MDEV-39261 MariaDB crash on startup in presence of indexed virtual columns

Thirunarayanan · Thirunarayanan · commit 60d16688d178 · 2026-04-09T14:49:54.000+05:30
Problem:
========
A single InnoDB purge worker thread can process undo logs from different
tables within the same batch. But get_purge_table(), open_purge_table()
incorrectly assumes that a 1:1 relationship between a purge worker thread
and a table within a single batch. Based on this wrong assumtion,
InnoDB attempts to reuse TABLE objects cached in thd-&gt;open_tables for
virtual column computation.

1) Purge worker opens Table A and caches the TABLE pointer in thd-&gt;open_tables.
2) Same purge worker moves to Table B in the same batch, get_purge_table()
retrieves the cached pointer for Table A instead of opening Table B.
3) Because innobase::open() is ignored for Table B, the virtual column
template is never initialized.
4) virtual column computation for Table B aborts the server

Solution:
========
The purge coordinator thread now opens both InnoDB dict_table_t* and
MariaDB TABLE* handles during batch preparation in
trx_purge_attach_undo_recs(). These handles are stored in a new
purge_table_ctx_t structure within each purge_node_t-&gt;tables map,
keyed by table_id. When worker thread needs TABLE* for virtual column
computation, it fetches the TABLE* from purge_node_t-&gt;tables.

purge_table_ctx_t(): Structure to hold dict_table_t*, MDL_ticket* and
TABLE* for each table during batch processing. TABLE* is being opened
only when virtual index exists for the table.

innobase_open_purge_table(), innobase_close_thread_table(): wrapper to
make open_purge_table(), close_thread_tables() accessible from InnoDB
purge subsystem

trx_purge_table_open(): Modified to open TABLE* using the
coordinator's MDL ticket

open_purge_table(): Accept and use the MDL ticket from coordinator thread

purge_sys_t::coordinator_thd: To track the coordinator thread in purge
subsystem

purge_node_t::end(): Skip innobase_reset_background_thd() for the coordinator
thread to prevent the premature table closure

trx_purge(): Closes the coordinator's TABLE* objects after all workers
are completed
diff --git a/mysql-test/suite/vcol/r/races.result b/mysql-test/suite/vcol/r/races.result
@@ -14,3 +14,17 @@ disconnect con1;
 connection default;
 drop table t1;
 set debug_sync='reset';
+#
+# MDEV-39261 MariaDB crash on startup in presence of
+#        indexed virtual columns
+#
+# Create 33 tables with virtual index
+InnoDB		0 transactions not purged
+connect purge_control,localhost,root;
+START TRANSACTION WITH CONSISTENT SNAPSHOT;
+connection default;
+# Do update on all 33 tables
+# restart: --innodb_purge_threads=1 --debug_dbug=d,ib_purge_virtual_index_callback
+InnoDB		0 transactions not purged
+# Drop all 33 tables
+# restart
diff --git a/mysql-test/suite/vcol/t/races.test b/mysql-test/suite/vcol/t/races.test
@@ -20,3 +20,59 @@ disconnect con1;
 connection default;
 drop table t1;
 set debug_sync='reset';
+
+--echo #
+--echo # MDEV-39261 MariaDB crash on startup in presence of
+--echo #        indexed virtual columns
+--echo #
+# To make purge thread to work on multiple tables on the same batch,
+# we need 33 tables because there are 32 pre-existing purge_node exists.
+
+--echo # Create 33 tables with virtual index
+--disable_query_log
+let $i = 33;
+while ($i)
+{
+  eval CREATE TABLE t$i(
+    a INT PRIMARY KEY,
+    b INT DEFAULT 1, INDEX(b),
+    c INT GENERATED ALWAYS AS (a + b) VIRTUAL,
+    INDEX(c)
+  ) ENGINE=InnoDB;
+  eval INSERT INTO t$i(a) VALUES(1);
+  dec $i;
+}
+--enable_query_log
+--source ../../innodb/include/wait_all_purged.inc
+--connect purge_control,localhost,root
+START TRANSACTION WITH CONSISTENT SNAPSHOT;
+
+--connection default
+--echo # Do update on all 33 tables
+--disable_query_log
+let $i = 33;
+while ($i)
+{
+  eval UPDATE t$i SET b = 11 WHERE a = 1;
+  dec $i;
+}
+--enable_query_log
+
+let $shutdown_timeout=0;
+let $restart_parameters=--innodb_purge_threads=1 --debug_dbug=d,ib_purge_virtual_index_callback;
+--source include/restart_mysqld.inc
+--source ../../innodb/include/wait_all_purged.inc
+
+--echo # Drop all 33 tables
+--disable_query_log
+let $i = 33;
+while ($i)
+{
+  eval DROP TABLE t$i;
+  dec $i;
+}
+--enable_query_log
+
+let $restart_parameters=;
+let $shutdown_timeout=;
+--source include/restart_mysqld.inc
diff --git a/sql/sql_base.cc b/sql/sql_base.cc
@@ -820,7 +820,7 @@ static inline bool check_field_pointers(const TABLE *table)
     leave prelocked mode if needed.
 */
 
-int close_thread_tables(THD *thd)
+int close_thread_tables(THD *thd) noexcept
 {
   TABLE *table;
   int error= 0;
diff --git a/sql/sql_base.h b/sql/sql_base.h
@@ -163,7 +163,7 @@ TABLE_LIST *find_table_in_list(TABLE_LIST *table,
                                TABLE_LIST *TABLE_LIST::*link,
                                const LEX_CSTRING *db_name,
                                const LEX_CSTRING *table_name);
-int close_thread_tables(THD *thd);
+int close_thread_tables(THD *thd) noexcept;
 void switch_to_nullable_trigger_fields(List<Item> &items, TABLE *);
 void switch_defaults_to_nullable_trigger_fields(TABLE *table);
 bool fill_record_n_invoke_before_triggers(THD *thd, TABLE *table,
diff --git a/sql/sql_class.cc b/sql/sql_class.cc
@@ -5024,10 +5024,10 @@ extern "C" const char *thd_priv_user(MYSQL_THD thd, size_t *length)
   have only one table open at any given time.
 */
 TABLE *open_purge_table(THD *thd, const char *db, size_t dblen,
-                        const char *tb, size_t tblen)
+                        const char *tb, size_t tblen,
+                        MDL_ticket *mdl_ticket) noexcept
 {
   DBUG_ENTER("open_purge_table");
-  DBUG_ASSERT(thd->open_tables == NULL);
   DBUG_ASSERT(thd->locked_tables_mode < LTM_PRELOCKED);
 
   /* Purge already hold the MDL for the table */
@@ -5038,6 +5038,7 @@ TABLE *open_purge_table(THD *thd, const char *db, size_t dblen,
 
   tl->init_one_table(&db_name, &table_name, 0, TL_READ);
   tl->i_s_requested_object= OPEN_TABLE_ONLY;
+  tl->mdl_request.ticket= mdl_ticket;
 
   bool error= open_table(thd, tl, &ot_ctx);
 
@@ -5050,13 +5051,6 @@ TABLE *open_purge_table(THD *thd, const char *db, size_t dblen,
   DBUG_RETURN(error ? NULL : tl->table);
 }
 
-TABLE *get_purge_table(THD *thd)
-{
-  /* see above, at most one table can be opened */
-  DBUG_ASSERT(thd->open_tables == NULL || thd->open_tables->next == NULL);
-  return thd->open_tables;
-}
-
 /** Find an open table in the list of prelocked tabled
 
   Used for foreign key actions, for example, in UPDATE t1 SET a=1;
diff --git a/storage/innobase/dict/dict0dict.cc b/storage/innobase/dict/dict0dict.cc
@@ -626,13 +626,13 @@ bool dict_table_t::parse_name(char (&db_name)[NAME_LEN + 1],
     dict_sys.unfreeze();
 
   *db_name_len= filename_to_tablename(db_buf, db_name,
-                                      MAX_DATABASE_NAME_LEN + 1, true);
+                                      NAME_LEN + 1, true);
 
   if (is_temp)
     return false;
 
   *tbl_name_len= filename_to_tablename(tbl_buf, tbl_name,
-                                       MAX_TABLE_NAME_LEN + 1, true);
+                                       NAME_LEN + 1, true);
   return true;
 }
 
diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc
@@ -124,10 +124,10 @@ TABLE *find_fk_open_table(THD *thd, const char *db, size_t db_len,
 			  const char *table, size_t table_len);
 MYSQL_THD create_background_thd();
 void reset_thd(MYSQL_THD thd);
-TABLE *get_purge_table(THD *thd);
 TABLE *open_purge_table(THD *thd, const char *db, size_t dblen,
-			const char *tb, size_t tblen);
-void close_thread_tables(THD* thd);
+			const char *tb, size_t tblen,
+			MDL_ticket *mdl_ticket) noexcept;
+int close_thread_tables(THD* thd) noexcept;
 
 #ifdef MYSQL_DYNAMIC_PLUGIN
 #define tc_size  400
@@ -8536,7 +8536,7 @@ ATTRIBUTE_COLD bool wsrep_append_table_key(MYSQL_THD thd, const dict_table_t &ta
 {
   char db_buf[NAME_LEN + 1];
   char tbl_buf[NAME_LEN + 1];
-  ulint db_buf_len, tbl_buf_len;
+  size_t db_buf_len, tbl_buf_len;
 
   if (!table.parse_name(db_buf, tbl_buf, &db_buf_len, &tbl_buf_len))
   {
@@ -20071,33 +20071,18 @@ ha_innobase::multi_range_read_explain_info(
 for purge thread */
 static TABLE* innodb_find_table_for_vc(THD* thd, dict_table_t* table)
 {
-	TABLE *mysql_table;
-	const bool  bg_thread = THDVAR(thd, background_thread);
-
-	if (bg_thread) {
-		if ((mysql_table = get_purge_table(thd))) {
-			return mysql_table;
-		}
-	} else {
-		if (table->vc_templ->mysql_table_query_id
-		    == thd_get_query_id(thd)) {
-			return table->vc_templ->mysql_table;
-		}
+	if (table->vc_templ->mysql_table_query_id == thd_get_query_id(thd)) {
+		return table->vc_templ->mysql_table;
 	}
 
+	TABLE *mysql_table;
 	char	db_buf[NAME_LEN + 1];
 	char	tbl_buf[NAME_LEN + 1];
-	ulint	db_buf_len, tbl_buf_len;
+	size_t	db_buf_len, tbl_buf_len;
 
 	if (!table->parse_name(db_buf, tbl_buf, &db_buf_len, &tbl_buf_len)) {
 		return NULL;
 	}
-
-	if (bg_thread) {
-		return open_purge_table(thd, db_buf, db_buf_len,
-					tbl_buf, tbl_buf_len);
-	}
-
 	mysql_table = find_fk_open_table(thd, db_buf, db_buf_len,
 					 tbl_buf, tbl_buf_len);
 	table->vc_templ->mysql_table = mysql_table;
@@ -21306,3 +21291,16 @@ void alter_stats_rebuild(dict_table_t *table, THD *thd)
                         " table rebuild: %s", ut_strerr(ret));
   DBUG_VOID_RETURN;
 }
+
+TABLE* innobase_open_purge_table(THD *thd, const char *db_buf,
+                                 size_t db_len, const char *tbl_buf,
+                                 size_t tbl_len,
+                                 MDL_ticket *mdl_ticket) noexcept
+{
+  return open_purge_table(thd, db_buf, db_len, tbl_buf, tbl_len, mdl_ticket);
+}
+
+int innobase_close_thread_tables(THD *thd) noexcept
+{
+  return close_thread_tables(thd);
+}
diff --git a/storage/innobase/include/dict0mem.h b/storage/innobase/include/dict0mem.h
@@ -2551,6 +2551,18 @@ struct dict_table_t {
   static dict_table_t *create(const span<const char> &name, fil_space_t *space,
                               ulint n_cols, ulint n_v_cols, ulint flags,
                               ulint flags2);
+
+  /** @return whether the table has any indexed virtual column */
+  bool has_virtual_index() const
+  {
+    for (dict_index_t *index = indexes.start;
+         index; index = UT_LIST_GET_NEXT(indexes, index))
+    {
+      if (index->has_virtual())
+        return true;
+    }
+    return false;
+  }
 };
 
 inline void dict_index_t::set_modified(mtr_t& mtr) const
diff --git a/storage/innobase/include/row0mysql.h b/storage/innobase/include/row0mysql.h
@@ -40,6 +40,7 @@ Created 9/17/2000 Heikki Tuuri
 struct row_prebuilt_t;
 class ha_innobase;
 class ha_handler_stats;
+class MDL_ticket;
 
 /*******************************************************************//**
 Frees the blob heap in prebuilt when no longer needed. */
@@ -830,6 +831,26 @@ void
 innobase_rename_vc_templ(
 	dict_table_t*	table);
 
+/** Open a table for purge operations with MariaDB TABLE handle.
+This is a wrapper to make open_purge_table() accessible from InnoDB
+purge subsystem.
+@param thd     thread handle
+@param db_buf  database name buffer
+@param db_len  database name length
+@param tbl_buf table name buffer
+@param tbl_len table name length
+@return MariaDB TABLE handle, or NULL if not opened */
+TABLE* innobase_open_purge_table(THD *thd, const char *db_buf,
+                                 size_t db_len, const char *tbl_buf,
+                                 size_t tbl_len,
+                                 MDL_ticket *mdl_ticket) noexcept;
+
+/** Close all tables opened by the thread.
+This is a wrapper to make close_thread_tables() accessible from
+InnoDB purge subsytem.
+@param thd thread handle */
+int innobase_close_thread_tables(THD *thd) noexcept;
+
 #define ROW_PREBUILT_FETCH_MAGIC_N	465765687
 
 #define ROW_MYSQL_WHOLE_ROW	0
diff --git a/storage/innobase/include/row0purge.h b/storage/innobase/include/row0purge.h
@@ -67,6 +67,29 @@ row_purge_step(
 	que_thr_t*	thr)	/*!< in: query thread */
 	MY_ATTRIBUTE((nonnull, warn_unused_result));
 
+/** Table context for purge operations. Holds InnoDB table handle,
+MDL ticket, and MariaDB TABLE* for a table_id with indexed virtual
+columns. This information is fetched by the purge
+coordinator thread during batch preparation. Purge worker threads
+can retrieve the TABLE* when needed for virtual column computation. */
+struct purge_table_ctx_t
+{
+  /** InnoDB table handle */
+  dict_table_t *table;
+
+  /** MDL ticket for the table */
+  MDL_ticket *mdl_ticket;
+
+  /** MariaDB TABLE handle (for virtual column computation) */
+  TABLE *maria_table;
+
+  purge_table_ctx_t()
+    : table(nullptr), mdl_ticket(nullptr), maria_table(nullptr) {}
+
+  purge_table_ctx_t(dict_table_t *t, MDL_ticket *m, TABLE *mt)
+    : table(t), mdl_ticket(m), maria_table(mt) {}
+};
+
 /** Purge worker context */
 struct purge_node_t
 {
@@ -111,8 +134,9 @@ struct purge_node_t
   /** Undo recs to purge */
   std::queue<trx_purge_rec_t> undo_recs;
 
-  /** map of table identifiers to table handles and meta-data locks */
-  std::unordered_map<table_id_t, std::pair<dict_table_t*,MDL_ticket*>> tables;
+  /** map of table identifiers to purge table context which has
+  set by purge co-ordinator thread */
+  std::unordered_map<table_id_t, purge_table_ctx_t> tables;
 
   /** Constructor */
   explicit purge_node_t(que_thr_t *parent) :
diff --git a/storage/innobase/include/row0vers.h b/storage/innobase/include/row0vers.h
@@ -65,13 +65,15 @@ bool dtuple_vcol_data_missing(const dtuple_t &tuple,
 @param[in,out]	row		the cluster index row in dtuple form
 @param[in]	clust_index	clustered index
 @param[in]	index		the secondary index
-@param[in]	heap		heap used to build virtual dtuple. */
+@param[in]	heap		heap used to build virtual dtuple.
+@param[in]	maria_table	MariaDB table object */
 bool
 row_vers_build_clust_v_col(
 	dtuple_t*		row,
 	dict_index_t*		clust_index,
 	dict_index_t*		index,
-	mem_heap_t*		heap);
+	mem_heap_t*		heap,
+	TABLE*			maria_table= nullptr);
 /** Build a dtuple contains virtual column data for current cluster index
 @param[in]	rec		cluster index rec
 @param[in]	clust_index	cluster index
@@ -83,6 +85,7 @@ row_vers_build_clust_v_col(
 @param[in,out]	heap		heap memory
 @param[in,out]	v_heap		heap memory to keep virtual column tuple
 @param[in,out]	mtr		mini-transaction
+@param[in]	maria_table	MariaDB table object
 @return dtuple contains virtual column data */
 dtuple_t*
 row_vers_build_cur_vrow(
@@ -94,7 +97,8 @@ row_vers_build_cur_vrow(
 	roll_ptr_t		roll_ptr,
 	mem_heap_t*		heap,
 	mem_heap_t*		v_heap,
-	mtr_t*			mtr);
+	mtr_t*			mtr,
+	TABLE*			maria_table= nullptr);
 
 /*****************************************************************//**
 Constructs the version of a clustered index record which a consistent
diff --git a/storage/innobase/include/trx0purge.h b/storage/innobase/include/trx0purge.h
@@ -229,6 +229,15 @@ class purge_sys_t
 					to purge */
 	trx_rseg_t*	rseg;		/*!< Rollback segment for the next undo
 					record to purge */
+
+	/** Coordinator thread's THD during batch processing.
+	The coordinator thread sets this at the start of trx_purge()
+	and clears it at the end. This is being used in
+	purge_node_t::end() to determine whether InnoDB should
+	call innobase_reset_background_thd(). The coordinator
+	skips this call because it manages table cleanup centrally in
+	trx_purge() after all workers complete. */
+       THD* coordinator_thd= nullptr;
 private:
 	uint32_t	page_no;	/*!< Page number for the next undo
 					record to purge, page number of the
@@ -317,7 +326,9 @@ class purge_sys_t
   void resume();
 
   /** Close and reopen all tables in case of a MDL conflict with DDL */
-  dict_table_t *close_and_reopen(table_id_t id, THD *thd, MDL_ticket **mdl);
+  dict_table_t *close_and_reopen(table_id_t id, THD *thd,
+                                 MDL_ticket **mdl,
+                                 TABLE **maria_table);
 private:
   /** Suspend purge during a DDL operation on FULLTEXT INDEX tables */
   void wait_FTS(bool also_sys);
diff --git a/storage/innobase/row/row0purge.cc b/storage/innobase/row/row0purge.cc
diff --git a/storage/innobase/row/row0vers.cc b/storage/innobase/row/row0vers.cc
diff --git a/storage/innobase/trx/trx0purge.cc b/storage/innobase/trx/trx0purge.cc

Original file line number	Diff line number	Diff line change
`@@ -820,7 +820,7 @@ static inline bool check_field_pointers(const TABLE *table)`
`820`	`820`	`leave prelocked mode if needed.`
`821`	`821`	`*/`
`822`	`822`
`823`		`-int close_thread_tables(THD *thd)`
	`823`	`+int close_thread_tables(THD *thd) noexcept`
`824`	`824`	`{`
`825`	`825`	`TABLE *table;`
`826`	`826`	`int error= 0;`