[MDEV-32211] MariaDB server crashes in ill-formed CREATE TABLE with check expression Created: 2023-09-20  Updated: 2023-09-30  Resolved: 2023-09-30

Status: Closed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 11.3
Fix Version/s: N/A

Type: Bug Priority: Blocker
Reporter: Yu Liang Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: crash, regression
Environment:

Ubuntu Desktop 20.04 LTS
Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz



Description

The latest version of MariaDB Server: Git commit hash: (8d9bc61d0bf783fa792e6c3be37b0eceecbeec89) crashes when executing the following query:

drop database if exists test1;
create database test1;
use test1;
create table v0(c1 INT);
-- Deliberately ill-formed: v2 has no column c1, and the referenced table v1 does not exist.
CREATE TABLE IF NOT EXISTS v2 ( CHECK ( c1 >> FORMAT ( c1, DEFAULT ( c1 )) ) , c3 TEXT REFERENCES v1 ON UPDATE CASCADE ON DELETE NO ACTION ) ;

Here is the crashing stack trace from version 8d9bc61d0b:

#0 0x0000aaaab719ce3c in my_strcasecmp_utf8mb3 (cs=<optimized out>, s=0xffff79b79248 "c3", t=0x0) at /home/mysql/mariadb/strings/ctype-utf8.c:831
#1 0x0000aaaab6328398 in lex_string_cmp (a=<optimized out>, b=0xffff79b78ff8, charset=<optimized out>) at /home/mysql/mariadb/sql/lex_string.h:95
#2 Item_field::check_vcol_func_processor (this=0xffff79b78f28, arg=<optimized out>) at /home/mysql/mariadb/sql/item.cc:1574
#3 0x0000aaaab635069c in Item_default_value::walk (this=0xffff79b78f28, processor=<optimized out>, walk_subquery=<optimized out>, args=0xffff7be64260)
at /home/mysql/mariadb/sql/item.h:6750
#4 0x0000aaaab5a02970 in Item_args::walk_args (arg=0xffff7be64260, walk_subquery=false, processor=<optimized out>, this=0xffff79b790d0)
at /home/mysql/mariadb/sql/item.h:2796
#5 Item_func_or_sum::walk (this=<optimized out>, processor=<optimized out>, walk_subquery=false, arg=0xffff7be64260) at /home/mysql/mariadb/sql/item.h:5496
#6 0x0000aaaab5a02970 in Item_args::walk_args (arg=0xffff7be64260, walk_subquery=false, processor=<optimized out>, this=0xffff79b791b0)
at /home/mysql/mariadb/sql/item.h:2796
#7 Item_func_or_sum::walk (this=<optimized out>, processor=<optimized out>, walk_subquery=false, arg=0xffff7be64260) at /home/mysql/mariadb/sql/item.h:5496
#8 0x0000aaaab6285ef8 in check_expression (vcol=0xffff79b791f8, name=0xffff79b79210, type=VCOL_CHECK_TABLE, alter_info=<optimized out>)
at /home/mysql/mariadb/sql/field.cc:10523
#9 0x0000aaaab5e2af74 in mysql_prepare_create_table_finalize (thd=<optimized out>, create_info=<optimized out>, alter_info=<optimized out>, db_options=<optimized out>,
file=<optimized out>, key_info_buffer=<optimized out>, key_count=<optimized out>, create_table_mode=<optimized out>, db=..., table_name=...)
at /home/mysql/mariadb/sql/sql_table.cc:3761
#10 0x0000aaaab5e31804 in mysql_create_frm_image (thd=0xffff52d62218, db=..., table_name=..., create_info=0xffff7be67260, alter_info=<optimized out>,
create_table_mode=<optimized out>, key_info=<optimized out>, key_count=<optimized out>, frm=<optimized out>) at /home/mysql/mariadb/sql/sql_table.cc:4327
#11 0x0000aaaab5e3b74c in create_table_impl (thd=0xffff52d62218, ddl_log_state_create=0xffff7be66c60, ddl_log_state_rm=<optimized out>, orig_db=..., orig_table_name=...,
db=..., table_name=..., path=..., options=..., create_info=<optimized out>, alter_info=<optimized out>, create_table_mode=<optimized out>, is_trans=<optimized out>,
key_info=<optimized out>, key_count=<optimized out>, frm=<optimized out>) at /home/mysql/mariadb/sql/sql_table.cc:4641
#12 0x0000aaaab5e3d3a8 in mysql_create_table_no_lock (thd=0xffff52d62218, ddl_log_state_create=<optimized out>, ddl_log_state_rm=<optimized out>, db=0xffff79b78470,
table_name=<optimized out>, create_info=0xffff7be67260, alter_info=<optimized out>, is_trans=<optimized out>, create_table_mode=<optimized out>,
table_list=<optimized out>) at /home/mysql/mariadb/sql/sql_table.cc:4766
#13 0x0000aaaab5e4b468 in mysql_create_table (alter_info=0xffff7be67000, create_info=0xffff7be67260, create_table=0xffff79b78458, thd=0xffff52d62218)
at /home/mysql/mariadb/sql/sql_table.cc:4882
#14 Sql_cmd_create_table_like::execute (this=<optimized out>, thd=0xffff52d62218) at /home/mysql/mariadb/sql/sql_table.cc:12819
#15 0x0000aaaab5c4164c in mysql_execute_command (thd=0xffff52d62218, is_called_from_prepared_stmt=<optimized out>) at /home/mysql/mariadb/sql/sql_parse.cc:5722
#16 0x0000aaaab5c147d0 in mysql_parse (thd=0xffff52d62218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>)
at /home/mysql/mariadb/sql/sql_parse.cc:7732
#17 0x0000aaaab5c37afc in dispatch_command (command=COM_QUERY, thd=0xffff52d62218,
packet=0xffff79b6e219 "CREATE TABLE IF NOT EXISTS v2 ( CHECK ( c1 >> FORMAT ( c1, DEFAULT ( c1 )) ) , c3 TEXT REFERENCES v1 ON UPDATE CASCADE ON DELETE NO ACTION )",
packet_length=<optimized out>, blocking=<optimized out>) at /home/mysql/mariadb/sql/sql_class.h:1528
#18 0x0000aaaab5c3c878 in do_command (thd=0xffff52d62218, blocking=<optimized out>) at /home/mysql/mariadb/sql/sql_parse.cc:1406
#19 0x0000aaaab5f71458 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mysql/mariadb/sql/sql_connect.cc:1445
#20 0x0000aaaab5f71c3c in handle_one_connection (arg=0xffff7ad2b4b8) at /home/mysql/mariadb/sql/sql_connect.cc:1347
#21 0x0000aaaab694524c in pfs_spawn_thread (arg=0xffff79511898) at /home/mysql/mariadb/storage/perfschema/pfs.cc:2201
#22 0x0000ffff8073a624 in start_thread (arg=0xffff80b5b918 <asan_thread_start(void*)>) at pthread_create.c:477
#23 0x0000ffff803c949c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78

The bug seems to be introduced in commit faee972f18bebfab4bed5527741743807787ca69, which is a merge commit that merges multiple modifications from 10.4 to 10.5. However, the specific commit that introduced the bug has not yet been found.

Some other useful information:

Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off,hash_join_cardinality=on,sargable_casefold=on



Comments
Comment by Marko Mäkelä [ 2023-09-21 ]

I can’t reproduce this on 11.1 or 11.2:

11.2 eece7f135f1d87c66faa8a51090401c09adc1edc

mysqltest: At line 2: query 'CREATE TABLE IF NOT EXISTS v2 ( CHECK ( c1 >> FORMAT ( c1, DEFAULT ( c1 )) ) , c3 TEXT REFERENCES v1 ON UPDATE CASCADE ON DELETE NO ACTION ) ' failed: ER_BAD_FIELD_ERROR (1054): Unknown column 'c1' in 'CHECK'

On the stated revision I did reproduce this:

11.3 8d9bc61d0bf783fa792e6c3be37b0eceecbeec89

Version: '11.3.0-MariaDB-debug-log'  socket: '/dev/shm/11/mysql-test/var/tmp/mysqld.1.sock'  port: 16000  Source distribution
AddressSanitizer:DEADLYSIGNAL
=================================================================
==111596==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x560b72a659b3 bp 0x000000000000 sp 0x7fb835f13240 T5)
==111596==The signal is caused by a READ memory access.
==111596==Hint: address points to the zero page.
    #0 0x560b72a659b3 in my_strcasecmp_utf8mb3 /mariadb/11/strings/ctype-utf8.c:831
    #1 0x560b71342abd in lex_string_cmp /mariadb/11/sql/lex_string.h:95
    #2 0x560b71342abd in Item_field::check_vcol_func_processor(void*) /mariadb/11/sql/item.cc:1574
    #3 0x560b7134e988 in Item_default_value::walk(bool (Item::*)(void*), bool, void*) /mariadb/11/sql/item.h:6751
    #4 0x560b7129502e in Item_args::walk_args(bool (Item::*)(void*), bool, void*) /mariadb/11/sql/item.h:2796
    #5 0x560b7129510a in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /mariadb/11/sql/item.h:5496
    #6 0x560b7129502e in Item_args::walk_args(bool (Item::*)(void*), bool, void*) /mariadb/11/sql/item.h:2796
    #7 0x560b7129510a in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /mariadb/11/sql/item.h:5496
    #8 0x560b713a4528 in check_expression(Virtual_column_info*, st_mysql_const_lex_string const*, enum_vcol_info_type, Alter_info*) /mariadb/11/sql/field.cc:10523

Comment by Marko Mäkelä [ 2023-09-21 ]

I reproduced this also with an older 11.3:

11.3 8ad1e26b1bafa4ed9928306efc10c047f2274108

Version: '11.3.0-MariaDB-debug-log'  socket: '/dev/shm/11/mysql-test/var/tmp/mysqld.1.sock'  port: 16000  Source distribution
AddressSanitizer:DEADLYSIGNAL
=================================================================
==118667==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5564b2e82a67 bp 0x000000000000 sp 0x7fc33ab13240 T5)
==118667==The signal is caused by a READ memory access.
==118667==Hint: address points to the zero page.
    #0 0x5564b2e82a67 in my_strcasecmp_utf8mb3 /mariadb/11/strings/ctype-utf8.c:831
    #1 0x5564b1762669 in lex_string_cmp /mariadb/11/sql/lex_string.h:95
    #2 0x5564b1762669 in Item_field::check_vcol_func_processor(void*) /mariadb/11/sql/item.cc:1574
    #3 0x5564b176e534 in Item_default_value::walk(bool (Item::*)(void*), bool, void*) /mariadb/11/sql/item.h:6749

Except for the attempt to upgrade RocksDB (MDEV-30610), all changes to the sql subdirectory between 11.2 and this 11.3 commit are by bar.

Comment by Alexander Barkov [ 2023-09-27 ]

Hello serg,
can you please check this problem? It seems to be related to your recent changes in Item_field::check_vcol_func_processor().

Comment by Sergei Golubchik [ 2023-09-30 ]

cannot repeat on the e9573c059656 commit, but it still repeats on e9573c059656^^

Apparently was fixed in the merge e9573c059656^

Likely by 8adb6107ce2a
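
Since the crash was fixed by a merge rather than by a dedicated change, the behaviour is worth pinning with a regression test. The following mysqltest case is an added example, not part of this report or of the MariaDB tree; it assumes it is saved under mysql-test/main/ as e.g. mdev32211.test with a recorded .result file, and it asserts the non-crashing outcome Marko observed on 11.1/11.2 (ER_BAD_FIELD_ERROR, "Unknown column 'c1' in 'CHECK'") rather than any particular fix commit. On an unfixed build the server dies on the second CREATE TABLE and mysqltest reports a lost connection instead of the expected error.

```sql
--echo #
--echo # MDEV-32211 MariaDB server crashes in ill-formed CREATE TABLE with check expression
--echo #

CREATE TABLE v0 (c1 INT);

# v2 has no column c1 and v1 does not exist. The server must reject the
# statement cleanly instead of dereferencing a NULL field name while walking
# DEFAULT(c1) inside the CHECK expression.
--error ER_BAD_FIELD_ERROR
CREATE TABLE IF NOT EXISTS v2 (
  CHECK (c1 >> FORMAT(c1, DEFAULT(c1))),
  c3 TEXT REFERENCES v1 ON UPDATE CASCADE ON DELETE NO ACTION
);

# v2 must not have been created by the failed statement.
--error ER_NO_SUCH_TABLE
SHOW CREATE TABLE v2;

DROP TABLE v0;
```

Run it with `./mysql-test/mtr mdev32211` from a debug build; the `--error` directives make mysqltest fail the test if the statement succeeds or fails with a different error, so a reintroduced crash (connection lost) is caught as well.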

Generated at Thu Feb 08 10:29:40 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.