Bug #97810 MySQL crash when comparing with utf8mb4
Submitted: 27 Nov 2019 10:10 Modified: 7 Jan 2020 14:42
Reporter: Zongzhi Chen (OCA)
Status: Can't repeat
Category:MySQL Server Severity:S3 (Non-critical)
Version:8.0.* OS:Any
Assigned to: CPU Architecture:Any

[27 Nov 2019 10:10] Zongzhi Chen
Description:
The version is MySQL 8.0.13

and this is the stack trace from the crash (note the out-of-bounds source pointers passed into my_mb_wc_utf8_prototype at strings/mb_wc.h:115):

#0  0x00007fe0822009b1 in pthread_kill () from /lib64/libpthread.so.0
#1  0x0000000000eca56c in handle_fatal_signal (sig=11) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/signal_handler.cc:295
#2  <signal handler called>
#3  my_mb_wc_utf8_prototype<true, true> (e=0x7fda9ec0b8e0 <Address 0x7fda9ec0b8e0 out of bounds>, s=0x7fda9ec0b8ae <Address 0x7fda9ec0b8ae out of bounds>,
    pwc=<synthetic pointer>) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/strings/mb_wc.h:115
#4  my_mb_wc_utf8mb4 (e=0x7fda9ec0b8e0 <Address 0x7fda9ec0b8e0 out of bounds>, s=0x7fda9ec0b8ae <Address 0x7fda9ec0b8ae out of bounds>, pwc=<synthetic pointer>)
    at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/strings/mb_wc.h:211
#5  operator() (e=0x7fda9ec0b8e0 <Address 0x7fda9ec0b8e0 out of bounds>, s=0x7fda9ec0b8ae <Address 0x7fda9ec0b8ae out of bounds>, pwc=<synthetic pointer>,
    this=0x7fdb6ec4ec98) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/strings/mb_wc.h:85
#6  next_raw (this=0x7fdb6ec4ec30) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/strings/ctype-uca.cc:139
#7  next (this=0x7fdb6ec4ec30) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/strings/ctype-uca.cc:1644
#8  my_strnncoll_uca<uca_scanner_900<Mb_wc_utf8mb4, 1>, 1, Mb_wc_utf8mb4> (cs=<optimized out>, s=<optimized out>, slen=<optimized out>, t=<optimized out>,
    tlen=<optimized out>, t_is_prefix=<optimized out>, mb_wc=...) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/strings/ctype-uca.cc:1714
#9  0x0000000001021b9a in compare (this=<optimized out>) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/item_cmpfunc.h:133
#10 Item_func_eq::val_int (this=<optimized out>) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/item_cmpfunc.cc:2261
#11 0x0000000000ffb6f5 in Item::save_in_field_inner (this=0x7fdb25c1d608, field=0x7fdc92f55ab0, no_conversions=<optimized out>)
    at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/item.cc:6367
#12 0x00000000010189a5 in Item::save_in_field (this=0x7fdb25c1d608, field=0x7fdc92f55ab0, no_conversions=<optimized out>)
    at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/item.cc:6252
#13 0x0000000000d4aa3e in copy_funcs (param=param@entry=0x7fdac0d07c50, thd=0x7fdb2589c000, type=type@entry=CFT_ALL)
    at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/sql_executor.cc:678
#14 0x0000000000d4e2f0 in end_update (join=0x7fdb25c1ec18, qep_tab=0x7fdac0d07618, end_of_records=<optimized out>)
    at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/sql_executor.cc:5516
#15 0x0000000000d4c518 in evaluate_join_record (join=join@entry=0x7fdb25c1ec18, qep_tab=qep_tab@entry=0x7fdac0d07370)
    at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/sql_executor.cc:1878
#16 0x0000000000d55064 in sub_select (join=0x7fdb25c1ec18, qep_tab=0x7fdac0d07370, end_of_records=<optimized out>)
    at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/sql_executor.cc:1572
#17 0x0000000000d51dcd in do_select (join=0x7fdb25c1ec18) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/sql_executor.cc:1186
#18 JOIN::exec (this=this@entry=0x7fdb25c1ec18) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/sql_executor.cc:283
#19 0x00000000010cf25f in subselect_single_select_engine::exec (this=<optimized out>)
    at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/item_subselect.cc:3046
#20 0x00000000010cfa57 in Item_subselect::exec (this=0x7fdb2623ce78) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/item_subselect.cc:805
#21 0x00000000010ce965 in Item_in_subselect::val_bool (this=0x7fdb2623ce78) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/item_subselect.cc:1747
#22 0x000000000101b25d in Item_in_optimizer::val_int (this=0x7fdb25c1d168) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/item_cmpfunc.cc:2172
#23 0x0000000000d4c31b in evaluate_join_record (join=join@entry=0x7fdb25c1db78, qep_tab=qep_tab@entry=0x7fdb25c1e6c8)
    at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/sql_executor.cc:1741
#24 0x0000000000d55064 in sub_select (join=0x7fdb25c1db78, qep_tab=0x7fdb25c1e6c8, end_of_records=<optimized out>)
    at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/sql_executor.cc:1572
#25 0x0000000000d51dcd in do_select (join=0x7fdb25c1db78) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/sql_executor.cc:1186
#26 JOIN::exec (this=0x7fdb25c1db78) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/sql_executor.cc:283
#27 0x0000000000de4333 in Sql_cmd_dml::execute_inner (this=<optimized out>, thd=0x7fdb2589c000)
    at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/sql_select.cc:710
#28 0x0000000000def384 in Sql_cmd_dml::execute (this=0x7fdb25c1a220, thd=0x7fdb2589c000)
    at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/sql_select.cc:598
#29 0x0000000000d88f8e in mysql_execute_command (thd=thd@entry=0x7fdb2589c000, first_level=first_level@entry=true)
    at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/sql_parse.cc:4644
#30 0x0000000000d8e930 in mysql_parse (thd=thd@entry=0x7fdb2589c000, parser_state=parser_state@entry=0x7fdb6ec50bb0,
    force_primary_storage_engine=force_primary_storage_engine@entry=false) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/sql_parse.cc:5396
#31 0x0000000000d91f90 in dispatch_command (thd=thd@entry=0x7fdb2589c000, com_data=com_data@entry=0x7fdb6ec51360, command=COM_QUERY)
    at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/sql_parse.cc:1794
#32 0x0000000000d92a70 in do_command (thd=thd@entry=0x7fdb2589c000) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/sql_parse.cc:1288
#33 0x0000000000eba1a8 in handle_connection (arg=arg@entry=0x7fe070eae8c0)
    at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/sql/conn_handler/connection_handler_per_thread.cc:316
#34 0x00000000022f41e0 in pfs_spawn_thread (arg=0x7fe06dd70920) at /home/admin/28_20191105002214413_110335355_code/rpm_workspace/storage/perfschema/pfs.cc:2879
#35 0x00007fe0821fbe25 in start_thread () from /lib64/libpthread.so.0
#36 0x00007fe08067234d in clone () from /lib64/libc.so.6

mysql>  show variables like '%char%';
+--------------------------+----------------------------------------+
| Variable_name            | Value                                  |
+--------------------------+----------------------------------------+
| character_set_client     | latin1                                 |
| character_set_connection | latin1                                 |
| character_set_database   | utf8                                   |
| character_set_filesystem | binary                                 |
| character_set_results    | latin1                                 |
| character_set_server     | utf8                                   |
| character_set_system     | utf8                                   |
| character_sets_dir       | /u01/polardb80_current/share/charsets/ |
+--------------------------+----------------------------------------+

How to repeat:
can't repeat
[28 Nov 2019 13:09] MySQL Verification Team
Hello Mr. Zongzhi,

Thank you for your bug report.

First of all, so many crashing bugs were fixed between 8.0.13 and 8.0.18 that we cannot afford to hunt for old bugs.

Hence, please let us know how this behaves with 8.0.18.

Next, if you manage to reproduce this behaviour with 8.0.18, we would need a repeatable test case. You can obtain it by analysing the core dump in a debugger, where you can see the query itself.

Many thanks in advance.
[29 Dec 2019 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[24 Mar 9:58] WANG GUANGYOU
We found the same bug at Meituan. The crash is at the same site, my_mb_wc_utf8_prototype at strings/mb_wc.h:115, but here it is reached through fill_schema_processlist / Field_varstring::store / well_formed_copy_nchars rather than through a string comparison:

【INFO】 2025-03-24 17:25:23 - AddressSanitizer:DEADLYSIGNAL
【INFO】 2025-03-24 17:25:23 - =================================================================
【INFO】 2025-03-24 17:25:23 - ==13741==ERROR: AddressSanitizer: SEGV on unknown address 0x000099c0f794 (pc 0x000007007725 bp 0x7f6bd0df0a10 sp 0x7f6bd0df0a10 T55)
【INFO】 2025-03-24 17:25:23 - ==13741==The signal is caused by a READ memory access.
【INFO】 2025-03-24 17:25:23 -     #0 0x7007725 in my_mb_wc_utf8_prototype<true, false> /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/strings/mb_wc.h:115
【INFO】 2025-03-24 17:25:23 -     #1 0x7007725 in my_valid_mbcharlen_utf8mb3 /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/strings/ctype-utf8.cc:53
【INFO】 2025-03-24 17:25:23 -     #2 0x7010caf in my_well_formed_len_utf8mb3 /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/strings/ctype-utf8.cc:5689
【INFO】 2025-03-24 17:25:23 -     #3 0x3d04af6 in well_formed_copy_nchars(CHARSET_INFO const*, char*, unsigned long, CHARSET_INFO const*, char const*, unsigned long, unsigned long, char const**, char const**, char const**) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql-common/sql_string.cc:852
【INFO】 2025-03-24 17:25:23 -     #4 0x3fc14dd in field_well_formed_copy_nchars /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/field.cc:1465
【INFO】 2025-03-24 17:25:23 -     #5 0x3fe0b9d in Field_varstring::store(char const*, unsigned long, CHARSET_INFO const*) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/field.cc:6616
【INFO】 2025-03-24 17:25:23 -     #6 0x3a5e3b2 in Fill_process_list::operator()(THD*) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/sql_show.cc:3218
【INFO】 2025-03-24 17:25:23 -     #7 0x359897a in Do_THD::operator()(THD*) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/mysqld_thd_manager.cc:78
【INFO】 2025-03-24 17:25:24 -     #8 0x3598d23 in Do_THD std::for_each<THD**, Do_THD>(THD**, THD**, Do_THD) (/opt/meituan/pipeline-python3-workspace/sankuai/build/mysql/debug/bin/mysqld+0x3598d23)
【INFO】 2025-03-24 17:25:24 -     #9 0x35974bc in Global_THD_manager::do_for_partition_thd_copy_locked(Do_THD_Impl*, mysql_mutex_t*, bool) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/mysqld_thd_manager.cc:317
【INFO】 2025-03-24 17:25:24 -     #10 0x3597722 in Global_THD_manager::do_for_all_thd_copy(Do_THD_Impl*) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/mysqld_thd_manager.cc:293
【INFO】 2025-03-24 17:25:24 -     #11 0x3a3ffda in fill_schema_processlist /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/sql_show.cc:3330
【INFO】 2025-03-24 17:25:24 -     #12 0x3a3774a in do_fill_information_schema_table(THD*, Table_ref*, Item*) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/sql_show.cc:5582
【INFO】 2025-03-24 17:25:24 -     #13 0x408f1c5 in MaterializeInformationSchemaTableIterator::Init() /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/iterators/composite_iterators.cc:2226
【INFO】 2025-03-24 17:25:24 -     #14 0x348fb14 in FilterIterator::Init() /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/iterators/composite_iterators.h:83
【INFO】 2025-03-24 17:25:24 -     #15 0x408be69 in AggregateIterator::Init() /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/iterators/composite_iterators.cc:210
【INFO】 2025-03-24 17:25:24 -     #16 0x3b63948 in Query_expression::ExecuteIteratorQuery(THD*) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/sql_union.cc:1768
【INFO】 2025-03-24 17:25:24 -     #17 0x3b63f12 in Query_expression::execute(THD*) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/sql_union.cc:1828
【INFO】 2025-03-24 17:25:24 -     #18 0x3a03783 in Sql_cmd_dml::execute_inner(THD*) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/sql_select.cc:1030
【INFO】 2025-03-24 17:25:24 -     #19 0x3a1ede1 in Sql_cmd_dml::execute(THD*) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/sql_select.cc:795
【INFO】 2025-03-24 17:25:24 -     #20 0x3910cff in mysql_execute_command(THD*, bool) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/sql_parse.cc:5238
【INFO】 2025-03-24 17:25:24 -     #21 0x3914686 in dispatch_sql_command(THD*, Parser_state*, bool) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/sql_parse.cc:5924
【INFO】 2025-03-24 17:25:24 -     #22 0x3917743 in dispatch_command(THD*, COM_DATA const*, enum_server_command) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/sql_parse.cc:2244
【INFO】 2025-03-24 17:25:24 -     #23 0x391ba9c in do_command(THD*, tp_do_command_vars*) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/sql_parse.cc:1531
【INFO】 2025-03-24 17:25:24 -     #24 0x3d3f268 in handle_connection /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/conn_handler/connection_handler_per_thread.cc:341
【INFO】 2025-03-24 17:25:24 -     #25 0x6881152 in pfs_spawn_thread /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/storage/perfschema/pfs.cc:3043
【INFO】 2025-03-24 17:25:24 -     #26 0x7f6c0d119ea4 in start_thread (/lib64/libpthread.so.0+0x7ea4)
【INFO】 2025-03-24 17:25:24 -     #27 0x7f6c0b4d4b0c in clone (/lib64/libc.so.6+0xfeb0c)
【INFO】 2025-03-24 17:25:24 - AddressSanitizer can not provide additional info.
【INFO】 2025-03-24 17:25:24 - SUMMARY: AddressSanitizer: SEGV /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/strings/mb_wc.h:115 in my_mb_wc_utf8_prototype<true, false>
【INFO】 2025-03-24 17:25:24 - Thread T55 (connection) created by T0 here:
【INFO】 2025-03-24 17:25:24 -     #0 0x7f6c0d3865a5 in pthread_create (/lib64/libasan.so.6+0x585a5)
【INFO】 2025-03-24 17:25:24 -     #1 0x5c144ad in my_thread_create(my_thread_handle*, pthread_attr_t const*, void* (*)(void*), void*) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/mysys/my_thread.cc:80
【INFO】 2025-03-24 17:25:24 -     #2 0x6880fe5 in pfs_spawn_thread_vc(unsigned int, unsigned int, my_thread_handle*, pthread_attr_t const*, void* (*)(void*), void*) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/storage/perfschema/pfs.cc:3089
【INFO】 2025-03-24 17:25:24 -     #3 0x3d3dcf8 in inline_mysql_thread_create /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/include/mysql/psi/mysql_thread.h:139
【INFO】 2025-03-24 17:25:24 -     #4 0x3d3fe33 in Per_thread_connection_handler::add_connection(Channel_info*) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/conn_handler/connection_handler_per_thread.cc:505
【INFO】 2025-03-24 17:25:24 -     #5 0x3f87528 in Connection_handler_manager::process_new_connection(Channel_info*) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/conn_handler/connection_handler_manager.cc:299
【INFO】 2025-03-24 17:25:24 -     #6 0x3586b84 in Connection_acceptor<Mysqld_socket_listener>::connection_event_loop() (/opt/meituan/pipeline-python3-workspace/sankuai/build/mysql/debug/bin/mysqld+0x3586b84)
【INFO】 2025-03-24 17:25:24 -     #7 0x3582b18 in mysqld_main(int, char**) /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/mysqld.cc:8846
【INFO】 2025-03-24 17:25:24 -     #8 0x313073e in main /opt/meituan/pipeline-python3-workspace/sankuai/git/mysql/sql/main.cc:25
【INFO】 2025-03-24 17:25:24 -     #9 0x7f6c0b3f8554 in __libc_start_main (/lib64/libc.so.6+0x22554)
【INFO】 2025-03-24 17:25:24 - ==13741==ABORTING
【INFO】 2025-03-24 17:25:24 - safe_process[13740]: Child process: 13741, exit: 42
【INFO】 2025-03-24 17:25:24 - ----------SERVER LOG END-------------
【INFO】 2025-03-24 17:25:24 - mysqld was killed after it failed to properly shutdown