[MDEV-25158] Segfault on INTERSECT ALL with UNION in Oracle mode - Jira

Details

Type: Bug
Status: Stalled (View Workflow)
Priority: Critical
Resolution: Unresolved
Affects Version/s: 10.5, 10.6, 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4, 11.5(EOL), 11.6(EOL), 11.7(EOL)
Fix Version/s: 10.5, 10.6, 10.11, 11.4
Component/s: Server
Labels:

Sprint:
Q2/2025 Development

Description

SET SQL_MODE='ORACLE';

CREATE TABLE t (c CHAR(1)) ENGINE=InnoDB;

INSERT INTO t VALUES(0), (1), (1), (1), (1);

SELECT * FROM t UNION SELECT * FROM t INTERSECT ALL SELECT * FROM t;

Leads to:

10.6.0 8dd35a2507f8d63ca8df9335d2c6072d5c0e3b86 (Optimized)
Core was generated by `/test/MD160321-mariadb-10.6.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x14b8807b0700 (LWP 3114391))]
(gdb) bt
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1 0x000055d2d41af26f in my_write_core (sig=sig@entry=11) at /test/10.6_opt/mysys/stacktrace.c:424
#2 0x000055d2d3c2a5e0 in handle_fatal_signal (sig=11) at /test/10.6_opt/sql/signal_handler.cc:331
#3 <signal handler called>
#4 0x000055d2d3f3c29f in hp_rec_key_cmp (keydef=keydef@entry=0x14b82804d9c8, rec1=0x3 <error: Cannot access memory at address 0x3>, rec2=rec2@entry=0x14b82804cd58 "\377\376") at /test/10.6_opt/storage/heap/hp_hash.c:389
#5 0x000055d2d3f3a557 in ha_heap::find_unique_row (this=0x14b82804cec0, record=0x14b82804cd58 "\377\376", unique_idx=<optimized out>) at /test/10.6_opt/storage/heap/ha_heap.cc:813
#6 0x000055d2d3ad3f83 in select_unit_ext::send_data (this=0x14b828013a38, values=<optimized out>) at /test/10.6_opt/sql/sql_union.cc:670
#7 0x000055d2d3a72b5e in select_result_sink::send_data_with_check (u=<optimized out>, sent=<optimized out>, items=@0x14b828012d70: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14b8280131e8, last = 0x14b8280131e8, elements = 1}, <No data fields>}, this=<optimized out>) at /test/10.6_opt/sql/sql_class.h:5554
#8 select_result_sink::send_data_with_check (sent=<optimized out>, u=<optimized out>, items=@0x14b828012d70: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14b8280131e8, last = 0x14b8280131e8, elements = 1}, <No data fields>}, this=<optimized out>) at /test/10.6_opt/sql/sql_class.h:5544
#9 end_send (join=0x14b828014a28, join_tab=0x14b828051be8, end_of_records=<optimized out>) at /test/10.6_opt/sql/sql_select.cc:21952
#10 0x000055d2d3a4a9de in evaluate_join_record (join=0x14b828014a28, join_tab=0x14b828051838, error=<optimized out>) at /test/10.6_opt/sql/sql_select.cc:20975
#11 0x000055d2d3a5bb9b in sub_select (end_of_records=false, join_tab=0x14b828051838, join=0x14b828014a28) at /test/10.6_opt/sql/sql_select.cc:20752
#12 sub_select (join=0x14b828014a28, join_tab=0x14b828051838, end_of_records=false) at /test/10.6_opt/sql/sql_select.cc:20681
#13 0x000055d2d3a898c2 in do_select (procedure=<optimized out>, join=0x14b828014a28) at /test/10.6_opt/sql/sql_select.cc:20299
#14 JOIN::exec_inner (this=0x14b828014a28) at /test/10.6_opt/sql/sql_select.cc:4477
#15 0x000055d2d3a89c78 in JOIN::exec (this=0x14b828014a28) at /test/10.6_opt/sql/sql_select.cc:4257
#16 0x000055d2d3ad6edc in st_select_lex_unit::exec (this=0x14b828004c70) at /test/10.6_opt/sql/sql_union.cc:2235
#17 0x000055d2d3adaf18 in mysql_union (thd=thd@entry=0x14b828000c58, lex=lex@entry=0x14b828004ba8, result=result@entry=0x14b828013a10, unit=unit@entry=0x14b828004c70, setup_tables_done_option=<optimized out>) at /test/10.6_opt/sql/sql_union.cc:41
#18 0x000055d2d3a884da in handle_select (thd=thd@entry=0x14b828000c58, lex=lex@entry=0x14b828004ba8, result=result@entry=0x14b828013a10, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.6_opt/sql/sql_select.cc:407
#19 0x000055d2d3a18e8e in execute_sqlcom_select (thd=0x14b828000c58, all_tables=0x14b828010ba8) at /test/10.6_opt/sql/sql_parse.cc:6230
#20 0x000055d2d3a26de7 in mysql_execute_command (thd=0x14b828000c58) at /test/10.6_opt/sql/sql_parse.cc:3926
#21 0x000055d2d3a13dc4 in mysql_parse (thd=0x14b828000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.6_opt/sql/sql_parse.cc:7998
#22 0x000055d2d3a1fd2d in dispatch_command (command=COM_QUERY, thd=0x14b828000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.6_opt/sql/sql_class.h:1318
#23 0x000055d2d3a21db6 in do_command (thd=0x14b828000c58, blocking=blocking@entry=true) at /test/10.6_opt/sql/sql_parse.cc:1397
#24 0x000055d2d3b24557 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/10.6_opt/sql/sql_connect.cc:1410
#25 0x000055d2d3b248bd in handle_one_connection (arg=arg@entry=0x55d2d62dc148) at /test/10.6_opt/sql/sql_connect.cc:1312
#26 0x000055d2d3ea4f97 in pfs_spawn_thread (arg=0x55d2d6257f68) at /test/10.6_opt/storage/perfschema/pfs.cc:2201
#27 0x000014b884831609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#28 0x000014b884420293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.5.10 031b3dfc22c3d37769d49da902401b26a24f12b4 (Optimized)
Core was generated by `/test/MD160321-mariadb-10.5.10-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x154928a62700 (LWP 3115332))]
(gdb) bt
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1 0x000056359cf64fdf in my_write_core (sig=sig@entry=11) at /test/10.5_opt/mysys/stacktrace.c:424
#2 0x000056359c985820 in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:331
#3 <signal handler called>
#4 0x000056359cca227f in hp_rec_key_cmp (keydef=keydef@entry=0x1548ec04ec28, rec1=0x3 <error: Cannot access memory at address 0x3>, rec2=rec2@entry=0x1548ec04dfb8 "\377\376") at /test/10.5_opt/storage/heap/hp_hash.c:389
#5 0x000056359cca0537 in ha_heap::find_unique_row (this=0x1548ec04e120, record=0x1548ec04dfb8 "\377\376", unique_idx=<optimized out>) at /test/10.5_opt/storage/heap/ha_heap.cc:813
#6 0x000056359c8292f3 in select_unit_ext::send_data (this=0x1548ec013978, values=<optimized out>) at /test/10.5_opt/sql/sql_union.cc:670
#7 0x000056359c7c710e in select_result_sink::send_data_with_check (u=<optimized out>, sent=<optimized out>, items=@0x1548ec012cb0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1548ec013128, last = 0x1548ec013128, elements = 1}, <No data fields>}, this=<optimized out>) at /test/10.5_opt/sql/sql_class.h:5328
#8 select_result_sink::send_data_with_check (sent=<optimized out>, u=<optimized out>, items=@0x1548ec012cb0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1548ec013128, last = 0x1548ec013128, elements = 1}, <No data fields>}, this=<optimized out>) at /test/10.5_opt/sql/sql_class.h:5318
#9 end_send (join=0x1548ec014968, join_tab=0x1548ec052de8, end_of_records=<optimized out>) at /test/10.5_opt/sql/sql_select.cc:21973
#10 0x000056359c79edd0 in evaluate_join_record (join=join@entry=0x1548ec014968, join_tab=join_tab@entry=0x1548ec052a40, error=<optimized out>) at /test/10.5_opt/sql/sql_select.cc:21004
#11 0x000056359c7aff6b in sub_select (end_of_records=false, join_tab=0x1548ec052a40, join=0x1548ec014968) at /test/10.5_opt/sql/sql_select.cc:20781
#12 sub_select (join=0x1548ec014968, join_tab=0x1548ec052a40, end_of_records=false) at /test/10.5_opt/sql/sql_select.cc:20710
#13 0x000056359c7de372 in do_select (procedure=<optimized out>, join=0x1548ec014968) at /test/10.5_opt/sql/sql_select.cc:20315
#14 JOIN::exec_inner (this=0x1548ec014968) at /test/10.5_opt/sql/sql_select.cc:4467
#15 0x000056359c7de728 in JOIN::exec (this=0x1548ec014968) at /test/10.5_opt/sql/sql_select.cc:4247
#16 0x000056359c82c36c in st_select_lex_unit::exec (this=0x1548ec004c48) at /test/10.5_opt/sql/sql_union.cc:2235
#17 0x000056359c8303a8 in mysql_union (thd=thd@entry=0x1548ec000c58, lex=lex@entry=0x1548ec004b80, result=result@entry=0x1548ec013950, unit=unit@entry=0x1548ec004c48, setup_tables_done_option=<optimized out>) at /test/10.5_opt/sql/sql_union.cc:41
#18 0x000056359c7dcf8a in handle_select (thd=thd@entry=0x1548ec000c58, lex=lex@entry=0x1548ec004b80, result=result@entry=0x1548ec013950, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_opt/sql/sql_select.cc:407
#19 0x000056359c76bc0e in execute_sqlcom_select (thd=0x1548ec000c58, all_tables=0x1548ec010ae8) at /test/10.5_opt/sql/sql_parse.cc:6308
#20 0x000056359c77a348 in mysql_execute_command (thd=0x1548ec000c58) at /test/10.5_opt/sql/sql_parse.cc:4004
#21 0x000056359c7667f6 in mysql_parse (thd=thd@entry=0x1548ec000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x154928a61420, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:8089
#22 0x000056359c772f97 in dispatch_command (command=COM_QUERY, thd=0x1548ec000c58, packet=0x1548ec008059 "SELECT * FROM t UNION SELECT * FROM t INTERSECT ALL SELECT * FROM t", packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_class.h:1257
#23 0x000056359c7753ba in do_command (thd=0x1548ec000c58) at /test/10.5_opt/sql/sql_parse.cc:1370
#24 0x000056359c87aac1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56359fe24c38, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1410
#25 0x000056359c87af3d in handle_one_connection (arg=arg@entry=0x56359fe24c38) at /test/10.5_opt/sql/sql_connect.cc:1312
#26 0x000056359cc09077 in pfs_spawn_thread (arg=0x56359fda2028) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
#27 0x000015493edd1609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#28 0x000015493e9c0293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.5.10 (opt), 10.6.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.38 (opt), 10.3.29 (opt), 10.4.19 (opt)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

error.log
31 kB
2021-03-16 10:51

Issue Links

is caused by

MDEV-18844 Implement EXCEPT ALL and INTERSECT ALL operations

Closed

is duplicated by

MDEV-32325 Server crashes at __nss_database_lookup

Closed

MDEV-32328 Server crashes at select_unit::write_record

Closed

MDEV-32330 Server crashes at select_unit_ext::send_data

Closed

Activity

Ascending order - Click to sort in descending order

View 12 older comments

Roel Van de Paar added a comment - 2024-05-16 20:32

Also observed stack corruption

10.11.8 3a069644682e336e445039e48baae9693f9a08ee (Debug)
mariadbd: /test/10.11_dbg/sql/sql_union.cc:784: virtual bool select_unit_ext::send_eof(): Assertion `curr_op_type != INTERSECT_ALL' failed.

10.11.8 3a069644682e336e445039e48baae9693f9a08ee (Debug)
Core was generated by `/test/MD130524-mariadb-10.11.8-linux-x86_64-dbg/bin/mariadbd --no-defaults --th'.
Program terminated with signal SIGABRT, Aborted.
#0 0x000014e613c9999b in ?? ()
[Current thread is 1 (LWP 106762)]
(gdb) bt
#0 0x000014e613c9999b in ?? ()
Backtrace stopped: Cannot access memory at address 0x14e5ec10f0f0

Roel Van de Paar added a comment - 2024-05-16 20:32 Also observed stack corruption 10.11.8 3a069644682e336e445039e48baae9693f9a08ee (Debug) mariadbd: /test/10.11_dbg/sql/sql_union.cc:784: virtual bool select_unit_ext::send_eof(): Assertion `curr_op_type != INTERSECT_ALL' failed. 10.11.8 3a069644682e336e445039e48baae9693f9a08ee (Debug) Core was generated by `/test/MD130524-mariadb-10.11.8-linux-x86_64-dbg/bin/mariadbd --no-defaults --th'. Program terminated with signal SIGABRT, Aborted. #0 0x000014e613c9999b in ?? () [Current thread is 1 (LWP 106762)] (gdb) bt #0 0x000014e613c9999b in ?? () Backtrace stopped: Cannot access memory at address 0x14e5ec10f0f0

Ramesh Sivaraman added a comment - 2024-05-24 05:56

Server crashes with slightly different stack when we use non-default charset/collation in the test case

CREATE TABLE t (c CHAR(1) NOT NULL) DEFAULT COLLATE=utf32_unicode_ci;

SET GLOBAL sql_mode=ORACLE;

SET sql_mode=DEFAULT;

INSERT t VALUES (1);

SELECT * FROM t UNION SELECT * FROM t INTERSECT ALL SELECT * FROM t;

SIGSEGV|my_mb_wc_utf32_quick|my_uca_scanner_next_utf32|my_uca_scanner_next_utf32|my_uca_strnncollsp_onelevel_utf32

SIGSEGV|my_mb_wc_utf32_quick|my_uca_scanner_next_utf32|my_uca_strnncollsp_onelevel_utf32|my_uca_strnncollsp_utf32

Ramesh Sivaraman added a comment - 2024-05-24 05:56 Server crashes with slightly different stack when we use non-default charset/collation in the test case CREATE TABLE t (c CHAR (1) NOT NULL ) DEFAULT COLLATE =utf32_unicode_ci; SET GLOBAL sql_mode=ORACLE; SET sql_mode= DEFAULT ; INSERT t VALUES (1); SELECT * FROM t UNION SELECT * FROM t INTERSECT ALL SELECT * FROM t; SIGSEGV|my_mb_wc_utf32_quick|my_uca_scanner_next_utf32|my_uca_scanner_next_utf32|my_uca_strnncollsp_onelevel_utf32 SIGSEGV|my_mb_wc_utf32_quick|my_uca_scanner_next_utf32|my_uca_strnncollsp_onelevel_utf32|my_uca_strnncollsp_utf32

Roel Van de Paar added a comment - 2024-09-09 05:54 - edited

--source include/have_innodb.inc

SET GLOBAL sql_mode='ORACLE';

SET sql_mode=DEFAULT;

CREATE TABLE t (c INT) ENGINE=InnoDB;

INSERT INTO t (c) VALUES (1);

SELECT * FROM t UNION SELECT * FROM t EXCEPT ALL SELECT * FROM t;

Leads to additional stack:

SIGSEGV|hp_rec_key_cmp|ha_heap::find_unique_row|select_unit_ext::send_data|select_result_sink::send_data_with_check

And

--source include/have_innodb.inc

SET GLOBAL sql_mode='ORACLE';

SET sql_mode=DEFAULT;

CREATE TABLE t (c INT KEY) ENGINE=InnoDB;

INSERT INTO t (c) VALUES (1);

SELECT * FROM t UNION SELECT * FROM t EXCEPT ALL SELECT * FROM t;

Leads to additional stack:

SIGSEGV|__memcmp_evex_movbe|hp_rec_key_cmp|ha_heap::find_unique_row|select_unit_ext::send_data

Roel Van de Paar added a comment - 2024-09-09 05:54 - edited --source include/have_innodb.inc SET GLOBAL sql_mode= 'ORACLE' ; SET sql_mode= DEFAULT ; CREATE TABLE t (c INT ) ENGINE=InnoDB; INSERT INTO t (c) VALUES (1); SELECT * FROM t UNION SELECT * FROM t EXCEPT ALL SELECT * FROM t; Leads to additional stack: SIGSEGV|hp_rec_key_cmp|ha_heap::find_unique_row|select_unit_ext::send_data|select_result_sink::send_data_with_check And --source include/have_innodb.inc SET GLOBAL sql_mode= 'ORACLE' ; SET sql_mode= DEFAULT ; CREATE TABLE t (c INT KEY ) ENGINE=InnoDB; INSERT INTO t (c) VALUES (1); SELECT * FROM t UNION SELECT * FROM t EXCEPT ALL SELECT * FROM t; Leads to additional stack: SIGSEGV|__memcmp_evex_movbe|hp_rec_key_cmp|ha_heap::find_unique_row|select_unit_ext::send_data

Aleksey Midenkov added a comment - 2025-04-28 20:39

Please review

778956949a0 (HEAD -> bb-10.5-midenok2, mariadb/bb-10.5-midenok2) MDEV-25158 Segfault on INTERSECT ALL with UNION in Oracle mode

Aleksey Midenkov added a comment - 2025-04-28 20:39 Please review 778956949a0 (HEAD -> bb-10.5-midenok2, mariadb/bb-10.5-midenok2) MDEV-25158 Segfault on INTERSECT ALL with UNION in Oracle mode

Oleksandr Byelkin added a comment - 7 hours ago

Check please "git show 778956949a087a7c9255ca7c754fd3426846a419" to see last line in the test you should remove (it will be red).

Make some function with sane name to check the same condition you added in 3 places.

Otherwise patch is OK

Oleksandr Byelkin added a comment - 7 hours ago Check please "git show 778956949a087a7c9255ca7c754fd3426846a419" to see last line in the test you should remove (it will be red). Make some function with sane name to check the same condition you added in 3 places. Otherwise patch is OK

MariaDB Server

Segfault on INTERSECT ALL with UNION in Oracle mode

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Git Integration