[MDEV-28481] SIGSEGV in Lex_charset_collation_st::find_bin_collation Created: 2022-05-06  Updated: 2022-05-19  Resolved: 2022-05-12

Status: Closed
Project: MariaDB Server
Component/s: Character Sets, Data types
Affects Version/s: 10.9
Fix Version/s: 10.9.1

Type: Bug Priority: Critical
Reporter: Roel Van de Paar Assignee: Alexander Barkov
Resolution: Fixed Votes: 0
Labels: not-10.2, not-10.3, not-10.4, not-10.5, not-10.6, not-10.7, not-10.8, regression


Description

DROP DATABASE test;
SET SESSION collation_server=filename;
CREATE DATABASE test;
USE test;
CREATE TABLE t (c CHAR BINARY);

Leads to:

10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Optimized)

Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  Lex_charset_collation_st::find_bin_collation (cs=0x0)
    at /test/10.9_opt/sql/lex_charset.cc:47
47	    strxnmov(tmp, sizeof(tmp)-1, cs->cs_name.str, "_bin", NULL);
[Current thread is 1 (Thread 0x14f1281bf700 (LWP 1256133))]
(gdb) bt
#0  Lex_charset_collation_st::find_bin_collation (cs=0x0) at /test/10.9_opt/sql/lex_charset.cc:47
#1  Lex_charset_collation_st::find_bin_collation (cs=<optimized out>) at /test/10.9_opt/sql/lex_charset.cc:26
#2  0x00005607b69776d1 in Column_definition::prepare_charset_for_string (this=this@entry=0x14f0e4010fd0, dattr=dattr@entry=0x14f1281bcdb0) at /test/10.9_opt/sql/sql_type.h:273
#3  0x00005607b6a5d740 in Type_handler_string_result::Column_definition_prepare_stage1 (this=<optimized out>, thd=0x14f0e4000c58, mem_root=0x14f0e40067c8, def=0x14f0e4010fd0, file=0x14f0e40112b0, table_flags=2954625839647655134, derived_attr=0x14f1281bcdb0) at /test/10.9_opt/sql/sql_type.cc:3132
#4  0x00005607b6977996 in Column_definition::prepare_stage1 (this=this@entry=0x14f0e4010fd0, thd=thd@entry=0x14f0e4000c58, mem_root=<optimized out>, file=file@entry=0x14f0e40112b0, table_flags=<optimized out>, derived_attr=derived_attr@entry=0x14f1281bcdb0) at /test/10.9_opt/sql/sql_type.h:7441
#5  0x00005607b6978703 in mysql_prepare_create_table (thd=0x14f0e4000c58, create_info=0x14f1281bdcc0, alter_info=0x14f1281bdbd0, db_options=0x14f1281bcf08, file=0x14f0e40112b0, key_info_buffer=0x14f1281bd7a8, key_count=0x14f1281bd7a4, create_table_mode=0, db=<optimized out>, table_name=<optimized out>) at /test/10.9_opt/sql/handler.h:3453
#6  0x00005607b697c299 in mysql_create_frm_image (thd=0x14f0e4000c58, db=@0x14f0e40107e0: {str = 0x14f0e4010ea8 "test", length = 4}, table_name=@0x14f0e40107f0: {str = 0x14f0e4010790 "t", length = 1}, create_info=0x14f1281bdcc0, alter_info=0x14f1281bdbd0, create_table_mode=0, key_info=0x14f1281bd7a8, key_count=0x14f1281bd7a4, frm=0x14f1281bd7c0) at /test/10.9_opt/sql/sql_table.cc:4291
#7  0x00005607b698455a in create_table_impl (thd=thd@entry=0x14f0e4000c58, ddl_log_state_create=ddl_log_state_create@entry=0x14f1281bda70, ddl_log_state_rm=<optimized out>, orig_db=@0x14f0e40107e0: {str = 0x14f0e4010ea8 "test", length = 4}, orig_table_name=@0x14f0e40107f0: {str = 0x14f0e4010790 "t", length = 1}, db=@0x14f0e40107e0: {str = 0x14f0e4010ea8 "test", length = 4}, table_name=@0x14f0e40107f0: {str = 0x14f0e4010790 "t", length = 1}, path=@0x14f1281bd7b0: {str = 0x14f1281bd7d0 "./test/t", length = 8}, options={m_options = DDL_options_st::OPT_NONE}, create_info=0x14f1281bdcc0, alter_info=0x14f1281bdbd0, create_table_mode=0, is_trans=0x14f1281bda6f, key_info=0x14f1281bd7a8, key_count=0x14f1281bd7a4, frm=0x14f1281bd7c0) at /test/10.9_opt/sql/sql_table.cc:4603
#8  0x00005607b6984e68 in mysql_create_table_no_lock (thd=thd@entry=0x14f0e4000c58, ddl_log_state_create=ddl_log_state_create@entry=0x14f1281bda70, ddl_log_state_rm=ddl_log_state_rm@entry=0x14f1281bda90, db=db@entry=0x14f0e40107e0, table_name=table_name@entry=0x14f0e40107f0, create_info=create_info@entry=0x14f1281bdcc0, alter_info=0x14f1281bdbd0, is_trans=0x14f1281bda6f, create_table_mode=0, table_list=0x14f0e40107c8) at /test/10.9_opt/sql/sql_table.cc:4726
#9  0x00005607b6985254 in mysql_create_table (thd=thd@entry=0x14f0e4000c58, create_table=create_table@entry=0x14f0e40107c8, create_info=create_info@entry=0x14f1281bdcc0, alter_info=alter_info@entry=0x14f1281bdbd0) at /test/10.9_opt/sql/sql_table.cc:4838
#10 0x00005607b6986af9 in Sql_cmd_create_table_like::execute (this=<optimized out>, thd=0x14f0e4000c58) at /test/10.9_opt/sql/sql_table.cc:12342
#11 0x00005607b68d6256 in mysql_execute_command (thd=0x14f0e4000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:6006
#12 0x00005607b68c6a55 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14f0e4000c58) at /test/10.9_opt/sql/sql_parse.cc:8046
#13 mysql_parse (thd=0x14f0e4000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:7968
#14 0x00005607b68d271a in dispatch_command (command=COM_QUERY, thd=0x14f0e4000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.9_opt/sql/sql_class.h:1364
#15 0x00005607b68d4642 in do_command (thd=0x14f0e4000c58, blocking=blocking@entry=true) at /test/10.9_opt/sql/sql_parse.cc:1408
#16 0x00005607b69e95bf in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5607b9f239d8, put_in_cache=put_in_cache@entry=true) at /test/10.9_opt/sql/sql_connect.cc:1418
#17 0x00005607b69e989d in handle_one_connection (arg=0x5607b9f239d8) at /test/10.9_opt/sql/sql_connect.cc:1312
#18 0x000014f14caa7609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#19 0x000014f14c693163 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Debug)

Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000563d7736f453 in Lex_charset_collation_st::find_bin_collation (
    cs=0x0, cs@entry=0x563d78639840 <my_charset_filename>)
    at /test/10.9_dbg/sql/lex_charset.cc:47
47	    strxnmov(tmp, sizeof(tmp)-1, cs->cs_name.str, "_bin", NULL);
[Current thread is 1 (Thread 0x1531000a1700 (LWP 1259414))]
(gdb) bt
#0  0x0000563d7736f453 in Lex_charset_collation_st::find_bin_collation (cs=0x0, cs@entry=0x563d78639840 <my_charset_filename>) at /test/10.9_dbg/sql/lex_charset.cc:47
#1  0x0000563d7736f7d4 in Lex_charset_collation_st::resolved_to_character_set (this=this@entry=0x15310009ec30, def=0x563d78639840 <my_charset_filename>) at /test/10.9_dbg/sql/lex_charset.cc:129
#2  0x0000563d7724e33c in Column_definition::prepare_charset_for_string (this=this@entry=0x15305c0144f0, dattr=dattr@entry=0x15310009edc8) at /test/10.9_dbg/sql/sql_type.h:273
#3  0x0000563d77373062 in Type_handler_string_result::Column_definition_prepare_stage1 (this=<optimized out>, thd=0x15305c000db8, mem_root=0x15305c006ae8, def=0x15305c0144f0, file=0x15305c0147d0, table_flags=2954625839647655134, derived_attr=0x15310009edc8) at /test/10.9_dbg/sql/sql_type.cc:3132
#4  0x0000563d7724e649 in Column_definition::prepare_stage1 (this=this@entry=0x15305c0144f0, thd=thd@entry=0x15305c000db8, mem_root=<optimized out>, file=file@entry=0x15305c0147d0, table_flags=<optimized out>, derived_attr=derived_attr@entry=0x15310009edc8) at /test/10.9_dbg/sql/sql_type.h:7441
#5  0x0000563d77257911 in mysql_prepare_create_table (thd=thd@entry=0x15305c000db8, create_info=create_info@entry=0x15310009fca0, alter_info=alter_info@entry=0x15310009fbb0, db_options=db_options@entry=0x15310009ef08, file=file@entry=0x15305c0147d0, key_info_buffer=key_info_buffer@entry=0x15310009f798, key_count=0x15310009f794, create_table_mode=0, db=<optimized out>, table_name=<optimized out>) at /test/10.9_dbg/sql/handler.h:3453
#6  0x0000563d7725bbf5 in mysql_create_frm_image (thd=thd@entry=0x15305c000db8, db=@0x15305c013d00: {str = 0x15305c0143c8 "test", length = 4}, table_name=@0x15305c013d10: {str = 0x15305c013cb0 "t", length = 1}, create_info=create_info@entry=0x15310009fca0, alter_info=alter_info@entry=0x15310009fbb0, create_table_mode=create_table_mode@entry=0, key_info=0x15310009f798, key_count=0x15310009f794, frm=0x15310009f7b0) at /test/10.9_dbg/sql/sql_table.cc:4291
#7  0x0000563d7725c94e in create_table_impl (thd=thd@entry=0x15305c000db8, ddl_log_state_create=ddl_log_state_create@entry=0x15310009fa50, ddl_log_state_rm=<optimized out>, ddl_log_state_rm@entry=0x15310009fa70, orig_db=@0x15305c013d00: {str = 0x15305c0143c8 "test", length = 4}, orig_table_name=@0x15305c013d10: {str = 0x15305c013cb0 "t", length = 1}, db=@0x15305c013d00: {str = 0x15305c0143c8 "test", length = 4}, table_name=@0x15305c013d10: {str = 0x15305c013cb0 "t", length = 1}, path=@0x15310009f7a0: {str = 0x15310009f7c0 "./test/t", length = 8}, options=<optimized out>, create_info=0x15310009fca0, alter_info=0x15310009fbb0, create_table_mode=0, is_trans=0x15310009fa4f, key_info=0x15310009f798, key_count=0x15310009f794, frm=0x15310009f7b0) at /test/10.9_dbg/sql/sql_table.cc:4603
#8  0x0000563d7725d593 in mysql_create_table_no_lock (thd=thd@entry=0x15305c000db8, ddl_log_state_create=ddl_log_state_create@entry=0x15310009fa50, ddl_log_state_rm=ddl_log_state_rm@entry=0x15310009fa70, db=db@entry=0x15305c013d00, table_name=table_name@entry=0x15305c013d10, create_info=create_info@entry=0x15310009fca0, alter_info=0x15310009fbb0, is_trans=0x15310009fa4f, create_table_mode=0, table_list=0x15305c013ce8) at /test/10.9_dbg/sql/sql_table.cc:4726
#9  0x0000563d7725d98a in mysql_create_table (thd=thd@entry=0x15305c000db8, create_table=create_table@entry=0x15305c013ce8, create_info=create_info@entry=0x15310009fca0, alter_info=alter_info@entry=0x15310009fbb0) at /test/10.9_dbg/sql/sql_table.cc:4838
#10 0x0000563d7725f715 in Sql_cmd_create_table_like::execute (this=<optimized out>, thd=0x15305c000db8) at /test/10.9_dbg/sql/sql_table.cc:12342
#11 0x0000563d7718a03a in mysql_execute_command (thd=thd@entry=0x15305c000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.9_dbg/sql/sql_parse.cc:6006
#12 0x0000563d7717267b in mysql_parse (thd=thd@entry=0x15305c000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1531000a0470) at /test/10.9_dbg/sql/sql_parse.cc:8046
#13 0x0000563d7717ff79 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x15305c000db8, packet=packet@entry=0x15305c00b699 "CREATE TABLE t (c CHAR BINARY)", packet_length=packet_length@entry=30, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_class.h:1364
#14 0x0000563d77182686 in do_command (thd=0x15305c000db8, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:1408
#15 0x0000563d772dfd02 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x563d7a8c08a8, put_in_cache=put_in_cache@entry=true) at /test/10.9_dbg/sql/sql_connect.cc:1418
#16 0x0000563d772e020b in handle_one_connection (arg=0x563d7a8c08a8) at /test/10.9_dbg/sql/sql_connect.cc:1312
#17 0x00001531197b7609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x00001531193a3163 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.9.0 (dbg), 10.9.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.37 (dbg), 5.7.37 (opt), 8.0.28 (dbg), 8.0.28 (opt)

10.8:

10.8.3 9f5a3e568913e0810109554608c56c93f3ec24f8 (Debug)

10.8.3-dbg>CREATE TABLE t (a INT KEY,s1 CHAR(2) BINARY);
ERROR 1273 (HY000): Unknown collation: 'filename_bin'
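
The crash above is a NULL dereference: `CHAR BINARY` asks for the `<charset>_bin` collation, the `filename` character set has no `filename_bin`, and the lookup result is passed to `strxnmov` unchecked. The following C model is an added illustration, not MariaDB's code; its collation table, names and `ER_UNKNOWN_COLLATION` value are constructed for the example. It places the unchecked pattern beside a NULL-checked form that yields the `Unknown collation` error that 10.8 reported instead of crashing.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of charset/collation resolution (not MariaDB
   code). A character set owns several collations; "filename" owns only itself. */
typedef struct { const char *cs_name; const char *coll_name; } collation_t;

static const collation_t collations[] = {
    {"latin1",   "latin1_swedish_ci"},  {"latin1",  "latin1_bin"},
    {"utf8mb4",  "utf8mb4_general_ci"}, {"utf8mb4", "utf8mb4_bin"},
    {"filename", "filename"},  /* no filename_bin collation exists */
};

/* CHAR BINARY means "use <charset>_bin": return it, or NULL when absent. */
static const collation_t *find_bin_collation(const char *cs_name) {
  char tmp[64];
  snprintf(tmp, sizeof tmp, "%s_bin", cs_name);
  for (size_t i = 0; i < sizeof collations / sizeof collations[0]; i++)
    if (strcmp(collations[i].coll_name, tmp) == 0)
      return &collations[i];
  return NULL;
}

/* Defect pattern from the trace: the lookup result is used unchecked, so a
   charset without a _bin collation dereferences NULL (the SIGSEGV above). */
static const char *binary_collation_name_unchecked(const char *cs_name) {
  return find_bin_collation(cs_name)->coll_name;
}

/* Hardened form: NULL is an expected outcome and becomes the error that
   10.8 reported instead of a crash (ERROR 1273, Unknown collation). */
#define ER_UNKNOWN_COLLATION 1273
static const char *binary_collation_name(const char *cs_name) {
  const collation_t *c = find_bin_collation(cs_name);
  return c ? c->coll_name : NULL;
}

static int binary_collation_error(const char *cs_name, char *msg, size_t len) {
  if (binary_collation_name(cs_name)) return 0;
  snprintf(msg, len, "Unknown collation: '%s_bin'", cs_name);
  return ER_UNKNOWN_COLLATION;
}

int main(void) {
  char msg[96];
  printf("latin1 BINARY -> %s\n", binary_collation_name_unchecked("latin1"));
  printf("filename BINARY -> error %d: %s\n",
         binary_collation_error("filename", msg, sizeof msg), msg);
  return 0;
}
```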

Comments
Comment by Alexander Barkov [ 2022-05-12 ]

A shorter script reproducing the problem:

DROP TABLE IF EXISTS t1;
CREATE TABLE t1 (c CHAR BINARY) CHARACTER SET filename;

Comment by Roel Van de Paar [ 2022-05-19 ]

Some new stacks seen with this testcase:

DROP DATABASE test;
SET SESSION collation_server=filename;
CREATE DATABASE test;
USE test;
CREATE TABLE t0 (c ENUM ('') BINARY);

Likely already fixed with the bugfix, adding for completeness/testing.

UniqueIDs/Stacks seen with this testcase:

SIGSEGV|Lex_charset_collation_st::find_bin_collation|Lex_charset_collation_st::find_bin_collation|Column_definition::prepare_charset_for_string|Type_handler_typelib::Column_definition_prepare_stage1
SIGSEGV|Lex_charset_collation_st::find_bin_collation|Lex_charset_collation_st::resolved_to_character_set|Column_definition::prepare_charset_for_string|Type_handler_typelib::Column_definition_prepare_stage1
