[MDEV-27522] SIGSEGV in spider_set_direct_limit_offset on INSERT Created: 2022-01-16  Updated: 2022-04-25  Resolved: 2022-01-19

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - Spider
Affects Version/s: 10.5, 10.6, 10.7, 10.8
Fix Version/s: N/A

Type: Bug Priority: Critical
Reporter: Roel Van de Paar Assignee: Nayuta Yanagisawa (Inactive)
Resolution: Duplicate Votes: 0
Labels: not-10.2, not-10.3, not-10.4, regression

Issue Links:
Duplicate
duplicates MDEV-27240 SIGSEGV in ha_spider::store_lock on L... Closed
Relates
relates to MDEV-28406 Spider: SIGSEGV in ha_spider::index_l... Closed
relates to MDEV-24769 Spider crash when selecting all rows ... Closed

 Description   

Possibly related to MDEV-27171, MDEV-27388, MDEV-27240.
MDEV-27171 comes closest, though this bug is debug-only whereas MDEV-27171 was specifically optimized-only.

INSTALL PLUGIN spider SONAME 'ha_spider.so';
 
invalid;
 
CREATE TABLE t2 (a INT KEY,b INT UNIQUE AUTO_INCREMENT) ENGINE=SPIDER;
 
SELECT a FROM t2 UNION ALL SELECT a FROM t2;
 
ALTER TABLE t2 CHANGE c c INT;
 
invalid;
 
INSERT INTO t2 (a) VALUES (1);

Leads to:

10.8.0 347f6d01e3b570dce49aa1ab42cb83021905a14d (Debug)

 
Core was generated by `/test/MD150122-mariadb-10.8.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
 
Program terminated with signal SIGSEGV, Segmentation fault.
 
#0  0x00001494840e8ef2 in spider_set_direct_limit_offset (
 
    spider=spider@entry=0x1493f80c96f0)
 
    at /test/10.8_dbg/storage/spider/spd_table.cc:9535
 
[Current thread is 1 (Thread 0x14949c7ed700 (LWP 1016275))]
 
(gdb) bt
 
#0  0x00001494840e8ef2 in spider_set_direct_limit_offset (spider=spider@entry=0x1493f80c96f0) at /test/10.8_dbg/storage/spider/spd_table.cc:9535
 
#1  0x0000149484118e0b in ha_spider::check_direct_order_limit (this=this@entry=0x1493f80c96f0) at /test/10.8_dbg/storage/spider/ha_spider.cc:13105
 
#2  0x0000149484128ed9 in ha_spider::index_last_internal (this=this@entry=0x1493f80c96f0, buf=buf@entry=0x1493f80c9278 '\245' <repeats 16 times>, "\360\222\f\370\223\024") at /test/10.8_dbg/storage/spider/ha_spider.cc:3350
 
#3  0x0000149484129fc7 in ha_spider::index_last (this=this@entry=0x1493f80c96f0, buf=0x1493f80c9278 '\245' <repeats 16 times>, "\360\222\f\370\223\024") at /test/10.8_dbg/storage/spider/ha_spider.cc:3710
 
#4  0x00001494841367b5 in ha_spider::get_auto_increment (this=0x1493f80c96f0, offset=<optimized out>, increment=1, nb_desired_values=1, first_value=0x14949c7eb960, nb_reserved_values=0x14949c7eb968) at /test/10.8_dbg/storage/spider/ha_spider.cc:9812
 
#5  0x00005567087fdba1 in handler::update_auto_increment (this=this@entry=0x1493f80c96f0) at /test/10.8_dbg/sql/handler.cc:3951
 
#6  0x000014948411c524 in ha_spider::update_auto_increment (this=this@entry=0x1493f80c96f0) at /test/10.8_dbg/storage/spider/ha_spider.cc:9755
 
#7  0x00001494841384eb in ha_spider::write_row (this=0x1493f80c96f0, buf=0x1493f80c9268 "\377\001") at /test/10.8_dbg/storage/spider/ha_spider.cc:10014
 
#8  0x0000556708805a25 in handler::ha_write_row (this=0x1493f80c96f0, buf=0x1493f80c9268 "\377\001") at /test/10.8_dbg/sql/handler.cc:7516
 
#9  0x00005567084a4160 in write_record (thd=thd@entry=0x1493f8000db8, table=table@entry=0x1493f80c8e18, info=info@entry=0x14949c7ebcd0, sink=sink@entry=0x0) at /test/10.8_dbg/sql/sql_insert.cc:2156
 
#10 0x00005567084afdcf in mysql_insert (thd=thd@entry=0x1493f8000db8, table_list=0x1493f8013eb0, fields=@0x1493f8006078: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1493f80146b8, last = 0x1493f80146b8, elements = 1}, <No data fields>}, values_list=@0x1493f80060c0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1493f8014be8, last = 0x1493f8014be8, elements = 1}, <No data fields>}, update_fields=@0x1493f80060a8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x556709b2fb00 <end_of_list>, last = 0x1493f80060a8, elements = 0}, <No data fields>}, update_values=@0x1493f8006090: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x556709b2fb00 <end_of_list>, last = 0x1493f8006090, elements = 0}, <No data fields>}, duplic=DUP_ERROR, ignore=false, result=0x0) at /test/10.8_dbg/sql/sql_insert.cc:1127
 
#11 0x00005567084f651a in mysql_execute_command (thd=thd@entry=0x1493f8000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.8_dbg/sql/sql_parse.cc:4562
 
#12 0x00005567084e0f05 in mysql_parse (thd=thd@entry=0x1493f8000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14949c7ec400) at /test/10.8_dbg/sql/sql_parse.cc:8027
 
#13 0x00005567084efba1 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1493f8000db8, packet=packet@entry=0x1493f800b879 "INSERT INTO t2 (a) VALUES (1)", packet_length=packet_length@entry=29, blocking=blocking@entry=true) at /test/10.8_dbg/sql/sql_class.h:1360
 
#14 0x00005567084f2fe8 in do_command (thd=0x1493f8000db8, blocking=blocking@entry=true) at /test/10.8_dbg/sql/sql_parse.cc:1402
 
#15 0x000055670866c9cc in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55670ca8cc08, put_in_cache=put_in_cache@entry=true) at /test/10.8_dbg/sql/sql_connect.cc:1418
 
#16 0x000055670866cfd1 in handle_one_connection (arg=arg@entry=0x55670ca8cc08) at /test/10.8_dbg/sql/sql_connect.cc:1312
 
#17 0x0000556708aee9a2 in pfs_spawn_thread (arg=0x55670c9a0798) at /test/10.8_dbg/storage/perfschema/pfs.cc:2201
 
#18 0x00001494a6f60609 in start_thread (arg=<optimized out>) at pthread_create.c:477
 
#19 0x00001494a6b4e293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.5.14 (dbg), 10.6.6 (dbg), 10.7.2 (dbg), 10.8.0 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.42 (dbg), 10.2.42 (opt), 10.3.33 (dbg), 10.3.33 (opt), 10.4.23 (dbg), 10.4.23 (opt), 10.5.14 (opt), 10.6.6 (opt), 10.7.2 (opt), 10.8.0 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.36 (dbg), 5.7.36 (opt), 8.0.27 (dbg), 8.0.27 (opt)

 Comments   
Comment by Roel Van de Paar [ 2022-01-17 ]

This similar testcase crashes only 10.6 to 10.8 in debug, and 10.7 as well as 10.8 in optimized builds. There seem to be multiple regressions.
Besides the stack listed in the original description, also seen with this testcase, the optimized builds have stacks similar to the one in MDEV-27171.

INSTALL PLUGIN spider SONAME 'ha_spider.so';
 
CREATE TABLE t (pk INT,cik INT);
 
CREATE TABLE t2 (a INT KEY,b INT UNIQUE AUTO_INCREMENT) ENGINE=SPIDER;
 
SELECT (SELECT a FROM t2 WHERE t.a=t2.a UNION ALL SELECT a FROM t2 WHERE t5.a=t2.a);
 
ALTER TABLE t2 CHANGE c c DECIMAL(0,0) UNSIGNED,CHANGE c2 c2 DECIMAL(0,0) SIGNED;
 
CREATE TABLE t3 (fk INT,FOREIGN KEY(fk) REFERENCES a (pk)) ENGINE=InnoDB;
 
INSERT INTO t2 (a) VALUES (1),(2),(3),(4);

Leads to:

10.8.0 347f6d01e3b570dce49aa1ab42cb83021905a14d (Optimized)

 
Core was generated by `/test/MD150122-mariadb-10.8.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
 
Program terminated with signal SIGSEGV, Segmentation fault.
 
#0  0x000014730012028b in spider_set_direct_limit_offset (
 
    spider=spider@entry=0x1472600851d0)
 
    at /test/10.8_opt/storage/spider/spd_table.cc:9535
 
[Current thread is 1 (Thread 0x14730c139700 (LWP 2431473))]
 
(gdb) bt
 
#0  0x000014730012028b in spider_set_direct_limit_offset (spider=spider@entry=0x1472600851d0) at /test/10.8_opt/storage/spider/spd_table.cc:9535
 
#1  0x000014730013decf in ha_spider::check_direct_order_limit (this=0x1472600851d0) at /test/10.8_opt/storage/spider/ha_spider.cc:13105
 
#2  ha_spider::check_direct_order_limit (this=0x1472600851d0) at /test/10.8_opt/storage/spider/ha_spider.cc:13089
 
#3  0x0000147300147f1d in ha_spider::index_last_internal (buf=0x147260077c08 "", this=0x1472600851d0) at /test/10.8_opt/storage/spider/ha_spider.cc:3350
 
#4  ha_spider::index_last_internal (this=0x1472600851d0, buf=0x147260077c08 "") at /test/10.8_opt/storage/spider/ha_spider.cc:3310
 
#5  0x0000147300151079 in ha_spider::get_auto_increment (this=0x1472600851d0, offset=<optimized out>, increment=1, nb_desired_values=4, first_value=0x14730c1379c0, nb_reserved_values=0x14730c1379c8) at /test/10.8_opt/storage/spider/ha_spider.cc:9812
 
#6  0x000055c872788b08 in handler::update_auto_increment (this=this@entry=0x1472600851d0) at /test/10.8_opt/sql/handler.cc:3951
 
#7  0x00001473001401d6 in ha_spider::update_auto_increment (this=0x1472600851d0) at /test/10.8_opt/storage/spider/ha_spider.cc:9755
 
#8  0x00001473001522a5 in ha_spider::write_row (this=0x1472600851d0, buf=0x147260077bf8 "\377\001") at /test/10.8_opt/storage/spider/ha_spider.cc:10014
 
#9  0x000055c87278e4d0 in handler::ha_write_row (this=0x1472600851d0, buf=0x147260077bf8 "\377\001") at /test/10.8_opt/sql/handler.cc:7516
 
#10 0x000055c8724fec3d in write_record (thd=thd@entry=0x147260000c58, table=table@entry=0x147260077818, info=info@entry=0x14730c137c80, sink=sink@entry=0x0) at /test/10.8_opt/sql/sql_insert.cc:2156
 
#11 0x000055c872505478 in mysql_insert (thd=thd@entry=0x147260000c58, table_list=<optimized out>, fields=@0x147260005d58: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1472600111b0, last = 0x1472600111b0, elements = 1}, <No data fields>}, values_list=@0x147260005da0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1472600116e0, last = 0x147260011908, elements = 4}, <No data fields>}, update_fields=@0x147260005d88: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55c8736af510 <end_of_list>, last = 0x147260005d88, elements = 0}, <No data fields>}, update_values=@0x147260005d70: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55c8736af510 <end_of_list>, last = 0x147260005d70, elements = 0}, <No data fields>}, duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /test/10.8_opt/sql/sql_insert.cc:1127
 
#12 0x000055c87254022f in mysql_execute_command (thd=0x147260000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.8_opt/sql/sql_parse.cc:4562
 
#13 0x000055c87252fa86 in mysql_parse (thd=0x147260000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.8_opt/sql/sql_parse.cc:8027
 
#14 0x000055c87253bc35 in dispatch_command (command=COM_QUERY, thd=0x147260000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.8_opt/sql/sql_class.h:1360
 
#15 0x000055c87253de27 in do_command (thd=0x147260000c58, blocking=blocking@entry=true) at /test/10.8_opt/sql/sql_parse.cc:1402
 
#16 0x000055c87265c427 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/10.8_opt/sql/sql_connect.cc:1418
 
#17 0x000055c87265c76d in handle_one_connection (arg=arg@entry=0x55c875535fe8) at /test/10.8_opt/sql/sql_connect.cc:1312
 
#18 0x000055c8729ca858 in pfs_spawn_thread (arg=0x55c875536058) at /test/10.8_opt/storage/perfschema/pfs.cc:2201
 
#19 0x0000147317a73609 in start_thread (arg=<optimized out>) at pthread_create.c:477
 
#20 0x0000147317661293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.6.6 (dbg), 10.7.2 (dbg), 10.7.2 (opt), 10.8.0 (dbg), 10.8.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.42 (dbg), 10.2.42 (opt), 10.3.33 (dbg), 10.3.33 (opt), 10.4.23 (dbg), 10.4.23 (opt), 10.5.14 (dbg), 10.5.14 (opt), 10.6.6 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.36 (dbg), 5.7.36 (opt), 8.0.27 (dbg), 8.0.27 (opt)

Comment by Roel Van de Paar [ 2022-01-18 ]

Increased prio based on MDEV-24769 findings, ref this comment.

Comment by Nayuta Yanagisawa (Inactive) [ 2022-01-19 ]

The bug no longer reproduces on 10.5 HEAD. It has been fixed by MDEV-27240.

Generated at Thu Feb 08 09:53:33 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.