Details
Bug
Status: Open
Major
Resolution: Unresolved
10.5, 10.6, 10.11, 11.1(EOL), 11.2, 11.4, 11.6, 11.5(EOL)
Description
CREATE TABLE t (a GEOMETRY, b GEOMETRY DEFAULT BOUNDARY (a));
INSERT INTO t (a) VALUES ('');
This leads to the following server crash (SIGSEGV) in all listed versions:
11.2.5 a21e49cbcc5f4adb1a1b4970ceead6a85e968063 (Optimized)
Core was generated by `/test/MD190624-mariadb-11.2.5-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 Item::save_str_in_field (this=0x14bed00185d0, field=0x14bed0018218, no_conversions=<optimized out>) at /test/11.2_opt/sql/sql_string.h:359
|
[Current thread is 1 (LWP 1650342)]
|
(gdb) bt
|
#0 Item::save_str_in_field (this=0x14bed00185d0, field=0x14bed0018218, no_conversions=<optimized out>) at /test/11.2_opt/sql/sql_string.h:359
|
#1 0x00005611b41b5b57 in Item::save_in_field (this=0x14bed00185d0, field=0x14bed0018218, no_conversions=<optimized out>)at /test/11.2_opt/sql/item.cc:7003
|
#2 0x00005611b4021e76 in TABLE::update_default_fields (this=this@entry=0x14bed0017c38, ignore_errors=ignore_errors@entry=false)at /test/11.2_opt/sql/table.cc:9381
|
#3 0x00005611b3eaf34e in fill_record (thd=thd@entry=0x14bed0000c68, table_arg=table_arg@entry=0x14bed0017c38, fields=@0x14bed0005f20: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bed0011480, last = 0x14bed0011480, elements = 1}, <No data fields>}, values=@0x14bed0011958: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bed00119f0, last = 0x14bed00119f0, elements = 1}, <No data fields>}, ignore_errors=ignore_errors@entry=false, update=update@entry=false)at /test/11.2_opt/sql/sql_base.cc:9114
|
#4 0x00005611b3eaf53e in fill_record_n_invoke_before_triggers (thd=thd@entry=0x14bed0000c68, table=table@entry=0x14bed0017c38, fields=@0x14bed0005f20: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bed0011480, last = 0x14bed0011480, elements = 1}, <No data fields>}, values=@0x14bed0011958: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bed00119f0, last = 0x14bed00119f0, elements = 1}, <No data fields>}, ignore_errors=ignore_errors@entry=false, event=event@entry=TRG_EVENT_INSERT) at /test/11.2_opt/sql/sql_base.cc:9250
|
#5 0x00005611b3ee6ff7 in mysql_insert (thd=thd@entry=0x14bed0000c68, table_list=<optimized out>, fields=@0x14bed0005f20: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bed0011480, last = 0x14bed0011480, elements = 1}, <No data fields>}, values_list=@0x14bed0005f68: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bed0011a00, last = 0x14bed0011a00, elements = 1}, <No data fields>}, update_fields=@0x14bed0005f50: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5611b52cfbd0 <end_of_list>, last = 0x14bed0005f50, elements = 0}, <No data fields>}, update_values=@0x14bed0005f38: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5611b52cfbd0 <end_of_list>, last = 0x14bed0005f38, elements = 0}, <No data fields>}, duplic=DUP_ERROR, ignore=false, result=0x0)at /test/11.2_opt/sql/sql_insert.cc:1056
|
#6 0x00005611b3f1c833 in mysql_execute_command (thd=thd@entry=0x14bed0000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.2_opt/sql/sql_parse.cc:4489
|
#7 0x00005611b3f207d6 in mysql_parse (thd=0x14bed0000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.2_opt/sql/sql_parse.cc:7920
|
#8 0x00005611b3f229a5 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14bed0000c68, packet=packet@entry=0x14bed0008839 "INSERT INTO t (a) VALUES ('')", packet_length=packet_length@entry=29, blocking=blocking@entry=true)at /test/11.2_opt/sql/sql_parse.cc:1993
|
#9 0x00005611b3f24e90 in do_command (thd=0x14bed0000c68, blocking=blocking@entry=true) at /test/11.2_opt/sql/sql_parse.cc:1407
|
#10 0x00005611b40513af in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5611b77629d8, put_in_cache=put_in_cache@entry=true)at /test/11.2_opt/sql/sql_connect.cc:1439
|
#11 0x00005611b40516fd in handle_one_connection (arg=arg@entry=0x5611b77629d8)at /test/11.2_opt/sql/sql_connect.cc:1341
|
#12 0x00005611b43fd3f1 in pfs_spawn_thread (arg=0x5611b77a7698)at /test/11.2_opt/storage/perfschema/pfs.cc:2201
|
#13 0x000014bf13e97ada in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:444
|
#14 0x000014bf13f2847c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
11.2.5 a21e49cbcc5f4adb1a1b4970ceead6a85e968063 (Debug)
Core was generated by `/test/MD190624-mariadb-11.2.5-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 Item::save_str_in_field (this=0x14e4c00263d8, field=0x14e4c0025068, no_conversions=<optimized out>) at /test/11.2_dbg/sql/sql_string.h:359
|
[Current thread is 1 (LWP 1650267)]
|
(gdb) bt
|
#0 Item::save_str_in_field (this=0x14e4c00263d8, field=0x14e4c0025068, no_conversions=<optimized out>) at /test/11.2_dbg/sql/sql_string.h:359
|
#1 0x0000559a94be1e8e in Type_handler_string_result::Item_save_in_field (this=<optimized out>, item=<optimized out>, field=<optimized out>, no_conversions=<optimized out>) at /test/11.2_dbg/sql/sql_type.cc:4340
|
#2 0x0000559a94cd93f1 in Item::save_in_field (this=0x14e4c00263d8, field=0x14e4c0025068, no_conversions=<optimized out>)at /test/11.2_dbg/sql/item.cc:7003
|
#3 0x0000559a94ae7707 in TABLE::update_default_fields (this=this@entry=0x14e4c001e3e8, ignore_errors=ignore_errors@entry=false)at /test/11.2_dbg/sql/table.cc:9381
|
#4 0x0000559a9493b995 in fill_record (thd=thd@entry=0x14e4c0000d58, table_arg=table_arg@entry=0x14e4c001e3e8, fields=@0x14e4c00061d8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14e4c0013f50, last = 0x14e4c0013f50, elements = 1}, <No data fields>}, values=@0x14e4c0014428: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14e4c00144c0, last = 0x14e4c00144c0, elements = 1}, <No data fields>}, ignore_errors=ignore_errors@entry=false, update=update@entry=false)at /test/11.2_dbg/sql/sql_base.cc:9114
|
#5 0x0000559a9493bb87 in fill_record_n_invoke_before_triggers (thd=thd@entry=0x14e4c0000d58, table=table@entry=0x14e4c001e3e8, fields=@0x14e4c00061d8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14e4c0013f50, last = 0x14e4c0013f50, elements = 1}, <No data fields>}, values=@0x14e4c0014428: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14e4c00144c0, last = 0x14e4c00144c0, elements = 1}, <No data fields>}, ignore_errors=ignore_errors@entry=false, event=event@entry=TRG_EVENT_INSERT) at /test/11.2_dbg/sql/sql_base.cc:9250
|
#6 0x0000559a9497af50 in mysql_insert (thd=thd@entry=0x14e4c0000d58, table_list=0x14e4c0013718, fields=@0x14e4c00061d8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14e4c0013f50, last = 0x14e4c0013f50, elements = 1}, <No data fields>}, values_list=@0x14e4c0006220: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14e4c00144d0, last = 0x14e4c00144d0, elements = 1}, <No data fields>}, update_fields=@0x14e4c0006208: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x559a961c1100 <end_of_list>, last = 0x14e4c0006208, elements = 0}, <No data fields>}, update_values=@0x14e4c00061f0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x559a961c1100 <end_of_list>, last = 0x14e4c00061f0, elements = 0}, <No data fields>}, duplic=DUP_ERROR, ignore=false, result=0x0)at /test/11.2_dbg/sql/sql_insert.cc:1056
|
#7 0x0000559a949b6d46 in mysql_execute_command (thd=thd@entry=0x14e4c0000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.2_dbg/sql/sql_parse.cc:4489
|
#8 0x0000559a949bc010 in mysql_parse (thd=thd@entry=0x14e4c0000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14e50008b2e0)at /test/11.2_dbg/sql/sql_parse.cc:7920
|
#9 0x0000559a949be3d3 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14e4c0000d58, packet=packet@entry=0x14e4c000b2f9 "INSERT INTO t (a) VALUES ('')", packet_length=packet_length@entry=29, blocking=blocking@entry=true)at /test/11.2_dbg/sql/sql_class.h:247
|
#10 0x0000559a949c076c in do_command (thd=0x14e4c0000d58, blocking=blocking@entry=true) at /test/11.2_dbg/sql/sql_parse.cc:1407
|
#11 0x0000559a94b27c49 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x559a976748c8, put_in_cache=put_in_cache@entry=true)at /test/11.2_dbg/sql/sql_connect.cc:1439
|
#12 0x0000559a94b27f3e in handle_one_connection (arg=arg@entry=0x559a976748c8)at /test/11.2_dbg/sql/sql_connect.cc:1341
|
#13 0x0000559a94f7a52c in pfs_spawn_thread (arg=0x559a97608838)at /test/11.2_dbg/storage/perfschema/pfs.cc:2201
|
#14 0x000014e509697ada in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:444
|
#15 0x000014e50972847c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
UBSAN confirms that the crash is a null pointer dereference: it reports a member access within a null pointer of type 'struct String' in sql/item.cc, inside Item::save_str_in_field, which (as in the backtraces above) is reached from TABLE::update_default_fields during the INSERT:
11.5.0 e4afa610539ae01164485554e2de839bea9de816 (Optimized, UBASAN)
2024-07-13 7:18:41 0 [Note] /test/UBASAN_MD250524-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd: ready for connections.
|
Version: '11.5.0-MariaDB' socket: '/test/UBASAN_MD250524-mariadb-11.5.0-linux-x86_64-opt/socket.sock' port: 10643 MariaDB Server
|
/test/11.5_opt_san/sql/item.cc:6826:55: runtime error: member access within null pointer of type 'struct String'
|
#0 0x55709b4a1e2d in Item::save_str_in_field(Field*, bool) /test/11.5_opt_san/sql/item.cc:6826
|
#1 0x55709b3f07fa in Item::save_in_field(Field*, bool) /test/11.5_opt_san/sql/item.cc:6864
|
#2 0x55709a51c5de in TABLE::update_default_fields(bool) /test/11.5_opt_san/sql/table.cc:9301
|
#3 0x5570998fb297 in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /test/11.5_opt_san/sql/sql_base.cc:9079
|
#4 0x5570998fd93a in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /test/11.5_opt_san/sql/sql_base.cc:9215
|
#5 0x557099af4fbc in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/11.5_opt_san/sql/sql_insert.cc:1066
|
#6 0x557099ce8dbd in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:4447
|
#7 0x557099d05382 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
|
#8 0x557099d10853 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
|
#9 0x557099d1d428 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
|
#10 0x55709a6956fc in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
|
#11 0x55709a697cfc in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
|
#12 0x153e27c97ad9 in start_thread nptl/pthread_create.c:444
|
#13 0x153e27d2847b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
240713 7:18:42 [ERROR] mysqld got signal 11 ;
|
11.5.0 e4afa610539ae01164485554e2de839bea9de816 (Debug, UBASAN)
2024-07-13 7:19:36 0 [Note] /test/UBASAN_MD250524-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd: ready for connections.
|
Version: '11.5.0-MariaDB-debug' socket: '/test/UBASAN_MD250524-mariadb-11.5.0-linux-x86_64-dbg/socket.sock' port: 12714 MariaDB Server
|
/test/11.5_dbg_san/sql/item.cc:6826:55: runtime error: member access within null pointer of type 'struct String'
|
#0 0x559d54de767e in Item::save_str_in_field(Field*, bool) /test/11.5_dbg_san/sql/item.cc:6826
|
#1 0x559d543c62c6 in Type_handler_string_result::Item_save_in_field(Item*, Field*, bool) const /test/11.5_dbg_san/sql/sql_type.cc:4339
|
#2 0x559d54d29631 in Item::save_in_field(Field*, bool) /test/11.5_dbg_san/sql/item.cc:6864
|
#3 0x559d53c9f555 in TABLE::update_default_fields(bool) /test/11.5_dbg_san/sql/table.cc:9301
|
#4 0x559d52f91adf in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /test/11.5_dbg_san/sql/sql_base.cc:9079
|
#5 0x559d52f928b1 in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /test/11.5_dbg_san/sql/sql_base.cc:9215
|
#6 0x559d531ddc83 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/11.5_dbg_san/sql/sql_insert.cc:1066
|
#7 0x559d533e4651 in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:4447
|
#8 0x559d53403190 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
|
#9 0x559d53412ff2 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
|
#10 0x559d53421856 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
|
#11 0x559d53e530df in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
|
#12 0x559d53e545fa in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
|
#13 0x14e130e97ad9 in start_thread nptl/pthread_create.c:444
|
#14 0x14e130f2847b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
240713 7:19:38 [ERROR] mysqld got signal 11 ;
|
Bug confirmed present in:
MariaDB: 10.5.26 (dbg), 10.5.26 (opt), 10.6.19 (dbg), 10.6.19 (opt), 10.11.9 (dbg), 10.11.9 (opt), 11.1.6 (dbg), 11.1.6 (opt), 11.2.5 (dbg), 11.2.5 (opt), 11.4.3 (dbg), 11.4.3 (opt), 11.5.2 (dbg), 11.5.2 (opt), 11.6.0 (dbg), 11.6.0 (opt)
Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.44 (dbg), 5.7.44 (opt), 8.0.36 (dbg), 8.0.36 (opt)