Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-30191

SIGSEGV & heap-use-after-free in spider_db_print_item_type, SIGABRT in __cxa_pure_virtual/spider_db_print_item_type, Got error 128 "Out of memory in engine", 56/112 memory not freed, and Assertion `fixed()' failed in Item_sp_variable::val_str on SP call

    XMLWordPrintable

Details

    Description

      INSTALL PLUGIN Spider SONAME 'ha_spider.so';
      		 
      CREATE USER Spider@localhost IDENTIFIED BY 'PWD123';
      		 
      CREATE SERVER s FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER 'Spider',PASSWORD 'PWD123');
      		 
      CREATE TABLE t (c INT) ENGINE=InnoDB;
      		 
      CREATE TABLE ts (c INT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "s",TABLE "t"';
      		 
      DELIMITER $$
      		 
      CREATE PROCEDURE sp() BEGIN
      		 
      DECLARE v1 DATE; SELECT c FROM ts;
      		 
      WHILE EXISTS (SELECT 1 FROM ts WHERE c>v1 AND c<=v1) DO SELECT st.c; END WHILE;
      		 
      WHILE EXISTS (SELECT 1 FROM ts WHERE c<v1 AND EXISTS (SELECT 1 FROM t WHERE ts.c=t.c)) DO SELECT ts.c; DELETE ts FROM ts; END WHILE; 
      END $$
      		 
      DELIMITER ;
      		 
      CALL sp();

      Leads to:

      10.11.2 936436ef437c73911c18854a8ce8dad1216331b8 (Optimized)

      		 
      Core was generated by `/test/MD291122-mariadb-10.11.2-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
      		 
      Program terminated with signal SIGABRT, Aborted.
      		 
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      		 
      [Current thread is 1 (Thread 0x145774da7700 (LWP 1274163))]
      		 
      (gdb) bt
      		 
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      		 
      #1  0x000014578d6c9859 in __GI_abort () at abort.c:79
      		 
      #2  0x000014578da88911 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
      		 
      #3  0x000014578da9438c in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
      		 
      #4  0x000014578da943f7 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
      		 
      #5  0x000014578da95155 in __cxa_pure_virtual () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
      		 
      #6  0x0000145774cafb15 in spider_db_print_item_type (item=0x1457340b0a38, field=0x0, spider=0x14573407d0f0, str=0x145734084770, alias=0x0, alias_length=0, dbton_id=0, use_fields=false, fields=0x0) at /test/10.11_opt/storage/spider/spd_db_conn.cc:7384
      		 
      #7  0x0000145774d19f88 in spider_mbase_handler::append_condition (this=0x145734084710, str=0x145734084770, alias=0x0, alias_length=0, start_where=false, sql_type=<optimized out>) at /test/10.11_opt/storage/spider/spd_db_mysql.cc:11040
      		 
      #8  0x0000145774cf2661 in ha_spider::append_condition_sql_part (this=0x14573407d0f0, alias=0x0, alias_length=0, sql_type=sql_type@entry=1, test_flg=test_flg@entry=false) at /test/10.11_opt/storage/spider/ha_spider.cc:10977
      		 
      #9  0x0000145774cb0461 in spider_db_append_condition (spider=spider@entry=0x14573407d0f0, alias=alias@entry=0x0, alias_length=alias_length@entry=0, test_flg=test_flg@entry=false) at /test/10.11_opt/storage/spider/spd_db_conn.cc:8248
      		 
      #10 0x0000145774cf62e9 in ha_spider::rnd_next_internal (this=0x14573407d0f0, buf=0x14573404cdc8 "\377") at /test/10.11_opt/storage/spider/ha_spider.cc:5669
      		 
      #11 0x000055f4b2ac08b6 in handler::ha_rnd_next (this=0x14573407d0f0, buf=0x14573404cdc8 "\377") at /test/10.11_opt/sql/handler.cc:3414
      		 
      #12 0x000055f4b27a67e4 in rr_sequential (info=0x1457340b0378) at /test/10.11_opt/sql/records.h:82
      		 
      #13 0x000055f4b28bfd72 in sub_select (end_of_records=false, join_tab=0x1457340b02b0, join=0x14573407b120) at /test/10.11_opt/sql/sql_select.cc:21841
      		 
      #14 sub_select (join=0x14573407b120, join_tab=0x1457340b02b0, end_of_records=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:21771
      		 
      #15 0x000055f4b28eec51 in do_select (procedure=<optimized out>, join=0x14573407b120) at /test/10.11_opt/sql/sql_select.cc:21387
      		 
      #16 JOIN::exec_inner (this=0x14573407b120) at /test/10.11_opt/sql/sql_select.cc:4824
      		 
      #17 0x000055f4b28ef018 in JOIN::exec (this=0x14573407b120) at /test/10.11_opt/sql/sql_select.cc:4602
      		 
      #18 0x000055f4b2b93186 in subselect_single_select_engine::exec (this=0x145734070b58) at /test/10.11_opt/sql/item_subselect.cc:4101
      		 
      #19 0x000055f4b2b927dc in Item_subselect::exec (this=0x1457340709b8) at /test/10.11_opt/sql/item_subselect.cc:811
      		 
      #20 0x000055f4b2b92535 in Item_exists_subselect::val_bool (this=0x1457340709b8) at /test/10.11_opt/sql/item_subselect.cc:1853
      		 
      #21 0x000055f4b27c2033 in sp_instr_jump_if_not::exec_core (this=0x145734070be0, thd=<optimized out>, nextp=0x145774da5484) at /test/10.11_opt/sql/sp_head.cc:4161
      		 
      #22 0x000055f4b27c96f6 in sp_lex_keeper::reset_lex_and_exec_core (this=0x145734070c38, thd=0x145734000c58, nextp=<optimized out>, open_tables=<optimized out>, instr=0x145734070be0) at /test/10.11_opt/sql/sp_head.cc:3582
      		 
      #23 0x000055f4b27c3d36 in sp_head::execute (this=0x14573405cf90, thd=0x145734000c58, merge_da_on_success=true) at /test/10.11_opt/sql/sp_head.cc:1459
      		 
      #24 0x000055f4b27c575a in sp_head::execute_procedure (this=0x14573405cf90, thd=thd@entry=0x145734000c58, args=0x145734005bd8) at /test/10.11_opt/sql/sp_head.cc:2446
      		 
      #25 0x000055f4b286eb97 in do_execute_sp (thd=thd@entry=0x145734000c58, sp=sp@entry=0x14573405cf90) at /test/10.11_opt/sql/sql_parse.cc:3026
      		 
      #26 0x000055f4b28736e6 in Sql_cmd_call::execute (this=0x1457340107f8, thd=0x145734000c58) at /test/10.11_opt/sql/sql_parse.cc:3271
      		 
      #27 0x000055f4b28794d6 in mysql_execute_command (thd=0x145734000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:5999
      		 
      #28 0x000055f4b2869da5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x145734000c58) at /test/10.11_opt/sql/sql_parse.cc:7998
      		 
      #29 mysql_parse (thd=0x145734000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7920
      		 
      #30 0x000055f4b2875aea in dispatch_command (command=COM_QUERY, thd=0x145734000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1346
      		 
      #31 0x000055f4b28778d2 in do_command (thd=0x145734000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
      		 
      #32 0x000055f4b2990e8f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55f4b5316d88, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1415
      		 
      #33 0x000055f4b299116d in handle_one_connection (arg=0x55f4b5316d88) at /test/10.11_opt/sql/sql_connect.cc:1317
      		 
      #34 0x000014578dbda609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      		 
      #35 0x000014578d7c6133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      10.11.2 936436ef437c73911c18854a8ce8dad1216331b8 (Debug)

      		 
      Core was generated by `/test/MD291122-mariadb-10.11.2-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  0x000014deaa3edefb in spider_db_print_item_type (item=0x14de700ec0e0, 
          field=field@entry=0x0, spider=0x14de70099450, 
          str=str@entry=0x14de700a5b40, alias=alias@entry=0x0, 
          alias_length=alias_length@entry=0, dbton_id=0, use_fields=false, 
          fields=0x0) at /test/10.11_dbg/storage/spider/spd_db_conn.cc:7384
      		 
      7384	  switch (item->type())
      		 
      [Current thread is 1 (Thread 0x14deaa4fe700 (LWP 1803669))]
      		 
      (gdb) bt
      		 
      #0  0x000014deaa3edefb in spider_db_print_item_type (item=0x14de700ec0e0, field=field@entry=0x0, spider=0x14de70099450, str=str@entry=0x14de700a5b40, alias=alias@entry=0x0, alias_length=alias_length@entry=0, dbton_id=0, use_fields=false, fields=0x0) at /test/10.11_dbg/storage/spider/spd_db_conn.cc:7384
      		 
      #1  0x000014deaa46c133 in spider_mbase_handler::append_condition (this=this@entry=0x14de700a5ae0, str=str@entry=0x14de700a5b40, alias=alias@entry=0x0, alias_length=alias_length@entry=0, start_where=false, sql_type=sql_type@entry=1) at /test/10.11_dbg/storage/spider/spd_db_mysql.cc:11040
      		 
      #2  0x000014deaa46c287 in spider_mbase_handler::append_condition_part (this=0x14de700a5ae0, alias=0x0, alias_length=0, sql_type=1, test_flg=<optimized out>) at /test/10.11_dbg/storage/spider/spd_db_mysql.cc:10996
      		 
      #3  0x000014deaa43a2da in ha_spider::append_condition_sql_part (this=0x14de70099450, alias=0x0, alias_length=0, sql_type=sql_type@entry=1, test_flg=test_flg@entry=false) at /test/10.11_dbg/storage/spider/ha_spider.cc:10977
      		 
      #4  0x000014deaa3ee65c in spider_db_append_condition (spider=spider@entry=0x14de70099450, alias=alias@entry=0x0, alias_length=alias_length@entry=0, test_flg=test_flg@entry=false) at /test/10.11_dbg/storage/spider/spd_db_conn.cc:8248
      		 
      #5  0x000014deaa43f43c in ha_spider::rnd_next_internal (this=this@entry=0x14de70099450, buf=buf@entry=0x14de70061748 "\377") at /test/10.11_dbg/storage/spider/ha_spider.cc:5669
      		 
      #6  0x000014deaa4400f8 in ha_spider::rnd_next (this=0x14de70099450, buf=0x14de70061748 "\377") at /test/10.11_dbg/storage/spider/ha_spider.cc:5963
      		 
      #7  0x0000562911e1148a in handler::ha_rnd_next (this=0x14de70099450, buf=0x14de70061748 "\377") at /test/10.11_dbg/sql/handler.cc:3414
      		 
      #8  0x0000562911a44cbf in rr_sequential (info=0x14de700eb958) at /test/10.11_dbg/sql/records.h:82
      		 
      #9  0x0000562911b9ef37 in READ_RECORD::read_record (this=0x14de700eb958) at /test/10.11_dbg/sql/records.h:81
      		 
      #10 join_init_read_record (tab=0x14de700eb890) at /test/10.11_dbg/sql/sql_select.cc:22838
      		 
      #11 0x0000562911b85e81 in sub_select (join=0x14de70096440, join_tab=0x14de700eb890, end_of_records=false) at /test/10.11_dbg/sql/sql_select.cc:21841
      		 
      #12 0x0000562911bbaf0d in do_select (procedure=<optimized out>, join=0x14de70096440) at /test/10.11_dbg/sql/sql_select.cc:21387
      		 
      #13 JOIN::exec_inner (this=this@entry=0x14de70096440) at /test/10.11_dbg/sql/sql_select.cc:4824
      		 
      #14 0x0000562911bbb3f6 in JOIN::exec (this=0x14de70096440) at /test/10.11_dbg/sql/sql_select.cc:4602
      		 
      #15 0x0000562911f1b20c in subselect_single_select_engine::exec (this=0x14de7008be78) at /test/10.11_dbg/sql/item_subselect.cc:4101
      		 
      #16 0x0000562911f1a85a in Item_subselect::exec (this=0x14de7008bcd8) at /test/10.11_dbg/sql/item_subselect.cc:811
      		 
      #17 0x0000562911f1974d in Item_exists_subselect::val_bool (this=0x14de7008bcd8) at /test/10.11_dbg/sql/item_subselect.cc:1853
      		 
      #18 0x0000562911a68aff in sp_instr_jump_if_not::exec_core (this=0x14de7008bf00, thd=<optimized out>, nextp=0x14deaa4fc364) at /test/10.11_dbg/sql/sp_head.cc:4161
      		 
      #19 0x0000562911a72012 in sp_lex_keeper::reset_lex_and_exec_core (this=0x14de7008bf58, thd=0x14de70000d48, nextp=<optimized out>, open_tables=open_tables@entry=true, instr=<optimized out>) at /test/10.11_dbg/sql/sp_head.cc:3582
      		 
      #20 0x0000562911a72b53 in sp_instr_jump_if_not::execute (this=<optimized out>, thd=<optimized out>, nextp=<optimized out>) at /test/10.11_dbg/sql/sp_head.cc:4143
      		 
      #21 0x0000562911a6ac8e in sp_head::execute (this=this@entry=0x14de700782b0, thd=thd@entry=0x14de70000d48, merge_da_on_success=merge_da_on_success@entry=true) at /test/10.11_dbg/sql/sp_head.cc:1459
      		 
      #22 0x0000562911a6cf23 in sp_head::execute_procedure (this=0x14de700782b0, thd=thd@entry=0x14de70000d48, args=0x14de70005e88) at /test/10.11_dbg/sql/sp_head.cc:2446
      		 
      #23 0x0000562911b26973 in do_execute_sp (thd=thd@entry=0x14de70000d48, sp=sp@entry=0x14de700782b0) at /test/10.11_dbg/sql/sql_parse.cc:3026
      		 
      #24 0x0000562911b2bece in Sql_cmd_call::execute (this=0x14de700131c8, thd=0x14de70000d48) at /test/10.11_dbg/sql/sql_parse.cc:3271
      		 
      #25 0x0000562911b38a03 in mysql_execute_command (thd=thd@entry=0x14de70000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.11_dbg/sql/sql_parse.cc:5999
      		 
      #26 0x0000562911b215a6 in mysql_parse (thd=thd@entry=0x14de70000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14deaa4fd300) at /test/10.11_dbg/sql/sql_parse.cc:7998
      		 
      #27 0x0000562911b2eae1 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14de70000d48, packet=packet@entry=0x14de7000adf9 "", packet_length=packet_length@entry=9, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_class.h:1346
      		 
      #28 0x0000562911b30f1f in do_command (thd=0x14de70000d48, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407
      		 
      #29 0x0000562911c8bb27 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5629148fd928, put_in_cache=put_in_cache@entry=true) at /test/10.11_dbg/sql/sql_connect.cc:1415
      		 
      #30 0x0000562911c8bff6 in handle_one_connection (arg=0x5629148fd928) at /test/10.11_dbg/sql/sql_connect.cc:1317
      		 
      #31 0x000014dec7785609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      		 
      #32 0x000014dec7371133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      Bug confirmed present in:
      MariaDB: 10.5.19 (dbg), 10.5.19 (opt), 10.6.12 (dbg), 10.6.12 (opt), 10.7.8 (dbg), 10.7.8 (opt), 10.8.7 (dbg), 10.8.7 (opt), 10.9.5 (dbg), 10.9.5 (opt), 10.10.3 (dbg), 10.10.3 (opt), 10.11.2 (dbg), 10.11.2 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.4.28 (dbg), 10.4.28 (opt)

      Observed UniqueID's for this testcase accross versions:

      SIGABRT|__cxa_pure_virtual|spider_db_print_item_type|spider_mbase_handler::append_condition|ha_spider::append_condition_sql_part
      		 
      SIGSEGV|spider_db_print_item_type|spider_mbase_handler::append_condition|spider_mbase_handler::append_condition_part|ha_spider::append_condition_sql_part

      Attachments

        Issue Links

          is caused by

          Task - A task that needs to be done. MDEV-19002 Partition performance optimization

          • Major - Major loss of function.
          • Stalled
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-26541 Undefined symbol: _ZTI12ha_partition when attempting to use ha_spider.so in UBSAN builds

          • Major - Major loss of function.
          • Closed
          split from

          Bug - A problem which impairs or prevents the functions of the product. MDEV-27438 Spider: crash in spider_sys_open_table, directly after crash recovery finished

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              ycp Yuchen Pei
              Roel Roel Van de Paar
              Votes:
              1 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.