  1. MariaDB Server
  2. MDEV-29070

SIGSEGV in my_decimal::operator= and Assertion `0' failed in Item_type_holder::val_decimal on SELECT


Details

    Description

      -- Test case from the report (MDEV-29070): a one-column InnoDB table with a
      -- UNIQUE INT column, holding a single row.
      CREATE TABLE c(c INT UNIQUE) ENGINE=InnoDB;
      INSERT INTO c(c)VALUES (1);
      -- The WHERE clause tests a two-column row subquery (an INTERSECT of two
      -- SELECTs) with IN against a second two-column subquery. The second
      -- INTERSECT branch selects `+ 1 / + 1`; the reported backtraces pass through
      -- Item_cache_decimal::cache_value, so that column is presumably evaluated as
      -- DECIMAL (inferred from the trace, not stated in the report).
      -- Per the report this statement terminates mysqld: SIGSEGV on optimized
      -- builds, assertion failure in Item_type_holder::val_decimal on debug builds.
      -- It reaches the server as an ordinary COM_QUERY (dispatch_command frame), so
      -- the impact is loss of availability for all clients of the instance.
      UPDATE c SET c=0 WHERE(SELECT c,c WHERE c<0 INTERSECT SELECT + 1 / + 1,c FROM c WHERE c>-0  + 1)IN (SELECT c,c);
      

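      Leads to a server crash (SIGSEGV on the optimized build, where frame #1 shows my_decimal2decimal called with from=0x0, i.e. a NULL source pointer; an assertion abort on the debug build):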

      10.9.2 6ec17142dcfb1e9d9f41211ed1b6d82e062d1541 (Optimized)

      Core was generated by `/test/MD310522-mariadb-10.9.2-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  my_decimal::operator= (rhs=..., this=0x155110048a38)
          at /test/10.9_opt/sql/my_decimal.h:353
      [Current thread is 1 (Thread 0x15513c0c3700 (LWP 2572129))]
      (gdb) bt
      #0  my_decimal::operator= (rhs=<error reading variable>, this=0x155110048a38) at /test/10.9_opt/sql/my_decimal.h:353
      #1  my_decimal2decimal (to=0x155110048a38, from=0x0) at /test/10.9_opt/sql/my_decimal.h:353
      #2  Item_cache_decimal::cache_value (this=0x1551100489a0) at /test/10.9_opt/sql/item.cc:10404
      #3  Item_cache::has_value (this=0x1551100489a0) at /test/10.9_opt/sql/item.h:7080
      #4  Item_cache_decimal::val_decimal (this=0x1551100489a0, val=<optimized out>) at /test/10.9_opt/sql/item.cc:10426
      #5  0x000056051692281f in VDec::VDec (this=0x15513c0c1750, item=<optimized out>) at /test/10.9_opt/sql/sql_type.cc:301
      #6  0x00005605169f1dd3 in Item::save_decimal_in_field (this=<optimized out>, field=0x155110057158, no_conversions=<optimized out>) at /test/10.9_opt/sql/item.cc:6816
      #7  0x00005605169e1c57 in Item::save_in_field (this=0x1551100489a0, field=0x155110057158, no_conversions=<optimized out>) at /test/10.9_opt/sql/item.cc:6836
      #8  0x0000560516802f16 in store_key_item::copy_inner (this=0x155110057120) at /test/10.9_opt/sql/sql_select.h:1969
      #9  0x00005605167e9ac4 in store_key::copy (thd=0x155110000c58, this=<optimized out>) at /test/10.9_opt/sql/sql_select.h:1863
      #10 cp_buffer_from_ref (thd=thd@entry=0x155110000c58, table=table@entry=0x155110058460, ref=ref@entry=0x155110056760) at /test/10.9_opt/sql/sql_select.cc:24921
      #11 0x00005605167ea482 in cmp_buffer_with_ref (tab_ref=0x155110056760, table=0x155110058460, thd=0x155110000c58) at /test/10.9_opt/sql/sql_select.cc:24903
      #12 join_read_key2 (thd=0x155110000c58, tab=0x0, table=0x155110058460, table_ref=0x155110056760) at /test/10.9_opt/sql/sql_select.cc:21855
      #13 0x00005605168eca76 in Expression_cache_tmptable::check_value (this=0x1551100566a0, value=0x15513c0c18c8) at /test/10.9_opt/sql/sql_expression_cache.cc:223
      #14 0x00005605169f617c in Item_cache_wrapper::check_cache (this=this@entry=0x155110056560) at /test/10.9_opt/sql/item.cc:8850
      #15 0x00005605169f62fe in Item_cache_wrapper::val_int (this=0x155110056560) at /test/10.9_opt/sql/item.cc:8913
      #16 0x00005605167c2dc1 in evaluate_join_record (join=join@entry=0x1551100468c0, join_tab=join_tab@entry=0x15511004f910, error=<optimized out>) at /test/10.9_opt/sql/sql_select.cc:21289
      #17 0x00005605167d5cdb in sub_select (end_of_records=false, join_tab=0x15511004f910, join=0x1551100468c0) at /test/10.9_opt/sql/sql_select.cc:21191
      #18 sub_select (join=0x1551100468c0, join_tab=0x15511004f910, end_of_records=false) at /test/10.9_opt/sql/sql_select.cc:21120
      #19 0x00005605168024a1 in do_select (procedure=<optimized out>, join=0x1551100468c0) at /test/10.9_opt/sql/sql_select.cc:20736
      #20 JOIN::exec_inner (this=0x1551100468c0) at /test/10.9_opt/sql/sql_select.cc:4786
      #21 0x0000560516802868 in JOIN::exec (this=this@entry=0x1551100468c0) at /test/10.9_opt/sql/sql_select.cc:4564
      #22 0x0000560516800a71 in mysql_select (thd=thd@entry=0x155110000c58, tables=tables@entry=0x155110010880, fields=@0x15513c0c1e80: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56051780e5d0 <end_of_list>, last = 0x15513c0c1e80, elements = 0}, <No data fields>}, conds=conds@entry=0x1551100144c0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x1551100467b0, unit=0x155110004cb8, select_lex=0x1551100054b8) at /test/10.9_opt/sql/sql_select.cc:5044
      #23 0x0000560516861265 in mysql_multi_update (thd=thd@entry=0x155110000c58, table_list=0x155110010880, fields=fields@entry=0x155110005758, values=values@entry=0x155110005b88, conds=0x1551100144c0, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x155110004cb8, select_lex=0x1551100054b8, result=0x15513c0c2070) at /test/10.9_opt/sql/sql_update.cc:1976
      #24 0x0000560516790d1b in mysql_execute_command (thd=0x155110000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:4486
      #25 0x000056051677f9e5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x155110000c58) at /test/10.9_opt/sql/sql_parse.cc:8036
      #26 mysql_parse (thd=0x155110000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:7958
      #27 0x000056051678b4fa in dispatch_command (command=COM_QUERY, thd=0x155110000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.9_opt/sql/sql_class.h:1364
      #28 0x000056051678d422 in do_command (thd=0x155110000c58, blocking=blocking@entry=true) at /test/10.9_opt/sql/sql_parse.cc:1407
      #29 0x00005605168a369f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x560519ccbcb8, put_in_cache=put_in_cache@entry=true) at /test/10.9_opt/sql/sql_connect.cc:1418
      #30 0x00005605168a397d in handle_one_connection (arg=0x560519ccbcb8) at /test/10.9_opt/sql/sql_connect.cc:1312
      #31 0x0000155168b79609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #32 0x0000155168765133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.10.0 081a284712bb661349e2e3802077b12211cede3e (Debug)

      mysqld: /test/10.10_dbg/sql/item.cc:10687: virtual my_decimal* Item_type_holder::val_decimal(my_decimal*): Assertion `0' failed.
      

      10.10.0 081a284712bb661349e2e3802077b12211cede3e (Debug)

      Core was generated by `/test/MD310522-mariadb-10.10.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGABRT, Aborted.
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      [Current thread is 1 (Thread 0x14f82c0c4700 (LWP 857303))]
      (gdb) bt
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      #1  0x000014f844a38859 in __GI_abort () at abort.c:79
      #2  0x000014f844a38729 in __assert_fail_base (fmt=0x14f844bce588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5590e6862b3e "0", file=0x5590e6848120 "/test/10.10_dbg/sql/item.cc", line=10687, function=<optimized out>) at assert.c:92
      #3  0x000014f844a49fd6 in __GI___assert_fail (assertion=assertion@entry=0x5590e6862b3e "0", file=file@entry=0x5590e6848120 "/test/10.10_dbg/sql/item.cc", line=line@entry=10687, function=function@entry=0x5590e68487f0 "virtual my_decimal* Item_type_holder::val_decimal(my_decimal*)") at assert.c:101
      #4  0x00005590e5dc359b in Item_type_holder::val_decimal (this=<optimized out>) at /test/10.10_dbg/sql/item.cc:10687
      #5  0x00005590e5997eed in Item::val_decimal_result (this=<optimized out>, val=<optimized out>) at /test/10.10_dbg/sql/item.h:1782
      #6  0x00005590e5dc2939 in Item_cache_decimal::cache_value (this=0x14f7f8070008) at /test/10.10_dbg/sql/item.cc:10401
      #7  0x00005590e5dc29d0 in Item_cache::has_value (this=0x14f7f8070008) at /test/10.10_dbg/sql/item.h:7080
      #8  Item_cache_decimal::val_decimal (this=0x14f7f8070008, val=<optimized out>) at /test/10.10_dbg/sql/item.cc:10426
      #9  0x00005590e5cc8cce in VDec::VDec (this=0x14f82c0c26d0, item=0x14f7f8070008) at /test/10.10_dbg/sql/sql_type.cc:301
      #10 0x00005590e5ddb066 in Item::save_decimal_in_field (this=<optimized out>, field=0x14f7f807e768, no_conversions=<optimized out>) at /test/10.10_dbg/sql/item.cc:6816
      #11 0x00005590e5cba628 in Type_handler_decimal_result::Item_save_in_field (this=<optimized out>, item=<optimized out>, field=<optimized out>, no_conversions=<optimized out>) at /test/10.10_dbg/sql/sql_type.cc:4352
      #12 0x00005590e5dc18d3 in Item::save_in_field (this=0x14f7f8070008, field=0x14f7f807e768, no_conversions=<optimized out>) at /test/10.10_dbg/sql/item.cc:6836
      #13 0x00005590e5997c83 in Item::save_org_in_field (this=<optimized out>, field=<optimized out>, data=<optimized out>) at /test/10.10_dbg/sql/item.h:1220
      #14 0x00005590e5997e50 in Item::save_val (this=<optimized out>, to=<optimized out>) at /test/10.10_dbg/sql/item.h:1705
      #15 0x00005590e5b51cce in store_key_item::copy_inner (this=0x14f7f807e730) at /test/10.10_dbg/sql/sql_select.h:1969
      #16 0x00005590e5b33640 in store_key::copy (thd=0x14f7f8000db8, this=<optimized out>) at /test/10.10_dbg/sql/sql_select.h:1863
      #17 cp_buffer_from_ref (thd=thd@entry=0x14f7f8000db8, table=table@entry=0x14f7f807f830, ref=ref@entry=0x14f7f807dd68) at /test/10.10_dbg/sql/sql_select.cc:24921
      #18 0x00005590e5b3412c in cmp_buffer_with_ref (tab_ref=0x14f7f807dd68, table=0x14f7f807f830, thd=0x14f7f8000db8) at /test/10.10_dbg/sql/sql_select.cc:24903
      #19 join_read_key2 (thd=0x14f7f8000db8, tab=tab@entry=0x0, table=0x14f7f807f830, table_ref=table_ref@entry=0x14f7f807dd68) at /test/10.10_dbg/sql/sql_select.cc:21855
      #20 0x00005590e5c88e2a in Expression_cache_tmptable::check_value (this=0x14f7f807dca8, value=0x14f82c0c2898) at /test/10.10_dbg/sql/sql_expression_cache.cc:223
      #21 0x00005590e5ddfbf4 in Item_cache_wrapper::check_cache (this=this@entry=0x14f7f807db68) at /test/10.10_dbg/sql/item.cc:8850
      #22 0x00005590e5ddfcde in Item_cache_wrapper::val_int (this=0x14f7f807db68) at /test/10.10_dbg/sql/item.cc:8913
      #23 0x00005590e5b07d76 in evaluate_join_record (join=join@entry=0x14f7f806df28, join_tab=join_tab@entry=0x14f7f8076af0, error=error@entry=0) at /test/10.10_dbg/sql/sql_select.cc:21289
      #24 0x00005590e5b1d999 in sub_select (join=0x14f7f806df28, join_tab=0x14f7f8076af0, end_of_records=false) at /test/10.10_dbg/sql/sql_select.cc:21191
      #25 0x00005590e5b5127b in do_select (procedure=<optimized out>, join=0x14f7f806df28) at /test/10.10_dbg/sql/sql_select.cc:20736
      #26 JOIN::exec_inner (this=this@entry=0x14f7f806df28) at /test/10.10_dbg/sql/sql_select.cc:4786
      #27 0x00005590e5b51814 in JOIN::exec (this=this@entry=0x14f7f806df28) at /test/10.10_dbg/sql/sql_select.cc:4564
      #28 0x00005590e5b4f598 in mysql_select (thd=thd@entry=0x14f7f8000db8, tables=tables@entry=0x14f7f8013db0, fields=@0x14f82c0c2e50: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5590e6f9ea00 <end_of_list>, last = 0x14f82c0c2e50, elements = 0}, <No data fields>}, conds=conds@entry=0x14f7f80179f0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2200096997504, result=0x14f7f806de18, unit=0x14f7f8004fd8, select_lex=0x14f7f80057d8) at /test/10.10_dbg/sql/sql_select.cc:5044
      #29 0x00005590e5bc8e7f in mysql_multi_update (thd=thd@entry=0x14f7f8000db8, table_list=0x14f7f8013db0, fields=fields@entry=0x14f7f8005a78, values=values@entry=0x14f7f8005ea8, conds=0x14f7f80179f0, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x14f7f8004fd8, select_lex=0x14f7f80057d8, result=0x14f82c0c3030) at /test/10.10_dbg/sql/sql_update.cc:1976
      #30 0x00005590e5ac94f5 in mysql_execute_command (thd=thd@entry=0x14f7f8000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:4486
      #31 0x00005590e5ab5e3a in mysql_parse (thd=thd@entry=0x14f7f8000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14f82c0c3470) at /test/10.10_dbg/sql/sql_parse.cc:8036
      #32 0x00005590e5ac3422 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14f7f8000db8, packet=packet@entry=0x14f7f800b6d9 "UPDATE c SET c=0 WHERE(SELECT c,c WHERE c<0 INTERSECT SELECT + 1 / + 1,c FROM c WHERE c>-0  + 1)IN (SELECT c,c)", packet_length=packet_length@entry=111, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1364
      #33 0x00005590e5ac5b2c in do_command (thd=0x14f7f8000db8, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407
      #34 0x00005590e5c253c0 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5590e85f4b28, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1418
      #35 0x00005590e5c258c9 in handle_one_connection (arg=0x5590e85f4b28) at /test/10.10_dbg/sql/sql_connect.cc:1312
      #36 0x000014f844f49609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #37 0x000014f844b35133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.4.26 (dbg), 10.4.26 (opt), 10.5.17 (dbg), 10.5.17 (opt), 10.6.9 (dbg), 10.6.9 (opt), 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.3.36 (dbg), 10.3.36 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)


            People

              oleg.smirnov Oleg Smirnov
              Roel Roel Van de Paar
