Bug #92461 handle_fatal_signal (sig=11) in __memmove_sse2_unaligned_erms in String::append
Submitted: 17 Sep 2018 10:44  Modified: 19 Sep 2018 5:26
Reporter: Roel Van de Paar
Status: Verified
Category: MySQL Server: DML
Severity: S6 (Debug Builds)
Version: 5.6.43
OS: Any
CPU Architecture: Any
Assigned to:

[17 Sep 2018 10:44] Roel Van de Paar
Description:
Core was generated by `/sda/MS300718-mysql-8.0.12-linux-x86_64-debug/bin/mysqld --no-defaults --core-f'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x7ff764226700 (LWP 19311))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x000055c221cb478d in my_write_core (sig=11) at /git/MS-8.0.12_dbg/mysys/stacktrace.cc:278
#2  0x000055c220a08d94 in handle_fatal_signal (sig=11) at /git/MS-8.0.12_dbg/sql/signal_handler.cc:249
#3  <signal handler called>
#4  __memmove_sse2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:249
#5  0x000055c2209f35bd in String::append (this=0x7ff7363cb930, s=...) at /git/MS-8.0.12_dbg/sql-common/sql_string.cc:457
#6  0x000055c220cb3dd4 in Item_func_concat::val_str (this=0x7ff7363cb858, str=0x7ff7363f31a8)
    at /git/MS-8.0.12_dbg/sql/item_strfunc.cc:963
#7  0x000055c220c019ac in Item_cache_str::cache_value (this=0x7ff7363f3090) at /git/MS-8.0.12_dbg/sql/item.cc:8731
#8  0x000055c220bffc26 in Item_cache::has_value (this=0x7ff7363f3090) at /git/MS-8.0.12_dbg/sql/item.cc:8297
#9  0x000055c220c01d9a in Item_cache_str::val_str (this=0x7ff7363f3090) at /git/MS-8.0.12_dbg/sql/item.cc:8783
#10 0x000055c220c0f3e1 in Arg_comparator::compare_e_binary_string (this=0x7ff7363f32a0)
    at /git/MS-8.0.12_dbg/sql/item_cmpfunc.cc:1524
#11 0x000055c220c231a6 in Arg_comparator::compare (this=0x7ff7363f32a0) at /git/MS-8.0.12_dbg/sql/item_cmpfunc.h:130
#12 0x000055c220c10682 in Arg_comparator::compare_e_row (this=0x7ff7363cc270) at /git/MS-8.0.12_dbg/sql/item_cmpfunc.cc:1800
#13 0x000055c220c231a6 in Arg_comparator::compare (this=0x7ff7363cc270) at /git/MS-8.0.12_dbg/sql/item_cmpfunc.h:130
#14 0x000055c220c117e8 in Item_func_equal::val_int (this=0x7ff7363cc198) at /git/MS-8.0.12_dbg/sql/item_cmpfunc.cc:2170
#15 0x000055c220bf9365 in Item::send (this=0x7ff7363cc198, protocol=0x7ff7361e91b8, buffer=0x7ff764223a50)
    at /git/MS-8.0.12_dbg/sql/item.cc:6514
#16 0x000055c2207ee9f4 in THD::send_result_set_row (this=0x7ff7361e8000, row_items=0x7ff7363c8200)
    at /git/MS-8.0.12_dbg/sql/sql_class.cc:2566
#17 0x000055c220d9875f in Query_result_send::send_data (this=0x7ff7363cc420, items=...)
    at /git/MS-8.0.12_dbg/sql/query_result.cc:98
#18 0x000055c220df03b3 in JOIN::exec (this=0x7ff7363f3430) at /git/MS-8.0.12_dbg/sql/sql_executor.cc:253
#19 0x000055c2208bda30 in Sql_cmd_dml::execute_inner (this=0x7ff7363cc3f0, thd=0x7ff7361e8000)
    at /git/MS-8.0.12_dbg/sql/sql_select.cc:651
#20 0x000055c2208bd4bd in Sql_cmd_dml::execute (this=0x7ff7363cc3f0, thd=0x7ff7361e8000)
    at /git/MS-8.0.12_dbg/sql/sql_select.cc:554
#21 0x000055c22085fa19 in mysql_execute_command (thd=0x7ff7361e8000, first_level=true) at /git/MS-8.0.12_dbg/sql/sql_parse.cc:4210
#22 0x000055c220861f94 in mysql_parse (thd=0x7ff7361e8000, parser_state=0x7ff764225330) at /git/MS-8.0.12_dbg/sql/sql_parse.cc:4925
#23 0x000055c220857aeb in dispatch_command (thd=0x7ff7361e8000, com_data=0x7ff764225c90, command=COM_QUERY)
    at /git/MS-8.0.12_dbg/sql/sql_parse.cc:1607
#24 0x000055c2208563c6 in do_command (thd=0x7ff7361e8000) at /git/MS-8.0.12_dbg/sql/sql_parse.cc:1232
#25 0x000055c2209f6678 in handle_connection (arg=0x7ff751ba4380)
    at /git/MS-8.0.12_dbg/sql/conn_handler/connection_handler_per_thread.cc:308
#26 0x000055c222365422 in pfs_spawn_thread (arg=0x7ff757be6e20) at /git/MS-8.0.12_dbg/storage/perfschema/pfs.cc:2836
#27 0x00007ff765c536db in start_thread (arg=0x7ff764226700) at pthread_create.c:463
#28 0x00007ff76434888f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

How to repeat:
# mysqld options required for replay: --log-bin --server-id=0 --sql_mode= --init-file=/home/roel/percona-qa/plugins_80.sql --binlog_format=STATEMENT;
CREATE DATABASE test;
USE test;
SELECT SUBSTRING(0,0);
select * FROM t0,t0 natural join t0 ORDER BY t0.i;
create table t0(a blob,b int)engine=innodb;
INSERT INTO t0 VALUES(0,0),(0,0),(0,0),(0,0),(0,0),(0,0);
insert into t0 values(0,0,0);
CREATE TABLE t0(B_ID INT KEY)ENGINE=none;
SELECT(SELECT CONCAT(a),0 FROM t0)<=>(SELECT CONCAT(a),0 FROM t0);
[17 Sep 2018 10:54] MySQL Verification Team
Hello Roel,

Thank you for the report and test case.
Observed that the 8.0.12 debug build is affected.

regards,
Umesh
[18 Sep 2018 11:07] Tor Didriksen
Posted by developer:
 
mtr testcase

SET sql_mode='NO_ZERO_IN_DATE';

CREATE TABLE t0(a blob,b int)engine=innodb;
INSERT INTO t0 VALUES(0,0),(0,0),(0,0),(0,0),(0,0),(0,0);

--error ER_SUBQUERY_NO_1_ROW
SELECT(SELECT CONCAT(a),0 FROM t0)<=>(SELECT CONCAT(a),0 FROM t0);

DROP TABLE t0;

SET sql_mode=default;
[18 Sep 2018 11:10] Tor Didriksen
Posted by developer:
 
Fixed in mysql-8.0.13-release

For repro in 8.0.12 use valgrind or clang/ASAN

* mysql-8.0.12-release

clang/ASAN

==25497==AddressSanitizer CHECK failed: /builddir/build/BUILD/compiler-rt-5.0.2.src/lib/asan/asan_descriptions.cc:82 "((0 && "Address is not in memory and not in shadow?")) != (0)" (0x0, 0x0)
    #0 0x235a235 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (runtime_output_directory/mysqld+0x235a235)
    #1 0x2376985 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (runtime_output_directory/mysqld+0x2376985)
    #2 0x22a2c0f in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) (runtime_output_directory/mysqld+0x22a2c0f)
    #3 0x22a500f in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) (runtime_output_directory/mysqld+0x22a500f)
    #4 0x23599dc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) (runtime_output_directory/mysqld+0x23599dc)
    #5 0x233aeb2 in __asan_memcpy (runtime_output_directory/mysqld+0x233aeb2)
    #6 0x2852731 in String::append(String const&) sql-common/sql_string.cc:457:5
    #7 0x2cdcc49 in Item_func_concat::val_str(String*) sql/item_strfunc.cc:963:19
    #8 0x2bc2ba7 in Item_cache_str::cache_value() sql/item.cc:8731:20
    #9 0x2bbedc2 in Item_cache::has_value() sql/item.cc:8297:23
    #10 0x2bc32ed in Item_cache_str::val_str(String*) sql/item.cc:8783:8
    #11 0x2bd6db5 in Arg_comparator::compare_e_binary_string() sql/item_cmpfunc.cc:1524:16
    #12 0x2bdcd34 in Arg_comparator::compare_e_row() sql/item_cmpfunc.cc:1800:25
    #13 0x2bdf0ac in Item_func_equal::val_int() sql/item_cmpfunc.cc:2170:14
    #14 0x2bb3ebd in Item::send(Protocol*, String*) sql/item.cc:6514:12
    #15 0x2522c18 in THD::send_result_set_row(List<Item>*) sql/sql_class.cc:2566:15
    #16 0x2e5dffa in Query_result_send::send_data(List<Item>&) sql/query_result.cc:98:12
    #17 0x2ee909f in JOIN::exec() sql/sql_executor.cc:253:41
    #18 0x2667685 in Sql_cmd_dml::execute_inner(THD*) sql/sql_select.cc:651:35
    #19 0x266701a in Sql_cmd_dml::execute(THD*) sql/sql_select.cc:554:7
    #20 0x25c3fe4 in mysql_execute_command(THD*, bool) sql/sql_parse.cc:4210:29
    #21 0x25c0780 in mysql_parse(THD*, Parser_state*) sql/sql_parse.cc:4925:19
    #22 0x25bc0f7 in dispatch_command(THD*, COM_DATA const*, enum_server_command) sql/sql_parse.cc:1607:7
    #23 0x25bee7d in do_command(THD*) sql/sql_parse.cc:1232:18
    #24 0x2857ac3 in handle_connection(void*) sql/conn_handler/connection_handler_per_thread.cc:308:13
    #25 0x520cbd8 in pfs_spawn_thread(void*) storage/perfschema/pfs.cc:2836:3
    #26 0x7fddc875050a in start_thread (/lib64/libpthread.so.0+0x750a)
    #27 0x7fddc6a5b38e in __GI___clone (/lib64/libc.so.6+0xf538e)

valgrind:
==25603== Thread 34:
==25603== Conditional jump or move depends on uninitialised value(s)
==25603==    at 0x2B78CB1: Item_field::val_str(String*) (item.cc:2580)
==25603==    by 0x2C379BC: Item_func_concat::val_str(String*) (item_strfunc.cc:947)
==25603==    by 0x2B8DAB9: Item_cache_str::cache_value() (item.cc:8731)
==25603==    by 0x2B8BED9: Item_cache::has_value() (item.cc:8297)
==25603==    by 0x2B8DE63: Item_cache_str::val_str(String*) (item.cc:8783)
==25603==    by 0x2B9AF74: Arg_comparator::compare_e_binary_string() (item_cmpfunc.cc:1524)
==25603==    by 0x2BADE87: Arg_comparator::compare() (item_cmpfunc.h:130)
==25603==    by 0x2B9C1B7: Arg_comparator::compare_e_row() (item_cmpfunc.cc:1800)
==25603==    by 0x2BADE87: Arg_comparator::compare() (item_cmpfunc.h:130)
==25603==    by 0x2B9D2F9: Item_func_equal::val_int() (item_cmpfunc.cc:2170)
==25603==    by 0x2B85B8C: Item::send(Protocol*, String*) (item.cc:6514)
==25603==    by 0x27B6AEE: THD::send_result_set_row(List<Item>*) (sql_class.cc:2566)
==25603==    by 0x2D102BB: Query_result_send::send_data(List<Item>&) (query_result.cc:98)
==25603==    by 0x2D62B81: JOIN::exec() (sql_executor.cc:253)
==25603==    by 0x2879F03: Sql_cmd_dml::execute_inner(THD*) (sql_select.cc:651)
==25603==    by 0x28799A5: Sql_cmd_dml::execute(THD*) (sql_select.cc:554)
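Triage note, added here and not part of the report or of the MySQL code base: gdb, clang/ASAN and valgrind print frames in three different layouts, so a small normaliser makes it easy to confirm that all three land on the same evaluation path (Item_func_concat::val_str called from Item_cache_str::cache_value while evaluating the row comparison). The script below parses abbreviated excerpts of the 8.0.12 traces from this report, buckets each trace by its first server-side frames, and lists the frames all three share; the regexes, the runtime-frame filter and the function names parse_frames, signature and shared_path are my own choices, not anything from the report.

```python
import re
# Abbreviated excerpts of the 8.0.12 traces posted in this report: gdb, clang/ASAN and valgrind.
GDB_8_0 = """\
#4  __memmove_sse2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:249
#5  0x000055c2209f35bd in String::append (this=0x7ff7363cb930, s=...) at /git/MS-8.0.12_dbg/sql-common/sql_string.cc:457
#6  0x000055c220cb3dd4 in Item_func_concat::val_str (this=0x7ff7363cb858, str=0x7ff7363f31a8)
    at /git/MS-8.0.12_dbg/sql/item_strfunc.cc:963
#7  0x000055c220c019ac in Item_cache_str::cache_value (this=0x7ff7363f3090) at /git/MS-8.0.12_dbg/sql/item.cc:8731
"""
ASAN_8_0 = """\
    #5 0x233aeb2 in __asan_memcpy (runtime_output_directory/mysqld+0x233aeb2)
    #6 0x2852731 in String::append(String const&) sql-common/sql_string.cc:457:5
    #7 0x2cdcc49 in Item_func_concat::val_str(String*) sql/item_strfunc.cc:963:19
    #8 0x2bc2ba7 in Item_cache_str::cache_value() sql/item.cc:8731:20
"""
VALGRIND_8_0 = """\
==25603== Conditional jump or move depends on uninitialised value(s)
==25603==    at 0x2B78CB1: Item_field::val_str(String*) (item.cc:2580)
==25603==    by 0x2C379BC: Item_func_concat::val_str(String*) (item_strfunc.cc:947)
==25603==    by 0x2B8DAB9: Item_cache_str::cache_value() (item.cc:8731)
"""
# One frame pattern per tool; group 1 is the function name, cut at its '(' or at whitespace.
FRAME_RES = [
    re.compile(r"^#\d+\s+(?:0x[0-9a-f]+ in )?([^\s(]+)"),           # gdb
    re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in ([^\s(]+)"),               # ASAN
    re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: ([^\s(]+)"),  # valgrind
]
LOC_RE = re.compile(r"([\w./+-]+\.(?:cc|cpp|c|h|S)):(\d+)")
# Frames belonging to the crash handler, the sanitizer or libc rather than to server logic.
RUNTIME_PREFIXES = ("__asan", "__sanitizer", "__mem", "__pthread", "my_write_core", "handle_fatal_signal")

def parse_frames(text):
    """Frames innermost-first as (function, source file, line); location is None if unknown."""
    text = re.sub(r"\n\s+at ", " at ", text)  # gdb wraps long frames onto a following 'at' line
    frames = []
    for line in text.splitlines():
        for frame_re in FRAME_RES:
            m = frame_re.match(line)
            if m:
                loc = LOC_RE.search(line, m.end())
                frames.append((m.group(1), loc.group(1) if loc else None, int(loc.group(2)) if loc else None))
                break
    return frames

def signature(text, depth=3):
    """Crash-bucket key: the first `depth` server-side functions, runtime frames skipped."""
    funcs = [f for f, _, _ in parse_frames(text) if not f.startswith(RUNTIME_PREFIXES)]
    return tuple(funcs[:depth])

def shared_path(*texts):
    """Functions every trace passes through, in the order of the first trace."""
    chains = [[f for f, _, _ in parse_frames(t)] for t in texts]
    common = set(chains[0]).intersection(*map(set, chains[1:]))
    return [f for f in chains[0] if f in common]
```

The gdb and ASAN signatures come out identical (both fire in String::append), while valgrind reports one frame deeper in Item_field::val_str, where the uninitialised value is first read; the shared path is the CONCAT evaluation inside the cached subquery row.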
[18 Sep 2018 11:15] Tor Didriksen
Posted by developer:
 
Failure in current head of 5.7

==25300== Thread 24:
==25300== Conditional jump or move depends on uninitialised value(s)
==25300==    at 0xF96E7B: Item_field::val_str(String*) (item.cc:2943)
==25300==    by 0x1407EC7: Item_func_concat::val_str(String*) (item_strfunc.cc:782)
==25300==    by 0xF60C33: Item::str_result(String*) (item.h:1602)
==25300==    by 0xFABA6B: Item_cache_str::cache_value() (item.cc:10192)
==25300==    by 0xFAA093: Item_cache::has_value() (item.cc:9656)
==25300==    by 0xFABD54: Item_cache_str::val_str(String*) (item.cc:10242)
==25300==    by 0xFBC6DC: Arg_comparator::compare_e_binary_string() (item_cmpfunc.cc:1732)
==25300==    by 0xFD131D: Arg_comparator::compare() (item_cmpfunc.h:92)
==25300==    by 0xFBD843: Arg_comparator::compare_e_row() (item_cmpfunc.cc:2082)
==25300==    by 0xFD131D: Arg_comparator::compare() (item_cmpfunc.h:92)
==25300==    by 0xFBEA6A: Item_func_equal::val_int() (item_cmpfunc.cc:2525)
==25300==    by 0xFA3DCD: Item::send(Protocol*, String*) (item.cc:7569)
==25300==    by 0x1520E3A: THD::send_result_set_row(List<Item>*) (sql_class.cc:4681)
==25300==    by 0x151B65D: Query_result_send::send_data(List<Item>&) (sql_class.cc:2721)
==25300==    by 0x1531E60: JOIN::exec() (sql_executor.cc:158)
==25300==    by 0x15CA150: handle_query(THD*, LEX*, Query_result*, unsigned long long, unsigned long long) (sql_select.cc:184)
==25300== Conditional jump or move depends on uninitialised value(s)
==25300==    at 0xF4E5E0: Field_blob::val_str(String*, String*) (field.cc:8320)
==25300==    by 0xF96ED6: Item_field::val_str(String*) (item.cc:2946)
==25300==    by 0x1407EC7: Item_func_concat::val_str(String*) (item_strfunc.cc:782)
==25300==    by 0xF60C33: Item::str_result(String*) (item.h:1602)
==25300==    by 0xFABA6B: Item_cache_str::cache_value() (item.cc:10192)
==25300==    by 0xFAA093: Item_cache::has_value() (item.cc:9656)
==25300==    by 0xFABD54: Item_cache_str::val_str(String*) (item.cc:10242)
==25300==    by 0xFBC6DC: Arg_comparator::compare_e_binary_string() (item_cmpfunc.cc:1732)
==25300==    by 0xFD131D: Arg_comparator::compare() (item_cmpfunc.h:92)
==25300==    by 0xFBD843: Arg_comparator::compare_e_row() (item_cmpfunc.cc:2082)
==25300==    by 0xFD131D: Arg_comparator::compare() (item_cmpfunc.h:92)
==25300==    by 0xFBEA6A: Item_func_equal::val_int() (item_cmpfunc.cc:2525)
==25300==    by 0xFA3DCD: Item::send(Protocol*, String*) (item.cc:7569)
==25300==    by 0x1520E3A: THD::send_result_set_row(List<Item>*) (sql_class.cc:4681)
==25300==    by 0x151B65D: Query_result_send::send_data(List<Item>&) (sql_class.cc:2721)
==25300==    by 0x1531E60: JOIN::exec() (sql_executor.cc:158)

==26309==AddressSanitizer CHECK failed: /builddir/build/BUILD/compiler-rt-5.0.2.src/lib/asan/asan_descriptions.cc:82 "((0 && "Address is not in memory and not in shadow?")) != (0)" (0x0, 0x0)
    #0 0xea9975 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (sql/mysqld+0xea9975)
    #1 0xec60c5 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (sql/mysqld+0xec60c5)
    #2 0xdf234f in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) (sql/mysqld+0xdf234f)
    #3 0xdf474f in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) (sql/mysqld+0xdf474f)
    #4 0xea911c in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) (sql/mysqld+0xea911c)
    #5 0xe8ac22 in __asan_memmove (sql/mysqld+0xe8ac22)
    #6 0x1c64f9d in String::copy(String const&) sql-common/sql_string.cc:250:3
    #7 0x103d7a8 in Item_cache_str::cache_value() sql/item.cc:10205:16
    #8 0x1039ba2 in Item_cache::has_value() sql/item.cc:9656:23
    #9 0x103dd3a in Item_cache_str::val_str(String*) sql/item.cc:10242:8
    #10 0x10572c5 in Arg_comparator::compare_e_binary_string() sql/item_cmpfunc.cc:1732:15
    #11 0x105d304 in Arg_comparator::compare_e_row() sql/item_cmpfunc.cc:2082:25
    #12 0x105f9b9 in Item_func_equal::val_int() sql/item_cmpfunc.cc:2525:14
    #13 0x102d71a in Item::send(Protocol*, String*) sql/item.cc:7569:9
    #14 0x19c3d98 in THD::send_result_set_row(List<Item>*) sql/sql_class.cc:4681:15
    #15 0x19c3a2e in Query_result_send::send_data(List<Item>&) sql/sql_class.cc:2721:12
    #16 0x19ebc00 in JOIN::exec() sql/sql_executor.cc:158:44
    #17 0x1af7523 in handle_query(THD*, LEX*, Query_result*, unsigned long long, unsigned long long) sql/sql_select.cc:184:21
    #18 0x1a6d5a3 in execute_sqlcom_select(THD*, TABLE_LIST*) sql/sql_parse.cc:5144:12
    #19 0x1a63a40 in mysql_execute_command(THD*, bool) sql/sql_parse.cc:2816:12
    #20 0x1a60784 in mysql_parse(THD*, Parser_state*) sql/sql_parse.cc:5570:20
    #21 0x1a5d3bd in dispatch_command(THD*, COM_DATA const*, enum_server_command) sql/sql_parse.cc:1484:5
    #22 0x1a5f1bb in do_command(THD*) sql/sql_parse.cc:1025:17
    #23 0x1c6a393 in handle_connection sql/conn_handler/connection_handler_per_thread.cc:300:13
    #24 0x276b130 in pfs_spawn_thread storage/perfschema/pfs.cc:2190:3
    #25 0x7f9a8e94250a in start_thread (/lib64/libpthread.so.0+0x750a)
    #26 0x7f9a8cc4d38e in __GI___clone (/lib64/libc.so.6+0xf538e)
[18 Sep 2018 11:23] Tor Didriksen
Posted by developer:
 
Valgrind for 5.6

==907== Thread 18:
==907== Conditional jump or move depends on uninitialised value(s)
==907==    at 0x6702D7: Item_field::val_str(String*) (item.cc:2717)
==907==    by 0x6E757F: Item_func_concat::val_str(String*) (item_strfunc.cc:711)
==907==    by 0x6634E1: Item::str_result(String*) (item.h:1200)
==907==    by 0x682887: Item_cache_str::cache_value() (item.cc:9061)
==907==    by 0x68AFA7: Item_cache::has_value() (item.h:4248)
==907==    by 0x682B70: Item_cache_str::val_str(String*) (item.cc:9111)
==907==    by 0x690ED8: Arg_comparator::compare_e_binary_string() (item_cmpfunc.cc:1437)
==907==    by 0x6A2CB1: Arg_comparator::compare() (item_cmpfunc.h:84)
==907==    by 0x69203F: Arg_comparator::compare_e_row() (item_cmpfunc.cc:1787)
==907==    by 0x6A2CB1: Arg_comparator::compare() (item_cmpfunc.h:84)
==907==    by 0x6931F6: Item_func_equal::val_int() (item_cmpfunc.cc:2214)
==907==    by 0x67BFD1: Item::send(Protocol*, String*) (item.cc:6911)
==907==    by 0x73614F: Protocol::send_result_set_row(List<Item>*) (protocol.cc:844)
==907==    by 0x7A43B0: select_send::send_data(List<Item>&) (sql_class.cc:2541)
==907==    by 0x7BA01B: JOIN::exec() (sql_executor.cc:151)
==907==    by 0x81A761: mysql_execute_select(THD*, st_select_lex*, bool) (sql_select.cc:1101)
==907== Conditional jump or move depends on uninitialised value(s)
==907==    at 0x91CCEE: Field_blob::val_str(String*, String*) (field.cc:7899)
==907==    by 0x670332: Item_field::val_str(String*) (item.cc:2720)
==907==    by 0x6E757F: Item_func_concat::val_str(String*) (item_strfunc.cc:711)
==907==    by 0x6634E1: Item::str_result(String*) (item.h:1200)
==907==    by 0x682887: Item_cache_str::cache_value() (item.cc:9061)
==907==    by 0x68AFA7: Item_cache::has_value() (item.h:4248)
==907==    by 0x682B70: Item_cache_str::val_str(String*) (item.cc:9111)
==907==    by 0x690ED8: Arg_comparator::compare_e_binary_string() (item_cmpfunc.cc:1437)
==907==    by 0x6A2CB1: Arg_comparator::compare() (item_cmpfunc.h:84)
==907==    by 0x69203F: Arg_comparator::compare_e_row() (item_cmpfunc.cc:1787)
==907==    by 0x6A2CB1: Arg_comparator::compare() (item_cmpfunc.h:84)
==907==    by 0x6931F6: Item_func_equal::val_int() (item_cmpfunc.cc:2214)
==907==    by 0x67BFD1: Item::send(Protocol*, String*) (item.cc:6911)
==907==    by 0x73614F: Protocol::send_result_set_row(List<Item>*) (protocol.cc:844)
==907==    by 0x7A43B0: select_send::send_data(List<Item>&) (sql_class.cc:2541)
==907==    by 0x7BA01B: JOIN::exec() (sql_executor.cc:151)
[19 Sep 2018 5:26] Roel Van de Paar
Please also see bug 92457