[MDEV-24942] Server crashes in _ma_rec_pack / _ma_write_blob_record with DEFAULT() on BLOB Created: 2021-02-22  Updated: 2021-05-10  Resolved: 2021-03-02

Status: Closed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 10.3
Fix Version/s: 10.3.29, 10.4.19, 10.5.10

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Michael Widenius
Resolution: Fixed Votes: 0
Labels: regression

Issue Links:
Relates
relates to MDEV-24958 Server crashes in my_strtod / Value_s... Closed
relates to MDEV-22703 DEFAULT() on a BLOB column can overwr... Closed
relates to MDEV-25627 Unexpected warning ER_TRUNCATED_WRONG... Open

Description

CREATE TABLE t1 (id INT, f MEDIUMTEXT NOT NULL DEFAULT '');
INSERT INTO t1 VALUES (1,'foo'),(2,'bar');
SELECT f FROM t1 GROUP BY id ORDER BY DEFAULT(f);
 
# Cleanup
DROP TABLE t1;

10.3 8db5274d

#3  <signal handler called>
#4  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:383
#5  0x00005609089bade2 in _ma_rec_pack (info=0x7f4b50098af0, to=0x7f4b501951de '\245' <repeats 200 times>..., from=0x7f4b5003b1c5 '\245' <repeats 11 times>, "\003") at /data/src/10.3/storage/maria/ma_dynrec.c:1005
#6  0x00005609089b801d in _ma_write_blob_record (info=0x7f4b50098af0, record=0x7f4b5003b1c0 "\376\001") at /data/src/10.3/storage/maria/ma_dynrec.c:262
#7  0x0000560908a4b735 in maria_write (info=0x7f4b50098af0, record=0x7f4b5003b1c0 "\376\001") at /data/src/10.3/storage/maria/ma_write.c:284
#8  0x00005609089c7b3d in ha_maria::write_row (this=0x7f4b5003b2f8, buf=0x7f4b5003b1c0 "\376\001") at /data/src/10.3/storage/maria/ha_maria.cc:1211
#9  0x000056090808ebb8 in handler::ha_write_tmp_row (this=0x7f4b5003b2f8, buf=0x7f4b5003b1c0 "\376\001") at /data/src/10.3/sql/sql_class.h:6481
#10 0x0000560908077d4d in end_write (join=0x7f4b50013850, join_tab=0x7f4b50014fc0, end_of_records=false) at /data/src/10.3/sql/sql_select.cc:21130
#11 0x000056090808a270 in AGGR_OP::put_record (this=0x7f4b50015ca8, end_of_records=false) at /data/src/10.3/sql/sql_select.cc:27757
#12 0x000056090808fb2b in AGGR_OP::put_record (this=0x7f4b50015ca8) at /data/src/10.3/sql/sql_select.h:1024
#13 0x0000560908073ad3 in sub_select_postjoin_aggr (join=0x7f4b50013850, join_tab=0x7f4b50014fc0, end_of_records=false) at /data/src/10.3/sql/sql_select.cc:19433
#14 0x000056090807477b in evaluate_join_record (join=0x7f4b50013850, join_tab=0x7f4b50014c30, error=0) at /data/src/10.3/sql/sql_select.cc:19931
#15 0x0000560908074035 in sub_select (join=0x7f4b50013850, join_tab=0x7f4b50014c30, end_of_records=false) at /data/src/10.3/sql/sql_select.cc:19711
#16 0x0000560908073507 in do_select (join=0x7f4b50013850, procedure=0x0) at /data/src/10.3/sql/sql_select.cc:19251
#17 0x000056090804a4cf in JOIN::exec_inner (this=0x7f4b50013850) at /data/src/10.3/sql/sql_select.cc:4124
#18 0x000056090804988e in JOIN::exec (this=0x7f4b50013850) at /data/src/10.3/sql/sql_select.cc:3918
#19 0x000056090804abab in mysql_select (thd=0x7f4b50000d90, tables=0x7f4b50012ce8, wild_num=0, fields=..., conds=0x0, og_num=2, order=0x7f4b50013700, group=0x7f4b50013470, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f4b50013828, unit=0x7f4b50004c58, select_lex=0x7f4b500053e0) at /data/src/10.3/sql/sql_select.cc:4323
#20 0x000056090803c13e in handle_select (thd=0x7f4b50000d90, lex=0x7f4b50004b98, result=0x7f4b50013828, setup_tables_done_option=0) at /data/src/10.3/sql/sql_select.cc:370
#21 0x0000560908002804 in execute_sqlcom_select (thd=0x7f4b50000d90, all_tables=0x7f4b50012ce8) at /data/src/10.3/sql/sql_parse.cc:6316
#22 0x0000560907ff9011 in mysql_execute_command (thd=0x7f4b50000d90) at /data/src/10.3/sql/sql_parse.cc:3847
#23 0x0000560908006b88 in mysql_parse (thd=0x7f4b50000d90, rawbuf=0x7f4b50012ab8 "SELECT f FROM t1 GROUP BY id ORDER BY DEFAULT(f)", length=48, parser_state=0x7f4b60e9d5c0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7840
#24 0x0000560907ff32ec in dispatch_command (command=COM_QUERY, thd=0x7f4b50000d90, packet=0x7f4b50008f11 "", packet_length=48, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1852
#25 0x0000560907ff1c8c in do_command (thd=0x7f4b50000d90) at /data/src/10.3/sql/sql_parse.cc:1398
#26 0x0000560908170295 in do_handle_one_connection (connect=0x56090b6f9090) at /data/src/10.3/sql/sql_connect.cc:1403
#27 0x000056090816fff1 in handle_one_connection (arg=0x56090b6f9090) at /data/src/10.3/sql/sql_connect.cc:1308
#28 0x0000560908b3c073 in pfs_spawn_thread (arg=0x56090b6dc460) at /data/src/10.3/storage/perfschema/pfs.cc:1869
#29 0x00007f4b67388609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#30 0x00007f4b66f64293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Reproducible with MyISAM, InnoDB, Aria.
Non-debug build doesn't crash on my machine, but non-debug ASAN build does, so it's probably just a matter of luck.

The failure started happening on 10.3 after this commit:

commit 8db5274dce7f8710b25ca954559843c9cd812ac5 (origin/10.3, 10.3)
Author: Monty
Date:   Sun Feb 21 20:38:32 2021 +0200
 
    MDEV-22703 DEFAULT() on a BLOB column can overwrite the default record

Comments
Comment by Michael Widenius [ 2021-03-02 ]

Pushed into 10.3

Generated at Thu Feb 08 09:33:52 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.