MDEV-17540 Server crashes in row_purge after TRUNCATE TABLE

row_purge_upd_exist_or_extern_func(): Check for node->vcol_op_failed()
after row_purge_remove_sec_if_poss(), like row_purge_del_mark() did.
This avoids us dereferencing the node->table=NULL pointer.

The test case, submitted by Elena Stepanova, is not deterministic and
does not repeat the bug on 10.2. With the added loop, for me, it reliably
crashes 10.3 without the fix. I was unable to create a deterministic
test case for either 10.2 or 10.3.

Reviewed by Thirunarayanan Balathandayuthapani
This commit is contained in:
Marko Mäkelä 2019-05-10 10:49:09 +03:00
parent b2f3755c8e
commit 8ce702aa90
3 changed files with 60 additions and 0 deletions

View file

@ -142,4 +142,21 @@ CREATE TABLE t1 (a VARCHAR(30), b INT, a2 VARCHAR(30) GENERATED ALWAYS AS (a) VI
CREATE INDEX idx ON t1(a2(10), b, a2(20));
ERROR 42S21: Duplicate column name 'a2'
DROP TABLE t1;
#
# MDEV-17540 Server crashes in row_purge after TRUNCATE TABLE
#
CREATE TABLE t1 (a BIT(14)) ENGINE=InnoDB;
INSERT INTO t1 VALUES
(b'01110110101011'),(b'01100111111000'),(b'00001011110100'),
(b'01110110111010'),(b'10001010101011'),(b'01100111001111');
CREATE TABLE t2 (
pk INT DEFAULT 1,
b YEAR,
c BIT(14),
d YEAR AS (b),
e BIT(14) AS (c),
UNIQUE(pk),
KEY(e)
) ENGINE=InnoDB;
DROP TABLE t1, t2;
SET GLOBAL innodb_purge_rseg_truncate_frequency = @saved_frequency;

View file

@ -137,5 +137,40 @@ CREATE INDEX idx ON t1(a2(10), b, a2(20));
DROP TABLE t1;
--echo #
--echo # MDEV-17540 Server crashes in row_purge after TRUNCATE TABLE
--echo #
# Note: this test case is nondeterministic and should depend on
# MDEV-12288 to trigger the needed purge activity.
# The test does not seem to repeat the bug on MariaDB 10.2.
CREATE TABLE t1 (a BIT(14)) ENGINE=InnoDB;
INSERT INTO t1 VALUES
(b'01110110101011'),(b'01100111111000'),(b'00001011110100'),
(b'01110110111010'),(b'10001010101011'),(b'01100111001111');
CREATE TABLE t2 (
pk INT DEFAULT 1,
b YEAR,
c BIT(14),
d YEAR AS (b),
e BIT(14) AS (c),
UNIQUE(pk),
KEY(e)
) ENGINE=InnoDB;
# Run a few times in order to improve the chances of triggering the bug.
--disable_query_log
let $n=10;
while ($n) {
REPLACE INTO t2 (c) SELECT a FROM t1;
TRUNCATE TABLE t2;
dec $n;
}
--enable_query_log
DROP TABLE t1, t2;
--source include/wait_until_count_sessions.inc
SET GLOBAL innodb_purge_rseg_truncate_frequency = @saved_frequency;

View file

@ -824,6 +824,14 @@ row_purge_upd_exist_or_extern_func(
node->row, NULL, node->index,
heap, ROW_BUILD_FOR_PURGE);
row_purge_remove_sec_if_poss(node, node->index, entry);
if (node->vcol_op_failed()) {
ut_ad(!node->table);
mem_heap_free(heap);
return;
}
ut_ad(node->table);
mem_heap_empty(heap);
}