Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Critical
-
Resolution: Unresolved
-
10.5, 10.6, 10.11, 11.4, 11.8, 12.0
Description
The latest release version of MariaDB crashes when running the following fuzzer generated query:
This bug could relates to a race condition, as the following query might not reliably trigger the crash. To reproduce the bug, we repeatedly feed the following query sequence to the MariaDB server using a loop, and the crash would occur after less than one hundred iterations.
DROP DATABASE IF EXISTS test123; |
CREATE DATABASE IF NOT EXISTS test123; |
USE test123; |
CREATE TABLE v00 (c01 INT, c02 TEXT); |
CREATE INDEX i03 ON v00 (c01); |
INSERT INTO v00 (c01, c02) VALUES (0, 'abc'); |
CREATE TABLE IF NOT EXISTS v00 MIN_ROWS 1234567890 CONNECTION := 'string' IGNORE SELECT * FROM v00 AS ta35554701 NATURAL STRAIGHT_JOIN v00 AS ta35554702 RIGHT OUTER JOIN v00 AS ta35554703 NATURAL LEFT OUTER JOIN v00 AS ta35554704 ON FALSE <=> TRUE NOT IN ( SELECT 'string' ) AND FALSE <=> FALSE IN ( SELECT 'string' ) || TRUE ORDER BY TRUE ASC, FALSE <=> FALSE IN ( SELECT 'string' ) FOR UPDATE; |
CREATE TABLE IF NOT EXISTS v00 STORAGE DISK IGNORE SELECT * FROM v00 AS ta29673400 CROSS JOIN v00 AS ta29673401 NATURAL LEFT OUTER JOIN v00 AS ta29673402 NATURAL RIGHT JOIN ( v00 AS ta29673403 LEFT JOIN v00 AS ta29673404 ON FALSE ) ORDER BY TRUE ASC, FALSE <=> FALSE IN ( SELECT 'string' ) FOR UPDATE; |
ALTER SEQUENCE IF EXISTS sequence_name_0 RESTART WITH + 1234567890 START := 1234567890; |
ALTER DATABASE COMMENT 'string' COMMENT := 'string'; |
ALTER DATABASE COMMENT = 'string' COMMENT := 'string'; |
CREATE INDEX IF NOT EXISTS i27225501 USING BTREE ON v00 ( c01 ) WAIT 1234567890 USING BTREE USING BTREE LOCK DEFAULT; |
SELECT * FROM v00 AS ta3979400 NATURAL JOIN v00 AS ta3979401 LEFT JOIN v00 AS ta3979402 USING ( c02 ) WHERE FALSE <=> FALSE IN ( SELECT 'string' ) GROUP BY TRUE DESC HAVING + INTERVAL TRUE <=> TRUE IN ( SELECT 'string' ) HOUR_MICROSECOND + TRUE <=> TRUE IN ( SELECT 'string' ) <=> TRUE IN ( SELECT 'string' ); |
ALTER SEQUENCE IF EXISTS sequence_name_0 NOMAXVALUE; |
SELECT FALSE <=> FALSE IN ( SELECT 'string' ), FALSE <=> TRUE IN ( SELECT 'string' ) FROM v00 AS ta18770000 NATURAL LEFT JOIN v00 AS ta18770001 LEFT JOIN ( v00 AS ta18770002 ) USING ( c01, c02, c01 ) GROUP BY FALSE IS NOT TRUE; |
CREATE INDEX i29675701 USING BTREE ON v00 ( c02 ( 1234567890 ) ASC ) WAIT + 1234567890 USING HASH LOCK DEFAULT; |
SELECT * FROM v00, ( v00 AS ta24670301 LEFT OUTER JOIN v00 AS ta24670302 ON TRUE <=> FALSE IN ( SELECT - INTERVAL TRUE XOR FALSE <=> FALSE IN ( SELECT 'string' ) HOUR_SECOND + TRUE <=> TRUE IN ( SELECT 'string' ) <=> TRUE NOT IN ( SELECT 'string' ) OR TRUE IS NOT FALSE <=> TRUE IN ( SELECT 'string' ) ) ) GROUP BY TRUE ASC WITH ROLLUP; |
SELECT * FROM ( v00 AS ta24671100 NATURAL LEFT OUTER JOIN v00 AS ta24671101 ) INNER JOIN ( v00 AS ta24671102 NATURAL JOIN ( ( ( SELECT 'string' ) = ta24671104 ) NATURAL STRAIGHT_JOIN v00 AS ta24671103 ) ) GROUP BY TIME ( TRUE <=> FALSE IN ( SELECT 'string' ) ) + INTERVAL REPEAT ( FALSE <=> TRUE IN ( SELECT 'string' ), FALSE ) % TRUE * INTERVAL TRUE DAY_MICROSECOND + FALSE <=> FALSE IN ( SELECT 'string' ) <=> TRUE NOT IN ( SELECT 'string' ) DAY_SECOND <=> TRUE NOT IN ( SELECT 'string' ); |
BACKUP UNLOCK;
|
SELECT TRUE <=> COLUMN_ADD ( TRUE, FALSE, FALSE AS DECIMAL, FALSE, TRUE <=> FALSE IN ( SELECT 'string' ) ) & INTERVAL FALSE QUARTER + FALSE <=> TRUE IN ( SELECT 'string' ) IN ( SELECT TRUE <=> TRUE IN ( SELECT 'string' ) XOR TRUE && TRUE ) FROM v00, ( v00 AS ta27229601 LEFT OUTER JOIN v00 AS ta27229602 CROSS JOIN v00 AS ta27229603 USING ( c01 ) ON TRUE <=> FALSE IN ( SELECT 'string' ) ) GROUP BY CASE WHEN FALSE <=> TRUE IN ( SELECT 'string' ) || FALSE OR TRUE <=> FALSE IN ( SELECT 'string' ) THEN TRUE END MOD CASE WHEN FALSE THEN FALSE END IS NOT TRUE; |
SELECT *, TRUE <=> TRUE IN ( SELECT 'string' ) FROM v00 AS ta29677600 NATURAL LEFT JOIN ( v00 AS ta29677601 NATURAL RIGHT OUTER JOIN v00 AS ta29677602 ) LEFT JOIN v00 AS ta29677603 USING ( c02 ) WHERE FALSE <=> TRUE IN ( SELECT 'string' ) GROUP BY FALSE IN ( SELECT NOT TRUE OR TRUE <=> CASE FALSE WHEN FALSE THEN TRUE END + TIME ( - INTERVAL TRUE <=> FALSE IN ( SELECT 'string' ) MINUTE_SECOND + TRUE <=> FALSE IN ( SELECT FALSE <=> TRUE IN ( SELECT 'string' ) FROM v00 ) <=> FALSE IN ( SELECT 'string' ) ) ^ FALSE ^ CASE WHEN TRUE THEN TRUE END IN ( SELECT 'string' ) OR TRUE ) ORDER BY TRUE LIMIT ROWS EXAMINED 1234567890 LOCK IN SHARE MODE NOWAIT; |
SELECT * FROM v00 AS ta27230900 NATURAL LEFT OUTER JOIN ( SELECT 'string' ) AS ta27230902 LEFT JOIN v00 AS ta27230901 USING ( c01 ) GROUP BY TRUE IS UNKNOWN; |
SELECT * FROM ( SELECT NOT TRUE <=> TRUE IN ( SELECT 'string' ) ) ta29679500 GROUP BY NOT TRUE <=> TRUE IN ( SELECT ( SELECT 'string' ) * FALSE / TRUE % TRUE DIV LAST_VALUE ( FALSE <=> FALSE IN ( SELECT 'string' ) ) OVER ( PARTITION BY FALSE ROWS CURRENT ROW ) IS NOT NULL ); |
( SELECT * FROM v00 AS ta29680100 JOIN v00 AS ta29680101 CROSS JOIN ( v00 AS ta29680102 INNER JOIN v00 AS ta29680103 USING ( c01 ) ) RIGHT JOIN ( ( v00 AS ta29680104 INNER JOIN v00 AS ta29680105 USING ( c01 ), v00 AS ta29680106 ) ) LEFT OUTER JOIN v00 AS ta29680107 ON TRUE ON FALSE <=> FALSE IN ( SELECT NOT TRUE <=> FALSE NOT IN ( SELECT FALSE <=> TRUE IN ( SELECT 'string' ) FROM v00 AS ta29680111 ) ) LEFT JOIN v00 AS ta29680108 ON 'string' LEFT OUTER JOIN v00 AS ta29680109 RIGHT OUTER JOIN ( v00 AS ta29680110 ) ON FALSE ON NOT TRUE <=> FALSE IN ( SELECT 'string' ) ON FALSE <=> TRUE IN ( SELECT 'string' ) ON TRUE ) ORDER BY TRUE ASC LIMIT ROWS EXAMINED 1234567890 LOCK IN SHARE MODE SKIP LOCKED; |
SELECT *, FALSE <=> TRUE IN ( SELECT 'string' ), TRUE FROM v00 AS ta29680300 CROSS JOIN v00 AS ta29680301; |
SELECT * FROM ( v00 AS ta29680700 LEFT JOIN v00 AS ta29680701 ON FALSE <=> TRUE IN ( SELECT 'string' ) OR TRUE AND TRUE <=> FALSE NOT IN ( SELECT 'string' ) ) GROUP BY TRUE ORDER BY FALSE OR FALSE <=> FALSE IN ( SELECT 'string' ) || FALSE AND TRUE <=> FALSE IN ( SELECT 'string' ) ASC FETCH NEXT ROWS WITH TIES FOR UPDATE WAIT + 1234567890; |
SELECT SQL_NO_CACHE TRUE <=> TRUE IN ( SELECT 'string' ), TRUE <=> FALSE IN ( SELECT 'string' ), FALSE FROM v00 HAVING TRUE <=> FALSE - TRUE + INTERVAL FALSE > WEIGHT_STRING ( TRUE <=> TRUE IN ( SELECT 'string' ) AS BINARY ( 1234567890 ) ) DAY_HOUR IN ( SELECT 'string' ) WINDOW no_window_name AS ( PARTITION BY FALSE, FALSE <=> FALSE IN ( SELECT 'string' ) ASC, FALSE <=> FALSE IN ( SELECT 'string' ) DESC ); |
SELECT * FROM v00 AS ta35559400 NATURAL LEFT JOIN v00 AS ta35559401 LEFT JOIN v00 AS ta35559402 USING ( c01 ) GROUP BY TRUE ASC, FALSE <=> TIMESTAMP ( - CASE WHEN FALSE THEN FALSE END - FALSE % CASE WHEN TRUE THEN FALSE ELSE FALSE END <=> FALSE IN ( SELECT 'string' ) ) IN ( SELECT - INTERVAL TRUE <=> TRUE IN ( SELECT 'string' ) HOUR_SECOND + FALSE + INTERVAL FALSE XOR TRUE <=> CASE WHEN TRUE THEN FALSE END & FALSE & FALSE IN ( SELECT 'string' ) HOUR_MINUTE <=> TRUE IN ( SELECT 'string' ) != FALSE ); |
SELECT * FROM ( SELECT FALSE <=> FALSE IN ( SELECT 'string' ) AND FALSE <=> TRUE IN ( SELECT 'string' ) ) ta35559600 GROUP BY NOT TRUE <=> TRUE IN ( SELECT ( SELECT TRUE <=> FALSE IN ( SELECT 'string' ) OR TRUE <=> FALSE IN ( SELECT 'string' ) ) * TRUE / - ~ CASE WHEN FALSE THEN FALSE ELSE TRUE END % TRUE DIV CONVERT ( FALSE <=> TRUE IN ( SELECT 'string' ), UNSIGNED INT ) IS NOT NULL ); |
SELECT TRUE <=> FALSE IN ( SELECT 'string' ) FROM ( v00 AS ta35560200 RIGHT JOIN v00 AS ta35560201 USING ( c02 ) ) GROUP BY TRUE ORDER BY TRUE <=> FALSE IN ( SELECT 'string' ) OR FALSE <=> TRUE IN ( SELECT 'string' ) DESC OFFSET 1234567890 ROW FOR UPDATE NOWAIT; |
SELECT TRUE <=> COLUMN_ADD ( TRUE, FALSE, FALSE, TRUE <=> TRUE NOT IN ( SELECT 'string' ), FALSE <=> TRUE IN ( SELECT 'string' ) XOR TRUE AS DECIMAL ( 1234567890, 1234567890 ) ) & INTERVAL FALSE QUARTER + FALSE <=> TRUE IN ( SELECT 'string' ) IN ( SELECT TRUE <=> TRUE IN ( SELECT 'string' ) XOR TRUE && TRUE ) FROM v00, ( v00 AS ta35560401 LEFT OUTER JOIN v00 AS ta35560402 CROSS JOIN v00 AS ta35560403 USING ( c02 ) ON TRUE <=> FALSE IN ( SELECT 'string' ) ) GROUP BY CASE WHEN TRUE THEN TRUE END MOD CASE WHEN FALSE THEN FALSE END IS NOT TRUE; |
SELECT * FROM ( v00 ) WHERE TRUE <=> FALSE IN ( SELECT 'string' ) WINDOW no_window_name AS ( ORDER BY FALSE, FALSE <=> TRUE IN ( SELECT 'string' ) DESC ROWS UNBOUNDED PRECEDING ); |
SELECT TRUE <=> FALSE IN ( SELECT 'string' ) FROM ( v00 AS ta35561400 NATURAL LEFT OUTER JOIN v00 AS ta35561401 LEFT OUTER JOIN v00 AS ta35561402 ON FALSE <=> TRUE IN ( SELECT 'string' ) RIGHT JOIN ( v00 AS ta35561403 LEFT OUTER JOIN v00 AS ta35561404 ON TRUE ) ON FALSE <=> FALSE IN ( SELECT TRUE <=> TRUE IN ( SELECT 'string' ) ) ) GROUP BY 'string' ORDER BY FALSE <=> FALSE IN ( SELECT - INTERVAL TRUE <=> FALSE IN ( SELECT 'string' ) HOUR_SECOND + TRUE <=> FALSE IN ( SELECT 'string' ) XOR FALSE <=> FALSE IN ( SELECT 'string' ) IS UNKNOWN ) DESC OFFSET 1234567890 ROWS FETCH NEXT 1234567890 ROWS ONLY FOR UPDATE NOWAIT; |
( SELECT FALSE <=> FALSE IN ( SELECT 'string' ) FROM v00 ); |
CREATE TABLE v00 (c01 INT, c02 TEXT); |
CREATE INDEX i03 ON v00 (c01); |
INSERT INTO v00 (c01, c02) VALUES (0, 'abc'); |
CREATE TABLE IF NOT EXISTS v00 MIN_ROWS 1234567890 CONNECTION := 'string' IGNORE SELECT * FROM v00 AS ta35554701 NATURAL STRAIGHT_JOIN v00 AS ta35554702 RIGHT OUTER JOIN v00 AS ta35554703 NATURAL LEFT OUTER JOIN v00 AS ta35554704 ON FALSE <=> TRUE NOT IN ( ( SELECT * FROM v00 ) LIMIT IDENT . IDENT_QUOTED OFFSET 1234567890 ROWS EXAMINED 1234567890 ) AND FALSE <=> FALSE IN ( SELECT 'string' ) || TRUE ORDER BY TRUE ASC, FALSE <=> FALSE IN ( SELECT 'string' ) FOR UPDATE; |
CREATE TABLE IF NOT EXISTS v00 MIN_ROWS 1234567890 CONNECTION := 'string' IGNORE SELECT * FROM v00 AS ta35554701 NATURAL STRAIGHT_JOIN v00 AS ta35554702 RIGHT OUTER JOIN v00 AS ta35554703 NATURAL LEFT OUTER JOIN v00 AS ta35554704 ON FALSE <=> TRUE NOT IN ( SELECT 'string' ) AND FALSE <=> FALSE IN ( SELECT 'string' ) || TRUE ORDER BY TRUE ASC, FALSE <=> FALSE IN ( SELECT 'string' ) FOR UPDATE; |
CREATE TABLE IF NOT EXISTS v00 STORAGE DISK IGNORE SELECT * FROM v00 AS ta29673400 CROSS JOIN v00 AS ta29673401 NATURAL LEFT OUTER JOIN v00 AS ta29673402 NATURAL RIGHT JOIN ( v00 AS ta29673403 LEFT JOIN v00 AS ta29673404 ON FALSE ) ORDER BY TRUE <=> TRUE IN ( SELECT 'string' ) ASC, FALSE <=> FALSE IN ( SELECT 'string' ) FOR UPDATE; |
ALTER SEQUENCE IF EXISTS sequence_name_0 RESTART NOMINVALUE; |
INSERT LOW_PRIORITY IGNORE v00 SET c02 = FALSE <=> TRUE IN ( SELECT 'string' ) ON DUPLICATE KEY UPDATE c02 = DEFAULT RETURNING VALUE ( c02 ) + FALSE ^ + INTERVAL FALSE - INTERVAL TRUE YEAR_MONTH / CASE TRUE WHEN FALSE <=> FALSE IN ( SELECT 'string' ) XOR TRUE <=> TRUE IN ( SELECT 'string' ) XOR FALSE THEN FALSE END <=> FALSE IN ( SELECT 'string' ) YEAR_MONTH + NOT TRUE && TRUE <=> FALSE NOT IN ( SELECT 'string' ) <=> FALSE IN ( SELECT 'string' ); |
Crash stack:
#0 0x0000000002fc68c8 in my_strtod_int (s00=0x4ce944000 <error: Cannot access memory at address 0x4ce944000>, se=0xffff785fac40, error=0xffff785fac48,
|
buf=<optimized out>, buf_size=3680) at /home/mariadb/mariadb-server/strings/dtoa.c:1378
|
#1 my_strtod (str=<optimized out>, end=0xffff785fac40, error=<optimized out>) at /home/mariadb/mariadb-server/strings/dtoa.c:469
|
#2 0x00000000017b0168 in charset_info_st::strntod (this=0xffffa6016088, str=0x4ce944000 <error: Cannot access memory at address 0x4ce944000>, length=255,
|
endptr=0xffff785fac40, error=0xffff785fac48) at /home/mariadb/mariadb-server/include/m_ctype.h:996
|
#3 Value_source::Converter_strntod::Converter_strntod (this=0xffff785fac40, cs=0xffffa6016088,
|
str=0x4ce944000 <error: Cannot access memory at address 0x4ce944000>, length=255) at /home/mariadb/mariadb-server/sql/field.h:217
|
#4 Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn (this=0xffff785fac40, thd=0xffff78862218, filter=..., cs=0xffffa6016088,
|
str=0x4ce944000 <error: Cannot access memory at address 0x4ce944000>, length=255) at /home/mariadb/mariadb-server/sql/field.h:288
|
#5 Field_blob::val_real (this=<optimized out>) at /home/mariadb/mariadb-server/sql/field.cc:8929
|
#6 0x00000000018892a4 in Item_field::val_real (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item.cc:3475
|
#7 0x00000000019fc41c in Item_func_plus::real_op (this=0xffffa02f6f38) at /home/mariadb/mariadb-server/sql/item_func.cc:1111
|
#8 0x000000000151e4d0 in Type_handler_real_result::Item_val_bool (this=<optimized out>, item=0xffff785f9a78)
|
at /home/mariadb/mariadb-server/sql/sql_type.cc:5231
|
#9 0x0000000001959e60 in Item_cond_and::val_bool (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:5671
|
#10 0x00000000009a20c8 in Item_bool_func::val_int (this=0xffff785f9a78) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:245
|
#11 0x0000000001561144 in Type_handler::Item_send_long (this=<optimized out>, item=0xffffa0233858, protocol=<optimized out>, buf=<optimized out>)
|
at /home/mariadb/mariadb-server/sql/sql_type.cc:7697
|
#12 Type_handler_long::Item_send (this=<optimized out>, item=0xffffa0233858, protocol=0xffff788627b0, buf=0xffff785f9aa0)
|
at /home/mariadb/mariadb-server/sql/sql_type.h:5986
|
#13 0x00000000009cb280 in Protocol::send_result_set_row (this=<optimized out>, row_items=<optimized out>)
|
at /home/mariadb/mariadb-server/sql/protocol.cc:1353
|
#14 0x0000000000ba768c in select_send::send_data (this=<optimized out>, items=...) at /home/mariadb/mariadb-server/sql/sql_class.cc:3294
|
#15 0x0000000000c34a3c in write_record (thd=0xffff78862218, table=0xffffa766cc98, info=0xffff785fb890, sink=0xffffa0233ab0)
|
at /home/mariadb/mariadb-server/sql/sql_insert.cc:2339
|
#16 0x0000000000c28874 in mysql_insert (thd=<optimized out>, table_list=0xffffa02f08a8, fields=..., values_list=..., update_fields=..., update_values=...,
|
duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_insert.cc:1152
|
#17 0x0000000000d3f5dc in mysql_execute_command (thd=0xffff78862218, is_called_from_prepared_stmt=<optimized out>)
|
at /home/mariadb/mariadb-server/sql/sql_parse.cc:4484
|
#18 0x0000000000d1cd24 in mysql_parse (thd=0xffff78862218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>)
|
at /home/mariadb/mariadb-server/sql/sql_parse.cc:7915
|
#19 0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>,
|
blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902
|
#20 0x0000000000d1dbf4 in do_command (thd=0xffff78862218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415
|
#21 0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415
|
#22 0x00000000012841b4 in handle_one_connection (arg=0xffff810c5638) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327
|
#23 0x0000000002200c38 in pfs_spawn_thread (arg=0xffff9fe09718) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198
|
#24 0x0000ffffabfef624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477
|
#25 0x0000ffffabd1166c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78
|
Attachments
Issue Links
- relates to
-
-
- Confirmed
-
Activity
Interestingly, with neither the original t/c nor the reduced one, an UBASAN build
CS 11.4.6 ef966af801afc2a07222b5df65dddd52c77431dd (Debug, UBASAN, Clang) Build 15/02/2025
|
Does not crash (nor gives any UB/ASAN error) whereas
CS 11.4.6 ef966af801afc2a07222b5df65dddd52c77431dd (Debug, Clang) Build 15/02/2025
|
Does. On UBASAN the query completes normally instead of crashing:
|
CS 11.4.6 ef966af801afc2a07222b5df65dddd52c77431dd (Debug, UBASAN, Clang) Build 15/02/2025 |
11.4.6-dbg>CREATE TABLE t (c1 INT,c2 TEXT);
|
Query OK, 0 rows affected (0.009 sec)
|
|
|
11.4.6-dbg>INSERT t SET c2=1 ON DUPLICATE KEY UPDATE c2=DEFAULT RETURNING VALUE (c2)+1;
|
+--------------+
|
| VALUE (c2)+1 |
|
+--------------+
|
| 1 |
|
+--------------+
|
1 row in set (0.003 sec)
|
Bug confirmed, thank you for reporting.
CREATE TABLE t (c1 INT,c2 TEXT); |
INSERT t SET c2=1 ON DUPLICATE KEY UPDATE c2=DEFAULT RETURNING VALUE (c2)+1; |
Leads to:
|
CS 11.4.6 ef966af801afc2a07222b5df65dddd52c77431dd (Debug) Build 15/02/2025 |
Core was generated by `/test/MD150225-mariadb-11.4.6-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 0x0000559550ade82b in my_strtod_int (s00=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, se=0x14fb85a9c748, error=0x14fb85a9c750, buf=0x14fb85a9b780 "X\200\001 \373\024", buf_size=3680)at /test/11.4_dbg/strings/dtoa.c:1378
|
|
|
[Current thread is 1 (LWP 253082)]
|
(gdb) bt
|
#0 0x0000559550ade82b in my_strtod_int (s00=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, se=0x14fb85a9c748, error=0x14fb85a9c750, buf=0x14fb85a9b780 "X\200\001 \373\024", buf_size=3680)at /test/11.4_dbg/strings/dtoa.c:1378
|
#1 0x0000559550ade6c2 in my_strtod (str=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, end=0x14fb85a9c748, error=0x14fb85a9c750)at /test/11.4_dbg/strings/dtoa.c:469
|
#2 0x0000559550a9af22 in my_strntod_8bit (cs=0x559551731530 <my_charset_latin1>, str=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, length=42405, end=0x14fb85a9c748, err=0x14fb85a9c750)at /test/11.4_dbg/strings/ctype-simple.c:825
|
#3 0x000055954fc1fb60 in charset_info_st::strntod (this=0x559551731530 <my_charset_latin1>, str=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, length=42405, endptr=0x14fb85a9c748, error=0x14fb85a9c750)at /test/11.4_dbg/include/m_ctype.h:931
|
#4 0x000055954fc1fad8 in Value_source::Converter_strntod::Converter_strntod (this=0x14fb85a9c748, cs=0x559551731530 <my_charset_latin1>, str=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, length=42405) at /test/11.4_dbg/sql/field.h:219
|
#5 0x000055954fc1fa0c in Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn (this=0x14fb85a9c748, thd=0x14fb20000d58, filter={m_want_warning_edom = true, m_want_note_truncated_spaces = true}, cs=0x559551731530 <my_charset_latin1>, str=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, length=42405) at /test/11.4_dbg/sql/field.h:290
|
#6 0x00005595501344a1 in Field_blob::val_real (this=0x14fb2001ad60)at /test/11.4_dbg/sql/field.cc:8853
|
#7 0x0000559550184eef in Item_field::val_real (this=0x14fb2001a800)at /test/11.4_dbg/sql/item.cc:3433
|
#8 0x00005595501f8374 in Item_func_plus::real_op (this=0x14fb2001a9b0)at /test/11.4_dbg/sql/item_func.cc:1124
|
#9 0x0000559550031ce9 in Item_func_hybrid_field_type::val_real_from_real_op (this=0x14fb2001a9b0) at /test/11.4_dbg/sql/item_func.h:930
|
#10 0x000055955001b289 in Type_handler_real_result::Item_func_hybrid_field_type_val_real (this=0x5595518c54c8 <type_handler_double>, item=0x14fb2001a9b0)at /test/11.4_dbg/sql/sql_type.cc:5642
|
#11 0x000055954fd37e0a in Item_func_hybrid_field_type::val_real (this=0x14fb2001a9b0) at /test/11.4_dbg/sql/item_func.h:976
|
#12 0x0000559550021575 in Type_handler::Item_send_double (this=0x5595518c54c8 <type_handler_double>, item=0x14fb2001a9b0, protocol=0x14fb20001370, buf=0x14fb85a9c990)at /test/11.4_dbg/sql/sql_type.cc:7742
|
#13 0x000055955003685d in Type_handler_double::Item_send (this=0x5595518c54c8 <type_handler_double>, item=0x14fb2001a9b0, protocol=0x14fb20001370, buf=0x14fb85a9c990)at /test/11.4_dbg/sql/sql_type.h:6238
|
#14 0x000055954fbbefad in Item::send (this=0x14fb2001a9b0, protocol=0x14fb20001370, buffer=0x14fb85a9c990)at /test/11.4_dbg/sql/item.h:1261
|
#15 0x000055954fc0a282 in Protocol::send_result_set_row (this=0x14fb20001370, row_items=0x14fb20005af0) at /test/11.4_dbg/sql/protocol.cc:1333
|
#16 0x000055954fcc4a8e in select_send::send_data (this=0x14fb2001aaa0, items=@0x14fb20005af0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14fb2001aa68, last = 0x14fb2001aa68, elements = 1}, <No data fields>})at /test/11.4_dbg/sql/sql_class.cc:3264
|
#17 0x000055954fcfa41d in write_record (thd=0x14fb20000d58, table=0x14fb200268b8, info=0x14fb85a9d138, sink=0x14fb2001aaa0)at /test/11.4_dbg/sql/sql_insert.cc:2315
|
#18 0x000055954fcf68e8 in mysql_insert (thd=0x14fb20000d58, table_list=0x14fb20019c08, fields=@0x14fb20005f40: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14fb2001a4f0, last = 0x14fb2001a4f0, elements = 1}, <No data fields>}, values_list=@0x14fb20005f88: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14fb2001a330, last = 0x14fb2001a330, elements = 1}, <No data fields>}, update_fields=@0x14fb20005f70: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14fb2001a6a8, last = 0x14fb2001a6a8, elements = 1}, <No data fields>}, update_values=@0x14fb20005f58: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14fb2001a6b8, last = 0x14fb2001a6b8, elements = 1}, <No data fields>}, duplic=DUP_UPDATE, ignore=false, result=0x14fb2001aaa0)at /test/11.4_dbg/sql/sql_insert.cc:1140
|
#19 0x000055954fd53aa2 in mysql_execute_command (thd=0x14fb20000d58, is_called_from_prepared_stmt=false) at /test/11.4_dbg/sql/sql_parse.cc:4480
|
#20 0x000055954fd497a4 in mysql_parse (thd=0x14fb20000d58, rawbuf=0x14fb20019ac0 "INSERT t SET c2=1 ON DUPLICATE KEY UPDATE c2=DEFAULT RETURNING VALUE (c2)+1", length=75, parser_state=0x14fb85a9ea30)at /test/11.4_dbg/sql/sql_parse.cc:7907
|
#21 0x000055954fd46c54 in dispatch_command (command=COM_QUERY, thd=0x14fb20000d58, packet=0x14fb2000afd9 "", packet_length=75, blocking=true) at /test/11.4_dbg/sql/sql_parse.cc:1904
|
#22 0x000055954fd4a353 in do_command (thd=0x14fb20000d58, blocking=true)at /test/11.4_dbg/sql/sql_parse.cc:1417
|
#23 0x000055954ff2c5a9 in do_handle_one_connection (connect=0x559554549c58, put_in_cache=true) at /test/11.4_dbg/sql/sql_connect.cc:1408
|
#24 0x000055954ff2c342 in handle_one_connection (arg=0x55955461a0c8)at /test/11.4_dbg/sql/sql_connect.cc:1320
|
#25 0x000014fb8c29ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
|
#26 0x000014fb8c329c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
Bug Detection Matrix |
Rel o/d Build Commit UniqueID observed
|
CS 10.5 dbg 150225 c43d0a015f974c5a0142e6779332089a7a979853 SIGSEGV|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
|
CS 10.5 opt 150225 c43d0a015f974c5a0142e6779332089a7a979853 No bug found
|
CS 10.6 dbg 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 SIGSEGV|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
|
CS 10.6 opt 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 No bug found
|
CS 10.11 dbg 150225 43c5d1303f5c7c726db276815c459436110f342f SIGSEGV|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
|
CS 10.11 opt 150225 43c5d1303f5c7c726db276815c459436110f342f No bug found
|
CS 11.4 dbg 150225 ef966af801afc2a07222b5df65dddd52c77431dd SIGSEGV|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
|
CS 11.4 opt 150225 ef966af801afc2a07222b5df65dddd52c77431dd No bug found
|
CS 11.8 dbg 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d SIGSEGV|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
|
CS 11.8 opt 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d No bug found
|
CS 12.0 dbg 150225 c92add291e636c797e6d6ddca605905541b2a441 SIGSEGV|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
|
CS 12.0 opt 150225 c92add291e636c797e6d6ddca605905541b2a441 No bug found
|
ES 10.5 dbg 130325 52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06 SIGSEGV|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
|
ES 10.5 opt 130325 52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06 No bug found
|
ES 10.6 dbg 130325 66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d SIGSEGV|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
|
ES 10.6 opt 130325 66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d No bug found
|
ES 11.4 dbg 130325 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 SIGSEGV|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
|
ES 11.4 opt 130325 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 No bug found
|
MS 5.5 dbg 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
|
MS 5.5 opt 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
|
MS 5.6 dbg 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
|
MS 5.6 opt 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
|
MS 5.7 dbg 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
|
MS 5.7 opt 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
|
MS 8.0 dbg 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
|
MS 8.0 opt 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
|
MS 9.1 dbg 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found
|
MS 9.1 opt 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found
|
Please note the "error: Cannot access memory at address" errors in the stack.
Seems to be the same problem with MDEV-36354.
INSERT ..ON DUPLICATE KEY UPDATE + value(text column), in different combinations
CREATE TABLE t (c1 INT,c2 TEXT); |
INSERT t SET c2=VALUE (c2) ON DUPLICATE KEY UPDATE c1=1; |
250324 18:15:17 [ERROR] /10.5/bld/sql/mariadbd got signal 11 ;
|
|
|
Server version: 10.5.29-MariaDB-debug-log source revision: f1deebbb0bcff9bd83c057c3164eefb345619a6f
|
|
|
sql/signal_handler.cc:229(handle_fatal_signal)[0x5620639d8ac6]
|
sigaction.c:0(__restore_rt)[0x7f2c01d7b420]
|
/lib/x86_64-linux-gnu/libc.so.6(+0x18b963)[0x7f2c01916963]
|
myisam/mi_dynrec.c:999(_mi_rec_pack)[0x5620643832ac]
|
myisam/mi_dynrec.c:290(_mi_write_blob_record)[0x5620643806c1]
|
myisam/mi_write.c:146(mi_write)[0x5620643a533d]
|
myisam/ha_myisam.cc:997(ha_myisam::write_row(unsigned char const*))[0x56206435ef1d]
|
sql/handler.cc:7363(handler::ha_write_row(unsigned char const*))[0x5620639f2d13]
|
sql/sql_insert.cc:1839(write_record(THD*, TABLE*, st_copy_info*, select_result*))[0x5620635cd686]
|
sql/sql_insert.cc:1110(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x5620635ca03c]
|
sql/sql_parse.cc:4664(mysql_execute_command(THD*))[0x562063621d8c]
|
sql/sql_parse.cc:8252(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x56206362e283]
|
sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x562063618eff]
|
sql/sql_parse.cc:1375(do_command(THD*))[0x56206361768e]
|
sql/sql_connect.cc:1386(do_handle_one_connection(CONNECT*, bool))[0x5620637e71db]
|
sql/sql_connect.cc:1300(handle_one_connection)[0x5620637e6f57]
|
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x562063d4fb0e]
|
nptl/pthread_create.c:478(start_thread)[0x7f2c01d6f609]
|
|
|
Query (0x7faa100154e0): INSERT t SET c2=VALUE (c2) ON DUPLICATE KEY UPDATE c1=1
|
the same, but with InnoDB:
250324 18:16:35 [ERROR] /10.5/bld/sql/mariadbd got signal 11 ;
|
|
|
sql/signal_handler.cc:229(handle_fatal_signal)[0x55d216850ac6]
|
sigaction.c:0(__restore_rt)[0x7f52af9e0420]
|
include/mtr0log.h:498(void mtr_t::memcpy<(mtr_t::write_type)1>(buf_block_t const&, void*, void const*, unsigned long))[0x55d216e461c1]
|
btr/btr0cur.cc:7550(btr_store_big_rec_extern_fields(btr_pcur_t*, unsigned short*, big_rec_t const*, mtr_t*, blob_op))[0x55d2170456be]
|
row/row0ins.cc:2582(row_ins_index_entry_big_rec(dtuple_t const*, big_rec_t const*, unsigned short*, mem_block_info_t**, dict_index_t*, void const*))[0x55d216eb941c]
|
row/row0ins.cc:2844(row_ins_clust_index_entry_low(unsigned long, unsigned long, dict_index_t*, unsigned long, dtuple_t*, unsigned long, que_thr_t*))[0x55d216eba97c]
|
row/row0ins.cc:3276(row_ins_clust_index_entry(dict_index_t*, dtuple_t*, que_thr_t*, unsigned long))[0x55d216ebc1e1]
|
row/row0ins.cc:3402(row_ins_index_entry(dict_index_t*, dtuple_t*, que_thr_t*))[0x55d216ebc788]
|
row/row0ins.cc:3568(row_ins_index_entry_step(ins_node_t*, que_thr_t*))[0x55d216ebd119]
|
row/row0ins.cc:3705(row_ins(ins_node_t*, que_thr_t*))[0x55d216ebd641]
|
row/row0ins.cc:3848(row_ins_step(que_thr_t*))[0x55d216ebdf4b]
|
row/row0mysql.cc:1379(row_insert_for_mysql(unsigned char const*, row_prebuilt_t*, ins_mode_t))[0x55d216ee7397]
|
handler/ha_innodb.cc:7730(ha_innobase::write_row(unsigned char const*))[0x55d216ccb629]
|
sql/handler.cc:7363(handler::ha_write_row(unsigned char const*))[0x55d21686ad13]
|
sql/sql_insert.cc:1839(write_record(THD*, TABLE*, st_copy_info*, select_result*))[0x55d216445686]
|
sql/sql_insert.cc:1110(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x55d21644203c]
|
sql/sql_parse.cc:4664(mysql_execute_command(THD*))[0x55d216499d8c]
|
sql/sql_parse.cc:8252(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55d2164a6283]
|
sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55d216490eff]
|
sql/sql_parse.cc:1375(do_command(THD*))[0x55d21648f68e]
|
sql/sql_connect.cc:1386(do_handle_one_connection(CONNECT*, bool))[0x55d21665f1db]
|
sql/sql_connect.cc:1300(handle_one_connection)[0x55d21665ef57]
|
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55d216bc7b0e]
|
|
|
Query (0x7f52600154e0): INSERT t SET c2=VALUE (c2) ON DUPLICATE KEY UPDATE c1=1
|
|
with Aria:
250324 18:23:49 [ERROR] /10.5/bld/sql/mariadbd got signal 11 ;
|
|
|
Server version: 10.5.29-MariaDB-debug-log source revision: f1deebbb0bcff9bd83c057c3164eefb345619a6f
|
|
|
sql/signal_handler.cc:229(handle_fatal_signal)[0x5613b6882ac6]
|
sigaction.c:0(__restore_rt)[0x7f35fedff420]
|
/lib/x86_64-linux-gnu/libc.so.6(+0x18ba80)[0x7f35fe99aa80]
|
maria/ma_blockrec.c:2001(write_tail)[0x5613b6b6f348]
|
maria/ma_blockrec.c:2936(write_block_record)[0x5613b6b7204b]
|
maria/ma_blockrec.c:3571(allocate_and_write_block_record)[0x5613b6b73e5d]
|
maria/ma_blockrec.c:3611(_ma_write_init_block_record)[0x5613b6b73f80]
|
maria/ma_write.c:157(maria_write)[0x5613b6b88016]
|
maria/ha_maria.cc:1246(ha_maria::write_row(unsigned char const*))[0x5613b6afbda1]
|
sql/handler.cc:7363(handler::ha_write_row(unsigned char const*))[0x5613b689cd13]
|
sql/sql_insert.cc:1839(write_record(THD*, TABLE*, st_copy_info*, select_result*))[0x5613b6477686]
|
sql/sql_insert.cc:1110(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x5613b647403c]
|
sql/sql_parse.cc:4664(mysql_execute_command(THD*))[0x5613b64cbd8c]
|
sql/sql_parse.cc:8252(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5613b64d8283]
|
sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5613b64c2eff]
|
sql/sql_parse.cc:1375(do_command(THD*))[0x5613b64c168e]
|
sql/sql_connect.cc:1386(do_handle_one_connection(CONNECT*, bool))[0x5613b66911db]
|
sql/sql_connect.cc:1300(handle_one_connection)[0x5613b6690f57]
|
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x5613b6bf9b0e]
|
nptl/pthread_create.c:478(start_thread)[0x7f35fedf3609]
|
/lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7f35fe92e353]
|
|
|
Connection ID (thread ID): 4
|
Status: NOT_KILLED
|
Query (0x7f35b80154e0): INSERT t SET c2=VALUE (c2) ON DUPLICATE KEY UPDATE c1=1
|
CREATE TABLE t (c1 INT,c2 TEXT); |
INSERT t Values(1,1) ON DUPLICATE KEY UPDATE c1=1 returning value(c2); |
250324 18:31:56 [ERROR] /10.5/bld/sql/mariadbd got signal 11 ;
|
|
|
Server version: 10.5.29-MariaDB-debug-log source revision: f1deebbb0bcff9bd83c057c3164eefb345619a6f
|
|
|
sql/signal_handler.cc:229(handle_fatal_signal)[0x5604bce74ac6]
|
sigaction.c:0(__restore_rt)[0x7fb7d4e67420]
|
/lib/x86_64-linux-gnu/libc.so.6(+0x18b963)[0x7fb7d4a02963]
|
sql/protocol.cc:62(Protocol::net_store_data(unsigned char const*, unsigned long))[0x5604bc96b953]
|
sql/protocol.cc:1191(Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*))[0x5604bc96ee37]
|
sql/protocol.cc:1228(Protocol_text::store_str(char const*, unsigned long, charset_info_st const*, charset_info_st const*))[0x5604bc96f25c]
|
sql/protocol.h:151(Protocol::store(char const*, unsigned long, charset_info_st const*))[0x5604bc9729a8]
|
sql/field.cc:7306(Field_longstr::send(Protocol*))[0x5604bce4dc91]
|
sql/protocol.cc:1343(Protocol_text::store(Field*))[0x5604bc96fd98]
|
sql/item.cc:7577(Item_field::send(Protocol*, st_value*))[0x5604bceb3499]
|
sql/protocol.cc:1086(Protocol::send_result_set_row(List<Item>*))[0x5604bc96e9dc]
|
sql/sql_class.cc:3173(select_send::send_data(List<Item>&))[0x5604bca38aa1]
|
sql/sql_insert.cc:2243(write_record(THD*, TABLE*, st_copy_info*, select_result*))[0x5604bca6995e]
|
sql/sql_insert.cc:1110(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x5604bca6603c]
|
sql/sql_parse.cc:4664(mysql_execute_command(THD*))[0x5604bcabdd8c]
|
sql/sql_parse.cc:8252(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5604bcaca283]
|
sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5604bcab4eff]
|
sql/sql_parse.cc:1375(do_command(THD*))[0x5604bcab368e]
|
sql/sql_connect.cc:1386(do_handle_one_connection(CONNECT*, bool))[0x5604bcc831db]
|
sql/sql_connect.cc:1300(handle_one_connection)[0x5604bcc82f57]
|
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x5604bd1ebb0e]
|
nptl/pthread_create.c:478(start_thread)[0x7fb7d4e5b609]
|
|
Query (0x7fb7880154e0): INSERT t Values(1,1) ON DUPLICATE KEY UPDATE c1=1 returning value(c2)
|
|
Reduced testcase:
Crashes with at least InnoDB and MyISAM.