MariaDB Server / MDEV-22786

Crashes with nested table value constructors

Details

    Description

      This statement:

      VALUES ((VALUES(1)));
      

      crashes the server with the following stack trace:

      #0  Item_field::type_handler (this=0x7fff60015588)
          at /home/bar/maria-git/server.10.3/sql/item.h:3068
      #1  0x0000000000b5a541 in subselect_engine::set_row (this=0x7fff60014ac8, item_list=..., 
          row=0x7fff60014a88) at /home/bar/maria-git/server.10.3/sql/item_subselect.cc:3749
      #2  0x0000000000b5a711 in subselect_single_select_engine::fix_length_and_dec (
          this=0x7fff60014ac8, row=0x7fff60014a88)
          at /home/bar/maria-git/server.10.3/sql/item_subselect.cc:3766
      #3  0x0000000000b4fdae in Item_singlerow_subselect::fix_length_and_dec (
          this=0x7fff60014940) at /home/bar/maria-git/server.10.3/sql/item_subselect.cc:1208
      #4  0x0000000000b4d62e in Item_subselect::fix_fields (this=0x7fff60014940, 
          thd_param=0x7fff60000d90, ref=0x0)
          at /home/bar/maria-git/server.10.3/sql/item_subselect.cc:316
      #5  0x000000000067d13e in Item::fix_fields_if_needed (this=0x7fff60014940, 
          thd=0x7fff60000d90, ref=0x0) at /home/bar/maria-git/server.10.3/sql/item.h:825
      #6  0x0000000000984e47 in fix_fields_for_tvc (thd=0x7fff60000d90, li=...)
          at /home/bar/maria-git/server.10.3/sql/sql_tvc.cc:62
      #7  0x00000000009854c1 in table_value_constr::prepare (this=0x7fff600144e0, 
          thd=0x7fff60000d90, sl=0x7fff60013870, tmp_result=0x7fff60016b18, 
          unit_arg=0x7fff600156a8) at /home/bar/maria-git/server.10.3/sql/sql_tvc.cc:238
      #8  0x000000000086d430 in st_select_lex_unit::prepare (this=0x7fff600156a8, 
          derived_arg=0x7fff60015e60, sel_result=0x7fff60016a30, additional_options=0)
          at /home/bar/maria-git/server.10.3/sql/sql_union.cc:1018
      #9  0x000000000072c701 in mysql_derived_prepare (thd=0x7fff60000d90, lex=0x7fff60004b98, 
          derived=0x7fff60015e60) at /home/bar/maria-git/server.10.3/sql/sql_derived.cc:770
      #10 0x000000000072b2c3 in mysql_handle_single_derived (lex=0x7fff60004b98, 
          derived=0x7fff60015e60, phases=2)
          at /home/bar/maria-git/server.10.3/sql/sql_derived.cc:199
      #11 0x000000000089b868 in TABLE_LIST::handle_derived (this=0x7fff60015e60, 
          lex=0x7fff60004b98, phases=2) at /home/bar/maria-git/server.10.3/sql/table.cc:8292
      #12 0x00000000007447c8 in LEX::handle_list_of_derived (this=0x7fff60004b98, 
          table_list=0x7fff60015e60, phases=2)
          at /home/bar/maria-git/server.10.3/sql/sql_lex.h:3997
      #13 0x0000000000750912 in st_select_lex::handle_derived (this=0x7fff60015170, 
          lex=0x7fff60004b98, phases=2) at /home/bar/maria-git/server.10.3/sql/sql_lex.cc:4143
      #14 0x00000000007bb4ee in JOIN::prepare (this=0x7fff600164c8, tables_init=0x7fff60015e60, 
          wild_num=1, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, 
          group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fff60015170, 
          unit_arg=0x7fff60013c88) at /home/bar/maria-git/server.10.3/sql/sql_select.cc:1036
      #15 0x0000000000b5a37f in subselect_single_select_engine::prepare (this=0x7fff60014ac8, 
          thd=0x7fff60000d90) at /home/bar/maria-git/server.10.3/sql/item_subselect.cc:3686
      #16 0x0000000000b4d422 in Item_subselect::fix_fields (this=0x7fff60014940, 
          thd_param=0x7fff60000d90, ref=0x0)
      

          Activity

            Roel Van de Paar added a comment - edited

            The issue also affects optimized builds

            VALUES ((VALUES(1)));
            

            Leads to:

            10.5.6 1c587481966abc7a9ad5309d0a91ca920f7a5657 (Debug)

            Core was generated by `/test/MD110820-mariadb-10.5.6-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
                at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
            [Current thread is 1 (Thread 0x1536e9e71700 (LWP 1878992))]
            (gdb) bt
            #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
            #1  0x00005640b83d1b86 in my_write_core (sig=sig@entry=11) at /test/10.5_dbg/mysys/stacktrace.c:519
            #2  0x00005640b7b88d7b in handle_fatal_signal (sig=11) at /test/10.5_dbg/sql/signal_handler.cc:330
            #3  <signal handler called>
            #4  0x00005640b7bc3acf in Item_field::type_handler (this=<optimized out>) at /test/10.5_dbg/sql/item.h:3450
            #5  0x00005640b7c7c4bc in subselect_engine::set_row (this=this@entry=0x1536c5875660, item_list=@0x1536c5876260: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1536c5876b10, last = 0x1536c5876b10, elements = 1}, <No data fields>}, row=row@entry=0x1536c5875620) at /test/10.5_dbg/sql/item_subselect.cc:3837
            #6  0x00005640b7c7c5aa in subselect_single_select_engine::fix_length_and_dec (this=0x1536c5875660, row=0x1536c5875620) at /test/10.5_dbg/sql/item_subselect.cc:3854
            #7  0x00005640b7c75f4e in Item_singlerow_subselect::fix_length_and_dec (this=0x1536c58754b8) at /test/10.5_dbg/sql/item_subselect.cc:1254
            #8  0x00005640b7c7a774 in Item_subselect::fix_fields (this=0x1536c58754b8, thd_param=<optimized out>, ref=0x0) at /test/10.5_dbg/sql/item_subselect.cc:325
            #9  0x00005640b7ae1d29 in Item::fix_fields_if_needed (ref=0x0, thd=0x1536c5815088, this=0x1536c58754b8) at /test/10.5_dbg/sql/item.h:982
            #10 fix_fields_for_tvc (thd=thd@entry=0x1536c5815088, li=@0x1536e9e6dee0: {<base_list_iterator> = {list = 0x1536c5874c68, el = 0x1536c5874c50, prev = 0x0, current = 0x0}, <No data fields>}) at /test/10.5_dbg/sql/sql_tvc.cc:92
            #11 0x00005640b7ae2221 in table_value_constr::prepare (this=0x1536c5874c60, thd=0x1536c5815088, sl=sl@entry=0x1536c5874718, tmp_result=tmp_result@entry=0x1536c5878088, unit_arg=unit_arg@entry=0x1536c5876b20) at /test/10.5_dbg/sql/sql_tvc.cc:268
            #12 0x00005640b79c94eb in st_select_lex_unit::prepare (this=this@entry=0x1536c5876b20, derived_arg=derived_arg@entry=0x1536c5877350, sel_result=<optimized out>, additional_options=additional_options@entry=0) at /test/10.5_dbg/sql/sql_union.cc:1563
            #13 0x00005640b788fac6 in mysql_derived_prepare (thd=0x1536c5815088, lex=0x1536c5818fd8, derived=0x1536c5877350) at /test/10.5_dbg/sql/sql_derived.cc:816
            #14 0x00005640b788df3d in mysql_handle_single_derived (lex=lex@entry=0x1536c5818fd8, derived=derived@entry=0x1536c5877350, phases=phases@entry=2) at /test/10.5_dbg/sql/sql_derived.cc:206
            #15 0x00005640b79ed275 in TABLE_LIST::handle_derived (this=this@entry=0x1536c5877350, lex=lex@entry=0x1536c5818fd8, phases=phases@entry=2) at /test/10.5_dbg/sql/table.cc:9095
            #16 0x00005640b78b09e3 in LEX::handle_list_of_derived (phases=2, table_list=<optimized out>, this=0x1536c5818fd8) at /test/10.5_dbg/sql/sql_lex.h:4424
            #17 st_select_lex::handle_derived (this=<optimized out>, lex=0x1536c5818fd8, phases=phases@entry=2) at /test/10.5_dbg/sql/sql_lex.cc:4866
            #18 0x00005640b794b6b2 in JOIN::prepare (this=0x1536c5877a30, tables_init=<optimized out>, conds_init=<optimized out>, og_num=0, order_init=0x0, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x1536c5876110, unit_arg=0x1536c5874cb8) at /test/10.5_dbg/sql/sql_select.cc:1149
            #19 0x00005640b7c7b3b3 in subselect_single_select_engine::prepare (this=0x1536c5875660, thd=0x1536c5815088) at /test/10.5_dbg/sql/item_subselect.cc:3775
            #20 0x00005640b7c7a507 in Item_subselect::fix_fields (this=0x1536c58754b8, thd_param=<optimized out>, ref=0x0) at /test/10.5_dbg/sql/item_subselect.cc:285
            #21 0x00005640b7ae1d29 in Item::fix_fields_if_needed (ref=0x0, thd=0x1536c5815088, this=0x1536c58754b8) at /test/10.5_dbg/sql/item.h:982
            #22 fix_fields_for_tvc (thd=thd@entry=0x1536c5815088, li=@0x1536e9e6f4c0: {<base_list_iterator> = {list = 0x1536c58756d8, el = 0x1536c58756c0, prev = 0x0, current = 0x0}, <No data fields>}) at /test/10.5_dbg/sql/sql_tvc.cc:92
            #23 0x00005640b7ae2221 in table_value_constr::prepare (this=0x1536c58756d0, thd=0x1536c5815088, sl=sl@entry=0x1536c5874290, tmp_result=tmp_result@entry=0x1536c5875ff8, unit_arg=unit_arg@entry=0x1536c58190a0) at /test/10.5_dbg/sql/sql_tvc.cc:268
            #24 0x00005640b79c94eb in st_select_lex_unit::prepare (this=this@entry=0x1536c58190a0, derived_arg=0x0, sel_result=sel_result@entry=0x1536c5875fd0, additional_options=additional_options@entry=2199023255552) at /test/10.5_dbg/sql/sql_union.cc:1563
            #25 0x00005640b79cb09b in mysql_union (thd=thd@entry=0x1536c5815088, lex=lex@entry=0x1536c5818fd8, result=result@entry=0x1536c5875fd0, unit=unit@entry=0x1536c58190a0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_union.cc:39
            #26 0x00005640b79596b6 in handle_select (thd=thd@entry=0x1536c5815088, lex=lex@entry=0x1536c5818fd8, result=result@entry=0x1536c5875fd0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_select.cc:407
            #27 0x00005640b78e1d72 in execute_sqlcom_select (thd=thd@entry=0x1536c5815088, all_tables=0x0) at /test/10.5_dbg/sql/sql_parse.cc:6210
            #28 0x00005640b78dae46 in mysql_execute_command (thd=thd@entry=0x1536c5815088) at /test/10.5_dbg/sql/sql_parse.cc:3932
            #29 0x00005640b78e7d4e in mysql_parse (thd=thd@entry=0x1536c5815088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1536e9e70350, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7994
            #30 0x00005640b78d477e in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1536c5815088, packet=packet@entry=0x1536c5867089 "VALUES ((VALUES(1)))", packet_length=packet_length@entry=20, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1867
            #31 0x00005640b78d2f58 in do_command (thd=0x1536c5815088) at /test/10.5_dbg/sql/sql_parse.cc:1348
            #32 0x00005640b7a2fbc9 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x1536c8cd0808, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1410
            #33 0x00005640b7a302e5 in handle_one_connection (arg=arg@entry=0x1536c8cd0808) at /test/10.5_dbg/sql/sql_connect.cc:1312
            #34 0x00005640b7e96572 in pfs_spawn_thread (arg=0x1536e6c46508) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
            #35 0x00001536e8dea6db in start_thread (arg=0x1536e9e71700) at pthread_create.c:463
            #36 0x00001536e81e8a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            

            10.6.0 9118fd360a3da0bba521caf2a35c424968235ac4 (Debug)

            Core was generated by `/test/MD010121-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
                at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
            [Current thread is 1 (Thread 0x14641c6a2700 (LWP 911091))]
            (gdb) bt
            #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
            #1  0x000055dba7baf0d7 in my_write_core (sig=sig@entry=11) at /test/10.6_dbg/mysys/stacktrace.c:424
            #2  0x000055dba7343ab1 in handle_fatal_signal (sig=11) at /test/10.6_dbg/sql/signal_handler.cc:330
            #3  <signal handler called>
            #4  0x000055dba738408d in Item_field::type_handler (this=<optimized out>) at /test/10.6_dbg/sql/item.h:3458
            #5  0x000055dba745b2ec in subselect_engine::set_row (this=this@entry=0x1463d8013c70, item_list=@0x1463d8014870: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1463d8015110, last = 0x1463d8015110, elements = 1}, <No data fields>}, row=row@entry=0x1463d8013c30) at /test/10.6_dbg/sql/item_subselect.cc:3838
            #6  0x000055dba745b3de in subselect_single_select_engine::fix_length_and_dec (this=0x1463d8013c70, row=0x1463d8013c30) at /test/10.6_dbg/sql/item_subselect.cc:3855
            #7  0x000055dba745100a in Item_singlerow_subselect::fix_length_and_dec (this=0x1463d8013ac8) at /test/10.6_dbg/sql/item_subselect.cc:1254
            #8  0x000055dba7456a82 in Item_subselect::fix_fields (this=0x1463d8013ac8, thd_param=<optimized out>, ref=0x0) at /test/10.6_dbg/sql/item_subselect.cc:325
            #9  0x000055dba7299170 in Item::fix_fields_if_needed (ref=0x0, thd=0x1463d8000db8, this=0x1463d8013ac8) at /test/10.6_dbg/sql/sql_list.h:443
            #10 fix_fields_for_tvc (thd=thd@entry=0x1463d8000db8, li=@0x14641c69f1a0: {<base_list_iterator> = {list = 0x1463d8013278, el = 0x1463d8013260, prev = 0x0, current = 0x0}, <No data fields>}) at /test/10.6_dbg/sql/sql_tvc.cc:93
            #11 0x000055dba7299685 in table_value_constr::prepare (this=0x1463d8013270, thd=0x1463d8000db8, sl=sl@entry=0x1463d8012d30, tmp_result=tmp_result@entry=0x1463d8016688, unit_arg=unit_arg@entry=0x1463d8015120) at /test/10.6_dbg/sql/sql_tvc.cc:269
            #12 0x000055dba71703b0 in st_select_lex_unit::prepare (this=this@entry=0x1463d8015120, derived_arg=derived_arg@entry=0x1463d8015950, sel_result=<optimized out>, additional_options=additional_options@entry=0) at /test/10.6_dbg/sql/sql_union.cc:1567
            #13 0x000055dba7022be8 in mysql_derived_prepare (thd=0x1463d8000db8, lex=0x1463d8004eb8, derived=0x1463d8015950) at /test/10.6_dbg/sql/sql_derived.cc:816
            #14 0x000055dba7020f0c in mysql_handle_single_derived (lex=lex@entry=0x1463d8004eb8, derived=derived@entry=0x1463d8015950, phases=phases@entry=2) at /test/10.6_dbg/sql/sql_derived.cc:206
            #15 0x000055dba719539b in TABLE_LIST::handle_derived (this=this@entry=0x1463d8015950, lex=lex@entry=0x1463d8004eb8, phases=phases@entry=2) at /test/10.6_dbg/sql/table.cc:9120
            #16 0x000055dba70455c5 in LEX::handle_list_of_derived (phases=2, table_list=<optimized out>, this=0x1463d8004eb8) at /test/10.6_dbg/sql/table.h:2704
            #17 st_select_lex::handle_derived (this=<optimized out>, lex=0x1463d8004eb8, phases=phases@entry=2) at /test/10.6_dbg/sql/sql_lex.cc:4911
            #18 0x000055dba70e5f55 in JOIN::prepare (this=0x1463d8016030, tables_init=<optimized out>, conds_init=<optimized out>, og_num=0, order_init=0x0, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x1463d8014720, unit_arg=0x1463d80132c8) at /test/10.6_dbg/sql/sql_select.cc:1158
            #19 0x000055dba74578e8 in subselect_single_select_engine::prepare (this=0x1463d8013c70, thd=0x1463d8000db8) at /test/10.6_dbg/sql/sql_lex.h:1350
            #20 0x000055dba7456a35 in Item_subselect::fix_fields (this=0x1463d8013ac8, thd_param=<optimized out>, ref=0x0) at /test/10.6_dbg/sql/item_subselect.cc:285
            #21 0x000055dba7299170 in Item::fix_fields_if_needed (ref=0x0, thd=0x1463d8000db8, this=0x1463d8013ac8) at /test/10.6_dbg/sql/sql_list.h:443
            #22 fix_fields_for_tvc (thd=thd@entry=0x1463d8000db8, li=@0x14641c6a0740: {<base_list_iterator> = {list = 0x1463d8013ce8, el = 0x1463d8013cd0, prev = 0x0, current = 0x0}, <No data fields>}) at /test/10.6_dbg/sql/sql_tvc.cc:93
            #23 0x000055dba7299685 in table_value_constr::prepare (this=0x1463d8013ce0, thd=0x1463d8000db8, sl=sl@entry=0x1463d80128b0, tmp_result=tmp_result@entry=0x1463d8014608, unit_arg=unit_arg@entry=0x1463d8004f80) at /test/10.6_dbg/sql/sql_tvc.cc:269
            #24 0x000055dba71703b0 in st_select_lex_unit::prepare (this=this@entry=0x1463d8004f80, derived_arg=0x0, sel_result=sel_result@entry=0x1463d80145e0, additional_options=additional_options@entry=2199023255552) at /test/10.6_dbg/sql/sql_union.cc:1567
            #25 0x000055dba7171fde in mysql_union (thd=thd@entry=0x1463d8000db8, lex=lex@entry=0x1463d8004eb8, result=result@entry=0x1463d80145e0, unit=unit@entry=0x1463d8004f80, setup_tables_done_option=<optimized out>, setup_tables_done_option@entry=0) at /test/10.6_dbg/sql/sql_union.cc:39
            #26 0x000055dba70ffc0e in handle_select (thd=thd@entry=0x1463d8000db8, lex=lex@entry=0x1463d8004eb8, result=result@entry=0x1463d80145e0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.6_dbg/sql/sql_select.cc:407
            #27 0x000055dba707219d in execute_sqlcom_select (thd=thd@entry=0x1463d8000db8, all_tables=0x0) at /test/10.6_dbg/sql/sql_parse.cc:6116
            #28 0x000055dba707ec7c in mysql_execute_command (thd=thd@entry=0x1463d8000db8) at /test/10.6_dbg/sql/sql_parse.cc:3820
            #29 0x000055dba706b072 in mysql_parse (thd=thd@entry=0x1463d8000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14641c6a13d0) at /test/10.6_dbg/sql/sql_parse.cc:7881
            #30 0x000055dba70791ec in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1463d8000db8, packet=packet@entry=0x1463d8008d39 "VALUES ((VALUES(1)))", packet_length=packet_length@entry=20) at /test/10.6_dbg/sql/sql_class.h:1293
            #31 0x000055dba707c52d in do_command (thd=0x1463d8000db8) at /test/10.6_dbg/sql/sql_parse.cc:1348
            #32 0x000055dba71d87fc in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55dbaaa03458, put_in_cache=put_in_cache@entry=true) at /test/10.6_dbg/sql/sql_connect.cc:1410
            #33 0x000055dba71d8f03 in handle_one_connection (arg=arg@entry=0x55dbaaa03458) at /test/10.6_dbg/sql/sql_connect.cc:1312
            #34 0x000055dba768e88f in pfs_spawn_thread (arg=0x55dbaa94f8b8) at /test/10.6_dbg/storage/perfschema/pfs.cc:2201
            #35 0x000014641f76e609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #36 0x000014641f35d293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            

            Bug confirmed present in:
            MariaDB: 10.3.28 (dbg), 10.3.28 (opt), 10.4.18 (dbg), 10.4.18 (opt), 10.5.9 (opt), 10.6.0 (dbg), 10.6.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.2.37 (dbg), 10.2.37 (opt), 10.5.9 (dbg)
            MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.50 (dbg), 5.6.50 (opt), 5.7.32 (dbg), 5.7.32 (opt), 8.0.22 (dbg), 8.0.22 (opt)
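Added example (not part of the original report and not MariaDB code): a Python helper that reduces gdb backtraces to a crash signature, so the 10.3 trace from the description and the 10.6.0 trace above can be compared despite different addresses, line numbers and signal-handler frames, and that lists functions occurring twice on the stack. The sample traces are abridged from this page (arguments elided as `(...)`, source locations dropped from frame #9 on); the function names `parse_frames`, `crash_signature` and `reentered` are illustrative.

```python
import re

# Abridged from this page: 10.3 frames #0-#4 from the description (wrapped as
# posted) and 10.6.0 frames #0-#22 with arguments elided as (...).
TRACE_10_3 = """\
#0  Item_field::type_handler (this=0x7fff60015588)
    at /home/bar/maria-git/server.10.3/sql/item.h:3068
#1  0x0000000000b5a541 in subselect_engine::set_row (this=0x7fff60014ac8, item_list=...,
    row=0x7fff60014a88) at /home/bar/maria-git/server.10.3/sql/item_subselect.cc:3749
#2  0x0000000000b5a711 in subselect_single_select_engine::fix_length_and_dec (
    this=0x7fff60014ac8, row=0x7fff60014a88)
    at /home/bar/maria-git/server.10.3/sql/item_subselect.cc:3766
#3  0x0000000000b4fdae in Item_singlerow_subselect::fix_length_and_dec (
    this=0x7fff60014940) at /home/bar/maria-git/server.10.3/sql/item_subselect.cc:1208
#4  0x0000000000b4d62e in Item_subselect::fix_fields (this=0x7fff60014940,
    thd_param=0x7fff60000d90, ref=0x0)
    at /home/bar/maria-git/server.10.3/sql/item_subselect.cc:316
"""
TRACE_10_6 = """\
#0  __pthread_kill (...) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x14641c6a2700 (LWP 911091))]
(gdb) bt
#0  __pthread_kill (...) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x000055dba7baf0d7 in my_write_core (...) at /test/10.6_dbg/mysys/stacktrace.c:424
#2  0x000055dba7343ab1 in handle_fatal_signal (...) at /test/10.6_dbg/sql/signal_handler.cc:330
#3  <signal handler called>
#4  0x000055dba738408d in Item_field::type_handler (...) at /test/10.6_dbg/sql/item.h:3458
#5  0x000055dba745b2ec in subselect_engine::set_row (...) at /test/10.6_dbg/sql/item_subselect.cc:3838
#6  0x000055dba745b3de in subselect_single_select_engine::fix_length_and_dec (...) at /test/10.6_dbg/sql/item_subselect.cc:3855
#7  0x000055dba745100a in Item_singlerow_subselect::fix_length_and_dec (...) at /test/10.6_dbg/sql/item_subselect.cc:1254
#8  0x000055dba7456a82 in Item_subselect::fix_fields (...) at /test/10.6_dbg/sql/item_subselect.cc:325
#9  0x000055dba7299170 in Item::fix_fields_if_needed (...)
#10 fix_fields_for_tvc (...)
#11 0x000055dba7299685 in table_value_constr::prepare (...)
#12 0x000055dba71703b0 in st_select_lex_unit::prepare (...)
#13 0x000055dba7022be8 in mysql_derived_prepare (...)
#14 0x000055dba7020f0c in mysql_handle_single_derived (...)
#15 0x000055dba719539b in TABLE_LIST::handle_derived (...)
#16 0x000055dba70455c5 in LEX::handle_list_of_derived (...)
#17 st_select_lex::handle_derived (...)
#18 0x000055dba70e5f55 in JOIN::prepare (...)
#19 0x000055dba74578e8 in subselect_single_select_engine::prepare (...)
#20 0x000055dba7456a35 in Item_subselect::fix_fields (...)
#21 0x000055dba7299170 in Item::fix_fields_if_needed (...)
#22 fix_fields_for_tvc (...)
"""

SIGNAL_MARK = "<signal handler called>"
FRAME_START = re.compile(r"^\s*#(\d+)\s+")
# Optional "0xADDR in " prefix (absent for frame #0 and inlined frames), then the name.
FRAME_NAME = re.compile(r"(?:0x[0-9a-fA-F]+\s+in\s+)?(<signal handler called>|[^\s(]+)")


def parse_frames(bt_text):
    """Return function names from a gdb backtrace, innermost frame first."""
    frames = []
    for line in bt_text.splitlines():
        start = FRAME_START.match(line)
        if start:
            if start.group(1) == "0":
                frames = []  # gdb shows frame #0 on core load and again after `bt`
            frames.append(line[start.end():])
        elif frames and line.startswith((" ", "\t")):
            frames[-1] += " " + line.strip()  # wrapped continuation of a frame
    matches = (FRAME_NAME.match(f) for f in frames)
    return [m.group(1) for m in matches if m]


def crash_signature(bt_text, depth=5):
    """Top `depth` function names below the signal handler, if one is present."""
    names = parse_frames(bt_text)
    if SIGNAL_MARK in names:
        names = names[names.index(SIGNAL_MARK) + 1:]
    return tuple(names[:depth])


def reentered(names):
    """Functions that occur more than once on the stack, in order of re-entry."""
    seen, twice = set(), []
    for name in names:
        if name in seen and name not in twice:
            twice.append(name)
        seen.add(name)
    return twice


if __name__ == "__main__":
    print("same signature:", crash_signature(TRACE_10_3) == crash_signature(TRACE_10_6))
    print("re-entered:", reentered(parse_frames(TRACE_10_6)))
```
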


            10.2.34 (Optimized)

            10.2.34>VALUES ((VALUES(1)));
            ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'VALUES ((VALUES(1)))' at line 1
            

            Roel Van de Paar added the comment above.
            alice Alice Sherepa added a comment -

            probably the same problem:

            VALUES ((select 1));
            

            10.3 bc2dc83cb56851144a8

            201209 15:26:43 [ERROR] mysqld got signal 11 ;
             
            /lib/x86_64-linux-gnu/libpthread.so.0(+0x12730)[0x7fa992383730]
            sql/item_subselect.cc:294(Item_subselect::fix_fields(THD*, Item**))[0x562111632b53]
            sql/item.h:830(Item::fix_fields_if_needed(THD*, Item**))[0x5621109eac4f]
            sql/sql_tvc.cc:62(fix_fields_for_tvc(THD*, List_iterator_fast<List<Item> >&))[0x5621111eaf94]
            sql/sql_tvc.cc:238(table_value_constr::prepare(THD*, st_select_lex*, select_result*, st_select_lex_unit*))[0x5621111ec0a9]
            sql/sql_union.cc:1038(st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long))[0x562110f1ea5f]
            sql/sql_union.cc:39(mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long))[0x562110f148df]
            sql/sql_select.cc:360(handle_select(THD*, LEX*, select_result*, unsigned long))[0x562110d169a5]
            sql/sql_parse.cc:6316(execute_sqlcom_select(THD*, TABLE_LIST*))[0x562110c8316a]
            sql/sql_parse.cc:3847(mysql_execute_command(THD*))[0x562110c70caa]
            sql/sql_parse.cc:7837(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x562110c8d219]
            sql/sql_parse.cc:1855(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x562110c63936]
            sql/sql_parse.cc:1398(do_command(THD*))[0x562110c60071]
            sql/sql_connect.cc:1403(do_handle_one_connection(CONNECT*))[0x562111050367]
            sql/sql_connect.cc:1309(handle_one_connection)[0x56211104fc1f]
            perfschema/pfs.cc:1871(pfs_spawn_thread)[0x5621127b31d3]
            nptl/pthread_create.c:487(start_thread)[0x7fa992378fa3]
            x86_64/clone.S:97(clone)[0x7fa991cfc4cf]
             
            Query (0x62b000000410): VALUES ((select 1))
            


            Testcase by Alice against all versions. Note the stack is quite different.

            VALUES ((SELECT 1));
            

            Leads to:

            10.6.0 9118fd360a3da0bba521caf2a35c424968235ac4 (Debug)

            Core was generated by `/test/MD010121-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
                at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
            [Current thread is 1 (Thread 0x151cd4c38700 (LWP 877639))]
            (gdb) bt
            #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
            #1  0x000055cb56dd70d7 in my_write_core (sig=sig@entry=11) at /test/10.6_dbg/mysys/stacktrace.c:424
            #2  0x000055cb5656bab1 in handle_fatal_signal (sig=11) at /test/10.6_dbg/sql/signal_handler.cc:330
            #3  <signal handler called>
            #4  0x000055cb5667ebac in Item_subselect::fix_fields (this=0x151c98013a58, thd_param=<optimized out>, ref=0x0) at /test/10.6_dbg/sql/item_subselect.cc:303
            #5  0x000055cb564c1170 in Item::fix_fields_if_needed (ref=0x0, thd=0x151c98000db8, this=0x151c98013a58) at /test/10.6_dbg/sql/sql_list.h:443
            #6  fix_fields_for_tvc (thd=thd@entry=0x151c98000db8, li=@0x151cd4c36740: {<base_list_iterator> = {list = 0x151c98013c78, el = 0x151c98013c60, prev = 0x0, current = 0x0}, <No data fields>}) at /test/10.6_dbg/sql/sql_tvc.cc:93
            #7  0x000055cb564c1685 in table_value_constr::prepare (this=0x151c98013c70, thd=0x151c98000db8, sl=sl@entry=0x151c980128b0, tmp_result=tmp_result@entry=0x151c98014598, unit_arg=unit_arg@entry=0x151c98004f80) at /test/10.6_dbg/sql/sql_tvc.cc:269
            #8  0x000055cb563983b0 in st_select_lex_unit::prepare (this=this@entry=0x151c98004f80, derived_arg=0x0, sel_result=sel_result@entry=0x151c98014570, additional_options=additional_options@entry=2199023255552) at /test/10.6_dbg/sql/sql_union.cc:1567
            #9  0x000055cb56399fde in mysql_union (thd=thd@entry=0x151c98000db8, lex=lex@entry=0x151c98004eb8, result=result@entry=0x151c98014570, unit=unit@entry=0x151c98004f80, setup_tables_done_option=<optimized out>, setup_tables_done_option@entry=0) at /test/10.6_dbg/sql/sql_union.cc:39
            #10 0x000055cb56327c0e in handle_select (thd=thd@entry=0x151c98000db8, lex=lex@entry=0x151c98004eb8, result=result@entry=0x151c98014570, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.6_dbg/sql/sql_select.cc:407
            #11 0x000055cb5629a19d in execute_sqlcom_select (thd=thd@entry=0x151c98000db8, all_tables=0x0) at /test/10.6_dbg/sql/sql_parse.cc:6116
            #12 0x000055cb562a6c7c in mysql_execute_command (thd=thd@entry=0x151c98000db8) at /test/10.6_dbg/sql/sql_parse.cc:3820
            #13 0x000055cb56293072 in mysql_parse (thd=thd@entry=0x151c98000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x151cd4c373d0) at /test/10.6_dbg/sql/sql_parse.cc:7881
            #14 0x000055cb562a11ec in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x151c98000db8, packet=packet@entry=0x151c98008d39 "VALUES ((SELECT 1))", packet_length=packet_length@entry=19) at /test/10.6_dbg/sql/sql_class.h:1293
            #15 0x000055cb562a452d in do_command (thd=0x151c98000db8) at /test/10.6_dbg/sql/sql_parse.cc:1348
            #16 0x000055cb564007fc in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55cb5879ab68, put_in_cache=put_in_cache@entry=true) at /test/10.6_dbg/sql/sql_connect.cc:1410
            #17 0x000055cb56400f03 in handle_one_connection (arg=arg@entry=0x55cb5879ab68) at /test/10.6_dbg/sql/sql_connect.cc:1312
            #18 0x000055cb568b688f in pfs_spawn_thread (arg=0x55cb586a1f58) at /test/10.6_dbg/storage/perfschema/pfs.cc:2201
            #19 0x0000151ce9fcd609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #20 0x0000151ce9bbc293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            

            Bug confirmed present in:
            MariaDB: 10.3.28 (dbg), 10.3.28 (opt), 10.4.18 (dbg), 10.4.18 (opt), 10.5.9 (dbg), 10.5.9 (opt), 10.6.0 (dbg), 10.6.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.2.37 (dbg), 10.2.37 (opt)
            MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.50 (dbg), 5.6.50 (opt), 5.7.32 (dbg), 5.7.32 (opt), 8.0.22 (dbg), 8.0.22 (opt)

            Roel Van de Paar added the comment above.

            Unique IDs seen so far. First line: first testcase, second + third line: testcase by Alice.

            SIGSEGV|Item_field::type_handler|subselect_engine::set_row|subselect_single_select_engine::fix_length_and_dec|Item_singlerow_subselect::fix_length_and_dec
            SIGSEGV|Item_subselect::fix_fields|Item::fix_fields_if_needed|Item::fix_fields_if_needed|fix_fields_for_tvc
            SIGSEGV|Item_subselect::fix_fields|Item::fix_fields_if_needed|fix_fields_for_tvc|table_value_constr::prepare
            

            Roel Van de Paar added the comment above.

            The problem is that when parsing TVC we use some variables that are global for the processed query. They are LEX::fields, LEX::many_values, LEX::insert_list. We need counterpart variables local for TVC. In order not to modify all the code in the grammar rules that currently uses those globals, we save the globals' values when entering a TVC and restore them when leaving the TVC. Here's a diff that does it:

            diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
            index b8f6610..cd2a43b 100644
            --- a/sql/sql_lex.cc
            +++ b/sql/sql_lex.cc
            @@ -2421,6 +2421,9 @@ void st_select_lex::init_select()
               with_dep= 0;
               join= 0;
               lock_type= TL_READ_DEFAULT;
            +  save_field_list.empty();
            +  save_many_values.empty();
            +  save_insert_list= 0;
               tvc= 0;
               in_funcs.empty();
               curr_tvc_name= 0;
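            Review bot: the three save_* resets added to init_select() carry no comment, yet tvc_finalize() copies exactly these members back into field_list, many_values and insert_list even at nest_level 0, where tvc_start() saves nothing and only calls init_select(). Please add a one-line comment here naming tvc_start()/tvc_finalize(), so the resets are not removed or reordered later as apparently unused.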
            @@ -8276,16 +8279,33 @@ bool LEX::last_field_generated_always_as_row_end()
             }
             
             
            +void LEX::tvc_start()
            +{
            +  if (!nest_level)
            +    current_select->init_select();
            +  else
            +  {
            +    current_select->save_field_list= field_list;
            +    current_select->save_many_values= many_values;
            +    current_select->save_insert_list= insert_list;
            +  }
            +  field_list.empty();
            +  many_values.empty();
            +  insert_list= 0;
            +}
            +
            +
             bool LEX::tvc_finalize()
             {
            -  mysql_init_select(this);
               if (unlikely(!(current_select->tvc=
                            new (thd->mem_root)
                            table_value_constr(many_values,
                                               current_select,
                                               current_select->options))))
                 return true;
            -  many_values.empty();
            +  field_list= current_select->save_field_list;
            +  many_values= current_select->save_many_values;
            +  insert_list= current_select->save_insert_list;
               if (!current_select->master_unit()->fake_select_lex)
                 current_select->master_unit()->add_fake_select_lex(thd);
               return false;
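            Review bot: tvc_finalize() no longer calls mysql_init_select(this), and tvc_start() calls init_select() only under "if (!nest_level)", so a nested TVC's select is not re-initialised on this path and the top-level one is now initialised before its rows are parsed instead of after. Please confirm both are intended and that nothing else mysql_init_select() did is still needed. The restore also assumes current_select in tvc_finalize() is the same select that tvc_start() saved into; a comment or assertion stating that would help.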
            diff --git a/sql/sql_lex.h b/sql/sql_lex.h
            index 55929ed..c8e014d 100644
            --- a/sql/sql_lex.h
            +++ b/sql/sql_lex.h
            @@ -1175,6 +1175,9 @@ class st_select_lex: public st_select_lex_node
               /* it is for correct printing SELECT options */
               thr_lock_type lock_type;
               
            +  List<Item> save_field_list;
            +  List<List_item> save_many_values;
            +  List<Item> *save_insert_list;
               table_value_constr *tvc;
               bool in_tvc;
             
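            Review bot: the new save_field_list, save_many_values and save_insert_list members have no comment of their own and sit directly under "it is for correct printing SELECT options", which describes lock_type only. Please add a comment saying they hold the enclosing statement's LEX lists while a nested TVC is parsed, and separate them from lock_type with a blank line.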
            @@ -4045,12 +4048,7 @@ struct LEX: public Query_tables_list
                 return false;
               }
             
            -  void tvc_start()
            -  {
            -    field_list.empty();
            -    many_values.empty();
            -    insert_list= 0;
            -  }
            +  void tvc_start();
               bool tvc_finalize();
               bool tvc_finalize_derived();
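            Review bot: tvc_finalize_derived(), declared two lines below the changed tvc_start() declaration, is not touched by this patch, so a TVC that ends through it gets the save done in tvc_start() at nest_level > 0 but no matching restore of field_list, many_values and insert_list. It needs the same three restore assignments that tvc_finalize() gained, ideally through a shared helper so the two paths cannot drift apart.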
            

            With the above code (after the fix of MDEV-24675!!!) I had:

            MariaDB [test]> values ((values(2)));
            +-------------+
            | (values(2)) |
            +-------------+
            |           2 |
            +-------------+
            MariaDB [test]> select (values(2)) union values ((values(3)));
            +-------------+
            | (values(2)) |
            +-------------+
            |           2 |
            |           3 |
            +-------------+
            MariaDB [test]> values ((values(2)),(values(3)));
            +-------------+-------------+
            | (values(2)) | (values(3)) |
            +-------------+-------------+
            |           2 |           3 |
            +-------------+-------------+
            MariaDB [test]> values ((values(2))) union values((values(3)));
            +-------------+
            | (values(2)) |
            +-------------+
            |           2 |
            |           3 |
            +-------------+
            

            Most probably we have to change LEX::tvc_finalize_derived() similarly to how it's done in the above diff for LEX::tvc_finalize().

            Igor Babaev added the comment above.
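
The save-on-entry, restore-on-exit idea from the comment above, as an added example (not part of the thread and not MariaDB code): a toy recursive-descent parser whose rows are built through shared `many_values`/`insert_list` state, run with and without the save/restore. `Parser`, `SharedState`, `render` and `parse_and_render` are hypothetical names, the row action that allocates `insert_list` is an assumption about the grammar, and the saved state lives on the call stack here rather than in `st_select_lex`.

```cpp
#include <cctype>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

struct Tvc;
struct Elem { int value = 0; std::shared_ptr<Tvc> sub; };  // literal or nested TVC
using Row = std::vector<Elem>;
using RowPtr = std::shared_ptr<Row>;
struct Tvc { std::vector<Row> rows; };
// Parser-wide lists shared by all grammar actions (the role LEX::many_values and
// LEX::insert_list play; field_list is left out of this model).
struct SharedState { std::vector<RowPtr> many_values; RowPtr insert_list; };

class Parser {
  std::string src; std::size_t pos = 0;
  bool save_restore;  // false: old tvc_start/tvc_finalize, true: as in the diff
  SharedState lex;
  bool eat(const std::string &tok) {  // skip blanks, then try to consume tok
    while (pos < src.size() && std::isspace((unsigned char)src[pos])) ++pos;
    if (src.compare(pos, tok.size(), tok) != 0) return false;
    pos += tok.size();
    return true;
  }
  void expect(const std::string &t) { if (!eat(t)) throw std::runtime_error("syntax error"); }
  SharedState tvc_start() {
    SharedState saved = save_restore ? lex : SharedState();  // old code saved nothing
    lex = SharedState();  // many_values.empty(); insert_list= 0;
    return saved;
  }
  Tvc tvc_finalize(const SharedState &saved) {
    Tvc tvc;
    for (const RowPtr &r : lex.many_values) tvc.rows.push_back(*r);
    if (save_restore) lex = saved;  // give the enclosing row back
    else lex.many_values.clear();   // old code: insert_list still points at the inner row
    return tvc;
  }
  Elem parse_elem() {
    Elem e;
    if (eat("(")) {  // parenthesised nested constructor
      e.sub = std::make_shared<Tvc>(parse_tvc());
      expect(")");
      return e;
    }
    std::size_t start = pos;
    while (pos < src.size() && std::isdigit((unsigned char)src[pos])) ++pos;
    if (start == pos) throw std::runtime_error("expected integer literal");
    e.value = std::stoi(src.substr(start, pos - start));
    return e;
  }
  void parse_row() {
    expect("(");
    lex.insert_list = std::make_shared<Row>();  // assumed grammar action at row start
    do {
      Elem e = parse_elem();          // may recurse into a nested TVC
      lex.insert_list->push_back(e);  // appends to whatever insert_list is now
    } while (eat(","));
    expect(")");
    lex.many_values.push_back(lex.insert_list);
  }
 public:
  Parser(const std::string &s, bool fix) : src(s), save_restore(fix) {}
  Tvc parse_tvc() {
    expect("VALUES");
    SharedState saved = tvc_start();
    do parse_row(); while (eat(","));
    return tvc_finalize(saved);
  }
};

std::string render(const Tvc &t) {  // e.g. {(1,2),(3,4)}, nested TVCs inline
  std::string out;
  for (const Row &row : t.rows) {
    std::string cols;
    for (const Elem &e : row)
      cols += (cols.empty() ? "" : ",") + (e.sub ? render(*e.sub) : std::to_string(e.value));
    out += (out.empty() ? "(" : ",(") + cols + ")";
  }
  return "{" + out + "}";
}
std::string parse_and_render(const std::string &sql, bool fix) {
  return render(Parser(sql, fix).parse_tvc());
}
```

With `fix=false` the statement from the report renders as `{(1,{(1)})}`: the outer element was appended to the inner constructor's row, so the outer row has a stray column. With `fix=true` it renders as `{({(1)})}`.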

            There is actually another more serious bug in wrap_tvc() that causes different crashes for nested TVCs.
            The code of wrap_tvc() must be re-written.

            Igor Babaev added the comment above.

            A fix for this bug was pushed into 10.3

            Igor Babaev added the comment above.

            People

              igor Igor Babaev (Inactive)
              bar Alexander Barkov