Bug #78336 handle_fatal_signal (sig=11) in dict_table_t::get_ref_count
Submitted: 5 Sep 2015 4:26
Modified: 22 Sep 2015 14:40
Reporter: Roel Van de Paar
Status: Closed
Category: MySQL Server: InnoDB storage engine
Severity: S1 (Critical)
Version: 5.7.8 (RC2)
OS: Any
Assigned to:
CPU Architecture: Any

[5 Sep 2015 4:26] Roel Van de Paar
Description:
+bt
#0  0x00007fc2f8688771 in __pthread_kill (threadid=<optimized out>, signo=11) at ../nptl/sysdeps/unix/sysv/linux/pthread_kill.c:61
#1  0x0000000001721318 in my_write_core (sig=11) at /git/mysql-server_dbg/mysys/stacktrace.c:247
#2  0x0000000000dd6008 in handle_fatal_signal (sig=11) at /git/mysql-server_dbg/sql/signal_handler.cc:220
#3  <signal handler called>
#4  0x0000000001881e03 in dict_table_t::get_ref_count (this=0x0) at /git/mysql-server_dbg/storage/innobase/include/dict0dict.ic:1777
#5  0x00000000018ab6cc in i_s_sys_tables_fill_table_stats (thd=0x7fc22d81a000, tables=0x7fc22d82ceb0) at /git/mysql-server_dbg/storage/innobase/handler/i_s.cc:6775
#6  0x00000000014954d9 in do_fill_table (thd=0x7fc22d81a000, table_list=0x7fc22d82ceb0, qep_tab=0x7fc22d8a18f8) at /git/mysql-server_dbg/sql/sql_show.cc:7834
#7  0x00000000014958be in get_schema_tables_result (join=0x7fc22d8a1470, executed_place=PROCESSED_BY_JOIN_EXEC) at /git/mysql-server_dbg/sql/sql_show.cc:7936
#8  0x000000000146e923 in JOIN::prepare_result (this=0x7fc22d8a1470) at /git/mysql-server_dbg/sql/sql_select.cc:912
#9  0x00000000013d6704 in JOIN::exec (this=0x7fc22d8a1470) at /git/mysql-server_dbg/sql/sql_executor.cc:125
#10 0x000000000146d4e2 in handle_query (thd=0x7fc22d81a000, lex=0x7fc22d81c210, result=0x7fc22d82dc60, added_options=0, removed_options=0) at /git/mysql-server_dbg/sql/sql_select.cc:184
#11 0x0000000001424906 in execute_sqlcom_select (thd=0x7fc22d81a000, all_tables=0x7fc22d82ceb0) at /git/mysql-server_dbg/sql/sql_parse.cc:4843
#12 0x000000000141e332 in mysql_execute_command (thd=0x7fc22d81a000) at /git/mysql-server_dbg/sql/sql_parse.cc:2521
#13 0x000000000142584f in mysql_parse (thd=0x7fc22d81a000, parser_state=0x7fc2f8c81680) at /git/mysql-server_dbg/sql/sql_parse.cc:5255
#14 0x000000000141b458 in dispatch_command (thd=0x7fc22d81a000, com_data=0x7fc2f8c81dc0, command=COM_QUERY) at /git/mysql-server_dbg/sql/sql_parse.cc:1272
#15 0x000000000141a10e in do_command (thd=0x7fc22d81a000) at /git/mysql-server_dbg/sql/sql_parse.cc:852
#16 0x0000000001541c80 in handle_connection (arg=0x7fc2417c9200) at /git/mysql-server_dbg/sql/conn_handler/connection_handler_per_thread.cc:300
#17 0x000000000174e31f in pfs_spawn_thread (arg=0x7fc2ee7e8d20) at /git/mysql-server_dbg/storage/perfschema/pfs.cc:2178
#18 0x00007fc2f8683df5 in start_thread (arg=0x7fc2f8c82700) at pthread_create.c:308
#19 0x00007fc2f734d1ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

How to repeat:
# mysqld options required for replay: --sql_mode=
DROP DATABASE test;CREATE DATABASE test;USE test;
set global innodb_trx_rseg_n_slots_debug=1;
CREATE TABLE t1(a int KEY,b int)ENGINE=TokuDB;
insert INTO t1 values(0,0),(0,0),(0,0),(0,0),(0,0),(0,0),(0,0),(0,0),(0,0),(0,0),(0,0),(0,0),(0,0),(0,0),(0,0),(0,0);
DROP TABLE IF EXISTS t1,t2,t3,t2aA,t1Aa;
select CLUST_INDEX_SIZE from information_schema.INNODB_SYS_TABLESTATS;

Crashes debug only
[5 Sep 2015 7:07] MySQL Verification Team
Thanks for the report. Verified on 5.7, 5.8.

---
set global innodb_trx_rseg_n_slots_debug=1;
drop table if exists t;
create table t(a int,key(a))engine=innodb;
insert into t values(1),(1),(1);
select 1 from information_schema.innodb_sys_tablestats;
---

Even a release build could not recover from this situation.
Subsequent DROP TABLE caused a crash in dict_set_corrupted_index_cache_only.
My wish is that DROP TABLE never crashes, no matter how corrupted things are.
[22 Sep 2015 14:40] Daniel Price
Posted by developer:
Fixed as of the upcoming 5.7.10, 5.8.0 release, and here's the changelog entry:

A DROP TABLE operation resulted in a server exit. The return value of a
function call was not checked, which led to dereferencing of a null
pointer. The patch for this bug also addresses a potential race condition.

Thank you for the bug report.
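The defect class described in the changelog entry (a dictionary lookup whose null result is used directly, so that a table dropped between enumeration and lookup turns into the sig=11 in get_ref_count() above) can be illustrated with a small stand-in. The code below is an added example, not InnoDB's code and not the fix committed for this bug: dict_table_t, DictCache, open_on_id and the two fill_table_stats_* functions are hypothetical simplifications, and the "race" is modelled sequentially by taking the id list first and dropping a table before the stats pass reaches it.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <vector>

// Hypothetical, simplified stand-in for InnoDB's in-memory dictionary entry
// (not the real dict_table_t).
struct dict_table_t {
    uint64_t id;
    uint64_t clust_index_size;  // pages in the clustered index, as INNODB_SYS_TABLESTATS reports it
    uint32_t n_ref_count;       // open handles on this table
    uint32_t get_ref_count() const { return n_ref_count; }
};

struct TableStatsRow {
    uint64_t table_id;
    uint64_t clust_index_size;
    uint32_t ref_count;
};

struct FillResult {
    std::vector<TableStatsRow> rows;
    size_t skipped;  // ids whose table was gone by the time it was looked up
};

// Hypothetical dictionary cache: add/drop mirror CREATE/DROP TABLE.
class DictCache {
public:
    void add(uint64_t id, uint64_t clust_index_size, uint32_t refs) {
        tables_[id] = dict_table_t{id, clust_index_size, refs};
    }
    void drop(uint64_t id) { tables_.erase(id); }

    // Snapshot of ids, as a first pass over the system tables would produce.
    std::vector<uint64_t> ids() const {
        std::vector<uint64_t> out;
        for (const auto& kv : tables_) out.push_back(kv.first);
        return out;
    }

    // Returns nullptr when the id is no longer cached: this is the kind of
    // return value the changelog entry says went unchecked.
    dict_table_t* open_on_id(uint64_t id) {
        auto it = tables_.find(id);
        return it == tables_.end() ? nullptr : &it->second;
    }

private:
    std::map<uint64_t, dict_table_t> tables_;  // std::map nodes stay valid when other keys are erased
};

// Defect pattern: the lookup result is dereferenced unconditionally. Correct
// only while every id in `ids` is still cached; once a table has been dropped
// in between, t is nullptr and t->get_ref_count() is a null dereference.
FillResult fill_table_stats_unchecked(DictCache& cache, const std::vector<uint64_t>& ids) {
    FillResult r{{}, 0};
    for (uint64_t id : ids) {
        dict_table_t* t = cache.open_on_id(id);
        r.rows.push_back({id, t->clust_index_size, t->get_ref_count()});
    }
    return r;
}

// Hardened pattern: a null result means the table vanished between
// enumeration and lookup, so the row is skipped instead of dereferenced.
FillResult fill_table_stats_checked(DictCache& cache, const std::vector<uint64_t>& ids) {
    FillResult r{{}, 0};
    for (uint64_t id : ids) {
        dict_table_t* t = cache.open_on_id(id);
        if (t == nullptr) {
            ++r.skipped;
            continue;
        }
        r.rows.push_back({id, t->clust_index_size, t->get_ref_count()});
    }
    return r;
}

// Constructed scenario: three tables, the id list is snapshotted, then one
// table is dropped before the stats pass reaches it.
FillResult demo_checked_with_drop() {
    DictCache cache;
    cache.add(101, 4, 1);
    cache.add(102, 9, 0);
    cache.add(103, 2, 3);
    std::vector<uint64_t> ids = cache.ids();  // snapshot: 101, 102, 103
    cache.drop(102);                          // stands in for a concurrent DROP TABLE
    return fill_table_stats_checked(cache, ids);
}

// Same three tables with no drop: the unchecked version only works in this case.
FillResult demo_unchecked_no_drop() {
    DictCache cache;
    cache.add(101, 4, 1);
    cache.add(102, 9, 0);
    cache.add(103, 2, 3);
    return fill_table_stats_unchecked(cache, cache.ids());
}

int main() { return demo_checked_with_drop().rows.size() == 2 ? 0 : 1; }
```

The checked variant reports two rows and one skipped id for the drop scenario; the unchecked variant is only ever called here on a set with no drop, because calling it after a drop is exactly the null dereference the report describes. In a real engine the lookup and the enumeration would also be ordered under the dictionary lock, which is the race side of the fix that the changelog mentions without detailing.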