MDEV-9723 (MariaDB Server)

MariaDB segfault and fake rows in ha_connect.so when using thread=yes



    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.1.13, 10.0, 10.1
    • Fix Version/s: 10.0.25, 10.1.14
    • Component/s: None
    • Environment: 3.2.0-4-amd64 #1 SMP Debian 3.2.35-2 x86_64 GNU/Linux


      I've found two critical problems (fake rows and segfault) using the CONNECT engine with the simplest queries. The problems are reproducible using Debian Wheezy, Jessie and 3 different ha_connect.so files including a self-compiled one.


      CREATE TABLE t1 ENGINE=CONNECT TABLE_TYPE=MYSQL DBNAME=my_db OPTION_LIST='user=xxx,host=localhost,password=yyy'
      SRCDEF='select 11 as v';
      CREATE TABLE t2 ENGINE=CONNECT TABLE_TYPE=MYSQL DBNAME=my_db OPTION_LIST='user=xxx,host=localhost,password=yyy'
      SRCDEF='select 22 as v';
      CREATE TABLE t (
        `v` bigint(20) unsigned NOT NULL
      select * from t;

      Actual result

      | v  |
      | 11 |
      | 22 |
      |  0 |
      |  0 |

      We have 2 fake rows filled with zeros.

      Repeat step 4 several times and you get "Lost connection to MySQL".

      Please look below for gdb stacktrace:

      #0  0x00007f5bd707ed61 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
      #1  0x00007f5bd2d525ba in MYSQLCOL::ReadColumn (this=0x7f5ba00009d0, g=0x7f5bdc4a4d30) at /storage/connect/tabmysql.cpp:1383
      #2  0x00007f5bd2d0ede7 in Eval (g=0x7f5bdc4a4d30, this=0x7f5ba00009d0) at /storage/connect/colblk.cpp:140
      #3  COLBLK::Eval (this=0x7f5ba00009d0, g=0x7f5bdc4a4d30) at /storage/connect/colblk.cpp:129
      #4  0x00007f5bd2d5bead in PRXCOL::ReadColumn (this=0x7f5b9ffffc88, g=0x7f5bdc4a4d30) at /storage/connect/tabutil.cpp:736
      #5  0x00007f5bd2d0ede7 in Eval (g=0x7f5bdc4a4d30, this=0x7f5b9ffffc88) at /storage/connect/colblk.cpp:140
      #6  COLBLK::Eval (this=0x7f5b9ffffc88, g=0x7f5bdc4a4d30) at /storage/connect/colblk.cpp:129
      #7  0x00007f5bd2d065e4 in EvalColumns (g=g@entry=0x1, tdbp=tdbp@entry=0x7f5b9ffff2c8, reset=reset@entry=false, mrr=mrr@entry=false) at /storage/connect/connect.cc:420
      #8  0x00007f5bd2d067b0 in CntReadNext (g=0x7f5bdc4a4d30, tdbp=0x7f5b9ffff2c8) at /storage/connect/connect.cc:472
      #9  0x00007f5bd2cfd120 in ha_connect::rnd_next (this=0x7f5bdc4d3660, buf=0x7f5bdc54b1e0 "\377") at /storage/connect/ha_connect.cc:3768
      #10 0x00007f5bd8b6dbaf in handler::ha_rnd_next (this=0x7f5bdc4d3660, buf=0x7f5bdc54b1e0 "\377") at /sql/handler.cc:2577
      #11 0x00007f5bd8c55519 in rr_sequential (info=0x7f5bdc4ecfb0) at /sql/records.cc:470
      #12 0x00007f5bd8a3c8a9 in sub_select (join=0x7f5bdc4ebe50, join_tab=0x7f5bdc4ecef0, end_of_records=<optimized out>) at /sql/sql_select.cc:18256
      #13 0x00007f5bd8a488dd in do_select (join=0x7f5bdc4ebe50, fields=0x7f5bdc4871c8, table=0x0, procedure=0x0) at /sql/sql_select.cc:17914
      #14 0x00007f5bd8a58c04 in JOIN::exec_inner (this=this@entry=0x7f5bdc4ebe50) at /sql/sql_select.cc:3228
      #15 0x00007f5bd8a5a8ac in JOIN::exec (this=0x7f5bdc4ebe50) at /sql/sql_select.cc:2518
      #16 0x00007f5bd8a57530 in mysql_select (thd=thd@entry=0x7f5bdc4830d8, rref_pointer_array=rref_pointer_array@entry=0x7f5bdc487328, tables=0x7f5bdc4eb768, wild_num=<optimized out>, fields=...,
          conds=<optimized out>, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=result@entry=0x7f5bdc4ebe30, unit=unit@entry=0x7f5bdc4869b0,
          select_lex=select_lex@entry=0x7f5bdc4870b0) at /sql/sql_select.cc:3451
      #17 0x00007f5bd8a5ab8c in handle_select (thd=0x7f5bdc4830d8, lex=0x7f5bdc4868e8, result=0x7f5bdc4ebe30, setup_tables_done_option=0) at /sql/sql_select.cc:384
      #18 0x00007f5bd8a03a1e in execute_sqlcom_select (thd=thd@entry=0x7f5bdc4830d8, all_tables=0x7f5bdc4eb768) at /sql/sql_parse.cc:5936
      #19 0x00007f5bd8a0f9b8 in mysql_execute_command (thd=thd@entry=0x7f5bdc4830d8) at /sql/sql_parse.cc:2962
      #20 0x00007f5bd8a12d3e in mysql_parse (thd=0x7f5bdc4830d8, rawbuf=<optimized out>, length=<optimized out>, parser_state=0x7f5bbaa1fd00) at /sql/sql_parse.cc:7336
      #21 0x00007f5bd8a1570e in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f5bdc4830d8, packet=packet@entry=0x7f5bdc47e6d9 "", packet_length=3696145712, packet_length@entry=50)
          at /sql/sql_parse.cc:1488
      #22 0x00007f5bd8a15cb0 in do_command (thd=0x7f5bdc4830d8) at /sql/sql_parse.cc:1109
      #23 0x00007f5bd8ac608a in do_handle_one_connection (thd_arg=thd_arg@entry=0x7f5bdc4830d8) at /sql/sql_connect.cc:1349
      #24 0x00007f5bd8ac61f6 in handle_one_connection (arg=0x7f5bdc4830d8) at /sql/sql_connect.cc:1261
      #25 0x00007f5bd8174b50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
      #26 0x00007f5bd70dd30d in clone () from /lib/x86_64-linux-gnu/libc.so.6

      I have found the following strange behaviour in MYSQLCOL::ReadColumn (tabmysql.cpp). When a fake row appears, this function is called with Rank equal to -1, and the segfault occurs on strlen(p).

      The problems can't be reproduced when the t table is created using option_list='thread=no'.
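The two symptoms in the report share one invariant: a column reader must only dereference a row that the source actually fetched. The model below is an added illustration written for this page, not CONNECT's own code or the fix that closed the issue; the `struct result`, `MAX_ROWS` and the scan functions are constructed, and the input values 11 and 22 are taken from the report. It contrasts a scan that walks the buffer's capacity (producing zero-valued "fake rows") with one that stops at the fetched count, and shows a guarded column read that refuses Rank == -1 instead of reaching strlen() with a bad pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a combined table reading rows from sub-tables.
 * These are illustrative types, not CONNECT's MYSQLCOL/TDB classes. */
#define MAX_ROWS 4               /* capacity of the row buffer (assumed) */

struct result {
    int nrows;                   /* rows actually fetched from the sources */
    const char *cells[MAX_ROWS]; /* one text cell per row; unused slots stay NULL */
    int rank;                    /* index of the row currently positioned; -1 = none */
};

/* Collect the rows returned by each source (here: one value per sub-table). */
static void gather(struct result *r, const char **src, int nsrc)
{
    memset(r, 0, sizeof *r);
    for (int i = 0; i < nsrc && i < MAX_ROWS; i++)
        r->cells[r->nrows++] = src[i];
    r->rank = -1;                /* nothing positioned yet */
}

/* Unchecked column read, the shape of the failure the report describes:
 * with rank == -1 this indexes cells[-1] and hands garbage to strlen().
 * Shown for contrast only; never called. */
static size_t read_column_unchecked(const struct result *r)
{
    return strlen(r->cells[r->rank]);
}

/* Guarded column read: 0 on success, -1 if no fetched row is positioned,
 * -2 if the cell is NULL. Memory is touched only after both checks pass. */
static int read_column_checked(const struct result *r, long *out)
{
    if (r->rank < 0 || r->rank >= r->nrows)
        return -1;
    const char *p = r->cells[r->rank];
    if (p == NULL)
        return -2;
    *out = strtol(p, NULL, 10);
    return 0;
}

/* Scan that walks the buffer's capacity instead of the fetched count:
 * empty slots surface as rows whose value is 0 (the "fake rows"). */
static int scan_naive(const struct result *r, long *out)
{
    for (int i = 0; i < MAX_ROWS; i++)
        out[i] = r->cells[i] ? strtol(r->cells[i], NULL, 10) : 0;
    return MAX_ROWS;
}

/* Scan that positions rank on each fetched row and reads through the guard,
 * so the caller sees exactly the rows the sources returned. */
static int scan_checked(struct result *r, long *out)
{
    int n = 0;
    for (r->rank = 0; r->rank < r->nrows; r->rank++) {
        long v;
        if (read_column_checked(r, &v) == 0)
            out[n++] = v;
    }
    r->rank = -1;
    return n;
}

/* Run the model over the two sub-table values from the report (constructed
 * input). checked == 0 uses the naive scan, otherwise the guarded one. */
int run_scan(int checked, long *out)
{
    const char *src[] = { "11", "22" };
    struct result r;
    gather(&r, src, 2);
    return checked ? scan_checked(&r, out) : scan_naive(&r, out);
}

/* Result of reading a column while no row is positioned (rank == -1). */
int read_unpositioned(void)
{
    const char *src[] = { "11", "22" };
    struct result r;
    long v;
    gather(&r, src, 2);
    return read_column_checked(&r, &v);
}

int main(void)
{
    long out[MAX_ROWS];
    int n = run_scan(0, out);
    printf("naive scan:   %d rows:", n);
    for (int i = 0; i < n; i++) printf(" %ld", out[i]);
    n = run_scan(1, out);
    printf("\nchecked scan: %d rows:", n);
    for (int i = 0; i < n; i++) printf(" %ld", out[i]);
    printf("\nread with rank -1: %d\n", read_unpositioned());
    (void)read_column_unchecked;  /* referenced only to document the unsafe shape */
    return 0;
}
```

The naive scan reproduces the shape of the reported output (11, 22, 0, 0); the checked scan returns only the two real rows, and the guarded read reports -1 for an unpositioned cursor rather than calling strlen() on whatever sits at index -1.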




            Assignee: Olivier Bertrand
            Reporter: Sergey Antonyuk


