Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-28504

SIGSEGV in With_element::get_name and UBSAN: runtime error: member call on null pointer of type 'struct With_element' in With_clause::find_table_def + 2 other UBSAN runtime errors.

    XMLWordPrintable

Details

    Description

      Original testcase (reduced version in comments below):

      CREATE TABLE v898 ( v899 BIGINT ) ;
      		 
       INSERT INTO v898 ( v899 ) VALUES ( 11 ) ;
      		 
       UPDATE v898 SET v899 = 66 WHERE v899 = -1 ;
      		 
       INSERT INTO v898 ( v899 ) VALUES ( 255 ) , ( 0 ) ;
      		 
       WITH v905 AS ( SELECT v899 FROM ( SELECT v899 , ( ( WITH v900 AS ( SELECT v899 IN ( 4 - 8 = ( v899 = 8 OR v899 = 22 OR v899 = - ( 73 + 255 <= 0 ) >= v899 + v899 ) , 0 ) FROM v898 ) SELECT v899 FROM v900 WHERE FALSE IN ( WITH v902 AS ( SELECT v899 FROM ( SELECT v899 FROM v898 GROUP BY v899 ) AS v901 ) SELECT v899 FROM v902 ) ) = 28 ) / 6708852.000000 IS NOT NULL AS v903 FROM v898 GROUP BY v899 ) AS v904 ) SELECT v899 FROM v905 WHERE ( v899 , ( ( 93693740.000000 OR NOT v899 ) BETWEEN ( ( NOT ( ( 96058445.000000 ^ 83427040.000000 AND ( NOT ( v899 = 'x' AND v899 = 'x' AND v899 = 'x' ) ) IS NULL = 72 ) * NULL ) ) - 60 ) AND 71459389.000000 ) ) NOT IN ( SELECT ( v899 % v899 <= v899 ) , 0 FROM v898 ) ;

      Leads to:

      10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Optimized)

      		 
      Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  With_element::get_name (this=<optimized out>)
      		 
          at /test/10.9_opt/sql/sql_cte.cc:447
      		 
      447	    if (my_strcasecmp(system_charset_info, with_elem->get_name_str(),
      		 
      [Current thread is 1 (Thread 0x148eec129700 (LWP 45816))]
      		 
      (gdb) bt
      		 
      #0  With_element::get_name (this=<optimized out>) at /test/10.9_opt/sql/sql_cte.cc:447
      		 
      #1  With_element::get_name_str (this=<optimized out>) at /test/10.9_opt/sql/sql_cte.h:228
      		 
      #2  With_clause::find_table_def (this=<optimized out>, table=table@entry=0x148ebc0477d8, barrier=0x148ebc049780) at /test/10.9_opt/sql/sql_cte.cc:447
      		 
      #3  0x000055ecfaa29d19 in find_table_def_in_with_clauses (tbl=tbl@entry=0x148ebc0477d8, ctxt=ctxt@entry=0x148eec126fe0) at /test/10.9_opt/sql/sql_cte.cc:490
      		 
      #4  0x000055ecfaa2a0ae in With_element::check_dependencies_in_select (this=this@entry=0x148ebc04d6d8, sl=sl@entry=0x148ebc0471f8, ctxt=ctxt@entry=0x148eec126fe0, in_subq=in_subq@entry=true, dep_map=dep_map@entry=0x148ebc011178) at /test/10.9_opt/sql/sql_cte.cc:552
      		 
      #5  0x000055ecfaa29f04 in With_element::check_dependencies_in_unit (this=this@entry=0x148ebc04d6d8, unit=unit@entry=0x148ebc048050, ctxt=ctxt@entry=0x148eec127080, in_subq=<optimized out>, in_subq@entry=true, dep_map=dep_map@entry=0x148ebc011178) at /test/10.9_opt/sql/sql_cte.cc:663
      		 
      #6  0x000055ecfaa2a04c in With_element::check_dependencies_in_select (this=this@entry=0x148ebc04d6d8, sl=sl@entry=0x148ebc046c50, ctxt=ctxt@entry=0x148eec127080, in_subq=in_subq@entry=true, dep_map=dep_map@entry=0x148ebc011178) at /test/10.9_opt/sql/sql_cte.cc:578
      		 
      #7  0x000055ecfaa29f04 in With_element::check_dependencies_in_unit (this=this@entry=0x148ebc04d6d8, unit=<optimized out>, ctxt=ctxt@entry=0x148eec1271b0, in_subq=<optimized out>, in_subq@entry=true, dep_map=dep_map@entry=0x148ebc011178) at /test/10.9_opt/sql/sql_cte.cc:663
      		 
      #8  0x000055ecfaa29e68 in With_element::check_dependencies_in_with_clause (this=this@entry=0x148ebc04d6d8, with_clause=<optimized out>, ctxt=ctxt@entry=0x148eec1271b0, in_subq=in_subq@entry=true, dep_map=dep_map@entry=0x148ebc011178) at /test/10.9_opt/sql/sql_cte.cc:699
      		 
      #9  0x000055ecfaa29eb8 in With_element::check_dependencies_in_unit (this=this@entry=0x148ebc04d6d8, unit=unit@entry=0x148ebc04a5c8, ctxt=ctxt@entry=0x148eec1271b0, in_subq=in_subq@entry=true, dep_map=dep_map@entry=0x148ebc011178) at /test/10.9_opt/sql/sql_cte.cc:657
      		 
      #10 0x000055ecfaa2a04c in With_element::check_dependencies_in_select (this=this@entry=0x148ebc04d6d8, sl=sl@entry=0x148ebc0460d8, ctxt=ctxt@entry=0x148eec1271b0, in_subq=in_subq@entry=true, dep_map=dep_map@entry=0x148ebc011178) at /test/10.9_opt/sql/sql_cte.cc:578
      		 
      #11 0x000055ecfaa29f04 in With_element::check_dependencies_in_unit (this=this@entry=0x148ebc04d6d8, unit=unit@entry=0x148ebc04b038, ctxt=ctxt@entry=0x148eec127250, in_subq=<optimized out>, in_subq@entry=false, dep_map=dep_map@entry=0x148ebc011178) at /test/10.9_opt/sql/sql_cte.cc:663
      		 
      #12 0x000055ecfaa2a04c in With_element::check_dependencies_in_select (this=this@entry=0x148ebc04d6d8, sl=sl@entry=0x148ebc0112f8, ctxt=ctxt@entry=0x148eec127250, in_subq=in_subq@entry=false, dep_map=dep_map@entry=0x148ebc011178) at /test/10.9_opt/sql/sql_cte.cc:578
      		 
      #13 0x000055ecfaa29f04 in With_element::check_dependencies_in_unit (this=this@entry=0x148ebc04d6d8, unit=unit@entry=0x148ebc04c7a0, ctxt=ctxt@entry=0x148eec127300, in_subq=<optimized out>, in_subq@entry=false, dep_map=dep_map@entry=0x148ebc011178) at /test/10.9_opt/sql/sql_cte.cc:663
      		 
      #14 0x000055ecfaa2a04c in With_element::check_dependencies_in_select (this=this@entry=0x148ebc04d6d8, sl=sl@entry=0x148ebc010d50, ctxt=ctxt@entry=0x148eec127300, in_subq=in_subq@entry=false, dep_map=dep_map@entry=0x148ebc011178) at /test/10.9_opt/sql/sql_cte.cc:578
      		 
      #15 0x000055ecfaa2a15b in With_element::check_dependencies_in_spec (this=this@entry=0x148ebc04d6d8) at /test/10.9_opt/sql/sql_cte.cc:415
      		 
      #16 0x000055ecfaa2a1bb in With_clause::check_dependencies (this=0x148ebc010ca8) at /test/10.9_opt/sql/sql_cte.cc:344
      		 
      #17 With_clause::check_dependencies (this=0x148ebc010ca8) at /test/10.9_opt/sql/sql_cte.cc:316
      		 
      #18 0x000055ecfaa2ac35 in LEX::check_dependencies_in_with_clauses (this=this@entry=0x148ebc004be0) at /test/10.9_opt/sql/sql_cte.cc:93
      		 
      #19 0x000055ecfaa2b1b6 in LEX::check_cte_dependencies_and_resolve_references (this=0x148ebc004be0) at /test/10.9_opt/sql/sql_cte.cc:286
      		 
      #20 0x000055ecfaa625a0 in MYSQLparse (thd=<optimized out>) at /test/10.9_opt/sql/sql_yacc.yy:8363
      		 
      #21 0x000055ecfa872155 in parse_sql (thd=thd@entry=0x148ebc000c58, parser_state=parser_state@entry=0x148eec128460, creation_ctx=creation_ctx@entry=0x0, do_pfs_digest=do_pfs_digest@entry=true) at /test/10.9_opt/sql/sql_parse.cc:10468
      		 
      #22 0x000055ecfa86d9a7 in mysql_parse (rawbuf=<optimized out>, length=702, parser_state=0x148eec128460, thd=0x148ebc000c58) at /test/10.9_opt/sql/sql_parse.cc:7998
      		 
      #23 mysql_parse (thd=0x148ebc000c58, rawbuf=<optimized out>, length=702, parser_state=0x148eec128460) at /test/10.9_opt/sql/sql_parse.cc:7968
      		 
      #24 0x000055ecfa87971a in dispatch_command (command=COM_QUERY, thd=0x148ebc000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.9_opt/sql/sql_class.h:1364
      		 
      #25 0x000055ecfa87b642 in do_command (thd=0x148ebc000c58, blocking=blocking@entry=true) at /test/10.9_opt/sql/sql_parse.cc:1408
      		 
      #26 0x000055ecfa9905bf in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55ecfc8ade58, put_in_cache=put_in_cache@entry=true) at /test/10.9_opt/sql/sql_connect.cc:1418
      		 
      #27 0x000055ecfa99089d in handle_one_connection (arg=0x55ecfc8ade58) at /test/10.9_opt/sql/sql_connect.cc:1312
      		 
      #28 0x0000148f18828609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      		 
      #29 0x0000148f18414133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Debug)

      		 
      Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  0x0000559df64d3e90 in With_element::get_name (this=<optimized out>)
      		 
          at /test/10.9_dbg/sql/sql_cte.h:228
      		 
      228	  const char *get_name_str() { return get_name()->str; }
      		 
      [Current thread is 1 (Thread 0x14dd30753700 (LWP 45818))]
      		 
      (gdb) bt
      		 
      #0  0x0000559df64d3e90 in With_element::get_name (this=<optimized out>) at /test/10.9_dbg/sql/sql_cte.h:228
      		 
      #1  With_element::get_name_str (this=<optimized out>) at /test/10.9_dbg/sql/sql_cte.h:228
      		 
      #2  With_clause::find_table_def (this=<optimized out>, table=table@entry=0x14dcf006fba8, barrier=0x14dcf0071b50) at /test/10.9_dbg/sql/sql_cte.cc:447
      		 
      #3  0x0000559df64d3f3d in find_table_def_in_with_clauses (tbl=tbl@entry=0x14dcf006fba8, ctxt=ctxt@entry=0x14dd30750f60) at /test/10.9_dbg/sql/sql_cte.cc:490
      		 
      #4  0x0000559df64d416c in With_element::check_dependencies_in_select (this=this@entry=0x14dcf0075b20, sl=sl@entry=0x14dcf006f5c8, ctxt=ctxt@entry=0x14dd30750f60, in_subq=in_subq@entry=true, dep_map=dep_map@entry=0x14dcf0014698) at /test/10.9_dbg/sql/sql_cte.cc:552
      		 
      #5  0x0000559df64d40d5 in With_element::check_dependencies_in_unit (this=this@entry=0x14dcf0075b20, unit=unit@entry=0x14dcf0070420, ctxt=ctxt@entry=0x14dd30751000, in_subq=<optimized out>, in_subq@entry=true, dep_map=dep_map@entry=0x14dcf0014698) at /test/10.9_dbg/sql/sql_cte.cc:663
      		 
      #6  0x0000559df64d4247 in With_element::check_dependencies_in_select (this=this@entry=0x14dcf0075b20, sl=sl@entry=0x14dcf006f020, ctxt=ctxt@entry=0x14dd30751000, in_subq=in_subq@entry=true, dep_map=dep_map@entry=0x14dcf0014698) at /test/10.9_dbg/sql/sql_cte.cc:578
      		 
      #7  0x0000559df64d40d5 in With_element::check_dependencies_in_unit (this=this@entry=0x14dcf0075b20, unit=<optimized out>, ctxt=ctxt@entry=0x14dd30751130, in_subq=<optimized out>, in_subq@entry=true, dep_map=dep_map@entry=0x14dcf0014698) at /test/10.9_dbg/sql/sql_cte.cc:663
      		 
      #8  0x0000559df64d4049 in With_element::check_dependencies_in_with_clause (this=this@entry=0x14dcf0075b20, with_clause=<optimized out>, ctxt=ctxt@entry=0x14dd30751130, in_subq=in_subq@entry=true, dep_map=dep_map@entry=0x14dcf0014698) at /test/10.9_dbg/sql/sql_cte.cc:699
      		 
      #9  0x0000559df64d409a in With_element::check_dependencies_in_unit (this=this@entry=0x14dcf0075b20, unit=unit@entry=0x14dcf0072a08, ctxt=ctxt@entry=0x14dd30751130, in_subq=in_subq@entry=true, dep_map=dep_map@entry=0x14dcf0014698) at /test/10.9_dbg/sql/sql_cte.cc:657
      		 
      #10 0x0000559df64d4247 in With_element::check_dependencies_in_select (this=this@entry=0x14dcf0075b20, sl=sl@entry=0x14dcf006e4a8, ctxt=ctxt@entry=0x14dd30751130, in_subq=in_subq@entry=true, dep_map=dep_map@entry=0x14dcf0014698) at /test/10.9_dbg/sql/sql_cte.cc:578
      		 
      #11 0x0000559df64d40d5 in With_element::check_dependencies_in_unit (this=this@entry=0x14dcf0075b20, unit=unit@entry=0x14dcf0073478, ctxt=ctxt@entry=0x14dd307511d0, in_subq=<optimized out>, in_subq@entry=false, dep_map=dep_map@entry=0x14dcf0014698) at /test/10.9_dbg/sql/sql_cte.cc:663
      		 
      #12 0x0000559df64d4247 in With_element::check_dependencies_in_select (this=this@entry=0x14dcf0075b20, sl=sl@entry=0x14dcf0014818, ctxt=ctxt@entry=0x14dd307511d0, in_subq=in_subq@entry=false, dep_map=dep_map@entry=0x14dcf0014698) at /test/10.9_dbg/sql/sql_cte.cc:578
      		 
      #13 0x0000559df64d40d5 in With_element::check_dependencies_in_unit (this=this@entry=0x14dcf0075b20, unit=unit@entry=0x14dcf0074be8, ctxt=ctxt@entry=0x14dd30751280, in_subq=<optimized out>, in_subq@entry=false, dep_map=dep_map@entry=0x14dcf0014698) at /test/10.9_dbg/sql/sql_cte.cc:663
      		 
      #14 0x0000559df64d4247 in With_element::check_dependencies_in_select (this=this@entry=0x14dcf0075b20, sl=sl@entry=0x14dcf0014270, ctxt=ctxt@entry=0x14dd30751280, in_subq=in_subq@entry=false, dep_map=dep_map@entry=0x14dcf0014698) at /test/10.9_dbg/sql/sql_cte.cc:578
      		 
      #15 0x0000559df64d42c6 in With_element::check_dependencies_in_spec (this=this@entry=0x14dcf0075b20) at /test/10.9_dbg/sql/sql_cte.cc:415
      		 
      #16 0x0000559df64d4325 in With_clause::check_dependencies (this=this@entry=0x14dcf00141c8) at /test/10.9_dbg/sql/sql_cte.cc:344
      		 
      #17 0x0000559df64d4de5 in LEX::check_dependencies_in_with_clauses (this=this@entry=0x14dcf0004f00) at /test/10.9_dbg/sql/sql_cte.cc:93
      		 
      #18 0x0000559df64d538b in LEX::check_cte_dependencies_and_resolve_references (this=this@entry=0x14dcf0004f00) at /test/10.9_dbg/sql/sql_cte.cc:286
      		 
      #19 0x0000559df6284c62 in LEX::check_main_unit_semantics (this=this@entry=0x14dcf0004f00) at /test/10.9_dbg/sql/sql_lex.cc:9115
      		 
      #20 0x0000559df628af69 in LEX::select_finalize (this=this@entry=0x14dcf0004f00, expr=expr@entry=0x14dcf007b620) at /test/10.9_dbg/sql/sql_lex.cc:10463
      		 
      #21 0x0000559df628b432 in LEX::select_finalize (this=0x14dcf0004f00, expr=0x14dcf007b620, l=<optimized out>) at /test/10.9_dbg/sql/sql_lex.cc:10469
      		 
      #22 0x0000559df650006e in MYSQLparse (thd=thd@entry=0x14dcf0000db8) at /test/10.9_dbg/sql/sql_yacc.yy:8363
      		 
      #23 0x0000559df62a15cd in parse_sql (thd=thd@entry=0x14dcf0000db8, parser_state=parser_state@entry=0x14dd30752470, creation_ctx=creation_ctx@entry=0x0, do_pfs_digest=do_pfs_digest@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:10399
      		 
      #24 0x0000559df629c589 in mysql_parse (thd=thd@entry=0x14dcf0000db8, rawbuf=<optimized out>, length=702, parser_state=parser_state@entry=0x14dd30752470) at /test/10.9_dbg/sql/sql_parse.cc:7998
      		 
      #25 0x0000559df62a9f79 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14dcf0000db8, packet=packet@entry=0x14dcf000b699 "WITH v905 AS ( SELECT v899 FROM ( SELECT v899 , ( ( WITH v900 AS ( SELECT v899 IN ( 4 - 8 = ( v899 = 8 OR v899 = 22 OR v899 = - ( 73 + 255 <= 0 ) >= v899 + v899 ) , 0 ) FROM v898 ) SELECT v899 FROM v9"..., packet_length=packet_length@entry=702, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_class.h:1364
      		 
      #26 0x0000559df62ac686 in do_command (thd=0x14dcf0000db8, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:1408
      		 
      #27 0x0000559df6409d02 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x559df9c9fc78, put_in_cache=put_in_cache@entry=true) at /test/10.9_dbg/sql/sql_connect.cc:1418
      		 
      #28 0x0000559df640a20b in handle_one_connection (arg=0x559df9c9fc78) at /test/10.9_dbg/sql/sql_connect.cc:1312
      		 
      #29 0x000014dd497cf609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      		 
      #30 0x000014dd493bb133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      Bug confirmed present in:
      MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.37 (dbg), 5.7.37 (opt), 8.0.28 (dbg), 8.0.28 (opt)

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. MDEV-28556 segfault at 78 ip 0000556abe28aee5 sp 00007f42740812f0 error 4 in mysqld[556abdc91000+1121000]

          • Major - Major loss of function.
          • Closed

          Activity

            People

              igor Igor Babaev
              nobody Shihao Wen
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.