Bug #100073 Field_typed_array might result in server crash
Submitted: 2 Jul 2020 4:48 Modified: 2 Jul 2020 5:05
Reporter: Xiong Wang
Status: Verified
Category:MySQL Server: Optimizer Severity:S6 (Debug Builds)
Version:8.0.18 or higher, 8.0.20 OS:Any
Assigned to: CPU Architecture:Any

[2 Jul 2020 4:48] Xiong Wang
Description:
MySQL 8.0 has something wrong in how it deals with Field_typed_array. There is the following crash in the debug version.

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7f219c535700 (LWP 97628)]
0x00007f21ac745277 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00007f21ac745277 in raise () from /lib64/libc.so.6
#1  0x00007f21ac746968 in abort () from /lib64/libc.so.6
#2  0x00007f21ac73e096 in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007f21ac73e142 in __assert_fail () from /lib64/libc.so.6
#4  0x0000000004d92783 in temptable::Column::Column (this=0x7f20f0a68108,
    mysql_row=0x7f20f01015b8 "\377\377", mysql_table=..., mysql_field=...)
    at /flash/xwang/mysql-server/storage/temptable/src/column.cc:83
#5  0x0000000004d8ee92 in temptable::Allocator<temptable::Column, temptable::AllocationScheme::Exponential>::construct<temptable::Column, unsigned char const*&, TABLE&, Field&> (
    this=0x7f20f0145de8, mem=0x7f20f0a68108,
    args#0=@0x7f219c531b18: 0x7f20f01015b8 "\377\377", args#1=..., args#2=...)
    at /flash/xwang/mysql-server/storage/temptable/include/temptable/allocator.h:419
#6  0x0000000004d8e134 in std::allocator_traits<temptable::Allocator<temptable::Column, temptable::AllocationScheme::Exponential> >::_S_construct<temptable::Column, unsigned char const*&, TABLE&, Field&> (__a=..., __p=0x7f20f0a68108, __args#0=@0x7f219c531b18: 0x7f20f01015b8 "\377\377",
    __args#1=..., __args#2=...)
    at /opt/rh/devtoolset-7/root/usr/include/c++/7/bits/alloc_traits.h:243

If we SET internal_tmp_mem_storage_engine=memory; the stack instead shows:
[Switching to Thread 0x7f28f01ef700 (LWP 105655)]
0x00007f28ff74d277 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00007f28ff74d277 in raise () from /lib64/libc.so.6
#1  0x00007f28ff74e968 in abort () from /lib64/libc.so.6
#2  0x00007f28ff746096 in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007f28ff746142 in __assert_fail () from /lib64/libc.so.6
#4  0x00000000030e3ad6 in free_tmp_table (thd=0x7f2844000da0, entry=0x7f28440e0908)
    at /flash/xwang/mysql-server/sql/sql_tmp_table.cc:2316
#5  0x000000000305ac6f in QEP_TAB::cleanup (this=0x7f284410a978)
    at /flash/xwang/mysql-server/sql/sql_select.cc:3250
#6  0x0000000003055bb8 in JOIN::destroy (this=0x7f2844109dc8)
    at /flash/xwang/mysql-server/sql/sql_select.cc:1735
#7  0x00000000030f458a in SELECT_LEX::cleanup (this=0x7f28441085e8, thd=0x7f2844000da0,
    full=true) at /flash/xwang/mysql-server/sql/sql_union.cc:1460
#8  0x00000000030f3ddf in SELECT_LEX_UNIT::cleanup (this=0x7f2844107f28, thd=0x7f2844000da0,
    full=true) at /flash/xwang/mysql-server/sql/sql_union.cc:1264
#9  0x0000000002fdf51c in mysql_execute_command (thd=0x7f2844000da0, first_level=true)
    at /flash/xwang/mysql-server/sql/sql_parse.cc:4667
#10 0x0000000002fe12fe in mysql_parse (thd=0x7f2844000da0, parser_state=0x7f28f01edb30)
    at /flash/xwang/mysql-server/sql/sql_parse.cc:5306
#11 0x0000000002fd66d3 in dispatch_command (thd=0x7f2844000da0, com_data=0x7f28f01eebd0,
    command=COM_QUERY) at /flash/xwang/mysql-server/sql/sql_parse.cc:1776
#12 0x0000000002fd4c03 in do_command (thd=0x7f2844000da0)
    at /flash/xwang/mysql-server/sql/sql_parse.cc:1274
#13 0x0000000003197fa7 in handle_connection (arg=0x83a2450)
    at /flash/xwang/mysql-server/sql/conn_handler/connection_handler_per_thread.cc:302
#14 0x0000000004cbdb8e in pfs_spawn_thread (arg=0xa25ecf0)
    at /flash/xwang/mysql-server/storage/perfschema/pfs.cc:2854
#15 0x00007f29014dce25 in start_thread () from /lib64/libpthread.so.0
#16 0x00007f28ff814f1d in clone () from /lib64/libc.so.6

How to repeat:
SET SESSION debug="+d,show_hidden_columns";
CREATE TABLE t1(j json, INDEX mv_idx((CAST(j AS UNSIGNED ARRAY))));
SHOW CREATE TABLE t1;
SELECT 680963a1f6dcb151c3e713b46b4c3452 FROM t1 GROUP BY 1; # Here, replace 680963a1f6dcb151c3e713b46b4c3452 with the correct invisible column name

Suggested fix:
Internal temporary tables use shared->mem_root rather than TABLE->mem_root. It seems Field_typed_array::init doesn't follow this rule.
[2 Jul 2020 5:05] MySQL Verification Team
Hello Xiong Wang,

Thank you for the report and feedback.
Observed that 8.0.20 debug build is affected.

regards,
Umesh