Bug
-
Status: Closed
-
Blocker
-
Resolution: Fixed
-
10.5, 10.5.9, 10.2(EOL), 10.3(EOL), 10.4(EOL)
-
Ubuntu 18.04
MariaDB 10.5.9
Description
I used my fuzzing tool to test MariaDB and found a query that makes the server abort (the mysqld process terminates and writes the crash report below). Because the abort is reached through an ordinary DELETE statement, any client that is allowed to run such a DELETE can presumably take the whole server down, so this should be treated as a denial-of-service bug rather than just a crash. Note that the build steps below use WITH_DEBUG=ON, which enables DBUG_ASSERT; whether a release build crashes in the same way or only the debug assertion fires should be confirmed before assessing impact.
Mariadb installation:
1) cd mariadb-10.5.9
2) mkdir build; cd build
3) cmake -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_DEBUG=ON ../
4) make -j8 && sudo make install
How to Repeat:
export ASAN_OPTIONS=detect_leaks=0
/usr/local/mysql/bin/mysqld_safe &
/usr/local/mysql/bin/mysql -uroot -p   (enter the root password at the prompt instead of appending it to -p; a password on the command line ends up in shell history and is visible in the process list)
MariaDB> drop database if exists test_db;
MariaDB> create database test_db;
MariaDB> source fuzz.sql;
I have simplified fuzz.sql to the statements below, which should be enough to reproduce the bug. The abort report (with its stack trace) is attached. Two caveats when reading that report: the symbolized frames do not form a coherent call chain for a DELETE (mi_state_info_read, Item_func_trim_oracle, show_create_view and Rotate_log_event appear in sequence), so the symbol names appear to be mis-resolved and only the raw addresses and the recorded query text should be trusted; and the process ran with "Max core file size 0", so no core file was actually produced despite the "Writing a core file..." line. Raise the core limit (ulimit -c unlimited) before re-running if a core dump is needed.
--fuzz.sql
|
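-- Repro for the server abort in DELETE with a correlated UNION ALL subquery.
-- The statements are the fuzzer output, unchanged apart from stripping the
-- "|" cell delimiters that the issue tracker rendering inserted; keep them
-- as they are, since the exact query shape is what triggers the crash.

-- Base table. The UNIQUE on the primary-key column is redundant but is part
-- of the generated case and is left in place.
create table t_ykc (
  c_l2i8lmdew INTEGER NOT NULL,
  c_axhvkeda INTEGER ,
  primary key(c_l2i8lmdew),
  unique(c_l2i8lmdew)
);

-- Derived table. The WHERE compares the NOT NULL key column with itself using
-- "<", which never holds, so t_c2lhzj gets the three selected columns but no
-- rows.
create table t_c2lhzj as
select
  ref_0.c_l2i8lmdew as c0,
  ref_0.c_l2i8lmdew as c2,
  ref_0.c_l2i8lmdew as c3
from
  t_ykc as ref_0
where ref_0.c_l2i8lmdew < ref_0.c_l2i8lmdew;

-- Rename the key column; the DELETE below refers to it by the new name.
alter table t_ykc rename column c_l2i8lmdew to c_o2btif85c;

-- Three rows. The key expressions are fuzzer-generated arithmetic stored into
-- an INTEGER column (55 << 94 and 65 / 16; presumably 0 and 4 under MariaDB's
-- shift and rounding rules, but the exact values are not what matters here).
insert into t_ykc values
((55 << 94), (84 + 5)),
((65 / 16), 9),
(31, 76);

-- The statement that aborts the server (see "Query (...)" in the crash
-- report): a DELETE whose WHERE compares the key with a subquery built from
-- a UNION ALL of two SELECT DISTINCT branches, both of which reference the
-- outer t_ykc row; the first branch cross-joins the empty derived table with
-- itself, the second filters on a condition over the outer row only.
delete from t_ykc
where
t_ykc.c_o2btif85c = (
  select distinct
    t_ykc.c_o2btif85c as c0
  from
    (t_c2lhzj as ref_0
     cross join t_c2lhzj as ref_1
    )
  union all
  select distinct
    52 as c0
  from
    t_c2lhzj as ref_2
  where t_ykc.c_o2btif85c >= t_ykc.c_o2btif85c);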
abortion_report.txt |
This could be because you hit a bug. It is also possible that this binary
|
or one of the libraries it was linked against is corrupt, improperly built,
|
or misconfigured. This error can also be caused by malfunctioning hardware.
|
|
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
|
|
We will try our best to scrape up some info that will hopefully help
|
diagnose the problem, but since we have already crashed,
|
something is definitely wrong and this may fail.
|
|
Server version: 10.5.9-MariaDB
|
key_buffer_size=134217728
|
read_buffer_size=131072
|
max_used_connections=2
|
max_threads=153
|
thread_count=2
|
It is possible that mysqld could use up to
|
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467864 K bytes of memory
|
Hope that's ok; if not, decrease some variables in the equation.
|
|
Thread pointer: 0x62b0003aa218
|
Attempting backtrace. You can use the following information to find out
|
where mysqld died. If you see no messages after this, something went
|
terribly wrong...
|
stack_bottom = 0x7f5164121600 thread_stack 0x5fc00
|
/usr/local/mysql/bin/mariadbd(__interceptor_backtrace+0x5b)[0x917bfb]
|
:0(mi_state_info_read)[0x6ad5ad8]
|
sql/sql_yacc.cc:46457(MYSQLparse(THD*))[0x2beef02]
|
sigaction.c:0(__restore_rt)[0x7f518fcf13c0]
|
sql/sql_parse.cc:0(execute_sqlcom_select(THD*, TABLE_LIST*))[0x17847aa]
|
sql/sql_lex.cc:11194(LEX::stmt_alter_procedure_start(sp_name*))[0x1656121]
|
sql/sql_parse.cc:6294(execute_sqlcom_select(THD*, TABLE_LIST*))[0x17877dd]
|
??:0(Item_func_trim_oracle::Item_func_trim_oracle(THD*, Item*, Item*))[0x1687930]
|
sql/item_cmpfunc.h:3452(Item_func_cursor_isopen)[0x167fc53]
|
sql/sql_explain.h:350(Explain_union)[0x1676897]
|
sql/sql_select.cc:9737(best_extension_by_limited_search(JOIN*, unsigned long long, unsigned int, double, double, unsigned int, unsigned int, unsigned int))[0x1c19a34]
|
??:0(cmp_item_int::cmp(Item*))[0x33658c1]
|
??:0(Item_func_in::mark_as_condition_AND_part(TABLE_LIST*))[0x32f5c99]
|
??:0(Item_cond_and::val_int())[0x33080b9]
|
sql/field.cc:5397(Field_timestamp::val_str(String*, String*))[0x2e73cef]
|
sql/field.h:3309(Field_timestamp_hires::size_of() const)[0x2f4f45a]
|
??:0(Field_time0::get_date(st_mysql_time*, date_mode_t))[0x2e96d3a]
|
sql_show.cc:0(show_create_view(THD*, TABLE_LIST*, String*))[0x1cca61c]
|
??:0(Rotate_log_event::do_update_pos(rpl_group_info*))[0x3b1d4b5]
|
??:0(Load_log_event::do_apply_event(st_net*, rpl_group_info*, bool))[0x3b136ce]
|
??:0(THD::THD(unsigned long long, bool))[0x1355914]
|
??:0(Query_cache::store_query(THD*, TABLE_LIST*))[0x1308593]
|
??:0(Query_cache::lock_and_suspend())[0x12f7243]
|
??:0(Query_cache::is_cacheable(THD*, LEX*, TABLE_LIST*, unsigned char*))[0x130cd19]
|
??:0(st_select_lex_unit::cleanup())[0x2023c1d]
|
??:0(st_select_lex_unit::cleanup())[0x202215d]
|
maria/ma_write.c:402(maria_write)[0x46e90f3]
|
nptl/pthread_create.c:478(start_thread)[0x7f518fce5609]
|
??:0(clone)[0x7f518f057293]
|
|
Trying to get some variables.
|
Some pointers may be invalid and cause the dump to abort.
|
Query (0x62b0003b1238): delete from t_ykc
|
where
|
t_ykc.c_o2btif85c = (
|
select distinct
|
t_ykc.c_o2btif85c as c0
|
from
|
(t_c2lhzj as ref_0
|
cross join t_c2lhzj as ref_1
|
)
|
union all
|
select distinct
|
52 as c0
|
from
|
t_c2lhzj as ref_2
|
where t_ykc.c_o2btif85c >= t_ykc.c_o2btif85c)
|
|
Connection ID (thread ID): 171
|
Status: NOT_KILLED
|
|
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
|
|
The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
|
information that should help you find out what is causing the crash.
|
Writing a core file...
|
Working directory at /usr/local/mysql/data
|
Resource Limits:
|
Limit Soft Limit Hard Limit Units
|
Max cpu time unlimited unlimited seconds
|
Max file size unlimited unlimited bytes
|
Max data size unlimited unlimited bytes
|
Max stack size 8388608 unlimited bytes
|
Max core file size 0 0 bytes
|
Max resident set unlimited unlimited bytes
|
Max processes 79624 79624 processes
|
Max open files 1048576 1048576 files
|
Max locked memory 67108864 67108864 bytes
|
Max address space unlimited unlimited bytes
|
Max file locks unlimited unlimited locks
|
Max pending signals 79624 79624 signals
|
Max msgqueue size 819200 819200 bytes
|
Max nice priority 0 0
|
Max realtime priority 0 0
|
Max realtime timeout unlimited unlimited us
|
Core pattern: core
|
|
Issue Links
- relates to
-
MDEV-25636 Bug report: abortion in sql/sql_parse.cc:6294
- Closed
-
MDEV-28945 SIGSEGV in AGGR_OP::put_record and Assertion `aggr != __null' failed in sub_select_postjoin_aggr
- Closed