[MDEV-22464] Server crash on UPDATE with nested subquery - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.5.2, 10.3, 10.4, 10.5, 10.6
Fix Version/s: 10.3.32, 10.4.22, 10.5.13, 10.6.5
Component/s: Data Manipulation - Update
Labels:
None

Description

Server crashes in Item_ref::fix_fields/Item::fix_fields_if_needed, assertion `*ref && (*ref)->fixed()' failed in Item_ref::fix_fields

We found a memory corruption bug that crash the debug build of mariadb.

POC:
—

CREATE TABLE v0 ( v1 INT ) ;

INSERT INTO v0 ( v1 ) VALUES ( 60 ) ;

UPDATE v0 SET v1 = NULL BETWEEN ( SELECT 95 FROM v0 WHERE v1 = 95 AND v1 < -1 GROUP BY - 'x' >= v1 HAVING ( -128 = 2147483647 AND v1 = 94 ) ) AND 36 WHERE v1 = 2 ;

—

Stack dump:
—

200505  5:53:28 [ERROR] mysqld got signal 11 ;

This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed,

something is definitely wrong and this may fail.

Server version: 10.5.3-MariaDB-debug

key_buffer_size=134217728

read_buffer_size=131072

max_used_connections=3

max_threads=153

thread_count=4

It is possible that mysqld could use up to

key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467925 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x7f32b8000d78

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack_bottom = 0x7f32f8ea9dc0 thread_stack 0x49000

fil/fil0fil.cc:3410(fil_ibd_discover(unsigned long, Datafile&))[0x32d4681]

sql/multi_range_read.cc:764(Mrr_ordered_index_reader::refill_buffer(bool))[0x13c0898]

??:0(__restore_rt)[0x7f331352b890]

sql/sql_list.h:696(Ack_receiver::~Ack_receiver())[0x147a8e0]

sql/sql_bitmap.h:78(TABLE::prune_range_rowid_filters())[0x1570027]

sql/field.h:3573(Field_time_with_dec::Field_time_with_dec(unsigned char*, unsigned char*, unsigned char, Field::utype, st_mysql_const_lex_string const*, unsigned int))[0x14fa4b4]

psi/mysql_thread.h:738(inline_mysql_mutex_lock(st_mysql_mutex*, char const*, unsigned int))[0xaf14d0]

sql-common/client.c:1103(cli_fetch_lengths)[0x16bb78b]

sql/sql_yacc_ora.yy:2919(ORAparse(THD*))[0x168f4ba]

sql/sql_bitmap.h:78(TABLE::prune_range_rowid_filters())[0x1570027]

/usr/local/mysql/bin/mysqld(_Z12setup_fieldsP3THD20Bounds_checked_arrayIP4ItemER4ListIS2_E17enum_column_usagePS6_S9_b+0x864)[0x84aa74]

sql/sql_lex.cc:6312(LEX::sp_variable_declarations_copy_type_finalize(THD*, int, Column_definition const&, Row_definition_list*, Item*))[0xd908a2]

sql/slave.cc:4171(apply_event_and_update_pos_for_parallel(Log_event*, THD*, rpl_group_info*))[0xaf4a5d]

sql/sql_alloc.h:39(show_master_info_get_fields(THD*, List<Item>*, bool, unsigned long))[0xae3e76]

sql/item.h:3609(Item_null::Item_null(THD*, char const*, charset_info_st const*))[0xd8f934]

handler/i_s.cc:312(__cxx_global_var_init.15)[0xa25a6b]

sql/sys_vars.ic:627(Sys_var_charptr_fscs::Sys_var_charptr(char const*, char const, int, long, unsigned long, CMD_LINE, char const, PolyLock*, sys_var::binlog_status_enum, bool (*)(PolyLock**, THD*, set_var*), bool (*)(sys_var::binlog_status_enum, THD, enum_var_type), char const))[0xa07b70]

sql/set_var.h:258(_GLOBAL__sub_I_sys_vars.cc)[0x9fd70e]

sql/sys_vars.cc:5730(__cxx_global_var_init.1236)[0xa099cb]

sql/item.h:4563(Item_empty_string::Item_empty_string(THD*, char const*, unsigned int, charset_info_st const*))[0xedb6d1]

sql/item.h:746(show_binlog_info_get_fields(THD*, List<Item>*))[0xedaec1]

gcalc_slicescan.cc:0(__afl_fork_wait_loop)[0x1e8dfc6]

nptl/pthread_create.c:463(start_thread)[0x7f33135206db]

x86_64/clone.S:97(clone)[0x7f33112c088f]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x7f32b8015055): UPDATE v0 SET v1 = NULL BETWEEN ( SELECT 95 FROM v0 WHERE v1 = 95 AND v1 < -1 GROUP BY - 'x' >= v1 HAVING ( -128 = 2147483647 AND v1 = 94 ) ) AND 36 WHERE v1 = 2

Connection ID (thread ID): 7521

Status: NOT_KILLED

Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off

The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /usr/local/mysql/data

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units

Max cpu time              unlimited            unlimited            seconds

Max file size             unlimited            unlimited            bytes

Max data size             unlimited            unlimited            bytes

Max stack size            8388608              unlimited            bytes

Max core file size        unlimited            unlimited            bytes

Max resident set          unlimited            unlimited            bytes

Max processes             unlimited            unlimited            processes

Max open files            1048576              1048576              files

Max locked memory         16777216             16777216             bytes

Max address space         unlimited            unlimited            bytes

Max file locks            unlimited            unlimited            locks

Max pending signals       1030951              1030951              signals

Max msgqueue size         819200               819200               bytes

Max nice priority         0                    0

Max realtime priority     0                    0

Max realtime timeout      unlimited            unlimited            us

Core pattern: co...

---

Attachments

Issue Links

duplicates

MDEV-26160 crash/valgrind error in resolve_ref_in_select_and_group

Closed

is duplicated by

MDEV-22476 Crash bug in update-related functions, MDEV

Closed

MDEV-25637 Bug report: abortion in sql/set_var.cc:0

Closed

MDEV-26415 MariaDB server crash in Used_tables_and_const_cache::used_tables_and_const_cache_join

Closed

relates to

MDEV-16549 Server crashes in Item_field::fix_fields on query with view and subquery, Assertion `context' failed, Assertion `field' failed

Closed

Activity

People

Assignee:: Aleksey Midenkov

Reporter:: Yongheng Chen

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2020-05-05 06:35

Updated:: 2021-10-11 11:46

Resolved:: 2021-10-11 11:46

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.