Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Segmentation fault (core dumped) #6081

Closed
monetdb-team opened this issue Nov 30, 2020 · 0 comments
Closed

Segmentation fault (core dumped) #6081

monetdb-team opened this issue Nov 30, 2020 · 0 comments
Labels
bug Something isn't working normal SQL

Comments

@monetdb-team
Copy link

Date: 2016-10-20 11:40:47 +0200
From: Bo Tang <>
To: SQL devs <>
Version: 11.23.13 (Jun2016-SP2)
CC: @drstmane

Last updated: 2017-03-03 10:24:55 +0100

Comment 24558

Date: 2016-10-20 11:40:47 +0200
From: Bo Tang <>

Created attachment 484
debug query

sqlsmith triggered the following assertion:

Segmentation fault (core dumped)

I re-run the attached query with mclient manually, it returned:

TypeException:user.update[1048]:'calc.==' undefined in: calc.==(X_1442:str,X_1444:int);

Attached file: bug-6.sql (application/sql, 8433 bytes)
Description: debug query

Comment 24560

Date: 2016-10-20 12:38:03 +0200
From: @drstmane

With Jun2016, I see no segfault or assertion (server keeps running), "just" an error:
"TypeException:user.main[1023]:'calc.==' undefined in: calc.==(X_26871:str,X_26873:int);"

And the server reports
"
WARNING To speedup calc.== a bulk operator implementation is needed
X_26473:bat[:bit] := mal.multiplex("calc":str,"==":str,X_26471:bat[:str],X_26472:bat[:int]);
WARNING To speedup calc.== a bulk operator implementation is needed
X_26485:bat[:bit] := mal.multiplex("calc":str,"==":str,X_26482:bat[:bit],X_26484:bat[:int]);
"

Comment 24561

Date: 2016-10-20 12:39:41 +0200
From: @drstmane

correction:
I used the Dec2016 branch (changeset 8733d8f211a8), not the Jun2016 branch.

Comment 24565

Date: 2016-10-20 14:49:12 +0200
From: @drstmane

While not occurring with the default and Dec2016 branches,
the segfault indeed occurs with the Jun2016 branch:

WARNING To speedup calc.== a bulk operator implementation is needed
X_1137:bat[:bit] := mal.multiplex("calc":str,"==":str,X_1135:bat[:str],X_1136:bat[:int]);
WARNING To speedup calc.== a bulk operator implementation is needed
X_1142:bat[:bit] := mal.multiplex("calc":str,"==":str,X_1140:bat[:bit],X_1141:bat[:int]);

Thread 5 "mserver5" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffc0930700 (LWP 17487)]
0x00007fffe8177c87 in sa_reset (sa=0x7fff00000000) at /ufs/manegold//Monet/HG/Jun2016/source/MonetDB/sql/common/sql_mem.c:65
65 for (i = 1; inr; i++) {
Missing separate debuginfos, use: dnf debuginfo-install R-core-3.3.1-2.fc24.x86_64 SuperLU-5.2.0-1.fc24.x86_64 armadillo-7.300.1-1.fc24.x86_64 arpack-3.3.0-2.b0f7a60git.fc24.x86_64 atlas-3.10.2-12.fc24.x86_64 blas-3.6.1-1.fc24.x86_64 boost-atomic-1.60.0-7.fc24.x86_64 boost-chrono-1.60.0-7.fc24.x86_64 boost-date-time-1.60.0-7.fc24.x86_64 boost-filesystem-1.60.0-7.fc24.x86_64 boost-iostreams-1.60.0-7.fc24.x86_64 boost-program-options-1.60.0-7.fc24.x86_64 boost-regex-1.60.0-7.fc24.x86_64 boost-system-1.60.0-7.fc24.x86_64 boost-thread-1.60.0-7.fc24.x86_64 bzip2-libs-1.0.6-20.fc24.x86_64 cfitsio-3.370-6.fc24.x86_64 cyrus-sasl-lib-2.1.26-26.2.fc24.x86_64 expat-2.1.1-2.fc24.x86_64 fontconfig-2.11.94-7.fc24.x86_64 freetype-2.6.3-2.fc24.x86_64 freexl-1.0.2-3.fc24.x86_64 gdal-libs-2.0.2-6.fc24.x86_64 geos-3.5.0-1.fc24.x86_64 giflib-4.1.6-15.fc24.x86_64 gsl-2.1-4.fc24.x86_64 hdf5-1.8.16-3.fc24.x86_64 jasper-libs-1.900.1-34.fc24.x86_64 jbigkit-libs-2.1-5.fc24.x86_64 keyutils-libs-1.5.9-8.fc24.x86_64 krb5-libs-1.14.4-4.fc24.x86_64 lapack-3.6.1-1.fc24.x86_64 laszip-2.2.0-6.fc24.x86_64 lcms2-2.8-2.fc24.x86_64 libICE-1.0.9-5.fc24.x86_64 libSM-1.2.2-4.fc24.x86_64 libX11-1.6.3-3.fc24.x86_64 libXau-1.0.8-6.fc24.x86_64 libatomic_ops-7.4.2-9.fc24.x86_64 libcom_err-1.42.13-4.fc24.x86_64 libcurl-7.47.1-8.fc24.x86_64 libdap-3.17.2-1.fc24.x86_64 libgcc-6.2.1-2.fc24.x86_64 libgeotiff-1.4.0-7.fc24.x86_64 libgfortran-6.2.1-2.fc24.x86_64 libgomp-6.2.1-2.fc24.x86_64 libgta-1.0.7-3.fc24.x86_64 libicu-56.1-4.fc24.x86_64 libidn-1.33-1.fc24.x86_64 libjpeg-turbo-1.5.0-4.fc24.x86_64 liblas-1.8.0-13.fc24.x86_64 libnghttp2-1.7.1-1.fc24.x86_64 libpng-1.6.23-1.fc24.x86_64 libpsl-0.13.0-2.fc24.x86_64 libquadmath-6.2.1-2.fc24.x86_64 libselinux-2.5-9.fc24.x86_64 libspatialite-4.3.0a-2.fc24.x86_64 libssh2-1.7.0-5.fc24.x86_64 libstdc++-6.2.1-2.fc24.x86_64 libtiff-4.0.6-2.fc24.x86_64 libtool-ltdl-2.4.6-12.fc24.x86_64 libunistring-0.9.4-3.fc24.x86_64 libuuid-2.28.2-1.fc24.x86_64 libwebp-0.5.1-1.fc24.x86_64 libxcb-1.11.1-2.fc24.x86_64 libxml2-2.9.3-3.fc24.x86_64 mariadb-libs-10.1.18-1.fc24.x86_64 ncurses-libs-6.0-6.20160709.fc24.x86_64 netcdf-4.4.0-3.fc24.x86_64 nspr-4.13.0-1.fc24.x86_64 nss-3.27.0-1.1.fc24.x86_64 nss-softokn-freebl-3.27.0-1.0.fc24.x86_64 nss-util-3.27.0-1.0.fc24.x86_64 ogdi-3.2.0-0.26.beta2.fc24.x86_64 openblas-openmp-0.2.18-5.fc24.x86_64 openjpeg2-2.1.2-1.fc24.x86_64 openldap-2.4.44-1.fc24.x86_64 openssl-libs-1.0.2j-1.fc24.x86_64 pcre-8.39-3.fc24.x86_64 poppler-0.41.0-3.fc24.x86_64 postgresql-libs-9.5.4-1.fc24.x86_64 proj-4.9.2-2.fc24.x86_64 readline-6.3-8.fc24.x86_64 sqlite-libs-3.13.0-1.fc24.x86_64 tre-0.8.0-16.20140228gitc2f5d13.fc24.x86_64 unixODBC-2.3.4-2.fc24.x86_64 xerces-c-3.1.4-1.fc24.x86_64 xz-libs-5.2.2-2.fc24.x86_64 zlib-1.2.8-10.fc24.x86_64
(gdb) bt
0 0x00007fffe8177c87 in sa_reset (sa=0x7fff00000000) at /ufs/manegold/
/Monet/HG/Jun2016/source/MonetDB/sql/common/sql_mem.c:65
1 0x00007fffe7fe80c8 in sqlcleanup (c=0x7fffb8010c40, err=0) at /ufs/manegold//Monet/HG/Jun2016/source/MonetDB/sql/backends/monet5/sql.c:172
2 0x00007fffe800f221 in SQLparser (c=0x7fffe9db2330) at /ufs/manegold/
/Monet/HG/Jun2016/source/MonetDB/sql/backends/monet5/sql_scenario.c:1326
3 0x00007ffff797d85a in runPhase (c=0x7fffe9db2330, phase=1) at /ufs/manegold//Monet/HG/Jun2016/source/MonetDB/monetdb5/mal/mal_scenario.c:531
4 0x00007ffff797da01 in runScenarioBody (c=0x7fffe9db2330) at /ufs/manegold/
/Monet/HG/Jun2016/source/MonetDB/monetdb5/mal/mal_scenario.c:566
5 0x00007ffff797dbac in runScenario (c=0x7fffe9db2330) at /ufs/manegold//Monet/HG/Jun2016/source/MonetDB/monetdb5/mal/mal_scenario.c:595
6 0x00007ffff797f738 in MSserveClient (dummy=0x7fffe9db2330) at /ufs/manegold/
/Monet/HG/Jun2016/source/MonetDB/monetdb5/mal/mal_session.c:457
7 0x00007ffff797f18c in MSscheduleClient (command=0x7fffb80008d0 "\340`\f\270\377\177", challenge=0x7fffc092fd70 "noo75rWC", fin=0x7fffb8002980, fout=0x7fffb4002b60) at /ufs/manegold//Monet/HG/Jun2016/source/MonetDB/monetdb5/mal/mal_session.c:342
8 0x00007ffff7a39dd5 in doChallenge (data=0x7fffb40008d0) at /ufs/manegold/
/Monet/HG/Jun2016/source/MonetDB/monetdb5/modules/mal/mal_mapi.c:205
9 0x00007ffff739475f in thread_starter (arg=0x7fffb4004c50) at /ufs/manegold/_/Monet/HG/Jun2016/source/MonetDB/gdk/gdk_system.c:485
10 0x00007ffff48f25ca in start_thread () from /lib64/libpthread.so.0
11 0x00007ffff462bf6d in clone () from /lib64/libc.so.6
(gdb) li
60
61 sql_allocator *sa_reset( sql_allocator sa )
62 {
63 size_t i ;
64
65 for (i = 1; inr; i++) {
66 DELETE(sa->blks[i]);
67 }
68 sa->nr = 1;
69 sa->used = 0;
(gdb) p sa
$1 = (sql_allocator *) 0x7fff00000000
(gdb) p *sa
Cannot access memory at address 0x7fff00000000
(gdb) p i
$2 = 1
(gdb) up
1 0x00007fffe7fe80c8 in sqlcleanup (c=0x7fffb8010c40, err=0) at /ufs/manegold/
/Monet/HG/Jun2016/source/MonetDB/sql/backends/monet5/sql.c:172
172 c->sa = sa_reset(c->sa);
(gdb) li
167 c->emod = 0;
168 }
169 /
some statements dynamically disable caching */
170 c->sym = NULL;
171 if (c->sa)
172 c->sa = sa_reset(c->sa);
173 if (err >0)
174 c->session->status = -err;
175 if (err <0)
176 c->session->status = err;
(gdb) p c
$3 = (mvc *) 0x7fffb8010c40
(gdb) p *c
$4 = {errstr = '\000' <repeats 20 times>, "\005", '\000' <repeats 31 times>, "\005", '\000' <repeats 31 times>, "\005", '\000' <repeats 31 times>, "\005", '\000' <repeats 31 times>, "\005", '\000' <repeats 31 times>, "\005", '\000' <repeats 31 times>..., sa = 0x7fff00000000, qc = 0x7fffb8003a50, clientid = 0, scanner = {rs = 0x7fffb8002980, ws = 0x7fff00000000, log = 0x0, yynext = 0, yylast = 5, yysval = 8431,
yyval = 385, yycur = 0, yybak = 0 '\000', as = 0, key = 0, started = 0, mode = (LINE_N | unknown: 4), schema = 0x0, errstr = 0x0}, params = 0x0, forward = 0x500000000, vars = 0x7fffb80008d0, topvars = 0, sizevars = 32, frame = 1, use_views = 0, args = 0x500000000, argc = 0, argmax = 32, sym = 0x0, no_mitosis = 0, user_id = 3, role_id = 0, last_id = -1, rowcnt = -4294967296, timezone = 7200000, cache = 100,
caching = 0, history = 5, reply_size = -1, sizeheader = 0, debug = 0, emode = 0 '\000', emod = 0 '\000', session = 0x7fffb8003bb0, type = 0, pushdown = 5, label = 75, cascade_action = 0x0, opt_stats = {0, 0, 0, 5, 0, 0, 0, 0}, result_id = 0, results = 0x500000000}
(gdb)

Comment 24568

Date: 2016-10-20 15:27:11 +0200
From: @sjoerdmullender

valgrind gives some worrying errors in the Jun2016 branch. It looks like freeVariables() accesses data beyond the end of the array. glb->stk isn't as long as mb->vtop expects.

Comment 24573

Date: 2016-10-21 11:28:33 +0200
From: Bo Tang <>

Created attachment 485
another query for segmentation fault

Attached file: bug-7.sql (application/sql, 137 bytes)
Description: another query for segmentation fault

Comment 24574

Date: 2016-10-21 11:31:40 +0200
From: Bo Tang <>

For the later query, gdb backtrace shows:

0 0x00007ffff5d9b090 in __write_nocancel () from /lib64/libc.so.6
1 0x00007ffff79b2153 in socket_write (s=0x751370, buf=0x6bfe30, elmsize=1, cnt=26) at stream.c:2112
2 0x00007ffff79b4eca in bs_flush (ss=0x7323c0) at stream.c:3716
3 0x00007ffff79ae42e in mnstr_flush (s=0x7323c0) at stream.c:474
4 0x00007ffff7bcbc5a in mapi_execute_internal (hdl=0x1c503a60) at mapi.c:4166
5 0x00007ffff7bcbff9 in mapi_query (mid=0x750f30, cmd=0x47345f "CALL sys.settimeout(1)") at mapi.c:4217
6 0x000000000042178a in dut_monetdb::test (this=this@entry=0x6ab410,...) at monetdb.cc:217
7 0x0000000000411942 in main (argc=, argv=) at sqlsmith.cc:209

Comment 24577

Date: 2016-10-21 16:23:07 +0200
From: Bo Tang <>

Created attachment 487
this query also triggered Segmentation fault (core dumped)

Attached file: bug-9.sql (application/sql, 1958 bytes)
Description: this query also triggered Segmentation fault (core dumped)

Comment 24587

Date: 2016-10-24 16:03:50 +0200
From: Bo Tang <>

Created attachment 488
one more query for segmentation fault

Attached file: bug-10.sql (application/sql, 285 bytes)
Description: one more query for segmentation fault

Comment 24647

Date: 2016-11-03 10:19:09 +0100
From: MonetDB Mercurial Repository <>

Changeset 0a940b3f3f28 made by Niels Nes niels@cwi.nl in the MonetDB repo, refers to this bug.

For complete details, see http//devmonetdborg/hg/MonetDB?cmd=changeset;node=0a940b3f3f28

Changeset description:

fixed crash in bug #6081

Comment 24650

Date: 2016-11-07 09:34:42 +0100
From: @sjoerdmullender

(In reply to MonetDB Mercurial Repository from comment 9)

Changeset 0a940b3f3f28 made by Niels Nes niels@cwi.nl in the MonetDB
repo, refers to this bug.

For complete details, see
http//devmonetdborg/hg/MonetDB?cmd=changeset;node=0a940b3f3f28

Changeset description:

fixed crash in bug #6081

This does not fix the problem I referred to in comment 4.

Comment 24651

Date: 2016-11-07 10:32:47 +0100
From: MonetDB Mercurial Repository <>

Changeset 6c8b4094bb16 made by Sjoerd Mullender sjoerd@acm.org in the MonetDB repo, refers to this bug.

For complete details, see http//devmonetdborg/hg/MonetDB?cmd=changeset;node=6c8b4094bb16

Changeset description:

Don't try to free the global stack before it was initialized.
This fixes bug #6081.

Comment 24652

Date: 2016-11-07 10:35:20 +0100
From: @sjoerdmullender

(In reply to MonetDB Mercurial Repository from comment 11)

Changeset 6c8b4094bb16 made by Sjoerd Mullender sjoerd@acm.org in the
MonetDB repo, refers to this bug.

For complete details, see
http//devmonetdborg/hg/MonetDB?cmd=changeset;node=6c8b4094bb16

Changeset description:

Don't try to free the global stack before it was initialized.
This fixes bug #6081.

This is actually a fix for comment 4, not for the calc.== undefined issue.

Comment 24963

Date: 2017-02-03 14:56:23 +0100
From: @sjoerdmullender

None of the queries results in a crash or even warnings about calc.== in the Dec2016 branch.

Comment 25131

Date: 2017-03-03 10:24:55 +0100
From: @sjoerdmullender

Dec2016-SP2 has been released, incorporating the fix.

@monetdb-team monetdb-team added bug Something isn't working normal SQL labels Nov 30, 2020
@sjoerdmullender sjoerdmullender added this to the Ancient Release milestone Feb 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working normal SQL
Projects
None yet
Development

No branches or pull requests

2 participants