[MDEV-26349] BUG: Abortion in sql/sql_show.cc:9239 Created: 2021-08-13  Updated: 2021-08-13  Resolved: 2021-08-13

Status: Closed
Project: MariaDB Server
Component/s: Optimizer - CTE
Affects Version/s: 10.5.9
Fix Version/s: N/A

Type: Bug Priority: Critical
Reporter: Zuming Jiang Assignee: Daniel Black
Resolution: Cannot Reproduce Votes: 0
Labels: crash
Environment:

Ubuntu 18.04
MariaDB 10.5.9

Attachments: File fuzz.sql     Text File report.txt    

 Description   

I used my fuzzing tool to test Mariadb , and found a bug that can result in an abortion.

Mariadb installation:
1) cd mariadb-10.5.9
2) mkdir build; cd build
3) cmake -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DCMAKE_BUILD_TYPE=Debug ../
4) make -j8 && sudo make install

How to Repeat:
export ASAN_OPTIONS=detect_leaks=0
/usr/local/mysql/bin/mysqld_safe &
/usr/local/mysql/bin/mysql -uroot -p123456(your password)
MariaDB> drop database if exists test_db;
MariaDB> create database test_db;
MariaDB> use test_db;
MariaDB> source fuzz.sql;

I have simplified the content of fuzz.sql, and I hope fuzz.sql can help you reproduce the bug and fix it. In addition, I attach the failure report (which has its stack trace).

 Comments   
Comment by Daniel Black [ 2021-08-13 ]

Failed to reproduce on:

10.5.13-0268b871228

 
CMakeCache.txt:WITH_ASAN:BOOL=ON
 
CMakeCache.txt:WITH_ASAN_SCOPE:BOOL=ON
 
CMAKE_CXX_COMPILER:STRING=/usr/lib64/ccache/clang++
 
CMAKE_C_COMPILER:STRING=/usr/lib64/ccache/clang
 
CMAKE_BUILD_TYPE:STRING=RelWithDebInfo
 
 
 
$ /usr/lib64/ccache/clang++ --version
 
clang version 12.0.0 (Fedora 12.0.0-2.fc34)
 
Target: x86_64-unknown-linux-gnu
 
Thread model: posix
 
InstalledDir: /usr/bin

CMAKE_BUILD_TYPE=Debug

 
MariaDB [test_db]> create or replace database  test_db;
 
Query OK, 2 rows affected (0.012 sec)
 
 
 
MariaDB [test_db]> use test_db;
 
Database changed
 
MariaDB [test_db]> select version();
 
+-----------------------+
 
| version()             |
 
+-----------------------+
 
| 10.5.13-MariaDB-debug |
 
+-----------------------+
 
1 row in set (0.001 sec)
 
 
 
MariaDB [test_db]> source ~/Downloads/fuzz-MDEV-26349.sql
 
Query OK, 0 rows affected (0.006 sec)
 
 
 
Query OK, 2 rows affected (0.002 sec)
 
Records: 2  Duplicates: 0  Warnings: 0
 
 
 
+------+----+------+------+------+------+----+----+----+----+-----+
 
| c0   | c1 | c2   | c3   | c4   | c5   | c6 | c7 | c8 | c9 | c10 |
 
+------+----+------+------+------+------+----+----+----+----+-----+
 
|   75 | 75 | NULL |   75 |    2 |   11 | 75 | 75 | 75 | 75 |  75 |
 
|   90 | 90 | NULL |   90 |    2 |   11 | 90 | 90 | 90 | 90 |  90 |
 
+------+----+------+------+------+------+----+----+----+----+-----+
 
2 rows in set (0.007 sec)
 
 
 
MariaDB [test_db]>

Comment by Daniel Black [ 2021-08-13 ]

also checked 10.2.41, 10.3.32, 10.4.42 latest as of today and couldn't reproduce segfault on non-debug versions.

Generated at Thu Feb 08 09:44:37 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.