MariaDB Server
MDEV-30575

SIGSEGV in my_charlen_utf8mb3 (corruption)

    Description

      This bug is really interesting. First we have:

      CREATE TABLE t (c CHAR(10),PRIMARY KEY(c)) CHARSET=utf8 ENGINE=InnoDB;
      INSERT INTO t VALUES (1);
      SELECT * FROM t AS a JOIN t WINDOW b AS (PARTITION BY t.c AND 1 BETWEEN (SELECT * FROM t GROUP BY t.c WINDOW d AS (PARTITION BY t.c)) AND 1);
      

      which will produce this specific charset-related SIGSEGV on optimized builds:

      11.0.1 b075191ba8598af6aff5549e6e19f6255aef258a (Optimized)

      Core was generated by `/test/MD090123-mariadb-11.0.1-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  my_charlen_utf8mb3 (cs=0x5627ba060a80 <my_charset_utf8mb3_general_ci>, 
          s=0x14fd6404b029 <error: Cannot access memory at address 0x14fd6404b029>, 
          e=0x14fd6404b047 <error: Cannot access memory at address 0x14fd6404b047>)
          at /test/11.0_opt/strings/ctype-utf8.c:5468
      [Current thread is 1 (Thread 0x14fc9a46c640 (LWP 1492803))]
      (gdb) bt
      #0  my_charlen_utf8mb3 (cs=0x5627ba060a80 <my_charset_utf8mb3_general_ci>, s=0x14fd6404b029 <error: Cannot access memory at address 0x14fd6404b029>, e=0x14fd6404b047 <error: Cannot access memory at address 0x14fd6404b047>) at /test/11.0_opt/strings/ctype-utf8.c:5468
      #1  0x00005627b9715126 in my_ismbchar (end=0x14fd6404b047 <error: Cannot access memory at address 0x14fd6404b047>, str=0x14fd6404b029 <error: Cannot access memory at address 0x14fd6404b029>, cs=0x5627ba060a80 <my_charset_utf8mb3_general_ci>) at /test/11.0_opt/include/m_ctype.h:1788
      #2  my_charpos_mb (cs=0x5627ba060a80 <my_charset_utf8mb3_general_ci>, pos=0x14fd6404b029 <error: Cannot access memory at address 0x14fd6404b029>, end=0x14fd6404b047 <error: Cannot access memory at address 0x14fd6404b047>, length=10) at /test/11.0_opt/strings/ctype-mb.c:326
      #3  0x00005627b94b170b in my_ci_charpos (pos=<optimized out>, e=<optimized out>, b=0x14fd6404b029 <error: Cannot access memory at address 0x14fd6404b029>, cs=0x5627ba060a80 <my_charset_utf8mb3_general_ci>) at /test/11.0_opt/include/m_ctype.h:1105
      #4  hp_charpos (num=<optimized out>, e=<optimized out>, b=0x14fd6404b029 <error: Cannot access memory at address 0x14fd6404b029>, cs=0x5627ba060a80 <my_charset_utf8mb3_general_ci>) at /test/11.0_opt/storage/heap/hp_hash.c:27
      #5  hp_rec_hashnr (keydef=keydef@entry=0x14fc64057478, rec=rec@entry=0x14fc640528c0 "\375\001") at /test/11.0_opt/storage/heap/hp_hash.c:315
      #6  0x00005627b94b4b56 in hp_write_key (info=<optimized out>, keyinfo=0x14fc64057478, record=0x14fc640528c0 "\375\001", recpos=0x14fc64057978 "") at /test/11.0_opt/storage/heap/hp_write.c:349
      #7  0x00005627b94b4694 in heap_write (info=0x14fc6401a388, record=0x14fc640528c0 "\375\001") at /test/11.0_opt/storage/heap/hp_write.c:52
      #8  0x00005627b94af880 in ha_heap::write_row (this=0x14fc64052370, buf=<optimized out>) at /test/11.0_opt/storage/heap/ha_heap.cc:239
      #9  0x00005627b9058398 in handler::ha_write_tmp_row (buf=0x14fc640528c0 "\375\001", this=0x14fc64052370) at /test/11.0_opt/sql/sql_class.h:7453
      #10 end_write (join=0x14fc640453f0, join_tab=0x14fc6404f4d8, end_of_records=<optimized out>) at /test/11.0_opt/sql/sql_select.cc:23336
      #11 0x00005627b9140039 in JOIN_CACHE::generate_full_extensions (rec_ptr=0x14fc64052cc8 "\001", this=0x14fc64050058) at /test/11.0_opt/sql/sql_join_cache.cc:2478
      #12 JOIN_CACHE::generate_full_extensions (this=0x14fc64050058, rec_ptr=0x14fc64052cc8 "\001") at /test/11.0_opt/sql/sql_join_cache.cc:2461
      #13 0x00005627b914043e in JOIN_CACHE::join_matching_records (this=0x14fc64050058, skip_last=false) at /test/11.0_opt/sql/sql_join_cache.cc:2370
      #14 0x00005627b913fd81 in JOIN_CACHE::join_records (this=this@entry=0x14fc64050058, skip_last=skip_last@entry=false) at /test/11.0_opt/sql/sql_join_cache.cc:2151
      #15 0x00005627b903f30a in sub_select_cache (join=0x14fc640453f0, join_tab=0x14fc6404f120, end_of_records=<optimized out>) at /test/11.0_opt/sql/sql_select.cc:21615
      #16 0x00005627b906e579 in do_select (procedure=<optimized out>, join=0x14fc640453f0) at /test/11.0_opt/sql/sql_select.cc:21388
      #17 JOIN::exec_inner (this=0x14fc640453f0) at /test/11.0_opt/sql/sql_select.cc:4822
      #18 0x00005627b906eb08 in JOIN::exec (this=this@entry=0x14fc640453f0) at /test/11.0_opt/sql/sql_select.cc:4600
      #19 0x00005627b906cc11 in mysql_select (thd=0x14fc64000c68, tables=0x14fc64010ed8, fields=@0x14fc64010b88: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14fc64010e80, last = 0x14fc64045d70, elements = 2}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x14fc64013528, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x14fc64014670, unit=0x14fc64004ce8, select_lex=0x14fc640108e8) at /test/11.0_opt/sql/sql_select.cc:5080
      #20 0x00005627b906d354 in handle_select (thd=thd@entry=0x14fc64000c68, lex=lex@entry=0x14fc64004c10, result=result@entry=0x14fc64014670, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.0_opt/sql/sql_select.cc:581
      #21 0x00005627b8fe8b25 in execute_sqlcom_select (thd=0x14fc64000c68, all_tables=0x14fc64010ed8) at /test/11.0_opt/sql/sql_parse.cc:6265
      #22 0x00005627b8ff7870 in mysql_execute_command (thd=0x14fc64000c68, is_called_from_prepared_stmt=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:3949
      #23 0x00005627b8ff9104 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14fc64000c68) at /test/11.0_opt/sql/sql_parse.cc:8000
      #24 mysql_parse (thd=0x14fc64000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:7922
      #25 0x00005627b8ffb6e2 in dispatch_command (command=COM_QUERY, thd=0x14fc64000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:1991
      #26 0x00005627b8ffce80 in do_command (thd=0x14fc64000c68, blocking=blocking@entry=true) at /test/11.0_opt/sql/sql_parse.cc:1407
      #27 0x00005627b9112ab7 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5627bbbffbd8, put_in_cache=put_in_cache@entry=true) at /test/11.0_opt/sql/sql_connect.cc:1416
      #28 0x00005627b9112d8d in handle_one_connection (arg=0x5627bbbffbd8) at /test/11.0_opt/sql/sql_connect.cc:1318
      #29 0x000014fcb7134b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
      #30 0x000014fcb71c6a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
      

      (Sidenote: note the "Cannot access memory at address" messages. No UBSAN nor ASAN issues were observed.)
      On debug builds, however, this testcase produces the field->table == table SIGABRT also seen in MDEV-28515/MDEV-29052/MDEV-29353, which seems unrelated to the charset issue described here. If the CHARSET=utf8 clause is removed from the testcase above, the server will instead SIGSEGV in my_hash_sort_simple, i.e. MDEV-29052.
      In summary: the charset issue described here looks to be a standalone issue, different from the other existing bugs. Likely, when the charset issue is resolved, the other bugs will still apply (and the testcase will thus still crash), but those crashes can be handled in the other tickets.

      People

        Assignee: Unassigned
        Reporter: Roel Van de Paar