  2. MDEV-25158

SIGSEGV in hp_rec_key_cmp and Assertion `curr_op_type != INTERSECT_ALL' failed on SELECT ... UNION SELECT, ASAN heap-use-after-free in ha_heap::find_unique_row


Details

    Description

      SET SQL_MODE='ORACLE';
      CREATE TABLE t (c CHAR(1)) ENGINE=InnoDB;
      INSERT INTO t VALUES(0), (1), (1), (1), (1);
      SELECT * FROM t UNION SELECT * FROM t INTERSECT ALL SELECT * FROM t;
      

      Leads to:

      10.6.0 8dd35a2507f8d63ca8df9335d2c6072d5c0e3b86 (Optimized)

      Core was generated by `/test/MD160321-mariadb-10.6.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      [Current thread is 1 (Thread 0x14b8807b0700 (LWP 3114391))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x000055d2d41af26f in my_write_core (sig=sig@entry=11) at /test/10.6_opt/mysys/stacktrace.c:424
      #2  0x000055d2d3c2a5e0 in handle_fatal_signal (sig=11) at /test/10.6_opt/sql/signal_handler.cc:331
      #3  <signal handler called>
      #4  0x000055d2d3f3c29f in hp_rec_key_cmp (keydef=keydef@entry=0x14b82804d9c8, rec1=0x3 <error: Cannot access memory at address 0x3>, rec2=rec2@entry=0x14b82804cd58 "\377\376") at /test/10.6_opt/storage/heap/hp_hash.c:389
      #5  0x000055d2d3f3a557 in ha_heap::find_unique_row (this=0x14b82804cec0, record=0x14b82804cd58 "\377\376", unique_idx=<optimized out>) at /test/10.6_opt/storage/heap/ha_heap.cc:813
      #6  0x000055d2d3ad3f83 in select_unit_ext::send_data (this=0x14b828013a38, values=<optimized out>) at /test/10.6_opt/sql/sql_union.cc:670
      #7  0x000055d2d3a72b5e in select_result_sink::send_data_with_check (u=<optimized out>, sent=<optimized out>, items=@0x14b828012d70: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14b8280131e8, last = 0x14b8280131e8, elements = 1}, <No data fields>}, this=<optimized out>) at /test/10.6_opt/sql/sql_class.h:5554
      #8  select_result_sink::send_data_with_check (sent=<optimized out>, u=<optimized out>, items=@0x14b828012d70: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14b8280131e8, last = 0x14b8280131e8, elements = 1}, <No data fields>}, this=<optimized out>) at /test/10.6_opt/sql/sql_class.h:5544
      #9  end_send (join=0x14b828014a28, join_tab=0x14b828051be8, end_of_records=<optimized out>) at /test/10.6_opt/sql/sql_select.cc:21952
      #10 0x000055d2d3a4a9de in evaluate_join_record (join=0x14b828014a28, join_tab=0x14b828051838, error=<optimized out>) at /test/10.6_opt/sql/sql_select.cc:20975
      #11 0x000055d2d3a5bb9b in sub_select (end_of_records=false, join_tab=0x14b828051838, join=0x14b828014a28) at /test/10.6_opt/sql/sql_select.cc:20752
      #12 sub_select (join=0x14b828014a28, join_tab=0x14b828051838, end_of_records=false) at /test/10.6_opt/sql/sql_select.cc:20681
      #13 0x000055d2d3a898c2 in do_select (procedure=<optimized out>, join=0x14b828014a28) at /test/10.6_opt/sql/sql_select.cc:20299
      #14 JOIN::exec_inner (this=0x14b828014a28) at /test/10.6_opt/sql/sql_select.cc:4477
      #15 0x000055d2d3a89c78 in JOIN::exec (this=0x14b828014a28) at /test/10.6_opt/sql/sql_select.cc:4257
      #16 0x000055d2d3ad6edc in st_select_lex_unit::exec (this=0x14b828004c70) at /test/10.6_opt/sql/sql_union.cc:2235
      #17 0x000055d2d3adaf18 in mysql_union (thd=thd@entry=0x14b828000c58, lex=lex@entry=0x14b828004ba8, result=result@entry=0x14b828013a10, unit=unit@entry=0x14b828004c70, setup_tables_done_option=<optimized out>) at /test/10.6_opt/sql/sql_union.cc:41
      #18 0x000055d2d3a884da in handle_select (thd=thd@entry=0x14b828000c58, lex=lex@entry=0x14b828004ba8, result=result@entry=0x14b828013a10, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.6_opt/sql/sql_select.cc:407
      #19 0x000055d2d3a18e8e in execute_sqlcom_select (thd=0x14b828000c58, all_tables=0x14b828010ba8) at /test/10.6_opt/sql/sql_parse.cc:6230
      #20 0x000055d2d3a26de7 in mysql_execute_command (thd=0x14b828000c58) at /test/10.6_opt/sql/sql_parse.cc:3926
      #21 0x000055d2d3a13dc4 in mysql_parse (thd=0x14b828000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.6_opt/sql/sql_parse.cc:7998
      #22 0x000055d2d3a1fd2d in dispatch_command (command=COM_QUERY, thd=0x14b828000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.6_opt/sql/sql_class.h:1318
      #23 0x000055d2d3a21db6 in do_command (thd=0x14b828000c58, blocking=blocking@entry=true) at /test/10.6_opt/sql/sql_parse.cc:1397
      #24 0x000055d2d3b24557 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/10.6_opt/sql/sql_connect.cc:1410
      #25 0x000055d2d3b248bd in handle_one_connection (arg=arg@entry=0x55d2d62dc148) at /test/10.6_opt/sql/sql_connect.cc:1312
      #26 0x000055d2d3ea4f97 in pfs_spawn_thread (arg=0x55d2d6257f68) at /test/10.6_opt/storage/perfschema/pfs.cc:2201
      #27 0x000014b884831609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #28 0x000014b884420293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.5.10 031b3dfc22c3d37769d49da902401b26a24f12b4 (Optimized)

      Core was generated by `/test/MD160321-mariadb-10.5.10-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      [Current thread is 1 (Thread 0x154928a62700 (LWP 3115332))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x000056359cf64fdf in my_write_core (sig=sig@entry=11) at /test/10.5_opt/mysys/stacktrace.c:424
      #2  0x000056359c985820 in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:331
      #3  <signal handler called>
      #4  0x000056359cca227f in hp_rec_key_cmp (keydef=keydef@entry=0x1548ec04ec28, rec1=0x3 <error: Cannot access memory at address 0x3>, rec2=rec2@entry=0x1548ec04dfb8 "\377\376") at /test/10.5_opt/storage/heap/hp_hash.c:389
      #5  0x000056359cca0537 in ha_heap::find_unique_row (this=0x1548ec04e120, record=0x1548ec04dfb8 "\377\376", unique_idx=<optimized out>) at /test/10.5_opt/storage/heap/ha_heap.cc:813
      #6  0x000056359c8292f3 in select_unit_ext::send_data (this=0x1548ec013978, values=<optimized out>) at /test/10.5_opt/sql/sql_union.cc:670
      #7  0x000056359c7c710e in select_result_sink::send_data_with_check (u=<optimized out>, sent=<optimized out>, items=@0x1548ec012cb0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1548ec013128, last = 0x1548ec013128, elements = 1}, <No data fields>}, this=<optimized out>) at /test/10.5_opt/sql/sql_class.h:5328
      #8  select_result_sink::send_data_with_check (sent=<optimized out>, u=<optimized out>, items=@0x1548ec012cb0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1548ec013128, last = 0x1548ec013128, elements = 1}, <No data fields>}, this=<optimized out>) at /test/10.5_opt/sql/sql_class.h:5318
      #9  end_send (join=0x1548ec014968, join_tab=0x1548ec052de8, end_of_records=<optimized out>) at /test/10.5_opt/sql/sql_select.cc:21973
      #10 0x000056359c79edd0 in evaluate_join_record (join=join@entry=0x1548ec014968, join_tab=join_tab@entry=0x1548ec052a40, error=<optimized out>) at /test/10.5_opt/sql/sql_select.cc:21004
      #11 0x000056359c7aff6b in sub_select (end_of_records=false, join_tab=0x1548ec052a40, join=0x1548ec014968) at /test/10.5_opt/sql/sql_select.cc:20781
      #12 sub_select (join=0x1548ec014968, join_tab=0x1548ec052a40, end_of_records=false) at /test/10.5_opt/sql/sql_select.cc:20710
      #13 0x000056359c7de372 in do_select (procedure=<optimized out>, join=0x1548ec014968) at /test/10.5_opt/sql/sql_select.cc:20315
      #14 JOIN::exec_inner (this=0x1548ec014968) at /test/10.5_opt/sql/sql_select.cc:4467
      #15 0x000056359c7de728 in JOIN::exec (this=0x1548ec014968) at /test/10.5_opt/sql/sql_select.cc:4247
      #16 0x000056359c82c36c in st_select_lex_unit::exec (this=0x1548ec004c48) at /test/10.5_opt/sql/sql_union.cc:2235
      #17 0x000056359c8303a8 in mysql_union (thd=thd@entry=0x1548ec000c58, lex=lex@entry=0x1548ec004b80, result=result@entry=0x1548ec013950, unit=unit@entry=0x1548ec004c48, setup_tables_done_option=<optimized out>) at /test/10.5_opt/sql/sql_union.cc:41
      #18 0x000056359c7dcf8a in handle_select (thd=thd@entry=0x1548ec000c58, lex=lex@entry=0x1548ec004b80, result=result@entry=0x1548ec013950, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_opt/sql/sql_select.cc:407
      #19 0x000056359c76bc0e in execute_sqlcom_select (thd=0x1548ec000c58, all_tables=0x1548ec010ae8) at /test/10.5_opt/sql/sql_parse.cc:6308
      #20 0x000056359c77a348 in mysql_execute_command (thd=0x1548ec000c58) at /test/10.5_opt/sql/sql_parse.cc:4004
      #21 0x000056359c7667f6 in mysql_parse (thd=thd@entry=0x1548ec000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x154928a61420, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:8089
      #22 0x000056359c772f97 in dispatch_command (command=COM_QUERY, thd=0x1548ec000c58, packet=0x1548ec008059 "SELECT * FROM t UNION SELECT * FROM t INTERSECT ALL SELECT * FROM t", packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_class.h:1257
      #23 0x000056359c7753ba in do_command (thd=0x1548ec000c58) at /test/10.5_opt/sql/sql_parse.cc:1370
      #24 0x000056359c87aac1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56359fe24c38, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1410
      #25 0x000056359c87af3d in handle_one_connection (arg=arg@entry=0x56359fe24c38) at /test/10.5_opt/sql/sql_connect.cc:1312
      #26 0x000056359cc09077 in pfs_spawn_thread (arg=0x56359fda2028) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
      #27 0x000015493edd1609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #28 0x000015493e9c0293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.5.10 (opt), 10.6.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.2.38 (opt), 10.3.29 (opt), 10.4.19 (opt)

            People

              sanja Oleksandr Byelkin
              ramesh Ramesh Sivaraman