Details
-
Bug
-
Status: Open (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10
-
None
Description
REPLACE doesn't seem to work correctly with Spider tables, with slight variations producing different errors on different versions.
1. UNIQUE on underlying table, no key on Spider table
--source plugin/spider/spider/include/init_spider.inc
|
|
|
SET spider_same_server_link= on; |
eval create server s foreign data wrapper mysql options (host "127.0.0.1", database "test", user "root", port $MASTER_MYPORT); |
|
|
CREATE TABLE t (b INT, UNIQUE(b)); |
CREATE TABLE t_spider (b INT) ENGINE=SPIDER COMMENT = "wrapper 'mysql', srv 's', table 't'"; |
REPLACE INTO t_spider (b) VALUES (0),(0); |
|
|
# Cleanup
|
DROP TABLE t_spider, t; |
|
|
--source plugin/spider/spider/include/deinit_spider.inc |
|
10.3 d6e80c21 |
mysqltest: At line 8: query 'REPLACE INTO t_spider (b) VALUES (0),(0)' failed: 1022: Can't write; duplicate key in table 't_spider' |
which really shouldn't be happening, given that it's REPLACE.
Not surprising however, as underneath it is converted into inserts:
25 Query set session transaction isolation level repeatable read;set session autocommit = 1;set session sql_log_off = 0;start transaction
|
25 Query insert into `test`.`t`(`b`)values(0)
|
25 Query insert into `test`.`t`(`b`)values(0)
|
25 Query rollback
|
Reproducible on 10.3-10.10.
2. UNIQUE on underlying table, key on Spider table
CREATE TABLE t (b INT, UNIQUE(b)); |
CREATE TABLE t_spider (b INT, KEY(b)) ENGINE=SPIDER COMMENT = "wrapper 'mysql', srv 's', table 't'"; |
REPLACE INTO t_spider (b) VALUES (0),(0); |
|
10.3 d6e80c21 |
==1913971==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7f75f53465e0 at pc 0x561d660ac9ce bp 0x7f75f5346530 sp 0x7f75f5346528
|
WRITE of size 1 at 0x7f75f53465e0 thread T5
|
#0 0x561d660ac9cd in key_copy(unsigned char*, unsigned char const*, st_key*, unsigned int, bool) /data/src/10.3/sql/key.cc:129
|
#1 0x561d65657423 in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.3/sql/sql_insert.cc:1802
|
#2 0x561d65674628 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:1077
|
#3 0x561d6570c1ee in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4504
|
#4 0x561d6571b5d7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7870
|
#5 0x561d65720119 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
|
#6 0x561d65725ebd in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
|
#7 0x561d65a43c36 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
|
#8 0x561d65a4449a in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#9 0x561d66c8a1b4 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
|
#10 0x7f75ffd6cea6 in start_thread nptl/pthread_create.c:477
|
#11 0x7f75ffc9cdee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
|
|
|
Address 0x7f75f53465e0 is located in stack of thread T5
|
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /data/src/10.3/sql/key.cc:129 in key_copy(unsigned char*, unsigned char const*, st_key*, unsigned int, bool)
|
Shadow bytes around the buggy address:
|
0x0fef3ea60c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fef3ea60c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fef3ea60c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fef3ea60c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fef3ea60ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x0fef3ea60cb0: 00 00 00 00 00 00 00 00 ca ca ca ca[cb]cb cb cb
|
0x0fef3ea60cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fef3ea60cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fef3ea60ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fef3ea60cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fef3ea60d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
Thread T5 created by T0 here:
|
#0 0x7f76005ba2a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
|
#1 0x561d66c8e80a in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
|
#2 0x561d654b2f3b in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
|
#3 0x561d654b2f3b in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668
|
#4 0x561d654c324d in create_new_thread /data/src/10.3/sql/mysqld.cc:6738
|
#5 0x561d654c324d in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996
|
#6 0x561d654c51f5 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290
|
#7 0x7f75ffbc5d09 in __libc_start_main ../csu/libc-start.c:308
|
Reproducible on 10.3-10.10.
3. Extra column and more keys
CREATE TABLE t (a INT NOT NULL AUTO_INCREMENT, b INT DEFAULT 0, UNIQUE(a), UNIQUE(b)); |
CREATE TABLE t_spider (a INT NOT NULL AUTO_INCREMENT, b INT DEFAULT 0, KEY(a), KEY(b)) ENGINE=SPIDER COMMENT = "wrapper 'mysql', srv 's', table 't'"; |
REPLACE INTO t_spider () VALUES (),(); |
|
10.3 d6e80c21 debug |
mysqld: /data/src/10.3/sql/handler.cc:6462: int handler::ha_reset(): Assertion `bitmap_is_set_all(&table->s->all_set)' failed.
|
220708 2:34:57 [ERROR] mysqld got signal 6 ;
|
|
|
#7 0x00007fbb66686662 in __GI___assert_fail (assertion=0x55907aabe328 "bitmap_is_set_all(&table->s->all_set)", file=0x55907aabb5be "/data/src/10.3/sql/handler.cc", line=6462, function=0x55907aabe30b "int handler::ha_reset()") at assert.c:101
|
No locals.
|
#8 0x000055907a02ddf2 in handler::ha_reset (this=0x7fbb500ba598) at /data/src/10.3/sql/handler.cc:6462
|
_db_stack_frame_ = {func = 0x55907a91d0ad "close_thread_table", file = 0x55907a91cc88 "/data/src/10.3/sql/sql_base.cc", level = 2147483655, line = -1, prev = 0x7fbb606acc80}
|
__PRETTY_FUNCTION__ = "int handler::ha_reset()"
|
#9 0x0000559079c5f495 in close_thread_table (thd=0x7fbb50000d90, table_ptr=0x7fbb50000e70) at /data/src/10.3/sql/sql_base.cc:922
|
table = 0x7fbb500b9930
|
_db_stack_frame_ = {func = 0x55907a91cfb6 "close_thread_tables", file = 0x55907a91cc88 "/data/src/10.3/sql/sql_base.cc", level = 2147483654, line = -1, prev = 0x7fbb606accf0}
|
__PRETTY_FUNCTION__ = "void close_thread_table(THD*, TABLE**)"
|
#10 0x0000559079c5f0ec in close_thread_tables (thd=0x7fbb50000d90) at /data/src/10.3/sql/sql_base.cc:871
|
table = 0x0
|
_db_stack_frame_ = {func = 0x55907a9332c8 "mysql_execute_command", file = 0x55907a9326a8 "/data/src/10.3/sql/sql_parse.cc", level = 2147483653, line = -1, prev = 0x7fbb606aced0}
|
__PRETTY_FUNCTION__ = "void close_thread_tables(THD*)"
|
#11 0x0000559079d03179 in mysql_execute_command (thd=0x7fbb50000d90) at /data/src/10.3/sql/sql_parse.cc:6160
|
res = 0
|
up_result = 0
|
lex = 0x7fbb50004b80
|
select_lex = 0x7fbb500053d8
|
first_table = 0x7fbb50012bd8
|
all_tables = 0x7fbb50012bd8
|
unit = 0x7fbb50004c40
|
have_table_map_for_update = false
|
rpl_filter = 0x3887a8b51dc
|
_db_stack_frame_ = {func = 0x55907a9345a0 "mysql_parse", file = 0x55907a9326a8 "/data/src/10.3/sql/sql_parse.cc", level = 2147483652, line = -1, prev = 0x7fbb606ad400}
|
__PRETTY_FUNCTION__ = "int mysql_execute_command(THD*)"
|
orig_binlog_format = BINLOG_FORMAT_MIXED
|
orig_current_stmt_binlog_format = BINLOG_FORMAT_STMT
|
#12 0x0000559079d08090 in mysql_parse (thd=0x7fbb50000d90, rawbuf=0x7fbb50012ad8 "REPLACE INTO t_spider () VALUES (),()", length=37, parser_state=0x7fbb606ad5b0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7870
|
found_semicolon = 0x0
|
error = 32699
|
lex = 0x7fbb50004b80
|
err = false
|
_db_stack_frame_ = {func = 0x55907a932b32 "dispatch_command", file = 0x55907a9326a8 "/data/src/10.3/sql/sql_parse.cc", level = 2147483651, line = -1, prev = 0x7fbb606ad590}
|
__PRETTY_FUNCTION__ = "void mysql_parse(THD*, char*, uint, Parser_state*, bool, bool)"
|
#13 0x0000559079cf48c5 in dispatch_command (command=COM_QUERY, thd=0x7fbb50000d90, packet=0x7fbb50008f31 "REPLACE INTO t_spider () VALUES (),()", packet_length=37, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1852
|
packet_end = 0x7fbb50012afd ""
|
parser_state = {m_lip = {lookahead_token = -1, lookahead_yylval = 0x0, m_thd = 0x7fbb50000d90, m_ptr = 0x7fbb50012afe "\004", m_tok_start = 0x7fbb50012afe "\004", m_tok_end = 0x7fbb50012afe "\004", m_end_of_query = 0x7fbb50012afd "", m_tok_start_prev = 0x7fbb50012afd "", m_buf = 0x7fbb50012ad8 "REPLACE INTO t_spider () VALUES (),()", m_buf_length = 37, m_echo = true, m_echo_saved = 12, m_cpp_buf = 0x7fbb50012b58 "REPLACE INTO t_spider () VALUES (),()", m_cpp_ptr = 0x7fbb50012b7d "", m_cpp_tok_start = 0x7fbb50012b7d "", m_cpp_tok_start_prev = 0x7fbb50012b7d "", m_cpp_tok_end = 0x7fbb50012b7d "", m_body_utf8 = 0x0, m_body_utf8_ptr = 0x100007a88f993 <error: Cannot access memory at address 0x100007a88f993>, m_cpp_utf8_processed_ptr = 0x0, next_state = MY_LEX_END, found_semicolon = 0x0, ignore_space = false, stmt_prepare_mode = false, multi_statements = true, yylineno = 1, m_digest = 0x0, in_comment = NO_COMMENT, in_comment_saved = PRESERVE_COMMENT, m_cpp_text_start = 0x7fbb50012b65 "t_spider () VALUES (),()", m_cpp_text_end = 0x7fbb50012b6d " () VALUES (),()", m_underscore_cs = 0x0}, m_yacc = {yacc_yyss = 0x0, yacc_yyvs = 0x0, m_set_signal_info = {m_item = {0x0 <repeats 12 times>}}, m_lock_type = TL_READ_DEFAULT, m_mdl_type = MDL_SHARED_READ}, m_digest_psi = 0x7fbb50004658}
|
net = 0x7fbb50001098
|
error = false
|
do_end_of_statement = true
|
_db_stack_frame_ = {func = 0x55907a9328bd "do_command", file = 0x55907a9326a8 "/data/src/10.3/sql/sql_parse.cc", level = 2147483650, line = -1, prev = 0x7fbb606addf0}
|
drop_more_results = false
|
__PRETTY_FUNCTION__ = "bool dispatch_command(enum_server_command, THD*, char*, uint, bool, bool)"
|
res = <optimized out>
|
#14 0x0000559079cf3283 in do_command (thd=0x7fbb50000d90) at /data/src/10.3/sql/sql_parse.cc:1398
|
return_value = false
|
packet = 0x7fbb50008f30 "\003REPLACE INTO t_spider () VALUES (),()"
|
packet_length = 38
|
net = 0x7fbb50001098
|
command = COM_QUERY
|
_db_stack_frame_ = {func = 0x55907acb47d0 "?func", file = 0x55907acb47d6 "?file", level = 2147483649, line = -1, prev = 0x0}
|
__PRETTY_FUNCTION__ = "bool do_command(THD*)"
|
#15 0x0000559079e70878 in do_handle_one_connection (connect=0x55907c29c170) at /data/src/10.3/sql/sql_connect.cc:1403
|
create_user = true
|
thr_create_utime = 3659009253887
|
thd = 0x7fbb50000d90
|
#16 0x0000559079e705e3 in handle_one_connection (arg=0x55907c29c170) at /data/src/10.3/sql/sql_connect.cc:1308
|
connect = 0x55907c29c170
|
#17 0x000055907a81fb62 in pfs_spawn_thread (arg=0x55907c39ca40) at /data/src/10.3/storage/perfschema/pfs.cc:1869
|
typed_arg = 0x55907c39ca40
|
user_arg = 0x55907c29c170
|
user_start_routine = 0x559079e705b3 <handle_one_connection(void*)>
|
pfs = 0x7fbb6497d6c0
|
klass = 0x55907c08f280
|
#18 0x00007fbb6681fea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
ret = <optimized out>
|
pd = <optimized out>
|
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140442753230592, -3937929035520758171, 140721286345934, 140721286345935, 140442753228736, 311296, 3904456715782237797, 3904453081207451237}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
|
not_first_call = 0
|
#19 0x00007fbb6674fdef in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
Reproducible on 10.3-10.4.