Details
-
Bug
-
Status: In Review (View Workflow)
-
Critical
-
Resolution: Unresolved
-
10.5, 10.6, 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4, 11.5(EOL), 11.6(EOL), 11.7(EOL)
-
Q2/2025 Development
Description
SET SQL_MODE='ORACLE';
|
CREATE TABLE t (c CHAR(1)) ENGINE=InnoDB;
|
INSERT INTO t VALUES(0), (1), (1), (1), (1);
|
SELECT * FROM t UNION SELECT * FROM t INTERSECT ALL SELECT * FROM t;
|
Leads to:
|
10.6.0 8dd35a2507f8d63ca8df9335d2c6072d5c0e3b86 (Optimized) |
Core was generated by `/test/MD160321-mariadb-10.6.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
|
at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
|
[Current thread is 1 (Thread 0x14b8807b0700 (LWP 3114391))]
|
(gdb) bt
|
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
|
#1 0x000055d2d41af26f in my_write_core (sig=sig@entry=11) at /test/10.6_opt/mysys/stacktrace.c:424
|
#2 0x000055d2d3c2a5e0 in handle_fatal_signal (sig=11) at /test/10.6_opt/sql/signal_handler.cc:331
|
#3 <signal handler called>
|
#4 0x000055d2d3f3c29f in hp_rec_key_cmp (keydef=keydef@entry=0x14b82804d9c8, rec1=0x3 <error: Cannot access memory at address 0x3>, rec2=rec2@entry=0x14b82804cd58 "\377\376") at /test/10.6_opt/storage/heap/hp_hash.c:389
|
#5 0x000055d2d3f3a557 in ha_heap::find_unique_row (this=0x14b82804cec0, record=0x14b82804cd58 "\377\376", unique_idx=<optimized out>) at /test/10.6_opt/storage/heap/ha_heap.cc:813
|
#6 0x000055d2d3ad3f83 in select_unit_ext::send_data (this=0x14b828013a38, values=<optimized out>) at /test/10.6_opt/sql/sql_union.cc:670
|
#7 0x000055d2d3a72b5e in select_result_sink::send_data_with_check (u=<optimized out>, sent=<optimized out>, items=@0x14b828012d70: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14b8280131e8, last = 0x14b8280131e8, elements = 1}, <No data fields>}, this=<optimized out>) at /test/10.6_opt/sql/sql_class.h:5554
|
#8 select_result_sink::send_data_with_check (sent=<optimized out>, u=<optimized out>, items=@0x14b828012d70: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14b8280131e8, last = 0x14b8280131e8, elements = 1}, <No data fields>}, this=<optimized out>) at /test/10.6_opt/sql/sql_class.h:5544
|
#9 end_send (join=0x14b828014a28, join_tab=0x14b828051be8, end_of_records=<optimized out>) at /test/10.6_opt/sql/sql_select.cc:21952
|
#10 0x000055d2d3a4a9de in evaluate_join_record (join=0x14b828014a28, join_tab=0x14b828051838, error=<optimized out>) at /test/10.6_opt/sql/sql_select.cc:20975
|
#11 0x000055d2d3a5bb9b in sub_select (end_of_records=false, join_tab=0x14b828051838, join=0x14b828014a28) at /test/10.6_opt/sql/sql_select.cc:20752
|
#12 sub_select (join=0x14b828014a28, join_tab=0x14b828051838, end_of_records=false) at /test/10.6_opt/sql/sql_select.cc:20681
|
#13 0x000055d2d3a898c2 in do_select (procedure=<optimized out>, join=0x14b828014a28) at /test/10.6_opt/sql/sql_select.cc:20299
|
#14 JOIN::exec_inner (this=0x14b828014a28) at /test/10.6_opt/sql/sql_select.cc:4477
|
#15 0x000055d2d3a89c78 in JOIN::exec (this=0x14b828014a28) at /test/10.6_opt/sql/sql_select.cc:4257
|
#16 0x000055d2d3ad6edc in st_select_lex_unit::exec (this=0x14b828004c70) at /test/10.6_opt/sql/sql_union.cc:2235
|
#17 0x000055d2d3adaf18 in mysql_union (thd=thd@entry=0x14b828000c58, lex=lex@entry=0x14b828004ba8, result=result@entry=0x14b828013a10, unit=unit@entry=0x14b828004c70, setup_tables_done_option=<optimized out>) at /test/10.6_opt/sql/sql_union.cc:41
|
#18 0x000055d2d3a884da in handle_select (thd=thd@entry=0x14b828000c58, lex=lex@entry=0x14b828004ba8, result=result@entry=0x14b828013a10, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.6_opt/sql/sql_select.cc:407
|
#19 0x000055d2d3a18e8e in execute_sqlcom_select (thd=0x14b828000c58, all_tables=0x14b828010ba8) at /test/10.6_opt/sql/sql_parse.cc:6230
|
#20 0x000055d2d3a26de7 in mysql_execute_command (thd=0x14b828000c58) at /test/10.6_opt/sql/sql_parse.cc:3926
|
#21 0x000055d2d3a13dc4 in mysql_parse (thd=0x14b828000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.6_opt/sql/sql_parse.cc:7998
|
#22 0x000055d2d3a1fd2d in dispatch_command (command=COM_QUERY, thd=0x14b828000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.6_opt/sql/sql_class.h:1318
|
#23 0x000055d2d3a21db6 in do_command (thd=0x14b828000c58, blocking=blocking@entry=true) at /test/10.6_opt/sql/sql_parse.cc:1397
|
#24 0x000055d2d3b24557 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/10.6_opt/sql/sql_connect.cc:1410
|
#25 0x000055d2d3b248bd in handle_one_connection (arg=arg@entry=0x55d2d62dc148) at /test/10.6_opt/sql/sql_connect.cc:1312
|
#26 0x000055d2d3ea4f97 in pfs_spawn_thread (arg=0x55d2d6257f68) at /test/10.6_opt/storage/perfschema/pfs.cc:2201
|
#27 0x000014b884831609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#28 0x000014b884420293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
|
10.5.10 031b3dfc22c3d37769d49da902401b26a24f12b4 (Optimized) |
Core was generated by `/test/MD160321-mariadb-10.5.10-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
|
at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
|
[Current thread is 1 (Thread 0x154928a62700 (LWP 3115332))]
|
(gdb) bt
|
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
|
#1 0x000056359cf64fdf in my_write_core (sig=sig@entry=11) at /test/10.5_opt/mysys/stacktrace.c:424
|
#2 0x000056359c985820 in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:331
|
#3 <signal handler called>
|
#4 0x000056359cca227f in hp_rec_key_cmp (keydef=keydef@entry=0x1548ec04ec28, rec1=0x3 <error: Cannot access memory at address 0x3>, rec2=rec2@entry=0x1548ec04dfb8 "\377\376") at /test/10.5_opt/storage/heap/hp_hash.c:389
|
#5 0x000056359cca0537 in ha_heap::find_unique_row (this=0x1548ec04e120, record=0x1548ec04dfb8 "\377\376", unique_idx=<optimized out>) at /test/10.5_opt/storage/heap/ha_heap.cc:813
|
#6 0x000056359c8292f3 in select_unit_ext::send_data (this=0x1548ec013978, values=<optimized out>) at /test/10.5_opt/sql/sql_union.cc:670
|
#7 0x000056359c7c710e in select_result_sink::send_data_with_check (u=<optimized out>, sent=<optimized out>, items=@0x1548ec012cb0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1548ec013128, last = 0x1548ec013128, elements = 1}, <No data fields>}, this=<optimized out>) at /test/10.5_opt/sql/sql_class.h:5328
|
#8 select_result_sink::send_data_with_check (sent=<optimized out>, u=<optimized out>, items=@0x1548ec012cb0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1548ec013128, last = 0x1548ec013128, elements = 1}, <No data fields>}, this=<optimized out>) at /test/10.5_opt/sql/sql_class.h:5318
|
#9 end_send (join=0x1548ec014968, join_tab=0x1548ec052de8, end_of_records=<optimized out>) at /test/10.5_opt/sql/sql_select.cc:21973
|
#10 0x000056359c79edd0 in evaluate_join_record (join=join@entry=0x1548ec014968, join_tab=join_tab@entry=0x1548ec052a40, error=<optimized out>) at /test/10.5_opt/sql/sql_select.cc:21004
|
#11 0x000056359c7aff6b in sub_select (end_of_records=false, join_tab=0x1548ec052a40, join=0x1548ec014968) at /test/10.5_opt/sql/sql_select.cc:20781
|
#12 sub_select (join=0x1548ec014968, join_tab=0x1548ec052a40, end_of_records=false) at /test/10.5_opt/sql/sql_select.cc:20710
|
#13 0x000056359c7de372 in do_select (procedure=<optimized out>, join=0x1548ec014968) at /test/10.5_opt/sql/sql_select.cc:20315
|
#14 JOIN::exec_inner (this=0x1548ec014968) at /test/10.5_opt/sql/sql_select.cc:4467
|
#15 0x000056359c7de728 in JOIN::exec (this=0x1548ec014968) at /test/10.5_opt/sql/sql_select.cc:4247
|
#16 0x000056359c82c36c in st_select_lex_unit::exec (this=0x1548ec004c48) at /test/10.5_opt/sql/sql_union.cc:2235
|
#17 0x000056359c8303a8 in mysql_union (thd=thd@entry=0x1548ec000c58, lex=lex@entry=0x1548ec004b80, result=result@entry=0x1548ec013950, unit=unit@entry=0x1548ec004c48, setup_tables_done_option=<optimized out>) at /test/10.5_opt/sql/sql_union.cc:41
|
#18 0x000056359c7dcf8a in handle_select (thd=thd@entry=0x1548ec000c58, lex=lex@entry=0x1548ec004b80, result=result@entry=0x1548ec013950, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_opt/sql/sql_select.cc:407
|
#19 0x000056359c76bc0e in execute_sqlcom_select (thd=0x1548ec000c58, all_tables=0x1548ec010ae8) at /test/10.5_opt/sql/sql_parse.cc:6308
|
#20 0x000056359c77a348 in mysql_execute_command (thd=0x1548ec000c58) at /test/10.5_opt/sql/sql_parse.cc:4004
|
#21 0x000056359c7667f6 in mysql_parse (thd=thd@entry=0x1548ec000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x154928a61420, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:8089
|
#22 0x000056359c772f97 in dispatch_command (command=COM_QUERY, thd=0x1548ec000c58, packet=0x1548ec008059 "SELECT * FROM t UNION SELECT * FROM t INTERSECT ALL SELECT * FROM t", packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_class.h:1257
|
#23 0x000056359c7753ba in do_command (thd=0x1548ec000c58) at /test/10.5_opt/sql/sql_parse.cc:1370
|
#24 0x000056359c87aac1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56359fe24c38, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1410
|
#25 0x000056359c87af3d in handle_one_connection (arg=arg@entry=0x56359fe24c38) at /test/10.5_opt/sql/sql_connect.cc:1312
|
#26 0x000056359cc09077 in pfs_spawn_thread (arg=0x56359fda2028) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
|
#27 0x000015493edd1609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#28 0x000015493e9c0293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
Bug confirmed present in:
MariaDB: 10.5.10 (opt), 10.6.0 (opt)
Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.38 (opt), 10.3.29 (opt), 10.4.19 (opt)
Attachments
Issue Links
- is caused by
-
MDEV-18844 Implement EXCEPT ALL and INTERSECT ALL operations
-
- Closed
-
- is duplicated by
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
Activity
Also observed stack corruption
|
10.11.8 3a069644682e336e445039e48baae9693f9a08ee (Debug) |
mariadbd: /test/10.11_dbg/sql/sql_union.cc:784: virtual bool select_unit_ext::send_eof(): Assertion `curr_op_type != INTERSECT_ALL' failed.
|
|
10.11.8 3a069644682e336e445039e48baae9693f9a08ee (Debug) |
Core was generated by `/test/MD130524-mariadb-10.11.8-linux-x86_64-dbg/bin/mariadbd --no-defaults --th'.
|
Program terminated with signal SIGABRT, Aborted.
|
#0 0x000014e613c9999b in ?? ()
|
[Current thread is 1 (LWP 106762)]
|
(gdb) bt
|
#0 0x000014e613c9999b in ?? ()
|
Backtrace stopped: Cannot access memory at address 0x14e5ec10f0f0
|
Server crashes with slightly different stack when we use non-default charset/collation in the test case
CREATE TABLE t (c CHAR(1) NOT NULL) DEFAULT COLLATE=utf32_unicode_ci; |
SET GLOBAL sql_mode=ORACLE; |
SET sql_mode=DEFAULT; |
INSERT t VALUES (1); |
SELECT * FROM t UNION SELECT * FROM t INTERSECT ALL SELECT * FROM t; |
SIGSEGV|my_mb_wc_utf32_quick|my_uca_scanner_next_utf32|my_uca_scanner_next_utf32|my_uca_strnncollsp_onelevel_utf32
|
SIGSEGV|my_mb_wc_utf32_quick|my_uca_scanner_next_utf32|my_uca_strnncollsp_onelevel_utf32|my_uca_strnncollsp_utf32
|
--source include/have_innodb.inc
|
SET GLOBAL sql_mode='ORACLE'; |
SET sql_mode=DEFAULT; |
CREATE TABLE t (c INT) ENGINE=InnoDB; |
INSERT INTO t (c) VALUES (1); |
SELECT * FROM t UNION SELECT * FROM t EXCEPT ALL SELECT * FROM t; |
Leads to additional stack:
SIGSEGV|hp_rec_key_cmp|ha_heap::find_unique_row|select_unit_ext::send_data|select_result_sink::send_data_with_check
|
And
--source include/have_innodb.inc
|
SET GLOBAL sql_mode='ORACLE'; |
SET sql_mode=DEFAULT; |
CREATE TABLE t (c INT KEY) ENGINE=InnoDB; |
INSERT INTO t (c) VALUES (1); |
SELECT * FROM t UNION SELECT * FROM t EXCEPT ALL SELECT * FROM t; |
Leads to additional stack:
SIGSEGV|__memcmp_evex_movbe|hp_rec_key_cmp|ha_heap::find_unique_row|select_unit_ext::send_data
|
Please review
778956949a0 (HEAD -> bb-10.5-midenok2, mariadb/bb-10.5-midenok2) MDEV-25158 Segfault on INTERSECT ALL with UNION in Oracle mode
Another testcase with slightly different stack
SIGSEGV|my_charlen_utf8mb4|my_ismbchar|my_charpos_mb|my_ci_charpos11.5.0 929c2e06aae47f2dabf51b843ac84911de95bc7f (Optimized)
Core was generated by `/test/MD290224-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.Program terminated with signal SIGSEGV, Segmentation fault.#0 my_charlen_utf8mb4 (cs=0x5626122d28e0 <my_charset_utf8mb4_general_ci>,s=0xc <error: Cannot access memory at address 0xc>,e=0x10 <error: Cannot access memory at address 0x10>)at /test/server_opt/strings/ctype-utf8.c:3140[Current thread is 1 (Thread 0x146c6e1ef700 (LWP 2824718))](gdb) bt#0 my_charlen_utf8mb4 (cs=0x5626122d28e0 <my_charset_utf8mb4_general_ci>, s=0xc <error: Cannot access memory at address 0xc>, e=0x10 <error: Cannot access memory at address 0x10>) at /test/server_opt/strings/ctype-utf8.c:3140#1 0x00005626117a96d6 in my_ismbchar (end=0x10 <error: Cannot access memory at address 0x10>, str=0xc <error: Cannot access memory at address 0xc>, cs=0x5626122d28e0 <my_charset_utf8mb4_general_ci>) at /test/server_opt/include/m_ctype.h:1861#2 my_charpos_mb (cs=0x5626122d28e0 <my_charset_utf8mb4_general_ci>, pos=0xc <error: Cannot access memory at address 0xc>, end=0x10 <error: Cannot access memory at address 0x10>, length=1) at /test/server_opt/strings/ctype-mb.c:284#3 0x000056261152a2bf in my_ci_charpos (pos=1, e=0x10 <error: Cannot access memory at address 0x10>, b=0xc <error: Cannot access memory at address 0xc>, cs=0x5626122d28e0 <my_charset_utf8mb4_general_ci>) at /test/server_opt/include/m_ctype.h:1172#4 hp_charpos (num=1, e=0x10 <error: Cannot access memory at address 0x10>, b=0xc <error: Cannot access memory at address 0xc>, cs=0x5626122d28e0 <my_charset_utf8mb4_general_ci>) at /test/server_opt/storage/heap/hp_hash.c:27#5 hp_rec_key_cmp (keydef=keydef@entry=0x146c400596d8, rec1=0x3 <error: Cannot access memory at address 0x3>, rec2=rec2@entry=0x146c40058900 "\377") at /test/server_opt/storage/heap/hp_hash.c:405#6 0x0000562611528457 in ha_heap::find_unique_row (this=0x146c40058b70, record=0x146c40058900 "\377", unique_idx=<optimized out>) at /test/server_opt/storage/heap/ha_heap.cc:872#7 0x0000562611075633 in select_unit_ext::send_data (this=0x146c40019af8, values=<optimized out>) at /test/server_opt/sql/sql_union.cc:676#8 0x0000562611008c3c in select_result_sink::send_data_with_check (u=<optimized out>, sent=<optimized out>, items=@0x146c40018f50: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x146c40019280, last = 0x146c40019280, elements = 1}, <No data fields>}, this=<optimized out>) at /test/server_opt/sql/sql_class.h:6064#9 select_result_sink::send_data_with_check (sent=<optimized out>, u=<optimized out>, items=@0x146c40018f50: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x146c40019280, last = 0x146c40019280, elements = 1}, <No data fields>}, this=<optimized out>) at /test/server_opt/sql/sql_class.h:6054#10 end_send (join=0x146c400543b0, join_tab=0x146c4005e240, end_of_records=<optimized out>) at /test/server_opt/sql/sql_select.cc:24911#11 0x0000562610fdbfd7 in evaluate_join_record (join=0x146c400543b0, join_tab=0x146c4005ddd0, error=<optimized out>) at /test/server_opt/sql/sql_select.cc:23837#12 0x0000562610fee084 in sub_select (join=0x146c400543b0, join_tab=0x146c4005ddd0, end_of_records=false) at /test/server_opt/sql/sql_select.cc:23604#13 0x00005626110210dd in do_select (procedure=<optimized out>, join=0x146c400543b0) at /test/server_opt/sql/sql_select.cc:23115#14 JOIN::exec_inner (this=0x146c400543b0) at /test/server_opt/sql/sql_select.cc:4988#15 0x00005626110214fe in JOIN::exec (this=0x146c400543b0) at /test/server_opt/sql/sql_select.cc:4774#16 0x0000562611077fbc in st_select_lex_unit::exec_inner (this=0x146c40004f18) at /test/server_opt/sql/sql_union.cc:2388#17 0x000056261107b068 in mysql_union (thd=thd@entry=0x146c40000c58, lex=lex@entry=0x146c40004e38, result=result@entry=0x146c40019ad0, unit=unit@entry=0x146c40004f18, setup_tables_done_option=<optimized out>) at /test/server_opt/sql/sql_union.cc:45#18 0x000056261101fc5a in handle_select (thd=thd@entry=0x146c40000c58, lex=lex@entry=0x146c40004e38, result=result@entry=0x146c40019ad0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/server_opt/sql/sql_select.cc:620#19 0x0000562610f98d2e in execute_sqlcom_select (thd=0x146c40000c58, all_tables=0x146c40016b08) at /test/server_opt/sql/sql_parse.cc:6094#20 0x0000562610fa74c1 in mysql_execute_command (thd=0x146c40000c58, is_called_from_prepared_stmt=<optimized out>) at /test/server_opt/sql/sql_parse.cc:3943#21 0x0000562610f93786 in mysql_parse (thd=0x146c40000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/server_opt/sql/sql_parse.cc:7815#22 0x0000562610f9fe95 in dispatch_command (command=COM_QUERY, thd=0x146c40000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/server_opt/sql/sql_class.h:1604#23 0x0000562610fa221e in do_command (thd=0x146c40000c58, blocking=blocking@entry=true) at /test/server_opt/sql/sql_parse.cc:1406#24 0x00005626110d3137 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/server_opt/sql/sql_connect.cc:1437#25 0x00005626110d347d in handle_one_connection (arg=arg@entry=0x56261382d6b8) at /test/server_opt/sql/sql_connect.cc:1339#26 0x000056261148441c in pfs_spawn_thread (arg=0x562613853df8) at /test/server_opt/storage/perfschema/pfs.cc:2201#27 0x0000146c92636609 in start_thread (arg=<optimized out>) at pthread_create.c:477#28 0x0000146c92222133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95