[MDEV-28505] Server crash in sql/sql_select.cc:19830 in sub_select(JOIN*, st_join_table*, bool) - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL)
Fix Version/s: 10.11.2, 10.3.38, 10.4.28, 10.5.19, 10.6.12, 10.7.8, 10.8.7, 10.9.5, 10.10.3
Component/s: Optimizer, Parser
Labels:
- fuzzer

Description

Original testcase (reduced version in comments below):

CREATE TABLE v1465 ( v1466 TEXT ) ;

 INSERT INTO v1465 ( v1466 ) VALUES ( 'x' ) , ( NULL ) , ( 'x' ) , ( NULL ) ;

 SELECT ( v1466 = ( SELECT v1466 FROM v1465 WHERE ( v1466 , v1466 ) NOT IN ( SELECT 'x' * v1466 * 40 , 'x' FROM v1465 ) ) * 67 + -1 ^ 57 IN ( -128 , 127 , 65 , 10 , 'x' / v1466 = v1466 + CASE v1466 WHEN TRUE THEN 0 ELSE 21 END OR v1466 = v1466 OR v1466 = v1466 ) ) , 'x' / 24141874.000000 IS NOT NULL AS v1467 FROM v1465 WINDOW v1482 AS ( PARTITION BY v1466 ORDER BY ( SELECT DISTINCT -1 FROM ( SELECT v1466 FROM v1465 WHERE ( v1466 , v1466 ) NOT IN ( SELECT ( 'x' = ( v1466 IN ( SELECT v1466 FROM v1465 WHERE v1466 = CASE WHEN v1466 ^ ( SELECT 64 FROM v1465 AS v1468 WHERE v1466 BETWEEN 41099251.000000 AND 0 GROUP BY ( TRUE , v1466 ) NOT IN ( SELECT v1466 , ( SELECT v1466 FROM ( WITH v1470 AS ( SELECT v1466 FROM ( SELECT NOT v1466 <= 'x' , v1466 FROM v1465 GROUP BY v1466 ) AS v1469 ) SELECT DISTINCT v1466 , ( NOT ( ( 25367008.000000 ^ 51425443.000000 AND ( v1466 NOT IN ( NOT ( NOT ( 'x' = TRUE AND v1466 = -128 ) ) ) AND ( v1466 , v1466 ) NOT IN ( SELECT ( - 17370811.000000 ) , 0 FROM v1465 ) ) = 29 ) * NULL ) ) FROM v1465 ) AS v1471 NATURAL JOIN v1465 WHERE v1466 = v1466 ) AS v1472 FROM v1465 ) , v1466 WINDOW v1483 AS ( PARTITION BY v1466 ORDER BY ( SELECT DISTINCT 14 FROM v1465 AS v1479 , v1465 AS v1480 , v1465 AS v1481 JOIN v1465 ) DESC RANGE BETWEEN 5477605.000000 FOLLOWING AND 95193843.000000 FOLLOWING ) ) ^ v1466 THEN 'x' ELSE v1466 END / 8 ) ) ) , 'x' FROM v1465 ) ORDER BY v1466 + v1466 , v1466 + v1466 LIMIT 1 OFFSET 1 ) AS v1477 NATURAL JOIN v1465 AS v1478 ) DESC RANGE BETWEEN 46546708.000000 FOLLOWING AND 77715920.000000 FOLLOWING ) ;

Leads to:

10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Optimized)
Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000055ae9a0f2be3 in sub_select (join=0x14935008b220,
join_tab=0x1493500b9b70, end_of_records=false)
at /test/10.9_opt/sql/sql_select.cc:21066
21066 join_tab->table->null_row=0;
[Current thread is 1 (Thread 0x14939409b700 (LWP 817942))]
(gdb) bt
#0 0x000055ae9a0f2be3 in sub_select (join=0x14935008b220, join_tab=0x1493500b9b70, end_of_records=false) at /test/10.9_opt/sql/sql_select.cc:21066
#1 0x000055ae9a11f241 in do_select (procedure=<optimized out>, join=0x14935008b220) at /test/10.9_opt/sql/sql_select.cc:20671
#2 JOIN::exec_inner (this=0x14935008b220) at /test/10.9_opt/sql/sql_select.cc:4778
#3 0x000055ae9a11f608 in JOIN::exec (this=0x14935008b220) at /test/10.9_opt/sql/sql_select.cc:4556
#4 0x000055ae9a3be6d1 in subselect_single_select_engine::exec (this=0x14935005ee80) at /test/10.9_opt/sql/item_subselect.cc:4126
#5 0x000055ae9a3bdaec in Item_subselect::exec (this=0x14935005ebb0) at /test/10.9_opt/sql/item_subselect.cc:853
#6 0x000055ae9a3bdeb4 in Item_in_subselect::val_bool (this=0x14935005ebb0) at /test/10.9_opt/sql/item_subselect.cc:1971
#7 0x000055ae9a329bbd in Item::val_bool_result (this=0x14935005ebb0) at /test/10.9_opt/sql/item.h:1783
#8 Item_in_optimizer::val_int (this=0x149350090608) at /test/10.9_opt/sql/item_cmpfunc.cc:1622
#9 Item_in_optimizer::val_int (this=0x149350090608) at /test/10.9_opt/sql/item_cmpfunc.cc:1545
#10 0x000055ae9a2f90f9 in Item_cache_int::cache_value (this=0x1493500bae60) at /test/10.9_opt/sql/item.cc:10083
#11 0x000055ae9a310fa4 in Item_cache_wrapper::cache (this=0x1493500badc0) at /test/10.9_opt/sql/item.cc:8868
#12 Item_cache_wrapper::val_bool (this=0x1493500badc0) at /test/10.9_opt/sql/item.cc:9054
#13 Item_cache_wrapper::val_bool (this=0x1493500badc0) at /test/10.9_opt/sql/item.cc:9037
#14 0x000055ae9a31bc60 in Item_func_not::val_int (this=0x14935005eec0) at /test/10.9_opt/sql/item_cmpfunc.cc:202
#15 0x000055ae9a30c5b3 in Item::save_int_in_field (this=0x14935005eec0, field=0x1493500d5330, no_conversions=<optimized out>) at /test/10.9_opt/sql/item.cc:6827
#16 0x000055ae9a2fc057 in Item::save_in_field (this=0x14935005eec0, field=0x1493500d5330, no_conversions=<optimized out>) at /test/10.9_opt/sql/item.cc:6837
#17 0x000055ae9a10929a in copy_funcs (func_ptr=0x1493500d4c48, thd=0x149350000c58) at /test/10.9_opt/sql/sql_select.cc:26340
#18 0x000055ae9a10934a in end_write (join=0x149350069970, join_tab=0x1493500cd990, end_of_records=<optimized out>) at /test/10.9_opt/sql/sql_select.cc:22611
#19 0x000055ae9a0df803 in evaluate_join_record (join=join@entry=0x149350069970, join_tab=join_tab@entry=0x1493500cd5e0, error=<optimized out>) at /test/10.9_opt/sql/sql_select.cc:21356
#20 0x000055ae9a0f2a4b in sub_select (end_of_records=false, join_tab=0x1493500cd5e0, join=0x149350069970) at /test/10.9_opt/sql/sql_select.cc:21126
#21 sub_select (join=0x149350069970, join_tab=0x1493500cd5e0, end_of_records=false) at /test/10.9_opt/sql/sql_select.cc:21055
#22 0x000055ae9a11f241 in do_select (procedure=<optimized out>, join=0x149350069970) at /test/10.9_opt/sql/sql_select.cc:20671
#23 JOIN::exec_inner (this=0x149350069970) at /test/10.9_opt/sql/sql_select.cc:4778
#24 0x000055ae9a11f608 in JOIN::exec (this=this@entry=0x149350069970) at /test/10.9_opt/sql/sql_select.cc:4556
#25 0x000055ae9a11d811 in mysql_select (thd=0x149350000c58, tables=0x149350047d20, fields=@0x1493500115f8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x149350047908, last = 0x149350047cc8, elements = 2}, <No data fields>}, conds=0x0, og_num=2, order=0x0, group=0x14935005ef70, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x149350069948, unit=0x149350004cb8, select_lex=0x149350011358) at /test/10.9_opt/sql/sql_select.cc:5036
#26 0x000055ae9a11df57 in handle_select (thd=thd@entry=0x149350000c58, lex=lex@entry=0x149350004be0, result=result@entry=0x149350069948, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.9_opt/sql/sql_select.cc:570
#27 0x000055ae9a0a1a21 in execute_sqlcom_select (thd=0x149350000c58, all_tables=0x149350047d20) at /test/10.9_opt/sql/sql_parse.cc:6271
#28 0x000055ae9a0af363 in mysql_execute_command (thd=0x149350000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:3961
#29 0x000055ae9a09ca55 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x149350000c58) at /test/10.9_opt/sql/sql_parse.cc:8046
#30 mysql_parse (thd=0x149350000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:7968
#31 0x000055ae9a0a871a in dispatch_command (command=COM_QUERY, thd=0x149350000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.9_opt/sql/sql_class.h:1364
#32 0x000055ae9a0aa642 in do_command (thd=0x149350000c58, blocking=blocking@entry=true) at /test/10.9_opt/sql/sql_parse.cc:1408
#33 0x000055ae9a1bf5bf in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55ae9d84f6a8, put_in_cache=put_in_cache@entry=true) at /test/10.9_opt/sql/sql_connect.cc:1418
#34 0x000055ae9a1bf89d in handle_one_connection (arg=0x55ae9d84f6a8) at /test/10.9_opt/sql/sql_connect.cc:1312
#35 0x00001493accc8609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#36 0x00001493ac8b4133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Debug)
Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000056459bf38f60 in sub_select (join=0x14a95c0b57b0,
join_tab=0x14a95c0e5a60, end_of_records=false)
at /test/10.9_dbg/sql/sql_select.cc:21066
21066 join_tab->table->null_row=0;
[Current thread is 1 (Thread 0x14aa08051700 (LWP 818377))]
(gdb) bt
#0 0x000056459bf38f60 in sub_select (join=0x14a95c0b57b0, join_tab=0x14a95c0e5a60, end_of_records=false) at /test/10.9_dbg/sql/sql_select.cc:21066
#1 0x000056459bf6c795 in do_select (procedure=<optimized out>, join=0x14a95c0b57b0) at /test/10.9_dbg/sql/sql_select.cc:20671
#2 JOIN::exec_inner (this=this@entry=0x14a95c0b57b0) at /test/10.9_dbg/sql/sql_select.cc:4778
#3 0x000056459bf6cd2e in JOIN::exec (this=0x14a95c0b57b0) at /test/10.9_dbg/sql/sql_select.cc:4556
#4 0x000056459c2cee2a in subselect_single_select_engine::exec (this=0x14a95c087638) at /test/10.9_dbg/sql/item_subselect.cc:4126
#5 0x000056459c2ce2c1 in Item_subselect::exec (this=this@entry=0x14a95c087368) at /test/10.9_dbg/sql/item_subselect.cc:853
#6 0x000056459c2d3567 in Item_in_subselect::exec (this=0x14a95c087368) at /test/10.9_dbg/sql/item_subselect.cc:1035
#7 0x000056459c2cd475 in Item_in_subselect::val_bool (this=0x14a95c087368) at /test/10.9_dbg/sql/item_subselect.cc:1971
#8 0x000056459bdb4dd3 in Item::val_bool_result (this=<optimized out>) at /test/10.9_dbg/sql/item.h:1783
#9 0x000056459c2168cd in Item_in_optimizer::val_int (this=0x14a95c0bab98) at /test/10.9_dbg/sql/item_cmpfunc.cc:1622
#10 0x000056459bdb4d97 in Item::val_int_result (this=<optimized out>) at /test/10.9_dbg/sql/item.h:1779
#11 0x000056459c1d9a21 in Item_cache_int::cache_value (this=0x14a95c0e7128) at /test/10.9_dbg/sql/item.cc:10083
#12 0x000056459c1f7454 in Item_cache_wrapper::cache (this=0x14a95c0e7088) at /test/10.9_dbg/sql/item.cc:8868
#13 Item_cache_wrapper::val_bool (this=0x14a95c0e7088) at /test/10.9_dbg/sql/item.cc:9054
#14 0x000056459c207d68 in Item_func_not::val_int (this=0x14a95c087678) at /test/10.9_dbg/sql/item_cmpfunc.cc:202
#15 0x000056459c1f2331 in Item::save_int_in_field (this=0x14a95c087678, field=0x14a95c102760, no_conversions=<optimized out>) at /test/10.9_dbg/sql/item.cc:6827
#16 0x000056459c0d26ea in Type_handler_int_result::Item_save_in_field (this=<optimized out>, item=<optimized out>, field=<optimized out>, no_conversions=<optimized out>) at /test/10.9_dbg/sql/sql_type.cc:4360
#17 0x000056459c1d8b97 in Item::save_in_field (this=0x14a95c087678, field=0x14a95c102760, no_conversions=<optimized out>) at /test/10.9_dbg/sql/item.cc:6837
#18 0x000056459bde013e in Item_result_field::save_in_result_field (this=<optimized out>, no_conversions=<optimized out>) at /test/10.9_dbg/sql/item.h:3435
#19 0x000056459bf51902 in copy_funcs (func_ptr=0x14a95c101ff8, thd=0x14a95c000db8) at /test/10.9_dbg/sql/sql_select.cc:26340
#20 0x000056459bf51999 in end_write (join=0x14a95c0921b8, join_tab=0x14a95c0fcb38, end_of_records=<optimized out>) at /test/10.9_dbg/sql/sql_select.cc:22611
#21 0x000056459bf5fb93 in AGGR_OP::put_record (this=this@entry=0x14a95c0fd958, end_of_records=end_of_records@entry=false) at /test/10.9_dbg/sql/sql_select.cc:29514
#22 0x000056459bf60083 in AGGR_OP::put_record (this=0x14a95c0fd958) at /test/10.9_dbg/sql/sql_select.h:1056
#23 sub_select_postjoin_aggr (join=0x14a95c0921b8, join_tab=0x14a95c0fcb38, end_of_records=<optimized out>) at /test/10.9_dbg/sql/sql_select.cc:20842
#24 0x000056459bf2368c in evaluate_join_record (join=join@entry=0x14a95c0921b8, join_tab=join_tab@entry=0x14a95c0fc788, error=error@entry=0) at /test/10.9_dbg/sql/sql_select.cc:21356
#25 0x000056459bf38f49 in sub_select (join=0x14a95c0921b8, join_tab=0x14a95c0fc788, end_of_records=false) at /test/10.9_dbg/sql/sql_select.cc:21126
#26 0x000056459bf6c795 in do_select (procedure=<optimized out>, join=0x14a95c0921b8) at /test/10.9_dbg/sql/sql_select.cc:20671
#27 JOIN::exec_inner (this=this@entry=0x14a95c0921b8) at /test/10.9_dbg/sql/sql_select.cc:4778
#28 0x000056459bf6cd2e in JOIN::exec (this=this@entry=0x14a95c0921b8) at /test/10.9_dbg/sql/sql_select.cc:4556
#29 0x000056459bf6aab2 in mysql_select (thd=thd@entry=0x14a95c000db8, tables=0x14a95c0701e8, fields=@0x14a95c014b18: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14a95c06fdc8, last = 0x14a95c070190, elements = 2}, <No data fields>}, conds=0x0, og_num=2, order=0x0, group=0x14a95c087728, having=0x0, proc_param=0x0, select_options=2147748608, result=0x14a95c092190, unit=0x14a95c004fd8, select_lex=0x14a95c014878) at /test/10.9_dbg/sql/sql_select.cc:5036
#30 0x000056459bf6b2a8 in handle_select (thd=thd@entry=0x14a95c000db8, lex=lex@entry=0x14a95c004f00, result=result@entry=0x14a95c092190, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.9_dbg/sql/sql_select.cc:570
#31 0x000056459bed76c8 in execute_sqlcom_select (thd=thd@entry=0x14a95c000db8, all_tables=0x14a95c0701e8) at /test/10.9_dbg/sql/sql_parse.cc:6271
#32 0x000056459bee3935 in mysql_execute_command (thd=thd@entry=0x14a95c000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.9_dbg/sql/sql_parse.cc:3961
#33 0x000056459bed167b in mysql_parse (thd=thd@entry=0x14a95c000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14aa08050470) at /test/10.9_dbg/sql/sql_parse.cc:8046
#34 0x000056459bedef79 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14a95c000db8, packet=packet@entry=0x14a95c00b699 "", packet_length=packet_length@entry=1559, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_class.h:1364
#35 0x000056459bee1686 in do_command (thd=0x14a95c000db8, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:1408
#36 0x000056459c03ed02 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56459ff70c18, put_in_cache=put_in_cache@entry=true) at /test/10.9_dbg/sql/sql_connect.cc:1418
#37 0x000056459c03f20b in handle_one_connection (arg=0x56459ff70c18) at /test/10.9_dbg/sql/sql_connect.cc:1312
#38 0x000014aa1fefd609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#39 0x000014aa1fae9133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), MariaDB: 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.37 (dbg), 5.7.37 (opt), 8.0.28 (dbg), 8.0.28 (opt)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

82_stack
9 kB
2022-05-08 10:01

Issue Links

is part of

MDEV-30052 Crash with a query containing nested WINDOW clauses

Closed

relates to

MDEV-19569 Assertion `table_list->table' failed in find_field_in_table_ref and Assertion `table_ref->table || table_ref->view' in Field_iterator_table_ref::set_field_iterator

Closed

MDEV-28506 SIGSEGV's in find_field_in_table[s][_ref], Item_field::fix_fields, create_view_field and MemcmpInterceptorCommon | Assertions `(*select_ref)->fixed' or '->is_fixed' and `table_list->table' failed

Stalled

MDEV-28510 SIGSEGV in get_sort_by_table and SIGSEGV in subquery_types_allow_materialization

Closed

MDEV-28799 SIGSEGV in JOIN_CACHE::reset_join and Assertion `cache != __null' failed in sub_select_cache on SELECT

Closed

MDEV-32766 Segmentation fault at /mariadb-11.3.0/sql/sql_select.cc:23373

Confirmed

(1 relates to)

Server crash in sql/sql_select.cc:19830 in sub_select(JOIN, st_join_table, bool)

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Git Integration