[#MDEV-21946] Server crash in store_length upon GROUP BY WITH ROLLUP with geometry field

10.5 c8ae3573
#3 <signal handler called>
#4 0x0000559ab5fd974f in store_length (to=0x7f1878066458 <error: Cannot access memory at address 0x7f1878066458>, length=25, pack_length=4) at /data/src/10.5/sql/filesort.cc:1090
#5 0x0000559ab5fd9aa3 in Type_handler_string_result::make_sort_key_part (this=0x559ab77edad0 <type_handler_geometry>, to=0x7f1778066459 '\245' <repeats 200 times>..., item=0x7f17780140e8, sort_field=0x7f1778017c28, param=0x7f178ae820a0) at /data/src/10.5/sql/filesort.cc:1158
#6 0x0000559ab5fdea69 in make_sortkey (param=0x7f178ae820a0, to=0x7f1778066458 "\001", '\245' <repeats 199 times>...) at /data/src/10.5/sql/filesort.cc:3000
#7 0x0000559ab5fda4b9 in make_sortkey (param=0x7f178ae820a0, to=0x7f1778066458 "\001", '\245' <repeats 199 times>..., ref_pos=0x7f17782128d8 "", using_packed_sortkeys=false) at /data/src/10.5/sql/filesort.cc:1340
#8 0x0000559ab5fd9135 in find_all_keys (thd=0x7f1778000b18, param=0x7f178ae820a0, select=0x7f1778017118, fs_info=0x7f17780661d0, buffpek_pointers=0x7f178ae822b0, tempfile=0x7f178ae82140, pq=0x0, found_rows=0x7f17780663c0) at /data/src/10.5/sql/filesort.cc:957
#9 0x0000559ab5fd7121 in filesort (thd=0x7f1778000b18, table=0x7f17780f8c78, filesort=0x7f17780174a8, tracker=0x7f1778017b98, join=0x7f17780153d0, first_table_bit=1) at /data/src/10.5/sql/filesort.cc:363
#10 0x0000559ab5d1f161 in create_sort_index (thd=0x7f1778000b18, join=0x7f17780153d0, tab=0x7f17780167d8, fsort=0x7f17780174a8) at /data/src/10.5/sql/sql_select.cc:23787
#11 0x0000559ab5d19314 in st_join_table::sort_table (this=0x7f17780167d8) at /data/src/10.5/sql/sql_select.cc:21526
#12 0x0000559ab5d18ef0 in join_init_read_record (tab=0x7f17780167d8) at /data/src/10.5/sql/sql_select.cc:21465
#13 0x0000559ab5d16c98 in sub_select (join=0x7f17780153d0, join_tab=0x7f17780167d8, end_of_records=false) at /data/src/10.5/sql/sql_select.cc:20539
#14 0x0000559ab5d16159 in do_select (join=0x7f17780153d0, procedure=0x0) at /data/src/10.5/sql/sql_select.cc:20076
#15 0x0000559ab5cea0cf in JOIN::exec_inner (this=0x7f17780153d0) at /data/src/10.5/sql/sql_select.cc:4459
#16 0x0000559ab5ce91fb in JOIN::exec (this=0x7f17780153d0) at /data/src/10.5/sql/sql_select.cc:4240
#17 0x0000559ab5cea92c in mysql_select (thd=0x7f1778000b18, tables=0x7f1778014228, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7f1778014a58, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f17780153a8, unit=0x7f1778004b20, select_lex=0x7f1778013a00) at /data/src/10.5/sql/sql_select.cc:4664
#18 0x0000559ab5cda4a0 in handle_select (thd=0x7f1778000b18, lex=0x7f1778004a58, result=0x7f17780153a8, setup_tables_done_option=0) at /data/src/10.5/sql/sql_select.cc:429
#19 0x0000559ab5c9fb32 in execute_sqlcom_select (thd=0x7f1778000b18, all_tables=0x7f1778014228) at /data/src/10.5/sql/sql_parse.cc:6147
#20 0x0000559ab5c96790 in mysql_execute_command (thd=0x7f1778000b18) at /data/src/10.5/sql/sql_parse.cc:3899
#21 0x0000559ab5ca49ce in mysql_parse (thd=0x7f1778000b18, rawbuf=0x7f1778013920 "SELECT IF( 0, NULL, a ) AS f FROM t1 GROUP BY f WITH ROLLUP", length=59, parser_state=0x7f178ae83520, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:7926
#22 0x0000559ab5c904d7 in dispatch_command (command=COM_QUERY, thd=0x7f1778000b18, packet=0x7f177816ddb9 "", packet_length=59, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:1840
#23 0x0000559ab5c8ec0d in do_command (thd=0x7f1778000b18) at /data/src/10.5/sql/sql_parse.cc:1359
#24 0x0000559ab5e305f9 in do_handle_one_connection (connect=0x559ab9213f08, put_in_cache=true) at /data/src/10.5/sql/sql_connect.cc:1422
#25 0x0000559ab5e30328 in handle_one_connection (arg=0x559ab9213f08) at /data/src/10.5/sql/sql_connect.cc:1319
#26 0x0000559ab635f7a2 in pfs_spawn_thread (arg=0x559ab924a248) at /data/src/10.5/storage/perfschema/pfs.cc:2201
#27 0x00007f17922704a4 in start_thread (arg=0x7f178ae84700) at pthread_create.c:456
#28 0x00007f17903a4d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Reproducible on debug and non-debug builds, with at least MyISAM and InnoDB.
The failure appeared in 10.5 tree with this commit:

10.5 c7ab67619

==3734==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000038f24 at pc 0x7feac605131e bp 0x7fea9d4bac50 sp 0x7fea9d4ba400

READ of size 4294967295 at 0x61a000038f24 thread T24

    #0 0x7feac605131d  (/lib/x86_64-linux-gnu/libasan.so.5+0x3f31d)

    #1 0x556ff9d6e045 in SORT_FIELD_ATTR::pack_sort_string(unsigned char*, st_mysql_const_lex_string const&, charset_info_st const*) const /data/src/10.5-bug/sql/filesort.cc:2961

    #2 0x556ff9d6b741 in Type_handler_string_result::make_packed_sort_key_part(unsigned char*, Item*, SORT_FIELD_ATTR const*, Sort_param*) const /data/src/10.5-bug/sql/filesort.cc:2588

    #3 0x556ff9d6e776 in make_packed_sortkey /data/src/10.5-bug/sql/filesort.cc:3058

    #4 0x556ff9d62af5 in make_sortkey /data/src/10.5-bug/sql/filesort.cc:1339

    #5 0x556ff9d5fb74 in find_all_keys /data/src/10.5-bug/sql/filesort.cc:954

    #6 0x556ff9d5b579 in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /data/src/10.5-bug/sql/filesort.cc:356

    #7 0x556ff9714949 in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /data/src/10.5-bug/sql/sql_select.cc:23860

    #8 0x556ff97033ec in st_join_table::sort_table() /data/src/10.5-bug/sql/sql_select.cc:21589

    #9 0x556ff97028f5 in join_init_read_record(st_join_table*) /data/src/10.5-bug/sql/sql_select.cc:21528

    #10 0x556ff96fc16b in sub_select(JOIN*, st_join_table*, bool) /data/src/10.5-bug/sql/sql_select.cc:20602

    #11 0x556ff96fa3b4 in do_select /data/src/10.5-bug/sql/sql_select.cc:20139

    #12 0x556ff96884df in JOIN::exec_inner() /data/src/10.5-bug/sql/sql_select.cc:4463

    #13 0x556ff9685b31 in JOIN::exec() /data/src/10.5-bug/sql/sql_select.cc:4244

    #14 0x556ff9689a46 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5-bug/sql/sql_select.cc:4668

    #15 0x556ff965bd89 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5-bug/sql/sql_select.cc:417

    #16 0x556ff95ce0d7 in execute_sqlcom_select /data/src/10.5-bug/sql/sql_parse.cc:6168

    #17 0x556ff95bc4f9 in mysql_execute_command(THD*) /data/src/10.5-bug/sql/sql_parse.cc:3901

    #18 0x556ff9629a8c in Prepared_statement::execute(String*, bool) /data/src/10.5-bug/sql/sql_prepare.cc:4786

    #19 0x556ff962543d in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.5-bug/sql/sql_prepare.cc:4275

    #20 0x556ff961ecb2 in mysql_stmt_execute_common /data/src/10.5-bug/sql/sql_prepare.cc:3277

    #21 0x556ff961e3a4 in mysqld_stmt_execute(THD*, char*, unsigned int) /data/src/10.5-bug/sql/sql_prepare.cc:3172

    #22 0x556ff95ae7a8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5-bug/sql/sql_parse.cc:1763

    #23 0x556ff95ab949 in do_command(THD*) /data/src/10.5-bug/sql/sql_parse.cc:1358

    #24 0x556ff99cabc2 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5-bug/sql/sql_connect.cc:1422

    #25 0x556ff99ca45d in handle_one_connection /data/src/10.5-bug/sql/sql_connect.cc:1319

    #26 0x556ffa669305 in pfs_spawn_thread /data/src/10.5-bug/storage/perfschema/pfs.cc:2201

    #27 0x7feac5ff8fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486

    #28 0x7feac58474ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)

[MDEV-21946] Server crash in store_length upon GROUP BY WITH ROLLUP with geometry field Created: 2020-03-16 Updated: 2020-04-14 Resolved: 2020-04-09
Status:	Closed
Project:	MariaDB Server
Component/s:	GIS, Server
Affects Version/s:	10.5
Fix Version/s:	10.5.3

[MDEV-21946] Server crash in store_length upon GROUP BY WITH ROLLUP with geometry field Created: 2020-03-16 Updated: 2020-04-14 Resolved: 2020-04-09