[MDEV-26120] MariaDB server crash at base_ilist::append Created: 2021-07-09  Updated: 2021-07-12  Resolved: 2021-07-12

Status: Closed
Project: MariaDB Server
Component/s: N/A
Affects Version/s: 10.6.0, 10.6.1, 10.6.2, 10.6.3
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: yaoguang Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Environment:

Linux 5.4.0-39-generic #43-Ubuntu SMP Fri Jun 19 10:28:31 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux


Issue Links:
Duplicate
duplicates MDEV-25638 Assertion `!result' failed in conver... Closed

Description

Build the MariaDB server with ASan.

Steps to reproduce:

CREATE TABLE v0 ( v1 BIGINT ) ;
ALTER TABLE v0 ADD CONSTRAINT v0 CHECK ( v1 IN ( 'x' , 'x' , 'x' ) ) ;

backtrace report:

Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0x6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x7ff5e2d03300 (LWP 1913678))]
gdb-peda$ #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0x6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x000055ba276da98f in my_write_core (sig=sig@entry=0x6)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424
#2  0x000055ba26147583 in handle_fatal_signal (sig=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344
#3  <signal handler called>
#4  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#5  0x00007ff60188c859 in __GI_abort () at abort.c:79
#6  0x00007ff60235e6a2 in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
#7  0x00007ff60236924c in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
#8  0x00007ff60234a8ec in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
#9  0x00007ff60234a363 in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
#10 0x00007ff60234b74e in __asan_report_store8 ()
   from /lib/x86_64-linux-gnu/libasan.so.5
#11 0x000055ba256b43fc in base_ilist::append (a=0x61d000beb540,
    this=0x62b00007e2d8)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_list.h:750
#12 I_List<Item_change_record>::append (a=0x61d000beb540, this=0x62b00007e2d8)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_list.h:825
#13 Item_change_list::nocheck_register_item_tree_change (this=0x62b00007e2d8,
    place=0x6190004202b0, old_value=0x619000420800,
    runtime_memroot=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.cc:2917
#14 0x000055ba25a1e5e9 in THD::change_item_tree (this=0x62b00007e218,
    place=0x6190004202b0, new_value=0x61d000beb4b8)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:4368
#15 0x000055ba26260da6 in convert_const_to_int (thd=<optimized out>,
    field_item=<optimized out>, item=0x6190004202b0)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:358
#16 0x000055ba26278c56 in Item_func_in::value_list_convert_const_to_int (
    this=this@entry=0x619000420178, thd=thd@entry=0x62b00007e218)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:4493
#17 0x000055ba25e7b490 in Type_handler_real_result::Item_func_in_fix_comparator_compatible_types (this=<optimized out>, func=0x619000420178,
    thd=0x62b00007e218)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_type.cc:5881
#18 Type_handler_real_result::Item_func_in_fix_comparator_compatible_types (
    this=<optimized out>, thd=0x62b00007e218, func=0x619000420178)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_type.cc:5881
#19 0x000055ba2628ec2c in Item_func_in::fix_length_and_dec (
    this=0x619000420178)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_type.h:7434
#20 0x000055ba26320f32 in Item_func::fix_fields (this=0x619000420178,
    thd=<optimized out>, ref=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_func.cc:359
#21 0x000055ba262778c3 in Item_func_in::fix_fields (this=<optimized out>,
    thd=<optimized out>, ref=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:4326
#22 0x000055ba25bf8197 in fix_vcol_expr (thd=<optimized out>,
    vcol=0x619000420320)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:3583
#23 0x000055ba25bf964d in fix_and_check_vcol_expr (table=0x7ff5e2cfba20,
    vcol=0x619000420320, thd=0x62b00007e218)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:3668
#24 unpack_vcol_info_from_frm (thd=<optimized out>, table=<optimized out>,
    expr_str=<optimized out>, vcol_ptr=<optimized out>,
    error_reported=<optimized out>, mem_root=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:3794
#25 0x000055ba25c02c46 in parse_vcol_defs (thd=<optimized out>,
    mem_root=<optimized out>, table=0x7ff5e2cfba20,
    error_reported=<optimized out>, mode=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:1251
#26 0x000055ba25c1da70 in open_table_from_share (thd=thd@entry=0x62b00007e218,
    share=share@entry=0x7ff5e2cfbe70, alias=<optimized out>,
    db_stat=db_stat@entry=0x0, prgflag=prgflag@entry=0x1,
    ha_open_flags=ha_open_flags@entry=0x0, outparam=<optimized out>,
    is_create_table=<optimized out>, partitions_to_open=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:4174
#27 0x000055ba261743ab in ha_create_table (thd=thd@entry=0x62b00007e218,
    path=path@entry=0x7ff5e2cff41e "./test1972/#sql-alter-1d32c6-f69",
    db=<optimized out>, table_name=<optimized out>,
    create_info=create_info@entry=0x7ff5e2cfffa0,
    frm=frm@entry=0x7ff5e2cfc960, skip_frm_file=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/handler.cc:5862
#28 0x000055ba25b4ca01 in mysql_alter_table (thd=thd@entry=0x62b00007e218,
    new_db=new_db@entry=0x62b000082c68,
    new_name=new_name@entry=0x62b000083080,
    create_info=create_info@entry=0x7ff5e2cfffa0, table_list=<optimized out>,
    table_list@entry=0x62b0000868c0,
    alter_info=alter_info@entry=0x7ff5e2cffe70, order_num=<optimized out>,
    order=<optimized out>, ignore=<optimized out>, if_exists=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_alter.h:295
#29 0x000055ba25d0dd1b in Sql_cmd_alter_table::execute (this=<optimized out>,
    thd=0x62b00007e218)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/structs.h:568
#30 0x000055ba2583da67 in mysql_execute_command (thd=<optimized out>,
    is_called_from_prepared_stmt=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:5995
#31 0x000055ba257fc8dd in mysql_parse (thd=0x62b00007e218,
    rawbuf=<optimized out>, length=<optimized out>,
    parser_state=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028
#32 0x000055ba25832db9 in dispatch_command (command=COM_QUERY,
    thd=0x62b00007e218, packet=<optimized out>, packet_length=<optimized out>,
    blocking=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1995
#33 0x000055ba25837704 in do_command (thd=0x62b00007e218,
    blocking=blocking@entry=0x1)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406
#34 0x000055ba25cf714d in do_handle_one_connection (connect=<optimized out>,
    put_in_cache=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410
#35 0x000055ba25cf8807 in handle_one_connection (arg=arg@entry=0x60800ccab738)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312
#36 0x000055ba26b43ef0 in pfs_spawn_thread (arg=0x617000005f18)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201
#37 0x00007ff601db5609 in start_thread (arg=<optimized out>)
    at pthread_create.c:477
#38 0x00007ff601989293 in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
 
gdb-peda$ quit



Comments
Comment by Elena Stepanova [ 2021-07-09 ]

Probably related to MDEV-25638.

Comment by Alice Sherepa [ 2021-07-12 ]

Thank you for the report!
I repeated it on 10.2-10.6; it is the same bug as MDEV-25638.

:0(__GI___assert_fail)[0x7f2a60511f36]
sql/item_cmpfunc.cc:369(convert_const_to_int(THD*, Item_field*, Item**))[0x5632cb27cc13]
sql/item_cmpfunc.cc:4497(Item_func_in::value_list_convert_const_to_int(THD*))[0x5632cb2a8eb9]
sql/sql_type.cc:5886(Type_handler_real_result::Item_func_in_fix_comparator_compatible_types(THD*, Item_func_in*) const)[0x5632caf5f801]
sql/item_cmpfunc.cc:4413(Item_func_in::fix_length_and_dec())[0x5632cb2a84a6]
sql/item_func.cc:359(Item_func::fix_fields(THD*, Item**))[0x5632cb3072b7]
sql/item_cmpfunc.cc:4329(Item_func_in::fix_fields(THD*, Item**))[0x5632cb2a77d7]
sql/table.cc:3583(fix_vcol_expr(THD*, Virtual_column_info*))[0x5632caced45e]
sql/table.cc:3668(fix_and_check_vcol_expr(THD*, TABLE*, Virtual_column_info*))[0x5632cacee121]
sql/table.cc:3794(unpack_vcol_info_from_frm(THD*, st_mem_root*, TABLE*, String*, Virtual_column_info**, bool*))[0x5632cacef047]
sql/table.cc:1251(parse_vcol_defs(THD*, st_mem_root*, TABLE*, bool*, vcol_init_mode))[0x5632cacd9224]
sql/table.cc:4174(open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*))[0x5632cacf2b10]
sql/sql_table.cc:9210(create_table_for_inplace_alter(THD*, Alter_table_ctx const&, st_mysql_const_unsigned_lex_string*, TABLE_SHARE*, TABLE*))[0x5632cac2bfbb]
sql/sql_table.cc:10125(mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool))[0x5632cac31fdb]
sql/sql_alter.cc:550(Sql_cmd_alter_table::execute(THD*))[0x5632cadf1b6b]
sql/sql_parse.cc:5995(mysql_execute_command(THD*, bool))[0x5632ca990f2f]
sql/sql_parse.cc:8028(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x5632ca99e712]
sql/sql_parse.cc:1900(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x5632ca9747c6]
sql/sql_parse.cc:1406(do_command(THD*, bool))[0x5632ca9714ea]
sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x5632cadd44e6]
sql/sql_connect.cc:1314(handle_one_connection)[0x5632cadd3e43]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x5632cbaec525]
nptl/pthread_create.c:478(start_thread)[0x7f2a60a28609]
x86_64/clone.S:97(__GI___clone)[0x7f2a605fd293]
 
Query (0x62b0000a82a8): ALTER TABLE v0 ADD CONSTRAINT v0 CHECK ( v1 IN ( 'x' , 'x' , 'x' ) )

Generated at Thu Feb 08 09:42:54 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.