 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x558c6c8f4ae8, put_in_cache=put_in_cache@entry=true) at /test/10.7_dbg/sql/sql_connect.cc:1418
#10 0x0000558c6a3b6f07 in handle_one_connection (arg=arg@entry=0x558c6c8f4ae8) at /test/10.7_dbg/sql/sql_connect.cc:1312
#11 0x0000558c6a83733e in pfs_spawn_thread (arg=0x558c6c8084c8) at /test/10.7_dbg/storage/perfschema/pfs.cc:2201
#12 0x000014c2b3118609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#13 0x000014c2b2d06293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.5.14 88b339805d7a9ddebc3fd61e9dee83270dbf474d (Optimized)
Core was generated by `/test/MD121221-mariadb-10.5.14-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000014dcac134f47 in ha_spider::store_lock (lock_type=TL_READ_NO_INSERT,
to=0x14dc100574f8, thd=<optimized out>, this=0x14dc1007ae30)
at /test/10.5_opt/storage/spider/ha_spider.cc:1178
1178 if (unlikely((store_error_num =
[Current thread is 1 (Thread 0x14dcac917700 (LWP 3053217))]
(gdb) bt
#0 0x000014dcac134f47 in ha_spider::store_lock (lock_type=TL_READ_NO_INSERT, to=0x14dc100574f8, thd=<optimized out>, this=0x14dc1007ae30) at /test/10.5_opt/storage/spider/ha_spider.cc:1178
#1 ha_spider::store_lock (this=0x14dc1007ae30, thd=<optimized out>, to=0x14dc100574f8, lock_type=TL_READ_NO_INSERT) at /test/10.5_opt/storage/spider/ha_spider.cc:1042
#2 0x0000563f90a0d532 in get_lock_data (thd=thd@entry=0x14dc10000c58, table_ptr=table_ptr@entry=0x14dc10011488, count=count@entry=2, flags=<optimized out>) at /test/10.5_opt/sql/lock.cc:809
#3 0x0000563f90a0d7f9 in mysql_lock_tables (thd=thd@entry=0x14dc10000c58, tables=0x14dc10011488, count=count@entry=2, flags=flags@entry=0) at /test/10.5_opt/sql/lock.cc:298
#4 0x0000563f90678e5f in lock_tables (thd=thd@entry=0x14dc10000c58, tables=tables@entry=0x14dc100104d0, count=<optimized out>, flags=flags@entry=0) at /test/10.5_opt/sql/sql_base.cc:5512
#5 0x0000563f906df414 in lock_tables_open_and_lock_tables (thd=thd@entry=0x14dc10000c58, tables=<optimized out>) at /test/10.5_opt/sql/sql_parse.cc:3024
#6 0x0000563f906eafab in mysql_execute_command (thd=0x14dc10000c58) at /test/10.5_opt/sql/sql_parse.cc:5185
#7 0x0000563f906d6243 in mysql_parse (thd=0x14dc10000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_parse.cc:8100
#8 0x0000563f906e305d in dispatch_command (command=COM_QUERY, thd=0x14dc10000c58, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_class.h:1290
#9 0x0000563f906e5832 in do_command (thd=0x14dc10000c58) at /test/10.5_opt/sql/sql_parse.cc:1370
#10 0x0000563f907ed2e1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x563f92eee4b8, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1418
#11 0x0000563f907ed75d in handle_one_connection (arg=arg@entry=0x563f92eee4b8) at /test/10.5_opt/sql/sql_connect.cc:1312
#12 0x0000563f90b7d999 in pfs_spawn_thread (arg=0x563f92e5c908) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
#13 0x000014dcb8272609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#14 0x000014dcb7e60293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.8.0 ccdf5711a8fff0cd610a91fdcf37c8ff1182878c (Optimized)
Core was generated by `/test/MD121221-mariadb-10.8.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000148c0417026d in ha_spider::lock_tables (this=0x148b94047530)
at /test/10.8_opt/storage/spider/ha_spider.cc:16358
16358 if (!conns[search_link_idx])
[Current thread is 1 (Thread 0x148c0474c700 (LWP 3053251))]
(gdb) bt
#0 0x0000148c0417026d in ha_spider::lock_tables (this=0x148b94047530) at /test/10.8_opt/storage/spider/ha_spider.cc:16358
#1 0x0000148c04170744 in ha_spider::external_lock (this=0x148b9407d830, thd=<optimized out>, lock_type=<optimized out>) at /test/10.8_opt/storage/spider/ha_spider.cc:1342
#2 0x000055accaf51484 in handler::ha_external_lock (this=0x148b9407d830, thd=thd@entry=0x148b94000c58, lock_type=lock_type@entry=0) at /test/10.8_opt/sql/handler.cc:7042
#3 0x000055accb069c69 in lock_external (count=<optimized out>, tables=0x148b94061510, thd=0x148b94000c58) at /test/10.8_opt/sql/lock.cc:393
#4 mysql_lock_tables (thd=0x148b94000c58, sql_lock=0x148b940614d8, flags=<optimized out>) at /test/10.8_opt/sql/lock.cc:338
#5 0x000055accb06a98f in mysql_lock_tables (thd=thd@entry=0x148b94000c58, tables=0x148b94011948, count=count@entry=2, flags=flags@entry=0) at /test/10.8_opt/sql/lock.cc:301
#6 0x000055accac916f3 in lock_tables (thd=thd@entry=0x148b94000c58, tables=tables@entry=0x148b94010980, count=<optimized out>, flags=flags@entry=0) at /test/10.8_opt/sql/sql_base.cc:5559
#7 0x000055accacfc2b4 in lock_tables_open_and_lock_tables (thd=thd@entry=0x148b94000c58, tables=<optimized out>) at /test/10.8_opt/sql/sql_parse.cc:2958
#8 0x000055accad074e7 in mysql_execute_command (thd=0x148b94000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.8_opt/sql/sql_parse.cc:5124
#9 0x000055accacf3986 in mysql_parse (thd=0x148b94000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.8_opt/sql/sql_parse.cc:8028
#10 0x000055accacffb35 in dispatch_command (command=COM_QUERY, thd=0x148b94000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.8_opt/sql/sql_class.h:1360
#11 0x000055accad01d27 in do_command (thd=0x148b94000c58, blocking=blocking@entry=true) at /test/10.8_opt/sql/sql_parse.cc:1402
#12 0x000055accae202e7 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/10.8_opt/sql/sql_connect.cc:1418
#13 0x000055accae2062d in handle_one_connection (arg=arg@entry=0x55acceae5be8) at /test/10.8_opt/sql/sql_connect.cc:1312
#14 0x000055accb18e5d8 in pfs_spawn_thread (arg=0x55accea9d218) at /test/10.8_opt/storage/perfschema/pfs.cc:2201
#15 0x0000148c0fe85609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#16 0x0000148c0fa73293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.5.14 (dbg), 10.5.14 (opt), 10.6.6 (dbg), 10.6.6 (opt), 10.7.2 (dbg), 10.7.2 (opt), 10.8.0 (dbg), 10.8.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.42 (dbg), 10.2.42 (opt), 10.3.33 (dbg), 10.3.33 (opt), 10.4.23 (dbg), 10.4.23 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.36 (dbg), 5.7.36 (opt), 8.0.27 (dbg), 8.0.27 (opt)

Comments

Comment by Roel Van de Paar [ 2021-12-12 ]

UnqiueID's across versions

SIGSEGV|ha_spider::lock_tables|ha_spider::external_lock|handler::ha_external_lock|lock_external

SIGSEGV|ha_spider::store_lock|get_lock_data|mysql_lock_tables|lock_tables

SIGSEGV|ha_spider::store_lock|ha_spider::store_lock|get_lock_data|mysql_lock_tables

Comment by Nayuta Yanagisawa (Inactive) [ 2021-12-16 ]

Observation: In the test case above, ha_spider::partition_handler_share is freed and nullified by ha_spider::close() (and ha_spider::~ha_spider()) at the end of ALTER TABLE execution. However, the attribute is accessed during the execution of the last LOCK TABLE.

Comment by Nayuta Yanagisawa (Inactive) [ 2021-12-16 ]

The bug seems to be introduced by MDEV-19002.

Comment by Nayuta Yanagisawa (Inactive) [ 2021-12-16 ]

By the below debugging by rr-debugger, we can now see that ...

partition_handler_share is referenced by two different ha_spider, 0x7f2d7415f7e0 and 0x7f2d740ed3b0;
ha_spider::close() is called for the latter ha_spider and the partition_handler_share is freed in the function;
ha_spider::store_lock() is called for the former ha_spider and the partition_handler_share is dereferenced (SIGSEGV !).

...Thread 2 received signal SIGSEGV, Segmentation fault.

0x00007f2d80264203 in ha_spider::store_lock (this=0x7f2d7415f7e0, thd=0x7f2d74002b08, to=0x7f2d7403d130, lock_type=TL_READ_NO_INSERT)

    at /home/nayuta_mariadb/repo/mariadb-server/10.5/storage/spider/ha_spider.cc:1178

1178                if (unlikely((store_error_num =

(rr) watch -l partition_handler_share->handlers

Hardware watchpoint 4: -location partition_handler_share->handlers

(rr) rc

Continuing.

…

Thread 2 hit Hardware watchpoint 4: -location partition_handler_share->handlers

Old value = (ha_spider **) 0x8f8f8f8f8f8f8f8f

New value = (ha_spider **) 0x0

0x00007f2d9473a419 in ?? () from /lib/x86_64-linux-gnu/libc.so.6

(rr) bt

#0  0x00007f2d9473a419 in ?? () from /lib/x86_64-linux-gnu/libc.so.6

#1  0x000056243c4e7ef1 in free_memory (ptr=0x7f2d741474c0) at /home/nayuta_mariadb/repo/mariadb-server/10.5/mysys/safemalloc.c:279

#2  0x000056243c4e7ba7 in sf_free (ptr=0x7f2d741474c0) at /home/nayuta_mariadb/repo/mariadb-server/10.5/mysys/safemalloc.c:198

#3  0x000056243c4d4eed in my_free (ptr=0x7f2d741474d8) at /home/nayuta_mariadb/repo/mariadb-server/10.5/mysys/my_malloc.c:211

#4  0x00007f2d802525ca in spider_free_mem (trx=0x7f2d740ee788, ptr=0x7f2d741474e8, my_flags=0)

    at /home/nayuta_mariadb/repo/mariadb-server/10.5/storage/spider/spd_malloc.cc:188

#5  0x00007f2d80263195 in ha_spider::close (this=0x7f2d740ed3b0) at /home/nayuta_mariadb/repo/mariadb-server/10.5/storage/spider/ha_spider.cc:785

#6  0x000056243bbb70bf in handler::ha_close (this=0x7f2d740ed3b0) at /home/nayuta_mariadb/repo/mariadb-server/10.5/sql/handler.cc:3066

#7  0x000056243b98a2ee in closefrm (table=0x7f2d740fdce8) at /home/nayuta_mariadb/repo/mariadb-server/10.5/sql/table.cc:4346

#8  0x000056243bad5a34 in intern_close_table (table=0x7f2d740fdce8) at /home/nayuta_mariadb/repo/mariadb-server/10.5/sql/table_cache.cc:220

#9  0x000056243bad5bd3 in tc_remove_table (table=0x7f2d740fdce8) at /home/nayuta_mariadb/repo/mariadb-server/10.5/sql/table_cache.cc:258

#10 0x000056243bad6784 in tc_release_table (table=0x7f2d740fdce8) at /home/nayuta_mariadb/repo/mariadb-server/10.5/sql/table_cache.cc:449

#11 0x000056243b78cd57 in close_thread_table (thd=0x7f2d74002b08, table_ptr=0x7f2d74002be8) at /home/nayuta_mariadb/repo/mariadb-server/10.5/sql/sql_base.cc:977

#12 0x000056243b78c98e in close_thread_tables (thd=0x7f2d74002b08) at /home/nayuta_mariadb/repo/mariadb-server/10.5/sql/sql_base.cc:919

#13 0x000056243b846183 in mysql_execute_command (thd=0x7f2d74002b08) at /home/nayuta_mariadb/repo/mariadb-server/10.5/sql/sql_parse.cc:6122

#14 0x000056243b84bcd5 in mysql_parse (thd=0x7f2d74002b08, rawbuf=0x7f2d74017890 "ALTER TABLE t2 CHANGE c c INT", length=29, parser_state=0x7f2d806af3f0,

    is_com_multi=false, is_next_command=false) at /home/nayuta_mariadb/repo/mariadb-server/10.5/sql/sql_parse.cc:8100

#15 0x000056243b837c55 in dispatch_command (command=COM_QUERY, thd=0x7f2d74002b08, packet=0x7f2d7400efa9 "ALTER TABLE t2 CHANGE c c INT", packet_length=29,

    is_com_multi=false, is_next_command=false) at /home/nayuta_mariadb/repo/mariadb-server/10.5/sql/sql_parse.cc:1891

#16 0x000056243b83644d in do_command (thd=0x7f2d74002b08) at /home/nayuta_mariadb/repo/mariadb-server/10.5/sql/sql_parse.cc:1370

#17 0x000056243b9e8265 in do_handle_one_connection (connect=0x56243f09e1c8, put_in_cache=true) at /home/nayuta_mariadb/repo/mariadb-server/10.5/sql/sql_connect.cc:1418

#18 0x000056243b9e7f1b in handle_one_connection (arg=0x56243f09e1c8) at /home/nayuta_mariadb/repo/mariadb-server/10.5/sql/sql_connect.cc:1312

#19 0x000056243bf0f370 in pfs_spawn_thread (arg=0x56243f078728) at /home/nayuta_mariadb/repo/mariadb-server/10.5/storage/perfschema/pfs.cc:2201

#20 0x00007f2d94b35450 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0

#21 0x00007f2d946ced53 in clone () from /lib/x86_64-linux-gnu/libc.so.6

(rr) rc

Continuing.

Thread 2 hit Hardware watchpoint 3: -location partition_handler_share

Old value = (SPIDER_PARTITION_HANDLER_SHARE *) 0x7f2d741474e8

New value = (SPIDER_PARTITION_HANDLER_SHARE *) 0x0

0x00007f2d80261697 in ha_spider::open (this=0x7f2d7415f7e0, name=0x7f2d740ff1f8 "./auto_test_local/t2", mode=2, test_if_locked=18)

    at /home/nayuta_mariadb/repo/mariadb-server/10.5/storage/spider/ha_spider.cc:454

454         if (!(partition_handler_share = (SPIDER_PARTITION_HANDLER_SHARE*)

Comment by Nayuta Yanagisawa (Inactive) [ 2021-12-16 ]

The table t in the above test case is nothing to do with the present bug. So, the following is enough:

INSTALL PLUGIN spider SONAME 'ha_spider.so';

CREATE TABLE t2 (a INT KEY) ENGINE=SPIDER;

SELECT a.z FROM t2 AS a,t2 b WHERE a.z=b.z;

ALTER TABLE t2 CHANGE c c INT;

LOCK TABLE t2 READ;

Comment by Nayuta Yanagisawa (Inactive) [ 2021-12-16 ]

The corresponding MTR test case:

storage/spider/mysql-test/spider/bugfix/t/mdev_27240.test
--disable_query_log
--disable_result_log
--source ../../t/test_init.inc
--enable_result_log
--enable_query_log

CREATE DATABASE auto_test_local;
USE auto_test_local;

CREATE TABLE t2 (a INT KEY) ENGINE=SPIDER;
--error 1054
SELECT a.z FROM t2 AS a,t2 b WHERE a.z=b.z;
--error 1054
ALTER TABLE t2 CHANGE c c INT;
LOCK TABLE t2 READ;

DROP DATABASE auto_test_local;

--disable_query_log
--disable_result_log
--source ../../t/test_deinit.inc
--enable_result_log
--enable_query_log

storage/spider/mysql-test/spider/bugfix/t/mdev_27240.cnf
!include include/default_mysqld.cnf
!include ../my_1_1.cnf

Comment by Nayuta Yanagisawa (Inactive) [ 2021-12-17 ]

The root cause of the bug seems to be that Spider stores the partition_handler_share in the wide_share->pt_handler_hash and shares it between different ha_spider.

A problematic senario is that multiple ha_spider refer the partition_handler_share and then it is deleted from the hash and freed by the owner (at ha_spider::close()). In that case, non-owner ha_spider may keep the partition_handler_share and this results in the use-after-free.

Here are possible solutions for this problem:

Stop sharing partition_handler_share (if we did so, the attribute name became so inconsistent);
Or, stop freeing partition_handler_share at ha_spider::close() (v10.4 or lower do this. Leak?).
Or, use the smart shared pointer for partition_handler_share and let it be automatically freed.
- If we adopted this way, the concept "owner" might not be no longer necessary.

Comment by Nayuta Yanagisawa (Inactive) [ 2021-12-20 ]

Another solution: Do not allocate partition_handler_share for non-partitioned tables. partition_handler_share seems to be for partitioned tables.

Comment by Nayuta Yanagisawa (Inactive) [ 2021-12-20 ]

Do not allocate partition_handler_share for non-partitioned tables. partition_handler_share seems to be for partitioned tables.

This seems to work. In fact, the following an makeshift patch fixes the problem (of course, I will refactor it):
https://github.com/MariaDB/server/commit/fa1c45ff6d3e85407f99ea02bda3d758669b1f73

Comment by Nayuta Yanagisawa (Inactive) [ 2021-12-20 ]

The above patch seems to also fix ~~MDEV-27171~~. However, the patch only covers the non-partitioned tables and thus it may not fix MDEV-19002.

Comment by Nayuta Yanagisawa (Inactive) [ 2021-12-20 ]

A slightly refined one: https://github.com/MariaDB/server/commit/c5b466bcf00fd3eeb1ac9a8664ee3558001f43fb

Comment by Nayuta Yanagisawa (Inactive) [ 2021-12-21 ]

holyfoot Please review: https://github.com/MariaDB/server/commit/82b74a0e7cfb7082e7bef3840df5d172fe6cc834

Comment by Roel Van de Paar [ 2021-12-21 ]

Found another testcase with a different stack.

INSTALL PLUGIN spider SONAME 'ha_spider.so';

CREATE TABLE t (c TIME,c2 BLOB) ENGINE=SPIDER PARTITION BY LIST COLUMNS (c) (PARTITION p DEFAULT ENGINE=SPIDER);

CREATE TRIGGER t AFTER INSERT ON t FOR EACH ROW INSERT INTO t VALUES (0);

ALTER TABLE t ALGORITHM=INPLACE,ADD KEY(y);

INSERT INTO t VALUES (0);

CREATE TABLE s (b CHAR,INDEX (b)) DEFAULT CHARSET=sjis ENGINE=InnoDB;

ALTER TABLE t CHANGE COLUMN d d INT;

LOCK TABLE t WRITE;

Leads to:

10.8.0 ccdf5711a8fff0cd610a91fdcf37c8ff1182878c (Optimized)
Core was generated by `/test/MD121221-mariadb-10.8.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000014b006154037 in ha_spider::store_lock (lock_type=TL_WRITE,
to=0x14af70099ed8, thd=<optimized out>, this=0x14af70088e30)
at /test/10.8_opt/storage/spider/ha_spider.cc:1178
1178 if (unlikely((store_error_num =
[Current thread is 1 (Thread 0x14b01c09c700 (LWP 1659062))]
(gdb) bt
#0 0x000014b006154037 in ha_spider::store_lock (lock_type=TL_WRITE, to=0x14af70099ed8, thd=<optimized out>, this=0x14af70088e30) at /test/10.8_opt/storage/spider/ha_spider.cc:1178
#1 ha_spider::store_lock (this=0x14af70088e30, thd=<optimized out>, to=0x14af70099ed8, lock_type=TL_WRITE) at /test/10.8_opt/storage/spider/ha_spider.cc:1042
#2 0x00005575c843ac88 in ha_partition::store_lock (lock_type=TL_WRITE, to=0x14af70099ed8, thd=0x14af70000c58, this=0x14af700885f0) at /test/10.8_opt/sql/ha_partition.cc:4203
#3 ha_partition::store_lock (this=0x14af700885f0, thd=0x14af70000c58, to=<optimized out>, lock_type=TL_WRITE) at /test/10.8_opt/sql/ha_partition.cc:4173
#4 0x00005575c832967b in get_lock_data (thd=thd@entry=0x14af70000c58, table_ptr=table_ptr@entry=0x14af70012348, count=count@entry=2, flags=<optimized out>) at /test/10.8_opt/sql/lock.cc:809
#5 0x00005575c8329979 in mysql_lock_tables (thd=thd@entry=0x14af70000c58, tables=0x14af70012348, count=count@entry=2, flags=flags@entry=0) at /test/10.8_opt/sql/lock.cc:298
#6 0x00005575c7f506f3 in lock_tables (thd=thd@entry=0x14af70000c58, tables=tables@entry=0x14af70010970, count=<optimized out>, flags=flags@entry=0) at /test/10.8_opt/sql/sql_base.cc:5559
#7 0x00005575c7fbb2b4 in lock_tables_open_and_lock_tables (thd=thd@entry=0x14af70000c58, tables=<optimized out>) at /test/10.8_opt/sql/sql_parse.cc:2958
#8 0x00005575c7fc64e7 in mysql_execute_command (thd=0x14af70000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.8_opt/sql/sql_parse.cc:5124
#9 0x00005575c7fb2986 in mysql_parse (thd=0x14af70000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.8_opt/sql/sql_parse.cc:8028
#10 0x00005575c7fbeb35 in dispatch_command (command=COM_QUERY, thd=0x14af70000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.8_opt/sql/sql_class.h:1360
#11 0x00005575c7fc0d27 in do_command (thd=0x14af70000c58, blocking=blocking@entry=true) at /test/10.8_opt/sql/sql_parse.cc:1402
#12 0x00005575c80df2e7 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/10.8_opt/sql/sql_connect.cc:1418
#13 0x00005575c80df62d in handle_one_connection (arg=arg@entry=0x5575cb7c2658) at /test/10.8_opt/sql/sql_connect.cc:1312
#14 0x00005575c844d5d8 in pfs_spawn_thread (arg=0x5575cb7c26c8) at /test/10.8_opt/storage/perfschema/pfs.cc:2201
#15 0x000014b0253d4609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#16 0x000014b024fc2293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.4.23 (dbg), 10.5.14 (dbg), 10.5.14 (opt), 10.6.6 (dbg), 10.7.2 (dbg), 10.7.2 (opt), 10.8.0 (dbg), 10.8.0 (opt) - Please read note below on difference opt/dbg

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.42 (dbg), 10.2.42 (opt), 10.3.33 (dbg), 10.3.33 (opt), 10.4.23 (opt), 10.6.6 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.36 (dbg), 5.7.36 (opt), 8.0.27 (dbg), 8.0.27 (opt)

*NOTE: *For the debug builds, it actually crashes earlier (on the CREATE TRIGGER) and that was just logged as MDEV-27334. So this particular test case, could in a way be seen as "opt" (optimized builds) only.

Comment by Nayuta Yanagisawa (Inactive) [ 2022-01-11 ]

holyfoot Let me withdraw the patch. I'd like to try to cover the case of partitioned tables.

Comment by Nayuta Yanagisawa (Inactive) [ 2022-01-12 ]

holyfoot https://github.com/MariaDB/server/commit/634e392a4f1410ac3c65b728b4a4650af5df626a

Comment by Nayuta Yanagisawa (Inactive) [ 2022-01-13 ]

holyfoot I pushed a slightly modified version of the above patch. Sorry if I'm making you do the review twice. However, the direction of the revision has not changed at all. Only the cleanup is added.https://github.com/MariaDB/server/commit/f51cb16ed3ddddb05d7f02bda34f937d9c8fdb91

Comment by Alexey Botchkov [ 2022-01-14 ]

ok to push.
Check the comment to the patch.

Comment by Roel Van de Paar [ 2022-01-16 ]

Found another testcase with slightly different stack. For debug, it runs into the ~~MDEV-27239~~ assert. nayuta-yanagisawa assume it is the same bug?

INSTALL PLUGIN spider SONAME 'ha_spider.so';

CREATE TABLE t (c INT KEY,c2 INT,INDEX i (c2)) ENGINE=SPIDER;

ALTER TABLE t ADD c4 TIME AFTER c2;

FLUSH TABLE t WITH READ LOCK;

invalid;

START TRANSACTION WITH CONSISTENT SNAPSHOT,READ ONLY;

Leads to:

10.7.2 c669e764d86a5b575df41d287947816878e21697 (Optimized)
Core was generated by `/test/MD150122-mariadb-10.7.2-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000014c67014f2f1 in ha_spider::lock_tables (
this=this@entry=0x14c5f805c970)
at /test/10.7_opt/storage/spider/ha_spider.cc:16410
16410 if (
[Current thread is 1 (Thread 0x14c6840ad700 (LWP 1287155))]
(gdb) bt
#0 0x000014c67014f2f1 in ha_spider::lock_tables (this=this@entry=0x14c5f805c970) at /test/10.7_opt/storage/spider/ha_spider.cc:16410
#1 0x000014c67014f808 in ha_spider::external_lock (this=0x14c5f805c970, thd=<optimized out>, lock_type=2) at /test/10.7_opt/storage/spider/ha_spider.cc:1350
#2 0x00005604afadeef4 in handler::ha_external_lock (this=0x14c5f805c970, thd=thd@entry=0x14c5f8000c58, lock_type=lock_type@entry=2) at /test/10.7_opt/sql/handler.cc:7042
#3 0x00005604afbf733a in handler::ha_external_unlock (thd=0x14c5f8000c58, this=<optimized out>) at /test/10.7_opt/sql/handler.h:3515
#4 unlock_external (count=<optimized out>, table=0x14c5f806d288, thd=0x14c5f8000c58) at /test/10.7_opt/sql/lock.cc:727
#5 mysql_unlock_tables (thd=0x14c5f8000c58, sql_lock=0x14c5f806d258, free_lock=<optimized out>) at /test/10.7_opt/sql/lock.cc:432
#6 0x00005604afbf79b8 in mysql_unlock_tables (thd=thd@entry=0x14c5f8000c58, sql_lock=<optimized out>) at /test/10.7_opt/sql/lock.cc:415
#7 0x00005604af81c5c5 in close_thread_tables (thd=thd@entry=0x14c5f8000c58) at /test/10.7_opt/sql/sql_base.cc:913
#8 0x00005604af81d38b in Locked_tables_list::unlock_locked_tables (thd=0x14c5f8000c58, this=0x14c5f8004cc0) at /test/10.7_opt/sql/sql_base.cc:2378
#9 Locked_tables_list::unlock_locked_tables (this=this@entry=0x14c5f8004cc0, thd=thd@entry=0x14c5f8000c58) at /test/10.7_opt/sql/sql_base.cc:2349
#10 0x00005604af9beffc in trans_begin (thd=thd@entry=0x14c5f8000c58, flags=3) at /test/10.7_opt/sql/transaction.cc:115
#11 0x00005604af893cca in mysql_execute_command (thd=0x14c5f8000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.7_opt/sql/sql_parse.cc:5596
#12 0x00005604af8828c6 in mysql_parse (thd=0x14c5f8000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.7_opt/sql/sql_parse.cc:8027
#13 0x00005604af88ea75 in dispatch_command (command=COM_QUERY, thd=0x14c5f8000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.7_opt/sql/sql_class.h:1360
#14 0x00005604af890c67 in do_command (thd=0x14c5f8000c58, blocking=blocking@entry=true) at /test/10.7_opt/sql/sql_parse.cc:1402
#15 0x00005604af9af2a7 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/10.7_opt/sql/sql_connect.cc:1418
#16 0x00005604af9af5ed in handle_one_connection (arg=arg@entry=0x5604b26d6708) at /test/10.7_opt/sql/sql_connect.cc:1312
#17 0x00005604afd1c168 in pfs_spawn_thread (arg=0x5604b268e138) at /test/10.7_opt/storage/perfschema/pfs.cc:2201
#18 0x000014c68f9e7609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#19 0x000014c68f5d5293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.8.0 347f6d01e3b570dce49aa1ab42cb83021905a14d (Debug)
mysqld: /test/10.8_dbg/sql/handler.cc:1635: int ha_commit_trans(THD*, bool): Assertion `thd->transaction->stmt.ha_list == __null \|\| trans == &thd->transaction->stmt' failed.

10.8.0 347f6d01e3b570dce49aa1ab42cb83021905a14d (Debug)
Core was generated by `/test/MD150122-mariadb-10.8.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x147bf00ef700 (LWP 1288098))]
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x0000147bf24aa859 in __GI_abort () at abort.c:79
#2 0x0000147bf24aa729 in __assert_fail_base (fmt=0x147bf2640588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5626afed1a30 "thd->transaction->stmt.ha_list == __null \|\| trans == &thd->transaction->stmt", file=0x5626afed0203 "/test/10.8_dbg/sql/handler.cc", line=1635, function=<optimized out>) at assert.c:92
#3 0x0000147bf24bbf36 in __GI___assert_fail (assertion=assertion@entry=0x5626afed1a30 "thd->transaction->stmt.ha_list == __null \|\| trans == &thd->transaction->stmt", file=file@entry=0x5626afed0203 "/test/10.8_dbg/sql/handler.cc", line=line@entry=1635, function=function@entry=0x5626afed3fa0 "int ha_commit_trans(THD*, bool)") at assert.c:101
#4 0x00005626af384a82 in ha_commit_trans (thd=thd@entry=0x147b4c000db8, all=all@entry=true) at /test/10.8_dbg/sql/handler.cc:1635
#5 0x00005626af1fc79d in trans_begin (thd=thd@entry=0x147b4c000db8, flags=3) at /test/10.8_dbg/sql/transaction.cc:127
#6 0x00005626af07330b in mysql_execute_command (thd=thd@entry=0x147b4c000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.8_dbg/sql/sql_parse.cc:5596
#7 0x00005626af05af05 in mysql_parse (thd=thd@entry=0x147b4c000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x147bf00ee400) at /test/10.8_dbg/sql/sql_parse.cc:8027
#8 0x00005626af069ba1 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x147b4c000db8, packet=packet@entry=0x147b4c00b879 "START TRANSACTION WITH CONSISTENT SNAPSHOT,READ ONLY", packet_length=packet_length@entry=52, blocking=blocking@entry=true) at /test/10.8_dbg/sql/sql_class.h:1360
#9 0x00005626af06cfe8 in do_command (thd=0x147b4c000db8, blocking=blocking@entry=true) at /test/10.8_dbg/sql/sql_parse.cc:1402
#10 0x00005626af1e69cc in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5626b340f288, put_in_cache=put_in_cache@entry=true) at /test/10.8_dbg/sql/sql_connect.cc:1418
#11 0x00005626af1e6fd1 in handle_one_connection (arg=arg@entry=0x5626b340f288) at /test/10.8_dbg/sql/sql_connect.cc:1312
#12 0x00005626af6689a2 in pfs_spawn_thread (arg=0x5626b3322d28) at /test/10.8_dbg/storage/perfschema/pfs.cc:2201
#13 0x0000147bf29b9609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#14 0x0000147bf25a7293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.5.14 (dbg), 10.6.6 (dbg), 10.6.6 (opt), 10.7.2 (dbg), 10.7.2 (opt), 10.8.0 (dbg), 10.8.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.42 (dbg), 10.2.42 (opt), 10.3.33 (dbg), 10.3.33 (opt), 10.4.23 (dbg), 10.4.23 (opt), 10.5.14 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.36 (dbg), 5.7.36 (opt), 8.0.27 (dbg), 8.0.27 (opt)

Comment by Roel Van de Paar [ 2022-01-17 ]

Found another testcase with yet another stack.

INSTALL PLUGIN spider SONAME 'ha_spider.so';

CREATE TABLE t (code CHAR(1),KEY(code)) ENGINE=SPIDER;

EXPLAIN SELECT * FROM t WHERE t2.a IN (SELECT a FROM t);

ALTER TABLE t CHANGE a a ENUM ('','') CHARACTER SET utf32;

CREATE TABLE test (a TEXT,FULLTEXT KEY(a)) ENGINE=InnoDB;

LOCK TABLES t WRITE;

Leads to:

10.8.0 347f6d01e3b570dce49aa1ab42cb83021905a14d (Debug)
Core was generated by `/test/MD150122-mariadb-10.8.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 ha_spider::append_lock_tables_list (this=0x8f8f8f8f00000001)
at /test/10.8_dbg/storage/spider/ha_spider.cc:16284
[Current thread is 1 (Thread 0x14e6465fb700 (LWP 3381812))]
(gdb) bt
#0 ha_spider::append_lock_tables_list (this=0x8f8f8f8f00000001) at /test/10.8_dbg/storage/spider/ha_spider.cc:16284
#1 0x000014e646502ed8 in ha_spider::store_lock (this=0x14e5e40c9d30, thd=<optimized out>, to=0x14e5e408c258, lock_type=TL_WRITE) at /test/10.8_dbg/storage/spider/ha_spider.cc:1178
#2 0x000055dd9d63c4c2 in get_lock_data (thd=thd@entry=0x14e5e4000db8, table_ptr=table_ptr@entry=0x14e5e4014738, count=count@entry=1, flags=flags@entry=1) at /test/10.8_dbg/sql/lock.cc:809
#3 0x000055dd9d63ca80 in mysql_lock_tables (thd=thd@entry=0x14e5e4000db8, tables=tables@entry=0x14e5e4014738, count=count@entry=1, flags=flags@entry=0) at /test/10.8_dbg/sql/lock.cc:298
#4 0x000055dd9d1237c0 in lock_tables (thd=thd@entry=0x14e5e4000db8, tables=0x14e5e4013e90, count=<optimized out>, flags=flags@entry=0) at /test/10.8_dbg/sql/sql_base.cc:5561
#5 0x000055dd9d1b28c8 in lock_tables_open_and_lock_tables (thd=thd@entry=0x14e5e4000db8, tables=<optimized out>) at /test/10.8_dbg/sql/sql_parse.cc:2958
#6 0x000055dd9d1bed75 in mysql_execute_command (thd=thd@entry=0x14e5e4000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.8_dbg/sql/sql_parse.cc:5123
#7 0x000055dd9d1a7f05 in mysql_parse (thd=thd@entry=0x14e5e4000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14e6465fa400) at /test/10.8_dbg/sql/sql_parse.cc:8027
#8 0x000055dd9d1b6ba1 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14e5e4000db8, packet=packet@entry=0x14e5e400b879 "LOCK TABLES t WRITE", packet_length=packet_length@entry=19, blocking=blocking@entry=true) at /test/10.8_dbg/sql/sql_class.h:1360
#9 0x000055dd9d1b9fe8 in do_command (thd=0x14e5e4000db8, blocking=blocking@entry=true) at /test/10.8_dbg/sql/sql_parse.cc:1402
#10 0x000055dd9d3339cc in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55dda0313ba8, put_in_cache=put_in_cache@entry=true) at /test/10.8_dbg/sql/sql_connect.cc:1418
#11 0x000055dd9d333fd1 in handle_one_connection (arg=arg@entry=0x55dda0313ba8) at /test/10.8_dbg/sql/sql_connect.cc:1312
#12 0x000055dd9d7b59a2 in pfs_spawn_thread (arg=0x55dda02258d8) at /test/10.8_dbg/storage/perfschema/pfs.cc:2201
#13 0x000014e66577a609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#14 0x000014e665368293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.5.14 (dbg), 10.6.6 (dbg), 10.6.6 (opt), 10.7.2 (dbg), 10.7.2 (opt), 10.8.0 (dbg), 10.8.0 (opt)

Comment by Roel Van de Paar [ 2022-01-17 ]

Confirmed that the last testcase above does not crash in bb-10.5-~~MDEV-27240~~ in both debug and optimized builds.

The second last testcase above does crash on the same branch however:

10.5.14 c5b466bcf00fd3eeb1ac9a8664ee3558001f43fb (Debug)
10.5.14-dbg>START TRANSACTION WITH CONSISTENT SNAPSHOT,READ ONLY;
ERROR 2013 (HY000): Lost connection to MySQL server during query

10.5.14 c5b466bcf00fd3eeb1ac9a8664ee3558001f43fb (Debug)
mysqld: /test/bb-10.5-MDEV-27240_dbg/sql/handler.cc:1572: int ha_commit_trans(THD*, bool): Assertion `thd->transaction->stmt.ha_list == __null \|\| trans == &thd->transaction->stmt' failed.

10.5.14 c5b466bcf00fd3eeb1ac9a8664ee3558001f43fb (Debug)
Core was generated by `/test/MDEV-27106-MD170122-mariadb-10.5.14-linux-x86_64-dbg/bin/mysqld --no-defa'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x14d8645d3700 (LWP 3285360))]
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x000014d86da59859 in __GI_abort () at abort.c:79
#2 0x000014d86da59729 in __assert_fail_base (fmt=0x14d86dbef588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55f38fb92298 "thd->transaction->stmt.ha_list == __null \|\| trans == &thd->transaction->stmt", file=0x55f38fb91a30 "/test/bb-10.5-MDEV-27240_dbg/sql/handler.cc", line=1572, function=<optimized out>) at assert.c:92
#3 0x000014d86da6af36 in __GI___assert_fail (assertion=assertion@entry=0x55f38fb92298 "thd->transaction->stmt.ha_list == __null \|\| trans == &thd->transaction->stmt", file=file@entry=0x55f38fb91a30 "/test/bb-10.5-MDEV-27240_dbg/sql/handler.cc", line=line@entry=1572, function=function@entry=0x55f38fb94768 "int ha_commit_trans(THD*, bool)") at assert.c:101
#4 0x000055f38efd12f5 in ha_commit_trans (thd=thd@entry=0x14d7cc000db8, all=all@entry=true) at /test/bb-10.5-MDEV-27240_dbg/sql/handler.cc:1572
#5 0x000055f38ee5fa29 in trans_begin (thd=thd@entry=0x14d7cc000db8, flags=3) at /test/bb-10.5-MDEV-27240_dbg/sql/transaction.cc:127
#6 0x000055f38ecf3078 in mysql_execute_command (thd=thd@entry=0x14d7cc000db8) at /test/bb-10.5-MDEV-27240_dbg/sql/sql_parse.cc:5658
#7 0x000055f38ecd9bce in mysql_parse (thd=thd@entry=0x14d7cc000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14d8645d23d0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/bb-10.5-MDEV-27240_dbg/sql/sql_parse.cc:8100
#8 0x000055f38ece9421 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14d7cc000db8, packet=packet@entry=0x14d7cc00b4a9 "START TRANSACTION WITH CONSISTENT SNAPSHOT,READ ONLY", packet_length=packet_length@entry=52, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/bb-10.5-MDEV-27240_dbg/sql/sql_class.h:1290
#9 0x000055f38ececc9d in do_command (thd=0x14d7cc000db8) at /test/bb-10.5-MDEV-27240_dbg/sql/sql_parse.cc:1370
#10 0x000055f38ee4a082 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55f39234c638, put_in_cache=put_in_cache@entry=true) at /test/bb-10.5-MDEV-27240_dbg/sql/sql_connect.cc:1418
#11 0x000055f38ee4a785 in handle_one_connection (arg=arg@entry=0x55f39234c638) at /test/bb-10.5-MDEV-27240_dbg/sql/sql_connect.cc:1312
#12 0x000055f38f306f6f in pfs_spawn_thread (arg=0x55f3922961a8) at /test/bb-10.5-MDEV-27240_dbg/storage/perfschema/pfs.cc:2201
#13 0x000014d86df68609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#14 0x000014d86db56293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment by Nayuta Yanagisawa (Inactive) [ 2022-01-17 ]

Thank you for your confirmation. Then, the still crashing test case seems to be due to a different bug. Could you file another bug report, please?

Comment by Roel Van de Paar [ 2022-01-17 ]

Ack, thank you.

Created ~~MDEV-27526~~ Spider: SIGSEGV in ha_spider::lock_tables and Assertion `thd->transaction->stmt.ha_list == __null || trans == &thd->transaction->stmt' failed in ha_commit_trans on START TRANSACTION

Comment by Roel Van de Paar [ 2022-01-17 ]

Another testcase with yet another stack added. Confirmed fixed in patched tree. Just adding for completeness and to add test filter.

INSTALL PLUGIN spider SONAME 'ha_spider.so';

CREATE TABLE t (code CHAR(1),KEY(code)) ENGINE=SPIDER;

EXPLAIN SELECT * FROM t WHERE t2.a IN (SELECT a FROM t);

ALTER TABLE t CHANGE a a ENUM ('','') CHARACTER SET utf32;

CREATE TABLE test (a TEXT,FULLTEXT KEY(a)) ENGINE=InnoDB;

LOCK TABLES t WRITE;

UniqueID's for this testcase:

SIGSEGV|ha_spider::append_lock_tables_list|ha_spider::store_lock|get_lock_data|mysql_lock_tables

SIGSEGV|ha_spider::append_lock_tables_list|ha_spider::store_lock|ha_spider::store_lock|get_lock_data  # new

Generated at Thu Feb 08 09:51:25 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.

[MDEV-27240] SIGSEGV in ha_spider::store_lock on LOCK TABLE Created: 2021-12-12 Updated: 2022-11-07 Resolved: 2022-01-15