[MDEV-30351] crash in Item_func_left::val_str - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.3.37, 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11
Fix Version/s: 10.4.29, 10.5.20, 10.6.13, 10.8.8, 10.9.6, 10.10.4, 11.0.2, 11.1.1
Component/s: Data types, Optimizer
Labels:
- crash
Environment:
linux x64

Description

Version: '11.0.0-preview-MariaDB'  socket: 's'  port: 3333  MariaDB Server

Thread 17 "mysqld" received signal SIGSEGV, Segmentation fault.

(gdb) bt

#0  String::charpos at ./sql/sql_string.h:1062

#1  Item_func_left::val_str at ./sql/item_strfunc.cc:1867

#2  in in_string::set at ./sql/item_cmpfunc.cc:3700

#3  in Item_func_in::fix_in_vector at ./sql/item_cmpfunc.cc:4514

#4  in Item_func_in::fix_for_scalar_comparison_using_bisection at ./sql/item_cmpfunc.h:2548

#5  in Type_handler_string_result::Item_func_in_fix_comparator_compatible_types at ./sql/sql_type.cc:5864

#6  in Item_func_in::fix_length_and_dec at ./sql/item_cmpfunc.cc:4480

#7  in Item_func::fix_fields at ./sql/item_func.cc:362

#8  in Item::fix_fields_if_needed at ./sql/item.h:1147

#9  in Item::fix_fields_if_needed_for_scalar at ./sql/item.h:1156

#10 in setup_fields at ./sql/sql_base.cc:7978

#11 in mysql_do at ./sql/sql_do.cc:32

#12 in mysql_execute_command at ./sql/sql_parse.cc:3978

#13 in mysql_parse at ./sql/sql_parse.cc:8000

#14 in dispatch_command at ./sql/sql_parse.cc:1894

#15 in do_command at ./sql/sql_parse.cc:1408

#16 in do_handle_one_connection at ./sql/sql_connect.cc:1416

#17 in handle_one_connection at ./sql/sql_connect.cc:1318

How to Repeat:

set @e:= current_timestamp ;

do cast(2 as char(14))

not in(

 left(weight_string(@e),

 version()),

 sha1(month(18446744073709551615))

);

Attachments

Issue Links

is duplicated by

MDEV-31433 SIGSEGV in charset_info_st::charpos | Charset::charpos

Closed

relates to

MDEV-24742 Server crashes in Charset::numchars / String::numchars

Closed

Activity

Ascending order - Click to sort in descending order

Daniel Black added a comment - 2023-01-06 00:36

10.3-758c24dae2c1e03f6c0837028e7e7f931497a9b5
0x000000000094a174 in String::charpos (this=0x7fff900122f0, i=10, offset=0) at /home/dan/repos/mariadb-server-10.3/sql/sql_string.cc:691
691 return (int)str_charset->cset->charpos(str_charset,Ptr+offset,Ptr+str_length,(size_t)i);
(gdb) bt full
#0 0x000000000094a174 in String::charpos (this=0x7fff900122f0, i=10, offset=0) at /home/dan/repos/mariadb-server-10.3/sql/sql_string.cc:691
No locals.
#1 Item_func_left::val_str (this=0x7fff90011cc0, str=<optimized out>) at /home/dan/repos/mariadb-server-10.3/sql/item_strfunc.cc:1650
res = 0x7fff900122f0
length = <optimized out>
char_pos = <optimized out>
#2 0x00000000008e184d in in_string::set (this=<optimized out>, pos=<optimized out>, item=0x0) at /home/dan/repos/mariadb-server-10.3/sql/item_cmpfunc.cc:3583
str = 0x7fff900122f0
res = <optimized out>
#3 0x00000000007e5ddd in Item_func_in::fix_in_vector (this=0x7fff900120b8) at /home/dan/repos/mariadb-server-10.3/sql/item_cmpfunc.cc:4271
i = 1
j = 0
i = <optimized out>
#4 Item_func_in::fix_for_scalar_comparison_using_bisection (this=0x7fff900120b8, thd=0x7fff90000c58) at /home/dan/repos/mariadb-server-10.3/sql/item_cmpfunc.h:2357
No locals.
#5 Type_handler_string_result::Item_func_in_fix_comparator_compatible_types (this=<optimized out>, thd=0x7fff90000c58, func=0x7fff900120b8) at /home/dan/repos/mariadb-server-10.3/sql/sql_type.cc:3954
No locals.
#6 0x00000000008e3afe in Item_func_in::fix_length_and_dec (this=0x7fff900120b8) at /home/dan/repos/mariadb-server-10.3/sql/item_cmpfunc.cc:4238
thd = 0x7fff90000c58
found_types = 1
#7 0x0000000000910d35 in Item_func::fix_fields (this=0x7fff900120b8, thd=0x7fff90000c58, ref=<optimized out>) at /home/dan/repos/mariadb-server-10.3/sql/item_func.cc:370
arg_end = <optimized out>
arg = <optimized out>
buff = <optimized out>
#8 0x000000000061bde0 in Item::fix_fields_if_needed (this=0x7fff900120b8, thd=0x7fff90000c58, ref=0x7fff90012248) at /home/dan/repos/mariadb-server-10.3/sql/item.h:831
No locals.
#9 Item::fix_fields_if_needed_for_scalar (this=0x7fff900120b8, thd=0x7fff90000c58, ref=0x7fff90012248) at /home/dan/repos/mariadb-server-10.3/sql/item.h:835
No locals.
#10 setup_fields (thd=0x7fff90000c58, ref_pointer_array={m_array = 0x0, m_size = 0}, fields=@0x7fff90012228: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7fff90012240, last = 0x7fff90012240, elements = 1}, <No data fields>}, column_usage=<optimized out>, sum_func_list=0x0, pre_fix=0x0, allow_sum_func=<optimized out>) at /home/dan/repos/mariadb-server-10.3/sql/sql_base.cc:7544
saved_column_usage = MARK_COLUMNS_READ
save_allow_sum_func = {map = 0}
it = {<base_list_iterator> = {list = <optimized out>, el = 0x7fff90012240, prev = <optimized out>, current = 0x7fff90012240}, <No data fields>}
make_pre_fix = false
save_is_item_list_lookup = false
li = <optimized out>
var = <optimized out>
ref = {m_array = 0x0, m_size = <synthetic pointer>}
item = 0x7fff900120b8
#11 0x0000000000a10530 in mysql_do (thd=0x0, values=@0x7fff90012228: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7fff90012240, last = 0x7fff90012240, elements = 1}, <No data fields>}) at /home/dan/repos/mariadb-server-10.3/sql/sql_do.cc:32
li = {<base_list_iterator> = {list = 0x7fff90012228, el = 0x7fff90012228, prev = 0x0, current = 0x0}, <No data fields>}
value = <optimized out>
#12 0x000000000067f077 in mysql_execute_command (thd=0x7fff90000c58) at /home/dan/repos/mariadb-server-10.3/sql/sql_parse.cc:3900
res = 0
up_result = 0
lex = 0x7fff90004890
select_lex = <optimized out>
first_table = 0x0
unit = 0x7fff90004950
have_table_map_for_update = <optimized out>
all_tables = 0x0
rpl_filter = <optimized out>
orig_binlog_format = <optimized out>
orig_current_stmt_binlog_format = <optimized out>
error = <optimized out>
wsrep_error_label = <optimized out>
#13 0x000000000067ba41 in mysql_parse (thd=0x7fff90000c58, rawbuf=0x7fff90011750 "do cast(2 as char(14)) not in( left(weight_string(@e), version()), sha1(month(18446744073709551615)) )", length=110, parser_state=0x7ffff424b6d0, is_com_multi=<optimized out>, is_next_command=false) at /home/dan/repos/mariadb-server-10.3/sql/sql_parse.cc:7855
found_semicolon = <optimized out>
error = <optimized out>
lex = 0x7fff90004890
err = false
#14 0x00000000006791ba in dispatch_command (command=COM_QUERY, thd=0x7fff90000c58, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=false, is_next_command=false) at /home/dan/repos/mariadb-server-10.3/sql/sql_parse.cc:1852
parser_state = {m_lip = {lookahead_token = -1, lookahead_yylval = 0x0, m_thd = 0x7fff90000c58, m_ptr = 0x7fff900117bf "\004", m_tok_start = 0x7fff900117bf "\004", m_tok_end = 0x7fff900117bf "\004", m_end_of_query = 0x7fff900117be "", m_tok_start_prev = 0x7fff900117be "", m_buf = 0x7fff90011750 "do cast(2 as char(14)) not in( left(weight_string(@e), version()), sha1(month(18446744073709551615)) )", m_buf_length = 110, m_echo = true, m_echo_saved = false, m_cpp_buf = 0x7fff90011818 "do cast(2 as char(14)) not in( left(weight_string(@e), version()), sha1(month(18446744073709551615)) )", m_cpp_ptr = 0x7fff90011886 "", m_cpp_tok_start = 0x7fff90011886 "", m_cpp_tok_start_prev = 0x7fff90011886 "", m_cpp_tok_end = 0x7fff90011886 "", m_body_utf8 = 0x0, m_body_utf8_ptr = 0x0, m_cpp_utf8_processed_ptr = 0x0, next_state = MY_LEX_END, found_semicolon = 0x0, ignore_space = false, stmt_prepare_mode = false, multi_statements = true, yylineno = 1, m_digest = 0x0, in_comment = NO_COMMENT, in_comment_saved = NO_COMMENT, m_cpp_text_start = 0x7fff9001186d "18446744073709551615)) )", m_cpp_text_end = 0x7fff90011881 ")) )", m_underscore_cs = 0x0}, m_yacc = {yacc_yyss = 0x0, yacc_yyvs = 0x0, m_set_signal_info = {m_item = {0x0 <repeats 12 times>}}, m_lock_type = TL_READ_DEFAULT, m_mdl_type = MDL_SHARED_READ}, m_digest_psi = 0x0}
packet_end = <optimized out>
net = <optimized out>
error = false
do_end_of_statement = true
drop_more_results = false
#15 0x00000000006875be in do_command (thd=0x7fff90000c58) at /home/dan/repos/mariadb-server-10.3/sql/sql_parse.cc:1398
packet = <optimized out>
packet_length = <optimized out>
net = <optimized out>
command = COM_QUERY
return_value = <optimized out>
#16 0x000000000078bed8 in do_handle_one_connection (connect=<optimized out>) at /home/dan/repos/mariadb-server-10.3/sql/sql_connect.cc:1404
create_user = true
thr_create_utime = <optimized out>
thd = 0x7fff90000c58
#17 0x000000000078bc93 in handle_one_connection (arg=0x1eae508) at /home/dan/repos/mariadb-server-10.3/sql/sql_connect.cc:1309
connect = 0x1eae508
#18 0x00007ffff78ae14d in start_thread () from /lib64/libc.so.6
No symbol table info available.
#19 0x00007ffff792fa00 in clone3 () from /lib64/libc.so.6
No symbol table info available.
(gdb) p *this
$1 = {<Sql_alloc> = {<No data fields>}, Ptr = 0x7fff90011698 "2023-01-06 11:28:31", str_length = 19, Alloced_length = 24, extra_alloc = 0, alloced = true, thread_specific = false, str_charset = 0x0}
(gdb) list
686
687 int String::charpos(longlong i,uint32 offset)
688 {
689 if (i <= 0)
690 return (int)i;
691 return (int)str_charset->cset->charpos(str_charset,Ptr+offset,Ptr+str_length,(size_t)i);
692 }
693
694 int String::strstr(const String &s,uint32 offset)
695 {

So str_charset is null

Daniel Black added a comment - 2023-01-06 00:36 10.3-758c24dae2c1e03f6c0837028e7e7f931497a9b5 0x000000000094a174 in String::charpos (this=0x7fff900122f0, i=10, offset=0) at /home/dan/repos/mariadb-server-10.3/sql/sql_string.cc:691 691 return (int)str_charset->cset->charpos(str_charset,Ptr+offset,Ptr+str_length,(size_t)i); (gdb) bt full #0 0x000000000094a174 in String::charpos (this=0x7fff900122f0, i=10, offset=0) at /home/dan/repos/mariadb-server-10.3/sql/sql_string.cc:691 No locals. #1 Item_func_left::val_str (this=0x7fff90011cc0, str=<optimized out>) at /home/dan/repos/mariadb-server-10.3/sql/item_strfunc.cc:1650 res = 0x7fff900122f0 length = <optimized out> char_pos = <optimized out> #2 0x00000000008e184d in in_string::set (this=<optimized out>, pos=<optimized out>, item=0x0) at /home/dan/repos/mariadb-server-10.3/sql/item_cmpfunc.cc:3583 str = 0x7fff900122f0 res = <optimized out> #3 0x00000000007e5ddd in Item_func_in::fix_in_vector (this=0x7fff900120b8) at /home/dan/repos/mariadb-server-10.3/sql/item_cmpfunc.cc:4271 i = 1 j = 0 i = <optimized out> #4 Item_func_in::fix_for_scalar_comparison_using_bisection (this=0x7fff900120b8, thd=0x7fff90000c58) at /home/dan/repos/mariadb-server-10.3/sql/item_cmpfunc.h:2357 No locals. #5 Type_handler_string_result::Item_func_in_fix_comparator_compatible_types (this=<optimized out>, thd=0x7fff90000c58, func=0x7fff900120b8) at /home/dan/repos/mariadb-server-10.3/sql/sql_type.cc:3954 No locals. #6 0x00000000008e3afe in Item_func_in::fix_length_and_dec (this=0x7fff900120b8) at /home/dan/repos/mariadb-server-10.3/sql/item_cmpfunc.cc:4238 thd = 0x7fff90000c58 found_types = 1 #7 0x0000000000910d35 in Item_func::fix_fields (this=0x7fff900120b8, thd=0x7fff90000c58, ref=<optimized out>) at /home/dan/repos/mariadb-server-10.3/sql/item_func.cc:370 arg_end = <optimized out> arg = <optimized out> buff = <optimized out> #8 0x000000000061bde0 in Item::fix_fields_if_needed (this=0x7fff900120b8, thd=0x7fff90000c58, ref=0x7fff90012248) at /home/dan/repos/mariadb-server-10.3/sql/item.h:831 No locals. #9 Item::fix_fields_if_needed_for_scalar (this=0x7fff900120b8, thd=0x7fff90000c58, ref=0x7fff90012248) at /home/dan/repos/mariadb-server-10.3/sql/item.h:835 No locals. #10 setup_fields (thd=0x7fff90000c58, ref_pointer_array={m_array = 0x0, m_size = 0}, fields=@0x7fff90012228: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7fff90012240, last = 0x7fff90012240, elements = 1}, <No data fields>}, column_usage=<optimized out>, sum_func_list=0x0, pre_fix=0x0, allow_sum_func=<optimized out>) at /home/dan/repos/mariadb-server-10.3/sql/sql_base.cc:7544 saved_column_usage = MARK_COLUMNS_READ save_allow_sum_func = {map = 0} it = {<base_list_iterator> = {list = <optimized out>, el = 0x7fff90012240, prev = <optimized out>, current = 0x7fff90012240}, <No data fields>} make_pre_fix = false save_is_item_list_lookup = false li = <optimized out> var = <optimized out> ref = {m_array = 0x0, m_size = <synthetic pointer>} item = 0x7fff900120b8 #11 0x0000000000a10530 in mysql_do (thd=0x0, values=@0x7fff90012228: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7fff90012240, last = 0x7fff90012240, elements = 1}, <No data fields>}) at /home/dan/repos/mariadb-server-10.3/sql/sql_do.cc:32 li = {<base_list_iterator> = {list = 0x7fff90012228, el = 0x7fff90012228, prev = 0x0, current = 0x0}, <No data fields>} value = <optimized out> #12 0x000000000067f077 in mysql_execute_command (thd=0x7fff90000c58) at /home/dan/repos/mariadb-server-10.3/sql/sql_parse.cc:3900 res = 0 up_result = 0 lex = 0x7fff90004890 select_lex = <optimized out> first_table = 0x0 unit = 0x7fff90004950 have_table_map_for_update = <optimized out> all_tables = 0x0 rpl_filter = <optimized out> orig_binlog_format = <optimized out> orig_current_stmt_binlog_format = <optimized out> error = <optimized out> wsrep_error_label = <optimized out> #13 0x000000000067ba41 in mysql_parse (thd=0x7fff90000c58, rawbuf=0x7fff90011750 "do cast(2 as char(14)) not in( left(weight_string(@e), version()), sha1(month(18446744073709551615)) )", length=110, parser_state=0x7ffff424b6d0, is_com_multi=<optimized out>, is_next_command=false) at /home/dan/repos/mariadb-server-10.3/sql/sql_parse.cc:7855 found_semicolon = <optimized out> error = <optimized out> lex = 0x7fff90004890 err = false #14 0x00000000006791ba in dispatch_command (command=COM_QUERY, thd=0x7fff90000c58, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=false, is_next_command=false) at /home/dan/repos/mariadb-server-10.3/sql/sql_parse.cc:1852 parser_state = {m_lip = {lookahead_token = -1, lookahead_yylval = 0x0, m_thd = 0x7fff90000c58, m_ptr = 0x7fff900117bf "\004", m_tok_start = 0x7fff900117bf "\004", m_tok_end = 0x7fff900117bf "\004", m_end_of_query = 0x7fff900117be "", m_tok_start_prev = 0x7fff900117be "", m_buf = 0x7fff90011750 "do cast(2 as char(14)) not in( left(weight_string(@e), version()), sha1(month(18446744073709551615)) )", m_buf_length = 110, m_echo = true, m_echo_saved = false, m_cpp_buf = 0x7fff90011818 "do cast(2 as char(14)) not in( left(weight_string(@e), version()), sha1(month(18446744073709551615)) )", m_cpp_ptr = 0x7fff90011886 "", m_cpp_tok_start = 0x7fff90011886 "", m_cpp_tok_start_prev = 0x7fff90011886 "", m_cpp_tok_end = 0x7fff90011886 "", m_body_utf8 = 0x0, m_body_utf8_ptr = 0x0, m_cpp_utf8_processed_ptr = 0x0, next_state = MY_LEX_END, found_semicolon = 0x0, ignore_space = false, stmt_prepare_mode = false, multi_statements = true, yylineno = 1, m_digest = 0x0, in_comment = NO_COMMENT, in_comment_saved = NO_COMMENT, m_cpp_text_start = 0x7fff9001186d "18446744073709551615)) )", m_cpp_text_end = 0x7fff90011881 ")) )", m_underscore_cs = 0x0}, m_yacc = {yacc_yyss = 0x0, yacc_yyvs = 0x0, m_set_signal_info = {m_item = {0x0 <repeats 12 times>}}, m_lock_type = TL_READ_DEFAULT, m_mdl_type = MDL_SHARED_READ}, m_digest_psi = 0x0} packet_end = <optimized out> net = <optimized out> error = false do_end_of_statement = true drop_more_results = false #15 0x00000000006875be in do_command (thd=0x7fff90000c58) at /home/dan/repos/mariadb-server-10.3/sql/sql_parse.cc:1398 packet = <optimized out> packet_length = <optimized out> net = <optimized out> command = COM_QUERY return_value = <optimized out> #16 0x000000000078bed8 in do_handle_one_connection (connect=<optimized out>) at /home/dan/repos/mariadb-server-10.3/sql/sql_connect.cc:1404 create_user = true thr_create_utime = <optimized out> thd = 0x7fff90000c58 #17 0x000000000078bc93 in handle_one_connection (arg=0x1eae508) at /home/dan/repos/mariadb-server-10.3/sql/sql_connect.cc:1309 connect = 0x1eae508 #18 0x00007ffff78ae14d in start_thread () from /lib64/libc.so.6 No symbol table info available. #19 0x00007ffff792fa00 in clone3 () from /lib64/libc.so.6 No symbol table info available. (gdb) p *this $1 = {<Sql_alloc> = {<No data fields>}, Ptr = 0x7fff90011698 "2023-01-06 11:28:31", str_length = 19, Alloced_length = 24, extra_alloc = 0, alloced = true, thread_specific = false, str_charset = 0x0} (gdb) list 686 687 int String::charpos(longlong i,uint32 offset) 688 { 689 if (i <= 0) 690 return (int)i; 691 return (int)str_charset->cset->charpos(str_charset,Ptr+offset,Ptr+str_length,(size_t)i); 692 } 693 694 int String::strstr(const String &s,uint32 offset) 695 { So str_charset is null

Daniel Black added a comment - 2023-03-30 01:15

Simpler test:

SELECT UNHEX('0032') in (LEFT(UNHEX('003200'), 2),'dog');

bar can you review https://github.com/MariaDB/server/pull/2542 please. I and/or Weijun Huang can incorporate improved tests or implementation.

Daniel Black added a comment - 2023-03-30 01:15 Simpler test: SELECT UNHEX( '0032' ) in ( LEFT (UNHEX( '003200' ), 2), 'dog' ); bar can you review https://github.com/MariaDB/server/pull/2542 please. I and/or Weijun Huang can incorporate improved tests or implementation.

Alexander Barkov added a comment - 2023-03-30 04:30

Please find review comments in https://github.com/MariaDB/server/pull/2542
Thanks.

Alexander Barkov added a comment - 2023-03-30 04:30 Please find review comments in https://github.com/MariaDB/server/pull/2542 Thanks.

Daniel Black added a comment - 2023-03-31 03:56 - edited

Thanks Weijun Huang for the fix

Daniel Black added a comment - 2023-03-31 03:56 - edited Thanks Weijun Huang for the fix

MariaDB Server

crash in Item_func_left::val_str

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration