[MDEV-26457] REPAIR TABLE on MyISAM fails with SIGSEGV's in Item_func_concat::append_value, Item_func_concat::val_str, and ha_maria::drop_table and UBSAN: member access within null pointer in Item_func_concat::append_value
Created: 2021-08-21
Updated: 2023-12-07

Status: Stalled
Project: MariaDB Server
Component/s: Storage Engine - MyISAM
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11

Type: Bug
Priority: Major
Reporter: Roel Van de Paar
Assignee: Aleksey Midenkov
Resolution: Unresolved
Votes: 0
Labels: UBSAN, duplicate

Issue Links:
Duplicate
duplicates MDEV-23294 Segfault or assertion upon MyISAM repair Closed

Description

SET sql_mode='', myisam_repair_threads=2;
CREATE TABLE t (id INT,a VARCHAR(1),b VARCHAR(1),c VARCHAR(1) GENERATED ALWAYS AS (CONCAT (a,b)),KEY(c)) ENGINE=MyISAM;
INSERT INTO t VALUES (0,0,9687,0);
REPAIR TABLE t QUICK;

Leads to (note the different stacks):

10.7.0 52505bf20de0ce77a5c0b0a74af021051987bb0d (Debug)

Core was generated by `/test/MD160821-mariadb-10.7.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055f10f57baff in Item_func_concat::append_value (
    this=this@entry=0x1483cc026178, thd=thd@entry=0x0, 
    res=res@entry=0x1483cc0261a0, app=0x1483cc026088)
    at /test/10.7_dbg/sql/sql_string.h:274
[Current thread is 1 (Thread 0x1483eedfe700 (LWP 2336320))]
(gdb) bt
#0  0x000055f10f57baff in Item_func_concat::append_value (this=this@entry=0x1483cc026178, thd=thd@entry=0x0, res=res@entry=0x1483cc0261a0, app=0x1483cc026088) at /test/10.7_dbg/sql/sql_string.h:274
#1  0x000055f10f57bea8 in Item_func_concat::val_str (this=0x1483cc026178, str=0x1483cc0261a0) at /test/10.7_dbg/sql/item_strfunc.cc:628
#2  0x000055f10f4ca49b in Item::save_str_in_field (this=0x1483cc026178, field=0x1483cc025440, no_conversions=<optimized out>) at /test/10.7_dbg/sql/item.cc:6664
#3  0x000055f10f3a3b08 in Type_handler_string_result::Item_save_in_field (this=<optimized out>, item=<optimized out>, field=<optimized out>, no_conversions=<optimized out>) at /test/10.7_dbg/sql/sql_type.cc:4330
#4  0x000055f10f4b0847 in Item::save_in_field (this=0x1483cc026178, field=0x1483cc025440, no_conversions=<optimized out>) at /test/10.7_dbg/sql/item.cc:6712
#5  0x000055f10f2cb9eb in TABLE::update_virtual_field (this=this@entry=0x1483cc0242d8, vf=0x1483cc025440) at /test/10.7_dbg/sql/table.cc:8770
#6  0x000055f10fc1f36b in compute_vcols (info=0x1483cc0271f8, record=<optimized out>, keynum=<optimized out>) at /test/10.7_dbg/storage/myisam/ha_myisam.cc:710
#7  0x000055f10fc25b49 in sort_get_next_record (sort_param=sort_param@entry=0x1483cc0b6038) at /test/10.7_dbg/storage/myisam/mi_check.c:3672
#8  0x000055f10fc2afec in sort_key_read (sort_param=0x1483cc0b6038, key=0x1483c0000dd0) at /test/10.7_dbg/storage/myisam/mi_check.c:3135
#9  0x000055f10fc60342 in thr_find_all_keys_exec (sort_param=0x1483cc0b6038) at /test/10.7_dbg/storage/myisam/sort.c:451
#10 thr_find_all_keys (arg=0x1483cc0b6038) at /test/10.7_dbg/storage/myisam/sort.c:510
#11 0x00001484134e4609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#12 0x00001484130d2293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.7.0 52505bf20de0ce77a5c0b0a74af021051987bb0d (Optimized)

Core was generated by `/test/MD160821-mariadb-10.7.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00005620e730915b in Item_func_concat::append_value (this=0x15126c01cf08, 
    thd=0x0, res=0x15126c01cf30, app=0x15126c01ce18)
    at /test/10.7_opt/sql/sql_string.h:274
[Current thread is 1 (Thread 0x1512999fc700 (LWP 2388670))]
(gdb) bt
#0  0x00005620e730915b in Item_func_concat::append_value (this=0x15126c01cf08, thd=0x0, res=0x15126c01cf30, app=0x15126c01ce18) at /test/10.7_opt/sql/sql_string.h:274
#1  0x00005620e73092fe in Item_func_concat::val_str (this=0x15126c01cf08, str=0x15126c01cf30) at /test/10.7_opt/sql/item_strfunc.cc:626
#2  0x00005620e7282425 in Item::save_str_in_field (this=0x15126c01cf08, field=0x15126c017e20, no_conversions=<optimized out>) at /test/10.7_opt/sql/item.cc:6664
#3  0x00005620e72721d7 in Item::save_in_field (this=0x15126c01cf08, field=0x15126c017e20, no_conversions=<optimized out>) at /test/10.7_opt/sql/item.cc:6712
#4  0x00005620e710dc31 in TABLE::update_virtual_field (this=this@entry=0x15126c01b6d8, vf=0x15126c017e20) at /test/10.7_opt/sql/table.cc:8770
#5  0x00005620e772bcb7 in compute_vcols (info=0x15126c01dda8, record=<optimized out>, keynum=<optimized out>) at /test/10.7_opt/storage/myisam/ha_myisam.cc:710
#6  0x00005620e77328a4 in sort_get_next_record (sort_param=sort_param@entry=0x15126c083928) at /test/10.7_opt/storage/myisam/mi_check.c:3672
#7  0x00005620e7738ac5 in sort_key_read (sort_param=0x15126c083928, key=0x151270000c70) at /test/10.7_opt/storage/myisam/mi_check.c:3135
#8  0x00005620e7769b0f in thr_find_all_keys_exec (sort_param=0x15126c083928) at /test/10.7_opt/storage/myisam/sort.c:451
#9  thr_find_all_keys (arg=0x15126c083928) at /test/10.7_opt/storage/myisam/sort.c:510
#10 0x00001512be3e1609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#11 0x00001512bdfcf293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.6.5 9ac1ac006197c8979db1dc73f4e983f623e831e8 (Debug)

Core was generated by `/test/MD160821-mariadb-10.6.5-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000056280e8c9637 in Item_func_concat::append_value (
    this=this@entry=0x15106c0270c8, thd=thd@entry=0x0, 
    res=res@entry=0x15106c0270f0, app=0x15106c026fd8)
    at /test/10.6_dbg/sql/sql_string.h:274
[Current thread is 1 (Thread 0x15108e7fb700 (LWP 2388769))]
(gdb) bt
#0  0x000056280e8c9637 in Item_func_concat::append_value (this=this@entry=0x15106c0270c8, thd=thd@entry=0x0, res=res@entry=0x15106c0270f0, app=0x15106c026fd8) at /test/10.6_dbg/sql/sql_string.h:274
#1  0x000056280e8c99e0 in Item_func_concat::val_str (this=0x15106c0270c8, str=0x15106c0270f0) at /test/10.6_dbg/sql/item_strfunc.cc:628
#2  0x000056280e81760b in Item::save_str_in_field (this=0x15106c0270c8, field=0x15106c0263b0, no_conversions=<optimized out>) at /test/10.6_dbg/sql/item.cc:6664
#3  0x000056280e6f1412 in Type_handler_string_result::Item_save_in_field (this=<optimized out>, item=<optimized out>, field=<optimized out>, no_conversions=<optimized out>) at /test/10.6_dbg/sql/sql_type.cc:4330
#4  0x000056280e7fd9b5 in Item::save_in_field (this=0x15106c0270c8, field=0x15106c0263b0, no_conversions=<optimized out>) at /test/10.6_dbg/sql/item.cc:6712
#5  0x000056280e619e71 in TABLE::update_virtual_field (this=this@entry=0x15106c025268, vf=0x15106c0263b0) at /test/10.6_dbg/sql/table.cc:8770
#6  0x000056280efb7d5b in compute_vcols (info=0x15106c028108, record=<optimized out>, keynum=<optimized out>) at /test/10.6_dbg/storage/myisam/ha_myisam.cc:710
#7  0x000056280efbe539 in sort_get_next_record (sort_param=sort_param@entry=0x15106c0b6b88) at /test/10.6_dbg/storage/myisam/mi_check.c:3672
#8  0x000056280efc39dc in sort_key_read (sort_param=0x15106c0b6b88, key=0x151060000dd0) at /test/10.6_dbg/storage/myisam/mi_check.c:3135
#9  0x000056280eff8d32 in thr_find_all_keys_exec (sort_param=0x15106c0b6b88) at /test/10.6_dbg/storage/myisam/sort.c:451
#10 thr_find_all_keys (arg=0x15106c0b6b88) at /test/10.6_dbg/storage/myisam/sort.c:510
#11 0x00001510b2f6a609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#12 0x00001510b2b58293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.2.41 (Optimized)

Core was generated by `/test/MD160821-mariadb-10.2.41-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x150eb74b0700 (LWP 2388689))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x0000563051a3d69f in my_write_core (sig=sig@entry=11) at /test/10.2_opt/mysys/stacktrace.c:382
#2  0x00005630514e2628 in handle_fatal_signal (sig=11) at /test/10.2_opt/sql/signal_handler.cc:355
#3  <signal handler called>
#4  0x000056305157a97f in Item_func_concat::val_str (this=0x150e9001a780, str=0x150e9001a7b0) at /test/10.2_opt/sql/sql_string.h:198
#5  0x00005630514f31ca in Item::save_in_field (this=0x150e9001a780, field=0x150e90017998, no_conversions=<optimized out>) at /test/10.2_opt/sql/item.cc:6397
#6  0x00005630513efc34 in TABLE::update_virtual_field (this=this@entry=0x150e900194c8, vf=0x150e90017998) at /test/10.2_opt/sql/table.cc:7830
#7  0x0000563051940c63 in compute_vcols (info=<optimized out>, record=<optimized out>, keynum=<optimized out>) at /test/10.2_opt/storage/myisam/ha_myisam.cc:683
#8  0x0000563051948874 in sort_get_next_record (sort_param=sort_param@entry=0x150e900592a8) at /test/10.2_opt/storage/myisam/mi_check.c:3667
#9  0x000056305194e8e5 in sort_key_read (sort_param=0x150e900592a8, key=0x150e88000c60) at /test/10.2_opt/storage/myisam/mi_check.c:3131
#10 0x0000563051980172 in thr_find_all_keys_exec (sort_param=0x150e900592a8) at /test/10.2_opt/storage/myisam/sort.c:450
#11 thr_find_all_keys (arg=0x150e900592a8) at /test/10.2_opt/storage/myisam/sort.c:509
#12 0x0000150eee82e609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#13 0x0000150eee424293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.0 (dbg), 10.7.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.35 (dbg), 5.7.35 (opt), 8.0.26 (dbg), 8.0.26 (opt)

Comments
Comment by Roel Van de Paar [ 2023-03-04 ]

The testcase produces the following UBSAN error on both optimized and debug builds:

11.0.1 4d09050ca77a7efac4565d46e4bcd85a5f210c53 (Optimized, UBASAN)

/test/11.0_opt_san/sql/item_strfunc.cc:698:12: runtime error: member access within null pointer of type 'struct THD'
    #0 0x5629041245b3 in Item_func_concat::append_value(THD*, String*, String const*) /test/11.0_opt_san/sql/item_strfunc.cc:698
    #1 0x562904124c8e in Item_func_concat::val_str(String*) /test/11.0_opt_san/sql/item_strfunc.cc:644
    #2 0x562903a8775a in Item::save_str_in_field(Field*, bool) /test/11.0_opt_san/sql/item.cc:6808
    #3 0x5629039da72a in Item::save_in_field(Field*, bool) /test/11.0_opt_san/sql/item.cc:6856
    #4 0x562902c414a7 in TABLE::update_virtual_field(Field*, bool) /test/11.0_opt_san/sql/table.cc:8951
    #5 0x562905d3f270 in compute_vcols /test/11.0_opt_san/storage/myisam/ha_myisam.cc:734
    #6 0x562905d700a9 in sort_get_next_record /test/11.0_opt_san/storage/myisam/mi_check.c:3672
    #7 0x562905d8847b in sort_key_read /test/11.0_opt_san/storage/myisam/mi_check.c:3135
    #8 0x562905ebae6a in thr_find_all_keys_exec /test/11.0_opt_san/storage/myisam/sort.c:453
    #9 0x562905ebae6a in thr_find_all_keys /test/11.0_opt_san/storage/myisam/sort.c:511
    #10 0x152088b10b42 in start_thread nptl/pthread_create.c:442
    #11 0x152088ba29ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

Generated at Thu Feb 08 09:45:28 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.