
SIGSEGV in Item_subselect::is_expensive (+ other SIGSEGVs in MySQL 8.0) and 2x UBSAN: runtime error: member call on null pointer of type 'struct st_select_lex' in Item_subselect::is_expensive and in st_select_lex::next_select



    Description

      Original testcase (reduced version in comments below):

      -- Fuzzer-generated reproducer for MDEV-28502, kept byte-for-byte: the crash
      -- depends on the exact query shape, so do not reformat or "simplify" it
      -- (e.g. do not replace the NATURAL JOINs or the nested CTE).
      -- Security note: every statement below needs only ordinary privileges on a
      -- single user-created table, so any authenticated client that can run SELECT
      -- can terminate the whole mysqld process (the backtraces below end in SIGSEGV);
      -- treat this as a denial-of-service bug, not a wrong-result bug.
      CREATE TABLE v865 ( v866 FLOAT ) ;
       -- Seed data: 67, then -1 and 0. The UPDATE matches no row (only 67 exists at
       -- that point); it is part of the original fuzzer script and whether it is
       -- needed to trigger the crash is not established on this page.
       INSERT INTO v865 ( v866 ) VALUES ( 67 ) ;
       UPDATE v865 SET v866 = -1 WHERE v866 = 33 ;
       INSERT INTO v865 ( v866 ) VALUES ( -1 ) , ( 0 ) ;
       -- The crashing statement (it is the COM_QUERY packet shown in the debug
       -- backtrace). Shape notes: the outer CTE v868 is declared but never referenced;
       -- the nested CTE v872 is NATURAL JOINed twice inside an IN-subquery that is
       -- itself a select-list expression of another IN-subquery. The backtraces show
       -- the fault while converting an IN-subquery to a semi-join during optimization
       -- (convert_subq_to_sj -> Item_cond::fix_fields -> Item::is_expensive ->
       -- Item_subselect::is_expensive), where st_select_lex::next_select() is called
       -- on a NULL select (the UBSAN report in the title). Which of these constructs
       -- is essential is not shown here; see the reduced version in the comments.
       WITH v868 AS ( SELECT v866 FROM ( SELECT v866 FROM v865 GROUP BY v866 ) AS v867 ) SELECT v866 FROM v865 WHERE ( SELECT v866 FROM v865 AS v869 LIMIT 1 OFFSET 1 ) IN ( SELECT v866 FROM ( SELECT v866 , ( SELECT v866 FROM v865 AS v870 LIMIT 1 OFFSET 1 ) IN ( SELECT v866 FROM ( WITH v872 AS ( SELECT v866 % 52 != 50 FROM ( SELECT -128 , 51 , v866 FROM v865 WHERE v866 = 83 ) AS v871 GROUP BY v866 ) SELECT -128 FROM ( SELECT DISTINCT v866 , 'x' FROM v865 ) AS v873 NATURAL JOIN v872 AS v874 , v872 AS v875 NATURAL JOIN v865 ) AS v876 NATURAL JOIN v865 AS v877 WHERE v866 != 84 GROUP BY v866 ) AS v878 FROM v865 ) AS v879 WHERE v878 != 28 GROUP BY v878 ) ;
      

      Leads to a crash of the whole server process (mysqld is terminated by SIGSEGV while optimizing the final SELECT, before any rows are returned):

      10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Optimized)

      Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  Item_subselect::is_expensive (this=0x14f5300540f8)
          at /test/10.9_opt/sql/sql_lex.h:1377
      1377	  st_select_lex* next_select() { return (st_select_lex*) next; }
      [Current thread is 1 (Thread 0x14f55b2fd700 (LWP 1542815))]
      (gdb) bt
      #0  Item_subselect::is_expensive (this=0x14f5300540f8) at /test/10.9_opt/sql/sql_lex.h:1377
      #1  0x000055b844f0efec in Item_args::walk_args (arg=0x0, walk_subquery=false, processor=<optimized out>, this=0x14f5300751c0) at /test/10.9_opt/sql/item.h:2741
      #2  Item_func_or_sum::walk (this=0x14f530075150, processor=&virtual table offset 896, walk_subquery=false, arg=0x0) at /test/10.9_opt/sql/item.h:5428
      #3  0x000055b84524eca1 in Item_direct_view_ref::walk (this=0x14f53007f6d0, processor=<optimized out>, walk_subquery=<optimized out>, arg=0x0) at /test/10.9_opt/sql/item.h:6035
      #4  0x000055b844f0efec in Item_args::walk_args (arg=0x0, walk_subquery=false, processor=<optimized out>, this=0x14f5300554e8) at /test/10.9_opt/sql/item.h:2741
      #5  Item_func_or_sum::walk (this=0x14f530055478, processor=&virtual table offset 896, walk_subquery=false, arg=0x0) at /test/10.9_opt/sql/item.h:5428
      #6  0x000055b844f0eee1 in Item::is_expensive (this=0x14f530055478) at /test/10.9_opt/sql/item.h:2571
      #7  0x000055b845262906 in Item::can_eval_in_optimize (this=0x14f530055478) at /test/10.9_opt/sql/item.h:1696
      #8  Item::can_eval_in_optimize (this=0x14f530055478) at /test/10.9_opt/sql/item.h:1696
      #9  Item_cond::fix_fields (this=0x14f5300812b8, thd=0x14f530000c58, ref=<optimized out>) at /test/10.9_opt/sql/item_cmpfunc.cc:4897
      #10 0x000055b84513892c in Item::fix_fields_if_needed (ref=0x14f530080988, thd=0x14f530000c58, this=<optimized out>) at /test/10.9_opt/sql/item.h:1142
      #11 Item::fix_fields_if_needed (ref=0x14f530080988, thd=0x14f530000c58, this=<optimized out>) at /test/10.9_opt/sql/item.h:1142
      #12 convert_subq_to_sj (subq_pred=<optimized out>, parent_join=0x14f53005c408) at /test/10.9_opt/sql/opt_subselect.cc:1949
      #13 convert_join_subqueries_to_semijoins (join=join@entry=0x14f53005c408) at /test/10.9_opt/sql/opt_subselect.cc:1300
      #14 0x000055b845055a13 in JOIN::optimize_inner (this=0x14f53005c408) at /test/10.9_opt/sql/sql_select.cc:2071
      #15 0x000055b8450596d3 in JOIN::optimize (this=this@entry=0x14f53005c408) at /test/10.9_opt/sql/sql_select.cc:1837
      #16 0x000055b8450597be in mysql_select (thd=0x14f530000c58, tables=0x14f530013f08, fields=@0x14f530013bc8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14f530013ec0, last = 0x14f530013ec0, elements = 1}, <No data fields>}, conds=0x14f5300567b8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x14f53005c3e0, unit=0x14f530004cb8, select_lex=0x14f530013928) at /test/10.9_opt/sql/sql_select.cc:5022
      #17 0x000055b845059f57 in handle_select (thd=thd@entry=0x14f530000c58, lex=lex@entry=0x14f530004be0, result=result@entry=0x14f53005c3e0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.9_opt/sql/sql_select.cc:570
      #18 0x000055b844fdda21 in execute_sqlcom_select (thd=0x14f530000c58, all_tables=0x14f530013f08) at /test/10.9_opt/sql/sql_parse.cc:6271
      #19 0x000055b844feb363 in mysql_execute_command (thd=0x14f530000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:3961
      #20 0x000055b844fd8a55 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14f530000c58) at /test/10.9_opt/sql/sql_parse.cc:8046
      #21 mysql_parse (thd=0x14f530000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:7968
      #22 0x000055b844fe471a in dispatch_command (command=COM_QUERY, thd=0x14f530000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.9_opt/sql/sql_class.h:1364
      #23 0x000055b844fe6642 in do_command (thd=0x14f530000c58, blocking=blocking@entry=true) at /test/10.9_opt/sql/sql_parse.cc:1408
      #24 0x000055b8450fb5bf in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b847c224f8, put_in_cache=put_in_cache@entry=true) at /test/10.9_opt/sql/sql_connect.cc:1418
      #25 0x000055b8450fb89d in handle_one_connection (arg=0x55b847c224f8) at /test/10.9_opt/sql/sql_connect.cc:1312
      #26 0x000014f58bd9b609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #27 0x000014f58b987133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Debug)

      Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x00005635ae85ccea in Item_subselect::is_expensive (this=0x1528c007c678)
          at /test/10.9_dbg/sql/sql_lex.h:1377
      1377	  st_select_lex* next_select() { return (st_select_lex*) next; }
      [Current thread is 1 (Thread 0x1528f33ae700 (LWP 340932))]
      (gdb) bt
      #0  0x00005635ae85ccea in Item_subselect::is_expensive (this=0x1528c007c678) at /test/10.9_dbg/sql/sql_lex.h:1377
      #1  0x00005635ae86f5cf in Item_subselect::is_expensive_processor (this=<optimized out>, arg=<optimized out>) at /test/10.9_dbg/sql/item_subselect.h:258
      #2  0x00005635ae85d09c in Item_subselect::walk (this=this@entry=0x1528c007c678, processor=<optimized out>, walk_subquery=walk_subquery@entry=false, argument=argument@entry=0x0) at /test/10.9_dbg/sql/item_subselect.cc:819
      #3  0x00005635ae86fb53 in Item_in_subselect::walk (this=0x1528c007c678, processor=&virtual table offset 896, walk_subquery=<optimized out>, arg=0x0) at /test/10.9_dbg/sql/item_subselect.h:757
      #4  0x00005635ae36f1ab in Item_args::walk_args (arg=0x0, walk_subquery=false, processor=<optimized out>, this=0x1528c009e440) at /test/10.9_dbg/sql/item.h:2741
      #5  Item_func_or_sum::walk (this=0x1528c009e3d0, processor=<optimized out>, walk_subquery=false, arg=0x0) at /test/10.9_dbg/sql/item.h:5428
      #6  0x00005635ae7886bc in Item_direct_view_ref::walk (this=0x1528c00a9cb0, processor=&virtual Item::is_expensive_processor(void*), walk_subquery=<optimized out>, arg=0x0) at /test/10.9_dbg/sql/item.h:6035
      #7  0x00005635ae36f1ab in Item_args::walk_args (arg=0x0, walk_subquery=false, processor=<optimized out>, this=0x1528c007da68) at /test/10.9_dbg/sql/item.h:2741
      #8  Item_func_or_sum::walk (this=0x1528c007d9f8, processor=<optimized out>, walk_subquery=false, arg=0x0) at /test/10.9_dbg/sql/item.h:5428
      #9  0x00005635ae36f0ea in Item::is_expensive (this=0x1528c007d9f8) at /test/10.9_dbg/sql/item.h:2571
      #10 0x00005635ae79f0b4 in Item::can_eval_in_optimize (this=0x1528c007d9f8) at /test/10.9_dbg/sql/item.h:1698
      #11 Item_cond::fix_fields (this=0x1528c00ab898, thd=0x1528c0000db8, ref=<optimized out>) at /test/10.9_dbg/sql/item_cmpfunc.cc:4897
      #12 0x00005635ae6234f9 in Item::fix_fields_if_needed (ref=0x1528c00aaf68, thd=0x1528c0000db8, this=<optimized out>) at /test/10.9_dbg/sql/item.h:1144
      #13 convert_subq_to_sj (subq_pred=0x1528c007eda8, parent_join=0x1528c00849f8) at /test/10.9_dbg/sql/opt_subselect.cc:1949
      #14 convert_join_subqueries_to_semijoins (join=join@entry=0x1528c00849f8) at /test/10.9_dbg/sql/opt_subselect.cc:1300
      #15 0x00005635ae4f81b1 in JOIN::optimize_inner (this=this@entry=0x1528c00849f8) at /test/10.9_dbg/sql/sql_select.cc:2071
      #16 0x00005635ae4f996c in JOIN::optimize (this=this@entry=0x1528c00849f8) at /test/10.9_dbg/sql/sql_select.cc:1837
      #17 0x00005635ae4f9a5f in mysql_select (thd=thd@entry=0x1528c0000db8, tables=0x1528c0017428, fields=@0x1528c00170e8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1528c00173e0, last = 0x1528c00173e0, elements = 1}, <No data fields>}, conds=0x1528c007eda8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x1528c00849d0, unit=0x1528c0004fd8, select_lex=0x1528c0016e48) at /test/10.9_dbg/sql/sql_select.cc:5022
      #18 0x00005635ae4fa2a8 in handle_select (thd=thd@entry=0x1528c0000db8, lex=lex@entry=0x1528c0004f00, result=result@entry=0x1528c00849d0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.9_dbg/sql/sql_select.cc:570
      #19 0x00005635ae4666c8 in execute_sqlcom_select (thd=thd@entry=0x1528c0000db8, all_tables=0x1528c0017428) at /test/10.9_dbg/sql/sql_parse.cc:6271
      #20 0x00005635ae472935 in mysql_execute_command (thd=thd@entry=0x1528c0000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.9_dbg/sql/sql_parse.cc:3961
      #21 0x00005635ae46067b in mysql_parse (thd=thd@entry=0x1528c0000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1528f33ad470) at /test/10.9_dbg/sql/sql_parse.cc:8046
      #22 0x00005635ae46df79 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1528c0000db8, packet=packet@entry=0x1528c000b699 "WITH v868 AS ( SELECT v866 FROM ( SELECT v866 FROM v865 GROUP BY v866 ) AS v867 ) SELECT v866 FROM v865 WHERE ( SELECT v866 FROM v865 AS v869 LIMIT 1 OFFSET 1 ) IN ( SELECT v866 FROM ( SELECT v866 , ("..., packet_length=packet_length@entry=649, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_class.h:1364
      #23 0x00005635ae470686 in do_command (thd=0x1528c0000db8, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:1408
      #24 0x00005635ae5cdd02 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5635b077e9b8, put_in_cache=put_in_cache@entry=true) at /test/10.9_dbg/sql/sql_connect.cc:1418
      #25 0x00005635ae5ce20b in handle_one_connection (arg=0x5635b077e9b8) at /test/10.9_dbg/sql/sql_connect.cc:1312
      #26 0x000015292ca84609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #27 0x000015292c670133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)
      MySQL: 8.0.28 (dbg), 8.0.28 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.37 (dbg), 5.7.37 (opt)
