MariaDB Server / MDEV-13356

10.0.29 crashes on REGEXP with "(.|x)*" on certain conditions

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 10.0.24, 10.0.29
    • Fix Version/s: 10.1.24, 10.0.31, 10.2.7
    • Component/s: OTHER
    • Labels:
      None
    • Environment:
      Ubuntu Xenial (16.04)

      Description

      On at least MariaDB server 10.0.24 and 10.0.29 I can make the MariaDB server crash with a simple REGEXP query.

      Use the following table:

      CREATE TABLE `dummy` (
        `id` int(11) NOT NULL AUTO_INCREMENT,
        `info` longtext NOT NULL,
        PRIMARY KEY (`id`)
      ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

      With the following content:

      INSERT INTO `dummy` (`id`, `info`) VALUES 
      	(1,'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa');

      Now execute the following query:

      SELECT * FROM dummy WHERE info REGEXP '(.|a)*';

      This will result in MySQL crashing every time. (Note: we actually used (.|[\n\s])* in our code, but I simplified it a bit here.)

      Some things I have already noticed:

      • It does not happen if you make the string in the info column 1 character shorter (i.e. it seems to only happen with 241 characters and up). The exact contents of the string do not seem to matter, as long as it is at least 241 characters long.
      • It also happens if you change the info column to a varchar(255) or any other text column.

      My my.cnf is attached, as well as a core dump (created with MariaDB 10.0.29-MariaDB-0ubuntu0.16.04.1 on Ubuntu 16.04).

      The stack trace for the core dump is:

      #0  0x00007fb0782aadfa in ?? () from /lib/x86_64-linux-gnu/libpcre.so.3
      #1  0x00007fb0782b8fec in ?? () from /lib/x86_64-linux-gnu/libpcre.so.3
      #2  0x00007fb0782ab16a in ?? () from /lib/x86_64-linux-gnu/libpcre.so.3
      #3  0x00007fb0782b8fec in ?? () from /lib/x86_64-linux-gnu/libpcre.so.3
      #4  0x00007fb0782ab16a in ?? () from /lib/x86_64-linux-gnu/libpcre.so.3
      #5  0x00007fb0782b8fec in ?? () from /lib/x86_64-linux-gnu/libpcre.so.3
      #6  0x00007fb0782ab16a in ?? () from /lib/x86_64-linux-gnu/libpcre.so.3
      #7  0x00007fb0782b8fec in ?? () from /lib/x86_64-linux-gnu/libpcre.so.3
      #8  0x00007fb0782ab16a in ?? () from /lib/x86_64-linux-gnu/libpcre.so.3
      [... more of these lines...]
      #481 0x00007fb0782b8fec in ?? () from /lib/x86_64-linux-gnu/libpcre.so.3
      #482 0x00007fb0782ab16a in ?? () from /lib/x86_64-linux-gnu/libpcre.so.3
      #483 0x00007fb0782ad06e in ?? () from /lib/x86_64-linux-gnu/libpcre.so.3
      #484 0x00007fb0782bc903 in pcre_exec () from /lib/x86_64-linux-gnu/libpcre.so.3
      #485 0x0000000000780f69 in Regexp_processor_pcre::exec(String*, int, unsigned int) ()
      #486 0x00000000007811a1 in Regexp_processor_pcre::exec(Item*, int, unsigned int) ()
      #487 0x00000000007811e4 in Item_func_regex::val_int() ()
      #488 0x00000000005f5aa1 in ?? ()
      #489 0x00000000006015d9 in sub_select(JOIN*, st_join_table*, bool) ()
      #490 0x000000000060cf2d in ?? ()
      #491 0x0000000000620bbc in JOIN::exec_inner() ()
      #492 0x0000000000622761 in JOIN::exec() ()
      #493 0x000000000061f34e in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) ()
      #494 0x000000000061fcc2 in handle_select(THD*, LEX*, select_result*, unsigned long) ()
      #495 0x00000000005bbfda in ?? ()
      #496 0x00000000005cb31f in mysql_execute_command(THD*) ()
      #497 0x00000000005cccda in mysql_parse(THD*, char*, unsigned int, Parser_state*) ()
      #498 0x00000000005ce4de in dispatch_command(enum_server_command, THD*, char*, unsigned int) ()
      #499 0x000000000069e92b in do_handle_one_connection(THD*) ()
      #500 0x000000000069e989 in handle_one_connection ()
      #501 0x00007fb077c456ba in start_thread (arg=0x7fb078a85700) at pthread_create.c:333
      #502 0x00007fb0772f03dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

      If I need to supply anything else please let me know!
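The alternating pair of libpcre frames in the trace above, repeated roughly twice per subject character, is the shape a recursive backtracking matcher produces when it descends once per iteration of `(.|a)*` and once per alternation attempt. The toy matcher below is an added illustration, not MariaDB or PCRE code (`search`, `dot`, `literal` and the `limit` parameter are constructed names); it reproduces that frame shape for a 241-character subject and shows how a recursion cap returns an error instead of exhausting the stack.

```python
class RecursionLimitExceeded(Exception):
    pass  # the matcher exceeded its configured recursion depth

def dot(text, pos):  # the '.' branch: consume one character if any remain
    return 1 if pos < len(text) else 0

def literal(ch):  # a literal-character branch, e.g. the 'a' in (.|a)
    return lambda text, pos: 1 if pos < len(text) and text[pos] == ch else 0

def search(text, branches, tail="", limit=None):
    """Greedy backtracking match of (branch1|branch2|...)*tail at the start of
    text; returns (matched, max_depth). limit=None means 'rely on the host
    stack', which is what overflowed in the report."""
    max_depth = 0

    def star(pos, depth):  # one frame per star iteration
        nonlocal max_depth
        max_depth = max(max_depth, depth)
        if limit is not None and depth > limit:
            raise RecursionLimitExceeded(depth)
        if alt(pos, depth + 1):  # greedy: try to consume another character first
            return True
        return text.startswith(tail, pos)  # else stop iterating and try the tail

    def alt(pos, depth):  # one frame per alternation attempt
        for branch in branches:
            n = branch(text, pos)
            if n and star(pos + n, depth + 1):
                return True
        return False  # every branch failed: backtrack to the caller

    return star(0, 0), max_depth

def capped_result(n_chars, limit):
    """Match result, or 'error' if the cap fires: what a capped server reports."""
    try:
        return search("a" * n_chars, [dot, literal("a")], limit=limit)[0]
    except RecursionLimitExceeded:
        return "error"

def host_stack_overflows(n_chars):
    """True when the uncapped matcher exhausts the interpreter's own stack."""
    try:
        search("a" * n_chars, [dot, literal("a")])
        return False
    except RecursionError:
        return True
```

The `limit` parameter plays the role of a matcher-side recursion limit such as PCRE's match_limit_recursion: the query fails with an error the server can report rather than taking the process down.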

        Attachments

        1. core.zip
          3.11 MB
        2. my.cnf
          1 kB

              People

              • Assignee: Sergei Golubchik (serg)
              • Reporter: Nicky Gerritsen (nickygerritsen)
              • Votes: 0
              • Watchers: 4