[MDEV-33197] SIGSEGV and UBSAN member access [within/on] null pointer in spider_db_get_row_from_tmp_tbl, Assertion in spider_db_errorno and SIGSEGV in spider_db_store_result - Jira

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.4(EOL), 10.5, 10.6, 10.11, 11.0(EOL), 11.1(EOL), 11.2, 11.3(EOL), 11.4, 11.6, 11.7
Fix Version/s: 10.5, 10.6, 10.11, 11.2, 11.4, 11.6
Component/s: Storage Engine - Spider
Labels:

Description

INSTALL PLUGIN Spider SONAME 'ha_spider.so';

CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');

CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;

INSERT INTO t VALUES (1,0,0),(2,0,0);

CREATE TABLE t1 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';

SET spider_disable_group_by_handler=1, spider_quick_page_byte=0, spider_bgs_mode=1;

SELECT * FROM t1;

Leads to:

11.4.0 9bd95e914f3f12d0d9d93e7a1f2c49e6e8841f17 (Optimized)
Core was generated by `/test/MD271223-mariadb-11.4.0-linux-x86_64-opt/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000014e33c0679e1 in spider_db_get_row_from_tmp_tbl (
current=0x14e2a0015a48, row=row@entry=0x14e33c165938)
at /test/11.4_opt/storage/spider/spd_db_conn.cc:2326
[Current thread is 1 (Thread 0x14e33c168640 (LWP 1622666))]
(gdb) bt
#0 0x000014e33c0679e1 in spider_db_get_row_from_tmp_tbl (current=0x14e2a0015a48, row=row@entry=0x14e33c165938) at /test/11.4_opt/storage/spider/spd_db_conn.cc:2326
#1 0x000014e33c0683c9 in spider_db_fetch_minimum_columns (spider=spider@entry=0x14e30c05cbe0, buf=0x14e30c212af8 "\374\002", table=0x14e30c2126e8, result_list=0x14e30c05d1a8) at /test/11.4_opt/storage/spider/spd_db_conn.cc:2655
#2 0x000014e33c06b9ab in spider_db_fetch (buf=<optimized out>, spider=0x14e30c05cbe0, table=<optimized out>) at /test/11.4_opt/storage/spider/spd_db_conn.cc:3956
#3 0x000014e33c06bc69 in spider_db_seek_next (buf=buf@entry=0x14e30c212af8 "\374\002", spider=spider@entry=0x14e30c05cbe0, link_idx=<optimized out>, table=0x14e30c212af8) at /test/11.4_opt/storage/spider/spd_db_conn.cc:4406
#4 0x000014e33c0b6c90 in ha_spider::rnd_next_internal (this=0x14e30c05cbe0, buf=<optimized out>) at /test/11.4_opt/storage/spider/ha_spider.cc:5772
#5 0x00005615b2311cf7 in handler::ha_rnd_next (this=0x14e30c05cbe0, buf=0x14e30c212af8 "\374\002") at /test/11.4_opt/sql/handler.cc:3627
#6 0x00005615b1fb9144 in rr_sequential (info=0x14e30c023660) at /test/11.4_opt/sql/records.cc:513
#7 0x00005615b20d89d7 in READ_RECORD::read_record (this=0x14e30c023660) at /test/11.4_opt/sql/records.h:81
#8 sub_select (join=0x14e30c012330, join_tab=0x14e30c023590, end_of_records=false) at /test/11.4_opt/sql/sql_select.cc:23517
#9 0x00005615b210ba9f in do_select (procedure=<optimized out>, join=0x14e30c012330) at /test/11.4_opt/sql/sql_select.cc:23017
#10 JOIN::exec_inner (this=0x14e30c012330) at /test/11.4_opt/sql/sql_select.cc:4940
#11 0x00005615b210beee in JOIN::exec (this=this@entry=0x14e30c012330) at /test/11.4_opt/sql/sql_select.cc:4726
#12 0x00005615b2109e6c in mysql_select (thd=0x14e30c000c68, tables=0x14e30c0111a0, fields=<optimized out>, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x14e30c012308, unit=0x14e30c004f20, select_lex=0x14e30c010b80) at /test/11.4_opt/sql/sql_select.cc:5249
#13 0x00005615b210a664 in handle_select (thd=thd@entry=0x14e30c000c68, lex=lex@entry=0x14e30c004e40, result=result@entry=0x14e30c012308, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.4_opt/sql/sql_select.cc:628
#14 0x00005615b207edd5 in execute_sqlcom_select (thd=0x14e30c000c68, all_tables=0x14e30c0111a0) at /test/11.4_opt/sql/sql_parse.cc:6029
#15 0x00005615b208df72 in mysql_execute_command (thd=0x14e30c000c68, is_called_from_prepared_stmt=<optimized out>) at /test/11.4_opt/sql/sql_parse.cc:3924
#16 0x00005615b208f346 in mysql_parse (thd=0x14e30c000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.4_opt/sql/sql_parse.cc:7748
#17 0x00005615b2091aed in dispatch_command (command=COM_QUERY, thd=0x14e30c000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.4_opt/sql/sql_parse.cc:1992
#18 0x00005615b20938a0 in do_command (thd=0x14e30c000c68, blocking=blocking@entry=true) at /test/11.4_opt/sql/sql_parse.cc:1406
#19 0x00005615b21bda1f in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/11.4_opt/sql/sql_connect.cc:1418
#20 0x00005615b21bdd6d in handle_one_connection (arg=arg@entry=0x5615b44b2188) at /test/11.4_opt/sql/sql_connect.cc:1320
#21 0x00005615b2567561 in pfs_spawn_thread (arg=0x5615b44d9b38) at /test/11.4_opt/storage/perfschema/pfs.cc:2201
#22 0x000014e354c94ac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#23 0x000014e354d26660 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

11.4.0 9bd95e914f3f12d0d9d93e7a1f2c49e6e8841f17 (Debug)

mariadbd: /test/11.4_dbg/storage/spider/spd_db_conn.cc:672: int spider_db_errorno(SPIDER_CONN*): Assertion `((&(&conn->mta_conn_mutex)->m_mutex)->count > 0 && pthread_equal(pthread_self(), (&(&conn->mta_conn_mutex)->m_mutex)->thread))' failed.

11.4.0 9bd95e914f3f12d0d9d93e7a1f2c49e6e8841f17 (Debug)
Core was generated by `/test/MD271223-mariadb-11.4.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=23427545036352)
at ./nptl/pthread_kill.c:44
[Current thread is 1 (Thread 0x154ea67ff640 (LWP 1630543))]
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=23427545036352) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=23427545036352) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=23427545036352, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x0000154f11842476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x0000154f118287f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x0000154f1182871b in __assert_fail_base (fmt=0x154f119dd130 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x154efc1c88d0 "((&(&conn->mta_conn_mutex)->m_mutex)->count > 0 && pthread_equal(pthread_self(), (&(&conn->mta_conn_mutex)->m_mutex)->thread))", file=0x154efc1c87b0 "/test/11.4_dbg/storage/spider/spd_db_conn.cc", line=672, function=<optimized out>) at ./assert/assert.c:92
#6 0x0000154f11839e96 in __GI___assert_fail (assertion=0x154efc1c88d0 "((&(&conn->mta_conn_mutex)->m_mutex)->count > 0 && pthread_equal(pthread_self(), (&(&conn->mta_conn_mutex)->m_mutex)->thread))", file=0x154efc1c87b0 "/test/11.4_dbg/storage/spider/spd_db_conn.cc", line=672, function=0x154efc1c89a8 "int spider_db_errorno(SPIDER_CONN*)") at ./assert/assert.c:101
#7 0x0000154efc125cfb in spider_db_errorno (conn=conn@entry=0x154ec423ea58) at /test/11.4_dbg/storage/spider/spd_db_conn.cc:672
#8 0x0000154efc12b642 in spider_db_store_result (spider=spider@entry=0x154ec40aaca0, link_idx=0, table=0x154ec40c0968) at /test/11.4_dbg/storage/spider/spd_db_conn.cc:3304
#9 0x0000154efc1434af in spider_bg_conn_action (arg=0x154ec423ea58) at /test/11.4_dbg/storage/spider/spd_conn.cc:2672
#10 0x0000154f11894ac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#11 0x0000154f11926660 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Bug confirmed present in:
MariaDB: 10.11.7 (dbg), 10.11.7 (opt), 11.0.5 (dbg), 11.0.5 (opt), 11.1.4 (dbg), 11.1.4 (opt), 11.2.3 (dbg), 11.2.3 (opt), 11.3.2 (dbg), 11.3.2 (opt), 11.4.0 (dbg), 11.4.0 (opt)

Attachments

Issue Links

relates to

MDEV-32238 Add a switch to disable spider group by handler

Closed

SIGSEGV and UBSAN member access [within/on] null pointer in spider_db_get_row_from_tmp_tbl, Assertion in spider_db_errorno and SIGSEGV in spider_db_store_result

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration