[MDEV-28621] group by optimization incorrectly removing subquery where subject buried in a function - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.3.35, 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.4
Fix Version/s: 11.4.1, 10.5.25, 10.6.18, 10.11.8, 11.0.6, 11.1.5, 11.2.4
Component/s: Optimizer
Labels:
- fuzzer
Environment:
ubuntu 18.04

Description

poc:

CREATE TABLE v1169 ( v1170 FLOAT NOT NULL ) ;

 INSERT INTO v1169 ( v1170 ) VALUES ( 40 ) ;

 UPDATE v1169 SET v1170 = -2147483648 WHERE v1170 = 5 ;

 INSERT INTO v1169 ( v1170 ) VALUES ( -128 ) , ( 52 ) ;

 WITH v1172 AS ( SELECT v1170 FROM ( SELECT v1170 FROM v1169 GROUP BY v1170 ) AS v1171 ) SELECT v1170 FROM v1172 WHERE v1170 BETWEEN FALSE AND ( ( ( v1170 OR NOT v1170 ) BETWEEN ( ( ( NOT ( ( 90778113.000000 ^ 90656932.000000 AND ( v1170 NOT IN ( NOT ( NOT ( 'x' = TRUE AND v1170 = 61 ) ) ) AND v1170 IN ( ( SELECT v1170 FROM v1169 WHERE ( FALSE <= -128 BETWEEN 10 AND 34 , v1170 ) IN ( WITH v1176 AS ( SELECT v1174 FROM ( SELECT ( SELECT v1170 FROM ( SELECT ( v1170 NOT IN ( 11097710.000000 , 12206111.000000 NOT BETWEEN 'x' AND 'x' ) AND v1170 NOT IN ( 2147483647 % v1170 ) ) , CASE WHEN v1170 % 30004927.000000 THEN 'x' ELSE v1170 END / 46 FROM v1169 UNION SELECT v1170 , v1170 FROM v1169 ) AS v1173 ) * 0 AS v1174 FROM v1169 ) AS v1175 ) SELECT ( v1174 NOT IN ( ( NOT ( 'x' / v1174 = v1174 + CASE v1174 WHEN 0 THEN v1174 ELSE ( WITH RECURSIVE v1177 ( v1178 ) AS ( SELECT v1170 FROM v1169 ) SELECT 81155100.000000 AS v1179 FROM v1177 ORDER BY v1178 DESC LIMIT 1 OFFSET 1 ) - 0 END AND v1174 = 'x' ) ) IS NULL ) AND v1174 NOT IN ( 33 ^ v1174 ) ) , v1174 + v1174 FROM v1176 GROUP BY v1174 ) ) * 2147483647 ) ) = -32768 ) * NULL ) ) ) ) AND 719937.000000 ) ) ;

output:
mysqld: /sql/item_subselect.cc:766: virtual bool Item_subselect::exec(): Assertion `!eliminated' failed.

The full error log is in the attachment.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

336_stack
14 kB
2022-05-19 03:03
mdev28621-remaining-case.test
0.7 kB
2024-04-03 09:08

Issue Links

duplicates

MDEV-28502 SIGSEGV in Item_subselect::is_expensive (+ other SIGSEGV's in MS 8.0) and 2x UBSAN: runtime error: member call on null pointer of type 'struct st_select_lex' in Item_subselect::is_expensive and in st_select_lex::next_select

Closed

MDEV-28614 Server crash in item_subselect.cc:6898 in Item_subselect::init_expr_cache_tracker(THD*)

Stalled

MDEV-29411 SIGSEGV's st_select_lex_unit::set_limit and st_select_lex::get_offset, and Assertion `!eliminated' failed in Item_subselect::exec on SELECT, UBSAN: member access within null pointer of type 'struct st_select_lex' in st_select_lex_unit::set_limit

Confirmed

MDEV-34086 MariaDB Server crashes at _ZN10Item_equal7val_intEv

Closed

includes

MDEV-30842 Item_subselect::get_cache_parameters and UBSAN member access within null pointer of type 'struct st_select_lex' in Item_subselect::get_cache_parameters on INSERT

Stalled

is duplicated by

MDEV-32309 Server crashes at Item_subselect::is_expensive

Closed

MDEV-32311 Server crashes at st_select_lex_unit::save_union_explain

Closed

MDEV-32390 Segmentation fault at /mariadb-11.3.0/sql/sql_lex.cc:4227

Closed

MDEV-32391 Segmentation fault at /mariadb-11.3.0/sql/sql_lex.h:1399

Closed

MDEV-32425 Segmentation fault at /mariadb-11.3.0/sql/sql_lex.cc:5998

Closed

MDEV-33126 virtual bool Item_subselect::exec(): Assertion `!eliminated' failed

Closed

is part of

MDEV-28622 Item_subselect eliminated flag set but Item still evaluated/used.

Closed

relates to

MDEV-24898 Server crashes in st_select_lex::next_select / Item_subselect::is_expensive

Closed

MDEV-28437 Assertion `!eliminated' failed in Item_subselect::exec

Closed

MDEV-34202 Followup to MDEV-28621: Perform GROUP BY removal safely

Confirmed

MDEV-28620 Server crash in /sql/item_subselect.cc:812 in Item_subselect::get_cache_parameters(List<Item>&)

Closed

MDEV-34013 Ignoring items instead of removing them.

Open

(6 is duplicated by, 1 is part of, 5 relates to)

Activity

People

Assignee:: Sergei Petrunia

Reporter:: Shihao Wen

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 2022-05-19 03:03

Updated:: 2024-05-20 14:32

Resolved:: 2024-05-20 14:31

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.