[MDEV-26047] MariaDB server crash at Item_subselect::init_expr_cache_tracker - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 10.6.1, 10.5.11, 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6
Fix Version/s: 10.2.44, 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4, 10.8.3
Component/s: Optimizer
Labels:
- crash
- regression
Environment:
Linux 5.4.0-39-generic #43-Ubuntu SMP Fri Jun 19 10:28:31 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Description

Steps to reproduce:

CREATE TABLE v0 ( v1 INT PRIMARY KEY ) ;

 INSERT INTO v0 VALUES ( ( ( 23695630.000000 ) ) NOT IN ( SELECT DISTINCT - ( 89 IN ( 127 , 'x' , NULL ) ) IN ( 'x' , 127 ) FROM v0 AS v2 WHERE v1 IS NOT NULL GROUP BY ( ( SELECT DISTINCT - ( 'x' IN ( 65 , NULL ) ) IN ( 'x' , -2147483648 ) AND ( SELECT NULL WHERE - ( 16 ) AND ( v1 IN ( ( ( v1 = v1 ) ) = 'x' ) ) = -2147483648 ) ) ) ORDER BY ( v1 = 'x' AND 84 ) OR ( v1 = 8 AND v1 = -1 ) ASC ) ) ;

 CREATE TABLE v3 ( v4 INTEGER , v5 INT PRIMARY KEY , v6 VARCHAR ( 24 ) , v7 INT , v8 INT , v9 INT ) ;

 INSERT INTO v3 ( v5 ) VALUES ( ( ( - ( ( 'x' IS NOT NULL ) ) ) ) ) , ( 55 BETWEEN - 80445159.000000 AND - ( ( ( SELECT DISTINCT v1 IN ( ( -1 IN ( ( SELECT DISTINCT - ( 58 IN ( ( -128 IN ( 54560735.000000 ) ) ) ) NOT IN ( 'x' , - ( ( 54 IN ( ( NULL IN ( ( SELECT v1 FROM v0 AS v12 WHERE - ( 99 ) AND v1 = 95 GROUP BY 89382485.000000 ) ) ) ) ) ) ) AS v11 ) ) ) = 'x' ) FROM v0 AS v10 WHERE v1 IS NOT NULL GROUP BY 'x' , 5612101.000000 ) ) ) ) ;

Backtrace:
Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

[Current thread is 1 (Thread 0x7f0f26251300 (LWP 1437547))]

gdb-peda$ #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

#1  0x0000559d3cff698f in my_write_core (sig=sig@entry=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2  0x0000559d3ba63583 in handle_fatal_signal (sig=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344

#3  <signal handler called>

#4  0x0000559d3be106ea in Item_subselect::init_expr_cache_tracker (

    this=0x6290021eddb8, thd=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982

#5  0x0000559d3be108df in Item_singlerow_subselect::expr_cache_insert_transformer (this=0x6290021eddb8, tmp_thd=0x62b000070218, unused=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_subselect.cc:1389

#6  0x0000559d3bab3024 in Item::transform (this=<optimized out>,

    thd=<optimized out>, transformer=<optimized out>, arg=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:610

#7  0x0000559d3bb7d48a in Item_cond::transform (this=<optimized out>,

    thd=<optimized out>, transformer=&virtual table offset 1328,

    arg=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:5135

#8  0x0000559d3b235270 in JOIN::setup_subquery_caches (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4225

#9  0x0000559d3b31b21f in JOIN::optimize_stage2 (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:3065

#10 0x0000559d3b327252 in JOIN::optimize_inner (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:2477

#11 0x0000559d3b329eda in JOIN::optimize (this=this@entry=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:1807

#12 0x0000559d3b09fb28 in st_select_lex::optimize_unflattened_subqueries (

    this=0x62b000079968, const_only=const_only@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.cc:4936

#13 0x0000559d3b0643e5 in mysql_insert (thd=thd@entry=0x62b000070218,

    table_list=<optimized out>, fields=..., values_list=...,

    update_fields=..., update_values=..., duplic=<optimized out>,

    ignore=<optimized out>, result=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982

#14 0x0000559d3b15ca9c in mysql_execute_command (thd=<optimized out>,

    is_called_from_prepared_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4568

#15 0x0000559d3b1188dd in mysql_parse (thd=0x62b000070218,

    rawbuf=<optimized out>, length=<optimized out>,

    parser_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028

#16 0x0000559d3b14edb9 in dispatch_command (command=COM_QUERY,

    thd=0x62b000070218, packet=<optimized out>, packet_length=<optimized out>,

    blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1995

#17 0x0000559d3b153704 in do_command (thd=0x62b000070218,

    blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406

#18 0x0000559d3b61314d in do_handle_one_connection (connect=<optimized out>,

    put_in_cache=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410

#19 0x0000559d3b614807 in handle_one_connection (arg=arg@entry=0x608008ba4fb8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312

#20 0x0000559d3c45fef0 in pfs_spawn_thread (arg=0x617000005b98)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#21 0x00007f0f481e3609 in start_thread (arg=<optimized out>)

    at pthread_create.c:477

#22 0x00007f0f47db7293 in clone ()

    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

gdb-peda$ quit

Attachments

Issue Links

causes

MDEV-28437 Assertion `!eliminated' failed in Item_subselect::exec

Closed

is duplicated by

MDEV-26164 crash in Item_subselect::init_expr_cache_tracker

Closed

MDEV-26428 MariaDB Server SEGV issue

Closed

relates to

MDEV-24925 Server crashes in Item_subselect::init_expr_cache_tracker

Closed

MDEV-27957 Select from view with subselect fails with lost connection

Closed

MDEV-32394 init_expr_cache_tracker: SEGV at /mariadb-11.3.0/sql/item_subselect.cc:7069

Confirmed

links to

CVE-2022-27384

CVE-2022-32083

(1 relates to, 2 links to)

Activity

Ascending order - Click to sort in descending order

yaoguang created issue - 2021-06-30 06:35

Alice Sherepa made changes - 2021-06-30 08:10

Field	Original Value	New Value
Description	Steps to reproduce: {code:java} CREATE TABLE v0 ( v1 INT PRIMARY KEY ) ; INSERT INTO v0 VALUES ( ( ( 23695630.000000 ) ) NOT IN ( SELECT DISTINCT - ( 89 IN ( 127 , 'x' , NULL ) ) IN ( 'x' , 127 ) FROM v0 AS v2 WHERE v1 IS NOT NULL GROUP BY ( ( SELECT DISTINCT - ( 'x' IN ( 65 , NULL ) ) IN ( 'x' , -2147483648 ) AND ( SELECT NULL WHERE - ( 16 ) AND ( v1 IN ( ( ( v1 = v1 ) ) = 'x' ) ) = -2147483648 ) ) ) ORDER BY ( v1 = 'x' AND 84 ) OR ( v1 = 8 AND v1 = -1 ) ASC ) ) ; CREATE TABLE v3 ( v4 INTEGER , v5 INT PRIMARY KEY , v6 VARCHAR ( 24 ) , v7 INT , v8 INT , v9 INT ) ; INSERT INTO v3 ( v5 ) VALUES ( ( ( - ( ( 'x' IS NOT NULL ) ) ) ) ) , ( 55 BETWEEN - 80445159.000000 AND - ( ( ( SELECT DISTINCT v1 IN ( ( -1 IN ( ( SELECT DISTINCT - ( 58 IN ( ( -128 IN ( 54560735.000000 ) ) ) ) NOT IN ( 'x' , - ( ( 54 IN ( ( NULL IN ( ( SELECT v1 FROM v0 AS v12 WHERE - ( 99 ) AND v1 = 95 GROUP BY 89382485.000000 ) ) ) ) ) ) ) AS v11 ) ) ) = 'x' ) FROM v0 AS v10 WHERE v1 IS NOT NULL GROUP BY 'x' , 5612101.000000 ) ) ) ) ; {code} Backtrace: Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'. Program terminated with signal SIGSEGV, Segmentation fault. #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56 [Current thread is 1 (Thread 0x7f0f26251300 (LWP 1437547))] gdb-peda$ #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56 #1 0x0000559d3cff698f in my_write_core (sig=sig@entry=0xb) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424 #2 0x0000559d3ba63583 in handle_fatal_signal (sig=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344 #3 <signal handler called> #4 0x0000559d3be106ea in Item_subselect::init_expr_cache_tracker ( this=0x6290021eddb8, thd=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982 #5 0x0000559d3be108df in Item_singlerow_subselect::expr_cache_insert_transformer (this=0x6290021eddb8, tmp_thd=0x62b000070218, unused=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_subselect.cc:1389 #6 0x0000559d3bab3024 in Item::transform (this=<optimized out>, thd=<optimized out>, transformer=<optimized out>, arg=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:610 #7 0x0000559d3bb7d48a in Item_cond::transform (this=<optimized out>, thd=<optimized out>, transformer=&virtual table offset 1328, arg=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:5135 #8 0x0000559d3b235270 in JOIN::setup_subquery_caches (this=0x62900222e478) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4225 #9 0x0000559d3b31b21f in JOIN::optimize_stage2 (this=0x62900222e478) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:3065 #10 0x0000559d3b327252 in JOIN::optimize_inner (this=0x62900222e478) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:2477 #11 0x0000559d3b329eda in JOIN::optimize (this=this@entry=0x62900222e478) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:1807 #12 0x0000559d3b09fb28 in st_select_lex::optimize_unflattened_subqueries ( this=0x62b000079968, const_only=const_only@entry=0x0) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.cc:4936 #13 0x0000559d3b0643e5 in mysql_insert (thd=thd@entry=0x62b000070218, table_list=<optimized out>, fields=..., values_list=..., update_fields=..., update_values=..., duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982 #14 0x0000559d3b15ca9c in mysql_execute_command (thd=<optimized out>, is_called_from_prepared_stmt=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4568 #15 0x0000559d3b1188dd in mysql_parse (thd=0x62b000070218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028 #16 0x0000559d3b14edb9 in dispatch_command (command=COM_QUERY, thd=0x62b000070218, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1995 #17 0x0000559d3b153704 in do_command (thd=0x62b000070218, blocking=blocking@entry=0x1) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406 #18 0x0000559d3b61314d in do_handle_one_connection (connect=<optimized out>, put_in_cache=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410 #19 0x0000559d3b614807 in handle_one_connection (arg=arg@entry=0x608008ba4fb8) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312 #20 0x0000559d3c45fef0 in pfs_spawn_thread (arg=0x617000005b98) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201 #21 0x00007f0f481e3609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #22 0x00007f0f47db7293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 gdb-peda$ quit	Steps to reproduce: {code:sql} CREATE TABLE v0 ( v1 INT PRIMARY KEY ) ; INSERT INTO v0 VALUES ( ( ( 23695630.000000 ) ) NOT IN ( SELECT DISTINCT - ( 89 IN ( 127 , 'x' , NULL ) ) IN ( 'x' , 127 ) FROM v0 AS v2 WHERE v1 IS NOT NULL GROUP BY ( ( SELECT DISTINCT - ( 'x' IN ( 65 , NULL ) ) IN ( 'x' , -2147483648 ) AND ( SELECT NULL WHERE - ( 16 ) AND ( v1 IN ( ( ( v1 = v1 ) ) = 'x' ) ) = -2147483648 ) ) ) ORDER BY ( v1 = 'x' AND 84 ) OR ( v1 = 8 AND v1 = -1 ) ASC ) ) ; CREATE TABLE v3 ( v4 INTEGER , v5 INT PRIMARY KEY , v6 VARCHAR ( 24 ) , v7 INT , v8 INT , v9 INT ) ; INSERT INTO v3 ( v5 ) VALUES ( ( ( - ( ( 'x' IS NOT NULL ) ) ) ) ) , ( 55 BETWEEN - 80445159.000000 AND - ( ( ( SELECT DISTINCT v1 IN ( ( -1 IN ( ( SELECT DISTINCT - ( 58 IN ( ( -128 IN ( 54560735.000000 ) ) ) ) NOT IN ( 'x' , - ( ( 54 IN ( ( NULL IN ( ( SELECT v1 FROM v0 AS v12 WHERE - ( 99 ) AND v1 = 95 GROUP BY 89382485.000000 ) ) ) ) ) ) ) AS v11 ) ) ) = 'x' ) FROM v0 AS v10 WHERE v1 IS NOT NULL GROUP BY 'x' , 5612101.000000 ) ) ) ) ; {code} Backtrace: Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'. {noformat} Program terminated with signal SIGSEGV, Segmentation fault. #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56 [Current thread is 1 (Thread 0x7f0f26251300 (LWP 1437547))] gdb-peda$ #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56 #1 0x0000559d3cff698f in my_write_core (sig=sig@entry=0xb) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424 #2 0x0000559d3ba63583 in handle_fatal_signal (sig=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344 #3 <signal handler called> #4 0x0000559d3be106ea in Item_subselect::init_expr_cache_tracker ( this=0x6290021eddb8, thd=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982 #5 0x0000559d3be108df in Item_singlerow_subselect::expr_cache_insert_transformer (this=0x6290021eddb8, tmp_thd=0x62b000070218, unused=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_subselect.cc:1389 #6 0x0000559d3bab3024 in Item::transform (this=<optimized out>, thd=<optimized out>, transformer=<optimized out>, arg=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:610 #7 0x0000559d3bb7d48a in Item_cond::transform (this=<optimized out>, thd=<optimized out>, transformer=&virtual table offset 1328, arg=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:5135 #8 0x0000559d3b235270 in JOIN::setup_subquery_caches (this=0x62900222e478) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4225 #9 0x0000559d3b31b21f in JOIN::optimize_stage2 (this=0x62900222e478) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:3065 #10 0x0000559d3b327252 in JOIN::optimize_inner (this=0x62900222e478) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:2477 #11 0x0000559d3b329eda in JOIN::optimize (this=this@entry=0x62900222e478) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:1807 #12 0x0000559d3b09fb28 in st_select_lex::optimize_unflattened_subqueries ( this=0x62b000079968, const_only=const_only@entry=0x0) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.cc:4936 #13 0x0000559d3b0643e5 in mysql_insert (thd=thd@entry=0x62b000070218, table_list=<optimized out>, fields=..., values_list=..., update_fields=..., update_values=..., duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982 #14 0x0000559d3b15ca9c in mysql_execute_command (thd=<optimized out>, is_called_from_prepared_stmt=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4568 #15 0x0000559d3b1188dd in mysql_parse (thd=0x62b000070218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028 #16 0x0000559d3b14edb9 in dispatch_command (command=COM_QUERY, thd=0x62b000070218, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1995 #17 0x0000559d3b153704 in do_command (thd=0x62b000070218, blocking=blocking@entry=0x1) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406 #18 0x0000559d3b61314d in do_handle_one_connection (connect=<optimized out>, put_in_cache=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410 #19 0x0000559d3b614807 in handle_one_connection (arg=arg@entry=0x608008ba4fb8) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312 #20 0x0000559d3c45fef0 in pfs_spawn_thread (arg=0x617000005b98) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201 #21 0x00007f0f481e3609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #22 0x00007f0f47db7293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 gdb-peda$ quit {noformat}

Alice Sherepa made changes - 2021-06-30 08:13

Link

This issue relates to ~~MDEV-24925~~ [ ~~MDEV-24925~~ ]

Alice Sherepa added a comment - 2021-06-30 09:03 - edited

Thanks!
Repeatable on 10.2-10.6:

-- source include/have_innodb.inc

CREATE TABLE t1 (a int) engine=innodb;

SELECT 1 IN (SELECT NULL FROM t1 WHERE a IS NOT NULL GROUP BY (SELECT NULL from dual WHERE a = 1));

10.2 768c51880a5aa6d25d4c
Version: '10.2.40-MariaDB-debug-log'
210630 8:54:33 [ERROR] mysqld got signal 11 ;

Server version: 10.2.40-MariaDB-debug-log

sql/signal_handler.cc:221(handle_fatal_signal)[0x55d6c25421b8]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x12730)[0x7f1e42715730]
sql/item_subselect.cc:6888(Item_subselect::init_expr_cache_tracker(THD*))[0x55d6c27676a6]
sql/item_subselect.cc:1316(Item_singlerow_subselect::expr_cache_insert_transformer(THD, unsigned char))[0x55d6c27399be]
sql/item.cc:733(Item::transform(THD, Item (Item::)(THD, unsigned char), unsigned char))[0x55d6c2581917]
sql/sql_select.cc:3187(JOIN::setup_subquery_caches())[0x55d6c1f9aea5]
sql/sql_select.cc:2095(JOIN::optimize_inner())[0x55d6c1f8f4e0]
sql/sql_select.cc:1127(JOIN::optimize())[0x55d6c1f85318]
sql/sql_lex.cc:3868(st_select_lex::optimize_unflattened_subqueries(bool))[0x55d6c1eb68ac]
sql/opt_subselect.cc:5360(JOIN::optimize_constant_subqueries())[0x55d6c2360a78]
sql/sql_select.cc:1349(JOIN::optimize_inner())[0x55d6c1f874d9]
sql/sql_select.cc:1127(JOIN::optimize())[0x55d6c1f85318]
sql/sql_select.cc:3835(mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex))[0x55d6c1fa0766]
sql/sql_select.cc:361(handle_select(THD, LEX, select_result*, unsigned long))[0x55d6c1f7d3fa]
sql/sql_parse.cc:6271(execute_sqlcom_select(THD, TABLE_LIST))[0x55d6c1ef0d54]
sql/sql_parse.cc:3582(mysql_execute_command(THD*))[0x55d6c1edc4db]
sql/sql_parse.cc:7793(mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool))[0x55d6c1efa072]
sql/sql_parse.cc:1830(dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool))[0x55d6c1ed10bf]
sql/sql_parse.cc:1381(do_command(THD*))[0x55d6c1ecdaf0]
sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x55d6c227798e]
sql/sql_connect.cc:1242(handle_one_connection)[0x55d6c227724f]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55d6c3718f3c]
nptl/pthread_create.c:487(start_thread)[0x7f1e4270afa3]
x86_64/clone.S:97(clone)[0x7f1e4208e4cf]

Query (0x62b000000290): SELECT 1 IN (SELECT null FROM t1 WHERE a IS NOT NULL GROUP BY (SELECT NULL from dual WHERE a = 1) )

this is also as ~~MDEV-24925~~ regression after 7e9a6b7f09bfb00e781d (~~MDEV-24779~~: main.subselect fails in buildbot with --ps-protocol)
Please check the initial test case after the fix.

Alice Sherepa added a comment - 2021-06-30 09:03 - edited Thanks! Repeatable on 10.2-10.6: -- source include/have_innodb.inc CREATE TABLE t1 (a int ) engine=innodb; SELECT 1 IN ( SELECT NULL FROM t1 WHERE a IS NOT NULL GROUP BY ( SELECT NULL from dual WHERE a = 1)); 10.2 768c51880a5aa6d25d4c Version: '10.2.40-MariaDB-debug-log' 210630 8:54:33 [ERROR] mysqld got signal 11 ; Server version: 10.2.40-MariaDB-debug-log sql/signal_handler.cc:221(handle_fatal_signal)[0x55d6c25421b8] /lib/x86_64-linux-gnu/libpthread.so.0(+0x12730)[0x7f1e42715730] sql/item_subselect.cc:6888(Item_subselect::init_expr_cache_tracker(THD*))[0x55d6c27676a6] sql/item_subselect.cc:1316(Item_singlerow_subselect::expr_cache_insert_transformer(THD*, unsigned char*))[0x55d6c27399be] sql/item.cc:733(Item::transform(THD*, Item* (Item::*)(THD*, unsigned char*), unsigned char*))[0x55d6c2581917] sql/sql_select.cc:3187(JOIN::setup_subquery_caches())[0x55d6c1f9aea5] sql/sql_select.cc:2095(JOIN::optimize_inner())[0x55d6c1f8f4e0] sql/sql_select.cc:1127(JOIN::optimize())[0x55d6c1f85318] sql/sql_lex.cc:3868(st_select_lex::optimize_unflattened_subqueries(bool))[0x55d6c1eb68ac] sql/opt_subselect.cc:5360(JOIN::optimize_constant_subqueries())[0x55d6c2360a78] sql/sql_select.cc:1349(JOIN::optimize_inner())[0x55d6c1f874d9] sql/sql_select.cc:1127(JOIN::optimize())[0x55d6c1f85318] sql/sql_select.cc:3835(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55d6c1fa0766] sql/sql_select.cc:361(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55d6c1f7d3fa] sql/sql_parse.cc:6271(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55d6c1ef0d54] sql/sql_parse.cc:3582(mysql_execute_command(THD*))[0x55d6c1edc4db] sql/sql_parse.cc:7793(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55d6c1efa072] sql/sql_parse.cc:1830(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55d6c1ed10bf] sql/sql_parse.cc:1381(do_command(THD*))[0x55d6c1ecdaf0] sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x55d6c227798e] sql/sql_connect.cc:1242(handle_one_connection)[0x55d6c227724f] perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55d6c3718f3c] nptl/pthread_create.c:487(start_thread)[0x7f1e4270afa3] x86_64/clone.S:97(clone)[0x7f1e4208e4cf] Query (0x62b000000290): SELECT 1 IN (SELECT null FROM t1 WHERE a IS NOT NULL GROUP BY (SELECT NULL from dual WHERE a = 1) ) this is also as MDEV-24925 regression after 7e9a6b7f09bfb00e781d ( MDEV-24779 : main.subselect fails in buildbot with --ps-protocol) Please check the initial test case after the fix.

Alice Sherepa made changes - 2021-06-30 09:03

Affects Version/s		10.5 [ 23123 ]
Affects Version/s	10.6.0 [ 24431 ]

Alice Sherepa made changes - 2021-06-30 09:04

Fix Version/s		10.2 [ 14601 ]
Fix Version/s		10.3 [ 22126 ]
Fix Version/s		10.4 [ 22408 ]
Fix Version/s		10.5 [ 23123 ]
Fix Version/s		10.6 [ 24028 ]

Alice Sherepa made changes - 2021-06-30 09:04

Status

Open [ 1 ]

Confirmed [ 10101 ]

Alice Sherepa made changes - 2021-06-30 09:04

Assignee

Sergei Petrunia [ psergey ]

Alice Sherepa made changes - 2021-06-30 09:30

Labels

crash

crash regression

Sergei Petrunia added a comment - 2021-07-03 16:44 - edited

SELECT 1 IN (

  SELECT NULL

  FROM t1

  WHERE

    a IS NOT NULL

  GROUP BY

    (SELECT NULL from dual WHERE a = 1)

);

So, we crash here:

(gdb) print slave

  $8 = (st_select_lex_node *) 0x0

(gdb) up

  #1  0x0000555555e94eae in Item_subselect::init_expr_cache_tracker (this=0x7fff7c0158a0, thd=0x7fff7c000d50) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:6888

(gdb) wher

  #0  st_select_lex_unit::first_select (this=0x7fff7c014db0) at /home/psergey/dev-git/10.2/sql/sql_lex.h:694

  #1  0x0000555555e94eae in Item_subselect::init_expr_cache_tracker (this=0x7fff7c0158a0, thd=0x7fff7c000d50) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:6888

  #2  0x0000555555e852cb in Item_singlerow_subselect::expr_cache_insert_transformer (this=0x7fff7c0158a0, tmp_thd=0x7fff7c000d50, unused=0x0) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:1315

  #3  0x0000555555dd510c in Item::transform (this=0x7fff7c0158a0, thd=0x7fff7c000d50, transformer=&virtual Item::expr_cache_insert_transformer(THD*, unsigned char*), arg=0x0) at /home/psergey/dev-git/10.2/sql/item.cc:736

  #4  0x0000555555b8a338 in JOIN::setup_subquery_caches (this=0x7fff7c0164c0) at /home/psergey/dev-git/10.2/sql/sql_select.cc:3188

  #5  0x0000555555b863c2 in JOIN::optimize_inner (this=0x7fff7c0164c0) at /home/psergey/dev-git/10.2/sql/sql_select.cc:2095

  #6  0x0000555555b82bcc in JOIN::optimize (this=0x7fff7c0164c0) at /home/psergey/dev-git/10.2/sql/sql_select.cc:1127

  #7  0x0000555555b326cd in st_select_lex::optimize_unflattened_subqueries (this=0x7fff7c005098, const_only=true) at /home/psergey/dev-git/10.2/sql/sql_lex.cc:3868

  #8  0x0000555555cf24c7 in JOIN::optimize_constant_subqueries (this=0x7fff7c015e40) at /home/psergey/dev-git/10.2/sql/opt_subselect.cc:5360

  #9  0x0000555555b836e0 in JOIN::optimize_inner (this=0x7fff7c015e40) at /home/psergey/dev-git/10.2/sql/sql_select.cc:1349

  #10 0x0000555555b82bcc in JOIN::optimize (this=0x7fff7c015e40) at /home/psergey/dev-git/10.2/sql/sql_select.cc:1127

  #11 0x0000555555b8c11e in mysql_select (thd=0x7fff7c000d50, tables=0x0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fff7c015e20, unit=0x7fff7c004948, select_lex=0x7fff7c005098) at /home/psergey/dev-git/10.2/sql/sql_select.cc:3835

  #12 0x0000555555b80303 in handle_select (thd=0x7fff7c000d50, lex=0x7fff7c004888, result=0x7fff7c015e20, setup_tables_done_option=0) at /home/psergey/dev-git/10.2/sql/sql_select.cc:361

  #13 0x0000555555b4b5d9 in execute_sqlcom_select (thd=0x7fff7c000d50, all_tables=0x7fff7c0141b0) at /home/psergey/dev-git/10.2/sql/sql_parse.cc:6271

  #14 0x0000555555b420cb in mysql_execute_command (thd=0x7fff7c000d50) at /home/psergey/dev-git/10.2/sql/sql_parse.cc:3582

  #15 0x0000555555b4f350 in mysql_parse (thd=0x7fff7c000d50, rawbuf=0x7fff7c0133c8 "SELECT 1 IN (SELECT NULL FROM t1 WHERE a IS NOT NULL GROUP BY (SELECT NULL from dual WHERE a = 1))", length=98, parser_state=0x7ffff41c0630, is_com_multi=false, is_next_command=false) at /home/psergey/dev-git/10.2/sql/sql_parse.cc:7793

on this line

  Explain_node *node= qw->get_node(unit->first_select()->select_number);

because unit->first_select()==NULL.

It looks like this subquery's parent UNION doesn't have SELECTs in it...

unit->first_select() (i.e. st_select_lex_unit::slave) was previously assigned NULL here:

  #0  0x0000555555b2fd9c in st_select_lex_node::fast_exclude (this=0x7fff7c014db0) at /home/psergey/dev-git/10.2/sql/sql_lex.cc:2282

  #1  0x0000555555b2feda in st_select_lex_node::exclude (this=0x7fff7c014db0) at /home/psergey/dev-git/10.2/sql/sql_lex.cc:2360

  #2  0x0000555555e82ad9 in Item_subselect::eliminate_subselect_processor (this=0x7fff7c0158a0, arg=0x0) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:371

  #3  0x0000555555e837c9 in Item_subselect::walk (this=0x7fff7c0158a0, processor=&virtual table offset 928, walk_subquery=false, argument=0x0) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:745

  #4  0x0000555555b80b63 in remove_redundant_subquery_clauses (subq_select_lex=0x7fff7c013598) at /home/psergey/dev-git/10.2/sql/sql_select.cc:597

  #5  0x0000555555b81814 in JOIN::prepare (this=0x7fff7c0164c0, tables_init=0x7fff7c0141b0, wild_num=0, conds_init=0x7fff7c0148f0, og_num=1, order_init=0x0, skip_order_by=false, group_init=0x7fff7c015a60, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fff7c013598, unit_arg=0x7fff7c013990) at /home/psergey/dev-git/10.2/sql/sql_select.cc:834

  #6  0x0000555555e8e2f8 in subselect_single_select_engine::prepare (this=0x7fff7c015cb8, thd=0x7fff7c000d50) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:3781

  #7  0x0000555555e8264b in Item_subselect::fix_fields (this=0x7fff7c015ab8, thd_param=0x7fff7c000d50, ref=0x7fff7c015d00) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:269

  #8  0x0000555555e8d3d8 in Item_in_subselect::fix_fields (this=0x7fff7c015ab8, thd_arg=0x7fff7c000d50, ref=0x7fff7c015d00) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:3444

  #9  0x0000555555adaa51 in setup_fields (thd=0x7fff7c000d50, ref_pointer_array=..., fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7fff7c016160, pre_fix=0x7fff7c0051d8, allow_sum_func=true) at /home/psergey/dev-git/10.2/sql/sql_base.cc:7263

  #10 0x0000555555b81641 in JOIN::prepare (this=0x7fff7c015e40, tables_init=0x0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fff7c005098, unit_arg=0x7fff7c004948) at /home/psergey/dev-git/10.2/sql/sql_select.cc:807

  #11 0x0000555555b8c0fc in mysql_select (thd=0x7fff7c000d50, tables=0x0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fff7c015e20, unit=0x7fff7c004948, select_lex=0x7fff7c005098) at /home/psergey/dev-git/10.2/sql/sql_select.cc:3829

Sergei Petrunia added a comment - 2021-07-03 16:44 - edited SELECT 1 IN ( SELECT NULL FROM t1 WHERE a IS NOT NULL GROUP BY ( SELECT NULL from dual WHERE a = 1) ); So, we crash here: (gdb) print slave $8 = (st_select_lex_node *) 0x0 (gdb) up #1 0x0000555555e94eae in Item_subselect::init_expr_cache_tracker (this=0x7fff7c0158a0, thd=0x7fff7c000d50) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:6888 (gdb) wher #0 st_select_lex_unit::first_select (this=0x7fff7c014db0) at /home/psergey/dev-git/10.2/sql/sql_lex.h:694 #1 0x0000555555e94eae in Item_subselect::init_expr_cache_tracker (this=0x7fff7c0158a0, thd=0x7fff7c000d50) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:6888 #2 0x0000555555e852cb in Item_singlerow_subselect::expr_cache_insert_transformer (this=0x7fff7c0158a0, tmp_thd=0x7fff7c000d50, unused=0x0) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:1315 #3 0x0000555555dd510c in Item::transform (this=0x7fff7c0158a0, thd=0x7fff7c000d50, transformer=&virtual Item::expr_cache_insert_transformer(THD*, unsigned char*), arg=0x0) at /home/psergey/dev-git/10.2/sql/item.cc:736 #4 0x0000555555b8a338 in JOIN::setup_subquery_caches (this=0x7fff7c0164c0) at /home/psergey/dev-git/10.2/sql/sql_select.cc:3188 #5 0x0000555555b863c2 in JOIN::optimize_inner (this=0x7fff7c0164c0) at /home/psergey/dev-git/10.2/sql/sql_select.cc:2095 #6 0x0000555555b82bcc in JOIN::optimize (this=0x7fff7c0164c0) at /home/psergey/dev-git/10.2/sql/sql_select.cc:1127 #7 0x0000555555b326cd in st_select_lex::optimize_unflattened_subqueries (this=0x7fff7c005098, const_only=true) at /home/psergey/dev-git/10.2/sql/sql_lex.cc:3868 #8 0x0000555555cf24c7 in JOIN::optimize_constant_subqueries (this=0x7fff7c015e40) at /home/psergey/dev-git/10.2/sql/opt_subselect.cc:5360 #9 0x0000555555b836e0 in JOIN::optimize_inner (this=0x7fff7c015e40) at /home/psergey/dev-git/10.2/sql/sql_select.cc:1349 #10 0x0000555555b82bcc in JOIN::optimize (this=0x7fff7c015e40) at /home/psergey/dev-git/10.2/sql/sql_select.cc:1127 #11 0x0000555555b8c11e in mysql_select (thd=0x7fff7c000d50, tables=0x0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fff7c015e20, unit=0x7fff7c004948, select_lex=0x7fff7c005098) at /home/psergey/dev-git/10.2/sql/sql_select.cc:3835 #12 0x0000555555b80303 in handle_select (thd=0x7fff7c000d50, lex=0x7fff7c004888, result=0x7fff7c015e20, setup_tables_done_option=0) at /home/psergey/dev-git/10.2/sql/sql_select.cc:361 #13 0x0000555555b4b5d9 in execute_sqlcom_select (thd=0x7fff7c000d50, all_tables=0x7fff7c0141b0) at /home/psergey/dev-git/10.2/sql/sql_parse.cc:6271 #14 0x0000555555b420cb in mysql_execute_command (thd=0x7fff7c000d50) at /home/psergey/dev-git/10.2/sql/sql_parse.cc:3582 #15 0x0000555555b4f350 in mysql_parse (thd=0x7fff7c000d50, rawbuf=0x7fff7c0133c8 "SELECT 1 IN (SELECT NULL FROM t1 WHERE a IS NOT NULL GROUP BY (SELECT NULL from dual WHERE a = 1))", length=98, parser_state=0x7ffff41c0630, is_com_multi=false, is_next_command=false) at /home/psergey/dev-git/10.2/sql/sql_parse.cc:7793 on this line Explain_node *node= qw->get_node(unit->first_select()->select_number); because unit->first_select()==NULL. It looks like this subquery's parent UNION doesn't have SELECTs in it... unit->first_select() (i.e. st_select_lex_unit::slave) was previously assigned NULL here: #0 0x0000555555b2fd9c in st_select_lex_node::fast_exclude (this=0x7fff7c014db0) at /home/psergey/dev-git/10.2/sql/sql_lex.cc:2282 #1 0x0000555555b2feda in st_select_lex_node::exclude (this=0x7fff7c014db0) at /home/psergey/dev-git/10.2/sql/sql_lex.cc:2360 #2 0x0000555555e82ad9 in Item_subselect::eliminate_subselect_processor (this=0x7fff7c0158a0, arg=0x0) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:371 #3 0x0000555555e837c9 in Item_subselect::walk (this=0x7fff7c0158a0, processor=&virtual table offset 928, walk_subquery=false, argument=0x0) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:745 #4 0x0000555555b80b63 in remove_redundant_subquery_clauses (subq_select_lex=0x7fff7c013598) at /home/psergey/dev-git/10.2/sql/sql_select.cc:597 #5 0x0000555555b81814 in JOIN::prepare (this=0x7fff7c0164c0, tables_init=0x7fff7c0141b0, wild_num=0, conds_init=0x7fff7c0148f0, og_num=1, order_init=0x0, skip_order_by=false, group_init=0x7fff7c015a60, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fff7c013598, unit_arg=0x7fff7c013990) at /home/psergey/dev-git/10.2/sql/sql_select.cc:834 #6 0x0000555555e8e2f8 in subselect_single_select_engine::prepare (this=0x7fff7c015cb8, thd=0x7fff7c000d50) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:3781 #7 0x0000555555e8264b in Item_subselect::fix_fields (this=0x7fff7c015ab8, thd_param=0x7fff7c000d50, ref=0x7fff7c015d00) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:269 #8 0x0000555555e8d3d8 in Item_in_subselect::fix_fields (this=0x7fff7c015ab8, thd_arg=0x7fff7c000d50, ref=0x7fff7c015d00) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:3444 #9 0x0000555555adaa51 in setup_fields (thd=0x7fff7c000d50, ref_pointer_array=..., fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7fff7c016160, pre_fix=0x7fff7c0051d8, allow_sum_func=true) at /home/psergey/dev-git/10.2/sql/sql_base.cc:7263 #10 0x0000555555b81641 in JOIN::prepare (this=0x7fff7c015e40, tables_init=0x0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fff7c005098, unit_arg=0x7fff7c004948) at /home/psergey/dev-git/10.2/sql/sql_select.cc:807 #11 0x0000555555b8c0fc in mysql_select (thd=0x7fff7c000d50, tables=0x0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fff7c015e20, unit=0x7fff7c004948, select_lex=0x7fff7c005098) at /home/psergey/dev-git/10.2/sql/sql_select.cc:3829

Sergei Petrunia added a comment - 2021-07-03 16:52

that is, in the previous comment:

Stack trace #2 shows: remove_redundant_subquery_clauses() removes the GROUP BY clause from the SELECT inside the IN-subquery. This is Ok.

However, Stack trace #1 shows that we're trying to setup subquery cache. Why do we do it if we have removed the GROUP BY clause?

Sergei Petrunia added a comment - 2021-07-03 16:52 that is, in the previous comment: Stack trace #2 shows: remove_redundant_subquery_clauses() removes the GROUP BY clause from the SELECT inside the IN-subquery. This is Ok. However, Stack trace #1 shows that we're trying to setup subquery cache. Why do we do it if we have removed the GROUP BY clause?

Sergei Petrunia added a comment - 2021-07-03 17:04

If we go to frame #4 of stack trace #1:

(gdb) up
#4 0x0000555555b8a338 in JOIN::setup_subquery_caches (this=0x7fff7c0164c0) at /home/psergey/dev-git/10.2/sql/sql_select.cc:3188

we are here:

    List_iterator<Item> li(all_fields);

    Item *item;

    while ((item= li++))

      Item *new_item=

        item->transform(thd, &Item::expr_cache_insert_transformer,

                        NULL);

and the subquery is in the select list:

(gdb) p all_fields.elements

  $190 = 2

(gdb) p all_fields.elem(0)

  $192 = (Item_singlerow_subselect *) 0x7fff7c0158a0

(gdb) p all_fields.elem(1)

  $194 = (Item_null *) 0x7fff7c0140e0

Apparently, remove_redundant_subquery_clauses() did not fully remove the subquery...

Sergei Petrunia added a comment - 2021-07-03 17:04 If we go to frame #4 of stack trace #1: (gdb) up #4 0x0000555555b8a338 in JOIN::setup_subquery_caches (this=0x7fff7c0164c0) at /home/psergey/dev-git/10.2/sql/sql_select.cc:3188 we are here: List_iterator<Item> li(all_fields); Item *item; while ((item= li++)) { Item *new_item= item->transform(thd, &Item::expr_cache_insert_transformer, NULL); and the subquery is in the select list: (gdb) p all_fields.elements $190 = 2 (gdb) p all_fields.elem(0) $192 = (Item_singlerow_subselect *) 0x7fff7c0158a0 (gdb) p all_fields.elem(1) $194 = (Item_null *) 0x7fff7c0140e0 Apparently, remove_redundant_subquery_clauses() did not fully remove the subquery...

Sergei Petrunia added a comment - 2021-07-03 17:09

There was a similar fix for ~~MDEV-24925~~:

https://github.com/MariaDB/server/commit/c72c77ca3bcb9d29903f95bf37c9930224984d29

its logic was "do not remove GROUP BY entries that use the select list".. but in this case, ord->in_field_list==false, despite that the subselect is in the select list.

Sergei Petrunia added a comment - 2021-07-03 17:09 There was a similar fix for MDEV-24925 : https://github.com/MariaDB/server/commit/c72c77ca3bcb9d29903f95bf37c9930224984d29 its logic was "do not remove GROUP BY entries that use the select list".. but in this case, ord->in_field_list==false, despite that the subselect is in the select list.

Sergei Petrunia added a comment - 2021-07-03 17:18 - edited

The subselect is added into the select list here:

  #0  base_list::push_front_impl (this=0x7fff7c0167e0, node=0x7fff7c017290) at /home/psergey/dev-git/10.2/sql/sql_list.h:248

  #1  0x0000555555a9d913 in base_list::push_front (this=0x7fff7c0167e0, info=0x7fff7c0158a0, mem_root=0x7fff7c005ed8) at /home/psergey/dev-git/10.2/sql/sql_list.h:255

  #2  0x0000555555bd1549 in List<Item>::push_front (this=0x7fff7c0167e0, a=0x7fff7c0158a0, mem_root=0x7fff7c005ed8) at /home/psergey/dev-git/10.2/sql/sql_list.h:547

  #3  0x0000555555bbbecb in find_order_in_list (thd=0x7fff7c000d50, ref_pointer_array=..., tables=0x7fff7c0141b0, order=0x7fff7c015a60, fields=..., all_fields=..., is_group_field=true, add_to_all_fields=true, from_window_spec=false) at /home/psergey/dev-git/10.2/sql/sql_select.cc:22708

  #4  0x0000555555bbc24d in setup_group (thd=0x7fff7c000d50, ref_pointer_array=..., tables=0x7fff7c0141b0, fields=..., all_fields=..., order=0x7fff7c015a60, hidden_group_fields=0x7fff7c0167a7, from_window_spec=false) at /home/psergey/dev-git/10.2/sql/sql_select.cc:22820

  #5  0x0000555555b80ea1 in setup_without_group (thd=0x7fff7c000d50, ref_pointer_array=..., tables=0x7fff7c0141b0, leaves=..., fields=..., all_fields=..., conds=0x7fff7c0168c8, order=0x0, group=0x7fff7c015a60, win_specs=..., win_funcs=..., hidden_group_fields=0x7fff7c0167a7, reserved=0x7fff7c01385c) at /home/psergey/dev-git/10.2/sql/sql_select.cc:669

  #6  0x0000555555b81774 in JOIN::prepare (this=0x7fff7c0164c0, tables_init=0x7fff7c0141b0, wild_num=0, conds_init=0x7fff7c0148f0, og_num=1, order_init=0x0, skip_order_by=false, group_init=0x7fff7c015a60, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fff7c013598, unit_arg=0x7fff7c013990) at /home/psergey/dev-git/10.2/sql/sql_select.cc:812

  #7  0x0000555555e8e2f8 in subselect_single_select_engine::prepare (this=0x7fff7c015cb8, thd=0x7fff7c000d50) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:3781

  #8  0x0000555555e8264b in Item_subselect::fix_fields (this=0x7fff7c015ab8, thd_param=0x7fff7c000d50, ref=0x7fff7c015d00) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:269

  #9  0x0000555555e8d3d8 in Item_in_subselect::fix_fields (this=0x7fff7c015ab8, thd_arg=0x7fff7c000d50, ref=0x7fff7c015d00) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:3444

  #10 0x0000555555adaa51 in setup_fields (thd=0x7fff7c000d50, ref_pointer_array=..., fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7fff7c016160, pre_fix=0x7fff7c0051d8, allow_sum_func=true) at /home/psergey/dev-git/10.2/sql/sql_base.cc:7263

  #11 0x0000555555b81641 in JOIN::prepare (this=0x7fff7c015e40, tables_init=0x0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fff7c005098, unit_arg=0x7fff7c004948) at /home/psergey/dev-git/10.2/sql/sql_select.cc:807

  #12 0x0000555555b8c0fc in mysql_select (thd=0x7fff7c000d50, tables=0x0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fff7c015e20, unit=0x7fff7c004948, select_lex=0x7fff7c005098) at /home/psergey/dev-git/10.2/sql/sql_select.cc:3829

  #13 0x0000555555b80303 in handle_select (thd=0x7fff7c000d50, lex=0x7fff7c004888, result=0x7fff7c015e20, setup_tables_done_option=0) at /home/psergey/dev-git/10.2/sql/sql_select.cc:361

  #14 0x0000555555b4b5d9 in execute_sqlcom_select (thd=0x7fff7c000d50, all_tables=0x7fff7c0141b0) at /home/psergey/dev-git/10.2/sql/sql_parse.cc:6271

  #15 0x0000555555b420cb in mysql_execute_command (thd=0x7fff7c000d50) at /home/psergey/dev-git/10.2/sql/sql_parse.cc:3582

The code in find_order_in_list() seems to have left order->in_field_list=false on purpose...

The primary usage of order->in_field_list is in create_distinct_group, it doesn't look like we can set it to true for items that were not originally in the select list.

Sergei Petrunia added a comment - 2021-07-03 17:18 - edited The subselect is added into the select list here: #0 base_list::push_front_impl (this=0x7fff7c0167e0, node=0x7fff7c017290) at /home/psergey/dev-git/10.2/sql/sql_list.h:248 #1 0x0000555555a9d913 in base_list::push_front (this=0x7fff7c0167e0, info=0x7fff7c0158a0, mem_root=0x7fff7c005ed8) at /home/psergey/dev-git/10.2/sql/sql_list.h:255 #2 0x0000555555bd1549 in List<Item>::push_front (this=0x7fff7c0167e0, a=0x7fff7c0158a0, mem_root=0x7fff7c005ed8) at /home/psergey/dev-git/10.2/sql/sql_list.h:547 #3 0x0000555555bbbecb in find_order_in_list (thd=0x7fff7c000d50, ref_pointer_array=..., tables=0x7fff7c0141b0, order=0x7fff7c015a60, fields=..., all_fields=..., is_group_field=true, add_to_all_fields=true, from_window_spec=false) at /home/psergey/dev-git/10.2/sql/sql_select.cc:22708 #4 0x0000555555bbc24d in setup_group (thd=0x7fff7c000d50, ref_pointer_array=..., tables=0x7fff7c0141b0, fields=..., all_fields=..., order=0x7fff7c015a60, hidden_group_fields=0x7fff7c0167a7, from_window_spec=false) at /home/psergey/dev-git/10.2/sql/sql_select.cc:22820 #5 0x0000555555b80ea1 in setup_without_group (thd=0x7fff7c000d50, ref_pointer_array=..., tables=0x7fff7c0141b0, leaves=..., fields=..., all_fields=..., conds=0x7fff7c0168c8, order=0x0, group=0x7fff7c015a60, win_specs=..., win_funcs=..., hidden_group_fields=0x7fff7c0167a7, reserved=0x7fff7c01385c) at /home/psergey/dev-git/10.2/sql/sql_select.cc:669 #6 0x0000555555b81774 in JOIN::prepare (this=0x7fff7c0164c0, tables_init=0x7fff7c0141b0, wild_num=0, conds_init=0x7fff7c0148f0, og_num=1, order_init=0x0, skip_order_by=false, group_init=0x7fff7c015a60, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fff7c013598, unit_arg=0x7fff7c013990) at /home/psergey/dev-git/10.2/sql/sql_select.cc:812 #7 0x0000555555e8e2f8 in subselect_single_select_engine::prepare (this=0x7fff7c015cb8, thd=0x7fff7c000d50) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:3781 #8 0x0000555555e8264b in Item_subselect::fix_fields (this=0x7fff7c015ab8, thd_param=0x7fff7c000d50, ref=0x7fff7c015d00) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:269 #9 0x0000555555e8d3d8 in Item_in_subselect::fix_fields (this=0x7fff7c015ab8, thd_arg=0x7fff7c000d50, ref=0x7fff7c015d00) at /home/psergey/dev-git/10.2/sql/item_subselect.cc:3444 #10 0x0000555555adaa51 in setup_fields (thd=0x7fff7c000d50, ref_pointer_array=..., fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7fff7c016160, pre_fix=0x7fff7c0051d8, allow_sum_func=true) at /home/psergey/dev-git/10.2/sql/sql_base.cc:7263 #11 0x0000555555b81641 in JOIN::prepare (this=0x7fff7c015e40, tables_init=0x0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fff7c005098, unit_arg=0x7fff7c004948) at /home/psergey/dev-git/10.2/sql/sql_select.cc:807 #12 0x0000555555b8c0fc in mysql_select (thd=0x7fff7c000d50, tables=0x0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fff7c015e20, unit=0x7fff7c004948, select_lex=0x7fff7c005098) at /home/psergey/dev-git/10.2/sql/sql_select.cc:3829 #13 0x0000555555b80303 in handle_select (thd=0x7fff7c000d50, lex=0x7fff7c004888, result=0x7fff7c015e20, setup_tables_done_option=0) at /home/psergey/dev-git/10.2/sql/sql_select.cc:361 #14 0x0000555555b4b5d9 in execute_sqlcom_select (thd=0x7fff7c000d50, all_tables=0x7fff7c0141b0) at /home/psergey/dev-git/10.2/sql/sql_parse.cc:6271 #15 0x0000555555b420cb in mysql_execute_command (thd=0x7fff7c000d50) at /home/psergey/dev-git/10.2/sql/sql_parse.cc:3582 The code in find_order_in_list() seems to have left order->in_field_list=false on purpose... The primary usage of order->in_field_list is in create_distinct_group , it doesn't look like we can set it to true for items that were not originally in the select list.

Sergei Petrunia added a comment - 2021-07-03 17:20

Need to discuss this.

Sergei Petrunia added a comment - 2021-07-03 17:20 Need to discuss this.

Alice Sherepa added a comment - 2021-07-15 14:06

./mtr main.subselect4  --view

10.2 fb0b28932ce82903f2fcfb6
210715 14:04:02 [ERROR] mysqld got signal 11 ;

Server version: 10.2.40-MariaDB-debug-log

sql/signal_handler.cc:221(handle_fatal_signal)[0x55bdc217768e]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x12730)[0x7fba7c7f8730]
sql/item_subselect.cc:6888(Item_subselect::init_expr_cache_tracker(THD*))[0x55bdc239cb7c]
sql/item_subselect.cc:1316(Item_singlerow_subselect::expr_cache_insert_transformer(THD, unsigned char))[0x55bdc236ee94]
sql/item.cc:733(Item::transform(THD, Item (Item::)(THD, unsigned char), unsigned char))[0x55bdc21b6ded]
sql/sql_select.cc:3187(JOIN::setup_subquery_caches())[0x55bdc1bcf379]
sql/sql_select.cc:2095(JOIN::optimize_inner())[0x55bdc1bc39b4]
sql/sql_select.cc:1127(JOIN::optimize())[0x55bdc1bb97ec]
sql/sql_lex.cc:3868(st_select_lex::optimize_unflattened_subqueries(bool))[0x55bdc1aeadf0]
sql/opt_subselect.cc:5360(JOIN::optimize_constant_subqueries())[0x55bdc1f95f3c]
sql/sql_select.cc:1349(JOIN::optimize_inner())[0x55bdc1bbb9ad]
sql/sql_select.cc:1127(JOIN::optimize())[0x55bdc1bb97ec]
sql/sql_derived.cc:920(mysql_derived_optimize(THD, LEX, TABLE_LIST*))[0x55bdc1a91644]
sql/sql_derived.cc:192(mysql_handle_single_derived(LEX, TABLE_LIST, unsigned int))[0x55bdc1a8cd26]
sql/sql_select.cc:1413(JOIN::optimize_inner())[0x55bdc1bbc8e6]
sql/sql_select.cc:1127(JOIN::optimize())[0x55bdc1bb97ec]
sql/sql_select.cc:3835(mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex))[0x55bdc1bd4c3a]
sql/sql_select.cc:361(handle_select(THD, LEX, select_result*, unsigned long))[0x55bdc1bb18ce]
sql/sql_parse.cc:6271(execute_sqlcom_select(THD, TABLE_LIST))[0x55bdc1b25228]
sql/sql_parse.cc:3582(mysql_execute_command(THD*))[0x55bdc1b109af]
sql/sql_parse.cc:7793(mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool))[0x55bdc1b2e546]
sql/sql_parse.cc:1830(dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool))[0x55bdc1b05593]
sql/sql_parse.cc:1381(do_command(THD*))[0x55bdc1b01fc4]
sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x55bdc1eace5c]
sql/sql_connect.cc:1242(handle_one_connection)[0x55bdc1eac71d]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55bdc334e63c]
nptl/pthread_create.c:487(start_thread)[0x7fba7c7edfa3]
x86_64/clone.S:97(clone)[0x7fba7c1714cf]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x62b000000290): SELECT * FROM mysqltest_tmp_v

Alice Sherepa added a comment - 2021-07-15 14:06 ./mtr main.subselect4 --view 10.2 fb0b28932ce82903f2fcfb6 210715 14:04:02 [ERROR] mysqld got signal 11 ; Server version: 10.2.40-MariaDB-debug-log sql/signal_handler.cc:221(handle_fatal_signal)[0x55bdc217768e] /lib/x86_64-linux-gnu/libpthread.so.0(+0x12730)[0x7fba7c7f8730] sql/item_subselect.cc:6888(Item_subselect::init_expr_cache_tracker(THD*))[0x55bdc239cb7c] sql/item_subselect.cc:1316(Item_singlerow_subselect::expr_cache_insert_transformer(THD*, unsigned char*))[0x55bdc236ee94] sql/item.cc:733(Item::transform(THD*, Item* (Item::*)(THD*, unsigned char*), unsigned char*))[0x55bdc21b6ded] sql/sql_select.cc:3187(JOIN::setup_subquery_caches())[0x55bdc1bcf379] sql/sql_select.cc:2095(JOIN::optimize_inner())[0x55bdc1bc39b4] sql/sql_select.cc:1127(JOIN::optimize())[0x55bdc1bb97ec] sql/sql_lex.cc:3868(st_select_lex::optimize_unflattened_subqueries(bool))[0x55bdc1aeadf0] sql/opt_subselect.cc:5360(JOIN::optimize_constant_subqueries())[0x55bdc1f95f3c] sql/sql_select.cc:1349(JOIN::optimize_inner())[0x55bdc1bbb9ad] sql/sql_select.cc:1127(JOIN::optimize())[0x55bdc1bb97ec] sql/sql_derived.cc:920(mysql_derived_optimize(THD*, LEX*, TABLE_LIST*))[0x55bdc1a91644] sql/sql_derived.cc:192(mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int))[0x55bdc1a8cd26] sql/sql_select.cc:1413(JOIN::optimize_inner())[0x55bdc1bbc8e6] sql/sql_select.cc:1127(JOIN::optimize())[0x55bdc1bb97ec] sql/sql_select.cc:3835(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55bdc1bd4c3a] sql/sql_select.cc:361(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55bdc1bb18ce] sql/sql_parse.cc:6271(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55bdc1b25228] sql/sql_parse.cc:3582(mysql_execute_command(THD*))[0x55bdc1b109af] sql/sql_parse.cc:7793(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55bdc1b2e546] sql/sql_parse.cc:1830(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55bdc1b05593] sql/sql_parse.cc:1381(do_command(THD*))[0x55bdc1b01fc4] sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x55bdc1eace5c] sql/sql_connect.cc:1242(handle_one_connection)[0x55bdc1eac71d] perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55bdc334e63c] nptl/pthread_create.c:487(start_thread)[0x7fba7c7edfa3] x86_64/clone.S:97(clone)[0x7fba7c1714cf] Trying to get some variables. Some pointers may be invalid and cause the dump to abort. Query (0x62b000000290): SELECT * FROM mysqltest_tmp_v

Alice Sherepa made changes - 2021-07-16 15:51

Link

This issue is duplicated by ~~MDEV-26164~~ [ ~~MDEV-26164~~ ]

Alice Sherepa added a comment - 2021-07-16 15:52

test case from ~~MDEV-26164~~:

-- source include/have_innodb.inc

create table t(a int) engine=innodb;

select 1 from t where not exists

  select 1 from t where binary current_time()

  group by (select a),(select 1)

);

Alice Sherepa added a comment - 2021-07-16 15:52 test case from MDEV-26164 : -- source include/have_innodb.inc create table t(a int ) engine=innodb; select 1 from t where not exists ( select 1 from t where binary current_time () group by ( select a),( select 1) );

Alice Sherepa made changes - 2021-08-27 13:20

Link

This issue is duplicated by ~~MDEV-26428~~ [ ~~MDEV-26428~~ ]

Sergei Golubchik made changes - 2021-12-06 21:36

Workflow

MariaDB v3 [ 123116 ]

MariaDB v4 [ 144377 ]

Sergei Golubchik made changes - 2022-04-13 13:02

Remote Link

This issue links to "CVE-2022-27384 (Web Link)" [ 33622 ]

Sergei Golubchik made changes - 2022-04-13 13:02

Priority

Major [ 3 ]

Blocker [ 1 ]

Sergei Golubchik made changes - 2022-04-19 13:06

Description

Steps to reproduce:

{code:sql}

CREATE TABLE v0 ( v1 INT PRIMARY KEY ) ;
INSERT INTO v0 VALUES ( ( ( 23695630.000000 ) ) NOT IN ( SELECT DISTINCT - ( 89 IN ( 127 , 'x' , NULL ) ) IN ( 'x' , 127 ) FROM v0 AS v2 WHERE v1 IS NOT NULL GROUP BY ( ( SELECT DISTINCT - ( 'x' IN ( 65 , NULL ) ) IN ( 'x' , -2147483648 ) AND ( SELECT NULL WHERE - ( 16 ) AND ( v1 IN ( ( ( v1 = v1 ) ) = 'x' ) ) = -2147483648 ) ) ) ORDER BY ( v1 = 'x' AND 84 ) OR ( v1 = 8 AND v1 = -1 ) ASC ) ) ;
CREATE TABLE v3 ( v4 INTEGER , v5 INT PRIMARY KEY , v6 VARCHAR ( 24 ) , v7 INT , v8 INT , v9 INT ) ;
INSERT INTO v3 ( v5 ) VALUES ( ( ( - ( ( 'x' IS NOT NULL ) ) ) ) ) , ( 55 BETWEEN - 80445159.000000 AND - ( ( ( SELECT DISTINCT v1 IN ( ( -1 IN ( ( SELECT DISTINCT - ( 58 IN ( ( -128 IN ( 54560735.000000 ) ) ) ) NOT IN ( 'x' , - ( ( 54 IN ( ( NULL IN ( ( SELECT v1 FROM v0 AS v12 WHERE - ( 99 ) AND v1 = 95 GROUP BY 89382485.000000 ) ) ) ) ) ) ) AS v11 ) ) ) = 'x' ) FROM v0 AS v10 WHERE v1 IS NOT NULL GROUP BY 'x' , 5612101.000000 ) ) ) ) ;

{code}

Backtrace:

Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

{noformat}

Program terminated with signal SIGSEGV, Segmentation fault.

#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

[Current thread is 1 (Thread 0x7f0f26251300 (LWP 1437547))]

gdb-peda$ #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

#1 0x0000559d3cff698f in my_write_core (sig=sig@entry=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2 0x0000559d3ba63583 in handle_fatal_signal (sig=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344

#3 <signal handler called>

#4 0x0000559d3be106ea in Item_subselect::init_expr_cache_tracker (

    this=0x6290021eddb8, thd=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982

#5 0x0000559d3be108df in Item_singlerow_subselect::expr_cache_insert_transformer (this=0x6290021eddb8, tmp_thd=0x62b000070218, unused=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_subselect.cc:1389

#6 0x0000559d3bab3024 in Item::transform (this=<optimized out>,

    thd=<optimized out>, transformer=<optimized out>, arg=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:610

#7 0x0000559d3bb7d48a in Item_cond::transform (this=<optimized out>,

    thd=<optimized out>, transformer=&virtual table offset 1328,

    arg=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:5135

#8 0x0000559d3b235270 in JOIN::setup_subquery_caches (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4225

#9 0x0000559d3b31b21f in JOIN::optimize_stage2 (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:3065

#10 0x0000559d3b327252 in JOIN::optimize_inner (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:2477

#11 0x0000559d3b329eda in JOIN::optimize (this=this@entry=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:1807

#12 0x0000559d3b09fb28 in st_select_lex::optimize_unflattened_subqueries (

    this=0x62b000079968, const_only=const_only@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.cc:4936

#13 0x0000559d3b0643e5 in mysql_insert (thd=thd@entry=0x62b000070218,

    table_list=<optimized out>, fields=..., values_list=...,

    update_fields=..., update_values=..., duplic=<optimized out>,

    ignore=<optimized out>, result=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982

#14 0x0000559d3b15ca9c in mysql_execute_command (thd=<optimized out>,

    is_called_from_prepared_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4568

#15 0x0000559d3b1188dd in mysql_parse (thd=0x62b000070218,

    rawbuf=<optimized out>, length=<optimized out>,

    parser_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028

#16 0x0000559d3b14edb9 in dispatch_command (command=COM_QUERY,

    thd=0x62b000070218, packet=<optimized out>, packet_length=<optimized out>,

    blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1995

#17 0x0000559d3b153704 in do_command (thd=0x62b000070218,

    blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406

#18 0x0000559d3b61314d in do_handle_one_connection (connect=<optimized out>,

    put_in_cache=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410

#19 0x0000559d3b614807 in handle_one_connection (arg=arg@entry=0x608008ba4fb8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312

#20 0x0000559d3c45fef0 in pfs_spawn_thread (arg=0x617000005b98)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#21 0x00007f0f481e3609 in start_thread (arg=<optimized out>)

    at pthread_create.c:477

#22 0x00007f0f47db7293 in clone ()

    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

gdb-peda$ quit
{noformat}

Steps to reproduce:

{code:sql}

CREATE TABLE v0 ( v1 INT PRIMARY KEY ) ;
INSERT INTO v0 VALUES ( ( ( 23695630.000000 ) ) NOT IN ( SELECT DISTINCT - ( 89 IN ( 127 , 'x' , NULL ) ) IN ( 'x' , 127 ) FROM v0 AS v2 WHERE v1 IS NOT NULL GROUP BY ( ( SELECT DISTINCT - ( 'x' IN ( 65 , NULL ) ) IN ( 'x' , -2147483648 ) AND ( SELECT NULL WHERE - ( 16 ) AND ( v1 IN ( ( ( v1 = v1 ) ) = 'x' ) ) = -2147483648 ) ) ) ORDER BY ( v1 = 'x' AND 84 ) OR ( v1 = 8 AND v1 = -1 ) ASC ) ) ;
CREATE TABLE v3 ( v4 INTEGER , v5 INT PRIMARY KEY , v6 VARCHAR ( 24 ) , v7 INT , v8 INT , v9 INT ) ;
INSERT INTO v3 ( v5 ) VALUES ( ( ( - ( ( 'x' IS NOT NULL ) ) ) ) ) , ( 55 BETWEEN - 80445159.000000 AND - ( ( ( SELECT DISTINCT v1 IN ( ( -1 IN ( ( SELECT DISTINCT - ( 58 IN ( ( -128 IN ( 54560735.000000 ) ) ) ) NOT IN ( 'x' , - ( ( 54 IN ( ( NULL IN ( ( SELECT v1 FROM v0 AS v12 WHERE - ( 99 ) AND v1 = 95 GROUP BY 89382485.000000 ) ) ) ) ) ) ) AS v11 ) ) ) = 'x' ) FROM v0 AS v10 WHERE v1 IS NOT NULL GROUP BY 'x' , 5612101.000000 ) ) ) ) ;

{code}

Backtrace:
Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

{noformat}
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x7f0f26251300 (LWP 1437547))]
gdb-peda$ #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1 0x0000559d3cff698f in my_write_core (sig=sig@entry=0xb)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424
#2 0x0000559d3ba63583 in handle_fatal_signal (sig=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344
#3 <signal handler called>
#4 0x0000559d3be106ea in Item_subselect::init_expr_cache_tracker (
    this=0x6290021eddb8, thd=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982
#5 0x0000559d3be108df in Item_singlerow_subselect::expr_cache_insert_transformer (this=0x6290021eddb8, tmp_thd=0x62b000070218, unused=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_subselect.cc:1389
#6 0x0000559d3bab3024 in Item::transform (this=<optimized out>,
    thd=<optimized out>, transformer=<optimized out>, arg=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:610
#7 0x0000559d3bb7d48a in Item_cond::transform (this=<optimized out>,
    thd=<optimized out>, transformer=&virtual table offset 1328,
    arg=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:5135
#8 0x0000559d3b235270 in JOIN::setup_subquery_caches (this=0x62900222e478)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4225
#9 0x0000559d3b31b21f in JOIN::optimize_stage2 (this=0x62900222e478)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:3065
#10 0x0000559d3b327252 in JOIN::optimize_inner (this=0x62900222e478)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:2477
#11 0x0000559d3b329eda in JOIN::optimize (this=this@entry=0x62900222e478)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:1807
#12 0x0000559d3b09fb28 in st_select_lex::optimize_unflattened_subqueries (
    this=0x62b000079968, const_only=const_only@entry=0x0)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.cc:4936
#13 0x0000559d3b0643e5 in mysql_insert (thd=thd@entry=0x62b000070218,
    table_list=<optimized out>, fields=..., values_list=...,
    update_fields=..., update_values=..., duplic=<optimized out>,
    ignore=<optimized out>, result=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982
#14 0x0000559d3b15ca9c in mysql_execute_command (thd=<optimized out>,
    is_called_from_prepared_stmt=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4568
#15 0x0000559d3b1188dd in mysql_parse (thd=0x62b000070218,
    rawbuf=<optimized out>, length=<optimized out>,
    parser_state=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028
#16 0x0000559d3b14edb9 in dispatch_command (command=COM_QUERY,
    thd=0x62b000070218, packet=<optimized out>, packet_length=<optimized out>,
    blocking=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1995
#17 0x0000559d3b153704 in do_command (thd=0x62b000070218,
    blocking=blocking@entry=0x1)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406
#18 0x0000559d3b61314d in do_handle_one_connection (connect=<optimized out>,
    put_in_cache=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410
#19 0x0000559d3b614807 in handle_one_connection (arg=arg@entry=0x608008ba4fb8)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312
#20 0x0000559d3c45fef0 in pfs_spawn_thread (arg=0x617000005b98)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201
#21 0x00007f0f481e3609 in start_thread (arg=<optimized out>)
    at pthread_create.c:477
#22 0x00007f0f47db7293 in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
gdb-peda$ quit
{noformat}

Sergei Petrunia added a comment - 2022-04-22 15:46

Check out Item_subselect::set_fake_select_as_master_processor(). It has this:
An observation: there exists code that "un-eliminates" an item: see Item_subselect::set_fake_select_as_master_processor

/*

    Undo Item_subselect::eliminate_subselect_processor because at that phase

    we don't know yet that the ORDER clause will be moved to the fake select.

*/

    unit->item= this;

    eliminated= FALSE;

Sergei Petrunia added a comment - 2022-04-22 15:46 Check out Item_subselect::set_fake_select_as_master_processor(). It has this: An observation: there exists code that "un-eliminates" an item: see Item_subselect::set_fake_select_as_master_processor /* Undo Item_subselect::eliminate_subselect_processor because at that phase we don't know yet that the ORDER clause will be moved to the fake select. */ unit->item= this ; eliminated= FALSE;

Sergei Petrunia added a comment - 2022-04-22 17:27

A patch: https://github.com/MariaDB/server/commit/c01ee954bf3b10fef85af7b8c77d319ff7bd6b61

Sergei Petrunia added a comment - 2022-04-22 17:27 A patch: https://github.com/MariaDB/server/commit/c01ee954bf3b10fef85af7b8c77d319ff7bd6b61

Sergei Petrunia added a comment - 2022-04-22 17:28

Note that this patch doesn't fix ~~MDEV-27957~~. for that MDEV, a crash becomes a memory leak (one can see it reported by e.g. my_malloc)

Sergei Petrunia added a comment - 2022-04-22 17:28 Note that this patch doesn't fix MDEV-27957 . for that MDEV, a crash becomes a memory leak (one can see it reported by e.g. my_malloc)

Sergei Petrunia added a comment - 2022-04-22 17:28 - edited

sanja please review

Sergei Petrunia added a comment - 2022-04-22 17:28 - edited sanja please review

Sergei Petrunia made changes - 2022-04-22 17:28

Assignee	Sergei Petrunia [ psergey ]	Oleg Smirnov [ JIRAUSER50405 ]
Status	Confirmed [ 10101 ]	In Review [ 10002 ]

Sergei Petrunia made changes - 2022-04-22 17:28

Assignee

Oleg Smirnov [ JIRAUSER50405 ]

Oleksandr Byelkin [ sanja ]

Sergei Petrunia added a comment - 2022-04-22 18:01

Note: for unused fields in select lists, we had intent to fix this in the future versions: MDEV-27201.

Sergei Petrunia added a comment - 2022-04-22 18:01 Note: for unused fields in select lists, we had intent to fix this in the future versions: MDEV-27201 .

Oleksandr Byelkin added a comment - 2022-04-24 09:52

OK to push

Oleksandr Byelkin added a comment - 2022-04-24 09:52 OK to push

Oleksandr Byelkin made changes - 2022-04-24 09:52

Status

In Review [ 10002 ]

Stalled [ 10000 ]

Oleksandr Byelkin made changes - 2022-04-24 09:52

Assignee

Oleksandr Byelkin [ sanja ]

Sergei Petrunia [ psergey ]

Sergei Petrunia made changes - 2022-04-26 12:55

Component/s		Optimizer [ 10200 ]
Fix Version/s		10.2.44 [ 27514 ]
Fix Version/s		10.3.35 [ 27512 ]
Fix Version/s		10.4.25 [ 27510 ]
Fix Version/s		10.5.16 [ 27508 ]
Fix Version/s		10.6.8 [ 27506 ]
Fix Version/s		10.7.4 [ 27504 ]
Fix Version/s		10.8.3 [ 27502 ]
Fix Version/s	10.2 [ 14601 ]
Fix Version/s	10.3 [ 22126 ]
Fix Version/s	10.4 [ 22408 ]
Fix Version/s	10.5 [ 23123 ]
Fix Version/s	10.6 [ 24028 ]
Resolution		Fixed [ 1 ]
Status	Stalled [ 10000 ]	Closed [ 6 ]

Elena Stepanova made changes - 2022-04-28 14:05

Link

This issue causes ~~MDEV-28437~~ [ ~~MDEV-28437~~ ]

Sergei Golubchik made changes - 2022-07-02 07:49

Remote Link

This issue links to "CVE-2022-32083 (Web Link)" [ 34070 ]

Alice Sherepa made changes - 2023-10-12 13:37

Link

This issue relates to ~~MDEV-27957~~ [ ~~MDEV-27957~~ ]

Alice Sherepa made changes - 2023-10-12 14:07

Link

This issue relates to MDEV-32394 [ MDEV-32394 ]

People

Assignee:: Sergei Petrunia

Reporter:: yaoguang

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2021-06-30 06:35

Updated:: 2023-10-12 14:07

Resolved:: 2022-04-26 12:55

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.