Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Malicious SQL statement which directly crashes TiDB server by triggering stack overflow #36896

Closed
JZuming opened this issue Aug 4, 2022 · 2 comments · Fixed by #43758
Closed

Malicious SQL statement which directly crashes TiDB server by triggering stack overflow #36896

JZuming opened this issue Aug 4, 2022 · 2 comments · Fixed by #43758
Assignees
@XuHuaiyu
Labels
severity/moderate sig/execution SIG execution type/bug The issue is confirmed as a bug.

Comments

@JZuming
Copy link

JZuming commented Aug 4, 2022

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

Setup the environment and create database testdb

tiup playground &
mysql -h "127.0.0.1" -u root -P 4000
MySQL> create database testdb;
MySQL> \q

Testcase

mysql -h "127.0.0.1" -u root -P 4000 -D testdb < mysql_bk.sql; 
mysql -h "127.0.0.1" -u root -P 4000 -D testdb < min_stmts.sql

mysql_bk.sql: mysql_bk.txt
min_stmts.sql: min_stmts.txt

Note: This bug can only be occasionally triggered, so you should repeat the test case several times to trigger the bug. Generally, I can reproduce the bug within10 tries.

2. What did you expect to see? (Required)

Testcase does not crash the TiDB server.

3. What did you see instead (Required)

Testcase crashed the TiDB server. The log shows that it may trigger a stack overflow bug.

The log of the TiDB server: tidb.log

4. What is your TiDB version? (Required)

Release Version: v6.1.0
Edition: Community
Git Commit Hash: 1a89decdb192cbdce6a7b0020d71128bc964d30f
Git Branch: HEAD
UTC Build Time: 2022-08-01 09:18:07
GoVersion: go1.18
Race Enabled: false
TiKV Min Version: v3.0.0-60965b006877ca7234adaced7890d7b029ed1306
Check Table Before Drop: false
@JZuming JZuming added the type/bug The issue is confirmed as a bug. label Aug 4, 2022
@morgo
Copy link
Contributor

morgo commented Aug 4, 2022

I can reproduce:

tidb quit: exit status 2
created by github.com/pingcap/tidb/executor.(*HashAggExec).prepare4ParallelExec
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/executor/aggregate.go:834 +0x149

goroutine 6700 [select]:
github.com/pingcap/tidb/executor.readProjectionInput(0x4299ce0?, 0xc002336c60?)
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/executor/projection.go:458 +0x5f
github.com/pingcap/tidb/executor.(*projectionWorker).run(0xc0019e7780, {0x4299ce0?, 0xc002336c60?})
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/executor/projection.go:427 +0x125
created by github.com/pingcap/tidb/executor.(*ProjectionExec).prepare
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/executor/projection.go:275 +0x69b

@tiancaiamao tiancaiamao added the sig/execution SIG execution label Aug 5, 2022
@tiancaiamao
Copy link
Contributor

Stack overflow from the memory OOM tracker, PTAL @XuHuaiyu

goroutine 576818 [running]:
github.com/pingcap/tidb/util/memory.(*BaseOOMAction).GetFallback(0xc005bbcd20)
        /home/zuming/tidb/util/memory/action.go:73 +0x92 fp=0xc029092398 sp=0xc029092390 pc=0x1eb6a92
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd20}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xb2 fp=0xc0290923d0 sp=0xc029092398 pc=0x1eb8b32
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd90}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092408 sp=0xc0290923d0 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd20}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092440 sp=0xc029092408 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd90}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092478 sp=0xc029092440 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd20}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc0290924b0 sp=0xc029092478 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd90}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc0290924e8 sp=0xc0290924b0 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd20}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092520 sp=0xc0290924e8 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd90}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092558 sp=0xc029092520 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd20}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092590 sp=0xc029092558 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd90}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc0290925c8 sp=0xc029092590 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd20}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092600 sp=0xc0290925c8 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd90}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092638 sp=0xc029092600 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd20}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092670 sp=0xc029092638 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd90}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc0290926a8 sp=0xc029092670 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd20}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc0290926e0 sp=0xc0290926a8 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd90}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092718 sp=0xc0290926e0 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd20}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092750 sp=0xc029092718 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd90}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092788 sp=0xc029092750 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd20}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc0290927c0 sp=0xc029092788 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd90}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc0290927f8 sp=0xc0290927c0 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd20}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092830 sp=0xc0290927f8 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd90}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092868 sp=0xc029092830 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd20}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc0290928a0 sp=0xc029092868 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd90}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc0290928d8 sp=0xc0290928a0 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd20}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092910 sp=0xc0290928d8 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd90}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092948 sp=0xc029092910 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd20}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc029092980 sp=0xc029092948 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd90}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc0290929b8 sp=0xc029092980 pc=0x1eb8b45
github.com/pingcap/tidb/util/memory.reArrangeFallback({0x3f511f0, 0xc005bbcd20}, {0x3f511f0, 0xc006351490})
        /home/zuming/tidb/util/memory/tracker.go:214 +0xc5 fp=0xc0290929f0 sp=0xc0290929b8 pc=0x1eb8b45

@guo-shaoge guo-shaoge mentioned this issue May 12, 2023
Merged
12 tasks
ti-chi-bot bot pushed a commit that referenced this issue May 12, 2023
@guo-shaoge
executor: fix cte may hang because register OOMAction repeatedly (#43758
cd334c4 
)

close #36896, close #43749
This was referenced May 12, 2023
Merged
Merged
Merged
Merged
Merged
ti-chi-bot bot pushed a commit that referenced this issue May 18, 2023
@ti-chi-bot
executor: fix cte may hang because register OOMAction repeatedly (#43758
cb98f2c 
) (#43774)

close #36896, close #43749
ti-chi-bot bot pushed a commit that referenced this issue May 23, 2023
@ti-chi-bot
executor: fix cte may hang because register OOMAction repeatedly (#43758
3110690 
) (#43771)

close #36896, close #43749
ti-chi-bot bot pushed a commit that referenced this issue May 23, 2023
@ti-chi-bot
executor: fix cte may hang because register OOMAction repeatedly (#43758
507a4ca 
) (#43773)

close #36896, close #43749
ti-chi-bot bot pushed a commit that referenced this issue May 23, 2023
@ti-chi-bot
executor: fix cte may hang because register OOMAction repeatedly (#43758
833ba03 
) (#43772)

close #36896, close #43749
ti-chi-bot bot pushed a commit that referenced this issue May 23, 2023
@ti-chi-bot
executor: fix cte may hang because register OOMAction repeatedly (#43758
fe24d1f 
) (#43770)

close #36896, close #43749
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@XuHuaiyu XuHuaiyu

Labels
severity/moderate sig/execution SIG execution type/bug The issue is confirmed as a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

executor: fix cte may hang because register OOMAction repeatedly guo-shaoge/tidb
4 participants
@morgo @tiancaiamao @XuHuaiyu @JZuming