[MDEV-32155] MariaDB Server crashes with ill-formed partitions Created: 2023-09-12  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.3.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1

Type: Bug Priority: Critical
Reporter: Yu Liang Assignee: Michael Widenius
Resolution: Unresolved Votes: 0
Labels: crash
Environment:

Ubuntu Desktop 20.04 LTS
Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz


Issue Links:
Relates
relates to MDEV-31417 ASAN errors in ha_partition::create_h... Closed

Description

The latest version of MariaDB Server (Git commit hash `e987b9350cb83038c73`) crashes when executing the following query:

```
drop database if exists test;
create database test;
use test;
CREATE TABLE IF NOT EXISTS v0 ( c1 SET ( 'abc' ) BINARY UNICODE ) PARTITION BY LINEAR HASH ( c1 MOD c1 ) PARTITIONS 0x100 ;
ALTER TABLE v0 CHECK PARTITION ALL FOR UPGRADE ;
ALTER TABLE v0 LOCK SHARED , ORDER BY v0 ;
```

Here is a crashing stack trace:

```
(gdb) bt
#0  0x0000aaaada90e030 in ha_partition::create_handlers (mem_root=0xffff8412ceb0, this=0xffff280caa90) at /home/mysql/mariadb/sql/ha_partition.cc:3034
#1  ha_partition::create_handlers (this=0xffff280caa90, mem_root=0xffff8412ceb0) at /home/mysql/mariadb/sql/ha_partition.cc:3015
#2  0x0000aaaada90e2b0 in ha_partition::setup_engine_array (this=0xffff280caa90, mem_root=0xffff8412ceb0, first_engine=0xaaaae03f49c8)
    at /home/mysql/mariadb/sql/ha_partition.cc:3271
#3  0x0000aaaada90f310 in ha_partition::initialize_partition (this=0xffff280caa90, mem_root=<optimized out>) at /home/mysql/mariadb/sql/ha_partition.cc:569
#4  0x0000aaaada9108fc in partition_create_handler (hton=0xaaaae03e1108, share=0xffff8412ce28, mem_root=0xffff8412ceb0) at /home/mysql/mariadb/sql/ha_partition.cc:264
#5  0x0000aaaada7220d0 in get_new_handler (share=share@entry=0xffff8412ce28, alloc=0xffff8412ceb0, db_type=<optimized out>) at /home/mysql/mariadb/sql/handler.cc:384
#6  0x0000aaaada5cc184 in TABLE_SHARE::init_from_binary_frm_image (this=this@entry=0xffff8412ce28, thd=thd@entry=0xffff28000c68, write=<optimized out>,
    frm_image=<optimized out>, frm_length=<optimized out>, par_image=par_image@entry=0x0, par_length=par_length@entry=0) at /home/mysql/mariadb/sql/handler.h:1717
#7  0x0000aaaada72a780 in ha_create_table (thd=thd@entry=0xffff28000c68, path=path@entry=0xffff8412fa47 "./test/#sql-alter-5c73-3", db=0xffff28012b48 "test",
    table_name=0xffff28012400 "v0", create_info=0xffff8412fde0, create_info@entry=0xffff8412fb90, frm=frm@entry=0xffff8412d4e8, skip_frm_file=false,
    skip_frm_file@entry=64) at /home/mysql/mariadb/sql/handler.cc:6122
#8  0x0000aaaada5a732c in mysql_alter_table (thd=thd@entry=0xffff28000c68, new_db=new_db@entry=0xffff280058b8, new_name=new_name@entry=0xffff28005d08,
    create_info=0xffff8412fb90, create_info@entry=0xffff8412fde0, table_list=<optimized out>, table_list@entry=0xffff28012438, recreate_info=0xffff00000000,
    recreate_info@entry=0xffff8412fce0, alter_info=alter_info@entry=0xffff8412fcf8, order_num=2215836944, order=<optimized out>, ignore=<optimized out>,
    if_exists=<optimized out>) at /home/mysql/mariadb/sql/sql_alter.h:298
#9  0x0000aaaada603c94 in Sql_cmd_alter_table::execute (this=<optimized out>, thd=0xffff28000c68) at /home/mysql/mariadb/sql/structs.h:568
#10 0x0000aaaada507028 in mysql_execute_command (thd=thd@entry=0xffff28000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)
    at /home/mysql/mariadb/sql/sql_parse.cc:5733
#11 0x0000aaaada4f9760 in mysql_parse (thd=thd@entry=0xffff28000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>)
    at /home/mysql/mariadb/sql/sql_parse.cc:7760
#12 0x0000aaaada50382c in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0xffff28000c68,
    packet=packet@entry=0xffff280087b9 "ALTER TABLE v0 LOCK SHARED , ORDER BY v0", packet_length=packet_length@entry=40, blocking=blocking@entry=true)
    at /home/mysql/mariadb/sql/sql_class.h:1489
#13 0x0000aaaada505488 in do_command (thd=0xffff28000c68, blocking=blocking@entry=true) at /home/mysql/mariadb/sql/sql_parse.cc:1406
#14 0x0000aaaada5ff814 in do_handle_one_connection (connect=<optimized out>, put_in_cache=put_in_cache@entry=true) at /home/mysql/mariadb/sql/sql_connect.cc:1445
#15 0x0000aaaada5ffbf0 in handle_one_connection (arg=arg@entry=0xaaaae0a66aa8) at /home/mysql/mariadb/sql/sql_connect.cc:1347
#16 0x0000aaaada917698 in pfs_spawn_thread (arg=<optimized out>) at /home/mysql/mariadb/storage/perfschema/pfs.cc:2201
#17 0x0000ffff9ac3d624 in start_thread (arg=0xaaaada9175f8 <pfs_spawn_thread(void*)>) at pthread_create.c:477
#18 0x0000ffff9a8cc49c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78
```
 
Some other useful information: 
 
```
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off,hash_join_cardinality=on,sargable_casefold=on
```

The bug could corrupt the database, causing future MariaDB access to the same database to also crash. Therefore, I label the bug as `Critical`.



Comments
Comment by Alice Sherepa [ 2023-09-13 ]

Thank you!
I repeated as described on 10.4-11.3

```
Version: '10.4.32-MariaDB-debug-log'
=================================================================
==1350357==ERROR: AddressSanitizer: use-after-poison on address 0x617000049cb0 at pc 0x5631cfe5b539 bp 0x7ff535bee930 sp 0x7ff535bee920
READ of size 8 at 0x617000049cb0 thread T27
    #0 0x5631cfe5b538 in ha_partition::create_handlers(st_mem_root*) /10.4/src/sql/ha_partition.cc:2888
    #1 0x5631cfe5d763 in ha_partition::setup_engine_array(st_mem_root*, handlerton*) /10.4/src/sql/ha_partition.cc:3124
    #2 0x5631cfe5e5e0 in ha_partition::get_from_handler_file(char const*, st_mem_root*, bool) /10.4/src/sql/ha_partition.cc:3237
    #3 0x5631cfe4ae14 in ha_partition::initialize_partition(st_mem_root*) /10.4/src/sql/ha_partition.cc:512
    #4 0x5631cfe48715 in partition_create_handler /10.4/src/sql/ha_partition.cc:185
    #5 0x5631cf64accf in get_new_handler(TABLE_SHARE*, st_mem_root*, handlerton*) /10.4/src/sql/handler.cc:316
    #6 0x5631cf19e151 in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /10.4/src/sql/table.cc:2091
    #7 0x5631cf671504 in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*) /10.4/src/sql/handler.cc:5299
    #8 0x5631cf111f64 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool) /10.4/src/sql/sql_table.cc:10504
    #9 0x5631cf29e48b in Sql_cmd_alter_table::execute(THD*) /10.4/src/sql/sql_alter.cc:531
    #10 0x5631cee98c49 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:6218
    #11 0x5631ceea4794 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012
    #12 0x5631cee7abba in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
    #13 0x5631cee776e5 in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
    #14 0x5631cf28531a in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
    #15 0x5631cf284bbe in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
    #16 0x5631cff2ece7 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
    #17 0x7ff54c7c2608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #18 0x7ff54c393132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

0x617000049cb0 is located 176 bytes inside of 652-byte region [0x617000049c00,0x617000049e8c)
allocated by thread T27 here:
    #0 0x7ff54cdc0808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5631d0ac452e in sf_malloc /10.4/src/mysys/safemalloc.c:118
    #2 0x5631d0a92a92 in my_malloc /10.4/src/mysys/my_malloc.c:101
    #3 0x5631d0a6d9db in init_alloc_root /10.4/src/mysys/my_alloc.c:85
    #4 0x5631cfe48a6c in ha_partition::ha_partition_init() /10.4/src/sql/ha_partition.cc:247
    #5 0x5631cfe48921 in ha_partition::ha_partition(handlerton*, TABLE_SHARE*) /10.4/src/sql/ha_partition.cc:238
    #6 0x5631cfe486f7 in partition_create_handler /10.4/src/sql/ha_partition.cc:184
    #7 0x5631cf64accf in get_new_handler(TABLE_SHARE*, st_mem_root*, handlerton*) /10.4/src/sql/handler.cc:316
    #8 0x5631cf19e151 in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /10.4/src/sql/table.cc:2091
    #9 0x5631cf671504 in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*) /10.4/src/sql/handler.cc:5299
    #10 0x5631cf111f64 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool) /10.4/src/sql/sql_table.cc:10504
    #11 0x5631cf29e48b in Sql_cmd_alter_table::execute(THD*) /10.4/src/sql/sql_alter.cc:531
    #12 0x5631cee98c49 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:6218
    #13 0x5631ceea4794 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012
    #14 0x5631cee7abba in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
    #15 0x5631cee776e5 in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
    #16 0x5631cf28531a in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
    #17 0x5631cf284bbe in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
    #18 0x5631cff2ece7 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
    #19 0x7ff54c7c2608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477

Thread T27 created by T0 here:
    #0 0x7ff54cced815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x5631cff2f0d8 in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919
    #2 0x5631ceb73f71 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275
    #3 0x5631ceb8c0e0 in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6287
    #4 0x5631ceb8c87b in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6357
    #5 0x5631ceb8cd61 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6455
    #6 0x5631ceb8dc1d in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6613
    #7 0x5631ceb8b7e5 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5945
    #8 0x5631ceb71f3c in main /10.4/src/sql/main.cc:25
    #9 0x7ff54c298082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: use-after-poison /10.4/src/sql/ha_partition.cc:2888 in ha_partition::create_handlers(st_mem_root*)
Shadow bytes around the buggy address:
  0x0c2e80001340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80001350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80001360: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e80001370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e80001380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2e80001390: 00 f7 00 00 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c2e800013a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c2e800013b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c2e800013c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c2e800013d0: f7 04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e800013e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1350357==ABORTING
----------SERVER LOG END-------------
```

```
Version: '10.11.5-MariaDB'
230913 12:03:44 [ERROR] mysqld got signal 11 ;

Server version: 10.11.5-MariaDB source revision: 7875294b6b74b53dd3aaa723e6cc103d2bb47b2c

sql/signal_handler.cc:241(handle_fatal_signal)[0x5555f967e4c7]
sigaction.c:0(__restore_rt)[0x7f064a938420]
sql/ha_partition.cc:583(ha_partition::initialize_partition(st_mem_root*))[0x5555f98c1bbf]
sql/ha_partition.cc:264(partition_create_handler(handlerton*, TABLE_SHARE*, st_mem_root*))[0x5555f98c38d2]
sql/handler.cc:379(get_new_handler(TABLE_SHARE*, st_mem_root*, handlerton*))[0x5555f9680ef1]
sql/table.cc:2311(TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long, unsigned char const*, unsigned long))[0x5555f951fb9e]
sql/handler.cc:5962(ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*, bool))[0x5555f968a0bf]
sql/sql_table.cc:10947(mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool, bool))[0x5555f94eb4b1]
sql/sql_alter.cc:609(Sql_cmd_alter_table::execute(THD*))[0x5555f9552850]
sql/sql_parse.cc:6025(mysql_execute_command(THD*, bool))[0x5555f943a047]
sql/sql_parse.cc:8035(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x5555f943dd8b]
sql/sql_parse.cc:1953(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x5555f94401c8]
sql/sql_parse.cc:1409(do_command(THD*, bool))[0x5555f94416f3]
sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x5555f954d5e7]
sql/sql_connect.cc:1324(handle_one_connection)[0x5555f954d884]
perfschema/pfs.cc:2204(pfs_spawn_thread)[0x5555f98d0d6c]
nptl/pthread_create.c:478(start_thread)[0x7f064a92c609]

Query (0x7f05f8010c20): ALTER TABLE v0 LOCK SHARED , ORDER BY v0
```

When trying to start the server after the crash:

```
230913 18:12:52 [ERROR] mysqld got signal 11 ;

Server version: 10.11.5-MariaDB source revision: 7875294b6b74b53dd3aaa723e6cc103d2bb47b2c

Thread pointer: 0x55d38ce34918
sql/signal_handler.cc:241(handle_fatal_signal)[0x55d389a7e4c7]
sigaction.c:0(__restore_rt)[0x7fcea6da8420]
sql/ha_partition.cc:2468(ha_partition::del_ren_table(char const*, char const*))[0x55d389cc1cc2]
sql/handler.cc:573(hton_drop_table(handlerton*, char const*))[0x55d389a8471f]
sql/ddl_log.cc:2239(ddl_log_execute_entry_no_lock(THD*, unsigned int))[0x55d3898ff35d]
sql/ddl_log.cc:2795(ddl_log_execute_recovery())[0x55d389900afc]
sql/mysqld.cc:5508(init_server_components())[0x55d38973e6ba]
sql/mysqld.cc:5838(mysqld_main(int, char**))[0x55d389745084]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0x7fcea688d083]

Query (0x55d38ad26d60): INTERNAL DDL LOG RECOVER IN PROGRESS
```

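The two signal-11 reports quoted in the comment above have the same shape: a `mysqld got signal` line, a `Server version ... source revision` line, a list of `file:line(function)[addr]` frames and a final `Query (...)` line. As an added triage example (this is not code from the issue or from the MariaDB project), the parser below turns such reports from an error log into structured records, drops the two frames the signal handler always contributes, and flags the case the reporter warns about: a crash whose query is `INTERNAL DDL LOG RECOVER IN PROGRESS`, i.e. the server dying again while replaying the DDL log at startup. The sample log is constructed by abbreviating the traces in this issue; the frame-line regex matches the format shown here and may need adjusting for other builds.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: both crash reports from this issue, abbreviated.
SAMPLE_LOG = """\
Version: '10.11.5-MariaDB'
230913 12:03:44 [ERROR] mysqld got signal 11 ;
Server version: 10.11.5-MariaDB source revision: 7875294b6b74b53dd3aaa723e6cc103d2bb47b2c
sql/signal_handler.cc:241(handle_fatal_signal)[0x5555f967e4c7]
sigaction.c:0(__restore_rt)[0x7f064a938420]
sql/ha_partition.cc:583(ha_partition::initialize_partition(st_mem_root*))[0x5555f98c1bbf]
sql/ha_partition.cc:264(partition_create_handler(handlerton*, TABLE_SHARE*, st_mem_root*))[0x5555f98c38d2]
sql/handler.cc:379(get_new_handler(TABLE_SHARE*, st_mem_root*, handlerton*))[0x5555f9680ef1]
Query (0x7f05f8010c20): ALTER TABLE v0 LOCK SHARED , ORDER BY v0
230913 18:12:52 [ERROR] mysqld got signal 11 ;
Server version: 10.11.5-MariaDB source revision: 7875294b6b74b53dd3aaa723e6cc103d2bb47b2c
Thread pointer: 0x55d38ce34918
sql/signal_handler.cc:241(handle_fatal_signal)[0x55d389a7e4c7]
sigaction.c:0(__restore_rt)[0x7fcea6da8420]
sql/ha_partition.cc:2468(ha_partition::del_ren_table(char const*, char const*))[0x55d389cc1cc2]
sql/handler.cc:573(hton_drop_table(handlerton*, char const*))[0x55d389a8471f]
sql/ddl_log.cc:2239(ddl_log_execute_entry_no_lock(THD*, unsigned int))[0x55d3898ff35d]
sql/ddl_log.cc:2795(ddl_log_execute_recovery())[0x55d389900afc]
sql/mysqld.cc:5508(init_server_components())[0x55d38973e6ba]
Query (0x55d38ad26d60): INTERNAL DDL LOG RECOVER IN PROGRESS
"""

# Timestamp prefix is kept loose so both old and new error-log date formats match.
SIGNAL_RE = re.compile(r"^(.*?)\[ERROR\] mysqld got signal (\d+)")
VERSION_RE = re.compile(r"^Server version: (\S+) source revision: ([0-9a-f]+)")
# file:line(function signature)[0xaddress], the format in this issue's traces
FRAME_RE = re.compile(r"^(\S+?):(\d+)\((.*)\)\[0x[0-9a-f]+\]$")
QUERY_RE = re.compile(r"^Query \(0x[0-9a-f]+\): (.*)$")

# The signal handler and the kernel trampoline sit on top of every trace
# and say nothing about where the fault happened.
NOISE_PREFIXES = ("sql/signal_handler.cc", "sigaction.c")

# Query text the server reports when it crashes during DDL-log replay at startup.
DDL_RECOVERY_QUERY = "INTERNAL DDL LOG RECOVER IN PROGRESS"


@dataclass
class Crash:
    timestamp: str
    signal: int
    version: str = ""
    revision: str = ""
    frames: List[str] = field(default_factory=list)  # "file:line function"
    query: Optional[str] = None

    def top_frame(self) -> Optional[str]:
        """First frame that is not signal-handler noise: the crash signature."""
        for frame in self.frames:
            if not frame.startswith(NOISE_PREFIXES):
                return frame
        return None

    def during_startup_recovery(self) -> bool:
        """True when the crash happened while replaying the DDL log, i.e. the
        server cannot come back up without manual intervention."""
        return self.query == DDL_RECOVERY_QUERY


def parse_crashes(text: str) -> List[Crash]:
    """Split an error-log excerpt into one Crash per 'mysqld got signal' block."""
    crashes: List[Crash] = []
    current: Optional[Crash] = None
    for line in text.splitlines():
        m = SIGNAL_RE.match(line)
        if m:
            current = Crash(timestamp=m.group(1).strip(), signal=int(m.group(2)))
            crashes.append(current)
            continue
        if current is None:
            continue  # lines before the first signal block are ignored
        m = VERSION_RE.match(line)
        if m:
            current.version, current.revision = m.group(1), m.group(2)
            continue
        m = FRAME_RE.match(line)
        if m:
            current.frames.append(f"{m.group(1)}:{m.group(2)} {m.group(3)}")
            continue
        m = QUERY_RE.match(line)
        if m:
            current.query = m.group(1)
    return crashes


if __name__ == "__main__":
    for crash in parse_crashes(SAMPLE_LOG):
        tag = "STARTUP-RECOVERY" if crash.during_startup_recovery() else "query"
        print(f"{crash.timestamp} signal {crash.signal} {crash.version}@{crash.revision[:10]}")
        print(f"  top frame: {crash.top_frame()}")
        print(f"  {tag}: {crash.query}")
```

Grouping crashes by `top_frame()` is what makes an error log searchable for "have we hit this issue before": both reports here land in `sql/ha_partition.cc`, and the second one is the startup-recovery case, which is the signal to stop restarting the service and look at the data directory instead of retrying.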
Generated at Thu Feb 08 10:29:14 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.