innodb_buffer_pool_evict_uncompressed might attempt to process non-unzip_LRU page, crashing debug build

Bug #1659548 reported by Laurynas Biveinis on 2017-01-26
This bug affects 1 person
Affects           Status         Importance   Assigned to         Milestone
Percona Server (moved to https://jira.percona.com/projects/PS), status tracked in 5.7
  5.5             Invalid        Undecided    Unassigned
  5.6             Fix Released   Medium       Laurynas Biveinis
  5.7             Fix Released   Medium       Laurynas Biveinis

Bug Description

innodb_buffer_pool_evict_uncompressed(void)
{
...
        mutex_enter(&buf_pool->LRU_list_mutex);

        for (buf_block_t* block = UT_LIST_GET_LAST(
                 buf_pool->unzip_LRU);
             block != NULL; ) {
            buf_block_t* prev_block = UT_LIST_GET_PREV(
                unzip_LRU, block);
...
            if (!buf_LRU_free_page(&block->page, false)) {
                mutex_exit(&block->mutex);
                all_evicted = false;
            } else {
                mutex_exit(&block->mutex);
                mutex_enter(&buf_pool->LRU_list_mutex);
            }

            block = prev_block;
        }

        mutex_exit(&buf_pool->LRU_list_mutex);
    }
...
}

When buf_LRU_free_page returns true, it has released the LRU list mutex. That mutex is retaken, and the loop continues with block = prev_block. But while the LRU list mutex was released, there was nothing preventing prev_block from being removed from the unzip_LRU list as well, rendering the loop invariants invalid.

This shows up as a crash on Jenkins:

innodb.xtradb_compressed_columns_consistency_barracuda_compressed w1 [ fail ]
...
At line 119: query 'SET GLOBAL innodb_buffer_pool_evict = 'uncompressed'' failed: 2013: Lost connection to MySQL server during query
...
2017-01-03 17:15:04 a9285b70 InnoDB: Assertion failure in thread 2837994352 in file ha_innodb.cc line 16654
InnoDB: Failing assertion: buf_block_get_state(block) == BUF_BLOCK_FILE_PAGE
...
#5 0xb7272802 in *__GI_abort () at abort.c:92
#6 0x087e0e86 in innodb_buffer_pool_evict_uncompressed () at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/storage/innobase/handler/ha_innodb.cc:16653
#7 0x087e0ffb in innodb_buffer_pool_evict_update (thd=0x9eb1e20, var=0x8f29f44, var_ptr=0x921b0e0, save=0x9f6c990) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/storage/innobase/handler/ha_innodb.cc:16694
#8 0x0843987a in sys_var_pluginvar::global_update (this=0x9d09568, thd=0x9eb1e20, var=0x9f6c980) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/sql_plugin.cc:3396
#9 0x0836eae3 in sys_var::update (this=0x9d09568, thd=0x9eb1e20, var=0x9f6c980) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/set_var.cc:193
#10 0x0836fc60 in set_var::update (this=0x9f6c980, thd=0x9eb1e20) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/set_var.cc:679
#11 0x0836f7fb in sql_set_variables (thd=0x9eb1e20, var_list=0x9eb3ce0) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/set_var.cc:579
#12 0x08424240 in mysql_execute_command (thd=0x9eb1e20) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/sql_parse.cc:4191
#13 0x0842b7ed in mysql_parse (thd=0x9eb1e20, rawbuf=0x9f6c7f8 "SET GLOBAL innodb_buffer_pool_evict = 'uncompressed'", length=52, parser_state=0xa9284700) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/sql_parse.cc:7011
#14 0x0841d8c0 in dispatch_command (command=COM_QUERY, thd=0x9eb1e20, packet=0x9f647c9 "SET GLOBAL innodb_buffer_pool_evict = 'uncompressed'", packet_length=52) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/sql_parse.cc:1455
#15 0x0841c8f4 in do_command (thd=0x9eb1e20) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/sql_parse.cc:1062
#16 0x083e4a48 in do_handle_one_connection (thd_arg=0x9eb1e20) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/sql_connect.cc:1553
#17 0x083e4521 in handle_one_connection (arg=0x9eb1e20) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/sql/sql_connect.cc:1456
#18 0x0873a2e2 in pfs_spawn_thread (arg=0x9dfa158) at /home/jenkins/workspace/percona-server-5.6-trunk/BUILD_TYPE/debug/Host/debian-wheezy-x32/storage/perfschema/pfs.cc:1860
#19 0xb7751954 in start_thread (arg=0xa9285b70) at pthread_create.c:304
#20 0xb731daae in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
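
The loop hazard described in this report, as an added single-threaded model (not Percona Server code and not the fix that was released). `Block`, `List`, `free_page`, `racer`, `pinned`, `evict` and `demo` are hypothetical names; the concurrent removal is simulated deterministically inside `free_page`, and restarting from the list tail after a lock drop is an assumed remedy, shown only to contrast with the saved-pointer loop.

```cpp
// Constructed model of unzip_LRU: an intrusive doubly linked list.
struct Block {
    Block* prev = nullptr;
    Block* next = nullptr;
    bool in_list = false;  // stands in for the state the debug assertion checks
    bool pinned = false;   // free attempt fails, so the list lock stays held
};
struct List {
    Block* first = nullptr;
    Block* last = nullptr;
    void push_back(Block* b) {
        b->prev = last; b->next = nullptr; b->in_list = true;
        (last ? last->next : first) = b;
        last = b;
    }
    void remove(Block* b) {  // unlinks b but leaves b's own stale pointers
        (b->prev ? b->prev->next : first) = b->next;
        (b->next ? b->next->prev : last) = b->prev;
        b->in_list = false;
    }
};
// Models buf_LRU_free_page(): false means the lock was never released; true
// means b was freed and the list lock was dropped, during which `racer`
// (the block another thread removes) is unlinked as well.
static bool free_page(List& l, Block* b, Block*& racer) {
    if (b->pinned) return false;
    l.remove(b);
    if (racer && racer->in_list) l.remove(racer);
    racer = nullptr;
    return true;
}
// revalidate=false is the loop shape from the report. Returns true when the
// walk reaches a block that is no longer on the list (the debug-build assert).
bool evict(List& l, Block* racer, bool revalidate) {
    for (Block* b = l.last; b != nullptr; ) {
        Block* prev = b->prev;          // saved while the lock is still held
        if (!b->in_list) return true;
        bool dropped = free_page(l, b, racer);
        // prev is trustworthy only if the lock was held the whole time
        b = (revalidate && dropped) ? l.last : prev;
    }
    return false;
}
// Four blocks; the neighbour of the tail is removed during the first lock drop.
bool demo(bool revalidate) {
    Block blk[4]; List l;
    for (Block& b : blk) l.push_back(&b);
    return evict(l, &blk[2], revalidate);
}
```

`demo(false)` walks onto the unlinked neighbour, while `demo(true)` drains the list without ever touching a stale block.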

tags: added: bp-split ci regression xtradb

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-1778
