innodb_buffer_pool_evict_uncompressed might attempt to process non-unzip_LRU page, crashing debug build

Bug #1659548 reported by Laurynas Biveinis
This bug affects 1 person
Affects                                                         Status        Importance  Assigned to        Milestone
Percona Server (moved to https://jira.percona.com/projects/PS)  Status tracked in 5.7
  5.5                                                           Invalid       Undecided   Unassigned
  5.6                                                           Fix Released  Medium      Laurynas Biveinis
  5.7                                                           Fix Released  Medium      Laurynas Biveinis

Bug Description

innodb_buffer_pool_evict_uncompressed(void)
{
...
    mutex_enter(&buf_pool->LRU_list_mutex);

    for (buf_block_t* block = UT_LIST_GET_LAST(
             buf_pool->unzip_LRU);
         block != NULL; ) {
      buf_block_t* prev_block = UT_LIST_GET_PREV(
          unzip_LRU, block);
...
      if (!buf_LRU_free_page(&block->page, false)) {
        mutex_exit(&block->mutex);
        all_evicted = false;
      } else {
        mutex_exit(&block->mutex);
        mutex_enter(&buf_pool->LRU_list_mutex);
      }

      block = prev_block;
    }

    mutex_exit(&buf_pool->LRU_list_mutex);
  }
...
}

When buf_LRU_free_page returns true, it has released the LRU list mutex. That mutex is retaken, and the loop continues with block = prev_block. But while the LRU list mutex was released, there was nothing preventing prev_block from being removed from the unzip_LRU list as well, rendering the loop invariants invalid.

This shows up as a crash on Jenkins:

innodb.xtradb_compressed_columns_consistency_barracuda_compressed w1 [ fail ]
...
At line 119: query 'SET GLOBAL innodb_buffer_pool_evict = 'uncompressed'' failed: 2013: Lost connection to MySQL server during query
...
2017-01-03 17:15:04 a9285b70 InnoDB: Assertion failure in thread 2837994352 in file ha_innodb.cc line 16654
InnoDB: Failing assertion: buf_block_get_state(block) == BUF_BLOCK_FILE_PAGE
...
#5 0xb7272802 in *__GI_abort () at abort.c:92
#6 0x087e0e86 in innodb_buffer_pool_evict_uncompressed () at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/storage/innobase/handler/ha_innodb.cc:16653
#7 0x087e0ffb in innodb_buffer_pool_evict_update (thd=0x9eb1e20, var=0x8f29f44, var_ptr=0x921b0e0, save=0x9f6c990) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/storage/innobase/handler/ha_innodb.cc:16694
#8 0x0843987a in sys_var_pluginvar::global_update (this=0x9d09568, thd=0x9eb1e20, var=0x9f6c980) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/sql_plugin.cc:3396
#9 0x0836eae3 in sys_var::update (this=0x9d09568, thd=0x9eb1e20, var=0x9f6c980) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/set_var.cc:193
#10 0x0836fc60 in set_var::update (this=0x9f6c980, thd=0x9eb1e20) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/set_var.cc:679
#11 0x0836f7fb in sql_set_variables (thd=0x9eb1e20, var_list=0x9eb3ce0) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/set_var.cc:579
#12 0x08424240 in mysql_execute_command (thd=0x9eb1e20) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/sql_parse.cc:4191
#13 0x0842b7ed in mysql_parse (thd=0x9eb1e20, rawbuf=0x9f6c7f8 "SET GLOBAL innodb_buffer_pool_evict = 'uncompressed'", length=52, parser_state=0xa9284700) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/sql_parse.cc:7011
#14 0x0841d8c0 in dispatch_command (command=COM_QUERY, thd=0x9eb1e20, packet=0x9f647c9 "SET GLOBAL innodb_buffer_pool_evict = 'uncompressed'", packet_length=52) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/sql_parse.cc:1455
#15 0x0841c8f4 in do_command (thd=0x9eb1e20) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/sql_parse.cc:1062
#16 0x083e4a48 in do_handle_one_connection (thd_arg=0x9eb1e20) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/sql_connect.cc:1553
#17 0x083e4521 in handle_one_connection (arg=0x9eb1e20) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/sql_connect.cc:1456
#18 0x0873a2e2 in pfs_spawn_thread (arg=0x9dfa158) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/storage/perfschema/pfs.cc:1860
#19 0xb7751954 in start_thread (arg=0xa9285b70) at pthread_create.c:304
#20 0xb731daae in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

tags: added: bp-split ci regression xtradb
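
The stale-iterator pattern described in the report, reduced to a single-threaded, deterministic model. This is an added example, not Percona Server code and not the fix that was shipped. All names (node_t, list_t, free_node, evict_all, demo) are hypothetical; the "concurrent thread" is simulated inside free_node at the point where the real buf_LRU_free_page would have dropped the LRU list mutex, and restarting from the tail is shown as one common remedy.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy stand-ins for buf_block_t / unzip_LRU; every name is hypothetical. */
typedef struct node { struct node *prev, *next; bool on_list, pinned; } node_t;
typedef struct { node_t *first, *last, *victim; } list_t;

static void list_remove(list_t *l, node_t *n) {
    if (n->prev) n->prev->next = n->next; else l->first = n->next;
    if (n->next) n->next->prev = n->prev; else l->last = n->prev;
    n->prev = n->next = NULL;
    n->on_list = false;
}

/* Same contract as buf_LRU_free_page() in the report: on success the list
   lock has been dropped. In that window another thread removes l->victim. */
static bool free_node(list_t *l, node_t *n) {
    if (n->pinned) return false;              /* not evictable, lock kept */
    list_remove(l, n);
    if (l->victim && l->victim->on_list)      /* simulated concurrent removal */
        list_remove(l, l->victim);
    return true;
}

/* Walks tail to head. Returns how many visited nodes were no longer on the
   list, i.e. how often a state assertion like the one in the log would fire. */
static int evict_all(list_t *l, bool restart_after_unlock) {
    int stale = 0;
    for (node_t *n = l->last; n != NULL; ) {
        node_t *prev = n->prev;               /* only valid while lock is held */
        if (!n->on_list) stale++;             /* loop invariant already broken */
        else if (free_node(l, n) && restart_after_unlock)
            prev = l->last;                   /* lock was dropped: rescan tail */
        n = prev;
    }
    return stale;
}

/* Constructed input: list A-B-C-D, A pinned, C is removed "concurrently". */
static int demo(bool restart_after_unlock, int *left) {
    node_t n[4] = {{0}};
    for (int i = 0; i < 4; i++) {
        n[i].on_list = true;
        n[i].prev = i > 0 ? &n[i - 1] : NULL;
        n[i].next = i < 3 ? &n[i + 1] : NULL;
    }
    n[0].pinned = true;
    list_t l = { &n[0], &n[3], &n[2] };
    int stale = evict_all(&l, restart_after_unlock);
    for (*left = 0; l.first; l.first = l.first->next) (*left)++;
    return stale;
}
```

With the cached predecessor, the walk lands on the node that left the list and stops early with an evictable node still present; with the restart, only the pinned node remains. The restart terminates because it happens only after a successful removal, so the list shrinks each time.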
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-1778
