Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-28509

Server crash via Item_func_ne::add_key_fields in /sql/sql_bitmap.h:196, member access within null pointer of type 'struct JOIN_TAB' in add_key_field

    XMLWordPrintable

Details

    • Bug
    • Status: In Review (View Workflow)
    • Major
    • Resolution: Unresolved
    • 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.4, 11.7(EOL), 11.8
    • 10.5, 10.6, 10.11, 11.4
    • Optimizer

    Description

      Original testcase (reduced version in comments below):

      CREATE TABLE v1054 ( v1055 INT ) ;
      		 
       INSERT INTO v1054 ( v1055 ) VALUES ( 54 ) ;
      		 
       UPDATE v1054 SET v1055 = 127 WHERE v1055 = 83 ;
      		 
       INSERT INTO v1054 ( v1055 ) VALUES ( -1 ) , ( -1 ) ;
      		 
       WITH v1057 AS ( SELECT v1055 FROM ( SELECT v1055 FROM v1054 GROUP BY v1055 ) AS v1056 ) SELECT v1055 FROM v1057 WHERE v1055 BETWEEN FALSE AND ( ( ( v1055 OR NOT v1055 ) BETWEEN ( ( ( ( EXISTS ( WITH v1063 AS ( SELECT v1055 FROM ( SELECT v1055 FROM v1054 GROUP BY v1055 ) AS v1058 WINDOW v1062 AS ( PARTITION BY v1055 ORDER BY ( SELECT DISTINCT 16 FROM v1054 AS v1059 , v1054 AS v1060 , v1054 AS v1061 JOIN v1054 ) DESC RANGE BETWEEN 80808358.000000 FOLLOWING AND 82012945.000000 FOLLOWING ) ) SELECT v1055 FROM ( SELECT DISTINCT ( ( NOT ( 60914711.000000 AND v1055 = 68 ) ) = -1 AND v1055 = 17 ) % v1055 , ( v1055 = -1 OR v1055 > 'x' ) FROM v1054 WHERE v1055 = -128 AND ( v1055 = -128 OR v1055 = 0 OR v1055 = 31 ) ) AS v1064 NATURAL JOIN v1063 AS v1065 NATURAL JOIN v1063 AS v1066 NATURAL JOIN ( SELECT DISTINCT v1055 , ( v1055 = -1 OR v1055 > 'x' ) FROM v1054 ) AS v1067 NATURAL JOIN v1063 AS v1068 NATURAL JOIN v1063 WHERE v1055 != 72 GROUP BY v1055 ORDER BY v1055 ) AND v1055 = -1 ) - 2147483647 ) ) ) AND 'x' = ( 4 + 34235093.000000 <= 60 ) ) ) ;

      Leads to:

      10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Optimized)

      		 
      Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  0x000055daccac22da in Bitmap<64u>::merge (this=<optimized out>, map2=...)
      		 
          at /test/10.9_opt/sql/sql_bitmap.h:172
      		 
      [Current thread is 1 (Thread 0x14d62c400700 (LWP 357990))]
      		 
      (gdb) bt
      		 
      #0  0x000055daccac22da in Bitmap<64u>::merge (this=<optimized out>, map2=<optimized out>) at /test/10.9_opt/sql/sql_bitmap.h:172
      		 
      #1  add_key_field (join=<optimized out>, key_fields=0x14d62c3fdd38, and_level=0, cond=0x14d5d40db680, field=0x14d5d40aef30, eq_func=<optimized out>, value=0x14d5d40db700, num_values=1, usable_tables=18446744073709551615, sargables=0x14d62c3fded8, row_col_no=0) at /test/10.9_opt/sql/sql_select.cc:6296
      		 
      #2  0x000055daccac24fd in add_key_equal_fields (join=0x14d5d40a38e8, key_fields=0x14d62c3fdd38, and_level=0, cond=0x14d5d40db680, field_item=0x14d5d40db4f0, eq_func=<optimized out>, val=0x14d5d40db700, num_values=1, usable_tables=18446744073709551615, sargables=0x14d62c3fded8, row_col_no=0) at /test/10.9_opt/sql/sql_select.cc:6413
      		 
      #3  0x000055daccacbd65 in Item_func_ne::add_key_fields (this=0x14d5d40db680, join=0x14d5d40a38e8, key_fields=0x14d62c3fdd38, and_level=0x14d62c3fdd34, usable_tables=18446744073709551615, sargables=0x14d62c3fded8) at /test/10.9_opt/sql/sql_select.cc:6648
      		 
      #4  0x000055daccacc589 in update_ref_and_keys (thd=thd@entry=0x14d5d4000c58, keyuse=keyuse@entry=0x14d5d40a3c08, join_tab=0x14d5d40db8e0, tables=1, cond=0x14d5d40db680, normal_tables=normal_tables@entry=18446744073709551615, sargables=0x14d62c3fded8, select_lex=<optimized out>, select_lex=<optimized out>) at /test/10.9_opt/sql/sql_select.cc:7170
      		 
      #5  0x000055daccb01779 in make_join_statistics (keyuse_array=0x14d5d40a3c08, tables_list=@0x14d5d405c970: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14d5d40a3ea0, last = 0x14d5d40a3ea0, elements = 1}, <No data fields>}, join=0x14d5d40a38e8) at /test/10.9_opt/sql/sql_select.cc:5422
      		 
      #6  JOIN::optimize_inner (this=0x14d5d40a38e8) at /test/10.9_opt/sql/sql_select.cc:2495
      		 
      #7  0x000055daccb036d3 in JOIN::optimize (this=this@entry=0x14d5d40a38e8) at /test/10.9_opt/sql/sql_select.cc:1837
      		 
      #8  0x000055dacca499fb in mysql_derived_optimize (thd=0x14d5d4000c58, lex=0x14d5d4004be0, derived=0x14d5d405e118) at /test/10.9_opt/sql/sql_derived.cc:1064
      		 
      #9  0x000055dacca49258 in mysql_handle_single_derived (lex=0x14d5d4004be0, derived=derived@entry=0x14d5d405e118, phases=phases@entry=4) at /test/10.9_opt/sql/sql_derived.cc:200
      		 
      #10 0x000055daccb0077c in JOIN::optimize_inner (this=0x14d5d40a0e50) at /test/10.9_opt/sql/sql_select.cc:2313
      		 
      #11 0x000055daccb036d3 in JOIN::optimize (this=this@entry=0x14d5d40a0e50) at /test/10.9_opt/sql/sql_select.cc:1837
      		 
      #12 0x000055dacca67464 in st_select_lex::optimize_unflattened_subqueries (this=0x14d5d4013c48, const_only=const_only@entry=true) at /test/10.9_opt/sql/sql_lex.cc:4916
      		 
      #13 0x000055daccbe9455 in JOIN::optimize_constant_subqueries (this=this@entry=0x14d5d4072788) at /test/10.9_opt/sql/opt_subselect.cc:5622
      		 
      #14 0x000055daccafff67 in JOIN::optimize_inner (this=0x14d5d4072788) at /test/10.9_opt/sql/sql_select.cc:2157
      		 
      #15 0x000055daccb036d3 in JOIN::optimize (this=this@entry=0x14d5d4072788) at /test/10.9_opt/sql/sql_select.cc:1837
      		 
      #16 0x000055daccb037be in mysql_select (thd=0x14d5d4000c58, tables=0x14d5d4045880, fields=@0x14d5d4013ee8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14d5d40141e0, last = 0x14d5d40141e0, elements = 1}, <No data fields>}, conds=0x14d5d4059b10, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x14d5d4072760, unit=0x14d5d4004cb8, select_lex=0x14d5d4013c48) at /test/10.9_opt/sql/sql_select.cc:5022
      		 
      #17 0x000055daccb03f57 in handle_select (thd=thd@entry=0x14d5d4000c58, lex=lex@entry=0x14d5d4004be0, result=result@entry=0x14d5d4072760, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.9_opt/sql/sql_select.cc:570
      		 
      #18 0x000055dacca87a21 in execute_sqlcom_select (thd=0x14d5d4000c58, all_tables=0x14d5d4045880) at /test/10.9_opt/sql/sql_parse.cc:6271
      		 
      #19 0x000055dacca95363 in mysql_execute_command (thd=0x14d5d4000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:3961
      		 
      #20 0x000055dacca82a55 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14d5d4000c58) at /test/10.9_opt/sql/sql_parse.cc:8046
      		 
      #21 mysql_parse (thd=0x14d5d4000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:7968
      		 
      #22 0x000055dacca8e71a in dispatch_command (command=COM_QUERY, thd=0x14d5d4000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.9_opt/sql/sql_class.h:1364
      		 
      #23 0x000055dacca90642 in do_command (thd=0x14d5d4000c58, blocking=blocking@entry=true) at /test/10.9_opt/sql/sql_parse.cc:1408
      		 
      #24 0x000055daccba55bf in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55dad0334eb8, put_in_cache=put_in_cache@entry=true) at /test/10.9_opt/sql/sql_connect.cc:1418
      		 
      #25 0x000055daccba589d in handle_one_connection (arg=0x55dad0334eb8) at /test/10.9_opt/sql/sql_connect.cc:1312
      		 
      #26 0x000014d645c57609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      		 
      #27 0x000014d645843133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Debug)

      		 
      Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  Bitmap<64u>::merge (map2=..., this=<optimized out>)
      		 
          at /test/10.9_dbg/sql/sql_bitmap.h:210
      		 
      [Current thread is 1 (Thread 0x148c00096700 (LWP 667827))]
      		 
      (gdb) bt
      		 
      #0  Bitmap<64u>::merge (map2=<optimized out>, this=<optimized out>) at /test/10.9_dbg/sql/sql_bitmap.h:210
      		 
      #1  add_key_field (join=join@entry=0x148b980cf378, key_fields=key_fields@entry=0x148c000942d8, and_level=and_level@entry=0, cond=cond@entry=0x148b9810ada0, field=field@entry=0x148b980dae10, eq_func=eq_func@entry=false, value=0x148b9810ae20, num_values=1, usable_tables=18446744073709551615, sargables=0x148c000943f8, row_col_no=0) at /test/10.9_dbg/sql/sql_select.cc:6296
      		 
      #2  0x0000562f13415710 in add_key_equal_fields (join=join@entry=0x148b980cf378, key_fields=key_fields@entry=0x148c000942d8, and_level=0, cond=cond@entry=0x148b9810ada0, field_item=0x148b9810ac10, eq_func=eq_func@entry=false, val=0x148b9810ae20, num_values=1, usable_tables=18446744073709551615, sargables=0x148c000943f8, row_col_no=0) at /test/10.9_dbg/sql/sql_select.cc:6413
      		 
      #3  0x0000562f1341f1e3 in Item_func_ne::add_key_fields (this=0x148b9810ada0, join=0x148b980cf378, key_fields=0x148c000942d8, and_level=0x148c000942d4, usable_tables=18446744073709551615, sargables=0x148c000943f8) at /test/10.9_dbg/sql/sql_select.cc:6648
      		 
      #4  0x0000562f1341f93e in update_ref_and_keys (thd=thd@entry=0x148b98000db8, keyuse=keyuse@entry=0x148b980cf698, join_tab=0x148b9810b000, tables=1, cond=0x148b9810ada0, normal_tables=normal_tables@entry=18446744073709551615, select_lex=0x148b98084d30, sargables=0x148c000943f8) at /test/10.9_dbg/sql/sql_select.cc:7170
      		 
      #5  0x0000562f13455b82 in make_join_statistics (join=join@entry=0x148b980cf378, tables_list=@0x148b98084f48: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x148b980cf930, last = 0x148b980cf930, elements = 1}, <No data fields>}, keyuse_array=keyuse_array@entry=0x148b980cf698) at /test/10.9_dbg/sql/sql_select.cc:5422
      		 
      #6  0x0000562f1345e52c in JOIN::optimize_inner (this=this@entry=0x148b980cf378) at /test/10.9_dbg/sql/sql_select.cc:2495
      		 
      #7  0x0000562f1345e96c in JOIN::optimize (this=this@entry=0x148b980cf378) at /test/10.9_dbg/sql/sql_select.cc:1837
      		 
      #8  0x0000562f13381a63 in mysql_derived_optimize (thd=0x148b98000db8, lex=0x148b98004f00, derived=0x148b98086758) at /test/10.9_dbg/sql/sql_derived.cc:1064
      		 
      #9  0x0000562f133811fd in mysql_handle_single_derived (lex=0x148b98004f00, derived=derived@entry=0x148b98086758, phases=phases@entry=4) at /test/10.9_dbg/sql/sql_derived.cc:200
      		 
      #10 0x0000562f1345e6fd in JOIN::optimize_inner (this=this@entry=0x148b980cc840) at /test/10.9_dbg/sql/sql_select.cc:2313
      		 
      #11 0x0000562f1345e96c in JOIN::optimize (this=this@entry=0x148b980cc840) at /test/10.9_dbg/sql/sql_select.cc:1837
      		 
      #12 0x0000562f133a3462 in st_select_lex::optimize_unflattened_subqueries (this=0x148b98017168, const_only=const_only@entry=true) at /test/10.9_dbg/sql/sql_lex.cc:4916
      		 
      #13 0x0000562f1358ff3d in JOIN::optimize_constant_subqueries (this=this@entry=0x148b9809aef0) at /test/10.9_dbg/sql/opt_subselect.cc:5622
      		 
      #14 0x0000562f1345d490 in JOIN::optimize_inner (this=this@entry=0x148b9809aef0) at /test/10.9_dbg/sql/sql_select.cc:2157
      		 
      #15 0x0000562f1345e96c in JOIN::optimize (this=this@entry=0x148b9809aef0) at /test/10.9_dbg/sql/sql_select.cc:1837
      		 
      #16 0x0000562f1345ea5f in mysql_select (thd=thd@entry=0x148b98000db8, tables=0x148b9806dc90, fields=@0x148b98017408: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x148b98017700, last = 0x148b98017700, elements = 1}, <No data fields>}, conds=0x148b980820e8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x148b9809aec8, unit=0x148b98004fd8, select_lex=0x148b98017168) at /test/10.9_dbg/sql/sql_select.cc:5022
      		 
      #17 0x0000562f1345f2a8 in handle_select (thd=thd@entry=0x148b98000db8, lex=lex@entry=0x148b98004f00, result=result@entry=0x148b9809aec8, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.9_dbg/sql/sql_select.cc:570
      		 
      #18 0x0000562f133cb6c8 in execute_sqlcom_select (thd=thd@entry=0x148b98000db8, all_tables=0x148b9806dc90) at /test/10.9_dbg/sql/sql_parse.cc:6271
      		 
      #19 0x0000562f133d7935 in mysql_execute_command (thd=thd@entry=0x148b98000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.9_dbg/sql/sql_parse.cc:3961
      		 
      #20 0x0000562f133c567b in mysql_parse (thd=thd@entry=0x148b98000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x148c00095470) at /test/10.9_dbg/sql/sql_parse.cc:8046
      		 
      #21 0x0000562f133d2f79 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x148b98000db8, packet=packet@entry=0x148b9800b699 "WITH v1057 AS ( SELECT v1055 FROM ( SELECT v1055 FROM v1054 GROUP BY v1055 ) AS v1056 ) SELECT v1055 FROM v1057 WHERE v1055 BETWEEN FALSE AND ( ( ( v1055 OR NOT v1055 ) BETWEEN ( ( ( ( EXISTS ( WITH v"..., packet_length=packet_length@entry=1048, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_class.h:1364
      		 
      #22 0x0000562f133d5686 in do_command (thd=0x148b98000db8, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:1408
      		 
      #23 0x0000562f13532d02 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x562f171eede8, put_in_cache=put_in_cache@entry=true) at /test/10.9_dbg/sql/sql_connect.cc:1418
      		 
      #24 0x0000562f1353320b in handle_one_connection (arg=0x562f171eede8) at /test/10.9_dbg/sql/sql_connect.cc:1312
      		 
      #25 0x0000148c17d25609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      		 
      #26 0x0000148c17911133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      Bug confirmed present in:
      MariaDB: 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt), 10.10.0 (dbg), 10.10.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.37 (dbg), 5.7.37 (opt), 8.0.28 (dbg), 8.0.28 (opt)

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. MDEV-32085 Server crash in add_key_field

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-32295 Server crashes at add_key_field

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-32422 Segmentation fault at /mariadb-11.3.0/sql/sql_select.cc:6554

          • Major - Major loss of function.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-22498 SIGSEGV in Bitmap<64u>::merge on SELECT

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-29017 SIGSEGV in Bitmap<64u>::merge on SELECT

          • Major - Major loss of function.
          • Confirmed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-30756 Crash in get_sort_by_table / make_join_statistics / update_depend_map_for_order, various UBSAN pointer issues

          • Major - Major loss of function.
          • Stalled

          Bug - A problem which impairs or prevents the functions of the product. MDEV-35717 UBSAN: runtime errors: applying zero offset to null pointer in my_strnncoll_utf8mb3_general1400_as_ci, and applying non-zero offset 4 to null pointer in my_strcoll_ascii_4bytes_found

          • Critical - Crashes, loss of data, severe memory leak.
          • Confirmed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-22825 Server crashes in Bitmap<64u>::merge / add_key_field with condition_pushdown_for_subquery=on

          • Major - Major loss of function.
          • Confirmed

          Activity

            People

              psergei Sergei Petrunia
              nobody Shihao Wen
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.