  1. MariaDB Server
  2. MDEV-29052

SIGSEGV's in hp_rec_hashnr and my_hash_sort_simple (from hp_rec_hashnr and my_ci_hash_sort) on SELECT when using window functions

Details

    Description

      This crash looks strongly correlated with MDEV-24066. The SIGSEGV described here seems specific to using partitioning. However, here window functions are also used and no *SAN build is needed to reproduce the SIGSEGV in hp_rec_hashnr. Furthermore, replaying this testcase on debug builds leads to various stacks from MDEV-28515, yet the testcase from MDEV-28515 does not produce the SIGSEGV in hp_rec_hashnr. It seems that an optimizer/window fix for MDEV-28515 would be needed, and a partitioning fix for this SIGSEGV in hp_rec_hashnr.

      CREATE TABLE c(c DOUBLE,v2 TEXT,v3 INT) ENGINE=InnoDB;
      INSERT INTO c(v2)VALUES (1);
      SELECT 1 FROM c WINDOW v9 AS(ORDER BY (SELECT c FROM c GROUP BY c WINDOW c3 AS(PARTITION BY v2 ORDER BY - c)));
      

      Leads to:

      10.10.0 63961a08a6203f4d58363a9321e4cf9c8b07a9fe (Optimized)

      Core was generated by `/test/MD290622-mariadb-10.10.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x000055acdb2892a1 in hp_rec_hashnr (keydef=keydef@entry=0x1551c0053ab8, 
          rec=rec@entry=0x1551c0052c10 "\377")
          at /test/10.10_opt/storage/heap/hp_hash.c:303
      303	      if (rec[seg->null_pos] & seg->null_bit)
      [Current thread is 1 (Thread 0x1551e2efc700 (LWP 2131648))]
      (gdb) bt
      #0  0x000055acdb2892a1 in hp_rec_hashnr (keydef=keydef@entry=0x1551c0053ab8, rec=rec@entry=0x1551c0052c10 "\377") at /test/10.10_opt/storage/heap/hp_hash.c:303
      #1  0x000055acdb28c576 in hp_write_key (info=<optimized out>, keyinfo=0x1551c0053ab8, record=0x1551c0052c10 "\377", recpos=0x1551c005ec68 "") at /test/10.10_opt/storage/heap/hp_write.c:349
      #2  0x000055acdb28c0a4 in heap_write (info=0x1551c0053ed8, record=0x1551c0052c10 "\377") at /test/10.10_opt/storage/heap/hp_write.c:52
      #3  0x000055acdb287440 in ha_heap::write_row (this=0x1551c0052e90, buf=<optimized out>) at /test/10.10_opt/storage/heap/ha_heap.cc:239
      #4  0x000055acdae3fc08 in handler::ha_write_tmp_row (buf=0x1551c0052c10 "\377", this=0x1551c0052e90) at /test/10.10_opt/include/mysql/psi/mysql_thread.h:795
      #5  end_write (join=0x1551c0013b30, join_tab=0x1551c004e140, end_of_records=<optimized out>) at /test/10.10_opt/sql/sql_select.cc:22771
      #6  0x000055acdae16023 in evaluate_join_record (join=join@entry=0x1551c0013b30, join_tab=join_tab@entry=0x1551c004dd90, error=<optimized out>) at /test/10.10_opt/sql/sql_select.cc:21508
      #7  0x000055acdae290fb in sub_select (end_of_records=false, join_tab=0x1551c004dd90, join=0x1551c0013b30) at /test/10.10_opt/sql/sql_select.cc:21278
      #8  sub_select (join=0x1551c0013b30, join_tab=0x1551c004dd90, end_of_records=false) at /test/10.10_opt/sql/sql_select.cc:21207
      #9  0x000055acdae55891 in do_select (procedure=<optimized out>, join=0x1551c0013b30) at /test/10.10_opt/sql/sql_select.cc:20823
      #10 JOIN::exec_inner (this=0x1551c0013b30) at /test/10.10_opt/sql/sql_select.cc:4787
      #11 0x000055acdae55c58 in JOIN::exec (this=this@entry=0x1551c0013b30) at /test/10.10_opt/sql/sql_select.cc:4565
      #12 0x000055acdae53e61 in mysql_select (thd=0x1551c0000c58, tables=0x1551c0010d78, fields=@0x1551c0010ad8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1551c0010d30, last = 0x1551c0010d30, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x1551c0012290, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x1551c0013b08, unit=0x1551c0004cb8, select_lex=0x1551c0010838) at /test/10.10_opt/sql/sql_select.cc:5045
      #13 0x000055acdae545a7 in handle_select (thd=thd@entry=0x1551c0000c58, lex=lex@entry=0x1551c0004be0, result=result@entry=0x1551c0013b08, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.10_opt/sql/sql_select.cc:579
      #14 0x000055acdadd7591 in execute_sqlcom_select (thd=0x1551c0000c58, all_tables=0x1551c0010d78) at /test/10.10_opt/sql/sql_parse.cc:6260
      #15 0x000055acdade50fd in mysql_execute_command (thd=0x1551c0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:3944
      #16 0x000055acdadd2795 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1551c0000c58) at /test/10.10_opt/sql/sql_parse.cc:8036
      #17 mysql_parse (thd=0x1551c0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:7958
      #18 0x000055acdadde2aa in dispatch_command (command=COM_QUERY, thd=0x1551c0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.10_opt/sql/sql_class.h:1364
      #19 0x000055acdade01d2 in do_command (thd=0x1551c0000c58, blocking=blocking@entry=true) at /test/10.10_opt/sql/sql_parse.cc:1407
      #20 0x000055acdaef6ddf in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55acdda57c58, put_in_cache=put_in_cache@entry=true) at /test/10.10_opt/sql/sql_connect.cc:1418
      #21 0x000055acdaef70bd in handle_one_connection (arg=0x55acdda57c58) at /test/10.10_opt/sql/sql_connect.cc:1312
      #22 0x000015520f79b609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #23 0x000015520f387133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.3.36 (dbg), 10.3.36 (opt), 10.4.26 (dbg), 10.4.26 (opt), 10.5.17 (dbg), 10.5.17 (opt), 10.6.9 (dbg), 10.6.9 (opt), 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt)
      (Debug builds crash with the stacks in MDEV-28515)

      Bug (or feature/syntax) confirmed not present in:
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

          Activity

            nayuta-yanagisawa Nayuta Yanagisawa (Inactive) added a comment -

            I've debugged the problem on 10.3 HEAD (66c06735a2aeff32d69e5d2a4378563ad474691f).

            The cause of the crash seems to be that seg->null_pos has an invalid (possibly not initialized) value in hp_rec_hashnr().

            Thread 3 hit Breakpoint 1, hp_rec_hashnr (keydef=keydef@entry=0x7fea8416ada8, rec=rec@entry=0x7fea8416a0e0 "\377") at /home/nayuta_mariadb/repo/mariadb-server/bb-10.3-MDEV-29052/storage/heap/hp_hash.c:293
            293           if (rec[seg->null_pos] & seg->null_bit)

            Roel Roel Van de Paar added a comment - - edited

            Two additional stacks with this testcase:

            CREATE TABLE t (c CHAR(8) NOT NULL) ENGINE=InnoDB;
            INSERT INTO t VALUES(1);
            SELECT * FROM (SELECT * FROM t) AS a JOIN t WINDOW b AS (PARTITION BY t.c AND 1 BETWEEN (SELECT * FROM t GROUP BY t.c WINDOW d AS (PARTITION BY t.c)) AND 1);
            

            Leads to:

            10.11.0 6ebdd3013a18b01dbecec76b870810329eb76586 (Optimized)

            Core was generated by `/test/MD190922-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0  my_hash_sort_simple (cs=0x55f3c8be6d60 <my_charset_latin1>, 
                key=0x14ff940541d1 <error: Cannot access memory at address 0x14ff940541d1>, len=<optimized out>, nr1=0x14ff2009e170, nr2=0x14ff2009e178)
                at /test/10.11_opt/strings/ctype-simple.c:391
            [Current thread is 1 (Thread 0x14ff200a0700 (LWP 1742694))]
            (gdb) bt
            #0  my_hash_sort_simple (cs=0x55f3c8be6d60 <my_charset_latin1>, key=0x14ff940541d1 <error: Cannot access memory at address 0x14ff940541d1>, len=<optimized out>, nr1=0x14ff2009e170, nr2=0x14ff2009e178) at /test/10.11_opt/strings/ctype-simple.c:391
            #1  0x000055f3c7fc5200 in my_ci_hash_sort (nr2=0x14ff2009e178, nr1=0x14ff2009e170, len=<optimized out>, key=0x14ff940541d1 <error: Cannot access memory at address 0x14ff940541d1>, ci=0x55f3c8be6d60 <my_charset_latin1>) at /test/10.11_opt/include/m_ctype.h:1317
            #2  hp_rec_hashnr (keydef=keydef@entry=0x14fe9405ad78, rec=rec@entry=0x14fe9405a150 "\375\001") at /test/10.11_opt/storage/heap/hp_hash.c:319
            #3  0x000055f3c7fc8466 in hp_write_key (info=<optimized out>, keyinfo=0x14fe9405ad78, record=0x14fe9405a150 "\375\001", recpos=0x14fe9405bea8 "\200\276\005\224\376\024") at /test/10.11_opt/storage/heap/hp_write.c:349
            #4  0x000055f3c7fc7f94 in heap_write (info=0x14fe9405b198, record=0x14fe9405a150 "\375\001") at /test/10.11_opt/storage/heap/hp_write.c:52
            #5  0x000055f3c7fc3330 in ha_heap::write_row (this=0x14fe94059c00, buf=<optimized out>) at /test/10.11_opt/storage/heap/ha_heap.cc:239
            #6  0x000055f3c7b76ba8 in handler::ha_write_tmp_row (buf=0x14fe9405a150 "\375\001", this=0x14fe94059c00) at /test/10.11_opt/include/mysql/psi/mysql_thread.h:795
            #7  end_write (join=0x14fe94047518, join_tab=0x14fe940551d0, end_of_records=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:23258
            #8  0x000055f3c7c5cfb9 in JOIN_CACHE::generate_full_extensions (rec_ptr=0x14fe9405a558 "\001", this=0x14fe94053240) at /test/10.11_opt/sql/sql_join_cache.cc:2478
            #9  JOIN_CACHE::generate_full_extensions (this=0x14fe94053240, rec_ptr=0x14fe9405a558 "\001") at /test/10.11_opt/sql/sql_join_cache.cc:2461
            #10 0x000055f3c7c5d3be in JOIN_CACHE::join_matching_records (this=0x14fe94053240, skip_last=false) at /test/10.11_opt/sql/sql_join_cache.cc:2370
            #11 0x000055f3c7c5cc01 in JOIN_CACHE::join_records (this=this@entry=0x14fe94053240, skip_last=skip_last@entry=false) at /test/10.11_opt/sql/sql_join_cache.cc:2151
            #12 0x000055f3c7b5dfaa in sub_select_cache (join=0x14fe94047518, join_tab=0x14fe94054e18, end_of_records=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:21538
            #13 0x000055f3c7b8c59f in do_select (procedure=<optimized out>, join=0x14fe94047518) at /test/10.11_opt/sql/sql_select.cc:21311
            #14 JOIN::exec_inner (this=0x14fe94047518) at /test/10.11_opt/sql/sql_select.cc:4813
            #15 0x000055f3c7b8cb08 in JOIN::exec (this=this@entry=0x14fe94047518) at /test/10.11_opt/sql/sql_select.cc:4591
            #16 0x000055f3c7b8ad11 in mysql_select (thd=0x14fe94000c58, tables=0x14fe94012490, fields=@0x14fe94010c68: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14fe94010f58, last = 0x14fe940486c0, elements = 2}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x14fe94014328, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x14fe940474f0, unit=0x14fe94004cd0, select_lex=0x14fe940109c8) at /test/10.11_opt/sql/sql_select.cc:5071
            #17 0x000055f3c7b8b457 in handle_select (thd=thd@entry=0x14fe94000c58, lex=lex@entry=0x14fe94004bf8, result=result@entry=0x14fe940474f0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.11_opt/sql/sql_select.cc:582
            #18 0x000055f3c7b0d051 in execute_sqlcom_select (thd=0x14fe94000c58, all_tables=0x14fe94012490) at /test/10.11_opt/sql/sql_parse.cc:6261
            #19 0x000055f3c7b1ad48 in mysql_execute_command (thd=0x14fe94000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:3945
            #20 0x000055f3c7b08205 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14fe94000c58) at /test/10.11_opt/sql/sql_parse.cc:8037
            #21 mysql_parse (thd=0x14fe94000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7959
            #22 0x000055f3c7b13d6a in dispatch_command (command=COM_QUERY, thd=0x14fe94000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1345
            #23 0x000055f3c7b15cb2 in do_command (thd=0x14fe94000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
            #24 0x000055f3c7c2f17f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55f3caed3528, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1416
            #25 0x000055f3c7c2f45d in handle_one_connection (arg=0x55f3caed3528) at /test/10.11_opt/sql/sql_connect.cc:1318
            #26 0x000014ff39aee609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #27 0x000014ff396da133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            

            10.4.27 3e3cfa893481abe9524a1657c4246fa9f91d4826 (Optimized)

            Core was generated by `/test/MD190922-mariadb-10.4.27-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0  my_hash_sort_simple (cs=0x55f0bbb11360 <my_charset_latin1>, 
                key=0x146548053e79 <error: Cannot access memory at address 0x146548053e79>, len=<optimized out>, nr1=0x146490fe0240, nr2=0x146490fe0248)
                at /test/10.4_opt/strings/ctype-simple.c:392
            [Current thread is 1 (Thread 0x146490fe3700 (LWP 1742948))]
            (gdb) bt
            #0  my_hash_sort_simple (cs=0x55f0bbb11360 <my_charset_latin1>, key=0x146548053e79 <error: Cannot access memory at address 0x146548053e79>, len=<optimized out>, nr1=0x146490fe0240, nr2=0x146490fe0248) at /test/10.4_opt/strings/ctype-simple.c:392
            #1  0x000055f0bafcc950 in hp_rec_hashnr (keydef=keydef@entry=0x14644805b278, rec=rec@entry=0x14644805a670 "\375\001") at /test/10.4_opt/storage/heap/hp_hash.c:309
            #2  0x000055f0bafcfba6 in hp_write_key (info=<optimized out>, keyinfo=0x14644805b278, record=0x14644805a670 "\375\001", recpos=0x14644805c378 "0\b") at /test/10.4_opt/storage/heap/hp_write.c:349
            #3  0x000055f0bafcf6e4 in heap_write (info=0x14644805b678, record=0x14644805a670 "\375\001") at /test/10.4_opt/storage/heap/hp_write.c:52
            #4  0x000055f0bafcaad0 in ha_heap::write_row (this=0x14644805a180, buf=<optimized out>) at /test/10.4_opt/storage/heap/ha_heap.cc:235
            #5  0x000055f0babb0a75 in handler::ha_write_tmp_row (buf=<optimized out>, this=0x14644805a180) at /test/10.4_opt/include/mysql/psi/mysql_thread.h:788
            #6  end_write (join=0x14644804c1f0, join_tab=0x146448055e70, end_of_records=<optimized out>) at /test/10.4_opt/sql/sql_select.cc:22118
            #7  0x000055f0bac7bf99 in JOIN_CACHE::generate_full_extensions (rec_ptr=0x14644805aa48 "\001", this=0x1464480569d0) at /test/10.4_opt/sql/sql_join_cache.cc:2472
            #8  JOIN_CACHE::generate_full_extensions (this=0x1464480569d0, rec_ptr=0x14644805aa48 "\001") at /test/10.4_opt/sql/sql_join_cache.cc:2455
            #9  0x000055f0bac7c326 in JOIN_CACHE::join_matching_records (this=0x1464480569d0, skip_last=false) at /test/10.4_opt/sql/sql_join_cache.cc:2364
            #10 0x000055f0bac7bb60 in JOIN_CACHE::join_records (this=this@entry=0x1464480569d0, skip_last=skip_last@entry=false) at /test/10.4_opt/sql/sql_join_cache.cc:2147
            #11 0x000055f0bab9975a in sub_select_cache (join=0x14644804c1f0, join_tab=0x146448055ac8, end_of_records=<optimized out>) at /test/10.4_opt/sql/sql_select.cc:20462
            #12 0x000055f0babc61c8 in do_select (procedure=<optimized out>, join=0x14644804c1f0) at /test/10.4_opt/sql/sql_select.cc:20222
            #13 JOIN::exec_inner (this=0x14644804c1f0) at /test/10.4_opt/sql/sql_select.cc:4565
            #14 0x000055f0babc66b6 in JOIN::exec (this=this@entry=0x14644804c1f0) at /test/10.4_opt/sql/sql_select.cc:4347
            #15 0x000055f0babc4746 in mysql_select (thd=0x146448000c48, tables=0x146448011ab8, wild_num=1, fields=@0x146448010140: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x146448010590, last = 0x146448015e38, elements = 2}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x146448013fc0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x146448015948, unit=0x146448004820, select_lex=0x14644800fff8) at /test/10.4_opt/sql/sql_select.cc:4786
            #16 0x000055f0babc512a in handle_select (thd=thd@entry=0x146448000c48, lex=lex@entry=0x146448004760, result=result@entry=0x146448015948, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.4_opt/sql/sql_select.cc:436
            #17 0x000055f0bab52641 in execute_sqlcom_select (thd=0x146448000c48, all_tables=0x146448011ab8) at /test/10.4_opt/sql/sql_parse.cc:6450
            #18 0x000055f0bab608d3 in mysql_execute_command (thd=0x146448000c48) at /test/10.4_opt/sql/sql_parse.cc:3964
            #19 0x000055f0bab62de2 in mysql_parse (thd=0x146448000c48, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.4_opt/sql/sql_parse.cc:7996
            #20 0x000055f0bab6579a in dispatch_command (command=COM_QUERY, thd=0x146448000c48, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.4_opt/sql/sql_class.h:1207
            #21 0x000055f0bab672ef in do_command (thd=0x146448000c48) at /test/10.4_opt/sql/sql_parse.cc:1378
            #22 0x000055f0bac52cde in do_handle_one_connection (connect=0x55f0be65ef38) at /test/10.4_opt/sql/sql_connect.cc:1420
            #23 0x000055f0bac52d6d in handle_one_connection (arg=<optimized out>) at /test/10.4_opt/sql/sql_connect.cc:1324
            #24 0x00001464abf1c609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #25 0x00001464abb08133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            

            Bug confirmed present in:
            MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.3 (dbg), 10.9.3 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

            It also produces two assertions on other versions. All UniqueID's seen for this testcase:

            SIGSEGV|my_hash_sort_simple|hp_rec_hashnr|hp_write_key|heap_write
            SIGSEGV|my_hash_sort_simple|my_ci_hash_sort|hp_rec_hashnr|hp_write_key
            field->table == table|SIGABRT|Create_tmp_table::finalize|create_tmp_table|JOIN::create_postjoin_aggr_table|JOIN::make_aggr_tables_info
            field->table == table|SIGABRT|create_tmp_table|JOIN::create_postjoin_aggr_table|JOIN::make_aggr_tables_info|JOIN::optimize_stage2
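
The failure mode in the two comments above (a garbage seg->null_pos in hp_rec_hashnr, and an unreadable key pointer in my_hash_sort_simple), as an added example that is not MariaDB code and not part of the original issue: a record-hashing routine that checks every key segment against the record length before it reads a byte. The struct, enum and function names are hypothetical, the record and offsets are constructed, and FNV-1a stands in for the real hash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified key-segment descriptor (not MariaDB's own struct). */
typedef struct {
    uint32_t start;     /* byte offset of the key part inside the record */
    uint32_t length;    /* byte length of the key part */
    uint32_t null_pos;  /* byte offset of the NULL-flag byte */
    uint8_t  null_bit;  /* mask inside that byte; 0 means the column is NOT NULL */
} keyseg_t;

typedef enum { SEG_OK = 0, SEG_BAD_NULL_POS, SEG_BAD_RANGE } seg_status;

/* Check one segment against the record length before any byte is read. */
static seg_status keyseg_check(const keyseg_t *seg, size_t reclength)
{
    if (seg->null_bit && seg->null_pos >= reclength)
        return SEG_BAD_NULL_POS;
    /* Written so that start + length cannot wrap around. */
    if (seg->start > reclength || seg->length > reclength - seg->start)
        return SEG_BAD_RANGE;
    return SEG_OK;
}

/* Hash every key segment of a record. Returns 0 and stores the hash in *out,
   or -1 without reading the record when any segment points outside it. */
static int rec_hash_checked(const keyseg_t *segs, size_t nsegs,
                            const uint8_t *rec, size_t reclength,
                            uint32_t *out)
{
    uint32_t h = 2166136261u;            /* FNV-1a offset basis */
    size_t i, j;

    /* Validate all segments first, so a bad one never causes a partial read. */
    for (i = 0; i < nsegs; i++)
        if (keyseg_check(&segs[i], reclength) != SEG_OK)
            return -1;

    for (i = 0; i < nsegs; i++) {
        const keyseg_t *seg = &segs[i];
        /* Same shape as the crashing line: rec[seg->null_pos] & seg->null_bit */
        if (seg->null_bit && (rec[seg->null_pos] & seg->null_bit)) {
            h = (h ^ 0xffu) * 16777619u; /* NULL key part: fixed contribution */
            continue;
        }
        for (j = 0; j < seg->length; j++)
            h = (h ^ rec[seg->start + j]) * 16777619u;
    }
    *out = h;
    return 0;
}

int main(void)
{
    /* Constructed 9-byte record: one NULL-flag byte followed by CHAR(8) data. */
    uint8_t rec[9] = { 0x00, '1', ' ', ' ', ' ', ' ', ' ', ' ', ' ' };
    keyseg_t good      = { 1, 8, 0, 0x01 };
    keyseg_t bad_null  = { 1, 8, 0xdeadbeefu, 0x01 }; /* constructed garbage null_pos */
    keyseg_t bad_start = { 0xfffff000u, 8, 0, 0 };    /* constructed garbage start */
    uint32_t h = 0;

    printf("good:      %d\n", rec_hash_checked(&good, 1, rec, sizeof rec, &h));
    printf("bad_null:  %d\n", rec_hash_checked(&bad_null, 1, rec, sizeof rec, &h));
    printf("bad_start: %d\n", rec_hash_checked(&bad_start, 1, rec, sizeof rec, &h));
    return 0;
}
```

A check like this turns the out-of-bounds read into a reportable error at the consumer; it does not replace fixing the code that built the key definition with uninitialized fields.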
            

            Johnston Rex Johnston added a comment -

            Igor's patch currently in MDEV-30052/comments fixes this issue.


            People

              psergei Sergei Petrunia
              Roel Roel Van de Paar