Details
-
Bug
-
Status: Closed (View Workflow)
-
Blocker
-
Resolution: Fixed
-
10.5.9, 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5
-
Ubuntu 18.04
MariaDB 10.5.9
Description
I used my fuzzing tool to test Mariadb , and found a bug that can result in an abortion.
Mariadb installation:
1) cd mariadb-10.5.9
2) mkdir build; cd build
3) cmake -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_DEBUG=ON ../
4) make -j8 && sudo make install
How to Repeat:
export ASAN_OPTIONS=detect_leaks=0
/usr/local/mysql/bin/mysqld_safe &
/usr/local/mysql/bin/mysql -uroot -p123456(your password)
MariaDB> drop database if exists test_db;
MariaDB> create database test_db;
MariaDB> source fuzz.sql;
I have simplified the content of fuzz.sql, and I hope fuzz.sql can help you reproduce the bug and fix it. In addition, I attach the abortion report (which has its stack trace).
--fuzz.sql
|
create table t_ykc ( |
c_l2i8lidec INTEGER , |
c_iv TEXT ,
|
c_mp TEXT ,
|
primary key(c_l2i8lidec), |
unique(c_l2i8lidec), |
check((t_ykc.c_l2i8lidec <= case when t_ykc.c_l2i8lidec in ( |
t_ykc.c_l2i8lidec, t_ykc.c_l2i8lidec) then t_ykc.c_l2i8lidec else t_ykc.c_l2i8lidec end |
)
|
or (t_ykc.c_iv like 'cfirh%e' AND t_ykc.c_l2i8lidec < t_ykc.c_l2i8lidec)) |
);
|
|
|
create view t_wk as |
select |
subq_0.c2 as c1, |
subq_0.c4 as c2, |
subq_0.c1 as c3, |
subq_0.c4 as c4, |
subq_0.c0 as c5, |
11 as c6, |
subq_0.c3 as c7, |
(subq_0.c0 / subq_0.c1) as c8, |
subq_0.c2 as c9, |
(subq_0.c0 + subq_0.c3) as c10 |
from |
(select |
ref_0.c_l2i8lidec as c0, |
ref_0.c_l2i8lidec as c1, |
ref_0.c_iv as c2, |
ref_0.c_l2i8lidec as c3, |
ref_0.c_l2i8lidec as c4, |
ref_0.c_l2i8lidec as c5 |
from |
t_ykc as ref_0 |
where ((select min(c_l2i8lidec) from t_ykc) |
between ref_0.c_l2i8lidec and ref_0.c_l2i8lidec) |
or (ref_0.c_l2i8lidec < ref_0.c_l2i8lidec) |
order by c0, c1, c2, c3, -c4, c5 asc) as subq_0 |
where subq_0.c2 not like 'rpch%4go' |
order by c1, c2, c3, c4, c5, -c6, c7, c8, c9, c10 desc; |
|
|
WITH |
jennifer_0 AS (select |
subq_0.c4 as c6 |
from |
((select |
11 as c4 |
from |
t_wk as ref_0 |
) as subq_0 |
left outer join t_wk as ref_2 |
on (11 <> 19)) |
)
|
select |
subq_2.c2 as c4 |
from |
(select distinct |
61 as c2 |
from |
t_ykc as ref_13 |
) as subq_2 |
;
|
|
abortion_report.txt |
This could be because you hit a bug. It is also possible that this binary
|
or one of the libraries it was linked against is corrupt, improperly built,
|
or misconfigured. This error can also be caused by malfunctioning hardware.
|
|
|
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
|
|
|
We will try our best to scrape up some info that will hopefully help
|
diagnose the problem, but since we have already crashed,
|
something is definitely wrong and this may fail.
|
|
|
Server version: 10.5.9-MariaDB
|
key_buffer_size=134217728
|
read_buffer_size=131072
|
max_used_connections=2
|
max_threads=153
|
thread_count=2
|
It is possible that mysqld could use up to
|
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467864 K bytes of memory
|
Hope that's ok; if not, decrease some variables in the equation.
|
|
|
Thread pointer: 0x62b00007e218
|
Attempting backtrace. You can use the following information to find out
|
where mysqld died. If you see no messages after this, something went
|
terribly wrong...
|
stack_bottom = 0x7f26a2226600 thread_stack 0x5fc00
|
/usr/local/mysql/bin/mariadbd(__interceptor_backtrace+0x5b)[0x917bfb]
|
:0(mi_state_info_read)[0x6ad5ad8]
|
sql/sql_yacc.cc:46457(MYSQLparse(THD*))[0x2beef02]
|
sigaction.c:0(__restore_rt)[0x7f26c1a133c0]
|
sql/protocol.h:0(Protocol_text)[0xe8530c]
|
sql/sql_lex.cc:1164(Lex_input_stream::add_digest_token(unsigned int, YYSTYPE*))[0x1567533]
|
sql/sql_parse.cc:8709(st_select_lex::add_cross_joined_table(TABLE_LIST*, TABLE_LIST*, bool))[0x17aeebc]
|
??:0(Lex_input_stream::body_utf8_append(char const*, char const*))[0x1564878]
|
sql/sql_lex.cc:120(sp_expr_lex::case_stmt_action_when(bool))[0x155372f]
|
sql_select.cc:0(change_cond_ref_to_const(THD*, I_List<COND_CMP>*, Item*, Item*, Item_bool_func2*, Item*, Item*))[0x1c45226]
|
sql_select.cc:0(trace_table_dependencies(THD*, st_join_table*, unsigned int))[0x1c05a9e]
|
??:0(JOIN_CACHE::create_remaining_fields())[0x260f8eb]
|
??:0(JOIN_CACHE::create_remaining_fields())[0x260ee4d]
|
??:0(LEX::create_item_for_sp_var(Lex_ident_cli_st const*, sp_variable*))[0x15571b6]
|
??:0(select_create::abort_result_set())[0x1536385]
|
sql/sql_insert.cc:5068(select_create::abort_result_set())[0x1534614]
|
sql/sql_class.cc:2550(THD::make_string_literal_charset(Lex_string_with_metadata_st const&, charset_info_st const*))[0x1386f2f]
|
sql/sql_cache.cc:4324(Query_cache::move_by_type(unsigned char**, Query_cache_block**, unsigned long*, Query_cache_block*))[0x133cf2d]
|
??:0(Query_cache::store_query(THD*, TABLE_LIST*))[0x1308593]
|
??:0(Query_cache::lock_and_suspend())[0x12f7243]
|
??:0(Query_cache::is_cacheable(THD*, LEX*, TABLE_LIST*, unsigned char*))[0x130cd19]
|
??:0(st_select_lex_unit::cleanup())[0x2023c1d]
|
??:0(st_select_lex_unit::cleanup())[0x202215d]
|
maria/ma_write.c:402(maria_write)[0x46e90f3]
|
nptl/pthread_create.c:478(start_thread)[0x7f26c1a07609]
|
??:0(clone)[0x7f26c0d79293]
|
|
|
Trying to get some variables.
|
Some pointers may be invalid and cause the dump to abort.
|
Query (0x62b000085238): WITH
|
jennifer_0 AS (select
|
subq_0.c4 as c6
|
from
|
((select
|
11 as c4
|
from
|
t_wk as ref_0
|
) as subq_0
|
left outer join t_wk as ref_2
|
on (11 <> 19))
|
)
|
select
|
subq_2.c2 as c4
|
from
|
(select distinct
|
61 as c2
|
from
|
t_ykc as ref_13
|
) as subq_2
|
|
|
Connection ID (thread ID): 637
|
Status: NOT_KILLED
|
|
|
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
|
|
|
The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
|
information that should help you find out what is causing the crash.
|
Writing a core file...
|
Working directory at /usr/local/mysql/data
|
Resource Limits:
|
Limit Soft Limit Hard Limit Units
|
Max cpu time unlimited unlimited seconds
|
Max file size unlimited unlimited bytes
|
Max data size unlimited unlimited bytes
|
Max stack size 8388608 unlimited bytes
|
Max core file size 0 0 bytes
|
Max resident set unlimited unlimited bytes
|
Max processes 79624 79624 processes
|
Max open files 1048576 1048576 files
|
Max locked memory 67108864 67108864 bytes
|
Max address space unlimited unlimited bytes
|
Max file locks unlimited unlimited locks
|
Max pending signals 79624 79624 signals
|
Max msgqueue size 819200 819200 bytes
|
Max nice priority 0 0
|
Max realtime priority 0 0
|
Max realtime timeout unlimited unlimited us
|
Core pattern: core
|
|
Attachments
Issue Links
- relates to
-
-
- Closed
-
- links to