  2. MDEV-34639

SIGSEGV in ha_spider::field_exchange and UBSAN: runtime error: member access within null pointer of type 'struct Field' on attempting to update a VIEW


Details

    Description

      The stack for this bug is similar to the MDEV-29018 stack; however, no UNION is used here, and we get a UBSAN error rather than an ASAN error. It looks like a separate bug.

      -- Reproduction for MDEV-34639: UPDATE through a VIEW over a Spider table.
      -- Loads the Spider storage engine; requires ha_spider.so to be present in the plugin dir.
      INSTALL PLUGIN Spider SONAME 'ha_spider.so';
      -- Data source for Spider. Test-only settings: local socket, empty password.
      CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock', DATABASE 'test', USER 'Spider', PASSWORD '');
      -- Backing table that the Spider table forwards to (presumably on the same
      -- server, reached over the socket above -- verify against the test setup).
      CREATE TABLE t1 (c1 INT,c2 INT) ENGINE=MyISAM;
      -- Spider table bound to t1 via server srv.
      CREATE TABLE t2 (c1 INT,c2 INT) ENGINE=Spider COMMENT='WRAPPER "mysql", SRV "srv", TABLE "t1"';
      -- Plain view over the Spider table; no UNION involved (contrast MDEV-29018).
      CREATE VIEW v AS SELECT * FROM t2;
      -- Triggers the crash: ha_spider::field_exchange is reached with field=0x0
      -- from set_searched_bitmap during rnd_init (see the backtraces below),
      -- i.e. a NULL Field dereference. Any session able to run this UPDATE
      -- takes the server down, so this is a crash/availability issue.
      UPDATE v SET c1=1;
      

      Leads to:

      11.2.5 03807c8449cdccbf5b8afc0dddabb1d8ec7ba85a (Debug)

      Core was generated by `/test/MD200724-mariadb-11.2.5-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x0000151074177aad in ha_spider::field_exchange (this=this@entry=0x151050149220, field=0x0)at /test/11.2_dbg/storage/spider/ha_spider.cc:9090
      [Current thread is 1 (LWP 3108202)]
      (gdb) bt
      #0  0x0000151074177aad in ha_spider::field_exchange (this=this@entry=0x151050149220, field=0x0)at /test/11.2_dbg/storage/spider/ha_spider.cc:9090
      #1  0x0000151074177dc5 in ha_spider::set_searched_bitmap (this=this@entry=0x151050149220)at /test/11.2_dbg/storage/spider/ha_spider.cc:9330
      #2  0x00001510741786d3 in ha_spider::set_select_column_mode (this=this@entry=0x151050149220)at /test/11.2_dbg/storage/spider/ha_spider.cc:9426
      #3  0x000015107418e1d5 in ha_spider::rnd_init (this=0x151050149220, scan=<optimized out>) at /test/11.2_dbg/storage/spider/ha_spider.cc:5438
      #4  0x000056247ac70797 in handler::ha_rnd_init (scan=true, this=0x151050149220)at /test/11.2_dbg/sql/handler.h:3493
      #5  handler::ha_rnd_init_with_error (this=0x151050149220, scan=scan@entry=true)at /test/11.2_dbg/sql/handler.cc:3893
      #6  0x000056247a8770bf in init_read_record (info=info@entry=0x1510801639d0, thd=thd@entry=0x151050000d58, table=table@entry=0x1510502b3108, select=select@entry=0x0, filesort=filesort@entry=0x0, use_record_cache=use_record_cache@entry=0, print_error=true, disable_rr_cache=false) at /test/11.2_dbg/sql/records.cc:327
      #7  0x000056247aa7479d in Sql_cmd_update::update_single_table (this=<optimized out>, thd=0x151050000d58)at /test/11.2_dbg/sql/sql_update.cc:859
      #8  0x000056247aa75d38 in Sql_cmd_update::execute_inner (this=0x151050014000, thd=0x151050000d58) at /test/11.2_dbg/sql/sql_update.cc:3076
      #9  0x000056247a9a0d83 in Sql_cmd_dml::execute (this=0x151050014000, thd=0x151050000d58) at /test/11.2_dbg/sql/sql_select.cc:33791
      #10 0x000056247a95d1c4 in mysql_execute_command (thd=thd@entry=0x151050000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.2_dbg/sql/sql_parse.cc:4433
      #11 0x000056247a962753 in mysql_parse (thd=thd@entry=0x151050000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1510801642e0)at /test/11.2_dbg/sql/sql_parse.cc:7920
      #12 0x000056247a964ada in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x151050000d58, packet=packet@entry=0x15105000b309 "UPDATE v SET c1=1", packet_length=packet_length@entry=17, blocking=blocking@entry=true)at /test/11.2_dbg/sql/sql_class.h:247
      #13 0x000056247a966dff in do_command (thd=0x151050000d58, blocking=blocking@entry=true) at /test/11.2_dbg/sql/sql_parse.cc:1407
      #14 0x000056247aacde61 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56247d8419c8, put_in_cache=put_in_cache@entry=true)at /test/11.2_dbg/sql/sql_connect.cc:1439
      #15 0x000056247aace156 in handle_one_connection (arg=arg@entry=0x56247d8419c8)at /test/11.2_dbg/sql/sql_connect.cc:1341
      #16 0x000056247af1f192 in pfs_spawn_thread (arg=0x56247d7b6a18)at /test/11.2_dbg/storage/perfschema/pfs.cc:2201
      #17 0x0000151097c97ada in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:444
      #18 0x0000151097d2847c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      11.2.5 03807c8449cdccbf5b8afc0dddabb1d8ec7ba85a (Optimized)

      Core was generated by `/test/MD200724-mariadb-11.2.5-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x000014a0581531cd in ha_spider::field_exchange (this=this@entry=0x14a02c096980, field=0x0)at /test/11.2_opt/storage/spider/ha_spider.cc:9091
      [Current thread is 1 (LWP 3107650)]
      (gdb) bt
      #0  0x000014a0581531cd in ha_spider::field_exchange (this=this@entry=0x14a02c096980, field=0x0)at /test/11.2_opt/storage/spider/ha_spider.cc:9091
      #1  0x000014a05815352e in ha_spider::set_searched_bitmap (this=0x14a02c096980)at /test/11.2_opt/storage/spider/ha_spider.cc:9330
      #2  ha_spider::set_searched_bitmap (this=0x14a02c096980)at /test/11.2_opt/storage/spider/ha_spider.cc:9300
      #3  0x000014a058153e18 in ha_spider::set_select_column_mode (this=0x14a02c096980) at /test/11.2_opt/storage/spider/ha_spider.cc:9426
      #4  ha_spider::set_select_column_mode (this=0x14a02c096980)at /test/11.2_opt/storage/spider/ha_spider.cc:9405
      #5  0x000014a058166a9c in ha_spider::rnd_init (this=0x14a02c096980, scan=<optimized out>) at /test/11.2_opt/storage/spider/ha_spider.cc:5438
      #6  0x0000557eb2b4461d in handler::ha_rnd_init (scan=true, this=0x14a02c096980)at /test/11.2_opt/sql/handler.h:3493
      #7  handler::ha_rnd_init_with_error (this=0x14a02c096980, scan=scan@entry=true)at /test/11.2_opt/sql/handler.cc:3893
      #8  0x0000557eb27e43c9 in init_read_record (info=info@entry=0x14a064120330, thd=thd@entry=0x14a02c000c68, table=table@entry=0x14a02c0b7bb8, select=select@entry=0x0, filesort=filesort@entry=0x0, use_record_cache=use_record_cache@entry=0, print_error=true, disable_rr_cache=false) at /test/11.2_opt/sql/records.cc:327
      #9  0x0000557eb29a352a in Sql_cmd_update::update_single_table (this=0x14a02c011520, thd=0x14a02c000c68)at /test/11.2_opt/sql/sql_update.cc:859
      #10 0x0000557eb29a510d in Sql_cmd_update::execute_inner (this=0x14a02c011520, thd=0x14a02c000c68) at /test/11.2_opt/sql/sql_update.cc:3076
      #11 0x0000557eb28f3f61 in Sql_cmd_dml::execute (this=0x14a02c011520, thd=0x14a02c000c68) at /test/11.2_opt/sql/sql_select.cc:33791
      #12 0x0000557eb28bc6c2 in mysql_execute_command (thd=thd@entry=0x14a02c000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.2_opt/sql/sql_parse.cc:4433
      #13 0x0000557eb28bd6f6 in mysql_parse (thd=0x14a02c000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.2_opt/sql/sql_parse.cc:7920
      #14 0x0000557eb28bf905 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14a02c000c68, packet=packet@entry=0x14a02c008839 "UPDATE v SET c1=1", packet_length=packet_length@entry=17, blocking=blocking@entry=true)at /test/11.2_opt/sql/sql_parse.cc:1993
      #15 0x0000557eb28c1dd3 in do_command (thd=0x14a02c000c68, blocking=blocking@entry=true) at /test/11.2_opt/sql/sql_parse.cc:1407
      #16 0x0000557eb29eec7f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x557eb6af1ba8, put_in_cache=put_in_cache@entry=true)at /test/11.2_opt/sql/sql_connect.cc:1439
      #17 0x0000557eb29eefcd in handle_one_connection (arg=arg@entry=0x557eb6af1ba8)at /test/11.2_opt/sql/sql_connect.cc:1341
      #18 0x0000557eb2d9b081 in pfs_spawn_thread (arg=0x557eb6b36868)at /test/11.2_opt/storage/perfschema/pfs.cc:2201
      #19 0x000014a06f297ada in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:444
      #20 0x000014a06f32847c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      11.2.5 03807c8449cdccbf5b8afc0dddabb1d8ec7ba85a (Debug, UBASAN)

      /test/11.2_dbg_san/storage/spider/ha_spider.cc:9090:14: runtime error: member access within null pointer of type 'struct Field'
          #0 0x14c86c6235fc in ha_spider::field_exchange(Field*) /test/11.2_dbg_san/storage/spider/ha_spider.cc:9090
          #1 0x14c86c6263fc in ha_spider::set_searched_bitmap() /test/11.2_dbg_san/storage/spider/ha_spider.cc:9330
          #2 0x14c86c62e11d in ha_spider::set_select_column_mode() /test/11.2_dbg_san/storage/spider/ha_spider.cc:9426
          #3 0x14c86c6eaf64 in ha_spider::rnd_init(bool) /test/11.2_dbg_san/storage/spider/ha_spider.cc:5438
          #4 0x55c1ca4141f4 in handler::ha_rnd_init(bool) /test/11.2_dbg_san/sql/handler.h:3493
          #5 0x55c1ca4141f4 in handler::ha_rnd_init_with_error(bool) /test/11.2_dbg_san/sql/handler.cc:3893
          #6 0x55c1c8497295 in init_read_record(READ_RECORD*, THD*, TABLE*, SQL_SELECT*, SORT_INFO*, int, bool, bool) /test/11.2_dbg_san/sql/records.cc:327
          #7 0x55c1c9386d74 in Sql_cmd_update::update_single_table(THD*) /test/11.2_dbg_san/sql/sql_update.cc:859
          #8 0x55c1c9390e8e in Sql_cmd_update::execute_inner(THD*) /test/11.2_dbg_san/sql/sql_update.cc:3076
          #9 0x55c1c8d61b79 in Sql_cmd_dml::execute(THD*) /test/11.2_dbg_san/sql/sql_select.cc:33791
          #10 0x55c1c8b7d182 in mysql_execute_command(THD*, bool) /test/11.2_dbg_san/sql/sql_parse.cc:4433
          #11 0x55c1c8ba052c in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.2_dbg_san/sql/sql_parse.cc:7920
          #12 0x55c1c8bb0374 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.2_dbg_san/sql/sql_parse.cc:1894
          #13 0x55c1c8bbeb3d in do_command(THD*, bool) /test/11.2_dbg_san/sql/sql_parse.cc:1407
          #14 0x55c1c95d7fb3 in do_handle_one_connection(CONNECT*, bool) /test/11.2_dbg_san/sql/sql_connect.cc:1439
          #15 0x55c1c95d94ce in handle_one_connection /test/11.2_dbg_san/sql/sql_connect.cc:1341
          #16 0x14c890a97ad9 in start_thread nptl/pthread_create.c:444
          #17 0x14c890b2847b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      240723 16:02:39 [ERROR] mysqld got signal 11 ;
      


          People

            ycp Yuchen Pei
            Roel Roel Van de Paar