Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.0(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4, 11.5(EOL)
Description
If mroonga is not installed, creating at least the mroonga_escape function and running it results in unexpected problems:
In 10.1.37
CREATE FUNCTION mroonga_escape RETURNS STRING SONAME 'ha_mroonga.so';
|
Query OK, 0 rows affected (0.04 sec)
|
|
|
select mroonga_escape('10');
|
ERROR 2013 (HY000): Lost connection to MySQL server during query
|
|
|
select mroonga_escape('10');
|
ERROR 2006 (HY000): MySQL server has gone away
|
No connection. Trying to reconnect...
|
In 10.2.27:
CREATE FUNCTION mroonga_escape RETURNS STRING SONAME 'ha_mroonga.so';
|
Query OK, 0 rows affected (0.01 sec)
|
|
|
SELECT mroonga_escape("+-<>~*()\"\:");
|
ERROR 2013 (HY000): Lost connection to MySQL server during query
|
In 10.3.20 and 10.4.10
CREATE FUNCTION mroonga_escape RETURNS STRING SONAME 'ha_mroonga.so';
|
ERROR 1041 (HY000): Out of memory.
|
Attachments
Issue Links
- split to
-
-
- Open
-
Activity
Is Mrooga officially supported?
The crash is inside UDF, so it is question to them who wrote it.
From 'mrn::ContextPool::pull'; mroonga_command_init, mroonga_escape_init, mroonga_highlight_html_init, mroonga_normalize_init, mroonga_snippet_html_init
And from 'mrn::DatabaseManager::open'; mroonga_query_expand_init (first one below)
CREATE FUNCTION mroonga_query_expand RETURNS STRING SONAME 'ha_mroonga.so'; |
SELECT mroonga_query_expand ('a', 'a', 'a', 'a'); |
|
11.4.0 9b1ea6904965dd345478dedd80e181ad54c767da (Debug) |
SIGSEGV|mrn::DatabaseManager::open|mroonga_query_expand_init|udf_handler::fix_fields|Item_udf_func::fix_fields
|
|
10.4.33 3812e1c95886c23aba418c4ecaed0d3d6aeec3ef (Optimized) |
SIGSEGV|mrn::DatabaseManager::open|mroonga_query_expand_init|udf_handler::fix_fields|udf_handler::fix_fields
|
CREATE FUNCTION mroonga_normalize RETURNS STRING SONAME 'ha_mroonga.so'; |
SELECT mroonga_normalize('a'); |
|
11.4.0 9b1ea6904965dd345478dedd80e181ad54c767da (Debug) |
SIGSEGV|mrn::ContextPool::pull|mroonga_normalize_init|udf_handler::fix_fields|Item_udf_func::fix_fields
|
|
10.4.33 3812e1c95886c23aba418c4ecaed0d3d6aeec3ef (Optimized) |
SIGSEGV|mrn::ContextPool::pull|mroonga_normalize_init|udf_handler::fix_fields|udf_handler::fix_fields
|
CREATE FUNCTION mroonga_command RETURNS STRING SONAME 'ha_mroonga.so'; |
SELECT mroonga_command('a'); |
|
11.4.0 9b1ea6904965dd345478dedd80e181ad54c767da (Debug) |
SIGSEGV|mrn::ContextPool::pull|mroonga_command_init|udf_handler::fix_fields|Item_udf_func::fix_fields
|
|
10.4.33 3812e1c95886c23aba418c4ecaed0d3d6aeec3ef (Optimized) |
SIGSEGV|mrn::ContextPool::pull|mroonga_command_init|udf_handler::fix_fields|udf_handler::fix_fields
|
CREATE FUNCTION mroonga_escape RETURNS STRING SONAME 'ha_mroonga.so'; |
SELECT mroonga_escape('+'); |
|
11.4.0 9b1ea6904965dd345478dedd80e181ad54c767da (Debug) |
SIGSEGV|mrn::ContextPool::pull|mroonga_escape_init|udf_handler::fix_fields|Item_udf_func::fix_fields
|
|
10.4.33 3812e1c95886c23aba418c4ecaed0d3d6aeec3ef (Optimized) |
SIGSEGV|mrn::ContextPool::pull|mroonga_escape_init|udf_handler::fix_fields|udf_handler::fix_fields
|
CREATE FUNCTION mroonga_highlight_html RETURNS STRING SONAME 'ha_mroonga.so'; |
SELECT mroonga_highlight_html('a' AS query); |
|
11.4.0 9b1ea6904965dd345478dedd80e181ad54c767da (Debug) |
SIGSEGV|mrn::ContextPool::pull|mroonga_highlight_html_init|udf_handler::fix_fields|udf_handler::fix_fields
|
|
10.4.33 3812e1c95886c23aba418c4ecaed0d3d6aeec3ef (Optimized) |
SIGSEGV|mrn::ContextPool::pull|mroonga_highlight_html_init|udf_handler::fix_fields|Item_udf_func::fix_fields
|
CREATE FUNCTION mroonga_snippet_html RETURNS STRING SONAME 'ha_mroonga.so'; |
SELECT mroonga_snippet_html('a','',''); |
|
11.4.0 9b1ea6904965dd345478dedd80e181ad54c767da (Debug) |
SIGSEGV|mrn::ContextPool::pull|mroonga_snippet_html_init|udf_handler::fix_fields|Item_udf_func::fix_fields
|
|
10.4.33 3812e1c95886c23aba418c4ecaed0d3d6aeec3ef (Optimized) |
SIGSEGV|mrn::ContextPool::pull|mroonga_snippet_html_init|udf_handler::fix_fields|udf_handler::fix_fields
|
kou Hi! Any possibility of a fix? Thank you!
This one is in thd_get_ha_data():
CREATE FUNCTION last_insert_grn_id RETURNS INTEGER SONAME 'ha_mroonga.so'; |
SELECT last_insert_grn_id(); |
|
11.4.0 9b1ea6904965dd345478dedd80e181ad54c767da (Debug) |
Core was generated by `/test/MD060224-mariadb-11.4.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 thd_get_ha_data (thd=0x14c398000d58, hton=0x0)
|
at /test/11.4_dbg/sql/sql_class.cc:455
|
[Current thread is 1 (LWP 960083)]
|
(gdb) bt
|
#0 thd_get_ha_data (thd=0x14c398000d58, hton=0x0) at /test/11.4_dbg/sql/sql_class.cc:455
|
#1 0x000014c3b68e55c0 in mrn_get_slot_data (thd=0x14c398000d58, can_create=<optimized out>) at /test/11.4_dbg/storage/mroonga/mrn_table.cpp:1136
|
#2 0x000014c3b68e5804 in last_insert_grn_id (init=<optimized out>, args=<optimized out>, is_null=<optimized out>, error=<optimized out>) at /test/11.4_dbg/storage/mroonga/udf/mrn_udf_last_insert_grn_id.cpp:43
|
#3 0x0000559ada2b764d in udf_handler::val_int (null_value=<synthetic pointer>, this=0x14c398019418) at /test/11.4_dbg/sql/sql_udf.h:108
|
#4 Item_func_udf_int::val_int (this=0x14c398019368) at /test/11.4_dbg/sql/item_func.cc:3801
|
#5 0x0000559ada157dc9 in Type_handler::Item_send_longlong (this=<optimized out>, item=0x14c398019368, protocol=0x14c398001370, buf=<optimized out>) at /test/11.4_dbg/sql/sql_type.cc:7510
|
#6 0x0000559ada15e8af in Type_handler_longlong::Item_send (this=<optimized out>, item=<optimized out>, protocol=<optimized out>, buf=<optimized out>) at /test/11.4_dbg/sql/sql_type.h:5803
|
#7 0x0000559ad9df5036 in Item::send (this=0x14c398019368, protocol=0x14c398001370, buffer=0x14c3d40d0d70) at /test/11.4_dbg/sql/item.h:1241
|
#8 0x0000559ad9e2c82d in Protocol::send_result_set_row (this=this@entry=0x14c398001370, row_items=row_items@entry=0x14c398019140) at /test/11.4_dbg/sql/protocol.cc:1333
|
#9 0x0000559ad9ea2f57 in select_send::send_data (this=0x14c398019dd8, items=@0x14c398019140: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14c3980194b0, last = 0x14c3980194b0, elements = 1}, <No data fields>}) at /test/11.4_dbg/sql/sql_class.cc:3136
|
#10 0x0000559ad9faa418 in select_result_sink::send_data_with_check (sent=0, u=<optimized out>, items=<optimized out>, this=<optimized out>) at /test/11.4_dbg/sql/sql_class.h:5978
|
#11 JOIN::exec_inner (this=this@entry=0x14c398019e00) at /test/11.4_dbg/sql/sql_select.cc:4862
|
#12 0x0000559ad9fab26e in JOIN::exec (this=this@entry=0x14c398019e00) at /test/11.4_dbg/sql/sql_select.cc:4774
|
#13 0x0000559ad9fa9079 in mysql_select (thd=thd@entry=0x14c398000d58, tables=0x0, fields=@0x14c398019140: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14c3980194b0, last = 0x14c3980194b0, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x14c398019dd8, unit=0x14c3980051d8, select_lex=0x14c398018e88) at /test/11.4_dbg/sql/sql_select.cc:5304
|
#14 0x0000559ad9fa98a2 in handle_select (thd=thd@entry=0x14c398000d58, lex=lex@entry=0x14c3980050f8, result=result@entry=0x14c398019dd8, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.4_dbg/sql/sql_select.cc:630
|
#15 0x0000559ad9f087ee in execute_sqlcom_select (thd=thd@entry=0x14c398000d58, all_tables=0x0) at /test/11.4_dbg/sql/sql_parse.cc:6077
|
#16 0x0000559ad9f14866 in mysql_execute_command (thd=thd@entry=0x14c398000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.4_dbg/sql/sql_parse.cc:3926
|
#17 0x0000559ad9f1ae39 in mysql_parse (thd=thd@entry=0x14c398000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14c3d40d21e0) at /test/11.4_dbg/sql/sql_parse.cc:7798
|
#18 0x0000559ad9f1d1fc in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14c398000d58, packet=packet@entry=0x14c39800b1c9 "", packet_length=packet_length@entry=27, blocking=blocking@entry=true) at /test/11.4_dbg/sql/sql_class.h:254
|
#19 0x0000559ad9f1f333 in do_command (thd=0x14c398000d58, blocking=blocking@entry=true) at /test/11.4_dbg/sql/sql_parse.cc:1406
|
#20 0x0000559ada0859fd in do_handle_one_connection (connect=<optimized out>, connect@entry=0x559add963c48, put_in_cache=put_in_cache@entry=true) at /test/11.4_dbg/sql/sql_connect.cc:1417
|
#21 0x0000559ada085cf2 in handle_one_connection (arg=arg@entry=0x559add963c48) at /test/11.4_dbg/sql/sql_connect.cc:1319
|
#22 0x0000559ada4d2e9a in pfs_spawn_thread (arg=0x559add8e4118) at /test/11.4_dbg/storage/perfschema/pfs.cc:2201
|
#23 0x000014c3df094ac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
|
#24 0x000014c3df126850 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
Note: it is the only testcase with INTEGER instead of STRING, if it matters.
Oh, sorry. I missed this.
"INSTALL PLUGIN mroonga SONAME 'ha_mroonga';" is required for UDFs provided by Mroonga. So this is not a bug. This is expected.
UDFs provided Mroonga use Groonga APIs. We need to call "grn_init()" before we use any Groonga API. Mroonga calls it in plugin initialization hook. So we need to run "INSTALL PLUGIN mroonga SONAME 'ha_mroonga';" to use UDFs provided by Mroonga.
BTW, why do you want to use UDFs provided by Mroonga without "INSTALL PLUGIN mroonga SONAME 'ha_mroonga';"?
Hi kou! No worries, and thank you for the reply!
While we understand that INSTALL PLUGIN mroonga is required, any SIGSEGV is a serious bug (i.e. server halted due to arbitrary SQL - with all sorts of possible secondary consequences for the user including data corruption) that can be covered and prevented in code.
Could you please add a check if the plugin is loaded at UDF call time and provide an error message to the user along the line of "ERROR: To use this function, please load the Mroonga plugin first by using INSTALL PLUGIN mroonga SONAME 'ha_mroonga';" and prevent the server from crashing?
Thank you!
And please note there are various code paths in which this happens, at least 3 major ones with one of them having many sub code-paths, as detailed above. Thank you.
Hmm. I want to report an error for CREATE FUNCTION without INSTALL PLUGIN instead of call time check. Can we do this with the current CREATE FUNCTION mechanism?
Thank you!
As CREATE FUNCTION can be used in other areas, I am not sure if it is the right location? Can you clarify the reasoning?
In general, an error should be reported when it's happen. It's easy to debug, understand what's wrong and so on.
In this case, CREATE FUNCTION without INSTALL PLUGIN is invalid. So I want to report it for the invalid CREATE FUNCTION.
If this explanation isn't enough, please let me know.
ed25519 plugin does that, kind of.
See https://github.com/MariaDB/server/blob/10.5/plugin/auth_ed25519/server_ed25519.c#L163-L168
Thanks for the information!
It seems that call time check is recommended than CREATE FUNCTION time error. I'll create a patch for the "11.5" branch.
It's not quite call time check. _init called once per statement, not per row. Not as good as a check at CREATE FUNCTION but not as terrible as per row.
CREATE FUNCTION mroonga_snippet RETURNS STRING SONAME 'ha_mroonga.so'; |
SELECT mroonga_snippet ('',0,0,'',0,0,'','','','',''); # UBSAN, or |
SELECT mroonga_snippet ('',0,0, 0,0,0,'','','','',''); # UBSAN + SIGSEGV |
Leads to, respectively:
|
11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Debug) |
Core was generated by `/test/MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 mrn::ContextPool::pull (this=0x0)at /test/11.5_dbg/storage/mroonga/lib/mrn_context_pool.cpp:111
|
[Current thread is 1 (LWP 2864197)]
|
(gdb) bt
|
#0 mrn::ContextPool::pull (this=0x0)at /test/11.5_dbg/storage/mroonga/lib/mrn_context_pool.cpp:111
|
#1 0x00001495c14e5f2e in mroonga_snippet_init (init=0x14959c01bba8, args=0x14959c01bb68, message=0x1495cc1f91f0 "p\224\037Ì•\024")at /test/11.5_dbg/storage/mroonga/udf/mrn_udf_snippet.cpp:189
|
#2 0x0000557df277fc84 in udf_handler::fix_fields (this=this@entry=0x14959c01bb58, thd=thd@entry=0x14959c000d58, func=func@entry=0x14959c01baa8, arg_count=<optimized out>, arguments=<optimized out>) at /test/11.5_dbg/sql/item_func.cc:3589
|
#3 0x0000557df2798a3d in Item_udf_func::fix_fields (this=0x14959c01baa8, thd=0x14959c000d58, ref=<optimized out>)at /test/11.5_dbg/sql/item_func.h:2941
|
#4 0x0000557df23510c1 in Item::fix_fields_if_needed (ref=0x14959c01bca8, thd=0x14959c000d58, this=0x14959c01baa8) at /test/11.5_dbg/sql/item.h:1166
|
#5 Item::fix_fields_if_needed_for_scalar (ref=0x14959c01bca8, thd=0x14959c000d58, this=0x14959c01baa8) at /test/11.5_dbg/sql/item.h:1175
|
#6 setup_fields (thd=0x14959c000d58, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=<optimized out>, sum_func_list=sum_func_list@entry=0x14959c01c9e8, pre_fix=0x14959c01b1d8, allow_sum_func=true) at /test/11.5_dbg/sql/sql_base.cc:8070
|
#7 0x0000557df2454f20 in JOIN::prepare (this=this@entry=0x14959c01c640, tables_init=tables_init@entry=0x0, conds_init=conds_init@entry=0x0, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x14959c01af08, unit_arg=0x14959c0051e0) at /test/11.5_dbg/sql/sql_select.cc:1549
|
#8 0x0000557df246b1a4 in mysql_select (thd=thd@entry=0x14959c000d58, tables=0x0, fields=@0x14959c01b1c0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14959c01bca0, last = 0x14959c01bca0, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x14959c01c618, unit=0x14959c0051e0, select_lex=0x14959c01af08) at /test/11.5_dbg/sql/sql_select.cc:5279
|
#9 0x0000557df246b3ce in handle_select (thd=thd@entry=0x14959c000d58, lex=lex@entry=0x14959c005100, result=result@entry=0x14959c01c618, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/11.5_dbg/sql/sql_select.cc:630
|
#10 0x0000557df23cb76a in execute_sqlcom_select (thd=thd@entry=0x14959c000d58, all_tables=0x0) at /test/11.5_dbg/sql/sql_parse.cc:6093
|
#11 0x0000557df23d678a in mysql_execute_command (thd=thd@entry=0x14959c000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.5_dbg/sql/sql_parse.cc:3942
|
#12 0x0000557df23dd122 in mysql_parse (thd=thd@entry=0x14959c000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1495cc1fa270)at /test/11.5_dbg/sql/sql_parse.cc:7815
|
#13 0x0000557df23df5ec in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14959c000d58, packet=packet@entry=0x14959c00b1d9 "SELECT mroonga_snippet ('',0,0, 0,0,0,'','','','','')", packet_length=packet_length@entry=53, blocking=blocking@entry=true) at /test/11.5_dbg/sql/sql_class.h:254
|
#14 0x0000557df23e18f8 in do_command (thd=0x14959c000d58, blocking=blocking@entry=true) at /test/11.5_dbg/sql/sql_parse.cc:1405
|
#15 0x0000557df254fae1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x557df5e6b688, put_in_cache=put_in_cache@entry=true)at /test/11.5_dbg/sql/sql_connect.cc:1445
|
#16 0x0000557df254fde0 in handle_one_connection (arg=arg@entry=0x557df5e6b688)at /test/11.5_dbg/sql/sql_connect.cc:1347
|
#17 0x0000557df2998c3e in pfs_spawn_thread (arg=0x557df5e20868)at /test/11.5_dbg/storage/perfschema/pfs.cc:2201
|
#18 0x00001495e5a8f18a in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:444
|
#19 0x00001495e5b1dbd0 in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
And UBSAN:
|
11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Debug, UBASAN) |
/test/11.5_dbg_san/storage/mroonga/udf/mrn_udf_snippet.cpp:189:42: runtime error: member call on null pointer of type 'struct ContextPool'
|
#0 0x150fd9b283cb in mroonga_snippet_init /test/11.5_dbg_san/storage/mroonga/udf/mrn_udf_snippet.cpp:189
|
#1 0x55e527aafb11 in udf_handler::fix_fields(THD*, Item_func_or_sum*, unsigned int, Item**) /test/11.5_dbg_san/sql/item_func.cc:3589
|
#2 0x55e527bf4a5f in Item_udf_func::fix_fields(THD*, Item**) /test/11.5_dbg_san/sql/item_func.h:2941
|
#3 0x55e52577da97 in Item::fix_fields_if_needed(THD*, Item**) /test/11.5_dbg_san/sql/item.h:1166
|
#4 0x55e52577da97 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.5_dbg_san/sql/item.h:1175
|
#5 0x55e52577da97 in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool) /test/11.5_dbg_san/sql/sql_base.cc:8070
|
#6 0x55e525f65ba9 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.5_dbg_san/sql/sql_select.cc:1549
|
#7 0x55e526007e30 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5279
|
#8 0x55e52600967d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
|
#9 0x55e525b79467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
|
#10 0x55e525bd3dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
|
#11 0x55e525bfa1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
|
#12 0x55e525c0a546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
|
#13 0x55e525c19387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
|
#14 0x55e52665154b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
|
#15 0x55e526652af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
|
#16 0x150ffe48f189 in start_thread nptl/pthread_create.c:444
|
#17 0x150ffe51dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
|
|
/test/11.5_dbg_san/storage/mroonga/lib/mrn_context_pool.cpp:111:20: runtime error: member access within null pointer of type 'struct ContextPool'
|
#0 0x150fd9b67e76 in mrn::ContextPool::pull() /test/11.5_dbg_san/storage/mroonga/lib/mrn_context_pool.cpp:111
|
#1 0x150fd9b28144 in mroonga_snippet_init /test/11.5_dbg_san/storage/mroonga/udf/mrn_udf_snippet.cpp:189
|
#2 0x55e527aafb11 in udf_handler::fix_fields(THD*, Item_func_or_sum*, unsigned int, Item**) /test/11.5_dbg_san/sql/item_func.cc:3589
|
#3 0x55e527bf4a5f in Item_udf_func::fix_fields(THD*, Item**) /test/11.5_dbg_san/sql/item_func.h:2941
|
#4 0x55e52577da97 in Item::fix_fields_if_needed(THD*, Item**) /test/11.5_dbg_san/sql/item.h:1166
|
#5 0x55e52577da97 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.5_dbg_san/sql/item.h:1175
|
#6 0x55e52577da97 in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool) /test/11.5_dbg_san/sql/sql_base.cc:8070
|
#7 0x55e525f65ba9 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.5_dbg_san/sql/sql_select.cc:1549
|
#8 0x55e526007e30 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5279
|
#9 0x55e52600967d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
|
#10 0x55e525b79467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
|
#11 0x55e525bd3dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
|
#12 0x55e525bfa1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
|
#13 0x55e525c0a546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
|
#14 0x55e525c19387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
|
#15 0x55e52665154b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
|
#16 0x55e526652af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
|
#17 0x150ffe48f189 in start_thread nptl/pthread_create.c:444
|
#18 0x150ffe51dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
|
|
240503 16:20:41 [ERROR] mysqld got signal 11 ;
|
Observed new UBSAN runtime error: member access within null pointer of type 'const struct handlerton':
CREATE FUNCTION last_insert_grn_id RETURNS INT SONAME 'ha_mroonga.so'; |
SELECT last_insert_grn_id(); |
Leads to:
|
11.5.0 e4afa610539ae01164485554e2de839bea9de816 (Debug, UBASAN) |
/test/11.5_dbg_san/sql/sql_class.cc:453:29: runtime error: member access within null pointer of type 'const struct handlerton'
|
#0 0x555843dd719c in thd_get_ha_data /test/11.5_dbg_san/sql/sql_class.cc:453
|
#1 0x14ce2f2ccdeb in mrn_get_slot_data /test/11.5_dbg_san/storage/mroonga/mrn_table.cpp:1136
|
#2 0x14ce2f2cd78c in last_insert_grn_id /test/11.5_dbg_san/storage/mroonga/udf/mrn_udf_last_insert_grn_id.cpp:43
|
#3 0x555846075ec5 in udf_handler::val_int(char*) /test/11.5_dbg_san/sql/sql_udf.h:108
|
#4 0x555846075ec5 in Item_func_udf_int::val_int() /test/11.5_dbg_san/sql/item_func.cc:3792
|
#5 0x55584523d39c in Type_handler::Item_send_longlong(Item*, Protocol*, st_value*) const /test/11.5_dbg_san/sql/sql_type.cc:7543
|
#6 0x5558452a6704 in Type_handler_longlong::Item_send(Item*, Protocol*, st_value*) const /test/11.5_dbg_san/sql/sql_type.h:5964
|
#7 0x5558438aef6e in Item::send(Protocol*, st_value*) /test/11.5_dbg_san/sql/item.h:1254
|
#8 0x555843a78570 in Protocol::send_result_set_row(List<Item>*) /test/11.5_dbg_san/sql/protocol.cc:1359
|
#9 0x555843dbc74e in select_send::send_data(List<Item>&) /test/11.5_dbg_san/sql/sql_class.cc:3189
|
#10 0x5558445c9ada in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_dbg_san/sql/sql_class.h:6090
|
#11 0x5558445c9ada in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4862
|
#12 0x5558445d00ec in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
|
#13 0x5558445be50f in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
|
#14 0x5558445c2a20 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
|
#15 0x555844133056 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
|
#16 0x55584418f007 in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
|
#17 0x5558441b6190 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
|
#18 0x5558441c5ff2 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
|
#19 0x5558441d4856 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
|
#20 0x555844c060df in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
|
#21 0x555844c075fa in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
|
#22 0x14ce55897ad9 in start_thread nptl/pthread_create.c:444
|
#23 0x14ce5592847b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
240603 12:55:22 [ERROR] mysqld got signal 11 ;
|
Sorry for not working on this.
How about the attached patch that is for the `11.6` branch?
0001-MDEV-21166-Add-Mroonga-initialized-check-to-Mroonga-.patch
(I'll open a PR for it later.)
CREATE FUNCTION mroonga_command RETURNS STRING SONAME 'ha_mroonga.so'; |
SELECT mroonga_command ('dump -- dump_plugins no -- dump_schema no'); |
UBSAN|member call on null pointer of type 'struct ContextPool'|storage/mroonga/udf/mrn_udf_command.cpp|mroonga_command_init|udf_handler::fix_fields|Item_udf_func::fix_fields|Item::fix_fields_if_needed
|
Hi kou!
I tested https://github.com/MariaDB/server/pull/3329 and in all instances/for all testcases above I now see:
|
10.5-mroonga-udf-initialized-check github.com/kou/server.git 10.5.26 ed9fa5c22266bb7dbc39870825694d880b4ad953 (Debug, UBASAN) |
10.5.26-dbg>CREATE FUNCTION mroonga_normalize RETURNS STRING SONAME 'ha_mroonga.so';
|
Query OK, 0 rows affected (0.044 sec)
|
|
|
10.5.26-dbg>SELECT mroonga_normalize('a');
|
ERROR 1123 (HY000): Can't initialize function 'mroonga_normalize'; mroonga_normalize(): Mroonga isn't initialized
|
Which would look to be correct.
And, when loading the plugin, operation also seems normal:
|
10.5-mroonga-udf-initialized-check github.com/kou/server.git 10.5.26 ed9fa5c22266bb7dbc39870825694d880b4ad953 (Debug, UBASAN) |
10.5.26-dbg>INSTALL PLUGIN mroonga SONAME 'ha_mroonga';
|
Query OK, 0 rows affected (0.077 sec)
|
|
|
10.5.26-dbg>CREATE FUNCTION mroonga_command RETURNS STRING SONAME 'ha_mroonga.so';
|
Query OK, 0 rows affected (0.003 sec)
|
|
|
10.5.26-dbg>SELECT mroonga_command ('dump -- dump_plugins no -- dump_schema no');
|
+---------------------------------------------------------------+
|
| mroonga_command ('dump -- dump_plugins no -- dump_schema no') |
|
+---------------------------------------------------------------+
|
| NULL |
|
+---------------------------------------------------------------+
|
1 row in set (0.051 sec)
|
And no UBSAN error was seen, nor any crash in a debug build.
Perhaps of some interest are these outputs (after loading the plugin):
|
10.5-mroonga-udf-initialized-check github.com/kou/server.git 10.5.26 ed9fa5c22266bb7dbc39870825694d880b4ad953 (Debug, UBASAN) |
10.5.26-dbg>SELECT mroonga_snippet ('',0,0,'',0,0,'','','','',''); # UBSAN, or
|
ERROR 1123 (HY000): Can't initialize function 'mroonga_snippet'; Unknown charset: <>
|
10.5.26-dbg>SELECT mroonga_snippet ('',0,0, 0,0,0,'','','','',''); # UBSAN + SIGSEGV
|
ERROR 1123 (HY000): Can't initialize function 'mroonga_snippet'; Unknown charset ID: <0>
|
|
10.5-mroonga-udf-initialized-check github.com/kou/server.git 10.5.26 ed9fa5c22266bb7dbc39870825694d880b4ad953 (Debug, UBASAN) |
10.5.26-dbg>CREATE FUNCTION mroonga_snippet_html RETURNS STRING SONAME 'ha_mroonga.so';
|
Query OK, 0 rows affected (0.002 sec)
|
|
|
10.5.26-dbg>SELECT mroonga_snippet_html('a','','');
|
ERROR 1123 (HY000): Can't initialize function 'mroonga_snippet_html'; mroonga_snippet_html(): failed to add a condition to grn_snip: <>
|
Though they are likely correct given the non-sensical input.
Thanks for confirming the patch!
> Perhaps of some interest are these outputs (after loading the plugin):
How about opening a new issue for the former? (It seems that error handling may be incorrect.)
The latter is an expected error.
TheLinuxJedi The patch has already proved itself in testing. As soon as your review is done, this can be pushed. Thank you!
> How about opening a new issue for the former? (It seems that error handling may be incorrect.)
Thank you for confirming! Created as: MDEV-34415 Mroonga: mroonga_snippet: Unknown charset ID: <0> / <>
Thanks! Reproduced on 10.0-10.4:
10.1 a51f3b09bb99f2927ce
#0 0x7fc5e7e98a88 in mrn::ContextPool::pull() /10.1/storage/mroonga/lib/mrn_context_pool.cpp:111#1 0x7fc5e7e7cb81 in mroonga_escape_init /10.1/storage/mroonga/udf/mrn_udf_escape.cpp:95#2 0xccce7a in udf_handler::fix_fields(THD*, Item_func_or_sum*, unsigned int, Item**) /10.1/sql/item_func.cc:3596#3 0xce63b2 in Item_udf_func::fix_fields(THD*, Item**) /10.1/sql/item_func.h:1409#4 0x60c469 in setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, List<Item>*, bool) /10.1/sql/sql_base.cc:8049#5 0x7c0a94 in JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /10.1/sql/sql_select.cc:807#6 0x7e9669 in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.1/sql/sql_select.cc:3479#7 0x7e9fe8 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.1/sql/sql_select.cc:389#8 0x6c76a0 in execute_sqlcom_select /10.1/sql/sql_parse.cc:5691#9 0x6e17a8 in mysql_execute_command(THD*) /10.1/sql/sql_parse.cc:3038#10 0x6f7307 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.1/sql/sql_parse.cc:7209#11 0x6fd8b7 in dispatch_command(enum_server_command, THD*, char*, unsigned int) /10.1/sql/sql_parse.cc:1499#12 0x703f1e in do_command(THD*) /10.1/sql/sql_parse.cc:1131#13 0x987de9 in do_handle_one_connection(THD*) /10.1/sql/sql_connect.cc:1331#14 0x9882ed in handle_one_connection /10.1/sql/sql_connect.cc:1242#15 0x17da5a9 in pfs_spawn_thread /10.1/storage/perfschema/pfs.cc:1861#16 0x7fc5fe1046b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)#17 0x7fc5fd7af41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)10.0 15b9d04bdc66f4d5d6c
#3 <signal handler called>#4 0x00007f69c565f8ea in grn_ctx_init_internal (ctx=0x7f69cdbf83f0, flags=0) at /10.0/storage/mroonga/vendor/groonga/lib/ctx.c:644#5 0x00007f69c565f99d in grn_ctx_init (ctx=0x7f69cdbf83f0, flags=0) at /10.0/storage/mroonga/vendor/groonga/lib/ctx.c:660#6 0x00007f69c5650e98 in mroonga_escape_init (initid=0x7f69c68f8340, args=0x7f69c68f8300, message=0x7f69daddbee0 "@\300\335\332i\177") at /10.0/storage/mroonga/udf/mrn_udf_escape.cpp:73#7 0x00000000008db6f3 in udf_handler::fix_fields (this=0x7f69c68f82f0, thd=0x7f69cde4f070, func=0x7f69c68f8228, arg_count=1, arguments=0x7f69c68f82c0) at /10.0/sql/item_func.cc:3618#8 0x00000000008e7182 in Item_udf_func::fix_fields (this=0x7f69c68f8228, thd=0x7f69cde4f070, ref=0x7f69c68f8398) at /10.0/sql/item_func.h:1404#9 0x00000000005fd94b in setup_fields (thd=0x7f69cde4f070, ref_pointer_array=0x7f69c68f89f0, fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7f69c68f87f0, pre_fix=0x7f69cde53230, allow_sum_func=true) at /10.0/sql/sql_base.cc:7983#10 0x0000000000691dc1 in JOIN::prepare (this=0x7f69c68f8498, rref_pointer_array=0x7f69cde533a8, tables_init=0x0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f69cde53100, unit_arg=0x7f69cde52a08) at /10.0/sql/sql_select.cc:796#11 0x000000000069b4c2 in mysql_select (thd=0x7f69cde4f070, rref_pointer_array=0x7f69cde533a8, tables=0x0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f69c68f8478, unit=0x7f69cde52a08, select_lex=0x7f69cde53100) at /10.0/sql/sql_select.cc:3328#12 0x0000000000690ee4 in handle_select (thd=0x7f69cde4f070, lex=0x7f69cde52940, result=0x7f69c68f8478, setup_tables_done_option=0) at /10.0/sql/sql_select.cc:378#13 0x000000000066146f in execute_sqlcom_select (thd=0x7f69cde4f070, all_tables=0x0) at /10.0/sql/sql_parse.cc:5313#14 0x000000000065945a in mysql_execute_command (thd=0x7f69cde4f070) at /10.0/sql/sql_parse.cc:2555#15 0x0000000000664650 in mysql_parse (thd=0x7f69cde4f070, rawbuf=0x7f69c68f8088 "select mroonga_escape('10')", length=27, parser_state=0x7f69daddd660) at /10.0/sql/sql_parse.cc:6649#16 0x00000000006564ee in dispatch_command (command=COM_QUERY, thd=0x7f69cde4f070, packet=0x7f69d31b4071 "select mroonga_escape('10')", packet_length=27) at /10.0/sql/sql_parse.cc:1301#17 0x0000000000655755 in do_command (thd=0x7f69cde4f070) at /10.0/sql/sql_parse.cc:1003#18 0x000000000078d5ee in do_handle_one_connection (thd_arg=0x7f69cde4f070) at /10.0/sql/sql_connect.cc:1377#19 0x000000000078d33c in handle_one_connection (arg=0x7f69cde4f070) at /10.0/sql/sql_connect.cc:1292#20 0x0000000000e4e0b8 in pfs_spawn_thread (arg=0x7f69cdbf83f0) at /10.0/storage/perfschema/pfs.cc:1861#21 0x00007f69d9f896ba in start_thread (arg=0x7f69dadde700) at pthread_create.c:333#22 0x00007f69d963441d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109MariaDB [test]> CREATE FUNCTION mroonga_escape RETURNS STRING SONAME 'ha_mroonga.so';Query OK, 0 rows affected (0.010 sec)MariaDB [test]> show create function mroonga_escape;ERROR 1305 (42000): FUNCTION mroonga_escape does not existMariaDB [test]> CREATE FUNCTION mroonga_escape RETURNS STRING SONAME 'ha_mroonga.so';ERROR 1125 (HY000): Function 'mroonga_escape' already existsMariaDB [test]> select version();+-----------------+| version() |+-----------------+| 10.3.20-MariaDB |+-----------------+1 row in set (0.000 sec)