[MDEV-26348] BUG: segfault in sql/item_func.cc:0 Created: 2021-08-13  Updated: 2021-08-18  Resolved: 2021-08-18

Status: Closed
Project: MariaDB Server
Component/s: Optimizer - CTE
Affects Version/s: 10.5.9
Fix Version/s: N/A

Type: Bug Priority: Critical
Reporter: Zuming Jiang Assignee: Daniel Black
Resolution: Cannot Reproduce Votes: 0
Labels: crash
Environment:

Ubuntu 18.04
MariaDB 10.5.9

Attachments: File fuzz.sql     Text File report.txt    

 Description   

I used my fuzzing tool to test Mariadb , and found a bug that can result in an abortion.

Mariadb installation:
1) cd mariadb-10.5.9
2) mkdir build; cd build
3) cmake -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DCMAKE_BUILD_TYPE=Debug ../
4) make -j8 && sudo make install

How to Repeat:
export ASAN_OPTIONS=detect_leaks=0
/usr/local/mysql/bin/mysqld_safe &
/usr/local/mysql/bin/mysql -uroot -p123456(your password)
MariaDB> drop database if exists test_db;
MariaDB> create database test_db;
MariaDB> use test_db;
MariaDB> source fuzz.sql;

I have simplified the content of fuzz.sql, and I hope fuzz.sql can help you reproduce the bug and fix it. In addition, I attach the failure report (which has its stack trace).

 Comments   
Comment by Daniel Black [ 2021-08-13 ]

Failed to reproduce on:

10.5.13-0268b871228

 
CMakeCache.txt:WITH_ASAN:BOOL=ON
 
CMakeCache.txt:WITH_ASAN_SCOPE:BOOL=ON
 
CMAKE_CXX_COMPILER:STRING=/usr/lib64/ccache/clang++
 
CMAKE_C_COMPILER:STRING=/usr/lib64/ccache/clang
 
CMAKE_BUILD_TYPE:STRING=RelWithDebInfo
 
 
 
$ /usr/lib64/ccache/clang++ --version
 
clang version 12.0.0 (Fedora 12.0.0-2.fc34)
 
Target: x86_64-unknown-linux-gnu
 
Thread model: posix
 
InstalledDir: /usr/bin

Also failed to reproduce on same commit with CMAKE_BUILD_TYPE=Debug

Welcome to the MariaDB monitor.  Commands end with ; or \g.
 
Your MariaDB connection id is 3
 
Server version: 10.5.13-MariaDB-debug Source distribution
 
 
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
 
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
 
 
MariaDB [(none)]> create or replace database  test_db;
 
Query OK, 1 row affected (0.001 sec)
 
 
 
MariaDB [(none)]> use test_db;
 
Database changed
 
MariaDB [test_db]> source ~/Downloads/fuzz-MDEV-26348.sql
 
Query OK, 0 rows affected (0.007 sec)
 
 
 
Query OK, 0 rows affected (0.008 sec)
 
Records: 0  Duplicates: 0  Warnings: 0
 
 
 
Empty set (0.005 sec)
 
 
 
MariaDB [test_db]>

Comment by Daniel Black [ 2021-08-13 ]

also checked 10.2.41, 10.3.32, 10.4.42 latest as of today and couldn't reproduce segfault on non-debug versions.

Note difference in signal 11 (segfault) vs assertion (6).

Generated at Thu Feb 08 09:44:37 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.