[MDEV-14041] Server crashes in String::length on queries with functions and ROLLUP - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 5.5(EOL), 10.0(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL)
Fix Version/s: 10.2.24, 10.1.39, 10.3.15, 10.4.5
Component/s: Server
Labels:
None

Description

Note: This report has two separate test cases, one only fails on 5.5 and another one only fails on 10.2/10.3, don't know if there are cases where 10.0 and 10.1 would fail, so far it hasn't happened in my tests.

Test case for 5.5
CREATE TABLE t1 (i INT);
INSERT INTO t1 VALUES (1),(2);
SELECT GET_LOCK( 'foo', 0 );
SELECT HEX( RELEASE_LOCK( 'foo' ) ) AS f FROM t1 GROUP BY f WITH ROLLUP;

# Cleanup
DROP TABLE t1;

5.5 8539e4b1b609f80
#3 <signal handler called>
#4 0x000000000056443a in String::length (this=0x0) at /data/src/5.5/sql/sql_string.h:114
#5 0x00000000006901f7 in sortcmp (s=0x7fcba0149ed0, t=0x0, cs=0x1403d00 <my_charset_latin1>) at /data/src/5.5/sql/sql_string.cc:736
#6 0x00000000007dd420 in Cached_item_str::cmp (this=0x7fcba0149eb0) at /data/src/5.5/sql/item_buff.cc:94
#7 0x000000000066348c in test_if_group_changed (list=...) at /data/src/5.5/sql/sql_select.cc:21373
#8 0x000000000065c4d6 in end_send_group (join=0x7fcba0148d20, join_tab=0x7fcba0180398, end_of_records=false) at /data/src/5.5/sql/sql_select.cc:18370
#9 0x00000000006599e8 in evaluate_join_record (join=0x7fcba0148d20, join_tab=0x7fcba0180078, error=0) at /data/src/5.5/sql/sql_select.cc:17301
#10 0x000000000065932a in sub_select (join=0x7fcba0148d20, join_tab=0x7fcba0180078, end_of_records=false) at /data/src/5.5/sql/sql_select.cc:17084
#11 0x0000000000658b96 in do_select (join=0x7fcba0148d20, fields=0x7fcba0149100, table=0x0, procedure=0x0) at /data/src/5.5/sql/sql_select.cc:16746
#12 0x000000000063702e in JOIN::exec (this=0x7fcba0148d20) at /data/src/5.5/sql/sql_select.cc:2894
#13 0x000000000063780a in mysql_select (thd=0x7fcba1264060, rref_pointer_array=0x7fcba1267d08, tables=0x7fcba0148528, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7fcba0148c20, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fcba0148d00, unit=0x7fcba1267388, select_lex=0x7fcba1267a68) at /data/src/5.5/sql/sql_select.cc:3115
#14 0x000000000062dfc8 in handle_select (thd=0x7fcba1264060, lex=0x7fcba12672d8, result=0x7fcba0148d00, setup_tables_done_option=0) at /data/src/5.5/sql/sql_select.cc:323
#15 0x000000000060745e in execute_sqlcom_select (thd=0x7fcba1264060, all_tables=0x7fcba0148528) at /data/src/5.5/sql/sql_parse.cc:4678
#16 0x00000000006007df in mysql_execute_command (thd=0x7fcba1264060) at /data/src/5.5/sql/sql_parse.cc:2224
#17 0x000000000060a02a in mysql_parse (thd=0x7fcba1264060, rawbuf=0x7fcba0148078 "SELECT HEX( RELEASE_LOCK( 'foo' ) ) AS f FROM t1 GROUP BY f WITH ROLLUP", length=71, parser_state=0x7fcba6f1e640) at /data/src/5.5/sql/sql_parse.cc:5923
#18 0x00000000005fdd3f in dispatch_command (command=COM_QUERY, thd=0x7fcba1264060, packet=0x7fcba4f5b061 "", packet_length=71) at /data/src/5.5/sql/sql_parse.cc:1066
#19 0x00000000005fcf31 in do_command (thd=0x7fcba1264060) at /data/src/5.5/sql/sql_parse.cc:793
#20 0x000000000070003b in do_handle_one_connection (thd_arg=0x7fcba1264060) at /data/src/5.5/sql/sql_connect.cc:1268
#21 0x00000000006ffdc8 in handle_one_connection (arg=0x7fcba1264060) at /data/src/5.5/sql/sql_connect.cc:1184
#22 0x0000000000a0dbbb in pfs_spawn_thread (arg=0x7fcba1f76fc0) at /data/src/5.5/storage/perfschema/pfs.cc:1015
#23 0x00007fcba6b51494 in start_thread (arg=0x7fcba6f1f700) at pthread_create.c:333
#24 0x00007fcba556793f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Test case for 10.2 / 10.3
CREATE TABLE t1 (i INT);
INSERT INTO t1 VALUES (1),(2);

SELECT i FROM t1 GROUP BY i WITH ROLLUP
UNION ALL
SELECT ELT( FOUND_ROWS(), 1 ) f FROM t1 GROUP BY f WITH ROLLUP
;

# Cleanup
DROP TABLE t1;

10.2 95f393394442437eea4
#3 <signal handler called>
#4 0x000055b4381e33a6 in String::length (this=0x0) at /data/src/10.2/sql/sql_string.h:203
#5 0x000055b438368553 in sortcmp (s=0x7f19c80183a0, t=0x0, cs=0x55b439726b00 <my_charset_latin1>) at /data/src/10.2/sql/sql_string.cc:776
#6 0x000055b43855b2ca in Cached_item_str::cmp (this=0x7f19c8018380) at /data/src/10.2/sql/item_buff.cc:95
#7 0x000055b4383280f4 in test_if_group_changed (list=...) at /data/src/10.2/sql/sql_select.cc:23004
#8 0x000055b438320fa1 in end_send_group (join=0x7f19c8014b60, join_tab=0x7f19c8110c38, end_of_records=false) at /data/src/10.2/sql/sql_select.cc:20028
#9 0x000055b43831e154 in evaluate_join_record (join=0x7f19c8014b60, join_tab=0x7f19c8110888, error=0) at /data/src/10.2/sql/sql_select.cc:18884
#10 0x000055b43831da64 in sub_select (join=0x7f19c8014b60, join_tab=0x7f19c8110888, end_of_records=false) at /data/src/10.2/sql/sql_select.cc:18664
#11 0x000055b43831cffd in do_select (join=0x7f19c8014b60, procedure=0x0) at /data/src/10.2/sql/sql_select.cc:18208
#12 0x000055b4382f7703 in JOIN::exec_inner (this=0x7f19c8014b60) at /data/src/10.2/sql/sql_select.cc:3540
#13 0x000055b4382f6bb2 in JOIN::exec (this=0x7f19c8014b60) at /data/src/10.2/sql/sql_select.cc:3335
#14 0x000055b438394e7a in st_select_lex_unit::exec (this=0x7f19c80046a0) at /data/src/10.2/sql/sql_union.cc:1005
#15 0x000055b438391934 in mysql_union (thd=0x7f19c8000b00, lex=0x7f19c80045d8, result=0x7f19c8014240, unit=0x7f19c80046a0, setup_tables_done_option=0) at /data/src/10.2/sql/sql_union.cc:41
#16 0x000055b4382ec436 in handle_select (thd=0x7f19c8000b00, lex=0x7f19c80045d8, result=0x7f19c8014240, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:351
#17 0x000055b4382b8305 in execute_sqlcom_select (thd=0x7f19c8000b00, all_tables=0x7f19c8012788) at /data/src/10.2/sql/sql_parse.cc:6456
#18 0x000055b4382ae38c in mysql_execute_command (thd=0x7f19c8000b00) at /data/src/10.2/sql/sql_parse.cc:3467
#19 0x000055b4382bbcc3 in mysql_parse (thd=0x7f19c8000b00, rawbuf=0x7f19c80124e8 "SELECT i FROM t1 GROUP BY i WITH ROLLUP\nUNION ALL\nSELECT ELT( FOUND_ROWS(), 1 ) f FROM t1 GROUP BY f WITH ROLLUP", length=112, parser_state=0x7f19daba2200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7898
#20 0x000055b4382a9c5d in dispatch_command (command=COM_QUERY, thd=0x7f19c8000b00, packet=0x7f19c8170451 "", packet_length=113, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1806
#21 0x000055b4382a85c0 in do_command (thd=0x7f19c8000b00) at /data/src/10.2/sql/sql_parse.cc:1360
#22 0x000055b4383f67b6 in do_handle_one_connection (connect=0x55b43bd6c110) at /data/src/10.2/sql/sql_connect.cc:1335
#23 0x000055b4383f6543 in handle_one_connection (arg=0x55b43bd6c110) at /data/src/10.2/sql/sql_connect.cc:1241
#24 0x000055b438815898 in pfs_spawn_thread (arg=0x55b43bccb000) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#25 0x00007f19e259d494 in start_thread (arg=0x7f19daba3700) at pthread_create.c:333
#26 0x00007f19e098393f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

master.err.gz
30 kB
2017-10-10 20:18
master.log.gz
4.05 MB
2017-10-10 20:18
threads1
35 kB
2017-10-10 20:17
threads1_full
128 kB
2017-10-10 20:17

Issue Links

relates to

MDEV-19299 ASAN: heap-use-after-free upon LEAST(..CHARSET(..),..)

Confirmed

Server crashes in String::length on queries with functions and ROLLUP

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Git Integration