[MDEV-19304] Segfault in ALTER TABLE after UPDATE for SIMULTANEOUS_ASSIGNMENT Created: 2019-04-22  Updated: 2020-05-13  Resolved: 2019-08-11

Status: Closed
Project: MariaDB Server
Component/s: Data Definition - Alter Table, Versioned Tables
Affects Version/s: 10.3, 10.4
Fix Version/s: 10.3.18, 10.4.8

Type: Bug Priority: Critical
Reporter: Elena Stepanova Assignee: Aleksey Midenkov
Resolution: Fixed Votes: 0
Labels: affects-tests

Issue Links:
Duplicate
duplicates MDEV-18217 [Draft] [ERROR] InnoDB: Apparent cor... Closed
is duplicated by MDEV-19644 Server crashes in ha_partition::try_s... Closed
is duplicated by MDEV-20121 Server crashes in handler::ha_write_r... Closed
Problem/Incident
is caused by MDEV-14792 INSERT without column list into table... Closed
Relates
relates to MDEV-13417 UPDATE produces wrong values if an up... Closed
relates to MDEV-16937 Strict SQL with system versioned tabl... Closed
relates to MDEV-19597 Refactor TABLE::vers_update_fields() ... Stalled
relates to MDEV-20120 Server crashes in extra_cb or in ha_p... Closed
relates to MDEV-20121 Server crashes in handler::ha_write_r... Closed

 Description   

SIGSEGV / ASAN unknown-crash in row_sel_field_store_in_mysql_format_func or create_tmp_table or my_timestamp_from_binary or Field::cmp_binary or calc_row_difference upon action on system-versioned table with SIMULTANEOUS_ASSIGNMENT.

With MyISAM or Aria

CREATE TABLE t1 (a INT, s TIMESTAMP(6) AS ROW START, e TIMESTAMP(6) AS ROW END, PERIOD FOR SYSTEM_TIME(s,e)) ENGINE=MyISAM WITH SYSTEM VERSIONING;
REPLACE INTO t1 () VALUES (),();
SET SQL_MODE= CONCAT(@@sql_mode,',SIMULTANEOUS_ASSIGNMENT');
UPDATE IGNORE t1 SET e = 1;
ALTER TABLE t1 FORCE;
 
# Cleanup
DROP TABLE t1;

10.3 ASAN 765ae6e8

==31680==ERROR: AddressSanitizer: unknown-crash on address 0x61900009e7b7 at pc 0x55b4ad0ff184 bp 0x7f6245a018a0 sp 0x7f6245a01898
READ of size 1 at 0x61900009e7b7 thread T5
    #0 0x55b4ad0ff183 in my_timestamp_from_binary(timeval*, unsigned char const*, unsigned int) /data/src/10.3/sql/compat56.cc:394
    #1 0x55b4ad144336 in Field_timestampf::get_timestamp(unsigned char const*, unsigned long*) const /data/src/10.3/sql/field.cc:5574
    #2 0x55b4ad18ecd6 in Field_timestamp::get_timestamp(unsigned long*) const /data/src/10.3/sql/field.h:2678
    #3 0x55b4ad14068c in Field_timestamp::get_date(st_mysql_time*, unsigned long long) /data/src/10.3/sql/field.cc:5307
    #4 0x55b4ad13f85f in Field_timestamp::val_str(String*, String*) /data/src/10.3/sql/field.cc:5232
    #5 0x55b4ac8463ed in Field::val_str(String*) /data/src/10.3/sql/field.h:840
    #6 0x55b4ad18a023 in Field::val_str(String*, unsigned char const*) /data/src/10.3/sql/field.h:1328
    #7 0x55b4ad183d7b in Column_definition::Column_definition(THD*, Field*, Field*) /data/src/10.3/sql/field.cc:11018
    #8 0x55b4aca29c43 in Create_field::Create_field(THD*, Field*, Field*) /data/src/10.3/sql/field.h:4754
    #9 0x55b4accbe91c in mysql_prepare_alter_table(THD*, TABLE*, HA_CREATE_INFO*, Alter_info*, Alter_table_ctx*) /data/src/10.3/sql/sql_table.cc:8023
    #10 0x55b4accc73bc in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.3/sql/sql_table.cc:9440
    #11 0x55b4ace1441d in Sql_cmd_alter_table::execute(THD*) /data/src/10.3/sql/sql_alter.cc:494
    #12 0x55b4acaaf84e in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6285
    #13 0x55b4acaba6dd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
    #14 0x55b4aca94805 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1857
    #15 0x55b4aca9185b in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
    #16 0x55b4ace054cf in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
    #17 0x55b4ace04edb in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #18 0x55b4ad731269 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
    #19 0x7f6252414493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #20 0x7f62503dc93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x61900009e7b7 is located 55 bytes inside of 992-byte region [0x61900009e780,0x61900009eb60)
allocated by thread T5 here:
    #0 0x7f625267e73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x55b4ae2c0046 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
    #2 0x55b4ae29f89e in alloc_root /data/src/10.3/mysys/my_alloc.c:250
    #3 0x55b4ae2a1410 in memdup_root /data/src/10.3/mysys/my_alloc.c:491
    #4 0x55b4acd37568 in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.3/sql/table.cc:1273
    #5 0x55b4acd32d15 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.3/sql/table.cc:677
    #6 0x55b4acfb7578 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.3/sql/table_cache.cc:840
    #7 0x55b4ac946ea2 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1831
    #8 0x55b4ac94f2a8 in open_and_process_table /data/src/10.3/sql/sql_base.cc:3619
    #9 0x55b4ac951c8a in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4144
    #10 0x55b4ac9564a3 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:5019
    #11 0x55b4ac8c74d6 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.3/sql/sql_base.h:502
    #12 0x55b4aca07e2d in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:760
    #13 0x55b4acaa48e9 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4730
    #14 0x55b4acaba6dd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
    #15 0x55b4aca94805 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1857
    #16 0x55b4aca9185b in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
    #17 0x55b4ace054cf in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
    #18 0x55b4ace04edb in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #19 0x55b4ad731269 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
    #20 0x7f6252414493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
Thread T5 created by T0 here:
    #0 0x7f625264dbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x55b4ad731831 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
    #2 0x55b4ac7fcf48 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
    #3 0x55b4ac812801 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6589
    #4 0x55b4ac812f06 in create_new_thread /data/src/10.3/sql/mysqld.cc:6659
    #5 0x55b4ac813f1d in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6934
    #6 0x55b4ac811cbe in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6211
    #7 0x55b4ac7fafcf in main /data/src/10.3/sql/main.cc:25
    #8 0x7f62503142b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: unknown-crash /data/src/10.3/sql/compat56.cc:394 my_timestamp_from_binary(timeval*, unsigned char const*, unsigned int)
Shadow bytes around the buggy address:
  0x0c328000bca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000bcb0: 00 00 00 00 00 00 00 00 00 04 00 00 f7 f7 f7 f7
  0x0c328000bcc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 fa fa fa fa
  0x0c328000bcd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328000bce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c328000bcf0: 00 00 00 00 00 00[01]02 00 00 03 01 00 00 00 00
  0x0c328000bd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000bd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000bd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000bd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000bd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==31680==ABORTING

With InnoDB

--source include/have_innodb.inc
 
CREATE TABLE t1 (a INT, s TIMESTAMP(6) AS ROW START, e TIMESTAMP(6) AS ROW END, PERIOD FOR SYSTEM_TIME(s,e)) ENGINE=InnoDB WITH SYSTEM VERSIONING;
REPLACE INTO t1 () VALUES (),();
SET SQL_MODE= CONCAT(@@sql_mode,',SIMULTANEOUS_ASSIGNMENT');
UPDATE IGNORE t1 SET e = 1;
ALTER TABLE t1 FORCE;
 
# Cleanup
DROP TABLE t1;

10.3 ASAN 765ae6e8

==31919==ERROR: AddressSanitizer: SEGV on unknown address 0x61910010b8b4 (pc 0x7f3cc9c53a20 sp 0x7f3caf85de08 bp 0x7f3caf85de50 T27)
    #0 0x7f3cc9c53a1f (/lib/x86_64-linux-gnu/libc.so.6+0x144a1f)
    #1 0x7f3ccbe7f23e in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x3a23e)
    #2 0x55dac54f2eab in calc_row_difference /data/src/10.3/storage/innobase/handler/ha_innodb.cc:8491
    #3 0x55dac54f4ff7 in ha_innobase::update_row(unsigned char const*, unsigned char const*) /data/src/10.3/storage/innobase/handler/ha_innodb.cc:8838
    #4 0x55dac4f56533 in handler::ha_update_row(unsigned char const*, unsigned char const*) /data/src/10.3/sql/handler.cc:6351
    #5 0x55dac4a8168e in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.3/sql/sql_update.cc:946
    #6 0x55dac4819d61 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4584
    #7 0x55dac48306dd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
    #8 0x55dac480a805 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1857
    #9 0x55dac480785b in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
    #10 0x55dac4b7b4cf in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
    #11 0x55dac4b7aedb in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #12 0x55dac54a7269 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
    #13 0x7f3ccbc2f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #14 0x7f3cc9bf793e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
Thread T27 created by T0 here:
    #0 0x7f3ccbe68bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x55dac54a7831 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
    #2 0x55dac4572f48 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
    #3 0x55dac4588801 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6589
    #4 0x55dac4588f06 in create_new_thread /data/src/10.3/sql/mysqld.cc:6659
    #5 0x55dac4589f1d in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6934
    #6 0x55dac4587cbe in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6211
    #7 0x55dac4570fcf in main /data/src/10.3/sql/main.cc:25
    #8 0x7f3cc9b2f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

Another one with InnoDB, DOUBLE instead of INT, different stack trace

--source include/have_innodb.inc
 
CREATE TABLE t1 (a DOUBLE, s TIMESTAMP(6) AS ROW START, e TIMESTAMP(6) AS ROW END, PERIOD FOR SYSTEM_TIME(s,e)) ENGINE=InnoDB WITH SYSTEM VERSIONING;
REPLACE INTO t1 () VALUES (),();
SET SQL_MODE= CONCAT(@@sql_mode,',SIMULTANEOUS_ASSIGNMENT');
UPDATE IGNORE t1 SET e = 1;
ALTER TABLE t1 FORCE;
 
# Cleanup
DROP TABLE t1;

10.3 ASAN 765ae6e8

==32361==ERROR: AddressSanitizer: unknown-crash on address 0x6190000fbea0 at pc 0x560a21e0e168 bp 0x7f0fc34f2420 sp 0x7f0fc34f2418
READ of size 7 at 0x6190000fbea0 thread T27
    #0 0x560a21e0e167 in Field::cmp_binary(unsigned char const*, unsigned char const*, unsigned int) /data/src/10.3/sql/field.h:1083
    #1 0x560a21e0e347 in Field::cmp_binary_offset(unsigned int) /data/src/10.3/sql/field.h:1087
    #2 0x560a2198aeb5 in compare_record(TABLE const*) /data/src/10.3/sql/sql_update.cc:92
    #3 0x560a219903e3 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.3/sql/sql_update.cc:888
    #4 0x560a21728d61 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4584
    #5 0x560a2173f6dd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
    #6 0x560a21719805 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1857
    #7 0x560a2171685b in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
    #8 0x560a21a8a4cf in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
    #9 0x560a21a89edb in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #10 0x560a223b6269 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
    #11 0x7f0fdf8c3493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #12 0x7f0fdd88b93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x6190000fbea0 is located 32 bytes inside of 992-byte region [0x6190000fbe80,0x6190000fc260)
allocated by thread T27 here:
    #0 0x7f0fdfb2d73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x560a22f45046 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
    #2 0x560a22f2489e in alloc_root /data/src/10.3/mysys/my_alloc.c:250
    #3 0x560a22f2629a in strmake_root /data/src/10.3/mysys/my_alloc.c:479
    #4 0x560a219ccaa0 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/src/10.3/sql/table.cc:3173
    #5 0x560a215cc98e in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1975
    #6 0x560a215d42a8 in open_and_process_table /data/src/10.3/sql/sql_base.cc:3619
    #7 0x560a215d6c8a in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4144
    #8 0x560a215db4a3 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:5019
    #9 0x560a2154c4d6 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.3/sql/sql_base.h:502
    #10 0x560a2168ce2d in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:760
    #11 0x560a217298e9 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4730
    #12 0x560a2173f6dd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
    #13 0x560a21719805 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1857
    #14 0x560a2171685b in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
    #15 0x560a21a8a4cf in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
    #16 0x560a21a89edb in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #17 0x560a223b6269 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
    #18 0x7f0fdf8c3493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
Thread T27 created by T0 here:
    #0 0x7f0fdfafcbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x560a223b6831 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
    #2 0x560a21481f48 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
    #3 0x560a21497801 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6589
    #4 0x560a21497f06 in create_new_thread /data/src/10.3/sql/mysqld.cc:6659
    #5 0x560a21498f1d in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6934
    #6 0x560a21496cbe in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6211
    #7 0x560a2147ffcf in main /data/src/10.3/sql/main.cc:25
    #8 0x7f0fdd7c32b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: unknown-crash /data/src/10.3/sql/field.h:1083 Field::cmp_binary(unsigned char const*, unsigned char const*, unsigned int)
Shadow bytes around the buggy address:
  0x0c3280017780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280017790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32800177a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32800177b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32800177c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c32800177d0: 00 00 00 00[03]00 00 07 00 00 07 00 00 07 00 00
  0x0c32800177e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c32800177f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280017800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280017810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280017820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==32361==ABORTING

InnoDB variations also crash on debug and release:

10.3 debug 765ae6e8

Thread 1 (Thread 0x7fae4c58c700 (LWP 32502)):
#0  __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x00005613e2b0127b in my_write_core (sig=11) at /data/src/10.3/mysys/stacktrace.c:481
#2  0x00005613e235bca0 in handle_fatal_signal (sig=11) at /data/src/10.3/sql/signal_handler.cc:305
#3  <signal handler called>
#4  0x00007fae5cee1a20 in __memcmp_sse4_1 () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x00005613e25bd66f in calc_row_difference (uvect=0x7fae000a87b0, old_row=0x7fae0000cba8 "\377", new_row=0x7fae0000cb90 "\377", table=0x7fae000a6770, upd_buff=0x7fae000ab340 '\245' <repeats 120 times>, "h4z\025", '\217' <repeats 12 times>, "\025\001", buff_len=119, prebuilt=0x7fae000a7b58, auto_inc=@0x7fae4c589ea8: 0) at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:8491
#6  0x00005613e25be613 in ha_innobase::update_row (this=0x7fae000a73b8, old_row=0x7fae0000cba8 "\377", new_row=0x7fae0000cb90 "\377") at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:8838
#7  0x00005613e236cd57 in handler::ha_update_row (this=0x7fae000a73b8, old_data=0x7fae0000cba8 "\377", new_data=0x7fae0000cb90 "\377") at /data/src/10.3/sql/handler.cc:6351
#8  0x00005613e215e23c in mysql_update (thd=0x7fae00000b00, table_list=0x7fae00014dd0, fields=..., values=..., conds=0x0, order_num=0, order=0x0, limit=18446744073709551615, ignore=true, found_return=0x7fae4c58a700, updated_return=0x7fae4c58a7c0) at /data/src/10.3/sql/sql_update.cc:946
#9  0x00005613e2065480 in mysql_execute_command (thd=0x7fae00000b00) at /data/src/10.3/sql/sql_parse.cc:4584
#10 0x00005613e207084b in mysql_parse (thd=0x7fae00000b00, rawbuf=0x7fae00014ce8 "UPDATE IGNORE t1 SET e = 1", length=26, parser_state=0x7fae4c58b5f0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8091
#11 0x00005613e205db1a in dispatch_command (command=COM_QUERY, thd=0x7fae00000b00, packet=0x7fae001624e1 "UPDATE IGNORE t1 SET e = 1", packet_length=26, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1857
#12 0x00005613e205c504 in do_command (thd=0x7fae00000b00) at /data/src/10.3/sql/sql_parse.cc:1403
#13 0x00005613e21c515b in do_handle_one_connection (connect=0x5613e64cdfd0) at /data/src/10.3/sql/sql_connect.cc:1402
#14 0x00005613e21c4edf in handle_one_connection (arg=0x5613e64cdfd0) at /data/src/10.3/sql/sql_connect.cc:1308
#15 0x00005613e259c04d in pfs_spawn_thread (arg=0x5613e64d66c0) at /data/src/10.3/storage/perfschema/pfs.cc:1862
#16 0x00007fae5eebd494 in start_thread (arg=0x7fae4c58c700) at pthread_create.c:333
#17 0x00007fae5ce8593f in clone () from /lib/x86_64-linux-gnu/libc.so.6

MyISAM version doesn't crash without ASAN for me, but on a debug build ALTER produces a strange failure:

mysqltest: At line 5: query 'ALTER TABLE t1 FORCE' failed: 1292: Incorrect datetime value: '2046-04-28 20:44:47.486223' for column ``.``.`e` at row 1
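
The following is an added example and is not code from this Jira report or from MariaDB. It is a small exposure check built from two facts the report establishes: the header lists 10.3 and 10.4 as affected with the fix in 10.3.18 and 10.4.8, and the reproductions above need nothing more than a session-level SET SQL_MODE followed by an UPDATE on a system-versioned table. The three query strings, the information_schema TABLE_TYPE filter, the verdict wording and the sample inputs are assumptions constructed for the example; the script does not connect to a server, it only interprets the values those queries would return.

```python
"""Exposure check for MDEV-19304 (added example; not code from the Jira report
or from MariaDB).  Facts taken from the report header: the bug affects the
10.3 and 10.4 series and is fixed in 10.3.18 and 10.4.8.  Everything else
(the queries, the sample inputs, the verdict wording) is constructed here."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# First release carrying the fix, per affected series (from the report header).
FIX_VERSIONS: Dict[Tuple[int, int], Version] = {
    (10, 3): (10, 3, 18),
    (10, 4): (10, 4, 8),
}

# Queries that produce the three inputs assess() needs.  The TABLE_TYPE filter
# is an assumption about information_schema, not something the report shows.
QUERY_VERSION = "SELECT VERSION()"
QUERY_GLOBAL_SQL_MODE = "SELECT @@GLOBAL.sql_mode"
QUERY_VERSIONED_TABLES = (
    "SELECT COUNT(*) FROM information_schema.TABLES "
    "WHERE TABLE_TYPE = 'SYSTEM VERSIONED'"
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string: str) -> Version:
    """Extract MAJOR.MINOR.PATCH from a VERSION() result such as
    '10.3.17-MariaDB-1:10.3.17+maria~bionic-log'; suffixes are ignored."""
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def server_is_vulnerable(version_string: str) -> Optional[bool]:
    """True: affected series and older than its fix release.
    False: fix release or later in an affected series.
    None: a series the report does not list, so it says nothing about it."""
    version = parse_version(version_string)
    fix = FIX_VERSIONS.get(version[:2])
    if fix is None:
        return None
    return version < fix


def simultaneous_assignment_enabled(sql_mode: str) -> bool:
    """sql_mode is a comma-separated flag list; match case-insensitively and
    ignore whitespace, which is how the server itself parses it."""
    flags = {flag.strip().upper() for flag in sql_mode.split(",")}
    return "SIMULTANEOUS_ASSIGNMENT" in flags


def assess(version_string: str, global_sql_mode: str,
           versioned_tables: int) -> Dict[str, object]:
    """Combine the three query results into a verdict plus explanatory notes."""
    vulnerable = server_is_vulnerable(version_string)
    notes: List[str] = []
    if vulnerable is None:
        notes.append("series not listed in MDEV-19304; no verdict from this report")
    elif not vulnerable:
        notes.append("release is at or past the MDEV-19304 fix version")
    else:
        notes.append("affected release: upgrade to 10.3.18 / 10.4.8 or later")
        if versioned_tables == 0:
            notes.append("no system-versioned tables yet; the crash needs one, "
                         "and any CREATE TABLE ... WITH SYSTEM VERSIONING adds one")
        else:
            notes.append(f"{versioned_tables} system-versioned table(s) present")
        if simultaneous_assignment_enabled(global_sql_mode):
            notes.append("SIMULTANEOUS_ASSIGNMENT is in the global sql_mode, so every "
                         "session already runs with the triggering mode")
        else:
            # The repro sets the mode per session; that needs no extra privilege,
            # so a clean global sql_mode is not a mitigation.
            notes.append("SIMULTANEOUS_ASSIGNMENT is not global, but any session can "
                         "SET it for itself, so this does not mitigate the bug")
    return {"version": parse_version(version_string),
            "vulnerable": vulnerable, "notes": notes}


if __name__ == "__main__":
    # Constructed sample inputs standing in for the three query results.
    for sample in [("10.3.17-MariaDB-log", "STRICT_TRANS_TABLES", 2),
                   ("10.4.8-MariaDB", "STRICT_TRANS_TABLES,SIMULTANEOUS_ASSIGNMENT", 0),
                   ("10.5.1-MariaDB", "", 0)]:
        verdict = assess(*sample)
        print(sample[0], "->", verdict["vulnerable"], "|", "; ".join(verdict["notes"]))
```

The point of the sql_mode note is the one that matters operationally: because the reproductions set SIMULTANEOUS_ASSIGNMENT in the session, a global sql_mode without it tells you nothing about exposure, and the only real remediation is the fix release. Series the report does not list are reported as unknown rather than as safe.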
 Comments   
Comment by Elena Stepanova [ 2019-04-22 ]

More variations:

--source include/have_innodb.inc
 
CREATE TABLE t1 (a INT, s TIMESTAMP(6) AS ROW START, e TIMESTAMP(6) AS ROW END, PERIOD FOR SYSTEM_TIME(s,e)) ENGINE=InnoDB WITH SYSTEM VERSIONING;
REPLACE INTO t1 () VALUES (),();
SET SQL_MODE= CONCAT(@@sql_mode,',SIMULTANEOUS_ASSIGNMENT');
--error ER_WARNING_NON_DEFAULT_VALUE_FOR_GENERATED_COLUMN
UPDATE t1 SET s = '2033-09-15 16:00:34.010453';
DELETE FROM t1;
 
# Cleanup
DROP TABLE t1;

10.3 765ae6e8

#3  <signal handler called>
#4  0x00007fa34eaffdc5 in __memmove_sse2_unaligned_erms () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x00005563ed07266e in row_sel_field_store_in_mysql_format_func (dest=0x7fa3f000ec8d <error: Cannot access memory at address 0x7fa3f000ec8d>, templ=0x7fa2f0038010, index=0x7fa2f0072568, field_no=4, data=0x7fa33c4e4091 "\\\275\356\315\005X\245\177\377\377\377\017B?\001", len=7) at /data/src/10.3/storage/innobase/row/row0sel.cc:2907
#6  0x00005563ed072ce3 in row_sel_store_mysql_field (mysql_rec=0x7fa2f000eca0 "\377", prebuilt=0x7fa2f00a6d78, rec=0x7fa33c4e407e "", index=0x7fa2f0072568, offsets=0x7fa3495ca160, field_no=4, templ=0x7fa2f0038010) at /data/src/10.3/storage/innobase/row/row0sel.cc:3047
#7  0x00005563ed0732ab in row_sel_store_mysql_rec (mysql_rec=0x7fa2f000eca0 "\377", prebuilt=0x7fa2f00a6d78, rec=0x7fa33c4e407e "", vrow=0x0, rec_clust=false, index=0x7fa2f0072568, offsets=0x7fa3495ca160) at /data/src/10.3/storage/innobase/row/row0sel.cc:3184
#8  0x00005563ed078f11 in row_search_mvcc (buf=0x7fa2f000eca0 "\377", mode=PAGE_CUR_G, prebuilt=0x7fa2f00a6d78, match_mode=0, direction=0) at /data/src/10.3/storage/innobase/row/row0sel.cc:5466
#9  0x00005563ecee55a5 in ha_innobase::index_read (this=0x7fa2f000d408, buf=0x7fa2f000eca0 "\377", key_ptr=0x0, key_len=0, find_flag=HA_READ_AFTER_KEY) at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:9332
#10 0x00005563ecee63c8 in ha_innobase::index_first (this=0x7fa2f000d408, buf=0x7fa2f000eca0 "\377") at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:9706
#11 0x00005563ecee65d3 in ha_innobase::rnd_next (this=0x7fa2f000d408, buf=0x7fa2f000eca0 "\377") at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:9799
#12 0x00005563ecc8924d in handler::ha_rnd_next (this=0x7fa2f000d408, buf=0x7fa2f000eca0 "\377") at /data/src/10.3/sql/handler.cc:2813
#13 0x00005563ece0aaf3 in rr_sequential (info=0x7fa3495cad60) at /data/src/10.3/sql/records.cc:481
#14 0x00005563ec8ef6ab in READ_RECORD::read_record (this=0x7fa3495cad60) at /data/src/10.3/sql/records.h:73
#15 0x00005563ece28438 in mysql_delete (thd=0x7fa2f0000b00, table_list=0x7fa2f0014db0, conds=0x0, order_list=0x7fa2f00053b0, limit=18446744073709551615, options=0, result=0x0) at /data/src/10.3/sql/sql_delete.cc:730
#16 0x00005563ec98c79c in mysql_execute_command (thd=0x7fa2f0000b00) at /data/src/10.3/sql/sql_parse.cc:4927
#17 0x00005563ec99684b in mysql_parse (thd=0x7fa2f0000b00, rawbuf=0x7fa2f0014ce8 "DELETE FROM t1", length=14, parser_state=0x7fa3495cc5f0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8091
#18 0x00005563ec983b1a in dispatch_command (command=COM_QUERY, thd=0x7fa2f0000b00, packet=0x7fa2f01622c1 "DELETE FROM t1", packet_length=14, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1857
#19 0x00005563ec982504 in do_command (thd=0x7fa2f0000b00) at /data/src/10.3/sql/sql_parse.cc:1403
#20 0x00005563ecaeb15b in do_handle_one_connection (connect=0x5563efdc43f0) at /data/src/10.3/sql/sql_connect.cc:1402
#21 0x00005563ecaeaedf in handle_one_connection (arg=0x5563efdc43f0) at /data/src/10.3/sql/sql_connect.cc:1308
#22 0x00005563ecec204d in pfs_spawn_thread (arg=0x5563efdccae0) at /data/src/10.3/storage/perfschema/pfs.cc:1862
#23 0x00007fa350b9c494 in start_thread (arg=0x7fa3495cd700) at pthread_create.c:333
#24 0x00007fa34eb6493f in clone () from /lib/x86_64-linux-gnu/libc.so.6

All of debug, ASAN and release fail.

Comment by Elena Stepanova [ 2019-04-22 ]

More variations:

CREATE TABLE t1 (f INT, s TIMESTAMP(6) AS ROW START, e TIMESTAMP(6) AS ROW END, PERIOD FOR SYSTEM_TIME(s,e)) WITH SYSTEM VERSIONING;
CREATE TABLE t2 (f INT);
CREATE OR REPLACE ALGORITHM=MERGE VIEW v AS SELECT * FROM t1 NATURAL JOIN t2;
 
SET SQL_MODE= CONCAT(@@sql_mode,',SIMULTANEOUS_ASSIGNMENT');
INSERT INTO t1 (f) VALUES (0),(1);
 
--error ER_WARNING_NON_DEFAULT_VALUE_FOR_GENERATED_COLUMN
UPDATE t1 SET e = 5;
 
--error ER_VIEW_DELETE_MERGE_VIEW
DELETE FROM v;
 
# Cleanup
DROP VIEW v;
DROP TABLE t1, t2;

10.3 ASAN 765ae6e8

==29087==ERROR: AddressSanitizer: unknown-crash on address 0x61900009ddb4 at pc 0x557625f69b37 bp 0x7f5cb89cd700 sp 0x7f5cb89cd6f8
READ of size 7 at 0x61900009ddb4 thread T5
    #0 0x557625f69b36 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /data/src/10.3/sql/sql_select.cc:17670
    #1 0x5576260b12fb in select_unit::create_result_table(THD*, List<Item>*, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int) /data/src/10.3/sql/sql_union.cc:375
    #2 0x557625dae2eb in mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) /data/src/10.3/sql/sql_derived.cc:773
    #3 0x557625dab3ff in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/src/10.3/sql/sql_derived.cc:199
    #4 0x55762612c5ce in TABLE_LIST::handle_derived(LEX*, unsigned int) /data/src/10.3/sql/table.cc:8189
    #5 0x557625de95c0 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /data/src/10.3/sql/sql_lex.h:3970
    #6 0x557626974680 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.3/sql/sql_delete.cc:339
    #7 0x557625e6533e in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4927
    #8 0x557625e796dd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
    #9 0x557625e53805 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1857
    #10 0x557625e5085b in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
    #11 0x5576261c44cf in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
    #12 0x5576261c3edb in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #13 0x557626af0269 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
    #14 0x7f5cc53de493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #15 0x7f5cc33a693e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x61900009ddb4 is located 52 bytes inside of 992-byte region [0x61900009dd80,0x61900009e160)
allocated by thread T5 here:
    #0 0x7f5cc564873f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x55762767f046 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
    #2 0x55762765e89e in alloc_root /data/src/10.3/mysys/my_alloc.c:250
    #3 0x557627660410 in memdup_root /data/src/10.3/mysys/my_alloc.c:491
    #4 0x5576260f6568 in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.3/sql/table.cc:1273
    #5 0x5576260f1d15 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.3/sql/table.cc:677
    #6 0x557626376578 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.3/sql/table_cache.cc:840
    #7 0x557625d05ea2 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1831
    #8 0x557625d0e2a8 in open_and_process_table /data/src/10.3/sql/sql_base.cc:3619
    #9 0x557625d10c8a in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4144
    #10 0x557625d154a3 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:5019
    #11 0x557625c864d6 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.3/sql/sql_base.h:502
    #12 0x5576260de9bd in mysql_create_view(THD*, TABLE_LIST*, enum_view_create_mode) /data/src/10.3/sql/sql_view.cc:450
    #13 0x557625e6d932 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6108
    #14 0x557625e796dd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
    #15 0x557625e53805 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1857
    #16 0x557625e5085b in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
    #17 0x5576261c44cf in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
    #18 0x5576261c3edb in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #19 0x557626af0269 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
    #20 0x7f5cc53de493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
Thread T5 created by T0 here:
    #0 0x7f5cc5617bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x557626af0831 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
    #2 0x557625bbbf48 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
    #3 0x557625bd1801 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6589
    #4 0x557625bd1f06 in create_new_thread /data/src/10.3/sql/mysqld.cc:6659
    #5 0x557625bd2f1d in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6934
    #6 0x557625bd0cbe in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6211
    #7 0x557625bb9fcf in main /data/src/10.3/sql/main.cc:25
    #8 0x7f5cc32de2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: unknown-crash /data/src/10.3/sql/sql_select.cc:17670 create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool)
Shadow bytes around the buggy address:
  0x0c328000bb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000bb70: 00 00 00 00 00 00 00 00 00 04 00 00 f7 f7 f7 f7
  0x0c328000bb80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 fa fa fa fa
  0x0c328000bb90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328000bba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c328000bbb0: 00 00 00 00 00 00[01]02 00 00 03 01 00 00 00 00
  0x0c328000bbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000bbd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000bbe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000bbf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000bc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==29087==ABORTING

Comment by Aleksey Midenkov [ 2019-05-27 ]

PR commit:
https://github.com/MariaDB/server/pull/1289/commits/2a51b50db41cf09cb9b06f324637c37464635a39

Generated at Thu Feb 08 08:50:38 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.