
SIGSEGV in fts_get_table_name, SIGSEGV in ib_vector_size, SIGSEGV in row_merge_fts_doc_tokenize, stack smashing


    Description

      -- Reproducer from the report. The crash occurs while the FULLTEXT index
      -- of a tis620 table is rebuilt: every backtrace below ends in
      -- row_merge_fts_doc_tokenize / fts_parallel_tokenization (row0ftsort.cc),
      -- and the ASAN report further down shows a 1-byte stack-buffer-overflow
      -- write in my_strnxfrm_tis620 past the 2-byte 'mystr' buffer of
      -- innobase_strnxfrm. Impact is a server crash (availability) reachable by
      -- any session that can rebuild such a table.
      SET collation_connection='tis620_bin';
      SET @@session.character_set_server='tis620';
      -- A later comment notes CREATE DATABASE is required to reproduce; the
      -- reason is not explained on this page.
      CREATE DATABASE a;
      USE a;
      -- Presumably the TEXT column ends up with the tis620 charset via the
      -- session default set above; the 10.2 reproducer below sets
      -- CHARACTER SET tis620 on the column explicitly -- verify.
      CREATE TABLE t(c TEXT,FULLTEXT KEY f(c)) ENGINE=InnoDB;
      INSERT INTO t VALUES(100);
      -- ADD COLUMN rebuilds the table; a later comment shows a plain rebuild
      -- (OPTIMIZE TABLE) is enough to trigger the crash.
      ALTER TABLE t ADD (c2 INT);
      

      Leads to:

      10.6.0 bfb4761ca04704d68dba51f76d7c9967f880a6ee (Debug)

      Core was generated by `/test/MD110221-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x000014ed559bbc30 in ?? () from /lib/x86_64-linux-gnu/libgcc_s.so.1
      [Current thread is 1 (Thread 0x14ed31bfd700 (LWP 1630450))]
      (gdb) bt
      #0  0x000014ed559bbc30 in ?? () from /lib/x86_64-linux-gnu/libgcc_s.so.1
      #1  0x000014ed559bd76b in _Unwind_Backtrace () from /lib/x86_64-linux-gnu/libgcc_s.so.1
      #2  0x000014ed55c4b136 in __GI___backtrace (array=array@entry=0x14ed31bfbde0, size=size@entry=128) at backtrace.c:116
      #3  0x000055817622e76d in my_print_stacktrace (stack_bottom=0x0, thread_stack=299008, silent=silent@entry=0 '\000') at /test/10.6_dbg/mysys/stacktrace.c:212
      #4  0x00005581759c6221 in handle_fatal_signal (sig=11) at /test/10.6_dbg/sql/signal_handler.cc:208
      #5  <signal handler called>
      #6  0x0000558175efb556 in row_merge_fts_doc_tokenize (t_ctx=0x14ed31bfca80, opt_doc_id_size=<optimized out>, merge_file=<optimized out>, doc=0x14ed31bfc9d0, doc_id=<optimized out>, sort_buf=<optimized out>) at /test/10.6_dbg/storage/innobase/row/row0ftsort.cc:577
      #7  fts_parallel_tokenization (arg=<optimized out>) at /test/10.6_dbg/storage/innobase/row/row0ftsort.cc:839
      #8  0xb7c336e496240000 in ?? ()
      #9  0x112e0be826d694b3 in ?? ()
      #10 0x00005581761b7cc7 in std::condition_variable::__wait_until_impl<std::chrono::duration<long, std::ratio<1l, 1000000000l> > > (__atime=<synthetic pointer>: <optimized out>, __lock=<error reading variable: Cannot access memory at address 0x166476a9e69be61c>, this=0x558178a5a230) at /usr/include/x86_64-linux-gnu/c++/9/bits/gthr-default.h:872
      #11 std::condition_variable::wait_until<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > > (__atime=<optimized out>, __lock=<error reading variable: Cannot access memory at address 0x166476a9e69be61c>, this=0x558178a5a230) at /usr/include/c++/9/condition_variable:121
      #12 std::condition_variable::wait_for<long, std::ratio<1l, 1000l> > (__rtime=@0x14ed31bfcea8: {__r = 0}, __lock=<error reading variable: Cannot access memory at address 0x166476a9e69be61c>, this=0x558178a5a230) at /usr/include/c++/9/condition_variable:152
      #13 tpool::thread_pool_generic::wait_for_tasks (this=0x14ed31bfcd70, lk=<error reading variable: Cannot access memory at address 0x166476a9e69be61c>, thread_data=0x558178a5a230) at /test/10.6_dbg/tpool/tpool_generic.cc:446
      Backtrace stopped: Cannot access memory at address 0x166476a9e69be674
      

      10.2.37 (Debug)

      Core was generated by `/test/MD260121-mariadb-10.2.37-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      [Current thread is 1 (Thread 0x14d6d6cb5700 (LWP 1640311))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x000056162b81d087 in my_write_core (sig=sig@entry=11) at /data/builds/10.2_dbg/mysys/stacktrace.c:382
      #2  0x000056162b114a91 in handle_fatal_signal (sig=11) at /data/builds/10.2_dbg/sql/signal_handler.cc:343
      #3  <signal handler called>
      #4  ib_vector_size (vec=0x0) at /data/builds/10.2_dbg/storage/innobase/include/ut0vec.ic:118
      #5  fts_sync_write_words (unlock_cache=<optimized out>, index_cache=0x14d690046a10, trx=<optimized out>) at /data/builds/10.2_dbg/storage/innobase/fts/fts0fts.cc:4005
      #6  fts_sync_index (sync=<optimized out>, index_cache=0x14d690046a10) at /data/builds/10.2_dbg/storage/innobase/fts/fts0fts.cc:4107
      #7  0x000056162b81c033 in my_thread_var_dbug () at /data/builds/10.2_dbg/mysys/my_thr_init.c:444
      #8  0x000056162b835054 in code_state () at /data/builds/10.2_dbg/dbug/dbug.c:375
      #9  0x000014d690046680 in ?? ()
      #10 0x0000000000000000 in ?? ()
      

      10.2.37 (Optimized)

      Core was generated by `/test/MD260121-mariadb-10.2.37-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      [Current thread is 1 (Thread 0x14f24e86d700 (LWP 1639811))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x000055a6ea4cd57f in my_write_core (sig=sig@entry=11) at /data/builds/10.2_opt/mysys/stacktrace.c:382
      #2  0x000055a6e9f748a8 in handle_fatal_signal (sig=11) at /data/builds/10.2_opt/sql/signal_handler.cc:343
      #3  <signal handler called>
      #4  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
      #5  0x000055a6ea323b5a in memcpy (__len=18446721043960435969, __src=0x14f20803eb00, __dest=0x14f24e86c560) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
      #6  fts_get_table_name (fts_table=fts_table@entry=0x14f24e86c7f0, table_name=table_name@entry=0x14f24e86c560 "", dict_locked=dict_locked@entry=false) at /data/builds/10.2_opt/storage/innobase/fts/fts0sql.cc:124
      #7  0x000055a6ea30b662 in fts_write_node (trx=0x14f208039390, graph=0x14f2080393f0, fts_table=0x14f24e86c7f0, word=0x14f208057f10, node=0x14f208039900) at /data/builds/10.2_opt/storage/innobase/fts/fts0fts.cc:3857
      #8  0x000055a6ea30b8d5 in fts_sync_write_words (unlock_cache=<optimized out>, index_cache=0x14f208039390, trx=<optimized out>) at /data/builds/10.2_opt/storage/innobase/fts/fts0fts.cc:4023
      #9  fts_sync_index (sync=<optimized out>, index_cache=0x14f208039390) at /data/builds/10.2_opt/storage/innobase/fts/fts0fts.cc:4107
      #10 0x0000000000000000 in ?? ()
      

      10.4.18 e626f511f9dc4faee9ae98fb5a8c8c6ddd06679b (Optimized)

      Core was generated by `/test/MD260121-mariadb-10.4.18-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x000055c0e45b6823 in my_read (Filedes=Filedes@entry=70, 
          Buffer=Buffer@entry=0x14bef8ee22f0 "Limit", ' ' <repeats 21 times>, "Soft Limit", ' ' <repeats 11 times>, "Hard Limit", ' ' <repeats 11 times>, "Units     \nMax cpu time", ' ' <repeats 14 times>, "unlimited", ' ' <repeats 12 times>, "unlimited", ' ' <repeats 12 times>, "seconds   \nMax file size", ' ' <repeats 13 times>, "unlimited       "..., Count=Count@entry=4096, MyFlags=MyFlags@entry=0)
          at /data/builds/10.4_opt/mysys/my_read.c:63
      [Current thread is 1 (Thread 0x14bef8ee4700 (LWP 1644189))]
      (gdb) bt
      #0  0x000055c0e45b6823 in my_read (Filedes=Filedes@entry=70, Buffer=Buffer@entry=0x14bef8ee22f0 "Limit", ' ' <repeats 21 times>, "Soft Limit", ' ' <repeats 11 times>, "Hard Limit", ' ' <repeats 11 times>, "Units     \nMax cpu time", ' ' <repeats 14 times>, "unlimited", ' ' <repeats 12 times>, "unlimited", ' ' <repeats 12 times>, "seconds   \nMax file size", ' ' <repeats 13 times>, "unlimited       "..., Count=Count@entry=4096, MyFlags=MyFlags@entry=0) at /data/builds/10.4_opt/mysys/my_read.c:63
      #1  0x000055c0e3fc870a in output_core_info () at /data/builds/10.4_opt/sql/signal_handler.cc:66
      #2  0x000055c0e3fc8b4e in handle_fatal_signal (sig=11) at /data/builds/10.4_opt/sql/signal_handler.cc:339
      #3  <signal handler called>
      #4  row_merge_fts_doc_tokenize (t_ctx=0x14bef8ee3b90, opt_doc_id_size=<optimized out>, merge_file=<optimized out>, doc=0x14bef8ee3ae0, doc_id=<optimized out>, sort_buf=<optimized out>) at /data/builds/10.4_opt/storage/innobase/row/row0ftsort.cc:586
      #5  fts_parallel_tokenization (arg=<optimized out>) at /data/builds/10.4_opt/storage/innobase/row/row0ftsort.cc:854
      #6  0x0000000000000000 in ?? ()
      

      Note the various errors while reading the backtrace; they suggest memory corruption is taking place.

      Bug confirmed present in:
      MariaDB: 10.2.37 (dbg), 10.2.37 (opt), 10.3.28 (dbg), 10.3.28 (opt), 10.4.18 (dbg), 10.4.18 (opt), 10.5.9 (dbg), 10.5.9 (opt), 10.6.0 (dbg), 10.6.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.33 (dbg), 5.7.33 (opt), 8.0.23 (dbg), 8.0.23 (opt)


            Roel Roel Van de Paar added a comment - - edited

            MTR also crashes on the same SQL.

            /test/MD180921-mariadb-10.7.0-linux-x86_64-dbg/mysql-test$ cat main/test.test 
            # mysqltest version of the reproducer from the description; requires
            # InnoDB. '#' is used for comments because '--' lines are mysqltest
            # commands.
            --source include/have_innodb.inc
            SET collation_connection='tis620_bin';
            SET @@session.character_set_server='tis620';
            CREATE DATABASE a;
            USE a;
            CREATE TABLE t(c TEXT,FULLTEXT KEY f(c)) ENGINE=InnoDB;
            INSERT INTO t VALUES(100);
            # The MTR output below reports error 2013 (lost connection) on this
            # statement: the server crashes during the rebuild.
            ALTER TABLE t ADD (c2 INT);
            /test/MD180921-mariadb-10.7.0-linux-x86_64-dbg/mysql-test$ ./mysql-test-run test
            

            Leads to:

            ==============================================================================
             
            TEST                                      RESULT   TIME (ms) or COMMENT
            --------------------------------------------------------------------------
             
            worker[1] Using MTR_BUILD_THREAD 300, with reserved ports 16000..16019
            SET collation_connection='tis620_bin';
            SET @@session.character_set_server='tis620';
            CREATE DATABASE a;
            USE a;
            CREATE TABLE t(c TEXT,FULLTEXT KEY f(c)) ENGINE=InnoDB;
            INSERT INTO t VALUES(100);
            ALTER TABLE t ADD (c2 INT);
            main.test 'innodb'                       [ fail ]
                    Test ended at 2021-09-18 07:48:15
             
            CURRENT_TEST: main.test
            mysqltest: At line 8: query 'ALTER TABLE t ADD (c2 INT)' failed: <Unknown> (2013): Lost connection to server during query
            ...
            [Thread debugging using libthread_db enabled]
            Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
            Core was generated by `/test/MD180921-mariadb-10.7.0-linux-x86_64-dbg/bin/mariadbd --defaults-group-su'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            [Current thread is 1 (Thread 0x1522d031e700 (LWP 689375))]
            #0  0x000055f724f41f79 in row_merge_fts_doc_tokenize (t_ctx=0x1522d031da80, opt_doc_id_size=<optimized out>, merge_file=<optimized out>, doc=0x1522d031d9d0, doc_id=<optimized out>, sort_buf=<optimized out>) at /test/10.7_dbg/storage/innobase/row/row0ftsort.cc:577
            #1  fts_parallel_tokenization (arg=<optimized out>) at /test/10.7_dbg/storage/innobase/row/row0ftsort.cc:838
            #2  0xcaa89188363c1a00 in ?? ()
            #3  0x112e0be826d694b3 in ?? ()
            #4  0x000055f7251f0601 in std::condition_variable::__wait_until_impl<std::chrono::duration<long, std::ratio<1l, 1000000000l> > > (__atime=<synthetic pointer>..., __lock=<error reading variable: Cannot access memory at address 0x16a5ba5d46e8dd3b>, this=0x55f7281aa6c0) at /usr/include/x86_64-linux-gnu/c++/9/bits/gthr-default.h:872
            ...
            


            For some reason, the CREATE DATABASE is necessary for reproducing the crash. I was only able to simplify the test to request a simple table rebuild (no ADD COLUMN needed):

            # Simplified reproducer: same setup as the original report, with the
            # ADD COLUMN replaced by a plain table rebuild. CREATE DATABASE is
            # still required (see the note above).
            --source include/have_innodb.inc
            SET collation_connection='tis620_bin';
            SET @@session.character_set_server='tis620';
            CREATE DATABASE a;
            USE a;
            CREATE TABLE t(c TEXT,FULLTEXT KEY f(c)) ENGINE=InnoDB;
            INSERT INTO t VALUES(100);
            # OPTIMIZE TABLE rebuilds the table, which re-tokenizes the FULLTEXT
            # column. The ASAN report below shows my_strnxfrm_tis620 (via
            # fts_select_index -> innobase_strnxfrm) writing 1 byte past the
            # 2-byte 'mystr' stack buffer, i.e. the "stack smashing" in the title.
            OPTIMIZE TABLE t;
            # Clean up so the test leaves no database behind.
            DROP DATABASE a;
            

            10.7 da46c37bc7cf784c781d3c89d81b33911c10fedd

            Version: '10.7.1-MariaDB-debug-log'  socket: '/dev/shm/10.7/mysql-test/var/tmp/mysqld.1.sock'  port: 16000  Source distribution
            =================================================================
            ==2241578==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f19c82e1f72 at pc 0x5570206a2483 bp 0x7f19c82e1ee0 sp 0x7f19c82e1ed8
            WRITE of size 1 at 0x7f19c82e1f72 thread T5
                #0 0x5570206a2482 in strmake /mariadb/10.7/strings/strmake.c:66
                #1 0x5570206411cc in my_strnxfrm_tis620 /mariadb/10.7/strings/ctype-tis620.c:612
                #2 0x55701fb4bd5f in charset_info_st::strnxfrm(unsigned char*, unsigned long, unsigned char const*, unsigned long) const /mariadb/10.7/include/m_ctype.h:830
                #3 0x55701fb4bd5f in innobase_strnxfrm(charset_info_st const*, unsigned char const*, unsigned long) /mariadb/10.7/storage/innobase/handler/ha_innodb.cc:6478
                #4 0x55701fe55a59 in fts_select_index_by_range /mariadb/10.7/storage/innobase/include/fts0types.ic:140
                #5 0x55701fe55a59 in fts_select_index /mariadb/10.7/storage/innobase/include/fts0types.ic:214
                #6 0x55701fe60933 in row_merge_fts_doc_tokenize /mariadb/10.7/storage/innobase/row/row0ftsort.cc:569
                #7 0x55701fe63386 in fts_parallel_tokenization /mariadb/10.7/storage/innobase/row/row0ftsort.cc:838
            …
            Address 0x7f19c82e1f72 is located in stack of thread T5 at offset 34 in frame
                #0 0x55701fb4bc49 in innobase_strnxfrm(charset_info_st const*, unsigned char const*, unsigned long) /mariadb/10.7/storage/innobase/handler/ha_innodb.cc:6470
             
              This frame has 1 object(s):
                [32, 34) 'mystr' (line 6471) <== Memory access at offset 34 overflows this variable
            

            marko Marko Mäkelä added a comment - For some reason, the CREATE DATABASE is necessary for reproducing the crash. I was only able to simplify the test to request a simple table rebuild (no ADD COLUMN needed): --source include/have_innodb.inc SET collation_connection= 'tis620_bin' ; SET @@session.character_set_server= 'tis620' ; CREATE DATABASE a; USE a; CREATE TABLE t(c TEXT,FULLTEXT KEY f(c)) ENGINE=InnoDB; INSERT INTO t VALUES (100); OPTIMIZE TABLE t; DROP DATABASE a; 10.7 da46c37bc7cf784c781d3c89d81b33911c10fedd Version: '10.7.1-MariaDB-debug-log' socket: '/dev/shm/10.7/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution ================================================================= ==2241578==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f19c82e1f72 at pc 0x5570206a2483 bp 0x7f19c82e1ee0 sp 0x7f19c82e1ed8 WRITE of size 1 at 0x7f19c82e1f72 thread T5 #0 0x5570206a2482 in strmake /mariadb/10.7/strings/strmake.c:66 #1 0x5570206411cc in my_strnxfrm_tis620 /mariadb/10.7/strings/ctype-tis620.c:612 #2 0x55701fb4bd5f in charset_info_st::strnxfrm(unsigned char*, unsigned long, unsigned char const*, unsigned long) const /mariadb/10.7/include/m_ctype.h:830 #3 0x55701fb4bd5f in innobase_strnxfrm(charset_info_st const*, unsigned char const*, unsigned long) /mariadb/10.7/storage/innobase/handler/ha_innodb.cc:6478 #4 0x55701fe55a59 in fts_select_index_by_range /mariadb/10.7/storage/innobase/include/fts0types.ic:140 #5 0x55701fe55a59 in fts_select_index /mariadb/10.7/storage/innobase/include/fts0types.ic:214 #6 0x55701fe60933 in row_merge_fts_doc_tokenize /mariadb/10.7/storage/innobase/row/row0ftsort.cc:569 #7 0x55701fe63386 in fts_parallel_tokenization /mariadb/10.7/storage/innobase/row/row0ftsort.cc:838 … Address 0x7f19c82e1f72 is located in stack of thread T5 at offset 34 in frame #0 0x55701fb4bc49 in innobase_strnxfrm(charset_info_st const*, unsigned char const*, unsigned long) 
/mariadb/10.7/storage/innobase/handler/ha_innodb.cc:6470   This frame has 1 object(s): [32, 34) 'mystr' (line 6471) <== Memory access at offset 34 overflows this variable
            bar Alexander Barkov added a comment - - edited

            Marko suggested this script for 10.2. It crashes in the current 10.2 commit 2ed148c8d7b0133ecd17377587facadc7e76e9e8:

            -- 10.2 variant (from the comment above): no session charset changes;
            -- the tis620 charset is placed on the column directly.
            DROP TABLE IF EXISTS t1;
            CREATE TABLE t1(c TEXT CHARACTER SET tis620) ENGINE=InnoDB;
            INSERT INTO t1 VALUES('100');
            -- Building the FULLTEXT index in place tokenizes the existing row;
            -- presumably this reaches the same row0ftsort.cc path as the
            -- backtraces above -- confirm.
            ALTER TABLE t1 ADD FULLTEXT INDEX(c), ALGORITHM=INPLACE;
            

            bar Alexander Barkov added a comment - marko, please review the patch: https://github.com/MariaDB/server/commits/bb-10.2-bar-MDEV-24901

            The InnoDB tests look good to me.

            marko Marko Mäkelä added a comment - The InnoDB tests look good to me.
