Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 11.1(EOL), 11.2(EOL), 11.4, 11.5(EOL)
Description
Possibly remotely related to MDEV-26434, though versions and crash/assert locations are different, as well as the SQL (no DEFAULT).
CREATE TABLE t(c INT KEY) ENGINE=InnoDB; |
INSERT INTO t VALUES(c IN (SELECT * FROM (SELECT (1 AND c=1)OR c=c FROM t ORDER BY c) AS v4 GROUP BY''HAVING c=c WINDOW v2 AS (ORDER BY c),v3 AS (v2))); |
Leads to:
|
10.10.0 e1caa4bd5e8b4645944b85d4b603bf9fc9ef6ca4 (Debug) |
mysqld: /test/10.10_dbg/sql/sql_select.cc:26457: bool setup_copy_fields(THD*, TMP_TABLE_PARAM*, Ref_ptr_array, List<Item>&, List<Item>&, uint, List<Item>&): Assertion `param->field_count > (uint) (copy - copy_start)' failed.
|
|
10.10.0 e1caa4bd5e8b4645944b85d4b603bf9fc9ef6ca4 (Debug) |
Core was generated by `/test/MD290722-mariadb-10.10.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
|
Program terminated with signal SIGABRT, Aborted.
|
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
|
[Current thread is 1 (Thread 0x15533c163700 (LWP 3101393))]
|
(gdb) bt
|
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
|
#1 0x00001553608cd859 in __GI_abort () at abort.c:79
|
#2 0x00001553608cd729 in __assert_fail_base (fmt=0x155360a63588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x559707d170b8 "param->field_count > (uint) (copy - copy_start)", file=0x559707d14a20 "/test/10.10_dbg/sql/sql_select.cc", line=26457, function=<optimized out>) at assert.c:92
|
#3 0x00001553608defd6 in __GI___assert_fail (assertion=assertion@entry=0x559707d170b8 "param->field_count > (uint) (copy - copy_start)", file=file@entry=0x559707d14a20 "/test/10.10_dbg/sql/sql_select.cc", line=line@entry=26457, function=function@entry=0x559707d170e8 "bool setup_copy_fields(THD*, TMP_TABLE_PARAM*, Ref_ptr_array, List<Item>&, List<Item>&, uint, List<Item>&)") at assert.c:101
|
#4 0x0000559707192a9b in setup_copy_fields (thd=0x1552b4000db8, param=param@entry=0x1552b4026078, ref_pointer_array=<optimized out>, res_selected_fields=@0x1552b4026250: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5597085fe860 <end_of_list>, last = 0x1552b4026250, elements = 0}, <No data fields>}, res_all_fields=@0x1552b4026208: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1552b40772c8, last = 0x1552b40772d8, elements = 2}, <No data fields>}, elements=1, all_fields=@0x1552b40261c0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1552b4027368, last = 0x1552b4015040, elements = 3}, <No data fields>}) at /test/10.10_dbg/sql/sql_select.cc:26457
|
#5 0x0000559707199ee1 in JOIN::make_aggr_tables_info (this=this@entry=0x1552b4025e30) at /test/10.10_dbg/sql/sql_select.cc:3896
|
#6 0x00005597071aa8bf in JOIN::optimize_stage2 (this=this@entry=0x1552b4025e30) at /test/10.10_dbg/sql/sql_select.cc:3288
|
#7 0x00005597071ac1a9 in JOIN::optimize_inner (this=this@entry=0x1552b4025e30) at /test/10.10_dbg/sql/sql_select.cc:2547
|
#8 0x00005597071ac56e in JOIN::optimize (this=this@entry=0x1552b4025e30) at /test/10.10_dbg/sql/sql_select.cc:1863
|
#9 0x00005597070ef0a4 in st_select_lex::optimize_unflattened_subqueries (this=0x1552b4014500, const_only=const_only@entry=false) at /test/10.10_dbg/sql/sql_lex.cc:4914
|
#10 0x00005597070e05f3 in mysql_insert (thd=thd@entry=0x1552b4000db8, table_list=0x1552b4013e10, fields=@0x1552b4005ea8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5597085fe860 <end_of_list>, last = 0x1552b4005ea8, elements = 0}, <No data fields>}, values_list=@0x1552b4005ef0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1552b4025340, last = 0x1552b4025340, elements = 1}, <No data fields>}, update_fields=@0x1552b4005ed8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5597085fe860 <end_of_list>, last = 0x1552b4005ed8, elements = 0}, <No data fields>}, update_values=@0x1552b4005ec0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5597085fe860 <end_of_list>, last = 0x1552b4005ec0, elements = 0}, <No data fields>}, duplic=DUP_ERROR, ignore=false, result=0x0) at /test/10.10_dbg/sql/sql_lex.h:982
|
#11 0x0000559707124eef in mysql_execute_command (thd=thd@entry=0x1552b4000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:4563
|
#12 0x0000559707111534 in mysql_parse (thd=thd@entry=0x1552b4000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x15533c162330) at /test/10.10_dbg/sql/sql_parse.cc:8037
|
#13 0x000055970711eb1c in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1552b4000db8, packet=packet@entry=0x1552b400b6e9 "INSERT INTO t VALUES(c IN (SELECT * FROM (SELECT (1 AND c=1)OR c=c FROM t ORDER BY c) AS v4 GROUP BY''HAVING c=c WINDOW v2 AS (ORDER BY c),v3 AS (v2)))", packet_length=packet_length@entry=151, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1366
|
#14 0x0000559707121226 in do_command (thd=0x1552b4000db8, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407
|
#15 0x0000559707282744 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55970a283a08, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1418
|
#16 0x0000559707282c4d in handle_one_connection (arg=0x55970a283a08) at /test/10.10_dbg/sql/sql_connect.cc:1312
|
#17 0x0000155360dde609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#18 0x00001553609ca133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
|
10.10.0 e1caa4bd5e8b4645944b85d4b603bf9fc9ef6ca4 (Optimized) |
Core was generated by `/test/MD290722-mariadb-10.10.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 0x0000000000000000 in ?? ()
|
[Current thread is 1 (Thread 0x1508a01bf700 (LWP 3330575))]
|
(gdb) bt
|
#0 0x0000000000000000 in ?? ()
|
#1 0x000055d7c6b8fe38 in JOIN::make_sum_func_list (this=this@entry=0x15082401d4a8, field_list=@0x15082401d880: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x15082404fe70, last = 0x150824050080, elements = 3}, <No data fields>}, send_result_set_metadata=@0x15082401d8c8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x150824050080, last = 0x150824050080, elements = 1}, <No data fields>}, before_group_by=before_group_by@entry=true) at /test/10.10_opt/sql/sql_select.cc:26620
|
#2 0x000055d7c6b923e8 in JOIN::make_aggr_tables_info (this=0x15082401d4a8) at /test/10.10_opt/sql/sql_select.cc:3911
|
#3 0x000055d7c6b9d68c in JOIN::optimize_stage2 (this=<optimized out>) at /test/10.10_opt/sql/sql_select.cc:3288
|
#4 0x000055d7c6ba02f3 in JOIN::optimize_inner (this=0x15082401d4a8) at /test/10.10_opt/sql/sql_select.cc:2547
|
#5 0x000055d7c6ba25c3 in JOIN::optimize (this=this@entry=0x15082401d4a8) at /test/10.10_opt/sql/sql_select.cc:1863
|
#6 0x000055d7c6b04594 in st_select_lex::optimize_unflattened_subqueries (this=0x150824010fe0, const_only=const_only@entry=false) at /test/10.10_opt/sql/sql_lex.cc:4914
|
#7 0x000055d7c6af4d66 in mysql_insert (thd=thd@entry=0x150824000c58, table_list=<optimized out>, fields=@0x150824005b88: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55d7c7bbe2f0 <end_of_list>, last = 0x150824005b88, elements = 0}, <No data fields>}, values_list=@0x150824005bd0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x15082401c9c0, last = 0x15082401c9c0, elements = 1}, <No data fields>}, update_fields=@0x150824005bb8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55d7c7bbe2f0 <end_of_list>, last = 0x150824005bb8, elements = 0}, <No data fields>}, update_values=@0x150824005ba0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55d7c7bbe2f0 <end_of_list>, last = 0x150824005ba0, elements = 0}, <No data fields>}, duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /test/10.10_opt/sql/sql_lex.h:982
|
#8 0x000055d7c6b2f9ef in mysql_execute_command (thd=0x150824000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:4563
|
#9 0x000055d7c6b1fd85 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x150824000c58) at /test/10.10_opt/sql/sql_parse.cc:8037
|
#10 mysql_parse (thd=0x150824000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:7959
|
#11 0x000055d7c6b2b89a in dispatch_command (command=COM_QUERY, thd=0x150824000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.10_opt/sql/sql_class.h:1366
|
#12 0x000055d7c6b2d7c2 in do_command (thd=0x150824000c58, blocking=blocking@entry=true) at /test/10.10_opt/sql/sql_parse.cc:1407
|
#13 0x000055d7c6c456ef in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55d7c92f7538, put_in_cache=put_in_cache@entry=true) at /test/10.10_opt/sql/sql_connect.cc:1418
|
#14 0x000055d7c6c459cd in handle_one_connection (arg=0x55d7c92f7538) at /test/10.10_opt/sql/sql_connect.cc:1312
|
#15 0x00001508c565d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#16 0x00001508c5249133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
Bug confirmed present in:
MariaDB: 10.5.17 (opt), 10.5.17 (dbg), 10.6.9 (dbg), 10.6.9 (opt), 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt)
Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.36 (dbg), 10.3.36 (opt), 10.4.26 (dbg), 10.4.26 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-
-
-
- Closed
-
- relates to
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
Activity
test case from MDEV-32398:
CREATE TABLE t0 ( c39 INT , c45 SMALLINT ) ; |
INSERT INTO t0 VALUES ( -1 , 86 NOT LIKE CASE WHEN 78 THEN RAND ( ) + EXISTS ( SELECT c45 AS c45 FROM ( SELECT CASE c39 WHEN 2729039170178489003 THEN 24 ELSE 115 END IS TRUE AS c57 FROM t0 ) AS t1 GROUP BY c57 , c57 , c57 WITH ROLLUP HAVING REVERSE ( ~ FORMAT ( -1745216741589043951 = IF ( -35 , 21 , -3 ) IN ( 23 = RAND ( ) & TRIM( TRAILING FROM 77 ) IS NULL ) , -11 ) ) AND CONVERT ( -17 , UNSIGNED ) ) ^ RAND ( ) IS NOT NULL ELSE -127 END ) , ( -43 , 94 ) ; |
test from MDEV-32594:
CREATE TABLE v0 ( v1 INT , v2 SMALLINT NOT NULL PRIMARY KEY ) ; |
SELECT v2 FROM v0 . TABLES WHERE v1 = 'x' AND v2 = 'x' ; |
INSERT INTO v0 VALUES ( 99 , 'x' ) ; |
INSERT INTO v0 VALUES ( v1 , v1 NOT IN ( WITH v0 AS ( SELECT 68 * 8 FROM v0 ) SELECT * FROM v0 GROUP BY v1 HAVING v1 >= NULL AND ( NULL , 9877221.000000 ) < ( NULL , 'x' ) ) ) ; |
New UniqueID observed on opt UB+ASAN 11.5 with:
CREATE TABLE t (c INT); |
INSERT INTO t VALUES (c IN (SELECT * FROM (SELECT (1 AND c=1) OR c=c FROM t ORDER BY c) AS v4 GROUP BY ''HAVING c=c WINDOW v2 AS (ORDER BY c),v3 AS (v2))); |
|
11.5.0 e4afa610539ae01164485554e2de839bea9de816 (Optimized, UBASAN) |
==458080==ERROR: AddressSanitizer: use-after-poison on address 0x6290000b8120 at pc 0x55c4fea562d1 bp 0x155462ea98b0 sp 0x155462ea98a0
|
WRITE of size 8 at 0x6290000b8120 thread T12
|
#0 0x55c4fea562d0 in Copy_field::set(unsigned char*, Field*) /test/11.5_opt_san/sql/field_conv.cc:653
|
#1 0x55c4fd772fa0 in setup_copy_fields(THD*, TMP_TABLE_PARAM*, Bounds_checked_array<Item*>, List<Item>&, List<Item>&, unsigned int, List<Item>&) /test/11.5_opt_san/sql/sql_select.cc:28570
|
#2 0x55c4fd7a4f96 in JOIN::make_aggr_tables_info() /test/11.5_opt_san/sql/sql_select.cc:4079
|
#3 0x55c4fd871525 in JOIN::optimize_stage2() /test/11.5_opt_san/sql/sql_select.cc:3449
|
#4 0x55c4fd883ad0 in JOIN::optimize_inner() /test/11.5_opt_san/sql/sql_select.cc:2683
|
#5 0x55c4fd8896f5 in JOIN::optimize() /test/11.5_opt_san/sql/sql_select.cc:1966
|
#6 0x55c4fd2dd682 in st_select_lex::optimize_unflattened_subqueries(bool) /test/11.5_opt_san/sql/sql_lex.cc:5015
|
#7 0x55c4fd25d57e in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/11.5_opt_san/sql/sql_insert.cc:890
|
#8 0x55c4fd453dbd in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:4447
|
#9 0x55c4fd470382 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
|
#10 0x55c4fd47b853 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
|
#11 0x55c4fd488428 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
|
#12 0x55c4fde006fc in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
|
#13 0x55c4fde02cfc in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
|
#14 0x155486497ad9 in start_thread nptl/pthread_create.c:444
|
#15 0x15548652847b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
0x6290000b8120 is located 16160 bytes inside of 16400-byte region [0x6290000b4200,0x6290000b8210)
|
allocated by thread T12 here:
|
#0 0x55c4fcb84c17 in __interceptor_malloc (/test/UBASAN_MD250524-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7ec6c17)
|
#1 0x55c501184234 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93
|
#2 0x55c50115eecc in root_alloc /test/11.5_opt_san/mysys/my_alloc.c:66
|
#3 0x55c50115eecc in alloc_root /test/11.5_opt_san/mysys/my_alloc.c:332
|
#4 0x55c50115faa5 in multi_alloc_root /test/11.5_opt_san/mysys/my_alloc.c:405
|
#5 0x55c4fd84919e in make_join_statistics /test/11.5_opt_san/sql/sql_select.cc:5545
|
#6 0x55c4fd883188 in JOIN::optimize_inner() /test/11.5_opt_san/sql/sql_select.cc:2657
|
#7 0x55c4fd8896f5 in JOIN::optimize() /test/11.5_opt_san/sql/sql_select.cc:1966
|
#8 0x55c4fd1aa9b5 in mysql_derived_optimize /test/11.5_opt_san/sql/sql_derived.cc:1037
|
#9 0x55c4fd1a6905 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /test/11.5_opt_san/sql/sql_derived.cc:200
|
#10 0x55c4fd88355d in JOIN::optimize_inner() /test/11.5_opt_san/sql/sql_select.cc:2473
|
#11 0x55c4fd8896f5 in JOIN::optimize() /test/11.5_opt_san/sql/sql_select.cc:1966
|
#12 0x55c4fd2dd682 in st_select_lex::optimize_unflattened_subqueries(bool) /test/11.5_opt_san/sql/sql_lex.cc:5015
|
#13 0x55c4fd25d57e in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/11.5_opt_san/sql/sql_insert.cc:890
|
#14 0x55c4fd453dbd in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:4447
|
#15 0x55c4fd470382 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
|
#16 0x55c4fd47b853 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
|
#17 0x55c4fd488428 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
|
#18 0x55c4fde006fc in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
|
#19 0x55c4fde02cfc in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
|
#20 0x155486497ad9 in start_thread nptl/pthread_create.c:444
|
|
|
Thread T12 created by T0 here:
|
#0 0x55c4fcb28a35 in __interceptor_pthread_create (/test/UBASAN_MD250524-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7e6aa35)
|
#1 0x55c4fcbdd4de in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079
|
#2 0x55c4fcbf06ff in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203
|
#3 0x55c4fcbf17e7 in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316
|
#4 0x55c4fcbf48ed in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974
|
#5 0x1554864280cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /test/11.5_opt_san/sql/field_conv.cc:653 in Copy_field::set(unsigned char*, Field*)
|
Shadow bytes around the buggy address:
|
0x0c528000efd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c528000efe0: 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c528000eff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c528000f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c528000f010: 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x0c528000f020: 00 00 00 00[f7]00 00 00 00 00 00 00 00 00 00 00
|
0x0c528000f030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
|
0x0c528000f040: f7 f7 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c528000f050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c528000f060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c528000f070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==458080==ABORTING
|
240531 13:02:22 [ERROR] mysqld got signal 6 ;
|
With the original testcase from MDEV-32398:
CREATE TABLE t0 ( c39 INT , c45 SMALLINT ) ENGINE=InnoDB; |
INSERT INTO t0 VALUES ( -1 , 86 NOT LIKE CASE WHEN 78 THEN RAND ( ) + EXISTS ( SELECT c45 AS c45 FROM ( SELECT CASE c39 WHEN 2729039170178489003 THEN 24 ELSE 115 END IS TRUE AS c57 FROM t0 ) AS t1 GROUP BY c57 , c57 , c57 WITH ROLLUP HAVING REVERSE ( ~ FORMAT ( -1745216741589043951 = IF ( -35 , 21 , -3 ) IN ( 23 = RAND ( ) & TRIM( TRAILING FROM 77 ) IS NULL ) , -11 ) ) AND CONVERT ( -17 , UNSIGNED ) ) ^ RAND ( ) IS NOT NULL ELSE -127 END ) , ( -43 , 94 ) ; |
We get a different SIGSEGV in 11.4 ES:
|
ES 11.4.5-3 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 (Optimized) Build 13/03/2025 |
Core was generated by `/test/EMD130325-mariadb-11.4.5-3-linux-x86_64-opt/bin/mariadbd --no-defaults --'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 0x00005589d1bffce0 in TABLE_LIST::is_active_sjm (this=0x5589d1dfa970 <do_field_to_null_str(Copy_field const*)>)at /test/11.4-es_opt/sql/sql_select.cc:13958
|
|
|
[Current thread is 1 (LWP 3200178)]
|
(gdb) bt
|
#0 0x00005589d1bffce0 in TABLE_LIST::is_active_sjm (this=0x5589d1dfa970 <do_field_to_null_str(Copy_field const*)>)at /test/11.4-es_opt/sql/sql_select.cc:13958
|
#1 0x00005589d1d0a2ce in TABLE_LIST::is_sjm_scan_table (this=0x5589d1dfa970 <do_field_to_null_str(Copy_field const*)>)at /test/11.4-es_opt/sql/opt_subselect.cc:7500
|
#2 0x00005589d1bee665 in JOIN::add_sorting_to_table (this=this@entry=0x14c634022358, tab=tab@entry=0x14c634055e08, order=0x14c63401bda0) at /test/11.4-es_opt/sql/sql_select.cc:4467
|
#3 0x00005589d1bec82f in JOIN::make_aggr_tables_info (this=this@entry=0x14c634022358) at /test/11.4-es_opt/sql/sql_select.cc:4226
|
#4 0x00005589d1bde547 in JOIN::optimize_stage2 (this=this@entry=0x14c634022358) at /test/11.4-es_opt/sql/sql_select.cc:3517
|
#5 0x00005589d1bdf8d5 in JOIN::optimize_inner (this=this@entry=0x14c634022358)at /test/11.4-es_opt/sql/sql_select.cc:2748
|
#6 0x00005589d1bdd184 in JOIN::optimize (this=0x14c634022358)at /test/11.4-es_opt/sql/sql_select.cc:2020
|
#7 0x00005589d1b78cfd in st_select_lex::optimize_unflattened_subqueries (this=0x14c634018ce0, const_only=false)at /test/11.4-es_opt/sql/sql_lex.cc:5014
|
#8 0x00005589d1b64183 in mysql_insert (thd=thd@entry=0x14c634000c68, table_list=0x14c6340185b8, fields=@0x14c634005ef8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5589d2df2320 <end_of_list>, last = 0x14c634005ef8, elements = 0}, <No data fields>}, values_list=@0x14c634005f40: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14c6340216a0, last = 0x14c6340217f8, elements = 2}, <No data fields>}, update_fields=@0x14c634005f28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5589d2df2320 <end_of_list>, last = 0x14c634005f28, elements = 0}, <No data fields>}, update_values=@0x14c634005f10: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5589d2df2320 <end_of_list>, last = 0x14c634005f10, elements = 0}, <No data fields>}, duplic=DUP_ERROR, ignore=<optimized out>, result=0x0)at /test/11.4-es_opt/sql/sql_insert.cc:882
|
#9 0x00005589d1ba0dc0 in mysql_execute_command (thd=thd@entry=0x14c634000c68, is_called_from_prepared_stmt=false)at /test/11.4-es_opt/sql/sql_parse.cc:4482
|
#10 0x00005589d1b99941 in mysql_parse (thd=thd@entry=0x14c634000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14c68b168470)at /test/11.4-es_opt/sql/sql_parse.cc:7924
|
#11 0x00005589d1b97de3 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14c634000c68, packet=packet@entry=0x14c634008899 "INSERT INTO t0 VALUES ( -1 , 86 NOT LIKE CASE WHEN 78 THEN RAND ( ) + EXISTS ( SELECT c45 AS c45 FROM ( SELECT CASE c39 WHEN 2729039170178489003 THEN 24 ELSE 115 END IS TRUE AS c57 FROM t0 ) AS t1 GRO"..., packet_length=packet_length@entry=458, blocking=true)at /test/11.4-es_opt/sql/sql_parse.cc:1912
|
#12 0x00005589d1b99d51 in do_command (thd=thd@entry=0x14c634000c68, blocking=true) at /test/11.4-es_opt/sql/sql_parse.cc:1425
|
#13 0x00005589d1cc364d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5589d5ba0938, put_in_cache=true)at /test/11.4-es_opt/sql/sql_connect.cc:1429
|
#14 0x00005589d1cc3413 in handle_one_connection (arg=arg@entry=0x5589d5ba0938)at /test/11.4-es_opt/sql/sql_connect.cc:1341
|
#15 0x00005589d203a3c7 in pfs_spawn_thread (arg=0x5589d5bc6778)at /test/11.4-es_opt/storage/perfschema/pfs.cc:2201
|
#16 0x000014c69409ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
|
#17 0x000014c694129c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
Full bug detection matrix for this testcase:
|
Bug Detection Matrix |
Rel o/d Build Commit UniqueID observed
|
CS 10.5 dbg 150225 c43d0a015f974c5a0142e6779332089a7a979853 param->field_count > (uint) (copy - copy_start)|SIGABRT|setup_copy_fields|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
CS 10.5 opt 150225 c43d0a015f974c5a0142e6779332089a7a979853 SIGSEGV|JOIN::make_sum_func_list|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
CS 10.6 dbg 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 param->field_count > (uint) (copy - copy_start)|SIGABRT|setup_copy_fields|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
CS 10.6 opt 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 SIGSEGV|JOIN::make_sum_func_list|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
CS 10.11 dbg 150225 43c5d1303f5c7c726db276815c459436110f342f param->field_count > (uint) (copy - copy_start)|SIGABRT|setup_copy_fields|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
CS 10.11 opt 150225 43c5d1303f5c7c726db276815c459436110f342f SIGSEGV|JOIN::make_sum_func_list|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
CS 11.4 dbg 150225 ef966af801afc2a07222b5df65dddd52c77431dd param->field_count > (uint) (copy - copy_start)|SIGABRT|setup_copy_fields|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
CS 11.4 opt 150225 ef966af801afc2a07222b5df65dddd52c77431dd SIGSEGV|JOIN::make_sum_func_list|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
CS 11.8 dbg 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d param->field_count > (uint) (copy - copy_start)|SIGABRT|setup_copy_fields|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
CS 11.8 opt 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d SIGSEGV|JOIN::make_sum_func_list|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
CS 12.0 dbg 150225 c92add291e636c797e6d6ddca605905541b2a441 param->field_count > (uint) (copy - copy_start)|SIGABRT|setup_copy_fields|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
CS 12.0 opt 150225 c92add291e636c797e6d6ddca605905541b2a441 SIGSEGV|JOIN::make_sum_func_list|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
ES 10.5 dbg 130325 52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06 param->field_count > (uint) (copy - copy_start)|SIGABRT|setup_copy_fields|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
ES 10.5 opt 130325 52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06 SIGSEGV|JOIN::make_sum_func_list|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
ES 10.6 dbg 130325 66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d param->field_count > (uint) (copy - copy_start)|SIGABRT|setup_copy_fields|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
ES 10.6 opt 130325 66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d SIGSEGV|JOIN::make_sum_func_list|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
ES 11.4 dbg 130325 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 param->field_count > (uint) (copy - copy_start)|SIGABRT|setup_copy_fields|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
ES 11.4 opt 130325 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 SIGSEGV|TABLE_LIST::is_active_sjm|TABLE_LIST::is_sjm_scan_table|JOIN::add_sorting_to_table|JOIN::make_aggr_tables_info
|
MS 5.5 dbg 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
|
MS 5.5 opt 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
|
MS 5.6 dbg 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
|
MS 5.6 opt 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
|
MS 5.7 dbg 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
|
MS 5.7 opt 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
|
MS 8.0 dbg 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
|
MS 8.0 opt 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
|
MS 9.1 dbg 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found
|
MS 9.1 opt 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found
|
The stack difference in the previous comment - for 11.4 ES only - is a bit odd.
I bisected the specific SIGSEGV in TABLE_LIST::is_active_sjm stack, to this commit:
commit b85bbeb800ae9cc47d11b6bef890b815b1982f7e
|
Author: Monty <monty@mariadb.org>
|
Date: Fri May 3 10:44:41 2024 +0300
|
|
|
MENT-2067 Backport MDEV-9101
|
i.e. MENT-2067, which is MDEV-9101 (CS 11.5) backported to ES 11.4 only.
After this commit, the stack is a SIGSEGV in TABLE_LIST::is_active_sjm. Before that commit, it still crashes, but with two other stacks:
SIGSEGV|THD::check_limit_rows_examined|handler::increment_statistics|handler::ha_rnd_next|find_all_keys # In more recent ES 11.4 releases before the commit above
|
SIGABRT|__libc_message_impl|__libc_assert_fail|___pthread_mutex_lock|inline_mysql_mutex_lock # In earlier ES 11.4 releases
|
In general, this area is quite buggy (also see the next comment).
However, the issues observed here - along with other stacks mentioned in the next comment - are neither sporadic nor random. They are fully reproducible using the provided test cases. For the specific case mentioned above, I re-ran the bisect to confirm the results. For other stacks (next comment), I conducted at least two rounds of testing each. While the stacks vary between versions and commits, they remain consistent (i.e., static and not random) when replayed repeatedly on the same commit and version.
I initially thought that the differences in stacks might be due to the use of RAND() within the SQL. However, this did not explain why specific stacks are consistently reproducible (i.e., static and not random) for any given test case, nor why stacks change between different commits and versions or with slight testcase modifications.
Looking closer at the additional set of all discovered stacks and how they replay, in conjunction with MENT-2067, it appears that the differences in stacks are more likely related to the temporary tables associated code changes in MENT-2067.
As mentioned in the last comment, all testcase variations below produce consistently the same stacks. Zero randomness was observed.
CREATE TABLE t1 (c1 INT, c2 INT) ENGINE=InnoDB; |
INSERT INTO t1 VALUES ( 1,86 NOT LIKE CASE WHEN 78 THEN RAND ( ) + EXISTS ( SELECT c2 AS c2 FROM ( SELECT CASE c1 WHEN 2729039170178489003 THEN 24 ELSE 115 END IS TRUE AS c57 FROM t1 ) AS t1 GROUP BY c57,c57,c57 WITH ROLLUP HAVING REVERSE ( ~ FORMAT ( 1745216741589043951=IF ( -35,21,-3 ) IN ( 23=RAND ( ) & TRIM( TRAILING FROM 77 ) IS NULL ),-11 ) ) AND CONVERT ( 17,UNSIGNED ) ) ^ RAND ( ) IS NOT NULL ELSE 127 END), (-43,94 ); |
Leads to:
|
ES 11.4.5-3 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 (Optimized) Build 13/03/2025 |
SIGSEGV|THD::inc_status_created_tmp_tables|open_tmp_table|mysql_derived_create|mysql_handle_single_derived
|
|
ES 11.4.1-1 97a4030704e45b8489332ad6f8234d7f9b67414b (Optimized) |
SIGSEGV|heap_prepare_hp_create_info|ha_heap::open|handler::ha_open|open_tmp_table
|
--------
CREATE TABLE t1 ( c39 INT , c45 INT ) ENGINE=InnoDB; |
INSERT INTO t1 VALUES ( -1 , 86 NOT LIKE CASE WHEN 78 THEN RAND ( ) + EXISTS ( SELECT c45 AS c45 FROM ( SELECT CASE c39 WHEN 2729039170178489003 THEN 24 ELSE 115 END IS TRUE AS c57 FROM t1 ) AS t1 GROUP BY c57 , c57 , c57 WITH ROLLUP HAVING REVERSE ( ~ FORMAT ( -1745216741589043951 = IF ( -35 , 21 , -3 ) IN ( 23 = RAND ( ) & TRIM( TRAILING FROM 77 ) IS NULL ) , -11 ) ) AND CONVERT ( -17 , UNSIGNED ) ) ^ RAND ( ) IS NOT NULL ELSE -127 END ) , ( -43 , 94 ); |
Leads to:
|
ES 11.4.5-3 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 (Optimized) Build 13/03/2025 |
SIGSEGV|TABLE_LIST::is_active_sjm|TABLE_LIST::is_sjm_scan_table|JOIN::add_sorting_to_table|JOIN::make_aggr_tables_info
|
And on earlier commits to a thread hang on 'Creating sort index' (also consistently repeatable):
|
ES 11.4.1-1 97a4030704e45b8489332ad6f8234d7f9b67414b (Optimized) |
11.4.1-opt>SHOW PROCESSLIST;
|
+----+------+-----------+------+---------+------+---------------------+------------------------------------------------------------------------------------------------------+----------+
|
| Id | User | Host | db | Command | Time | State | Info | Progress |
|
+----+------+-----------+------+---------+------+---------------------+------------------------------------------------------------------------------------------------------+----------+
|
| 4 | root | localhost | test | Query | 67 | Creating sort index | INSERT INTO t1 VALUES ( -1 , 86 NOT LIKE CASE WHEN 78 THEN RAND ( ) + EXISTS ( SELECT c45 AS c45 FRO | 0.000 |
|
| 5 | root | localhost | test | Query | 0 | starting | SHOW PROCESSLIST | 0.000 |
|
+----+------+-----------+------+---------+------+---------------------+------------------------------------------------------------------------------------------------------+----------+
|
2 rows in set (0.000 sec)
|
--------
CREATE TABLE t1 (c1 INT, c45 INT) ENGINE=InnoDB; |
INSERT INTO t1 VALUES ( -1,86 NOT LIKE CASE WHEN 78 THEN RAND ( ) + EXISTS ( SELECT c45 AS c45 FROM ( SELECT CASE c1 WHEN 2729039170178489003 THEN 24 ELSE 115 END IS TRUE AS c57 FROM t1 ) AS t1 GROUP BY c57,c57,c57 WITH ROLLUP HAVING REVERSE ( ~ FORMAT ( -1=IF ( -1,21,-3 ) IN ( 23=RAND ( ) & TRIM( TRAILING FROM 77 ) IS NULL ),-11 )) AND CONVERT ( -1,UNSIGNED )) ^ RAND ( ) IS NOT NULL ELSE -1 END), (-43,94 ); |
Leads to:
|
ES 11.4.5-3 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 (Optimized) Build 13/03/2025 |
SIGSEGV|TABLE::is_clustering_key|JOIN::init_join_cache_and_keyread|JOIN::optimize_stage2|JOIN::optimize_inner
|
And a previously seen stack on earlier commits:
|
ES 11.4.1-1 97a4030704e45b8489332ad6f8234d7f9b67414b (Optimized) |
SIGSEGV|JOIN::make_sum_func_list|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
--------
CREATE TABLE t (c INT,c2 INT) ENGINE=InnoDB; |
INSERT INTO t VALUES (1,1 NOT LIKE CASE WHEN 78 THEN RAND()+EXISTS (SELECT c2 AS c2 FROM (SELECT CASE c WHEN 2729039170178489003 THEN 24 ELSE 115 END IS TRUE AS c57 FROM t) AS t GROUP BY c57,c57,c57 WITH ROLLUP HAVING REVERSE (~ FORMAT (1745216741589043951=IF(-35,21,-3) IN (23=RAND() & TRIM(TRAILING FROM 77) IS NULL),-11)) AND CONVERT(17,UNSIGNED))^RAND() IS NOT NULL ELSE 127 END), (-1,94); |
Leads to:
|
ES 11.4.5-3 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 (Optimized) Build 13/03/2025 |
SIGSEGV|TABLE_SHARE::db_type|mysql_derived_create|mysql_handle_single_derived|st_join_table::preread_init
|
And a previously seen stack on earlier commits:
|
ES 11.4.1-1 97a4030704e45b8489332ad6f8234d7f9b67414b (Optimized) |
SIGSEGV|JOIN::make_sum_func_list|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner
|
--------
CREATE TABLE t1 (c1 INT,c2 INT) ENGINE=InnoDB; |
INSERT INTO t1 VALUES (-1,86 NOT LIKE CASE WHEN 78 THEN RAND () + EXISTS (SELECT c2 AS c2 FROM (SELECT CASE c1 WHEN 2729039170178489003 THEN 24 ELSE 115 END IS TRUE AS c57 FROM t1) AS t1 GROUP BY c57,c57,c57 WITH ROLLUP HAVING REVERSE (~ FORMAT (-1745216741589043951=IF (-35,21,-3) IN (23=RAND () & TRIM(TRAILING FROM 77) IS NULL),-11)) AND CONVERT (-17,UNSIGNED)) ^ RAND () IS NOT NULL ELSE 1 END), (-43,94); |
Leads to:
|
ES 11.4.5-3 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 (Optimized) Build 13/03/2025 |
SIGSEGV|heap_prepare_hp_create_info|ha_heap::open|handler::ha_open|open_tmp_table
|
|
ES 11.4.1-1 97a4030704e45b8489332ad6f8234d7f9b67414b (Optimized) |
SIGABRT|__libc_message_impl|malloc_printerr|_int_free|__GI___libc_free
|
Note: this is not fixed by
MDEV-23809. Also, assert added inMDEV-23809doesn't fire.