
SIGSEGV in get_addon_fields and UBSAN: runtime error: member access within null pointer of type 'struct Field' in get_addon_fields



    Description

      Original testcase (reduced version in comments below):

      -- Original fuzzer-generated testcase for MDEV-28503 (a reduced version is in the
      -- issue comments). Keep the three statements verbatim: the identifiers and the
      -- exact expression shapes are what the fuzzer produced, and this page does not
      -- establish which parts of the query are required to trigger the crash.
      CREATE TABLE v744 ( v745 TEXT ) ;
      -- Nullable TEXT column seeded with two non-NULL and two NULL rows.
       INSERT INTO v744 ( v745 ) VALUES ( 'x' ) , ( NULL ) , ( 'x' ) , ( NULL ) ;
      -- Per the backtraces below, this SELECT crashes mysqld in get_addon_fields
      -- (filesort.cc:2024): filesort is entered via create_sort_index while a derived
      -- table is being filled (mysql_derived_fill -> JOIN::exec -> sort_table). The
      -- derived table being filled has a 4-item select list in the backtrace, which
      -- appears to match the DISTINCT subquery aliased v750 — presumably the sort set
      -- up for that DISTINCT, but the trace does not name the derived table.
      -- Impact: a single query from an ordinary client session (COM_QUERY in the
      -- backtrace) terminates the server process, i.e. a denial of service.
      -- Reproduced on 10.2.44 and 10.3.35 (dbg and opt); not reproduced on 10.4.25
      -- and later or on the MySQL versions listed below.
       SELECT v745 , 'x' / 25968760.000000 IS NOT NULL AS v746 FROM ( SELECT DISTINCT 'x' , ( WITH RECURSIVE v747 ( v748 ) AS ( SELECT v745 FROM v744 ) SELECT v745 FROM ( SELECT DISTINCT ( ( NOT ( 64393195.000000 AND v745 = 73 ) ) = 90 AND v745 = 41 ) % -1 , ( v745 = 38 OR v745 > 'x' ) FROM v744 WHERE FALSE = 127 AND ( v745 = 81 OR v745 = 127 OR CASE v745 * 0 = -128 WHEN 59 THEN 'x' WHEN 24 THEN 'x' ELSE 46 END != -1 ) ) AS v749 NATURAL JOIN v747 WHERE ( v748 = 0 OR v745 = 255 ) NOT LIKE 'x' AND CASE v745 * 1 = 28 WHEN 35 THEN 'x' WHEN 7 THEN 'x' ELSE -128 END != 0 GROUP BY v748 , v745 ORDER BY v745 DESC LIMIT 1 OFFSET 1 ) , 47 , 56091498.000000 FROM v744 ) AS v750 NATURAL JOIN v744 AS v751 WINDOW v752 AS ( ) ;
      

      Leads to:

      10.3.35 6a2d88c132221ea07dd322060089c85ff5e469b5 (Optimized)

      Core was generated by `/test/MD160322-mariadb-10.3.35-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  get_addon_fields (addon_buf=0x148d401550a8, sortlength=1025, 
          ptabfield=0x148ce0044660, max_length_for_sort_data=1024)
          at /test/10.3_opt/sql/filesort.cc:2024
      [Current thread is 1 (Thread 0x148d40158700 (LWP 2589661))]
      (gdb) bt
      #0  get_addon_fields (addon_buf=0x148d401550a8, sortlength=1025, ptabfield=0x148ce0044660, max_length_for_sort_data=1024) at /test/10.3_opt/sql/filesort.cc:2024
      #1  Sort_param::init_for_filesort (this=this@entry=0x148d40155060, sortlen=sortlen@entry=1025, table=table@entry=0x148ce0043680, max_length_for_sort_data=max_length_for_sort_data@entry=1024, maxrows=maxrows@entry=18446744073709551615, sort_positions=sort_positions@entry=false) at /test/10.3_opt/sql/filesort.cc:83
      #2  0x000055fafd4efaa3 in filesort (thd=thd@entry=0x148ce0000c48, table=table@entry=0x148ce0043680, filesort=filesort@entry=0x148ce003be88, tracker=0x148ce003c018, join=join@entry=0x148ce0026fb8, first_table_bit=<optimized out>) at /test/10.3_opt/sql/filesort.cc:1983
      #3  0x000055fafd343377 in create_sort_index (thd=0x148ce0000c48, join=0x148ce0026fb8, tab=tab@entry=0x148ce0038148, fsort=0x148ce003be88, fsort@entry=0x0) at /test/10.3_opt/sql/sql_select.cc:23120
      #4  0x000055fafd3436c7 in st_join_table::sort_table (this=this@entry=0x148ce0038148) at /test/10.3_opt/sql/sql_select.cc:20862
      #5  0x000055fafd34372d in join_init_read_record (tab=0x148ce0038148) at /test/10.3_opt/sql/sql_select.cc:20803
      #6  0x000055fafd353885 in AGGR_OP::end_send (this=0x148ce003bce8) at /test/10.3_opt/sql/sql_select.cc:28042
      #7  0x000055fafd353bf8 in sub_select_postjoin_aggr (join=0x148ce0026fb8, join_tab=0x148ce0038148, end_of_records=<optimized out>) at /test/10.3_opt/sql/sql_select.cc:19597
      #8  0x000055fafd358f76 in do_select (procedure=<optimized out>, join=0x148ce0026fb8) at /test/10.3_opt/sql/sql_select.cc:19421
      #9  JOIN::exec_inner (this=0x148ce0026fb8) at /test/10.3_opt/sql/sql_select.cc:4150
      #10 0x000055fafd359416 in JOIN::exec (this=this@entry=0x148ce0026fb8) at /test/10.3_opt/sql/sql_select.cc:3944
      #11 0x000055fafd3595b2 in mysql_select (thd=thd@entry=0x148ce0000c48, tables=0x148ce0024cb0, wild_num=0, fields=@0x148ce00101e8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x148ce0010d30, last = 0x148ce0024c68, elements = 4}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x148ce0026ed0, unit=0x148ce0010500, select_lex=0x148ce00100c0) at /test/10.3_opt/sql/sql_select.cc:4353
      #12 0x000055fafd2ba736 in mysql_derived_fill (thd=<optimized out>, lex=0x148ce0004878, derived=<optimized out>) at /test/10.3_opt/sql/sql_derived.cc:1179
      #13 0x000055fafd2ba150 in mysql_handle_single_derived (lex=0x148ce0004878, derived=derived@entry=0x148ce0025360, phases=phases@entry=96) at /test/10.3_opt/sql/sql_derived.cc:193
      #14 0x000055fafd32e730 in st_join_table::preread_init (this=this@entry=0x148ce003d548) at /test/10.3_opt/sql/sql_select.cc:12909
      #15 0x000055fafd32e918 in sub_select (end_of_records=false, join_tab=0x148ce003d548, join=0x148ce0026968) at /test/10.3_opt/sql/sql_select.cc:19923
      #16 sub_select (join=0x148ce0026968, join_tab=0x148ce003d548, end_of_records=false) at /test/10.3_opt/sql/sql_select.cc:19816
      #17 0x000055fafd35909e in do_select (procedure=<optimized out>, join=0x148ce0026968) at /test/10.3_opt/sql/sql_select.cc:19419
      #18 JOIN::exec_inner (this=0x148ce0026968) at /test/10.3_opt/sql/sql_select.cc:4150
      #19 0x000055fafd359416 in JOIN::exec (this=this@entry=0x148ce0026968) at /test/10.3_opt/sql/sql_select.cc:3944
      #20 0x000055fafd3595b2 in mysql_select (thd=0x148ce0000c48, tables=0x148ce0025360, wild_num=0, fields=@0x148ce00051f8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x148ce000fd80, last = 0x148ce00100a0, elements = 2}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x148ce0026940, unit=0x148ce0004938, select_lex=0x148ce00050d0) at /test/10.3_opt/sql/sql_select.cc:4353
      #21 0x000055fafd359f4b in handle_select (thd=thd@entry=0x148ce0000c48, lex=lex@entry=0x148ce0004878, result=result@entry=0x148ce0026940, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.3_opt/sql/sql_select.cc:372
      #22 0x000055fafd2e9ef1 in execute_sqlcom_select (thd=0x148ce0000c48, all_tables=0x148ce0025360) at /test/10.3_opt/sql/sql_parse.cc:6339
      #23 0x000055fafd2f7cfd in mysql_execute_command (thd=<optimized out>) at /test/10.3_opt/sql/sql_parse.cc:3870
      #24 0x000055fafd2fa957 in mysql_parse (thd=0x148ce0000c48, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.3_opt/sql/sql_parse.cc:7870
      #25 0x000055fafd2fccf5 in dispatch_command (command=COM_QUERY, thd=0x148ce0000c48, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.3_opt/sql/sql_class.h:1152
      #26 0x000055fafd2fecdd in do_command (thd=0x148ce0000c48) at /test/10.3_opt/sql/sql_parse.cc:1398
      #27 0x000055fafd3e74a6 in do_handle_one_connection (connect=connect@entry=0x55faff932ca8) at /test/10.3_opt/sql/sql_connect.cc:1403
      #28 0x000055fafd3e767f in handle_one_connection (arg=0x55faff932ca8) at /test/10.3_opt/sql/sql_connect.cc:1308
      #29 0x0000148d43e59609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #30 0x0000148d43d7e133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.3.35 6a2d88c132221ea07dd322060089c85ff5e469b5 (Debug)

      Core was generated by `/test/MD160322-mariadb-10.3.35-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x000055afa255948b in get_addon_fields (addon_buf=0x145c0c0798c8, 
          sortlength=1025, ptabfield=0x145bb40508c8, max_length_for_sort_data=1024)
          at /test/10.3_dbg/sql/filesort.cc:2024
      [Current thread is 1 (Thread 0x145c0c07d700 (LWP 2590015))]
      (gdb) bt
      #0  0x000055afa255948b in get_addon_fields (addon_buf=0x145c0c0798c8, sortlength=1025, ptabfield=0x145bb40508c8, max_length_for_sort_data=1024) at /test/10.3_dbg/sql/filesort.cc:2024
      #1  Sort_param::init_for_filesort (this=this@entry=0x145c0c079880, sortlen=sortlen@entry=1025, table=table@entry=0x145bb404f7e8, max_length_for_sort_data=max_length_for_sort_data@entry=1024, maxrows=maxrows@entry=18446744073709551615, sort_positions=sort_positions@entry=false) at /test/10.3_dbg/sql/filesort.cc:83
      #2  0x000055afa255bcd5 in filesort (thd=thd@entry=0x145bb4000d90, table=table@entry=0x145bb404f7e8, filesort=filesort@entry=0x145bb40480a8, tracker=0x145bb4048240, join=join@entry=0x145bb402eeb8, first_table_bit=<optimized out>) at /test/10.3_dbg/sql/filesort.cc:1983
      #3  0x000055afa23326bc in create_sort_index (thd=0x145bb4000d90, join=0x145bb402eeb8, tab=tab@entry=0x145bb4043cf0, fsort=0x145bb40480a8, fsort@entry=0x0) at /test/10.3_dbg/sql/sql_select.cc:23120
      #4  0x000055afa2332a8b in st_join_table::sort_table (this=this@entry=0x145bb4043cf0) at /test/10.3_dbg/sql/sql_select.cc:20862
      #5  0x000055afa2332b94 in join_init_read_record (tab=0x145bb4043cf0) at /test/10.3_dbg/sql/sql_select.cc:20803
      #6  0x000055afa234342d in AGGR_OP::end_send (this=this@entry=0x145bb4046f10) at /test/10.3_dbg/sql/sql_select.cc:28042
      #7  0x000055afa23437d3 in sub_select_postjoin_aggr (join=0x145bb402eeb8, join_tab=0x145bb4043cf0, end_of_records=<optimized out>) at /test/10.3_dbg/sql/sql_select.cc:19597
      #8  0x000055afa231a244 in sub_select (join=0x145bb402eeb8, join_tab=0x145bb4043960, end_of_records=<optimized out>) at /test/10.3_dbg/sql/sql_select.cc:19831
      #9  0x000055afa234b7d2 in do_select (procedure=<optimized out>, join=0x145bb402eeb8) at /test/10.3_dbg/sql/sql_select.cc:19421
      #10 JOIN::exec_inner (this=this@entry=0x145bb402eeb8) at /test/10.3_dbg/sql/sql_select.cc:4150
      #11 0x000055afa234bb9c in JOIN::exec (this=this@entry=0x145bb402eeb8) at /test/10.3_dbg/sql/sql_select.cc:3944
      #12 0x000055afa234c5e4 in mysql_select (thd=thd@entry=0x145bb4000d90, tables=0x145bb402cbb0, wild_num=0, fields=@0x145bb40120f8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x145bb4012c40, last = 0x145bb402cb68, elements = 4}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2416184065, result=0x145bb402edd0, unit=0x145bb4012410, select_lex=0x145bb4011fd0) at /test/10.3_dbg/sql/sql_select.cc:4353
      #13 0x000055afa2289c23 in mysql_derived_fill (thd=0x145bb4000d90, lex=0x145bb4004b80, derived=0x145bb402d260) at /test/10.3_dbg/sql/sql_derived.cc:1179
      #14 0x000055afa2289705 in mysql_handle_single_derived (lex=0x145bb4004b80, derived=derived@entry=0x145bb402d260, phases=phases@entry=96) at /test/10.3_dbg/sql/sql_derived.cc:193
      #15 0x000055afa231a017 in st_join_table::preread_init (this=this@entry=0x145bb4049770) at /test/10.3_dbg/sql/sql_select.cc:12909
      #16 0x000055afa231a26f in sub_select (join=0x145bb402e868, join_tab=0x145bb4049770, end_of_records=<optimized out>) at /test/10.3_dbg/sql/sql_select.cc:19846
      #17 0x000055afa234b7a0 in do_select (procedure=<optimized out>, join=0x145bb402e868) at /test/10.3_dbg/sql/sql_select.cc:19419
      #18 JOIN::exec_inner (this=this@entry=0x145bb402e868) at /test/10.3_dbg/sql/sql_select.cc:4150
      #19 0x000055afa234bb9c in JOIN::exec (this=this@entry=0x145bb402e868) at /test/10.3_dbg/sql/sql_select.cc:3944
      #20 0x000055afa234c5e4 in mysql_select (thd=thd@entry=0x145bb4000d90, tables=0x145bb402d260, wild_num=0, fields=@0x145bb4005500: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x145bb4011c88, last = 0x145bb4011fb0, elements = 2}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x145bb402e840, unit=0x145bb4004c40, select_lex=0x145bb40053d8) at /test/10.3_dbg/sql/sql_select.cc:4353
      #21 0x000055afa234c893 in handle_select (thd=thd@entry=0x145bb4000d90, lex=lex@entry=0x145bb4004b80, result=result@entry=0x145bb402e840, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.3_dbg/sql/sql_select.cc:372
      #22 0x000055afa22c3a4b in execute_sqlcom_select (thd=thd@entry=0x145bb4000d90, all_tables=0x145bb402d260) at /test/10.3_dbg/sql/sql_parse.cc:6339
      #23 0x000055afa22ce9c2 in mysql_execute_command (thd=thd@entry=0x145bb4000d90) at /test/10.3_dbg/sql/sql_parse.cc:3870
      #24 0x000055afa22d8d24 in mysql_parse (thd=thd@entry=0x145bb4000d90, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x145c0c07c530, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.3_dbg/sql/sql_parse.cc:7870
      #25 0x000055afa22db495 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x145bb4000d90, packet=packet@entry=0x145bb40198f1 "", packet_length=packet_length@entry=711, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.3_dbg/sql/sql_class.h:1152
      #26 0x000055afa22de625 in do_command (thd=0x145bb4000d90) at /test/10.3_dbg/sql/sql_parse.cc:1398
      #27 0x000055afa240685f in do_handle_one_connection (connect=connect@entry=0x55afa4cb5770) at /test/10.3_dbg/sql/sql_connect.cc:1403
      #28 0x000055afa2406a96 in handle_one_connection (arg=0x55afa4cb5770) at /test/10.3_dbg/sql/sql_connect.cc:1308
      #29 0x0000145c14ad5609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #30 0x0000145c149fa133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.37 (dbg), 5.7.37 (opt), 8.0.28 (dbg), 8.0.28 (opt)


            People

              psergei Sergei Petrunia
              nobody Shihao Wen