[MDEV-28502] SIGSEGV in Item_subselect::is_expensive (+ other SIGSEGV's in MS 8.0) and 2x UBSAN: runtime error: member call on null pointer of type 'struct st_select_lex' in Item_subselect::is_expensive and in st_select_lex::next_select - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4, 11.5(EOL)
Fix Version/s: N/A
Component/s: Optimizer
Labels:

Description

Original testcase (reduced version in comments below):

CREATE TABLE v865 ( v866 FLOAT ) ;

 INSERT INTO v865 ( v866 ) VALUES ( 67 ) ;

 UPDATE v865 SET v866 = -1 WHERE v866 = 33 ;

 INSERT INTO v865 ( v866 ) VALUES ( -1 ) , ( 0 ) ;

 WITH v868 AS ( SELECT v866 FROM ( SELECT v866 FROM v865 GROUP BY v866 ) AS v867 ) SELECT v866 FROM v865 WHERE ( SELECT v866 FROM v865 AS v869 LIMIT 1 OFFSET 1 ) IN ( SELECT v866 FROM ( SELECT v866 , ( SELECT v866 FROM v865 AS v870 LIMIT 1 OFFSET 1 ) IN ( SELECT v866 FROM ( WITH v872 AS ( SELECT v866 % 52 != 50 FROM ( SELECT -128 , 51 , v866 FROM v865 WHERE v866 = 83 ) AS v871 GROUP BY v866 ) SELECT -128 FROM ( SELECT DISTINCT v866 , 'x' FROM v865 ) AS v873 NATURAL JOIN v872 AS v874 , v872 AS v875 NATURAL JOIN v865 ) AS v876 NATURAL JOIN v865 AS v877 WHERE v866 != 84 GROUP BY v866 ) AS v878 FROM v865 ) AS v879 WHERE v878 != 28 GROUP BY v878 ) ;

Leads to:

10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Optimized)
Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 Item_subselect::is_expensive (this=0x14f5300540f8)
at /test/10.9_opt/sql/sql_lex.h:1377
1377 st_select_lex* next_select() { return (st_select_lex*) next; }
[Current thread is 1 (Thread 0x14f55b2fd700 (LWP 1542815))]
(gdb) bt
#0 Item_subselect::is_expensive (this=0x14f5300540f8) at /test/10.9_opt/sql/sql_lex.h:1377
#1 0x000055b844f0efec in Item_args::walk_args (arg=0x0, walk_subquery=false, processor=<optimized out>, this=0x14f5300751c0) at /test/10.9_opt/sql/item.h:2741
#2 Item_func_or_sum::walk (this=0x14f530075150, processor=&virtual table offset 896, walk_subquery=false, arg=0x0) at /test/10.9_opt/sql/item.h:5428
#3 0x000055b84524eca1 in Item_direct_view_ref::walk (this=0x14f53007f6d0, processor=<optimized out>, walk_subquery=<optimized out>, arg=0x0) at /test/10.9_opt/sql/item.h:6035
#4 0x000055b844f0efec in Item_args::walk_args (arg=0x0, walk_subquery=false, processor=<optimized out>, this=0x14f5300554e8) at /test/10.9_opt/sql/item.h:2741
#5 Item_func_or_sum::walk (this=0x14f530055478, processor=&virtual table offset 896, walk_subquery=false, arg=0x0) at /test/10.9_opt/sql/item.h:5428
#6 0x000055b844f0eee1 in Item::is_expensive (this=0x14f530055478) at /test/10.9_opt/sql/item.h:2571
#7 0x000055b845262906 in Item::can_eval_in_optimize (this=0x14f530055478) at /test/10.9_opt/sql/item.h:1696
#8 Item::can_eval_in_optimize (this=0x14f530055478) at /test/10.9_opt/sql/item.h:1696
#9 Item_cond::fix_fields (this=0x14f5300812b8, thd=0x14f530000c58, ref=<optimized out>) at /test/10.9_opt/sql/item_cmpfunc.cc:4897
#10 0x000055b84513892c in Item::fix_fields_if_needed (ref=0x14f530080988, thd=0x14f530000c58, this=<optimized out>) at /test/10.9_opt/sql/item.h:1142
#11 Item::fix_fields_if_needed (ref=0x14f530080988, thd=0x14f530000c58, this=<optimized out>) at /test/10.9_opt/sql/item.h:1142
#12 convert_subq_to_sj (subq_pred=<optimized out>, parent_join=0x14f53005c408) at /test/10.9_opt/sql/opt_subselect.cc:1949
#13 convert_join_subqueries_to_semijoins (join=join@entry=0x14f53005c408) at /test/10.9_opt/sql/opt_subselect.cc:1300
#14 0x000055b845055a13 in JOIN::optimize_inner (this=0x14f53005c408) at /test/10.9_opt/sql/sql_select.cc:2071
#15 0x000055b8450596d3 in JOIN::optimize (this=this@entry=0x14f53005c408) at /test/10.9_opt/sql/sql_select.cc:1837
#16 0x000055b8450597be in mysql_select (thd=0x14f530000c58, tables=0x14f530013f08, fields=@0x14f530013bc8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14f530013ec0, last = 0x14f530013ec0, elements = 1}, <No data fields>}, conds=0x14f5300567b8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x14f53005c3e0, unit=0x14f530004cb8, select_lex=0x14f530013928) at /test/10.9_opt/sql/sql_select.cc:5022
#17 0x000055b845059f57 in handle_select (thd=thd@entry=0x14f530000c58, lex=lex@entry=0x14f530004be0, result=result@entry=0x14f53005c3e0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.9_opt/sql/sql_select.cc:570
#18 0x000055b844fdda21 in execute_sqlcom_select (thd=0x14f530000c58, all_tables=0x14f530013f08) at /test/10.9_opt/sql/sql_parse.cc:6271
#19 0x000055b844feb363 in mysql_execute_command (thd=0x14f530000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:3961
#20 0x000055b844fd8a55 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14f530000c58) at /test/10.9_opt/sql/sql_parse.cc:8046
#21 mysql_parse (thd=0x14f530000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:7968
#22 0x000055b844fe471a in dispatch_command (command=COM_QUERY, thd=0x14f530000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.9_opt/sql/sql_class.h:1364
#23 0x000055b844fe6642 in do_command (thd=0x14f530000c58, blocking=blocking@entry=true) at /test/10.9_opt/sql/sql_parse.cc:1408
#24 0x000055b8450fb5bf in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b847c224f8, put_in_cache=put_in_cache@entry=true) at /test/10.9_opt/sql/sql_connect.cc:1418
#25 0x000055b8450fb89d in handle_one_connection (arg=0x55b847c224f8) at /test/10.9_opt/sql/sql_connect.cc:1312
#26 0x000014f58bd9b609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#27 0x000014f58b987133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Debug)
Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00005635ae85ccea in Item_subselect::is_expensive (this=0x1528c007c678)
at /test/10.9_dbg/sql/sql_lex.h:1377
1377 st_select_lex* next_select() { return (st_select_lex*) next; }
[Current thread is 1 (Thread 0x1528f33ae700 (LWP 340932))]
(gdb) bt
#0 0x00005635ae85ccea in Item_subselect::is_expensive (this=0x1528c007c678) at /test/10.9_dbg/sql/sql_lex.h:1377
#1 0x00005635ae86f5cf in Item_subselect::is_expensive_processor (this=<optimized out>, arg=<optimized out>) at /test/10.9_dbg/sql/item_subselect.h:258
#2 0x00005635ae85d09c in Item_subselect::walk (this=this@entry=0x1528c007c678, processor=<optimized out>, walk_subquery=walk_subquery@entry=false, argument=argument@entry=0x0) at /test/10.9_dbg/sql/item_subselect.cc:819
#3 0x00005635ae86fb53 in Item_in_subselect::walk (this=0x1528c007c678, processor=&virtual table offset 896, walk_subquery=<optimized out>, arg=0x0) at /test/10.9_dbg/sql/item_subselect.h:757
#4 0x00005635ae36f1ab in Item_args::walk_args (arg=0x0, walk_subquery=false, processor=<optimized out>, this=0x1528c009e440) at /test/10.9_dbg/sql/item.h:2741
#5 Item_func_or_sum::walk (this=0x1528c009e3d0, processor=<optimized out>, walk_subquery=false, arg=0x0) at /test/10.9_dbg/sql/item.h:5428
#6 0x00005635ae7886bc in Item_direct_view_ref::walk (this=0x1528c00a9cb0, processor=&virtual Item::is_expensive_processor(void*), walk_subquery=<optimized out>, arg=0x0) at /test/10.9_dbg/sql/item.h:6035
#7 0x00005635ae36f1ab in Item_args::walk_args (arg=0x0, walk_subquery=false, processor=<optimized out>, this=0x1528c007da68) at /test/10.9_dbg/sql/item.h:2741
#8 Item_func_or_sum::walk (this=0x1528c007d9f8, processor=<optimized out>, walk_subquery=false, arg=0x0) at /test/10.9_dbg/sql/item.h:5428
#9 0x00005635ae36f0ea in Item::is_expensive (this=0x1528c007d9f8) at /test/10.9_dbg/sql/item.h:2571
#10 0x00005635ae79f0b4 in Item::can_eval_in_optimize (this=0x1528c007d9f8) at /test/10.9_dbg/sql/item.h:1698
#11 Item_cond::fix_fields (this=0x1528c00ab898, thd=0x1528c0000db8, ref=<optimized out>) at /test/10.9_dbg/sql/item_cmpfunc.cc:4897
#12 0x00005635ae6234f9 in Item::fix_fields_if_needed (ref=0x1528c00aaf68, thd=0x1528c0000db8, this=<optimized out>) at /test/10.9_dbg/sql/item.h:1144
#13 convert_subq_to_sj (subq_pred=0x1528c007eda8, parent_join=0x1528c00849f8) at /test/10.9_dbg/sql/opt_subselect.cc:1949
#14 convert_join_subqueries_to_semijoins (join=join@entry=0x1528c00849f8) at /test/10.9_dbg/sql/opt_subselect.cc:1300
#15 0x00005635ae4f81b1 in JOIN::optimize_inner (this=this@entry=0x1528c00849f8) at /test/10.9_dbg/sql/sql_select.cc:2071
#16 0x00005635ae4f996c in JOIN::optimize (this=this@entry=0x1528c00849f8) at /test/10.9_dbg/sql/sql_select.cc:1837
#17 0x00005635ae4f9a5f in mysql_select (thd=thd@entry=0x1528c0000db8, tables=0x1528c0017428, fields=@0x1528c00170e8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1528c00173e0, last = 0x1528c00173e0, elements = 1}, <No data fields>}, conds=0x1528c007eda8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x1528c00849d0, unit=0x1528c0004fd8, select_lex=0x1528c0016e48) at /test/10.9_dbg/sql/sql_select.cc:5022
#18 0x00005635ae4fa2a8 in handle_select (thd=thd@entry=0x1528c0000db8, lex=lex@entry=0x1528c0004f00, result=result@entry=0x1528c00849d0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.9_dbg/sql/sql_select.cc:570
#19 0x00005635ae4666c8 in execute_sqlcom_select (thd=thd@entry=0x1528c0000db8, all_tables=0x1528c0017428) at /test/10.9_dbg/sql/sql_parse.cc:6271
#20 0x00005635ae472935 in mysql_execute_command (thd=thd@entry=0x1528c0000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.9_dbg/sql/sql_parse.cc:3961
#21 0x00005635ae46067b in mysql_parse (thd=thd@entry=0x1528c0000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1528f33ad470) at /test/10.9_dbg/sql/sql_parse.cc:8046
#22 0x00005635ae46df79 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1528c0000db8, packet=packet@entry=0x1528c000b699 "WITH v868 AS ( SELECT v866 FROM ( SELECT v866 FROM v865 GROUP BY v866 ) AS v867 ) SELECT v866 FROM v865 WHERE ( SELECT v866 FROM v865 AS v869 LIMIT 1 OFFSET 1 ) IN ( SELECT v866 FROM ( SELECT v866 , ("..., packet_length=packet_length@entry=649, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_class.h:1364
#23 0x00005635ae470686 in do_command (thd=0x1528c0000db8, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:1408
#24 0x00005635ae5cdd02 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5635b077e9b8, put_in_cache=put_in_cache@entry=true) at /test/10.9_dbg/sql/sql_connect.cc:1418
#25 0x00005635ae5ce20b in handle_one_connection (arg=0x5635b077e9b8) at /test/10.9_dbg/sql/sql_connect.cc:1312
#26 0x000015292ca84609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#27 0x000015292c670133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)
MySQL: 8.0.28 (dbg), 8.0.28 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.37 (dbg), 5.7.37 (opt)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

8_stack
7 kB
2022-05-08 09:57

Issue Links

is duplicated by

MDEV-28621 group by optimization incorrectly removing subquery where subject buried in a function

Closed

relates to

MDEV-29350 Crash when IN predicand is used in eliminated GROUP BY clause

Closed

MDEV-28506 SIGSEGV's in find_field_in_table[s][_ref], Item_field::fix_fields, create_view_field and MemcmpInterceptorCommon | Assertions `(*select_ref)->fixed' or '->is_fixed' and `table_list->table' failed

Stalled

MDEV-29411 SIGSEGV's st_select_lex_unit::set_limit and st_select_lex::get_offset, and Assertion `!eliminated' failed in Item_subselect::exec on SELECT, UBSAN: member access within null pointer of type 'struct st_select_lex' in st_select_lex_unit::set_limit

Closed

Activity

Ascending order - Click to sort in descending order

View 7 older comments

Roel Van de Paar added a comment - 2024-02-23 23:53 - edited

The testcase in the last comment:

SELECT 1 WHERE 1 IN (SELECT 1 FROM (SELECT 1 IN (SELECT 1 FROM (SELECT 1) AS x) AS x FROM (SELECT 1) AS x) AS x WHERE x=1 GROUP BY x);

Now also produces, on optimized UBSAN builds:

UBSAN|member call on null pointer of type 'struct st_select_lex'|sql/item_subselect.cc|Item_subselect::is_expensive|Item_subselect::walk|Item_in_optimizer::walk|Item_direct_view_ref::walk

And on optimized (non-SAN) builds:

SIGSEGV|Item_subselect::is_expensive|Item_in_optimizer::walk|Item_direct_view_ref::walk|Item_args::walk_args

Which both seem to be new UniqueID's/stacks.

Roel Van de Paar added a comment - 2024-02-23 23:53 - edited The testcase in the last comment: SELECT 1 WHERE 1 IN ( SELECT 1 FROM ( SELECT 1 IN ( SELECT 1 FROM ( SELECT 1) AS x) AS x FROM ( SELECT 1) AS x) AS x WHERE x=1 GROUP BY x); Now also produces, on optimized UBSAN builds: UBSAN|member call on null pointer of type 'struct st_select_lex'|sql/item_subselect.cc|Item_subselect::is_expensive|Item_subselect::walk|Item_in_optimizer::walk|Item_direct_view_ref::walk And on optimized (non-SAN) builds: SIGSEGV|Item_subselect::is_expensive|Item_in_optimizer::walk|Item_direct_view_ref::walk|Item_args::walk_args Which both seem to be new UniqueID's/stacks.

Roel Van de Paar added a comment - 2024-05-12 23:03

This testcase:

CREATE TABLE t (c INT);

SET SESSION optimizer_switch='in_to_exists=OFF';

SELECT c FROM t WHERE (SELECT * FROM t) IN (SELECT c FROM (SELECT c, (SELECT * FROM t) IN (SELECT 1 FROM (WITH v3 AS (SELECT 1 FROM (SELECT * FROM t) AS c GROUP BY c) SELECT 1 FROM (SELECT * FROM t) AS v4 JOIN v3 AS v1,v3 AS c1 JOIN t) AS v8 JOIN t AS v7 WHERE c=1 GROUP BY c) AS v5 FROM t) AS v6 WHERE v5=1 GROUP BY v5);

Leads to the new:

SIGSEGV|Item_subselect::is_expensive|Item_subselect::is_expensive_processor|Item_subselect::walk|Item_in_optimizer::walk

In 10.11.8 (dbg). However, in 11.5 it leads to the (previously known):

SIGSEGV|Item_subselect::is_expensive|Item_subselect::is_expensive_processor|Item_subselect::walk|Item_in_subselect::walk

Note the subtle Item_in_optimizer vs Item_in_subselect difference. Here is the full stack for 10.11.8/Item_in_optimizer:

10.11.8 c3460e690431ce94705888737c2b9de6968665a7 (Debug)
Core was generated by `/test/MD240424-mariadb-10.11.8-linux-x86_64-dbg/bin/mariadbd --no-defaults --ma'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000557081138e19 in Item_subselect::is_expensive (this=0x149d3c016e60)at /test/10.11_dbg/sql/item_subselect.cc:586

warning: Source file is more recent than executable.
586 if (!unit->first_select()->next_select()) // no union
[Current thread is 1 (LWP 859583)]
(gdb) bt
#0 0x0000557081138e19 in Item_subselect::is_expensive (this=0x149d3c016e60)at /test/10.11_dbg/sql/item_subselect.cc:586
#1 0x000055708114b24d in Item_subselect::is_expensive_processor (this=<optimized out>, arg=<optimized out>)at /test/10.11_dbg/sql/item_subselect.h:257
#2 0x00005570811391dc in Item_subselect::walk (this=0x149d3c016e60, processor=<optimized out>, walk_subquery=<optimized out>, argument=0x0)at /test/10.11_dbg/sql/item_subselect.cc:779
#3 0x0000557081078a8f in Item_in_optimizer::walk (this=0x149d3c097298, processor=&virtual table offset 936, walk_subquery=<optimized out>, arg=0x0) at /test/10.11_dbg/sql/item_cmpfunc.cc:1501
#4 0x000055708106bc70 in Item_direct_view_ref::walk (this=0x149d3c097c10, processor=&virtual Item::is_expensive_processor(void*), walk_subquery=<optimized out>, arg=0x0) at /test/10.11_dbg/sql/item.h:6147
#5 0x0000557080c5cef5 in Item_args::walk_args (arg=0x0, walk_subquery=false, processor=<optimized out>, this=0x149d3c033a18)at /test/10.11_dbg/sql/item.h:2807
#6 Item_func_or_sum::walk (this=0x149d3c0339a8, processor=&virtual Item::is_expensive_processor(void*), walk_subquery=false, arg=0x0) at /test/10.11_dbg/sql/item.h:5530
#7 0x0000557080c5b825 in Item::is_expensive (this=0x149d3c0339a8)at /test/10.11_dbg/sql/item.h:2616
#8 0x000055708107c517 in Item::can_eval_in_optimize (this=0x149d3c0339a8)at /test/10.11_dbg/sql/item.h:1731
#9 Item_cond::eval_not_null_tables (this=0x149d3c098920, opt_arg=<optimized out>) at /test/10.11_dbg/sql/item_cmpfunc.cc:5156
#10 0x000055708108d233 in Item_cond::fix_fields (this=0x149d3c098920, thd=0x149d3c000d58, ref=<optimized out>)at /test/10.11_dbg/sql/item_cmpfunc.cc:5077
#11 0x0000557080f140bf in Item::fix_fields_if_needed (ref=0x149d3c097fb0, thd=0x149d3c000d58, this=<optimized out>)at /test/10.11_dbg/sql/item.h:1166
#12 convert_subq_to_sj (subq_pred=0x149d3c034518, parent_join=0x149d3c039b00)at /test/10.11_dbg/sql/opt_subselect.cc:1972
#13 convert_join_subqueries_to_semijoins (join=join@entry=0x149d3c039b00)at /test/10.11_dbg/sql/opt_subselect.cc:1323
#14 0x0000557080de177f in JOIN::optimize_inner (this=this@entry=0x149d3c039b00)at /test/10.11_dbg/sql/sql_select.cc:2160
#15 0x0000557080de3046 in JOIN::optimize (this=this@entry=0x149d3c039b00)at /test/10.11_dbg/sql/sql_select.cc:1915
#16 0x0000557080de3136 in mysql_select (thd=thd@entry=0x149d3c000d58, tables=0x149d3c013d98, fields=@0x149d3c013a18: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x149d3c013d48, last = 0x149d3c013d48, elements = 1}, <No data fields>}, conds=0x149d3c034518, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x149d3c039ad8, unit=0x149d3c0051f8, select_lex=0x149d3c013760)at /test/10.11_dbg/sql/sql_select.cc:5156
#17 0x0000557080de3982 in handle_select (thd=thd@entry=0x149d3c000d58, lex=lex@entry=0x149d3c005120, result=result@entry=0x149d3c039ad8, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/10.11_dbg/sql/sql_select.cc:586
#18 0x0000557080d485d5 in execute_sqlcom_select (thd=thd@entry=0x149d3c000d58, all_tables=0x149d3c013d98) at /test/10.11_dbg/sql/sql_parse.cc:6384
#19 0x0000557080d53c43 in mysql_execute_command (thd=thd@entry=0x149d3c000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/10.11_dbg/sql/sql_parse.cc:3987
#20 0x0000557080d5b3a9 in mysql_parse (thd=thd@entry=0x149d3c000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x149d6c0bd2f0)at /test/10.11_dbg/sql/sql_parse.cc:8126
#21 0x0000557080d5d884 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x149d3c000d58, packet=packet@entry=0x149d3c00b149 "SELECT c FROM t WHERE (SELECT * FROM t) IN (SELECT c FROM (SELECT c, (SELECT * FROM t) IN (SELECT 1 FROM (WITH v3 AS (SELECT 1 FROM (SELECT * FROM t) AS c GROUP BY c) SELECT 1 FROM (SELECT * FROM t) A"..., packet_length=packet_length@entry=320, blocking=blocking@entry=true)at /test/10.11_dbg/sql/sql_class.h:244
#22 0x0000557080d5fb25 in do_command (thd=0x149d3c000d58, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407
#23 0x0000557080ebcbc1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x557084187ca8, put_in_cache=put_in_cache@entry=true)at /test/10.11_dbg/sql/sql_connect.cc:1415
#24 0x0000557080ebcec0 in handle_one_connection (arg=arg@entry=0x557084187ca8)at /test/10.11_dbg/sql/sql_connect.cc:1317
#25 0x00005570812e3a34 in pfs_spawn_thread (arg=0x5570841510a8)at /test/10.11_dbg/storage/perfschema/pfs.cc:2201
#26 0x0000149d83c8f18a in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:444
#27 0x0000149d83d1dbd0 in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Also note the use of in_to_exists.

Roel Van de Paar added a comment - 2024-05-12 23:03 This testcase: CREATE TABLE t (c INT ); SET SESSION optimizer_switch= 'in_to_exists=OFF' ; SELECT c FROM t WHERE ( SELECT * FROM t) IN ( SELECT c FROM ( SELECT c, ( SELECT * FROM t) IN ( SELECT 1 FROM ( WITH v3 AS ( SELECT 1 FROM ( SELECT * FROM t) AS c GROUP BY c) SELECT 1 FROM ( SELECT * FROM t) AS v4 JOIN v3 AS v1,v3 AS c1 JOIN t) AS v8 JOIN t AS v7 WHERE c=1 GROUP BY c) AS v5 FROM t) AS v6 WHERE v5=1 GROUP BY v5); Leads to the new: SIGSEGV|Item_subselect::is_expensive|Item_subselect::is_expensive_processor|Item_subselect::walk|Item_in_optimizer::walk In 10.11.8 (dbg). However, in 11.5 it leads to the (previously known): SIGSEGV|Item_subselect::is_expensive|Item_subselect::is_expensive_processor|Item_subselect::walk|Item_in_subselect::walk Note the subtle Item_in_optimizer vs Item_in_subselect difference. Here is the full stack for 10.11.8/Item_in_optimizer: 10.11.8 c3460e690431ce94705888737c2b9de6968665a7 (Debug) Core was generated by `/test/MD240424-mariadb-10.11.8-linux-x86_64-dbg/bin/mariadbd --no-defaults --ma'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x0000557081138e19 in Item_subselect::is_expensive (this=0x149d3c016e60)at /test/10.11_dbg/sql/item_subselect.cc:586 warning: Source file is more recent than executable. 586 if (!unit->first_select()->next_select()) // no union [Current thread is 1 (LWP 859583)] (gdb) bt #0 0x0000557081138e19 in Item_subselect::is_expensive (this=0x149d3c016e60)at /test/10.11_dbg/sql/item_subselect.cc:586 #1 0x000055708114b24d in Item_subselect::is_expensive_processor (this=<optimized out>, arg=<optimized out>)at /test/10.11_dbg/sql/item_subselect.h:257 #2 0x00005570811391dc in Item_subselect::walk (this=0x149d3c016e60, processor=<optimized out>, walk_subquery=<optimized out>, argument=0x0)at /test/10.11_dbg/sql/item_subselect.cc:779 #3 0x0000557081078a8f in Item_in_optimizer::walk (this=0x149d3c097298, processor=&virtual table offset 936, walk_subquery=<optimized out>, arg=0x0) at /test/10.11_dbg/sql/item_cmpfunc.cc:1501 #4 0x000055708106bc70 in Item_direct_view_ref::walk (this=0x149d3c097c10, processor=&virtual Item::is_expensive_processor(void*), walk_subquery=<optimized out>, arg=0x0) at /test/10.11_dbg/sql/item.h:6147 #5 0x0000557080c5cef5 in Item_args::walk_args (arg=0x0, walk_subquery=false, processor=<optimized out>, this=0x149d3c033a18)at /test/10.11_dbg/sql/item.h:2807 #6 Item_func_or_sum::walk (this=0x149d3c0339a8, processor=&virtual Item::is_expensive_processor(void*), walk_subquery=false, arg=0x0) at /test/10.11_dbg/sql/item.h:5530 #7 0x0000557080c5b825 in Item::is_expensive (this=0x149d3c0339a8)at /test/10.11_dbg/sql/item.h:2616 #8 0x000055708107c517 in Item::can_eval_in_optimize (this=0x149d3c0339a8)at /test/10.11_dbg/sql/item.h:1731 #9 Item_cond::eval_not_null_tables (this=0x149d3c098920, opt_arg=<optimized out>) at /test/10.11_dbg/sql/item_cmpfunc.cc:5156 #10 0x000055708108d233 in Item_cond::fix_fields (this=0x149d3c098920, thd=0x149d3c000d58, ref=<optimized out>)at /test/10.11_dbg/sql/item_cmpfunc.cc:5077 #11 0x0000557080f140bf in Item::fix_fields_if_needed (ref=0x149d3c097fb0, thd=0x149d3c000d58, this=<optimized out>)at /test/10.11_dbg/sql/item.h:1166 #12 convert_subq_to_sj (subq_pred=0x149d3c034518, parent_join=0x149d3c039b00)at /test/10.11_dbg/sql/opt_subselect.cc:1972 #13 convert_join_subqueries_to_semijoins (join=join@entry=0x149d3c039b00)at /test/10.11_dbg/sql/opt_subselect.cc:1323 #14 0x0000557080de177f in JOIN::optimize_inner (this=this@entry=0x149d3c039b00)at /test/10.11_dbg/sql/sql_select.cc:2160 #15 0x0000557080de3046 in JOIN::optimize (this=this@entry=0x149d3c039b00)at /test/10.11_dbg/sql/sql_select.cc:1915 #16 0x0000557080de3136 in mysql_select (thd=thd@entry=0x149d3c000d58, tables=0x149d3c013d98, fields=@0x149d3c013a18: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x149d3c013d48, last = 0x149d3c013d48, elements = 1}, <No data fields>}, conds=0x149d3c034518, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x149d3c039ad8, unit=0x149d3c0051f8, select_lex=0x149d3c013760)at /test/10.11_dbg/sql/sql_select.cc:5156 #17 0x0000557080de3982 in handle_select (thd=thd@entry=0x149d3c000d58, lex=lex@entry=0x149d3c005120, result=result@entry=0x149d3c039ad8, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/10.11_dbg/sql/sql_select.cc:586 #18 0x0000557080d485d5 in execute_sqlcom_select (thd=thd@entry=0x149d3c000d58, all_tables=0x149d3c013d98) at /test/10.11_dbg/sql/sql_parse.cc:6384 #19 0x0000557080d53c43 in mysql_execute_command (thd=thd@entry=0x149d3c000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/10.11_dbg/sql/sql_parse.cc:3987 #20 0x0000557080d5b3a9 in mysql_parse (thd=thd@entry=0x149d3c000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x149d6c0bd2f0)at /test/10.11_dbg/sql/sql_parse.cc:8126 #21 0x0000557080d5d884 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x149d3c000d58, packet=packet@entry=0x149d3c00b149 "SELECT c FROM t WHERE (SELECT * FROM t) IN (SELECT c FROM (SELECT c, (SELECT * FROM t) IN (SELECT 1 FROM (WITH v3 AS (SELECT 1 FROM (SELECT * FROM t) AS c GROUP BY c) SELECT 1 FROM (SELECT * FROM t) A"..., packet_length=packet_length@entry=320, blocking=blocking@entry=true)at /test/10.11_dbg/sql/sql_class.h:244 #22 0x0000557080d5fb25 in do_command (thd=0x149d3c000d58, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407 #23 0x0000557080ebcbc1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x557084187ca8, put_in_cache=put_in_cache@entry=true)at /test/10.11_dbg/sql/sql_connect.cc:1415 #24 0x0000557080ebcec0 in handle_one_connection (arg=arg@entry=0x557084187ca8)at /test/10.11_dbg/sql/sql_connect.cc:1317 #25 0x00005570812e3a34 in pfs_spawn_thread (arg=0x5570841510a8)at /test/10.11_dbg/storage/perfschema/pfs.cc:2201 #26 0x0000149d83c8f18a in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:444 #27 0x0000149d83d1dbd0 in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81 Also note the use of in_to_exists .

Roel Van de Paar added a comment - 2024-05-12 23:19

With the testcase in the previous comment we also see this new UBSAN UniqueID (again matching the Item_in_optimizer) in 10.5,10.6 and 10.11:

UBSAN|member call on null pointer of type 'struct st_select_lex'|sql/item_subselect.cc|Item_subselect::is_expensive|Item_subselect::is_expensive_processor|Item_subselect::walk|Item_in_optimizer::walk

It seems that something may have changed in this area, causing the new stacks.

Roel Van de Paar added a comment - 2024-05-12 23:19 With the testcase in the previous comment we also see this new UBSAN UniqueID (again matching the Item_in_optimizer) in 10.5,10.6 and 10.11: UBSAN|member call on null pointer of type 'struct st_select_lex'|sql/item_subselect.cc|Item_subselect::is_expensive|Item_subselect::is_expensive_processor|Item_subselect::walk|Item_in_optimizer::walk It seems that something may have changed in this area, causing the new stacks.

Roel Van de Paar added a comment - 2024-05-13 00:09 - edited

Another testcase:

CREATE TABLE t (c INT) COMMENT='';

SELECT c FROM t WHERE 1 IN (SELECT c FROM (SELECT c, (SELECT * FROM t) IN (SELECT 1 FROM (WITH v3 AS (SELECT 1 FROM (SELECT * FROM t) AS c GROUP BY c) SELECT 1 FROM (SELECT * FROM t) AS v4 JOIN v3 AS v1,v3 AS c JOIN t) AS v8 JOIN t AS v7 WHERE c=1 GROUP BY c) AS v5 FROM t) AS v6 WHERE v5=1 GROUP BY v5);

Which in 10.11.8 optimized builds only results in a different, or new (again Item_in_optimizer), stack:

10.11.8 c3460e690431ce94705888737c2b9de6968665a7 (Optimized)
Core was generated by `/test/MD240424-mariadb-10.11.8-linux-x86_64-opt/bin/mariadbd --no-defaults --ma'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 Item_subselect::is_expensive (this=0x154d08013ca0)at /test/10.11_opt/sql/sql_lex.h:1408

warning: Source file is more recent than executable.
1408 st_select_lex* next_select() { return (st_select_lex*) next; }
[Current thread is 1 (LWP 1682919)]
(gdb) bt
#0 Item_subselect::is_expensive (this=0x154d08013ca0)at /test/10.11_opt/sql/sql_lex.h:1408
#1 0x000055aa25f8f4c8 in Item_in_subselect::walk (this=0x154d08025f48, processor=&virtual table offset 936, walk_subquery=false, arg=0x0)at /test/10.11_opt/sql/item_subselect.h:756
#2 0x000055aa25ede62c in Item_in_optimizer::walk (this=0x154d08071f88, processor=&virtual table offset 936, walk_subquery=<optimized out>, arg=0x0) at /test/10.11_opt/sql/item_cmpfunc.cc:1503
#3 0x000055aa25ed43b1 in Item_direct_view_ref::walk (this=0x154d080728a8, processor=<optimized out>, walk_subquery=<optimized out>, arg=0x0)at /test/10.11_opt/sql/item.h:6147
#4 0x000055aa25b6293c in Item_args::walk_args (arg=0x0, walk_subquery=false, processor=<optimized out>, this=0x154d08027ae8)at /test/10.11_opt/sql/item.h:2807
#5 Item_func_or_sum::walk (this=0x154d08027a78, processor=&virtual Item::is_expensive_processor(void*), walk_subquery=false, arg=0x0) at /test/10.11_opt/sql/item.h:5530
#6 0x000055aa25b62831 in Item::is_expensive (this=0x154d08027a78)at /test/10.11_opt/sql/item.h:2616
#7 0x000055aa25ee12a8 in Item::can_eval_in_optimize (this=0x154d08027a78)at /test/10.11_opt/sql/item.h:1731
#8 Item_cond::eval_not_null_tables (this=0x154d080735b8, opt_arg=<optimized out>) at /test/10.11_opt/sql/item_cmpfunc.cc:5156
#9 0x000055aa25eeee8f in Item_cond::fix_fields (this=0x154d080735b8, thd=0x154d08000c68, ref=<optimized out>)at /test/10.11_opt/sql/item_cmpfunc.cc:5077
#10 0x000055aa25db5603 in Item::fix_fields_if_needed (ref=0x154d08072c48, thd=0x154d08000c68, this=<optimized out>)at /test/10.11_opt/sql/item.h:1164
#11 Item::fix_fields_if_needed (ref=0x154d08072c48, thd=0x154d08000c68, this=<optimized out>) at /test/10.11_opt/sql/item.h:1164
#12 convert_subq_to_sj (subq_pred=<optimized out>, parent_join=0x154d0802dea0)at /test/10.11_opt/sql/opt_subselect.cc:1972
#13 convert_join_subqueries_to_semijoins (join=join@entry=0x154d0802dea0)at /test/10.11_opt/sql/opt_subselect.cc:1323
#14 0x000055aa25cc2b4a in JOIN::optimize_inner (this=this@entry=0x154d0802dea0)at /test/10.11_opt/sql/sql_select.cc:2160
#15 0x000055aa25cc437a in JOIN::optimize (this=this@entry=0x154d0802dea0)at /test/10.11_opt/sql/sql_select.cc:1915
#16 0x000055aa25cc445e in mysql_select (thd=thd@entry=0x154d08000c68, tables=0x154d08011370, fields=@0x154d08010ff0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x154d08011320, last = 0x154d08011320, elements = 1}, <No data fields>}, conds=0x154d08028820, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x154d0802bdf0, unit=0x154d08004f40, select_lex=0x154d08010d38)at /test/10.11_opt/sql/sql_select.cc:5156
#17 0x000055aa25cc4c74 in handle_select (thd=thd@entry=0x154d08000c68, lex=lex@entry=0x154d08004e68, result=result@entry=0x154d0802bdf0, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/10.11_opt/sql/sql_select.cc:586
#18 0x000055aa25c38b00 in execute_sqlcom_select (thd=thd@entry=0x154d08000c68, all_tables=0x154d08011370) at /test/10.11_opt/sql/sql_parse.cc:6384
#19 0x000055aa25c47b2a in mysql_execute_command (thd=thd@entry=0x154d08000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/10.11_opt/sql/sql_parse.cc:3987
#20 0x000055aa25c493ae in mysql_parse (thd=0x154d08000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:8126
#21 0x000055aa25c4bbbd in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x154d08000c68, packet=packet@entry=0x154d08008759 "SELECT c FROM t WHERE 1 IN (SELECT c FROM (SELECT c, (SELECT * FROM t) IN (SELECT 1 FROM (WITH v3 AS (SELECT 1 FROM (SELECT * FROM t) AS c GROUP BY c) SELECT 1 FROM (SELECT * FROM t) AS v4 JOIN v3 AS "..., packet_length=packet_length@entry=303, blocking=blocking@entry=true)at /test/10.11_opt/sql/sql_parse.cc:1993
#22 0x000055aa25c4d9ea in do_command (thd=0x154d08000c68, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
#23 0x000055aa25d75c47 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55aa286728f8, put_in_cache=put_in_cache@entry=true)at /test/10.11_opt/sql/sql_connect.cc:1415
#24 0x000055aa25d75fbd in handle_one_connection (arg=arg@entry=0x55aa286728f8)at /test/10.11_opt/sql/sql_connect.cc:1317
#25 0x000055aa260ff9b5 in pfs_spawn_thread (arg=0x55aa286b6e48)at /test/10.11_opt/storage/perfschema/pfs.cc:2201
#26 0x0000154d42a8f18a in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:444
#27 0x0000154d42b1dbd0 in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Again with matching new UBSAN stack:

UBSAN|member call on null pointer of type 'struct st_select_lex'|sql/item_subselect.cc|Item_subselect::is_expensive|Item_subselect::walk|Item_in_subselect::walk|Item_in_optimizer::walk

Roel Van de Paar added a comment - 2024-05-13 00:09 - edited Another testcase: CREATE TABLE t (c INT ) COMMENT= '' ; SELECT c FROM t WHERE 1 IN ( SELECT c FROM ( SELECT c, ( SELECT * FROM t) IN ( SELECT 1 FROM ( WITH v3 AS ( SELECT 1 FROM ( SELECT * FROM t) AS c GROUP BY c) SELECT 1 FROM ( SELECT * FROM t) AS v4 JOIN v3 AS v1,v3 AS c JOIN t) AS v8 JOIN t AS v7 WHERE c=1 GROUP BY c) AS v5 FROM t) AS v6 WHERE v5=1 GROUP BY v5); Which in 10.11.8 optimized builds only results in a different, or new (again Item_in_optimizer ), stack: 10.11.8 c3460e690431ce94705888737c2b9de6968665a7 (Optimized) Core was generated by `/test/MD240424-mariadb-10.11.8-linux-x86_64-opt/bin/mariadbd --no-defaults --ma'. Program terminated with signal SIGSEGV, Segmentation fault. #0 Item_subselect::is_expensive (this=0x154d08013ca0)at /test/10.11_opt/sql/sql_lex.h:1408 warning: Source file is more recent than executable. 1408 st_select_lex* next_select() { return (st_select_lex*) next; } [Current thread is 1 (LWP 1682919)] (gdb) bt #0 Item_subselect::is_expensive (this=0x154d08013ca0)at /test/10.11_opt/sql/sql_lex.h:1408 #1 0x000055aa25f8f4c8 in Item_in_subselect::walk (this=0x154d08025f48, processor=&virtual table offset 936, walk_subquery=false, arg=0x0)at /test/10.11_opt/sql/item_subselect.h:756 #2 0x000055aa25ede62c in Item_in_optimizer::walk (this=0x154d08071f88, processor=&virtual table offset 936, walk_subquery=<optimized out>, arg=0x0) at /test/10.11_opt/sql/item_cmpfunc.cc:1503 #3 0x000055aa25ed43b1 in Item_direct_view_ref::walk (this=0x154d080728a8, processor=<optimized out>, walk_subquery=<optimized out>, arg=0x0)at /test/10.11_opt/sql/item.h:6147 #4 0x000055aa25b6293c in Item_args::walk_args (arg=0x0, walk_subquery=false, processor=<optimized out>, this=0x154d08027ae8)at /test/10.11_opt/sql/item.h:2807 #5 Item_func_or_sum::walk (this=0x154d08027a78, processor=&virtual Item::is_expensive_processor(void*), walk_subquery=false, arg=0x0) at /test/10.11_opt/sql/item.h:5530 #6 0x000055aa25b62831 in Item::is_expensive (this=0x154d08027a78)at /test/10.11_opt/sql/item.h:2616 #7 0x000055aa25ee12a8 in Item::can_eval_in_optimize (this=0x154d08027a78)at /test/10.11_opt/sql/item.h:1731 #8 Item_cond::eval_not_null_tables (this=0x154d080735b8, opt_arg=<optimized out>) at /test/10.11_opt/sql/item_cmpfunc.cc:5156 #9 0x000055aa25eeee8f in Item_cond::fix_fields (this=0x154d080735b8, thd=0x154d08000c68, ref=<optimized out>)at /test/10.11_opt/sql/item_cmpfunc.cc:5077 #10 0x000055aa25db5603 in Item::fix_fields_if_needed (ref=0x154d08072c48, thd=0x154d08000c68, this=<optimized out>)at /test/10.11_opt/sql/item.h:1164 #11 Item::fix_fields_if_needed (ref=0x154d08072c48, thd=0x154d08000c68, this=<optimized out>) at /test/10.11_opt/sql/item.h:1164 #12 convert_subq_to_sj (subq_pred=<optimized out>, parent_join=0x154d0802dea0)at /test/10.11_opt/sql/opt_subselect.cc:1972 #13 convert_join_subqueries_to_semijoins (join=join@entry=0x154d0802dea0)at /test/10.11_opt/sql/opt_subselect.cc:1323 #14 0x000055aa25cc2b4a in JOIN::optimize_inner (this=this@entry=0x154d0802dea0)at /test/10.11_opt/sql/sql_select.cc:2160 #15 0x000055aa25cc437a in JOIN::optimize (this=this@entry=0x154d0802dea0)at /test/10.11_opt/sql/sql_select.cc:1915 #16 0x000055aa25cc445e in mysql_select (thd=thd@entry=0x154d08000c68, tables=0x154d08011370, fields=@0x154d08010ff0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x154d08011320, last = 0x154d08011320, elements = 1}, <No data fields>}, conds=0x154d08028820, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x154d0802bdf0, unit=0x154d08004f40, select_lex=0x154d08010d38)at /test/10.11_opt/sql/sql_select.cc:5156 #17 0x000055aa25cc4c74 in handle_select (thd=thd@entry=0x154d08000c68, lex=lex@entry=0x154d08004e68, result=result@entry=0x154d0802bdf0, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/10.11_opt/sql/sql_select.cc:586 #18 0x000055aa25c38b00 in execute_sqlcom_select (thd=thd@entry=0x154d08000c68, all_tables=0x154d08011370) at /test/10.11_opt/sql/sql_parse.cc:6384 #19 0x000055aa25c47b2a in mysql_execute_command (thd=thd@entry=0x154d08000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/10.11_opt/sql/sql_parse.cc:3987 #20 0x000055aa25c493ae in mysql_parse (thd=0x154d08000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:8126 #21 0x000055aa25c4bbbd in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x154d08000c68, packet=packet@entry=0x154d08008759 "SELECT c FROM t WHERE 1 IN (SELECT c FROM (SELECT c, (SELECT * FROM t) IN (SELECT 1 FROM (WITH v3 AS (SELECT 1 FROM (SELECT * FROM t) AS c GROUP BY c) SELECT 1 FROM (SELECT * FROM t) AS v4 JOIN v3 AS "..., packet_length=packet_length@entry=303, blocking=blocking@entry=true)at /test/10.11_opt/sql/sql_parse.cc:1993 #22 0x000055aa25c4d9ea in do_command (thd=0x154d08000c68, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407 #23 0x000055aa25d75c47 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55aa286728f8, put_in_cache=put_in_cache@entry=true)at /test/10.11_opt/sql/sql_connect.cc:1415 #24 0x000055aa25d75fbd in handle_one_connection (arg=arg@entry=0x55aa286728f8)at /test/10.11_opt/sql/sql_connect.cc:1317 #25 0x000055aa260ff9b5 in pfs_spawn_thread (arg=0x55aa286b6e48)at /test/10.11_opt/storage/perfschema/pfs.cc:2201 #26 0x0000154d42a8f18a in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:444 #27 0x0000154d42b1dbd0 in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81 Again with matching new UBSAN stack: UBSAN|member call on null pointer of type 'struct st_select_lex'|sql/item_subselect.cc|Item_subselect::is_expensive|Item_subselect::walk|Item_in_subselect::walk|Item_in_optimizer::walk

Roel Van de Paar added a comment - 2024-07-10 21:52 - edited

Not reproducible anymore on:

10.5.26 736449d30ffb2ec71bd700ac84eb38ba30bb662c (Debug, UBASAN)
10.5.26 736449d30ffb2ec71bd700ac84eb38ba30bb662c (Optimized, UBASAN)
11.6.0 29e9ade269d803b6823ec57808e0b7fad28baf9e (Debug, UBASAN)
11.6.0 29e9ade269d803b6823ec57808e0b7fad28baf9e (Optimized, UBASAN)
10.11.9 f146ba82c4a5d6763b253aac412c6401555a8dac (Optimized, UBASAN) for version specific t/c

For all testcases. Closing.

Roel Van de Paar added a comment - 2024-07-10 21:52 - edited Not reproducible anymore on: 10.5.26 736449d30ffb2ec71bd700ac84eb38ba30bb662c (Debug, UBASAN) 10.5.26 736449d30ffb2ec71bd700ac84eb38ba30bb662c (Optimized, UBASAN) 11.6.0 29e9ade269d803b6823ec57808e0b7fad28baf9e (Debug, UBASAN) 11.6.0 29e9ade269d803b6823ec57808e0b7fad28baf9e (Optimized, UBASAN) 10.11.9 f146ba82c4a5d6763b253aac412c6401555a8dac (Optimized, UBASAN) for version specific t/c For all testcases. Closing.

MariaDB Server

SIGSEGV in Item_subselect::is_expensive (+ other SIGSEGV's in MS 8.0) and 2x UBSAN: runtime error: member call on null pointer of type 'struct st_select_lex' in Item_subselect::is_expensive and in st_select_lex::next_select

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Git Integration