  1. MariaDB Server
  2. MDEV-24901

SIGSEGV in fts_get_table_name, SIGSEGV in ib_vector_size, SIGSEGV in row_merge_fts_doc_tokenize, stack smashing


    Details

      Description

      SET collation_connection='tis620_bin';
      SET @@session.character_set_server='tis620';
      CREATE DATABASE a;
      USE a;
      CREATE TABLE t(c TEXT,FULLTEXT KEY f(c)) ENGINE=InnoDB;
      INSERT INTO t VALUES(100);
      ALTER TABLE t ADD (c2 INT);
      

      Leads to:

      10.6.0 bfb4761ca04704d68dba51f76d7c9967f880a6ee (Debug)

      Core was generated by `/test/MD110221-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x000014ed559bbc30 in ?? () from /lib/x86_64-linux-gnu/libgcc_s.so.1
      [Current thread is 1 (Thread 0x14ed31bfd700 (LWP 1630450))]
      (gdb) bt
      #0  0x000014ed559bbc30 in ?? () from /lib/x86_64-linux-gnu/libgcc_s.so.1
      #1  0x000014ed559bd76b in _Unwind_Backtrace () from /lib/x86_64-linux-gnu/libgcc_s.so.1
      #2  0x000014ed55c4b136 in __GI___backtrace (array=array@entry=0x14ed31bfbde0, size=size@entry=128) at backtrace.c:116
      #3  0x000055817622e76d in my_print_stacktrace (stack_bottom=0x0, thread_stack=299008, silent=silent@entry=0 '\000') at /test/10.6_dbg/mysys/stacktrace.c:212
      #4  0x00005581759c6221 in handle_fatal_signal (sig=11) at /test/10.6_dbg/sql/signal_handler.cc:208
      #5  <signal handler called>
      #6  0x0000558175efb556 in row_merge_fts_doc_tokenize (t_ctx=0x14ed31bfca80, opt_doc_id_size=<optimized out>, merge_file=<optimized out>, doc=0x14ed31bfc9d0, doc_id=<optimized out>, sort_buf=<optimized out>) at /test/10.6_dbg/storage/innobase/row/row0ftsort.cc:577
      #7  fts_parallel_tokenization (arg=<optimized out>) at /test/10.6_dbg/storage/innobase/row/row0ftsort.cc:839
      #8  0xb7c336e496240000 in ?? ()
      #9  0x112e0be826d694b3 in ?? ()
      #10 0x00005581761b7cc7 in std::condition_variable::__wait_until_impl<std::chrono::duration<long, std::ratio<1l, 1000000000l> > > (__atime=<synthetic pointer>: <optimized out>, __lock=<error reading variable: Cannot access memory at address 0x166476a9e69be61c>, this=0x558178a5a230) at /usr/include/x86_64-linux-gnu/c++/9/bits/gthr-default.h:872
      #11 std::condition_variable::wait_until<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > > (__atime=<optimized out>, __lock=<error reading variable: Cannot access memory at address 0x166476a9e69be61c>, this=0x558178a5a230) at /usr/include/c++/9/condition_variable:121
      #12 std::condition_variable::wait_for<long, std::ratio<1l, 1000l> > (__rtime=@0x14ed31bfcea8: {__r = 0}, __lock=<error reading variable: Cannot access memory at address 0x166476a9e69be61c>, this=0x558178a5a230) at /usr/include/c++/9/condition_variable:152
      #13 tpool::thread_pool_generic::wait_for_tasks (this=0x14ed31bfcd70, lk=<error reading variable: Cannot access memory at address 0x166476a9e69be61c>, thread_data=0x558178a5a230) at /test/10.6_dbg/tpool/tpool_generic.cc:446
      Backtrace stopped: Cannot access memory at address 0x166476a9e69be674
      

      10.2.37 (Debug)

      Core was generated by `/test/MD260121-mariadb-10.2.37-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      [Current thread is 1 (Thread 0x14d6d6cb5700 (LWP 1640311))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x000056162b81d087 in my_write_core (sig=sig@entry=11) at /data/builds/10.2_dbg/mysys/stacktrace.c:382
      #2  0x000056162b114a91 in handle_fatal_signal (sig=11) at /data/builds/10.2_dbg/sql/signal_handler.cc:343
      #3  <signal handler called>
      #4  ib_vector_size (vec=0x0) at /data/builds/10.2_dbg/storage/innobase/include/ut0vec.ic:118
      #5  fts_sync_write_words (unlock_cache=<optimized out>, index_cache=0x14d690046a10, trx=<optimized out>) at /data/builds/10.2_dbg/storage/innobase/fts/fts0fts.cc:4005
      #6  fts_sync_index (sync=<optimized out>, index_cache=0x14d690046a10) at /data/builds/10.2_dbg/storage/innobase/fts/fts0fts.cc:4107
      #7  0x000056162b81c033 in my_thread_var_dbug () at /data/builds/10.2_dbg/mysys/my_thr_init.c:444
      #8  0x000056162b835054 in code_state () at /data/builds/10.2_dbg/dbug/dbug.c:375
      #9  0x000014d690046680 in ?? ()
      #10 0x0000000000000000 in ?? ()
      

      10.2.37 (Optimized)

      Core was generated by `/test/MD260121-mariadb-10.2.37-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      [Current thread is 1 (Thread 0x14f24e86d700 (LWP 1639811))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x000055a6ea4cd57f in my_write_core (sig=sig@entry=11) at /data/builds/10.2_opt/mysys/stacktrace.c:382
      #2  0x000055a6e9f748a8 in handle_fatal_signal (sig=11) at /data/builds/10.2_opt/sql/signal_handler.cc:343
      #3  <signal handler called>
      #4  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
      #5  0x000055a6ea323b5a in memcpy (__len=18446721043960435969, __src=0x14f20803eb00, __dest=0x14f24e86c560) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
      #6  fts_get_table_name (fts_table=fts_table@entry=0x14f24e86c7f0, table_name=table_name@entry=0x14f24e86c560 "", dict_locked=dict_locked@entry=false) at /data/builds/10.2_opt/storage/innobase/fts/fts0sql.cc:124
      #7  0x000055a6ea30b662 in fts_write_node (trx=0x14f208039390, graph=0x14f2080393f0, fts_table=0x14f24e86c7f0, word=0x14f208057f10, node=0x14f208039900) at /data/builds/10.2_opt/storage/innobase/fts/fts0fts.cc:3857
      #8  0x000055a6ea30b8d5 in fts_sync_write_words (unlock_cache=<optimized out>, index_cache=0x14f208039390, trx=<optimized out>) at /data/builds/10.2_opt/storage/innobase/fts/fts0fts.cc:4023
      #9  fts_sync_index (sync=<optimized out>, index_cache=0x14f208039390) at /data/builds/10.2_opt/storage/innobase/fts/fts0fts.cc:4107
      #10 0x0000000000000000 in ?? ()
      

      10.4.18 e626f511f9dc4faee9ae98fb5a8c8c6ddd06679b (Optimized)

      Core was generated by `/test/MD260121-mariadb-10.4.18-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x000055c0e45b6823 in my_read (Filedes=Filedes@entry=70, 
          Buffer=Buffer@entry=0x14bef8ee22f0 "Limit", ' ' <repeats 21 times>, "Soft Limit", ' ' <repeats 11 times>, "Hard Limit", ' ' <repeats 11 times>, "Units     \nMax cpu time", ' ' <repeats 14 times>, "unlimited", ' ' <repeats 12 times>, "unlimited", ' ' <repeats 12 times>, "seconds   \nMax file size", ' ' <repeats 13 times>, "unlimited       "..., Count=Count@entry=4096, MyFlags=MyFlags@entry=0)
          at /data/builds/10.4_opt/mysys/my_read.c:63
      [Current thread is 1 (Thread 0x14bef8ee4700 (LWP 1644189))]
      (gdb) bt
      #0  0x000055c0e45b6823 in my_read (Filedes=Filedes@entry=70, Buffer=Buffer@entry=0x14bef8ee22f0 "Limit", ' ' <repeats 21 times>, "Soft Limit", ' ' <repeats 11 times>, "Hard Limit", ' ' <repeats 11 times>, "Units     \nMax cpu time", ' ' <repeats 14 times>, "unlimited", ' ' <repeats 12 times>, "unlimited", ' ' <repeats 12 times>, "seconds   \nMax file size", ' ' <repeats 13 times>, "unlimited       "..., Count=Count@entry=4096, MyFlags=MyFlags@entry=0) at /data/builds/10.4_opt/mysys/my_read.c:63
      #1  0x000055c0e3fc870a in output_core_info () at /data/builds/10.4_opt/sql/signal_handler.cc:66
      #2  0x000055c0e3fc8b4e in handle_fatal_signal (sig=11) at /data/builds/10.4_opt/sql/signal_handler.cc:339
      #3  <signal handler called>
      #4  row_merge_fts_doc_tokenize (t_ctx=0x14bef8ee3b90, opt_doc_id_size=<optimized out>, merge_file=<optimized out>, doc=0x14bef8ee3ae0, doc_id=<optimized out>, sort_buf=<optimized out>) at /data/builds/10.4_opt/storage/innobase/row/row0ftsort.cc:586
      #5  fts_parallel_tokenization (arg=<optimized out>) at /data/builds/10.4_opt/storage/innobase/row/row0ftsort.cc:854
      #6  0x0000000000000000 in ?? ()
      

      Note the various errors while reading the backtraces (for example the memcpy with an implausibly large __len in the 10.2.37 optimized trace); this indicates memory corruption rather than a plain NULL dereference.

      Bug confirmed present in:
      MariaDB: 10.2.37 (dbg), 10.2.37 (opt), 10.3.28 (dbg), 10.3.28 (opt), 10.4.18 (dbg), 10.4.18 (opt), 10.5.9 (dbg), 10.5.9 (opt), 10.6.0 (dbg), 10.6.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.33 (dbg), 5.7.33 (opt), 8.0.23 (dbg), 8.0.23 (opt)

            People

            Assignee:
            sanja Oleksandr Byelkin
            Reporter:
            Roel Roel Van de Paar
