MariaDB Server / MDEV-10705

Assertion `n < m_size' failed in Element_type& Bounds_checked_array<Element_type>::operator[](size_t) [with Element_type = Item*; size_t = long unsigned int]

Details

    Description

      SELECT 1 UNION ( SELECT 2 ORDER BY NULL, @a := 3 );
      

      Version: '10.2.2-MariaDB-debug'  socket: '/data/bld/10.2/data/tmp/mysql.sock'  port: 3306  Source distribution
      mysqld: /data/src/10.2/sql/sql_array.h:64: Element_type& Bounds_checked_array<Element_type>::operator[](size_t) [with Element_type = Item*; size_t = long unsigned int]: Assertion `n < m_size' failed.
      160830 23:23:50 [ERROR] mysqld got signal 6 ;
      

      #7  0x00007f1a55925312 in __GI___assert_fail (assertion=0x7f1a58a7c157 "n < m_size", file=0x7f1a58a7c138 "/data/src/10.2/sql/sql_array.h", line=64, function=0x7f1a58a7d900 <Bounds_checked_array<Item*>::operator[](unsigned long)::__PRETTY_FUNCTION__> "Element_type& Bounds_checked_array<Element_type>::operator[](size_t) [with Element_type = Item*; size_t = long unsigned int]") at assert.c:101
      #8  0x00007f1a5810d673 in Bounds_checked_array<Item*>::operator[] (this=0x7f1a590b68f0, n=2) at /data/src/10.2/sql/sql_array.h:64
      #9  0x00007f1a581d57e0 in find_order_in_list (thd=0x7f1a284bb070, ref_pointer_array=..., tables=0x0, order=0x7f1a28512fe0, fields=..., all_fields=..., is_group_field=false, search_in_all_fields=true) at /data/src/10.2/sql/sql_select.cc:22030
      #10 0x00007f1a581d58d8 in setup_order (thd=0x7f1a284bb070, ref_pointer_array=..., tables=0x0, fields=..., all_fields=..., order=0x7f1a28512fe0, search_in_all_fields=true) at /data/src/10.2/sql/sql_select.cc:22062
      #11 0x00007f1a5819ef5e in JOIN::prepare (this=0x7f1a28513808, tables_init=0x0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=true, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f1a28512210, unit_arg=0x7f1a284beac8) at /data/src/10.2/sql/sql_select.cc:823
      #12 0x00007f1a5823b2c5 in st_select_lex_unit::prepare (this=0x7f1a284beac8, thd_arg=0x7f1a284bb070, sel_result=0x7f1a285130c8, additional_options=268435456) at /data/src/10.2/sql/sql_union.cc:452
      #13 0x00007f1a58239f42 in mysql_union (thd=0x7f1a284bb070, lex=0x7f1a284bea00, result=0x7f1a285130c8, unit=0x7f1a284beac8, setup_tables_done_option=0) at /data/src/10.2/sql/sql_union.cc:37
      #14 0x00007f1a5819daa5 in handle_select (thd=0x7f1a284bb070, lex=0x7f1a284bea00, result=0x7f1a285130c8, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:355
      #15 0x00007f1a5816d8a3 in execute_sqlcom_select (thd=0x7f1a284bb070, all_tables=0x0) at /data/src/10.2/sql/sql_parse.cc:6310
      #16 0x00007f1a581636df in mysql_execute_command (thd=0x7f1a284bb070) at /data/src/10.2/sql/sql_parse.cc:3353
      #17 0x00007f1a5817105d in mysql_parse (thd=0x7f1a284bb070, rawbuf=0x7f1a28512088 "SELECT 1 UNION ( SELECT 2 ORDER BY NULL, @a := 3 )", length=50, parser_state=0x7f1a590b7e30, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7742
      #18 0x00007f1a5815f4c9 in dispatch_command (command=COM_QUERY, thd=0x7f1a284bb070, packet=0x7f1a284dc071 "SELECT 1 UNION ( SELECT 2 ORDER BY NULL, @a := 3 )", packet_length=50, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1790
      #19 0x00007f1a5815df35 in do_command (thd=0x7f1a284bb070) at /data/src/10.2/sql/sql_parse.cc:1353
      #20 0x00007f1a582969ea in do_handle_one_connection (connect=0x7f1a5505cad0) at /data/src/10.2/sql/sql_connect.cc:1354
      #21 0x00007f1a58296777 in handle_one_connection (arg=0x7f1a5505cad0) at /data/src/10.2/sql/sql_connect.cc:1260
      #22 0x00007f1a578270a4 in start_thread (arg=0x7f1a590b9300) at pthread_create.c:309
      #23 0x00007f1a559df87d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
      

          Activity

            elenst Elena Stepanova created issue -
            bar Alexander Barkov made changes -
            Field Original Value New Value
            Priority Major [ 3 ] Critical [ 2 ]

            bar Alexander Barkov added a comment -

            The problem was introduced by this change:

            commit 2cfc450bf78c2d951729d1a0e8f731c0d987b1d5
            Author: Igor Babaev <igor@askmonty.org>
            Date:   Tue Feb 9 12:35:59 2016 -0800

            bar Alexander Barkov made changes -
            Assignee Alexander Barkov [ bar ] Igor Babaev [ igor ]
            igor Igor Babaev (Inactive) made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            igor Igor Babaev (Inactive) added a comment - - edited

            The problem with the submitted test case really appeared with my merge from the mysql code. Yet the bug itself existed before this merge. Here's what we have for 10.0 and most probably for the earlier versions:

            MariaDB [test]> SELECT 1 UNION
            ( SELECT 2 ORDER BY NULL, @a0 := 3, @a1 := 3, @a2 := 3,
            @a3 := 3, @a4 := 3, @a5 := 3, @a6 := 3, @a7 := 3, @a8 := 3,
            @a9 := 3, @a10 := 3 );
            ERROR 2006 (HY000): MySQL server has gone away

            With this test case we have on the server side:

            Version: '10.0.29-MariaDB-debug' socket: '/tmp/mysql.sock' port: 3306 Source distribution
            [New Thread 0x7ffff7f8b710 (LWP 10381)]
            mysqld: /home/igor/maria-git/10.0/sql/sql_select.cc:21483: bool find_order_in_list(THD*, Item*, TABLE_LIST, ORDER*, List<Item>&, List<Item>&, bool): Assertion `all_fields.elements <= thd->lex->current_select->ref_pointer_array_size' failed.

            Thread 27 "mysqld" received signal SIGABRT, Aborted.
            [Switching to Thread 0x7ffff7f8b710 (LWP 10381)]
            0x00007ffff62b39e5 in raise () from /lib64/libc.so.6
            igor Igor Babaev (Inactive) added a comment - - edited

            This bug was introduced by the fix for bug mdev-5104 (in the commit 883af99e7dac91e3f258135a2053e6b8e3c05fc3).
            The fix was applied to mariadb-5.3.
            So this bug MDEV-10705 is present in the current 5.3/5.5 as well.

            igor Igor Babaev (Inactive) made changes -
            Fix Version/s 5.5.55 [ 22311 ]
            Fix Version/s 10.2 [ 14601 ]
            Affects Version/s 5.5 [ 15800 ]
            Affects Version/s 10.0 [ 16000 ]
            Affects Version/s 10.1 [ 16100 ]

            igor Igor Babaev (Inactive) added a comment -

            The fix for this bug was pushed into the 5.5 tree (actually this is a 5.3 bug).

            igor Igor Babaev (Inactive) made changes -
            Component/s Optimizer [ 10200 ]
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Closed [ 6 ]
            elenst Elena Stepanova made changes -
            Fix Version/s 10.2.4 [ 22116 ]
            Fix Version/s 10.1.21 [ 22113 ]
            Fix Version/s 10.0.29 [ 22312 ]
            alice Alice Sherepa made changes -
            serg Sergei Golubchik made changes -
            Workflow MariaDB v3 [ 76860 ] MariaDB v4 [ 150843 ]

            People

              igor Igor Babaev (Inactive)
              elenst Elena Stepanova