[MDEV-32025] Crashes in MDL_key::mdl_key_init with lower-case-table-names=2 Created: 2023-08-28  Updated: 2023-10-23  Resolved: 2023-10-23

Status: Closed
Project: MariaDB Server
Component/s: OTHER
Affects Version/s: 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2, 11.3
Fix Version/s: 10.8.8, 10.4.32, 10.5.23, 10.6.16, 10.9.8, 10.10.7, 10.11.6, 11.0.3, 11.0.4, 11.1.3, 11.2.2, 11.3.1

Type: Bug Priority: Critical
Reporter: Alexander Barkov Assignee: Alexander Barkov
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Blocks
blocks MDEV-31531 Remove my_casedn_str() and my_caseup_... In Testing

 Description   

Crashes in MDL lock in MDL_key::mdl_key_init with lower-case-table-names=2

This problem needs a case insensitive file system to reproduce.

It should be reproducible on Windows.

It's reproducible on Linux if I make a case insensitive vfat filesystem, mount it using a loop device, and run MTR on it:

truncate -s 18G /home/bar/CIFS
mkdir /home/bar/CIFSDIR
sudo losetup /dev/loop0 /home/bar/CIFS
sudo mkfs.vfat /dev/loop0
sudo mount -o uid=bar,gid=bar /dev/loop0 /home/bar/CIFSDIR
 
./mtr --tmpdir=/home/bar/tmpdir \
 --vardir=/home/bar/CIFSDIR/var \
 --do-test="(lowercase)"

The crash happens if I add this script into the end of lowercase_table2.test:

CREATE DATABASE Db1;
ALTER DATABASE Db1 DEFAULT CHARACTER SET utf8;
DROP DATABASE Db1;

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff75bd8d9 in __GI_abort () at abort.c:79
#2  0x00007ffff75bd7a9 in __assert_fail_base (fmt=0x7ffff7728af8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x15285c8 "mdl_namespace_arg == USER_LOCK || ok_for_lower_case_names(db)", 
    file=0x15284f0 "/home/bar/maria-git/server.10.4/sql/mdl.h", line=436, function=<optimized out>) at assert.c:92
#3  0x00007ffff75cca66 in __GI___assert_fail (assertion=0x15285c8 "mdl_namespace_arg == USER_LOCK || ok_for_lower_case_names(db)", file=0x15284f0 "/home/bar/maria-git/server.10.4/sql/mdl.h", line=436, 
    function=0x1528520 "void MDL_key::mdl_key_init(MDL_key::enum_mdl_namespace, const char*, const char*)") at assert.c:101
#4  0x000000000094dc8e in MDL_key::mdl_key_init (this=0x7ffff07a9b20, mdl_namespace_arg=MDL_key::SCHEMA, db=0x7fffa4014898 "Db1", name_arg=0x16d8289 "") at /home/bar/maria-git/server.10.4/sql/mdl.h:436
#5  0x00000000009d90bd in MDL_request::init (this=0x7ffff07a9b00, mdl_namespace=MDL_key::SCHEMA, db_arg=0x7fffa4014898 "Db1", name_arg=0x16d8289 "", mdl_type_arg=MDL_EXCLUSIVE, mdl_duration_arg=MDL_TRANSACTION)
    at /home/bar/maria-git/server.10.4/sql/mdl.cc:1001
#6  0x0000000000cbb631 in lock_schema_name (thd=0x7fffa4000d90, db=0x7fffa4014898 "Db1") at /home/bar/maria-git/server.10.4/sql/lock.cc:869
#7  0x00000000007ee44f in mysql_alter_db_internal (thd=0x7fffa4000d90, db=0x7fffa40059f0, create_info=0x7ffff07aa268) at /home/bar/maria-git/server.10.4/sql/sql_db.cc:718
#8  0x00000000007ee795 in mysql_alter_db (thd=0x7fffa4000d90, db=0x7fffa40059f0, create_info=0x7fffa4006200) at /home/bar/maria-git/server.10.4/sql/sql_db.cc:790
#9  0x000000000084f59d in mysql_execute_command (thd=0x7fffa4000d90) at /home/bar/maria-git/server.10.4/sql/sql_parse.cc:5223
#10 0x00000000008583a9 in mysql_parse (thd=0x7fffa4000d90, rawbuf=0x7fffa40147e8 "ALTER DATABASE Db1 DEFAULT CHARACTER SET utf8", length=45, parser_state=0x7ffff07ab380, is_com_multi=false, is_next_command=false)
    at /home/bar/maria-git/server.10.4/sql/sql_parse.cc:8010
#11 0x0000000000844c88 in dispatch_command (command=COM_QUERY, thd=0x7fffa4000d90, packet=0x7fffa400ac41 "ALTER DATABASE Db1 DEFAULT CHARACTER SET utf8", packet_length=45, is_com_multi=false, is_next_command=false)
    at /home/bar/maria-git/server.10.4/sql/sql_parse.cc:1857

A similar crash happens if I add this script into the end of lowercase_table2.test:

CREATE DATABASE `#mysql50#D+b1`;
ALTER DATABASE `#mysql50#D+b1` UPGRADE DATA DIRECTORY NAME;
DROP DATABASE `#mysql50#D+b1`;

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff75bd8d9 in __GI_abort () at abort.c:79
#2  0x00007ffff75bd7a9 in __assert_fail_base (fmt=0x7ffff7728af8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
    assertion=0x15285c8 "mdl_namespace_arg == USER_LOCK || ok_for_lower_case_names(db)", file=0x15284f0 "/home/bar/maria-git/server.10.4/sql/mdl.h", line=436, function=<optimized out>)
    at assert.c:92
#3  0x00007ffff75cca66 in __GI___assert_fail (assertion=0x15285c8 "mdl_namespace_arg == USER_LOCK || ok_for_lower_case_names(db)", 
    file=0x15284f0 "/home/bar/maria-git/server.10.4/sql/mdl.h", line=436, function=0x1528520 "void MDL_key::mdl_key_init(MDL_key::enum_mdl_namespace, const char*, const char*)")
    at assert.c:101
#4  0x000000000094dc8e in MDL_key::mdl_key_init (this=0x7ffff07a97f0, mdl_namespace_arg=MDL_key::SCHEMA, db=0x7fffa40148c8 "#mysql50#D+b1", name_arg=0x16d8289 "")
    at /home/bar/maria-git/server.10.4/sql/mdl.h:436
#5  0x00000000009d90bd in MDL_request::init (this=0x7ffff07a97d0, mdl_namespace=MDL_key::SCHEMA, db_arg=0x7fffa40148c8 "#mysql50#D+b1", name_arg=0x16d8289 "", mdl_type_arg=MDL_EXCLUSIVE, 
    mdl_duration_arg=MDL_TRANSACTION) at /home/bar/maria-git/server.10.4/sql/mdl.cc:1001
#6  0x0000000000cbb631 in lock_schema_name (thd=0x7fffa4000d90, db=0x7fffa40148c8 "#mysql50#D+b1") at /home/bar/maria-git/server.10.4/sql/lock.cc:869
#7  0x00000000007f0769 in mysql_upgrade_db (thd=0x7fffa4000d90, old_db=0x7fffa40059f0) at /home/bar/maria-git/server.10.4/sql/sql_db.cc:1690
#8  0x000000000084f489 in mysql_execute_command (thd=0x7fffa4000d90) at /home/bar/maria-git/server.10.4/sql/sql_parse.cc:5212
#9  0x00000000008583a9 in mysql_parse (thd=0x7fffa4000d90, rawbuf=0x7fffa40147e8 "ALTER DATABASE `#mysql50#D+b1` UPGRADE DATA DIRECTORY NAME", length=58, parser_state=0x7ffff07ab380, 
    is_com_multi=false, is_next_command=false) at /home/bar/maria-git/server.10.4/sql/sql_parse.cc:8010
#10 0x0000000000844c88 in dispatch_command (command=COM_QUERY, thd=0x7fffa4000d90, packet=0x7fffa400ac41 "ALTER DATABASE `#mysql50#D+b1` UPGRADE DATA DIRECTORY NAME", packet_length=58, 
    is_com_multi=false, is_next_command=false) at /home/bar/maria-git/server.10.4/sql/sql_parse.cc:1857

The crashes happen because mysql_alter_db_internal() and mysql_upgrade_db() do not normalize the database name. In case of lower-case-table-names>0 they should normalize the database name to lower case.
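
The invariant behind both backtraces, as an added C++ model that is not MariaDB source and not part of the original report. Only the name ok_for_lower_case_names comes from the assertion text; the helper names, the "SCHEMA/" key format and the ASCII-only case folding are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Stand-in for the server option lower-case-table-names (2 as in the report).
static int lower_case_table_names = 2;

// Model of the asserted invariant: with a non-zero setting, a schema name
// used in a lock key must already be lower case. ASCII-only assumption.
bool ok_for_lower_case_names(const std::string &db) {
  if (lower_case_table_names == 0) return true;
  return std::none_of(db.begin(), db.end(),
                      [](unsigned char c) { return std::isupper(c) != 0; });
}

// Hypothetical helper: fold the name before it reaches the lock layer.
std::string normalize_db_name(std::string db) {
  if (lower_case_table_names == 0) return db;
  std::transform(db.begin(), db.end(), db.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  return db;
}

// Builds the schema lock key; returns false where a debug build would abort.
bool schema_lock_key(const std::string &db, std::string &key) {
  if (!ok_for_lower_case_names(db)) return false;
  key = "SCHEMA/" + db;  // constructed key format, not the server's
  return true;
}

// Caller that passes the name exactly as the client wrote it.
bool lock_schema_unnormalized(const std::string &db, std::string &key) {
  return schema_lock_key(db, key);
}

// Caller that normalizes first, as the description says it should.
bool lock_schema_normalized(const std::string &db, std::string &key) {
  return schema_lock_key(normalize_db_name(db), key);
}

int main() {
  const char *names[] = {"Db1", "#mysql50#D+b1", "db1"};  // constructed input
  for (const char *n : names) {
    std::string raw, folded;
    bool raw_ok = lock_schema_unnormalized(n, raw);
    lock_schema_normalized(n, folded);
    std::cout << n << ": unnormalized "
              << (raw_ok ? "ok" : "trips the invariant")
              << ", normalized key " << folded << "\n";
  }
  return 0;
}
```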



 Comments   
Comment by Alexander Barkov [ 2023-08-30 ]

This problem was fixed in 11.3 by the patch for MDEV-32026.

Still need to backport to 10.4.

Comment by Alexander Barkov [ 2023-09-04 ]

The crash is also repeatable with Debug builds on Windows:

#
# MDEV-32025 Crashes in MDL_key::mdl_key_init with lower-case-table-names=2
#
CREATE DATABASE `#mysql50#D+b1`;
ALTER DATABASE `#mysql50#D+b1` UPGRADE DATA DIRECTORY NAME;
 
More results from queries before failure can be found in D:\Buildbot\amd64-windows\build\mysql-test\var\3\log\lowercase_table2.log
 
 
Server [mysqld.1 - pid: 24900, winpid: 24900, exit: 768] failed during test run
Server log from this test:
----------SERVER LOG START-----------
$ D:/Buildbot/amd64-windows/build/sql//Debug/mysqld.exe --defaults-group-suffix=.1 --defaults-file=D:/Buildbot/amd64-windows/build/mysql-test/var/3/my.cnf --log-output=file --innodb --innodb-cmpmem --innodb-cmp-per-index --innodb-trx --innodb-locks --innodb-lock-waits --innodb-metrics --innodb-buffer-pool-stats --innodb-buffer-page --innodb-buffer-page-lru --innodb-sys-columns --innodb-sys-fields --innodb-sys-foreign --innodb-sys-foreign-cols --innodb-sys-indexes --innodb-sys-tables --innodb-sys-virtual --lower-case-table-names=2 --core-file --loose-debug-sync-timeout=300
2023-09-04 12:22:28 0 [Note] Starting MariaDB 10.4.32-MariaDB-debug-log source revision bd89317e2543e09d342a30e713027f33e9710c52 as process 14108
2023-09-04 12:22:28 0 [Note] Plugin 'partition' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'SEQUENCE' is disabled.
2023-09-04 12:22:28 0 [Note] InnoDB: !!!!!!!! UNIV_DEBUG switched on !!!!!!!!!
2023-09-04 12:22:28 0 [Note] InnoDB: Mutexes and rw_locks use Windows interlocked functions
2023-09-04 12:22:28 0 [Note] InnoDB: Uses event mutexes
2023-09-04 12:22:28 0 [Note] InnoDB: Compressed tables use zlib 1.2.13
2023-09-04 12:22:28 0 [Note] InnoDB: Number of pools: 1
2023-09-04 12:22:28 0 [Note] InnoDB: Using SSE2 crc32 instructions
2023-09-04 12:22:28 0 [Note] InnoDB: Initializing buffer pool, total size = 8M, instances = 1, chunk size = 8M
2023-09-04 12:22:28 0 [Note] InnoDB: Completed initialization of buffer pool
2023-09-04 12:22:28 0 [Note] InnoDB: 128 out of 128 rollback segments are active.
2023-09-04 12:22:28 0 [Note] InnoDB: Creating shared tablespace for temporary tables
2023-09-04 12:22:28 0 [Note] InnoDB: Setting file '.\ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
2023-09-04 12:22:28 0 [Note] InnoDB: File '.\ibtmp1' size is now 12 MB.
2023-09-04 12:22:28 0 [Note] InnoDB: Waiting for purge to start
2023-09-04 12:22:28 0 [Note] InnoDB: 10.4.32 started; log sequence number 68767; transaction id 33
2023-09-04 12:22:28 0 [Note] InnoDB: Loading buffer pool(s) from D:\Buildbot\amd64-windows\build\mysql-test\var\3\mysqld.1\data\ib_buffer_pool
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_SYS_DATAFILES' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_SYS_TABLESTATS' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_MUTEXES' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_CMP' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_FT_DELETED' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_CMP_RESET' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_TABLESPACES_ENCRYPTION' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_CMPMEM_RESET' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'FEEDBACK' is disabled.
2023-09-04 12:22:28 0 [Note] InnoDB: Buffer pool(s) load completed at 230904 12:22:28
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_FT_INDEX_TABLE' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_CMP_PER_INDEX_RESET' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'user_variables' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_FT_INDEX_CACHE' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_FT_BEING_DELETED' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_FT_DEFAULT_STOPWORD' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_FT_CONFIG' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_SYS_TABLESPACES' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_TABLESPACES_SCRUBBING' is disabled.
2023-09-04 12:22:28 0 [Note] Plugin 'INNODB_SYS_SEMAPHORE_WAITS' is disabled.
2023-09-04 12:22:28 0 [Warning] D:/Buildbot/amd64-windows/build/sql//Debug/mysqld.exe: unknown option '--loose-pam-debug'
2023-09-04 12:22:28 0 [Warning] D:/Buildbot/amd64-windows/build/sql//Debug/mysqld.exe: unknown option '--loose-aria'
2023-09-04 12:22:28 0 [Note] Server socket created on IP: '::'.
2023-09-04 12:22:28 0 [Note] Reading of all Master_info entries succeeded
2023-09-04 12:22:28 0 [Note] Added new Master_info '' to hash table
2023-09-04 12:22:28 0 [Note] D:/Buildbot/amd64-windows/build/sql//Debug/mysqld.exe: ready for connections.
Version: '10.4.32-MariaDB-debug-log'  socket: ''  port: 16040  Source distribution
Assertion failed: mdl_namespace_arg == USER_LOCK || ok_for_lower_case_names(db), file D:\Buildbot\amd64-windows\build\sql\mdl.h, line 436
230904 12:22:28 [ERROR] mysqld got exception 0x80000003 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
 
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
 
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed, 
something is definitely wrong and this may fail.
 
Server version: 10.4.32-MariaDB-debug-log source revision: bd89317e2543e09d342a30e713027f33e9710c52
key_buffer_size=1048576
read_buffer_size=131072
max_used_connections=2
max_threads=65537
thread_count=6
It is possibleOS debug symbols will be downloaded and stored in C:\symbols.
You can control the location of symbol cache with _NT_SYMBOL_PATH
environment variable. Please refer to Microsoft KB article
http://support.microsoft.com/kb/311503  for details about _NT_SYMBOL_PATH
-------------------------------------------------------------------------
Output from cdb follows. Faulting thread is printed twice,with and without function parameters
Search for STACK_TEXT to see the stack trace of 
the faulting thread. Callstacks of other threads are printed after it.
 
Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
 
 
Loading Dump File [D:\Buildbot\amd64-windows\build\mysql-test\var\3\log\main.lowercase_table2-innodb\mysqld.1\data\mysqld.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available
 
 
Response                         Time (ms)     Location
OK                                             D:\Buildbot\amd64-windows\build\sql\Debug
OK                                             C:\Windows\System32
OK                                             .
Deferred                                       srv*C:\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: D:\Buildbot\amd64-windows\build\sql\Debug;C:\Windows\System32;.;srv*C:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: D:\Buildbot\amd64-windows\build\sql\Debug;C:\Windows\System32;.
Windows 10 Version 17763 MP (64 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
17763.1.amd64fre.rs5_release.180914-1434
Machine Name:
Debug session time: Mon Sep  4 12:22:29.000 2023 (UTC + 2:00)
System Uptime: not available
Process Uptime: 0 days 0:00:01.000
..................................
This dump file has a breakpoint exception stored in it.
The stored exception information can be accessed via .ecxr.
For analysis of this file, run !analyze -v
ntdll!NtGetContextThread:
             ret
0:030> cdb: Reading initial command '!sym prompts off; !analyze -v; .ecxr; !for_each_frame dv /t;!uniqstack -p;q'
quiet mode - symbol prompts off
 
 
 
EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ff78da22a45 (mysqld!my_sigabrt_handler)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 0000000000000000
 
WRONG_SYMBOLS_TIMESTAMP: 7dd1a0eb
 
WRONG_SYMBOLS_SIZE: 1ee000
 
FAULTING_MODULE: 00007fffd7400000 ntdll
 
ADDITIONAL_DEBUG_TEXT:  
You can run '.symfix; .reload' to try to fix the symbol path and load symbols. ; Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]
 
STACK_TEXT:  
mysqld!my_sigabrt_handler
ucrtbase!raise
ucrtbase!abort
ucrtbase!get_wpgmptr
ucrtbase!wassert
mysqld!MDL_key::mdl_key_init
mysqld!MDL_request::init
mysqld!lock_schema_name
mysqld!mysql_upgrade_db
mysqld!mysql_execute_command
mysqld!mysql_parse
mysqld!dispatch_command
mysqld!do_command
mysqld!threadpool_process_request
mysqld!tp_callback
mysqld!tp_callback
mysqld!work_callback
ntdll!RtlInitializeCriticalSection
ntdll!RtlAcquireSRWLockExclusive
kernel32!BaseThreadInitThunk
ntdll!RtlUserThreadStart
 
 
STACK_COMMAND:  .ecxr ; kb ; ** Pseudo Context ** Pseudo ** Value: 2700c839f20 ** ; kb
 
FAULTING_SOURCE_LINE:  D:\Buildbot\amd64-windows\build\mysys\my_thr_init.c
 
FAULTING_SOURCE_FILE:  D:\Buildbot\amd64-windows\build\mysys\my_thr_init.c
 
FAULTING_SOURCE_LINE_NUMBER:  485
 
FAULTING_SOURCE_CODE:  
   481: 
   482: #if (_MSC_VER >= 1400)
   483: static void my_sigabrt_handler(int sig)
   484: {
>  485:   __debugbreak();
   486: }
   487: #endif /*_MSC_VER >=1400 */
   488: 
   489: static void install_sigabrt_handler(void)
   490: {

Comment by Alexander Barkov [ 2023-09-05 ]

serg, can you please review this patch:
https://github.com/MariaDB/server/commit/3875fc0858cc26b17568aa808b0300398c2273da
?
Thanks.

Comment by Sergei Golubchik [ 2023-10-22 ]

3875fc0858c is ok to push
