[MDEV-22652] SIGSEGV in in_vector::find on INSERT in 10.5.3 but not 10.5.4 Created: 2020-05-21  Updated: 2023-09-27  Resolved: 2023-09-25

Status: Closed
Project: MariaDB Server
Component/s: Data Definition - Alter Table, Data Manipulation - Insert
Affects Version/s: 10.4.13, 10.5.3
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: not-10.1, not-10.2, not-10.3


Description

This bug may have been fixed in 10.5.4, but that is not certain (the crash may merely be masked there).

USE test;
CREATE TEMPORARY TABLE t(a INT);
ALTER TABLE t ADD c0 INT;
ALTER TABLE t ADD CONSTRAINT CHECK(c0 NOT IN (0,0,0));
ALTER TABLE t ADD c0 BLOB;
INSERT INTO t VALUES(0,0),(0,0),(0,0),(0,0),(0,0),(0,0),(0,0);

Leads to:

10.5.3 cfe5ee90c8e4b9dfa98a41fcd299197a59261be7

Core was generated by `/test/MD110520-mariadb-10.5.3-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x14c6eff8f700 (LWP 2261309))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x000055f3c0bdcc11 in my_write_core (sig=sig@entry=11) at /test/10.5_dbg/mysys/stacktrace.c:518
#2  0x000055f3c0381f8d in handle_fatal_signal (sig=11) at /test/10.5_dbg/sql/signal_handler.cc:329
#3  <signal handler called>
#4  0x000055f3c03d771f in in_vector::find (this=0x14c6ccc35938, item=0x14c6ccc539a0) at /test/10.5_dbg/sql/item_cmpfunc.cc:3653
#5  0x000055f3c03d9a14 in Item_func_in::val_int (this=0x14c6ccc53c10) at /test/10.5_dbg/sql/item_cmpfunc.cc:4690
#6  0x000055f3c01debe1 in TABLE::verify_constraints (this=0x14c6cccc7088, ignore_failure=ignore_failure@entry=false) at /test/10.5_dbg/sql/table.cc:5965
#7  0x000055f3c01def87 in TABLE_LIST::view_check_option (this=this@entry=0x14c6ccc741c8, thd=thd@entry=0x14c6ccc15088, ignore_failure=<optimized out>) at /test/10.5_dbg/sql/table.cc:5940
#8  0x000055f3c00a25ce in mysql_insert (thd=thd@entry=0x14c6ccc15088, table_list=0x14c6ccc741c8, fields=..., values_list=..., update_fields=..., update_values=..., duplic=DUP_ERROR, ignore=false, result=0x0) at /test/10.5_dbg/sql/sql_insert.cc:1068
#9  0x000055f3c00da1e5 in mysql_execute_command (thd=thd@entry=0x14c6ccc15088) at /test/10.5_dbg/sql/sql_parse.cc:4515
#10 0x000055f3c00e5804 in mysql_parse (thd=thd@entry=0x14c6ccc15088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14c6eff8e3e0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7957
#11 0x000055f3c00d1ffd in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14c6ccc15088, packet=packet@entry=0x14c6ccc67089 "INSERT INTO t VALUES(0,0),(0,0),(0,0),(0,0),(0,0),(0,0),(0,0)", packet_length=packet_length@entry=61, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1839
#12 0x000055f3c00d08cc in do_command (thd=0x14c6ccc15088) at /test/10.5_dbg/sql/sql_parse.cc:1358
#13 0x000055f3c022a99d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x14c6ce8433a8, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1411
#14 0x000055f3c022b0b9 in handle_one_connection (arg=arg@entry=0x14c6ce8433a8) at /test/10.5_dbg/sql/sql_connect.cc:1313
#15 0x000055f3c068910a in pfs_spawn_thread (arg=0x14c6edc45888) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#16 0x000014c6ef3b66db in start_thread (arg=0x14c6eff8f700) at pthread_create.c:463
#17 0x000014c6ee7b488f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.4.13 (dbg), 10.5.3 (dbg)

Bug confirmed not present in:
MariaDB: 10.1.45 (dbg), 10.1.45 (opt), 10.2.32 (dbg), 10.2.32 (opt), 10.3.23 (dbg), 10.3.23 (opt), 10.4.13 (opt), 10.5.2 (dbg), 10.5.2 (opt), 10.5.3 (opt), 10.5.4 (dbg), 10.5.4 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

MariaDB 10.5.4 (dbg):

10.5.4 69077dea25f6e7cab4ff8927e4429ad62af9de49

10.5.4>ALTER TABLE t ADD c0 BLOB;
ERROR 1060 (42S21): Duplicate column name 'c0'
10.5.4>INSERT INTO t VALUES(0,0),(0,0),(0,0),(0,0),(0,0),(0,0),(0,0);
ERROR 4025 (23000): CONSTRAINT `CONSTRAINT_1` failed for `test`.`t`

Also, interestingly, on 10.5.3 (dbg), if the ALTER TABLE t ADD c0 BLOB statement is removed (even though that statement itself only fails), the testcase no longer crashes and produces the same output as 10.5.4:

10.5.3 cfe5ee90c8e4b9dfa98a41fcd299197a59261be7

10.5.3>INSERT INTO t VALUES(0,0),(0,0),(0,0),(0,0),(0,0),(0,0),(0,0);
ERROR 4025 (23000): CONSTRAINT `CONSTRAINT_1` failed for `test`.`t`
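The sequence above written as a mysqltest regression test, added here as an illustration and not taken from the report or the MariaDB tree. It records the 10.5.4 behaviour (duplicate column error, then constraint failure) as expected errors, so a server crash on INSERT fails the test instead of going unnoticed. The test and file name are assumed; the error codes 1060 and 4025 are the ones shown in the report.

```sql
--echo # Regression test for MDEV-22652 (constructed example; file name assumed)
--echo # CHECK constraint with a repeated IN list on a column that a later,
--echo # failing ALTER tries to re-add. Expect errors, never a crash.

USE test;
CREATE TEMPORARY TABLE t(a INT);
ALTER TABLE t ADD c0 INT;
ALTER TABLE t ADD CONSTRAINT CHECK(c0 NOT IN (0,0,0));

--echo # Re-adding an existing column must fail with 1060 (duplicate column name)
--error 1060
ALTER TABLE t ADD c0 BLOB;

--echo # Rows violating the CHECK must fail with 4025 (constraint failed),
--echo # not with SIGSEGV in in_vector::find
--error 4025
INSERT INTO t VALUES(0,0),(0,0),(0,0),(0,0),(0,0),(0,0),(0,0);

--echo # Added sanity check: a row that satisfies the constraint is accepted
INSERT INTO t VALUES(1,1);
SELECT a, c0 FROM t;

DROP TEMPORARY TABLE t;
```

Run it with the mysql-test-run.pl harness from a debug build, since the report shows the crash only on dbg builds.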



Comments
Comment by Aleksey Midenkov [ 2023-09-24 ]

Does not reproduce in 10.4.32 b1ab4ec4e25:

CURRENT_TEST: bug/b.a
mysqltest: At line 5: query 'ALTER TABLE t ADD c0 BLOB' failed: 1060: Duplicate column name 'c0'

Comment by Roel Van de Paar [ 2023-09-25 ]

Confirmed no longer reproducible. Tested current 10.4, 10.5, 11.3.
