[MDEV-28510] SIGSEGV in get_sort_by_table and SIGSEGV in subquery_types_allow_materialization - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11
Fix Version/s: 10.11.2, 10.3.38, 10.4.28, 10.5.19, 10.6.12, 10.7.8, 10.8.7, 10.9.5, 10.10.3
Component/s: Optimizer, Parser
Labels:

Description

Original testcase (reduced version in comments below):

CREATE TABLE v1071 ( v1072 BOOLEAN NOT NULL ) ;

 ( ( SELECT v1072 FROM v1071 ORDER BY v1072 + v1072 , v1072 + v1072 ) ) ;

 UPDATE v1071 SET v1072 = 'x' WHERE v1072 = CASE WHEN v1072 * ( SELECT 0 FROM v1071 AS v1073 WHERE v1072 BETWEEN 70743860.000000 AND 22 WINDOW v1086 AS ( PARTITION BY v1072 ORDER BY ( SELECT DISTINCT 0 FROM ( SELECT v1072 FROM ( SELECT DISTINCT ( ( NOT ( 87472356.000000 AND v1072 = 0 ) ) = 49 AND v1072 = 30 ) % 0 , ( v1072 = 255 OR v1072 > 'x' ) FROM v1071 WHERE v1072 = 46 AND ( v1072 = 10 OR v1072 = 80 OR v1072 = -1 ) ) AS v1074 NATURAL JOIN v1071 WHERE ( v1072 = 127 OR v1072 = 16 ) NOT LIKE 'x' AND CASE v1072 * 8 = 0 WHEN 2147483647 THEN 'x' WHEN -128 THEN 'x' ELSE 8 END != 4 GROUP BY v1072 , 71777162.000000 / 91619124.000000 WINDOW v1087 AS ( PARTITION BY v1072 ORDER BY ( SELECT DISTINCT 76 FROM v1071 AS v1083 , v1071 AS v1084 , v1071 AS v1085 , v1071 ) DESC RANGE BETWEEN 66948404.000000 FOLLOWING AND 67858344.000000 FOLLOWING ) ) AS v1079 NATURAL JOIN v1071 AS v1080 , v1071 AS v1081 , v1071 AS v1082 JOIN v1071 ) DESC RANGE BETWEEN 26683913.000000 FOLLOWING AND 30593825.000000 FOLLOWING ) ) ^ v1072 THEN 'x' ELSE v1072 END / 16 ;

 INSERT INTO v1071 ( v1072 ) VALUES ( 86 ) , ( -32768 ) ;

 SELECT STDDEV_SAMP ( v1072 ) OVER v1088 , STDDEV_SAMP ( v1072 ) OVER v1088 FROM v1071 WINDOW v1088 AS ( PARTITION BY v1072 ORDER BY v1072 DESC ) ;

Leads to:

10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Optimized)
Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 get_sort_by_table (const_tables=0, tables=..., b=<optimized out>, a=0x0)
at /test/10.9_opt/sql/sql_select.cc:25516
[Current thread is 1 (Thread 0x14c418129700 (LWP 3725953))]
(gdb) bt
#0 get_sort_by_table (const_tables=0, tables=@0x14c374011cb0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14c37406ea28, last = 0x14c37406ea28, elements = 1}, <No data fields>}, b=<optimized out>, a=0x0) at /test/10.9_opt/sql/sql_select.cc:25516
#1 make_join_statistics (keyuse_array=0x14c37406e790, tables_list=@0x14c374011cb0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14c37406ea28, last = 0x14c37406ea28, elements = 1}, <No data fields>}, join=0x14c37406e470) at /test/10.9_opt/sql/sql_select.cc:5643
#2 JOIN::optimize_inner (this=0x14c37406e470) at /test/10.9_opt/sql/sql_select.cc:2495
#3 0x0000562a257cc6d3 in JOIN::optimize (this=this@entry=0x14c37406e470) at /test/10.9_opt/sql/sql_select.cc:1837
#4 0x0000562a25730464 in st_select_lex::optimize_unflattened_subqueries (this=0x14c3740054b0, const_only=const_only@entry=true) at /test/10.9_opt/sql/sql_lex.cc:4916
#5 0x0000562a258b2455 in JOIN::optimize_constant_subqueries (this=this@entry=0x14c37406d238) at /test/10.9_opt/sql/opt_subselect.cc:5622
#6 0x0000562a257c8f67 in JOIN::optimize_inner (this=0x14c37406d238) at /test/10.9_opt/sql/sql_select.cc:2157
#7 0x0000562a257cc6d3 in JOIN::optimize (this=this@entry=0x14c37406d238) at /test/10.9_opt/sql/sql_select.cc:1837
#8 0x0000562a257cc7be in mysql_select (thd=thd@entry=0x14c374000c58, tables=tables@entry=0x14c374010fa0, fields=@0x14c418127ec0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x562a267d16d0 <end_of_list>, last = 0x14c418127ec0, elements = 0}, <No data fields>}, conds=conds@entry=0x14c374053f20, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x14c37406d128, unit=0x14c374004cb8, select_lex=0x14c3740054b0) at /test/10.9_opt/sql/sql_select.cc:5022
#9 0x0000562a2582ce05 in mysql_multi_update (thd=thd@entry=0x14c374000c58, table_list=0x14c374010fa0, fields=fields@entry=0x14c374005750, values=values@entry=0x14c374005b80, conds=0x14c374053f20, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x14c374004cb8, select_lex=0x14c3740054b0, result=0x14c4181280b0) at /test/10.9_opt/sql/sql_update.cc:1969
#10 0x0000562a2575cda1 in mysql_execute_command (thd=0x14c374000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:4504
#11 0x0000562a2574ba55 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14c374000c58) at /test/10.9_opt/sql/sql_parse.cc:8046
#12 mysql_parse (thd=0x14c374000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:7968
#13 0x0000562a2575771a in dispatch_command (command=COM_QUERY, thd=0x14c374000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.9_opt/sql/sql_class.h:1364
#14 0x0000562a25759642 in do_command (thd=0x14c374000c58, blocking=blocking@entry=true) at /test/10.9_opt/sql/sql_parse.cc:1408
#15 0x0000562a2586e5bf in do_handle_one_connection (connect=<optimized out>, connect@entry=0x562a28fe5d38, put_in_cache=put_in_cache@entry=true) at /test/10.9_opt/sql/sql_connect.cc:1418
#16 0x0000562a2586e89d in handle_one_connection (arg=0x562a28fe5d38) at /test/10.9_opt/sql/sql_connect.cc:1312
#17 0x000014c43d5d0609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x000014c43d1bc133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Debug)
Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 get_sort_by_table (const_tables=<optimized out>, tables=...,
b=<optimized out>, a=0x0) at /test/10.9_dbg/sql/sql_select.cc:25516
[Current thread is 1 (Thread 0x15000412d700 (LWP 3726887))]
(gdb) bt
#0 get_sort_by_table (const_tables=<optimized out>, tables=@0x14ff880151d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14ff88097750, last = 0x14ff88097750, elements = 1}, <No data fields>}, b=<optimized out>, a=0x0) at /test/10.9_dbg/sql/sql_select.cc:25516
#1 make_join_statistics (join=join@entry=0x14ff88097198, tables_list=@0x14ff880151d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14ff88097750, last = 0x14ff88097750, elements = 1}, <No data fields>}, keyuse_array=keyuse_array@entry=0x14ff880974b8) at /test/10.9_dbg/sql/sql_select.cc:5643
#2 0x000056217facd52c in JOIN::optimize_inner (this=this@entry=0x14ff88097198) at /test/10.9_dbg/sql/sql_select.cc:2495
#3 0x000056217facd96c in JOIN::optimize (this=this@entry=0x14ff88097198) at /test/10.9_dbg/sql/sql_select.cc:1837
#4 0x000056217fa12462 in st_select_lex::optimize_unflattened_subqueries (this=0x14ff880057d0, const_only=const_only@entry=true) at /test/10.9_dbg/sql/sql_lex.cc:4916
#5 0x000056217fbfef3d in JOIN::optimize_constant_subqueries (this=this@entry=0x14ff88095f60) at /test/10.9_dbg/sql/opt_subselect.cc:5622
#6 0x000056217facc490 in JOIN::optimize_inner (this=this@entry=0x14ff88095f60) at /test/10.9_dbg/sql/sql_select.cc:2157
#7 0x000056217facd96c in JOIN::optimize (this=this@entry=0x14ff88095f60) at /test/10.9_dbg/sql/sql_select.cc:1837
#8 0x000056217facda5f in mysql_select (thd=thd@entry=0x14ff88000db8, tables=tables@entry=0x14ff880144c0, fields=@0x15000412bea0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x562180f10bc0 <end_of_list>, last = 0x15000412bea0, elements = 0}, <No data fields>}, conds=conds@entry=0x14ff8807c970, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2200096997504, result=0x14ff88095e50, unit=0x14ff88004fd8, select_lex=0x14ff880057d0) at /test/10.9_dbg/sql/sql_select.cc:5022
#9 0x000056217fb4692d in mysql_multi_update (thd=thd@entry=0x14ff88000db8, table_list=0x14ff880144c0, fields=fields@entry=0x14ff88005a70, values=values@entry=0x14ff88005ea0, conds=0x14ff8807c970, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x14ff88004fd8, select_lex=0x14ff880057d0, result=0x15000412c080) at /test/10.9_dbg/sql/sql_update.cc:1969
#10 0x000056217fa47e60 in mysql_execute_command (thd=thd@entry=0x14ff88000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.9_dbg/sql/sql_parse.cc:4504
#11 0x000056217fa3467b in mysql_parse (thd=thd@entry=0x14ff88000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x15000412c470) at /test/10.9_dbg/sql/sql_parse.cc:8046
#12 0x000056217fa41f79 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14ff88000db8, packet=packet@entry=0x14ff8800b699 "UPDATE v1071 SET v1072 = 'x' WHERE v1072 = CASE WHEN v1072 * ( SELECT 0 FROM v1071 AS v1073 WHERE v1072 BETWEEN 70743860.000000 AND 22 WINDOW v1086 AS ( PARTITION BY v1072 ORDER BY ( SELECT DISTINCT 0"..., packet_length=packet_length@entry=1044, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_class.h:1364
#13 0x000056217fa44686 in do_command (thd=0x14ff88000db8, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:1408
#14 0x000056217fba1d02 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x562182aba788, put_in_cache=put_in_cache@entry=true) at /test/10.9_dbg/sql/sql_connect.cc:1418
#15 0x000056217fba220b in handle_one_connection (arg=0x562182aba788) at /test/10.9_dbg/sql/sql_connect.cc:1312
#16 0x00001500321f1609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#17 0x0000150031ddd133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt), 10.10.0 (dbg), 10.10.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.37 (dbg), 5.7.37 (opt), 8.0.28 (dbg), 8.0.28 (opt)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

274_stack
6 kB
2022-05-08 10:07

Issue Links

duplicates

MDEV-28506 SIGSEGV's in find_field_in_table[s][_ref], Item_field::fix_fields, create_view_field and MemcmpInterceptorCommon | Assertions `(*select_ref)->fixed' or '->is_fixed' and `table_list->table' failed

Stalled

is duplicated by

MDEV-28516 SIGSEGV in get_sort_by_table, UBSAN: runtime error: member access within null pointer of type 'struct TABLE_LIST'

Closed

is part of

MDEV-30052 Crash with a query containing nested WINDOW clauses

Closed

relates to

MDEV-19569 Assertion `table_list->table' failed in find_field_in_table_ref and Assertion `table_ref->table || table_ref->view' in Field_iterator_table_ref::set_field_iterator

Closed

MDEV-28505 Server crash in sql/sql_select.cc:19830 in sub_select(JOIN*, st_join_table*, bool)

Closed

MDEV-29935 Server crashes in get_sort_by_table/make_join_statistics after INSERT into a view with ORDER BY

In Review

(1 relates to)

SIGSEGV in get_sort_by_table and SIGSEGV in subquery_types_allow_materialization

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Git Integration