Details
- Type: Bug
- Status: Open
- Priority: Critical
- Resolution: Unresolved
- Affects Version/s: 10.5, 10.6, 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4, 11.5(EOL)
- None
- None
Description
CREATE TABLE t (c1 BIT,UNIQUE KEY(c1) USING HASH) ENGINE=MyISAM;
INSERT INTO t VALUES (0);
CHECK TABLE t;
INSERT INTO t VALUES();
On debug builds, the CHECK TABLE statement of the above testcase already crashes with a different stack; that crash is MDEV-28514.
11.5.0 929c2e06aae47f2dabf51b843ac84911de95bc7f (Optimized)
Core was generated by `/test/MD290224-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00005622194c41c8 in I_P_List<MDL_ticket, I_P_List_adapter<MDL_ticket, &MDL_ticket::next_in_context, &MDL_ticket::prev_in_context>, I_P_List_null_counter, I_P_List_no_push_back<MDL_ticket> >::remove (this=<optimized out>, a=0x1531b0014130) at /test/server_opt/sql/sql_plist.h:122
[Current thread is 1 (Thread 0x1531ec1c1700 (LWP 1304697))]
(gdb) bt
#0 0x00005622194c41c8 in I_P_List<MDL_ticket, I_P_List_adapter<MDL_ticket, &MDL_ticket::next_in_context, &MDL_ticket::prev_in_context>, I_P_List_null_counter, I_P_List_no_push_back<MDL_ticket> >::remove (this=<optimized out>, a=0x1531b0014130) at /test/server_opt/sql/sql_plist.h:122
#1 MDL_context::release_lock (this=<optimized out>, duration=<optimized out>, ticket=0x1531b0014130) at /test/server_opt/sql/mdl.cc:2908
#2 0x00005622194c424f in MDL_context::release_locks_stored_before (this=this@entry=0x1531b0000db0, duration=duration@entry=MDL_STATEMENT, sentinel=sentinel@entry=0x0) at /test/server_opt/sql/mdl.cc:2956
#3 0x00005622194c457a in MDL_context::release_transactional_locks (this=0x1531b0000db0, thd=thd@entry=0x1531b0000c58) at /test/server_opt/sql/mdl.cc:3141
#4 0x000056221938cca8 in THD::release_transactional_locks (this=0x1531b0000c58) at /test/server_opt/sql/sql_class.h:5333
#5 mysql_execute_command (thd=0x1531b0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/server_opt/sql/sql_parse.cc:5945
#6 0x0000562219379786 in mysql_parse (thd=0x1531b0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/server_opt/sql/sql_parse.cc:7815
#7 0x0000562219385e95 in dispatch_command (command=COM_QUERY, thd=0x1531b0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/server_opt/sql/sql_class.h:1604
#8 0x000056221938821e in do_command (thd=0x1531b0000c58, blocking=blocking@entry=true) at /test/server_opt/sql/sql_parse.cc:1406
#9 0x00005622194b9137 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/server_opt/sql/sql_connect.cc:1437
#10 0x00005622194b947d in handle_one_connection (arg=arg@entry=0x56221cc56a88) at /test/server_opt/sql/sql_connect.cc:1339
#11 0x000056221986a41c in pfs_spawn_thread (arg=0x56221cc370d8) at /test/server_opt/storage/perfschema/pfs.cc:2201
#12 0x0000153201a04609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#13 0x00001532015f0133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
Bug confirmed present in:
MariaDB: 10.5.25 (opt), 10.6.18 (opt), 10.11.8 (opt), 11.0.6 (opt), 11.1.4 (opt), 11.2.4 (opt), 11.3.2 (opt), 11.4.2 (opt), 11.5.0 (opt)
Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.33 (opt)
The UBSAN build crashes with a different stack (including the 10.4 build):
10.5.25 d57c44f62635d6afe026345c11b13f543741e83e (Optimized, UBASAN)
==729806==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000104d8 at pc 0x5603f173ce33 bp 0x149ced8cf050 sp 0x149ced8cf040
READ of size 1 at 0x6060000104d8 thread T32
#0 0x5603f173ce32 in Field::is_null(long long) const /test/server_opt_san/sql/field.h:1394
#1 0x5603f173ce32 in Item_field::hash_not_null(Hasher*) /test/server_opt_san/sql/item.h:3527
#2 0x5603f33aacbf in Item_func_hash::val_int() /test/server_opt_san/sql/item_func.cc:1753
#3 0x5603f3042442 in Item::save_int_in_field(Field*, bool) /test/server_opt_san/sql/item.cc:6891
#4 0x5603f2f8fafc in Item::save_in_field(Field*, bool) /test/server_opt_san/sql/item.cc:6901
#5 0x5603f22f6e34 in TABLE::update_virtual_fields(handler*, enum_vcol_update_mode) /test/server_opt_san/sql/table.cc:8765
#6 0x5603f18a2051 in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /test/server_opt_san/sql/sql_base.cc:8642
#7 0x5603f18a4a6a in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /test/server_opt_san/sql/sql_base.cc:8770
#8 0x5603f1a5ca51 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/server_opt_san/sql/sql_insert.cc:1024
#9 0x5603f1c5e495 in mysql_execute_command(THD*) /test/server_opt_san/sql/sql_parse.cc:4643
#10 0x5603f1bdeb0d in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/server_opt_san/sql/sql_parse.cc:8196
#11 0x5603f1c3d94f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/server_opt_san/sql/sql_parse.cc:1891
#12 0x5603f1c49ad2 in do_command(THD*) /test/server_opt_san/sql/sql_parse.cc:1375
#13 0x5603f2465488 in do_handle_one_connection(CONNECT*, bool) /test/server_opt_san/sql/sql_connect.cc:1415
#14 0x5603f2467afc in handle_one_connection /test/server_opt_san/sql/sql_connect.cc:1317
#15 0x149d14d43608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#16 0x149d13fb8132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)