  1. MariaDB Server
  2. MDEV-28917

SIGSEGV in resolve_ref_in_select_and_group and Assertion `n < m_size' failed in Bounds_checked_array on INSERT


Details

    Description

      Although several other bugs look possibly remotely related, this appears to be a new regression in 10.6.

      -- MDEV-28917 reproducer. Table t has a single INT column that is also named t.
      CREATE TABLE t(t INT);
      -- On the affected builds listed on this page, this INSERT ... SELECT terminates mysqld
      -- during JOIN::prepare, before any row is read. The backtraces show a GROUP BY item being
      -- resolved as an outer reference (setup_group -> find_order_in_list ->
      -- Item_field::fix_outer_field), after which resolve_ref_in_select_and_group indexes a
      -- Bounds_checked_array<Item*> out of range.
      -- NOTE(review): the report does not say which of the reused names (t, v) or WINDOW
      -- clauses is essential to the crash; treat the statement as an unminimised test case.
      INSERT INTO t SELECT 1 FROM t WINDOW t AS(t),v AS (ORDER BY (SELECT v,v BETWEEN(SELECT t AS t GROUP BY v WINDOW t AS (t)) AND 1));
      

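      Leads to a crash of the server process. Optimized builds terminate with SIGSEGV in resolve_ref_in_select_and_group (reported at sql_array.h:63). Debug builds abort on the `n < m_size' assertion in Bounds_checked_array::operator[]; the debug backtrace shows n=0, so the array being indexed has size 0 at that point. The optimized build presumably performs the same out-of-range access without the assertion compiled in: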

      10.10.0 081a284712bb661349e2e3802077b12211cede3e (Optimized)

      Core was generated by `/test/MD310522-mariadb-10.10.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x000055e3a47552bd in resolve_ref_in_select_and_group (thd=thd@entry=
          0x150fd8000c58, ref=ref@entry=0x150fd8012950, 
          select=select@entry=0x150fd8011cc8) at /test/10.10_opt/sql/sql_array.h:63
      [Current thread is 1 (Thread 0x15100dd01700 (LWP 892556))]
      (gdb) bt
      #0  0x000055e3a47552bd in resolve_ref_in_select_and_group (thd=thd@entry=0x150fd8000c58, ref=ref@entry=0x150fd8012950, select=select@entry=0x150fd8011cc8) at /test/10.10_opt/sql/sql_array.h:63
      #1  0x000055e3a4769001 in Item_field::fix_outer_field (this=0x150fd8012950, thd=0x150fd8000c58, from_field=0x15100dcffb10, reference=0x150fd8012a78) at /test/10.10_opt/sql/item.cc:5803
      #2  0x000055e3a4769e8d in Item_field::fix_fields (this=0x150fd8012950, thd=0x150fd8000c58, reference=0x150fd8012a78) at /test/10.10_opt/sql/item.cc:6105
      #3  0x000055e3a4537054 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x150fd8000c58, this=0x150fd8012950) at /test/10.10_opt/sql/item.h:1142
      #4  Item::fix_fields_if_needed (ref=<optimized out>, thd=0x150fd8000c58, this=0x150fd8012950) at /test/10.10_opt/sql/item.h:1142
      #5  Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x150fd8000c58, this=0x150fd8012950) at /test/10.10_opt/sql/item.h:1148
      #6  Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x150fd8000c58, this=0x150fd8012950) at /test/10.10_opt/sql/item.h:1156
      #7  find_order_in_list (thd=0x150fd8000c58, ref_pointer_array=<optimized out>, tables=0x150fd80114e8, order=0x150fd8012a68, fields=<optimized out>, all_fields=@0x150fd80202a8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x150fd80114a0, last = 0x150fd80114a0, elements = 1}, <No data fields>}, is_group_field=true, add_to_all_fields=true, from_window_spec=false) at /test/10.10_opt/sql/sql_select.cc:25105
      #8  0x000055e3a456047f in setup_group (thd=thd@entry=0x150fd8000c58, ref_pointer_array={m_array = 0x150fd8014498, m_size = 15}, tables=0x150fd80114e8, fields=@0x150fd8011248: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x150fd80114a0, last = 0x150fd80114a0, elements = 1}, <No data fields>}, all_fields=@0x150fd80202a8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x150fd80114a0, last = 0x150fd80114a0, elements = 1}, <No data fields>}, order=0x150fd8012a68, hidden_group_fields=0x150fd8020257, from_window_spec=false) at /test/10.10_opt/sql/sql_select.cc:25229
      #9  0x000055e3a4563e6b in setup_without_group (reserved=<optimized out>, hidden_group_fields=0x150fd8020257, win_funcs=<optimized out>, win_specs=<optimized out>, group=<optimized out>, order=<optimized out>, conds=0x150fd8020390, all_fields=<optimized out>, fields=<optimized out>, leaves=<optimized out>, tables=<optimized out>, ref_pointer_array=<optimized out>, thd=0x150fd8000c58) at /test/10.10_opt/sql/sql_select.cc:886
      #10 JOIN::prepare (this=0x150fd801ff40, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=<optimized out>, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.10_opt/sql/sql_select.cc:1438
      #11 0x000055e3a45760ef in mysql_select (thd=0x150fd8000c58, tables=0x150fd80114e8, fields=@0x150fd8011248: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x150fd80114a0, last = 0x150fd80114a0, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x150fd8012a68, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x150fd80143d8, unit=0x150fd8004cb8, select_lex=0x150fd8010fa8) at /test/10.10_opt/sql/sql_select.cc:5019
      #12 0x000055e3a4576397 in handle_select (thd=thd@entry=0x150fd8000c58, lex=lex@entry=0x150fd8004be0, result=result@entry=0x150fd80143d8, setup_tables_done_option=setup_tables_done_option@entry=1073741824) at /test/10.10_opt/sql/sql_select.cc:578
      #13 0x000055e3a45084dc in mysql_execute_command (thd=0x150fd8000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:4708
      #14 0x000055e3a44f4bb5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x150fd8000c58) at /test/10.10_opt/sql/sql_parse.cc:8036
      #15 mysql_parse (thd=0x150fd8000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:7958
      #16 0x000055e3a45006ca in dispatch_command (command=COM_QUERY, thd=0x150fd8000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.10_opt/sql/sql_class.h:1364
      #17 0x000055e3a45025f2 in do_command (thd=0x150fd8000c58, blocking=blocking@entry=true) at /test/10.10_opt/sql/sql_parse.cc:1407
      #18 0x000055e3a46188af in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55e3a7063dc8, put_in_cache=put_in_cache@entry=true) at /test/10.10_opt/sql/sql_connect.cc:1418
      #19 0x000055e3a4618b8d in handle_one_connection (arg=0x55e3a7063dc8) at /test/10.10_opt/sql/sql_connect.cc:1312
      #20 0x0000151026b31609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #21 0x000015102671d133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.10.0 081a284712bb661349e2e3802077b12211cede3e (Debug)

      mysqld: /test/10.10_dbg/sql/sql_array.h:65: Element_type& Bounds_checked_array<Element_type>::operator[](size_t) [with Element_type = Item*; size_t = long unsigned int]: Assertion `n < m_size' failed.
      

      10.10.0 081a284712bb661349e2e3802077b12211cede3e (Debug)

      Core was generated by `/test/MD310522-mariadb-10.10.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGABRT, Aborted.
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      [Current thread is 1 (Thread 0x14bfa1580700 (LWP 892553))]
      (gdb) bt
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      #1  0x000014bfba10d859 in __GI_abort () at abort.c:79
      #2  0x000014bfba10d729 in __assert_fail_base (fmt=0x14bfba2a3588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x559bb6efe98b "n < m_size", file=0x559bb6eec128 "/test/10.10_dbg/sql/sql_array.h", line=65, function=<optimized out>) at assert.c:92
      #3  0x000014bfba11efd6 in __GI___assert_fail (assertion=assertion@entry=0x559bb6efe98b "n < m_size", file=file@entry=0x559bb6eec128 "/test/10.10_dbg/sql/sql_array.h", line=line@entry=65, function=function@entry=0x559bb6f079b0 "Element_type& Bounds_checked_array<Element_type>::operator[](size_t) [with Element_type = Item*; size_t = long unsigned int]") at assert.c:101
      #4  0x0000559bb6630a54 in Bounds_checked_array<Item*>::operator[] (n=0, this=0x14bf60015578) at /test/10.10_dbg/sql/item.cc:5520
      #5  resolve_ref_in_select_and_group (thd=thd@entry=0x14bf60000db8, ref=ref@entry=0x14bf60015e70, select=select@entry=0x14bf600151e8) at /test/10.10_dbg/sql/item.cc:5521
      #6  0x0000559bb6645331 in Item_field::fix_outer_field (this=this@entry=0x14bf60015e70, thd=thd@entry=0x14bf60000db8, from_field=from_field@entry=0x14bfa157eb20, reference=reference@entry=0x14bf60015f98) at /test/10.10_dbg/sql/item.cc:5803
      #7  0x0000559bb664609c in Item_field::fix_fields (this=0x14bf60015e70, thd=0x14bf60000db8, reference=0x14bf60015f98) at /test/10.10_dbg/sql/item.cc:6105
      #8  0x0000559bb6370b74 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x14bf60000db8, this=0x14bf60015e70) at /test/10.10_dbg/sql/item.h:1156
      #9  Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x14bf60000db8, this=0x14bf60015e70) at /test/10.10_dbg/sql/item.h:1148
      #10 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x14bf60000db8, this=0x14bf60015e70) at /test/10.10_dbg/sql/item.h:1156
      #11 find_order_in_list (thd=thd@entry=0x14bf60000db8, ref_pointer_array=<optimized out>, tables=tables@entry=0x14bf60014a08, order=order@entry=0x14bf60015f88, fields=@0x14bf60014768: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bf600149c0, last = 0x14bf600149c0, elements = 1}, <No data fields>}, all_fields=@0x14bf60024c28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bf600149c0, last = 0x14bf600149c0, elements = 1}, <No data fields>}, is_group_field=true, add_to_all_fields=true, from_window_spec=false) at /test/10.10_dbg/sql/sql_select.cc:25105
      #12 0x0000559bb639ce72 in setup_group (thd=thd@entry=0x14bf60000db8, ref_pointer_array=<optimized out>, tables=tables@entry=0x14bf60014a08, fields=@0x14bf60014768: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bf600149c0, last = 0x14bf600149c0, elements = 1}, <No data fields>}, all_fields=@0x14bf60024c28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bf600149c0, last = 0x14bf600149c0, elements = 1}, <No data fields>}, order=0x14bf60015f88, hidden_group_fields=0x14bf60024bd7, from_window_spec=false) at /test/10.10_dbg/sql/sql_select.cc:25229
      #13 0x0000559bb63a0e0e in setup_without_group (reserved=<optimized out>, hidden_group_fields=0x14bf60024bd7, win_funcs=<optimized out>, win_specs=<optimized out>, group=<optimized out>, order=<optimized out>, conds=0x14bf60024d10, all_fields=@0x14bf60024c28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bf600149c0, last = 0x14bf600149c0, elements = 1}, <No data fields>}, fields=<optimized out>, leaves=<optimized out>, tables=<optimized out>, ref_pointer_array=<optimized out>, thd=0x14bf60000db8) at /test/10.10_dbg/sql/sql_select.cc:870
      #14 JOIN::prepare (this=this@entry=0x14bf600248c0, tables_init=tables_init@entry=0x14bf60014a08, conds_init=conds_init@entry=0x0, og_num=og_num@entry=1, order_init=order_init@entry=0x0, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.10_dbg/sql/sql_select.cc:1438
      #15 0x0000559bb63b7b70 in mysql_select (thd=thd@entry=0x14bf60000db8, tables=0x14bf60014a08, fields=@0x14bf60014768: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bf600149c0, last = 0x14bf600149c0, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x14bf60015f88, having=0x0, proc_param=0x0, select_options=2202244745984, result=0x14bf600178f8, unit=0x14bf60004fd8, select_lex=0x14bf600144c8) at /test/10.10_dbg/sql/sql_select.cc:5019
      #16 0x0000559bb63b7d8e in handle_select (thd=thd@entry=0x14bf60000db8, lex=lex@entry=0x14bf60004f00, result=result@entry=0x14bf600178f8, setup_tables_done_option=setup_tables_done_option@entry=1073741824) at /test/10.10_dbg/sql/sql_select.cc:578
      #17 0x0000559bb6331f9d in mysql_execute_command (thd=thd@entry=0x14bf60000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:4708
      #18 0x0000559bb631de3a in mysql_parse (thd=thd@entry=0x14bf60000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14bfa157f470) at /test/10.10_dbg/sql/sql_parse.cc:8036
      #19 0x0000559bb632b422 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14bf60000db8, packet=packet@entry=0x14bf6000b6d9 "INSERT INTO t SELECT 1 FROM t WINDOW t AS(t),v AS (ORDER BY (SELECT v,v BETWEEN(SELECT t AS t GROUP BY v WINDOW t AS (t)) AND 1))", packet_length=packet_length@entry=129, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1364
      #20 0x0000559bb632db2c in do_command (thd=0x14bf60000db8, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407
      #21 0x0000559bb648d3c0 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x559bb9548b28, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1418
      #22 0x0000559bb648d8c9 in handle_one_connection (arg=0x559bb9548b28) at /test/10.10_dbg/sql/sql_connect.cc:1312
      #23 0x000014bfba61e609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #24 0x000014bfba20a133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.6.9 (dbg), 10.6.9 (opt), 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.3.36 (dbg), 10.3.36 (opt), 10.4.26 (dbg), 10.4.26 (opt), 10.5.17 (dbg), 10.5.17 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

            People

              sanja Oleksandr Byelkin
              Roel Roel Van de Paar