Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-15243

Server crashes in in Field_blob::pack upon REPLACE into view with virtual columns with binlog enabled

    XMLWordPrintable

Details

    Description

      --source include/have_innodb.inc
      		 
      --source include/have_binlog_format_mixed.inc
      		 
       
      		 
      CREATE TABLE t1 ( 
       pk SERIAL,
      		 
       vcol_date DATE AS (col_date) PERSISTENT,
      		 
       vcol_int INT AS (col_int) VIRTUAL,
      		 
       vcol_year YEAR AS (col_year) PERSISTENT,
      		 
       vcol_blob BLOB AS (col_blob) VIRTUAL,
      		 
       col_date DATE,
      		 
       col_int INT NULL,
      		 
       col_blob BLOB NULL,
      		 
       col_year YEAR,
      		 
       PRIMARY KEY(pk)
      		 
      ) ENGINE=InnoDB;
      		 
      CREATE VIEW v1 AS SELECT * FROM t1;
      		 
      INSERT INTO t1 (col_date,col_int,col_blob,col_year) VALUES ('2010-04-24',5,'foo',1981);
      		 
      SET SQL_MODE='';
      		 
      REPLACE INTO v1 SELECT * FROM t1;
      		 
       
      		 
      # Cleanup
      		 
      DROP VIEW v1;
      		 
      DROP TABLE t1;

      10.1 8812a2f8580

      		 
      #3  <signal handler called>
      		 
      #4  0x00007f1351d80c6f in __memmove_avx_unaligned_erms () from /lib/x86_64-linux-gnu/libc.so.6
      		 
      #5  0x000055d647be0708 in Field_blob::pack (this=0x7f133c0a0f88, to=0x7f133c297082 '\245' <repeats 200 times>..., from=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, max_length=65535) at /data/src/10.1/sql/field.cc:8331
      		 
      #6  0x000055d647d09451 in pack_row (table=0x7f133c081c70, cols=0x7f133c068d88, row_data=0x7f133c297070 "\245\245\001", record=0x7f1348750eb8 "") at /data/src/10.1/sql/rpl_record.cc:107
      		 
      #7  0x000055d64798540d in THD::binlog_delete_row (this=0x7f13487bd070, table=0x7f133c081c70, is_trans=true, record=0x7f1348750eb8 "") at /data/src/10.1/sql/sql_class.cc:6567
      		 
      #8  0x000055d647c08c50 in Delete_rows_log_event::binlog_row_logging_function (thd=0x7f13487bd070, table=0x7f133c081c70, is_transactional=true, before_record=0x7f1348750eb8 "", after_record=0x0) at /data/src/10.1/sql/log_event.h:4705
      		 
      #9  0x000055d647c06116 in binlog_log_row (table=0x7f133c081c70, before_record=0x7f1348750eb8 "", after_record=0x0, log_func=0x55d647c08c1b <Delete_rows_log_event::binlog_row_logging_function(THD*, TABLE*, bool, unsigned char const*, unsigned char const*)>) at /data/src/10.1/sql/handler.cc:5826
      		 
      #10 0x000055d647c06e28 in handler::ha_delete_row (this=0x7f133c0b0088, buf=0x7f1348750eb8 "") at /data/src/10.1/sql/handler.cc:6048
      		 
      #11 0x000055d64799d6c0 in write_record (thd=0x7f13487bd070, table=0x7f133c081c70, info=0x7f133c047518) at /data/src/10.1/sql/sql_insert.cc:1877
      		 
      #12 0x000055d6479a24d5 in select_insert::send_data (this=0x7f133c0474d8, values=...) at /data/src/10.1/sql/sql_insert.cc:3710
      		 
      #13 0x000055d647a29046 in end_send (join=0x7f133c047578, join_tab=0x7f133c0fe138, end_of_records=false) at /data/src/10.1/sql/sql_select.cc:19575
      		 
      #14 0x000055d647a26dbf in evaluate_join_record (join=0x7f133c047578, join_tab=0x7f133c0fddf0, error=0) at /data/src/10.1/sql/sql_select.cc:18664
      		 
      #15 0x000055d647a266d1 in sub_select (join=0x7f133c047578, join_tab=0x7f133c0fddf0, end_of_records=false) at /data/src/10.1/sql/sql_select.cc:18441
      		 
      #16 0x000055d647a25f34 in do_select (join=0x7f133c047578, fields=0x7f133c047948, table=0x0, procedure=0x0) at /data/src/10.1/sql/sql_select.cc:18096
      		 
      #17 0x000055d647a008e6 in JOIN::exec_inner (this=0x7f133c047578) at /data/src/10.1/sql/sql_select.cc:3252
      		 
      #18 0x000055d6479fdb77 in JOIN::exec (this=0x7f133c047578) at /data/src/10.1/sql/sql_select.cc:2539
      		 
      #19 0x000055d647a0110d in mysql_select (thd=0x7f13487bd070, rref_pointer_array=0x7f13487c1520, tables=0x7f133c0438a8, wild_num=1, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=3489925888, result=0x7f133c0474d8, unit=0x7f13487c0b78, select_lex=0x7f13487c1278) at /data/src/10.1/sql/sql_select.cc:3476
      		 
      #20 0x000055d6479f69f0 in handle_select (thd=0x7f13487bd070, lex=0x7f13487c0ab0, result=0x7f133c0474d8, setup_tables_done_option=1073741824) at /data/src/10.1/sql/sql_select.cc:388
      		 
      #21 0x000055d6479bffd9 in mysql_execute_command (thd=0x7f13487bd070) at /data/src/10.1/sql/sql_parse.cc:4022
      		 
      #22 0x000055d6479ca1c3 in mysql_parse (thd=0x7f13487bd070, rawbuf=0x7f133c043088 "REPLACE INTO v1 SELECT * FROM t1", length=32, parser_state=0x7f1353cb35e0) at /data/src/10.1/sql/sql_parse.cc:7352
      		 
      #23 0x000055d6479b9042 in dispatch_command (command=COM_QUERY, thd=0x7f13487bd070, packet=0x7f134a6c5071 "REPLACE INTO v1 SELECT * FROM t1", packet_length=32) at /data/src/10.1/sql/sql_parse.cc:1477
      		 
      #24 0x000055d6479b7dc7 in do_command (thd=0x7f13487bd070) at /data/src/10.1/sql/sql_parse.cc:1106
      		 
      #25 0x000055d647af0b0f in do_handle_one_connection (thd_arg=0x7f13487bd070) at /data/src/10.1/sql/sql_connect.cc:1330
      		 
      #26 0x000055d647af0873 in handle_one_connection (arg=0x7f13487bd070) at /data/src/10.1/sql/sql_connect.cc:1242
      		 
      #27 0x000055d647eab04e in pfs_spawn_thread (arg=0x7f134cbf78f0) at /data/src/10.1/storage/perfschema/pfs.cc:1861
      		 
      #28 0x00007f1353987494 in start_thread (arg=0x7f1353cb4b00) at pthread_create.c:333
      		 
      #29 0x00007f1351d4093f in clone () from /lib/x86_64-linux-gnu/libc.so.6

      Variation with LOAD:

      --source include/have_innodb.inc
      		 
      --source include/have_binlog_format_mixed.inc
      		 
       
      		 
      CREATE TABLE t1 ( 
       pk SERIAL,
      		 
       vcol_date DATE AS (col_date) PERSISTENT,
      		 
       vcol_int INT AS (col_int) VIRTUAL,
      		 
       vcol_year YEAR AS (col_year) PERSISTENT,
      		 
       vcol_blob BLOB AS (col_blob) VIRTUAL,
      		 
       col_date DATE,
      		 
       col_int INT NULL,
      		 
       col_blob BLOB NULL,
      		 
       col_year YEAR,
      		 
       PRIMARY KEY(pk)
      		 
      ) ENGINE=InnoDB;
      		 
      CREATE VIEW v1 AS SELECT * FROM t1;
      		 
      INSERT INTO t1 (col_date,col_int,col_blob,col_year) VALUES ('2010-04-24',5,'foo',1981);
      		 
      SET SQL_MODE='';
      		 
      SELECT * FROM t1 INTO OUTFILE 't1.data';
      		 
      LOAD DATA INFILE 't1.data' REPLACE INTO TABLE v1;
      		 
       
      		 
      # Cleanup
      		 
      DROP VIEW v1;
      		 
      DROP TABLE t1;


      #3  <signal handler called>
      		 
      #4  0x00007f1d0046fc6f in __memmove_avx_unaligned_erms () from /lib/x86_64-linux-gnu/libc.so.6
      		 
      #5  0x00005616f80cd708 in Field_blob::pack (this=0x7f1cea4a0f88, to=0x7f1cea632082 '\245' <repeats 200 times>..., from=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, max_length=65535) at /data/src/10.1/sql/field.cc:8331
      		 
      #6  0x00005616f81f6451 in pack_row (table=0x7f1cea481c70, cols=0x7f1cea468d88, row_data=0x7f1cea632070 "\245\245\001", record=0x7f1cf6b50eb8 "") at /data/src/10.1/sql/rpl_record.cc:107
      		 
      #7  0x00005616f7e7240d in THD::binlog_delete_row (this=0x7f1cf6bbd070, table=0x7f1cea481c70, is_trans=true, record=0x7f1cf6b50eb8 "") at /data/src/10.1/sql/sql_class.cc:6567
      		 
      #8  0x00005616f80f5c50 in Delete_rows_log_event::binlog_row_logging_function (thd=0x7f1cf6bbd070, table=0x7f1cea481c70, is_transactional=true, before_record=0x7f1cf6b50eb8 "", after_record=0x0) at /data/src/10.1/sql/log_event.h:4705
      		 
      #9  0x00005616f80f3116 in binlog_log_row (table=0x7f1cea481c70, before_record=0x7f1cf6b50eb8 "", after_record=0x0, log_func=0x5616f80f5c1b <Delete_rows_log_event::binlog_row_logging_function(THD*, TABLE*, bool, unsigned char const*, unsigned char const*)>) at /data/src/10.1/sql/handler.cc:5826
      		 
      #10 0x00005616f80f3e28 in handler::ha_delete_row (this=0x7f1cea4b0088, buf=0x7f1cf6b50eb8 "") at /data/src/10.1/sql/handler.cc:6048
      		 
      #11 0x00005616f7e8a6c0 in write_record (thd=0x7f1cf6bbd070, table=0x7f1cea481c70, info=0x7f1d023a14c0) at /data/src/10.1/sql/sql_insert.cc:1877
      		 
      #12 0x00005616f825db85 in read_sep_field (thd=0x7f1cf6bbd070, info=..., table_list=0x7f1cea4431f0, fields_vars=..., set_fields=..., set_values=..., read_info=..., enclosed=..., skip_lines=0, ignore_check_option_errors=false) at /data/src/10.1/sql/sql_load.cc:1195
      		 
      #13 0x00005616f825be18 in mysql_load (thd=0x7f1cf6bbd070, ex=0x7f1cea443168, table_list=0x7f1cea4431f0, fields_vars=..., set_fields=..., set_values=..., handle_duplicates=DUP_REPLACE, ignore=false, read_file_from_client=false) at /data/src/10.1/sql/sql_load.cc:589
      		 
      #14 0x00005616f7eae039 in mysql_execute_command (thd=0x7f1cf6bbd070) at /data/src/10.1/sql/sql_parse.cc:4306
      		 
      #15 0x00005616f7eb71c3 in mysql_parse (thd=0x7f1cf6bbd070, rawbuf=0x7f1cea443088 "LOAD DATA INFILE 't1.data' REPLACE INTO TABLE v1", length=48, parser_state=0x7f1d023a25e0) at /data/src/10.1/sql/sql_parse.cc:7352
      		 
      #16 0x00005616f7ea6042 in dispatch_command (command=COM_QUERY, thd=0x7f1cf6bbd070, packet=0x7f1cf8ac5071 "LOAD DATA INFILE 't1.data' REPLACE INTO TABLE v1", packet_length=48) at /data/src/10.1/sql/sql_parse.cc:1477
      		 
      #17 0x00005616f7ea4dc7 in do_command (thd=0x7f1cf6bbd070) at /data/src/10.1/sql/sql_parse.cc:1106
      		 
      #18 0x00005616f7fddb0f in do_handle_one_connection (thd_arg=0x7f1cf6bbd070) at /data/src/10.1/sql/sql_connect.cc:1330
      		 
      #19 0x00005616f7fdd873 in handle_one_connection (arg=0x7f1cf6bbd070) at /data/src/10.1/sql/sql_connect.cc:1242
      		 
      #20 0x00005616f839804e in pfs_spawn_thread (arg=0x7f1cfaff78f0) at /data/src/10.1/storage/perfschema/pfs.cc:1861
      		 
      #21 0x00007f1d02076494 in start_thread (arg=0x7f1d023a3b00) at pthread_create.c:333
      		 
      #22 0x00007f1d0042f93f in clone () from /lib/x86_64-linux-gnu/libc.so.6

      Reproducible with 10.1, 10.2, 10.3.
      Not reproducible with 10.0.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-15330 Server crash or assertion `table->insert_values' failure in write_record upon LOAD DATA

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-30441 ASAN heap-use-after-free in Field_blob::pack/pack_row

          • Major - Major loss of function.
          • Open

          Activity

            People

              monty Michael Widenius
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.