Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-28615

Crash caused by multi-table UPDATE over derived with hanging CTE

Details

    Description

      poc:

      CREATE TABLE v1269 ( v1270 VARCHAR ( 1 ) , v1271 INT , v1272 INT ) ;
      		 
       CREATE TABLE v1273 ( v1274 BOOLEAN NOT NULL , v1275 INT , v1276 INT ) ;
      		 
       INSERT INTO v1269 ( v1271 ) VALUES ( v1271 ) ;
      		 
       UPDATE ( SELECT DISTINCT ( ( 66 , 'x' NOT BETWEEN ( SELECT DISTINCT EXISTS ( SELECT DISTINCT v1270 FROM v1269 UNION SELECT v1274 FROM ( SELECT DISTINCT ( SELECT v1270 FROM ( SELECT DISTINCT ( ( NOT ( 17138038.000000 AND v1274 = 78 ) ) = 0 AND v1274 = -128 ) % 45 , ( 79 = 13 OR v1276 > 'x' ) FROM v1273 WHERE v1275 - v1276 ) AS v1277 NATURAL JOIN ( WITH v1279 AS ( SELECT v1276 FROM ( SELECT NOT v1276 <= 'x' , v1276 FROM v1273 GROUP BY v1274 ) AS v1278 ) SELECT DISTINCT v1270 , ( v1270 = 5 OR v1272 > 'x' ) FROM v1269 ) AS v1280 NATURAL JOIN v1269 WHERE v1270 = v1274 ) AS v1281 FROM v1273 ) AS v1282 NATURAL JOIN v1269 AS v1283 NATURAL JOIN v1273 ORDER BY v1271 ) AND v1270 = -1 FROM v1269 ) AND 'x' ) = 12 AND v1271 = 64 ) % 0 , ( v1271 = 37 OR v1270 > 'x' ) FROM v1269 WHERE v1271 = -1 AND ( v1271 = 85 OR v1270 = 0 OR v1270 = 45 ) ) AS v1284 NATURAL JOIN v1269 SET v1271 = -1 WHERE v1270 = 62 ;
      		 
       INSERT INTO v1273 ( v1275 ) VALUES ( ( ( SELECT ARRAY [ 16 , 255 , -1 ] ) ) [ 93 ] ) , ( 255 ) ;
      		 
       SELECT COUNT ( v1270 ) OVER v1285 , NTILE ( v1271 ) OVER v1285 FROM v1269 WINDOW v1285 AS ( PARTITION BY v1271 ORDER BY v1272 DESC ) ;

      output:
      mysqld: /sql/handler.cc:2853: int handler::ha_rnd_next(uchar*): Assertion `table_share->tmp_table != NO_TMP_TABLE || m_lock_type != 2' failed.

      The full error log is in the attachment.

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. MDEV-32429 Heap-Use-After-Free at /mariadb-11.3.0/sql/sql_select.cc:15810

          • Major - Major loss of function.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            nobody Shihao Wen created issue -
            danblack Daniel Black made changes -
            Field Original Value New Value
            Comment [
            Using a [10.3 image|https://quay.io/repository/mariadb-foundation/mariadb-devel?tab=tags] from ~18hrs ago
             
            {noformat:title=testing with container}
            # vi /tmp/m/t.sql
            # # include sql
            # podman run --env MARIADB_DATABASE=test --env MARIADB_USER=test --env MARIADB_PASSWORD=test -e MARIADB_ALLOW_EMPTY_ROOT_PASSWORD=1 -v /tmp/m:/docker-entrypoint-initdb.d/:z --rm quay.io/mariadb-foundation/mariadb-devel:10.3
            {noformat}

            {noformat:title=10.3-c9b5a05341d7342db5f369493ea200b5fb9db243}
            2022-05-19 06:55:18+00:00 [Note] [Entrypoint]: Entrypoint script for MariaDB Server 1:10.3.35+maria~focal started.
            2022-05-19 06:55:18+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
            2022-05-19 06:55:18+00:00 [Note] [Entrypoint]: Entrypoint script for MariaDB Server 1:10.3.35+maria~focal started.
            2022-05-19 06:55:18+00:00 [Note] [Entrypoint]: Initializing database files


            PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
            To do so, start the server, then issue the following command:

            '/usr/bin/mysql_secure_installation'

            which will also give you the option of removing the test
            databases and anonymous user created by default. This is
            strongly recommended for production servers.

            See the MariaDB Knowledgebase at http://mariadb.com/kb

            Please report any problems at http://mariadb.org/jira

            The latest information about MariaDB is available at http://mariadb.org/.

            Consider joining MariaDB's strong and vibrant community:
            https://mariadb.org/get-involved/

            2022-05-19 06:55:21+00:00 [Note] [Entrypoint]: Database files initialized
            2022-05-19 06:55:21+00:00 [Note] [Entrypoint]: Starting temporary server
            2022-05-19 06:55:21+00:00 [Note] [Entrypoint]: Waiting for server startup
            2022-05-19 6:55:21 0 [Note] mysqld (mysqld 10.3.35-MariaDB-1:10.3.35+maria~focal) starting as process 112 ...
            2022-05-19 6:55:21 0 [Note] InnoDB: Using Linux native AIO
            2022-05-19 6:55:21 0 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
            2022-05-19 6:55:21 0 [Note] InnoDB: Uses event mutexes
            2022-05-19 6:55:21 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
            2022-05-19 6:55:21 0 [Note] InnoDB: Number of pools: 1
            2022-05-19 6:55:21 0 [Note] InnoDB: Using SSE2 crc32 instructions
            2022-05-19 6:55:21 0 [Note] InnoDB: Initializing buffer pool, total size = 256M, instances = 1, chunk size = 128M
            2022-05-19 6:55:21 0 [Note] InnoDB: Completed initialization of buffer pool
            2022-05-19 6:55:21 0 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
            2022-05-19 6:55:21 0 [Note] InnoDB: 128 out of 128 rollback segments are active.
            2022-05-19 6:55:21 0 [Note] InnoDB: Creating shared tablespace for temporary tables
            2022-05-19 6:55:21 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
            2022-05-19 6:55:21 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
            2022-05-19 6:55:21 0 [Note] InnoDB: 10.3.35 started; log sequence number 1625443; transaction id 20
            2022-05-19 6:55:21 0 [Note] Plugin 'FEEDBACK' is disabled.
            2022-05-19 6:55:21 0 [Warning] 'user' entry 'root@def0c412bfec' ignored in --skip-name-resolve mode.
            2022-05-19 6:55:21 0 [Warning] 'proxies_priv' entry '@% root@def0c412bfec' ignored in --skip-name-resolve mode.
            2022-05-19 6:55:21 0 [Note] Reading of all Master_info entries succeeded
            2022-05-19 6:55:21 0 [Note] Added new Master_info '' to hash table
            2022-05-19 6:55:21 0 [Note] mysqld: ready for connections.
            Version: '10.3.35-MariaDB-1:10.3.35+maria~focal' socket: '/var/run/mysqld/mysqld.sock' port: 0 mariadb.org binary distribution
            2022-05-19 06:55:22+00:00 [Note] [Entrypoint]: Temporary server started.
            Warning: Unable to load '/usr/share/zoneinfo/leap-seconds.list' as time zone. Skipping it.
            Warning: Unable to load '/usr/share/zoneinfo/leapseconds' as time zone. Skipping it.
            Warning: Unable to load '/usr/share/zoneinfo/tzdata.zi' as time zone. Skipping it.
            2022-05-19 06:55:22+00:00 [Note] [Entrypoint]: Securing system users (equivalent to running mysql_secure_installation)
            2022-05-19 06:55:22+00:00 [Note] [Entrypoint]: Creating database test
            2022-05-19 06:55:22+00:00 [Note] [Entrypoint]: Creating user test
            2022-05-19 06:55:22+00:00 [Note] [Entrypoint]: Giving user test access to schema test

            2022-05-19 06:55:22+00:00 [Note] [Entrypoint]: /usr/local/bin/docker-entrypoint.sh: running /docker-entrypoint-initdb.d/m.sql
            ERROR 4078 (HY000) at line 7: Illegal parameter data types row and int for operation '='
            2022-05-19 6:55:22 14 [ERROR] Transaction not registered for MariaDB 2PC, but transaction is active
            2022-05-19 6:55:22 14 [Warning] MariaDB is closing a connection that has an active InnoDB transaction. 0 row modifications will roll back.

            $ podman run --rm quay.io/mariadb-foundation/mariadb-devel:10.3 cat /manifest.txt
            org.opencontainers.image.authors=MariaDB Foundation

            org.opencontainers.image.documentation=https://hub.docker.com/_/mariadb

            org.opencontainers.image.source=https://github.com/MariaDB/mariadb-docker/tree/8e5ec939a7d6bf203805987b055f1ac0b90fabfc/10.3

            org.opencontainers.image.licenses=GPL-2.0

            org.opencontainers.image.title=MariaDB Server 10.3 CI build

            org.opencontainers.image.description=This is not a Release.
            Build of the MariaDB Server from CI as of commit c9b5a05341d7342db5f369493ea200b5fb9db243

            org.opencontainers.image.version=10.3.35+c9b5a05341d7342db5f369493ea200b5fb9db243

            org.opencontainers.image.revision=c9b5a05341d7342db5f369493ea200b5fb9db243

            {noformat} ]
            serg Sergei Golubchik made changes -
            Security Developers [ 10400 ]
            serg Sergei Golubchik made changes -
            Assignee Sergei Golubchik [ serg ]
            serg Sergei Golubchik made changes -
            Assignee Sergei Golubchik [ serg ]
            danblack Daniel Black made changes -
            Fix Version/s 10.3 [ 22126 ]
            danblack Daniel Black made changes -
            Status Open [ 1 ] Confirmed [ 10101 ]
            danblack Daniel Black made changes -
            Summary Server crash in sql/handler.cc:2853: int handler::ha_rnd_next(uchar*) debug assert failed (table_share->tmp_table!=NO_TMP_TABLE) in sql/handler.cc:2853: int handler::ha_rnd_next(uchar*)
            alice Alice Sherepa made changes -
            Affects Version/s 10.2 [ 14601 ]
            Affects Version/s 10.3 [ 22126 ]
            Affects Version/s 10.4 [ 22408 ]
            Affects Version/s 10.5 [ 23123 ]
            Affects Version/s 10.6 [ 24028 ]
            Affects Version/s 10.7 [ 24805 ]
            Affects Version/s 10.8 [ 26121 ]
            alice Alice Sherepa made changes -
            Fix Version/s 10.4 [ 22408 ]
            Fix Version/s 10.5 [ 23123 ]
            Fix Version/s 10.6 [ 24028 ]
            Fix Version/s 10.7 [ 24805 ]
            alice Alice Sherepa made changes -
            Component/s Optimizer - CTE [ 13513 ]
            alice Alice Sherepa made changes -
            Assignee Igor Babaev [ igor ]
            alice Alice Sherepa made changes -
            Labels fuzzer
            julien.fritsch Julien Fritsch made changes -
            Fix Version/s 10.7 [ 24805 ]
            julien.fritsch Julien Fritsch made changes -
            Fix Version/s 10.3 [ 22126 ]
            alice Alice Sherepa made changes -
            Fix Version/s 10.9 [ 26905 ]
            Fix Version/s 10.10 [ 27530 ]
            Fix Version/s 10.11 [ 27614 ]
            Fix Version/s 11.0 [ 28320 ]
            Fix Version/s 11.1 [ 28549 ]
            Fix Version/s 11.2 [ 28603 ]
            alice Alice Sherepa made changes -
            igor Igor Babaev (Inactive) made changes -
            Status Confirmed [ 10101 ] In Progress [ 3 ]
            igor Igor Babaev (Inactive) made changes -
            Summary debug assert failed (table_share->tmp_table!=NO_TMP_TABLE) in sql/handler.cc:2853: int handler::ha_rnd_next(uchar*) Crash caused by multi-table UPDATE over derived with hanging CTE
            igor Igor Babaev (Inactive) made changes -
            Status In Progress [ 3 ] Stalled [ 10000 ]
            igor Igor Babaev (Inactive) made changes -
            Status Stalled [ 10000 ] In Progress [ 3 ]
            igor Igor Babaev (Inactive) made changes -
            Assignee Igor Babaev [ igor ] Oleksandr Byelkin [ sanja ]
            Status In Progress [ 3 ] In Review [ 10002 ]
            julien.fritsch Julien Fritsch made changes -
            Labels fuzzer crash fuzzer
            sanja Oleksandr Byelkin made changes -
            Assignee Oleksandr Byelkin [ sanja ] Igor Babaev [ igor ]
            Status In Review [ 10002 ] Stalled [ 10000 ]
            igor Igor Babaev (Inactive) made changes -
            Fix Version/s 10.4.32 [ 29300 ]
            Fix Version/s 10.5.23 [ 29012 ]
            Fix Version/s 10.6.16 [ 29014 ]
            Fix Version/s 10.10.7 [ 29018 ]
            Fix Version/s 10.11.6 [ 29020 ]
            Fix Version/s 11.0.4 [ 29021 ]
            Fix Version/s 11.1.3 [ 29023 ]
            Fix Version/s 11.2.2 [ 29035 ]
            Fix Version/s 10.4 [ 22408 ]
            Fix Version/s 10.5 [ 23123 ]
            Fix Version/s 10.6 [ 24028 ]
            Fix Version/s 10.9 [ 26905 ]
            Fix Version/s 10.10 [ 27530 ]
            Fix Version/s 10.11 [ 27614 ]
            Fix Version/s 11.0 [ 28320 ]
            Fix Version/s 11.1 [ 28549 ]
            Fix Version/s 11.2 [ 28603 ]
            Resolution Fixed [ 1 ]
            Status Stalled [ 10000 ] Closed [ 6 ]
            dbart Daniel Bartholomew made changes -
            Fix Version/s 10.4.33 [ 29516 ]
            Fix Version/s 10.5.24 [ 29517 ]
            Fix Version/s 10.6.17 [ 29518 ]
            Fix Version/s 10.11.7 [ 29519 ]
            Fix Version/s 11.0.5 [ 29520 ]
            Fix Version/s 11.1.4 [ 29024 ]
            Fix Version/s 11.2.3 [ 29521 ]
            Fix Version/s 10.5.23 [ 29012 ]
            Fix Version/s 10.6.16 [ 29014 ]
            Fix Version/s 10.10.7 [ 29018 ]
            Fix Version/s 10.11.6 [ 29020 ]
            Fix Version/s 11.0.4 [ 29021 ]
            Fix Version/s 11.1.3 [ 29023 ]
            Fix Version/s 11.2.2 [ 29035 ]
            Fix Version/s 10.4.32 [ 29300 ]
            serg Sergei Golubchik made changes -
            Security Developers [ 10400 ]

            People

              igor Igor Babaev (Inactive)
              nobody Shihao Wen
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.