
Server crash in SORT_FIELD_ATTR::compare_packed_varstrings or assertion failure


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 10.11, 11.0, 11.1, 11.2
    • 10.11, 11.1, 11.2
    • Server
    • None

    Description

      The test case only applies to 10.11+ (strictly 10.10+, but 10.10 is going EOL) because it uses RANDOM_BYTES(). The sql_mode change that drops STRICT_ALL_TABLES/STRICT_TRANS_TABLES is presumably needed so that the over-long argument RANDOM_BYTES(1025) is accepted with a warning rather than rejected with an error before the sort is reached — to be confirmed. It may be possible to substitute another function that yields a comparably over-long binary value; I tried a few but did not succeed.

      --source include/have_sequence.inc
       
      SET sql_mode= REPLACE(REPLACE(@@sql_mode,'STRICT_ALL_TABLES',''),'STRICT_TRANS_TABLES','');
      SELECT * FROM seq_1_to_2 GROUP BY RANDOM_BYTES(1025);
      

      10.11 ae0afad56ffc86f69555ae31d681232b1cd04825

      ==3287362==ERROR: AddressSanitizer: negative-size-param: (size=-2)
          #0 0x7f1e71caa36e in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
          #1 0x7f1e71caa908 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
          #2 0x7f1e71caa908 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
          #3 0x55fbb298a6d6 in my_strnncoll_binary /data/bld/10.11-rel-asan/strings/ctype-bin.c:89
          #4 0x55fbb298a6d6 in my_strnncollsp_binary /data/bld/10.11-rel-asan/strings/ctype-bin.c:128
          #5 0x55fbb1943cc2 in charset_info_st::strnncollsp(unsigned char const*, unsigned long, unsigned char const*, unsigned long) const /data/bld/10.11-rel-asan/include/m_ctype.h:1015
          #6 0x55fbb1943cc2 in SORT_FIELD_ATTR::compare_packed_varstrings(unsigned char*, unsigned long*, unsigned char*, unsigned long*) /data/bld/10.11-rel-asan/sql/filesort.cc:2853
          #7 0x55fbb1944397 in compare_packed_sort_keys(void*, unsigned char**, unsigned char**) /data/bld/10.11-rel-asan/sql/filesort.cc:2941
          #8 0x55fbb2927dd1 in my_qsort2 /data/bld/10.11-rel-asan/mysys/mf_qsort.c:131
          #9 0x55fbb1932ea0 in Filesort_buffer::sort_buffer(Sort_param const*, unsigned int) /data/bld/10.11-rel-asan/sql/filesort_utils.cc:185
          #10 0x55fbb19419c7 in SORT_INFO::sort_buffer(Sort_param*, unsigned int) /data/bld/10.11-rel-asan/sql/filesort.h:165
          #11 0x55fbb19419c7 in save_index /data/bld/10.11-rel-asan/sql/filesort.cc:1470
          #12 0x55fbb19419c7 in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /data/bld/10.11-rel-asan/sql/filesort.cc:372
          #13 0x55fbb12e88ab in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /data/bld/10.11-rel-asan/sql/sql_select.cc:25703
          #14 0x55fbb12e92d4 in st_join_table::sort_table() /data/bld/10.11-rel-asan/sql/sql_select.cc:23316
          #15 0x55fbb12e954a in join_init_read_record(st_join_table*) /data/bld/10.11-rel-asan/sql/sql_select.cc:23255
          #16 0x55fbb131ebf0 in AGGR_OP::end_send() /data/bld/10.11-rel-asan/sql/sql_select.cc:31207
          #17 0x55fbb131f63f in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /data/bld/10.11-rel-asan/sql/sql_select.cc:21956
          #18 0x55fbb13458ff in do_select /data/bld/10.11-rel-asan/sql/sql_select.cc:21793
          #19 0x55fbb13458ff in JOIN::exec_inner() /data/bld/10.11-rel-asan/sql/sql_select.cc:4885
          #20 0x55fbb1347414 in JOIN::exec() /data/bld/10.11-rel-asan/sql/sql_select.cc:4663
          #21 0x55fbb133fabd in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/10.11-rel-asan/sql/sql_select.cc:5143
          #22 0x55fbb13415b6 in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/bld/10.11-rel-asan/sql/sql_select.cc:588
          #23 0x55fbb1171487 in execute_sqlcom_select /data/bld/10.11-rel-asan/sql/sql_parse.cc:6290
          #24 0x55fbb119a68a in mysql_execute_command(THD*, bool) /data/bld/10.11-rel-asan/sql/sql_parse.cc:3961
          #25 0x55fbb119f429 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.11-rel-asan/sql/sql_parse.cc:8031
          #26 0x55fbb11a53aa in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.11-rel-asan/sql/sql_parse.cc:1894
          #27 0x55fbb11aaa25 in do_command(THD*, bool) /data/bld/10.11-rel-asan/sql/sql_parse.cc:1407
          #28 0x55fbb15987ee in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-rel-asan/sql/sql_connect.cc:1416
          #29 0x55fbb15990ec in handle_one_connection /data/bld/10.11-rel-asan/sql/sql_connect.cc:1318
          #30 0x55fbb2098bf2 in pfs_spawn_thread /data/bld/10.11-rel-asan/storage/perfschema/pfs.cc:2201
          #31 0x7f1e714a8043 in start_thread nptl/pthread_create.c:442
          #32 0x7f1e7152861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x62800000411e is located 30 bytes inside of 15704-byte region [0x628000004100,0x628000007e58)
      allocated by thread T5 here:
          #0 0x7f1e71cb89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x55fbb293f003 in my_malloc /data/bld/10.11-rel-asan/mysys/my_malloc.c:92
          #2 0x55fbb193292d in Filesort_buffer::alloc_sort_buffer(unsigned int, unsigned int) /data/bld/10.11-rel-asan/sql/filesort_utils.cc:136
          #3 0x55fbb193e856 in SORT_INFO::alloc_sort_buffer(unsigned int, unsigned int) /data/bld/10.11-rel-asan/sql/filesort.h:174
          #4 0x55fbb193e856 in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /data/bld/10.11-rel-asan/sql/filesort.cc:323
          #5 0x55fbb12e88ab in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /data/bld/10.11-rel-asan/sql/sql_select.cc:25703
          #6 0x55fbb12e92d4 in st_join_table::sort_table() /data/bld/10.11-rel-asan/sql/sql_select.cc:23316
          #7 0x55fbb12e954a in join_init_read_record(st_join_table*) /data/bld/10.11-rel-asan/sql/sql_select.cc:23255
          #8 0x55fbb131ebf0 in AGGR_OP::end_send() /data/bld/10.11-rel-asan/sql/sql_select.cc:31207
          #9 0x55fbb131f63f in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /data/bld/10.11-rel-asan/sql/sql_select.cc:21956
          #10 0x55fbb13458ff in do_select /data/bld/10.11-rel-asan/sql/sql_select.cc:21793
          #11 0x55fbb13458ff in JOIN::exec_inner() /data/bld/10.11-rel-asan/sql/sql_select.cc:4885
          #12 0x55fbb1347414 in JOIN::exec() /data/bld/10.11-rel-asan/sql/sql_select.cc:4663
          #13 0x55fbb133fabd in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/10.11-rel-asan/sql/sql_select.cc:5143
          #14 0x55fbb13415b6 in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/bld/10.11-rel-asan/sql/sql_select.cc:588
          #15 0x55fbb1171487 in execute_sqlcom_select /data/bld/10.11-rel-asan/sql/sql_parse.cc:6290
          #16 0x55fbb119a68a in mysql_execute_command(THD*, bool) /data/bld/10.11-rel-asan/sql/sql_parse.cc:3961
          #17 0x55fbb119f429 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.11-rel-asan/sql/sql_parse.cc:8031
          #18 0x55fbb11a53aa in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.11-rel-asan/sql/sql_parse.cc:1894
          #19 0x55fbb11aaa25 in do_command(THD*, bool) /data/bld/10.11-rel-asan/sql/sql_parse.cc:1407
          #20 0x55fbb15987ee in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-rel-asan/sql/sql_connect.cc:1416
          #21 0x55fbb15990ec in handle_one_connection /data/bld/10.11-rel-asan/sql/sql_connect.cc:1318
          #22 0x55fbb2098bf2 in pfs_spawn_thread /data/bld/10.11-rel-asan/storage/perfschema/pfs.cc:2201
          #23 0x7f1e714a8043 in start_thread nptl/pthread_create.c:442
       
      Thread T5 created by T0 here:
          #0 0x7f1e71c49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x55fbb2098e6f in my_thread_create /data/bld/10.11-rel-asan/storage/perfschema/my_thread.h:52
          #2 0x55fbb2098e6f in pfs_spawn_thread_v1 /data/bld/10.11-rel-asan/storage/perfschema/pfs.cc:2252
          #3 0x55fbb0e53d23 in inline_mysql_thread_create /data/bld/10.11-rel-asan/include/mysql/psi/mysql_thread.h:1139
          #4 0x55fbb0e53d23 in create_thread_to_handle_connection(CONNECT*) /data/bld/10.11-rel-asan/sql/mysqld.cc:6111
          #5 0x55fbb0e5f745 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.11-rel-asan/sql/mysqld.cc:6232
          #6 0x55fbb0e601d7 in handle_connections_sockets() /data/bld/10.11-rel-asan/sql/mysqld.cc:6356
          #7 0x55fbb0e61b18 in mysqld_main(int, char**) /data/bld/10.11-rel-asan/sql/mysqld.cc:6006
          #8 0x7f1e714461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
      

      The above is an ASAN report from a non-debug ASAN build. Note the reported size: memcmp() is reached with length -2, i.e. a length underflow in the packed varstring comparison (filesort.cc:2853) that becomes a huge unsigned count, so on a non-ASAN binary this is an out-of-bounds read over the 15704-byte sort buffer. SIGSEGVs on non-ASAN binaries were also seen, but they are not reproducible on all builds — presumably the crash depends on whether the over-read runs into an unmapped page. Since the reproducer is a plain SELECT, any authenticated client able to run such a query can take the server down (denial of service).

      Debug build variation (same commit). On a debug build the assertion fires earlier, in Type_handler_string_result::make_packed_sort_key_part() while the packed sort key is being built (find_all_keys → make_sortkey → make_packed_sortkey), i.e. before the comparison that ASAN flags on the release build is ever reached:

      10.11 ae0afad56ffc86f69555ae31d681232b1cd04825

      mariadbd: /data/src/10.11-asan/sql/filesort.cc:2609: virtual uint Type_handler_string_result::make_packed_sort_key_part(uchar*, Item*, const SORT_FIELD_ATTR*, String*) const: Assertion `0' failed.
       
      #9  0x00007fa851853e32 in __GI___assert_fail (assertion=0x556aa3784660 "0", file=0x556aa3785020 "/data/src/10.11-asan/sql/filesort.cc", line=2609, function=0x556aa37877a0 "virtual uint Type_handler_string_result::make_packed_sort_key_part(uchar*, Item*, const SORT_FIELD_ATTR*, String*) const") at ./assert/assert.c:101
      #10 0x0000556aa1aa3262 in Type_handler_string_result::make_packed_sort_key_part (this=0x556aa5709e40 <type_handler_varchar>, to=0x62800000411c '\276' <repeats 200 times>..., item=0x6290000e71b8, sort_field=0x629000273478, tmp=0x7fa849e685e8) at /data/src/10.11-asan/sql/filesort.cc:2609
      #11 0x0000556aa1aa614b in make_packed_sortkey (param=0x7fa849e68570, to=0x62800000411c '\276' <repeats 200 times>...) at /data/src/10.11-asan/sql/filesort.cc:3097
      #12 0x0000556aa1a9a9a6 in make_sortkey (param=0x7fa849e68570, to=0x628000004118 '\276' <repeats 200 times>..., ref_pos=0x61900009c708 "", using_packed_sortkeys=true) at /data/src/10.11-asan/sql/filesort.cc:1363
      #13 0x0000556aa1a97ecf in find_all_keys (thd=0x62c0000b0218, param=0x7fa849e68570, select=0x0, fs_info=0x615000011880, buffpek_pointers=0x7fa849e68820, tempfile=0x7fa849e68670, pq=0x0, found_rows=0x615000011a70) at /data/src/10.11-asan/sql/filesort.cc:979
      #14 0x0000556aa1a931f4 in filesort (thd=0x62c0000b0218, table=0x6200000150b8, filesort=0x629000272c00, tracker=0x629000272dd8, join=0x6290000e8e98, first_table_bit=1) at /data/src/10.11-asan/sql/filesort.cc:357
      #15 0x0000556aa1385459 in create_sort_index (thd=0x62c0000b0218, join=0x6290000e8e98, tab=0x629000272270, fsort=0x629000272c00) at /data/src/10.11-asan/sql/sql_select.cc:25703
      #16 0x0000556aa13736ef in st_join_table::sort_table (this=0x629000272270) at /data/src/10.11-asan/sql/sql_select.cc:23316
      #17 0x0000556aa1372cbc in join_init_read_record (tab=0x629000272270) at /data/src/10.11-asan/sql/sql_select.cc:23255
      #18 0x0000556aa13adcab in AGGR_OP::end_send (this=0x6290000e9ea0) at /data/src/10.11-asan/sql/sql_select.cc:31207
      #19 0x0000556aa136af2e in sub_select_postjoin_aggr (join=0x6290000e8e98, join_tab=0x629000272270, end_of_records=true) at /data/src/10.11-asan/sql/sql_select.cc:21956
      #20 0x0000556aa136ba8a in sub_select (join=0x6290000e8e98, join_tab=0x629000271ea8, end_of_records=true) at /data/src/10.11-asan/sql/sql_select.cc:22209
      #21 0x0000556aa136a22c in do_select (join=0x6290000e8e98, procedure=0x0) at /data/src/10.11-asan/sql/sql_select.cc:21793
      #22 0x0000556aa12f0b28 in JOIN::exec_inner (this=0x6290000e8e98) at /data/src/10.11-asan/sql/sql_select.cc:4885
      #23 0x0000556aa12ee000 in JOIN::exec (this=0x6290000e8e98) at /data/src/10.11-asan/sql/sql_select.cc:4663
      #24 0x0000556aa12f247b in mysql_select (thd=0x62c0000b0218, tables=0x6290000e6978, fields=..., conds=0x0, og_num=1, order=0x0, group=0x6290000e7268, having=0x0, proc_param=0x0, select_options=2164525824, result=0x6290000e8e68, unit=0x62c0000b46b0, select_lex=0x6290000e6310) at /data/src/10.11-asan/sql/sql_select.cc:5143
      #25 0x0000556aa12c1aae in handle_select (thd=0x62c0000b0218, lex=0x62c0000b45d8, result=0x6290000e8e68, setup_tables_done_option=0) at /data/src/10.11-asan/sql/sql_select.cc:588
      #26 0x0000556aa11e83e9 in execute_sqlcom_select (thd=0x62c0000b0218, all_tables=0x6290000e6978) at /data/src/10.11-asan/sql/sql_parse.cc:6290
      #27 0x0000556aa11d6974 in mysql_execute_command (thd=0x62c0000b0218, is_called_from_prepared_stmt=false) at /data/src/10.11-asan/sql/sql_parse.cc:3961
      #28 0x0000556aa11f2f27 in mysql_parse (thd=0x62c0000b0218, rawbuf=0x6290000e6238 "SELECT * FROM seq_1_to_2 GROUP BY RANDOM_BYTES(1025)", length=52, parser_state=0x7fa849e6a9e0) at /data/src/10.11-asan/sql/sql_parse.cc:8031
      #29 0x0000556aa11c8da7 in dispatch_command (command=COM_QUERY, thd=0x62c0000b0218, packet=0x629000258219 "", packet_length=52, blocking=true) at /data/src/10.11-asan/sql/sql_parse.cc:1894
      #30 0x0000556aa11c5ad4 in do_command (thd=0x62c0000b0218, blocking=true) at /data/src/10.11-asan/sql/sql_parse.cc:1407
      #31 0x0000556aa167efe0 in do_handle_one_connection (connect=0x608000002eb8, put_in_cache=true) at /data/src/10.11-asan/sql/sql_connect.cc:1416
      #32 0x0000556aa167e9a1 in handle_one_connection (arg=0x608000002e38) at /data/src/10.11-asan/sql/sql_connect.cc:1318
      #33 0x0000556aa227b32c in pfs_spawn_thread (arg=0x617000005b98) at /data/src/10.11-asan/storage/perfschema/pfs.cc:2201
      #34 0x00007fa8518a8044 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
      #35 0x00007fa85192861c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
      


            sanja Oleksandr Byelkin
            elenst Elena Stepanova