MariaDB Server / MDEV-10951

Server crashes in Field_newdate::cmp when run under appverifier

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.0(EOL), 10.1(EOL), 10.2(EOL)
    • Fix Version/s: 10.0.28
    • Component/s: Optimizer
    • Labels: None

    Description

      Reproducible on a non-debug server (RelWithDebInfo) run under appverifier.
      The test case is attached.

      Stack trace from 10.0

       	vrfcore.dll!00007ffeae732190()	Unknown
       	vrfcore.dll!00007ffeae738540()	Unknown
       	verifier.dll!00007ffeae77a9d0()	Unknown
       	ntdll.dll!00007ffeb654a963()	Unknown
       	vfbasics.dll!00007ffeae6c26c5()	Unknown
       	vfbasics.dll!00007ffeae6c4606()	Unknown
       	vfbasics.dll!00007ffeae6c3c4a()	Unknown
       	ntdll.dll!00007ffeb64d5ef2()	Unknown
       	ntdll.dll!00007ffeb64d4713()	Unknown
       	ntdll.dll!00007ffeb651258a()	Unknown
      >	mysqld.exe!Field_newdate::cmp(const unsigned char * a_ptr, const unsigned char * b_ptr) Line 5941	C++
       	mysqld.exe!group_concat_key_cmp_with_order(void * arg, const void * key1, const void * key2) Line 3071	C++
       	mysqld.exe!tree_insert(st_tree * tree, void * key, unsigned int key_size, void * custom_arg) Line 214	C
       	mysqld.exe!Item_func_group_concat::add() Line 3406	C++
       	mysqld.exe!update_sum_func(Item_sum * * func_ptr) Line 22656	C++
       	mysqld.exe!end_send_group(JOIN * join, st_join_table * join_tab, bool end_of_records) Line 19184	C++
       	mysqld.exe!evaluate_join_record(JOIN * join, st_join_table * join_tab, int error) Line 18084	C++
       	mysqld.exe!sub_select(JOIN * join, st_join_table * join_tab, bool end_of_records) Line 17900	C++
       	mysqld.exe!do_select(JOIN * join, List<Item> * fields, TABLE * table, Procedure * procedure) Line 17523	C++
       	mysqld.exe!JOIN::exec_inner() Line 3084	C++
       	mysqld.exe!JOIN::exec() Line 2375	C++
       	mysqld.exe!mysql_select(THD * thd, Item * * * rref_pointer_array, TABLE_LIST * tables, unsigned int wild_num, List<Item> & fields, Item * conds, unsigned int og_num, st_order * order, st_order * group, Item * having, st_order * proc_param, unsigned __int64 select_options, select_result * result, st_select_lex_unit * unit, st_select_lex * select_lex) Line 3310	C++
       	mysqld.exe!handle_select(THD * thd, LEX * lex, select_result * result, unsigned long setup_tables_done_option) Line 373	C++
       	mysqld.exe!execute_sqlcom_select(THD * thd, TABLE_LIST * all_tables) Line 5294	C++
       	mysqld.exe!mysql_execute_command(THD * thd) Line 2563	C++
       	mysqld.exe!mysql_parse(THD * thd, char * rawbuf, unsigned int length, Parser_state * parser_state) Line 6581	C++
       	mysqld.exe!dispatch_command(enum_server_command command, THD * thd, char * packet, unsigned int packet_length) Line 1312	C++
       	mysqld.exe!do_command(THD * thd) Line 1007	C++
       	mysqld.exe!threadpool_process_request(THD * thd) Line 239	C++
       	mysqld.exe!io_completion_callback(_TP_CALLBACK_INSTANCE * instance, void * context, void * overlapped, unsigned long io_result, unsigned __int64 nbytes, _TP_IO * io) Line 568	C++
      

      Attachments

        1. t1.test
          128 kB
          Elena Stepanova

        Activity

          int Field_newdate::cmp(const uchar *a_ptr, const uchar *b_ptr)
          {
            uint32 a,b;
            a=(uint32) uint3korr(a_ptr);
            b=(uint32) uint3korr(b_ptr);
            return (a < b) ? -1 : (a > b) ? 1 : 0;
          }
          

          The crash happens when uint3korr reads 1 byte past the end of allocated memory page. Here is the relevant definition of uint3korr

          /*
            Attention: Please, note, uint3korr reads 4 bytes (not 3)!
            It means, that you have to provide enough allocated space.
          */
           
          #define uint3korr(A)	(long) (*((const unsigned int *) (A)) & 0xFFFFFF)
          
          

          wlad Vladislav Vaintroub added a comment
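          The over-read described in the comment above can be shown in a few lines of C. This is an added example, not code from the issue or from MariaDB's patch: it keeps the quoted macro under the name uint3korr_4byte, puts a hypothetical byte-wise reader (uint3korr_3byte) next to it, packs dates the way NEWDATE stores them (day + month*32 + year*16*32, three little-endian bytes), and compares two keys laid out back to back in an exactly-sized buffer, the situation in which the 4-byte read of the second key steps one byte past the end.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Macro as quoted in the issue: it dereferences a 4-byte unsigned int and
   masks the top byte away, so it touches A[0..3], not A[0..2]. */
#define uint3korr_4byte(A) ((long) (*((const unsigned int *) (A)) & 0xFFFFFF))

/* Byte-wise little-endian 3-byte read: touches exactly p[0], p[1], p[2], so a
   key that ends on the last byte of an allocation is safe to decode.
   (Hypothetical replacement written for this example, not MariaDB's fix.) */
static inline uint32_t uint3korr_3byte(const unsigned char *p)
{
    return (uint32_t) p[0] | ((uint32_t) p[1] << 8) | ((uint32_t) p[2] << 16);
}

/* Pack a date as NEWDATE stores it: day + month*32 + year*16*32, three
   little-endian bytes. */
static void pack_newdate(unsigned char out[3], unsigned year, unsigned month, unsigned day)
{
    uint32_t v = day + month * 32 + year * 16 * 32;
    out[0] = (unsigned char) (v & 0xFF);
    out[1] = (unsigned char) ((v >> 8) & 0xFF);
    out[2] = (unsigned char) ((v >> 16) & 0xFF);
}

/* Field_newdate::cmp with the 3-byte reader substituted for uint3korr. */
static int newdate_cmp_safe(const unsigned char *a_ptr, const unsigned char *b_ptr)
{
    uint32_t a = uint3korr_3byte(a_ptr);
    uint32_t b = uint3korr_3byte(b_ptr);
    return (a < b) ? -1 : (a > b) ? 1 : 0;
}

/* Two keys packed back to back in an exactly-sized 6-byte buffer.  The second
   key's last byte is the last byte of the buffer, so uint3korr_4byte on
   buf + 3 would read buf[6]; the byte-wise reader never goes there. */
int demo_compare(unsigned y1, unsigned m1, unsigned d1,
                 unsigned y2, unsigned m2, unsigned d2)
{
    unsigned char buf[6];
    pack_newdate(buf, y1, m1, d1);
    pack_newdate(buf + 3, y2, m2, d2);
    return newdate_cmp_safe(buf, buf + 3);
}

/* When the 4th byte is in bounds, both readers decode the same value on a
   little-endian host: the macro reads the poison byte and masks it off.
   Returns 1 if they agree (or 1 on a big-endian host, where the masked-int
   macro does not decode little-endian data in the first place). */
int macro_agrees_with_bytewise(void)
{
    union { unsigned int words[2]; unsigned char b[8]; } pad; /* aligned for the int cast */
    unsigned int probe = 1;
    int little_endian = *(unsigned char *) &probe == 1;
    memset(pad.b, 0xAB, sizeof pad.b);      /* poison the byte the macro over-reads */
    pack_newdate(pad.b, 2016, 10, 12);      /* constructed sample date */
    if (!little_endian)
        return 1;
    return uint3korr_4byte(pad.b) == (long) uint3korr_3byte(pad.b);
}

int main(void)
{
    printf("cmp(2016-10-01, 2016-10-02) = %d\n", demo_compare(2016, 10, 1, 2016, 10, 2));
    printf("cmp(2017-01-01, 2016-12-31) = %d\n", demo_compare(2017, 1, 1, 2016, 12, 31));
    printf("macro agrees with byte-wise reader: %d\n", macro_agrees_with_bytewise());
    return 0;
}
```

          Running the 4-byte macro on buf + 3 in demo_compare would be exactly the page-boundary read the verifier caught; without a verifier or sanitizer it silently succeeds most of the time because the masked byte is discarded, which is why the bug only surfaced under appverifier.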
          wlad Vladislav Vaintroub added a comment (edited): Patch: http://lists.askmonty.org/pipermail/commits/2016-October/009965.html

          serg, could you take a look? I think that this won't affect anything performance related much, so this would be the simplest thing possible.

          See also
          https://github.com/percona/percona-server/pull/1088/commits/a8d31dc24e6cfd95480e7ba81590a1dc5c6fa789

          wlad Vladislav Vaintroub added a comment

          ok to push

          serg Sergei Golubchik added a comment

          People

            Assignee: wlad Vladislav Vaintroub
            Reporter: elenst Elena Stepanova
            Votes: 0
            Watchers: 3
