[MDEV-26423] MariaDB server crash in Create_tmp_table::finalize Created: 2021-08-19  Updated: 2023-10-02  Resolved: 2022-04-15

Status: Closed
Project: MariaDB Server
Component/s: OTHER
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.7
Fix Version/s: 10.2.44, 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4, 10.8.3, 10.9.1

Type: Bug Priority: Blocker
Reporter: yaoguang Assignee: Oleksandr Byelkin
Resolution: Fixed Votes: 0
Labels: crash
Environment:

Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64


Issue Links:
Relates
relates to MDEV-11590 Server crashes in create_tmp_table / ... Closed

Description

PoC:

CREATE TABLE v0 ( v2 DATE DEFAULT ( v1 MOD 68321183.000000 ) , v1 DATETIME NULL ) ;
SHOW DATABASES LIKE 'x' ;
SELECT DISTINCT v2 , v1 , DEFAULT ( v2 ) FROM v0 ;

Crash Log:

We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB
key_buffer_size=134217728
read_buffer_size=131072
max_used_connections=1
max_threads=153
thread_count=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467956 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
 
Thread pointer: 0x62b0000bd218
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7fbccf9b6850 thread_stack 0x5fc00
sanitizer_common/sanitizer_common_interceptors.inc:4203(__interceptor_backtrace.part.0)[0x7fbcf53e9c3e]
mysys/stacktrace.c:213(my_print_stacktrace)[0x55da8b1e8747]
sql/signal_handler.cc:222(handle_fatal_signal)[0x55da8a1b0120]
sigaction.c:0(__restore_rt)[0x7fbcf4dd3870]
sql/sql_select.cc:19307(Create_tmp_table::finalize(THD*, TABLE*, TMP_TABLE_PARAM*, bool, bool))[0x55da89b716a6]
sql/sql_select.cc:19606(create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool))[0x55da89b736a4]
sql/sql_select.cc:4015(JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool))[0x55da89ba26b3]
sql/sql_select.cc:3589(JOIN::make_aggr_tables_info())[0x55da89ba5424]
sql/sql_select.cc:3225(JOIN::optimize_stage2())[0x55da89bd5e72]
sql/sql_select.cc:2479(JOIN::optimize_inner())[0x55da89bdfd07]
sql/sql_select.cc:1811(JOIN::optimize())[0x55da89be17b1]
sql/sql_select.cc:4977(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55da89be1a0e]
sql/sql_select.cc:545(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55da89be3655]
sql/sql_parse.cc:6256(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55da89a26d7d]
sql/sql_parse.cc:3946(mysql_execute_command(THD*, bool))[0x55da89a50421]
sql/sql_parse.cc:8047(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55da89a555a1]
sql/sql_parse.cc:1898(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55da89a5b60c]
sql/sql_parse.cc:1406(do_command(THD*, bool))[0x55da89a6073d]
sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x55da89e1be57]
sql/sql_connect.cc:1312(handle_one_connection)[0x55da89e1c33d]
perfschema/pfs.cc:2204(pfs_spawn_thread)[0x55da8a8acc2c]
pthread_create.c:0(start_thread)[0x7fbcf4dc9259]
:0(__GI___clone)[0x7fbcf49745e3]
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x629000087238): SELECT DISTINCT v2 , v1 , DEFAULT ( v2 ) FROM v0
 
Connection ID (thread ID): 4
Status: NOT_KILLED



Comments
Comment by Alice Sherepa [ 2021-08-25 ]

Thanks!
Repeatable on 10.2-10.6

CREATE TABLE t1 (v1 DATE, v2 DATE DEFAULT(v1)) engine=innodb;
SELECT DISTINCT DEFAULT(v2) FROM t1 ;

10.2 1f1d5606e08c928e3da98b

#3  <signal handler called>
#4  0x000055b9f38681c4 in create_tmp_table (thd=0x7f540c000d90, param=0x7f540c014f58, fields=..., group=0x7f540c014f00, distinct=false, save_sum_fields=false, select_options=2147748609, rows_limit=18446744073709551615, table_alias=0x55b9f42a4e3a "", do_not_open=true, keep_row_order=false) at /10.2/src/sql/sql_select.cc:17331
#5  0x000055b9f3842ab9 in JOIN::create_postjoin_aggr_table (this=0x7f540c013158, tab=0x7f540c014790, table_fields=0x7f540c013478, table_group=0x7f540c014f00, save_sum_fields=false, distinct=false, keep_row_order=false) at /10.2/src/sql/sql_select.cc:2983
#6  0x000055b9f384130e in JOIN::make_aggr_tables_info (this=0x7f540c013158) at /10.2/src/sql/sql_select.cc:2588
#7  0x000055b9f383fec8 in JOIN::optimize_inner (this=0x7f540c013158) at /10.2/src/sql/sql_select.cc:2259
#8  0x000055b9f383bfe6 in JOIN::optimize (this=0x7f540c013158) at /10.2/src/sql/sql_select.cc:1127
#9  0x000055b9f384553c in mysql_select (thd=0x7f540c000d90, tables=0x7f540c012a48, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748609, result=0x7f540c013138, unit=0x7f540c004988, select_lex=0x7f540c0050d8) at /10.2/src/sql/sql_select.cc:3835
#10 0x000055b9f3839720 in handle_select (thd=0x7f540c000d90, lex=0x7f540c0048c8, result=0x7f540c013138, setup_tables_done_option=0) at /10.2/src/sql/sql_select.cc:361
#11 0x000055b9f3803d86 in execute_sqlcom_select (thd=0x7f540c000d90, all_tables=0x7f540c012a48) at /10.2/src/sql/sql_parse.cc:6271
#12 0x000055b9f37fa8fa in mysql_execute_command (thd=0x7f540c000d90) at /10.2/src/sql/sql_parse.cc:3582
#13 0x000055b9f3807b42 in mysql_parse (thd=0x7f540c000d90, rawbuf=0x7f540c012708 "SELECT DISTINCT DEFAULT(v2) FROM t1", length=35, parser_state=0x7f545d318560, is_com_multi=false, is_next_command=false) at /10.2/src/sql/sql_parse.cc:7793
#14 0x000055b9f37f5d9d in dispatch_command (command=COM_QUERY, thd=0x7f540c000d90, packet=0x7f540c008b61 "SELECT DISTINCT DEFAULT(v2) FROM t1 ", packet_length=36, is_com_multi=false, is_next_command=false) at /10.2/src/sql/sql_parse.cc:1827
#15 0x000055b9f37f4898 in do_command (thd=0x7f540c000d90) at /10.2/src/sql/sql_parse.cc:1381
#16 0x000055b9f3950661 in do_handle_one_connection (connect=0x55b9f70feac0) at /10.2/src/sql/sql_connect.cc:1336
#17 0x000055b9f39503c6 in handle_one_connection (arg=0x55b9f70feac0) at /10.2/src/sql/sql_connect.cc:1241
#18 0x000055b9f4179ec4 in pfs_spawn_thread (arg=0x55b9f70e1d80) at /10.2/src/storage/perfschema/pfs.cc:1869
#19 0x00007f54634f3609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#20 0x00007f54630ce293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment by Alice Sherepa [ 2021-10-28 ]

CREATE TABLE t1 (pk varchar(36) DEFAULT uuid());
INSERT INTO t1 VALUES (),();
 
SELECT 1 FROM t1 GROUP BY DEFAULT(pk);

10.6 1193a793c40b806c6f1f00

211028 15:14:26 [ERROR] mysqld got signal 11 ;
 
Server version: 10.6.5-MariaDB-debug-log
 
sql/signal_handler.cc:226(handle_fatal_signal)[0x55cb38ca7a5b]
sigaction.c:0(__restore_rt)[0x7f6fb1a653c0]
sql/sql_select.cc:19315(Create_tmp_table::finalize(THD*, TABLE*, TMP_TABLE_PARAM*, bool, bool))[0x55cb3858d863]
sql/sql_select.cc:19618(create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool))[0x55cb38591cff]
sql/sql_select.cc:4012(JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool))[0x55cb3851e050]
sql/sql_select.cc:3591(JOIN::make_aggr_tables_info())[0x55cb38519882]
sql/sql_select.cc:3227(JOIN::optimize_stage2())[0x55cb38515304]
sql/sql_select.cc:2479(JOIN::optimize_inner())[0x55cb3850d944]
sql/sql_select.cc:1809(JOIN::optimize())[0x55cb38506700]
sql/sql_select.cc:4980(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55cb38527bf6]
sql/sql_select.cc:545(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55cb384f8333]
sql/sql_parse.cc:6256(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55cb3845d3e7]
sql/sql_parse.cc:3946(mysql_execute_command(THD*, bool))[0x55cb3844beb5]
sql/sql_parse.cc:8030(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55cb384686aa]
sql/sql_parse.cc:1898(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55cb3843e76b]
sql/sql_parse.cc:1404(do_command(THD*, bool))[0x55cb3843b48f]
sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x55cb388a1b1b]
sql/sql_connect.cc:1314(handle_one_connection)[0x55cb388a13a7]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55cb395c0be1]
nptl/pthread_create.c:478(start_thread)[0x7f6fb1a59609]
x86_64/clone.S:97(__GI___clone)[0x7f6fb162e293]
 
Query (0x62b0000c42a8): SELECT 1 FROM t1 GROUP BY DEFAULT(pk)

Comment by Oleksandr Byelkin [ 2022-04-14 ]

Using innodb is really needed:

  • with innodb we end up trying to get a temporary table field from the "default" (Item_default_value) item.
  • with aria it is a normal "result field" and returns a temporary table field.

Comment by Oleksandr Byelkin [ 2022-04-14 ]

The second test suite is also repeatable on 10.2 (the test was made from 10.6 so I had doubts) and exploits the "default" Item directly.

Comment by Oleksandr Byelkin [ 2022-04-14 ]

commit bf399cac92f8675bbca5647a6127a1dceff64a44 (HEAD -> bb-10.2-MDEV-26423, origin/bb-10.2-MDEV-26423)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date:   Thu Apr 14 13:51:46 2022 +0200
 
    MDEV-26423 MariaDB server crash in Create_tmp_table::finalize
    
    Removed prohibition of creating temporary field of Item_default_value
    (added by mistake by 1d9b043a1f5db7ff229d5200652cff7a78ea6266 fix of
    MDEV-10780 and MDEV-11265).

Comment by Alexander Barkov [ 2022-04-15 ]

The patch looks OK to push for me. Just one thing, the version number is wrong:

+--echo #
+--echo # End of 1.2 tests
+--echo #
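Review bot: the end-of-tests marker in this hunk reads "End of 1.2 tests", but the commit sits on the bb-10.2-MDEV-26423 branch, so it should read "End of 10.2 tests" to match the release series the test file covers.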

I guess it should be "End of 10.2 tests"

Generated at Thu Feb 08 09:45:12 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.