MariaDB Server
MDEV-20261

NULL passed to String::eq, SEGV, server crash, regression in 10.4


Details

    Description

      On upgrade from MariaDB 10.3 to 10.4, merge_key_fields() calls eq_by_collation(), Item_const_eq() and finally String::eq(NULL, <String>, <charset>), and thus SEGV. MariaDB 10.3 and below are not affected. The bug is reliably reproduced, but hard to narrow down, as the same query will execute twice correctly, and crash the server on the third go.

      The client in this case is "mythbackend," the server component of the MythTV DVR. It communicates with MariaDB via Qt, using prepared statements. The statement that causes the crash is always the same:

      SELECT recordid, category, (category = ?) AS catmatch, (category = ?) AS typematch FROM record WHERE type = ? AND (category = ? OR category = ? OR category = 'Default') ORDER BY catmatch DESC, typematch DESC

      The mythbackend program reports the DB error as follows:

      Query was:
      SELECT recordid, category, (category = ?) AS catmatch, (category = ?) AS typematch FROM record WHERE type = ? AND (category = ? OR category = ? OR category = 'Default') ORDER BY catmatch DESC, typematch DESC
      Bindings were:
      :CAT1="", :CAT2="", :CATTYPE1="", :CATTYPE2="", :TEMPLATE=11
      Driver error was:
      QMYSQL3: Unable to execute statement
      Database error was:
      MySQL server has gone away

      As mentioned, this query has been run twice before in the same session, successfully. Immediately prior to the third (and failing) execution is a "smoking gun" of sorts, this log entry in mythbackend's log file:

      QMYSQLResult::cleanup: unable to free statement handle

      Immediately afterwards, the SELECT statement is prepared, executed, and crashes. This suggests that the "Close stmt" operation from the immediately preceding prepared statement returned an error. I upgraded Qt from 5.12.2 to 5.12.4 (and also MythTV), but the result was the same.

      I am attaching the MariaDB error.log and general.log showing the SQL executed and the resulting crash. Also attaching the log generated by mythbackend/QT, showing its activity. I recompiled MariaDB with CMAKE_BUILD_TYPE=Debug, and used that with GDB to obtain a more useful backtrace, also attached.

      Attachments

        1. mythbackend-3.log (13 kB)
        2. mariadb-backtrace-1.txt (5 kB)
        3. general-3.log (9 kB)
        4. error-3.log (6 kB)
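      The following is an added example, not part of the report above and not MariaDB's or MythTV's own code: a server-side attempt to reproduce the described crash with MariaDB's SQL-level PREPARE / EXECUTE instead of mythbackend's Qt client. It uses the statement text and the bindings exactly as logged in the report. Everything else is an assumption: the database name, the minimal `record` table (only the columns the query touches; the real MythTV table has many more), the constructed rows, and the mapping of the named bindings onto the five positional `?` markers. Because the four category bindings are all empty strings, only the position of :TEMPLATE matters, and it is placed at `type = ?`.

```sql
-- Added reproduction attempt for MDEV-20261 (example, not from the original report).
-- Assumed database and table; the real MythTV `record` table is much wider.

-- Check the server version first: the report says 10.3 and below are not affected.
SELECT VERSION();

CREATE DATABASE IF NOT EXISTS mdev20261_repro;
USE mdev20261_repro;

DROP TABLE IF EXISTS record;
CREATE TABLE record (
  recordid INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
  type     INT NOT NULL,
  category VARCHAR(64) NOT NULL DEFAULT ''
) DEFAULT CHARSET=utf8mb4;

-- Constructed sample rows so the WHERE clause has something to match.
INSERT INTO record (type, category) VALUES (11, 'Default'), (11, ''), (5, 'News');

-- Same statement text as logged by mythbackend (single quotes doubled inside the string).
PREPARE stmt FROM
  'SELECT recordid, category,
          (category = ?) AS catmatch,
          (category = ?) AS typematch
     FROM record
    WHERE type = ?
      AND (category = ? OR category = ? OR category = ''Default'')
    ORDER BY catmatch DESC, typematch DESC';

-- Bindings as logged: :CAT1="", :CAT2="", :CATTYPE1="", :CATTYPE2="", :TEMPLATE=11.
SET @cat1 = '', @cat2 = '', @cattype1 = '', @cattype2 = '', @template = 11;

-- The report describes two successful executions and a crash on the third,
-- so run the same prepared statement three times in one session.
-- Assumed placeholder order: catmatch, typematch, type, then the two OR terms.
EXECUTE stmt USING @cat1, @cattype1, @template, @cat2, @cattype2;
EXECUTE stmt USING @cat1, @cattype1, @template, @cat2, @cattype2;
EXECUTE stmt USING @cat1, @cattype1, @template, @cat2, @cattype2;

DEALLOCATE PREPARE stmt;
```

      If the server survives all three executions, the SQL-level path does not reach the crash and the reproduction still has to go through a client using the binary prepared-statement protocol (mysql_stmt_prepare / mysql_stmt_execute / mysql_stmt_close), as Qt's QMYSQL driver does; the "unable to free statement handle" message in the report points at the close of the preceding statement, which SQL-level DEALLOCATE PREPARE does not exercise the same way.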

            People

              bar Alexander Barkov
              ktk Kris Karas
              Votes: 2
              Watchers: 9
