  1. MariaDB Server
  2. MDEV-24986

Server crash, ASAN heap-buffer-overflow, or assertion `key_buff_elements && cur_key_idx < key_buff_elements' failed in Ordered_key::add_key


Details

    • Bug
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • 10.5, 10.6
    • 10.5
    • Optimizer
    • None

    Description

      # Reproducer for the Ordered_key::add_key failure reported on this page.
      # On the affected builds listed here the SELECT below aborts mysqld.
      #
      # Lower the session limit for in-memory (HEAP) tables to 32 KiB.
      # NOTE(review): presumably this is what steers the materialized subquery
      # onto the failing path with so little data - confirm against the fix.
      SET MAX_HEAP_TABLE_SIZE= 32768;
       
      # 16 rows; column a is indexed and contains two NULLs.
      CREATE TABLE t (a INT, b INT, KEY (a));
      INSERT INTO t VALUES
        (1,3),(0,6),(146,30),(7,2),(8,5),(2,4),(0,1),(175,74),(7,1),(1,9),
        (2,3),(8,0),(9,0),(NULL,9),(NULL,8),(27,1);
       
      # Row-valued NOT IN over an unconditioned self-join of t (16 x 16 = 256
      # subquery rows, some with NULL in the first column). Per the traces on
      # this page, execution goes subselect_hash_sj_engine::exec() ->
      # subselect_rowid_merge_engine::init() -> Ordered_key::add_key(), where
      # the write lands past the end of the buffer allocated by
      # Ordered_key::alloc_keys_buffers().
      SELECT * FROM t WHERE (a, b) NOT IN (SELECT t1.a, t2.b FROM t AS t1, t AS t2);
       
      # Cleanup
      DROP TABLE t;
      

      10.5 e0ba68ba non-debug

      free(): invalid size
      210225 17:18:03 [ERROR] mysqld got signal 6 ;
       
      #3  <signal handler called>
      #4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      #5  0x00007fd0f2ea8859 in __GI_abort () at abort.c:79
      #6  0x00007fd0f2f133ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fd0f303d285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
      #7  0x00007fd0f2f1b47c in malloc_printerr (str=str@entry=0x7fd0f303b4c6 "free(): invalid size") at malloc.c:5347
      #8  0x00007fd0f2f1ccbc in _int_free (av=<optimized out>, p=0x7fd0dc04b4c0, have_lock=0) at malloc.c:4177
      #9  0x0000560420d4345f in my_bitmap_free (map=map@entry=0x7fd0dc03ddb8) at /data/src/10.5/mysys/my_bitmap.c:205
      #10 0x00005604208485d2 in Ordered_key::~Ordered_key (this=0x7fd0dc03dd68, __in_chrg=<optimized out>) at /data/src/10.5/sql/item_subselect.cc:5794
      #11 0x000056042084862d in subselect_rowid_merge_engine::~subselect_rowid_merge_engine (this=0x7fd0dc03dc50, __in_chrg=<optimized out>) at /data/src/10.5/sql/item_subselect.cc:6457
      #12 subselect_rowid_merge_engine::~subselect_rowid_merge_engine (this=0x7fd0dc03dc50, __in_chrg=<optimized out>) at /data/src/10.5/sql/item_subselect.cc:6451
      #13 0x000056042083eb4e in subselect_hash_sj_engine::cleanup (this=0x7fd0dc037f20) at /data/src/10.5/sql/item_subselect.cc:5332
      #14 0x000056042083cb8e in Item_subselect::cleanup (this=0x7fd0dc0133a8) at /data/src/10.5/sql/item_subselect.cc:155
      #15 0x0000560420515c61 in Item::delete_self (this=0x7fd0dc0133a8) at /data/src/10.5/sql/item.h:2306
      #16 Query_arena::free_items (this=this@entry=0x7fd0dc000c70) at /data/src/10.5/sql/sql_class.cc:3769
      #17 0x0000560420517b71 in THD::cleanup_after_query (this=this@entry=0x7fd0dc000c58) at /data/src/10.5/sql/sql_class.cc:2307
      #18 0x000056042055df1e in mysql_parse (thd=0x7fd0dc000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.5/sql/sql_parse.cc:8087
      #19 0x0000560420569a2f in dispatch_command (command=COM_QUERY, thd=0x7fd0dc000c58, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.5/sql/sql_class.h:1257
      #20 0x000056042056be07 in do_command (thd=0x7fd0dc000c58) at /data/src/10.5/sql/sql_parse.cc:1370
      #21 0x0000560420671be1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56042336af58, put_in_cache=put_in_cache@entry=true) at /data/src/10.5/sql/sql_connect.cc:1410
      #22 0x000056042067205d in handle_one_connection (arg=arg@entry=0x56042336af58) at /data/src/10.5/sql/sql_connect.cc:1312
      #23 0x00005604209fa9b6 in pfs_spawn_thread (arg=0x560423301b58) at /data/src/10.5/storage/perfschema/pfs.cc:2201
      #24 0x00007fd0f33b6609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #25 0x00007fd0f2fa5293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.5 e0ba68ba non-debug ASAN

      ==1202493==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6180000127a8 at pc 0x5576e530d5b4 bp 0x7f9197285d20 sp 0x7f9197285d10
      WRITE of size 8 at 0x6180000127a8 thread T5
          #0 0x5576e530d5b3 in Ordered_key::add_key(unsigned long long) /data/src/10.5/sql/item_subselect.h:1316
          #1 0x5576e530d5b3 in subselect_rowid_merge_engine::init(st_bitmap*, st_bitmap*) /data/src/10.5/sql/item_subselect.cc:6426
          #2 0x5576e530f7c0 in subselect_hash_sj_engine::exec() /data/src/10.5/sql/item_subselect.cc:5682
          #3 0x5576e52df522 in Item_subselect::exec() /data/src/10.5/sql/item_subselect.cc:806
          #4 0x5576e52df958 in Item_in_subselect::val_bool() /data/src/10.5/sql/item_subselect.cc:1865
          #5 0x5576e50e5763 in Item_in_optimizer::val_int() /data/src/10.5/sql/item_cmpfunc.cc:1650
          #6 0x5576e50e5763 in Item_in_optimizer::val_int() /data/src/10.5/sql/item_cmpfunc.cc:1558
          #7 0x5576e5038036 in Item_cache_int::cache_value() /data/src/10.5/sql/item.cc:9858
          #8 0x5576e50a34d0 in Item_cache_wrapper::cache() /data/src/10.5/sql/item.cc:8693
          #9 0x5576e508be17 in Item_cache_wrapper::val_bool() /data/src/10.5/sql/item.cc:8879
          #10 0x5576e508be17 in Item_cache_wrapper::val_bool() /data/src/10.5/sql/item.cc:8862
          #11 0x5576e50b4b45 in Item_func_not::val_int() /data/src/10.5/sql/item_cmpfunc.cc:202
          #12 0x5576e497f6dc in evaluate_join_record /data/src/10.5/sql/sql_select.cc:20785
          #13 0x5576e49bff64 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.5/sql/sql_select.cc:20687
          #14 0x5576e49bff64 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.5/sql/sql_select.cc:20616
          #15 0x5576e4a76f44 in do_select /data/src/10.5/sql/sql_select.cc:20221
          #16 0x5576e4a76f44 in JOIN::exec_inner() /data/src/10.5/sql/sql_select.cc:4467
          #17 0x5576e4a78276 in JOIN::exec() /data/src/10.5/sql/sql_select.cc:4247
          #18 0x5576e4a6fdc5 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5/sql/sql_select.cc:4720
          #19 0x5576e4a728af in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:417
          #20 0x5576e48da037 in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6282
          #21 0x5576e49095bc in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3978
          #22 0x5576e48c7bcc in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8063
          #23 0x5576e48f3748 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1889
          #24 0x5576e48f95f1 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1370
          #25 0x5576e4c9c44c in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
          #26 0x5576e4c9cfe4 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
          #27 0x5576e588e7c8 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
          #28 0x7f91a067d608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
          #29 0x7f91a0253292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      0x6180000127a8 is located 0 bytes to the right of 808-byte region [0x618000012480,0x6180000127a8)
      allocated by thread T5 here:
          #0 0x7f91a0b6bbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
          #1 0x5576e6380eac in my_malloc /data/src/10.5/mysys/my_malloc.c:90
          #2 0x5576e53087ef in Ordered_key::alloc_keys_buffers() /data/src/10.5/sql/item_subselect.cc:5894
          #3 0x5576e530abe0 in Ordered_key::init(int) /data/src/10.5/sql/item_subselect.cc:5877
          #4 0x5576e530ccb3 in subselect_rowid_merge_engine::init(st_bitmap*, st_bitmap*) /data/src/10.5/sql/item_subselect.cc:6372
          #5 0x5576e530f7c0 in subselect_hash_sj_engine::exec() /data/src/10.5/sql/item_subselect.cc:5682
          #6 0x5576e52df522 in Item_subselect::exec() /data/src/10.5/sql/item_subselect.cc:806
          #7 0x5576e52df958 in Item_in_subselect::val_bool() /data/src/10.5/sql/item_subselect.cc:1865
          #8 0x5576e50e5763 in Item_in_optimizer::val_int() /data/src/10.5/sql/item_cmpfunc.cc:1650
          #9 0x5576e50e5763 in Item_in_optimizer::val_int() /data/src/10.5/sql/item_cmpfunc.cc:1558
          #10 0x5576e5038036 in Item_cache_int::cache_value() /data/src/10.5/sql/item.cc:9858
          #11 0x5576e50a34d0 in Item_cache_wrapper::cache() /data/src/10.5/sql/item.cc:8693
          #12 0x5576e508be17 in Item_cache_wrapper::val_bool() /data/src/10.5/sql/item.cc:8879
          #13 0x5576e508be17 in Item_cache_wrapper::val_bool() /data/src/10.5/sql/item.cc:8862
          #14 0x5576e50b4b45 in Item_func_not::val_int() /data/src/10.5/sql/item_cmpfunc.cc:202
          #15 0x5576e497f6dc in evaluate_join_record /data/src/10.5/sql/sql_select.cc:20785
          #16 0x5576e49bff64 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.5/sql/sql_select.cc:20687
          #17 0x5576e49bff64 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.5/sql/sql_select.cc:20616
          #18 0x5576e4a76f44 in do_select /data/src/10.5/sql/sql_select.cc:20221
          #19 0x5576e4a76f44 in JOIN::exec_inner() /data/src/10.5/sql/sql_select.cc:4467
          #20 0x5576e4a78276 in JOIN::exec() /data/src/10.5/sql/sql_select.cc:4247
          #21 0x5576e4a6fdc5 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5/sql/sql_select.cc:4720
          #22 0x5576e4a728af in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:417
          #23 0x5576e48da037 in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6282
          #24 0x5576e49095bc in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3978
          #25 0x5576e48c7bcc in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8063
          #26 0x5576e48f3748 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1889
          #27 0x5576e48f95f1 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1370
          #28 0x5576e4c9c44c in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
          #29 0x5576e4c9cfe4 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
          #30 0x5576e588e7c8 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
          #31 0x7f91a067d608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T5 created by T0 here:
          #0 0x7f91a0a98805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
          #1 0x5576e588ea66 in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:38
          #2 0x5576e588ea66 in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
          #3 0x5576e465147e in inline_mysql_thread_create /data/src/10.5/include/mysql/psi/mysql_thread.h:1323
          #4 0x5576e465147e in create_thread_to_handle_connection(CONNECT*) /data/src/10.5/sql/mysqld.cc:6012
          #5 0x5576e465cfd4 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5/sql/mysqld.cc:6136
          #6 0x5576e465d9f2 in handle_connections_sockets() /data/src/10.5/sql/mysqld.cc:6263
          #7 0x5576e465f653 in mysqld_main(int, char**) /data/src/10.5/sql/mysqld.cc:5658
          #8 0x7f91a01580b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      SUMMARY: AddressSanitizer: heap-buffer-overflow /data/src/10.5/sql/item_subselect.h:1316 in Ordered_key::add_key(unsigned long long)
      Shadow bytes around the buggy address:
        0x0c307fffa4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c307fffa4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c307fffa4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c307fffa4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c307fffa4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c307fffa4f0: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
        0x0c307fffa500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c307fffa510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c307fffa520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c307fffa530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c307fffa540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==1202493==ABORTING
      210225 17:19:20 [ERROR] mysqld got signal 6 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning hardware.
       
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 10.5.10-MariaDB-log
      key_buffer_size=1048576
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=1
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63640 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x62b000069218
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f9197289800 thread_stack 0x5fc00
      ??:0(__interceptor_tcgetattr)[0x7f91a0acad30]
      mysys/stacktrace.c:213(my_print_stacktrace)[0x5576e638a416]
      sql/signal_handler.cc:209(handle_fatal_signal)[0x5576e4ff4b34]
      sigaction.c:0(__restore_rt)[0x7f91a06893c0]
      ??:0(gsignal)[0x7f91a017718b]
      ??:0(abort)[0x7f91a0156859]
      ??:0(__sanitizer_set_report_fd)[0x7f91a0b896a2]
      ??:0(__sanitizer_get_module_and_offset_for_pc)[0x7f91a0b9424c]
      ??:0(__sanitizer_ptr_cmp)[0x7f91a0b758ec]
      ??:0(__asan_on_error)[0x7f91a0b75363]
      ??:0(__asan_report_store8)[0x7f91a0b7674e]
      sql/item_subselect.h:1316(Ordered_key::add_key(unsigned long long))[0x5576e530d5b4]
      sql/item_subselect.cc:5680(subselect_hash_sj_engine::exec())[0x5576e530f7c1]
      sql/item_subselect.cc:811(Item_subselect::exec())[0x5576e52df523]
      sql/item_subselect.cc:1865(Item_in_subselect::val_bool())[0x5576e52df959]
      sql/item_cmpfunc.cc:1651(Item_in_optimizer::val_int())[0x5576e50e5764]
      sql/item.cc:9858(Item_cache_int::cache_value())[0x5576e5038037]
      sql/item.cc:8694(Item_cache_wrapper::cache())[0x5576e50a34d1]
      sql/item.cc:8880(Item_cache_wrapper::val_bool())[0x5576e508be18]
      sql/item_cmpfunc.cc:203(Item_func_not::val_int())[0x5576e50b4b46]
      sql/sql_select.cc:20785(evaluate_join_record(JOIN*, st_join_table*, int))[0x5576e497f6dd]
      sql/sql_select.cc:20695(sub_select(JOIN*, st_join_table*, bool))[0x5576e49bff65]
      sql/sql_select.cc:20221(JOIN::exec_inner())[0x5576e4a76f45]
      sql/sql_select.cc:4248(JOIN::exec())[0x5576e4a78277]
      sql/sql_select.cc:4722(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x5576e4a6fdc6]
      sql/sql_select.cc:417(handle_select(THD*, LEX*, select_result*, unsigned long))[0x5576e4a728b0]
      sql/sql_parse.cc:6282(execute_sqlcom_select(THD*, TABLE_LIST*))[0x5576e48da038]
      sql/sql_parse.cc:3978(mysql_execute_command(THD*))[0x5576e49095bd]
      sql/sql_parse.cc:8080(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5576e48c7bcd]
      sql/sql_parse.cc:1892(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5576e48f3749]
      sql/sql_parse.cc:1370(do_command(THD*))[0x5576e48f95f2]
      sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x5576e4c9c44d]
      sql/sql_connect.cc:1312(handle_one_connection)[0x5576e4c9cfe5]
      perfschema/pfs.cc:2204(pfs_spawn_thread)[0x5576e588e7c9]
      nptl/pthread_create.c:478(start_thread)[0x7f91a067d609]
      ??:0(clone)[0x7f91a0253293]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x62b000038238): SELECT * FROM t WHERE (a, b) NOT IN (SELECT t1.a, t2.b FROM t AS t1, t AS t2)
       
      Connection ID (thread ID): 4
      Status: NOT_KILLED
       
      Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
       
      The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
      information that should help you find out what is causing the crash.
      Writing a core file...
      Working directory at /dev/shm/var_auto_7LgB/mysqld.1/data
      Resource Limits:
      Limit                     Soft Limit           Hard Limit           Units     
      Max cpu time              unlimited            unlimited            seconds   
      Max file size             unlimited            unlimited            bytes     
      Max data size             unlimited            unlimited            bytes     
      Max stack size            8388608              unlimited            bytes     
      Max core file size        0                    0                    bytes     
      Max resident set          unlimited            unlimited            bytes     
      Max processes             385874               385874               processes 
      Max open files            1024                 1024                 files     
      Max locked memory         67108864             67108864             bytes     
      Max address space         unlimited            unlimited            bytes     
      Max file locks            unlimited            unlimited            locks     
      Max pending signals       385874               385874               signals   
      Max msgqueue size         819200               819200               bytes     
      Max nice priority         0                    0                    
      Max realtime priority     0                    0                    
      Max realtime timeout      unlimited            unlimited            us        
      Core pattern: |/usr/share/apport/apport %p %s %c %d %P %E
      

      10.5 e0ba68ba debug

      mariadbd: /data/src/10.5/sql/item_subselect.h:1315: void Ordered_key::add_key(rownum_t): Assertion `key_buff_elements && cur_key_idx < key_buff_elements' failed.
      210225 17:19:59 [ERROR] mysqld got signal 6 ;
       
      #7  0x00007f7b1689df36 in __GI___assert_fail (assertion=0x55cd675f9728 "key_buff_elements && cur_key_idx < key_buff_elements", file=0x55cd675f9320 "/data/src/10.5/sql/item_subselect.h", line=1315, function=0x55cd675f9760 "void Ordered_key::add_key(rownum_t)") at assert.c:101
      #8  0x000055cd66a9ae9f in Ordered_key::add_key (this=0x7f7b00058ce0, row_num=109) at /data/src/10.5/sql/item_subselect.h:1315
      #9  0x000055cd66a98701 in subselect_rowid_merge_engine::init (this=0x7f7b00058bc8, non_null_key_parts=0x0, partial_match_key_parts=0x7f7b00054798) at /data/src/10.5/sql/item_subselect.cc:6426
      #10 0x000055cd66a9643c in subselect_hash_sj_engine::exec (this=0x7f7b00054710) at /data/src/10.5/sql/item_subselect.cc:5682
      #11 0x000055cd66a855cf in Item_subselect::exec (this=0x7f7b000181c8) at /data/src/10.5/sql/item_subselect.cc:806
      #12 0x000055cd66a85cb5 in Item_in_subselect::exec (this=0x7f7b000181c8) at /data/src/10.5/sql/item_subselect.cc:986
      #13 0x000055cd66a89940 in Item_in_subselect::val_bool (this=0x7f7b000181c8) at /data/src/10.5/sql/item_subselect.cc:1865
      #14 0x000055cd664fa2ed in Item::val_bool_result (this=0x7f7b000181c8) at /data/src/10.5/sql/item.h:1575
      #15 0x000055cd669e79b0 in Item_in_optimizer::val_int (this=0x7f7b00019ff0) at /data/src/10.5/sql/item_cmpfunc.cc:1650
      #16 0x000055cd664fa255 in Item::val_int_result (this=0x7f7b00019ff0) at /data/src/10.5/sql/item.h:1571
      #17 0x000055cd669d584e in Item_cache_int::cache_value (this=0x7f7b00057cb8) at /data/src/10.5/sql/item.cc:9858
      #18 0x000055cd669de490 in Item_cache_wrapper::cache (this=0x7f7b00057bf0) at /data/src/10.5/sql/item.cc:8693
      #19 0x000055cd669d2823 in Item_cache_wrapper::val_bool (this=0x7f7b00057bf0) at /data/src/10.5/sql/item.cc:8879
      #20 0x000055cd669e2784 in Item_func_not::val_int (this=0x7f7b00018518) at /data/src/10.5/sql/item_cmpfunc.cc:202
      #21 0x000055cd666af8ae in evaluate_join_record (join=0x7f7b00018f50, join_tab=0x7f7b00079b90, error=0) at /data/src/10.5/sql/sql_select.cc:20785
      #22 0x000055cd666af4aa in sub_select (join=0x7f7b00018f50, join_tab=0x7f7b00079b90, end_of_records=false) at /data/src/10.5/sql/sql_select.cc:20687
      #23 0x000055cd666ae940 in do_select (join=0x7f7b00018f50, procedure=0x0) at /data/src/10.5/sql/sql_select.cc:20221
      #24 0x000055cd666822aa in JOIN::exec_inner (this=0x7f7b00018f50) at /data/src/10.5/sql/sql_select.cc:4467
      #25 0x000055cd666813cb in JOIN::exec (this=0x7f7b00018f50) at /data/src/10.5/sql/sql_select.cc:4247
      #26 0x000055cd66682bff in mysql_select (thd=0x7f7b00000db8, tables=0x7f7b000159b8, fields=..., conds=0x7f7b00018518, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f7b00018f28, unit=0x7f7b00004f60, select_lex=0x7f7b000153c8) at /data/src/10.5/sql/sql_select.cc:4720
      #27 0x000055cd6667267d in handle_select (thd=0x7f7b00000db8, lex=0x7f7b00004e98, result=0x7f7b00018f28, setup_tables_done_option=0) at /data/src/10.5/sql/sql_select.cc:417
      #28 0x000055cd66635041 in execute_sqlcom_select (thd=0x7f7b00000db8, all_tables=0x7f7b000159b8) at /data/src/10.5/sql/sql_parse.cc:6282
      #29 0x000055cd6662c0cb in mysql_execute_command (thd=0x7f7b00000db8) at /data/src/10.5/sql/sql_parse.cc:3978
      #30 0x000055cd66639ee8 in mysql_parse (thd=0x7f7b00000db8, rawbuf=0x7f7b000152d0 "SELECT * FROM t WHERE (a, b) NOT IN (SELECT t1.a, t2.b FROM t AS t1, t AS t2)", length=77, parser_state=0x7f7b11258510, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:8063
      #31 0x000055cd66625e4d in dispatch_command (command=COM_QUERY, thd=0x7f7b00000db8, packet=0x7f7b0000b589 "", packet_length=77, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:1889
      #32 0x000055cd66624641 in do_command (thd=0x7f7b00000db8) at /data/src/10.5/sql/sql_parse.cc:1370
      #33 0x000055cd667d2857 in do_handle_one_connection (connect=0x55cd697c5428, put_in_cache=true) at /data/src/10.5/sql/sql_connect.cc:1410
      #34 0x000055cd667d25ba in handle_one_connection (arg=0x55cd696cee48) at /data/src/10.5/sql/sql_connect.cc:1312
      #35 0x000055cd66d33251 in pfs_spawn_thread (arg=0x55cd697c5068) at /data/src/10.5/storage/perfschema/pfs.cc:2201
      #36 0x00007f7b16db5609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #37 0x00007f7b16989293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

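      Reproducible on 10.5 and 10.6, with at least MyISAM and InnoDB, on release, ASAN and debug builds alike, as described above.
      The three traces appear to show the same defect at different stages: the debug build stops at the bounds assertion in Ordered_key::add_key, the ASAN build reports the 8-byte write immediately past the 808-byte key buffer, and the release build fails only later with "free(): invalid size" while the subquery engine is being cleaned up.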
      Not reproducible on 10.4.
      The failure started happening on 10.5 after this merge:

      commit 45a4dbdca4d57f5826ea7bcdb7e341aecb985e29
      Merge: 9380850d874 c9fe6fbb614
      Author: Igor Babaev
      Date:   Sat Aug 31 23:39:12 2019 -0700
       
          Merge remote-tracking branch 'origin/bb-mdev-18844' into 10.5
      


            People

              psergei Sergei Petrunia
              elenst Elena Stepanova