[MDEV-32606] Server crash when querying InnoDB table Created: 2023-10-27  Updated: 2023-12-12  Resolved: 2023-12-12

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - InnoDB
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: csfuzz Assignee: Alice Sherepa
Resolution: Duplicate Votes: 0
Labels: None

Issue Links:
Duplicate
duplicates MDEV-32324 Server crashes inside filesort at my_... Closed

 Description   

CREATE TABLE v0 ( v1 NUMERIC NOT NULL PRIMARY KEY , v2 TINYTEXT ) Engine = InnoDB ;
INSERT INTO v0 VALUES ( 88 , 50 ) ;
UPDATE v0 SET v1 = 63 WHERE v1 = 255 ;
UPDATE v0 SET v2 = 39 WHERE v1 = NULL ;
UPDATE v0 SET v1 = 0 WHERE v1 = 0 OR v1 = 16 ;
UPDATE v0 SET v1 = 18 WHERE v2 = 50 ;
SELECT * FROM v0 ORDER BY - v1 , v2 DESC , ( SELECT v1 AS v3 GROUP BY v2 LIMIT 8 OFFSET 24 ) ASC ;
SELECT * FROM v0 ORDER BY v1 ;
SELECT v2 , v2 , v1 FROM v0 JOIN v0 ON v1 = v2 ORDER BY v1 ;
DROP TABLE v0 ; , t2 , t3

When the engine is replaced with MyISAM, the crash does not happen.

Stack Trace:
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f7b05b34880 thread_stack 0x5fc00
/usr/local/mysql/bin/mariadbd(__interceptor_backtrace+0x5b)[0x781b5b]
mysys/stacktrace.c:215(my_print_stacktrace)[0x228cfae]
sql/signal_handler.cc:0(handle_fatal_signal)[0x12bd0d2]
sigaction.c:0(__restore_rt)[0x7f7b298cb420]
addr2line: DWARF error: section .debug_info is larger than its filesize! (0x93ef57 vs 0x530f28)
/lib/x86_64-linux-gnu/libc.so.6(memcpy+0x1b)[0x7f7b29573aeb]
/usr/local/mysql/bin/mariadbd(__asan_memcpy+0x2a8)[0x7c27b8]
sql/my_decimal.h:134(my_decimal::operator=(my_decimal const&))[0x16fda2f]
/usr/local/mysql/bin/mariadbd(_ZNK27Type_handler_decimal_result25make_packed_sort_key_partEPhP4ItemPK15SORT_FIELD_ATTRP6String+0x213)[0x12b9e83]
sql/filesort.cc:3012(make_packed_sortkey(Sort_param*, unsigned char*))[0x12b15cd]
sql/sql_sort.h:706(Sort_param::is_packed_format() const)[0x12ae16b]
sql/sql_select.cc:26909(create_sort_index(THD*, JOIN*, st_join_table*, Filesort*))[0xca6c82]
/usr/local/mysql/bin/mariadbd(_Z21join_init_read_recordP13st_join_table+0x2d5)[0xc41765]
sql/sql_select.cc:23501(sub_select(JOIN*, st_join_table*, bool))[0xbe6b87]
/usr/local/mysql/bin/mariadbd(_ZN4JOIN10exec_innerEv+0x2681)[0xc48751]
sql/sql_select.cc:4721(JOIN::exec())[0xc45f19]
sql/sql_select.cc:5251(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0xbe89b8]
sql/sql_select.cc:628(handle_select(THD*, LEX*, select_result*, unsigned long long))[0xbe7e59]
sql/sql_parse.cc:6041(execute_sqlcom_select(THD*, TABLE_LIST*))[0xb41bc6]
/usr/local/mysql/bin/mariadbd(_Z21mysql_execute_commandP3THDb+0x18b7)[0xb319a7]
sql/sql_class.h:2830(THD::enter_stage(PSI_stage_info_v1 const*, char const*, char const*, unsigned int))[0xb24c79]
/usr/local/mysql/bin/mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjb+0x2cf8)[0xb1e648]
sql/sql_parse.cc:1407(do_command(THD*, bool))[0xb25971]
sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0xf0d066]
sql/sql_connect.cc:1322(handle_one_connection)[0xf0caa9]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x19d710b]
nptl/pthread_create.c:478(start_thread)[0x7f7b298bf609]
addr2line: DWARF error: section .debug_info is larger than its filesize! (0x93ef57 vs 0x530f28)
/lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7f7b295d7133]



 Comments   
Comment by Alice Sherepa [ 2023-10-31 ]

Thanks! I reproduced it on 10.4-11.2, both with InnoDB and MyISAM:
non-debug

Version: '10.4.31-MariaDB'  
231031 15:02:51 [ERROR] mysqld got signal 11 ;
 
Server version: 10.4.31-MariaDB source revision: 2aea9387497cecb5668ef605b8f80886f9de812c
 
sql/signal_handler.cc:238(handle_fatal_signal)[0x5655256fd627]
sigaction.c:0(__restore_rt)[0x7fc36838c420]
sql/my_decimal.h:128(my_decimal::operator=(my_decimal const&))[0x5655258102b0]
sql/filesort.cc:1161(Type_handler_decimal_result::make_sort_key(unsigned char*, Item*, SORT_FIELD_ATTR const*, String*) const)[0x5655256fa39b]
sql/filesort.cc:1207(make_sortkey(Sort_param*, unsigned char*, unsigned char*))[0x5655256f98e9]
sql/filesort.cc:844(filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long))[0x5655256fc812]
sql/sql_select.cc:24202(create_sort_index(THD*, JOIN*, st_join_table*, Filesort*))[0x56552553faa7]
sql/sql_select.cc:21878(st_join_table::sort_table())[0x56552553fdc6]
sql/sql_select.cc:21815(join_init_read_record(st_join_table*))[0x56552553fe41]
sql/sql_select.cc:20887(sub_select(JOIN*, st_join_table*, bool))[0x565525533b89]
sql/sql_select.cc:20413(JOIN::exec_inner())[0x565525563687]
sql/sql_select.cc:4388(JOIN::exec())[0x565525563953]
sql/sql_select.cc:4828(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x5655255619f6]
sql/sql_select.cc:454(handle_select(THD*, LEX*, select_result*, unsigned long))[0x565525562577]
sql/sql_parse.cc:6474(execute_sqlcom_select(THD*, TABLE_LIST*))[0x5655253e5fa3]
sql/sql_parse.cc:3976(mysql_execute_command(THD*))[0x56552550545b]
sql/sql_parse.cc:8010(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x565525509e72]
sql/sql_parse.cc:1919(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x56552550cac2]
sql/sql_parse.cc:1379(do_command(THD*))[0x56552550dbe2]
sql/sql_connect.cc:1420(do_handle_one_connection(CONNECT*))[0x5655255f2602]
sql/sql_connect.cc:1326(handle_one_connection)[0x5655255f26ed]
nptl/pthread_create.c:478(start_thread)[0x7fc368380609]
 
Query (0x7fc2f8010300): SELECT * FROM v0 ORDER BY - v1 , v2 DESC , ( SELECT v1 AS v3 GROUP BY v2 LIMIT 8 OFFSET 24 ) ASC

CREATE TABLE t1 ( a decimal(10,0) NOT NULL PRIMARY KEY) ;
INSERT INTO t1 VALUES (1),(2),(3);
 
SELECT * FROM t1 ORDER BY  ( SELECT a LIMIT 8 OFFSET 24 ) ;

231031 15:24:45 [ERROR] mysqld got signal 11 ;
 
Server version: 10.5.23-MariaDB-debug-log source revision: b06ac9a8cd2146e89270cc2150d306d8ed1b33fb
 
sql/signal_handler.cc:241(handle_fatal_signal)[0x556690fa1dd8]
sigaction.c:0(__restore_rt)[0x7f8503bb4420]
sql/my_decimal.h:128(my_decimal::operator=(my_decimal const&))[0x556690d77a0f]
sql/my_decimal.h:342(my_decimal2decimal(my_decimal const*, my_decimal*))[0x556690d77c95]
sql/my_decimal.cc:206(my_decimal::to_binary(unsigned char*, int, int, unsigned int) const)[0x55669138dd1e]
sql/filesort.cc:1317(Type_handler_decimal_result::make_sort_key_part(unsigned char*, Item*, SORT_FIELD_ATTR const*, String*) const)[0x556690f90ff7]
sql/filesort.cc:3033(make_sortkey(Sort_param*, unsigned char*))[0x556690f9cc2b]
sql/filesort.cc:1348(make_sortkey(Sort_param*, unsigned char*, unsigned char*, bool))[0x556690f912c5]
sql/filesort.cc:966(find_all_keys(THD*, Sort_param*, SQL_SELECT*, SORT_INFO*, st_io_cache*, st_io_cache*, Bounded_queue<unsigned char, unsigned char>*, unsigned long long*))[0x556690f8e554]
sql/filesort.cc:352(filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long))[0x556690f8990f]
sql/sql_select.cc:24502(create_sort_index(THD*, JOIN*, st_join_table*, Filesort*))[0x5566908e01f1]
sql/sql_select.cc:22180(st_join_table::sort_table())[0x5566908ce90b]
sql/sql_select.cc:22119(join_init_read_record(st_join_table*))[0x5566908cde0c]
sql/sql_select.cc:21174(sub_select(JOIN*, st_join_table*, bool))[0x5566908c7436]
sql/sql_select.cc:20696(do_select(JOIN*, Procedure*))[0x5566908c5366]
sql/sql_select.cc:4602(JOIN::exec_inner())[0x55669084f9ba]
sql/sql_select.cc:4383(JOIN::exec())[0x55669084cfc4]
sql/sql_select.cc:4861(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x556690851409]
sql/sql_select.cc:450(handle_select(THD*, LEX*, select_result*, unsigned long))[0x5566908220bb]
sql/sql_parse.cc:6343(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55669078764d]
sql/sql_parse.cc:4020(mysql_execute_command(THD*))[0x5566907763b2]
sql/sql_parse.cc:8120(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5566907929bf]
sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5566907683ed]
sql/sql_parse.cc:1375(do_command(THD*))[0x556690764d55]
sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x556690bc39a3]
sql/sql_connect.cc:1320(handle_one_connection)[0x556690bc3307]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55669184fb02]
nptl/pthread_create.c:478(start_thread)[0x7f8503ba8609]
 
Query (0x62b0000852a8): SELECT * FROM t1 ORDER BY  ( SELECT a LIMIT 8 OFFSET 24 )

Fixed by commit 208ed0d8c6 (MDEV-32324).
