Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 10.4(EOL), 10.5, 10.6, 10.7(EOL)
Description
This may prove to be a duplicate of MDEV-17783 and/or MDEV-23937, however there is a different situation here (stack smashing). It is also unclear if the MDEV-17783 patch already made it to 10.7 trunk. A 10.7 trunk build from today still shows the issue. Finally, the versions affected look to be different.
# mysqld options required for replay: --innodb_strict_mode=OFF
SET SESSION join_cache_level=5;
CREATE TABLE t3 (c INT) ENGINE=InnoDB;
CREATE TABLE t2 (c INT) ENGINE=InnoDB PARTITION BY RANGE (c)(PARTITION p0 VALUES LESS THAN (1),PARTITION p VALUES LESS THAN (2), PARTITION p2 VALUES LESS THAN (3));
CREATE TABLE t (c1 INT,c2 INT,c3 INT,c4 INT,c5 INT,c6 INT,c7 INT,c8 INT,c9 INT,c10 INT,c11 INT,c12 INT,c13 INT,c14 INT,c15 INT,c16 INT,c17 INT,c18 INT,c19 INT,c20 INT,c21 INT,c22 INT,c23 INT,c24 INT,c25 INT,c26 INT,c27 INT,c28 INT,c29 INT,c30 INT,c31 INT,c32 INT,c33 INT,c34 INT,c35 INT,c36 INT,c37 INT,c38 INT,c39 INT,c40 INT,c41 INT,c42 INT,c43 INT,c44 INT,c45 INT,c46 INT,c47 INT,c48 INT,c49 INT,c50 INT,c51 INT,c52 INT,c53 INT,c54 INT,c55 INT,c56 INT,c57 INT,c58 INT,c59 INT,c60 INT,c61 INT,c62 INT,c63 INT,c64 INT,c65 INT) ENGINE=InnoDB ROW_FORMAT=DYNAMIC;
SELECT * FROM (SELECT * FROM t NATURAL JOIN t3) as t NATURAL RIGHT JOIN (SELECT * FROM t NATURAL JOIN t2) AS t2;
DROP FUNCTION IF EXISTS f1;
Leads to:
10.7.0 71ed8c136fa203b9b3a678a6d5cc72235ef73ef7 (Debug)
Core was generated by `/test/MD200721-mariadb-10.7.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00005568eba98a05 in table_cond_selectivity (join=<optimized out>,
    idx=<optimized out>, s=<optimized out>, rem_tables=<optimized out>)
    at /test/10.7_dbg/sql/sql_select.cc:9669
9669      return sel;
[Current thread is 1 (Thread 0x153375946700 (LWP 325379))]
(gdb) bt
#0 0x00005568eba98a05 in table_cond_selectivity (join=<optimized out>, idx=<optimized out>, s=<optimized out>, rem_tables=<optimized out>) at /test/10.7_dbg/sql/sql_select.cc:9669
#1 0x0001000100010001 in ?? ()
#2 0x0000000000000006 in ?? ()
#3 0x0000000000000390 in ?? ()
#4 0x401999999999999a in ?? ()
#5 0x4008000000000000 in ?? ()
#6 0x0000000000000010 in ?? ()
#7 0x0000000400000003 in ?? ()
#8 0x000000010000003c in ?? ()
#9 0x0000000000000260 in ?? ()
#10 0x4008000000000000 in ?? ()
#11 0x4013333333333333 in ?? ()
#12 0x0000000000000000 in ?? ()
|
10.6.3 891a927e804c5a3a582f6137c2f316ef7abb25ca (Optimized)
Core was generated by `/test/MD280621-mariadb-10.6.3-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000559a0f8c4dc9 in table_cond_selectivity (join=<optimized out>,
    idx=<optimized out>, s=<optimized out>, rem_tables=<optimized out>)
    at /test/10.6_opt/sql/sql_select.cc:9354
9354      table_map used_tables= item_equal->used_tables();
[Current thread is 1 (Thread 0x14cabc0b4700 (LWP 341412))]
(gdb) bt
#0 0x0000559a0f8c4dc9 in table_cond_selectivity (join=<optimized out>, idx=<optimized out>, s=<optimized out>, rem_tables=<optimized out>) at /test/10.6_opt/sql/sql_select.cc:9354
#1 0x0001000100010001 in ?? ()
#2 0x0000000000000390 in ?? ()
#3 0x401999999999999a in ?? ()
#4 0x4008000000000000 in ?? ()
#5 0x0000000000000010 in ?? ()
#6 0x4008000000000000 in ?? ()
#7 0x0000550000000003 in ?? ()
#8 0x0000003c00000004 in ?? ()
#9 0x4013333333333333 in ?? ()
#10 0x0000000000000260 in ?? ()
#11 0x000014cabc0b1f30 in ?? ()
#12 0x4008000000000000 in ?? ()
#13 0x0000000000000000 in ?? ()
|
The stack smashing may be observed only in x of y runs. See the first comment below for another related stack.
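A small triage helper for backtraces like the ones above, added here as an example (not code from the report or from MariaDB). It parses the gdb frames and labels each bogus "return address": several of the words in the 10.6.3 trace decode as small IEEE-754 doubles (0x4008000000000000 is 3.0, 0x401999999999999a is 6.4, 0x4013333333333333 is 4.8), which is consistent with, though not proof of, double-valued locals overrunning the saved return address of table_cond_selectivity. The sample backtrace embedded below is a constructed subset of the 10.6.3 trace, and the address thresholds assume x86-64 user space.

```python
import re
import struct

# Constructed sample: a subset of the 10.6.3 backtrace quoted in the report.
SAMPLE_BT = """\
#0  0x0000559a0f8c4dc9 in table_cond_selectivity (join=<optimized out>, idx=<optimized out>, s=<optimized out>, rem_tables=<optimized out>) at /test/10.6_opt/sql/sql_select.cc:9354
#1  0x0001000100010001 in ?? ()
#2  0x0000000000000390 in ?? ()
#3  0x401999999999999a in ?? ()
#4  0x4008000000000000 in ?? ()
#11 0x000014cabc0b1f30 in ?? ()
#13 0x0000000000000000 in ?? ()
"""

FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (\S+)")
USER_SPACE_LIMIT = 1 << 47  # x86-64 user-space addresses are canonical only below this

def parse_frames(text):
    # Collect (frame_no, raw 64-bit word, symbol) for every '#N 0x... in sym' line.
    out = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), int(m.group(2), 16), m.group(3)))
    return out

def as_double(word):
    # Reinterpret the raw stack word as an IEEE-754 double (little-endian, as on x86-64).
    return struct.unpack("<d", struct.pack("<Q", word))[0]

def classify(word, symbol):
    # Label what a frame's "return address" most plausibly is.
    if symbol != "??":
        return "code"
    if word == 0:
        return "null"
    if word >= USER_SPACE_LIMIT:
        d = as_double(word)
        return "double %g" % d if 1e-3 <= abs(d) <= 1e6 else "non-canonical"
    return "small-int" if word < (1 << 32) else "pointer-like"

def looks_smashed(frames):
    # The saved return address of frame #0 was overwritten if frame #1 is not code.
    return len(frames) > 1 and classify(frames[1][1], frames[1][2]) != "code"

if __name__ == "__main__":
    frames = parse_frames(SAMPLE_BT)
    for no, word, sym in frames:
        print("#%-2d 0x%016x  %s" % (no, word, classify(word, sym)))
    print("stack smashed:", looks_smashed(frames))
```

Run it against any `bt` output copied from gdb; a trace whose frame #1 is already non-code is the signature to look for when a crash is suspected to be stack corruption rather than a plain bad pointer.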
Bug confirmed present in:
MariaDB: 10.4.20 (dbg), 10.4.20 (opt), 10.5.11 (dbg), 10.5.11 (opt), 10.6.3 (dbg), 10.6.3 (opt), 10.7.0 (dbg), 10.7.0 (opt)
Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.39 (dbg), 10.2.39 (opt), 10.3.30 (dbg), 10.3.30 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.34 (dbg), 5.7.34 (opt), 8.0.24 (dbg), 8.0.24 (opt)
Issue Links
relates to:
- MDEV-17783 AddressSanitizer: stack-buffer-overflow in table_cond_selectivity with optimizer_use_condition_selectivity > 1, join_cache_level >2 (Closed)
- MDEV-23937 SIGSEGV in looped best_extension_by_limited_search from greedy_search on NATURAL JOIN | SIGSEGV in restore_prev_nj_state (Closed)