[MDEV-7774] Crash when dropping user within rebuild_role_grants Created: 2015-03-13  Updated: 2015-05-03  Resolved: 2015-05-03

Status: Closed
Project: MariaDB Server
Component/s: Admin statements
Affects Version/s: 10.1.3, 10.0
Fix Version/s: 10.0.18

Type: Bug
Priority: Major
Reporter: Vicențiu Ciorbaru
Assignee: Vicențiu Ciorbaru
Resolution: Fixed
Votes: 0
Labels: None


Description

Server crashes when running the following test case:

CREATE USER u1;
CREATE ROLE r1;
CREATE ROLE r2;
GRANT r1 to u1;
GRANT r2 to r1;
delimiter |;
create procedure mysql.test_proc (OUT param1 INT)
begin
  select COUNT(*) into param1 from mysql.roles_mapping;
end|
delimiter ;|
GRANT EXECUTE ON PROCEDURE mysql.test_proc TO r1;
GRANT EXECUTE ON PROCEDURE mysql.test_proc TO u1;
CREATE FUNCTION mysql.test_func (param INT) RETURNS INT
  RETURN (SELECT COUNT(*) FROM mysql.user);
GRANT EXECUTE ON FUNCTION mysql.test_func TO r1;
GRANT EXECUTE ON FUNCTION mysql.test_func TO u1;
DROP PROCEDURE mysql.test_proc;
DROP FUNCTION mysql.test_func;
DROP ROLE r1;
DROP USER u1;

Stack trace is:

Server version: 10.1.3-MariaDB-wsrep-debug-log
key_buffer_size=1048576
read_buffer_size=131072
max_used_connections=1
max_threads=153
thread_count=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63099 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
 
Thread pointer: 0x0x7f80cf212070
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f80d7dfcde8 thread_stack 0x48000
mysys/stacktrace.c:246(my_print_stacktrace)[0xfcf223]
sql/signal_handler.cc:155(handle_fatal_signal)[0x88e3cb]
/lib/x86_64-linux-gnu/libpthread.so.0(+0xfc90)[0x7f80d6fb4c90]
/lib/x86_64-linux-gnu/libc.so.6(gsignal+0x37)[0x7f80d63ebe37]
/lib/x86_64-linux-gnu/libc.so.6(abort+0x148)[0x7f80d63ed528]
/lib/x86_64-linux-gnu/libc.so.6(+0x2fce6)[0x7f80d63e4ce6]
/lib/x86_64-linux-gnu/libc.so.6(+0x2fd92)[0x7f80d63e4d92]
sql/sql_acl.cc:2611(add_role_user_mapping_action)[0x5cd9b6]
mysys/hash.c:761(my_hash_iterate)[0xfa6c1e]
sql/sql_acl.cc:2637(rebuild_role_grants)[0x5cda68]
sql/sql_acl.cc:9582(mysql_drop_user(THD*, List<st_lex_user>&, bool))[0x5e4047]
sql/sql_parse.cc:4543(mysql_execute_command(THD*))[0x664443]
sql/sql_parse.cc:7152(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x66c1d0]
sql/sql_parse.cc:1463(dispatch_command(enum_server_command, THD*, char*, unsigned int))[0x65b24f]
sql/sql_parse.cc:1090(do_command(THD*))[0x65a00c]
sql/sql_connect.cc:1347(do_handle_one_connection(THD*))[0x791e27]
sql/sql_connect.cc:1259(handle_one_connection)[0x791b70]
perfschema/pfs.cc:1862(pfs_spawn_thread)[0xc1aaff]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x80a5)[0x7f80d6fad0a5]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7f80d64aecfd]
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x7f80ccce4088): DROP USER u1
Connection ID (thread ID): 3
Status: NOT_KILLED



Comments
Comment by Elena Stepanova [ 2015-03-13 ]

Smaller test case (at least for a debug build):

CREATE ROLE r1;
CREATE ROLE r2;
GRANT r2 to r1;
DROP ROLE r1;
DROP USER u1;

mysqld: 10.1/sql/sql_acl.cc:2610: my_bool add_role_user_mapping_action(void*, void*): Assertion `status == 0' failed.
150313 16:02:10 [ERROR] mysqld got signal 6 ;

Stack trace from 10.1 commit 702fba1511c90ea9c72b6c00122e0f31a05237b4

#6  0x00007fd951d89311 in *__GI___assert_fail (assertion=0x7fd954fd9a26 "status == 0", file=<optimized out>, line=2610, function=0x7fd954fdd000 "my_bool add_role_user_mapping_action(void*, void*)") at assert.c:81
#7  0x00007fd954625ec1 in add_role_user_mapping_action (ptr=0x7fd94aded8c0, unused=0x0) at 10.1/sql/sql_acl.cc:2610
#8  0x00007fd954f03952 in my_hash_iterate (hash=0x7fd95599d620, action=0x7fd954625e5f <add_role_user_mapping_action(void*, void*)>, argument=0x0) at 10.1/mysys/hash.c:761
#9  0x00007fd954625f6d in rebuild_role_grants () at 10.1/sql/sql_acl.cc:2635
#10 0x00007fd95463bd74 in mysql_drop_user (thd=0x7fd94ae5b070, list=..., handle_as_role=false) at 10.1/sql/sql_acl.cc:9579
#11 0x00007fd9546b8d6a in mysql_execute_command (thd=0x7fd94ae5b070) at 10.1/sql/sql_parse.cc:4544
#12 0x00007fd9546c0b4c in mysql_parse (thd=0x7fd94ae5b070, rawbuf=0x7fd9488e0088 "DROP USER u1", length=12, parser_state=0x7fd95416c1b0) at 10.1/sql/sql_parse.cc:7152
#13 0x00007fd9546afb97 in dispatch_command (command=COM_QUERY, thd=0x7fd94ae5b070, packet=0x7fd94cffa071 "DROP USER u1", packet_length=12) at 10.1/sql/sql_parse.cc:1461
#14 0x00007fd9546ae972 in do_command (thd=0x7fd94ae5b070) at 10.1/sql/sql_parse.cc:1090
#15 0x00007fd9547df757 in do_handle_one_connection (thd_arg=0x7fd94ae5b070) at 10.1/sql/sql_connect.cc:1347
#16 0x00007fd9547df49c in handle_one_connection (arg=0x7fd94ae5b070) at 10.1/sql/sql_connect.cc:1258
#17 0x00007fd954d94496 in pfs_spawn_thread (arg=0x7fd9514235f0) at 10.1/storage/perfschema/pfs.cc:1860
#18 0x00007fd953da5b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#19 0x00007fd951e3a70d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

Comment by Sergei Golubchik [ 2015-03-13 ]

Does this also happen in 10.0?

Comment by Elena Stepanova [ 2015-03-13 ]

Yes, it also happens in 10.0.

Comment by Vicențiu Ciorbaru [ 2015-05-03 ]

Fixed with:
https://github.com/MariaDB/server/commit/6c55e52b108d43dead9aef82e791f3de7a2dd93f
