[MDEV-25637] Bug report: abortion in sql/set_var.cc:0 Created: 2021-05-10  Updated: 2022-02-09  Resolved: 2021-05-10

Status: Closed
Project: MariaDB Server
Component/s: None
Affects Version/s: 10.5.9, 10.3, 10.4, 10.5
Fix Version/s: 10.3.32, 10.4.22, 10.5.13, 10.6.5

Type: Bug Priority: Major
Reporter: Zuming Jiang Assignee: Alice Sherepa
Resolution: Duplicate Votes: 0
Labels: crash
Environment:

Ubuntu 18.04
MariaDB 10.5.9


Attachments: Text File abortion_report.txt; File fuzz.sql
Issue Links:
Duplicate
duplicates MDEV-22464 Server crash on UPDATE with nested su... Closed

Description

I used my fuzzing tool to test MariaDB, and found a bug that can result in an abortion.

Mariadb installation:
1) cd mariadb-10.5.9
2) mkdir build; cd build
3) cmake -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_DEBUG=ON ../
4) make -j8 && sudo make install

How to Repeat:
export ASAN_OPTIONS=detect_leaks=0
/usr/local/mysql/bin/mysqld_safe &
/usr/local/mysql/bin/mysql -uroot -p123456 (your password)
MariaDB> drop database if exists test_db;
MariaDB> create database test_db;
MariaDB> source fuzz.sql;

I have simplified the content of fuzz.sql, and I hope fuzz.sql can help you reproduce the bug and fix it. In addition, I attach the abortion report (which has its stack trace).



Comments
Comment by Alice Sherepa [ 2021-05-10 ]

Thanks! Repeatable on 10.3-10.5. This is a duplicate of MDEV-22464:

10.3 98e6159892ae36d4ab82c

Version: '10.3.29-MariaDB-debug-log'  
210510 12:19:43 [ERROR] mysqld got signal 11 ;
 
sigaction.c:0(__restore_rt)[0x7fef67b3f3c0]
sql/item.cc:7956(Item_ref::fix_fields(THD*, Item**))[0x55e2b7725dfd]
sql/item.h:829(Item::fix_fields_if_needed(THD*, Item**))[0x55e2b6cbc75b]
sql/item_func.cc:352(Item_func::fix_fields(THD*, Item**))[0x55e2b77e33e6]
sql/item.h:829(Item::fix_fields_if_needed(THD*, Item**))[0x55e2b6cbc75b]
sql/item.h:833(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55e2b6cbc795]
sql/item.h:838(Item::fix_fields_if_needed_for_bool(THD*, Item**))[0x55e2b6de1589]
sql/sql_select.cc:1211(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55e2b6fd5c77]
sql/item_subselect.cc:3790(subselect_single_select_engine::prepare(THD*))[0x55e2b78d64fa]
sql/item_subselect.cc:280(Item_subselect::fix_fields(THD*, Item**))[0x55e2b78b04c3]
sql/item.h:829(Item::fix_fields_if_needed(THD*, Item**))[0x55e2b6cbc75b]
sql/item_func.cc:352(Item_func::fix_fields(THD*, Item**))[0x55e2b77e33e6]
sql/item.h:829(Item::fix_fields_if_needed(THD*, Item**))[0x55e2b6cbc75b]
sql/item_func.cc:352(Item_func::fix_fields(THD*, Item**))[0x55e2b77e33e6]
sql/item.h:829(Item::fix_fields_if_needed(THD*, Item**))[0x55e2b6cbc75b]
sql/item.h:833(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55e2b6cbc795]
sql/item.h:838(Item::fix_fields_if_needed_for_bool(THD*, Item**))[0x55e2b6de1589]
sql/sql_base.cc:8299(setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**))[0x55e2b6dd8ed1]
sql/sql_select.cc:660(setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*, unsigned int*))[0x55e2b6fcf2bc]
sql/sql_select.cc:1153(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55e2b6fd504e]
sql/sql_select.cc:4318(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55e2b6ff6846]
sql/sql_update.cc:1816(mysql_multi_update(THD*, TABLE_LIST*, List<Item>*, List<Item>*, Item*, unsigned long long, enum_duplicates, bool, st_select_lex_unit*, st_select_lex*, multi_update**))[0x55e2b71e1b4e]
sql/sql_parse.cc:4422(mysql_execute_command(THD*))[0x55e2b6f2ff56]
sql/sql_parse.cc:7873(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55e2b6f48888]
sql/sql_parse.cc:1855(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55e2b6f1f66d]
sql/sql_parse.cc:1398(do_command(THD*))[0x55e2b6f1c1a4]
sql/sql_connect.cc:1403(do_handle_one_connection(CONNECT*))[0x55e2b72ea2c9]
sql/sql_connect.cc:1309(handle_one_connection)[0x55e2b72e9b83]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55e2b891d7a7]
nptl/pthread_create.c:478(start_thread)[0x7fef67b33609]
x86_64/clone.S:97(__GI___clone)[0x7fef67a5a293]
 
Query (0x62b000000290): UPDATE v0 SET 
v1 = 26 WHERE ( 
SELECT 33 FROM v0 AS v2 
JOIN v0 
ON 0<>0 ) = ( SELECT ( v1 + v1 ) / 127 AS v3 FROM v0 AS v4 GROUP BY NOT v1 <= 'x' HAVING v1 ) - v1
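
The following is an added reproduction script, not the reporter's fuzz.sql and not part of the bug report itself. It stitches together the "How to Repeat" steps from the description and the UPDATE statement printed in the crash log above so the case can be re-run without the attachment. The attachment is not shown on this page, so the definition of v0 (a single INT column v1) and the three sample rows are assumptions chosen only to satisfy every reference the query makes; the database name test_db comes from the report. Run it in a throwaway, debug-built server as in the description (ASAN_OPTIONS=detect_leaks=0, mysqld_safe), never on a production instance.

```sql
-- Added example, not code from the bug report or from fuzz.sql.
-- Schema and rows for v0 are ASSUMED (fuzz.sql is not on this page); the
-- UPDATE statement itself is copied verbatim from the crash log in the comment.

DROP DATABASE IF EXISTS test_db;
CREATE DATABASE test_db;
USE test_db;

-- Assumed stand-in for whatever fuzz.sql created: one numeric column named v1,
-- which is the only column the query refers to, plus a few rows so the
-- subqueries, GROUP BY and HAVING have something to evaluate.
CREATE TABLE v0 (v1 INT);
INSERT INTO v0 VALUES (1), (2), (3);

-- Record the server version first: a "no crash" outcome is only meaningful
-- when compared with the Fix Version/s list (10.3.32, 10.4.22, 10.5.13, 10.6.5).
SELECT VERSION();

-- The statement from the crash log. The trace in the comment places the fault
-- in name resolution (Item_ref::fix_fields under JOIN::prepare, reached from
-- mysql_multi_update), i.e. while the nested subqueries are being prepared.
-- On the affected builds this kills mysqld (SIGSEGV on the 10.3.29 debug build
-- in the comment, an ASAN abort on the reporter's 10.5.9 build), and the client
-- reports a lost connection.
UPDATE v0 SET
v1 = 26 WHERE (
SELECT 33 FROM v0 AS v2
JOIN v0
ON 0<>0 ) = ( SELECT ( v1 + v1 ) / 127 AS v3 FROM v0 AS v4 GROUP BY NOT v1 <= 'x' HAVING v1 ) - v1;

-- On a fixed build control returns here: the UPDATE either completes or is
-- rejected with an ordinary SQL error, and the connection still answers.
SELECT 'server still alive' AS status;
```

Save it as repro.sql and load it exactly as the report does, with `source repro.sql;` from the mysql client, or with `mysql -uroot -p < repro.sql`. Whether the UPDATE on a fixed version succeeds or returns an error is not stated on this page; the only result this script checks for is that the final SELECT is answered, which it cannot be when the server has died.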

Generated at Thu Feb 08 09:39:12 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.