[MDEV-25632] Bug report: abortion in sql/sql_plugin.cc:1204 - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Duplicate
Affects Version/s: 10.5.9
Fix Version/s: N/A
Component/s: Optimizer
Labels:
- crash
Environment:
Ubuntu 18.04
MariaDB 10.5.9

Description

I used my fuzzing tool to test Mariadb , and found a bug that can result in an abortion.

Mariadb installation：
1) cd mariadb-10.5.9
2) mkdir build; cd build
3) cmake -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_DEBUG=ON ../
4) make -j8 && sudo make install

How to Repeat:
export ASAN_OPTIONS=detect_leaks=0
/usr/local/mysql/bin/mysqld_safe &
/usr/local/mysql/bin/mysql -uroot -p123456(your password)
MariaDB> drop database if exists test_db;
MariaDB> create database test_db;
MariaDB> source fuzz.sql;

I have simplified the content of fuzz.sql, and I hope fuzz.sql can help you reproduce the bug and fix it. In addition, I attach the abortion report (which has its stack trace).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

fuzz.sql
0.8 kB
2021-05-10 08:40
abortion_report.txt
7 kB
2021-05-10 08:41

Issue Links

duplicates

MDEV-25643 Assertion `table->no_keyread || !table->covering_keys.is_set(tab->index) || table->file->keyread == tab->index' failed in join_read_first

Closed

Activity

Ascending order - Click to sort in descending order

Zuming Jiang created issue - 2021-05-10 08:41

Alice Sherepa made changes - 2021-05-10 14:44

Field	Original Value	New Value
Link		This issue duplicates ~~MDEV-25643~~ [ ~~MDEV-25643~~ ]

Alice Sherepa added a comment - 2021-05-10 14:45

the same bug as ~~MDEV-25643~~

Version: '10.5.10-MariaDB-debug-log'

mariadbd: 10.5/src/sql/sql_select.cc:21824: int join_read_first(JOIN_TAB*): Assertion `table->no_keyread || !table->covering_keys.is_set(tab->index) || table->file->keyread == tab->index' failed.

210510 16:43:16 [ERROR] mysqld got signal 6 ;

Server version: 10.5.10-MariaDB-debug-log

sigaction.c:0(__restore_rt)[0x7fc8a6bd83c0]

linux/raise.c:51(__GI_raise)[0x7fc8a66c418b]

stdlib/abort.c:81(__GI_abort)[0x7fc8a66a3859]

intl/loadmsgcat.c:509(get_sysdep_segment_value)[0x7fc8a66a3729]

:0(__GI___assert_fail)[0x7fc8a66b4f36]

sql/sql_select.cc:21827(join_read_first(st_join_table*))[0x55d3891625eb]

sql/sql_select.cc:20822(sub_select(JOIN*, st_join_table*, bool))[0x55d38915ad17]

sql/sql_select.cc:20359(do_select(JOIN*, Procedure*))[0x55d389158a46]

sql/sql_select.cc:4505(JOIN::exec_inner())[0x55d3890e3a8a]

sql/sql_select.cc:4286(JOIN::exec())[0x55d3890e1070]

sql/sql_union.cc:2236(st_select_lex_unit::exec())[0x55d38930d7e3]

sql/item_subselect.cc:4103(subselect_union_engine::exec())[0x55d389aa7ce9]

sql/item_subselect.cc:834(Item_subselect::exec())[0x55d389a8213f]

sql/item_subselect.cc:1441(Item_singlerow_subselect::val_int())[0x55d389a87ec8]

sql/item.h:1571(Item::val_int_result())[0x55d388d35864]

sql/item.cc:9917(Item_cache_int::cache_value())[0x55d3898ed847]

sql/item.cc:8704(Item_cache_wrapper::cache())[0x55d389903866]

sql/item.cc:8758(Item_cache_wrapper::val_int())[0x55d3898e2c01]

sql/item_cmpfunc.cc:942(Arg_comparator::compare_int_signed())[0x55d3899166e6]

sql/item_cmpfunc.h:102(Arg_comparator::compare())[0x55d38995a7ee]

sql/item_cmpfunc.cc:1775(Item_func_eq::val_int())[0x55d38992057d]

sql/sql_select.cc:20923(evaluate_join_record(JOIN*, st_join_table*, int))[0x55d38915bc09]

sql/sql_select.cc:20864(sub_select(JOIN*, st_join_table*, bool))[0x55d38915b545]

sql/sql_select.cc:20359(do_select(JOIN*, Procedure*))[0x55d389158a46]

sql/sql_select.cc:4505(JOIN::exec_inner())[0x55d3890e3a8a]

sql/sql_select.cc:4286(JOIN::exec())[0x55d3890e1070]

sql/sql_select.cc:4763(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55d3890e54c7]

sql/sql_select.cc:443(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55d3890b6653]

sql/sql_parse.cc:6313(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55d38901cf52]

sql/sql_parse.cc:4009(mysql_execute_command(THD*))[0x55d38900bf7c]

sql/sql_parse.cc:8099(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55d389028342]

sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55d388ffe03a]

sql/sql_parse.cc:1370(do_command(THD*))[0x55d388ffa985]

sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x55d389457834]

sql/sql_connect.cc:1314(handle_one_connection)[0x55d389457198]

perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55d38a1c6661]

nptl/pthread_create.c:478(start_thread)[0x7fc8a6bcc609]

x86_64/clone.S:97(__GI___clone)[0x7fc8a67a0293]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x6160008b2fb0): select

ref_4.c_fd1o2a as c9

from

t_eid as ref_4

where ref_4.c_s = (

select distinct

(select c_s from t_eid order by c_s limit 1 offset 1)

as c0

from

t_eid as ref_5

where (ref_4.c_m between (select c_s from t_eid order by c_s limit 1 offset 5)

and ref_4.c_s)

or (1=1)

union

select

ref_6.c_s as c0

from

t_eid as ref_6

where ((select c_s from t_eid order by c_s limit 1 offset 5) <> ref_4.c_m)

Alice Sherepa added a comment - 2021-05-10 14:45 the same bug as MDEV-25643 Version: '10.5.10-MariaDB-debug-log' mariadbd: 10.5/src/sql/sql_select.cc:21824: int join_read_first(JOIN_TAB*): Assertion `table->no_keyread || !table->covering_keys.is_set(tab->index) || table->file->keyread == tab->index' failed. 210510 16:43:16 [ERROR] mysqld got signal 6 ; Server version: 10.5.10-MariaDB-debug-log sigaction.c:0(__restore_rt)[0x7fc8a6bd83c0] linux/raise.c:51(__GI_raise)[0x7fc8a66c418b] stdlib/abort.c:81(__GI_abort)[0x7fc8a66a3859] intl/loadmsgcat.c:509(get_sysdep_segment_value)[0x7fc8a66a3729] :0(__GI___assert_fail)[0x7fc8a66b4f36] sql/sql_select.cc:21827(join_read_first(st_join_table*))[0x55d3891625eb] sql/sql_select.cc:20822(sub_select(JOIN*, st_join_table*, bool))[0x55d38915ad17] sql/sql_select.cc:20359(do_select(JOIN*, Procedure*))[0x55d389158a46] sql/sql_select.cc:4505(JOIN::exec_inner())[0x55d3890e3a8a] sql/sql_select.cc:4286(JOIN::exec())[0x55d3890e1070] sql/sql_union.cc:2236(st_select_lex_unit::exec())[0x55d38930d7e3] sql/item_subselect.cc:4103(subselect_union_engine::exec())[0x55d389aa7ce9] sql/item_subselect.cc:834(Item_subselect::exec())[0x55d389a8213f] sql/item_subselect.cc:1441(Item_singlerow_subselect::val_int())[0x55d389a87ec8] sql/item.h:1571(Item::val_int_result())[0x55d388d35864] sql/item.cc:9917(Item_cache_int::cache_value())[0x55d3898ed847] sql/item.cc:8704(Item_cache_wrapper::cache())[0x55d389903866] sql/item.cc:8758(Item_cache_wrapper::val_int())[0x55d3898e2c01] sql/item_cmpfunc.cc:942(Arg_comparator::compare_int_signed())[0x55d3899166e6] sql/item_cmpfunc.h:102(Arg_comparator::compare())[0x55d38995a7ee] sql/item_cmpfunc.cc:1775(Item_func_eq::val_int())[0x55d38992057d] sql/sql_select.cc:20923(evaluate_join_record(JOIN*, st_join_table*, int))[0x55d38915bc09] sql/sql_select.cc:20864(sub_select(JOIN*, st_join_table*, bool))[0x55d38915b545] sql/sql_select.cc:20359(do_select(JOIN*, Procedure*))[0x55d389158a46] sql/sql_select.cc:4505(JOIN::exec_inner())[0x55d3890e3a8a] sql/sql_select.cc:4286(JOIN::exec())[0x55d3890e1070] sql/sql_select.cc:4763(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55d3890e54c7] sql/sql_select.cc:443(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55d3890b6653] sql/sql_parse.cc:6313(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55d38901cf52] sql/sql_parse.cc:4009(mysql_execute_command(THD*))[0x55d38900bf7c] sql/sql_parse.cc:8099(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55d389028342] sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55d388ffe03a] sql/sql_parse.cc:1370(do_command(THD*))[0x55d388ffa985] sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x55d389457834] sql/sql_connect.cc:1314(handle_one_connection)[0x55d389457198] perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55d38a1c6661] nptl/pthread_create.c:478(start_thread)[0x7fc8a6bcc609] x86_64/clone.S:97(__GI___clone)[0x7fc8a67a0293] Trying to get some variables. Some pointers may be invalid and cause the dump to abort. Query (0x6160008b2fb0): select ref_4.c_fd1o2a as c9 from t_eid as ref_4 where ref_4.c_s = ( select distinct (select c_s from t_eid order by c_s limit 1 offset 1) as c0 from t_eid as ref_5 where (ref_4.c_m between (select c_s from t_eid order by c_s limit 1 offset 5) and ref_4.c_s) or (1=1) union select ref_6.c_s as c0 from t_eid as ref_6 where ((select c_s from t_eid order by c_s limit 1 offset 5) <> ref_4.c_m) )

Alice Sherepa made changes - 2021-05-10 14:45

Component/s		Optimizer [ 10200 ]
Fix Version/s		N/A [ 14700 ]
Resolution		Duplicate [ 3 ]
Status	Open [ 1 ]	Closed [ 6 ]

Sergei Golubchik made changes - 2021-05-14 11:49

Epic/Theme

server

Sergei Golubchik made changes - 2021-05-14 11:49

Component/s

Query Cache [ 10120 ]

Sergei Golubchik made changes - 2021-12-06 21:53

Workflow

MariaDB v3 [ 121710 ]

MariaDB v4 [ 159255 ]

People

Assignee:: Unassigned

Reporter:: Zuming Jiang

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2021-05-10 08:41

Updated:: 2021-05-14 11:49

Resolved:: 2021-05-10 14:45

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Git Integration