[MDEV-20261] NULL passed to String::eq, SEGV, server crash, regression in 10.4 - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.4(EOL)
Fix Version/s: 10.5.4, 10.4.14
Component/s: Character Sets, Prepared Statements
Labels:
- mythtv
Environment:
Linux, GCC 9.1, QT 5.12.4, MythTV 30+

Description

On upgrade from MariaDB 10.3 to 10.4, merge_key_fields() calls eq_by_collation(), Item_const_eq() and finally String::eq(NULL, <String>, <charset>), and thus SEGV. MariaDB 10.3 and below are not affected. The bug is reliably reproduced, but hard to narrow down, as the same query will execute twice correctly, and crash the server on the third go.

The client in this case is "mythbackend," the server component to the MythTV DVR. It communicates with MariaDB via QT, using prepared statements. The statement that causes the crash is always the same:

SELECT recordid, category, (category = ?) AS catmatch, (category = ?) AS typematch FROM record WHERE type = ? AND (category = ? OR category = ? OR category = 'Default') ORDER BY catmatch DESC, typematch DESC

The mythbackend program reports the DB error as follows:

Query was:
SELECT recordid, category, (category = ?) AS catmatch, (category = ?) AS typematch FROM record WHERE type = ? AND (category = ? OR category = ? OR category = 'Default') ORDER BY catmatch DESC, typematch DESC
Bindings were:
:CAT1="", :CAT2="", :CATTYPE1="", :CATTYPE2="", :TEMPLATE=11
Driver error was:
QMYSQL3: Unable to execute statement
Database error was:
MySQL server has gone away

As mentioned, this query has been run twice before in the same session, successfully. Immediately prior to the third (and failing) execution is a "smoking gun" of sorts, this log entry in mythbackend's log file:

QMYSQLResult::cleanup: unable to free statement handle

Immediately afterwards, the SELECT statement is prepared, executed, and crashes. This suggests that the "Close stmt" operation from the immediately preceding prepared statement returned an error. I upgraded QT from 5.12.2 to 5.12.4 (and also MythTV), but the result was the same.

I am attaching the MariaDB error.log and general.log showing the SQL executed and the resulting crash. Also attaching the log generated by mythbackend/QT, showing its activity. I recompiled MariaDB with CMAKE_BUILD_TYPE=Debug, and used that with GDB to obtain a more useful backtrace, also attached.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

error-3.log
6 kB
2019-08-05 23:39
general-3.log
9 kB
2019-08-05 23:39
mariadb-backtrace-1.txt
5 kB
2019-08-05 23:39
mythbackend-3.log
13 kB
2019-08-05 23:39

Issue Links

is duplicated by

MDEV-21629 MythTV query causes MariaDB crash

Closed

MDEV-22050 OR + incorrect bound null causes segfault

Closed

MDEV-23220 MythTV SELECT request causes Mariadb server to get a segmentation violation

Closed

Activity

People

Assignee:: Alexander Barkov

Reporter:: Kris Karas

Votes:: 2 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 2019-08-05 23:51

Updated:: 2021-12-11 21:50

Resolved:: 2020-05-13 05:01

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.