Bug #73635 mrg_myisam storage may result in crash in RPR Replication
Submitted: 19 Aug 2014 9:06
Modified: 11 Jul 2016 12:04
Reporter: qinglin zhang (OCA)
Status: Duplicate
Category: MySQL Server: Replication
Severity: S3 (Non-critical)
Version: 5.5
OS: Any
Assigned to:
CPU Architecture: Any
Tags: insert, MRG_MyISAM

[19 Aug 2014 9:06] qinglin zhang
Description:
When binlog_format=row, the binlog events in a single transaction may be laid out as follows:

begin;
table_map_event1
table_map_event2
table_map_event3
table_map_event4
...
table_map_eventn
row_log_event
commit;

But in replication mode, the relay log thread analyzes the events above, pushes them onto the list rli->tables_to_lock, and begins to lock them in rows_log_event::apply_log_event. The bt is below:
#1  0x000000000055456a in open_and_process_table (thd=0x2ab420c11000, start=0x2ab44d68a6a8, counter=0x2ab44d68a6cc, 
    flags=0, prelocking_strategy=0x2ab44d68a760)   tables->table->file->extra  
    at /home/ads/build23_6u0_x64/workspace/t-alisql-5.5.18/label/build23_6u0_x64/t-alisql-5.5.18/sql/sql_base.cc:4603
#2  open_tables (thd=0x2ab420c11000, start=0x2ab44d68a6a8, counter=0x2ab44d68a6cc, flags=0, 
    prelocking_strategy=0x2ab44d68a760)
    at /home/ads/build23_6u0_x64/workspace/t-alisql-5.5.18/label/build23_6u0_x64/t-alisql-5.5.18/sql/sql_base.cc:4938
#3  0x0000000000554da4 in open_and_lock_tables (thd=0x2ab420c11000, tables=0x2ab420c50700, derived=false, flags=0, 
    prelocking_strategy=<value optimized out>)
    at /home/ads/build23_6u0_x64/workspace/t-alisql-5.5.18/label/build23_6u0_x64/t-alisql-5.5.18/sql/sql_base.cc:5535
#4  0x000000000074d58b in open_and_lock_tables (this=0x2ab420c3b140, rli=0x2ab3e5293328)
    at /home/ads/build23_6u0_x64/workspace/t-alisql-5.5.18/label/build23_6u0_x64/t-alisql-5.5.18/sql/sql_base.h:475
#5  Rows_log_event::do_apply_event (this=0x2ab420c3b140, rli=0x2ab3e5293328)
    at /home/ads/build23_6u0_x64/workspace/t-alisql-5.5.18/label/build23_6u0_x64/t-alisql-5.5.18/sql/log_event.cc:7647
#6  0x0000000000522e15 in apply_event (ev=0x2ab420c3b140, thd=<value optimized out>, rli=0x2ab3e5293328)
    at /home/ads/build23_6u0_x64/workspace/t-alisql-5.5.18/label/build23_6u0_x64/t-alisql-5.5.18/sql/log_event.h:1137
#7  apply_event_and_update_pos (ev=0x2ab420c3b140, thd=<value optimized out>, rli=0x2ab3e5293328)
    at /home/ads/build23_6u0_x64/workspace/t-alisql-5.5.18/label/build23_6u0_x64/t-alisql-5.5.18/sql/slave.cc:2932
#8  0x000000000052d2a2 in exec_relay_log_event (arg=0x2ab3e5292000)
    at /home/ads/build23_6u0_x64/workspace/t-alisql-5.5.18/label/build23_6u0_x64/t-alisql-5.5.18/sql/slave.cc:4156
#9  handle_slave_sql (arg=0x2ab3e5292000)

When the storage is myisam_merge, ha_myisammrg::extra will be called and tables_list->next_global will be written again, which will corrupt tables_list->m_tabledef->m_field_metadata. The crash bt is below:

#0  0x00000000007bb70f in field_metadata (this=0x2acd09c30550, thd=0x2acd09c11000, rli=0x2acccca93328, table=0x2acd074ece00, 
    conv_table_var=0x2acd3510f7a8)
    at /home/ads/build23_6u0_x64/workspace/t-alisql-5.5.18/label/build23_6u0_x64/t-alisql-5.5.18/sql/rpl_utility.h:129
#1  table_def::compatible_with (this=0x2acd09c30550, thd=0x2acd09c11000, rli=0x2acccca93328, table=0x2acd074ece00, 
    conv_table_var=0x2acd3510f7a8)
    at /home/ads/build23_6u0_x64/workspace/t-alisql-5.5.18/label/build23_6u0_x64/t-alisql-5.5.18/sql/rpl_utility.cc:788
#2  0x000000000074d78f in Rows_log_event::do_apply_event (this=0x2acd09c3b140, rli=0x2acccca93328)
    at /home/ads/build23_6u0_x64/workspace/t-alisql-5.5.18/label/build23_6u0_x64/t-alisql-5.5.18/sql/log_event.cc:7686
#3  0x0000000000522e15 in apply_event (ev=0x2acd09c3b140, thd=<value optimized out>, rli=0x2acccca93328)
    at /home/ads/build23_6u0_x64/workspace/t-alisql-5.5.18/label/build23_6u0_x64/t-alisql-5.5.18/sql/log_event.h:1137
#4  apply_event_and_update_pos (ev=0x2acd09c3b140, thd=<value optimized out>, rli=0x2acccca93328)
    at /home/ads/build23_6u0_x64/workspace/t-alisql-5.5.18/label/build23_6u0_x64/t-alisql-5.5.18/sql/slave.cc:2932
#5  0x000000000052d2a2 in exec_relay_log_event (arg=0x2acccca92000)
    at /home/ads/build23_6u0_x64/workspace/t-alisql-5.5.18/label/build23_6u0_x64/t-alisql-5.5.18/sql/slave.cc:4156
#6  handle_slave_sql (arg=0x2acccca92000)
    at /home/ads/build23_6u0_x64/workspace/t-alisql-5.5.18/label/build23_6u0_x64/t-alisql-5.5.18/sql/slave.cc:5001
#7  0x0000003689407851 in start_thread () from /lib64/libpthread.so.0
#8  0x00000036890e767d in clone () from /lib64/libc.so.6
 

How to repeat:
none.

Suggested fix:
Skip extra() if the executing thread is the sql_thread.
[11 Jul 2016 12:04] MySQL Verification Team
Hello qinglin zhang,

Thank you for the report.
This reminds me of Bug #47103; please see Bug #47103.

Thanks,
Umesh