Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-26348

BUG: segfault in sql/item_func.cc:0

Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Cannot Reproduce
    • 10.5.9
    • N/A
    • Optimizer - CTE
    • Ubuntu 18.04
      MariaDB 10.5.9

    Description

      I used my fuzzing tool to test Mariadb , and found a bug that can result in an abortion.

      Mariadb installation:
      1) cd mariadb-10.5.9
      2) mkdir build; cd build
      3) cmake -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DCMAKE_BUILD_TYPE=Debug ../
      4) make -j8 && sudo make install

      How to Repeat:
      export ASAN_OPTIONS=detect_leaks=0
      /usr/local/mysql/bin/mysqld_safe &
      /usr/local/mysql/bin/mysql -uroot -p123456(your password)
      MariaDB> drop database if exists test_db;
      MariaDB> create database test_db;
      MariaDB> use test_db;
      MariaDB> source fuzz.sql;

      I have simplified the content of fuzz.sql, and I hope fuzz.sql can help you reproduce the bug and fix it. In addition, I attach the failure report (which has its stack trace).

      Attachments

        1. report.txt
          10 kB
        2. fuzz.sql
          3 kB

        Activity

          Ascending order - Click to sort in descending order
          Zuming Jiang Zuming Jiang created issue -
          Zuming Jiang Zuming Jiang made changes -
          Field Original Value New Value
          Attachment fuzz.sql [ 58528 ]
          Zuming Jiang Zuming Jiang made changes -
          Attachment fuzz.sql [ 58529 ]
          danblack Daniel Black added a comment -

          Failed to reproduce on:

          10.5.13-0268b871228

          		 
          CMakeCache.txt:WITH_ASAN:BOOL=ON
          		 
          CMakeCache.txt:WITH_ASAN_SCOPE:BOOL=ON
          		 
          CMAKE_CXX_COMPILER:STRING=/usr/lib64/ccache/clang++
          		 
          CMAKE_C_COMPILER:STRING=/usr/lib64/ccache/clang
          		 
          CMAKE_BUILD_TYPE:STRING=RelWithDebInfo
          		 
           
          		 
          $ /usr/lib64/ccache/clang++ --version
          		 
          clang version 12.0.0 (Fedora 12.0.0-2.fc34)
          		 
          Target: x86_64-unknown-linux-gnu
          		 
          Thread model: posix
          		 
          InstalledDir: /usr/bin

          Also failed to reproduce on same commit with CMAKE_BUILD_TYPE=Debug

          Welcome to the MariaDB monitor.  Commands end with ; or \g.
          		 
          Your MariaDB connection id is 3
          		 
          Server version: 10.5.13-MariaDB-debug Source distribution
          		 
           
          		 
          Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
          		 
           
          		 
          Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
          		 
           
          		 
          MariaDB [(none)]> create or replace database  test_db;
          		 
          Query OK, 1 row affected (0.001 sec)
          		 
           
          		 
          MariaDB [(none)]> use test_db;
          		 
          Database changed
          		 
          MariaDB [test_db]> source ~/Downloads/fuzz-MDEV-26348.sql
          		 
          Query OK, 0 rows affected (0.007 sec)
          		 
           
          		 
          Query OK, 0 rows affected (0.008 sec)
          		 
          Records: 0  Duplicates: 0  Warnings: 0
          		 
           
          		 
          Empty set (0.005 sec)
          		 
           
          		 
          MariaDB [test_db]>

          danblack Daniel Black added a comment - Failed to reproduce on: 10.5.13-0268b871228 CMakeCache.txt:WITH_ASAN:BOOL=ON CMakeCache.txt:WITH_ASAN_SCOPE:BOOL=ON CMAKE_CXX_COMPILER:STRING=/usr/lib64/ccache/clang++ CMAKE_C_COMPILER:STRING=/usr/lib64/ccache/clang CMAKE_BUILD_TYPE:STRING=RelWithDebInfo   $ /usr/lib64/ccache/clang++ --version clang version 12.0.0 (Fedora 12.0.0-2.fc34) Target: x86_64-unknown-linux-gnu Thread model: posix InstalledDir: /usr/bin Also failed to reproduce on same commit with CMAKE_BUILD_TYPE=Debug Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 3 Server version: 10.5.13-MariaDB-debug Source distribution   Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.   Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.   MariaDB [(none)]> create or replace database test_db; Query OK, 1 row affected (0.001 sec)   MariaDB [(none)]> use test_db; Database changed MariaDB [test_db]> source ~/Downloads/fuzz-MDEV-26348.sql Query OK, 0 rows affected (0.007 sec)   Query OK, 0 rows affected (0.008 sec) Records: 0 Duplicates: 0 Warnings: 0   Empty set (0.005 sec)   MariaDB [test_db]>
          danblack Daniel Black made changes -
          Summary BUG: Abortion in sql/item_func.cc:0 BUG: segfault in sql/item_func.cc:0
          danblack Daniel Black added a comment -

          also checked 10.2.41, 10.3.32, 10.4.42 latest as of today and couldn't reproduce segfault on non-debug versions.

          Note difference in signal 11 (segfault) vs assertion (6).

          danblack Daniel Black added a comment - also checked 10.2.41, 10.3.32, 10.4.42 latest as of today and couldn't reproduce segfault on non-debug versions. Note difference in signal 11 (segfault) vs assertion (6).
          danblack Daniel Black made changes -
          Fix Version/s N/A [ 14700 ]
          Assignee Daniel Black [ danblack ]
          Resolution Cannot Reproduce [ 5 ]
          Status Open [ 1 ] Closed [ 6 ]
          serg Sergei Golubchik made changes -
          Workflow MariaDB v3 [ 124257 ] MariaDB v4 [ 159572 ]

          People

            danblack Daniel Black
            Zuming Jiang Zuming Jiang
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.