[MDEV-24206] SIGSEGV in replace_db_table on GRANT: mysql_grant|Sql_cmd_grant_table::execute_table_mask|Sql_cmd_grant_table::execute - Jira

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.1.47, 10.2.34, 10.3.25, 10.4.15, 10.5.6, 10.6.0
Fix Version/s: 10.5
Component/s: Authentication and Privilege System, Storage Engine - Memory
Labels:
None

Description

DROP DATABASE test;

CREATE DATABASE test;

USE test;

RENAME TABLE mysql.db TO mysql.db_bak;

CREATE TABLE mysql.db ENGINE=MEMORY SELECT * FROM mysql.db_bak;

GRANT SELECT ON mysql.* to 'a'@'a' IDENTIFIED BY 'a';

Sporadically (it needs about 10 repeats to reproduce) leads to:

10.5.8 4cbfdeca840098b9ed0d8147d43288c36743a328 (Debug)
Core was generated by `/test/MD041120-mariadb-10.5.8-linux-x86_64-dbg.3/bin/mysqld --no-defaults --cor'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x15302c138700 (LWP 709932))]
(gdb) bt
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1 0x000055d74b945fb4 in my_write_core (sig=sig@entry=11) at /test/10.5_dbg/mysys/stacktrace.c:424
#2 0x000055d74b11c7ad in handle_fatal_signal (sig=11) at /test/10.5_dbg/sql/signal_handler.cc:330
#3 <signal handler called>
#4 0x000055d74adce381 in replace_db_table (table=0x152fd80ad5c8, db=<optimized out>, db@entry=0x152fd80129e0 "mysql", combo=@0x152fd8012a18: {<AUTHID> = {user = {str = 0x152fd8012a08 "a", length = 1}, host = {str = 0x152fd8012a10 "a", length = 1}}, auth = 0x152fd8012a48}, rights=SELECT_ACL, revoke_grant=revoke_grant@entry=false) at /test/10.5_dbg/sql/sql_acl.cc:4781
#5 0x000055d74add3ef7 in mysql_grant (thd=thd@entry=0x152fd8000d78, db=0x152fd80129e0 "mysql", list=@0x152fd8005da0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x152fd8012a80, last = 0x152fd8012a80, elements = 1}, <No data fields>}, rights=SELECT_ACL, revoke_grant=false, is_proxy=is_proxy@entry=false) at /test/10.5_dbg/sql/sql_acl.cc:7670
#6 0x000055d74add54e9 in Sql_cmd_grant_table::execute_table_mask (this=0x152fd8012a90, thd=0x152fd8000d78) at /test/10.5_dbg/sql/sql_acl.cc:12066
#7 0x000055d74add55a9 in Sql_cmd_grant_table::execute (this=<optimized out>, thd=<optimized out>) at /test/10.5_dbg/sql/sql_acl.cc:12082
#8 0x000055d74ae6d15d in mysql_execute_command (thd=thd@entry=0x152fd8000d78) at /test/10.5_dbg/sql/sql_parse.cc:6008
#9 0x000055d74ae74a98 in mysql_parse (thd=thd@entry=0x152fd8000d78, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x15302c137390, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:8044
#10 0x000055d74ae613af in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x152fd8000d78, packet=packet@entry=0x152fd8008f49 "GRANT SELECT ON mysql.* to 'a'@'a' IDENTIFIED BY 'a'", packet_length=packet_length@entry=52, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1872
#11 0x000055d74ae5fb99 in do_command (thd=0x152fd8000d78) at /test/10.5_dbg/sql/sql_parse.cc:1353
#12 0x000055d74afc06ef in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55d74ea3fc88, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1410
#13 0x000055d74afc0e13 in handle_one_connection (arg=arg@entry=0x55d74ea3fc88) at /test/10.5_dbg/sql/sql_connect.cc:1312
#14 0x000055d74b42cab2 in pfs_spawn_thread (arg=0x55d74e969588) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#15 0x000015302e6cd6db in start_thread (arg=0x15302c138700) at pthread_create.c:463
#16 0x000015302dacba3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.5.8 4cbfdeca840098b9ed0d8147d43288c36743a328 (Optimized)
Core was generated by `/test/MD041120-mariadb-10.5.8-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x152061616700 (LWP 2493474))]
(gdb) bt
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1 0x0000558795e7e0e7 in my_write_core (sig=sig@entry=11) at /test/10.5_opt/mysys/stacktrace.c:424
#2 0x00005587958600da in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:330
#3 <signal handler called>
#4 0x00005587955ec9e8 in replace_db_table (table=0x15203006a058, db=db@entry=0x152030010480 "mysql", combo=@0x1520300104b8: {<AUTHID> = {user = {str = 0x1520300104a8 "a", length = 1}, host = {str = 0x1520300104b0 "a", length = 1}}, auth = 0x1520300104e8}, rights=rights@entry=SELECT_ACL, revoke_grant=revoke_grant@entry=false) at /test/10.5_opt/sql/sql_acl.cc:4781
#5 0x00005587955f4c20 in mysql_grant (thd=thd@entry=0x152030000c18, db=0x152030010480 "mysql", list=@0x152030005a80: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x152030010520, last = 0x152030010520, elements = 1}, <No data fields>}, rights=SELECT_ACL, revoke_grant=false, is_proxy=is_proxy@entry=false) at /test/10.5_opt/sql/sql_acl.cc:7670
#6 0x00005587955f52d2 in Sql_cmd_grant_table::execute_table_mask (this=0x152030010530, thd=0x152030000c18) at /test/10.5_opt/sql/sql_acl.cc:12066
#7 0x0000558795665a59 in mysql_execute_command (thd=thd@entry=0x152030000c18) at /test/10.5_opt/sql/sql_parse.cc:6008
#8 0x000055879566c6ac in mysql_parse (thd=0x152030000c18, rawbuf=<optimized out>, length=52, parser_state=0x152061615470, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_parse.cc:8044
#9 0x0000558795661955 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x152030000c18, packet=packet@entry=0x152030007fd9 "GRANT SELECT ON mysql.* to 'a'@'a' IDENTIFIED BY 'a'", packet_length=packet_length@entry=52, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:1872
#10 0x000055879565fc74 in do_command (thd=0x152030000c18) at /test/10.5_opt/sql/sql_parse.cc:1353
#11 0x0000558795757681 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5587983d3e38, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1410
#12 0x00005587957579f4 in handle_one_connection (arg=arg@entry=0x5587983d3e38) at /test/10.5_opt/sql/sql_connect.cc:1312
#13 0x0000558795acb31a in pfs_spawn_thread (arg=0x558798389328) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
#14 0x00001520799c56db in start_thread (arg=0x152061616700) at pthread_create.c:463
#15 0x0000152078dc3a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.1.47 (dbg), 10.1.47 (opt), 10.1.49 (dbg), 10.1.49 (opt), 10.2.34 (dbg), 10.2.34 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.25 (dbg), 10.3.25 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.15 (dbg), 10.4.15 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.6 (dbg), 10.5.6 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Debug server log.
Debug core files.
Optimised core files.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

dbg_master.err
10 kB
2020-11-12 19:14

SIGSEGV in replace_db_table on GRANT: mysql_grant|Sql_cmd_grant_table::execute_table_mask|Sql_cmd_grant_table::execute

Details

Description

Attachments

Attachments

Activity

People

Dates

Git Integration