[MDEV-24513] SIGSEGV in Bitmap<64u>::set_bit from sort_and_filter_keyuse and UBSAN runtime error: member access within null pointer of type 'struct st_join_table' on SELECT Created: 2021-01-02  Updated: 2023-12-07

Status: Stalled
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Igor Babaev
Resolution: Unresolved Votes: 0
Labels: UBSAN


Description

CREATE TABLE t1 (a TEXT, FULLTEXT INDEX (a));
SET SESSION sql_select_limit=0;
SELECT (SELECT 1 FROM (SELECT 1) f WHERE MATCH (a) AGAINST ('')) FROM t1;

Leads to:

10.6.0 9118fd360a3da0bba521caf2a35c424968235ac4 (Debug)

Core was generated by `/test/MD010121-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x14a82c0fb700 (LWP 700708))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x000055d101af00d7 in my_write_core (sig=sig@entry=11) at /test/10.6_dbg/mysys/stacktrace.c:424
#2  0x000055d101284ab1 in handle_fatal_signal (sig=11) at /test/10.6_dbg/sql/signal_handler.cc:330
#3  <signal handler called>
#4  0x000055d100ffbac0 in Bitmap<64u>::set_bit (n=<optimized out>, this=0x188) at /test/10.6_dbg/sql/sql_bitmap.h:70
#5  sort_and_filter_keyuse (thd=thd@entry=0x14a7f4000db8, keyuse=keyuse@entry=0x14a7f4016d38, skip_unprefixed_keyparts=true) at /test/10.6_dbg/sql/sql_select.cc:6913
#6  0x000055d10103727c in make_join_statistics (join=join@entry=0x14a7f4016a48, tables_list=@0x14a7f4012e60: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14a7f4017708, last = 0x14a7f4017708, elements = 1}, <No data fields>}, keyuse_array=keyuse_array@entry=0x14a7f4016d38) at /test/10.6_dbg/sql/sql_select.cc:5064
#7  0x000055d10103fd9b in JOIN::optimize_inner (this=this@entry=0x14a7f4016a48) at /test/10.6_dbg/sql/sql_select.cc:2251
#8  0x000055d10104006c in JOIN::optimize (this=this@entry=0x14a7f4016a48) at /test/10.6_dbg/sql/sql_select.cc:1627
#9  0x000055d100f88517 in st_select_lex::optimize_unflattened_subqueries (this=0x14a7f40127b8, const_only=const_only@entry=false) at /test/10.6_dbg/sql/sql_lex.cc:4852
#10 0x000055d1011794cb in JOIN::optimize_unflattened_subqueries (this=this@entry=0x14a7f40163e8) at /test/10.6_dbg/sql/opt_subselect.cc:5555
#11 0x000055d10103e453 in JOIN::optimize_stage2 (this=this@entry=0x14a7f40163e8) at /test/10.6_dbg/sql/sql_select.cc:3037
#12 0x000055d10103fe3b in JOIN::optimize_inner (this=this@entry=0x14a7f40163e8) at /test/10.6_dbg/sql/sql_select.cc:2277
#13 0x000055d10104006c in JOIN::optimize (this=this@entry=0x14a7f40163e8) at /test/10.6_dbg/sql/sql_select.cc:1627
#14 0x000055d1010409ba in mysql_select (thd=thd@entry=0x14a7f4000db8, tables=0x14a7f4015370, fields=@0x14a7f4012908: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14a7f40152e8, last = 0x14a7f40152e8, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x14a7f40163c0, unit=0x14a7f4004f80, select_lex=0x14a7f40127b8) at /test/10.6_dbg/sql/sql_select.cc:4654
#15 0x000055d101040cd0 in handle_select (thd=thd@entry=0x14a7f4000db8, lex=lex@entry=0x14a7f4004eb8, result=result@entry=0x14a7f40163c0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.6_dbg/sql/sql_select.cc:417
#16 0x000055d100fb319d in execute_sqlcom_select (thd=thd@entry=0x14a7f4000db8, all_tables=0x14a7f4015370) at /test/10.6_dbg/sql/sql_parse.cc:6116
#17 0x000055d100fbfc7c in mysql_execute_command (thd=thd@entry=0x14a7f4000db8) at /test/10.6_dbg/sql/sql_parse.cc:3820
#18 0x000055d100fac072 in mysql_parse (thd=thd@entry=0x14a7f4000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14a82c0fa3d0) at /test/10.6_dbg/sql/sql_parse.cc:7881
#19 0x000055d100fba1ec in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14a7f4000db8, packet=packet@entry=0x14a7f4008d39 "SELECT (SELECT 1 FROM (SELECT 1) f WHERE MATCH (a) AGAINST ('')) FROM t1", packet_length=packet_length@entry=72) at /test/10.6_dbg/sql/sql_class.h:1293
#20 0x000055d100fbd52d in do_command (thd=0x14a7f4000db8) at /test/10.6_dbg/sql/sql_parse.cc:1348
#21 0x000055d1011197fc in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55d103e5eb78, put_in_cache=put_in_cache@entry=true) at /test/10.6_dbg/sql/sql_connect.cc:1410
#22 0x000055d101119f03 in handle_one_connection (arg=arg@entry=0x55d103e5eb78) at /test/10.6_dbg/sql/sql_connect.cc:1312
#23 0x000055d1015cf88f in pfs_spawn_thread (arg=0x55d103d99f58) at /test/10.6_dbg/storage/perfschema/pfs.cc:2201
#24 0x000014a8442ae609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#25 0x000014a843e9d293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.2.37 (dbg), 10.2.37 (opt), 10.3.28 (dbg), 10.3.28 (opt), 10.4.18 (dbg), 10.4.18 (opt), 10.5.9 (dbg), 10.5.9 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.50 (dbg), 5.6.50 (opt), 5.7.32 (dbg), 5.7.32 (opt), 8.0.22 (dbg), 8.0.22 (opt)
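
The reproducer only has a target when a table carries a FULLTEXT index, and it needs nothing beyond SELECT on that table plus a session variable any account may set, so the exposure question for an unpatched server is which tables have such an index and who can read them. The queries below are an added example (not part of the report or of the MariaDB code base); they use only the standard information_schema.STATISTICS and TABLE_PRIVILEGES views, and the `demo` schema created first is a constructed fixture so the queries return something on a fresh instance.

```sql
-- Constructed fixture (not from the report): one table with a FULLTEXT
-- index and one without, so the exposure query below has a hit and a miss.
CREATE DATABASE IF NOT EXISTS demo;
CREATE TABLE demo.articles (
  id   INT PRIMARY KEY,
  body TEXT,
  FULLTEXT INDEX ft_body (body)
);
CREATE TABLE demo.plain (
  id   INT PRIMARY KEY,
  note VARCHAR(100)
);

-- 1. Every user table that carries a FULLTEXT index, one row per index,
--    with the indexed columns in key order. System schemas are skipped.
SELECT s.TABLE_SCHEMA,
       s.TABLE_NAME,
       s.INDEX_NAME,
       GROUP_CONCAT(s.COLUMN_NAME ORDER BY s.SEQ_IN_INDEX) AS fulltext_columns
FROM information_schema.STATISTICS AS s
WHERE s.INDEX_TYPE = 'FULLTEXT'
  AND s.TABLE_SCHEMA NOT IN ('mysql', 'information_schema',
                             'performance_schema', 'sys')
GROUP BY s.TABLE_SCHEMA, s.TABLE_NAME, s.INDEX_NAME
ORDER BY s.TABLE_SCHEMA, s.TABLE_NAME, s.INDEX_NAME;

-- 2. Accounts holding a table-level SELECT grant on any of those tables.
--    Table-level grants only: SELECT granted at database or global scope
--    (information_schema.SCHEMA_PRIVILEGES / USER_PRIVILEGES) also reaches
--    these tables and must be checked separately.
SELECT tp.GRANTEE,
       tp.TABLE_SCHEMA,
       tp.TABLE_NAME,
       tp.PRIVILEGE_TYPE
FROM information_schema.TABLE_PRIVILEGES AS tp
JOIN (SELECT DISTINCT TABLE_SCHEMA, TABLE_NAME
      FROM information_schema.STATISTICS
      WHERE INDEX_TYPE = 'FULLTEXT') AS ft
  ON ft.TABLE_SCHEMA = tp.TABLE_SCHEMA
 AND ft.TABLE_NAME   = tp.TABLE_NAME
WHERE tp.PRIVILEGE_TYPE = 'SELECT'
ORDER BY tp.GRANTEE, tp.TABLE_SCHEMA, tp.TABLE_NAME;
```

Any account that appears in the second result (or that holds SELECT more broadly) can issue the description's query against that table and take the server down; the variants in the comments show that `sql_select_limit` is not even required, a `LIMIT 0` or an always-false `WHERE` clause is enough. Since the issue is Unresolved and Stalled, the Fix Version/s field should not be read as a list of versions where this check can be skipped.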



Comments
Comment by Igor Babaev [ 2021-01-06 ]

The following query crashes the server in the same way:

SELECT (SELECT 1 FROM (SELECT 1) f WHERE MATCH (a) AGAINST ('')) FROM t1 LIMIT 0;

(This could be expected.)
If rows are inserted into t1:

INSERT INTO t1 VALUES (3), (7), (1);

the same kind of crash happens.

This query that does not use LIMIT also causes the same kind of crash:

SELECT * FROM t1 WHERE 1=2 AND (SELECT SUM(b) FROM t2 WHERE MATCH (a) AGAINST ('')) > 1; 

The above query uses table t2 besides table t1:

CREATE TABLE t2 (b int);
INSERT INTO t2 VALUES (2), (8), (4);

Comment by Roel Van de Paar [ 2021-01-11 ]

Igor, confirmed, I have the same. Thank you

Comment by Roel Van de Paar [ 2023-06-08 ]

UBSAN also sees the issue as member access within null pointer of type 'struct st_join_table':

CREATE TABLE t (a CHAR(0),FULLTEXT (a));
SET SESSION sql_select_limit=0;
SELECT (SELECT 0 FROM (SELECT 0) f WHERE MATCH (a) AGAINST (0)) FROM t;

Leads to:

11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug)

/test/11.0_dbg_san/sql/sql_select.cc:7503:37: runtime error: member access within null pointer of type 'struct st_join_table'

    #0 0x556f3093c536 in sort_and_filter_keyuse(JOIN*, st_dynamic_array*, bool) /test/11.0_dbg_san/sql/sql_select.cc:7503
    #1 0x556f30afa920 in make_join_statistics /test/11.0_dbg_san/sql/sql_select.cc:5587
    #2 0x556f30b2a738 in JOIN::optimize_inner() /test/11.0_dbg_san/sql/sql_select.cc:2577
    #3 0x556f30b2c64e in JOIN::optimize() /test/11.0_dbg_san/sql/sql_select.cc:1905
    #4 0x556f3056e8ac in st_select_lex::optimize_unflattened_subqueries(bool) /test/11.0_dbg_san/sql/sql_lex.cc:4903
    #5 0x556f313e4026 in JOIN::optimize_unflattened_subqueries() /test/11.0_dbg_san/sql/opt_subselect.cc:5803
    #6 0x556f30b0b56c in JOIN::optimize_stage2() /test/11.0_dbg_san/sql/sql_select.cc:3406
    #7 0x556f30b2a97c in JOIN::optimize_inner() /test/11.0_dbg_san/sql/sql_select.cc:2603
    #8 0x556f30b2c64e in JOIN::optimize() /test/11.0_dbg_san/sql/sql_select.cc:1905
    #9 0x556f30b2cdd7 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5144
    #10 0x556f30b3151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
    #11 0x556f306a3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
    #12 0x556f30704ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
    #13 0x556f30734973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
    #14 0x556f30744707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #15 0x556f30752542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #16 0x556f311278b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #17 0x556f31128dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #18 0x152aff294b42 in start_thread nptl/pthread_create.c:442
    #19 0x152aff3269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 11.3.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1

Generated at Thu Feb 08 09:30:34 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.