MariaDB Server: MDEV-29350

Crash when IN predicand is used in eliminated GROUP BY clause

Description

      The testcase was simplified so that it needs no table DDL; the same issue is present when actual tables are used.

      The backtrace differs slightly between the debug (dbg) and optimized (opt) builds from the 4th frame onward:

      SIGSEGV|st_select_lex_node::exclude_from_tree|st_select_lex_node::exclude|Item_subselect::eliminate_subselect_processor|Item_in_subselect::walk  # opt
      SIGSEGV|st_select_lex_node::exclude_from_tree|st_select_lex_node::exclude|Item_subselect::eliminate_subselect_processor|Item_subselect::walk  # dbg
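The signature lines above are the usual triage form for a crash: the signal followed by the top few frames of the backtrace. As an added example (not part of this report and not MariaDB's own tooling), the following Python script derives that signature from raw gdb output and reports the gdb frame at which two backtraces first diverge. The sample traces are abridged excerpts of the opt and dbg gdb output from this report; the regular expressions assume gdb's default `bt` line format, with an optional `0x... in` address prefix that inlined frames lack.

```python
import re
from typing import Dict, List, Optional

# A gdb "bt" frame line looks like
#   "#3  0x0000565229e67c78 in Item_in_subselect::walk (this=...) at item_subselect.h:757"
# or, for an inlined frame that carries no address,
#   "#5  Item_func_or_sum::walk (this=...) at item.h:5445"
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(.+?) \(")
SIGNAL_RE = re.compile(r"Program terminated with signal (\w+)")


def parse_frames(gdb_output: str) -> List[str]:
    """Function names of the backtrace, ordered by frame number.

    gdb prints frame #0 once before the prompt and again after "bt"; the first
    occurrence of each frame number wins, so the duplicate is harmless.
    """
    frames: Dict[int, str] = {}
    for line in gdb_output.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.setdefault(int(m.group(1)), m.group(2))
    return [frames[i] for i in sorted(frames)]


def parse_signal(gdb_output: str) -> Optional[str]:
    """Signal name from gdb's 'Program terminated with signal ...' line."""
    m = SIGNAL_RE.search(gdb_output)
    return m.group(1) if m else None


def crash_signature(gdb_output: str, depth: int = 4) -> str:
    """'SIGNAL|frame0|frame1|...' built from the top `depth` frames, as in the report."""
    parts = [parse_signal(gdb_output) or "UNKNOWN"] + parse_frames(gdb_output)[:depth]
    return "|".join(parts)


def first_divergent_frame(sig_a: str, sig_b: str) -> Optional[int]:
    """gdb frame number at which two signatures first differ, or None if identical.

    Component 0 of a signature is the signal and component i is frame #(i-1),
    so a signal mismatch is reported as -1.
    """
    a, b = sig_a.split("|"), sig_b.split("|")
    for i in range(max(len(a), len(b))):
        if i >= len(a) or i >= len(b) or a[i] != b[i]:
            return i - 1
    return None


# Abridged excerpts of the report's gdb output (constructed sample input for this example).
OPT_TRACE = """\
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000565229b1291b in st_select_lex_node::exclude_from_tree (
    this=this@entry=0x153e1c013298) at /test/10.10_opt/sql/sql_lex.cc:3225
3225      if ((*prev= next))
(gdb) bt
#0  0x0000565229b1291b in st_select_lex_node::exclude_from_tree (this=this@entry=0x153e1c013298) at /test/10.10_opt/sql/sql_lex.cc:3225
#1  0x0000565229b12996 in st_select_lex_node::exclude (this=0x153e1c013298) at /test/10.10_opt/sql/sql_lex.cc:3237
#2  0x0000565229e5984e in Item_subselect::eliminate_subselect_processor (this=0x153e1c013a98, arg=<optimized out>) at /test/10.10_opt/sql/item_subselect.cc:395
#3  0x0000565229e67c78 in Item_in_subselect::walk (this=0x153e1c01a368, processor=&virtual table offset 968, walk_subquery=false, arg=0x0) at /test/10.10_opt/sql/item_subselect.h:757
#4  0x0000565229a681ec in Item_args::walk_args (arg=0x0, walk_subquery=false, processor=<optimized out>, this=0x153e1c022520) at /test/10.10_opt/sql/item.h:2757
#5  Item_func_or_sum::walk (this=0x153e1c0224b0, processor=&virtual table offset 968, walk_subquery=false, arg=0x0) at /test/10.10_opt/sql/item.h:5445
"""

DBG_TRACE = """\
Program terminated with signal SIGSEGV, Segmentation fault.
(gdb) bt
#0  0x000055cf3655bb75 in st_select_lex_node::exclude_from_tree (this=this@entry=0x1538180167b8) at /test/10.10_dbg/sql/sql_lex.cc:3225
#1  0x000055cf3655bbed in st_select_lex_node::exclude (this=0x1538180167b8) at /test/10.10_dbg/sql/sql_lex.cc:3237
#2  0x000055cf3698964c in Item_subselect::eliminate_subselect_processor (this=0x153818016fb8, arg=<optimized out>) at /test/10.10_dbg/sql/item_subselect.cc:395
#3  0x000055cf36989b18 in Item_subselect::walk (this=0x153818016fb8, processor=<optimized out>, walk_subquery=<optimized out>, argument=0x0) at /test/10.10_dbg/sql/item_subselect.cc:782
#4  0x000055cf3699c5ce in Item_in_subselect::walk (this=0x15381801dbc8, processor=&virtual table offset 968, walk_subquery=false, arg=0x0) at /test/10.10_dbg/sql/item_subselect.h:757
"""

if __name__ == "__main__":
    opt_sig, dbg_sig = crash_signature(OPT_TRACE), crash_signature(DBG_TRACE)
    print("opt:", opt_sig)
    print("dbg:", dbg_sig)
    print("first divergent gdb frame:", first_divergent_frame(opt_sig, dbg_sig))
```

The divergence is reported as gdb frame number 3, which is the 4th frame counted from the top, matching the observation in the report; the inlined `Item_func_or_sum::walk` frame in the opt trace, which has no address prefix, is parsed the same way as the others.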
      

      Testcase:

      SELECT 1 WHERE 1 IN (SELECT 1 FROM (SELECT (SELECT 1 FROM (SELECT 1) AS v1) IN (SELECT 1 FROM (SELECT 1) AS v2) AS v3 FROM (SELECT 1) AS v4) AS v5 GROUP BY v3);
      

      Leads to:

      10.10.2 87e8463e0454a04c2bbaa38d44227c491fb07dc1 (Optimized)

      Core was generated by `/test/MD200822-mariadb-10.10.2-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x0000565229b1291b in st_select_lex_node::exclude_from_tree (
          this=this@entry=0x153e1c013298) at /test/10.10_opt/sql/sql_lex.cc:3225
      3225	  if ((*prev= next))
      [Current thread is 1 (Thread 0x153e5dc56700 (LWP 110797))]
      (gdb) bt
      #0  0x0000565229b1291b in st_select_lex_node::exclude_from_tree (this=this@entry=0x153e1c013298) at /test/10.10_opt/sql/sql_lex.cc:3225
      #1  0x0000565229b12996 in st_select_lex_node::exclude (this=0x153e1c013298) at /test/10.10_opt/sql/sql_lex.cc:3237
      #2  0x0000565229e5984e in Item_subselect::eliminate_subselect_processor (this=0x153e1c013a98, arg=<optimized out>) at /test/10.10_opt/sql/item_subselect.cc:395
      #3  0x0000565229e67c78 in Item_in_subselect::walk (this=0x153e1c01a368, processor=&virtual table offset 968, walk_subquery=false, arg=0x0) at /test/10.10_opt/sql/item_subselect.h:757
      #4  0x0000565229a681ec in Item_args::walk_args (arg=0x0, walk_subquery=false, processor=<optimized out>, this=0x153e1c022520) at /test/10.10_opt/sql/item.h:2757
      #5  Item_func_or_sum::walk (this=0x153e1c0224b0, processor=&virtual table offset 968, walk_subquery=false, arg=0x0) at /test/10.10_opt/sql/item.h:5445
      #6  0x0000565229daf121 in Item_direct_view_ref::walk (this=0x153e1c024c90, processor=<optimized out>, walk_subquery=<optimized out>, arg=0x0) at /test/10.10_opt/sql/item.h:6052
      #7  0x0000565229ba4f26 in remove_redundant_subquery_clauses (subq_select_lex=0x153e1c010fb0) at /test/10.10_opt/sql/sql_select.cc:818
      #8  JOIN::prepare (this=0x153e1c01e730, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.10_opt/sql/sql_select.cc:1478
      #9  0x0000565229e610e8 in subselect_single_select_engine::prepare (this=0x153e1c01cb38, thd=0x153e1c000c58) at /test/10.10_opt/sql/sql_lex.h:1367
      #10 0x0000565229e60748 in Item_subselect::fix_fields (this=this@entry=0x153e1c01d4a0, thd_param=thd_param@entry=0x153e1c000c58, ref=ref@entry=0x153e1c01e310) at /test/10.10_opt/sql/item_subselect.cc:295
      #11 0x0000565229e60ac9 in Item_in_subselect::fix_fields (this=0x153e1c01d4a0, thd_arg=0x153e1c000c58, ref=0x153e1c01e310) at /test/10.10_opt/sql/item_subselect.cc:3588
      #12 0x0000565229ad7d5f in Item::fix_fields_if_needed (ref=0x153e1c01e310, thd=0x153e1c000c58, this=0x153e1c01d4a0) at /test/10.10_opt/sql/item.h:1142
      #13 Item::fix_fields_if_needed (ref=0x153e1c01e310, thd=0x153e1c000c58, this=0x153e1c01d4a0) at /test/10.10_opt/sql/item.h:1142
      #14 Item::fix_fields_if_needed_for_scalar (ref=0x153e1c01e310, thd=0x153e1c000c58, this=0x153e1c01d4a0) at /test/10.10_opt/sql/item.h:1148
      #15 Item::fix_fields_if_needed_for_bool (ref=0x153e1c01e310, thd=0x153e1c000c58, this=0x153e1c01d4a0) at /test/10.10_opt/sql/item.h:1152
      #16 setup_conds (thd=thd@entry=0x153e1c000c58, tables=tables@entry=0x0, leaves=@0x153e1c010c40: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56522acc06b0 <end_of_list>, last = 0x153e1c010c40, elements = 0}, <No data fields>}, conds=conds@entry=0x153e1c01e310) at /test/10.10_opt/sql/sql_base.cc:8801
      #17 0x0000565229ba40ea in setup_without_group (reserved=0x153e1c010de4, hidden_group_fields=0x153e1c01e1d7, win_funcs=@0x153e1c010e78: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56522acc06b0 <end_of_list>, last = 0x153e1c010e78, elements = 0}, <No data fields>}, win_specs=@0x153e1c010e60: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56522acc06b0 <end_of_list>, last = 0x153e1c010e60, elements = 0}, <No data fields>}, group=0x0, order=0x0, conds=0x153e1c01e310, all_fields=@0x153e1c01e228: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153e1c010f20, last = 0x153e1c010f20, elements = 1}, <No data fields>}, fields=@0x153e1c010cc8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153e1c010f20, last = 0x153e1c010f20, elements = 1}, <No data fields>}, leaves=@0x153e1c010c40: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56522acc06b0 <end_of_list>, last = 0x153e1c010c40, elements = 0}, <No data fields>}, tables=0x0, ref_pointer_array=<optimized out>, thd=0x153e1c000c58) at /test/10.10_opt/sql/sql_select.cc:884
      #18 JOIN::prepare (this=0x153e1c01de98, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=<optimized out>, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.10_opt/sql/sql_select.cc:1456
      #19 0x0000565229bb654f in mysql_select (thd=0x153e1c000c58, tables=0x0, fields=@0x153e1c010cc8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153e1c010f20, last = 0x153e1c010f20, elements = 1}, <No data fields>}, conds=0x153e1c01d4a0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x153e1c01cc30, unit=0x153e1c004cd0, select_lex=0x153e1c010a28) at /test/10.10_opt/sql/sql_select.cc:5045
      #20 0x0000565229bb67f7 in handle_select (thd=thd@entry=0x153e1c000c58, lex=lex@entry=0x153e1c004bf8, result=result@entry=0x153e1c01cc30, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.10_opt/sql/sql_select.cc:581
      #21 0x0000565229b384f1 in execute_sqlcom_select (thd=0x153e1c000c58, all_tables=0x153e1c012b90) at /test/10.10_opt/sql/sql_parse.cc:6261
      #22 0x0000565229b46138 in mysql_execute_command (thd=0x153e1c000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:3945
      #23 0x0000565229b336f5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x153e1c000c58) at /test/10.10_opt/sql/sql_parse.cc:8035
      #24 mysql_parse (thd=0x153e1c000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:7957
      #25 0x0000565229b3f20a in dispatch_command (command=COM_QUERY, thd=0x153e1c000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.10_opt/sql/sql_class.h:1339
      #26 0x0000565229b41132 in do_command (thd=0x153e1c000c58, blocking=blocking@entry=true) at /test/10.10_opt/sql/sql_parse.cc:1407
      #27 0x0000565229c593af in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56522c3501c8, put_in_cache=put_in_cache@entry=true) at /test/10.10_opt/sql/sql_connect.cc:1418
      #28 0x0000565229c5968d in handle_one_connection (arg=0x56522c3501c8) at /test/10.10_opt/sql/sql_connect.cc:1312
      #29 0x0000153e76c9a609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #30 0x0000153e76886133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.10.2 87e8463e0454a04c2bbaa38d44227c491fb07dc1 (Debug)

      Core was generated by `/test/MD200822-mariadb-10.10.2-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x000055cf3655bb75 in st_select_lex_node::exclude_from_tree (
          this=this@entry=0x1538180167b8) at /test/10.10_dbg/sql/sql_lex.cc:3225
      3225	  if ((*prev= next))
      [Current thread is 1 (Thread 0x15386200c700 (LWP 111085))]
      (gdb) bt
      #0  0x000055cf3655bb75 in st_select_lex_node::exclude_from_tree (this=this@entry=0x1538180167b8) at /test/10.10_dbg/sql/sql_lex.cc:3225
      #1  0x000055cf3655bbed in st_select_lex_node::exclude (this=0x1538180167b8) at /test/10.10_dbg/sql/sql_lex.cc:3237
      #2  0x000055cf3698964c in Item_subselect::eliminate_subselect_processor (this=0x153818016fb8, arg=<optimized out>) at /test/10.10_dbg/sql/item_subselect.cc:395
      #3  0x000055cf36989b18 in Item_subselect::walk (this=0x153818016fb8, processor=<optimized out>, walk_subquery=<optimized out>, argument=0x0) at /test/10.10_dbg/sql/item_subselect.cc:782
      #4  0x000055cf3699c5ce in Item_in_subselect::walk (this=0x15381801dbc8, processor=&virtual table offset 968, walk_subquery=false, arg=0x0) at /test/10.10_dbg/sql/item_subselect.h:757
      #5  0x000055cf364903f9 in Item_args::walk_args (arg=0x0, walk_subquery=false, processor=<optimized out>, this=0x153818026020) at /test/10.10_dbg/sql/item.h:2757
      #6  Item_func_or_sum::walk (this=0x153818025fb0, processor=<optimized out>, walk_subquery=false, arg=0x0) at /test/10.10_dbg/sql/item.h:5445
      #7  0x000055cf368b42ca in Item_direct_view_ref::walk (this=0x153818028828, processor=&virtual Item::eliminate_subselect_processor(void*), walk_subquery=<optimized out>, arg=0x0) at /test/10.10_dbg/sql/item.h:6052
      #8  0x000055cf3660864e in remove_redundant_subquery_clauses (subq_select_lex=0x1538180144d0) at /test/10.10_dbg/sql/sql_select.cc:818
      #9  JOIN::prepare (this=0x153818022008, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.10_dbg/sql/sql_select.cc:1478
      #10 0x000055cf3698fe91 in subselect_single_select_engine::prepare (this=0x153818020398, thd=0x153818000db8) at /test/10.10_dbg/sql/sql_lex.h:1367
      #11 0x000055cf3698f35f in Item_subselect::fix_fields (this=this@entry=0x153818020d70, thd_param=thd_param@entry=0x153818000db8, ref=ref@entry=0x153818021be8) at /test/10.10_dbg/sql/item_subselect.cc:295
      #12 0x000055cf3698f7a4 in Item_in_subselect::fix_fields (this=0x153818020d70, thd_arg=0x153818000db8, ref=0x153818021be8) at /test/10.10_dbg/sql/item_subselect.cc:3588
      #13 0x000055cf36510972 in Item::fix_fields_if_needed (ref=0x153818021be8, thd=0x153818000db8, this=0x153818020d70) at /test/10.10_dbg/sql/item.h:1152
      #14 Item::fix_fields_if_needed_for_scalar (ref=0x153818021be8, thd=0x153818000db8, this=0x153818020d70) at /test/10.10_dbg/sql/item.h:1148
      #15 Item::fix_fields_if_needed_for_bool (ref=0x153818021be8, thd=0x153818000db8, this=0x153818020d70) at /test/10.10_dbg/sql/item.h:1152
      #16 setup_conds (thd=thd@entry=0x153818000db8, tables=tables@entry=0x0, leaves=@0x153818014160: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55cf37b5ac20 <end_of_list>, last = 0x153818014160, elements = 0}, <No data fields>}, conds=conds@entry=0x153818021be8) at /test/10.10_dbg/sql/sql_base.cc:8801
      #17 0x000055cf36607f0f in setup_without_group (reserved=0x153818014304, hidden_group_fields=0x153818021aaf, win_funcs=@0x153818014398: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55cf37b5ac20 <end_of_list>, last = 0x153818014398, elements = 0}, <No data fields>}, win_specs=@0x153818014380: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55cf37b5ac20 <end_of_list>, last = 0x153818014380, elements = 0}, <No data fields>}, group=0x0, order=0x0, conds=0x153818021be8, all_fields=@0x153818021b00: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153818014440, last = 0x153818014440, elements = 1}, <No data fields>}, fields=@0x1538180141e8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153818014440, last = 0x153818014440, elements = 1}, <No data fields>}, leaves=@0x153818014160: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55cf37b5ac20 <end_of_list>, last = 0x153818014160, elements = 0}, <No data fields>}, tables=0x0, ref_pointer_array=<optimized out>, thd=0x153818000db8) at /test/10.10_dbg/sql/sql_select.cc:884
      #18 JOIN::prepare (this=this@entry=0x153818021768, tables_init=tables_init@entry=0x0, conds_init=conds_init@entry=0x153818020d70, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x153818013f48, unit_arg=0x153818004ff0) at /test/10.10_dbg/sql/sql_select.cc:1456
      #19 0x000055cf3661f184 in mysql_select (thd=thd@entry=0x153818000db8, tables=0x0, fields=@0x1538180141e8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153818014440, last = 0x153818014440, elements = 1}, <No data fields>}, conds=0x153818020d70, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x153818020490, unit=0x153818004ff0, select_lex=0x153818013f48) at /test/10.10_dbg/sql/sql_select.cc:5045
      #20 0x000055cf3661f3a2 in handle_select (thd=thd@entry=0x153818000db8, lex=lex@entry=0x153818004f18, result=result@entry=0x153818020490, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.10_dbg/sql/sql_select.cc:581
      #21 0x000055cf365895a6 in execute_sqlcom_select (thd=thd@entry=0x153818000db8, all_tables=0x1538180160b0) at /test/10.10_dbg/sql/sql_parse.cc:6261
      #22 0x000055cf365958c7 in mysql_execute_command (thd=thd@entry=0x153818000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:3945
      #23 0x000055cf36583882 in mysql_parse (thd=thd@entry=0x153818000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x15386200b330) at /test/10.10_dbg/sql/sql_parse.cc:8035
      #24 0x000055cf36590e6a in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x153818000db8, packet=packet@entry=0x15381800b6e9 "SELECT 1 WHERE 1 IN (SELECT 1 FROM (SELECT (SELECT 1 FROM (SELECT 1) AS v1) IN (SELECT 1 FROM (SELECT 1) AS v2) AS v3 FROM (SELECT 1) AS v4) AS v5 GROUP BY v3)", packet_length=packet_length@entry=159, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1339
      #25 0x000055cf36593574 in do_command (thd=0x153818000db8, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407
      #26 0x000055cf366f51da in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55cf39046988, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1418
      #27 0x000055cf366f56e3 in handle_one_connection (arg=0x55cf39046988) at /test/10.10_dbg/sql/sql_connect.cc:1312
      #28 0x000015387b488609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #29 0x000015387b074133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.3.37 (dbg), 10.3.37 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

People

igor Igor Babaev
Roel Roel Van de Paar