  2. MDEV-21946

Server crash in store_length upon GROUP BY WITH ROLLUP with geometry field

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • 10.5
    • 10.5.3
    • GIS, Server
    • None

    Description

      -- Minimal reproducer for MDEV-21946: GROUP BY ... WITH ROLLUP over an
      -- expression of geometry type crashes the server inside filesort
      -- (store_length / make_sort_key_part, see the stack trace below).
      CREATE TABLE t1 (a GEOMETRY);
      -- Two rows are enough; the sort key is built from the grouped expression
      -- for each row before the crash.
      INSERT INTO t1 VALUES (ST_GEOMFROMTEXT('Point(0 0)')),(ST_GEOMFROMTEXT('Point(1 1)'));
      -- The IF() wrapper is the important part: the grouped column is then an
      -- Item handled by type_handler_geometry rather than a plain field (see
      -- frame #5 below). Keep the expression as written; rewriting it (e.g. as
      -- CASE) may no longer reach the same code path.
      SELECT IF( 0, NULL, a ) AS f FROM t1 GROUP BY f WITH ROLLUP;
       
      # Cleanup
      DROP TABLE t1;
      

      10.5 c8ae3573

      #3  <signal handler called>
      #4  0x0000559ab5fd974f in store_length (to=0x7f1878066458 <error: Cannot access memory at address 0x7f1878066458>, length=25, pack_length=4) at /data/src/10.5/sql/filesort.cc:1090
      #5  0x0000559ab5fd9aa3 in Type_handler_string_result::make_sort_key_part (this=0x559ab77edad0 <type_handler_geometry>, to=0x7f1778066459 '\245' <repeats 200 times>..., item=0x7f17780140e8, sort_field=0x7f1778017c28, param=0x7f178ae820a0) at /data/src/10.5/sql/filesort.cc:1158
      #6  0x0000559ab5fdea69 in make_sortkey (param=0x7f178ae820a0, to=0x7f1778066458 "\001", '\245' <repeats 199 times>...) at /data/src/10.5/sql/filesort.cc:3000
      #7  0x0000559ab5fda4b9 in make_sortkey (param=0x7f178ae820a0, to=0x7f1778066458 "\001", '\245' <repeats 199 times>..., ref_pos=0x7f17782128d8 "", using_packed_sortkeys=false) at /data/src/10.5/sql/filesort.cc:1340
      #8  0x0000559ab5fd9135 in find_all_keys (thd=0x7f1778000b18, param=0x7f178ae820a0, select=0x7f1778017118, fs_info=0x7f17780661d0, buffpek_pointers=0x7f178ae822b0, tempfile=0x7f178ae82140, pq=0x0, found_rows=0x7f17780663c0) at /data/src/10.5/sql/filesort.cc:957
      #9  0x0000559ab5fd7121 in filesort (thd=0x7f1778000b18, table=0x7f17780f8c78, filesort=0x7f17780174a8, tracker=0x7f1778017b98, join=0x7f17780153d0, first_table_bit=1) at /data/src/10.5/sql/filesort.cc:363
      #10 0x0000559ab5d1f161 in create_sort_index (thd=0x7f1778000b18, join=0x7f17780153d0, tab=0x7f17780167d8, fsort=0x7f17780174a8) at /data/src/10.5/sql/sql_select.cc:23787
      #11 0x0000559ab5d19314 in st_join_table::sort_table (this=0x7f17780167d8) at /data/src/10.5/sql/sql_select.cc:21526
      #12 0x0000559ab5d18ef0 in join_init_read_record (tab=0x7f17780167d8) at /data/src/10.5/sql/sql_select.cc:21465
      #13 0x0000559ab5d16c98 in sub_select (join=0x7f17780153d0, join_tab=0x7f17780167d8, end_of_records=false) at /data/src/10.5/sql/sql_select.cc:20539
      #14 0x0000559ab5d16159 in do_select (join=0x7f17780153d0, procedure=0x0) at /data/src/10.5/sql/sql_select.cc:20076
      #15 0x0000559ab5cea0cf in JOIN::exec_inner (this=0x7f17780153d0) at /data/src/10.5/sql/sql_select.cc:4459
      #16 0x0000559ab5ce91fb in JOIN::exec (this=0x7f17780153d0) at /data/src/10.5/sql/sql_select.cc:4240
      #17 0x0000559ab5cea92c in mysql_select (thd=0x7f1778000b18, tables=0x7f1778014228, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7f1778014a58, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f17780153a8, unit=0x7f1778004b20, select_lex=0x7f1778013a00) at /data/src/10.5/sql/sql_select.cc:4664
      #18 0x0000559ab5cda4a0 in handle_select (thd=0x7f1778000b18, lex=0x7f1778004a58, result=0x7f17780153a8, setup_tables_done_option=0) at /data/src/10.5/sql/sql_select.cc:429
      #19 0x0000559ab5c9fb32 in execute_sqlcom_select (thd=0x7f1778000b18, all_tables=0x7f1778014228) at /data/src/10.5/sql/sql_parse.cc:6147
      #20 0x0000559ab5c96790 in mysql_execute_command (thd=0x7f1778000b18) at /data/src/10.5/sql/sql_parse.cc:3899
      #21 0x0000559ab5ca49ce in mysql_parse (thd=0x7f1778000b18, rawbuf=0x7f1778013920 "SELECT IF( 0, NULL, a ) AS f FROM t1 GROUP BY f WITH ROLLUP", length=59, parser_state=0x7f178ae83520, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:7926
      #22 0x0000559ab5c904d7 in dispatch_command (command=COM_QUERY, thd=0x7f1778000b18, packet=0x7f177816ddb9 "", packet_length=59, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:1840
      #23 0x0000559ab5c8ec0d in do_command (thd=0x7f1778000b18) at /data/src/10.5/sql/sql_parse.cc:1359
      #24 0x0000559ab5e305f9 in do_handle_one_connection (connect=0x559ab9213f08, put_in_cache=true) at /data/src/10.5/sql/sql_connect.cc:1422
      #25 0x0000559ab5e30328 in handle_one_connection (arg=0x559ab9213f08) at /data/src/10.5/sql/sql_connect.cc:1319
      #26 0x0000559ab635f7a2 in pfs_spawn_thread (arg=0x559ab924a248) at /data/src/10.5/storage/perfschema/pfs.cc:2201
      #27 0x00007f17922704a4 in start_thread (arg=0x7f178ae84700) at pthread_create.c:456
      #28 0x00007f17903a4d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
      

      Reproducible on debug and non-debug builds, with at least the MyISAM and InnoDB storage engines.
      Impact note: the crash is triggered by an ordinary SELECT, so any client able to run SELECT against a table with a GEOMETRY column appears to be able to take the server down (denial of service). The ASAN report further down shows a heap-buffer-overflow READ of size 4294967295 (0xFFFFFFFF), i.e. a length that looks like -1 interpreted as unsigned, so this is a memory-safety bug rather than a benign debug assertion. Per the affects/fix versions above it is confined to 10.5 development builds between the commit below and 10.5.3.
      The failure first appeared in the 10.5 tree with this commit:

      commit b753ac066bc26acda9deb707a31c112f1bbf9ec2
      Author: Varun Gupta <varun.gupta@mariadb.com>
      Date:   Tue Mar 10 04:56:38 2020 +0530
       
          MDEV-21580: Allow packed sort keys in sort buffer
      

          Activity

            varun Varun Gupta (Inactive) added a comment - Patch http://lists.askmonty.org/pipermail/commits/2020-April/014232.html
            psergei Sergei Petrunia added a comment - Review input: http://lists.askmonty.org/pipermail/commits/2020-April/014236.html

            Ok to push

            psergei Sergei Petrunia added a comment - Ok to push

             For the record, the same patch also fixed this failure on a similar test case. Note that this second trace comes in through the prepared-statement path (mysqld_stmt_execute → Prepared_statement::execute) and the packed sort-key path (make_packed_sortkey → pack_sort_string), whereas the first trace used unpacked keys (using_packed_sortkeys=false), so both sort-key encodings were affected and a fix has to cover both:

            10.5 c7ab67619

            ==3734==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000038f24 at pc 0x7feac605131e bp 0x7fea9d4bac50 sp 0x7fea9d4ba400
            READ of size 4294967295 at 0x61a000038f24 thread T24
                #0 0x7feac605131d  (/lib/x86_64-linux-gnu/libasan.so.5+0x3f31d)
                #1 0x556ff9d6e045 in SORT_FIELD_ATTR::pack_sort_string(unsigned char*, st_mysql_const_lex_string const&, charset_info_st const*) const /data/src/10.5-bug/sql/filesort.cc:2961
                #2 0x556ff9d6b741 in Type_handler_string_result::make_packed_sort_key_part(unsigned char*, Item*, SORT_FIELD_ATTR const*, Sort_param*) const /data/src/10.5-bug/sql/filesort.cc:2588
                #3 0x556ff9d6e776 in make_packed_sortkey /data/src/10.5-bug/sql/filesort.cc:3058
                #4 0x556ff9d62af5 in make_sortkey /data/src/10.5-bug/sql/filesort.cc:1339
                #5 0x556ff9d5fb74 in find_all_keys /data/src/10.5-bug/sql/filesort.cc:954
                #6 0x556ff9d5b579 in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /data/src/10.5-bug/sql/filesort.cc:356
                #7 0x556ff9714949 in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /data/src/10.5-bug/sql/sql_select.cc:23860
                #8 0x556ff97033ec in st_join_table::sort_table() /data/src/10.5-bug/sql/sql_select.cc:21589
                #9 0x556ff97028f5 in join_init_read_record(st_join_table*) /data/src/10.5-bug/sql/sql_select.cc:21528
                #10 0x556ff96fc16b in sub_select(JOIN*, st_join_table*, bool) /data/src/10.5-bug/sql/sql_select.cc:20602
                #11 0x556ff96fa3b4 in do_select /data/src/10.5-bug/sql/sql_select.cc:20139
                #12 0x556ff96884df in JOIN::exec_inner() /data/src/10.5-bug/sql/sql_select.cc:4463
                #13 0x556ff9685b31 in JOIN::exec() /data/src/10.5-bug/sql/sql_select.cc:4244
                #14 0x556ff9689a46 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5-bug/sql/sql_select.cc:4668
                #15 0x556ff965bd89 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5-bug/sql/sql_select.cc:417
                #16 0x556ff95ce0d7 in execute_sqlcom_select /data/src/10.5-bug/sql/sql_parse.cc:6168
                #17 0x556ff95bc4f9 in mysql_execute_command(THD*) /data/src/10.5-bug/sql/sql_parse.cc:3901
                #18 0x556ff9629a8c in Prepared_statement::execute(String*, bool) /data/src/10.5-bug/sql/sql_prepare.cc:4786
                #19 0x556ff962543d in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.5-bug/sql/sql_prepare.cc:4275
                #20 0x556ff961ecb2 in mysql_stmt_execute_common /data/src/10.5-bug/sql/sql_prepare.cc:3277
                #21 0x556ff961e3a4 in mysqld_stmt_execute(THD*, char*, unsigned int) /data/src/10.5-bug/sql/sql_prepare.cc:3172
                #22 0x556ff95ae7a8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5-bug/sql/sql_parse.cc:1763
                #23 0x556ff95ab949 in do_command(THD*) /data/src/10.5-bug/sql/sql_parse.cc:1358
                #24 0x556ff99cabc2 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5-bug/sql/sql_connect.cc:1422
                #25 0x556ff99ca45d in handle_one_connection /data/src/10.5-bug/sql/sql_connect.cc:1319
                #26 0x556ffa669305 in pfs_spawn_thread /data/src/10.5-bug/storage/perfschema/pfs.cc:2201
                #27 0x7feac5ff8fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
                #28 0x7feac58474ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)
            

