[MDEV-22941] Assertion `idx < array.elements' failed in Dynamic_array<st_mysql_const_lex_string*>::at

Created: 2020-06-19
Updated: 2020-07-14
Resolved: 2020-06-19

Status: Closed
Project: MariaDB Server
Component/s: Character Sets
Affects Version/s: 10.1, 10.2, 10.3, 10.4, 10.5
Fix Version/s: 10.1.46, 10.2.33, 10.3.24, 10.4.14, 10.5.5

Type: Bug
Priority: Critical
Reporter: Roel Van de Paar
Assignee: Alexander Barkov
Resolution: Fixed
Votes: 0
Labels: debug

Description

SET NAMES latin1, COLLATION_CONNECTION=ucs2_general_ci, CHARACTER_SET_CLIENT=cp932;
SELECT SCHEMA_NAME from information_schema.schemata where schema_name='имя_базы_в_кодировке_утф8_длиной_больше_чем_45';

Leads to:

10.5.4 4080e3acefd7e58d88c2f3539fb6a0fb359cf057

mysqld: /test/10.5_dbg/sql/sql_array.h:140: Elem& Dynamic_array<Elem>::at(size_t) [with Elem = st_mysql_const_lex_string*; size_t = long unsigned int]: Assertion `idx < array.elements' failed.

10.5.4 4080e3acefd7e58d88c2f3539fb6a0fb359cf057

Query (0x149a8f0740a0): SELECT SCHEMA_NAME from information_schema.schemata where schema_name='      _        _  _                  _      8_            _            _      _45'
Connection ID (thread ID): 4

Note the spaces in the query ^

10.5.4 4080e3acefd7e58d88c2f3539fb6a0fb359cf057

Core was generated by `/test/MD150620-mariadb-10.5.4-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x14940fd3e700 (LWP 2544238))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x000055f32fdea4c6 in my_write_core (sig=sig@entry=6) at /test/10.5_dbg/mysys/stacktrace.c:518
#2  0x000055f32f58cd60 in handle_fatal_signal (sig=6) at /test/10.5_dbg/sql/signal_handler.cc:330
#3  <signal handler called>
#4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5  0x00001494109b1801 in __GI_abort () at abort.c:79
#6  0x00001494109a139a in __assert_fail_base (fmt=0x149410b287d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55f32ff5120b "idx < array.elements", file=file@entry=0x55f32ff4c3d8 "/test/10.5_dbg/sql/sql_array.h", line=line@entry=140, function=function@entry=0x55f32ff80ec0 <Dynamic_array<st_mysql_const_lex_string*>::at(unsigned long)::__PRETTY_FUNCTION__> "Elem& Dynamic_array<Elem>::at(size_t) [with Elem = st_mysql_const_lex_string*; size_t = long unsigned int]") at assert.c:92
#7  0x00001494109a1412 in __GI___assert_fail (assertion=assertion@entry=0x55f32ff5120b "idx < array.elements", file=file@entry=0x55f32ff4c3d8 "/test/10.5_dbg/sql/sql_array.h", line=line@entry=140, function=function@entry=0x55f32ff80ec0 <Dynamic_array<st_mysql_const_lex_string*>::at(unsigned long)::__PRETTY_FUNCTION__> "Elem& Dynamic_array<Elem>::at(size_t) [with Elem = st_mysql_const_lex_string*; size_t = long unsigned int]") at assert.c:101
#8  0x000055f32f388369 in Dynamic_array<st_mysql_const_lex_string*>::at (idx=0, this=0x14940fd3c080) at /test/10.5_dbg/sql/sql_array.h:140
#9  fill_schema_schemata (thd=0x1493ee815088, tables=0x1493ee874898, cond=0x1493ee875358) at /test/10.5_dbg/sql/sql_show.cc:5304
#10 0x000055f32f38d15d in get_schema_tables_result (join=join@entry=0x1493ee876220, executed_place=executed_place@entry=PROCESSED_BY_JOIN_EXEC) at /test/10.5_dbg/sql/sql_show.cc:8673
#11 0x000055f32f3608e1 in JOIN::exec_inner (this=this@entry=0x1493ee876220) at /test/10.5_dbg/sql/sql_select.cc:4401
#12 0x000055f32f361289 in JOIN::exec (this=this@entry=0x1493ee876220) at /test/10.5_dbg/sql/sql_select.cc:4225
#13 0x000055f32f35f59e in mysql_select (thd=thd@entry=0x1493ee815088, tables=<optimized out>, fields=@0x1493ee874388: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1493ee8747f8, last = 0x1493ee8747f8, elements = 1}, <No data fields>}, conds=0x1493ee875358, og_num=0, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=2684619520, result=0x1493ee8761f8, unit=0x1493ee8190a0, select_lex=0x1493ee874238) at /test/10.5_dbg/sql/sql_select.cc:4649
#14 0x000055f32f35f8cd in handle_select (thd=thd@entry=0x1493ee815088, lex=lex@entry=0x1493ee818fd8, result=result@entry=0x1493ee8761f8, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_select.cc:417
#15 0x000055f32f2e91ed in execute_sqlcom_select (thd=thd@entry=0x1493ee815088, all_tables=0x1493ee874898) at /test/10.5_dbg/sql/sql_parse.cc:6209
#16 0x000055f32f2e2312 in mysql_execute_command (thd=thd@entry=0x1493ee815088) at /test/10.5_dbg/sql/sql_parse.cc:3939
#17 0x000055f32f2ef15c in mysql_parse (thd=thd@entry=0x1493ee815088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14940fd3d350, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7993
#18 0x000055f32f2dbc60 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1493ee815088, packet=packet@entry=0x1493ee867089 "SELECT SCHEMA_NAME from information_schema.schemata where schema_name='имя_базы_в_кодировке_утф8_длиной_больше_чем_45'", packet_length=packet_length@entry=153, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1874
#19 0x000055f32f2da43a in do_command (thd=0x1493ee815088) at /test/10.5_dbg/sql/sql_parse.cc:1355
#20 0x000055f32f435c47 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x1493f1d7a808, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1411
#21 0x000055f32f436363 in handle_one_connection (arg=arg@entry=0x1493f1d7a808) at /test/10.5_dbg/sql/sql_connect.cc:1313
#22 0x000055f32f897902 in pfs_spawn_thread (arg=0x14940f446c88) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#23 0x00001494116946db in start_thread (arg=0x14940fd3e700) at pthread_create.c:463
#24 0x0000149410a9288f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.1.46 (dbg), 10.2.33 (dbg), 10.3.24 (dbg), 10.4.14 (dbg), 10.5.4 (dbg)

Bug confirmed not present in:
MariaDB: 10.1.46 (opt), 10.2.33 (opt), 10.3.24 (opt), 10.4.14 (opt), 10.5.4 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)


Comments
Comment by Alexander Barkov [ 2020-06-19 ]

The same crash is repeatable with:

EXECUTE IMMEDIATE CONCAT('SELECT SCHEMA_NAME from information_schema.schemata where schema_name=''' , REPEAT('a',193), '''');

and with:

SELECT SCHEMA_NAME from information_schema.schemata where schema_name='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'

also with:

SELECT SCHEMA_NAME from information_schema.schemata where schema_name=REPEAT('a',193);

Comment by Roel Van de Paar [ 2020-06-19 ]

Thank you Bar!

Comment by Roel Van de Paar [ 2020-06-25 ]

Filters updated.

Comment by Roel Van de Paar [ 2020-07-06 ]

SET COLLATION_CONNECTION=eucjpms_bin, SESSION CHARACTER_SET_CLIENT=cp932;
SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.schemata WHERE schema_name='имя_базы_в_кодировке_утф8_длиной_больше_чем_45';

Leads to:

10.5.5 e1013725ce0f3f947e728491eef75d9985e8db2f

mysqld: /test/10.5_dbg/sql/sql_array.h:140: Elem& Dynamic_array<Elem>::at(size_t) [with Elem = st_mysql_const_lex_string*; size_t = long unsigned int]: Assertion `idx < array.elements' failed.

10.5.5 e1013725ce0f3f947e728491eef75d9985e8db2f

Core was generated by `/test/MD250620-mariadb-10.5.5-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x146f7d299700 (LWP 2963673))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x000055eed390b7d0 in my_write_core (sig=sig@entry=6) at /test/10.5_dbg/mysys/stacktrace.c:518
#2  0x000055eed30c447a in handle_fatal_signal (sig=6) at /test/10.5_dbg/sql/signal_handler.cc:330
#3  <signal handler called>
#4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5  0x0000146f7b52f801 in __GI_abort () at abort.c:79
#6  0x0000146f7b51f39a in __assert_fail_base (fmt=0x146f7b6a67d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55eed3a7226b "idx < array.elements", file=file@entry=0x55eed3a6d438 "/test/10.5_dbg/sql/sql_array.h", line=line@entry=140, function=function@entry=0x55eed3aa1f20 <Dynamic_array<st_mysql_const_lex_string*>::at(unsigned long)::__PRETTY_FUNCTION__> "Elem& Dynamic_array<Elem>::at(size_t) [with Elem = st_mysql_const_lex_string*; size_t = long unsigned int]") at assert.c:92
#7  0x0000146f7b51f412 in __GI___assert_fail (assertion=assertion@entry=0x55eed3a7226b "idx < array.elements", file=file@entry=0x55eed3a6d438 "/test/10.5_dbg/sql/sql_array.h", line=line@entry=140, function=function@entry=0x55eed3aa1f20 <Dynamic_array<st_mysql_const_lex_string*>::at(unsigned long)::__PRETTY_FUNCTION__> "Elem& Dynamic_array<Elem>::at(size_t) [with Elem = st_mysql_const_lex_string*; size_t = long unsigned int]") at assert.c:101
#8  0x000055eed2ebf857 in Dynamic_array<st_mysql_const_lex_string*>::at (idx=0, this=0x146f7d297080) at /test/10.5_dbg/sql/sql_array.h:140
#9  fill_schema_schemata (thd=0x146f59815088, tables=0x146f59874898, cond=0x146f598753a8) at /test/10.5_dbg/sql/sql_show.cc:5306
#10 0x000055eed2ec464b in get_schema_tables_result (join=join@entry=0x146f59876270, executed_place=executed_place@entry=PROCESSED_BY_JOIN_EXEC) at /test/10.5_dbg/sql/sql_show.cc:8675
#11 0x000055eed2e97dc3 in JOIN::exec_inner (this=this@entry=0x146f59876270) at /test/10.5_dbg/sql/sql_select.cc:4401
#12 0x000055eed2e9876b in JOIN::exec (this=this@entry=0x146f59876270) at /test/10.5_dbg/sql/sql_select.cc:4225
#13 0x000055eed2e96a80 in mysql_select (thd=thd@entry=0x146f59815088, tables=<optimized out>, fields=@0x146f59874388: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x146f598747f8, last = 0x146f598747f8, elements = 1}, <No data fields>}, conds=0x146f598753a8, og_num=0, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=2684619520, result=0x146f59876248, unit=0x146f598190a0, select_lex=0x146f59874238) at /test/10.5_dbg/sql/sql_select.cc:4649
#14 0x000055eed2e96daf in handle_select (thd=thd@entry=0x146f59815088, lex=lex@entry=0x146f59818fd8, result=result@entry=0x146f59876248, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_select.cc:417
#15 0x000055eed2e206c9 in execute_sqlcom_select (thd=thd@entry=0x146f59815088, all_tables=0x146f59874898) at /test/10.5_dbg/sql/sql_parse.cc:6211
#16 0x000055eed2e197c2 in mysql_execute_command (thd=thd@entry=0x146f59815088) at /test/10.5_dbg/sql/sql_parse.cc:3939
#17 0x000055eed2e26638 in mysql_parse (thd=thd@entry=0x146f59815088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x146f7d298350, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7995
#18 0x000055eed2e13110 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x146f59815088, packet=packet@entry=0x146f59867089 "SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.schemata WHERE schema_name='имя_базы_в_кодировке_утф8_длиной_больше_чем_45'", packet_length=packet_length@entry=153, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1874
#19 0x000055eed2e118ea in do_command (thd=0x146f59815088) at /test/10.5_dbg/sql/sql_parse.cc:1355
#20 0x000055eed2f6d15f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x146f5c0d2028, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1411
#21 0x000055eed2f6d87b in handle_one_connection (arg=arg@entry=0x146f5c0d2028) at /test/10.5_dbg/sql/sql_connect.cc:1313
#22 0x000055eed33d011c in pfs_spawn_thread (arg=0x146f7a046508) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#23 0x0000146f7c2126db in start_thread (arg=0x146f7d299700) at pthread_create.c:463
#24 0x0000146f7b61088f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.2.33 (dbg), 10.3.24 (dbg), 10.4.14 (dbg), 10.5.5 (dbg)

Bug confirmed not present in:
MariaDB: 10.1.46 (dbg), 10.1.46 (opt), 10.2.33 (opt), 10.3.24 (opt), 10.4.14 (opt), 10.5.5 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Comment by Roel Van de Paar [ 2020-07-14 ]

One more test case from a historical run:

SET @@global.character_set_connection=utf8;
SET NAMES sjis;
SET @@collation_connection=DEFAULT;
SELECT SCHEMA_NAME FROM information_schema.schemata WHERE SCHEMA_NAME='имя_базы_в_кодировке_утф8_длиной_больше_чем_45';

Generated at Thu Feb 08 09:18:38 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.