[MDEV-31284] SIGSEGV in VDec2_lazy::VDec2_lazy | Item_func_plus::decimal_op Created: 2023-05-16  Updated: 2023-11-28

Status: Open
Project: MariaDB Server
Component/s: None
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0

Type: Bug Priority: Major
Reporter: Ramesh Sivaraman Assignee: Alexander Barkov
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-31629 Assertion `(m_ptr == __null) == item-... Open

Description

CREATE TABLE t (t INT KEY) ENGINE=INNODB;
INSERT INTO t (t) VALUES (t +0+t + t+t +0+t + t -0+t +-0+-0+t + t +-0+t +-0+t + t+t +0+t + t+t + t +0+t + t +-0+t +-0+-0+t + t +-0+t +-0.0+t +-0+0+t +-0+0.0+t + t +-0+0.0+0.0+0+t +-0+0.0+-0+0.0+0.0+0+t +-0+0.0+0+0.0+0+t +-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0+t + t+t +0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+t + t +0.0+0+t + t+t +0.0+t + t +-0+0+t +0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +0.0+0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+t +-0+0+t +-0+0.0+t + t +-0+0.0+0.0+0+t +-0+0.0+-0+0.0+0.0+0+t +-0+0.0+0+0.0+0+t +-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0+t + t+t +0+t + t+t +-0+0.0+t +0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t+t +0.0+0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+t +-0+0+t +-0+0.0+t + t +-0+0.0+0.0+0+t +-0+0.0+-0+0.0+0.0+0+t +-0+0.0+0+0.0+0+t +-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t  ),(0.0);

Leads to:

11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug)

Core was generated by `/test/MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00005558faaf45e3 in VDec2_lazy::VDec2_lazy (b=0x153b4c028b10, 
    a=0x153b4c028a50, this=0x153b84064fd0) at /test/11.0_dbg/sql/sql_type.h:507
[Current thread is 1 (Thread 0x153b840ae700 (LWP 1016112))]
(gdb) bt
#0  0x00005558faaf45e3 in VDec2_lazy::VDec2_lazy (b=0x153b4c028b10, a=0x153b4c028a50, this=0x153b84064fd0) at /test/11.0_dbg/sql/sql_type.h:507
#1  Item_func_plus::decimal_op (this=0x153b4c028c30, decimal_value=0x153b840651e8) at /test/11.0_dbg/sql/item_func.cc:1196
#2  0x00005558fa97fba2 in VDec_op::VDec_op (this=0x153b840651e0, item=0x153b4c028c30) at /test/11.0_dbg/sql/sql_type.cc:308
#3  0x00005558fa97ff43 in Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal (this=<optimized out>, item=<optimized out>, dec=0x153b840652c8) at /test/11.0_dbg/sql/sql_type.cc:5348
#4  0x00005558faac16bd in Item_func_hybrid_field_type::val_decimal (this=0x153b4c028c30, dec=0x153b840652c8) at /test/11.0_dbg/sql/sql_type.h:7441
#5  0x00005558fa97f69e in VDec::VDec (this=0x153b840652c0, item=0x153b4c028c30) at /test/11.0_dbg/sql/sql_type.cc:301
#6  0x00005558faaf45e8 in VDec2_lazy::VDec2_lazy (b=0x153b4c028cf0, a=<optimized out>, this=0x153b840652c0) at /test/11.0_dbg/sql/sql_type.h:507
#7  Item_func_plus::decimal_op (this=0x153b4c028e10, decimal_value=0x153b840654d8) at /test/11.0_dbg/sql/item_func.cc:1196
#8  0x00005558fa97fba2 in VDec_op::VDec_op (this=0x153b840654d0, item=0x153b4c028e10) at /test/11.0_dbg/sql/sql_type.cc:308
#9  0x00005558fa97ff43 in Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal (this=<optimized out>, item=<optimized out>, dec=0x153b840655b8) at /test/11.0_dbg/sql/sql_type.cc:5348
#10 0x00005558faac16bd in Item_func_hybrid_field_type::val_decimal (this=0x153b4c028e10, dec=0x153b840655b8) at /test/11.0_dbg/sql/sql_type.h:7441
#11 0x00005558fa97f69e in VDec::VDec (this=0x153b840655b0, item=0x153b4c028e10) at /test/11.0_dbg/sql/sql_type.cc:301
[..]
#987 0x00005558fa97ff43 in Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal (this=<optimized out>, item=<optimized out>, dec=0x153b84083488) at /test/11.0_dbg/sql/sql_type.cc:5348
#988 0x00005558faac16bd in Item_func_hybrid_field_type::val_decimal (this=0x153b4c0392c8, dec=0x153b84083488) at /test/11.0_dbg/sql/sql_type.h:7441
#989 0x00005558fa97f69e in VDec::VDec (this=0x153b84083480, item=0x153b4c0392c8) at /test/11.0_dbg/sql/sql_type.cc:301
#990 0x00005558faaf45e8 in VDec2_lazy::VDec2_lazy (b=0x153b4c039388, a=<optimized out>, this=0x153b84083480) at /test/11.0_dbg/sql/sql_type.h:507
#991 Item_func_plus::decimal_op (this=0x153b4c039408, decimal_value=0x153b84083698) at /test/11.0_dbg/sql/item_func.cc:1196
#992 0x00005558fa97fba2 in VDec_op::VDec_op (this=0x153b84083690, item=0x153b4c039408) at /test/11.0_dbg/sql/sql_type.cc:308
#993 0x00005558fa97ff43 in Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal (this=<optimized out>, item=<optimized out>, dec=0x153b84083778) at /test/11.0_dbg/sql/sql_type.cc:5348

Bug confirmed present in:
MariaDB: 10.4.30 (dbg), 10.5.21 (dbg), 10.6.14 (dbg), 10.6.14 (opt), 10.8.8 (dbg), 10.8.8 (opt), 10.9.7 (dbg), 10.9.7 (opt), 10.10.5 (dbg), 10.10.5 (opt), 10.11.4 (dbg), 10.11.4 (opt), 11.0.2 (dbg), 11.0.2 (opt), 11.1.0 (dbg), 11.1.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.30 (opt), 10.5.21 (opt)

Unique IDs

SIGSEGV|Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal|Item_func_hybrid_field_type::val_decimal|VDec::VDec|VDec2_lazy::VDec2_lazy
SIGSEGV|VDec2_lazy::VDec2_lazy|Item_func_plus::decimal_op|VDec_op::VDec_op|Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal
SIGSEGV|VDec_op::VDec_op|Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal|Item_func_hybrid_field_type::val_decimal|VDec::VDec
SIGSEGV|VDec::VDec|VDec2_lazy::VDec2_lazy|Item_func_plus::decimal_op|VDec_op::VDec_op

Comments
Comment by Alice Sherepa [ 2023-07-05 ]

no crash on current 10.5-11.2, but 10.4 still ends up with a crash

MariaDB [test]> INSERT INTO t (t) VALUES (t +0+t + t+t +0+t + t -0+t +-0+-0+t + t +-0+t +-0+t + t+t +0+t + t+t + t +0+t + t +-0+t +-0+-0+t + t +-0+t +-0.0+t +-0+0+t +-0+0.0+t + t +-0+0.0+0.0+0+t +-0+0.0+-0+0.0+0.0+0+t +-0+0.0+0+0.0+0+t +-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0+t + t+t +0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+t + t +0.0+0+t + t+t +0.0+t + t +-0+0+t +0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +0.0+0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+t +-0+0+t +-0+0.0+t + t +-0+0.0+0.0+0+t +-0+0.0+-0+0.0+0.0+0+t +-0+0.0+0+0.0+0+t +-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0+t + t+t +0+t + t+t +-0+0.0+t +0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t+t +0.0+0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+t +-0+0+t +-0+0.0+t + t +-0+0.0+0.0+0+t +-0+0.0+-0+0.0+0.0+0+t +-0+0.0+0+0.0+0+t +-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t  ),(0.0);
ERROR 1062 (23000): Duplicate entry '0' for key 'PRIMARY'

Comment by Alexander Barkov [ 2023-07-11 ]

I cannot reproduce this problem. Debug builds for all versions from 10.4 to 11.2 seem to work fine for me.

alice, I need some more information please:

  • which commit hash did you try 10.4 with?
  • what is the output from this query:

    show variables like 'thread_stack';
    

  • what is your OS?

The problem might be related to the thread stack overrun. Possibly the required memory is not calculated correctly in your installation.

I tried to reduce thread_stack on my box; it works as expected:

ERROR 1436 (HY000) at line 4: Thread stack overrun:  132936 bytes used of a 164864 byte stack, and 32000 bytes needed.  Use 'mysqld --thread_stack=#' to specify a bigger stack

Thanks.
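The error 1436 message quoted in the comment above is the graceful outcome of the stack check; the SIGSEGV in the description is what happens when the recursion exhausts the stack before that check fires. As an added example that is not part of this ticket, a small Python scanner that picks both outcomes out of client or mysqltest output and derives the smallest thread_stack that would have satisfied the reported check. The regex follows the message text quoted on this page; rounding to 1 KiB is the example's own choice, not a server rule.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Error 1436 (ER_STACK_OVERRUN_NEED_MORE) text as quoted in this ticket.
STACK_OVERRUN_RE = re.compile(
    r"Thread stack overrun:\s+(?P<used>\d+) bytes used of a (?P<total>\d+) byte stack,"
    r" and (?P<needed>\d+) bytes needed"
)
# Error 2013 is what the client reports when the server dies mid-query
# instead of returning the overrun error cleanly.
LOST_CONNECTION_RE = re.compile(r"\b2013\b.*Lost connection to MySQL server during query")


@dataclass
class StackFinding:
    kind: str                      # "overrun_reported" or "crash_suspected"
    used: Optional[int] = None
    total: Optional[int] = None
    needed: Optional[int] = None

    def recommended_thread_stack(self, round_to: int = 1024) -> Optional[int]:
        """Smallest thread_stack for which used + needed <= total would hold.
        Rounding up to 1 KiB is this example's choice, not a server requirement."""
        if self.used is None or self.needed is None:
            return None
        minimum = self.used + self.needed
        return -(-minimum // round_to) * round_to   # ceiling division


def classify_line(line: str) -> Optional[StackFinding]:
    m = STACK_OVERRUN_RE.search(line)
    if m:
        return StackFinding("overrun_reported", int(m["used"]), int(m["total"]), int(m["needed"]))
    if LOST_CONNECTION_RE.search(line):
        return StackFinding("crash_suspected")
    return None


def scan(lines):
    return [f for f in (classify_line(l) for l in lines) if f is not None]


# Constructed sample: line 1 is the 1436 message from this ticket, line 2 mimics the
# mysqltest failure quoted in the comments, line 3 is unrelated server-log noise.
SAMPLE_LOG = [
    "ERROR 1436 (HY000) at line 4: Thread stack overrun:  132936 bytes used of a 164864 byte stack, and 32000 bytes needed.  Use 'mysqld --thread_stack=#' to specify a bigger stack",
    "mysqltest: At line 7: query 'INSERT INTO t ...' failed: 2013: Lost connection to MySQL server during query",
    "2023-07-11 08:24:56 0 [Note] InnoDB: Buffer pool(s) load completed",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.kind, f.recommended_thread_stack())
```

For the quoted message the recommendation is 165888 bytes (132936 + 32000 rounded up), which also shows how narrowly the check fired: the total of 164864 was only 72 bytes short.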

Comment by Alice Sherepa [ 2023-07-11 ]

MariaDB 10.4.31-MariaDB-debug-log source revision 02cd3675c4d211118c06478c50a7a515251bc2fc 
 
show variables like 'thread_stack';
Variable_name	Value
thread_stack	392192
CREATE TABLE t (t INT KEY) ENGINE=INNODB;
INSERT INTO t (t) VALUES (t +0+t + t+t +0+t + t -0+t +-0+-0+t + t +-0+t +-0+t + t+t +0+t + t+t + t +0+t + t +-0+t +-0+-0+t + t +-0+t +-0.0+t +-0+0+t +-0+0.0+t + t +-0+0.0+0.0+0+t +-0+0.0+-0+0.0+0.0+0+t +-0+0.0+0+0.0+0+t +-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0+t + t+t +0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+t + t +0.0+0+t + t+t +0.0+t + t +-0+0+t +0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +0.0+0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+t +-0+0+t +-0+0.0+t + t +-0+0.0+0.0+0+t +-0+0.0+-0+0.0+0.0+0+t +-0+0.0+0+0.0+0+t +-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0+t + t+t +0+t + t+t +-0+0.0+t +0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t+t +0.0+0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+t +-0+0+t +-0+0.0+t + t +-0+0.0+0.0+0+t +-0+0.0+-0+0.0+0.0+0+t +-0+0.0+0+0.0+0+t +-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t  ),(0.0);
main.1_my 'innodb'                       [ fail ]
        Test ended at 2023-07-11 08:24:56
 
CURRENT_TEST: main.1_my
mysqltest: At line 7: query 'INSERT INTO t (t) VALUES (t +0+t + t+t +0+t + t -0+t +-0+-0+t + t +-0+t +-0+t + t+t +0+t + t+t + t +0+t + t +-0+t +-0+-0+t + t +-0+t +-0.0+t +-0+0+t +-0+0.0+t + t +-0+0.0+0.0+0+t +-0+0.0+-0+0.0+0.0+0+t +-0+0.0+0+0.0+0+t +-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0+t + t+t +0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+t + t +0.0+0+t + t+t +0.0+t + t +-0+0+t +0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +0.0+0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+t +-0+0+t +-0+0.0+t + t +-0+0.0+0.0+0+t +-0+0.0+-0+0.0+0.0+0+t +-0+0.0+0+0.0+0+t +-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0+t + t+t +0+t + t+t +-0+0.0+t +0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t+t +0.0+0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t + t+t +0+t + t+t + t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+t +-0+0+t +-0+0.0+t + t +-0+0.0+0.0+0+t +-0+0.0+-0+0.0+0.0+0+t +-0+0.0+0+0.0+0+t +-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0.0+0+t + t+t +0.0+t + t +-0+0+t +-0+0.0+-0+t + t +-0+0.0+0.0+0+t +-0+0.0+0+t  ),(0.0)' failed: 2013: Lost connection to MySQL server during query

Ubuntu 20.04, built with ASAN.

But at the same time, when running from Docker with Ubuntu, I do not get a crash (there: thread_stack 299008).

Comment by Alexander Barkov [ 2023-07-11 ]

alice, thanks for the information.

With an ASAN build I still have no luck reproducing the problem.

Can you please try to start the server with a 2x or 3x or even 10x bigger --thread-stack value?
Does the problem go away?

Thanks.

Comment by Alice Sherepa [ 2023-07-11 ]

yes, with -mysqld=-thread-stack=524288 - error as expected

Comment by Alexander Barkov [ 2023-07-11 ]

Thanks. Now I think it's clear what the problem is.

Comment by Alexander Barkov [ 2023-07-11 ]

Repeatable on my box with --thread-stack=299008 with script:

CREATE OR REPLACE TABLE t (t DECIMAL(10,1)) ENGINE=INNODB;
INSERT INTO t VALUES (1);
SET @query=CONCAT('SELECT (0', REPEAT('+t',500),') FROM t');
EXECUTE IMMEDIATE @query;

The exact number (500) may vary. In some cases it crashes with 500, in some cases it crashes with 520.

Comment by Alice Sherepa [ 2023-07-12 ]

With the test above and --thread-stack=420000 it is also reproducible on 11.0 (313c5a1dfb744aaef10).

Generated at Thu Feb 08 10:22:41 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.