[MDEV-26280] MariaDB server crash at my_decimal::operator= Created: 2021-07-30  Updated: 2022-04-13  Resolved: 2021-07-30

Status: Closed
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 10.6.0, 10.6.1, 10.6.2, 10.6.3
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: yaoguang Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: crash
Environment:

Linux 5.4.0-39-generic #43-Ubuntu SMP Fri Jun 19 10:28:31 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux


Issue Links:
Duplicate
duplicates MDEV-25994 Crash with union of my_decimal type i... Closed

Description

Steps to reproduce:

CREATE TABLE v0 ( v1 INTEGER UNIQUE , v2 INT UNIQUE ) ;
INSERT INTO v0 ( v2 , v1 ) VALUES ( 26 , 8 ) ;
UPDATE v0 SET v1 = CASE 41219694.000000 WHEN 0 THEN 'x' WHEN 'x' THEN 'x' END ORDER BY v1 , ( SELECT 25027969.000000 UNION SELECT 0 UNION SELECT -1 ) , v2 DESC , v2 , v1 ;

Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.
Program terminated with signal SIGSEGV, Segmentation fault.

#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
56	../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.
[Current thread is 1 (Thread 0x7f62f009b700 (LWP 166191))]
gdb-peda$ bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x000055fcfb78307f in my_write_core (sig=sig@entry=0xb)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424
#2  0x000055fcfb107f80 in handle_fatal_signal (sig=0xb)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344
#3  <signal handler called>
#4  0x000055fcfb26d753 in my_decimal::operator= (rhs=..., this=0x7f62f0099560)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/my_decimal.h:353
#5  my_decimal2decimal (to=0x7f62f0099560, from=0x0)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/my_decimal.h:353
#6  my_decimal::to_binary (this=0x0, bin=bin@entry=0x7f61f8192e8d "\177", prec=0xf, scale=0x6,
    mask=mask@entry=0x1e)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/my_decimal.cc:206
#7  0x000055fcfb101f64 in Type_handler_decimal_result::make_sort_key_part (this=<optimized out>,
    to=0x7f61f8192e8d "\177", item=0x7f61f80132b0, sort_field=0x7f61f8015df8, param=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:1321
#8  0x000055fcfb10328d in make_sortkey (to=0x7f61f8192e8d "\177", param=0x7f62f00997c0)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:3027
#9  make_sortkey (param=param@entry=0x7f62f00997c0, to=0x7f61f8192e88 "\001\200",
    ref_pos=ref_pos@entry=0x7f61f81846e0 "", using_packed_sortkeys=using_packed_sortkeys@entry=0x0)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:1354
#10 0x000055fcfb106107 in find_all_keys (found_rows=0x7f61f818faa0, pq=0x7f62f0099770,
    tempfile=0x7f62f0099880, buffpek_pointers=0x7f62f0099970, fs_info=0x7f61f818f930, select=0x0,
    param=0x7f62f00997c0, thd=0x7f61f8000c58)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:969
#11 filesort (thd=thd@entry=0x7f61f8000c58, table=table@entry=0x7f61f81833e8,
    filesort=filesort@entry=0x7f62f0099bc0, tracker=0x7f61f8015d58, join=join@entry=0x0,
    first_table_bit=first_table_bit@entry=0x0)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:357
#12 0x000055fcfaf5300c in mysql_update (thd=thd@entry=0x7f61f8000c58, table_list=<optimized out>,
    fields=..., values=..., conds=<optimized out>, order_num=<optimized out>, order=0x7f61f8011678,
    limit=0xffffffffffffffff, ignore=<optimized out>, found_return=<optimized out>,
    updated_return=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_update.cc:796
#13 0x000055fcfae1fd89 in mysql_execute_command (thd=0x7f61f8000c58,
    is_called_from_prepared_stmt=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_limit.h:83
#14 0x000055fcfae02e35 in mysql_parse (thd=0x7f61f8000c58, rawbuf=<optimized out>,
    length=<optimized out>, parser_state=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028
#15 0x000055fcfae15391 in dispatch_command (command=<optimized out>, thd=0x7f61f8000c58,
    packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:1340
#16 0x000055fcfae18652 in do_command (thd=0x7f61f8000c58, blocking=blocking@entry=0x1)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406
#17 0x000055fcfafb336e in do_handle_one_connection (connect=<optimized out>, put_in_cache=0x1)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410
#18 0x000055fcfafb3c77 in handle_one_connection (arg=arg@entry=0x55fcfe4236c8)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312
#19 0x000055fcfb3df20d in pfs_spawn_thread (arg=0x55fcfe4d2e08)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201
#20 0x00007f62f0eb0609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#21 0x00007f62f0a84293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comments
Comment by Alice Sherepa [ 2021-07-30 ]

Thanks for the report!
This is the same issue as MDEV-25994.

Generated at Thu Feb 08 09:44:06 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.