[MDEV-19520] Extend condition normalization to include 'NOT a' - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4
Fix Version/s: 10.5.26, 10.6.19, 10.11.9, 11.1.6, 11.2.5, 11.4.3, 11.5.2, 11.6.0
Component/s: Optimizer, Parser
Labels:

Description

CREATE TABLE t1 (a INT);

INSERT INTO t1 VALUES (0),(1);

SELECT a FROM t1 GROUP BY a HAVING NOT a;

10.4 30ddf961
#3 <signal handler called>
#4 0x00005638135a7255 in Item_func_not::fix_fields (this=0x7f77080140b0, thd=0x7f7708000b00, ref=0x0) at /data/src/10.4/sql/item_cmpfunc.cc:6307
#5 0x00005638131fe022 in st_select_lex::pushdown_from_having_into_where (this=0x7f77080131b0, thd=0x7f7708000b00, having=0x0) at /data/src/10.4/sql/sql_lex.cc:10245
#6 0x0000563813262a53 in JOIN::optimize_inner (this=0x7f7708014a70) at /data/src/10.4/sql/sql_select.cc:1966
#7 0x00005638132613d4 in JOIN::optimize (this=0x7f7708014a70) at /data/src/10.4/sql/sql_select.cc:1561
#8 0x000056381326c1ca in mysql_select (thd=0x7f7708000b00, tables=0x7f7708013778, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7f7708013f50, having=0x7f77080140b0, proc_param=0x0, select_options=2147748608, result=0x7f7708014a48, unit=0x7f7708004a28, select_lex=0x7f77080131b0) at /data/src/10.4/sql/sql_select.cc:4589
#9 0x000056381325c862 in handle_select (thd=0x7f7708000b00, lex=0x7f7708004960, result=0x7f7708014a48, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:424
#10 0x0000563813226261 in execute_sqlcom_select (thd=0x7f7708000b00, all_tables=0x7f7708013778) at /data/src/10.4/sql/sql_parse.cc:6598
#11 0x000056381321b524 in mysql_execute_command (thd=0x7f7708000b00) at /data/src/10.4/sql/sql_parse.cc:3887
#12 0x0000563813229ff5 in mysql_parse (thd=0x7f7708000b00, rawbuf=0x7f77080130f8 "SELECT a FROM t1 GROUP BY a HAVING NOT a", length=40, parser_state=0x7f7718199180, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:8150
#13 0x00005638132156e1 in dispatch_command (command=COM_QUERY, thd=0x7f7708000b00, packet=0x7f7708008301 "SELECT a FROM t1 GROUP BY a HAVING NOT a", packet_length=40, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1829
#14 0x0000563813213ea1 in do_command (thd=0x7f7708000b00) at /data/src/10.4/sql/sql_parse.cc:1362
#15 0x000056381338b937 in do_handle_one_connection (connect=0x563816243040) at /data/src/10.4/sql/sql_connect.cc:1403
#16 0x000056381338b69b in handle_one_connection (arg=0x563816243040) at /data/src/10.4/sql/sql_connect.cc:1306
#17 0x0000563813cb3135 in pfs_spawn_thread (arg=0x5638162783f0) at /data/src/10.4/storage/perfschema/pfs.cc:1862
#18 0x00007f771fb3c4a4 in start_thread (arg=0x7f771819a700) at pthread_create.c:456
#19 0x00007f771e084d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Reproducible with MyISAM, Aria, InnoDB.
Non-debug build fails the same way.

No crash with condition_pushdown_from_having=off.

Attachments

Issue Links

is duplicated by

MDEV-26418 A SEGV in Optimizer

Closed

MDEV-30152 Crash bug on select related functions

Closed

MDEV-32300 Server crashes at Item_func_not::fix_fields

Closed

MDEV-32420 Segmentation fault at /mariadb-11.3.0/sql/item_cmpfunc.cc:6552

Closed

Activity

Ascending order - Click to sort in descending order

Roel Van de Paar added a comment - 2022-06-17 10:21

SELECT * FROM (SELECT 1 AS c) AS a WHERE c IN (SELECT 1) GROUP BY c, c HAVING NOT c;

Leads to:

10.10.0 081a284712bb661349e2e3802077b12211cede3e (Optimized)
Core was generated by `/test/MD310522-mariadb-10.10.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000055c86b1cfd0e in Item_func_not::fix_fields (this=0x1491b0013820, thd=
0x1491b0000c58, ref=0x0) at /test/10.10_opt/sql/item_cmpfunc.cc:6445
[Current thread is 1 (Thread 0x1491e4804700 (LWP 2260955))]
(gdb) bt
#0 0x000055c86b1cfd0e in Item_func_not::fix_fields (this=0x1491b0013820, thd=0x1491b0000c58, ref=0x0) at /test/10.10_opt/sql/item_cmpfunc.cc:6445
#1 0x000055c86af36ec2 in st_select_lex::pushdown_from_having_into_where (this=0x1491b0010988, thd=0x1491b0000c58, having=0x0) at /test/10.10_opt/sql/sql_lex.cc:11256
#2 0x000055c86afc09a9 in JOIN::optimize_inner (this=0x1491b0018c70) at /test/10.10_opt/sql/sql_select.cc:2259
#3 0x000055c86afc3b13 in JOIN::optimize (this=this@entry=0x1491b0018c70) at /test/10.10_opt/sql/sql_select.cc:1845
#4 0x000055c86afc3bfe in mysql_select (thd=0x1491b0000c58, tables=0x1491b0011c90, fields=@0x1491b0010c28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491b0010f18, last = 0x1491b0010f18, elements = 1}, <No data fields>}, conds=0x1491b00131c0, og_num=2, order=0x0, group=0x1491b0013548, having=0x1491b0013820, proc_param=0x0, select_options=<optimized out>, result=0x1491b0014188, unit=0x1491b0004cb8, select_lex=0x1491b0010988) at /test/10.10_opt/sql/sql_select.cc:5030
#5 0x000055c86afc4397 in handle_select (thd=thd@entry=0x1491b0000c58, lex=lex@entry=0x1491b0004be0, result=result@entry=0x1491b0014188, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.10_opt/sql/sql_select.cc:578
#6 0x000055c86af479b1 in execute_sqlcom_select (thd=0x1491b0000c58, all_tables=0x1491b0011c90) at /test/10.10_opt/sql/sql_parse.cc:6260
#7 0x000055c86af5552d in mysql_execute_command (thd=0x1491b0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:3944
#8 0x000055c86af42bb5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1491b0000c58) at /test/10.10_opt/sql/sql_parse.cc:8036
#9 mysql_parse (thd=0x1491b0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:7958
#10 0x000055c86af4e6ca in dispatch_command (command=COM_QUERY, thd=0x1491b0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.10_opt/sql/sql_class.h:1364
#11 0x000055c86af505f2 in do_command (thd=0x1491b0000c58, blocking=blocking@entry=true) at /test/10.10_opt/sql/sql_parse.cc:1407
#12 0x000055c86b0668af in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55c86e75a1a8, put_in_cache=put_in_cache@entry=true) at /test/10.10_opt/sql/sql_connect.cc:1418
#13 0x000055c86b066b8d in handle_one_connection (arg=0x55c86e75a1a8) at /test/10.10_opt/sql/sql_connect.cc:1312
#14 0x00001491fd647609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#15 0x00001491fd233133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.4.26 (dbg), 10.4.26 (opt), 10.5.17 (dbg), 10.5.17 (opt), 10.6.9 (dbg), 10.6.9 (opt), 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.36 (dbg), 10.3.36 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

Roel Van de Paar added a comment - 2022-06-17 10:21 SELECT * FROM ( SELECT 1 AS c) AS a WHERE c IN ( SELECT 1) GROUP BY c, c HAVING NOT c; Leads to: 10.10.0 081a284712bb661349e2e3802077b12211cede3e (Optimized) Core was generated by `/test/MD310522-mariadb-10.10.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x000055c86b1cfd0e in Item_func_not::fix_fields (this=0x1491b0013820, thd= 0x1491b0000c58, ref=0x0) at /test/10.10_opt/sql/item_cmpfunc.cc:6445 [Current thread is 1 (Thread 0x1491e4804700 (LWP 2260955))] (gdb) bt #0 0x000055c86b1cfd0e in Item_func_not::fix_fields (this=0x1491b0013820, thd=0x1491b0000c58, ref=0x0) at /test/10.10_opt/sql/item_cmpfunc.cc:6445 #1 0x000055c86af36ec2 in st_select_lex::pushdown_from_having_into_where (this=0x1491b0010988, thd=0x1491b0000c58, having=0x0) at /test/10.10_opt/sql/sql_lex.cc:11256 #2 0x000055c86afc09a9 in JOIN::optimize_inner (this=0x1491b0018c70) at /test/10.10_opt/sql/sql_select.cc:2259 #3 0x000055c86afc3b13 in JOIN::optimize (this=this@entry=0x1491b0018c70) at /test/10.10_opt/sql/sql_select.cc:1845 #4 0x000055c86afc3bfe in mysql_select (thd=0x1491b0000c58, tables=0x1491b0011c90, fields=@0x1491b0010c28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491b0010f18, last = 0x1491b0010f18, elements = 1}, <No data fields>}, conds=0x1491b00131c0, og_num=2, order=0x0, group=0x1491b0013548, having=0x1491b0013820, proc_param=0x0, select_options=<optimized out>, result=0x1491b0014188, unit=0x1491b0004cb8, select_lex=0x1491b0010988) at /test/10.10_opt/sql/sql_select.cc:5030 #5 0x000055c86afc4397 in handle_select (thd=thd@entry=0x1491b0000c58, lex=lex@entry=0x1491b0004be0, result=result@entry=0x1491b0014188, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.10_opt/sql/sql_select.cc:578 #6 0x000055c86af479b1 in execute_sqlcom_select (thd=0x1491b0000c58, all_tables=0x1491b0011c90) at /test/10.10_opt/sql/sql_parse.cc:6260 #7 0x000055c86af5552d in mysql_execute_command (thd=0x1491b0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:3944 #8 0x000055c86af42bb5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1491b0000c58) at /test/10.10_opt/sql/sql_parse.cc:8036 #9 mysql_parse (thd=0x1491b0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:7958 #10 0x000055c86af4e6ca in dispatch_command (command=COM_QUERY, thd=0x1491b0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.10_opt/sql/sql_class.h:1364 #11 0x000055c86af505f2 in do_command (thd=0x1491b0000c58, blocking=blocking@entry=true) at /test/10.10_opt/sql/sql_parse.cc:1407 #12 0x000055c86b0668af in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55c86e75a1a8, put_in_cache=put_in_cache@entry=true) at /test/10.10_opt/sql/sql_connect.cc:1418 #13 0x000055c86b066b8d in handle_one_connection (arg=0x55c86e75a1a8) at /test/10.10_opt/sql/sql_connect.cc:1312 #14 0x00001491fd647609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #15 0x00001491fd233133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 Bug confirmed present in: MariaDB: 10.4.26 (dbg), 10.4.26 (opt), 10.5.17 (dbg), 10.5.17 (opt), 10.6.9 (dbg), 10.6.9 (opt), 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt) Bug (or feature/syntax) confirmed not present in: MariaDB: 10.3.36 (dbg), 10.3.36 (opt) MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

Roel Van de Paar added a comment - 2022-06-17 10:23

SELECT * FROM (SELECT 1 AS c) AS a GROUP BY c, c HAVING NOT c;

Roel Van de Paar added a comment - 2022-06-17 10:23 SELECT * FROM ( SELECT 1 AS c) AS a GROUP BY c, c HAVING NOT c;

Roel Van de Paar added a comment - 2022-06-17 10:25 - edited

SELECT * FROM (SELECT 1 AS c) AS a GROUP BY c HAVING NOT c;

Produces a somewhat different stack:

11.0.1 b075191ba8598af6aff5549e6e19f6255aef258a (Optimized)
Core was generated by `/test/MD090123-mariadb-11.0.1-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000558ebb538901 in Item_func_not::fix_fields (ref=0x0,
thd=0x14a108000c68, this=0x14a108012538)
at /test/11.0_opt/sql/item_cmpfunc.cc:6547
6547 rc= (*ref= new_item)->fix_fields(thd, ref);
[Current thread is 1 (Thread 0x14a14c08d640 (LWP 702036))]
(gdb) bt
#0 0x0000558ebb538901 in Item_func_not::fix_fields (ref=0x0, thd=0x14a108000c68, this=0x14a108012538) at /test/11.0_opt/sql/item_cmpfunc.cc:6547
#1 Item_func_not::fix_fields (this=0x14a108012538, thd=0x14a108000c68, ref=0x0) at /test/11.0_opt/sql/item_cmpfunc.cc:6534
#2 0x0000558ebb29884a in st_select_lex::pushdown_from_having_into_where (this=0x14a108010848, thd=0x14a108000c68, having=0x0) at /test/11.0_opt/sql/sql_lex.cc:11250
#3 0x0000558ebb326a61 in JOIN::optimize_inner (this=0x14a108012ef8) at /test/11.0_opt/sql/sql_select.cc:2290
#4 0x0000558ebb327ada in JOIN::optimize (this=this@entry=0x14a108012ef8) at /test/11.0_opt/sql/sql_select.cc:1870
#5 0x0000558ebb327bbe in mysql_select (thd=0x14a108000c68, tables=0x14a108011b90, fields=@0x14a108010ae8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14a108010de0, last = 0x14a108010de0, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x14a1080123d8, having=0x14a108012538, proc_param=0x0, select_options=<optimized out>, result=0x14a108012ed0, unit=0x14a108004ce8, select_lex=0x14a108010848) at /test/11.0_opt/sql/sql_select.cc:5066
#6 0x0000558ebb328354 in handle_select (thd=thd@entry=0x14a108000c68, lex=lex@entry=0x14a108004c10, result=result@entry=0x14a108012ed0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.0_opt/sql/sql_select.cc:581
#7 0x0000558ebb2a3b25 in execute_sqlcom_select (thd=0x14a108000c68, all_tables=0x14a108011b90) at /test/11.0_opt/sql/sql_parse.cc:6265
#8 0x0000558ebb2b2870 in mysql_execute_command (thd=0x14a108000c68, is_called_from_prepared_stmt=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:3949
#9 0x0000558ebb2b4104 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14a108000c68) at /test/11.0_opt/sql/sql_parse.cc:8000
#10 mysql_parse (thd=0x14a108000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:7922
#11 0x0000558ebb2b66e2 in dispatch_command (command=COM_QUERY, thd=0x14a108000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:1991
#12 0x0000558ebb2b7e80 in do_command (thd=0x14a108000c68, blocking=blocking@entry=true) at /test/11.0_opt/sql/sql_parse.cc:1407
#13 0x0000558ebb3cdab7 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x558ebd379c38, put_in_cache=put_in_cache@entry=true) at /test/11.0_opt/sql/sql_connect.cc:1416
#14 0x0000558ebb3cdd8d in handle_one_connection (arg=0x558ebd379c38) at /test/11.0_opt/sql/sql_connect.cc:1318
#15 0x000014a16434fb43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#16 0x000014a1643e1a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

And in UBSAN we get:

10.11.2 70be59913c90e93fe5136d6f6df03c4254aa515d (Debug, UBASAN)
2023-01-13 19:37:21 0 [Note] /test/UBASAN_MD070123-mariadb-10.11.2-linux-x86_64-dbg/bin/mysqld: ready for connections.
Version: '10.11.2-MariaDB-debug' socket: '/test/UBASAN_MD070123-mariadb-10.11.2-linux-x86_64-dbg/socket.sock' port: 11398 MariaDB Server
/test/10.11_dbg_san/sql/item_cmpfunc.cc:6547:16: runtime error: store to null pointer of type 'struct Item *'
#0 0x5587b5810657 in Item_func_not::fix_fields(THD, Item*) /test/10.11_dbg_san/sql/item_cmpfunc.cc:6547
#1 0x5587b3d7ce8a in st_select_lex::pushdown_from_having_into_where(THD, Item) /test/10.11_dbg_san/sql/sql_lex.cc:11250
#2 0x5587b424d6ef in JOIN::optimize_inner() /test/10.11_dbg_san/sql/sql_select.cc:2291
#3 0x5587b425289f in JOIN::optimize() /test/10.11_dbg_san/sql/sql_select.cc:1870
#4 0x5587b4252ebd in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.11_dbg_san/sql/sql_select.cc:5066
#5 0x5587b4257632 in handle_select(THD, LEX, select_result*, unsigned long long) /test/10.11_dbg_san/sql/sql_select.cc:581
#6 0x5587b3df3b1c in execute_sqlcom_select /test/10.11_dbg_san/sql/sql_parse.cc:6265
#7 0x5587b3e54419 in mysql_execute_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:3949
#8 0x5587b3e83a74 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.11_dbg_san/sql/sql_parse.cc:8000
#9 0x5587b3e937d2 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1894
#10 0x5587b3ea159c in do_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1407
#11 0x5587b483f495 in do_handle_one_connection(CONNECT*, bool) /test/10.11_dbg_san/sql/sql_connect.cc:1416
#12 0x5587b48409b0 in handle_one_connection /test/10.11_dbg_san/sql/sql_connect.cc:1318
#13 0x15338e139b42 in start_thread nptl/pthread_create.c:442
#14 0x15338e1cb9ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

230113 19:37:22 [ERROR] mysqld got signal 11 ;

Roel Van de Paar added a comment - 2022-06-17 10:25 - edited SELECT * FROM ( SELECT 1 AS c) AS a GROUP BY c HAVING NOT c; Produces a somewhat different stack: 11.0.1 b075191ba8598af6aff5549e6e19f6255aef258a (Optimized) Core was generated by `/test/MD090123-mariadb-11.0.1-linux-x86_64-opt/bin/mysqld --no-defaults --core-'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x0000558ebb538901 in Item_func_not::fix_fields (ref=0x0, thd=0x14a108000c68, this=0x14a108012538) at /test/11.0_opt/sql/item_cmpfunc.cc:6547 6547 rc= (*ref= new_item)->fix_fields(thd, ref); [Current thread is 1 (Thread 0x14a14c08d640 (LWP 702036))] (gdb) bt #0 0x0000558ebb538901 in Item_func_not::fix_fields (ref=0x0, thd=0x14a108000c68, this=0x14a108012538) at /test/11.0_opt/sql/item_cmpfunc.cc:6547 #1 Item_func_not::fix_fields (this=0x14a108012538, thd=0x14a108000c68, ref=0x0) at /test/11.0_opt/sql/item_cmpfunc.cc:6534 #2 0x0000558ebb29884a in st_select_lex::pushdown_from_having_into_where (this=0x14a108010848, thd=0x14a108000c68, having=0x0) at /test/11.0_opt/sql/sql_lex.cc:11250 #3 0x0000558ebb326a61 in JOIN::optimize_inner (this=0x14a108012ef8) at /test/11.0_opt/sql/sql_select.cc:2290 #4 0x0000558ebb327ada in JOIN::optimize (this=this@entry=0x14a108012ef8) at /test/11.0_opt/sql/sql_select.cc:1870 #5 0x0000558ebb327bbe in mysql_select (thd=0x14a108000c68, tables=0x14a108011b90, fields=@0x14a108010ae8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14a108010de0, last = 0x14a108010de0, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x14a1080123d8, having=0x14a108012538, proc_param=0x0, select_options=<optimized out>, result=0x14a108012ed0, unit=0x14a108004ce8, select_lex=0x14a108010848) at /test/11.0_opt/sql/sql_select.cc:5066 #6 0x0000558ebb328354 in handle_select (thd=thd@entry=0x14a108000c68, lex=lex@entry=0x14a108004c10, result=result@entry=0x14a108012ed0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.0_opt/sql/sql_select.cc:581 #7 0x0000558ebb2a3b25 in execute_sqlcom_select (thd=0x14a108000c68, all_tables=0x14a108011b90) at /test/11.0_opt/sql/sql_parse.cc:6265 #8 0x0000558ebb2b2870 in mysql_execute_command (thd=0x14a108000c68, is_called_from_prepared_stmt=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:3949 #9 0x0000558ebb2b4104 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14a108000c68) at /test/11.0_opt/sql/sql_parse.cc:8000 #10 mysql_parse (thd=0x14a108000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:7922 #11 0x0000558ebb2b66e2 in dispatch_command (command=COM_QUERY, thd=0x14a108000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:1991 #12 0x0000558ebb2b7e80 in do_command (thd=0x14a108000c68, blocking=blocking@entry=true) at /test/11.0_opt/sql/sql_parse.cc:1407 #13 0x0000558ebb3cdab7 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x558ebd379c38, put_in_cache=put_in_cache@entry=true) at /test/11.0_opt/sql/sql_connect.cc:1416 #14 0x0000558ebb3cdd8d in handle_one_connection (arg=0x558ebd379c38) at /test/11.0_opt/sql/sql_connect.cc:1318 #15 0x000014a16434fb43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442 #16 0x000014a1643e1a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81 And in UBSAN we get: 10.11.2 70be59913c90e93fe5136d6f6df03c4254aa515d (Debug, UBASAN) 2023-01-13 19:37:21 0 [Note] /test/UBASAN_MD070123-mariadb-10.11.2-linux-x86_64-dbg/bin/mysqld: ready for connections. Version: '10.11.2-MariaDB-debug' socket: '/test/UBASAN_MD070123-mariadb-10.11.2-linux-x86_64-dbg/socket.sock' port: 11398 MariaDB Server /test/10.11_dbg_san/sql/item_cmpfunc.cc:6547:16: runtime error: store to null pointer of type 'struct Item *' #0 0x5587b5810657 in Item_func_not::fix_fields(THD*, Item**) /test/10.11_dbg_san/sql/item_cmpfunc.cc:6547 #1 0x5587b3d7ce8a in st_select_lex::pushdown_from_having_into_where(THD*, Item*) /test/10.11_dbg_san/sql/sql_lex.cc:11250 #2 0x5587b424d6ef in JOIN::optimize_inner() /test/10.11_dbg_san/sql/sql_select.cc:2291 #3 0x5587b425289f in JOIN::optimize() /test/10.11_dbg_san/sql/sql_select.cc:1870 #4 0x5587b4252ebd in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.11_dbg_san/sql/sql_select.cc:5066 #5 0x5587b4257632 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/10.11_dbg_san/sql/sql_select.cc:581 #6 0x5587b3df3b1c in execute_sqlcom_select /test/10.11_dbg_san/sql/sql_parse.cc:6265 #7 0x5587b3e54419 in mysql_execute_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:3949 #8 0x5587b3e83a74 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_dbg_san/sql/sql_parse.cc:8000 #9 0x5587b3e937d2 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1894 #10 0x5587b3ea159c in do_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1407 #11 0x5587b483f495 in do_handle_one_connection(CONNECT*, bool) /test/10.11_dbg_san/sql/sql_connect.cc:1416 #12 0x5587b48409b0 in handle_one_connection /test/10.11_dbg_san/sql/sql_connect.cc:1318 #13 0x15338e139b42 in start_thread nptl/pthread_create.c:442 #14 0x15338e1cb9ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff) 230113 19:37:22 [ERROR] mysqld got signal 11 ;

Roel Van de Paar added a comment - 2023-12-18 04:08 - edited

Also observed stack smashing while testing ~~MDEV-7850~~ in 11.4:

11.4.0 57618265ad914824ce78108729829df13c75e224 (Debug)
Core was generated by `/test/MDEV-7850_MD161223-mariadb-11.4.0-linux-x86_64-dbg/bin/mariadbd --no-defa'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000055ae08a128c7 in Item_func_not::fix_fields (this=0x1466e1c41b10,
thd=0x1466e0000d58,
ref=<error reading variable: Cannot access memory at address 0x1467900732a8>) at /test/bb-11.4-MDEV-7850_dbg/sql/item_cmpfunc.cc:6545
6545 rc= (*ref= new_item)->fix_fields(thd, ref);
[Current thread is 1 (LWP 802528)]
(gdb) bt
#0 0x000055ae08a128c7 in Item_func_not::fix_fields (this=0x1466e1c41b10, thd=0x1466e0000d58, ref=<error reading variable: Cannot access memory at address 0x1467900732a8>) at /test/bb-11.4-MDEV-7850_dbg/sql/item_cmpfunc.cc:6545
Backtrace stopped: Cannot access memory at address 0x146790073308

In this particular occurrence, the issue proved to be very sporadic.

Roel Van de Paar added a comment - 2023-12-18 04:08 - edited Also observed stack smashing while testing MDEV-7850 in 11.4: 11.4.0 57618265ad914824ce78108729829df13c75e224 (Debug) Core was generated by `/test/MDEV-7850_MD161223-mariadb-11.4.0-linux-x86_64-dbg/bin/mariadbd --no-defa'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x000055ae08a128c7 in Item_func_not::fix_fields (this=0x1466e1c41b10, thd=0x1466e0000d58, ref=<error reading variable: Cannot access memory at address 0x1467900732a8>) at /test/bb-11.4-MDEV-7850_dbg/sql/item_cmpfunc.cc:6545 6545 rc= (*ref= new_item)->fix_fields(thd, ref); [Current thread is 1 (LWP 802528)] (gdb) bt #0 0x000055ae08a128c7 in Item_func_not::fix_fields (this=0x1466e1c41b10, thd=0x1466e0000d58, ref=<error reading variable: Cannot access memory at address 0x1467900732a8>) at /test/bb-11.4-MDEV-7850_dbg/sql/item_cmpfunc.cc:6545 Backtrace stopped: Cannot access memory at address 0x146790073308 In this particular occurrence, the issue proved to be very sporadic.

Rex Johnston added a comment - 2024-04-29 23:13 - edited

During the optimization phase (JOIN::optimize_inner()), conditions can be "pushed" from a having clause to complement "where" conditions.

This method is st_select_lex::pushdown_from_having_into_where().
While stepping through the item tree associated with the having clause, it does this

if (item->walk(&Item::cleanup_excluding_immutables_processor, 0, STOP_PTR)

     || item->fix_fields(thd, NULL))

    // error handling

Item::cleanup_excluding_immutables_processor() modifies flags within the item tree and is not part of this problem.

Calling fix_fields() with NULL as a second parameter assumes that the item is not to be transformed in any way. In the case of Item_func_not::fix_fields() this assumption is not true. For the example query, HAVING NOT a, where a is a simple field, this item transforms itself from NOT a to equals(a, 0). Once transformed, it expects to be able to return it's transformed value in the ref parameter. NULL (nullptr) is passed in, resulting in a server crash when it attempts to write there.

The best fix is to ensure that this condition (going into the optimize phase with an Item of type Item_func_not still in any item tree) does not happen.

A process called "normalization" is applied during parsing. Any condition that consists solely of a field (i.e. a) is normalized to not_equals(a,0).

The fix here is to extend normalization to include a test for the condition "NOT a" and transform it into equals(a,0).

Rex Johnston added a comment - 2024-04-29 23:13 - edited During the optimization phase ( JOIN::optimize_inner() ), conditions can be "pushed" from a having clause to complement "where" conditions. This method is st_select_lex::pushdown_from_having_into_where() . While stepping through the item tree associated with the having clause, it does this if (item->walk(&Item::cleanup_excluding_immutables_processor, 0, STOP_PTR) || item->fix_fields(thd, NULL)) { // error handling } Item::cleanup_excluding_immutables_processor() modifies flags within the item tree and is not part of this problem. Calling fix_fields() with NULL as a second parameter assumes that the item is not to be transformed in any way. In the case of Item_func_not::fix_fields() this assumption is not true. For the example query, HAVING NOT a , where a is a simple field, this item transforms itself from NOT a to equals(a, 0) . Once transformed, it expects to be able to return it's transformed value in the ref parameter. NULL (nullptr) is passed in, resulting in a server crash when it attempts to write there. The best fix is to ensure that this condition (going into the optimize phase with an Item of type Item_func_not still in any item tree) does not happen. A process called "normalization" is applied during parsing. Any condition that consists solely of a field (i.e. a) is normalized to not_equals(a,0) . The fix here is to extend normalization to include a test for the condition "NOT a" and transform it into equals(a,0) .

Oleksandr Byelkin added a comment - 2024-06-24 14:20

OK to push

Oleksandr Byelkin added a comment - 2024-06-24 14:20 OK to push

Sergei Petrunia added a comment - 2024-07-04 16:45 - edited

For the release notes: the server could crash if one runs a query with HAVING NOT column clause where the "column" is also used in the GROUP BY {{ ... SELECT ... GROUP BY column ... HAVING NOT column}}. Other forms of HAVING clause were not affected.

Sergei Petrunia added a comment - 2024-07-04 16:45 - edited For the release notes: the server could crash if one runs a query with HAVING NOT column clause where the "column" is also used in the GROUP BY {{ ... SELECT ... GROUP BY column ... HAVING NOT column}}. Other forms of HAVING clause were not affected.

People

Assignee:: Rex Johnston

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2019-05-17 19:16

Updated:: 2024-07-04 16:47

Resolved:: 2024-06-24 18:38

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.