[MDEV-26423] MariaDB server crash in Create_tmp_table::finalize - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL)
Fix Version/s: 10.7.4, 10.2.44, 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.8.3, 10.9.1
Component/s: OTHER
Labels:
- crash
Environment:
Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64

Description

PoC:

CREATE TABLE v0 ( v2 DATE DEFAULT ( v1 MOD 68321183.000000 ) , v1 DATETIME NULL ) ;

 SHOW DATABASES LIKE 'x' ;

 SELECT DISTINCT v2 , v1 , DEFAULT ( v2 ) FROM v0 ;

Crash Log:

We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB

key_buffer_size=134217728

read_buffer_size=131072

max_used_connections=1

max_threads=153

thread_count=1

It is possible that mysqld could use up to

key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack_bottom = 0x7fbccf9b6850 thread_stack 0x5fc00

sanitizer_common/sanitizer_common_interceptors.inc:4203(__interceptor_backtrace.part.0)[0x7fbcf53e9c3e]

mysys/stacktrace.c:213(my_print_stacktrace)[0x55da8b1e8747]

sql/signal_handler.cc:222(handle_fatal_signal)[0x55da8a1b0120]

sigaction.c:0(__restore_rt)[0x7fbcf4dd3870]

sql/sql_select.cc:19307(Create_tmp_table::finalize(THD*, TABLE*, TMP_TABLE_PARAM*, bool, bool))[0x55da89b716a6]

sql/sql_select.cc:19606(create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool))[0x55da89b736a4]

sql/sql_select.cc:4015(JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool))[0x55da89ba26b3]

sql/sql_select.cc:3589(JOIN::make_aggr_tables_info())[0x55da89ba5424]

sql/sql_select.cc:3225(JOIN::optimize_stage2())[0x55da89bd5e72]

sql/sql_select.cc:2479(JOIN::optimize_inner())[0x55da89bdfd07]

sql/sql_select.cc:1811(JOIN::optimize())[0x55da89be17b1]

sql/sql_select.cc:4977(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55da89be1a0e]

sql/sql_select.cc:545(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55da89be3655]

sql/sql_parse.cc:6256(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55da89a26d7d]

sql/sql_parse.cc:3946(mysql_execute_command(THD*, bool))[0x55da89a50421]

sql/sql_parse.cc:8047(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55da89a555a1]

sql/sql_parse.cc:1898(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55da89a5b60c]

sql/sql_parse.cc:1406(do_command(THD*, bool))[0x55da89a6073d]

sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x55da89e1be57]

sql/sql_connect.cc:1312(handle_one_connection)[0x55da89e1c33d]

perfschema/pfs.cc:2204(pfs_spawn_thread)[0x55da8a8acc2c]

pthread_create.c:0(start_thread)[0x7fbcf4dc9259]

:0(__GI___clone)[0x7fbcf49745e3]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): SELECT DISTINCT v2 , v1 , DEFAULT ( v2 ) FROM v0

Connection ID (thread ID): 4

Status: NOT_KILLED

Attachments

Issue Links

relates to

MDEV-11590 Server crashes in create_tmp_table / JOIN::create_postjoin_aggr_table

Closed

links to

CVE-2022-27378

Activity

Ascending order - Click to sort in descending order

Alice Sherepa added a comment - 2021-08-25 13:52

Thanks!
Repeatable on 10.2-10.6

CREATE TABLE t1 (v1 DATE, v2 DATE DEFAULT(v1)) engine=innodb;

SELECT DISTINCT DEFAULT(v2) FROM t1 ;

10.2 1f1d5606e08c928e3da98b
#3 <signal handler called>
#4 0x000055b9f38681c4 in create_tmp_table (thd=0x7f540c000d90, param=0x7f540c014f58, fields=..., group=0x7f540c014f00, distinct=false, save_sum_fields=false, select_options=2147748609, rows_limit=18446744073709551615, table_alias=0x55b9f42a4e3a "", do_not_open=true, keep_row_order=false) at /10.2/src/sql/sql_select.cc:17331
#5 0x000055b9f3842ab9 in JOIN::create_postjoin_aggr_table (this=0x7f540c013158, tab=0x7f540c014790, table_fields=0x7f540c013478, table_group=0x7f540c014f00, save_sum_fields=false, distinct=false, keep_row_order=false) at /10.2/src/sql/sql_select.cc:2983
#6 0x000055b9f384130e in JOIN::make_aggr_tables_info (this=0x7f540c013158) at /10.2/src/sql/sql_select.cc:2588
#7 0x000055b9f383fec8 in JOIN::optimize_inner (this=0x7f540c013158) at /10.2/src/sql/sql_select.cc:2259
#8 0x000055b9f383bfe6 in JOIN::optimize (this=0x7f540c013158) at /10.2/src/sql/sql_select.cc:1127
#9 0x000055b9f384553c in mysql_select (thd=0x7f540c000d90, tables=0x7f540c012a48, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748609, result=0x7f540c013138, unit=0x7f540c004988, select_lex=0x7f540c0050d8) at /10.2/src/sql/sql_select.cc:3835
#10 0x000055b9f3839720 in handle_select (thd=0x7f540c000d90, lex=0x7f540c0048c8, result=0x7f540c013138, setup_tables_done_option=0) at /10.2/src/sql/sql_select.cc:361
#11 0x000055b9f3803d86 in execute_sqlcom_select (thd=0x7f540c000d90, all_tables=0x7f540c012a48) at /10.2/src/sql/sql_parse.cc:6271
#12 0x000055b9f37fa8fa in mysql_execute_command (thd=0x7f540c000d90) at /10.2/src/sql/sql_parse.cc:3582
#13 0x000055b9f3807b42 in mysql_parse (thd=0x7f540c000d90, rawbuf=0x7f540c012708 "SELECT DISTINCT DEFAULT(v2) FROM t1", length=35, parser_state=0x7f545d318560, is_com_multi=false, is_next_command=false) at /10.2/src/sql/sql_parse.cc:7793
#14 0x000055b9f37f5d9d in dispatch_command (command=COM_QUERY, thd=0x7f540c000d90, packet=0x7f540c008b61 "SELECT DISTINCT DEFAULT(v2) FROM t1 ", packet_length=36, is_com_multi=false, is_next_command=false) at /10.2/src/sql/sql_parse.cc:1827
#15 0x000055b9f37f4898 in do_command (thd=0x7f540c000d90) at /10.2/src/sql/sql_parse.cc:1381
#16 0x000055b9f3950661 in do_handle_one_connection (connect=0x55b9f70feac0) at /10.2/src/sql/sql_connect.cc:1336
#17 0x000055b9f39503c6 in handle_one_connection (arg=0x55b9f70feac0) at /10.2/src/sql/sql_connect.cc:1241
#18 0x000055b9f4179ec4 in pfs_spawn_thread (arg=0x55b9f70e1d80) at /10.2/src/storage/perfschema/pfs.cc:1869
#19 0x00007f54634f3609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#20 0x00007f54630ce293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Alice Sherepa added a comment - 2021-08-25 13:52 Thanks! Repeatable on 10.2-10.6 CREATE TABLE t1 (v1 DATE , v2 DATE DEFAULT (v1)) engine=innodb; SELECT DISTINCT DEFAULT (v2) FROM t1 ; 10.2 1f1d5606e08c928e3da98b #3 <signal handler called> #4 0x000055b9f38681c4 in create_tmp_table (thd=0x7f540c000d90, param=0x7f540c014f58, fields=..., group=0x7f540c014f00, distinct=false, save_sum_fields=false, select_options=2147748609, rows_limit=18446744073709551615, table_alias=0x55b9f42a4e3a "", do_not_open=true, keep_row_order=false) at /10.2/src/sql/sql_select.cc:17331 #5 0x000055b9f3842ab9 in JOIN::create_postjoin_aggr_table (this=0x7f540c013158, tab=0x7f540c014790, table_fields=0x7f540c013478, table_group=0x7f540c014f00, save_sum_fields=false, distinct=false, keep_row_order=false) at /10.2/src/sql/sql_select.cc:2983 #6 0x000055b9f384130e in JOIN::make_aggr_tables_info (this=0x7f540c013158) at /10.2/src/sql/sql_select.cc:2588 #7 0x000055b9f383fec8 in JOIN::optimize_inner (this=0x7f540c013158) at /10.2/src/sql/sql_select.cc:2259 #8 0x000055b9f383bfe6 in JOIN::optimize (this=0x7f540c013158) at /10.2/src/sql/sql_select.cc:1127 #9 0x000055b9f384553c in mysql_select (thd=0x7f540c000d90, tables=0x7f540c012a48, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748609, result=0x7f540c013138, unit=0x7f540c004988, select_lex=0x7f540c0050d8) at /10.2/src/sql/sql_select.cc:3835 #10 0x000055b9f3839720 in handle_select (thd=0x7f540c000d90, lex=0x7f540c0048c8, result=0x7f540c013138, setup_tables_done_option=0) at /10.2/src/sql/sql_select.cc:361 #11 0x000055b9f3803d86 in execute_sqlcom_select (thd=0x7f540c000d90, all_tables=0x7f540c012a48) at /10.2/src/sql/sql_parse.cc:6271 #12 0x000055b9f37fa8fa in mysql_execute_command (thd=0x7f540c000d90) at /10.2/src/sql/sql_parse.cc:3582 #13 0x000055b9f3807b42 in mysql_parse (thd=0x7f540c000d90, rawbuf=0x7f540c012708 "SELECT DISTINCT DEFAULT(v2) FROM t1", length=35, parser_state=0x7f545d318560, is_com_multi=false, is_next_command=false) at /10.2/src/sql/sql_parse.cc:7793 #14 0x000055b9f37f5d9d in dispatch_command (command=COM_QUERY, thd=0x7f540c000d90, packet=0x7f540c008b61 "SELECT DISTINCT DEFAULT(v2) FROM t1 ", packet_length=36, is_com_multi=false, is_next_command=false) at /10.2/src/sql/sql_parse.cc:1827 #15 0x000055b9f37f4898 in do_command (thd=0x7f540c000d90) at /10.2/src/sql/sql_parse.cc:1381 #16 0x000055b9f3950661 in do_handle_one_connection (connect=0x55b9f70feac0) at /10.2/src/sql/sql_connect.cc:1336 #17 0x000055b9f39503c6 in handle_one_connection (arg=0x55b9f70feac0) at /10.2/src/sql/sql_connect.cc:1241 #18 0x000055b9f4179ec4 in pfs_spawn_thread (arg=0x55b9f70e1d80) at /10.2/src/storage/perfschema/pfs.cc:1869 #19 0x00007f54634f3609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #20 0x00007f54630ce293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Alice Sherepa added a comment - 2021-10-28 13:16

CREATE TABLE t1 (pk varchar(36) DEFAULT uuid());

INSERT INTO t1 VALUES (),();

SELECT 1 FROM t1 GROUP BY DEFAULT(pk);

10.6 1193a793c40b806c6f1f00
211028 15:14:26 [ERROR] mysqld got signal 11 ;

Server version: 10.6.5-MariaDB-debug-log

sql/signal_handler.cc:226(handle_fatal_signal)[0x55cb38ca7a5b]
sigaction.c:0(__restore_rt)[0x7f6fb1a653c0]
sql/sql_select.cc:19315(Create_tmp_table::finalize(THD, TABLE, TMP_TABLE_PARAM*, bool, bool))[0x55cb3858d863]
sql/sql_select.cc:19618(create_tmp_table(THD, TMP_TABLE_PARAM, List<Item>&, st_order, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const, bool, bool))[0x55cb38591cff]
sql/sql_select.cc:4012(JOIN::create_postjoin_aggr_table(st_join_table, List<Item>, st_order*, bool, bool, bool))[0x55cb3851e050]
sql/sql_select.cc:3591(JOIN::make_aggr_tables_info())[0x55cb38519882]
sql/sql_select.cc:3227(JOIN::optimize_stage2())[0x55cb38515304]
sql/sql_select.cc:2479(JOIN::optimize_inner())[0x55cb3850d944]
sql/sql_select.cc:1809(JOIN::optimize())[0x55cb38506700]
sql/sql_select.cc:4980(mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex))[0x55cb38527bf6]
sql/sql_select.cc:545(handle_select(THD, LEX, select_result*, unsigned long))[0x55cb384f8333]
sql/sql_parse.cc:6256(execute_sqlcom_select(THD, TABLE_LIST))[0x55cb3845d3e7]
sql/sql_parse.cc:3946(mysql_execute_command(THD*, bool))[0x55cb3844beb5]
sql/sql_parse.cc:8030(mysql_parse(THD, char, unsigned int, Parser_state*))[0x55cb384686aa]
sql/sql_parse.cc:1898(dispatch_command(enum_server_command, THD, char, unsigned int, bool))[0x55cb3843e76b]
sql/sql_parse.cc:1404(do_command(THD*, bool))[0x55cb3843b48f]
sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x55cb388a1b1b]
sql/sql_connect.cc:1314(handle_one_connection)[0x55cb388a13a7]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55cb395c0be1]
nptl/pthread_create.c:478(start_thread)[0x7f6fb1a59609]
x86_64/clone.S:97(__GI___clone)[0x7f6fb162e293]

Query (0x62b0000c42a8): SELECT 1 FROM t1 GROUP BY DEFAULT(pk)

Alice Sherepa added a comment - 2021-10-28 13:16 CREATE TABLE t1 (pk varchar (36) DEFAULT uuid()); INSERT INTO t1 VALUES (),(); SELECT 1 FROM t1 GROUP BY DEFAULT (pk); 10.6 1193a793c40b806c6f1f00 211028 15:14:26 [ERROR] mysqld got signal 11 ; Server version: 10.6.5-MariaDB-debug-log sql/signal_handler.cc:226(handle_fatal_signal)[0x55cb38ca7a5b] sigaction.c:0(__restore_rt)[0x7f6fb1a653c0] sql/sql_select.cc:19315(Create_tmp_table::finalize(THD*, TABLE*, TMP_TABLE_PARAM*, bool, bool))[0x55cb3858d863] sql/sql_select.cc:19618(create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool))[0x55cb38591cff] sql/sql_select.cc:4012(JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool))[0x55cb3851e050] sql/sql_select.cc:3591(JOIN::make_aggr_tables_info())[0x55cb38519882] sql/sql_select.cc:3227(JOIN::optimize_stage2())[0x55cb38515304] sql/sql_select.cc:2479(JOIN::optimize_inner())[0x55cb3850d944] sql/sql_select.cc:1809(JOIN::optimize())[0x55cb38506700] sql/sql_select.cc:4980(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55cb38527bf6] sql/sql_select.cc:545(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55cb384f8333] sql/sql_parse.cc:6256(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55cb3845d3e7] sql/sql_parse.cc:3946(mysql_execute_command(THD*, bool))[0x55cb3844beb5] sql/sql_parse.cc:8030(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55cb384686aa] sql/sql_parse.cc:1898(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55cb3843e76b] sql/sql_parse.cc:1404(do_command(THD*, bool))[0x55cb3843b48f] sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x55cb388a1b1b] sql/sql_connect.cc:1314(handle_one_connection)[0x55cb388a13a7] perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55cb395c0be1] nptl/pthread_create.c:478(start_thread)[0x7f6fb1a59609] x86_64/clone.S:97(__GI___clone)[0x7f6fb162e293] Query (0x62b0000c42a8): SELECT 1 FROM t1 GROUP BY DEFAULT(pk)

Oleksandr Byelkin added a comment - 2022-04-14 11:04 - edited

Using innodb is really needed:

with innodb we endup trying to get temporary table field from "default" (Item_default_value) item.
with aria it is normal "result filed" and return temporary table field.

Oleksandr Byelkin added a comment - 2022-04-14 11:04 - edited Using innodb is really needed: with innodb we endup trying to get temporary table field from "default" (Item_default_value) item. with aria it is normal "result filed" and return temporary table field.

Oleksandr Byelkin added a comment - 2022-04-14 11:10

The second test suite also repeatable on 10.2 (test was made from 10.6 so I had doubts) and exploit the "deafult" Item directly.

Oleksandr Byelkin added a comment - 2022-04-14 11:10 The second test suite also repeatable on 10.2 (test was made from 10.6 so I had doubts) and exploit the "deafult" Item directly.

Oleksandr Byelkin added a comment - 2022-04-14 11:53

commit bf399cac92f8675bbca5647a6127a1dceff64a44 (HEAD -> bb-10.2-MDEV-26423, origin/bb-10.2-MDEV-26423)

Author: Oleksandr Byelkin <sanja@mariadb.com>

Date:   Thu Apr 14 13:51:46 2022 +0200

    MDEV-26423 MariaDB server crash in Create_tmp_table::finalize

    Removed prohibition of creating temporary field of Item_default_value

    (added by mistake by 1d9b043a1f5db7ff229d5200652cff7a78ea6266 fix of

    MDEV-10780 and MDEV-11265).

Oleksandr Byelkin added a comment - 2022-04-14 11:53 commit bf399cac92f8675bbca5647a6127a1dceff64a44 (HEAD -> bb-10.2-MDEV-26423, origin/bb-10.2-MDEV-26423) Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Thu Apr 14 13:51:46 2022 +0200 MDEV-26423 MariaDB server crash in Create_tmp_table::finalize Removed prohibition of creating temporary field of Item_default_value (added by mistake by 1d9b043a1f5db7ff229d5200652cff7a78ea6266 fix of MDEV-10780 and MDEV-11265).

Alexander Barkov added a comment - 2022-04-15 13:11

The patch looks OK to push for me. Just one thing, the version number is wrong:

+--echo #
+--echo # End of 1.2 tests
+--echo #

I guess it should be "End of 10.2 tests"

Alexander Barkov added a comment - 2022-04-15 13:11 The patch looks OK to push for me. Just one thing, the version number is wrong: +--echo # +--echo # End of 1.2 tests +--echo # I guess it should be "End of 10.2 tests"

People

Assignee:: Oleksandr Byelkin

Reporter:: yaoguang

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2021-08-19 03:15

Updated:: 2023-10-02 12:18

Resolved:: 2022-04-15 15:15

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server