MariaDB Server / MDEV-36362

MariaDB crashes when parsing fuzzer generated PARTITION

Details

    • Type: Bug
    • Status: Confirmed
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 11.7.2, 10.5, 10.6, 10.11, 11.4, 11.8
    • Fix Version/s: 10.11, 11.4, 11.8
    • Component/s: Parser, Sequences
    • Environment: UBUNTU ARM64 VM

    Description

      The MariaDB server crashes when executing the following statement:

      DROP DATABASE IF EXISTS test123;
      CREATE DATABASE IF NOT EXISTS test123;
      USE test123;
      CREATE TABLE v00 (c01 INT, c02 TEXT);
      CREATE INDEX i03 ON v00 (c01);
      INSERT INTO v00 (c01, c02) VALUES (0, 'abc');
      CREATE TEMPORARY TABLE IF NOT EXISTS v00 UNION ( ) PARTITION BY SYSTEM_TIME INTERVAL TRUE <=> SETVAL ( c02, 1234567890 ) SECOND_MICROSECOND SUBPARTITION BY KEY ( c01, c01 ) SUBPARTITIONS 1234567890;
      

      It seems to be another issue related to parsing, according to the crash stack:

      #0 0x0000000001a463e4 in Item_func_nextval::update_table (this=0xffff8aef18f8) at /home/mariadb/mariadb-server/sql/item_func.h:4318
      #1 Item_func_setval::val_int (this=0xffff8aef18f8) at /home/mariadb/mariadb-server/sql/item_func.cc:7222
      #2 0x000000000191f750 in Arg_comparator::compare_e_int (this=0xffff8aef1a98) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1125
      #3 0x000000000192a8dc in Arg_comparator::compare (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:114
      #4 Item_func_equal::val_bool (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1909
      #5 0x00000000009a20c8 in Item_bool_func::val_int (this=0x100) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:245
      #6 0x00000000019f6b24 in Item_int_func::val_str (this=0xffff8aef19e0, str=0xffff64ffa2a0) at /home/mariadb/mariadb-server/sql/item_func.cc:768
      #7 0x0000000001861b6c in Item::val_str_ascii (this=0xffff8aef19e0, str=<optimized out>) at /home/mariadb/mariadb-server/sql/item.cc:166
      #8 0x0000000001c5370c in get_interval_value (thd=<optimized out>, args=<optimized out>, int_type=<optimized out>, interval=<optimized out>)
      at /home/mariadb/mariadb-server/sql/item_timefunc.cc:1399
      #9 0x0000000001233e8c in partition_info::vers_set_interval (this=<optimized out>, thd=<optimized out>, interval=0xffff64ffa2a0, int_type=<optimized out>,
      starts=<optimized out>, auto_hist=<optimized out>, table_name=<optimized out>) at /home/mariadb/mariadb-server/sql/partition_info.cc:2801
      #10 0x000000000168cee0 in MYSQLparse (thd=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_yacc.yy:5487
      #11 0x0000000000d575c0 in parse_sql (thd=0xffff65462218, parser_state=<optimized out>, creation_ctx=0x0, do_pfs_digest=true)
      at /home/mariadb/mariadb-server/sql/sql_parse.cc:10328
      #12 0x0000000000d1c8b8 in mysql_parse (thd=0xffff65462218,
      rawbuf=0xffff8aef0438 "CREATE TEMPORARY TABLE IF NOT EXISTS v00 UNION ( ) PARTITION BY SYSTEM_TIME INTERVAL TRUE <=> SETVAL ( c02, 1234567890 ) SECOND_MICROSECOND SUBPARTITION BY KEY ( c01, c01 ) SUBPARTITIONS 1234567890", length=<optimized out>, parser_state=<optimized out>)
      at /home/mariadb/mariadb-server/sql/sql_parse.cc:7867
      #13 0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>,
      blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902
      #14 0x0000000000d1dbf4 in do_command (thd=0xffff65462218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415
      #15 0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415
      #16 0x00000000012841b4 in handle_one_connection (arg=0xffff9100ff38) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327
      #17 0x0000000002200c38 in pfs_spawn_thread (arg=0xffff8aa09a98) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198
      #18 0x0000ffff96b42624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477
      #19 0x0000ffff9686466c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78

      Activity

            Yu Liang (luy70) added a comment - edited

            Very likely it is the same problem mentioned in MDEV-36354. It just occurs in a different statement.

            Alice Sherepa (alice) added a comment

            Thanks!
            I repeated as described on 10.5-11.8

            CREATE TABLE t PARTITION BY SYSTEM_TIME INTERVAL SETVAL (a,1) SECOND_MICROSECOND;
            

            Version: '11.8.1-MariaDB-debug-log'  
            250325 13:14:10 [ERROR] /11.8/bld/sql/mariadbd got signal 11 ;
             
            Server version: 11.8.1-MariaDB-debug-log source revision: cc831f16c82f00d3531e09c2f5c59eadc0abb0d7
             
            sql/signal_handler.cc:230(handle_fatal_signal)[0x56357294bce5]
            sigaction.c:0(__restore_rt)[0x7f540d4ec420]
            sql/item_func.h:4392(Item_func_nextval::update_table())[0x563572b15be4]
            sql/item_func.cc:7223(Item_func_setval::val_int())[0x563572b04daf]
            sql/item_func.cc:768(Item_int_func::val_str(String*))[0x563572ac15fc]
            sql/item.cc:166(Item::val_str_ascii(String*))[0x5635729ad261]
            sql/item_timefunc.cc:1399(get_interval_value(THD*, Item*, interval_type, INTERVAL*))[0x563572caa33a]
            sql/partition_info.cc:2802(partition_info::vers_set_interval(THD*, Item*, interval_type, Item*, bool, char const*))[0x56357241baae]
            sql/sql_yacc.yy:5564(MYSQLparse(THD*))[0x5635727c1bba]
            sql/sql_parse.cc:10327(parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool))[0x563571f9ef2d]
            sql/sql_parse.cc:7867(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x563571f8fbe0]
            sql/sql_parse.cc:1904(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x563571f664c4]
            sql/sql_parse.cc:1415(do_command(THD*, bool))[0x563571f6315b]
            sql/sql_connect.cc:1415(do_handle_one_connection(CONNECT*, bool))[0x56357247d6ea]
            sql/sql_connect.cc:1329(handle_one_connection)[0x56357247d23d]
            perfschema/pfs.cc:2200(pfs_spawn_thread)[0x5635731a92c4]
            nptl/pthread_create.c:478(start_thread)[0x7f540d4e0609]
             
            Query (0x62d0003e84a8): CREATE TABLE t PARTITION BY SYSTEM_TIME INTERVAL SETVAL (a,1) SECOND_MICROSECOND
            

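Both reproducers above share one shape: a sequence function evaluated inside the INTERVAL expression of a SYSTEM_TIME partition clause, which the parser evaluates at parse time before any table exists. Until a fixed build is deployed, a defender can at least spot that shape in the general query log or in statements passing through a SQL proxy. The following scanner is an added example written for this page; it is not MariaDB code and not from the reporters. The log lines are constructed for the demo (loosely in general-query-log style), SETVAL is the function the report confirms, and NEXTVAL is flagged on the assumption that it runs through the same Item_func_nextval::update_table path that appears in both traces.

```python
import re
from typing import List, Tuple

# Constructed sample lines in general-query-log style (not taken from a real server).
# Lines 2 and 3 carry the statement shape from MDEV-36362; the others are benign.
SAMPLE_LOG = """\
2025-03-25T13:14:09 1 Query CREATE TABLE t1 (a INT) PARTITION BY SYSTEM_TIME INTERVAL 1 DAY
2025-03-25T13:14:10 1 Query CREATE TABLE t PARTITION BY SYSTEM_TIME INTERVAL SETVAL (a,1) SECOND_MICROSECOND
2025-03-25T13:14:11 2 Query CREATE TEMPORARY TABLE IF NOT EXISTS v00 UNION ( ) PARTITION BY SYSTEM_TIME INTERVAL TRUE <=> SETVAL ( c02, 1234567890 ) SECOND_MICROSECOND SUBPARTITION BY KEY ( c01, c01 ) SUBPARTITIONS 1234567890
2025-03-25T13:14:12 3 Query SELECT SETVAL(s1, 100)
2025-03-25T13:14:13 3 Query SELECT NEXTVAL(s1)
"""

# Interval units that may follow "INTERVAL <expr>"; the [A-Z_]* prefix also
# accepts compound units such as SECOND_MICROSECOND.
_UNIT = r"[A-Z_]*(?:MICROSECOND|SECOND|MINUTE|HOUR|DAY|WEEK|MONTH|QUARTER|YEAR)"

# Capture the expression between "PARTITION BY SYSTEM_TIME INTERVAL" and its unit.
_INTERVAL_RE = re.compile(
    r"PARTITION\s+BY\s+SYSTEM_TIME\s+INTERVAL\s+(?P<expr>.+?)\s+(?P<unit>" + _UNIT + r")\b",
    re.IGNORECASE,
)

# SETVAL is confirmed by the report. NEXTVAL is an assumption: it is flagged
# because both traces crash in Item_func_nextval::update_table, the base class
# that Item_func_setval::val_int calls into.
_SEQ_FUNC_RE = re.compile(r"\b(SETVAL|NEXTVAL)\s*\(", re.IGNORECASE)


def find_risky_statements(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, function_name, interval_expression) for every line
    whose SYSTEM_TIME INTERVAL expression calls a sequence function.

    Sequence functions used elsewhere in a statement (plain SELECT SETVAL(...))
    are deliberately not reported: the problem is their evaluation inside the
    partition interval at parse time, not the functions themselves.
    """
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = _INTERVAL_RE.search(line)
        if not m:
            continue
        expr = m.group("expr")
        f = _SEQ_FUNC_RE.search(expr)
        if f:
            hits.append((lineno, f.group(1).upper(), expr.strip()))
    return hits


if __name__ == "__main__":
    for lineno, func, expr in find_risky_statements(SAMPLE_LOG):
        print(f"line {lineno}: {func}() inside SYSTEM_TIME INTERVAL -> {expr}")
```

Run against the sample it reports lines 2 and 3 only. The regex is intentionally narrow: it keys on the SYSTEM_TIME INTERVAL clause rather than on SETVAL alone, so ordinary sequence usage does not generate noise. On a real deployment the same function can be pointed at the general log, an audit-plugin log, or a proxy's statement stream; the fix itself is the patched server version listed under Fix Version/s.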

            People

              Assignee: Alexander Barkov (bar)
              Reporter: Yu Liang (luy70)