
Query cache destroys uninitialized rwlock

The following tests crash the server when it is compiled with -DUSE_MUTEX_INSTEAD_OF_RW_LOCKS:
main.cache_innodb
main.mysql_client_test
main.mysql_client_test_nonblock
main.partition_cache
main.query_cache
main.query_cache_debug
main.query_cache_notembedded
main.query_cache_ps_no_prot
perfschema.query_cache
rpl.rpl_row_basic_11bugs
sys_vars.query_cache_limit_func
sys_vars.query_cache_type_func

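A simpler way to reproduce the crash is to compile with the following patch, which overwrites the lock with 0xA5 bytes right after it is destroyed, so that any later use of it faults: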

=== modified file 'sql/sql_cache.cc'
--- sql/sql_cache.cc	2013-11-19 12:16:25 +0000
+++ sql/sql_cache.cc	2014-02-04 13:30:20 +0000
@@ -976,6 +976,7 @@ void Query_cache_query::unlock_n_destroy
   */
   this->unlock_writing();
   mysql_rwlock_destroy(&lock);
+  memset(&lock, 0xA5, sizeof(lock));
   DBUG_VOID_RETURN;
 }
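Review bot: The poison write `memset(&lock, 0xA5, sizeof(lock));` added after `mysql_rwlock_destroy(&lock)` is unconditional and uncommented, so if it is kept beyond reproducing this report it should be limited to debug builds (`#ifndef DBUG_OFF` … `#endif` around it) and carry a comment such as `/* Poison the destroyed lock so a second destroy or any later use crashes at once. */`. The stack trace on this page shows `Query_cache::free_cache` calling `mysql_rwlock_destroy` on a lock whose instrumentation pointer is `0xa5a5a5a5a5a5a5a5`, which suggests the lock is destroyed a second time, or reused without being re-initialised, after `unlock_n_destroy` has run. That later destroy is the defect to fix; without the poison it operates on stale lock state and may pass unnoticed. The body of `Query_cache_query::unlock_n_destroy` starts outside the hunk.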

Test case:

# Reproduction script for the query cache rwlock crash. Statement order matters:
# the reported stack trace is taken while the size-restoring SET near the end runs.

# Save the current global settings so they can be restored afterwards.
SET @global_query_cache_size = @@global.query_cache_size;
SET @global_query_cache_type = @@global.query_cache_type;
# Switch the query cache on and give it a non-zero size.
SET GLOBAL query_cache_type = ON;
SET GLOBAL query_cache_size = 131072;

CREATE TABLE t1(a INT);
# Presumably this SELECT is what places an entry in the query cache - confirm.
SELECT * FROM t1;

# Restoring the saved size is the statement shown in the stack trace:
# Query_cache::resize() is called with query_cache_size_arg=0 and the crash
# happens below Query_cache::free_cache().
SET GLOBAL query_cache_size = @global_query_cache_size;
SET GLOBAL query_cache_type = @global_query_cache_type;
DROP TABLE t1;

Stack trace:

Thread 1 (Thread 0x7f3e5307a700 (LWP 9804)):
#0  0x00007f3e52657f0c in __pthread_kill (threadid=<optimized out>, signo=11) at ../nptl/sysdeps/unix/sysv/linux/pthread_kill.c:62
#1  0x0000000000cbc3ac in my_write_core (sig=11) at /home/svoj/devel/maria/5.5-mdev5089-test/mysys/stacktrace.c:457
#2  0x00000000007c28ba in handle_fatal_signal (sig=11) at /home/svoj/devel/maria/5.5-mdev5089-test/sql/signal_handler.cc:262
#3  <signal handler called>
#4  0x0000000000b8c885 in pfs_lock::allocated_to_free (this=0xa5a5a5a5a5a5a5a5) at /home/svoj/devel/maria/5.5-mdev5089-test/storage/perfschema/pfs_lock.h:145
#5  0x0000000000b8b124 in destroy_rwlock (pfs=0xa5a5a5a5a5a5a5a5) at /home/svoj/devel/maria/5.5-mdev5089-test/storage/perfschema/pfs_instr.cc:668
#6  0x0000000000b98a3d in destroy_rwlock_v1 (rwlock=0xa5a5a5a5a5a5a5a5) at /home/svoj/devel/maria/5.5-mdev5089-test/storage/perfschema/pfs.cc:895
#7  0x00000000005b5f79 in inline_mysql_rwlock_destroy (that=0x7f3e4c93f1b0) at /home/svoj/devel/maria/5.5-mdev5089-test/include/mysql/psi/mysql_thread.h:720
#8  0x00000000005bc6b3 in Query_cache::free_cache (this=0x1504960 <query_cache>) at /home/svoj/devel/maria/5.5-mdev5089-test/sql/sql_cache.cc:2698
#9  0x00000000005b873d in Query_cache::resize (this=0x1504960 <query_cache>, query_cache_size_arg=0) at /home/svoj/devel/maria/5.5-mdev5089-test/sql/sql_cache.cc:1331
#10 0x0000000000720032 in fix_query_cache_size (self=0x1513ac0 <Sys_query_cache_size>, thd=0x7f3e4d67e060, type=OPT_GLOBAL) at /home/svoj/devel/maria/5.5-mdev5089-test/sql/sys_vars.cc:1864
#11 0x000000000056af06 in sys_var::update (this=0x1513ac0 <Sys_query_cache_size>, thd=0x7f3e4d67e060, var=0x7f3e4c81a270) at /home/svoj/devel/maria/5.5-mdev5089-test/sql/set_var.cc:200
#12 0x000000000056c022 in set_var::update (this=0x7f3e4c81a270, thd=0x7f3e4d67e060) at /home/svoj/devel/maria/5.5-mdev5089-test/sql/set_var.cc:667
#13 0x000000000056bbe9 in sql_set_variables (thd=0x7f3e4d67e060, var_list=0x7f3e4d682040) at /home/svoj/devel/maria/5.5-mdev5089-test/sql/set_var.cc:570
#14 0x0000000000605771 in mysql_execute_command (thd=0x7f3e4d67e060) at /home/svoj/devel/maria/5.5-mdev5089-test/sql/sql_parse.cc:3253
#15 0x000000000060c6bf in mysql_parse (thd=0x7f3e4d67e060, rawbuf=0x7f3e4c81a078 "SET GLOBAL query_cache_size = @global_query_cache_size", length=54, parser_state=0x7f3e530795d0) at /home/svoj/devel/maria/5.5-mdev5089-test/sql/sql_parse.cc:5799
#16 0x00000000005fff3c in dispatch_command (command=COM_QUERY, thd=0x7f3e4d67e060, packet=0x7f3e4d7d8061 "SET GLOBAL query_cache_size = @global_query_cache_size", packet_length=54) at /home/svoj/devel/maria/5.5-mdev5089-test/sql/sql_parse.cc:1078
#17 0x00000000005ff0a3 in do_command (thd=0x7f3e4d67e060) at /home/svoj/devel/maria/5.5-mdev5089-test/sql/sql_parse.cc:793
#18 0x000000000070af5d in do_handle_one_connection (thd_arg=0x7f3e4d67e060) at /home/svoj/devel/maria/5.5-mdev5089-test/sql/sql_connect.cc:1266
#19 0x000000000070aa2f in handle_one_connection (arg=0x7f3e4d67e060) at /home/svoj/devel/maria/5.5-mdev5089-test/sql/sql_connect.cc:1181
#20 0x0000000000b98ddc in pfs_spawn_thread (arg=0x7f3e4d685760) at /home/svoj/devel/maria/5.5-mdev5089-test/storage/perfschema/pfs.cc:1015
#21 0x00007f3e52652f6e in start_thread (arg=0x7f3e5307a700) at pthread_create.c:311
#22 0x00007f3e51d759cd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Status

Assignee

Oleksandr Byelkin

Reporter

Sergey Vojtovich