Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-39830

MariaDB 10.11.16 crash with SIGSEGV in setup_fields() during prepared UPDATE users statement

    XMLWordPrintable

Details

    • Not for Release Notes

    Description

      Hello team,

      We are reporting a reproducible crash observed on MariaDB 10.11.16. The server terminated with SIGSEGV while processing a COM_STMT_PREPARE request for an UPDATE statement against the users table.

      Environment:
      MariaDB Version: 10.11.16
      Linux x86_64
      InnoDB
      Production workload
      Crash Details

      MariaDB terminated unexpectedly with:
      /usr/sbin/mariadbd got signal 11

      Core dump analysis shows the following call path:
      mysqld_stmt_prepare()
      mysql_test_update()
      setup_fields()

      The failure occurred inside setup_fields() while iterating the Item_field list generated during statement preparation.

      The prepared statement is similar to:
      UPDATE users
      SET col1=?, col2=?, col3=?, ...
      WHERE userIndex=?

      The actual statement contains approximately 86 columns in the SET clause.

      Core Analysis Findings

      Crash location:
      setup_fields()+351

      Register state at crash:
      RIP = setup_fields()+351
      R12 = 0xe71bb1de92014ea7
      R11 = 69

      The invalid value stored in R12 was dereferenced during field processing.

      Additional observations:
      The corrupted pointer value was identified in a list node used by the Item_field processing logic.
      The corruption was observed around field index 69.
      The affected field was identified as:
      maxUserSessions
      The following field in the list was:
      skipPasswordCheck

      The pointer value observed was:
      0xe71bb1de92014ea7

      which is a non-canonical address.

      Environment Health Checks

      At the time of the crash:

      No OOM events were detected.
      No hardware errors were detected.
      No ECC memory errors were reported.
      No storage issues were observed.
      Swap usage was zero.
      Approximately 45 GB RAM was available.
      CPU was largely idle.

      The crash therefore appears to originate from an internal memory corruption or concurrency-related condition within MariaDB rather than resource exhaustion.

      Could you please advise:

      Whether this matches any known MDEV or bug in MariaDB 10.11.x.
      Whether similar issues involving:
      setup_fields()
      mysql_test_update()
      prepared statements
      Item_field processing
      large UPDATE statements
      have already been reported.
      Whether this issue is known to be fixed in a later 10.11.x release.

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. MDEV-39809 MariaDB 10.11.16 crashed signal 11

          • Major - Major loss of function.
          • Needs Feedback

          Activity

            People

              shipjain Shipra Jain
              monica.reyes@alepo.com Monica Reyes
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.