[MDEV-23208] SIGSEGV's in TABLE_LIST::print and TABLE::versioned, and Assertion `s' failed in TABLE::versioned on SHOW FUNCTION CODE - Jira

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.11, 11.1(EOL), 11.2(EOL), 11.4, 11.8, 12.0
Fix Version/s: 10.5, 10.6, 10.11, 11.4, 11.8
Component/s: Data Definition - Temporary
Labels:

Description

USE test;

SET SQL_MODE='';

CREATE FUNCTION f(z INT) RETURNS INT READS SQL DATA RETURN (SELECT x FROM t WHERE x = z);

CREATE TEMPORARY TABLE t (c INT) ENGINE=InnoDB;

SELECT f('a');

DROP TEMPORARY TABLES t;

SHOW FUNCTION CODE f;

Leads to:

10.5.5 30e7a0a866dce530d8328c6d614e48d39a264f9b
Core was generated by `/test/MD140720-mariadb-10.5.5-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x153fb7541700 (LWP 1691430))]
(gdb) bt
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1 0x000056063413d4d7 in my_write_core (sig=sig@entry=11) at /test/10.5_dbg/mysys/stacktrace.c:518
#2 0x00005606338f79ba in handle_fatal_signal (sig=11) at /test/10.5_dbg/sql/signal_handler.cc:330
#3 <signal handler called>
#4 TABLE_LIST::print (this=0x153f92c90568, thd=thd@entry=0x153f92c15088, eliminated_tables=eliminated_tables@entry=0, str=str@entry=0x153fb753f2a0, query_type=query_type@entry=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.5_dbg/sql/sql_select.cc:27553
#5 0x00005606336a8876 in print_table_array (query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF, end=0x153f92c742e8, table=0x153f92c742e0, str=0x153fb753f2a0, eliminated_tables=0, thd=0x153f92c15088) at /test/10.5_dbg/sql/sql_select.cc:27243
#6 print_join (thd=thd@entry=0x153f92c15088, eliminated_tables=0, str=str@entry=0x153fb753f2a0, tables=0x153f92c90130, query_type=query_type@entry=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.5_dbg/sql/sql_select.cc:27399
#7 0x00005606336a8e23 in st_select_lex::print (this=0x153f92c8ff68, thd=thd@entry=0x153f92c15088, str=str@entry=0x153fb753f2a0, query_type=query_type@entry=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.5_dbg/sql/sql_select.cc:27699
#8 0x00005606339e4696 in subselect_single_select_engine::print (this=0x153f92c91030, str=0x153fb753f2a0, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.5_dbg/sql/item_subselect.cc:4478
#9 0x00005606339e4c03 in Item_subselect::print (this=0x153f92c90e88, str=0x153fb753f2a0, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.5_dbg/sql/item_subselect.cc:1038
#10 0x000056063357fd83 in sp_instr_freturn::print (this=0x153f92c8dea0, str=0x153fb753f2a0) at /test/10.5_dbg/sql/sp_head.cc:4203
#11 0x000056063358a50e in sp_head::show_routine_code (this=0x153f92c8f0a0, thd=thd@entry=0x153f92c15088) at /test/10.5_dbg/sql/sp_head.cc:3385
#12 0x00005606336505e5 in mysql_execute_command (thd=thd@entry=0x153f92c15088) at /test/10.5_dbg/sql/sql_parse.cc:5728
#13 0x0000560633658752 in mysql_parse (thd=thd@entry=0x153f92c15088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x153fb7540350, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7993
#14 0x0000560633645204 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x153f92c15088, packet=packet@entry=0x153f92c67089 "", packet_length=packet_length@entry=20, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1866
#15 0x00005606336439de in do_command (thd=0x153f92c15088) at /test/10.5_dbg/sql/sql_parse.cc:1347
#16 0x000056063379fc3b in do_handle_one_connection (connect=<optimized out>, connect@entry=0x153f964c7808, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1411
#17 0x00005606337a0357 in handle_one_connection (arg=arg@entry=0x153f964c7808) at /test/10.5_dbg/sql/sql_connect.cc:1313
#18 0x0000560633c03ca8 in pfs_spawn_thread (arg=0x153fb4446508) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#19 0x0000153fb64ba6db in start_thread (arg=0x153fb7541700) at pthread_create.c:463
#20 0x0000153fb58b8a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.24 (dbg), 10.4.15 (dbg), 10.5.5 (dbg)

Bug confirmed not present in:
MariaDB: 10.1.46 (dbg), 10.1.46 (opt), 10.2.33 (dbg), 10.2.33 (opt), 10.3.24 (opt), 10.4.14 (dbg), 10.4.14 (opt), 10.5.5 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Attachments

Issue Links

relates to

MDEV-25784 Server crashes in Table_function_json_table::print upon SHOW FUNCTION CODE/SHOW CREATE VIEW, UBSAN: member access within null pointer

Confirmed

Activity

Ascending order - Click to sort in descending order

Roel Van de Paar created issue - 2020-07-18 06:03

Roel Van de Paar made changes - 2020-09-09 06:26

Field	Original Value	New Value
Description	{noformat} USE test; SET SQL_MODE=''; CREATE FUNCTION f(z INT) RETURNS INT READS SQL DATA RETURN (SELECT x FROM t WHERE x = z); CREATE TEMPORARY TABLE t (c INT) ENGINE=InnoDB; SELECT f('a'); DROP TEMPORARY TABLES t; SHOW FUNCTION CODE f; {noformat} Leads to: {noformat:title=10.5.5 30e7a0a866dce530d8328c6d614e48d39a264f9b} Core was generated by `/test/MD140720-mariadb-10.5.5-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'. Program terminated with signal SIGSEGV, Segmentation fault. #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57 [Current thread is 1 (Thread 0x153fb7541700 (LWP 1691430))] (gdb) bt #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57 #1 0x000056063413d4d7 in my_write_core (sig=sig@entry=11) at /test/10.5_dbg/mysys/stacktrace.c:518 #2 0x00005606338f79ba in handle_fatal_signal (sig=11) at /test/10.5_dbg/sql/signal_handler.cc:330 #3 <signal handler called> #4 TABLE_LIST::print (this=0x153f92c90568, thd=thd@entry=0x153f92c15088, eliminated_tables=eliminated_tables@entry=0, str=str@entry=0x153fb753f2a0, query_type=query_type@entry=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.5_dbg/sql/sql_select.cc:27553 #5 0x00005606336a8876 in print_table_array (query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF, end=0x153f92c742e8, table=0x153f92c742e0, str=0x153fb753f2a0, eliminated_tables=0, thd=0x153f92c15088) at /test/10.5_dbg/sql/sql_select.cc:27243 #6 print_join (thd=thd@entry=0x153f92c15088, eliminated_tables=0, str=str@entry=0x153fb753f2a0, tables=0x153f92c90130, query_type=query_type@entry=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.5_dbg/sql/sql_select.cc:27399 #7 0x00005606336a8e23 in st_select_lex::print (this=0x153f92c8ff68, thd=thd@entry=0x153f92c15088, str=str@entry=0x153fb753f2a0, query_type=query_type@entry=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.5_dbg/sql/sql_select.cc:27699 #8 0x00005606339e4696 in subselect_single_select_engine::print (this=0x153f92c91030, str=0x153fb753f2a0, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.5_dbg/sql/item_subselect.cc:4478 #9 0x00005606339e4c03 in Item_subselect::print (this=0x153f92c90e88, str=0x153fb753f2a0, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.5_dbg/sql/item_subselect.cc:1038 #10 0x000056063357fd83 in sp_instr_freturn::print (this=0x153f92c8dea0, str=0x153fb753f2a0) at /test/10.5_dbg/sql/sp_head.cc:4203 #11 0x000056063358a50e in sp_head::show_routine_code (this=0x153f92c8f0a0, thd=thd@entry=0x153f92c15088) at /test/10.5_dbg/sql/sp_head.cc:3385 #12 0x00005606336505e5 in mysql_execute_command (thd=thd@entry=0x153f92c15088) at /test/10.5_dbg/sql/sql_parse.cc:5728 #13 0x0000560633658752 in mysql_parse (thd=thd@entry=0x153f92c15088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x153fb7540350, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7993 #14 0x0000560633645204 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x153f92c15088, packet=packet@entry=0x153f92c67089 "", packet_length=packet_length@entry=20, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1866 #15 0x00005606336439de in do_command (thd=0x153f92c15088) at /test/10.5_dbg/sql/sql_parse.cc:1347 #16 0x000056063379fc3b in do_handle_one_connection (connect=<optimized out>, connect@entry=0x153f964c7808, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1411 #17 0x00005606337a0357 in handle_one_connection (arg=arg@entry=0x153f964c7808) at /test/10.5_dbg/sql/sql_connect.cc:1313 #18 0x0000560633c03ca8 in pfs_spawn_thread (arg=0x153fb4446508) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201 #19 0x0000153fb64ba6db in start_thread (arg=0x153fb7541700) at pthread_create.c:463 #20 0x0000153fb58b8a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 {noformat} Bug confirmed present in: MariaDB: 10.3.24 (dbg), 10.5.5 (dbg) Bug confirmed not present in: MariaDB: 10.1.46 (dbg), 10.1.46 (opt), 10.2.33 (dbg), 10.2.33 (opt), 10.3.24 (opt), 10.4.14 (dbg), 10.4.14 (opt), 10.5.5 (opt) MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)	{noformat} USE test; SET SQL_MODE=''; CREATE FUNCTION f(z INT) RETURNS INT READS SQL DATA RETURN (SELECT x FROM t WHERE x = z); CREATE TEMPORARY TABLE t (c INT) ENGINE=InnoDB; SELECT f('a'); DROP TEMPORARY TABLES t; SHOW FUNCTION CODE f; {noformat} Leads to: {noformat:title=10.5.5 30e7a0a866dce530d8328c6d614e48d39a264f9b} Core was generated by `/test/MD140720-mariadb-10.5.5-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'. Program terminated with signal SIGSEGV, Segmentation fault. #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57 [Current thread is 1 (Thread 0x153fb7541700 (LWP 1691430))] (gdb) bt #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57 #1 0x000056063413d4d7 in my_write_core (sig=sig@entry=11) at /test/10.5_dbg/mysys/stacktrace.c:518 #2 0x00005606338f79ba in handle_fatal_signal (sig=11) at /test/10.5_dbg/sql/signal_handler.cc:330 #3 <signal handler called> #4 TABLE_LIST::print (this=0x153f92c90568, thd=thd@entry=0x153f92c15088, eliminated_tables=eliminated_tables@entry=0, str=str@entry=0x153fb753f2a0, query_type=query_type@entry=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.5_dbg/sql/sql_select.cc:27553 #5 0x00005606336a8876 in print_table_array (query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF, end=0x153f92c742e8, table=0x153f92c742e0, str=0x153fb753f2a0, eliminated_tables=0, thd=0x153f92c15088) at /test/10.5_dbg/sql/sql_select.cc:27243 #6 print_join (thd=thd@entry=0x153f92c15088, eliminated_tables=0, str=str@entry=0x153fb753f2a0, tables=0x153f92c90130, query_type=query_type@entry=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.5_dbg/sql/sql_select.cc:27399 #7 0x00005606336a8e23 in st_select_lex::print (this=0x153f92c8ff68, thd=thd@entry=0x153f92c15088, str=str@entry=0x153fb753f2a0, query_type=query_type@entry=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.5_dbg/sql/sql_select.cc:27699 #8 0x00005606339e4696 in subselect_single_select_engine::print (this=0x153f92c91030, str=0x153fb753f2a0, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.5_dbg/sql/item_subselect.cc:4478 #9 0x00005606339e4c03 in Item_subselect::print (this=0x153f92c90e88, str=0x153fb753f2a0, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.5_dbg/sql/item_subselect.cc:1038 #10 0x000056063357fd83 in sp_instr_freturn::print (this=0x153f92c8dea0, str=0x153fb753f2a0) at /test/10.5_dbg/sql/sp_head.cc:4203 #11 0x000056063358a50e in sp_head::show_routine_code (this=0x153f92c8f0a0, thd=thd@entry=0x153f92c15088) at /test/10.5_dbg/sql/sp_head.cc:3385 #12 0x00005606336505e5 in mysql_execute_command (thd=thd@entry=0x153f92c15088) at /test/10.5_dbg/sql/sql_parse.cc:5728 #13 0x0000560633658752 in mysql_parse (thd=thd@entry=0x153f92c15088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x153fb7540350, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7993 #14 0x0000560633645204 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x153f92c15088, packet=packet@entry=0x153f92c67089 "", packet_length=packet_length@entry=20, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1866 #15 0x00005606336439de in do_command (thd=0x153f92c15088) at /test/10.5_dbg/sql/sql_parse.cc:1347 #16 0x000056063379fc3b in do_handle_one_connection (connect=<optimized out>, connect@entry=0x153f964c7808, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1411 #17 0x00005606337a0357 in handle_one_connection (arg=arg@entry=0x153f964c7808) at /test/10.5_dbg/sql/sql_connect.cc:1313 #18 0x0000560633c03ca8 in pfs_spawn_thread (arg=0x153fb4446508) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201 #19 0x0000153fb64ba6db in start_thread (arg=0x153fb7541700) at pthread_create.c:463 #20 0x0000153fb58b8a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 {noformat} Bug confirmed present in: MariaDB: 10.3.24 (dbg), 10.4.15 (dbg), 10.5.5 (dbg) Bug confirmed not present in: MariaDB: 10.1.46 (dbg), 10.1.46 (opt), 10.2.33 (dbg), 10.2.33 (opt), 10.3.24 (opt), 10.4.14 (dbg), 10.4.14 (opt), 10.5.5 (opt) MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Roel Van de Paar made changes - 2020-09-09 06:26

Affects Version/s

10.4 [ 22408 ]

Roel Van de Paar made changes - 2020-09-09 06:26

Fix Version/s

10.4 [ 22408 ]

Roel Van de Paar made changes - 2020-09-09 06:26

Labels

not-10.1 not-10.2 not-10.4 regression

not-10.1 not-10.2 regression

Roel Van de Paar added a comment - 2020-09-09 06:27 - edited

DROP DATABASE test;

CREATE DATABASE test;

USE test;

SET INNODB_DEFAULT_ENCRYPTION_KEY_ID=99;

CREATE TABLE t(c INT) ENGINE=InnoDB;

CREATE FUNCTION f() RETURNS INT RETURN (SELECT * FROM t);

SELECT f();

ALTER TABLE t ADD COLUMN d INT;

SHOW FUNCTION CODE f;

Also reproduces the issue (seemingly deterministic) on 10.5, and highly sporadically on 10.4, both with the same Unique Bug ID. However, 10.4 also has an assert being triggered (hard to hit), ref next comment

Roel Van de Paar added a comment - 2020-09-09 06:27 - edited DROP DATABASE test; CREATE DATABASE test; USE test; SET INNODB_DEFAULT_ENCRYPTION_KEY_ID=99; CREATE TABLE t(c INT) ENGINE=InnoDB; CREATE FUNCTION f() RETURNS INT RETURN (SELECT * FROM t); SELECT f(); ALTER TABLE t ADD COLUMN d INT; SHOW FUNCTION CODE f; Also reproduces the issue (seemingly deterministic) on 10.5, and highly sporadically on 10.4, both with the same Unique Bug ID. However, 10.4 also has an assert being triggered (hard to hit), ref next comment

Roel Van de Paar added a comment - 2020-09-09 06:31

This testcase:

set innodb_default_encryption_key_id = 99;

USE test;

CREATE TABLE t1(c1 VARBINARY(30) NOT NULL, INDEX i1 (c1));

select SQL_CALC_FOUND_ROWS b,count(*) as c FROM t1  group by b order by c desc limit 1;

CREATE FUNCTION f1 () RETURNS int RETURN (SELECT COUNT(*) FROM t1 );

DROP TABLE IF EXISTS t1;

create TABLE t1 (c1 int) engine=InnoDB pack_keys=0;

INSERT INTO t VALUES (-2954245530716247387,3303582,'Fs0j8Aoxn9zWAkm4hJx8IMXQLF3KIryMiFyvWj','A0OosL','nY05l6MK6PKBLwvYA1vDzAjBzkjHxaOmzEPi4VMMwalMVQqZrFI2F12E2idYFD','Ryw','R','O',7);

select test.f1();

ALTER TABLE `t1` ADD COLUMN `b` INT;

SHOW FUNCTION CODE f1; ;

SELECT SLEEP(3);

Can at times (highly sporadically and may require the C-API i.e. pquery) produce the assertion below.

10.4.15 eae968f62d285de97ed607c87bc131cd863d5d03
mysqld: /test/10.4_dbg/sql/table.h:1680: bool TABLE::versioned() const: Assertion `s' failed.

10.4.15 eae968f62d285de97ed607c87bc131cd863d5d03
Core was generated by `/test/MD110820-mariadb-10.4.15-linux-x86_64-dbg/bin/mysqld --no-defaults --max_'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x147dc40b2700 (LWP 1029395))]
(gdb) bt
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1 0x00005581112a18a6 in my_write_core (sig=sig@entry=6) at /test/10.4_dbg/mysys/stacktrace.c:482
#2 0x0000558110a1dcdc in handle_fatal_signal (sig=6) at /test/10.4_dbg/sql/signal_handler.cc:343
#3 <signal handler called>
#4 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5 0x0000147dcdbf88b1 in __GI_abort () at abort.c:79
#6 0x0000147dcdbe842a in __assert_fail_base (fmt=0x147dcdd6fa38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55811167aba5 "s", file=file@entry=0x55811137b959 "/test/10.4_dbg/sql/table.h", line=line@entry=1680, function=function@entry=0x5581113a4d30 <_ZZNK5TABLE9versionedEvE19__PRETTY_FUNCTION__> "bool TABLE::versioned() const") at assert.c:92
#7 0x0000147dcdbe84a2 in __GI___assert_fail (assertion=assertion@entry=0x55811167aba5 "s", file=file@entry=0x55811137b959 "/test/10.4_dbg/sql/table.h", line=line@entry=1680, function=function@entry=0x5581113a4d30 <_ZZNK5TABLE9versionedEvE19__PRETTY_FUNCTION__> "bool TABLE::versioned() const") at assert.c:101
#8 0x00005581107d6562 in TABLE::versioned (this=0x147d5c5f0fc0) at /test/10.4_dbg/sql/table.h:1680
#9 TABLE_LIST::print (this=0x147d5c61d168, thd=thd@entry=0x147d5c000d50, eliminated_tables=eliminated_tables@entry=0, str=str@entry=0x147dc40ae9b0, query_type=query_type@entry=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.4_dbg/sql/sql_select.cc:27360
#10 0x00005581107d6ab4 in print_table_array (query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF, end=0x147d5c6bf390, table=0x147d5c6bf388, str=0x147dc40ae9b0, eliminated_tables=0, thd=0x147d5c000d50) at /test/10.4_dbg/sql/sql_select.cc:27050
#11 print_join (thd=thd@entry=0x147d5c000d50, eliminated_tables=0, str=str@entry=0x147dc40ae9b0, tables=0x147d5c61cc88, query_type=query_type@entry=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.4_dbg/sql/sql_select.cc:27206
#12 0x00005581107d705e in st_select_lex::print (this=this@entry=0x147d5c61cac8, thd=0x147d5c000d50, str=str@entry=0x147dc40ae9b0, query_type=query_type@entry=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.4_dbg/sql/sql_select.cc:27506
#13 0x0000558110b076da in subselect_single_select_engine::print (this=0x147d5c61d9d0, str=0x147dc40ae9b0, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.4_dbg/sql/item_subselect.cc:4457
#14 0x0000558110b07c39 in Item_subselect::print (this=0x147d5c61d848, str=0x147dc40ae9b0, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.4_dbg/sql/item_subselect.cc:1002
#15 0x00005581106a271a in sp_instr_freturn::print (this=0x147d5c61da10, str=0x147dc40ae9b0) at /test/10.4_dbg/sql/sp_head.cc:4112
#16 0x00005581106aca8a in sp_head::show_routine_code (this=0x147d5c61bdf8, thd=thd@entry=0x147d5c000d50) at /test/10.4_dbg/sql/sp_head.cc:3312
#17 0x0000558110772221 in mysql_execute_command (thd=thd@entry=0x147d5c000d50) at /test/10.4_dbg/sql/sql_parse.cc:5888
#18 0x0000558110775090 in mysql_parse (thd=thd@entry=0x147d5c000d50, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x147dc40b1470, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_parse.cc:7896
#19 0x0000558110777920 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x147d5c000d50, packet=packet@entry=0x147d5cd3d361 "", packet_length=packet_length@entry=22, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_parse.cc:1834
#20 0x000055811077b35b in do_command (thd=0x147d5c000d50) at /test/10.4_dbg/sql/sql_parse.cc:1352
#21 0x00005581108a78b6 in do_handle_one_connection (connect=connect@entry=0x558114a66560) at /test/10.4_dbg/sql/sql_connect.cc:1412
#22 0x00005581108a79d6 in handle_one_connection (arg=arg@entry=0x558114a66560) at /test/10.4_dbg/sql/sql_connect.cc:1316
#23 0x00005581111b4898 in pfs_spawn_thread (arg=0x558114974440) at /test/10.4_dbg/storage/perfschema/pfs.cc:1869
#24 0x0000147dceb5f6db in start_thread (arg=0x147dc40b2700) at pthread_create.c:463
#25 0x0000147dcdcd9a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Roel Van de Paar added a comment - 2020-09-09 06:31 This testcase: set innodb_default_encryption_key_id = 99; USE test; CREATE TABLE t1(c1 VARBINARY(30) NOT NULL, INDEX i1 (c1)); select SQL_CALC_FOUND_ROWS b,count(*) as c FROM t1 group by b order by c desc limit 1; CREATE FUNCTION f1 () RETURNS int RETURN (SELECT COUNT(*) FROM t1 ); DROP TABLE IF EXISTS t1; create TABLE t1 (c1 int) engine=InnoDB pack_keys=0; INSERT INTO t VALUES (-2954245530716247387,3303582,'Fs0j8Aoxn9zWAkm4hJx8IMXQLF3KIryMiFyvWj','A0OosL','nY05l6MK6PKBLwvYA1vDzAjBzkjHxaOmzEPi4VMMwalMVQqZrFI2F12E2idYFD','Ryw','R','O',7); select test.f1(); ALTER TABLE `t1` ADD COLUMN `b` INT; SHOW FUNCTION CODE f1; ; SELECT SLEEP(3); Can at times (highly sporadically and may require the C-API i.e. pquery) produce the assertion below. 10.4.15 eae968f62d285de97ed607c87bc131cd863d5d03 mysqld: /test/10.4_dbg/sql/table.h:1680: bool TABLE::versioned() const: Assertion `s' failed. 10.4.15 eae968f62d285de97ed607c87bc131cd863d5d03 Core was generated by `/test/MD110820-mariadb-10.4.15-linux-x86_64-dbg/bin/mysqld --no-defaults --max_'. Program terminated with signal SIGABRT, Aborted. #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57 [Current thread is 1 (Thread 0x147dc40b2700 (LWP 1029395))] (gdb) bt #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57 #1 0x00005581112a18a6 in my_write_core (sig=sig@entry=6) at /test/10.4_dbg/mysys/stacktrace.c:482 #2 0x0000558110a1dcdc in handle_fatal_signal (sig=6) at /test/10.4_dbg/sql/signal_handler.cc:343 #3 <signal handler called> #4 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 #5 0x0000147dcdbf88b1 in __GI_abort () at abort.c:79 #6 0x0000147dcdbe842a in __assert_fail_base (fmt=0x147dcdd6fa38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55811167aba5 "s", file=file@entry=0x55811137b959 "/test/10.4_dbg/sql/table.h", line=line@entry=1680, function=function@entry=0x5581113a4d30 <_ZZNK5TABLE9versionedEvE19__PRETTY_FUNCTION__> "bool TABLE::versioned() const") at assert.c:92 #7 0x0000147dcdbe84a2 in __GI___assert_fail (assertion=assertion@entry=0x55811167aba5 "s", file=file@entry=0x55811137b959 "/test/10.4_dbg/sql/table.h", line=line@entry=1680, function=function@entry=0x5581113a4d30 <_ZZNK5TABLE9versionedEvE19__PRETTY_FUNCTION__> "bool TABLE::versioned() const") at assert.c:101 #8 0x00005581107d6562 in TABLE::versioned (this=0x147d5c5f0fc0) at /test/10.4_dbg/sql/table.h:1680 #9 TABLE_LIST::print (this=0x147d5c61d168, thd=thd@entry=0x147d5c000d50, eliminated_tables=eliminated_tables@entry=0, str=str@entry=0x147dc40ae9b0, query_type=query_type@entry=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.4_dbg/sql/sql_select.cc:27360 #10 0x00005581107d6ab4 in print_table_array (query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF, end=0x147d5c6bf390, table=0x147d5c6bf388, str=0x147dc40ae9b0, eliminated_tables=0, thd=0x147d5c000d50) at /test/10.4_dbg/sql/sql_select.cc:27050 #11 print_join (thd=thd@entry=0x147d5c000d50, eliminated_tables=0, str=str@entry=0x147dc40ae9b0, tables=0x147d5c61cc88, query_type=query_type@entry=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.4_dbg/sql/sql_select.cc:27206 #12 0x00005581107d705e in st_select_lex::print (this=this@entry=0x147d5c61cac8, thd=0x147d5c000d50, str=str@entry=0x147dc40ae9b0, query_type=query_type@entry=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.4_dbg/sql/sql_select.cc:27506 #13 0x0000558110b076da in subselect_single_select_engine::print (this=0x147d5c61d9d0, str=0x147dc40ae9b0, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.4_dbg/sql/item_subselect.cc:4457 #14 0x0000558110b07c39 in Item_subselect::print (this=0x147d5c61d848, str=0x147dc40ae9b0, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /test/10.4_dbg/sql/item_subselect.cc:1002 #15 0x00005581106a271a in sp_instr_freturn::print (this=0x147d5c61da10, str=0x147dc40ae9b0) at /test/10.4_dbg/sql/sp_head.cc:4112 #16 0x00005581106aca8a in sp_head::show_routine_code (this=0x147d5c61bdf8, thd=thd@entry=0x147d5c000d50) at /test/10.4_dbg/sql/sp_head.cc:3312 #17 0x0000558110772221 in mysql_execute_command (thd=thd@entry=0x147d5c000d50) at /test/10.4_dbg/sql/sql_parse.cc:5888 #18 0x0000558110775090 in mysql_parse (thd=thd@entry=0x147d5c000d50, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x147dc40b1470, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_parse.cc:7896 #19 0x0000558110777920 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x147d5c000d50, packet=packet@entry=0x147d5cd3d361 "", packet_length=packet_length@entry=22, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_parse.cc:1834 #20 0x000055811077b35b in do_command (thd=0x147d5c000d50) at /test/10.4_dbg/sql/sql_parse.cc:1352 #21 0x00005581108a78b6 in do_handle_one_connection (connect=connect@entry=0x558114a66560) at /test/10.4_dbg/sql/sql_connect.cc:1412 #22 0x00005581108a79d6 in handle_one_connection (arg=arg@entry=0x558114a66560) at /test/10.4_dbg/sql/sql_connect.cc:1316 #23 0x00005581111b4898 in pfs_spawn_thread (arg=0x558114974440) at /test/10.4_dbg/storage/perfschema/pfs.cc:1869 #24 0x0000147dceb5f6db in start_thread (arg=0x147dc40b2700) at pthread_create.c:463 #25 0x0000147dcdcd9a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Roel Van de Paar made changes - 2020-09-09 06:31

Summary

SIGSEGV in TABLE_LIST::print on SHOW FUNCTION CODE

SIGSEGV in TABLE_LIST::print on SHOW FUNCTION CODE *and* Assertion `s' failed in TABLE::versioned

Roel Van de Paar made changes - 2020-09-09 06:32

Summary

SIGSEGV in TABLE_LIST::print on SHOW FUNCTION CODE *and* Assertion `s' failed in TABLE::versioned

SIGSEGV in TABLE_LIST::print on SHOW FUNCTION CODE *and* Assertion `s' failed in TABLE::versioned on SHOW FUNCTION CODE

Roel Van de Paar added a comment - 2020-09-09 09:30 - edited

# mysqld options in use during reduction: --sql_mode=ONLY_FULL_GROUP_BY --log-output=none --performance-schema --performance-schema-instrument='%=on' --default-tmp-storage-engine=MyISAM --innodb_file_per_table=1 --innodb_flush_method=O_DIRECT

USE test;

CREATE TEMPORARY TABLE t1 ( i int) ;

CREATE TABLE ti (a SMALLINT UNSIGNED NOT NULL, b BIGINT UNSIGNED, c BINARY(94), d VARCHAR(56), e VARBINARY(95) NOT NULL, f VARCHAR(58) NOT NULL, g LONGBLOB, h TINYBLOB NOT NULL, id BIGINT NOT NULL, KEY(b), KEY(e), PRIMARY KEY(id)) ;

CREATE TABLE  t2  (a BINARY(246));

CREATE TABLE t1 (a INT, b VARCHAR(20)) ;

create function f1() returns int deterministic return (select max(a) from  t4 );

CREATE TABLE  t4  (f1 INTEGER, PRIMARY KEY (f1)) ;

DROP TABLE t1;

SET @@global.table_open_cache = FALSE;

SELECT f1();

call mtr.add_suppression("Plugin keyring_vault reported");

SELECT EVENT_ID, EVENT_NAME, TIMER_WAIT FROM performance_schema.events_waits_history WHERE EVENT_NAME LIKE 'abcdefghijklmnopqrstuvwxyz';

UPDATE t1 SET field1 = 'abcdefghijklmnopqrstuvwxyz' WHERE field2 = 'abcdefghijklmnopqrstuvwxyz';

INSERT INTO ti VALUES (17667088284071814827,115,'abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz',10);

SELECT * FROM performance_schema.hosts;

INSERT INTO  t2  VALUES (-1340711133,14018,'abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz',4);

select * from t1 A, t1 B where B.rowkey=A.a;

show function code f1; ;

Will produce the issue better on 10.4. It is also capable of producing the 's' assert, but may need high frequency for this as well as replay via the C-API/pquery. While it can likely be reduced further, I am not confident the 's' assert can then still be produced with the same.

Roel Van de Paar added a comment - 2020-09-09 09:30 - edited # mysqld options in use during reduction: --sql_mode=ONLY_FULL_GROUP_BY --log-output=none --performance-schema --performance-schema-instrument='%=on' --default-tmp-storage-engine=MyISAM --innodb_file_per_table=1 --innodb_flush_method=O_DIRECT USE test; CREATE TEMPORARY TABLE t1 ( i int) ; CREATE TABLE ti (a SMALLINT UNSIGNED NOT NULL, b BIGINT UNSIGNED, c BINARY(94), d VARCHAR(56), e VARBINARY(95) NOT NULL, f VARCHAR(58) NOT NULL, g LONGBLOB, h TINYBLOB NOT NULL, id BIGINT NOT NULL, KEY(b), KEY(e), PRIMARY KEY(id)) ; CREATE TABLE t2 (a BINARY(246)); CREATE TABLE t1 (a INT, b VARCHAR(20)) ; create function f1() returns int deterministic return (select max(a) from t4 ); CREATE TABLE t4 (f1 INTEGER, PRIMARY KEY (f1)) ; DROP TABLE t1; SET @@global.table_open_cache = FALSE; SELECT f1(); call mtr.add_suppression("Plugin keyring_vault reported"); SELECT EVENT_ID, EVENT_NAME, TIMER_WAIT FROM performance_schema.events_waits_history WHERE EVENT_NAME LIKE 'abcdefghijklmnopqrstuvwxyz'; UPDATE t1 SET field1 = 'abcdefghijklmnopqrstuvwxyz' WHERE field2 = 'abcdefghijklmnopqrstuvwxyz'; INSERT INTO ti VALUES (17667088284071814827,115,'abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz',10); SELECT * FROM performance_schema.hosts; INSERT INTO t2 VALUES (-1340711133,14018,'abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz','abcdefghijklmnopqrstuvwxyz',4); select * from t1 A, t1 B where B.rowkey=A.a; show function code f1; ; Will produce the issue better on 10.4. It is also capable of producing the 's' assert, but may need high frequency for this as well as replay via the C-API/pquery. While it can likely be reduced further, I am not confident the 's' assert can then still be produced with the same.

Sergei Golubchik made changes - 2021-12-06 21:34

Workflow

MariaDB v3 [ 111388 ]

MariaDB v4 [ 142105 ]

Elena Stepanova made changes - 2022-07-30 12:19

Link

This issue is duplicated by MDEV-25784 [ MDEV-25784 ]

Roel Van de Paar made changes - 2023-04-27 02:33

Link

This issue relates to MDEV-25784 [ MDEV-25784 ]

Roel Van de Paar made changes - 2023-04-27 02:33

Link

This issue is duplicated by MDEV-25784 [ MDEV-25784 ]

Julien Fritsch made changes - 2023-04-27 13:51

Fix Version/s

10.3 [ 22126 ]

Ramesh Sivaraman added a comment - 2023-06-22 04:59

Found similar stack on UBSAN debug build.

CREATE FUNCTION f0() RETURNS INT RETURN (SELECT * FROM t);

CREATE TABLE t (a INT);

CREATE TABLE t2 SELECT f0();

DROP TABLE IF EXISTS t;

SHOW FUNCTION f0;

11.2.0 acb02f646ebbd8b100c30621b92dcc0e2e4db7b3 (Debug, UBASAN)
==3332064==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000074998 at pc 0x55ce9f30a582 bp 0x151ed1b83ae0 sp 0x151ed1b83ad0
READ of size 8 at 0x619000074998 thread T22
#0 0x55ce9f30a581 in TABLE::versioned() const /test/mtest/MDEV-5816/11.1_dbg_san/sql/table.h:1844
#1 0x55ce9f30a581 in TABLE_LIST::print(THD, unsigned long long, String, enum_query_type) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_select.cc:30721
#2 0x55ce9f30c3c3 in print_table_array /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_select.cc:30403
#3 0x55ce9f30c3c3 in print_join /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_select.cc:30559
#4 0x55ce9f312f73 in st_select_lex::print(THD, String, enum_query_type) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_select.cc:31072
#5 0x55cea13f9958 in subselect_single_select_engine::print(String*, enum_query_type) /test/mtest/MDEV-5816/11.1_dbg_san/sql/item_subselect.cc:4668
#6 0x55cea141cda9 in Item_subselect::print(String*, enum_query_type) /test/mtest/MDEV-5816/11.1_dbg_san/sql/item_subselect.cc:1081
#7 0x55ce9ff262e8 in sp_instr_freturn::print(String*) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sp_instr.cc:1402
#8 0x55ce9e95fdb3 in sp_head::show_routine_code(THD*) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sp_head.cc:3341
#9 0x55ce9efa58f9 in mysql_execute_command(THD*, bool) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_parse.cc:5543
#10 0x55ce9eef2d8f in mysql_parse(THD, char, unsigned int, Parser_state*) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_parse.cc:7769
#11 0x55ce9ef60edc in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_parse.cc:1892
#12 0x55ce9ef72804 in do_command(THD*, bool) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_parse.cc:1405
#13 0x55ce9fa11c11 in do_handle_one_connection(CONNECT*, bool) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_connect.cc:1416
#14 0x55ce9fa1438b in handle_one_connection /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_connect.cc:1318
#15 0x151ef5dd0608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#16 0x151ef5045132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

Ramesh Sivaraman added a comment - 2023-06-22 04:59 Found similar stack on UBSAN debug build. CREATE FUNCTION f0() RETURNS INT RETURN ( SELECT * FROM t); CREATE TABLE t (a INT ); CREATE TABLE t2 SELECT f0(); DROP TABLE IF EXISTS t; SHOW FUNCTION f0; 11.2.0 acb02f646ebbd8b100c30621b92dcc0e2e4db7b3 (Debug, UBASAN) ==3332064==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000074998 at pc 0x55ce9f30a582 bp 0x151ed1b83ae0 sp 0x151ed1b83ad0 READ of size 8 at 0x619000074998 thread T22 #0 0x55ce9f30a581 in TABLE::versioned() const /test/mtest/MDEV-5816/11.1_dbg_san/sql/table.h:1844 #1 0x55ce9f30a581 in TABLE_LIST::print(THD*, unsigned long long, String*, enum_query_type) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_select.cc:30721 #2 0x55ce9f30c3c3 in print_table_array /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_select.cc:30403 #3 0x55ce9f30c3c3 in print_join /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_select.cc:30559 #4 0x55ce9f312f73 in st_select_lex::print(THD*, String*, enum_query_type) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_select.cc:31072 #5 0x55cea13f9958 in subselect_single_select_engine::print(String*, enum_query_type) /test/mtest/MDEV-5816/11.1_dbg_san/sql/item_subselect.cc:4668 #6 0x55cea141cda9 in Item_subselect::print(String*, enum_query_type) /test/mtest/MDEV-5816/11.1_dbg_san/sql/item_subselect.cc:1081 #7 0x55ce9ff262e8 in sp_instr_freturn::print(String*) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sp_instr.cc:1402 #8 0x55ce9e95fdb3 in sp_head::show_routine_code(THD*) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sp_head.cc:3341 #9 0x55ce9efa58f9 in mysql_execute_command(THD*, bool) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_parse.cc:5543 #10 0x55ce9eef2d8f in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_parse.cc:7769 #11 0x55ce9ef60edc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_parse.cc:1892 #12 0x55ce9ef72804 in do_command(THD*, bool) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_parse.cc:1405 #13 0x55ce9fa11c11 in do_handle_one_connection(CONNECT*, bool) /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_connect.cc:1416 #14 0x55ce9fa1438b in handle_one_connection /test/mtest/MDEV-5816/11.1_dbg_san/sql/sql_connect.cc:1318 #15 0x151ef5dd0608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477 #16 0x151ef5045132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

Ramesh Sivaraman made changes - 2023-06-22 04:59

Affects Version/s

11.2 [ 28603 ]

Ramesh Sivaraman made changes - 2023-06-22 05:00

Fix Version/s		11.1 [ 28549 ]
Fix Version/s		11.2 [ 28603 ]

Ramesh Sivaraman made changes - 2023-06-22 05:00

Affects Version/s

11.1 [ 28549 ]

Roel Van de Paar added a comment - 2024-02-27 01:29 - edited

The testcase in the last comment needs "CODE" in the last SQL command to crash, i.e. SHOW FUNCTION CODE f0. Please also test any fix with this testcase:

CREATE FUNCTION f1() RETURNS INT RETURN (SELECT * FROM t1);

CREATE TABLE t1 (c1 INT,c2 INT) ENGINE=MEMORY UNION=(t3,t4) INSERT_METHOD=LAST;

INSERT INTO t1 VALUES (f1(),"max");

DROP TABLE t1;

SHOW FUNCTION CODE f1;

Which produces the same outcome. Debug builds only as SHOW FUNCTION CODE is otherwise not available. 10.4+

Roel Van de Paar added a comment - 2024-02-27 01:29 - edited The testcase in the last comment needs " CODE " in the last SQL command to crash, i.e. SHOW FUNCTION CODE f0 . Please also test any fix with this testcase: CREATE FUNCTION f1() RETURNS INT RETURN ( SELECT * FROM t1); CREATE TABLE t1 (c1 INT ,c2 INT ) ENGINE=MEMORY UNION =(t3,t4) INSERT_METHOD= LAST ; INSERT INTO t1 VALUES (f1(), "max" ); DROP TABLE t1; SHOW FUNCTION CODE f1; Which produces the same outcome. Debug builds only as SHOW FUNCTION CODE is otherwise not available. 10.4+

Julien Fritsch made changes - 2024-09-10 14:44

Fix Version/s		10.6 [ 24028 ]
Fix Version/s		10.11 [ 27614 ]

Julien Fritsch made changes - 2024-09-10 15:05

Fix Version/s

10.4 [ 22408 ]

Julien Fritsch made changes - 2024-09-10 15:28

Fix Version/s

11.1 [ 28549 ]

Julien Fritsch made changes - 2024-11-22 17:11

Fix Version/s

11.2(EOL) [ 28603 ]

Roel Van de Paar made changes - 1 week ago

Summary

SIGSEGV in TABLE_LIST::print on SHOW FUNCTION CODE *and* Assertion `s' failed in TABLE::versioned on SHOW FUNCTION CODE

SIGSEGV's in TABLE_LIST::print and TABLE::versioned, and Assertion `s' failed in TABLE::versioned on SHOW FUNCTION CODE

Roel Van de Paar added a comment - 1 week ago - edited

Additional SIGSEGV in TABLE::versioned with this testcase:

SET GLOBAL log_bin_trust_function_creators=1;

CREATE FUNCTION f2() RETURNS INT RETURN (SELECT 1 FROM t1);

CREATE TABLE t1 (c1 CHAR BINARY CHARACTER SET 'latin1' COLLATE 'latin1_bin',c2 YEAR,c3 YEAR,PRIMARY KEY(c1)) ENGINE=InnoDB;

SELECT f2()='_u1@localhost';

DROP TABLE t1,t2,t3,t4,t5,t6;

SHOW FUNCTION CODE f2;

Leads to:

CS 11.4.6 ef966af801afc2a07222b5df65dddd52c77431dd (Debug) Build 15/02/2025
Core was generated by `/test/MD150225-mariadb-11.4.6-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000055b873b6666f in TABLE::versioned (this=0x14df50027e08)at /test/11.4_dbg/sql/table.h:1828
1828 return s->versioned;
[Current thread is 1 (LWP 1955430)]
(gdb) bt
#0 0x000055b873b6666f in TABLE::versioned (this=0x14df50027e08)at /test/11.4_dbg/sql/table.h:1828
#1 0x000055b873cc30d8 in TABLE_LIST::print (this=0x14df500261c8, thd=0x14df50000d58, eliminated_tables=0, str=0x14dfa1d45a50, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF)at /test/11.4_dbg/sql/sql_select.cc:31698
#2 0x000055b873cd1acc in print_table_array (thd=0x14df50000d58, eliminated_tables=0, str=0x14dfa1d45a50, table=0x14df50019ce0, end=0x14df50019ce8, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF)at /test/11.4_dbg/sql/sql_select.cc:31380
#3 0x000055b873cc36e9 in print_join (thd=0x14df50000d58, eliminated_tables=0, str=0x14dfa1d45a50, tables=0x14df50025de8, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF)at /test/11.4_dbg/sql/sql_select.cc:31536
#4 0x000055b873cc45ff in st_select_lex::print (this=0x14df50025c30, thd=0x14df50000d58, str=0x14dfa1d45a50, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF)at /test/11.4_dbg/sql/sql_select.cc:32049
#5 0x000055b874159b8c in subselect_single_select_engine::print (this=0x14df50026a88, str=0x14dfa1d45a50, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF)at /test/11.4_dbg/sql/item_subselect.cc:4713
#6 0x000055b87414a03d in Item_subselect::print (this=0x14df500268f8, str=0x14dfa1d45a50, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF)at /test/11.4_dbg/sql/item_subselect.cc:1086
#7 0x000055b873eb9b21 in sp_instr_freturn::print (this=0x14df50026b28, str=0x14dfa1d45a50) at /test/11.4_dbg/sql/sp_instr.cc:1508
#8 0x000055b873b05426 in sp_head::show_routine_code (this=0x14df50024cc0, thd=0x14df50000d58) at /test/11.4_dbg/sql/sp_head.cc:3440
#9 0x000055b873c1475f in mysql_execute_command (thd=0x14df50000d58, is_called_from_prepared_stmt=false) at /test/11.4_dbg/sql/sql_parse.cc:5655
#10 0x000055b873c047a4 in mysql_parse (thd=0x14df50000d58, rawbuf=0x14df50019ac0 "SHOW FUNCTION CODE f2", length=21, parser_state=0x14dfa1d47a30) at /test/11.4_dbg/sql/sql_parse.cc:7907
#11 0x000055b873c01c54 in dispatch_command (command=COM_QUERY, thd=0x14df50000d58, packet=0x14df5000afd9 "", packet_length=21, blocking=true) at /test/11.4_dbg/sql/sql_parse.cc:1904
#12 0x000055b873c05353 in do_command (thd=0x14df50000d58, blocking=true)at /test/11.4_dbg/sql/sql_parse.cc:1417
#13 0x000055b873de75a9 in do_handle_one_connection (connect=0x55b878273c68, put_in_cache=true) at /test/11.4_dbg/sql/sql_connect.cc:1408
#14 0x000055b873de7342 in handle_one_connection (arg=0x55b8783440d8)at /test/11.4_dbg/sql/sql_connect.cc:1320
#15 0x000014dfa909ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#16 0x000014dfa9129c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Bug confirmed present in:
MariaDB: 10.5.29 (dbg), 10.6.22 (dbg), 10.11.12 (dbg), 11.4.6 (dbg), 11.8.1 (dbg), 12.0.0 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.5.29 (opt), 10.6.22 (opt), 10.11.12 (opt), 11.4.6 (opt), 11.8.1 (opt), 12.0.0 (opt)

This testcase also produces the previously seen ASAN heap-use-after-free:

ASAN|heap-use-after-free|sql/table.h|TABLE::versioned|TABLE_LIST::print|print_table_array|print_join

Roel Van de Paar added a comment - 1 week ago - edited Additional SIGSEGV in TABLE::versioned with this testcase: SET GLOBAL log_bin_trust_function_creators=1; CREATE FUNCTION f2() RETURNS INT RETURN ( SELECT 1 FROM t1); CREATE TABLE t1 (c1 CHAR BINARY CHARACTER SET 'latin1' COLLATE 'latin1_bin' ,c2 YEAR ,c3 YEAR , PRIMARY KEY (c1)) ENGINE=InnoDB; SELECT f2()= '_u1@localhost' ; DROP TABLE t1,t2,t3,t4,t5,t6; SHOW FUNCTION CODE f2; Leads to: CS 11.4.6 ef966af801afc2a07222b5df65dddd52c77431dd (Debug) Build 15/02/2025 Core was generated by `/test/MD150225-mariadb-11.4.6-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x000055b873b6666f in TABLE::versioned (this=0x14df50027e08)at /test/11.4_dbg/sql/table.h:1828 1828 return s->versioned; [Current thread is 1 (LWP 1955430)] (gdb) bt #0 0x000055b873b6666f in TABLE::versioned (this=0x14df50027e08)at /test/11.4_dbg/sql/table.h:1828 #1 0x000055b873cc30d8 in TABLE_LIST::print (this=0x14df500261c8, thd=0x14df50000d58, eliminated_tables=0, str=0x14dfa1d45a50, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF)at /test/11.4_dbg/sql/sql_select.cc:31698 #2 0x000055b873cd1acc in print_table_array (thd=0x14df50000d58, eliminated_tables=0, str=0x14dfa1d45a50, table=0x14df50019ce0, end=0x14df50019ce8, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF)at /test/11.4_dbg/sql/sql_select.cc:31380 #3 0x000055b873cc36e9 in print_join (thd=0x14df50000d58, eliminated_tables=0, str=0x14dfa1d45a50, tables=0x14df50025de8, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF)at /test/11.4_dbg/sql/sql_select.cc:31536 #4 0x000055b873cc45ff in st_select_lex::print (this=0x14df50025c30, thd=0x14df50000d58, str=0x14dfa1d45a50, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF)at /test/11.4_dbg/sql/sql_select.cc:32049 #5 0x000055b874159b8c in subselect_single_select_engine::print (this=0x14df50026a88, str=0x14dfa1d45a50, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF)at /test/11.4_dbg/sql/item_subselect.cc:4713 #6 0x000055b87414a03d in Item_subselect::print (this=0x14df500268f8, str=0x14dfa1d45a50, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF)at /test/11.4_dbg/sql/item_subselect.cc:1086 #7 0x000055b873eb9b21 in sp_instr_freturn::print (this=0x14df50026b28, str=0x14dfa1d45a50) at /test/11.4_dbg/sql/sp_instr.cc:1508 #8 0x000055b873b05426 in sp_head::show_routine_code (this=0x14df50024cc0, thd=0x14df50000d58) at /test/11.4_dbg/sql/sp_head.cc:3440 #9 0x000055b873c1475f in mysql_execute_command (thd=0x14df50000d58, is_called_from_prepared_stmt=false) at /test/11.4_dbg/sql/sql_parse.cc:5655 #10 0x000055b873c047a4 in mysql_parse (thd=0x14df50000d58, rawbuf=0x14df50019ac0 "SHOW FUNCTION CODE f2", length=21, parser_state=0x14dfa1d47a30) at /test/11.4_dbg/sql/sql_parse.cc:7907 #11 0x000055b873c01c54 in dispatch_command (command=COM_QUERY, thd=0x14df50000d58, packet=0x14df5000afd9 "", packet_length=21, blocking=true) at /test/11.4_dbg/sql/sql_parse.cc:1904 #12 0x000055b873c05353 in do_command (thd=0x14df50000d58, blocking=true)at /test/11.4_dbg/sql/sql_parse.cc:1417 #13 0x000055b873de75a9 in do_handle_one_connection (connect=0x55b878273c68, put_in_cache=true) at /test/11.4_dbg/sql/sql_connect.cc:1408 #14 0x000055b873de7342 in handle_one_connection (arg=0x55b8783440d8)at /test/11.4_dbg/sql/sql_connect.cc:1320 #15 0x000014dfa909ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447 #16 0x000014dfa9129c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 Bug confirmed present in: MariaDB: 10.5.29 (dbg), 10.6.22 (dbg), 10.11.12 (dbg), 11.4.6 (dbg), 11.8.1 (dbg), 12.0.0 (dbg) Bug (or feature/syntax) confirmed not present in: MariaDB: 10.5.29 (opt), 10.6.22 (opt), 10.11.12 (opt), 11.4.6 (opt), 11.8.1 (opt), 12.0.0 (opt) This testcase also produces the previously seen ASAN heap-use-after-free : ASAN|heap-use-after-free|sql/table.h|TABLE::versioned|TABLE_LIST::print|print_table_array|print_join

Roel Van de Paar made changes - 1 week ago

Labels

not-10.1 not-10.2 regression

ASAN heap-use-after-free not-10.1 not-10.2 regression

Roel Van de Paar made changes - 1 week ago

Status

Open [ 1 ]

Confirmed [ 10101 ]

Roel Van de Paar made changes - 1 week ago

Fix Version/s		11.4 [ 29301 ]
Fix Version/s		11.8 [ 29921 ]
Affects Version/s		10.6 [ 24028 ]
Affects Version/s		10.11 [ 27614 ]
Affects Version/s		11.4 [ 29301 ]
Affects Version/s		11.8 [ 29921 ]
Affects Version/s		12.0 [ 29945 ]

People

Assignee:: Oleksandr Byelkin

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2020-07-18 06:03

Updated:: 1 week ago 03:42

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration