Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-24206

SIGSEGV in replace_db_table on GRANT: mysql_grant|Sql_cmd_grant_table::execute_table_mask|Sql_cmd_grant_table::execute

    XMLWordPrintable

    Details

      Description

      DROP DATABASE test;
      CREATE DATABASE test;
      USE test;
      RENAME TABLE mysql.db TO mysql.db_bak;
      CREATE TABLE mysql.db ENGINE=MEMORY SELECT * FROM mysql.db_bak;
      GRANT SELECT ON mysql.* to 'a'@'a' IDENTIFIED BY 'a';
      

      Sporadically (it needs about 10 repeats to reproduce) leads to:

      10.5.8 4cbfdeca840098b9ed0d8147d43288c36743a328 (Debug)

      Core was generated by `/test/MD041120-mariadb-10.5.8-linux-x86_64-dbg.3/bin/mysqld --no-defaults --cor'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      [Current thread is 1 (Thread 0x15302c138700 (LWP 709932))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      #1  0x000055d74b945fb4 in my_write_core (sig=sig@entry=11) at /test/10.5_dbg/mysys/stacktrace.c:424
      #2  0x000055d74b11c7ad in handle_fatal_signal (sig=11) at /test/10.5_dbg/sql/signal_handler.cc:330
      #3  <signal handler called>
      #4  0x000055d74adce381 in replace_db_table (table=0x152fd80ad5c8, db=<optimized out>, db@entry=0x152fd80129e0 "mysql", combo=@0x152fd8012a18: {<AUTHID> = {user = {str = 0x152fd8012a08 "a", length = 1}, host = {str = 0x152fd8012a10 "a", length = 1}}, auth = 0x152fd8012a48}, rights=SELECT_ACL, revoke_grant=revoke_grant@entry=false) at /test/10.5_dbg/sql/sql_acl.cc:4781
      #5  0x000055d74add3ef7 in mysql_grant (thd=thd@entry=0x152fd8000d78, db=0x152fd80129e0 "mysql", list=@0x152fd8005da0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x152fd8012a80, last = 0x152fd8012a80, elements = 1}, <No data fields>}, rights=SELECT_ACL, revoke_grant=false, is_proxy=is_proxy@entry=false) at /test/10.5_dbg/sql/sql_acl.cc:7670
      #6  0x000055d74add54e9 in Sql_cmd_grant_table::execute_table_mask (this=0x152fd8012a90, thd=0x152fd8000d78) at /test/10.5_dbg/sql/sql_acl.cc:12066
      #7  0x000055d74add55a9 in Sql_cmd_grant_table::execute (this=<optimized out>, thd=<optimized out>) at /test/10.5_dbg/sql/sql_acl.cc:12082
      #8  0x000055d74ae6d15d in mysql_execute_command (thd=thd@entry=0x152fd8000d78) at /test/10.5_dbg/sql/sql_parse.cc:6008
      #9  0x000055d74ae74a98 in mysql_parse (thd=thd@entry=0x152fd8000d78, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x15302c137390, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:8044
      #10 0x000055d74ae613af in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x152fd8000d78, packet=packet@entry=0x152fd8008f49 "GRANT SELECT ON mysql.* to 'a'@'a' IDENTIFIED BY 'a'", packet_length=packet_length@entry=52, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1872
      #11 0x000055d74ae5fb99 in do_command (thd=0x152fd8000d78) at /test/10.5_dbg/sql/sql_parse.cc:1353
      #12 0x000055d74afc06ef in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55d74ea3fc88, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1410
      #13 0x000055d74afc0e13 in handle_one_connection (arg=arg@entry=0x55d74ea3fc88) at /test/10.5_dbg/sql/sql_connect.cc:1312
      #14 0x000055d74b42cab2 in pfs_spawn_thread (arg=0x55d74e969588) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
      #15 0x000015302e6cd6db in start_thread (arg=0x15302c138700) at pthread_create.c:463
      #16 0x000015302dacba3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.5.8 4cbfdeca840098b9ed0d8147d43288c36743a328 (Optimized)

      Core was generated by `/test/MD041120-mariadb-10.5.8-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      [Current thread is 1 (Thread 0x152061616700 (LWP 2493474))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      #1  0x0000558795e7e0e7 in my_write_core (sig=sig@entry=11) at /test/10.5_opt/mysys/stacktrace.c:424
      #2  0x00005587958600da in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:330
      #3  <signal handler called>
      #4  0x00005587955ec9e8 in replace_db_table (table=0x15203006a058, db=db@entry=0x152030010480 "mysql", combo=@0x1520300104b8: {<AUTHID> = {user = {str = 0x1520300104a8 "a", length = 1}, host = {str = 0x1520300104b0 "a", length = 1}}, auth = 0x1520300104e8}, rights=rights@entry=SELECT_ACL, revoke_grant=revoke_grant@entry=false) at /test/10.5_opt/sql/sql_acl.cc:4781
      #5  0x00005587955f4c20 in mysql_grant (thd=thd@entry=0x152030000c18, db=0x152030010480 "mysql", list=@0x152030005a80: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x152030010520, last = 0x152030010520, elements = 1}, <No data fields>}, rights=SELECT_ACL, revoke_grant=false, is_proxy=is_proxy@entry=false) at /test/10.5_opt/sql/sql_acl.cc:7670
      #6  0x00005587955f52d2 in Sql_cmd_grant_table::execute_table_mask (this=0x152030010530, thd=0x152030000c18) at /test/10.5_opt/sql/sql_acl.cc:12066
      #7  0x0000558795665a59 in mysql_execute_command (thd=thd@entry=0x152030000c18) at /test/10.5_opt/sql/sql_parse.cc:6008
      #8  0x000055879566c6ac in mysql_parse (thd=0x152030000c18, rawbuf=<optimized out>, length=52, parser_state=0x152061615470, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_parse.cc:8044
      #9  0x0000558795661955 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x152030000c18, packet=packet@entry=0x152030007fd9 "GRANT SELECT ON mysql.* to 'a'@'a' IDENTIFIED BY 'a'", packet_length=packet_length@entry=52, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:1872
      #10 0x000055879565fc74 in do_command (thd=0x152030000c18) at /test/10.5_opt/sql/sql_parse.cc:1353
      #11 0x0000558795757681 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5587983d3e38, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1410
      #12 0x00005587957579f4 in handle_one_connection (arg=arg@entry=0x5587983d3e38) at /test/10.5_opt/sql/sql_connect.cc:1312
      #13 0x0000558795acb31a in pfs_spawn_thread (arg=0x558798389328) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
      #14 0x00001520799c56db in start_thread (arg=0x152061616700) at pthread_create.c:463
      #15 0x0000152078dc3a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.1.47 (dbg), 10.1.47 (opt), 10.1.49 (dbg), 10.1.49 (opt), 10.2.34 (dbg), 10.2.34 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.25 (dbg), 10.3.25 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.15 (dbg), 10.4.15 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.6 (dbg), 10.5.6 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

      Debug server log.
      Debug core files.
      Optimised core files.

        Attachments

          Activity

            People

            Assignee:
            sanja Oleksandr Byelkin
            Reporter:
            stepan.patryshev Stepan Patryshev (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated: