[MDEV-27079] CREATE TABLE with a DEFAULT expression that references another column crashes the server (SIGSEGV in find_field_in_table) Created: 2021-11-18  Updated: 2023-08-30  Resolved: 2023-08-30

Status: Closed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 10.3.32, 10.4.20, 10.4.21, 10.4.22, 10.5.11, 10.5.12, 10.5.13, 10.6.3, 10.6.4, 10.6.5, 10.7.0, 10.7.1
Fix Version/s: N/A

Type: Bug Priority: Critical
Reporter: willcao Assignee: Unassigned
Resolution: Cannot Reproduce Votes: 0
Labels: crash
Environment:

x86 server

MariaDB [test]> create table tb6 (col2 date default (col1 mod 68321183.000000), col1 datetime null);
ERROR 2013 (HY000): Lost connection to MySQL server during query


Issue Links:
Relates
relates to MDEV-25012 Server crash in find_field_in_tables,... Confirmed

 Description   

 MariaDB [test]> create table tb6 (col2 date default (col1 mod 68321183.000000), col1 datetime null);
ERROR 2013 (HY000): Lost connection to MySQL server during query 

Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/sbin/mysqld'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
56      ../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.
[Current thread is 1 (Thread 0x7fbfdd3fb700 (LWP 8791))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x00005651f913d30a in my_write_core (sig=sig@entry=11) at /home/uos/fsdownload/mariadb-10.3/mysys/stacktrace.c:481
#2  0x00005651f8ccb438 in handle_fatal_signal (sig=11) at /home/uos/fsdownload/mariadb-10.3/sql/signal_handler.cc:343
#3  <signal handler called>
#4  0x00005651f8ab49bd in find_field_in_table (thd=thd@entry=0x7fbf78000c08, table=0x0, name=name@entry=0x7fbf78011f98 "col1", 
    length=length@entry=4, allow_rowid=true, cached_field_index_ptr=cached_field_index_ptr@entry=0x7fbf7801207c)
    at /home/uos/fsdownload/mariadb-10.3/sql/sql_base.cc:5785
#5  0x00005651f8ab50c2 in find_field_in_table_ref (thd=thd@entry=0x7fbf78000c08, table_list=table_list@entry=0x7fbf78011828, 
    name=name@entry=0x7fbf78011f98 "col1", length=length@entry=4, item_name=0x7fbf78011f98 "col1", db_name=db_name@entry=0x0, table_name=0x0, 
    ref=0x7fbf78012220, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x7fbf7801207c, register_tree_change=true, 
    actual_table=0x7fbfdd3f5728) at /home/uos/fsdownload/mariadb-10.3/sql/sql_base.cc:5949
#6  0x00005651f8ab5656 in find_field_in_tables (thd=thd@entry=0x7fbf78000c08, item=item@entry=0x7fbf78011fa8, first_table=<optimized out>, 
    last_table=0x0, ref=ref@entry=0x7fbf78012220, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true)
    at /home/uos/fsdownload/mariadb-10.3/sql/sql_base.cc:6242
#7  0x00005651f8ceb770 in Item_field::fix_fields (this=0x7fbf78011fa8, thd=0x7fbf78000c08, reference=0x7fbf78012220)
    at /home/uos/fsdownload/mariadb-10.3/sql/item.cc:6082
#8  0x00005651f8d20c7d in Item::fix_fields_if_needed (ref=0x7fbf78012220, thd=0x7fbf78000c08, this=<optimized out>)
    at /home/uos/fsdownload/mariadb-10.3/sql/item.h:821
#9  Item::fix_fields_if_needed (ref=0x7fbf78012220, thd=0x7fbf78000c08, this=<optimized out>)
    at /home/uos/fsdownload/mariadb-10.3/sql/item.h:821
#10 Item_func::fix_fields (ref=<optimized out>, thd=0x7fbf78000c08, this=0x7fbf78012190)
    at /home/uos/fsdownload/mariadb-10.3/sql/item_func.cc:365
#11 Item_func::fix_fields (this=0x7fbf78012190, thd=0x7fbf78000c08, ref=<optimized out>)
    at /home/uos/fsdownload/mariadb-10.3/sql/item_func.cc:332
#12 0x00005651f8bc27fa in Item::fix_fields_if_needed (ref=0x7fbfdd3f5d18, thd=0x7fbf78000c08, this=0x7fbf78012190)



 Comments   
Comment by willcao [ 2021-11-18 ]

I am submitting the following patch as a proposed fix for the problem:

diff --git a/sql/sql_base.cc b/sql/sql_base.cc
index 0c72b4c1..5588dfac 100644
--- a/sql/sql_base.cc
+++ b/sql/sql_base.cc
@@ -5781,8 +5781,13 @@ Field *
 find_field_in_table(THD *thd, TABLE *table, const char *name, size_t length,
                     bool allow_rowid, uint *cached_field_index_ptr)
 {
-  Field *field;
-  uint cached_field_index= *cached_field_index_ptr;
+  Field *field = nullptr;
+  uint cached_field_index=0;
+  if(table == nullptr || table->s == nullptr)
+  {
+    DBUG_RETURN((Field*)0);
+  }
+  cached_field_index = *cached_field_index_ptr;
   DBUG_ENTER("find_field_in_table");
   DBUG_PRINT("enter", ("table: '%s', field name: '%s'", table->alias.c_ptr(),
                        name));
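Review bot: The new early exit `DBUG_RETURN((Field*)0);` is placed before `DBUG_ENTER("find_field_in_table")`, which the hunk leaves below the guard; in MariaDB's dbug macros DBUG_RETURN references the stack-frame object that DBUG_ENTER declares, so with DBUG_ON this path will not compile, and it would unbalance the trace stack even if it did. Move the guard after the enter, e.g. `DBUG_ENTER("find_field_in_table"); if (!table || !table->s) DBUG_RETURN(NULL);`, and drop the now-redundant `cached_field_index=0` initialisation. More importantly, the backtrace above shows `table=0x0` arriving from find_field_in_table_ref while resolving `col1` inside a DEFAULT expression during CREATE TABLE, i.e. a column reference reached name resolution before any TABLE object exists; answering "not found" here hides that upstream defect rather than rejecting the cross-column DEFAULT where it is parsed or checked (see the linked MDEV-25012). The function body continues past the end of the hunk.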
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index ae26458d..20956495 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -9314,6 +9314,10 @@ prev_record_reads(const POSITION *positions, uint idx, table_map found_ref)
 static JOIN_TAB *next_breadth_first_tab(JOIN_TAB *first_top_tab,
                                         uint n_top_tabs_count, JOIN_TAB *tab)
 {
+  if(tab == NULL || tab->join == NULL)
+  {
+    return NULL;
+  }
   n_top_tabs_count += tab->join->aggr_tables;
   if (!tab->bush_root_tab)
   {
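Review bot: Nothing in this report supports the new `tab == NULL || tab->join == NULL` guard in next_breadth_first_tab: the crash is entirely in name resolution, and no caller passing a NULL tab is shown, so this is a speculative defensive check rather than a fix. Returning NULL is presumably also the function's normal end-of-traversal result, so a caller would silently stop iterating instead of surfacing the broken invariant; if a NULL tab is impossible, `DBUG_ASSERT(tab && tab->join);` documents that far better. If the check is kept, it needs a comment naming the path that produces a NULL tab. The function's body continues beyond the hunk.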
@@ -18018,6 +18022,10 @@ create_tmp_table(THD *thd, TMP_TABLE_PARAM *param, List<Item> &fields,
     for (; cur_group ; cur_group= cur_group->next, key_part_info++)
     {
       Field *field=(*cur_group->item)->get_tmp_table_field();
+      if(field == NULL)
+      {
+        goto err;
+      }
       DBUG_ASSERT(field->table == table);
       bool maybe_null=(*cur_group->item)->maybe_null;
       key_part_info->null_bit=0;
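Review bot: The new `if (field == NULL) goto err;` turns a condition the very next line still treats as an invariant (`DBUG_ASSERT(field->table == table)` would catch it deterministically in debug builds) into a silent release-build failure: no error is pushed before the jump, so the client would presumably see only a generic failure with no diagnostic. Like the previous hunk this is unrelated to the reported stack trace and has no reproducing statement. Either leave the assertion as the contract, or report the condition explicitly with a my_error() call (choose an appropriate error code) before `goto err`, with a comment naming which item type can yield no temp-table field. create_tmp_table starts and ends outside the hunk.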

Comment by Alice Sherepa [ 2023-08-30 ]

No crash on current 10.4–11.2.
