|
mleich reported a crash while testing MDEV-32898:
|
bb-10.6-MDEV-32898-pkgtest 7a77e04d87c81e386fecffe3b56320cb0be29671
|
#4 0x000055af192f2791 in handle_fatal_signal (sig=11) at /data/Server/bb-10.6-MDEV-32898-pkgtest/sql/signal_handler.cc:357
|
#5 <signal handler called>
|
#6 mach_read_from_4 (b=0x8 <error: Cannot access memory at address 0x8>) at /data/Server/bb-10.6-MDEV-32898-pkgtest/storage/innobase/include/mach0data.inl:179
|
#7 buf_read_ahead_linear (page_id=..., zip_size=zip_size@entry=0, ibuf=ibuf@entry=false) at /data/Server/bb-10.6-MDEV-32898-pkgtest/storage/innobase/buf/buf0rea.cc:597
|
#8 0x000055af198d0aa7 in btr_cur_t::open_leaf (this=this@entry=0x7f255001faf8, first=first@entry=true, index=index@entry=0x7f2598081d50, latch_mode=latch_mode@entry=BTR_SEARCH_LEAF, mtr=mtr@entry=0x7f25c43c1ea0)
|
at /data/Server/bb-10.6-MDEV-32898-pkgtest/storage/innobase/btr/btr0cur.cc:2056
|
#9 0x000055af19813276 in btr_pcur_t::open_leaf (mtr=0x7f25c43c1ea0, latch_mode=BTR_SEARCH_LEAF, index=0x7f2598081d50, first=true, this=0x7f255001faf8)
|
at /data/Server/bb-10.6-MDEV-32898-pkgtest/storage/innobase/include/btr0pcur.h:393
|
#10 row_search_mvcc (buf=buf@entry=0x7f255001c520 "\377\377\377", mode=PAGE_CUR_G, prebuilt=<optimized out>, match_mode=<optimized out>, direction=direction@entry=0)
|
at /data/Server/bb-10.6-MDEV-32898-pkgtest/storage/innobase/row/row0sel.cc:4840
|
I checked the core dump, and bpage is pointing to the last element of buf_pool.watch, which is dummy block descriptors related to the change buffer, causing the frame address to be a null pointer.
This does not affect MariaDB Server 11.0 or later because MDEV-29694 removed that code.
It looks like in this function we are missing a call to buf_pool.watch_is_sentinel(bpage) here, similar to what we have in buf_page_init_for_read(). This bug could have been introduced in MDEV-15053 when some contention on buf_pool.mutex was removed.
|