MariaDB Server
MDEV-26280

MariaDB server crash at my_decimal::operator=


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 10.6.0, 10.6.1, 10.6.2, 10.6.3
    • Fix Version/s: N/A
    • Component/s: Optimizer
    • Environment: Linux 5.4.0-39-generic #43-Ubuntu SMP Fri Jun 19 10:28:31 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

    Description

      Steps to reproduce:

      CREATE TABLE v0 ( v1 INTEGER UNIQUE , v2 INT UNIQUE ) ;
      INSERT INTO v0 ( v2 , v1 ) VALUES ( 26 , 8 ) ;
      UPDATE v0 SET v1 = CASE 41219694.000000 WHEN 0 THEN 'x' WHEN 'x' THEN 'x' END ORDER BY v1 , ( SELECT 25027969.000000 UNION SELECT 0 UNION SELECT -1 ) , v2 DESC , v2 , v1 ;
      

      Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.
      Program terminated with signal SIGSEGV, Segmentation fault.

      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      56	../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.
      [Current thread is 1 (Thread 0x7f62f009b700 (LWP 166191))]
      gdb-peda$ bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x000055fcfb78307f in my_write_core (sig=sig@entry=0xb)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424
      #2  0x000055fcfb107f80 in handle_fatal_signal (sig=0xb)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344
      #3  <signal handler called>
      #4  0x000055fcfb26d753 in my_decimal::operator= (rhs=..., this=0x7f62f0099560)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/my_decimal.h:353
      #5  my_decimal2decimal (to=0x7f62f0099560, from=0x0)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/my_decimal.h:353
      #6  my_decimal::to_binary (this=0x0, bin=bin@entry=0x7f61f8192e8d "\177", prec=0xf, scale=0x6,
          mask=mask@entry=0x1e)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/my_decimal.cc:206
      #7  0x000055fcfb101f64 in Type_handler_decimal_result::make_sort_key_part (this=<optimized out>,
          to=0x7f61f8192e8d "\177", item=0x7f61f80132b0, sort_field=0x7f61f8015df8, param=<optimized out>)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:1321
      #8  0x000055fcfb10328d in make_sortkey (to=0x7f61f8192e8d "\177", param=0x7f62f00997c0)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:3027
      #9  make_sortkey (param=param@entry=0x7f62f00997c0, to=0x7f61f8192e88 "\001\200",
          ref_pos=ref_pos@entry=0x7f61f81846e0 "", using_packed_sortkeys=using_packed_sortkeys@entry=0x0)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:1354
      #10 0x000055fcfb106107 in find_all_keys (found_rows=0x7f61f818faa0, pq=0x7f62f0099770,
          tempfile=0x7f62f0099880, buffpek_pointers=0x7f62f0099970, fs_info=0x7f61f818f930, select=0x0,
          param=0x7f62f00997c0, thd=0x7f61f8000c58)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:969
      #11 filesort (thd=thd@entry=0x7f61f8000c58, table=table@entry=0x7f61f81833e8,
          filesort=filesort@entry=0x7f62f0099bc0, tracker=0x7f61f8015d58, join=join@entry=0x0,
          first_table_bit=first_table_bit@entry=0x0)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:357
      #12 0x000055fcfaf5300c in mysql_update (thd=thd@entry=0x7f61f8000c58, table_list=<optimized out>,
          fields=..., values=..., conds=<optimized out>, order_num=<optimized out>, order=0x7f61f8011678,
          limit=0xffffffffffffffff, ignore=<optimized out>, found_return=<optimized out>,
          updated_return=<optimized out>)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_update.cc:796
      #13 0x000055fcfae1fd89 in mysql_execute_command (thd=0x7f61f8000c58,
          is_called_from_prepared_stmt=<optimized out>)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_limit.h:83
      #14 0x000055fcfae02e35 in mysql_parse (thd=0x7f61f8000c58, rawbuf=<optimized out>,
          length=<optimized out>, parser_state=<optimized out>)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028
      #15 0x000055fcfae15391 in dispatch_command (command=<optimized out>, thd=0x7f61f8000c58,
          packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:1340
      #16 0x000055fcfae18652 in do_command (thd=0x7f61f8000c58, blocking=blocking@entry=0x1)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406
      #17 0x000055fcfafb336e in do_handle_one_connection (connect=<optimized out>, put_in_cache=0x1)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410
      #18 0x000055fcfafb3c77 in handle_one_connection (arg=arg@entry=0x55fcfe4236c8)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312
      #19 0x000055fcfb3df20d in pfs_spawn_thread (arg=0x55fcfe4d2e08)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201
      #20 0x00007f62f0eb0609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #21 0x00007f62f0a84293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      
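      The following is an added triage example, not part of this report and not MariaDB code. It parses a gdb backtrace of the shape shown above, drops the crash-handler frames up to and including `<signal handler called>`, and reports the faulting frame together with the outermost frame whose arguments already contain a NULL pointer and that frame's caller. Run over frames #2..#7 of this trace (embedded as constructed sample input), it shows `my_decimal::to_binary` entered with `this=0x0` from `Type_handler_decimal_result::make_sort_key_part` (filesort.cc:1321), which is the caller to inspect when triaging the report. The names `Frame`, `Triage`, `parse_backtrace` and `triage`, and the "outermost NULL argument" heuristic, are the example's own.

```python
"""Triage a gdb backtrace from a mysqld crash: locate the faulting frame and the
frame where a NULL pointer entered the call chain. Added example, not MariaDB code."""
import re
import signal
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: frames #2..#7 of the backtrace in this report.
SAMPLE_BT = r"""
#2  0x000055fcfb107f80 in handle_fatal_signal (sig=0xb)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344
#3  <signal handler called>
#4  0x000055fcfb26d753 in my_decimal::operator= (rhs=..., this=0x7f62f0099560)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/my_decimal.h:353
#5  my_decimal2decimal (to=0x7f62f0099560, from=0x0)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/my_decimal.h:353
#6  my_decimal::to_binary (this=0x0, bin=bin@entry=0x7f61f8192e8d "\177", prec=0xf, scale=0x6,
    mask=mask@entry=0x1e)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/my_decimal.cc:206
#7  0x000055fcfb101f64 in Type_handler_decimal_result::make_sort_key_part (this=<optimized out>,
    to=0x7f61f8192e8d "\177", item=0x7f61f80132b0, sort_field=0x7f61f8015df8, param=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:1321
"""

FRAME_HEAD = re.compile(r'^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(.*)$')
LOCATION = re.compile(r'\s+at\s+(\S+:\d+)\s*$')
NULL_PTR = re.compile(r'^0x0+(?=\s|$)')
SIGNAL_BOUNDARY = '<signal handler called>'

@dataclass
class Frame:
    index: int
    func: str
    args: Dict[str, str] = field(default_factory=dict)
    location: str = ''

    def null_args(self) -> List[str]:
        """Names of the arguments gdb printed as a NULL pointer (0x0)."""
        return [n for n, v in self.args.items() if NULL_PTR.match(v)]

def parse_backtrace(text: str) -> List[Frame]:
    """Join gdb's wrapped frame lines, then parse '#N [addr in] func (args) at file:line'."""
    chunks: List[str] = []
    for line in text.splitlines():
        if re.match(r'^#\d+\s', line):
            chunks.append(line.strip())
        elif chunks and line.strip():
            chunks[-1] += ' ' + line.strip()
    frames: List[Frame] = []
    for chunk in chunks:
        m = FRAME_HEAD.match(chunk)
        idx, rest = int(m.group(1)), m.group(2)
        loc = LOCATION.search(rest)
        location = loc.group(1) if loc else ''
        rest = rest[:loc.start()].strip() if loc else rest.strip()
        func, sep, arglist = rest.partition(' (')
        args: Dict[str, str] = {}
        if sep:
            # Split on the commas that start a new "name=" argument; for values like
            # "sig=sig@entry=0xb" keep only what follows the last '='.
            for a in re.split(r',\s+(?=[A-Za-z_]\w*=)', arglist.rstrip().rstrip(')')):
                name, _, value = a.partition('=')
                args[name.strip()] = value.rsplit('=', 1)[-1].strip()
        frames.append(Frame(idx, func.strip(), args, location))
    return frames

@dataclass
class Triage:
    signal_name: str
    faulting_frame: Frame             # first frame after the signal trampoline
    null_origin: Optional[Frame]      # outermost frame already holding a NULL
    suspect_caller: Optional[Frame]   # its caller: the code that handed over the NULL

def triage(text: str) -> Triage:
    frames = parse_backtrace(text)
    sig_name = 'unknown'
    for f in frames:
        if f.func == 'handle_fatal_signal' and 'sig' in f.args:
            sig_name = signal.Signals(int(f.args['sig'], 0)).name
            break
    # Frames up to and including "<signal handler called>" are the crash handler
    # itself; the call chain that actually faulted starts right after it.
    boundary = next((i for i, f in enumerate(frames) if f.func == SIGNAL_BOUNDARY), -1)
    chain = frames[boundary + 1:]
    null_origin = next((f for f in reversed(chain) if f.null_args()), None)
    suspect = None
    if null_origin is not None:
        pos = chain.index(null_origin)
        suspect = chain[pos + 1] if pos + 1 < len(chain) else None
    return Triage(sig_name, chain[0], null_origin, suspect)

if __name__ == '__main__':
    t = triage(SAMPLE_BT)
    print(f'{t.signal_name} in {t.faulting_frame.func} ({t.faulting_frame.location})')
    if t.null_origin is not None and t.suspect_caller is not None:
        print(f'NULL {t.null_origin.null_args()} entered at #{t.null_origin.index} '
              f'{t.null_origin.func}; inspect caller {t.suspect_caller.func} '
              f'({t.suspect_caller.location})')
```

      The heuristic deliberately walks the post-signal chain from the outermost frame inwards: inner frames (here #4 and #5) inherit the NULL from their callers, so the interesting boundary is the outermost frame that already sees 0x0 and the one above it that produced it. Pasting a full `bt` into `SAMPLE_BT` works unchanged; frames with `<optimized out>` arguments are kept but never counted as NULL.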

      People

        Assignee: Unassigned
        Reporter: yaoguang