Merge lp:~laurynas-biveinis/percona-server/bug1380010 into lp:percona-server/5.6

Proposed by Laurynas Biveinis
Status: Merged
Approved by: Alexey Kopytov
Approved revision: no longer in the source branch.
Merged at revision: 697
Proposed branch: lp:~laurynas-biveinis/percona-server/bug1380010
Merge into: lp:percona-server/5.6
To merge this branch: bzr merge lp:~laurynas-biveinis/percona-server/bug1380010
Reviewers:
  Alexey Kopytov (community): Approve
Review via email: mp+242164@code.launchpad.net

Description of the change

Fix bug 1380010 (replication crash on slave server in unpack_row).

The crash happens as a result of the following:
- RBR (or MBR) replication;
- master and slave table definitions differ so that a virtual
  temporary table is required to convert the data for row events;
- there is a table_map event followed by two row events.

The table_map event will fill rli->tables_to_lock during its event
application, leaving the m_conv_table NULL. Then the first row log
event will determine that a conversion is needed, and will create the
table for that in its private memory root m_event_mem_root, and
initialize rli->tables_to_lock...->m_event_mem_root. The memory root
will be freed after the execution of the event, leaving the
rli->tables_to_lock...->m_event_mem_root pointer to dangle.

Then the second row event will see that tables are already locked,
will skip the table compatibility check, and will proceed with the
event application, which at some point will attempt to use the temp
table to convert the data, dereferencing the dangling pointer.

This bug is an upstream regression introduced in lp:mysql-server/5.6
rev 6065 that attempted m_event_mem_root with a lifetime equal to
that of the event object itself. That commit fixed too large memory
use for replication setup with many row events in a single transaction
where conversion was needed: each row event created a new temp table,
and they were getting released only at the end of transaction. This
was bug http://bugs.mysql.com/bug.php?id=72610.

The problem with rev 6065 is that a conversion table should live until
tables_to_lock itself is freed, at
Relay_log_info::clear_tables_to_lock, outliving Log_event. To achieve
this, introduce new memory root Relay_log_info::lock_tables_mem_root,
and use it for allocating the conversion temp tables. The memory root
introduced in rev 6065 is not removed, as later upstream introduced
more dependent data (rev 6096), whose lifetime seems to be correct.

Add testcases for both the current bug and bug 72610.

http://jenkins.percona.com/job/percona-server-5.6-param/758/
Valgrinded selected testcases locally.
72610 fix verified by manual inspection of conv table lifetimes.
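
The lifetime mismatch described above, modeled as an added example (not code from this branch or from MySQL/Percona Server). `MemRoot`, `Rli`, `RowEvent` and `second_row_event_ok` are hypothetical stand-ins, and `std::weak_ptr` is used so the freed conversion table is detected rather than dereferenced.

```cpp
#include <memory>
#include <vector>

struct ConvTable {};                        // stand-in for the conversion temp table

// Stand-in for MEM_ROOT: all allocations die together, on free_all() or destruction.
struct MemRoot {
    std::vector<std::shared_ptr<ConvTable>> blocks;
    std::weak_ptr<ConvTable> alloc() {
        blocks.push_back(std::make_shared<ConvTable>());
        return blocks.back();               // non-owning handle, like a raw pointer
    }
    void free_all() { blocks.clear(); }
};

struct TableEntry { std::weak_ptr<ConvTable> conv_table; };

struct Rli {                                // stand-in for Relay_log_info
    std::vector<TableEntry> tables_to_lock;
    bool locked = false;
    MemRoot lock_tables_mem_root;           // same lifetime as tables_to_lock
    void clear_tables_to_lock() {
        tables_to_lock.clear();
        locked = false;
        lock_tables_mem_root.free_all();    // conversion tables released here
    }
};

struct RowEvent {
    MemRoot event_mem_root;                 // released when the event is destroyed
    // Returns true if the conversion table was still alive when it was needed.
    bool apply(Rli &rli, bool use_rli_root) {
        TableEntry &t = rli.tables_to_lock.front();
        if (!rli.locked) {                  // compatibility check runs only once
            MemRoot &root = use_rli_root ? rli.lock_tables_mem_root : event_mem_root;
            t.conv_table = root.alloc();
            rli.locked = true;
        }
        return !t.conv_table.expired();     // the server dereferences at this point
    }
};

// table_map event followed by two row events, as in the description.
bool second_row_event_ok(bool use_rli_root) {
    Rli rli;
    rli.tables_to_lock.push_back(TableEntry{});            // table_map: no conv table yet
    { RowEvent first; first.apply(rli, use_rli_root); }    // first event destroyed here
    RowEvent second;
    bool ok = second.apply(rli, use_rli_root);
    rli.clear_tables_to_lock();
    return ok;
}
int main() { return (!second_row_event_ok(false) && second_row_event_ok(true)) ? 0 : 1; }
```

With the table allocated from the event's own root the second row event finds it already freed; allocated from the root owned alongside `tables_to_lock`, it stays valid until `clear_tables_to_lock`.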

Laurynas Biveinis (laurynas-biveinis) wrote :

ST 46906

Alexey Kopytov (akopytov) :
review: Approve