List of all stacks seen with the testcase above across versions:
SIGSEGV|Binary_string::q_append|spider_string::q_append|spider_db_mbase_row::append_to_str|spider_db_fetch_for_item_sum_func
|
SIGSEGV|Static_binary_string::q_append|spider_string::q_append|spider_db_mbase_row::append_to_str|spider_db_fetch_for_item_sum_func
|
SIGSEGV|my_strntoull10rnd_8bit|charset_info_st::strntoull10rnd|Field_longlong::store|spider_db_mbase_row::store_to_field
|
I've confirmed that the bug is reproducible on 10.5 HEAD.
The crash happens because invalid data is passed to q_append.
(rr) frame
|
#3 0x00007fdb0d36ed6b in spider_db_mbase_row::append_to_str (this=0x7fdafc03c5b0, str=0x7fdb0d807cb0)
|
at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/storage/spider/spd_db_mysql.cc:454
|
454 str->q_append(*row, *lengths);
|
(rr) p *row
|
$17 = 0xa5a5a5a5a5a50031 <error: Cannot access memory at address 0xa5a5a5a5a5a50031>
|
$29 = 0xa5a5a5a5a5a50031 <error: Cannot access memory at address 0xa5a5a5a5a5a50031>
|
(rr) watch -l ((spider_db_mbase_row*) row)->row
|
Hardware watchpoint 3: -location ((spider_db_mbase_row*) row)->row
|
(rr) rc
|
Continuing.
|
...
|
Thread 2 hit Hardware watchpoint 3: -location ((spider_db_mbase_row*) row)->row
|
|
|
Old value = (char **) 0x7fdafc0ca140
|
New value = (char **) 0x7fdafc0ca138
|
0x00007fdb0d36f134 in spider_db_mbase_row::next (this=0x7fdafc03c5b0) at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/storage/spider/spd_db_mysql.cc:486
|
486 row++;
|
(rr) bt
|
#0 0x00007fdb0d36f134 in spider_db_mbase_row::next (this=0x7fdafc03c5b0) at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/storage/spider/spd_db_mysql.cc:486
|
#1 0x00007fdb0d2924e4 in spider_db_fetch_for_item_sum_func (row=0x7fdafc03c5b0, item_sum=0x7fdafc015998, spider=0x7fdafc0ca900)
|
at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/storage/spider/spd_db_conn.cc:2936
|
#2 0x00007fdb0d291bb0 in spider_db_fetch_for_item_sum_funcs (row=0x7fdafc03c5b0, spider=0x7fdafc0ca900)
|
at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/storage/spider/spd_db_conn.cc:2794
|
#3 0x00007fdb0d2931e7 in spider_db_fetch_table (spider=0x7fdafc0ca900, buf=0x7fdafc14f168 "\377", table=0x7fdafc14e090, result_list=0x7fdafc0cae90)
|
at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/storage/spider/spd_db_conn.cc:3204
|
#4 0x00007fdb0d29ab92 in spider_db_fetch (buf=0x7fdafc14f168 "\377", spider=0x7fdafc0ca900, table=0x7fdafc14e090)
|
at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/storage/spider/spd_db_conn.cc:4978
|
#5 0x00007fdb0d29e0db in spider_db_seek_next (buf=0x7fdafc14f168 "\377", spider=0x7fdafc0ca900, link_idx=0, table=0x7fdafc14e090)
|
at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/storage/spider/spd_db_conn.cc:5496
|
#6 0x00007fdb0d3ca156 in spider_group_by_handler::next_row (this=0x7fdafc0fccc0)
|
at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/storage/spider/spd_group_by_handler.cc:1597
|
#7 0x00005642b103cd38 in Pushdown_query::execute (this=0x7fdafc0198c0, join=0x7fdafc017088)
|
at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/sql/group_by_handler.cc:64
|
#8 0x00005642b0fe25b7 in do_select (join=0x7fdafc017088, procedure=0x0) at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/sql/sql_select.cc:20396
|
#9 0x00005642b0fb529d in JOIN::exec_inner (this=0x7fdafc017088) at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/sql/sql_select.cc:4560
|
#10 0x00005642b0fb435f in JOIN::exec (this=0x7fdafc017088) at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/sql/sql_select.cc:4340
|
#11 0x00005642b0fb5c40 in mysql_select (thd=0x7fdafc000dc8, tables=0x7fdafc015f40, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0,
|
select_options=2147748608, result=0x7fdafc017060, unit=0x7fdafc004f70, select_lex=0x7fdafc0153c8)
|
at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/sql/sql_select.cc:4817
|
#12 0x00005642b0fa4e82 in handle_select (thd=0x7fdafc000dc8, lex=0x7fdafc004ea8, result=0x7fdafc017060, setup_tables_done_option=0)
|
at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/sql/sql_select.cc:444
|
#13 0x00005642b0f6513c in execute_sqlcom_select (thd=0x7fdafc000dc8, all_tables=0x7fdafc015f40)
|
at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/sql/sql_parse.cc:6315
|
#14 0x00005642b0f5c148 in mysql_execute_command (thd=0x7fdafc000dc8) at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/sql/sql_parse.cc:4006
|
#15 0x00005642b0f6a1d7 in mysql_parse (thd=0x7fdafc000dc8, rawbuf=0x7fdafc015320 "SELECT MAX(a),MAX(COALESCE(a)) FROM t1", length=38, parser_state=0x7fdb0d8092b0,
|
is_com_multi=false, is_next_command=false) at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/sql/sql_parse.cc:8101
|
#16 0x00005642b0f55998 in dispatch_command (command=COM_QUERY, thd=0x7fdafc000dc8, packet=0x7fdafc00b5d9 "", packet_length=38, is_com_multi=false,
|
is_next_command=false) at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/sql/sql_parse.cc:1891
|
#17 0x00005642b0f5413a in do_command (thd=0x7fdafc000dc8) at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/sql/sql_parse.cc:1375
|
#18 0x00005642b110fa46 in do_handle_one_connection (connect=0x5642b4e08608, put_in_cache=true)
|
at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/sql/sql_connect.cc:1416
|
#19 0x00005642b110f7b6 in handle_one_connection (arg=0x5642b4e08608) at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/sql/sql_connect.cc:1318
|
#20 0x00005642b165990c in pfs_spawn_thread (arg=0x5642b4e50648) at /home/nayuta_mariadb/repo/mariadb-community-server/10.5/storage/perfschema/pfs.cc:2201
|
#21 0x00007fdb13a94b43 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
|
#22 0x00007fdb13b25bb4 in clone () from /lib/x86_64-linux-gnu/libc.so.6
|
Based on the above rr trace, I think that the problem lies in the implementation of the feature so-called "direct aggregate."
Additional stacks with this testcase:
INSTALL PLUGIN Spider SONAME 'ha_spider.so'; |
CREATE USER Spider@localhost IDENTIFIED BY 'PWD123'; |
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock', DATABASE 'test', USER 'Spider', PASSWORD 'PWD123'); |
CREATE TABLE t (c INT) ENGINE=InnoDB; |
CREATE TABLE t1 (c INT) ENGINE=Spider COMMENT='WRAPPER "mysql", srv "srv", TABLE "t"'; |
SELECT * FROM t1 ORDER BY CAST(c AS INET6); |
UniqueID's observed (all new):
SIGSEGV|Binary_string::q_append|spider_string::q_append|spider_db_mbase_util::open_item_func|spider_db_open_item_func
|
SIGSEGV|Binary_string::q_append|spider_string::q_append|spider_db_mbase_util::open_item_func|spider_mbase_handler::append_list_item_select
|
SIGSEGV|Static_binary_string::q_append|spider_string::q_append|spider_db_mbase_util::open_item_func|spider_db_open_item_func
|
SIGSEGV|Static_binary_string::q_append|spider_string::q_append|spider_db_mbase_util::open_item_func|spider_mbase_handler::append_list_item_select
|
MTR test case:
--disable_query_log
|
--disable_result_log
|
--source ../../t/test_init.inc
|
--enable_result_log
|
--enable_query_log
|
|
|
CREATE TABLE t (a INT) ENGINE=InnoDB; |
INSERT INTO t VALUES (1); |
|
|
--disable_query_log
|
eval CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET "$MASTER_1_MYSOCK", DATABASE 'test',user 'root'); |
--enable_query_log
|
CREATE TABLE t1 (a INT KEY) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"'; |
|
|
SELECT MAX(a),MAX(COALESCE(a)) FROM t1; |
|
|
DROP TABLE t; |
|
|
--disable_query_log
|
--disable_result_log
|
--source ../../t/test_deinit.inc
|
--enable_result_log
|
--enable_query_log |
I've confirmed that the above test case crashes even on mariadb-10.5.15. So, the bug is not introduced recently. Not a blocker.
The following testcase (repeat SQL if needed) produces a slightly different stack on 10.11 optimized.
INSTALL PLUGIN Spider SONAME 'ha_spider.so'; |
CREATE USER Spider@localhost IDENTIFIED BY 'PWD123'; |
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock', DATABASE 'test', USER 'Spider', PASSWORD 'PWD123'); |
CREATE TABLE t (c1 INT) ENGINE=InnoDB; |
CREATE TABLE t1 (c1 INT AUTO_INCREMENT, PRIMARY KEY(c1)) ENGINE=Spider COMMENT='WRAPPER "mysql", srv "srv", TABLE "t"' COMMENT='TABLE "st"' PARTITION BY LIST COLUMNS (c1) (PARTITION p1 DEFAULT COMMENT='srv "d"' ENGINE=Spider COMMENT='WRAPPER "mysql", srv "srv", TABLE "t"'); |
INSERT INTO t1 VALUES (0xA9DA); |
SELECT COUNT(*) AS total_rows, MIN(c1) AS min_value, MAX(c1) FROM t1; |
Leads to:
|
10.11.1 50c5743adc87e1cdec1431a02558f6540fe5a6d5 (Optimized) |
Core was generated by `/test/MD221022-mariadb-10.11.1-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 __memmove_avx_unaligned_erms ()
|
at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:238
|
[Current thread is 1 (Thread 0x1512ec8a0700 (LWP 428186))]
|
(gdb) bt
|
#0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:238
|
#1 0x00001512ec7e290f in memcpy (__len=33, __src=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
|
#2 Binary_string::q_append (this=0x1512ec89df10, this=0x1512ec89df10, data_len=33, data=<optimized out>) at /test/10.11_opt/sql/sql_string.h:375
|
#3 spider_string::q_append (this=this@entry=0x1512ec89df00, data=<optimized out>, data_len=33) at /test/10.11_opt/storage/spider/spd_malloc.cc:1112
|
#4 0x00001512ec7ffe69 in spider_db_mbase_row::append_to_str (str=0x1512ec89df00, this=0x151294068240) at /test/10.11_opt/storage/spider/spd_db_mysql.cc:443
|
#5 spider_db_mbase_row::append_to_str (this=0x151294068240, str=0x1512ec89df00) at /test/10.11_opt/storage/spider/spd_db_mysql.cc:436
|
#6 0x00001512ec79d4c1 in spider_db_fetch_for_item_sum_func (row=0x151294068240, item_sum=0x151294011358, spider=0x15129403ea30) at /test/10.11_opt/storage/spider/spd_db_conn.cc:2221
|
#7 0x00001512ec79d880 in spider_db_fetch_for_item_sum_funcs (row=0x151294068240, spider=spider@entry=0x15129403ea30) at /test/10.11_opt/storage/spider/spd_db_conn.cc:2108
|
#8 0x00001512ec79de9c in spider_db_fetch_table (spider=spider@entry=0x15129403ea30, buf=0x1512940828b0 "\377", table=0x1512940817e0, result_list=result_list@entry=0x15129403efb0) at /test/10.11_opt/storage/spider/spd_db_conn.cc:2449
|
#9 0x00001512ec7a1955 in spider_db_fetch (buf=<optimized out>, spider=0x15129403ea30, table=<optimized out>) at /test/10.11_opt/storage/spider/spd_db_conn.cc:3948
|
#10 0x00001512ec7a1c59 in spider_db_seek_next (buf=0x15129403ea30 "\bu\204\354\022\025", spider=<optimized out>, link_idx=<optimized out>, table=0x151294012548) at /test/10.11_opt/storage/spider/spd_db_conn.cc:4427
|
#11 0x00001512ec81de53 in spider_group_by_handler::next_row (this=0x5633992a93c0) at /test/10.11_opt/storage/spider/spd_group_by_handler.cc:1575
|
#12 spider_group_by_handler::next_row (this=0x5633992a93c0) at /test/10.11_opt/storage/spider/spd_group_by_handler.cc:1508
|
#13 0x0000563395b529ea in Pushdown_query::execute (this=0x151294014390, join=join@entry=0x151294012548) at /test/10.11_opt/sql/group_by_handler.cc:64
|
#14 0x0000563395b34435 in do_select (procedure=<optimized out>, join=0x151294012548) at /test/10.11_opt/sql/sql_select.cc:21207
|
#15 JOIN::exec_inner (this=0x151294012548) at /test/10.11_opt/sql/sql_select.cc:4813
|
#16 0x0000563395b34dc8 in JOIN::exec (this=this@entry=0x151294012548) at /test/10.11_opt/sql/sql_select.cc:4591
|
#17 0x0000563395b32fd1 in mysql_select (thd=0x151294000c58, tables=0x1512940114f8, fields=@0x151294010be8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x151294010f68, last = 0x151294011498, elements = 3}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x151294012520, unit=0x151294004cd8, select_lex=0x151294010948) at /test/10.11_opt/sql/sql_select.cc:5071
|
#18 0x0000563395b33717 in handle_select (thd=thd@entry=0x151294000c58, lex=lex@entry=0x151294004c00, result=result@entry=0x151294012520, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.11_opt/sql/sql_select.cc:582
|
#19 0x0000563395ab52e1 in execute_sqlcom_select (thd=0x151294000c58, all_tables=0x1512940114f8) at /test/10.11_opt/sql/sql_parse.cc:6261
|
#20 0x0000563395ac2e6b in mysql_execute_command (thd=0x151294000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:3945
|
#21 0x0000563395ab0335 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x151294000c58) at /test/10.11_opt/sql/sql_parse.cc:8023
|
#22 mysql_parse (thd=0x151294000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7945
|
#23 0x0000563395abc0ea in dispatch_command (command=COM_QUERY, thd=0x151294000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1346
|
#24 0x0000563395abdee2 in do_command (thd=0x151294000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
|
#25 0x0000563395bd7fbf in do_handle_one_connection (connect=<optimized out>, connect@entry=0x563399592c18, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1416
|
#26 0x0000563395bd829d in handle_one_connection (arg=0x563399592c18) at /test/10.11_opt/sql/sql_connect.cc:1318
|
#27 0x00001513062ef609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#28 0x0000151305edb133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
Across versions we see:
SIGSEGV|Binary_string::q_append|spider_string::q_append|spider_db_mbase_row::append_to_str|spider_db_fetch_for_item_sum_func
|
SIGSEGV|Binary_string::q_append|spider_string::q_append|spider_db_mbase_row::append_to_str|spider_db_mbase_row::append_to_str
|
SIGSEGV|Static_binary_string::q_append|spider_string::q_append|spider_db_mbase_row::append_to_str|spider_db_fetch_for_item_sum_func
|
SIGSEGV|Static_binary_string::q_append|spider_string::q_append|spider_db_mbase_row::append_to_str|spider_db_mbase_row::append_to_str
|
I find the testcase in the report somewhat contrived and complicated, and I modified it by changing `SELECT MAX(a),MAX(COALESCE(a)) FROM t1;` (let's call it q1) to `SELECT MAX(a),SUM(a) FROM t1;` (let's call it q2), and I got the same kind of failure in 10.5, i.e. caused by the second iteration in the for loop in `spider_db_fetch_for_item_sum_funcs` using a `row` at an inaccessible memory address, which was caused by the `row++` in `spider_db_mbase_row::next`.
The problem with using q2 is that the test fails in even very old commits, e.g. 29098083f7a which is from 2021-06-25. Whereas the test using q1 passes not-so-old commits, e.g. e928fdbff13690 which was from 2022-02-14. Why this happens, including whether the sigsegv in q2 with older commits has the same cause as the original report requires further investigation.
Some other observations:
in 10.5 HEAD, the following combination of `SELECT f1(a), f2(a) from t1;` pass
- MAX, MIN
- MAX, MAX
- SUM, COUNT
the following fail with sigsegv with the same cause as this report
- MAX, SUM
- MAX,COUNT
Of these, the (SUM, COUNT)-combination does not trigger direct aggregate. (MAX, MIN) triggers direct aggregate, but the loop inside spider_db_fetch_for_item_sum_funcs() is empty (iterates 0 times), avoiding the sigsegv.
These analysis are of course rather low level, not accounting the meaning of statments like row->next().
The direct aggregate code is very old, from 2013, so I would like to `git bisect` the error. However, given q2 causes tests failure as far back as 2021-06 with seemingly different sorts of failures for older commits, it is a bit tricky how to proceed. I will try the following and decide:
1. analyse q2 failures from old commits, to find out whether it has the same cause as this report (in a low level sense as above)
2. look for an old commit where q2 passes. it is possible that q2 failed even from 2013 when direct aggregate was introduced
The test failure with a similar symptom (inaccessible memory addr) in the report is reproducible at commit 1015cbde5985e7e89c887ab30ce7c772671194c5 which is from 2021-01. So both SELECT MAX(a),MAX(COALESCE(a)) FROM t1; and SELECT MAX(a),SUM(a) FROM t1; fail in older commits.
Omitting trace from 36 threads:
[Current thread is 1 (Thread 0x7f8ba9a5e700 (LWP 314229))]
|
#0 0x00007f8bb139cf44 in pthread_kill () from /lib/x86_64-linux-gnu/libpthread.so.0
|
#1 0x000055604faf56ab in my_write_core (sig=11) at /home/ycp/source/mariadb-server/10.5/src/mysys/stacktrace.c:424
|
#2 0x000055604f1fd0ed in handle_fatal_signal (sig=11) at /home/ycp/source/mariadb-server/10.5/src/sql/signal_handler.cc:330
|
#3 <signal handler called>
|
#4 0x000055604fb339e6 in my_strntoull10rnd_8bit (cs=0x55605069bc80 <my_charset_latin1>, str=0xa5a5a5a5a5a50031 <error: Cannot access memory at address 0xa5a5a5a5a5a50031>, length=360330344, unsigned_flag=0, endptr=0x7f8ba9a5c108, error=0x7f8ba9a5c104) at /home/ycp/source/mariadb-server/10.5/src/strings/ctype-simple.c:1601
|
#5 0x000055604f1e76c2 in charset_info_st::strntoull10rnd (this=0x55605069bc80 <my_charset_latin1>, str=0xa5a5a5a5a5a50031 <error: Cannot access memory at address 0xa5a5a5a5a5a50031>, length=360330344, unsigned_fl=0, endptr=0x7f8ba9a5c108, error=0x7f8ba9a5c104) at /home/ycp/source/mariadb-server/10.5/src/include/m_ctype.h:722
|
#6 0x000055604f1cd64b in Field_longlong::store (this=0x7f8b78145900, from=0xa5a5a5a5a5a50031 <error: Cannot access memory at address 0xa5a5a5a5a5a50031>, len=360330344, cs=0x55605069bc80 <my_charset_latin1>) at /home/ycp/source/mariadb-server/10.5/src/sql/field.cc:4466
|
#7 0x00007f8b9975d564 in spider_db_mbase_row::store_to_field (this=0x7f8b7803cd60, field=0x7f8b78145900, access_charset=0x55605069bc80 <my_charset_latin1>) at /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_db_mysql.cc:442
|
#8 0x00007f8b996896b8 in spider_db_fetch_row (share=0x7f8b780f0c48, field=0x7f8b78145900, row=0x7f8b7803cd60, ptr_diff=0) at /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_db_conn.cc:3097
|
#9 0x00007f8b99689c48 in spider_db_fetch_table (spider=0x7f8b780c66f0, buf=0x7f8b781459d8 "\375", table=0x7f8b78144930, result_list=0x7f8b780c6c70) at /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_db_conn.cc:3235
|
#10 0x00007f8b996910ad in spider_db_fetch (buf=0x7f8b781459d8 "\375", spider=0x7f8b780c66f0, table=0x7f8b78144930) at /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_db_conn.cc:4963
|
#11 0x00007f8b996943be in spider_db_seek_next (buf=0x7f8b781459d8 "\375", spider=0x7f8b780c66f0, link_idx=0, table=0x7f8b78144930) at /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_db_conn.cc:5481
|
#12 0x00007f8b997b3389 in spider_group_by_handler::next_row (this=0x7f8b781447f0) at /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_group_by_handler.cc:1597
|
#13 0x000055604ef7c2b9 in Pushdown_query::execute (this=0x7f8b78016d90, join=0x7f8b78014920) at /home/ycp/source/mariadb-server/10.5/src/sql/group_by_handler.cc:64
|
#14 0x000055604ef2539a in do_select (join=0x7f8b78014920, procedure=0x0) at /home/ycp/source/mariadb-server/10.5/src/sql/sql_select.cc:20073
|
#15 0x000055604eef9720 in JOIN::exec_inner (this=0x7f8b78014920) at /home/ycp/source/mariadb-server/10.5/src/sql/sql_select.cc:4462
|
#16 0x000055604eef8845 in JOIN::exec (this=0x7f8b78014920) at /home/ycp/source/mariadb-server/10.5/src/sql/sql_select.cc:4242
|
#17 0x000055604eef9edc in mysql_select (thd=0x7f8b78000db8, tables=0x7f8b780137f0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147486464, result=0x7f8b780148f8, unit=0x7f8b78004f58, select_lex=0x7f8b78012c98) at /home/ycp/source/mariadb-server/10.5/src/sql/sql_select.cc:4658
|
#18 0x000055604eee9ce8 in handle_select (thd=0x7f8b78000db8, lex=0x7f8b78004e90, result=0x7f8b780148f8, setup_tables_done_option=0) at /home/ycp/source/mariadb-server/10.5/src/sql/sql_select.cc:417
|
#19 0x000055604eead95a in execute_sqlcom_select (thd=0x7f8b78000db8, all_tables=0x7f8b780137f0) at /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:6272
|
#20 0x000055604eea4a63 in mysql_execute_command (thd=0x7f8b78000db8) at /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:3968
|
#21 0x000055604eeb2733 in mysql_parse (thd=0x7f8b78000db8, rawbuf=0x7f8b78012bf0 "SELECT MAX(a),MAX(COALESCE(a)) FROM t1", length=38, parser_state=0x7f8ba9a5d490, is_com_multi=false, is_next_command=false) at /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:8053
|
#22 0x000055604ee9e84e in dispatch_command (command=COM_QUERY, thd=0x7f8b78000db8, packet=0x7f8b780091c9 "", packet_length=38, is_com_multi=false, is_next_command=false) at /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:1872
|
#23 0x000055604ee9d069 in do_command (thd=0x7f8b78000db8) at /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:1353
|
#24 0x000055604f0454ac in do_handle_one_connection (connect=0x556051aeb098, put_in_cache=true) at /home/ycp/source/mariadb-server/10.5/src/sql/sql_connect.cc:1410
|
#25 0x000055604f04521e in handle_one_connection (arg=0x556051aeb098) at /home/ycp/source/mariadb-server/10.5/src/sql/sql_connect.cc:1312
|
#26 0x000055604f54a55c in pfs_spawn_thread (arg=0x556051a29918) at /home/ycp/source/mariadb-server/10.5/src/storage/perfschema/pfs.cc:2201
|
#27 0x00007f8bb1394ea7 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
|
#28 0x00007f8bb0c16a2f in clone () from /lib/x86_64-linux-gnu/libc.so.6
|
I just tried an older commit, ae3a7d5e437 from 2020-06, and it does not build on my debian 11 system with its standard versions of packages. From this and the fact that commits as old as 2021-01 display the same sort of failures, I think it is safe to conclude git bisect is not a productive path to tackle this issue.
Build error just in case:
In file included from /home/ycp/source/mariadb-server/10.5/src/include/my_sys.h:22, |
from /home/ycp/source/mariadb-server/10.5/src/include/waiting_threads.h:20, |
from /home/ycp/source/mariadb-server/10.5/src/sql/sql_class.h:24, |
from /home/ycp/source/mariadb-server/10.5/src/sql/sql_class.cc:33: |
/home/ycp/source/mariadb-server/10.5/src/sql/sql_class.cc: In constructor ‘THD::THD(bool)’: |
/home/ycp/source/mariadb-server/10.5/src/include/m_string.h:60:49: error: ‘void* memset(void*, int, size_t)’ clearing an object of non-trivial type ‘struct Ha_data’; use assignment or value-initialization instead [-Werror=class-memaccess] |
60 | # define bzero(A,B) memset((A),0,(B)) |
| ^
|
/home/ycp/source/mariadb-server/10.5/src/sql/sql_class.cc:872:3: note: in expansion of macro ‘bzero’ |
872 | bzero(ha_data, sizeof(ha_data)); |
| ^~~~~
|
In file included from /home/ycp/source/mariadb-server/10.5/src/sql/sql_class.cc:33: |
/home/ycp/source/mariadb-server/10.5/src/sql/sql_class.h:1709:8: note: ‘struct Ha_data’ declared here |
1709 | struct Ha_data |
| ^~~~~~~
|
[ 92%] Building CXX object sql/CMakeFiles/sql.dir/sql_digest.cc.o |
[ 92%] Building CXX object sql/CMakeFiles/sql.dir/sql_do.cc.o |
[ 92%] Building CXX object sql/CMakeFiles/sql.dir/sql_error.cc.o |
cc1plus: all warnings being treated as errors
|
gmake[2]: *** [sql/CMakeFiles/sql.dir/build.make:916: sql/CMakeFiles/sql.dir/sql_class.cc.o] Error 1 |
gmake[2]: *** Waiting for unfinished jobs.... |
gmake[1]: *** [CMakeFiles/Makefile2:7922: sql/CMakeFiles/sql.dir/all] Error 2 |
gmake: *** [Makefile:182: all] Error 2 |
So there seems to be a mismatch between the item and the "row" in the direct aggregate.
Let's for example consider this case
--disable_query_log
|
--disable_result_log
|
--source ../../t/test_init.inc
|
--enable_result_log
|
--enable_query_log
|
|
CREATE TABLE t (a INT) ENGINE=InnoDB; |
INSERT INTO t VALUES (23),(38); |
|
--disable_query_log
|
eval CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET "$MASTER_1_MYSOCK", DATABASE 'test',user 'root'); |
--enable_query_log
|
CREATE TABLE t1 (a INT KEY) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"'; |
|
SELECT MAX(a),SUM(a) FROM t1; |
|
DROP TABLE t; |
|
--disable_query_log
|
--disable_result_log
|
--source ../../t/test_deinit.inc
|
--enable_result_log
|
--enable_query_log |
When the code first reaches the direct aggregate "dispatcher" spider_db_fetch_for_item_sum_func(), item_sum corresponds to MAX(a) but row corresponds to SUM(a). To see this, break at the point where item_sum is cast to an item_sum_min_max:
Item_sum_min_max *item_sum_min_max = (Item_sum_min_max *) item_sum;
|
|
(rr) p item_sum_min_max->name
|
$14 = {str = 0x7f57300157f8 "MAX(a)", length = 6}
|
(rr) p row->val_int()
|
$16 = 61
|
It is no wonder row->next() results in an invalid item, because it already corresponds to the second of the two aggregate items!
The row was set in spider_db_fetch_table():
row = current->first_position[result_list->current_row_num].row;
|
How this mismatch happens requires further investigation.
The commit for MDEV-20502 introduces a skip of const items, which causes the problem in this ticket.
Indeed, the commit (69c86abb646361c607a248f079f8fd4e600dcada) in MDEV-20502 caused the breakage. The test passes on its parent commit, and fails on this commit.
Reverting the commit 69c86abb646361c607a248f079f8fd4e600dcada in 10.5 HEAD results in a similar failure, though the trace is slightly different
#0 0x0000558a563e9e42 in internal_str2dec (
|
from=0xa5a5003137003834 <error: Cannot access memory at address 0xa5a5003137003834>, to=0x7ff8baf20f80, end=0x7ff8baf20e78, fixed=0 '\000')
|
at /home/ycp/source/mariadb-server/10.5/src/strings/decimal.c:806
|
#1 0x0000558a55c10672 in str2my_decimal (mask=20,
|
from=0xa5a5003137003834 <error: Cannot access memory at address 0xa5a5003137003834>, length=10344644713796744296,
|
charset=0x558a56f526a0 <my_charset_latin1>, decimal_value=0x7ff8baf20f80,
|
end_ptr=0x7ff8baf20f50)
|
at /home/ycp/source/mariadb-server/10.5/src/sql/my_decimal.cc:256
|
#2 0x0000558a55a4b30e in Field_new_decimal::store (this=0x7ff8d8171f10,
|
from=0xa5a5003137003834 <error: Cannot access memory at address 0xa5a5003137003834>, length=10344644713796744296,
|
charset_arg=0x558a56f526a0 <my_charset_latin1>)
|
at /home/ycp/source/mariadb-server/10.5/src/sql/field.cc:3441
|
#3 0x00007ff8ba95cdd0 in spider_db_mbase_row::store_to_field (
|
this=0x7ff8d803fb10, field=0x7ff8d8171f10,
|
access_charset=0x558a56f526a0 <my_charset_latin1>)
|
at /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_db_mysql.cc:442
|
#4 0x00007ff8ba889990 in spider_db_fetch_row (share=0x7ff8d811ea18,
|
field=0x7ff8d8171f10, row=0x7ff8d803fb10, ptr_diff=0)
|
at /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_db_conn.cc:3112
|
#5 0x00007ff8ba889f20 in spider_db_fetch_table (spider=0x7ff8d80f4720,
|
buf=0x7ff8d8171ff0 <incomplete sequence \375\200>, table=0x7ff8d8170f20,
|
result_list=0x7ff8d80f4cb0)
|
at /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_db_conn.cc:3250
|
#6 0x00007ff8ba891347 in spider_db_fetch (
|
buf=0x7ff8d8171ff0 <incomplete sequence \375\200>, spider=0x7ff8d80f4720,
|
table=0x7ff8d8170f20)
|
at /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_db_conn.cc:4975
|
#7 0x00007ff8ba894658 in spider_db_seek_next (
|
buf=0x7ff8d8171ff0 <incomplete sequence \375\200>, spider=0x7ff8d80f4720,
|
link_idx=0, table=0x7ff8d8170f20)
|
at /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_db_conn.cc:5493
|
#8 0x00007ff8ba9b2fef in spider_group_by_handler::next_row (
|
this=0x7ff8d8170de0)
|
at /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_group_by_handler.cc:1597
|
#9 0x0000558a557f39e1 in Pushdown_query::execute (this=0x7ff8d8019be0,
|
join=0x7ff8d80176c0)
|
at /home/ycp/source/mariadb-server/10.5/src/sql/group_by_handler.cc:64
|
#10 0x0000558a5579b934 in do_select (join=0x7ff8d80176c0, procedure=0x0)
|
at /home/ycp/source/mariadb-server/10.5/src/sql/sql_select.cc:20472
|
#11 0x0000558a5576f0a9 in JOIN::exec_inner (this=0x7ff8d80176c0)
|
at /home/ycp/source/mariadb-server/10.5/src/sql/sql_select.cc:4569
|
#12 0x0000558a5576e1ab in JOIN::exec (this=0x7ff8d80176c0)
|
at /home/ycp/source/mariadb-server/10.5/src/sql/sql_select.cc:4349
|
#13 0x0000558a5576fa01 in mysql_select (thd=0x7ff8d8002718,
|
tables=0x7ff8d8016528, fields=..., conds=0x0, og_num=0, order=0x0,
|
group=0x0, having=0x0, proc_param=0x0, select_options=2147486464,
|
result=0x7ff8d8017698, unit=0x7ff8d80068c8, select_lex=0x7ff8d80159f8)
|
at /home/ycp/source/mariadb-server/10.5/src/sql/sql_select.cc:4826
|
#14 0x0000558a5575f16f in handle_select (thd=0x7ff8d8002718,
|
lex=0x7ff8d8006800, result=0x7ff8d8017698, setup_tables_done_option=0)
|
at /home/ycp/source/mariadb-server/10.5/src/sql/sql_select.cc:445
|
#15 0x0000558a55721ecb in execute_sqlcom_select (thd=0x7ff8d8002718,
|
all_tables=0x7ff8d8016528)
|
at /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:6317
|
#16 0x0000558a557191ba in mysql_execute_command (thd=0x7ff8d8002718)
|
at /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:4008
|
#17 0x0000558a55726c60 in mysql_parse (thd=0x7ff8d8002718,
|
rawbuf=0x7ff8d8015960 "SELECT MAX(a),SUM(a) FROM t1", length=28,
|
parser_state=0x7ff8baf22320, is_com_multi=false, is_next_command=false)
|
at /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:8089
|
#18 0x0000558a55712d41 in dispatch_command (command=COM_QUERY,
|
thd=0x7ff8d8002718, packet=0x7ff8d800d079 "", packet_length=28,
|
is_com_multi=false, is_next_command=false)
|
at /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:1891
|
#19 0x0000558a55711579 in do_command (thd=0x7ff8d8002718)
|
at /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:1375
|
#20 0x0000558a558c0731 in do_handle_one_connection (connect=0x558a59a0e9a8,
|
put_in_cache=true)
|
at /home/ycp/source/mariadb-server/10.5/src/sql/sql_connect.cc:1415
|
#21 0x0000558a558c04a3 in handle_one_connection (arg=0x558a59a0e9a8)
|
at /home/ycp/source/mariadb-server/10.5/src/sql/sql_connect.cc:1317
|
#22 0x0000558a55dd1ce6 in pfs_spawn_thread (arg=0x558a59a0ea88)
|
at /home/ycp/source/mariadb-server/10.5/src/storage/perfschema/pfs.cc:2201
|
#23 0x00007ff8e6737ea7 in start_thread ()
|
from /lib/x86_64-linux-gnu/libpthread.so.0
|
#24 0x00007ff8e6016a2f in clone () from /lib/x86_64-linux-gnu/libc.so.6
|
(rr) s
|
spider_db_mbase_row::store_to_field (this=0x7ff8d803fb10, field=0x7ff8d8171f10,
|
access_charset=0x558a56f526a0 <my_charset_latin1>)
|
at /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_db_mysql.cc:410
|
410 DBUG_ENTER("spider_db_mbase_row::store_to_field");
|
(rr) n
|
411 DBUG_PRINT("info",("spider this=%p", this));
|
(rr) p this
|
$14 = (spider_db_mbase_row * const) 0x7ff8d803fb10
|
(rr) p *this
|
$15 = {<spider_db_row> = {
|
_vptr.spider_db_row = 0x7ff8baa17340 <vtable for spider_db_mbase_row+16>,
|
dbton_id = 0, next_pos = 0x0}, row = 0x7ff8d8172c18,
|
row_first = 0x7ff8d8172c08, lengths = 0x7ff8d8172c30,
|
lengths_first = 0x7ff8d8172c20, field_count = 2, record_size = 4,
|
cloned = true}
|
(rr) n
|
412 if (!*row)
|
(rr) p *row
|
$16 = 0xa5a5003137003834 <error: Cannot access memory at address 0xa5a5003137003834>
|
When the change is reverted in HEAD, spider_db_fetch_for_item_sum_funcs does manage to iterate twice with matching items and rows. But the spider_db_fetch_table function that called spider_db_fetch_for_item_sum_funcs would go on to call spider_db_fetch_row which will still try to access the row, which has become inaccessible because spider_db_fetch_for_item_sum_funcs already iterated over it.
In the following rr session I use the test where the table has two rows, 23 and 48. The max is 48 and the sum is 71.
(rr) s
|
spider_db_fetch_for_item_sum_funcs (row=0x7ff8d803fb10, spider=0x7ff8d80f4720)
|
at /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_db_conn.cc:2787
|
2787 DBUG_ENTER("spider_db_fetch_for_item_sum_funcs");
|
(rr) p row->val_int()
|
$18 = 48
|
(rr) n
|
2788 select_lex = spider_get_select_lex(spider);
|
(rr)
|
2789 JOIN *join = select_lex->join;
|
(rr)
|
2791 spider->direct_aggregate_item_current = NULL;
|
(rr)
|
2792 for (item_sum_ptr = join->sum_funcs; *item_sum_ptr; ++item_sum_ptr)
|
(rr)
|
2794 if ((error_num = spider_db_fetch_for_item_sum_func(row, *item_sum_ptr,
|
(rr)
|
2792 for (item_sum_ptr = join->sum_funcs; *item_sum_ptr; ++item_sum_ptr)
|
(rr) p row->val_int()
|
$19 = 71
|
(rr) n
|
2794 if ((error_num = spider_db_fetch_for_item_sum_func(row, *item_sum_ptr,
|
(rr)
|
2792 for (item_sum_ptr = join->sum_funcs; *item_sum_ptr; ++item_sum_ptr)
|
(rr) p row->val_int()
|
|
|
Thread 39 received signal SIGSEGV, Segmentation fault.
|
0x00007ff8e5f57518 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
|
The program being debugged was signaled while in a function called from GDB.
|
GDB has restored the context to what it was before the call.
|
To change this behavior use "set unwindonsignal off".
|
Evaluation of the expression containing the function
|
(spider_db_mbase_row::val_int()) will be abandoned.
|
...
|
(rr) p *((spider_db_mbase_row*) row)->row
|
$27 = 0xa5a5003137003834 <error: Cannot access memory at address 0xa5a5003137003834>
|
Given the error: Cannot access memory at address found by ycp (great!), I ran this through ASAN, and we see (this is for the testcase in the original description):
|
10.5.19 851816532b39b4bf04b1d352cf3c28929ec99cf1 (Debug, ASAN) |
==2456882==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000d8000 at pc 0x14b8adce79aa bp 0x14b8adf02f70 sp 0x14b8adf02f60
|
READ of size 8 at 0x6060000d8000 thread T15
|
#0 0x14b8adce79a9 in spider_db_mbase_row::append_to_str(spider_string*) /test/10.55_dbg_san/storage/spider/spd_db_mysql.cc:452
|
#1 0x14b8adb996e6 in spider_db_fetch_for_item_sum_func(spider_db_row*, Item_sum*, ha_spider*) /test/10.55_dbg_san/storage/spider/spd_db_conn.cc:2925
|
#2 0x14b8adb99b43 in spider_db_fetch_for_item_sum_funcs(spider_db_row*, ha_spider*) /test/10.55_dbg_san/storage/spider/spd_db_conn.cc:2794
|
#3 0x14b8adb9b429 in spider_db_fetch_table(ha_spider*, unsigned char*, TABLE*, st_spider_result_list*) /test/10.55_dbg_san/storage/spider/spd_db_conn.cc:3204
|
#4 0x14b8adbabe85 in spider_db_fetch(unsigned char*, ha_spider*, TABLE*) /test/10.55_dbg_san/storage/spider/spd_db_conn.cc:4978
|
#5 0x14b8adbb009e in spider_db_seek_next(unsigned char*, ha_spider*, int, TABLE*) /test/10.55_dbg_san/storage/spider/spd_db_conn.cc:5496
|
#6 0x14b8add539c4 in spider_group_by_handler::next_row() /test/10.55_dbg_san/storage/spider/spd_group_by_handler.cc:1597
|
#7 0x56529e9eb54e in Pushdown_query::execute(JOIN*) /test/10.55_dbg_san/sql/group_by_handler.cc:64
|
#8 0x56529e92c947 in do_select /test/10.55_dbg_san/sql/sql_select.cc:20472
|
#9 0x56529e92c947 in JOIN::exec_inner() /test/10.55_dbg_san/sql/sql_select.cc:4569
|
#10 0x56529e92ed81 in JOIN::exec() /test/10.55_dbg_san/sql/sql_select.cc:4349
|
#11 0x56529e92674f in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.55_dbg_san/sql/sql_select.cc:4826
|
#12 0x56529e92903a in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.55_dbg_san/sql/sql_select.cc:445
|
#13 0x56529e77d4b6 in execute_sqlcom_select /test/10.55_dbg_san/sql/sql_parse.cc:6317
|
#14 0x56529e7a5448 in mysql_execute_command(THD*) /test/10.55_dbg_san/sql/sql_parse.cc:4008
|
#15 0x56529e76947d in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.55_dbg_san/sql/sql_parse.cc:8089
|
#16 0x56529e797bca in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.55_dbg_san/sql/sql_parse.cc:1891
|
#17 0x56529e79efa3 in do_command(THD*) /test/10.55_dbg_san/sql/sql_parse.cc:1375
|
#18 0x56529ebe5cfb in do_handle_one_connection(CONNECT*, bool) /test/10.55_dbg_san/sql/sql_connect.cc:1415
|
#19 0x56529ebe67ff in handle_one_connection /test/10.55_dbg_san/sql/sql_connect.cc:1317
|
#20 0x14b8cf6ae608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
#21 0x14b8cf290132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
|
|
|
0x6060000d8000 is located 0 bytes to the right of 64-byte region [0x6060000d7fc0,0x6060000d8000)
|
allocated by thread T15 here:
|
#0 0x56529e4570e8 in __interceptor_malloc (/test/ASAN_SPIDER_MD101222-mariadb-10.5.19-linux-x86_64-dbg/bin/mariadbd+0xd220e8)
|
#1 0x5652a0622fba in my_malloc /test/10.55_dbg_san/mysys/my_malloc.c:90
|
#2 0x14b8adc79f05 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/10.55_dbg_san/storage/spider/spd_malloc.cc:236
|
#3 0x14b8add150e9 in spider_db_mbase_row::clone() /test/10.55_dbg_san/storage/spider/spd_db_mysql.cc:557
|
#4 0x14b8adba344f in spider_db_store_result(ha_spider*, int, TABLE*) /test/10.55_dbg_san/storage/spider/spd_db_conn.cc:4291
|
#5 0x14b8add520cb in spider_group_by_handler::init_scan() /test/10.55_dbg_san/storage/spider/spd_group_by_handler.cc:1497
|
#6 0x56529e9eb466 in Pushdown_query::execute(JOIN*) /test/10.55_dbg_san/sql/group_by_handler.cc:49
|
#7 0x56529e92c947 in do_select /test/10.55_dbg_san/sql/sql_select.cc:20472
|
#8 0x56529e92c947 in JOIN::exec_inner() /test/10.55_dbg_san/sql/sql_select.cc:4569
|
#9 0x56529e92ed81 in JOIN::exec() /test/10.55_dbg_san/sql/sql_select.cc:4349
|
#10 0x56529e92674f in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.55_dbg_san/sql/sql_select.cc:4826
|
#11 0x56529e92903a in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.55_dbg_san/sql/sql_select.cc:445
|
#12 0x56529e77d4b6 in execute_sqlcom_select /test/10.55_dbg_san/sql/sql_parse.cc:6317
|
#13 0x56529e7a5448 in mysql_execute_command(THD*) /test/10.55_dbg_san/sql/sql_parse.cc:4008
|
#14 0x56529e76947d in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.55_dbg_san/sql/sql_parse.cc:8089
|
#15 0x56529e797bca in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.55_dbg_san/sql/sql_parse.cc:1891
|
#16 0x56529e79efa3 in do_command(THD*) /test/10.55_dbg_san/sql/sql_parse.cc:1375
|
#17 0x56529ebe5cfb in do_handle_one_connection(CONNECT*, bool) /test/10.55_dbg_san/sql/sql_connect.cc:1415
|
#18 0x56529ebe67ff in handle_one_connection /test/10.55_dbg_san/sql/sql_connect.cc:1317
|
#19 0x14b8cf6ae608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
|
|
Thread T15 created by T0 here:
|
#0 0x56529e384125 in pthread_create (/test/ASAN_SPIDER_MD101222-mariadb-10.5.19-linux-x86_64-dbg/bin/mariadbd+0xc4f125)
|
#1 0x56529e4a368d in create_thread_to_handle_connection(CONNECT*) /test/10.55_dbg_san/sql/mysqld.cc:6067
|
#2 0x56529e4a9965 in create_new_thread(CONNECT*) /test/10.55_dbg_san/sql/mysqld.cc:6126
|
#3 0x56529e4a9d22 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.55_dbg_san/sql/mysqld.cc:6191
|
#4 0x56529e4aa4f9 in handle_connections_sockets() /test/10.55_dbg_san/sql/mysqld.cc:6318
|
#5 0x56529e4af5ba in mysqld_main(int, char**) /test/10.55_dbg_san/sql/mysqld.cc:5713
|
#6 0x56529e4986aa in main /test/10.55_dbg_san/sql/main.cc:25
|
#7 0x14b8cf195082 in __libc_start_main ../csu/libc-start.c:308
|
|
|
SUMMARY: AddressSanitizer: heap-buffer-overflow /test/10.55_dbg_san/storage/spider/spd_db_mysql.cc:452 in spider_db_mbase_row::append_to_str(spider_string*)
|
Shadow bytes around the buggy address:
|
0x0c0c80012fb0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
|
0x0c0c80012fc0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
|
0x0c0c80012fd0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
|
0x0c0c80012fe0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
|
0x0c0c80012ff0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
|
=>0x0c0c80013000:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c0c80013010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c0c80013020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c0c80013030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c0c80013040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c0c80013050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==2456882==ABORTING
|
The second testcase here gives two additional ASAN issues:
|
10.11.1 d186cb180e424fb4e166959145b3bccb5e7f5164 (Optimized, ASAN) |
==809636==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x14b16334e7bf at pc 0x55e86e007cfd bp 0x14b16334de00 sp 0x14b16334d5a8
|
READ of size 1 at 0x14b16334e7bf thread T16
|
#0 0x55e86e007cfc in __interceptor_strlen.part.0 (/test/ASAN_SPIDER_MD151122-mariadb-10.11.1-linux-x86_64-opt/bin/mariadbd+0xbc2cfc)
|
#1 0x14b163231bcc in spider_db_mbase_util::open_item_func(Item_func*, ha_spider*, spider_string*, char const*, unsigned int, bool, spider_fields*) /test/10.11_opt_san/storage/spider/spd_db_mysql.cc:6259
|
#2 0x14b16326423d in spider_mbase_handler::append_list_item_select(List<Item>*, spider_string*, char const*, unsigned int, bool, spider_fields*) /test/10.11_opt_san/storage/spider/spd_db_mysql.cc:15476
|
#3 0x14b16326f15b in spider_group_by_handler::init_scan() /test/10.11_opt_san/storage/spider/spd_group_by_handler.cc:1301
|
#4 0x55e86e6acab4 in Pushdown_query::execute(JOIN*) /test/10.11_opt_san/sql/group_by_handler.cc:49
|
#5 0x55e86e635139 in do_select /test/10.11_opt_san/sql/sql_select.cc:21257
|
#6 0x55e86e635139 in JOIN::exec_inner() /test/10.11_opt_san/sql/sql_select.cc:4823
|
#7 0x55e86e637afd in JOIN::exec() /test/10.11_opt_san/sql/sql_select.cc:4601
|
#8 0x55e86e630798 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.11_opt_san/sql/sql_select.cc:5081
|
#9 0x55e86e6320f7 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/10.11_opt_san/sql/sql_select.cc:581
|
#10 0x55e86e4623c3 in execute_sqlcom_select /test/10.11_opt_san/sql/sql_parse.cc:6263
|
#11 0x55e86e4914d2 in mysql_execute_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:3947
|
#12 0x55e86e4510ba in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_opt_san/sql/sql_parse.cc:7998
|
#13 0x55e86e4510ba in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_opt_san/sql/sql_parse.cc:7920
|
#14 0x55e86e47c713 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_opt_san/sql/sql_parse.cc:1894
|
#15 0x55e86e482897 in do_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:1407
|
#16 0x55e86e885f7b in do_handle_one_connection(CONNECT*, bool) /test/10.11_opt_san/sql/sql_connect.cc:1416
|
#17 0x55e86e88677c in handle_one_connection /test/10.11_opt_san/sql/sql_connect.cc:1318
|
#18 0x14b184c5a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
#19 0x14b18483c132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
|
|
|
Address 0x14b16334e7bf is located in stack of thread T16 at offset 2303 in frame
|
#0 0x14b16323040f in spider_db_mbase_util::open_item_func(Item_func*, ha_spider*, spider_string*, char const*, unsigned int, bool, spider_fields*) /test/10.11_opt_san/storage/spider/spd_db_mysql.cc:5492
|
|
|
This frame has 8 object(s):
|
[32, 48) 'org_func_name' (line 5497)
|
[64, 96) 'lif' (line 6272)
|
[128, 216) 'tmp_str' (line 5955)
|
[256, 344) 'tmp_str' (line 6088)
|
[384, 472) 'tmp_str' (line 6240)
|
[512, 1278) 'tmp_buf' (line 5954)
|
[1408, 2174) 'tmp_buf' (line 6087)
|
[2304, 3070) 'tmp_buf' (line 6239) <== Memory access at offset 2303 underflows this variable
|
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
|
(longjmp and C++ exceptions *are* supported)
|
Thread T16 created by T0 here:
|
#0 0x55e86dfdaa95 in pthread_create (/test/ASAN_SPIDER_MD151122-mariadb-10.11.1-linux-x86_64-opt/bin/mariadbd+0xb95a95)
|
#1 0x55e86e0f84ff in create_thread_to_handle_connection(CONNECT*) /test/10.11_opt_san/sql/mysqld.cc:6102
|
#2 0x55e86e100396 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.11_opt_san/sql/mysqld.cc:6223
|
#3 0x55e86e100cef in handle_connections_sockets() /test/10.11_opt_san/sql/mysqld.cc:6347
|
#4 0x55e86e1059c4 in mysqld_main(int, char**) /test/10.11_opt_san/sql/mysqld.cc:5997
|
#5 0x14b184741082 in __libc_start_main ../csu/libc-start.c:308
|
|
|
SUMMARY: AddressSanitizer: stack-buffer-overflow (/test/ASAN_SPIDER_MD151122-mariadb-10.11.1-linux-x86_64-opt/bin/mariadbd+0xbc2cfc) in __interceptor_strlen.part.0
|
Shadow bytes around the buggy address:
|
0x0296ac661ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0296ac661cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0296ac661cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0296ac661cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0296ac661ce0: 00 00 00 00 00 00 00 06 f2 f2 f2 f2 f2 f2 f2 f2
|
=>0x0296ac661cf0: f2 f2 f2 f2 f2 f2 f2[f2]00 00 00 00 00 00 00 00
|
0x0296ac661d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0296ac661d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0296ac661d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0296ac661d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0296ac661d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==809636==ABORTING
|
On debug we see a somehwat different stack:
|
10.11.1 d186cb180e424fb4e166959145b3bccb5e7f5164 (Debug, ASAN) |
==1683922==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x14acc814399f at pc 0x55771f7f23cd bp 0x14acc8142fe0 sp 0x14acc8142788
|
READ of size 1 at 0x14acc814399f thread T17
|
#0 0x55771f7f23cc in __interceptor_strlen.part.0 (/test/ASAN_SPIDER_MD151122-mariadb-10.11.1-linux-x86_64-dbg/bin/mariadbd+0xcb23cc)
|
#1 0x14acc7f72509 in spider_db_mbase_util::open_item_func(Item_func*, ha_spider*, spider_string*, char const*, unsigned int, bool, spider_fields*) /test/10.11_dbg_san/storage/spider/spd_db_mysql.cc:6259
|
#2 0x14acc7e2a56a in spider_db_open_item_func(Item_func*, ha_spider*, spider_string*, char const*, unsigned int, unsigned int, bool, spider_fields*) /test/10.11_dbg_san/storage/spider/spd_db_conn.cc:7556
|
#3 0x14acc7e2d975 in spider_db_print_item_type(Item*, Field*, ha_spider*, spider_string*, char const*, unsigned int, unsigned int, bool, spider_fields*) /test/10.11_dbg_san/storage/spider/spd_db_conn.cc:7387
|
#4 0x14acc7fa3e94 in spider_mbase_handler::append_list_item_select(List<Item>*, spider_string*, char const*, unsigned int, bool, spider_fields*) /test/10.11_dbg_san/storage/spider/spd_db_mysql.cc:15476
|
#5 0x14acc7fa4207 in spider_mbase_handler::append_list_item_select_part(List<Item>*, char const*, unsigned int, bool, spider_fields*, unsigned long) /test/10.11_dbg_san/storage/spider/spd_db_mysql.cc:15447
|
#6 0x14acc7fafca6 in spider_group_by_handler::init_scan() /test/10.11_dbg_san/storage/spider/spd_group_by_handler.cc:1301
|
#7 0x55771ff33c52 in Pushdown_query::execute(JOIN*) /test/10.11_dbg_san/sql/group_by_handler.cc:49
|
#8 0x55771fe6e1ca in do_select /test/10.11_dbg_san/sql/sql_select.cc:21257
|
#9 0x55771fe6e1ca in JOIN::exec_inner() /test/10.11_dbg_san/sql/sql_select.cc:4823
|
#10 0x55771fe7063b in JOIN::exec() /test/10.11_dbg_san/sql/sql_select.cc:4601
|
#11 0x55771fe68ae2 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.11_dbg_san/sql/sql_select.cc:5081
|
#12 0x55771fe6a4dd in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/10.11_dbg_san/sql/sql_select.cc:581
|
#13 0x55771fc8098c in execute_sqlcom_select /test/10.11_dbg_san/sql/sql_parse.cc:6263
|
#14 0x55771fca821a in mysql_execute_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:3947
|
#15 0x55771fc6d671 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_dbg_san/sql/sql_parse.cc:7998
|
#16 0x55771fc9ad6e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1894
|
#17 0x55771fca1969 in do_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1407
|
#18 0x55772014d5b0 in do_handle_one_connection(CONNECT*, bool) /test/10.11_dbg_san/sql/sql_connect.cc:1416
|
#19 0x55772014e0b3 in handle_one_connection /test/10.11_dbg_san/sql/sql_connect.cc:1318
|
#20 0x14ace9ee1608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
#21 0x14ace9ac3132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
|
|
|
Address 0x14acc814399f is located in stack of thread T17 at offset 2303 in frame
|
#0 0x14acc7f6faed in spider_db_mbase_util::open_item_func(Item_func*, ha_spider*, spider_string*, char const*, unsigned int, bool, spider_fields*) /test/10.11_dbg_san/storage/spider/spd_db_mysql.cc:5492
|
|
|
This frame has 8 object(s):
|
[32, 48) 'org_func_name' (line 5497)
|
[64, 96) 'lif' (line 6272)
|
[128, 216) 'tmp_str' (line 5955)
|
[256, 344) 'tmp_str' (line 6088)
|
[384, 472) 'tmp_str' (line 6240)
|
[512, 1278) 'tmp_buf' (line 5954)
|
[1408, 2174) 'tmp_buf' (line 6087)
|
[2304, 3070) 'tmp_buf' (line 6239) <== Memory access at offset 2303 underflows this variable
|
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
|
(longjmp and C++ exceptions *are* supported)
|
Thread T17 created by T0 here:
|
#0 0x55771f7c5165 in pthread_create (/test/ASAN_SPIDER_MD151122-mariadb-10.11.1-linux-x86_64-dbg/bin/mariadbd+0xc85165)
|
#1 0x55771f8e454b in create_thread_to_handle_connection(CONNECT*) /test/10.11_dbg_san/sql/mysqld.cc:6102
|
#2 0x55771f8ec838 in create_new_thread(CONNECT*) /test/10.11_dbg_san/sql/mysqld.cc:6161
|
#3 0x55771f8ecd0d in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.11_dbg_san/sql/mysqld.cc:6223
|
#4 0x55771f8edd39 in handle_connections_sockets() /test/10.11_dbg_san/sql/mysqld.cc:6347
|
#5 0x55771f8f3a94 in mysqld_main(int, char**) /test/10.11_dbg_san/sql/mysqld.cc:5997
|
#6 0x55771f8d96ea in main /test/10.11_dbg_san/sql/main.cc:34
|
#7 0x14ace99c8082 in __libc_start_main ../csu/libc-start.c:308
|
|
|
SUMMARY: AddressSanitizer: stack-buffer-overflow (/test/ASAN_SPIDER_MD151122-mariadb-10.11.1-linux-x86_64-dbg/bin/mariadbd+0xcb23cc) in __interceptor_strlen.part.0
|
Shadow bytes around the buggy address:
|
0x0296190206e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0296190206f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x029619020700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x029619020710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x029619020720: 00 00 00 06 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
|
=>0x029619020730: f2 f2 f2[f2]00 00 00 00 00 00 00 00 00 00 00 00
|
0x029619020740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x029619020750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x029619020760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x029619020770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x029619020780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==1683922==ABORTING
|
All *SAN UniqueID's seen so far:
ASAN|heap-buffer-overflow|storage/spider/spd_db_mysql.cc|spider_db_mbase_row::append_to_str|spider_db_fetch_for_item_sum_func|spider_db_fetch_for_item_sum_funcs|spider_db_fetch_table # Original testcase
|
ASAN|stack-buffer-overflow|storage/spider/spd_db_mysql.cc|__interceptor_strlen.part.0|spider_db_mbase_util::open_item_func|spider_mbase_handler::append_list_item_select|spider_group_by_handler::init_scan # Second testcase (optimized)
|
ASAN|stack-buffer-overflow|storage/spider/spd_db_mysql.cc|__interceptor_strlen.part.0|spider_db_mbase_util::open_item_func|spider_db_open_item_func|spider_db_print_item_type # Second testcase (debug)
|
(The third testcase in this comment produces SAN stacks already seen elsewhere in this ticket.
> Given the error: Cannot access memory at address found by Yuchen Pei (great!)
Thanks, but it was nayuta-yanagisawa who found this problem.
I compared three runs: before the commit for MDEV-20502 (pre-20502, 1be707286ef), the current 11.0 which is after that commit (post-20502, 944beb9e7ac) and the revert of the commit at the current 11.0 (a0eb464d934):
If the select is MAX(a), SUM(a), then
- pre-20502: during spider_db_fetch_for_item_sum_funcs, at the first iteration, the sum item starts with the second item i.e. SUM, and the row starts with the MAX value 48. So it only iterates once. When it exits to spider_db_fetch_table, it iterates once calling spider_db_fetch_row. Using the remaining "row" (sum). In summary,
- join->sum_funcs->name: initially SUM
- row: initially MAX
- post-20502: during spider_db_fetch_for_item_sum_funcs, at the first iteration, the sum starts with the first item i.e. MAX and the row starts with the SUM value 71. So it iterates twice, but the second time "boom!" it tries to access an invalid row, causing the bug reported in this ticket
- join->sum_funcs->name: initially MAX
- row: initially SUM
- revert-20502: during spider_db_fetch_for_item_sum_funcs, at the first iteration, the sum starts with the first item i.e. MAX and the row starts with the MAX value 48. So it iterates twice, "consuming" both "row"s. When it exits to spider_db_fetch_table, it iterates at least once (maybe twice) calling spider_db_fetch_row, which fails because both "row"s were "consumed", as my comment[1] mentioned.
- join->sum_funcs->name: initially MAX
- row: initially MAX
Notably none of them seem to work correctly with selecting three fields COUNT, MAX, SUM. pre-20502 would skip max in sum_funcs, leaving the third row item for iterating for spider_fetch_row, but there are two iterations, causing an invalid access as usual. I have not tested post- and revert-20502 but I expect them to face similar problems exhibited when selecting two fields.
I tried to find a testcase that takes the path of calling spider_db_fetch_for_item_sum_funcs inside spider_db_fetch_row, but could not find any.
A very curious phenomenon is that the item_sum_foo::direct_add functions were introduced in a 2017 commit (da26d16dd1c) thought the calls to these functions had existed in the code since 2013 (dc01d230ed2). And the test named spider.direct_aggregate updated in da26d16dd1c no longer exercises path of calling item_sum_foo::direct_add (did it exercise it in 2017? maybe, but I haven't tested).
Since it looks like there has been no success story with these paths, I'll need to understand the intention and purpose of the relevant spider_db_fetch_foo functions to proceed with this ticket.
I can confirm that the functions
{Item_sum_sum (2x),Item_sum_count,Item_sum_min_max}::direct_add() are not called in any of the mtr testcases at commit 944beb9 (current 11.0).
Additional testcase which results in a SIGSEGV in internal_str2dec on both optimized and debug builds, and that stack partially matches with this comment by Yuchen:
INSTALL PLUGIN Spider SONAME 'ha_spider.so'; |
CREATE USER Spider@localhost IDENTIFIED BY ''; |
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE 'test',user 'Spider',PASSWORD ''); |
CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB; |
INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0); |
CREATE TABLE t1 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"'; |
SELECT COUNT(*) as total_rows,MIN(c) AS min_value,MAX(c) AS max_value,SUM(c) AS sum,AVG(c) AS avg FROM t1; |
Leads to:
|
11.0.1 f2dc4d4c10ac36a73b5c1eb765352d3aee808d66 (Debug) |
Core was generated by `/test/MD180223-mariadb-11.0.1-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 0x000055d110183971 in internal_str2dec (from=<optimized out>,
|
to=0x153cc9b77e50, end=0x153cc9b77d38, fixed=<optimized out>)
|
at /test/11.0_dbg/strings/decimal.c:809
|
809 while (s < end_of_string && my_isspace(&my_charset_latin1, *s))
|
[Current thread is 1 (Thread 0x153cc9b7a640 (LWP 4072540))]
|
(gdb) bt
|
#0 0x000055d110183971 in internal_str2dec (from=<optimized out>, to=0x153cc9b77e50, end=0x153cc9b77d38, fixed=<optimized out>) at /test/11.0_dbg/strings/decimal.c:809
|
#1 0x000055d10fc259e1 in str2my_decimal (mask=mask@entry=0, from=0x30302e3100330033 <error: Cannot access memory at address 0x30302e3100330033>, length=<optimized out>, charset=<optimized out>, decimal_value=decimal_value@entry=0x153cc9b77e50, end_ptr=end_ptr@entry=0x153cc9b77e08) at /test/11.0_dbg/sql/my_decimal.cc:257
|
#2 0x0000153cc9acc828 in str2my_decimal (decimal_value=0x153cc9b77e50, charset=<optimized out>, length=<optimized out>, from=<optimized out>, mask=0) at /test/11.0_dbg/sql/my_decimal.h:423
|
#3 spider_db_mbase_row::val_decimal (this=<optimized out>, decimal_value=0x153cc9b77e50, access_charset=<optimized out>) at /test/11.0_dbg/storage/spider/spd_db_mysql.cc:511
|
#4 0x0000153cc9a5d31f in spider_db_fetch_for_item_sum_func (row=row@entry=0x153c6c0f7a10, item_sum=0x153c6c013f90, spider=spider@entry=0x153c6c0c0500) at /test/11.0_dbg/storage/spider/spd_db_conn.cc:2142
|
#5 0x0000153cc9a5d90e in spider_db_fetch_for_item_sum_funcs (row=0x153c6c0f7a10, spider=spider@entry=0x153c6c0c0500) at /test/11.0_dbg/storage/spider/spd_db_conn.cc:2107
|
#6 0x0000153cc9a5e061 in spider_db_fetch_table (spider=spider@entry=0x153c6c0c0500, buf=buf@entry=0x153c6c118bc0 "\377", table=0x153c6c117490, result_list=0x153c6c0c0a88) at /test/11.0_dbg/storage/spider/spd_db_conn.cc:2448
|
#7 0x0000153cc9a62f84 in spider_db_fetch (buf=buf@entry=0x153c6c118bc0 "\377", spider=spider@entry=0x153c6c0c0500, table=table@entry=0x153c6c117490) at /test/11.0_dbg/storage/spider/spd_db_conn.cc:3947
|
#8 0x0000153cc9a64635 in spider_db_seek_next (buf=0x153c6c118bc0 "\377", spider=0x153c6c0c0500, link_idx=0, table=0x153c6c117490) at /test/11.0_dbg/storage/spider/spd_db_conn.cc:4426
|
#9 0x0000153cc9af59ef in spider_group_by_handler::next_row (this=0x55d113023670) at /test/11.0_dbg/storage/spider/spd_group_by_handler.cc:1575
|
#10 0x000055d10f891f5f in Pushdown_query::execute (this=0x153c6c016cc8, join=join@entry=0x153c6c015718) at /test/11.0_dbg/sql/group_by_handler.cc:64
|
#11 0x000055d10f8661c0 in do_select (procedure=<optimized out>, join=0x153c6c015718) at /test/11.0_dbg/sql/sql_select.cc:22214
|
#12 JOIN::exec_inner (this=this@entry=0x153c6c015718) at /test/11.0_dbg/sql/sql_select.cc:4888
|
#13 0x000055d10f866be0 in JOIN::exec (this=this@entry=0x153c6c015718) at /test/11.0_dbg/sql/sql_select.cc:4666
|
#14 0x000055d10f864b18 in mysql_select (thd=thd@entry=0x153c6c000d58, tables=0x153c6c014588, fields=@0x153c6c013528: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153c6c0138d8, last = 0x153c6c014530, elements = 5}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x153c6c0156f0, unit=0x153c6c004fa0, select_lex=0x153c6c013270) at /test/11.0_dbg/sql/sql_select.cc:5146
|
#15 0x000055d10f86528b in handle_select (thd=thd@entry=0x153c6c000d58, lex=lex@entry=0x153c6c004ec8, result=result@entry=0x153c6c0156f0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.0_dbg/sql/sql_select.cc:608
|
#16 0x000055d10f7cae8d in execute_sqlcom_select (thd=thd@entry=0x153c6c000d58, all_tables=0x153c6c014588) at /test/11.0_dbg/sql/sql_parse.cc:6267
|
#17 0x000055d10f7d64af in mysql_execute_command (thd=thd@entry=0x153c6c000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.0_dbg/sql/sql_parse.cc:3949
|
#18 0x000055d10f7dd7cf in mysql_parse (thd=thd@entry=0x153c6c000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x153cc9b792c0) at /test/11.0_dbg/sql/sql_parse.cc:8002
|
#19 0x000055d10f7df963 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x153c6c000d58, packet=packet@entry=0x153c6c00ae19 "", packet_length=packet_length@entry=105, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_class.h:242
|
#20 0x000055d10f7e17bc in do_command (thd=0x153c6c000d58, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_parse.cc:1407
|
#21 0x000055d10f9326e2 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55d1130d9168, put_in_cache=put_in_cache@entry=true) at /test/11.0_dbg/sql/sql_connect.cc:1416
|
#22 0x000055d10f932941 in handle_one_connection (arg=0x55d1130d9168) at /test/11.0_dbg/sql/sql_connect.cc:1318
|
#23 0x0000153ce78c5b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
|
#24 0x0000153ce7957a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
Bug confirmed present in:
MariaDB: 10.5.20 (dbg), 10.5.20 (opt), 10.6.13 (dbg), 10.6.13 (opt), 10.7.8 (dbg), 10.7.8 (opt), 10.8.8 (dbg), 10.8.8 (opt), 10.9.6 (dbg), 10.9.6 (opt), 10.10.4 (dbg), 10.10.4 (opt), 10.11.2 (dbg), 10.11.2 (opt), 11.0.1 (dbg), 11.0.1 (opt)
Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.38 (dbg), 10.3.38 (opt), 10.4.29 (dbg), 10.4.29 (opt)
Some additional findings. This testcase:
INSTALL PLUGIN Spider SONAME 'ha_spider.so'; |
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD''); |
CREATE TABLE t1 (c1 INT KEY,c2 INT) ENGINE=InnoDB; |
CREATE TABLE t2 (c1 INT KEY,c2 INT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t1"'; |
INSERT INTO t1 VALUES (1,1),(11,0),(12,0); |
SELECT COUNT(*),MIN(c1),SUM(c1),AVG(c1) FROM t2; |
Or, the same but with the last line changed to:
SELECT MAX(c1),SUM(c1),AVG(c1) FROM t2; |
Leads to:
|
11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN) |
11.0.2-dbg>SELECT MAX(c1),SUM(c1),AVG(c1) AS avg FROM t2;
|
ERROR 1030 (HY000): Got error 12801 "Unknown error 12801" from storage engine SPIDER
|
And the following testcase:
INSTALL PLUGIN Spider SONAME 'ha_spider.so'; |
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD''); |
CREATE TABLE t1 (c1 INT KEY,c2 INT) ENGINE=InnoDB; |
CREATE TABLE t2 (c1 INT KEY,c2 INT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t1"'; |
INSERT INTO t1 VALUES (1,1),(11,0),(12,0); |
SELECT COUNT(*),MIN(c1),MAX(c1),SUM(c1),AVG(c1) FROM t2; |
Leads to:
|
11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN) |
==3791673==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00002be98 at pc 0x14cfdff7baa5 bp 0x14cfe0b00f90 sp 0x14cfe0b00f80
|
READ of size 8 at 0x60b00002be98 thread T32
|
#0 0x14cfdff7baa4 in spider_db_mbase_row::val_decimal(my_decimal*, charset_info_st const*) /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:512
|
#1 0x14cfdfcc2615 in spider_db_fetch_for_item_sum_func(spider_db_row*, Item_sum*, ha_spider*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:2142
|
#2 0x14cfdfcc65b5 in spider_db_fetch_for_item_sum_funcs(spider_db_row*, ha_spider*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:2107
|
#3 0x14cfdfcca9c5 in spider_db_fetch_table(ha_spider*, unsigned char*, TABLE*, st_spider_result_list*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:2448
|
#4 0x14cfdfceb538 in spider_db_fetch(unsigned char*, ha_spider*, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3933
|
#5 0x14cfdfcf3a49 in spider_db_seek_next(unsigned char*, ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:4412
|
#6 0x14cfe007d686 in spider_group_by_handler::next_row() /test/11.0_dbg_san/storage/spider/spd_group_by_handler.cc:1575
|
#7 0x56256e62ee24 in Pushdown_query::execute(JOIN*) /test/11.0_dbg_san/sql/group_by_handler.cc:64
|
#8 0x56256e4b868f in do_select /test/11.0_dbg_san/sql/sql_select.cc:22665
|
#9 0x56256e4b868f in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
|
#10 0x56256e4bb916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
|
#11 0x56256e4aa0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
|
#12 0x56256e4ae51c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
|
#13 0x56256e020a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
|
#14 0x56256e081ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
|
#15 0x56256e0b1973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
|
#16 0x56256e0c1707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
|
#17 0x56256e0cf542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
|
#18 0x56256eaa48b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
|
#19 0x56256eaa5dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
|
#20 0x14d005494b42 in start_thread nptl/pthread_create.c:442
|
#21 0x14d0055269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
|
|
|
0x60b00002be98 is located 0 bytes to the right of 104-byte region [0x60b00002be30,0x60b00002be98)
|
allocated by thread T32 here:
|
#0 0x56256d736337 in __interceptor_malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7964337)
|
#1 0x562571e4d703 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91
|
#2 0x14cfdfe52583 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:231
|
#3 0x14cfdffd329f in spider_db_mbase_row::clone() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:547
|
#4 0x14cfdfcdab12 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3378
|
#5 0x14cfe007ab0c in spider_group_by_handler::init_scan() /test/11.0_dbg_san/storage/spider/spd_group_by_handler.cc:1479
|
#6 0x56256e62ec9a in Pushdown_query::execute(JOIN*) /test/11.0_dbg_san/sql/group_by_handler.cc:49
|
#7 0x56256e4b868f in do_select /test/11.0_dbg_san/sql/sql_select.cc:22665
|
#8 0x56256e4b868f in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
|
#9 0x56256e4bb916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
|
#10 0x56256e4aa0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
|
#11 0x56256e4ae51c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
|
#12 0x56256e020a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
|
#13 0x56256e081ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
|
#14 0x56256e0b1973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
|
#15 0x56256e0c1707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
|
#16 0x56256e0cf542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
|
#17 0x56256eaa48b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
|
#18 0x56256eaa5dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
|
#19 0x14d005494b42 in start_thread nptl/pthread_create.c:442
|
|
|
Thread T32 created by T0 here:
|
#0 0x56256d6da175 in pthread_create (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7908175)
|
#1 0x56256d79098b in create_thread_to_handle_connection(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6129
|
#2 0x56256d79de67 in create_new_thread(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6191
|
#3 0x56256d79e6e7 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_dbg_san/sql/mysqld.cc:6253
|
#4 0x56256d79f738 in handle_connections_sockets() /test/11.0_dbg_san/sql/mysqld.cc:6377
|
#5 0x56256d7a6ee7 in mysqld_main(int, char**) /test/11.0_dbg_san/sql/mysqld.cc:6024
|
#6 0x56256d77beca in main /test/11.0_dbg_san/sql/main.cc:34
|
#7 0x14d005429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: heap-buffer-overflow /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:512 in spider_db_mbase_row::val_decimal(my_decimal*, charset_info_st const*)
|
Shadow bytes around the buggy address:
|
0x0c167fffd780: fa fa fa fa 00 00 00 00 00 00 00 f7 00 00 f7 00
|
0x0c167fffd790: f7 fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
|
0x0c167fffd7a0: 00 f7 00 00 f7 00 00 f7 fa fa fa fa fa fa fa fa
|
0x0c167fffd7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
|
0x0c167fffd7c0: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
|
=>0x0c167fffd7d0: 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c167fffd7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c167fffd7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c167fffd800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c167fffd810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c167fffd820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==3791673==ABORTING
|
(And to the SIGSEGV in internal_str2dec on non-UBASAN builds)
So as of commit 8d1c68d51b1cf739539e2ce401435e36bd1f29f0, the test
spider.direct_aggregate_part does exercise
Item_sum_count::direct_add() with a COUNT query, with
partitioned table of two data nodes. one containing 3 rows, the other
2 rows, so the count result is 5.
How it works:
- no DA:
- query all rows with select `a` from `auto_test_remote`.`ta_r2` order by `a`", same query for the other table ta_r3
- then iterate over rows when incrementing count
- with DA:
- query for count in each table select count(0),min(`a`) from `auto_test_remote`.`ta_r2`, same query sent to ta_r3
- then add up the count
the min(`a`) looks unnecessary. consider removing
- the relevant code that happens in sub_select():
if (rc != NESTED_LOOP_NO_MORE_ROWS)
{// First read. This is where spider sends queries to data nodes
// This is where the Item_sum_count::direct_add() was called
error= (*join_tab->read_first_record)(join_tab);...// First update of count result from the first spider query result.
// 1 without DA, and 3 with DA
rc= evaluate_join_record(join, join_tab, error);}...while (rc == NESTED_LOOP_OK && join->return_tab >= join_tab)
{...// Continues reading spider result list
// This is also where the Item_sum_count::direct_add() was called
error= info->read_record();...// Continues updating count result. slow incrementing to 5 without
// DA, and one off incrementing by 2 to 5 with DA
rc= evaluate_join_record(join, join_tab, error);}
Item_sum_count::direct_add > spider_db_fetch_for_item_sum_func > spider_db_fetch_for_item_sum_funcs > spider_db_refetch_for_item_sum_funcs > ha_spider::return_record_by_parent > ha_partition::return_top_record > ha_partition::handle_ordered_index_scan > ha_partition::common_first_last > ha_partition::index_first > handler::ha_index_first > join_read_first > sub_select > do_select > JOIN::exec_inner > JOIN::exec > mysql_select > handle_select > execute_sqlcom_select > mysql_execute_command > mysql_parse > dispatch_command > do_command > do_handle_one_connection > handle_one_connection > pfs_spawn_thread
I am going to make some hypothesis based on observations.
The direct aggregate mechanism is only intended to work when otherwise
a full table scan query will be executed from the spider node and the
aggregation done at the spider node too. Typically this happens in
sub_select() as in the previous comment. In the test
spider.direct_aggregate_part direct aggregate allows to
send COUNT statements directly to the data nodes and adds up the
results at the spider node, instead of iterating over the rows one by
one at the spider node.
By contrast, the group by handler (GBH) typically sends aggregated queries
directly to data nodes, in which case DA does not improve the
situation here.
That is why we should fix it by disabling DA when GBH is used.
There are other reasons supporting this change. First, the creation of
GBH results in a call to change_to_use_tmp_fields() (as opposed to
setup_copy_fields()) which causes the spider DA function
spider_db_fetch_for_item_sum_funcs() to work on wrong items.
Second, the spider DA function only calls direct_add() on the
items, and the follow-up add() needs to be called by the sql layer
code. In do_select(), after executing the query with the GBH, it
seems that the required add() would not necessarily be called.
Disabling DA when GBH is used does fix the bug[1]. There are a few
other things that would be good to be done for this ticket:
1. Add a session variable that allows user to disable DA completely,
this will help as a temporary measure when further bugs with DA
emerge.
2. Move the increment of direct_aggregate_count to the spider DA
function. Currently this is done in rather bizarre and random
locations.
3. Fix the spider_db_mbase_row creation so that the last of its row
field (sentinel) is NULL. The code is already doing a null check,
but somehow the sentinel field is on an invalid address, causing
the segfaults. With a correct implementation of the row creation,
we can avoid such segfaults.
Hi holyfoot, ptal thanks (based on 11.0):
- https://github.com/MariaDB/server/commit/3b5cecbacd46ea8607b4e5379633e60a98d71bc5 (cleanup, no change of logic)
- https://github.com/MariaDB/server/commit/bb7646e7fd6a7256d874b9ab458dcba8b716608f (cleanup, no change of logic)
- https://github.com/MariaDB/server/commit/4e374f3003bc8e2ad7eecc6d9c4308d4ceb95697 (the actual bugfix, quite small in c++ code change)
As usual, I have a corresponding set of changes for the minimum fixversion 10.5:
- https://github.com/MariaDB/server/commit/753946130a5534fbe6fd8411154c638146170b08
- https://github.com/MariaDB/server/commit/39a9467d09ba4730932e772596aec7d23e2f8ac8
- https://github.com/MariaDB/server/commit/eb06eeba9c67282bab76078d0c7ac3026fe07d83
Update on [2023-07-26 Wed]: holyfoot I'm not sure whether you
have looked at these commits yet. In the past few days I've been
thinking about the changes in the first cleanup commit, about
spider_conn_before_query() and spider_conn_after_query(). I
don't think in its current form this clean up gives us much gain,
and we should either defer this cleanup to a separate task, or
(better yet) have a discussion on it. In any case, feel free to
disregard the first commit, and review the second and third only.
ok to push.
Minor comment on the first patch.
Pushed the following to 10.5
68a002071b7 MDEV-29502 Fix some issues with spider direct aggregate
expected conflicts and solutions:
- 10.6->10.10 6f31e962c87920ea6695372e5ddc59dcaabf2021
- 10.6->10.6 ES 296a7a2feefab0c21277dcfa49a863c9bd1db21c
- 11.2->23.08 ES 49049fe27c52323f6ea652497b9659ca2e69cabd