[MDEV-31523] Using two temporary tables in OPTIMIZE TABLE lead to crash - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 11.2(EOL)
Fix Version/s: 10.4.33, 10.5.24, 10.6.17, 10.11.7, 11.0.5, 11.1.4, 11.2.3
Component/s: OTHER
Labels:
- UBSAN

Description

CREATE TEMPORARY TABLE t1 (c INT) ENGINE=MyISAM;

CREATE TEMPORARY TABLE t2 (c INT) ENGINE=MyISAM;

PREPARE s FROM 'optimize TABLE t1,t2';

EXECUTE s;

SHOW TABLES;

Leads to

11.2.0 acb02f646ebbd8b100c30621b92dcc0e2e4db7b3 (Optimized, UBASAN)
/test/mtest/MDEV-5816/11.1_opt_san/sql/sql_show.cc:5315:44: runtime error: member access within null pointer of type 'struct TABLE'
#0 0x5564335b3acb in get_all_tables(THD, TABLE_LIST, Item*) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_show.cc:5315
#1 0x5564335bc9bc in get_schema_tables_result(JOIN*, enum_schema_table_state) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_show.cc:9129
#2 0x5564334b801c in JOIN::exec_inner() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4890
#3 0x5564334be849 in JOIN::exec() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4710
#4 0x5564334abc6c in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:5239
#5 0x5564334af873 in handle_select(THD, LEX, select_result*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:627
#6 0x55643308bb3f in execute_sqlcom_select /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:6030
#7 0x5564330da217 in mysql_execute_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:3944
#8 0x55643305b2f0 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:7769
#9 0x5564330b09a8 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1892
#10 0x5564330bc14d in do_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1405
#11 0x5564339ec6bd in do_handle_one_connection(CONNECT*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1416
#12 0x5564339eed2c in handle_one_connection /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1318
#13 0x150b40c80608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#14 0x150b3fef5132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

230622 7:06:53 [ERROR] mysqld got signal 11 ;

Setup

Compiled with GCC 9.4.0

-DWITH_UBSAN=ON -DCMAKE_CXX_FLAGS=-static-libasan

Attachments

Activity

Ascending order - Click to sort in descending order

View 7 older comments

Oleksandr Byelkin added a comment - 2024-01-10 09:41

ramesh it has nothing to do not only with UBSAN but also with prepared statements:

CREATE TEMPORARY TABLE t1 (c INT) ENGINE=MyISAM;

CREATE TEMPORARY TABLE t2 (c INT) ENGINE=MyISAM;

optimize TABLE t1,t2;

SHOW TABLES;

Oleksandr Byelkin added a comment - 2024-01-10 09:41 ramesh it has nothing to do not only with UBSAN but also with prepared statements: CREATE TEMPORARY TABLE t1 (c INT) ENGINE=MyISAM; CREATE TEMPORARY TABLE t2 (c INT) ENGINE=MyISAM; optimize TABLE t1,t2; SHOW TABLES;

Oleksandr Byelkin added a comment - 2024-01-10 12:56

It looks like only OPTIMIZE TABLE affected.

There is no way to see temporary tables created by user before 11.2, so versions before 11.2 is not affected.

SELECT opens its tables in any case so it is not afected.

Oleksandr Byelkin added a comment - 2024-01-10 12:56 It looks like only OPTIMIZE TABLE affected. There is no way to see temporary tables created by user before 11.2, so versions before 11.2 is not affected. SELECT opens its tables in any case so it is not afected.

Oleksandr Byelkin added a comment - 2024-01-11 10:26

commit f807a9f874a8079d95bc71c9f27216e4d952f157 (HEAD -> bb-10.4-MDEV-31523, origin/bb-10.4-MDEV-31523)

Author: Oleksandr Byelkin <sanja@mariadb.com>

Date:   Thu Jan 11 11:21:32 2024 +0100

    MDEV-31523 Using two temporary tables in OPTIMIZE TABLE lead to crash

    Fixed typo in mysql_admin_table which cused call of

    close_unused_temporary_table_instances alwas for the first table

    instead of the current table.

    Added ASSERT that close_unused_temporary_table_instances should not

    remove all instances of user created temporary table.

Oleksandr Byelkin added a comment - 2024-01-11 10:26 commit f807a9f874a8079d95bc71c9f27216e4d952f157 (HEAD -> bb-10.4-MDEV-31523, origin/bb-10.4-MDEV-31523) Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Thu Jan 11 11:21:32 2024 +0100 MDEV-31523 Using two temporary tables in OPTIMIZE TABLE lead to crash Fixed typo in mysql_admin_table which cused call of close_unused_temporary_table_instances alwas for the first table instead of the current table. Added ASSERT that close_unused_temporary_table_instances should not remove all instances of user created temporary table.

Sergei Golubchik added a comment - 2024-01-11 19:09

f807a9f874a is ok to push

Sergei Golubchik added a comment - 2024-01-11 19:09 f807a9f874a is ok to push

Roel Van de Paar added a comment - 2024-06-21 07:15 - edited

Observed the following crash in 11.2.5:

11.2.5 a21e49cbcc5f4adb1a1b4970ceead6a85e968063 (Optimized)
Core was generated by `/test/MD180624-mariadb-11.2.5-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 get_all_tables (thd=0x155374000c68, tables=0x155374011340, cond=<optimized out>) at /test/11.2_opt/sql/sql_show.cc:5385
[Current thread is 1 (LWP 556454)]
(gdb) bt
#0 get_all_tables (thd=0x155374000c68, tables=0x155374011340, cond=<optimized out>) at /test/11.2_opt/sql/sql_show.cc:5385
#1 0x0000559427472ffe in get_schema_tables_result (join=join@entry=0x155374011dc8, executed_place=executed_place@entry=PROCESSED_BY_JOIN_EXEC)at /test/11.2_opt/sql/sql_show.cc:9328
#2 0x00005594274551bd in JOIN::exec_inner (this=this@entry=0x155374011dc8)at /test/11.2_opt/sql/sql_select.cc:4975
#3 0x0000559427455a5e in JOIN::exec (this=this@entry=0x155374011dc8)at /test/11.2_opt/sql/sql_select.cc:4795
#4 0x00005594274539bc in mysql_select (thd=thd@entry=0x155374000c68, tables=0x155374011340, fields=@0x155374005ad0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1553740112c8, last = 0x1553740112c8, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x155374011da0, unit=0x155374004fe0, select_lex=0x155374005818)at /test/11.2_opt/sql/sql_select.cc:5333
#5 0x00005594274541b4 in handle_select (thd=thd@entry=0x155374000c68, lex=lex@entry=0x155374004f00, result=result@entry=0x155374011da0, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/11.2_opt/sql/sql_select.cc:628
#6 0x00005594273c75e5 in execute_sqlcom_select (thd=thd@entry=0x155374000c68, all_tables=0x155374011340) at /test/11.2_opt/sql/sql_parse.cc:6161
#7 0x00005594273d626f in mysql_execute_command (thd=thd@entry=0x155374000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.2_opt/sql/sql_parse.cc:3984
#8 0x00005594273d77d6 in mysql_parse (thd=0x155374000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.2_opt/sql/sql_parse.cc:7920
#9 0x00005594273d99a5 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x155374000c68, packet=packet@entry=0x1553748aaea9 "SHOW TABLES;", packet_length=packet_length@entry=12, blocking=blocking@entry=true)at /test/11.2_opt/sql/sql_parse.cc:1993
#10 0x00005594273dbe90 in do_command (thd=0x155374000c68, blocking=blocking@entry=true) at /test/11.2_opt/sql/sql_parse.cc:1407
#11 0x00005594275083af in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55942a55ce68, put_in_cache=put_in_cache@entry=true)at /test/11.2_opt/sql/sql_connect.cc:1439
#12 0x00005594275086fd in handle_one_connection (arg=arg@entry=0x55942a55ce68)at /test/11.2_opt/sql/sql_connect.cc:1341
#13 0x00005594278b43f1 in pfs_spawn_thread (arg=0x55942a5108a8)at /test/11.2_opt/storage/perfschema/pfs.cc:2201
#14 0x00001553bb697ada in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:444
#15 0x00001553bb72847c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Note the crashing query is again SHOW TABLES;
All testcase creation attempts for this occurence have failed thus far.
NTS: KEEP/983261/121

Roel Van de Paar added a comment - 2024-06-21 07:15 - edited Observed the following crash in 11.2.5: 11.2.5 a21e49cbcc5f4adb1a1b4970ceead6a85e968063 (Optimized) Core was generated by `/test/MD180624-mariadb-11.2.5-linux-x86_64-opt/bin/mariadbd --no-defaults --max'. Program terminated with signal SIGSEGV, Segmentation fault. #0 get_all_tables (thd=0x155374000c68, tables=0x155374011340, cond=<optimized out>) at /test/11.2_opt/sql/sql_show.cc:5385 [Current thread is 1 (LWP 556454)] (gdb) bt #0 get_all_tables (thd=0x155374000c68, tables=0x155374011340, cond=<optimized out>) at /test/11.2_opt/sql/sql_show.cc:5385 #1 0x0000559427472ffe in get_schema_tables_result (join=join@entry=0x155374011dc8, executed_place=executed_place@entry=PROCESSED_BY_JOIN_EXEC)at /test/11.2_opt/sql/sql_show.cc:9328 #2 0x00005594274551bd in JOIN::exec_inner (this=this@entry=0x155374011dc8)at /test/11.2_opt/sql/sql_select.cc:4975 #3 0x0000559427455a5e in JOIN::exec (this=this@entry=0x155374011dc8)at /test/11.2_opt/sql/sql_select.cc:4795 #4 0x00005594274539bc in mysql_select (thd=thd@entry=0x155374000c68, tables=0x155374011340, fields=@0x155374005ad0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1553740112c8, last = 0x1553740112c8, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x155374011da0, unit=0x155374004fe0, select_lex=0x155374005818)at /test/11.2_opt/sql/sql_select.cc:5333 #5 0x00005594274541b4 in handle_select (thd=thd@entry=0x155374000c68, lex=lex@entry=0x155374004f00, result=result@entry=0x155374011da0, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/11.2_opt/sql/sql_select.cc:628 #6 0x00005594273c75e5 in execute_sqlcom_select (thd=thd@entry=0x155374000c68, all_tables=0x155374011340) at /test/11.2_opt/sql/sql_parse.cc:6161 #7 0x00005594273d626f in mysql_execute_command (thd=thd@entry=0x155374000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.2_opt/sql/sql_parse.cc:3984 #8 0x00005594273d77d6 in mysql_parse (thd=0x155374000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.2_opt/sql/sql_parse.cc:7920 #9 0x00005594273d99a5 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x155374000c68, packet=packet@entry=0x1553748aaea9 "SHOW TABLES;", packet_length=packet_length@entry=12, blocking=blocking@entry=true)at /test/11.2_opt/sql/sql_parse.cc:1993 #10 0x00005594273dbe90 in do_command (thd=0x155374000c68, blocking=blocking@entry=true) at /test/11.2_opt/sql/sql_parse.cc:1407 #11 0x00005594275083af in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55942a55ce68, put_in_cache=put_in_cache@entry=true)at /test/11.2_opt/sql/sql_connect.cc:1439 #12 0x00005594275086fd in handle_one_connection (arg=arg@entry=0x55942a55ce68)at /test/11.2_opt/sql/sql_connect.cc:1341 #13 0x00005594278b43f1 in pfs_spawn_thread (arg=0x55942a5108a8)at /test/11.2_opt/storage/perfschema/pfs.cc:2201 #14 0x00001553bb697ada in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:444 #15 0x00001553bb72847c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 Note the crashing query is again SHOW TABLES; All testcase creation attempts for this occurence have failed thus far. NTS: KEEP/983261/121

People

Assignee:: Oleksandr Byelkin

Reporter:: Ramesh Sivaraman

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2023-06-22 04:13

Updated:: 2024-06-21 07:33

Resolved:: 2024-01-12 11:30

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server