MariaDB Server / MDEV-36362

MariaDB crashes when parsing fuzzer-generated PARTITION

Details

    • Type: Bug
    • Status: Confirmed
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 11.7.2, 10.5, 10.6, 10.11, 11.4, 11.8
    • Fix Version/s: 10.11, 11.4, 11.8
    • Component/s: Parser, Sequences
    • Environment: UBUNTU ARM64 VM

    Description

      The MariaDB server crashes when executing the following statements:

      DROP DATABASE IF EXISTS test123;
      CREATE DATABASE IF NOT EXISTS test123;
      USE test123;
      CREATE TABLE v00 (c01 INT, c02 TEXT);
      CREATE INDEX i03 ON v00 (c01);
      INSERT INTO v00 (c01, c02) VALUES (0, 'abc');
      CREATE TEMPORARY TABLE IF NOT EXISTS v00 UNION ( ) PARTITION BY SYSTEM_TIME INTERVAL TRUE <=> SETVAL ( c02, 1234567890 ) SECOND_MICROSECOND SUBPARTITION BY KEY ( c01, c01 ) SUBPARTITIONS 1234567890;
      

      It seems to be another issue related to parsing, according to the crash stack:

      #0 0x0000000001a463e4 in Item_func_nextval::update_table (this=0xffff8aef18f8) at /home/mariadb/mariadb-server/sql/item_func.h:4318
      #1 Item_func_setval::val_int (this=0xffff8aef18f8) at /home/mariadb/mariadb-server/sql/item_func.cc:7222
      #2 0x000000000191f750 in Arg_comparator::compare_e_int (this=0xffff8aef1a98) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1125
      #3 0x000000000192a8dc in Arg_comparator::compare (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:114
      #4 Item_func_equal::val_bool (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1909
      #5 0x00000000009a20c8 in Item_bool_func::val_int (this=0x100) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:245
      #6 0x00000000019f6b24 in Item_int_func::val_str (this=0xffff8aef19e0, str=0xffff64ffa2a0) at /home/mariadb/mariadb-server/sql/item_func.cc:768
      #7 0x0000000001861b6c in Item::val_str_ascii (this=0xffff8aef19e0, str=<optimized out>) at /home/mariadb/mariadb-server/sql/item.cc:166
      #8 0x0000000001c5370c in get_interval_value (thd=<optimized out>, args=<optimized out>, int_type=<optimized out>, interval=<optimized out>) at /home/mariadb/mariadb-server/sql/item_timefunc.cc:1399
      #9 0x0000000001233e8c in partition_info::vers_set_interval (this=<optimized out>, thd=<optimized out>, interval=0xffff64ffa2a0, int_type=<optimized out>, starts=<optimized out>, auto_hist=<optimized out>, table_name=<optimized out>) at /home/mariadb/mariadb-server/sql/partition_info.cc:2801
      #10 0x000000000168cee0 in MYSQLparse (thd=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_yacc.yy:5487
      #11 0x0000000000d575c0 in parse_sql (thd=0xffff65462218, parser_state=<optimized out>, creation_ctx=0x0, do_pfs_digest=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:10328
      #12 0x0000000000d1c8b8 in mysql_parse (thd=0xffff65462218, rawbuf=0xffff8aef0438 "CREATE TEMPORARY TABLE IF NOT EXISTS v00 UNION ( ) PARTITION BY SYSTEM_TIME INTERVAL TRUE <=> SETVAL ( c02, 1234567890 ) SECOND_MICROSECOND SUBPARTITION BY KEY ( c01, c01 ) SUBPARTITIONS 1234567890", length=<optimized out>, parser_state=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:7867
      #13 0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902
      #14 0x0000000000d1dbf4 in do_command (thd=0xffff65462218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415
      #15 0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415
      #16 0x00000000012841b4 in handle_one_connection (arg=0xffff9100ff38) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327
      #17 0x0000000002200c38 in pfs_spawn_thread (arg=0xffff8aa09a98) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198
      #18 0x0000ffff96b42624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477
      #19 0x0000ffff9686466c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78
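Added example, not part of the report and not MariaDB's own code: a Python helper that re-joins the wrapped frames of a gdb backtrace pasted into a bug report, such as the one above, and derives a crash signature from the innermost in-tree frames, which is how crashes from a grammar fuzzer are usually deduplicated before filing. The sample input is an excerpt of this report's backtrace with its original line wrapping; the `/sql/` in-tree marker and the signature depth of 3 are assumptions chosen for illustration.

```python
"""Parse a gdb backtrace as pasted into a bug report, re-joining frames whose
argument lists wrapped onto following lines, and derive a crash signature from
the first in-tree frames so that fuzzer findings can be deduplicated."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt of the MDEV-36362 backtrace; frames #8, #9, #11 and #12
# keep the line wrapping they had when pasted into the report.
SAMPLE_BT = """\
#0 0x0000000001a463e4 in Item_func_nextval::update_table (this=0xffff8aef18f8) at /home/mariadb/mariadb-server/sql/item_func.h:4318
#1 Item_func_setval::val_int (this=0xffff8aef18f8) at /home/mariadb/mariadb-server/sql/item_func.cc:7222
#2 0x000000000191f750 in Arg_comparator::compare_e_int (this=0xffff8aef1a98) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1125
#8 0x0000000001c5370c in get_interval_value (thd=<optimized out>, args=<optimized out>, int_type=<optimized out>, interval=<optimized out>)
at /home/mariadb/mariadb-server/sql/item_timefunc.cc:1399
#9 0x0000000001233e8c in partition_info::vers_set_interval (this=<optimized out>, thd=<optimized out>, interval=0xffff64ffa2a0, int_type=<optimized out>,
starts=<optimized out>, auto_hist=<optimized out>, table_name=<optimized out>) at /home/mariadb/mariadb-server/sql/partition_info.cc:2801
#10 0x000000000168cee0 in MYSQLparse (thd=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_yacc.yy:5487
#11 0x0000000000d575c0 in parse_sql (thd=0xffff65462218, parser_state=<optimized out>, creation_ctx=0x0, do_pfs_digest=true)
at /home/mariadb/mariadb-server/sql/sql_parse.cc:10328
#12 0x0000000000d1c8b8 in mysql_parse (thd=0xffff65462218,
rawbuf=0xffff8aef0438 "CREATE TEMPORARY TABLE IF NOT EXISTS v00 UNION ( ) PARTITION BY SYSTEM_TIME INTERVAL TRUE <=> SETVAL ( c02, 1234567890 ) SECOND_MICROSECOND SUBPARTITION BY KEY ( c01, c01 ) SUBPARTITIONS 1234567890", length=<optimized out>, parser_state=<optimized out>)
at /home/mariadb/mariadb-server/sql/sql_parse.cc:7867
#18 0x0000ffff96b42624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477
#19 0x0000ffff9686466c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78
"""

# "#<n> [0x<addr> in] <function> (" ; the address is absent for inlined frames.
FRAME_HEADER = re.compile(
    r"^#(?P<idx>\d+)\s+(?:(?P<addr>0x[0-9a-fA-F]+)\s+in\s+)?(?P<func>[^(]+?)\s*\("
)
# trailing "at <path>:<line>", anchored at the end so SQL text in rawbuf= cannot match
LOCATION = re.compile(r"\sat\s+(?P<loc>\S+:\d+)\s*$")


@dataclass
class Frame:
    index: int
    function: str
    address: Optional[str]   # None when gdb omits it (frame #1 above)
    location: Optional[str]  # "path:line", None if gdb printed no source location


def join_wrapped_lines(text: str) -> List[str]:
    """Return one string per frame: a line that does not start with '#<n> '
    is the continuation of the previous frame's argument list."""
    frames: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"#\d+\s", line):
            frames.append(line)
        elif frames:
            frames[-1] += " " + line
    return frames


def parse_frame(line: str) -> Frame:
    m = FRAME_HEADER.match(line)
    if m is None:
        raise ValueError(f"not a gdb frame: {line!r}")
    loc = LOCATION.search(line)
    return Frame(int(m["idx"]), m["func"].strip(), m["addr"], loc["loc"] if loc else None)


def parse_backtrace(text: str) -> List[Frame]:
    return [parse_frame(line) for line in join_wrapped_lines(text)]


def crash_signature(frames: List[Frame], in_tree_marker: str = "/sql/",
                    depth: int = 3) -> Tuple[str, str]:
    """Key on the innermost `depth` frames whose path contains `in_tree_marker`
    (assumed project-tree marker). Runtime frames such as start_thread are
    skipped so the same bug hashes identically across builds with different
    libc versions. Returns (readable key, short hash)."""
    in_tree = [f.function for f in frames if f.location and in_tree_marker in f.location]
    key = "|".join(in_tree[:depth])
    return key, hashlib.sha1(key.encode()).hexdigest()[:12]


if __name__ == "__main__":
    parsed = parse_backtrace(SAMPLE_BT)
    for f in parsed:
        print(f"#{f.index:<3}{f.function:40}{f.location}")
    print("signature:", crash_signature(parsed))
```

Anchoring the location regex at the end of the joined line matters for this particular trace: frame #12 carries the whole offending SQL statement in `rawbuf`, so an unanchored search for "at" could pick up text inside the query.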

    People

      Assignee: Alexander Barkov (bar)
      Reporter: Yu Liang (luy70)
      Votes: 0
      Watchers: 3