Bug#37486661 ndb_metadata thread can deadlock with truncate table

Summary: Prevent errors through lock corruption during TRUNCATE by not closing and reopening the NDB shared table handler while the table is recreated. Problem: When running continuous TRUNCATE SQL commands, while concurrently performing a NDB Backup, the MySQL Server could hang or ultimately crash. The hang and crash occurred around the same code point, at thr_lock(..), respectively with `wait_for_lock` and `has_old_lock`. Analysis: The order of operations of the TRUNCATE command, at the NDB plugin layer, can be narrowed to three main operations: 1. CLOSE table (ha_ndbcluster::close) 2. CREATE TABLE (TRUNCATE <=> DROP AND CREATE with ha_ndbcluster::create) 3. OPEN table (ha_ndbcluster::open) By observing the patterns, it is seen that if the Table undergoing TRUNCATE is still under BACKUP then the DROP fails and thus step (2) returns early. This causes the NDB_SHARE, a similar table handle as TABLE_SHARE, to continue to exist. On a success case, DROP would cause NDB_SHARE to be marked as dropped (ref count = 0) and CREATE would create a new NDB_SHARE. On a failed DROP case, the original NDB_SHARE is not marked as dropped. At this point, the OPEN step (3) is run and one of the operations is to initialize the thr_lock data for the handler, linking it with the NDB_SHARE thr_lock, and setting it into TL_UNLOCK. But, the NDB_SHARE and the handler's thr_lock data was LOCK'ed (specifically TL_WRITE_ALLOW_WRITE) therefore the aforementioned operation (set to TL_UNLOCK) effectively tramples the current lock data. The result is a badly cleaned and "unlocked" lock. The subsequent operations on that Table that require SQL locks might find the two problematic scenarios: 1. Found old lock with an owner and will wait thus, but that owner has already exited and trampled the lock 2. Will find old lock with some bad data and will SIGSEGV when reading the owner. Solution: Going back the call trace for the TRUNCATE command, the following list is an approximate order of operations: - OPEN table (SQL code) - LOCK table (1) (SQL code) - CLOSE table (NDB code) - TRUNCATE table, i.e., DROP/CREATE (2) (NDB code) - OPEN table (3) (NDB code) - UNLOCK table (4) (SQL code) - CLOSE TABLE (SQL code) The Table is already opened before TRUNCATE of SE is called. Therefore, if CLOSE and OPEN around TRUNCATE (ha_ndbcluster::create) can be ignored, then the LOCK structure remains untouched. The Table is already CLOSED when UNLOCKED, so it is expected that the resources the HANDLER has established when OPEN (buffers, etc) are to be freed. More specifically: On success: - DROP will mark the existing (locked) NDB_SHARE as Dropped (not yet physically released as the session has a reference to it) - OPEN will create a new NDB_SHARE (2 shares will exist) - UNLOCK will remove locks from old NDB_SHARE - CLOSE will reduce ref count on old NDB_SHARE decrementing to zero + freeing it (1 share exists) On failure: - DROP will do nothing - UNLOCK will remove locks from old NDB_SHARE - CLOSE will reduce ref count on old NDB_SHARE, but it will be retained (1 share exists) Change-Id: Ib2cbb3cf49ceac6ad2717e000b5b89beb026e4e4

Author: dtcpatricio

mysql-test/suite/ndb/r/ndb_truncate_fail.result

@@ -0,0 +1,71 @@
+# [connection default]
+CALL create_tables(20);
+CALL insert_row(20);
+SELECT COUNT(*) FROM t1;
+COUNT(*)
+1
+SELECT COUNT(*) FROM t20;
+COUNT(*)
+1
+SET GLOBAL ndb_metadata_sync = 'ON';
+# Start truncating
+CALL truncate_list(1,10);
+# Now fail all drops (1st phase of truncate)
+SET @saved_debug = @@GLOBAL.debug;
+SET @@GLOBAL.debug = '+d,ndb_fail_drop';
+CALL truncate_list(11, 20);
+ERROR HY000: Got error 761 'Unable to drop table as backup is in progress' from NDBCLUSTER
+CALL truncate_list(11, 20);
+ERROR HY000: Got error 761 'Unable to drop table as backup is in progress' from NDBCLUSTER
+# t1->t10 must have been truncated
+SELECT COUNT(*) FROM t1;
+COUNT(*)
+0
+SELECT COUNT(*) FROM t10;
+COUNT(*)
+0
+# t11->t20 must have failed
+SELECT COUNT(*) FROM t11;
+COUNT(*)
+1
+SELECT COUNT(*) FROM t20;
+COUNT(*)
+1
+# [connection server1]
+SET DEBUG_SYNC='truncate_stop_after_execute SIGNAL signal1 WAIT_FOR go_signal1';
+CALL truncate_list(1,20);
+# [connection server2]
+CALL truncate_list(1,20);
+# [connection default]
+SET DEBUG_SYNC='now SIGNAL go_signal1';
+# [connection server1]
+ERROR HY000: Got error 761 'Unable to drop table as backup is in progress' from NDBCLUSTER
+# [connection server2]
+# [connection server1]
+SET DEBUG_SYNC='truncate_stop_after_execute SIGNAL signal1 WAIT_FOR go_signal1';
+CALL truncate_list(1,20);
+# [connection server2]
+CALL truncate_list(1,20);
+# [connection default]
+SET DEBUG_SYNC='now SIGNAL go_signal1';
+# [connection server1]
+ERROR HY000: Got error 761 'Unable to drop table as backup is in progress' from NDBCLUSTER
+# [connection server2]
+# [connection default]
+# Re-insert data to assess that share locks were properly cleaned
+CALL insert_row(20);
+# All tables should have data (t1->t20 1 row, by server2)
+SELECT COUNT(*) FROM t1;
+COUNT(*)
+1
+SELECT COUNT(*) FROM t20;
+COUNT(*)
+1
+# Cleanup
+DROP PROCEDURE truncate_list;
+SET GLOBAL debug = @saved_debug;
+CALL drop_tables(20);
+DROP PROCEDURE create_tables;
+DROP PROCEDURE drop_tables;
+DROP PROCEDURE insert_row;
+DROP PROCEDURE truncate_list;

mysql-test/suite/ndb/t/ndb_truncate_fail.test

@@ -0,0 +1,151 @@
+--source include/have_ndb.inc
+--source include/have_debug.inc
+
+connect(server1,127.0.0.1,root,,test,$MASTER_MYPORT,);
+connect(server2,127.0.0.1,root,,test,$MASTER_MYPORT1,);
+--echo # [connection default]
+--connection default
+
+--disable_query_log
+DELIMITER //;
+CREATE PROCEDURE create_tables (IN ntables INT)
+BEGIN
+ SET @idx = 1;
+ WHILE @idx <= ntables DO
+ SET @pstmt = CONCAT('CREATE TABLE t', @idx, ' (a INT PRIMARY KEY AUTO_INCREMENT, c CHAR(3)) ENGINE = NDB');
+ PREPARE stmt FROM @pstmt;
+ EXECUTE stmt;
+ DEALLOCATE PREPARE stmt;
+ SET @idx = @idx + 1;
+ END WHILE;
+END //
+
+CREATE PROCEDURE drop_tables (IN ntables INT)
+BEGIN
+ SET @idx = 1;
+ WHILE @idx <= ntables DO
+ SET @pstmt = CONCAT('DROP TABLE t', @idx);
+ PREPARE stmt FROM @pstmt;
+ EXECUTE stmt;
+ DEALLOCATE PREPARE stmt;
+ SET @idx = @idx + 1;
+ END WHILE;
+END //
+
+CREATE PROCEDURE insert_row (IN ntables INT)
+BEGIN
+ SET @idx = 1;
+ WHILE @idx <= ntables DO
+ SET @pstmt = CONCAT('INSERT INTO t', @idx, ' (c) VALUES (\'val\')');
+ PREPARE stmt FROM @pstmt;
+ EXECUTE stmt;
+ DEALLOCATE PREPARE stmt;
+ SET @idx = @idx + 1;
+ END WHILE;
+END //
+
+CREATE PROCEDURE truncate_list(IN first_tab_idx INT, IN last_tab_idx INT)
+BEGIN
+ SET @idx = first_tab_idx;
+ WHILE @idx <= last_tab_idx DO
+ SET @pstmt = CONCAT('TRUNCATE TABLE t', @idx);
+ PREPARE stmt FROM @pstmt;
+ EXECUTE stmt;
+ DEALLOCATE PREPARE stmt;
+ SET @idx = @idx + 1;
+ END WHILE;
+END //
+
+--connection server2
+CREATE PROCEDURE truncate_list(IN first_tab_idx INT, IN last_tab_idx INT)
+BEGIN
+ SET @idx = first_tab_idx;
+ WHILE @idx <= last_tab_idx DO
+ SET @pstmt = CONCAT('TRUNCATE TABLE t', @idx);
+ PREPARE stmt FROM @pstmt;
+ EXECUTE stmt;
+ DEALLOCATE PREPARE stmt;
+ SET @idx = @idx + 1;
+ END WHILE;
+END //
+
+--connection default
+DELIMITER ;//
+--enable_query_log
+
+CALL create_tables(20);
+CALL insert_row(20);
+
+# Data at t1
+SELECT COUNT(*) FROM t1;
+# Data at t20
+SELECT COUNT(*) FROM t20;
+SET GLOBAL ndb_metadata_sync = 'ON';
+
+--echo # Start truncating
+CALL truncate_list(1,10);
+
+--echo # Now fail all drops (1st phase of truncate)
+SET @saved_debug = @@GLOBAL.debug;
+SET @@GLOBAL.debug = '+d,ndb_fail_drop';
+--error 1296
+CALL truncate_list(11, 20);
+# repeat once again to stress out share locks
+--error 1296
+CALL truncate_list(11, 20);
+
+--echo # t1->t10 must have been truncated
+SELECT COUNT(*) FROM t1;
+SELECT COUNT(*) FROM t10;
+--echo # t11->t20 must have failed
+SELECT COUNT(*) FROM t11;
+SELECT COUNT(*) FROM t20;
+
+# Do the same with two connections. Server1 fails all but server2 queues and is successful
+--let $iter=2
+while($iter)
+{
+ --echo # [connection server1]
+ --connection server1
+ SET DEBUG_SYNC='truncate_stop_after_execute SIGNAL signal1 WAIT_FOR go_signal1';
+ --send CALL truncate_list(1,20)
+
+ --echo # [connection server2]
+ --connection server2
+ --send CALL truncate_list(1,20)
+
+ --echo # [connection default]
+ --connection default
+ SET DEBUG_SYNC='now SIGNAL go_signal1';
+
+ --echo # [connection server1]
+ --connection server1
+ --error 1296
+ --reap
+ --echo # [connection server2]
+ --connection server2
+ --reap
+
+ --dec $iter
+}
+
+--echo # [connection default]
+--connection default
+--echo # Re-insert data to assess that share locks were properly cleaned
+CALL insert_row(20);
+--echo # All tables should have data (t1->t20 1 row, by server2)
+SELECT COUNT(*) FROM t1;
+SELECT COUNT(*) FROM t20;
+
+--echo # Cleanup
+--connection server2
+DROP PROCEDURE truncate_list;
+--connection default
+SET GLOBAL debug = @saved_debug;
+CALL drop_tables(20);
+DROP PROCEDURE create_tables;
+DROP PROCEDURE drop_tables;
+DROP PROCEDURE insert_row;
+DROP PROCEDURE truncate_list;
+--disconnect server1
+--disconnect server2

storage/ndb/plugin/ha_ndbcluster.cc

@@ -9388,7 +9388,12 @@ int ha_ndbcluster::create(const char *path [[maybe_unused]],
  const char *dbname = table_share->db.str;
  const char *tabname = table_share->table_name.str;
 
- ndb_log_info("Creating table '%s.%s'", dbname, tabname);
+ {
+ const int sql_cmd = thd_sql_command(thd);
+ ndb_log_info("%s table '%s.%s'",
+ sql_cmd == SQLCOM_TRUNCATE ? "Truncating" : "Creating", dbname,
+ tabname);
+ }
 
  Ndb_schema_dist_client schema_dist_client(thd);
 
@@ -10386,21 +10391,40 @@ int ha_ndbcluster::truncate(dd::Table *table_def) {
  /* Fill in create_info from the open table */
  HA_CREATE_INFO create_info;
  update_create_info_from_table(&create_info, table);
-
- // Close the table, will always return 0
- (void)close();
+#ifndef NDEBUG
+ const NDB_SHARE *old_share_ptr_for_sanity_check = m_share;
+#endif
 
  // Call ha_ndbcluster::create which will detect that this is a
  // truncate and thus drop the table before creating it again.
  const int truncate_error =
  create(table->s->normalized_path.str, table, &create_info, table_def);
 
- // Open the table again even if the truncate failed, the caller
- // expect the table to be open. Report any error during open.
- const int open_error = open(table->s->normalized_path.str, 0, 0, table_def);
+ DBUG_PRINT("debug", ("truncate res: %d", truncate_error));
+#ifndef NDEBUG
+ /**
+ * This sync point is used by tests that want to assess the
+ * concurrency of the truncate, specially the correct state of the
+ * THR_LOCK_DATA (m_lock) to avoid deadlocks.
+ */
+ if (current_thd) DEBUG_SYNC(current_thd, "truncate_stop_after_execute");
+ /**
+ * create() creates a new ndb_share, but it is NOT set as this
+ * handler's m_share, because the currently opened ndb_share is the
+ * old one. This old share will thus be released through the closing
+ * of this handler's usage of the table. Following is a sanity check
+ * that this handler's share pointer does not change despite there
+ * being a new share.
+ */
+ if (unlikely(old_share_ptr_for_sanity_check != m_share)) {
+ ndb_log_error(
+ "Fatal! Truncate table re-create modified "
+ "the handler's currently opened share pointer.");
+ abort();
+ }
+#endif
 
- if (truncate_error) return truncate_error;
- return open_error;
+ return truncate_error;
 }
 
 int ha_ndbcluster::prepare_inplace__add_index(THD *thd, KEY *key_info,
@@ -11120,6 +11144,11 @@ static bool drop_table_and_related(THD *thd, Ndb *ndb,
  return false;
  }
 
+ DBUG_EXECUTE_IF("ndb_fail_drop", {
+ // Simulate failure. A bogus error code will be set on the caller.
+ return false;
+ });
+
  // Drop the table
  if (dict->dropTableGlobal(*table, drop_flags) != 0) {
  const NdbError &ndb_err = dict->getNdbError();
@@ -11232,6 +11261,11 @@ int drop_table_impl(THD *thd, Ndb *ndb,
 
  Thd_ndb *thd_ndb = get_thd_ndb(thd);
  const int dict_error_code = dict->getNdbError().code;
+ DBUG_EXECUTE_IF("ndb_fail_drop", {
+ int *ec = const_cast<int *>(&dict_error_code);
+ // backup in progress (e.g.)
+ *ec = 761;
+ });
  // Check if an error has occurred. Note that if the table didn't exist in NDB
  // (denoted by error codes 709 or 723), it's considered a success
  if (dict_error_code && dict_error_code != 709 && dict_error_code != 723) {
@@ -11548,6 +11582,7 @@ int ha_ndbcluster::open(const char *path [[maybe_unused]],
  return HA_ERR_NO_CONNECTION;
  }
 
+ DBUG_EXECUTE("debug", NDB_SHARE::dbg_print_locks(m_share););
  // Init table lock structure
  thr_lock_data_init(&m_share->lock, &m_lock, (void *)nullptr);
 
@@ -11864,6 +11899,23 @@ inline void ha_ndbcluster::release_key_fields() {
  }
 }
 
+static void check_thr_lock_data_unused(const THR_LOCK_DATA *thr_lock_data) {
+ /**
+ * Check that the handler is not involved in any SQL (thr_lock) locking before
+ * ending its lifecycle.
+ */
+ if (unlikely(thr_lock_data->type > TL_UNLOCK)) {
+ ndb_log_error(
+ "Fatal! Closing handler involved in thr_lock: "
+ "thread_id %u "
+ "type %u "
+ "thr_lock %p",
+ thr_lock_data->owner ? thr_lock_data->owner->thread_id : 0,
+ thr_lock_data->type, thr_lock_data->lock);
+ abort();
+ }
+}
+
 /**
  Close an open ha_ndbcluster instance.
 
@@ -11887,6 +11939,8 @@ inline void ha_ndbcluster::release_key_fields() {
 int ha_ndbcluster::close(void) {
  DBUG_TRACE;
 
+ check_thr_lock_data_unused(&m_lock);
+
  release_key_fields();
  release_ndb_share();