Bug #41212 crash after race condition between merge table and table_cache evictions
Submitted: 3 Dec 2008 19:31 Modified: 16 Jul 2009 14:15
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed Impact on me: None
Category: MySQL Server: Merge storage engine Severity: S1 (Critical)
Version: 5.0.74, 5.1.30, 6.0.5 OS: Windows (64-bit)
Assigned to: Sergei Glukhov CPU Architecture:Any
Tags: crash, merge

[3 Dec 2008 19:31] Shane Bester
Description:
00000001403C452F    mysqld.exe!memcpy()[memcpy.asm:151]
00000001402A275F    mysqld.exe!ha_myisammrg::info()[ha_myisammrg.cc:854]
00000001402A2471    mysqld.exe!ha_myisammrg::attach_children()[ha_myisammrg.cc:488]
00000001402A2788    mysqld.exe!ha_myisammrg::extra()[ha_myisammrg.cc:863]
000000014015FC5D    mysqld.exe!attach_merge_children()[sql_base.cc:4135]
000000014016A4C1    mysqld.exe!open_tables()[sql_base.cc:4697]
000000014016A898    mysqld.exe!open_and_lock_tables_derived()[sql_base.cc:4956]
000000014018BB54    mysqld.exe!mysql_insert()[sql_insert.cc:613]
000000014019EDD3    mysqld.exe!mysql_execute_command()[sql_parse.cc:3066]
00000001401A2F06    mysqld.exe!mysql_parse()[sql_parse.cc:5791]
00000001401A3C1A    mysqld.exe!dispatch_command()[sql_parse.cc:1202]
00000001401A4CD7    mysqld.exe!do_command()[sql_parse.cc:857]
0000000140246327    mysqld.exe!handle_one_connection()[sql_connect.cc:1115]
00000001402B82C5    mysqld.exe!pthread_start()[my_winthread.c:85]
00000001403CAC37    mysqld.exe!_callthreadstart()[thread.c:295]
00000001403CAD05    mysqld.exe!_threadstart()[thread.c:275]
0000000077D6B69A    kernel32.dll!BaseThreadStart()
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...

How to repeat:
wait and see
[4 Dec 2008 13:16] MySQL Verification Team
Testcase. Set host to some Windows box and run. Use the release binary, which is quicker to crash.

Attachment: bug41212.c (text/plain), 7.50 KiB.

[4 Dec 2008 13:29] MySQL Verification Team
This testcase uses "flush tables" to provoke the problem. But in real life the problem can happen normally if a merge table contains many base tables and the table_cache gets evicted. Also, SHOW INDEXES is not the only command that causes the problem; INSERT into the merge table can also do it.
[4 Dec 2008 15:56] Matthew Lord
Looks like this is not specific to Windows. Here's a stack trace from Linux
which shows the same hallmarks:

/usr/sbin/mysqld(my_print_stacktrace+0x2e)[0x83d3fe]
/usr/sbin/mysqld(handle_segfault+0x322)[0x5b98a2]
/lib64/libpthread.so.0[0x3c16c0de80]
/usr/sbin/mysqld(_Z23remove_table_from_cacheP3THDPKcS2_j+0xe0)[0x5fd870]
/usr/sbin/mysqld(_Z15lock_table_nameP3THDP10TABLE_LISTb+0x10e)[0x5b353e]
/usr/sbin/mysqld(_Z16lock_table_namesP3THDP10TABLE_LIST+0x40)[0x5b3590]
/usr/sbin/mysqld(_Z28lock_table_names_exclusivelyP3THDP10TABLE_LIST+0x9)[0x5b35e9]
/usr/sbin/mysqld(_Z20mysql_rm_table_part2P3THDP10TABLE_LISTbbbb+0x4d7)[0x69f5e7]
/usr/sbin/mysqld(_Z14mysql_rm_tableP3THDP10TABLE_LISTcc+0x4d)[0x69f9ad]
/usr/sbin/mysqld(_Z21mysql_execute_commandP3THD+0x2e45)[0x5c91d5]
/usr/sbin/mysqld(_Z11mysql_parseP3THDPKcjPS2_+0x1f1)[0x5cba11]
/usr/sbin/mysqld(_ZN15Query_log_event14do_apply_eventEPK14Relay_log_infoPKcj+0x389)[0x66e2d9]
/usr/sbin/mysqld(_Z26apply_event_and_update_posP9Log_eventP3THDP14Relay_log_infob+0x13d)[0x6c9ead]
/usr/sbin/mysqld(handle_slave_sql+0x6e8)[0x6ce788]
/lib64/libpthread.so.0[0x3c16c06307]
/lib64/libc.so.6(clone+0x6d)[0x3c164d1ded]

This occurred while dropping a merge table.
[18 Mar 2009 6:21] Satya B
Shane,

It was commented that it was also reproducible in a Linux environment. Can you please check if you are able to reproduce it on Linux?

I have tried running your script on Linux but couldn't reproduce it. Please help.
[18 Mar 2009 7:40] MySQL Verification Team
Hi Satya!

I found out that my win64 mysqld crashed almost instantly on this testcase.
However, win32 mysqld on the same box doesn't. So this appears to be 64-bit specific. Can you test on 64-bit Linux? I don't have one here.
[20 Mar 2009 9:42] Satya B
Couldn't reproduce on a 64-bit Linux machine, and I don't have a 64-bit Windows machine to reproduce it on :(
[27 Apr 2009 19:50] Sergey Vojtovich
See also BUG#40321.
[20 May 2009 7:10] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/74540

2750 Sergey Glukhov	2009-05-20
      Bug#41212 crash after race condition between merge table and table_cache evictions
      On 64-bit platforms: querying MERGE table with keys may cause
      server crash. The problem is generic and may affect any statement
      accessing MERGE table cardinality values.
      
      When the MERGE engine was copying cardinality statistics, it was
      using an incorrect size of element in the cardinality statistics array
      (sizeof(ptr)==8 instead of sizeof(ulong)==4), causing access
      of memory beyond the allocated bounds.
      
      This patch fixes the same issue for MyISAM in 5.0 (5.1 and up
      were fixed before).
      
      Also fixed that multiple-column indexes in MERGE table may cause
      incomplete cardinality statistics (for the following indexes)
      returned to the server.
     @ mysql-test/r/merge.result
        test result
     @ mysql-test/t/merge.test
        test case
     @ sql/ha_myisam.cc
        When copying rec_per_key array (an array of ulong) use proper
        size of element, that is sizeof(ulong).
     @ sql/ha_myisammrg.cc
        Removed obsolete rec_per_key array initialization.
        When copying rec_per_key array (an array of ulong) use proper
        size of element, that is sizeof(ulong).
     @ sql/table.cc
        When allocating rec_per_key array (an array of ulong) use proper
        size of element, that is sizeof(ulong).
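The commit message above describes the defect as a memcpy sized by sizeof(pointer) rather than sizeof(ulong). The following C model, added here as an illustration and not MySQL's code, shows why that byte count overruns an exactly-sized rec_per_key array, and why the overrun only shows up on some 64-bit targets: on Windows x64 (LLP64) `long` is 4 bytes while a pointer is 8, whereas on Linux x86-64 (LP64) both are 8, so the buggy count happens to equal the correct one there. That matches the win64-only reproduction reported in this thread. The `key_stats` struct, the function names and the sample cardinality values are assumptions constructed for the example; only the flat one-entry-per-key-part layout and the sizeof mix-up come from the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long ulong;

/* Hypothetical key descriptor (not MySQL's KEY): key_parts entries of
 * cardinality statistics living inside a table-wide flat ulong array. */
struct key_stats {
    unsigned key_parts;       /* columns in the index */
    const ulong *rec_per_key; /* this key's slice of the flat array */
};

/* Elements the table-wide rec_per_key array must hold: sum of all key parts. */
size_t total_key_parts(const struct key_stats *keys, size_t n_keys)
{
    size_t total = 0;
    for (size_t i = 0; i < n_keys; i++)
        total += keys[i].key_parts;
    return total;
}

/* Byte count as the patch computes it: elements * sizeof(ulong). */
size_t correct_bytes(size_t elems) { return elems * sizeof(ulong); }

/* Byte count as the pre-patch code computed it: elements * sizeof(pointer). */
size_t buggy_bytes(size_t elems) { return elems * sizeof(ulong *); }

/* Bytes the buggy count writes past an exactly-sized buffer on a given ABI.
 * LP64 (Linux x86-64): long=8, ptr=8 -> 0.  LLP64 (Windows x64): long=4, ptr=8
 * -> 4 bytes per element, which is the heap overrun behind the win64 crash. */
size_t overrun_for_abi(size_t elems, size_t sizeof_long, size_t sizeof_ptr)
{
    return sizeof_ptr > sizeof_long ? elems * (sizeof_ptr - sizeof_long) : 0;
}

/* Bounds-checked copy of src_elems entries into dst (capacity dst_elems).
 * use_buggy_size selects the pre-patch byte count. Returns elements copied,
 * or -1 where a raw memcpy would have written past the end of dst. */
long copy_rec_per_key(ulong *dst, size_t dst_elems,
                      const ulong *src, size_t src_elems, int use_buggy_size)
{
    size_t bytes = use_buggy_size ? buggy_bytes(src_elems) : correct_bytes(src_elems);
    if (bytes > dst_elems * sizeof(ulong))
        return -1;                  /* refuse instead of corrupting the heap */
    memcpy(dst, src, bytes);
    return (long)src_elems;
}

/* Copy every key's statistics into a MERGE table's flat array, advancing the
 * offset by key_parts per key so a multi-column index does not leave the
 * following indexes' entries unfilled. Returns elements copied or -1. */
long copy_all_keys(ulong *dst, size_t dst_elems,
                   const struct key_stats *keys, size_t n_keys, int use_buggy_size)
{
    size_t offset = 0;
    for (size_t i = 0; i < n_keys; i++) {
        long n = copy_rec_per_key(dst + offset, dst_elems - offset,
                                  keys[i].rec_per_key, keys[i].key_parts,
                                  use_buggy_size);
        if (n < 0)
            return -1;
        offset += (size_t)n;
    }
    return (long)offset;
}

/* Constructed sample: PRIMARY (1 part) plus a 3-column index, 4 entries. */
static const ulong sample_stats[4] = { 1, 50, 10, 1 };
static const struct key_stats sample_keys[2] = {
    { 1, sample_stats },
    { 3, sample_stats + 1 },
};

/* Copies the sample into a fresh, exactly-sized buffer and checks the result.
 * Returns 4 on a faithful copy, -1 if refused, -2 if copied but wrong. */
long run_sample(int use_buggy_size)
{
    ulong merge_stats[4] = { 0, 0, 0, 0 };
    long n = copy_all_keys(merge_stats, 4, sample_keys, 2, use_buggy_size);
    if (n == 4 && memcmp(merge_stats, sample_stats, sizeof merge_stats) != 0)
        return -2;
    return n;
}

int main(void)
{
    size_t elems = total_key_parts(sample_keys, 2);
    printf("elements %zu: correct %zu bytes, buggy %zu bytes\n",
           elems, correct_bytes(elems), buggy_bytes(elems));
    printf("overrun on LP64: %zu bytes, on LLP64: %zu bytes\n",
           overrun_for_abi(elems, 8, 8), overrun_for_abi(elems, 4, 8));
    printf("fixed copy: %ld, buggy copy on this host: %ld\n",
           run_sample(0), run_sample(1));
    return 0;
}
```

On an LP64 host both copies succeed, which is the behaviour Satya saw on Linux; on an LLP64 host the buggy count is refused by the bounds check that the example adds in place of the raw memcpy.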
[26 May 2009 17:19] MySQL Verification Team
Gluh!

The patch worked for me. Testcase didn't crash anymore...
[27 May 2009 12:09] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/75047

2755 Sergey Glukhov	2009-05-27
      Bug#41212 crash after race condition between merge table and table_cache evictions
      On 64-bit Windows: querying MERGE table with keys may cause
      server crash. The problem is generic and may affect any statement
      accessing MERGE table cardinality values.
      When the MERGE engine was copying cardinality statistics, it was
      using an incorrect size of element in the cardinality statistics array
      (sizeof(ptr)==8 instead of sizeof(ulong)==4), causing access
      of memory beyond the allocated bounds.
     @ sql/ha_myisam.cc
        When copying rec_per_key array (an array of ulong) use proper
        size of element, that is sizeof(ulong).
     @ sql/ha_myisammrg.cc
        When copying rec_per_key array (an array of ulong) use proper
        size of element, that is sizeof(ulong).
     @ sql/table.cc
        When allocating rec_per_key array (an array of ulong) use proper
        size of element, that is sizeof(ulong).
[28 May 2009 7:42] Bugs System
Pushed into 5.0.83 (revid:joro@sun.com-20090528073529-q9b8s60vlpu28fny) (version source revid:sergey.glukhov@sun.com-20090527103421-kno1uvnu8vj2nokh) (merge vers: 5.0.83) (pib:6)
[28 May 2009 8:21] Bugs System
Pushed into 5.1.36 (revid:joro@sun.com-20090528073639-yohsb4q1jzg7ycws) (version source revid:sergey.glukhov@sun.com-20090527104219-3bd8cjcpasq2us4k) (merge vers: 5.1.36) (pib:6)
[17 Jun 2009 19:27] Bugs System
Pushed into 5.4.4-alpha (revid:alik@sun.com-20090616183122-chjzbaa30qopdra9) (version source revid:azundris@mysql.com-20090529170733-wxq9j0idmss9rllz) (merge vers: 6.0.12-alpha) (pib:11)
[16 Jul 2009 14:15] Tony Bedford
An entry was added to each of the 5.0.83, 5.1.36 and 5.4.4 changelogs:

A crash occurred due to a race condition between the merge table and table_cache evictions.
[12 Aug 2009 22:47] Paul DuBois
Noted in 5.4.2 changelog because next 5.4 version will be 5.4.2 and not 5.4.4.
[15 Aug 2009 2:02] Paul DuBois
Ignore previous comment about 5.4.2.
[26 Aug 2009 13:46] Bugs System
Pushed into 5.1.37-ndb-7.0.8 (revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[26 Aug 2009 13:46] Bugs System
Pushed into 5.1.37-ndb-6.3.27 (revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (version source revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (merge vers: 5.1.37-ndb-6.3.27) (pib:11)
[26 Aug 2009 13:48] Bugs System
Pushed into 5.1.37-ndb-6.2.19 (revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (version source revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (merge vers: 5.1.37-ndb-6.2.19) (pib:11)
[27 Aug 2009 16:33] Bugs System
Pushed into 5.1.35-ndb-7.1.0 (revid:magnus.blaudd@sun.com-20090827163030-6o3kk6r2oua159hr) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[8 Oct 2009 19:35] Paul DuBois
The 5.4 fix has been pushed to 5.4.2.