[MDEV-26395] SIGSEGV in memset|JOIN::make_aggr_tables_info Created: 2021-08-18  Updated: 2023-11-28

Status: Open
Project: MariaDB Server
Component/s: None
Affects Version/s: 10.2
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2, 11.3

Type: Bug Priority: Critical
Reporter: Ramesh Sivaraman Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: None


Description

The crash is from a galera multi-master pquery run.

10.2.41

Core was generated by `/test/mtest/GAL_MD170821-mariadb-10.2.41-linux-x86_64-dbg/bin/mysqld --defaults'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000070000002 in ?? ()
[Current thread is 1 (Thread 0x6ded1ff72700 (LWP 2134592))]
(gdb) bt
#0  0x0000000070000002 in ?? ()
#1  0x00000dd20edf8766 in _raw_syscall () at /home/roc/rr/rr/src/preload/raw_syscall.S:120
#2  0x00000dd20edf404e in traced_raw_syscall (call=<optimized out>) at /home/roc/rr/rr/src/preload/syscallbuf.c:272
#3  0x00000dd20edf74d1 in syscall_hook_internal (call=0x14aa34e1efa0) at /home/roc/rr/rr/src/preload/syscallbuf.c:3295
#4  syscall_hook (call=0x14aa34e1efa0) at /home/roc/rr/rr/src/preload/syscallbuf.c:3329
#5  0x00000dd20edf3e50 in _syscall_hook_trampoline () at /home/roc/rr/rr/src/preload/syscall_hook.S:313
#6  0x00000dd20edf3eaf in __morestack () at /home/roc/rr/rr/src/preload/syscall_hook.S:458
#7  0x00000dd20edf3f08 in _syscall_hook_trampoline_89_c2_f7_da () at /home/roc/rr/rr/src/preload/syscall_hook.S:504
#8  0x000014aa55827f0c in __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#9  0x000055cec51c6fe2 in my_write_core (sig=sig@entry=11) at /test/mtest/10.2_dbg/mysys/stacktrace.c:382
#10 0x000055cec4ab77b3 in handle_fatal_signal (sig=11) at /test/mtest/10.2_dbg/sql/signal_handler.cc:355
#11 <signal handler called>
#12 memset (__len=944, __ch=0, __dest=0x0) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
#13 JOIN::make_aggr_tables_info (this=this@entry=0x62cc28012b58) at /test/mtest/10.2_dbg/sql/sql_select.cc:2477
#14 0x000055cec491a856 in JOIN::optimize_inner (this=this@entry=0x62cc28012b58) at /test/mtest/10.2_dbg/sql/sql_select.cc:2295
#15 0x000055cec491ac5e in JOIN::optimize (this=this@entry=0x62cc28012b58) at /test/mtest/10.2_dbg/sql/sql_select.cc:1127
#16 0x000055cec491cd69 in mysql_select (thd=thd@entry=0x62cc28000d90, tables=0x62cc28011548, wild_num=0, fields=@0x62cc28005200: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x62cc280114c8, last = 0x62cc280114c8, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x62cc28012b38, unit=0x62cc28004988, select_lex=0x62cc280050d8) at /test/mtest/10.2_dbg/sql/sql_select.cc:3835
#17 0x000055cec491d84b in handle_select (thd=thd@entry=0x62cc28000d90, lex=lex@entry=0x62cc280048c8, result=result@entry=0x62cc28012b38, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/mtest/10.2_dbg/sql/sql_select.cc:361
#18 0x000055cec48a1e85 in execute_sqlcom_select (thd=thd@entry=0x62cc28000d90, all_tables=0x62cc28011548) at /test/mtest/10.2_dbg/sql/sql_parse.cc:6271
#19 0x000055cec48ac16c in mysql_execute_command (thd=thd@entry=0x62cc28000d90) at /test/mtest/10.2_dbg/sql/sql_parse.cc:3582
#20 0x000055cec48b5809 in mysql_parse (thd=thd@entry=0x62cc28000d90, rawbuf=rawbuf@entry=0x62cc28011248 "select count(NULL) from seq_1_to_3 limit 0", length=length@entry=42, parser_state=parser_state@entry=0x6ded1ff71540, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/mtest/10.2_dbg/sql/sql_parse.cc:7793
#21 0x000055cec48b6e12 in wsrep_mysql_parse (thd=thd@entry=0x62cc28000d90, rawbuf=0x62cc28011248 "select count(NULL) from seq_1_to_3 limit 0", length=42, parser_state=parser_state@entry=0x6ded1ff71540, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/mtest/10.2_dbg/sql/sql_parse.cc:7585
#22 0x000055cec48b836b in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x62cc28000d90, packet=packet@entry=0x62cc28008a61 "select count(NULL) from seq_1_to_3 limit 0;", packet_length=packet_length@entry=43, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/mtest/10.2_dbg/sql/sql_class.h:1109
#23 0x000055cec48bb14a in do_command (thd=0x62cc28000d90) at /test/mtest/10.2_dbg/sql/sql_parse.cc:1381
#24 0x000055cec49c11b1 in do_handle_one_connection (connect=connect@entry=0x14aa57fc50b0) at /test/mtest/10.2_dbg/sql/sql_connect.cc:1336
#25 0x000055cec49c13dc in handle_one_connection (arg=0x14aa57fc50b0) at /test/mtest/10.2_dbg/sql/sql_connect.cc:1241
#26 0x000014aa5581f609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#27 0x000014aa55a73293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95



Comments
Comment by Ramesh Sivaraman [ 2022-05-04 ]

Reproducible test case

SET sql_select_limit=0;
SELECT COUNT(*) FROM seq_1_to_15_step_2;

10.2.44 (Debug)

Core was generated by `/test/mtest/GAL_MD040522-mariadb-10.2.44-linux-x86_64-dbg/bin/mysqld --defaults'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x146bb80eb700 (LWP 1682897))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x00005575049bac14 in my_write_core (sig=sig@entry=11) at /test/mtest/10.2_dbg/mysys/stacktrace.c:382
#2  0x00005575042ab1ff in handle_fatal_signal (sig=11) at /test/mtest/10.2_dbg/sql/signal_handler.cc:355
#3  <signal handler called>
#4  memset (__len=944, __ch=0, __dest=0x0) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
#5  JOIN::make_aggr_tables_info (this=this@entry=0x146b3c012a80) at /test/mtest/10.2_dbg/sql/sql_select.cc:2477
#6  0x000055750410e179 in JOIN::optimize_inner (this=this@entry=0x146b3c012a80) at /test/mtest/10.2_dbg/sql/sql_select.cc:2295
#7  0x000055750410e5e4 in JOIN::optimize (this=this@entry=0x146b3c012a80) at /test/mtest/10.2_dbg/sql/sql_select.cc:1127
#8  0x00005575041106fb in mysql_select (thd=thd@entry=0x146b3c000d90, tables=0x146b3c011498, wild_num=0, fields=@0x146b3c005200: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x146b3c011420, last = 0x146b3c011420, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x146b3c012a60, unit=0x146b3c004988, select_lex=0x146b3c0050d8) at /test/mtest/10.2_dbg/sql/sql_select.cc:3835
#9  0x00005575041111dd in handle_select (thd=thd@entry=0x146b3c000d90, lex=lex@entry=0x146b3c0048c8, result=result@entry=0x146b3c012a60, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/mtest/10.2_dbg/sql/sql_select.cc:361
#10 0x00005575040955c5 in execute_sqlcom_select (thd=thd@entry=0x146b3c000d90, all_tables=0x146b3c011498) at /test/mtest/10.2_dbg/sql/sql_parse.cc:6271
#11 0x000055750409f8ef in mysql_execute_command (thd=thd@entry=0x146b3c000d90) at /test/mtest/10.2_dbg/sql/sql_parse.cc:3582
#12 0x00005575040a90df in mysql_parse (thd=thd@entry=0x146b3c000d90, rawbuf=rawbuf@entry=0x146b3c0111a8 "select count(*) from seq_1_to_15_step_2", length=length@entry=39, parser_state=parser_state@entry=0x146bb80ea540, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/mtest/10.2_dbg/sql/sql_parse.cc:7793
#13 0x00005575040aa6e8 in wsrep_mysql_parse (thd=thd@entry=0x146b3c000d90, rawbuf=0x146b3c0111a8 "select count(*) from seq_1_to_15_step_2", length=39, parser_state=parser_state@entry=0x146bb80ea540, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/mtest/10.2_dbg/sql/sql_parse.cc:7585
#14 0x00005575040abc41 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x146b3c000d90, packet=packet@entry=0x146b3c0195e1 "select count(*) from seq_1_to_15_step_2", packet_length=packet_length@entry=39, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/mtest/10.2_dbg/sql/sql_class.h:1109
#15 0x00005575040aea23 in do_command (thd=0x146b3c000d90) at /test/mtest/10.2_dbg/sql/sql_parse.cc:1381
#16 0x00005575041b4cfd in do_handle_one_connection (connect=connect@entry=0x557507d2e550) at /test/mtest/10.2_dbg/sql/sql_connect.cc:1336
#17 0x00005575041b4f28 in handle_one_connection (arg=0x557507d2e550) at /test/mtest/10.2_dbg/sql/sql_connect.cc:1241
#18 0x0000146bc9b91609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#19 0x0000146bc9785293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment by Elena Stepanova [ 2022-05-04 ]

The failure disappeared from 10.3+ after this commit:

commit b7408be0c3a4027b505f6122306c8d88ad0e92b2
Author: Oleksandr Byelkin
Date:   Fri Oct 4 16:46:41 2019 +0200
 
    MDEV-20753: Sequence with limit 0 crashes server

Generated at Thu Feb 08 09:44:59 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.