  1. MariaDB Server
  2. MDEV-29210

Assertion `param->field_count > (uint) (copy - copy_start)' failed in setup_copy_fields, SIGSEGV in JOIN::make_sum_func_list, ASAN: use-after-poison in Copy_field::set


Details

    Description

      Possibly remotely related to MDEV-26434, although the affected versions, the crash/assertion locations and the SQL (no DEFAULT here) all differ.

      -- Reproducer. Table with a single INT column c that is also its key.
      CREATE TABLE t(c INT KEY) ENGINE=InnoDB;
      -- The inserted value is an IN-subquery over derived table v4, with GROUP BY on an
      -- empty string literal, a HAVING clause, and two named windows (v3 defined on v2)
      -- that no window function references. Per the backtraces below, the failure occurs
      -- while this subquery is optimized (optimize_unflattened_subqueries, called from
      -- mysql_insert), in JOIN::make_aggr_tables_info.
      INSERT INTO t VALUES(c IN (SELECT * FROM (SELECT (1 AND c=1)OR c=c FROM t ORDER BY c) AS v4 GROUP BY''HAVING c=c WINDOW v2 AS (ORDER BY c),v3 AS (v2)));
      

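      Leads to an assertion failure (SIGABRT) in setup_copy_fields on debug builds. On optimized builds the same statement gets past that point and ends in a SIGSEGV in JOIN::make_sum_func_list with frame #0 at address 0x0, so a single statement terminates the server process. The ASAN use-after-poison report named in the title is not included in the traces below: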

      10.10.0 e1caa4bd5e8b4645944b85d4b603bf9fc9ef6ca4 (Debug)

      mysqld: /test/10.10_dbg/sql/sql_select.cc:26457: bool setup_copy_fields(THD*, TMP_TABLE_PARAM*, Ref_ptr_array, List<Item>&, List<Item>&, uint, List<Item>&): Assertion `param->field_count > (uint) (copy - copy_start)' failed.
      

      10.10.0 e1caa4bd5e8b4645944b85d4b603bf9fc9ef6ca4 (Debug)

      Core was generated by `/test/MD290722-mariadb-10.10.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGABRT, Aborted.
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      [Current thread is 1 (Thread 0x15533c163700 (LWP 3101393))]
      (gdb) bt
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      #1  0x00001553608cd859 in __GI_abort () at abort.c:79
      #2  0x00001553608cd729 in __assert_fail_base (fmt=0x155360a63588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x559707d170b8 "param->field_count > (uint) (copy - copy_start)", file=0x559707d14a20 "/test/10.10_dbg/sql/sql_select.cc", line=26457, function=<optimized out>) at assert.c:92
      #3  0x00001553608defd6 in __GI___assert_fail (assertion=assertion@entry=0x559707d170b8 "param->field_count > (uint) (copy - copy_start)", file=file@entry=0x559707d14a20 "/test/10.10_dbg/sql/sql_select.cc", line=line@entry=26457, function=function@entry=0x559707d170e8 "bool setup_copy_fields(THD*, TMP_TABLE_PARAM*, Ref_ptr_array, List<Item>&, List<Item>&, uint, List<Item>&)") at assert.c:101
      #4  0x0000559707192a9b in setup_copy_fields (thd=0x1552b4000db8, param=param@entry=0x1552b4026078, ref_pointer_array=<optimized out>, res_selected_fields=@0x1552b4026250: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5597085fe860 <end_of_list>, last = 0x1552b4026250, elements = 0}, <No data fields>}, res_all_fields=@0x1552b4026208: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1552b40772c8, last = 0x1552b40772d8, elements = 2}, <No data fields>}, elements=1, all_fields=@0x1552b40261c0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1552b4027368, last = 0x1552b4015040, elements = 3}, <No data fields>}) at /test/10.10_dbg/sql/sql_select.cc:26457
      #5  0x0000559707199ee1 in JOIN::make_aggr_tables_info (this=this@entry=0x1552b4025e30) at /test/10.10_dbg/sql/sql_select.cc:3896
      #6  0x00005597071aa8bf in JOIN::optimize_stage2 (this=this@entry=0x1552b4025e30) at /test/10.10_dbg/sql/sql_select.cc:3288
      #7  0x00005597071ac1a9 in JOIN::optimize_inner (this=this@entry=0x1552b4025e30) at /test/10.10_dbg/sql/sql_select.cc:2547
      #8  0x00005597071ac56e in JOIN::optimize (this=this@entry=0x1552b4025e30) at /test/10.10_dbg/sql/sql_select.cc:1863
      #9  0x00005597070ef0a4 in st_select_lex::optimize_unflattened_subqueries (this=0x1552b4014500, const_only=const_only@entry=false) at /test/10.10_dbg/sql/sql_lex.cc:4914
      #10 0x00005597070e05f3 in mysql_insert (thd=thd@entry=0x1552b4000db8, table_list=0x1552b4013e10, fields=@0x1552b4005ea8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5597085fe860 <end_of_list>, last = 0x1552b4005ea8, elements = 0}, <No data fields>}, values_list=@0x1552b4005ef0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1552b4025340, last = 0x1552b4025340, elements = 1}, <No data fields>}, update_fields=@0x1552b4005ed8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5597085fe860 <end_of_list>, last = 0x1552b4005ed8, elements = 0}, <No data fields>}, update_values=@0x1552b4005ec0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5597085fe860 <end_of_list>, last = 0x1552b4005ec0, elements = 0}, <No data fields>}, duplic=DUP_ERROR, ignore=false, result=0x0) at /test/10.10_dbg/sql/sql_lex.h:982
      #11 0x0000559707124eef in mysql_execute_command (thd=thd@entry=0x1552b4000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:4563
      #12 0x0000559707111534 in mysql_parse (thd=thd@entry=0x1552b4000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x15533c162330) at /test/10.10_dbg/sql/sql_parse.cc:8037
      #13 0x000055970711eb1c in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1552b4000db8, packet=packet@entry=0x1552b400b6e9 "INSERT INTO t VALUES(c IN (SELECT * FROM (SELECT (1 AND c=1)OR c=c FROM t ORDER BY c) AS v4 GROUP BY''HAVING c=c WINDOW v2 AS (ORDER BY c),v3 AS (v2)))", packet_length=packet_length@entry=151, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1366
      #14 0x0000559707121226 in do_command (thd=0x1552b4000db8, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407
      #15 0x0000559707282744 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55970a283a08, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1418
      #16 0x0000559707282c4d in handle_one_connection (arg=0x55970a283a08) at /test/10.10_dbg/sql/sql_connect.cc:1312
      #17 0x0000155360dde609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #18 0x00001553609ca133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.10.0 e1caa4bd5e8b4645944b85d4b603bf9fc9ef6ca4 (Optimized)

      Core was generated by `/test/MD290722-mariadb-10.10.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x0000000000000000 in ?? ()
      [Current thread is 1 (Thread 0x1508a01bf700 (LWP 3330575))]
      (gdb) bt
      #0  0x0000000000000000 in ?? ()
      #1  0x000055d7c6b8fe38 in JOIN::make_sum_func_list (this=this@entry=0x15082401d4a8, field_list=@0x15082401d880: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x15082404fe70, last = 0x150824050080, elements = 3}, <No data fields>}, send_result_set_metadata=@0x15082401d8c8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x150824050080, last = 0x150824050080, elements = 1}, <No data fields>}, before_group_by=before_group_by@entry=true) at /test/10.10_opt/sql/sql_select.cc:26620
      #2  0x000055d7c6b923e8 in JOIN::make_aggr_tables_info (this=0x15082401d4a8) at /test/10.10_opt/sql/sql_select.cc:3911
      #3  0x000055d7c6b9d68c in JOIN::optimize_stage2 (this=<optimized out>) at /test/10.10_opt/sql/sql_select.cc:3288
      #4  0x000055d7c6ba02f3 in JOIN::optimize_inner (this=0x15082401d4a8) at /test/10.10_opt/sql/sql_select.cc:2547
      #5  0x000055d7c6ba25c3 in JOIN::optimize (this=this@entry=0x15082401d4a8) at /test/10.10_opt/sql/sql_select.cc:1863
      #6  0x000055d7c6b04594 in st_select_lex::optimize_unflattened_subqueries (this=0x150824010fe0, const_only=const_only@entry=false) at /test/10.10_opt/sql/sql_lex.cc:4914
      #7  0x000055d7c6af4d66 in mysql_insert (thd=thd@entry=0x150824000c58, table_list=<optimized out>, fields=@0x150824005b88: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55d7c7bbe2f0 <end_of_list>, last = 0x150824005b88, elements = 0}, <No data fields>}, values_list=@0x150824005bd0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x15082401c9c0, last = 0x15082401c9c0, elements = 1}, <No data fields>}, update_fields=@0x150824005bb8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55d7c7bbe2f0 <end_of_list>, last = 0x150824005bb8, elements = 0}, <No data fields>}, update_values=@0x150824005ba0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55d7c7bbe2f0 <end_of_list>, last = 0x150824005ba0, elements = 0}, <No data fields>}, duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /test/10.10_opt/sql/sql_lex.h:982
      #8  0x000055d7c6b2f9ef in mysql_execute_command (thd=0x150824000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:4563
      #9  0x000055d7c6b1fd85 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x150824000c58) at /test/10.10_opt/sql/sql_parse.cc:8037
      #10 mysql_parse (thd=0x150824000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:7959
      #11 0x000055d7c6b2b89a in dispatch_command (command=COM_QUERY, thd=0x150824000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.10_opt/sql/sql_class.h:1366
      #12 0x000055d7c6b2d7c2 in do_command (thd=0x150824000c58, blocking=blocking@entry=true) at /test/10.10_opt/sql/sql_parse.cc:1407
      #13 0x000055d7c6c456ef in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55d7c92f7538, put_in_cache=put_in_cache@entry=true) at /test/10.10_opt/sql/sql_connect.cc:1418
      #14 0x000055d7c6c459cd in handle_one_connection (arg=0x55d7c92f7538) at /test/10.10_opt/sql/sql_connect.cc:1312
      #15 0x00001508c565d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #16 0x00001508c5249133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.5.17 (opt), 10.5.17 (dbg), 10.6.9 (dbg), 10.6.9 (opt), 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.3.36 (dbg), 10.3.36 (opt), 10.4.26 (dbg), 10.4.26 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)


            People

              psergei Sergei Petrunia
              Roel Roel Van de Paar