[MDEV-22875] Various SIGSEGV crashes on optimized builds which may be masked, or fixed, by recent changes related to max_sort_length Created: 2020-06-12  Updated: 2020-06-13  Resolved: 2020-06-13

Status: Closed
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 10.1, 10.2, 10.3, 10.4, 10.5
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Varun Gupta (Inactive)
Resolution: Duplicate Votes: 0
Labels: None

Issue Links:
Duplicate
is duplicated by MDEV-22715 SIGSEGV in radixsort_for_str_ptr and ... Closed
Relates
relates to MDEV-22267 Assertion `length == Field_timef::pac... Closed
relates to MDEV-22715 SIGSEGV in radixsort_for_str_ptr and ... Closed

 Description   

I found various other testcases, related to small max_sort_length settings, which crash older optimized builds, but not the most recent ones. This is likely due to the changes in this area. I just want to make sure that these bugs are not 'masked' somehow by changes while they are still present underneath (even if masked), and could then potentially be triggered in other ways. Please use the older revisions as listed to reproduce if required. We can discuss further online. Feel free to close if it is certain these are fixed by the recent changes also.

USE test;
 
SET SQL_MODE='';
 
CREATE TABLE t (c1 DECIMAL UNSIGNED ZEROFILL,c2 DECIMAL(65) UNSIGNED,c3 VARCHAR(255) BINARY CHARACTER SET 'latin1' COLLATE 'latin1_bin') ENGINE=MEMORY;
 
INSERT INTO t VALUES ('a','a','a');
 
set max_sort_length=5;
 
INSERT INTO t VALUES (29,5,NULL);
 
INSERT INTO t SELECT * FROM t;
 
SELECT * FROM t WHERE c1 >= '00:00:00' ORDER BY c1,c2 LIMIT 2;

Leads to:

10.5.4 6877ef9a7c9c7ee55d67e4baaf4e8f7b874c9f89

 
Core was generated by `/test/MD060620-mariadb-10.5.4-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
 
Program terminated with signal SIGSEGV, Segmentation fault.
 
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
 
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
 
[Current thread is 1 (Thread 0x14bd2af14700 (LWP 2493781))]
 
(gdb) bt
 
(gdb) (gdb) #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
 
#1  0x000055a5f3a44927 in my_write_core (sig=sig@entry=11) at /test/10.5_opt/mysys/stacktrace.c:518
 
#2  0x000055a5f341033a in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:330
 
#3  <signal handler called>
 
#4  0x000055a5f371f98b in heap_rrnd (info=0x14bd064a1318, record=0x14bd0645f038 "\377\200", pos=0x14bd05000000 <error: Cannot access memory at address 0x14bd05000000>) at /test/10.5_opt/storage/heap/hp_rrnd.c:40
 
#5  0x000055a5f3415922 in handler::ha_rnd_pos (this=0x14bd0646ea30, buf=0x14bd0645f038 "\377\200", pos=0x14bd06450328 "") at /test/10.5_opt/sql/handler.cc:3021
 
#6  0x000055a5f3544ae8 in rr_from_pointers (info=0x14bd0644b000) at /test/10.5_opt/sql/records.cc:607
 
#7  0x000055a5f3255e07 in sub_select (join=0x14bd06448ee8, join_tab=0x14bd0644af38, end_of_records=false) at /test/10.5_opt/sql/sql_select.cc:20626
 
#8  0x000055a5f32774ee in do_select (procedure=<optimized out>, join=0x14bd06448ee8) at /test/10.5_opt/sql/sql_select.cc:20163
 
#9  JOIN::exec_inner (this=this@entry=0x14bd06448ee8) at /test/10.5_opt/sql/sql_select.cc:4475
 
#10 0x000055a5f3277927 in JOIN::exec (this=this@entry=0x14bd06448ee8) at /test/10.5_opt/sql/sql_select.cc:4256
 
#11 0x000055a5f3275c72 in mysql_select (thd=thd@entry=0x14bd06412018, tables=0x14bd06447708, fields=@0x14bd06447260: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bd064476c0, last = 0x14bd06449888, elements = 3}, <No data fields>}, conds=0x14bd06447ff0, og_num=<optimized out>, order=0x14bd06448ba8, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x14bd06448ec0, unit=0x14bd06415e70, select_lex=0x14bd06447110) at /test/10.5_opt/sql/sql_select.cc:4680
 
#12 0x000055a5f3276631 in handle_select (thd=thd@entry=0x14bd06412018, lex=lex@entry=0x14bd06415da8, result=result@entry=0x14bd06448ec0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_opt/sql/sql_select.cc:417
 
#13 0x000055a5f321d081 in execute_sqlcom_select (thd=thd@entry=0x14bd06412018, all_tables=0x14bd06447708) at /test/10.5_opt/sql/sql_parse.cc:6208
 
#14 0x000055a5f32197b1 in mysql_execute_command (thd=thd@entry=0x14bd06412018) at /test/10.5_opt/sql/sql_parse.cc:3939
 
#15 0x000055a5f322019c in mysql_parse (thd=0x14bd06412018, rawbuf=<optimized out>, length=61, parser_state=0x14bd2af13430, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_parse.cc:7992
 
#16 0x000055a5f3215485 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14bd06412018, packet=packet@entry=0x14bd0643a019 "", packet_length=packet_length@entry=61, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:1874
 
#17 0x000055a5f3213874 in do_command (thd=0x14bd06412018) at /test/10.5_opt/sql/sql_parse.cc:1355
 
#18 0x000055a5f3308e51 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x14bd27c33958, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1411
 
#19 0x000055a5f33091b4 in handle_one_connection (arg=arg@entry=0x14bd27c33958) at /test/10.5_opt/sql/sql_connect.cc:1313
 
#20 0x000055a5f36768ca in pfs_spawn_thread (arg=0x14bd27c4e818) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
 
#21 0x000014bd29e8d6db in start_thread (arg=0x14bd2af14700) at pthread_create.c:463
 
#22 0x000014bd2928b88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.1.46 (dbg), 10.1.46 (opt), 10.2.33 (dbg), 10.2.33 (opt), 10.3.24 (dbg), 10.3.24 (opt), 10.4.14 (dbg), 10.4.14 (opt), 10.5.4 (dbg), 10.5.4 (opt)

Bug confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Does not reproduce on 10.5.4 07d1c8567cbfe94398a9857c47fb9919cad42651

 Comments   
Comment by Roel Van de Paar [ 2020-06-12 ]

Note to self; unique bug ID's

SIGSEGV|heap_rrnd|handler::ha_rnd_pos|rr_from_pointers|sub_select  # Testcases: original report above, #4
 
SIGSEGV|heap_rrnd|handler::ha_rnd_pos|rr_from_pointers|AGGR_OP::end_send  # Testcases: below: #1, #2, #3

Comment by Roel Van de Paar [ 2020-06-12 ]

#1

USE test;
 
SET SQL_MODE='';
 
SET SESSION sql_buffer_result = ON;
 
CREATE TEMPORARY TABLE t2 (c1 TIME PRIMARY KEY,c2 DECIMAL(65,10),c3 BIGINT(254)) ENGINE=Aria;
 
INSERT INTO t2 VALUES ('a','b','c');
 
SET SESSION max_sort_length=-1;
 
INSERT INTO t2 VALUES (55,42,'aaa');
 
INSERT INTO t2 VALUES (1,'aaa','aaa');
 
INSERT INTO t2 VALUES(CURRENT_TIME(),CURRENT_TIME(),'2009-01-17');
 
SELECT * FROM t2 WHERE c2 >=0 AND c2 <= 16777215 ORDER BY c2,c1 LIMIT 2;

Leads to:

10.5.4 6877ef9a7c9c7ee55d67e4baaf4e8f7b874c9f89

 
Core was generated by `/test/MD060620-mariadb-10.5.4-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
 
Program terminated with signal SIGSEGV, Segmentation fault.
 
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
 
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
 
[Current thread is 1 (Thread 0x149f81b76700 (LWP 2636345))]
 
(gdb) bt
 
(gdb) (gdb) #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
 
#1  0x0000561d02e69927 in my_write_core (sig=sig@entry=11) at /test/10.5_opt/mysys/stacktrace.c:518
 
#2  0x0000561d0283533a in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:330
 
#3  <signal handler called>
 
#4  0x0000561d02b4498b in heap_rrnd (info=0x149f5e085318, record=0x149f5e0546c8 "\377\200", pos=0x55b3 <error: Cannot access memory at address 0x55b3>) at /test/10.5_opt/storage/heap/hp_rrnd.c:40
 
#5  0x0000561d0283a922 in handler::ha_rnd_pos (this=0x149f5e090a30, buf=0x149f5e0546c8 "\377\200", pos=0x149f5e0501a8 "\263U") at /test/10.5_opt/sql/handler.cc:3021
 
#6  0x0000561d02969ae8 in rr_from_pointers (info=0x149f5e04bbc8) at /test/10.5_opt/sql/records.cc:607
 
#7  0x0000561d02694bc3 in AGGR_OP::end_send (this=0x149f5e04c978) at /test/10.5_opt/sql/sql_select.cc:28906
 
#8  0x0000561d02694d8e in sub_select_postjoin_aggr (join=0x149f5e049440, join_tab=0x149f5e04bb00, end_of_records=<optimized out>) at /test/10.5_opt/sql/sql_select.cc:20339
 
#9  0x0000561d0269c51d in do_select (procedure=<optimized out>, join=0x149f5e049440) at /test/10.5_opt/sql/sql_select.cc:20165
 
#10 JOIN::exec_inner (this=this@entry=0x149f5e049440) at /test/10.5_opt/sql/sql_select.cc:4475
 
#11 0x0000561d0269c927 in JOIN::exec (this=this@entry=0x149f5e049440) at /test/10.5_opt/sql/sql_select.cc:4256
 
#12 0x0000561d0269ac72 in mysql_select (thd=thd@entry=0x149f5e012018, tables=0x149f5e047718, fields=@0x149f5e047270: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x149f5e0476d0, last = 0x149f5e049de0, elements = 3}, <No data fields>}, conds=0x149f5e048660, og_num=<optimized out>, order=0x149f5e049118, group=0x0, having=0x0, proc_param=0x0, select_options=2147879680, result=0x149f5e049418, unit=0x149f5e015e70, select_lex=0x149f5e047120) at /test/10.5_opt/sql/sql_select.cc:4680
 
#13 0x0000561d0269b631 in handle_select (thd=thd@entry=0x149f5e012018, lex=lex@entry=0x149f5e015da8, result=result@entry=0x149f5e049418, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_opt/sql/sql_select.cc:417
 
#14 0x0000561d02642081 in execute_sqlcom_select (thd=thd@entry=0x149f5e012018, all_tables=0x149f5e047718) at /test/10.5_opt/sql/sql_parse.cc:6208
 
#15 0x0000561d0263e7b1 in mysql_execute_command (thd=thd@entry=0x149f5e012018) at /test/10.5_opt/sql/sql_parse.cc:3939
 
#16 0x0000561d0264519c in mysql_parse (thd=0x149f5e012018, rawbuf=<optimized out>, length=71, parser_state=0x149f81b75430, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_parse.cc:7992
 
#17 0x0000561d0263a485 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x149f5e012018, packet=packet@entry=0x149f5e03a019 "", packet_length=packet_length@entry=71, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:1874
 
#18 0x0000561d02638874 in do_command (thd=0x149f5e012018) at /test/10.5_opt/sql/sql_parse.cc:1355
 
#19 0x0000561d0272de51 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x149f7e833958, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1411
 
#20 0x0000561d0272e1b4 in handle_one_connection (arg=arg@entry=0x149f7e833958) at /test/10.5_opt/sql/sql_connect.cc:1313
 
#21 0x0000561d02a9b8ca in pfs_spawn_thread (arg=0x149f7e84e818) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
 
#22 0x0000149f80aef6db in start_thread (arg=0x149f81b76700) at pthread_create.c:463
 
#23 0x0000149f7feed88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.2.33 (dbg), 10.2.33 (opt), 10.3.24 (dbg), 10.3.24 (opt), 10.4.14 (dbg), 10.4.14 (opt), 10.5.4 (dbg), 10.5.4 (opt)

Bug confirmed not present in:
MariaDB: 10.1.46 (dbg), 10.1.46 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Does not reproduce on 10.5.4 07d1c8567cbfe94398a9857c47fb9919cad42651

Comment by Roel Van de Paar [ 2020-06-12 ]

#2

USE test;
 
SET sql_mode='';
 
SET max_sort_length=5;
 
SET sql_buffer_result=1;
 
CREATE TABLE t2(c1 BIGINT,c2 NUMERIC(65,10));
 
INSERT INTO t2 VALUES(0,STR_TO_DATE('a','%M,%Y'));
 
INSERT INTO t2 VALUES(0,0);
 
INSERT INTO t2 VALUES(0,0);
 
INSERT INTO t2 VALUES(0,0);
 
SELECT * FROM t2 ORDER BY c1,c2 DESC LIMIT 2;

Leads to:

10.5.4 6877ef9a7c9c7ee55d67e4baaf4e8f7b874c9f89

 
Core was generated by `/test/MD060620-mariadb-10.5.4-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
 
Program terminated with signal SIGSEGV, Segmentation fault.
 
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
 
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
 
[Current thread is 1 (Thread 0x153256113700 (LWP 3495426))]
 
(gdb) bt
 
(gdb) (gdb) #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
 
#1  0x00005648edff8927 in my_write_core (sig=sig@entry=11) at /test/10.5_opt/mysys/stacktrace.c:518
 
#2  0x00005648ed9c433a in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:330
 
#3  <signal handler called>
 
#4  0x00005648edcd398b in heap_rrnd (info=0x153232100318, record=0x1532320601e8 "\377", pos=0x150000000000 <error: Cannot access memory at address 0x150000000000>) at /test/10.5_opt/storage/heap/hp_rrnd.c:40
 
#5  0x00005648ed9c9922 in handler::ha_rnd_pos (this=0x1532320a2630, buf=0x1532320601e8 "\377", pos=0x153232050358 "") at /test/10.5_opt/sql/handler.cc:3021
 
#6  0x00005648edaf8ae8 in rr_from_pointers (info=0x15323204a4f8) at /test/10.5_opt/sql/records.cc:607
 
#7  0x00005648ed823bc3 in AGGR_OP::end_send (this=0x15323204afd0) at /test/10.5_opt/sql/sql_select.cc:28906
 
#8  0x00005648ed823d8e in sub_select_postjoin_aggr (join=0x153232048a80, join_tab=0x15323204a430, end_of_records=<optimized out>) at /test/10.5_opt/sql/sql_select.cc:20339
 
#9  0x00005648ed82b51d in do_select (procedure=<optimized out>, join=0x153232048a80) at /test/10.5_opt/sql/sql_select.cc:20165
 
#10 JOIN::exec_inner (this=this@entry=0x153232048a80) at /test/10.5_opt/sql/sql_select.cc:4475
 
#11 0x00005648ed82b927 in JOIN::exec (this=this@entry=0x153232048a80) at /test/10.5_opt/sql/sql_select.cc:4256
 
#12 0x00005648ed829c72 in mysql_select (thd=thd@entry=0x153232012018, tables=0x1532320476e8, fields=@0x153232047240: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1532320476a0, last = 0x1532320492b8, elements = 2}, <No data fields>}, conds=0x0, og_num=<optimized out>, order=0x153232048750, group=0x0, having=0x0, proc_param=0x0, select_options=2147879680, result=0x153232048a58, unit=0x153232015e70, select_lex=0x1532320470f0) at /test/10.5_opt/sql/sql_select.cc:4680
 
#13 0x00005648ed82a631 in handle_select (thd=thd@entry=0x153232012018, lex=lex@entry=0x153232015da8, result=result@entry=0x153232048a58, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_opt/sql/sql_select.cc:417
 
#14 0x00005648ed7d1081 in execute_sqlcom_select (thd=thd@entry=0x153232012018, all_tables=0x1532320476e8) at /test/10.5_opt/sql/sql_parse.cc:6208
 
#15 0x00005648ed7cd7b1 in mysql_execute_command (thd=thd@entry=0x153232012018) at /test/10.5_opt/sql/sql_parse.cc:3939
 
#16 0x00005648ed7d419c in mysql_parse (thd=0x153232012018, rawbuf=<optimized out>, length=44, parser_state=0x153256112430, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_parse.cc:7992
 
#17 0x00005648ed7c9485 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x153232012018, packet=packet@entry=0x15323203a019 "", packet_length=packet_length@entry=44, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:1874
 
#18 0x00005648ed7c7874 in do_command (thd=0x153232012018) at /test/10.5_opt/sql/sql_parse.cc:1355
 
#19 0x00005648ed8bce51 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x153252c33958, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1411
 
#20 0x00005648ed8bd1b4 in handle_one_connection (arg=arg@entry=0x153252c33958) at /test/10.5_opt/sql/sql_connect.cc:1313
 
#21 0x00005648edc2a8ca in pfs_spawn_thread (arg=0x153252c4e818) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
 
#22 0x000015325508c6db in start_thread (arg=0x153256113700) at pthread_create.c:463
 
#23 0x000015325448a88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.2.33 (dbg), 10.2.33 (opt), 10.3.24 (dbg), 10.3.24 (opt), 10.4.14 (dbg), 10.4.14 (opt), 10.5.4 (dbg), 10.5.4 (opt)

Bug confirmed not present in:
MariaDB: 10.1.46 (dbg), 10.1.46 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Does not reproduce on 10.5.4 07d1c8567cbfe94398a9857c47fb9919cad42651

Comment by Roel Van de Paar [ 2020-06-12 ]

Perhaps it would also be a good idea to add these testcases to MTR?

Comment by Roel Van de Paar [ 2020-06-12 ]

#3

CREATE DATABASE test;
 
USE test;
 
SET sql_mode='';
 
SET SESSION max_sort_length=3;
 
SET SESSION sql_buffer_result=ON;
 
CREATE TABLE t2(c1 NUMERIC(65,10)UNSIGNED ZEROFILL,c2 NUMERIC(65,10),c3 NUMERIC(65,30) ZEROFILL,KEY (c1));
 
ALTER TABLE t2 DROP PRIMARY KEY;;
 
INSERT INTO t2 VALUES(-128,0,1),(-1,1,1),(-2,2,2),(-3,3,3),(-4,4,4),(-5,5,5),(-6,6,6),(0,0,7),(1,1,8),(127,255,9);
 
SELECT * FROM t2 ORDER BY c1,c2 DESC LIMIT 2;

Comment by Roel Van de Paar [ 2020-06-12 ]

#4

USE test;
 
SET sql_mode='';
 
SET max_sort_length=5;
 
SET @@session.enforce_storage_engine=MEMORY;
 
CREATE TEMPORARY TABLE IF NOT EXISTS t2 (c1 INTEGER(254) ZEROFILL,c2 DECIMAL(65) ZEROFILL,c3 VARCHAR(2037)) ;
 
insert into t2 values (9,"abc","def"),(5,"opq","lmn"),(2,"test t","t test");
 
INSERT INTO t2 SELECT * FROM t2;
 
SELECT * FROM t2 WHERE c1 <= '1000-00-01' ORDER BY c1,c2 LIMIT 2; ;

Comment by Roel Van de Paar [ 2020-06-13 ]

Tested testcases with `SET max_sort_length=8;` and they all did not crash either.

Comment by Roel Van de Paar [ 2020-06-13 ]

I am fine with closing this if varun does not see any other possible underlaying issues, or worded another way; that the issues caused against older revisions by these testcases are what was fixed in the related max_sort_length=8 improvement. Thanks!

Generated at Thu Feb 08 09:18:08 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.