[MDEV-29544] SIGSEGV in HA_CREATE_INFO::finalize_locked_tables
Created: 2022-09-15  Updated: 2023-05-18  Resolved: 2023-01-26

Status: Closed
Project: MariaDB Server
Component/s: Data Definition - Create Table, Locking, Storage Engine - InnoDB
Affects Version/s: None
Fix Version/s: N/A

Type: Bug
Priority: Critical
Reporter: Roel Van de Paar
Assignee: Aleksey Midenkov
Resolution: Fixed
Votes: 0
Labels: locking, regression

Issue Links:
Problem/Incident
is caused by MDEV-25292 Atomic CREATE OR REPLACE TABLE Stalled
Relates
relates to MDEV-28956 Locking is broken if CREATE OR REPLAC... Closed
relates to MDEV-29831 Galera crashes when running CoR for a... Closed

Description

SET sql_mode='';
CREATE TABLE t (c INT) ENGINE=InnoDB;
ALTER TABLE mysql.innodb_index_stats MODIFY stat_description CHAR(10);
LOCK TABLE t WRITE;
CREATE OR REPLACE TABLE t (c INT);

Leads to:

10.11.0 8f9df08f02294f4828d40ef0a298dc0e72b01f60 (Debug)

Core was generated by `/test/MD130922-mariadb-10.11.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000560c13360363 in HA_CREATE_INFO::finalize_locked_tables (
    this=this@entry=0x14ec98c090f0, thd=thd@entry=0x14ec5c000d48, 
    operation_failed=operation_failed@entry=true)
    at /test/10.11_dbg/sql/sql_table.cc:4544
4544	    table->mdl_ticket->downgrade_lock(MDL_SHARED_NO_READ_WRITE);
[Current thread is 1 (Thread 0x14ec98c0c700 (LWP 1187004))]
(gdb) bt
#0  0x0000560c13360363 in HA_CREATE_INFO::finalize_locked_tables (this=this@entry=0x14ec98c090f0, thd=thd@entry=0x14ec5c000d48, operation_failed=operation_failed@entry=true) at /test/10.11_dbg/sql/sql_table.cc:4544
#1  0x0000560c13371aff in mysql_create_table (alter_info=0x14ec98c08f10, create_info=0x14ec98c090f0, create_table=<optimized out>, thd=0x14ec5c000d48) at /test/10.11_dbg/sql/sql_table.cc:5302
#2  Sql_cmd_create_table_like::execute (this=<optimized out>, thd=0x14ec5c000d48) at /test/10.11_dbg/sql/sql_table.cc:12797
#3  0x0000560c13297a7b in mysql_execute_command (thd=thd@entry=0x14ec5c000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.11_dbg/sql/sql_parse.cc:5997
#4  0x0000560c1328003c in mysql_parse (thd=thd@entry=0x14ec5c000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14ec98c0b330) at /test/10.11_dbg/sql/sql_parse.cc:8037
#5  0x0000560c1328d66d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14ec5c000d48, packet=packet@entry=0x14ec5c00aed9 "CREATE OR REPLACE TABLE t (id INT,s DATE,e DATE,PERIOD FOR p (s,e),PRIMARY KEY(id,p WITHOUT OVERLAPS)) PARTITION BY HASH (id)", packet_length=packet_length@entry=125, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_class.h:1345
#6  0x0000560c1328fd97 in do_command (thd=0x14ec5c000d48, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407
#7  0x0000560c133f3fb8 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x560c16a7b608, put_in_cache=put_in_cache@entry=true) at /test/10.11_dbg/sql/sql_connect.cc:1418
#8  0x0000560c133f44c1 in handle_one_connection (arg=0x560c16a7b608) at /test/10.11_dbg/sql/sql_connect.cc:1312
#9  0x000014ecb1e79609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#10 0x000014ecb1a65133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.11.0 8f9df08f02294f4828d40ef0a298dc0e72b01f60 (Optimized)

Core was generated by `/test/MD130922-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000563f4ccae7bd in HA_CREATE_INFO::finalize_locked_tables (thd=
    0x147948000c58, operation_failed=<optimized out>, this=0x147985c52250)
    at /test/10.11_opt/sql/sql_table.cc:4544
4544	    table->mdl_ticket->downgrade_lock(MDL_SHARED_NO_READ_WRITE);
[Current thread is 1 (Thread 0x147985c55700 (LWP 1289549))]
(gdb) bt
#0  0x0000563f4ccae7bd in HA_CREATE_INFO::finalize_locked_tables (thd=0x147948000c58, operation_failed=<optimized out>, this=0x147985c52250) at /test/10.11_opt/sql/sql_table.cc:4544
#1  HA_CREATE_INFO::finalize_locked_tables (this=0x147985c52250, thd=0x147948000c58, operation_failed=<optimized out>) at /test/10.11_opt/sql/sql_table.cc:4519
#2  0x0000563f4ccbee2f in mysql_create_table (alter_info=0x147985c52070, create_info=0x147985c52250, create_table=<optimized out>, thd=0x147948000c58) at /test/10.11_opt/sql/sql_table.cc:5302
#3  Sql_cmd_create_table_like::execute (this=<optimized out>, thd=0x147948000c58) at /test/10.11_opt/sql/sql_table.cc:12797
#4  0x0000563f4cc056d6 in mysql_execute_command (thd=0x147948000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:5997
#5  0x0000563f4cbf6055 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x147948000c58) at /test/10.11_opt/sql/sql_parse.cc:8037
#6  mysql_parse (thd=0x147948000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7959
#7  0x0000563f4cc01bba in dispatch_command (command=COM_QUERY, thd=0x147948000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1345
#8  0x0000563f4cc03b02 in do_command (thd=0x147948000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
#9  0x0000563f4cd1cfcf in do_handle_one_connection (connect=<optimized out>, connect@entry=0x563f4f8f6398, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418
#10 0x0000563f4cd1d2ad in handle_one_connection (arg=0x563f4f8f6398) at /test/10.11_opt/sql/sql_connect.cc:1312
#11 0x000014799eea4609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#12 0x000014799ea90133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95



Comments
Comment by Marko Mäkelä [ 2022-09-15 ]

Roel, thank you. I do not see how the fix of MDEV-29507 would be related to this in any way. That fix was for a case where a TEMPORARY table contained SPATIAL indexes. The test case for this bug involves neither TEMPORARY TABLE nor SPATIAL INDEX. The code that was changed in MDEV-29507 should not be reachable by this SQL at all.

This looks more like a bug in metadata locking to me. The crash occurs outside InnoDB.

The ALTER TABLE statement may be relevant in that it will cause InnoDB to skip updates of persistent statistics due to an invalid system table definition.

Comment by Marko Mäkelä [ 2022-09-15 ]

This slightly simpler test case that Roel provided to me in a private chat would not crash for me on 10.6:

--source include/have_innodb.inc
SET sql_mode='';
CREATE TABLE t (c INT) ENGINE=InnoDB;
ALTER TABLE mysql.innodb_index_stats MODIFY stat_description CHAR(10);
LOCK TABLE t WRITE;
CREATE OR REPLACE TABLE t (c INT);

10.6 fd0bdd3180a7d5f4b9804d372d6a63b6a202818c

2022-09-15 12:50:10 4 [Warning] InnoDB: Table mysql.innodb_index_stats has length mismatch in the column name stat_description. Please run mariadb-upgrade
2022-09-15 12:50:10 4 [ERROR] InnoDB: Column stat_description in table mysql.innodb_index_stats is CHAR(30) but should be VARCHAR(3072) NOT NULL
2022-09-15 12:50:10 4 [ERROR] InnoDB: Fetch of persistent statistics requested for table `test`.`t` but the required system tables mysql.innodb_table_stats and mysql.innodb_index_stats are not present or have unexpected structure. Using transient stats instead.
2022-09-15 12:50:10 4 [Warning] InnoDB: Table mysql.innodb_index_stats has length mismatch in the column name stat_description. Please run mariadb-upgrade
2022-09-15 12:50:10 4 [ERROR] InnoDB: Column stat_description in table mysql.innodb_index_stats is CHAR(30) but should be VARCHAR(3072) NOT NULL
2022-09-15 12:50:10 4 [Warning] InnoDB: Table mysql.innodb_index_stats has length mismatch in the column name stat_description. Please run mariadb-upgrade
2022-09-15 12:50:10 4 [ERROR] InnoDB: Column stat_description in table mysql.innodb_index_stats is CHAR(30) but should be VARCHAR(3072) NOT NULL
^ Found warnings in /dev/shm/10.6/mysql-test/var/log/mysqld.1.err
ok
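
A log check for the condition described in the two comments above, as an added example that is not part of the issue or of MariaDB's code: it scans an error log for the InnoDB messages quoted above and reports which statistics-table columns have an unexpected definition and which tables fell back to transient statistics. The sample log is constructed from the message formats shown above, and `scan_stats_table_errors` is a hypothetical name.

```python
import re

# Constructed sample, using the message formats quoted in the comment above.
SAMPLE_LOG = """\
2022-09-15 12:50:10 4 [Warning] InnoDB: Table mysql.innodb_index_stats has length mismatch in the column name stat_description. Please run mariadb-upgrade
2022-09-15 12:50:10 4 [ERROR] InnoDB: Column stat_description in table mysql.innodb_index_stats is CHAR(30) but should be VARCHAR(3072) NOT NULL
2022-09-15 12:50:10 4 [ERROR] InnoDB: Fetch of persistent statistics requested for table `test`.`t` but the required system tables mysql.innodb_table_stats and mysql.innodb_index_stats are not present or have unexpected structure. Using transient stats instead.
2022-09-15 12:50:10 4 [Warning] InnoDB: Table mysql.innodb_index_stats has length mismatch in the column name stat_description. Please run mariadb-upgrade
2022-09-15 12:50:10 4 [ERROR] InnoDB: Column stat_description in table mysql.innodb_index_stats is CHAR(30) but should be VARCHAR(3072) NOT NULL
2022-09-15 12:50:11 5 [Note] constructed unrelated entry
"""

# Timestamp, numeric thread id field, level, then the InnoDB message text.
ENTRY = re.compile(r"^(\S+ \S+)\s+(\d+) \[(\w+)\] InnoDB: (.*)$")
COLUMN = re.compile(r"Column (\S+) in table (\S+) is (.+) but should be (.+)$")
FALLBACK = re.compile(r"persistent statistics requested for table (\S+) but .*"
                      r"Using transient stats instead")

def scan_stats_table_errors(log_text):
    """Collect stats-table definition mismatches and transient-stats fallbacks."""
    mismatches = {}    # (table, column) -> details, deduplicated across repeats
    fallbacks = set()  # user tables that lost persistent statistics
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue
        when, thread_id, _level, msg = entry.groups()
        col = COLUMN.search(msg)
        if col:
            column, table, found, expected = col.groups()
            rec = mismatches.setdefault((table, column), {
                "found": found, "expected": expected,
                "first_seen": when, "threads": set(), "count": 0})
            rec["threads"].add(int(thread_id))
            rec["count"] += 1
            continue
        fb = FALLBACK.search(msg)
        if fb:
            fallbacks.add(fb.group(1).replace("`", ""))
    return mismatches, sorted(fallbacks)

if __name__ == "__main__":
    found, tables = scan_stats_table_errors(SAMPLE_LOG)
    for (table, column), rec in found.items():
        print(f"{table}.{column}: {rec['found']} (expected {rec['expected']}), "
              f"{rec['count']} log entries, first at {rec['first_seen']}")
    print("transient stats fallback:", tables)
```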

Comment by Roel Van de Paar [ 2022-09-15 ]

10.11 86da0f4ee8381e7543733fae209252ff2b873631 dbg: does not crash
10.11 cf6c5176328c8fbfadac80f337ef285732cc8d06 dbg: crashes

This issue is caused by MDEV-25292.

Comment by Aleksey Midenkov [ 2022-09-19 ]

Please review bb-10.11-midenok

Comment by Roel Van de Paar [ 2023-01-20 ]

midenok Please check:

11.0.1 bb-11.0-midenok-MDEV-25292 b986107a777e3f900f235d969d569358c7a5edfe (Debug)

11.0.1-dbg>SET sql_mode='';
Query OK, 0 rows affected (0.000 sec)
 
11.0.1-dbg>CREATE TABLE t (c INT) ENGINE=InnoDB;
Query OK, 0 rows affected (0.013 sec)
 
11.0.1-dbg>ALTER TABLE mysql.innodb_index_stats MODIFY stat_description CHAR(10);
Query OK, 7 rows affected, 5 warnings (0.019 sec)  
Records: 7  Duplicates: 0  Warnings: 5
 
11.0.1-dbg>LOCK TABLE t WRITE;
Query OK, 0 rows affected (0.000 sec)
 
11.0.1-dbg>CREATE OR REPLACE TABLE t (c INT);
ERROR 1932 (42S02): Table 'test.t' doesn't exist in engine

And using MyISAM:

11.0.1 bb-11.0-midenok-MDEV-25292 b986107a777e3f900f235d969d569358c7a5edfe (Debug)

11.0.1-dbg>SET sql_mode='';
Query OK, 0 rows affected (0.000 sec)
 
11.0.1-dbg>CREATE TABLE t (c INT) ENGINE=MyISAM;
Query OK, 0 rows affected (0.008 sec)
 
11.0.1-dbg>ALTER TABLE mysql.innodb_index_stats MODIFY stat_description CHAR(10);
Query OK, 4 rows affected, 3 warnings (0.020 sec)  
Records: 4  Duplicates: 0  Warnings: 3
 
11.0.1-dbg>LOCK TABLE t WRITE;
Query OK, 0 rows affected (0.000 sec)
 
11.0.1-dbg>CREATE OR REPLACE TABLE t (c INT);
ERROR 1005 (HY000): Can't create table `test`.`./test/t` (errno: 168 "Unknown (generic) error from engine")

Comment by Roel Van de Paar [ 2023-01-28 ]

Re-fix in latest feature branch https://github.com/MariaDB/server/commit/9c054e95e0ebdea00780005a269c03c7861ca32d
