[MDEV-19520] Server crashes in st_select_lex::pushdown_from_having_into_where or Item_func_not::fix_fields and UBSAN: store to null pointer of type 'struct Item *' - Jira

XML

Word

Printable

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2, 11.3, 11.4
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2, 11.3
Component/s: Optimizer
Labels:

Description

CREATE TABLE t1 (a INT);

INSERT INTO t1 VALUES (0),(1);

SELECT a FROM t1 GROUP BY a HAVING NOT a;

10.4 30ddf961
#3 <signal handler called>
#4 0x00005638135a7255 in Item_func_not::fix_fields (this=0x7f77080140b0, thd=0x7f7708000b00, ref=0x0) at /data/src/10.4/sql/item_cmpfunc.cc:6307
#5 0x00005638131fe022 in st_select_lex::pushdown_from_having_into_where (this=0x7f77080131b0, thd=0x7f7708000b00, having=0x0) at /data/src/10.4/sql/sql_lex.cc:10245
#6 0x0000563813262a53 in JOIN::optimize_inner (this=0x7f7708014a70) at /data/src/10.4/sql/sql_select.cc:1966
#7 0x00005638132613d4 in JOIN::optimize (this=0x7f7708014a70) at /data/src/10.4/sql/sql_select.cc:1561
#8 0x000056381326c1ca in mysql_select (thd=0x7f7708000b00, tables=0x7f7708013778, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7f7708013f50, having=0x7f77080140b0, proc_param=0x0, select_options=2147748608, result=0x7f7708014a48, unit=0x7f7708004a28, select_lex=0x7f77080131b0) at /data/src/10.4/sql/sql_select.cc:4589
#9 0x000056381325c862 in handle_select (thd=0x7f7708000b00, lex=0x7f7708004960, result=0x7f7708014a48, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:424
#10 0x0000563813226261 in execute_sqlcom_select (thd=0x7f7708000b00, all_tables=0x7f7708013778) at /data/src/10.4/sql/sql_parse.cc:6598
#11 0x000056381321b524 in mysql_execute_command (thd=0x7f7708000b00) at /data/src/10.4/sql/sql_parse.cc:3887
#12 0x0000563813229ff5 in mysql_parse (thd=0x7f7708000b00, rawbuf=0x7f77080130f8 "SELECT a FROM t1 GROUP BY a HAVING NOT a", length=40, parser_state=0x7f7718199180, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:8150
#13 0x00005638132156e1 in dispatch_command (command=COM_QUERY, thd=0x7f7708000b00, packet=0x7f7708008301 "SELECT a FROM t1 GROUP BY a HAVING NOT a", packet_length=40, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1829
#14 0x0000563813213ea1 in do_command (thd=0x7f7708000b00) at /data/src/10.4/sql/sql_parse.cc:1362
#15 0x000056381338b937 in do_handle_one_connection (connect=0x563816243040) at /data/src/10.4/sql/sql_connect.cc:1403
#16 0x000056381338b69b in handle_one_connection (arg=0x563816243040) at /data/src/10.4/sql/sql_connect.cc:1306
#17 0x0000563813cb3135 in pfs_spawn_thread (arg=0x5638162783f0) at /data/src/10.4/storage/perfschema/pfs.cc:1862
#18 0x00007f771fb3c4a4 in start_thread (arg=0x7f771819a700) at pthread_create.c:456
#19 0x00007f771e084d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Reproducible with MyISAM, Aria, InnoDB.
Non-debug build fails the same way.

No crash with condition_pushdown_from_having=off.

Attachments

Issue Links

is duplicated by

MDEV-26418 A SEGV in Optimizer

Closed

MDEV-30152 Crash bug on select related functions

Closed

MDEV-32300 Server crashes at Item_func_not::fix_fields

Closed

MDEV-32420 Segmentation fault at /mariadb-11.3.0/sql/item_cmpfunc.cc:6552

Closed

Activity

People

Assignee:: Igor Babaev

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2019-05-17 19:16

Updated:: 2023-12-18 04:10

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.