[MDEV-26139] Spider crashes with segmentation fault (signal 11) on CREATE TABLE when COMMENT does not contain embedded double quotes Created: 2021-07-14  Updated: 2021-07-15  Resolved: 2021-07-15

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - Spider
Affects Version/s: 10.5.9, 10.4.20, 10.6.3
Fix Version/s: 10.4.21, 10.5.12, 10.6.4

Type: Bug Priority: Critical
Reporter: Nayuta Yanagisawa (Inactive) Assignee: Nayuta Yanagisawa (Inactive)
Resolution: Fixed Votes: 0
Labels: Crash, not-10.3, regression

Issue Links:
Problem/Incident

Description

On MariaDB Server 10.5.9 on Ubuntu 20.04, Spider causes a crash when the following CREATE TABLE statement is executed:

CREATE TABLE test.fed_test_spider (
   id INT PRIMARY KEY AUTO_INCREMENT,
   name VARCHAR(50)
) ENGINE = Spider
COMMENT "host '<user_ip_address>', port 3306, user 'spider_user', password 'user_passwd', database 'ken_test', table 'fed_test'";

ERROR 2013 (HY000): Lost connection to MySQL server during query

The error log says that the crash occurred in st_spider_param_string_parse::get_next_parameter_head(). In particular, it appears to refer to this line of code: https://github.com/MariaDB/server/blob/mariadb-10.5.9/storage/spider/spd_table.h#L197

Thread pointer: 0x7f3f10000db8
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f3f501f6d98 thread_stack 0x49000
mysys/stacktrace.c:212(my_print_stacktrace)[0x560ae22279da]
sql/signal_handler.cc:211(handle_fatal_signal)[0x560ae1906955]
??:0(__restore_rt)[0x7f3f9874e3c0]
spider/spd_table.h:197(st_spider_param_string_parse::get_next_parameter_head(char*, char**))[0x7f3f97cbd8ac]
spider/spd_table.cc:2273(spider_parse_connect_info(st_spider_share*, TABLE_SHARE*, partition_info*, unsigned int))[0x7f3f97c8e2fb]
spider/ha_spider.cc:11630(ha_spider::create(char const*, TABLE*, HA_CREATE_INFO*))[0x7f3f97d0ea13]
sql/handler.cc:5092(handler::ha_create(char const*, TABLE*, HA_CREATE_INFO*))[0x560ae1918760]
sql/handler.cc:5557(ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*))[0x560ae1919fae]
sql/sql_table.cc:5376(create_table_impl(THD*, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, char const*, DDL_options_st, HA_CREATE_INFO*, Alter_info*, int, bool*, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*))[0x560ae1699aed]
sql/sql_table.cc:5460(mysql_create_table_no_lock(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*))[0x560ae1699f2d]
sql/sql_table.cc:5564(mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*))[0x560ae169a3c5]
sql/sql_table.cc:12142(Sql_cmd_create_table_like::execute(THD*))[0x560ae16ae165]
sql/sql_parse.cc:6024(mysql_execute_command(THD*))[0x560ae15a7c0c]
sql/sql_parse.cc:8063(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x560ae15adfe2]
sql/sql_parse.cc:1892(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x560ae1599f47]
sql/sql_parse.cc:1370(do_command(THD*))[0x560ae159873b]
sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x560ae174690f]
sql/sql_connect.cc:1314(handle_one_connection)[0x560ae1746672]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x560ae1c66439]
??:0(start_thread)[0x7f3f98742609]
??:0(clone)[0x7f3f98315293]
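
As an added example (not Spider's own parser, which this page does not reproduce), the following is a bounds-checked parser for the kind of key/value list that Spider reads from the COMMENT clause. The format is inferred only from the statements on this page: comma-separated entries, each a key followed by a value that is single-quoted, double-quoted, or bare (as in `port 3306`). The function and type names are hypothetical. Every read is guarded by the input length, so a string that contains no double quotes at all, an unterminated quote, or a missing value yields an error result instead of an out-of-bounds read.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <map>
#include <string>

// Outcome of one parse: the key/value map plus an error position and reason.
// (Hypothetical type; not part of Spider.)
struct ParseResult {
    std::map<std::string, std::string> params;
    bool ok = true;
    size_t error_pos = 0;   // offset into the input where parsing failed
    std::string error;      // human-readable reason; empty on success
};

static ParseResult fail(ParseResult r, size_t pos, const std::string& why) {
    r.ok = false;
    r.error_pos = pos;
    r.error = why;
    return r;
}

// Advance past whitespace; never returns an index beyond s.size().
static size_t skip_ws(const std::string& s, size_t i) {
    while (i < s.size() && std::isspace(static_cast<unsigned char>(s[i]))) ++i;
    return i;
}

// Parse "key 'value', key "value", key bare, ..." into a map.
// Hypothetical function; the grammar is inferred from the COMMENT strings above.
ParseResult parse_spider_params(const std::string& s) {
    ParseResult r;
    size_t i = 0;
    for (;;) {
        i = skip_ws(s, i);
        if (i >= s.size()) return r;            // clean end of input
        // Key: a run of [A-Za-z0-9_] characters.
        const size_t key_start = i;
        while (i < s.size() &&
               (std::isalnum(static_cast<unsigned char>(s[i])) || s[i] == '_')) ++i;
        if (i == key_start) return fail(r, i, "expected parameter name");
        const std::string key = s.substr(key_start, i - key_start);
        // Value: quoted with ' or ", or a bare token up to whitespace/comma.
        i = skip_ws(s, i);
        if (i >= s.size()) return fail(r, i, "missing value for '" + key + "'");
        std::string value;
        if (s[i] == '\'' || s[i] == '"') {
            const char quote = s[i++];
            const size_t close = s.find(quote, i);   // bounded; npos if unterminated
            if (close == std::string::npos)
                return fail(r, i, "unterminated quoted value for '" + key + "'");
            value = s.substr(i, close - i);
            i = close + 1;
        } else {
            const size_t val_start = i;
            while (i < s.size() && s[i] != ',' &&
                   !std::isspace(static_cast<unsigned char>(s[i]))) ++i;
            value = s.substr(val_start, i - val_start);
        }
        r.params[key] = value;
        // Separator: a comma, or the end of the input.
        i = skip_ws(s, i);
        if (i >= s.size()) return r;
        if (s[i] != ',') return fail(r, i, "expected ',' after value of '" + key + "'");
        ++i;
    }
}

int main() {
    // The COMMENT string from the report above: single-quoted values, no double quotes.
    const std::string comment =
        "host '<user_ip_address>', port 3306, user 'spider_user', "
        "password 'user_passwd', database 'ken_test', table 'fed_test'";
    ParseResult r = parse_spider_params(comment);
    if (!r.ok) {
        std::cout << "parse error at " << r.error_pos << ": " << r.error << "\n";
        return 1;
    }
    for (const auto& kv : r.params)
        std::cout << kv.first << " = " << kv.second << "\n";
    return 0;
}
```

Run stand-alone, the program prints the six parameters of the reported statement; feeding it a truncated value such as `host 'abc` returns an error result with the offset of the unterminated quote rather than crashing.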
Comments
Comment by Nayuta Yanagisawa (Inactive) [ 2021-07-14 ]

The bug is reproducible on 10.5.7 but not on 10.5.6, and it seems to be introduced by the following commit: https://github.com/MariaDB/server/commit/314a90e12b72a4c889278847b8d2a8c3f21f41e3

Comment by Nayuta Yanagisawa (Inactive) [ 2021-07-14 ]

The bug is not reproducible on 10.3. However, the bug is also reproducible on 10.4 because a commit similar to the above one was merged to 10.4: https://github.com/MariaDB/server/commit/5c8a1249ddeff70a3ffb6ce963a6eed3d55d4510

Comment by Nayuta Yanagisawa (Inactive) [ 2021-07-14 ]

A simpler table definition is enough for reproduction:

CREATE TABLE test.tbl_a (
   id INT PRIMARY KEY
) ENGINE = Spider COMMENT "host '<user_ip_address>'";

Comment by Nayuta Yanagisawa (Inactive) [ 2021-07-14 ]

I pushed a patch. My analysis is in the commit message. https://github.com/MariaDB/server/commit/e3814a74eee4f47b5d58997f90c8ee9742452681

Comment by Sergei Golubchik [ 2021-07-15 ]

perfect! ok to push!

Comment by Nayuta Yanagisawa (Inactive) [ 2021-07-15 ]

Thank you for your review! I've pushed it to 10.4.

Generated at Thu Feb 08 09:43:02 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.