[MDEV-29353] SIGSEGV's in _ma_unique_hash, _ma_make_key and _ma_calc_blob_length on SELECT (on optimized builds) - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL)
Fix Version/s: 10.11.2, 10.3.38, 10.4.28, 10.5.19, 10.6.12, 10.7.8, 10.8.7, 10.9.5, 10.10.3
Component/s: Optimizer, Parser
Labels:
- affects-tests

Description

I am creating this as a new bug as we have not thus far seen a SIGSEGV in _ma_unique_hash. However, this is the outcome only on all versions' optimized builds.

On debug builds on the other hand, with the same testcase, the outcome presents itself like the stacks in ~~MDEV-28515~~. Furthermore, when the BLOB column type in the testcase is changed to INT the outcome on optimized builds looks like ~~MDEV-29052~~. Both these issues are intertwined as well.

It looks like there are various clusters of issues at play here as discussed earlier. While all versions are affected by this testcase, this bug is thus primarily for the SIGSEGV in _ma_unique_hash in optimized 10.3+ builds.

CREATE TABLE t (c BLOB);

INSERT INTO t VALUES (0);

DELETE FROM t;

INSERT INTO t VALUES (0);

SELECT * FROM (SELECT * FROM t) AS a JOIN t WINDOW b AS (PARTITION BY t.c AND 0 BETWEEN (SELECT * FROM t GROUP BY t.c WINDOW d AS (PARTITION BY t.c)) AND 0);

Leads to:

10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)
Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000555eafa3bf4f in _ma_unique_hash (def=def@entry=0x15234c08c2b8,
record=record@entry=0x15234c05a100 <incomplete sequence \362>)
at /test/10.11_opt/storage/maria/ma_unique.c:117
[Current thread is 1 (Thread 0x1523e80bf700 (LWP 1929823))]
(gdb) bt
#0 0x0000555eafa3bf4f in _ma_unique_hash (def=def@entry=0x15234c08c2b8, record=record@entry=0x15234c05a100 <incomplete sequence \362>) at /test/10.11_opt/storage/maria/ma_unique.c:117
#1 0x0000555eafa8b15d in maria_write (info=0x15234c08c6f8, record=0x15234c05a100 <incomplete sequence \362>) at /test/10.11_opt/storage/maria/ma_write.c:133
#2 0x0000555eaf6ae018 in handler::ha_write_tmp_row (buf=0x15234c05a100 <incomplete sequence \362>, this=0x15234c05a630) at /test/10.11_opt/include/mysql/psi/mysql_thread.h:795
#3 end_write (join=0x15234c04b878, join_tab=0x15234c055800, end_of_records=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:23256
#4 0x0000555eaf793169 in JOIN_CACHE::generate_full_extensions (rec_ptr=0x15234c05ae08 "\376\001", this=0x15234c0535f0) at /test/10.11_opt/sql/sql_join_cache.cc:2478
#5 JOIN_CACHE::generate_full_extensions (this=0x15234c0535f0, rec_ptr=0x15234c05ae08 "\376\001") at /test/10.11_opt/sql/sql_join_cache.cc:2461
#6 0x0000555eaf79356e in JOIN_CACHE::join_matching_records (this=0x15234c0535f0, skip_last=false) at /test/10.11_opt/sql/sql_join_cache.cc:2370
#7 0x0000555eaf792db1 in JOIN_CACHE::join_records (this=this@entry=0x15234c0535f0, skip_last=skip_last@entry=false) at /test/10.11_opt/sql/sql_join_cache.cc:2151
#8 0x0000555eaf6954aa in sub_select_cache (join=0x15234c04b878, join_tab=0x15234c055448, end_of_records=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:21537
#9 0x0000555eaf6c39ff in do_select (procedure=<optimized out>, join=0x15234c04b878) at /test/10.11_opt/sql/sql_select.cc:21310
#10 JOIN::exec_inner (this=0x15234c04b878) at /test/10.11_opt/sql/sql_select.cc:4812
#11 0x0000555eaf6c3f68 in JOIN::exec (this=this@entry=0x15234c04b878) at /test/10.11_opt/sql/sql_select.cc:4590
#12 0x0000555eaf6c2171 in mysql_select (thd=0x15234c000c58, tables=0x15234c012380, fields=@0x15234c010b58: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x15234c010e48, last = 0x15234c04ca20, elements = 2}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x15234c014218, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x15234c04b850, unit=0x15234c004cd0, select_lex=0x15234c0108b8) at /test/10.11_opt/sql/sql_select.cc:5070
#13 0x0000555eaf6c28b7 in handle_select (thd=thd@entry=0x15234c000c58, lex=lex@entry=0x15234c004bf8, result=result@entry=0x15234c04b850, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.11_opt/sql/sql_select.cc:581
#14 0x0000555eaf6445b1 in execute_sqlcom_select (thd=0x15234c000c58, all_tables=0x15234c012380) at /test/10.11_opt/sql/sql_parse.cc:6261
#15 0x0000555eaf6521f8 in mysql_execute_command (thd=0x15234c000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:3945
#16 0x0000555eaf63f7b5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x15234c000c58) at /test/10.11_opt/sql/sql_parse.cc:8035
#17 mysql_parse (thd=0x15234c000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7957
#18 0x0000555eaf64b2ca in dispatch_command (command=COM_QUERY, thd=0x15234c000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1339
#19 0x0000555eaf64d1f2 in do_command (thd=0x15234c000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
#20 0x0000555eaf76546f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x555eb2152398, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418
#21 0x0000555eaf76574d in handle_one_connection (arg=0x555eb2152398) at /test/10.11_opt/sql/sql_connect.cc:1312
#22 0x000015240713d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#23 0x0000152406d29133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

Attachments

Issue Links

is part of

MDEV-30052 Crash with a query containing nested WINDOW clauses

Closed

relates to

MDEV-28515 Assertion `field->table == table' failed in Create_tmp_table::finalize and create_tmp_table and SIGSEGV in hp_rec_hashnr

Closed

MDEV-29052 SIGSEGV's in hp_rec_hashnr and my_hash_sort_simple (from hp_rec_hashnr and my_ci_hash_sort) on SELECT when using window functions

Closed

MDEV-35620 UBSAN: runtime error: applying zero offset to null pointer in _ma_unique_hash, skip_trailing_space, my_hash_sort_mb_nopad_bin and my_strnncollsp_utf8mb4_bin

Closed

MDEV-28506 SIGSEGV's in find_field_in_table[s][_ref], Item_field::fix_fields, create_view_field and MemcmpInterceptorCommon | Assertions `(*select_ref)->fixed' or '->is_fixed' and `table_list->table' failed

Stalled

MDEV-30575 SIGSEGV in my_charlen_utf8mb3 (corruption)

Closed

(1 relates to)

Activity

Ascending order - Click to sort in descending order

Roel Van de Paar added a comment - 2022-08-23 06:02 - edited

Another testcase, not using BLOB, shows a similar crash in _ma_make_key, and
otherwise similar outcome (i.e. assert in (*select_ref)->fixed()) as explained above.

CREATE TABLE t (a INT);

INSERT INTO t VALUES();

INSERT INTO t SELECT * FROM t;

SET big_tables=1;

SELECT 1, (SELECT a FROM (SELECT 1) dt HAVING (a IN (1))) FROM t WINDOW w1 AS (ORDER BY (SELECT a FROM t GROUP BY a WINDOW w2 AS (PARTITION BY a)));

Leads to:

10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)
Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000055876ba77750 in _ma_make_key (info=0x146da0062058,
int_key=0x146e2a8b5430, keynr=<optimized out>, key=0x146da006678f "",
record=0x146da004b770 "\377", filepos=0, trid=0)
at /test/10.11_opt/storage/maria/ma_key.c:214
[Current thread is 1 (Thread 0x146e2a8b7700 (LWP 2413192))]
(gdb) bt
#0 0x000055876ba77750 in _ma_make_key (info=0x146da0062058, int_key=0x146e2a8b5430, keynr=<optimized out>, key=0x146da006678f "", record=0x146da004b770 "\377", filepos=0, trid=0) at /test/10.11_opt/storage/maria/ma_key.c:214
#1 0x000055876ba8d5e6 in maria_write (info=0x146da0062058, record=0x146da004b770 "\377") at /test/10.11_opt/storage/maria/ma_write.c:189
#2 0x000055876b6b0018 in handler::ha_write_tmp_row (buf=0x146da004b770 "\377", this=0x146da0060510) at /test/10.11_opt/include/mysql/psi/mysql_thread.h:795
#3 end_write (join=0x146da004eb48, join_tab=0x146da0054448, end_of_records=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:23256
#4 0x000055876b6854d3 in evaluate_join_record (join=join@entry=0x146da004eb48, join_tab=join_tab@entry=0x146da0054090, error=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:21993
#5 0x000055876b696feb in sub_select (end_of_records=false, join_tab=0x146da0054090, join=0x146da004eb48) at /test/10.11_opt/sql/sql_select.cc:21763
#6 sub_select (join=0x146da004eb48, join_tab=0x146da0054090, end_of_records=false) at /test/10.11_opt/sql/sql_select.cc:21692
#7 0x000055876b6c5ba1 in do_select (procedure=<optimized out>, join=0x146da004eb48) at /test/10.11_opt/sql/sql_select.cc:21308
#8 JOIN::exec_inner (this=0x146da004eb48) at /test/10.11_opt/sql/sql_select.cc:4812
#9 0x000055876b6c5f68 in JOIN::exec (this=this@entry=0x146da004eb48) at /test/10.11_opt/sql/sql_select.cc:4590
#10 0x000055876b6c4171 in mysql_select (thd=0x146da0000c58, tables=0x146da0013608, fields=@0x146da0010b48: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x146da0010da0, last = 0x146da0013530, elements = 2}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x146da0014438, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x146da004eb20, unit=0x146da0004cd0, select_lex=0x146da00108a8) at /test/10.11_opt/sql/sql_select.cc:5070
#11 0x000055876b6c48b7 in handle_select (thd=thd@entry=0x146da0000c58, lex=lex@entry=0x146da0004bf8, result=result@entry=0x146da004eb20, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.11_opt/sql/sql_select.cc:581
#12 0x000055876b6465b1 in execute_sqlcom_select (thd=0x146da0000c58, all_tables=0x146da0013608) at /test/10.11_opt/sql/sql_parse.cc:6261
#13 0x000055876b6541f8 in mysql_execute_command (thd=0x146da0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:3945
#14 0x000055876b6417b5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x146da0000c58) at /test/10.11_opt/sql/sql_parse.cc:8035
#15 mysql_parse (thd=0x146da0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7957
#16 0x000055876b64d2ca in dispatch_command (command=COM_QUERY, thd=0x146da0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1339
#17 0x000055876b64f1f2 in do_command (thd=0x146da0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
#18 0x000055876b76746f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55876ed2b218, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418
#19 0x000055876b76774d in handle_one_connection (arg=0x55876ed2b218) at /test/10.11_opt/sql/sql_connect.cc:1312
#20 0x0000146e5a1a7609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#21 0x0000146e59d93133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

Roel Van de Paar added a comment - 2022-08-23 06:02 - edited Another testcase, not using BLOB, shows a similar crash in _ma_make_key , and otherwise similar outcome (i.e. assert in (*select_ref)->fixed() ) as explained above. CREATE TABLE t (a INT ); INSERT INTO t VALUES (); INSERT INTO t SELECT * FROM t; SET big_tables=1; SELECT 1, ( SELECT a FROM ( SELECT 1) dt HAVING (a IN (1))) FROM t WINDOW w1 AS ( ORDER BY ( SELECT a FROM t GROUP BY a WINDOW w2 AS (PARTITION BY a))); Leads to: 10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized) Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x000055876ba77750 in _ma_make_key (info=0x146da0062058, int_key=0x146e2a8b5430, keynr=<optimized out>, key=0x146da006678f "", record=0x146da004b770 "\377", filepos=0, trid=0) at /test/10.11_opt/storage/maria/ma_key.c:214 [Current thread is 1 (Thread 0x146e2a8b7700 (LWP 2413192))] (gdb) bt #0 0x000055876ba77750 in _ma_make_key (info=0x146da0062058, int_key=0x146e2a8b5430, keynr=<optimized out>, key=0x146da006678f "", record=0x146da004b770 "\377", filepos=0, trid=0) at /test/10.11_opt/storage/maria/ma_key.c:214 #1 0x000055876ba8d5e6 in maria_write (info=0x146da0062058, record=0x146da004b770 "\377") at /test/10.11_opt/storage/maria/ma_write.c:189 #2 0x000055876b6b0018 in handler::ha_write_tmp_row (buf=0x146da004b770 "\377", this=0x146da0060510) at /test/10.11_opt/include/mysql/psi/mysql_thread.h:795 #3 end_write (join=0x146da004eb48, join_tab=0x146da0054448, end_of_records=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:23256 #4 0x000055876b6854d3 in evaluate_join_record (join=join@entry=0x146da004eb48, join_tab=join_tab@entry=0x146da0054090, error=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:21993 #5 0x000055876b696feb in sub_select (end_of_records=false, join_tab=0x146da0054090, join=0x146da004eb48) at /test/10.11_opt/sql/sql_select.cc:21763 #6 sub_select (join=0x146da004eb48, join_tab=0x146da0054090, end_of_records=false) at /test/10.11_opt/sql/sql_select.cc:21692 #7 0x000055876b6c5ba1 in do_select (procedure=<optimized out>, join=0x146da004eb48) at /test/10.11_opt/sql/sql_select.cc:21308 #8 JOIN::exec_inner (this=0x146da004eb48) at /test/10.11_opt/sql/sql_select.cc:4812 #9 0x000055876b6c5f68 in JOIN::exec (this=this@entry=0x146da004eb48) at /test/10.11_opt/sql/sql_select.cc:4590 #10 0x000055876b6c4171 in mysql_select (thd=0x146da0000c58, tables=0x146da0013608, fields=@0x146da0010b48: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x146da0010da0, last = 0x146da0013530, elements = 2}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x146da0014438, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x146da004eb20, unit=0x146da0004cd0, select_lex=0x146da00108a8) at /test/10.11_opt/sql/sql_select.cc:5070 #11 0x000055876b6c48b7 in handle_select (thd=thd@entry=0x146da0000c58, lex=lex@entry=0x146da0004bf8, result=result@entry=0x146da004eb20, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.11_opt/sql/sql_select.cc:581 #12 0x000055876b6465b1 in execute_sqlcom_select (thd=0x146da0000c58, all_tables=0x146da0013608) at /test/10.11_opt/sql/sql_parse.cc:6261 #13 0x000055876b6541f8 in mysql_execute_command (thd=0x146da0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:3945 #14 0x000055876b6417b5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x146da0000c58) at /test/10.11_opt/sql/sql_parse.cc:8035 #15 mysql_parse (thd=0x146da0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7957 #16 0x000055876b64d2ca in dispatch_command (command=COM_QUERY, thd=0x146da0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1339 #17 0x000055876b64f1f2 in do_command (thd=0x146da0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407 #18 0x000055876b76746f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55876ed2b218, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418 #19 0x000055876b76774d in handle_one_connection (arg=0x55876ed2b218) at /test/10.11_opt/sql/sql_connect.cc:1312 #20 0x0000146e5a1a7609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #21 0x0000146e59d93133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 Bug confirmed present in: MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt) Bug (or feature/syntax) confirmed not present in: MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

Roel Van de Paar added a comment - 2023-01-17 07:25 - edited

Another testcase which leads to a SIGSEGV in _ma_calc_blob_length

SET sql_mode='';

CREATE TABLE t (a BLOB NOT NULL,b DATE NOT NULL) ENGINE=InnoDB;

INSERT INTO t (b) VALUES (1);

SELECT 0, (SELECT a FROM (SELECT 0) dt HAVING (a IN (0))) FROM t WINDOW w0 AS (ORDER BY (SELECT a FROM t GROUP BY a WINDOW w0 AS (PARTITION BY a)));

Leads to:

11.0.1 b075191ba8598af6aff5549e6e19f6255aef258a (Optimized)
Core was generated by `/test/MD090123-mariadb-11.0.1-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 _ma_calc_blob_length (length=2,
pos=pos@entry=0x14f3ec053820 <error: Cannot access memory at address 0x14f3ec053820>) at /test/11.0_opt/storage/maria/ma_dynrec.c:1417
1417 return (uint) uint2korr(pos);
[Current thread is 1 (Thread 0x14f320404640 (LWP 444249))]
(gdb) bt
#0 _ma_calc_blob_length (length=2, pos=pos@entry=0x14f3ec053820 <error: Cannot access memory at address 0x14f3ec053820>) at /test/11.0_opt/storage/maria/ma_dynrec.c:1417
#1 0x0000557133b26d90 in _ma_unique_hash (def=def@entry=0x14f2ec07e608, record=record@entry=0x14f2ec0788d0 <incomplete sequence \374>) at /test/11.0_opt/storage/maria/ma_unique.c:140
#2 0x0000557133b75d9d in maria_write (info=0x14f2ec07ea58, record=0x14f2ec0788d0 <incomplete sequence \374>) at /test/11.0_opt/storage/maria/ma_write.c:133
#3 0x000055713378e398 in handler::ha_write_tmp_row (buf=0x14f2ec0788d0 <incomplete sequence \374>, this=0x14f2ec078bd0) at /test/11.0_opt/sql/sql_class.h:7453
#4 end_write (join=0x14f2ec049850, join_tab=0x14f2ec052210, end_of_records=<optimized out>) at /test/11.0_opt/sql/sql_select.cc:23336
#5 0x00005571337637c3 in evaluate_join_record (join=join@entry=0x14f2ec049850, join_tab=join_tab@entry=0x14f2ec051e58, error=<optimized out>) at /test/11.0_opt/sql/sql_select.cc:22073
#6 0x0000557133774dcf in sub_select (end_of_records=false, join_tab=0x14f2ec051e58, join=0x14f2ec049850) at /test/11.0_opt/sql/sql_select.cc:21843
#7 sub_select (join=0x14f2ec049850, join_tab=0x14f2ec051e58, end_of_records=<optimized out>) at /test/11.0_opt/sql/sql_select.cc:21770
#8 0x00005571337a46b8 in do_select (procedure=0x0, join=0x14f2ec049850) at /test/11.0_opt/sql/sql_select.cc:21386
#9 JOIN::exec_inner (this=0x14f2ec049850) at /test/11.0_opt/sql/sql_select.cc:4822
#10 0x00005571337a4b08 in JOIN::exec (this=this@entry=0x14f2ec049850) at /test/11.0_opt/sql/sql_select.cc:4600
#11 0x00005571337a2c11 in mysql_select (thd=0x14f2ec000c68, tables=0x14f2ec013700, fields=@0x14f2ec010b98: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14f2ec010df8, last = 0x14f2ec013628, elements = 2}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x14f2ec014568, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x14f2ec049828, unit=0x14f2ec004ce8, select_lex=0x14f2ec0108f8) at /test/11.0_opt/sql/sql_select.cc:5080
#12 0x00005571337a3354 in handle_select (thd=thd@entry=0x14f2ec000c68, lex=lex@entry=0x14f2ec004c10, result=result@entry=0x14f2ec049828, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.0_opt/sql/sql_select.cc:581
#13 0x000055713371eb25 in execute_sqlcom_select (thd=0x14f2ec000c68, all_tables=0x14f2ec013700) at /test/11.0_opt/sql/sql_parse.cc:6265
#14 0x000055713372d870 in mysql_execute_command (thd=0x14f2ec000c68, is_called_from_prepared_stmt=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:3949
#15 0x000055713372f104 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14f2ec000c68) at /test/11.0_opt/sql/sql_parse.cc:8000
#16 mysql_parse (thd=0x14f2ec000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:7922
#17 0x00005571337316e2 in dispatch_command (command=COM_QUERY, thd=0x14f2ec000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:1991
#18 0x0000557133732e80 in do_command (thd=0x14f2ec000c68, blocking=blocking@entry=true) at /test/11.0_opt/sql/sql_parse.cc:1407
#19 0x0000557133848ab7 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5571370fe0c8, put_in_cache=put_in_cache@entry=true) at /test/11.0_opt/sql/sql_connect.cc:1416
#20 0x0000557133848d8d in handle_one_connection (arg=0x5571370fe0c8) at /test/11.0_opt/sql/sql_connect.cc:1318
#21 0x000014f338ea7b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#22 0x000014f338f39a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Present in 10.3-10.11, dbg+opt builds, though dbg builds crash on crash from MDEV-28506

Roel Van de Paar added a comment - 2023-01-17 07:25 - edited Another testcase which leads to a SIGSEGV in _ma_calc_blob_length SET sql_mode= '' ; CREATE TABLE t (a BLOB NOT NULL ,b DATE NOT NULL ) ENGINE=InnoDB; INSERT INTO t (b) VALUES (1); SELECT 0, ( SELECT a FROM ( SELECT 0) dt HAVING (a IN (0))) FROM t WINDOW w0 AS ( ORDER BY ( SELECT a FROM t GROUP BY a WINDOW w0 AS (PARTITION BY a))); Leads to: 11.0.1 b075191ba8598af6aff5549e6e19f6255aef258a (Optimized) Core was generated by `/test/MD090123-mariadb-11.0.1-linux-x86_64-opt/bin/mysqld --no-defaults --core-'. Program terminated with signal SIGSEGV, Segmentation fault. #0 _ma_calc_blob_length (length=2, pos=pos@entry=0x14f3ec053820 <error: Cannot access memory at address 0x14f3ec053820>) at /test/11.0_opt/storage/maria/ma_dynrec.c:1417 1417 return (uint) uint2korr(pos); [Current thread is 1 (Thread 0x14f320404640 (LWP 444249))] (gdb) bt #0 _ma_calc_blob_length (length=2, pos=pos@entry=0x14f3ec053820 <error: Cannot access memory at address 0x14f3ec053820>) at /test/11.0_opt/storage/maria/ma_dynrec.c:1417 #1 0x0000557133b26d90 in _ma_unique_hash (def=def@entry=0x14f2ec07e608, record=record@entry=0x14f2ec0788d0 <incomplete sequence \374>) at /test/11.0_opt/storage/maria/ma_unique.c:140 #2 0x0000557133b75d9d in maria_write (info=0x14f2ec07ea58, record=0x14f2ec0788d0 <incomplete sequence \374>) at /test/11.0_opt/storage/maria/ma_write.c:133 #3 0x000055713378e398 in handler::ha_write_tmp_row (buf=0x14f2ec0788d0 <incomplete sequence \374>, this=0x14f2ec078bd0) at /test/11.0_opt/sql/sql_class.h:7453 #4 end_write (join=0x14f2ec049850, join_tab=0x14f2ec052210, end_of_records=<optimized out>) at /test/11.0_opt/sql/sql_select.cc:23336 #5 0x00005571337637c3 in evaluate_join_record (join=join@entry=0x14f2ec049850, join_tab=join_tab@entry=0x14f2ec051e58, error=<optimized out>) at /test/11.0_opt/sql/sql_select.cc:22073 #6 0x0000557133774dcf in sub_select (end_of_records=false, join_tab=0x14f2ec051e58, join=0x14f2ec049850) at /test/11.0_opt/sql/sql_select.cc:21843 #7 sub_select (join=0x14f2ec049850, join_tab=0x14f2ec051e58, end_of_records=<optimized out>) at /test/11.0_opt/sql/sql_select.cc:21770 #8 0x00005571337a46b8 in do_select (procedure=0x0, join=0x14f2ec049850) at /test/11.0_opt/sql/sql_select.cc:21386 #9 JOIN::exec_inner (this=0x14f2ec049850) at /test/11.0_opt/sql/sql_select.cc:4822 #10 0x00005571337a4b08 in JOIN::exec (this=this@entry=0x14f2ec049850) at /test/11.0_opt/sql/sql_select.cc:4600 #11 0x00005571337a2c11 in mysql_select (thd=0x14f2ec000c68, tables=0x14f2ec013700, fields=@0x14f2ec010b98: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14f2ec010df8, last = 0x14f2ec013628, elements = 2}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x14f2ec014568, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x14f2ec049828, unit=0x14f2ec004ce8, select_lex=0x14f2ec0108f8) at /test/11.0_opt/sql/sql_select.cc:5080 #12 0x00005571337a3354 in handle_select (thd=thd@entry=0x14f2ec000c68, lex=lex@entry=0x14f2ec004c10, result=result@entry=0x14f2ec049828, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.0_opt/sql/sql_select.cc:581 #13 0x000055713371eb25 in execute_sqlcom_select (thd=0x14f2ec000c68, all_tables=0x14f2ec013700) at /test/11.0_opt/sql/sql_parse.cc:6265 #14 0x000055713372d870 in mysql_execute_command (thd=0x14f2ec000c68, is_called_from_prepared_stmt=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:3949 #15 0x000055713372f104 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14f2ec000c68) at /test/11.0_opt/sql/sql_parse.cc:8000 #16 mysql_parse (thd=0x14f2ec000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:7922 #17 0x00005571337316e2 in dispatch_command (command=COM_QUERY, thd=0x14f2ec000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:1991 #18 0x0000557133732e80 in do_command (thd=0x14f2ec000c68, blocking=blocking@entry=true) at /test/11.0_opt/sql/sql_parse.cc:1407 #19 0x0000557133848ab7 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5571370fe0c8, put_in_cache=put_in_cache@entry=true) at /test/11.0_opt/sql/sql_connect.cc:1416 #20 0x0000557133848d8d in handle_one_connection (arg=0x5571370fe0c8) at /test/11.0_opt/sql/sql_connect.cc:1318 #21 0x000014f338ea7b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442 #22 0x000014f338f39a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81 Present in 10.3-10.11, dbg+opt builds, though dbg builds crash on crash from MDEV-28506

Rex Johnston added a comment - 2023-01-19 21:08

Igor's patch currently in ~~MDEV-30052~~/comments fixes this issue.

Rex Johnston added a comment - 2023-01-19 21:08 Igor's patch currently in MDEV-30052 /comments fixes this issue.

MariaDB Server

SIGSEGV's in _ma_unique_hash, _ma_make_key and _ma_calc_blob_length on SELECT (on optimized builds)

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration