[MDEV-30727] SIGSEGV's in spider_direct_sql_init_body, spider_direct_sql_body, my_hash_insert, thd_ha_data, thd_get_ha_data and safe_mutex_lock Created: 2023-02-25  Updated: 2024-02-07

Status: Confirmed
Project: MariaDB Server
Component/s: Locking, Storage Engine - Spider
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2, 11.3, 11.4
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2, 11.3

Type: Bug Priority: Critical
Reporter: Roel Van de Paar Assignee: Yuchen Pei
Resolution: Unresolved Votes: 0
Labels: affects-tests, locking, stack-smashing


Description

CREATE FUNCTION spider_direct_sql RETURNS INT SONAME 'ha_spider.so';
SELECT spider_direct_sql ('SELECT * FROM s','a','srv "b"');

Leads to:

11.0.1 f2dc4d4c10ac36a73b5c1eb765352d3aee808d66 (Debug)

Core was generated by `/test/MD180223-mariadb-11.0.1-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000015255cb023be in spider_direct_sql_body (initid=0x152510013a68, 
    args=0x152510013a28, is_null=<optimized out>, error=0x152510013a98 "", 
    bg=bg@entry=0 '\000')
    at /test/11.0_dbg/storage/spider/spd_direct_sql.cc:1516
1516	  if (!(direct_sql = (SPIDER_DIRECT_SQL *)
[Current thread is 1 (Thread 0x15255cbdd640 (LWP 2348034))]
(gdb) bt
#0  0x000015255cb023be in spider_direct_sql_body (initid=0x152510013a68, args=0x152510013a28, is_null=<optimized out>, error=0x152510013a98 "", bg=bg@entry=0 '\000') at /test/11.0_dbg/storage/spider/spd_direct_sql.cc:1516
#1  0x000015255cb02dbd in spider_direct_sql (initid=<optimized out>, args=<optimized out>, is_null=<optimized out>, error=<optimized out>) at /test/11.0_dbg/storage/spider/spd_udf.cc:29
#2  0x000055c3720494d7 in udf_handler::val_int (null_value=<synthetic pointer>, this=0x152510013a18) at /test/11.0_dbg/sql/sql_udf.h:108
#3  Item_func_udf_int::val_int (this=0x152510013968) at /test/11.0_dbg/sql/item_func.cc:3818
#4  0x000055c371ef1013 in Type_handler::Item_send_longlong (this=<optimized out>, item=0x152510013968, protocol=0x152510001368, buf=<optimized out>) at /test/11.0_dbg/sql/sql_type.cc:7496
#5  0x000055c371ef7889 in Type_handler_longlong::Item_send (this=<optimized out>, item=<optimized out>, protocol=<optimized out>, buf=<optimized out>) at /test/11.0_dbg/sql/sql_type.h:5765
#6  0x000055c371bcf5dc in Item::send (this=0x152510013968, protocol=0x152510001368, buffer=0x15255cbdaff0) at /test/11.0_dbg/sql/item.h:1235
#7  0x000055c371c050f9 in Protocol::send_result_set_row (this=this@entry=0x152510001368, row_items=row_items@entry=0x1525100134d0) at /test/11.0_dbg/sql/protocol.cc:1332
#8  0x000055c371c876d1 in select_send::send_data (this=0x152510014460, items=@0x1525100134d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x152510013ae0, last = 0x152510013ae0, elements = 1}, <No data fields>}) at /test/11.0_dbg/sql/sql_class.cc:3102
#9  0x000055c371d76d15 in select_result_sink::send_data_with_check (sent=0, u=<optimized out>, items=<optimized out>, this=<optimized out>) at /test/11.0_dbg/sql/sql_class.h:5748
#10 JOIN::exec_inner (this=this@entry=0x152510014488) at /test/11.0_dbg/sql/sql_select.cc:4754
#11 0x000055c371d77be0 in JOIN::exec (this=this@entry=0x152510014488) at /test/11.0_dbg/sql/sql_select.cc:4666
#12 0x000055c371d75b18 in mysql_select (thd=thd@entry=0x152510000d58, tables=0x0, fields=@0x1525100134d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x152510013ae0, last = 0x152510013ae0, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x152510014460, unit=0x152510004fa0, select_lex=0x152510013218) at /test/11.0_dbg/sql/sql_select.cc:5146
#13 0x000055c371d7628b in handle_select (thd=thd@entry=0x152510000d58, lex=lex@entry=0x152510004ec8, result=result@entry=0x152510014460, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.0_dbg/sql/sql_select.cc:608
#14 0x000055c371cdbe8d in execute_sqlcom_select (thd=thd@entry=0x152510000d58, all_tables=0x0) at /test/11.0_dbg/sql/sql_parse.cc:6267
#15 0x000055c371ce74af in mysql_execute_command (thd=thd@entry=0x152510000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.0_dbg/sql/sql_parse.cc:3949
#16 0x000055c371cee7cf in mysql_parse (thd=thd@entry=0x152510000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x15255cbdc2c0) at /test/11.0_dbg/sql/sql_parse.cc:8002
#17 0x000055c371cf0963 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x152510000d58, packet=packet@entry=0x15251000ae19 "", packet_length=packet_length@entry=58, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_class.h:242
#18 0x000055c371cf27bc in do_command (thd=0x152510000d58, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_parse.cc:1407
#19 0x000055c371e436e2 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55c3750d6b98, put_in_cache=put_in_cache@entry=true) at /test/11.0_dbg/sql/sql_connect.cc:1416
#20 0x000055c371e43941 in handle_one_connection (arg=0x55c3750d6b98) at /test/11.0_dbg/sql/sql_connect.cc:1318
#21 0x00001525760a3b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#22 0x0000152576135a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

10.11.2 483ddb5684ad7e5b0ffd19d4b0cb81de56d776f8 (Debug)

Core was generated by `/test/MD110223-mariadb-10.11.2-linux-x86_64-dbg/bin/mariadbd --no-defaults --co'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000015104f0205f3 in spider_direct_sql_body (initid=0x15102c013a38, 
    args=0x15102c0139f8, is_null=<optimized out>, error=0x15102c013a68 "", 
    bg=bg@entry=0 '\000')
    at /test/10.11_dbg/storage/spider/spd_direct_sql.cc:1518
[Current thread is 1 (Thread 0x15104f0fc640 (LWP 2347983))]
(gdb) bt
#0  0x000015104f0205f3 in spider_direct_sql_body (initid=0x15102c013a38, args=0x15102c0139f8, is_null=<optimized out>, error=0x15102c013a68 "", bg=bg@entry=0 '\000') at /test/10.11_dbg/storage/spider/spd_direct_sql.cc:1518
#1  0x000015104f020ff2 in spider_direct_sql (initid=<optimized out>, args=<optimized out>, is_null=<optimized out>, error=<optimized out>) at /test/10.11_dbg/storage/spider/spd_udf.cc:29
#2  0x0000558917c18b07 in udf_handler::val_int (null_value=<synthetic pointer>, this=0x15102c0139e8) at /test/10.11_dbg/sql/sql_udf.h:108
#3  Item_func_udf_int::val_int (this=0x15102c013940) at /test/10.11_dbg/sql/item_func.cc:3818
#4  0x0000558917ac1e3f in Type_handler::Item_send_longlong (this=<optimized out>, item=0x15102c013940, protocol=0x15102c001368, buf=<optimized out>) at /test/10.11_dbg/sql/sql_type.cc:7496
#5  0x0000558917ac8649 in Type_handler_longlong::Item_send (this=<optimized out>, item=<optimized out>, protocol=<optimized out>, buf=<optimized out>) at /test/10.11_dbg/sql/sql_type.h:5769
#6  0x00005589177a937c in Item::send (this=0x15102c013940, protocol=0x15102c001368, buffer=0x15104f0f9ff0) at /test/10.11_dbg/sql/item.h:1235
#7  0x00005589177dd7bb in Protocol::send_result_set_row (this=this@entry=0x15102c001368, row_items=row_items@entry=0x15102c0134c0) at /test/10.11_dbg/sql/protocol.cc:1332
#8  0x0000558917860685 in select_send::send_data (this=0x15102c014428, items=@0x15102c0134c0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x15102c013ab0, last = 0x15102c013ab0, elements = 1}, <No data fields>}) at /test/10.11_dbg/sql/sql_class.cc:3103
#9  0x000055891794a92f in select_result_sink::send_data_with_check (sent=0, u=<optimized out>, items=<optimized out>, this=<optimized out>) at /test/10.11_dbg/sql/sql_class.h:5746
#10 JOIN::exec_inner (this=this@entry=0x15102c014450) at /test/10.11_dbg/sql/sql_select.cc:4699
#11 0x000055891794b7c8 in JOIN::exec (this=this@entry=0x15102c014450) at /test/10.11_dbg/sql/sql_select.cc:4611
#12 0x0000558917949731 in mysql_select (thd=thd@entry=0x15102c000d58, tables=0x0, fields=@0x15102c0134c0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x15102c013ab0, last = 0x15102c013ab0, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x15102c014428, unit=0x15102c004f98, select_lex=0x15102c013208) at /test/10.11_dbg/sql/sql_select.cc:5091
#13 0x0000558917949ea4 in handle_select (thd=thd@entry=0x15102c000d58, lex=lex@entry=0x15102c004ec0, result=result@entry=0x15102c014428, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.11_dbg/sql/sql_select.cc:581
#14 0x00005589178b4b69 in execute_sqlcom_select (thd=thd@entry=0x15102c000d58, all_tables=0x0) at /test/10.11_dbg/sql/sql_parse.cc:6267
#15 0x00005589178c016a in mysql_execute_command (thd=thd@entry=0x15102c000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.11_dbg/sql/sql_parse.cc:3949
#16 0x00005589178c7484 in mysql_parse (thd=thd@entry=0x15102c000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x15104f0fb2c0) at /test/10.11_dbg/sql/sql_parse.cc:8002
#17 0x00005589178c9618 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x15102c000d58, packet=packet@entry=0x15102c00ae09 "", packet_length=packet_length@entry=58, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_class.h:243
#18 0x00005589178cb471 in do_command (thd=0x15102c000d58, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407
#19 0x0000558917a1653a in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55891aaedb98, put_in_cache=put_in_cache@entry=true) at /test/10.11_dbg/sql/sql_connect.cc:1416
#20 0x0000558917a16799 in handle_one_connection (arg=0x55891aaedb98) at /test/10.11_dbg/sql/sql_connect.cc:1318
#21 0x000015107f7f6b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#22 0x000015107f888a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

The SIGSEGVs in thd_ha_data only show in 10.3:

10.3.38 2743a510a156456fe57429032bf41c0da0f11198 (Optimized)

Core was generated by `/test/MD110223-mariadb-10.3.38-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  thd_ha_data (thd=0x14c3ec000c58, hton=0x0)
    at /test/10.3_opt/sql/sql_class.cc:423
[Current thread is 1 (Thread 0x14c4440cf640 (LWP 2348216))]
(gdb) bt
#0  thd_ha_data (thd=0x14c3ec000c58, hton=0x0) at /test/10.3_opt/sql/sql_class.cc:423
#1  0x00005595be7d166d in thd_get_ha_data (thd=<optimized out>, hton=<optimized out>) at /test/10.3_opt/sql/sql_class.cc:438
#2  0x000014c4218debb9 in spider_direct_sql_body (initid=0x14c3ec00f9d8, args=0x14c3ec00f998, is_null=<optimized out>, error=0x14c3ec00fa08 "", bg=<optimized out>) at /test/10.3_opt/storage/spider/spd_direct_sql.cc:1604
#3  0x00005595bea795de in udf_handler::val_int (null_value=<synthetic pointer>, this=<optimized out>) at /test/10.3_opt/sql/sql_udf.h:107
#4  udf_handler::val_int (null_value=<synthetic pointer>, this=0x14c3ec00f988) at /test/10.3_opt/sql/sql_udf.h:98
#5  Item_func_udf_int::val_int (this=0x14c3ec00f8c8) at /test/10.3_opt/sql/item_func.cc:3608
#6  0x00005595be95fb3d in Type_handler::Item_send_longlong (this=<optimized out>, item=0x14c3ec00f8c8, protocol=0x14c3ec0011b0, buf=<optimized out>) at /test/10.3_opt/sql/sql_type.cc:5454
#7  0x00005595be769fbe in Protocol::send_result_set_row (this=this@entry=0x14c3ec0011b0, row_items=row_items@entry=0x14c3ec0050b8) at /test/10.3_opt/sql/protocol.cc:1000
#8  0x00005595be7d8da7 in select_send::send_data (this=0x14c3ec00fb90, items=@0x14c3ec0050b8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14c3ec00fa50, last = 0x14c3ec00fa50, elements = 1}, <No data fields>}) at /test/10.3_opt/sql/sql_class.cc:3049
#9  0x00005595be87cc22 in JOIN::exec_inner (this=this@entry=0x14c3ec00fbb8) at /test/10.3_opt/sql/sql_select.cc:4065
#10 0x00005595be87d2b6 in JOIN::exec (this=this@entry=0x14c3ec00fbb8) at /test/10.3_opt/sql/sql_select.cc:3984
#11 0x00005595be87d446 in mysql_select (thd=0x14c3ec000c58, tables=<optimized out>, wild_num=0, fields=<optimized out>, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x14c3ec00fb90, unit=0x14c3ec0047b8, select_lex=0x14c3ec004f78) at /test/10.3_opt/sql/sql_select.cc:4393
#12 0x00005595be87dd43 in handle_select (thd=thd@entry=0x14c3ec000c58, lex=lex@entry=0x14c3ec0046f8, result=result@entry=0x14c3ec00fb90, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.3_opt/sql/sql_select.cc:372
#13 0x00005595be811d9d in execute_sqlcom_select (thd=0x14c3ec000c58, all_tables=0x0) at /test/10.3_opt/sql/sql_parse.cc:6340
#14 0x00005595be81f7cd in mysql_execute_command (thd=<optimized out>) at /test/10.3_opt/sql/sql_parse.cc:3871
#15 0x00005595be8221a2 in mysql_parse (thd=0x14c3ec000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.3_opt/sql/sql_parse.cc:7855
#16 0x00005595be8239e5 in dispatch_command (command=COM_QUERY, thd=0x14c3ec000c58, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.3_opt/sql/sql_parse.cc:1941
#17 0x00005595be825bae in do_command (thd=0x14c3ec000c58) at /test/10.3_opt/sql/sql_parse.cc:1398
#18 0x00005595be90867e in do_handle_one_connection (connect=<optimized out>) at /test/10.3_opt/sql/sql_connect.cc:1404
#19 0x00005595be9086fd in handle_one_connection (arg=<optimized out>) at /test/10.3_opt/sql/sql_connect.cc:1309
#20 0x000014c44813eb43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#21 0x000014c4481d0a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

10.3.38 2743a510a156456fe57429032bf41c0da0f11198 (Debug)

Core was generated by `/test/MD110223-mariadb-10.3.38-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  thd_ha_data (thd=0x149fe4000d38, hton=0x0)
    at /test/10.3_dbg/sql/sql_class.cc:423
[Current thread is 1 (Thread 0x14a0440ea640 (LWP 2348487))]
(gdb) bt
#0  thd_ha_data (thd=0x149fe4000d38, hton=0x0) at /test/10.3_dbg/sql/sql_class.cc:423
#1  0x000055557392a26b in thd_get_ha_data (thd=<optimized out>, hton=<optimized out>) at /test/10.3_dbg/sql/sql_class.cc:438
#2  0x000014a0219f5a1e in spider_direct_sql_body (initid=0x149fe4010e68, args=0x149fe4010e28, is_null=<optimized out>, error=0x149fe4010e98 "", bg=bg@entry=0 '\000') at /test/10.3_dbg/storage/spider/spd_direct_sql.cc:1604
#3  0x000014a0219f63ab in spider_direct_sql (initid=<optimized out>, args=<optimized out>, is_null=<optimized out>, error=<optimized out>) at /test/10.3_dbg/storage/spider/spd_udf.cc:29
#4  0x0000555573c511f7 in udf_handler::val_int (null_value=<synthetic pointer>, this=0x149fe4010e18) at /test/10.3_dbg/sql/sql_udf.h:107
#5  Item_func_udf_int::val_int (this=0x149fe4010d58) at /test/10.3_dbg/sql/item_func.cc:3608
#6  0x0000555573af9983 in Type_handler::Item_send_longlong (this=<optimized out>, item=0x149fe4010d58, protocol=0x149fe4001318, buf=<optimized out>) at /test/10.3_dbg/sql/sql_type.cc:5454
#7  0x0000555573afd62d in Type_handler_longlong::Item_send (this=<optimized out>, item=<optimized out>, protocol=<optimized out>, buf=<optimized out>) at /test/10.3_dbg/sql/sql_type.h:2498
#8  0x00005555738b7910 in Item::send (this=0x149fe4010d58, protocol=0x149fe4001318, buffer=0x14a0440e73a0) at /test/10.3_dbg/sql/item.h:886
#9  0x00005555738b55d4 in Protocol::send_result_set_row (this=this@entry=0x149fe4001318, row_items=row_items@entry=0x149fe4005358) at /test/10.3_dbg/sql/protocol.cc:1000
#10 0x000055557393308a in select_send::send_data (this=0x149fe4011020, items=@0x149fe4005358: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x149fe4010ee0, last = 0x149fe4010ee0, elements = 1}, <No data fields>}) at /test/10.3_dbg/sql/sql_class.cc:3049
#11 0x00005555739e870c in JOIN::exec_inner (this=this@entry=0x149fe4011048) at /test/10.3_dbg/sql/sql_select.cc:4065
#12 0x00005555739e9384 in JOIN::exec (this=this@entry=0x149fe4011048) at /test/10.3_dbg/sql/sql_select.cc:3984
#13 0x00005555739e9576 in mysql_select (thd=thd@entry=0x149fe4000d38, tables=0x0, wild_num=0, fields=@0x149fe4005358: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x149fe4010ee0, last = 0x149fe4010ee0, elements = 1}, <No data fields>}, conds=0x0, og_num=<optimized out>, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x149fe4011020, unit=0x149fe4004a58, select_lex=0x149fe4005218) at /test/10.3_dbg/sql/sql_select.cc:4393
#14 0x00005555739ea02b in handle_select (thd=thd@entry=0x149fe4000d38, lex=lex@entry=0x149fe4004998, result=result@entry=0x149fe4011020, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.3_dbg/sql/sql_select.cc:372
#15 0x0000555573973fd7 in execute_sqlcom_select (thd=thd@entry=0x149fe4000d38, all_tables=0x0) at /test/10.3_dbg/sql/sql_parse.cc:6340
#16 0x000055557397d9a1 in mysql_execute_command (thd=thd@entry=0x149fe4000d38) at /test/10.3_dbg/sql/sql_parse.cc:3871
#17 0x0000555573986694 in mysql_parse (thd=thd@entry=0x149fe4000d38, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14a0440e9510, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.3_dbg/sql/sql_parse.cc:7855
#18 0x0000555573988609 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x149fe4000d38, packet=packet@entry=0x149fe4018ae9 "", packet_length=packet_length@entry=58, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.3_dbg/sql/sql_class.h:200
#19 0x000055557398a5cf in do_command (thd=0x149fe4000d38) at /test/10.3_dbg/sql/sql_parse.cc:1398
#20 0x0000555573a8e01f in do_handle_one_connection (connect=<optimized out>) at /test/10.3_dbg/sql/sql_connect.cc:1404
#21 0x0000555573a8e150 in handle_one_connection (arg=<optimized out>) at /test/10.3_dbg/sql/sql_connect.cc:1309
#22 0x000014a0485a8b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#23 0x000014a04863aa00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Bug confirmed present in:
MariaDB: 10.3.38 (dbg), 10.3.38 (opt), 10.4.29 (dbg), 10.4.29 (opt), 10.5.20 (dbg), 10.5.20 (opt), 10.6.13 (dbg), 10.6.13 (opt), 10.7.8 (dbg), 10.7.8 (opt), 10.8.8 (dbg), 10.8.8 (opt), 10.9.6 (dbg), 10.9.6 (opt), 10.10.4 (dbg), 10.10.4 (opt), 10.11.2 (dbg), 10.11.2 (opt), 11.0.1 (dbg), 11.0.1 (opt)

UniqueID/stacks summary:

SIGSEGV|spider_direct_sql_body|spider_direct_sql|udf_handler::val_int|Item_func_udf_int::val_int
SIGSEGV|spider_direct_sql_body|udf_handler::val_int|udf_handler::val_int|Item_func_udf_int::val_int
SIGSEGV|thd_ha_data|thd_get_ha_data|spider_direct_sql_body|spider_direct_sql
SIGSEGV|thd_ha_data|thd_get_ha_data|spider_direct_sql_body|udf_handler::val_int



Comments
Comment by Roel Van de Paar [ 2024-01-03 ]

Additional stacks with:

INSTALL PLUGIN Spider SONAME 'ha_spider.so';
UNINSTALL SONAME IF EXISTS "ha_spider";
SELECT spider_direct_sql ('','tmp_a','SRV "s",DATABASE "test"');

SIGSEGV|my_hash_insert|spider_get_trx|spider_direct_sql_body|udf_handler::val_int
SIGSEGV|thd_get_ha_data|spider_direct_sql_body|spider_direct_sql|udf_handler::val_int

Present in 10.4-11.4 in both opt and dbg builds.

Comment by Roel Van de Paar [ 2024-01-03 ]

Additional stacks with:

CREATE FUNCTION spider_bg_direct_sql RETURNS INT SONAME 'ha_spider.so';
SELECT spider_bg_direct_sql ('SET SESSION AUTO_INCREMENT_OFFSET=3','','SRV "s"');

SIGSEGV|spider_direct_sql_init_body|spider_bg_direct_sql_init|udf_handler::fix_fields|Item_udf_func::fix_fields
SIGSEGV|spider_direct_sql_init_body|udf_handler::fix_fields|udf_handler::fix_fields|Item_udf_func::fix_fields

Comment by Roel Van de Paar [ 2024-01-03 ]

Additional stacks with:

INSTALL PLUGIN Spider SONAME 'ha_spider.so';
UNINSTALL SONAME IF EXISTS 'ha_spider';
SELECT spider_copy_tables ('a','','');

SIGSEGV|thd_get_ha_data|spider_copy_tables_body|spider_copy_tables|udf_handler::val_int
SIGSEGV|my_hash_insert|spider_get_trx|spider_copy_tables_body|udf_handler::val_int

Comment by Roel Van de Paar [ 2024-01-03 ]

Additional stacks with:

INSTALL PLUGIN Spider SONAME 'ha_spider.so';
UNINSTALL SONAME IF EXISTS "ha_spider";
SELECT spider_bg_direct_sql ('SET SESSION _offset=3','','SRV "s"');

SIGSEGV|thd_get_ha_data|spider_direct_sql_init_body|spider_bg_direct_sql_init|udf_handler::fix_fields
SIGSEGV|my_hash_insert|spider_get_trx|spider_direct_sql_body|udf_handler::add

Comment by Roel Van de Paar [ 2024-01-03 ]

Additional optimized-build-only stack with:

INSTALL SONAME 'ha_spider';
UNINSTALL SONAME IF EXISTS "ha_spider";
CREATE TABLE t (a INT DEFAULT 1,b CHAR DEFAULT'',c DATE DEFAULT'') DEFAULT CHARSET=utf8;
SELECT spider_direct_sql ('SET SESSION _increment=4','','SRV "s"');

SIGSEGV|thd_get_ha_data|spider_direct_sql_body|udf_handler::val_int|udf_handler::val_int

Debug crashes with the previously seen

SIGSEGV|thd_get_ha_data|spider_direct_sql_body|spider_direct_sql|udf_handler::val_int

Comment by Roel Van de Paar [ 2024-01-03 ]

I saw a single occurrence of

Backtrace stopped: Cannot access memory at address

In a SIGSEGV stack starting with the (previously seen) first frame my_hash_insert:

11.4.0 f93c20081a8a505ac502850ec02630f95673dfba (Optimized)

Core was generated by `/test/MDEV-28861_MD301223-mariadb-11.4.0-linux-x86_64-opt/bin/mariadbd --no-def'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  my_hash_insert (info=0x150b481716c0, 
    record=<error reading variable: Cannot access memory at address 0x150b481bdde0>) at /test/bb-11.4-mdev-28861_opt/mysys/hash.c:521
521	    empty[0]= pos[0];
[Current thread is 1 (LWP 1007995)]
(gdb) bt
#0  my_hash_insert (info=0x150b481716c0, record=<error reading variable: Cannot access memory at address 0x150b481bdde0>) at /test/bb-11.4-mdev-28861_opt/mysys/hash.c:521
Backtrace stopped: Cannot access memory at address 0x150b481bde58

So it is possible there is memory corruption and/or stack smashing.

Comment by Roel Van de Paar [ 2024-01-05 ]

INSTALL PLUGIN Spider SONAME 'ha_spider.so';
UNINSTALL SONAME IF EXISTS "ha_spider";
CREATE TABLE t (a INT DEFAULT 1,b CHAR DEFAULT'',c DATE DEFAULT'') DEFAULT CHARSET=utf8;
SELECT spider_bg_direct_sql ('SET SESSION _offset=1','','SRV "s"');

11.4.0 9bd95e914f3f12d0d9d93e7a1f2c49e6e8841f17 (Optimized)

SIGSEGV|thd_get_ha_data|spider_direct_sql_init_body|udf_handler::fix_fields|udf_handler::fix_fields

Comment by Yuchen Pei [ 2024-01-09 ]

In 10.4 ca276a0f3fcb45ff0abc011e334c700e0c5d4315 the problem is that
spider_hton_ptr is NULL but accessed in spider_current_trx:

#define spider_current_trx \
  (current_thd && spider_hton_ptr->slot != HA_SLOT_UNDEF ? ((SPIDER_TRX *) thd_get_ha_data(current_thd, spider_hton_ptr)) : NULL)

A simple fix would be to just return failure when calling any spider udf
without spider installed (spider_hton_ptr == 0).

Here's a demo patch:

upstream/bb-10.4-mdev-30727-demo 10.4 3b1fbf9808c7c1a026ac67c0a093e0684a77b7f7
MDEV-30727 [demo] Check spider_hton_ptr in spider udf
 
This will output NULL in the test case. It may be better to simply not
allow CREATE FUNCTION ... SONAME 'ha_spider'; without installing
spider first, depending on the convention and expectations.
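
The macro quoted in the comment above reads spider_hton_ptr->slot before anyone checks that spider_hton_ptr is non-NULL. The following C model is an added illustration, not MariaDB's code and not the demo patch: it reproduces the lifecycle the test cases exercise (a UDF that stays callable after UNINSTALL SONAME while the plugin global it depends on is NULL) and applies the check the comment proposes, returning SQL NULL instead of faulting. The names handlerton, THD, SPIDER_TRX, thd_get_ha_data and spider_direct_sql_model mirror the server's, but their layouts and signatures here are stand-ins.

```c
/* Added example (not MariaDB code): model of MDEV-30727's failure mode and
 * of the guard proposed in the demo patch. Layouts are stand-ins. */
#include <stddef.h>
#include <string.h>

#define HA_SLOT_UNDEF ((unsigned) -1)
#define MAX_HA 8

typedef struct handlerton { unsigned slot; } handlerton;
typedef struct THD { void *ha_data[MAX_HA]; } THD;
typedef struct SPIDER_TRX { unsigned queries; } SPIDER_TRX;

/* Set by plugin init (INSTALL SONAME), cleared by deinit (UNINSTALL SONAME).
 * A UDF created with CREATE FUNCTION ... SONAME lives independently of it. */
static handlerton *spider_hton_ptr = NULL;
static handlerton  spider_hton_storage;

void spider_plugin_install(void)
{
  spider_hton_storage.slot = 3;
  spider_hton_ptr = &spider_hton_storage;
}
void spider_plugin_uninstall(void) { spider_hton_ptr = NULL; }

/* thd_get_ha_data reads hton->slot, so a NULL hton faults inside it: that is
 * the thd_ha_data / thd_get_ha_data frame at the top of several stacks above. */
static void *thd_get_ha_data(THD *thd, handlerton *hton)
{
  return thd->ha_data[hton->slot];
}
static void thd_set_ha_data(THD *thd, handlerton *hton, void *data)
{
  thd->ha_data[hton->slot] = data;
}

/* Macro as quoted in the issue: spider_hton_ptr->slot is read unconditionally. */
#define spider_current_trx_unguarded(thd) \
  ((thd) && spider_hton_ptr->slot != HA_SLOT_UNDEF ? \
   (SPIDER_TRX *) thd_get_ha_data((thd), spider_hton_ptr) : NULL)

/* Hardened form: the pointer itself is tested before its slot is read. */
#define spider_current_trx(thd) \
  ((thd) && spider_hton_ptr && spider_hton_ptr->slot != HA_SLOT_UNDEF ? \
   (SPIDER_TRX *) thd_get_ha_data((thd), spider_hton_ptr) : NULL)

/* Model of a Spider UDF body. MariaDB UDFs report SQL NULL through *is_null
 * and failure through *error; the first argument stands in for current_thd.
 * Returns the number of calls seen by this connection's trx on success. */
long long spider_direct_sql_model(THD *thd, char *is_null, char *error)
{
  static SPIDER_TRX trx_storage;      /* stand-in for a heap-allocated trx */
  SPIDER_TRX *trx;

  *is_null = 0;
  *error = 0;
  /* The check from the demo patch: refuse to work without the plugin. */
  if (!spider_hton_ptr) {
    *is_null = 1;
    return 0;
  }
  trx = spider_current_trx(thd);
  if (!trx) {                          /* lazily register a trx, like spider_get_trx */
    trx = &trx_storage;
    trx->queries = 0;
    thd_set_ha_data(thd, spider_hton_ptr, trx);
  }
  trx->queries++;
  return (long long) trx->queries;
}
```

With the plugin uninstalled the model yields NULL; after INSTALL SONAME the same UDF registers a trx in the thd's ha_data slot and works.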

Comment by Yuchen Pei [ 2024-01-11 ]

After discussions with holyfoot, we agreed we could follow the idea in the demo patch above (because the user could execute an INSTALL SONAME after the CREATE FUNCTION in which case the function still functions afterwards), but it may be good to output an error. So I updated the patch with an error, but somehow it segfaults at the call to my_error():

a2bc999190e bb-10.4-mdev-30727-demo MDEV-30727 [demo] Check spider_hton_ptr in spider udf

Comment by Roel Van de Paar [ 2024-01-17 ]

Confirmed stack smashing:

11.4.0 f93c20081a8a505ac502850ec02630f95673dfba (Optimized)

Core was generated by `/test/MDEV-28861_MD301223-mariadb-11.4.0-linux-x86_64-opt/bin/mariadbd --no-def'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000559bd76ed87b in thd_get_ha_data (thd=0x14f550000c68, 
    hton=0x14f54c0317a8) at /test/bb-11.4-mdev-28861_opt/sql/sql_class.cc:455
[Current thread is 1 (LWP 2958119)]
(gdb) bt
#0  0x0000559bd76ed87b in thd_get_ha_data (thd=0x14f550000c68, hton=0x14f54c0317a8) at /test/bb-11.4-mdev-28861_opt/sql/sql_class.cc:455
#1  0x000014f5800a7510 in ?? ()
#2  0x0000000000000010 in ?? ()
#3  0x0000000000000010 in ?? ()
#4  0x000014f5500115f8 in ?? ()
#5  0x000014f550011550 in ?? ()
#6  0x000014f550011440 in ?? ()
#7  0x0000000000000010 in ?? ()
#8  0x0000000000000000 in ?? ()

And in another occurrence (note the end of the stack):

11.4.0 f93c20081a8a505ac502850ec02630f95673dfba (Optimized)

(gdb) bt
#0  0x000055f65f31487b in thd_get_ha_data (thd=0x1535f0000c68, hton=0x1535fc0317a8) at /test/bb-11.4-mdev-28861_opt/sql/sql_class.cc:455
#1  0x000015362c10334d in spider_get_trx (thd=thd@entry=0x1535f0000c68, regist_allocated_thds=regist_allocated_thds@entry=true, error_num=error_num@entry=0x1536380ef648) at /test/bb-11.4-mdev-28861_opt/storage/spider/spd_trx.cc:1141
#2  0x000015362c148644 in spider_copy_tables_body (initid=<optimized out>, args=0x1535f00113b8, is_null=<optimized out>, error=0x1535f0011428 "") at /test/bb-11.4-mdev-28861_opt/storage/spider/spd_copy_tables.cc:779
#3  0x000055f65f67292e in udf_handler::val_int (null_value=<synthetic pointer>, this=<optimized out>) at /test/bb-11.4-mdev-28861_opt/sql/sql_udf.h:108
#4  udf_handler::val_int (null_value=<synthetic pointer>, this=0x1535f00113a8) at /test/bb-11.4-mdev-28861_opt/sql/sql_udf.h:99
#5  Item_func_udf_int::val_int (this=0x1535f00112f8) at /test/bb-11.4-mdev-28861_opt/sql/item_func.cc:3783
#6  0x000055f65f54c2dd in Type_handler::Item_send_longlong (this=<optimized out>, item=0x1535f00112f8, protocol=0x1535f00011f0, buf=<optimized out>) at /test/bb-11.4-mdev-28861_opt/sql/sql_type.cc:7487
#7  0x000055f65f2a1b7a in Protocol::send_result_set_row (this=this@entry=0x1535f00011f0, row_items=row_items@entry=0x1535f0010ea0) at /test/bb-11.4-mdev-28861_opt/sql/protocol.cc:1334
#8  0x000055f65f312cf7 in select_send::send_data (this=0x1535f0011dc8, items=@0x1535f0010ea0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1535f0011470, last = 0x1535f0011470, elements = 1}, <No data fields>}) at /test/bb-11.4-mdev-28861_opt/sql/sql_class.cc:3127
#9  0x000055f65f3f66b0 in select_result_sink::send_data_with_check (u=<optimized out>, sent=0, items=<optimized out>, this=<optimized out>) at /test/bb-11.4-mdev-28861_opt/sql/sql_class.h:5945
#10 select_result_sink::send_data_with_check (sent=0, u=<optimized out>, items=<optimized out>, this=<optimized out>) at /test/bb-11.4-mdev-28861_opt/sql/sql_class.h:5935
#11 JOIN::exec_inner (this=0x1535f0011df0) at /test/bb-11.4-mdev-28861_opt/sql/sql_select.cc:4814
#12 0x000055f65f3f6e5e in JOIN::exec (this=this@entry=0x1535f0011df0) at /test/bb-11.4-mdev-28861_opt/sql/sql_select.cc:4726
#13 0x000055f65f3f4ddc in mysql_select (thd=0x1535f0000c68, tables=0x0, fields=<optimized out>, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x1535f0011dc8, unit=0x1535f0004f20, select_lex=0x1535f0010be8) at /test/bb-11.4-mdev-28861_opt/sql/sql_select.cc:5249
#14 0x000055f65f3f55d4 in handle_select (thd=thd@entry=0x1535f0000c68, lex=lex@entry=0x1535f0004e40, result=result@entry=0x1535f0011dc8, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/bb-11.4-mdev-28861_opt/sql/sql_select.cc:628
#15 0x000055f65f369d75 in execute_sqlcom_select (thd=0x1535f0000c68, all_tables=0x0) at /test/bb-11.4-mdev-28861_opt/sql/sql_parse.cc:6029
#16 0x000055f65f378f12 in mysql_execute_command (thd=0x1535f0000c68, is_called_from_prepared_stmt=<optimized out>) at /test/bb-11.4-mdev-28861_opt/sql/sql_parse.cc:3924
#17 0x000055f65f37a2e6 in mysql_parse (thd=0x1535f0000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/bb-11.4-mdev-28861_opt/sql/sql_parse.cc:7748
#18 0x000055f65f37ca8d in dispatch_command (command=COM_QUERY, thd=0x1535f0000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/bb-11.4-mdev-28861_opt/sql/sql_parse.cc:1992
#19 0x000055f65f37e840 in do_command (thd=0x1535f0000c68, blocking=blocking@entry=true) at /test/bb-11.4-mdev-28861_opt/sql/sql_parse.cc:1406
#20 0x000055f65f4a898f in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/bb-11.4-mdev-28861_opt/sql/sql_connect.cc:1418
#21 0x000055f65f4a8cdd in handle_one_connection (arg=arg@entry=0x55f662612048) at /test/bb-11.4-mdev-28861_opt/sql/sql_connect.cc:1320
#22 0x000055f65f852471 in pfs_spawn_thread (arg=0x55f6625cb408) at /test/bb-11.4-mdev-28861_opt/storage/perfschema/pfs.cc:2201
#23 0x0000153642094ac3 in allocate_stack (stacksize=<synthetic pointer>, stack=<synthetic pointer>, pdp=<synthetic pointer>, attr=0xb) at ./nptl/allocatestack.c:490
#24 __pthread_create_2_1 (newthread=0xb, attr=0x1536380f2640, start_routine=0x7fffe9708250, arg=0x4aa9bb0a052db5a0) at ./nptl/pthread_create.c:647
#25 0x0000000000000000 in ?? ()

The latter is also another stack variation:

SIGSEGV|thd_get_ha_data|spider_get_trx|spider_copy_tables_body|udf_handler::val_int

Comment by Roel Van de Paar [ 2024-01-17 ]

Another variation seen:

SIGSEGV|thd_get_ha_data|spider_get_trx|spider_direct_sql_body|spider_direct_sql

Comment by Roel Van de Paar [ 2024-02-07 ]

CREATE TABLE t (a INT) ENGINE=InnoDB;
INSTALL SONAME 'ha_spider';
UNINSTALL SONAME 'ha_spider';
SELECT * FROM t GROUP BY a;
SELECT spider_copy_tables ('foota_l','','');

Leads to:

11.4.0 9b1ea6904965dd345478dedd80e181ad54c767da (Debug)

SIGABRT|safe_mutex_lock|inline_mysql_mutex_lock|spider_alloc_mem_calc|spider_bulk_alloc_mem

When removing only GROUP BY it leads to a stack seen earlier in this issue:

SIGSEGV|thd_get_ha_data|spider_copy_tables_body|spider_copy_tables|udf_handler::val_int

Full stack for the safe_mutex_lock issue:

11.4.0 9b1ea6904965dd345478dedd80e181ad54c767da (Debug)

Core was generated by `/test/MD060224-mariadb-11.4.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=22886339290688)
    at ./nptl/pthread_kill.c:44
[Current thread is 1 (LWP 2706942)]
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=22886339290688) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=22886339290688) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=22886339290688, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x000014d0ba042476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x000014d0ba0287f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x000055ccbd45b33c in safe_mutex_lock (mp=<optimized out>, my_flags=0, file=0x14d0a41857c0 "/test/11.4_dbg/storage/spider/spd_malloc.cc", line=153) at /test/11.4_dbg/mysys/thr_mutex.c:245
#6  0x000014d0a41293b2 in inline_mysql_mutex_lock (src_line=153, src_file=0x14d0a41857c0 "/test/11.4_dbg/storage/spider/spd_malloc.cc", that=0x14d0a41af300 <spider_mem_calc_mutex>) at /test/11.4_dbg/include/mysql/psi/mysql_thread.h:750
#7  spider_alloc_mem_calc (trx=trx@entry=0x0, id=id@entry=1, func_name=func_name@entry=0x14d0a417d4a9 "<unknown>", file_name=file_name@entry=0x14d0a41854c0 "/test/11.4_dbg/storage/spider/spd_copy_tables.cc", line_no=line_no@entry=772, size=size@entry=1984) at /test/11.4_dbg/storage/spider/spd_malloc.cc:153
#8  0x000014d0a4129748 in spider_bulk_alloc_mem (trx=0x0, id=id@entry=1, func_name=func_name@entry=0x14d0a417d4a9 "<unknown>", file_name=file_name@entry=0x14d0a41854c0 "/test/11.4_dbg/storage/spider/spd_copy_tables.cc", line_no=line_no@entry=772, my_flags=my_flags@entry=48) at /test/11.4_dbg/storage/spider/spd_malloc.cc:234
#9  0x000014d0a4126d0e in spider_copy_tables_body (initid=<optimized out>, args=0x14d070019658, is_null=<optimized out>, error=0x14d0700196c8 "") at /test/11.4_dbg/storage/spider/spd_copy_tables.cc:771
#10 0x000014d0a41207b4 in spider_copy_tables (initid=<optimized out>, args=<optimized out>, is_null=<optimized out>, error=<optimized out>) at /test/11.4_dbg/storage/spider/spd_udf.cc:137
#11 0x000055ccbcdb564d in udf_handler::val_int (null_value=<synthetic pointer>, this=0x14d070019648) at /test/11.4_dbg/sql/sql_udf.h:108
#12 Item_func_udf_int::val_int (this=0x14d070019598) at /test/11.4_dbg/sql/item_func.cc:3801
#13 0x000055ccbcc55dc9 in Type_handler::Item_send_longlong (this=<optimized out>, item=0x14d070019598, protocol=0x14d070001370, buf=<optimized out>) at /test/11.4_dbg/sql/sql_type.cc:7510
#14 0x000055ccbcc5c8af in Type_handler_longlong::Item_send (this=<optimized out>, item=<optimized out>, protocol=<optimized out>, buf=<optimized out>) at /test/11.4_dbg/sql/sql_type.h:5803
#15 0x000055ccbc8f3036 in Item::send (this=0x14d070019598, protocol=0x14d070001370, buffer=0x14d0a41f7d70) at /test/11.4_dbg/sql/item.h:1241
#16 0x000055ccbc92a82d in Protocol::send_result_set_row (this=this@entry=0x14d070001370, row_items=row_items@entry=0x14d070019160) at /test/11.4_dbg/sql/protocol.cc:1333
#17 0x000055ccbc9a0f57 in select_send::send_data (this=0x14d07001a068, items=@0x14d070019160: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14d070019710, last = 0x14d070019710, elements = 1}, <No data fields>}) at /test/11.4_dbg/sql/sql_class.cc:3136
#18 0x000055ccbcaa8418 in select_result_sink::send_data_with_check (sent=0, u=<optimized out>, items=<optimized out>, this=<optimized out>) at /test/11.4_dbg/sql/sql_class.h:5978
#19 JOIN::exec_inner (this=this@entry=0x14d07001a090) at /test/11.4_dbg/sql/sql_select.cc:4862
#20 0x000055ccbcaa926e in JOIN::exec (this=this@entry=0x14d07001a090) at /test/11.4_dbg/sql/sql_select.cc:4774
#21 0x000055ccbcaa7079 in mysql_select (thd=thd@entry=0x14d070000d58, tables=0x0, fields=@0x14d070019160: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14d070019710, last = 0x14d070019710, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x14d07001a068, unit=0x14d0700051d8, select_lex=0x14d070018ea8) at /test/11.4_dbg/sql/sql_select.cc:5304
#22 0x000055ccbcaa78a2 in handle_select (thd=thd@entry=0x14d070000d58, lex=lex@entry=0x14d0700050f8, result=result@entry=0x14d07001a068, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.4_dbg/sql/sql_select.cc:630
#23 0x000055ccbca067ee in execute_sqlcom_select (thd=thd@entry=0x14d070000d58, all_tables=0x0) at /test/11.4_dbg/sql/sql_parse.cc:6077
#24 0x000055ccbca12866 in mysql_execute_command (thd=thd@entry=0x14d070000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.4_dbg/sql/sql_parse.cc:3926
#25 0x000055ccbca18e39 in mysql_parse (thd=thd@entry=0x14d070000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14d0a41f91e0) at /test/11.4_dbg/sql/sql_parse.cc:7798
#26 0x000055ccbca1b1fc in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14d070000d58, packet=packet@entry=0x14d07000b1c9 "", packet_length=packet_length@entry=43, blocking=blocking@entry=true) at /test/11.4_dbg/sql/sql_class.h:254
#27 0x000055ccbca1d333 in do_command (thd=0x14d070000d58, blocking=blocking@entry=true) at /test/11.4_dbg/sql/sql_parse.cc:1406
#28 0x000055ccbcb839fd in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55ccc09fc5a8, put_in_cache=put_in_cache@entry=true) at /test/11.4_dbg/sql/sql_connect.cc:1417
#29 0x000055ccbcb83cf2 in handle_one_connection (arg=arg@entry=0x55ccc09fc5a8) at /test/11.4_dbg/sql/sql_connect.cc:1319
#30 0x000055ccbcfd0e9a in pfs_spawn_thread (arg=0x55ccc09b4868) at /test/11.4_dbg/storage/perfschema/pfs.cc:2201
#31 0x000014d0ba094ac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#32 0x000014d0ba126850 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

The error log also shows:

11.4.0 9b1ea6904965dd345478dedd80e181ad54c767da (Debug)

safe_mutex: Trying to lock uninitialized mutex at /test/11.4_dbg/storage/spider/spd_malloc.cc, line 153

It could be that this is a new/different issue; if so, please let me know and I will create a new ticket for this.

Generated at Thu Feb 08 10:18:26 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.