
Server crash via Item_func_ne::add_key_fields in /sql/sql_bitmap.h:196, member access within null pointer of type 'struct JOIN_TAB' in add_key_field



    Description

      Original testcase (reduced version in comments below):

      -- Reproducer for MDEV-28509 (fuzzer-generated; identifiers are synthetic).
      -- The final WITH ... SELECT makes mysqld terminate with SIGSEGV in
      -- Bitmap<64u>::merge, reached from Item_func_ne::add_key_fields while the
      -- optimizer processes a derived table (see the backtraces in this report).
      -- Fixture: a single INT column, no index, three rows (54, -1, -1).
      CREATE TABLE v1054 ( v1055 INT ) ;
       INSERT INTO v1054 ( v1055 ) VALUES ( 54 ) ;
       -- Kept verbatim from the original case; with only the row 54 present this
       -- UPDATE appears to match nothing, so its role in the reproducer is unclear.
       UPDATE v1054 SET v1055 = 127 WHERE v1055 = 83 ;
       INSERT INTO v1054 ( v1055 ) VALUES ( -1 ) , ( -1 ) ;
       -- Crashing statement. The only `!=` in it is `v1055 != 72` inside the EXISTS
       -- subquery, which matches the Item_func_ne frame; NOTE(review): it presumably
       -- reaches the derived-table JOIN via condition pushdown through the NATURAL
       -- JOINs on v1063 -- confirm against the reduced case referenced above.
       -- Which other sub-expressions are essential is not established on this page.
       WITH v1057 AS ( SELECT v1055 FROM ( SELECT v1055 FROM v1054 GROUP BY v1055 ) AS v1056 ) SELECT v1055 FROM v1057 WHERE v1055 BETWEEN FALSE AND ( ( ( v1055 OR NOT v1055 ) BETWEEN ( ( ( ( EXISTS ( WITH v1063 AS ( SELECT v1055 FROM ( SELECT v1055 FROM v1054 GROUP BY v1055 ) AS v1058 WINDOW v1062 AS ( PARTITION BY v1055 ORDER BY ( SELECT DISTINCT 16 FROM v1054 AS v1059 , v1054 AS v1060 , v1054 AS v1061 JOIN v1054 ) DESC RANGE BETWEEN 80808358.000000 FOLLOWING AND 82012945.000000 FOLLOWING ) ) SELECT v1055 FROM ( SELECT DISTINCT ( ( NOT ( 60914711.000000 AND v1055 = 68 ) ) = -1 AND v1055 = 17 ) % v1055 , ( v1055 = -1 OR v1055 > 'x' ) FROM v1054 WHERE v1055 = -128 AND ( v1055 = -128 OR v1055 = 0 OR v1055 = 31 ) ) AS v1064 NATURAL JOIN v1063 AS v1065 NATURAL JOIN v1063 AS v1066 NATURAL JOIN ( SELECT DISTINCT v1055 , ( v1055 = -1 OR v1055 > 'x' ) FROM v1054 ) AS v1067 NATURAL JOIN v1063 AS v1068 NATURAL JOIN v1063 WHERE v1055 != 72 GROUP BY v1055 ORDER BY v1055 ) AND v1055 = -1 ) - 2147483647 ) ) ) AND 'x' = ( 4 + 34235093.000000 <= 60 ) ) ) ;
      

      Leads to:

      10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Optimized)

      Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x000055daccac22da in Bitmap<64u>::merge (this=<optimized out>, map2=...)
          at /test/10.9_opt/sql/sql_bitmap.h:172
      [Current thread is 1 (Thread 0x14d62c400700 (LWP 357990))]
      (gdb) bt
      #0  0x000055daccac22da in Bitmap<64u>::merge (this=<optimized out>, map2=<optimized out>) at /test/10.9_opt/sql/sql_bitmap.h:172
      #1  add_key_field (join=<optimized out>, key_fields=0x14d62c3fdd38, and_level=0, cond=0x14d5d40db680, field=0x14d5d40aef30, eq_func=<optimized out>, value=0x14d5d40db700, num_values=1, usable_tables=18446744073709551615, sargables=0x14d62c3fded8, row_col_no=0) at /test/10.9_opt/sql/sql_select.cc:6296
      #2  0x000055daccac24fd in add_key_equal_fields (join=0x14d5d40a38e8, key_fields=0x14d62c3fdd38, and_level=0, cond=0x14d5d40db680, field_item=0x14d5d40db4f0, eq_func=<optimized out>, val=0x14d5d40db700, num_values=1, usable_tables=18446744073709551615, sargables=0x14d62c3fded8, row_col_no=0) at /test/10.9_opt/sql/sql_select.cc:6413
      #3  0x000055daccacbd65 in Item_func_ne::add_key_fields (this=0x14d5d40db680, join=0x14d5d40a38e8, key_fields=0x14d62c3fdd38, and_level=0x14d62c3fdd34, usable_tables=18446744073709551615, sargables=0x14d62c3fded8) at /test/10.9_opt/sql/sql_select.cc:6648
      #4  0x000055daccacc589 in update_ref_and_keys (thd=thd@entry=0x14d5d4000c58, keyuse=keyuse@entry=0x14d5d40a3c08, join_tab=0x14d5d40db8e0, tables=1, cond=0x14d5d40db680, normal_tables=normal_tables@entry=18446744073709551615, sargables=0x14d62c3fded8, select_lex=<optimized out>, select_lex=<optimized out>) at /test/10.9_opt/sql/sql_select.cc:7170
      #5  0x000055daccb01779 in make_join_statistics (keyuse_array=0x14d5d40a3c08, tables_list=@0x14d5d405c970: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14d5d40a3ea0, last = 0x14d5d40a3ea0, elements = 1}, <No data fields>}, join=0x14d5d40a38e8) at /test/10.9_opt/sql/sql_select.cc:5422
      #6  JOIN::optimize_inner (this=0x14d5d40a38e8) at /test/10.9_opt/sql/sql_select.cc:2495
      #7  0x000055daccb036d3 in JOIN::optimize (this=this@entry=0x14d5d40a38e8) at /test/10.9_opt/sql/sql_select.cc:1837
      #8  0x000055dacca499fb in mysql_derived_optimize (thd=0x14d5d4000c58, lex=0x14d5d4004be0, derived=0x14d5d405e118) at /test/10.9_opt/sql/sql_derived.cc:1064
      #9  0x000055dacca49258 in mysql_handle_single_derived (lex=0x14d5d4004be0, derived=derived@entry=0x14d5d405e118, phases=phases@entry=4) at /test/10.9_opt/sql/sql_derived.cc:200
      #10 0x000055daccb0077c in JOIN::optimize_inner (this=0x14d5d40a0e50) at /test/10.9_opt/sql/sql_select.cc:2313
      #11 0x000055daccb036d3 in JOIN::optimize (this=this@entry=0x14d5d40a0e50) at /test/10.9_opt/sql/sql_select.cc:1837
      #12 0x000055dacca67464 in st_select_lex::optimize_unflattened_subqueries (this=0x14d5d4013c48, const_only=const_only@entry=true) at /test/10.9_opt/sql/sql_lex.cc:4916
      #13 0x000055daccbe9455 in JOIN::optimize_constant_subqueries (this=this@entry=0x14d5d4072788) at /test/10.9_opt/sql/opt_subselect.cc:5622
      #14 0x000055daccafff67 in JOIN::optimize_inner (this=0x14d5d4072788) at /test/10.9_opt/sql/sql_select.cc:2157
      #15 0x000055daccb036d3 in JOIN::optimize (this=this@entry=0x14d5d4072788) at /test/10.9_opt/sql/sql_select.cc:1837
      #16 0x000055daccb037be in mysql_select (thd=0x14d5d4000c58, tables=0x14d5d4045880, fields=@0x14d5d4013ee8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14d5d40141e0, last = 0x14d5d40141e0, elements = 1}, <No data fields>}, conds=0x14d5d4059b10, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x14d5d4072760, unit=0x14d5d4004cb8, select_lex=0x14d5d4013c48) at /test/10.9_opt/sql/sql_select.cc:5022
      #17 0x000055daccb03f57 in handle_select (thd=thd@entry=0x14d5d4000c58, lex=lex@entry=0x14d5d4004be0, result=result@entry=0x14d5d4072760, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.9_opt/sql/sql_select.cc:570
      #18 0x000055dacca87a21 in execute_sqlcom_select (thd=0x14d5d4000c58, all_tables=0x14d5d4045880) at /test/10.9_opt/sql/sql_parse.cc:6271
      #19 0x000055dacca95363 in mysql_execute_command (thd=0x14d5d4000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:3961
      #20 0x000055dacca82a55 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14d5d4000c58) at /test/10.9_opt/sql/sql_parse.cc:8046
      #21 mysql_parse (thd=0x14d5d4000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:7968
      #22 0x000055dacca8e71a in dispatch_command (command=COM_QUERY, thd=0x14d5d4000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.9_opt/sql/sql_class.h:1364
      #23 0x000055dacca90642 in do_command (thd=0x14d5d4000c58, blocking=blocking@entry=true) at /test/10.9_opt/sql/sql_parse.cc:1408
      #24 0x000055daccba55bf in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55dad0334eb8, put_in_cache=put_in_cache@entry=true) at /test/10.9_opt/sql/sql_connect.cc:1418
      #25 0x000055daccba589d in handle_one_connection (arg=0x55dad0334eb8) at /test/10.9_opt/sql/sql_connect.cc:1312
      #26 0x000014d645c57609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #27 0x000014d645843133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Debug)

      Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  Bitmap<64u>::merge (map2=..., this=<optimized out>)
          at /test/10.9_dbg/sql/sql_bitmap.h:210
      [Current thread is 1 (Thread 0x148c00096700 (LWP 667827))]
      (gdb) bt
      #0  Bitmap<64u>::merge (map2=<optimized out>, this=<optimized out>) at /test/10.9_dbg/sql/sql_bitmap.h:210
      #1  add_key_field (join=join@entry=0x148b980cf378, key_fields=key_fields@entry=0x148c000942d8, and_level=and_level@entry=0, cond=cond@entry=0x148b9810ada0, field=field@entry=0x148b980dae10, eq_func=eq_func@entry=false, value=0x148b9810ae20, num_values=1, usable_tables=18446744073709551615, sargables=0x148c000943f8, row_col_no=0) at /test/10.9_dbg/sql/sql_select.cc:6296
      #2  0x0000562f13415710 in add_key_equal_fields (join=join@entry=0x148b980cf378, key_fields=key_fields@entry=0x148c000942d8, and_level=0, cond=cond@entry=0x148b9810ada0, field_item=0x148b9810ac10, eq_func=eq_func@entry=false, val=0x148b9810ae20, num_values=1, usable_tables=18446744073709551615, sargables=0x148c000943f8, row_col_no=0) at /test/10.9_dbg/sql/sql_select.cc:6413
      #3  0x0000562f1341f1e3 in Item_func_ne::add_key_fields (this=0x148b9810ada0, join=0x148b980cf378, key_fields=0x148c000942d8, and_level=0x148c000942d4, usable_tables=18446744073709551615, sargables=0x148c000943f8) at /test/10.9_dbg/sql/sql_select.cc:6648
      #4  0x0000562f1341f93e in update_ref_and_keys (thd=thd@entry=0x148b98000db8, keyuse=keyuse@entry=0x148b980cf698, join_tab=0x148b9810b000, tables=1, cond=0x148b9810ada0, normal_tables=normal_tables@entry=18446744073709551615, select_lex=0x148b98084d30, sargables=0x148c000943f8) at /test/10.9_dbg/sql/sql_select.cc:7170
      #5  0x0000562f13455b82 in make_join_statistics (join=join@entry=0x148b980cf378, tables_list=@0x148b98084f48: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x148b980cf930, last = 0x148b980cf930, elements = 1}, <No data fields>}, keyuse_array=keyuse_array@entry=0x148b980cf698) at /test/10.9_dbg/sql/sql_select.cc:5422
      #6  0x0000562f1345e52c in JOIN::optimize_inner (this=this@entry=0x148b980cf378) at /test/10.9_dbg/sql/sql_select.cc:2495
      #7  0x0000562f1345e96c in JOIN::optimize (this=this@entry=0x148b980cf378) at /test/10.9_dbg/sql/sql_select.cc:1837
      #8  0x0000562f13381a63 in mysql_derived_optimize (thd=0x148b98000db8, lex=0x148b98004f00, derived=0x148b98086758) at /test/10.9_dbg/sql/sql_derived.cc:1064
      #9  0x0000562f133811fd in mysql_handle_single_derived (lex=0x148b98004f00, derived=derived@entry=0x148b98086758, phases=phases@entry=4) at /test/10.9_dbg/sql/sql_derived.cc:200
      #10 0x0000562f1345e6fd in JOIN::optimize_inner (this=this@entry=0x148b980cc840) at /test/10.9_dbg/sql/sql_select.cc:2313
      #11 0x0000562f1345e96c in JOIN::optimize (this=this@entry=0x148b980cc840) at /test/10.9_dbg/sql/sql_select.cc:1837
      #12 0x0000562f133a3462 in st_select_lex::optimize_unflattened_subqueries (this=0x148b98017168, const_only=const_only@entry=true) at /test/10.9_dbg/sql/sql_lex.cc:4916
      #13 0x0000562f1358ff3d in JOIN::optimize_constant_subqueries (this=this@entry=0x148b9809aef0) at /test/10.9_dbg/sql/opt_subselect.cc:5622
      #14 0x0000562f1345d490 in JOIN::optimize_inner (this=this@entry=0x148b9809aef0) at /test/10.9_dbg/sql/sql_select.cc:2157
      #15 0x0000562f1345e96c in JOIN::optimize (this=this@entry=0x148b9809aef0) at /test/10.9_dbg/sql/sql_select.cc:1837
      #16 0x0000562f1345ea5f in mysql_select (thd=thd@entry=0x148b98000db8, tables=0x148b9806dc90, fields=@0x148b98017408: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x148b98017700, last = 0x148b98017700, elements = 1}, <No data fields>}, conds=0x148b980820e8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x148b9809aec8, unit=0x148b98004fd8, select_lex=0x148b98017168) at /test/10.9_dbg/sql/sql_select.cc:5022
      #17 0x0000562f1345f2a8 in handle_select (thd=thd@entry=0x148b98000db8, lex=lex@entry=0x148b98004f00, result=result@entry=0x148b9809aec8, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.9_dbg/sql/sql_select.cc:570
      #18 0x0000562f133cb6c8 in execute_sqlcom_select (thd=thd@entry=0x148b98000db8, all_tables=0x148b9806dc90) at /test/10.9_dbg/sql/sql_parse.cc:6271
      #19 0x0000562f133d7935 in mysql_execute_command (thd=thd@entry=0x148b98000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.9_dbg/sql/sql_parse.cc:3961
      #20 0x0000562f133c567b in mysql_parse (thd=thd@entry=0x148b98000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x148c00095470) at /test/10.9_dbg/sql/sql_parse.cc:8046
      #21 0x0000562f133d2f79 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x148b98000db8, packet=packet@entry=0x148b9800b699 "WITH v1057 AS ( SELECT v1055 FROM ( SELECT v1055 FROM v1054 GROUP BY v1055 ) AS v1056 ) SELECT v1055 FROM v1057 WHERE v1055 BETWEEN FALSE AND ( ( ( v1055 OR NOT v1055 ) BETWEEN ( ( ( ( EXISTS ( WITH v"..., packet_length=packet_length@entry=1048, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_class.h:1364
      #22 0x0000562f133d5686 in do_command (thd=0x148b98000db8, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:1408
      #23 0x0000562f13532d02 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x562f171eede8, put_in_cache=put_in_cache@entry=true) at /test/10.9_dbg/sql/sql_connect.cc:1418
      #24 0x0000562f1353320b in handle_one_connection (arg=0x562f171eede8) at /test/10.9_dbg/sql/sql_connect.cc:1312
      #25 0x0000148c17d25609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #26 0x0000148c17911133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt), 10.10.0 (dbg), 10.10.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.37 (dbg), 5.7.37 (opt), 8.0.28 (dbg), 8.0.28 (opt)

              psergei Sergei Petrunia
              nobody Shihao Wen