[MDEV-22019] Sig 11 in next_breadth_first_tab | max_sort_length setting + double GROUP BY leads to crash Created: 2020-03-24  Updated: 2020-03-31  Resolved: 2020-03-30

Status: Closed
Project: MariaDB Server
Component/s: Information Schema
Affects Version/s: 10.2, 10.3, 10.4, 10.5
Fix Version/s: 10.2.32, 10.3.23, 10.4.13, 10.5.3

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Varun Gupta (Inactive)
Resolution: Fixed Votes: 0
Labels: not-10.1


Description

This testcase:

SET @@SESSION.max_sort_length=2000000;
USE INFORMATION_SCHEMA;
SELECT * FROM tables t JOIN columns c ON t.table_schema=c.table_schema WHERE c.table_schema=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.columns GROUP BY column_type) GROUP BY t.table_name;

Leads to:

Core was generated by `/data/MD140320-mariadb-10.4.13-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
57	../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.
[Current thread is 1 (Thread 0x7f2ebdbde700 (LWP 18246))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x000055e9e382a987 in my_write_core (sig=sig@entry=11) at /data/git/10.4_opt/mysys/stacktrace.c:481
#2  0x000055e9e329de3a in handle_fatal_signal (sig=11) at /data/git/10.4_opt/sql/signal_handler.cc:343
#3  <signal handler called>
#4  0x000055e9e30ca011 in next_breadth_first_tab (tab=0x7f2e76cf7800, n_top_tabs_count=2, 
    first_top_tab=0x7f2e76cf70b0) at /data/git/10.4_opt/sql/sql_select.cc:9921
#5  JOIN::cleanup (this=this@entry=0x7f2e76c516b0, full=full@entry=true)
    at /data/git/10.4_opt/sql/sql_select.cc:13766
#6  0x000055e9e30ca6f6 in JOIN::destroy (this=0x7f2e76c516b0) at /data/git/10.4_opt/sql/sql_select.cc:4481
#7  0x000055e9e312a4d8 in st_select_lex::cleanup (this=this@entry=0x7f2e76c3f208)
    at /data/git/10.4_opt/sql/sql_union.cc:2070
#8  0x000055e9e30e3392 in mysql_select (thd=thd@entry=0x7f2e76c12008, tables=0x7f2e76c3f7d8, wild_num=1, 
    fields=..., conds=<optimized out>, og_num=1, order=0x0, group=0x7f2e76c42f88, having=0x0, 
    proc_param=0x0, select_options=2684619520, result=0x7f2e76c51688, unit=0x7f2e76c15d70, 
    select_lex=0x7f2e76c3f208) at /data/git/10.4_opt/sql/sql_select.cc:4688
#9  0x000055e9e30e35a1 in handle_select (thd=thd@entry=0x7f2e76c12008, lex=lex@entry=0x7f2e76c15cb0, 
    result=result@entry=0x7f2e76c51688, setup_tables_done_option=setup_tables_done_option@entry=0)
    at /data/git/10.4_opt/sql/sql_select.cc:410
#10 0x000055e9e307f681 in execute_sqlcom_select (thd=thd@entry=0x7f2e76c12008, all_tables=0x7f2e76c3f7d8)
    at /data/git/10.4_opt/sql/sql_parse.cc:6359
#11 0x000055e9e3088747 in mysql_execute_command (thd=thd@entry=0x7f2e76c12008)
    at /data/git/10.4_opt/sql/sql_parse.cc:3898
#12 0x000055e9e308f37a in mysql_parse (thd=thd@entry=0x7f2e76c12008, rawbuf=<optimized out>, length=184, 
    parser_state=parser_state@entry=0x7f2ebdbdd140, is_com_multi=is_com_multi@entry=false, 
    is_next_command=is_next_command@entry=false) at /data/git/10.4_opt/sql/sql_parse.cc:7900
#13 0x000055e9e3091939 in dispatch_command (command=command@entry=COM_QUERY, 
    thd=thd@entry=0x7f2e76c12008, 
    packet=packet@entry=0x7f2e76c32009 "SELECT * FROM tables t JOIN columns c ON t.table_schema=c.table_schema WHERE c.table_schema=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.columns GROUP BY column_type) GROUP BY t.table_name", packet_length=packet_length@entry=184, is_com_multi=is_com_multi@entry=false, 
    is_next_command=is_next_command@entry=false) at /data/git/10.4_opt/sql/sql_parse.cc:1841
#14 0x000055e9e3093220 in do_command (thd=0x7f2e76c12008) at /data/git/10.4_opt/sql/sql_parse.cc:1359
#15 0x000055e9e316fb2e in do_handle_one_connection (connect=connect@entry=0x7f2ebac31748)
    at /data/git/10.4_opt/sql/sql_connect.cc:1412
#16 0x000055e9e316fbed in handle_one_connection (arg=0x7f2ebac31748)
    at /data/git/10.4_opt/sql/sql_connect.cc:1316
#17 0x00007f2ebcb676db in start_thread (arg=0x7f2ebdbde700) at pthread_create.c:463
#18 0x00007f2ebb80d88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.2.32 (dbg), 10.2.32 (opt), 10.3.23 (dbg), 10.3.23 (opt), 10.4.13 (dbg), 10.4.13 (opt), 10.5.2 (dbg), 10.5.2 (opt)

Bug confirmed not present in:
MariaDB: 10.1.45 (dbg), 10.1.45 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

A few observations:

  • Lowering the SESSION.max_sort_length stops the bug from occurring.

10.4.13>SET @@SESSION.max_sort_length=200000;           # <- one less zero
Query OK, 0 rows affected (0.000 sec)
10.4.13>USE INFORMATION_SCHEMA;
Database changed
10.4.13>SELECT * FROM tables t JOIN columns c ON t.table_schema=c.table_schema WHERE c.table_schema=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.columns GROUP BY column_type) GROUP BY t.table_name;
ERROR 1242 (21000): Subquery returns more than 1 row
10.4.13>SET @@SESSION.max_sort_length=2000000;
Query OK, 0 rows affected (0.000 sec)
10.4.13>SELECT * FROM tables t JOIN columns c ON t.table_schema=c.table_schema WHERE c.table_schema=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.columns GROUP BY column_type) GROUP BY t.table_name;
ERROR 2013 (HY000): Lost connection to MySQL server during query

  • Removing the second GROUP BY stops this bug from occurring:

10.4.13>SET @@SESSION.max_sort_length=2000000; 
Query OK, 0 rows affected (0.000 sec)
10.4.13>USE INFORMATION_SCHEMA;
Database changed
10.4.13>SELECT * FROM tables t JOIN columns c ON t.table_schema=c.table_schema WHERE c.table_schema=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.columns GROUP BY column_type);
ERROR 1038 (HY001): Out of sort memory, consider increasing server sort buffer size
Comments
Comment by Marko Mäkelä [ 2020-03-24 ]

Out of curiosity, I checked what cmake -DWITH_UBSAN has to say on 10.2. Quite a bit, actually:

10.2 a7cbce06d432cbcb88e071731089aacfd41750fd

2020-03-24  8:08:24 140280106074624 [Warning] /dev/shm/10.2u/sql/mysqld: unknown option '--loose-pam-debug'
2020-03-24  8:08:24 140280106074624 [Note] Server socket created on IP: '127.0.0.1'.
/mariadb/10.2o/mysys/hash.c:792:9: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/mysys/hash.c:792:9 in 
2020-03-24  8:08:24 140280106074624 [Note] Reading of all Master_info entries succeeded
2020-03-24  8:08:24 140280106074624 [Note] Added new Master_info '' to hash table
2020-03-24  8:08:24 140280106074624 [Note] /dev/shm/10.2u/sql/mysqld: ready for connections.
Version: '10.2.32-MariaDB-debug-log'  socket: '/dev/shm/10.2u/mysql-test/var/tmp/mysqld.1.sock'  port: 16000  Source distribution
/mariadb/10.2o/strings/ctype.c:1151:46: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/strings/ctype.c:1151:46 in 
/mariadb/10.2o/sql/sql_select.cc:2914:22: runtime error: applying non-zero offset 4054449126480 to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/sql/sql_select.cc:2914:22 in 
/mariadb/10.2o/mysys/mf_iocache.c:807:10: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/mysys/mf_iocache.c:807:10 in 
/mariadb/10.2o/mysys/my_alloc.c:452:16: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/mysys/my_alloc.c:452:16 in 
/mariadb/10.2o/sql/item_cmpfunc.cc:3643:14: runtime error: call to function srtcmp_in(charset_info_st const*, String const*, String const*) through pointer to incorrect function type 'int (*)(const void *, const void *, const void *)'
/mariadb/10.2o/sql/item_cmpfunc.cc:4157: note: srtcmp_in(charset_info_st const*, String const*, String const*) defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/sql/item_cmpfunc.cc:3643:14 in 
/mariadb/10.2o/sql/item_cmpfunc.cc:3650:11: runtime error: call to function srtcmp_in(charset_info_st const*, String const*, String const*) through pointer to incorrect function type 'int (*)(const void *, const void *, const void *)'
/mariadb/10.2o/sql/item_cmpfunc.cc:4157: note: srtcmp_in(charset_info_st const*, String const*, String const*) defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/sql/item_cmpfunc.cc:3650:11 in 
/mariadb/10.2o/sql/sql_show.cc:3558:7: runtime error: call to function show_binlog_vars(THD*, st_mysql_show_var*, char*) through pointer to incorrect function type 'int (*)(THD *, st_mysql_show_var *, void *, system_status_var *, enum_var_type)'
/mariadb/10.2o/sql/log.cc:10410: note: show_binlog_vars(THD*, st_mysql_show_var*, char*) defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/sql/sql_show.cc:3558:7 in 
/mariadb/10.2o/sql/debug_sync.cc:322:14: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/sql/debug_sync.cc:322:14 in 
/mariadb/10.2o/sql/sql_string.h:554:30: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/sql/sql_string.h:554:30 in 
/mariadb/10.2o/sql/sql_select.cc:17520:3: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:61:62: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/sql/sql_select.cc:17520:3 in 
/mariadb/10.2o/sql/sql_select.cc:18521:5: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:61:62: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/sql/sql_select.cc:18521:5 in 
/mariadb/10.2o/strings/ctype-mb.c:328:32: runtime error: applying non-zero offset 2 to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/strings/ctype-mb.c:328:32 in 
/mariadb/10.2o/sql/sql_select.cc:26755:5: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:61:62: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/sql/sql_select.cc:26755:5 in 
/mariadb/10.2o/mysys/my_compare.c:309:12: runtime error: left shift of negative value -29
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/mysys/my_compare.c:309:12 in 
/mariadb/10.2o/mysys/my_compare.c:310:12: runtime error: left shift of negative value -80
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/mysys/my_compare.c:310:12 in 
2020-03-24  8:08:24 140279805519616 [ERROR] mysqld: Out of sort memory, consider increasing server sort buffer size
2020-03-24  8:08:24 140279805519616 [Warning] Sort aborted, host: localhost, user: root, thread: 4, query: SELECT * FROM tables t JOIN columns c ON t.table_schema=c.table_schema WHERE c.table_schema=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.columns GROUP BY column_type) GROUP BY t.table_name
/mariadb/10.2o/sql/sql_select.cc:8742:34: runtime error: member access within null pointer of type 'JOIN'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/sql/sql_select.cc:8742:34 in 
200324  8:08:24 [ERROR] mysqld got signal 11 ;

The stack trace is as follows:

10.2 a7cbce06d432cbcb88e071731089aacfd41750fd

Thread 1 (Thread 0x7f956ffa2700 (LWP 14617)):
#0  __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x0000000000b9e3c2 in handle_fatal_signal (sig=11) at /mariadb/10.2o/sql/signal_handler.cc:343
#2  <signal handler called>
#3  0x0000000000854735 in next_breadth_first_tab (first_top_tab=0x7f9560052450, n_top_tabs_count=2, tab=0x7f9560052bb0) at /mariadb/10.2o/sql/sql_select.cc:8742
#4  0x0000000000846b9a in JOIN::cleanup (this=0x7f9560174158, full=<optimized out>) at /mariadb/10.2o/sql/sql_select.cc:12351
#5  0x0000000000846705 in JOIN::destroy (this=0x7f9560174158) at /mariadb/10.2o/sql/sql_select.cc:3655
#6  0x0000000000934bbb in st_select_lex::cleanup (this=0x7f9560005060) at /mariadb/10.2o/sql/sql_union.cc:1539
#7  0x0000000000814614 in mysql_select (thd=<optimized out>, tables=0x7f9560011cb0, wild_num=<optimized out>, fields=..., conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=<optimized out>, having=<optimized out>, proc_param=<optimized out>, select_options=<optimized out>, result=<optimized out>, unit=<optimized out>, select_lex=<optimized out>) at /mariadb/10.2o/sql/sql_select.cc:3836
#8  0x00000000008140d1 in handle_select (thd=0x7f9560000d28, lex=<optimized out>, result=0x7f9560174138, setup_tables_done_option=0) at /mariadb/10.2o/sql/sql_select.cc:361
#9  0x00000000007cb4d6 in execute_sqlcom_select (thd=0x7f9560000d28, all_tables=0x7f9560011cb0) at /mariadb/10.2o/sql/sql_parse.cc:6224
#10 0x00000000007bb8f6 in mysql_execute_command (thd=<optimized out>) at /mariadb/10.2o/sql/sql_parse.cc:3531

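As an added example (not code from this issue, from the reporter, or from the MariaDB project), the following Python helper triages MariaDB error-log text of the kind quoted in the comment above: for every "mysqld got signal N" line it attaches the most recent "Sort aborted ... query:" warning, which names the statement the server was executing, and the UBSAN "runtime error" sites logged since the previous crash, so the finding nearest the crash (here sql_select.cc:8742, the same location as backtrace frame #3) can be compared with the stack trace. The sample log is constructed from the lines above, and the three line formats it parses are assumed from those lines only.

```python
"""Triage MariaDB error-log text for fatal-signal crashes (added example).

Line formats are assumed from the log excerpt quoted in this issue:
  <file>:<line>:<col>: runtime error: <msg>          (UBSAN finding)
  ... [Warning] Sort aborted, host: H, user: U, thread: T, query: Q
  ... [ERROR] mysqld got signal N ;
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, modelled on the lines quoted in the comment above.
SAMPLE_LOG = """\
2020-03-24  8:08:24 140280106074624 [Note] /dev/shm/10.2u/sql/mysqld: ready for connections.
/mariadb/10.2o/mysys/my_compare.c:309:12: runtime error: left shift of negative value -29
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/mysys/my_compare.c:309:12 in
2020-03-24  8:08:24 140279805519616 [ERROR] mysqld: Out of sort memory, consider increasing server sort buffer size
2020-03-24  8:08:24 140279805519616 [Warning] Sort aborted, host: localhost, user: root, thread: 4, query: SELECT * FROM tables t JOIN columns c ON t.table_schema=c.table_schema WHERE c.table_schema=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.columns GROUP BY column_type) GROUP BY t.table_name
/mariadb/10.2o/sql/sql_select.cc:8742:34: runtime error: member access within null pointer of type 'JOIN'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mariadb/10.2o/sql/sql_select.cc:8742:34 in
200324  8:08:24 [ERROR] mysqld got signal 11 ;
"""

SIGNAL_RE = re.compile(r"\[ERROR\] mysqld got signal (\d+)")
SORT_ABORT_RE = re.compile(
    r"\[Warning\] Sort aborted, host: (?P<host>\S+), user: (?P<user>\S+), "
    r"thread: (?P<thread>\d+), query: (?P<query>.*)$"
)
# Only the "runtime error" lines carry a source location; SUMMARY and
# "note:" lines are deliberately not matched.
UBSAN_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):\d+: runtime error: (?P<msg>.*)$"
)

UbsanSite = Tuple[str, int, str]  # (source file, line, message)


@dataclass
class CrashEvent:
    signal: int
    host: Optional[str] = None
    user: Optional[str] = None
    thread: Optional[int] = None
    query: Optional[str] = None
    ubsan_sites: List[UbsanSite] = field(default_factory=list)

    @property
    def last_ubsan_site(self) -> Optional[UbsanSite]:
        # The finding logged nearest the signal is the best lead for the
        # faulting code path; it can be checked against the backtrace.
        return self.ubsan_sites[-1] if self.ubsan_sites else None


def parse_error_log(text: str) -> List[CrashEvent]:
    """Return one CrashEvent per fatal-signal line, in log order."""
    events: List[CrashEvent] = []
    pending_sites: List[UbsanSite] = []   # UBSAN findings since the last crash
    last_sort_abort = None                # latest "Sort aborted" match, if any
    for line in text.splitlines():
        m = UBSAN_RE.match(line)
        if m:
            pending_sites.append((m["file"], int(m["line"]), m["msg"].strip()))
            continue
        m = SORT_ABORT_RE.search(line)
        if m:
            last_sort_abort = m
            continue
        m = SIGNAL_RE.search(line)
        if m:
            ev = CrashEvent(signal=int(m.group(1)), ubsan_sites=pending_sites)
            if last_sort_abort is not None:
                ev.host = last_sort_abort["host"]
                ev.user = last_sort_abort["user"]
                ev.thread = int(last_sort_abort["thread"])
                ev.query = last_sort_abort["query"].strip()
            events.append(ev)
            pending_sites = []        # open a fresh window for the next crash
            last_sort_abort = None
    return events


if __name__ == "__main__":
    for ev in parse_error_log(SAMPLE_LOG):
        print(f"signal {ev.signal} on thread {ev.thread} ({ev.user}@{ev.host})")
        print(f"  query: {ev.query}")
        print(f"  nearest UBSAN site: {ev.last_ubsan_site}")
```

Run against a real error log, the helper groups findings per crash rather than per line, which is what makes a sanitizer build useful for bisecting a report like this one: the query and the last runtime error before the signal are the two pieces of context a developer needs before opening the core file.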
Comment by Varun Gupta (Inactive) [ 2020-03-26 ]

Patch
http://lists.askmonty.org/pipermail/commits/2020-March/014223.html

Comment by Sergei Petrunia [ 2020-03-29 ]

Ok to push.

Generated at Thu Feb 08 09:11:34 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.