[MDEV-33234] Server crashes in rpl_slave_state_tostring_helper upon BINLOG_GTID_POS Created: 2024-01-13  Updated: 2024-01-13

Status: Open
Project: MariaDB Server
Component/s: Replication
Affects Version/s: 10.4, 10.5
Fix Version/s: 10.4, 10.5

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Andrei Elkin
Resolution: Unresolved Votes: 0
Labels: not-10.6+


Description

Notes:

  • The use of a variable is not important in the test case, it is there to avoid hardcoded position values since they may be different for at least different major versions.
  • DROP TABLE also isn't important, there should just be something written to the binary log.

--source include/have_log_bin.inc
 
DROP TABLE IF EXISTS t;
SELECT VARIABLE_VALUE INTO @pos FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'Binlog_snapshot_position';
SELECT '0-1-1' IN (BINLOG_GTID_POS('master-bin.000001',@pos), '0-2-2');

10.4 87a5d16911bb94d383480fdd49e20876ed1400f2

#3  <signal handler called>
#4  0x0000560b8f08125f in Charset::mbminlen (this=0x62b00003a338) at /data/bld/10.4-asan/sql/sql_string.h:144
#5  0x0000560b8f07d8af in String::append (this=0x62b00003a338, s=0x560b9105d5c0 "-", size=1) at /data/bld/10.4-asan/sql/sql_string.cc:543
#6  0x0000560b8f36a5df in rpl_slave_state_tostring_helper (dest=0x62b00003a338, gtid=0x603000016ab8, first=0x7f72fa3f8710) at /data/bld/10.4-asan/sql/rpl_gtid.cc:1074
#7  0x0000560b8f372181 in slave_connection_state::append_to_string (this=0x7f72fa3f87e0, out_str=0x62b00003a338) at /data/bld/10.4-asan/sql/rpl_gtid.cc:2481
#8  0x0000560b8f372096 in slave_connection_state::to_string (this=0x7f72fa3f87e0, out_str=0x62b00003a338) at /data/bld/10.4-asan/sql/rpl_gtid.cc:2467
#9  0x0000560b8eed705b in gtid_state_from_binlog_pos (in_name=0x603000016a28 "master-bin.000001", pos=488, out_str=0x62b00003a338) at /data/bld/10.4-asan/sql/sql_repl.cc:1661
#10 0x0000560b8f7eba3d in Item_func_binlog_gtid_pos::val_str (this=0x62b000038b78, str=0x62b00003a338) at /data/bld/10.4-asan/sql/item_strfunc.cc:3244
#11 0x0000560b8f6d58ef in in_string::set (this=0x62b00003a290, pos=0, item=0x62b000038b78) at /data/bld/10.4-asan/sql/item_cmpfunc.cc:3699
#12 0x0000560b8f6dcbb7 in Item_func_in::fix_in_vector (this=0x62b000038d60) at /data/bld/10.4-asan/sql/item_cmpfunc.cc:4453
#13 0x0000560b8f3e78f8 in Item_func_in::fix_for_scalar_comparison_using_bisection (this=0x62b000038d60, thd=0x62b000069208) at /data/bld/10.4-asan/sql/item_cmpfunc.h:2401
#14 0x0000560b8f3bd47b in Type_handler_string_result::Item_func_in_fix_comparator_compatible_types (this=0x560b9202e1e0 <type_handler_long_blob>, thd=0x62b000069208, func=0x62b000038d60) at /data/bld/10.4-asan/sql/sql_type.cc:5413
#15 0x0000560b8f6dc773 in Item_func_in::fix_length_and_dec (this=0x62b000038d60) at /data/bld/10.4-asan/sql/item_cmpfunc.cc:4420
#16 0x0000560b8f743cb9 in Item_func::fix_fields (this=0x62b000038d60, thd=0x62b000069208, ref=0x62b000038f00) at /data/bld/10.4-asan/sql/item_func.cc:389
#17 0x0000560b8f6dbda3 in Item_func_in::fix_fields (this=0x62b000038d60, thd=0x62b000069208, ref=0x62b000038f00) at /data/bld/10.4-asan/sql/item_cmpfunc.cc:4345
#18 0x0000560b8ebaadaf in Item::fix_fields_if_needed (this=0x62b000038d60, thd=0x62b000069208, ref=0x62b000038f00) at /data/bld/10.4-asan/sql/item.h:967
#19 0x0000560b8ebaade5 in Item::fix_fields_if_needed_for_scalar (this=0x62b000038d60, thd=0x62b000069208, ref=0x62b000038f00) at /data/bld/10.4-asan/sql/item.h:971
#20 0x0000560b8ecd152b in setup_fields (thd=0x62b000069208, ref_pointer_array=..., fields=..., column_usage=MARK_COLUMNS_READ, sum_func_list=0x62b000039c28, pre_fix=0x62b000038498, allow_sum_func=true) at /data/bld/10.4-asan/sql/sql_base.cc:7749
#21 0x0000560b8eef9675 in JOIN::prepare (this=0x62b000039908, tables_init=0x0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x62b000038320, unit_arg=0x62b00006d130) at /data/bld/10.4-asan/sql/sql_select.cc:1350
#22 0x0000560b8ef1f0ca in mysql_select (thd=0x62b000069208, tables=0x0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x62b0000398d8, unit=0x62b00006d130, select_lex=0x62b000038320) at /data/bld/10.4-asan/sql/sql_select.cc:4809
#23 0x0000560b8eeefe11 in handle_select (thd=0x62b000069208, lex=0x62b00006d070, result=0x62b0000398d8, setup_tables_done_option=0) at /data/bld/10.4-asan/sql/sql_select.cc:442
#24 0x0000560b8ee5a704 in execute_sqlcom_select (thd=0x62b000069208, all_tables=0x0) at /data/bld/10.4-asan/sql/sql_parse.cc:6523
#25 0x0000560b8ee47aca in mysql_execute_command (thd=0x62b000069208) at /data/bld/10.4-asan/sql/sql_parse.cc:3980
#26 0x0000560b8ee639f3 in mysql_parse (thd=0x62b000069208, rawbuf=0x62b000038228 "SELECT '0-1-1' IN (BINLOG_GTID_POS('master-bin.000001',@pos), '0-2-2')", length=70, parser_state=0x7f72fa3fbc60, is_com_multi=false, is_next_command=false) at /data/bld/10.4-asan/sql/sql_parse.cc:8062
#27 0x0000560b8ee39a4e in dispatch_command (command=COM_QUERY, thd=0x62b000069208, packet=0x62900021c209 "SELECT '0-1-1' IN (BINLOG_GTID_POS('master-bin.000001',@pos), '0-2-2')", packet_length=70, is_com_multi=false, is_next_command=false) at /data/bld/10.4-asan/sql/sql_parse.cc:1857
#28 0x0000560b8ee365bd in do_command (thd=0x62b000069208) at /data/bld/10.4-asan/sql/sql_parse.cc:1378
#29 0x0000560b8f23d135 in do_handle_one_connection (connect=0x6080000009a8) at /data/bld/10.4-asan/sql/sql_connect.cc:1419
#30 0x0000560b8f23ca4c in handle_one_connection (arg=0x6080000009a8) at /data/bld/10.4-asan/sql/sql_connect.cc:1323
#31 0x0000560b8fea1992 in pfs_spawn_thread (arg=0x615000003788) at /data/bld/10.4-asan/storage/perfschema/pfs.cc:1869
#32 0x00007f7303ea8044 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#33 0x00007f7303f2861c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Reproducible on 10.4-10.5, debug and release, with a slight difference in the stack trace.
Not reproducible on 10.6+.



Comments
Comment by Kristian Nielsen [ 2024-01-13 ]

This patch fixes the crash:

diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index 093e38c00c9..224a655b6fb 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -3222,6 +3222,7 @@ String *Item_func_binlog_gtid_pos::val_str(String *str)
   if (pos < 0 || pos > UINT_MAX32)
     goto err;
 
+  str->set_charset(&my_charset_bin);
   if (gtid_state_from_binlog_pos(name->c_ptr_safe(), (uint32)pos, str))
     goto err;
   null_value= 0;
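Review bot: the added str->set_charset(&my_charset_bin) line carries no comment explaining why the binary charset is the right choice for the GTID position string, and the comment below says that choice is itself uncertain. A one-line comment at that spot, or setting the charset where the String is actually populated (inside gtid_state_from_binlog_pos(), which also appends through rpl_slave_state_tostring_helper()), would document the intent and cover any other caller that hands in a String whose charset was never initialized. Note also that the new line sits after the `goto err` range check, so the err path still returns a String whose charset is whatever it was on entry.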

The String class has a non-default constructor (or rather the base class Charset has) which initializes the charset. But from a quick look in gdb, the String object here is allocated with calloc(), without calling the constructor. Not sure that is valid in C++? In any case, that's why we get the crash, the charset is NULL.

Not sure if the patch is the correct fix. A number of other functions in item_strfunc.cc also initialize the charset. But what is the correct charset to return? Maybe it's fine with binary, like this.

Wondering if there's a deeper bug that the String object constructor is not called? I believe this is unrelated to using BINLOG_GTID_POS() or not. At least I would expect to see a prominent comment on the class that it needs to be possible to zero-initialize without calling constructors, so nobody by accident modifies the class to break this.

There might also be a similar bug for other string functions? But maybe it makes sense that the function that returns the string should also set the character set for it.
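As an added illustration of the mechanism the comment above describes (not code from the report or from MariaDB): a cut-down stand-in for the Charset/String pair, showing how a calloc-allocated object skips the constructor and leaves the charset pointer null, how the patch's set_charset() call avoids the dereference, and how placement new would fix the object at construction instead. The class names, fields and the fixed-size buffer are simplified assumptions, not the server's layout.

```cpp
#include <cstdlib>
#include <cstring>
#include <new>

// Cut-down stand-in for CHARSET_INFO: only the field the crashing frame read.
struct CharsetInfo { unsigned mbminlen; const char *name; };
static const CharsetInfo kBinary{1, "binary"};

// Assumed simplification of the server's Charset base class: its constructor
// installs a valid charset, so a properly constructed object never has NULL here.
class Charset {
 public:
  Charset() : m_charset(&kBinary) {}
  void set_charset(const CharsetInfo *cs) { m_charset = cs; }
  const CharsetInfo *charset() const { return m_charset; }
  unsigned mbminlen() const { return m_charset->mbminlen; }  // the faulting dereference
 protected:
  const CharsetInfo *m_charset;
};

// Assumed simplification of String. append() detects the "constructor never
// ran" state and reports it instead of dereferencing a null pointer.
class Str : public Charset {
 public:
  Str() : m_len(0) { m_buf[0] = '\0'; }
  bool append(const char *s, size_t n) {
    if (charset() == nullptr || mbminlen() == 0) return false;
    if (m_len + n >= sizeof(m_buf)) return false;
    memcpy(m_buf + m_len, s, n);
    m_len += n;
    m_buf[m_len] = '\0';
    return true;
  }
  const char *c_str() const { return m_buf; }
 private:
  char m_buf[64];
  size_t m_len;
};

// The allocation the comment describes: calloc, no constructor call, so every
// field is zero, including the charset pointer. Technically undefined behaviour
// in C++, which is exactly the concern the comment raises.
Str *calloc_str_without_ctor() { return static_cast<Str *>(calloc(1, sizeof(Str))); }

// The patch's remedy: set the charset before the first append.
bool append_after_patch(Str *s) {
  s->set_charset(&kBinary);
  return s->append("0-1-1", 5) && s->append("-", 1);
}

// The deeper remedy hinted at in the comment: run the constructor on the zeroed
// memory with placement new, so the charset is valid from the start.
Str *construct_in_place(void *mem) { return new (mem) Str(); }
```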
