[MDEV-29351] SIGSEGV when doing forward reference of item in select list - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL)
Fix Version/s: 10.5.27, 10.6.20, 10.11.10, 11.2.6, 11.4.4
Component/s: Optimizer
Labels:

Description

The testcase below only crashes optimized 10.4+ builds with this UniqueID/stack:

SIGSEGV|Used_tables_and_const_cache::used_tables_and_const_cache_join|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed

However, on debug builds, a set of stacks are seen, which are much more alike to MDEV-28506.

(*select_ref)->fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed

(*select_ref)->fixed|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed

(*select_ref)->is_fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed

On 10.3 optimized we see:

10.3.37 a1055ab35d29437b717e83b1a388eaa02901c42f (Optimized)
ERROR 1247 (42S22) at line 2 in file: 'in.sql': Reference 'c' not supported (forward reference in item list)

For the second and third line of the testcase SQL.

CREATE TABLE t (a INT);

UPDATE t SET c=1 ORDER BY (SELECT c);

UPDATE t SET c=1 ORDER BY (SELECT c);

Leads to:

10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)
10.11.0-opt>CREATE TABLE t (a INT);
Query OK, 0 rows affected (0.016 sec)
10.11.0-opt>UPDATE t SET c=1 ORDER BY (SELECT c);
ERROR 1247 (42S22): Reference 'c' not supported (forward reference in item list)
10.11.0-opt>UPDATE t SET c=1 ORDER BY (SELECT c);
ERROR 2013 (HY000): Lost connection to server during query

10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)
Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00001475c0039828 in ?? ()
[Current thread is 1 (Thread 0x147601e56700 (LWP 1711369))]
(gdb) bt
#0 0x00001475c0039828 in ?? ()
#1 0x000055b718ea9bca in Used_tables_and_const_cache::used_tables_and_const_cache_join (this=0x1475c0011fb8, this=0x1475c0011fb8, item=0x1475c0038d28) at /test/10.11_opt/sql/item.h:5319
#2 Item_field::fix_outer_field (this=0x1475c0011560, thd=0x1475c0000c58, from_field=0x147601e54590, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:5824
#3 0x000055b718eaaa1d in Item_field::fix_fields (this=0x1475c0011560, thd=0x1475c0000c58, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:6121
#4 0x000055b718bd507b in Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
#5 Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
#6 Item::fix_fields_if_needed_for_scalar (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1148
#7 setup_fields (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x1475c00127e0, pre_fix=0x1475c0011398, allow_sum_func=true) at /test/10.11_opt/sql/sql_base.cc:7975
#8 0x000055b718ca30a9 in JOIN::prepare (this=0x1475c0012450, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:1450
#9 0x000055b718f601a8 in subselect_single_select_engine::prepare (this=0x1475c00120d0, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_lex.h:1367
#10 0x000055b718f5f808 in Item_subselect::fix_fields (this=0x1475c0011f48, thd_param=<optimized out>, ref=0x1475c0012138) at /test/10.11_opt/sql/item_subselect.cc:295
#11 0x000055b718c753b4 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
#12 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
#13 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1148
#14 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1156
#15 find_order_in_list (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, tables=0x1475c0010820, order=0x1475c0012128, fields=<optimized out>, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25677
#16 0x000055b718c9f8d5 in setup_order (thd=thd@entry=0x1475c0000c58, ref_pointer_array={m_array = 0x1475c0012360, m_size = 30}, tables=tables@entry=0x1475c0010820, fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, order=0x1475c0012128, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25724
#17 0x000055b718d130d2 in mysql_prepare_update (thd=thd@entry=0x1475c0000c58, table_list=0x1475c0010820, conds=conds@entry=0x147601e54ae0, order_num=order_num@entry=1, order=order@entry=0x1475c0012128) at /test/10.11_opt/sql/sql_update.cc:1455
#18 0x000055b718d13560 in mysql_update (thd=thd@entry=0x1475c0000c58, table_list=<optimized out>, fields=@0x1475c0005770: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110c0, last = 0x1475c00110c0, elements = 1}, <No data fields>}, values=@0x1475c0005ba0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110d0, last = 0x1475c00110d0, elements = 1}, <No data fields>}, conds=<optimized out>, order_num=1, order=0x1475c0012128, limit=18446744073709551615, ignore=false, found_return=0x147601e54f80, updated_return=0x147601e55070) at /test/10.11_opt/sql/sql_update.cc:474
#19 0x000055b718c42c01 in mysql_execute_command (thd=0x1475c0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_limit.h:85
#20 0x000055b718c327b5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_parse.cc:8035
#21 mysql_parse (thd=0x1475c0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7957
#22 0x000055b718c3e2ca in dispatch_command (command=COM_QUERY, thd=0x1475c0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1339
#23 0x000055b718c401f2 in do_command (thd=0x1475c0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
#24 0x000055b718d5846f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b71b40bf08, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418
#25 0x000055b718d5874d in handle_one_connection (arg=0x55b71b40bf08) at /test/10.11_opt/sql/sql_connect.cc:1312
#26 0x000014761ae97609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#27 0x000014761aa83133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.37 (dbg), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.37 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

In summary, whilst 10.3 (dbg) and all other (dbg) versions are affected by theis testcase, it seems that the crash/bug triggered in 10.3+ (dbg) is rather MDEV-28506, whereas the 10.4+ opt crash triggered and described in this bug looks to be a different bug.

Attachments

Issue Links

relates to

MDEV-22713 Assertion `(*select_ref)->is_fixed()' failed in resolve_ref_in_select_and_group

Confirmed

MDEV-29300 Assertion `*ref && (*ref)->fixed()' failed in Item_field::fix_outer_field on SELECT

Confirmed

MDEV-28506 SIGSEGV's in find_field_in_table[s][_ref], Item_field::fix_fields, create_view_field and MemcmpInterceptorCommon | Assertions `(*select_ref)->fixed' or '->is_fixed' and `table_list->table' failed

Stalled

Activity

Ascending order - Click to sort in descending order

View 9 older comments

Roel Van de Paar added a comment - 2024-09-07 03:06 - edited

Additional issues observed, including on optimized/release builds, with this testcase:

CREATE TEMPORARY TABLE t1 (c INT) ENGINE=Aria;

CREATE TABLE t2 (c INT) ENGINE=InnoDB;

INSERT INTO t2 VALUES (0, 1);

EXPLAIN SELECT c+0 FROM t2;

UPDATE t1 SET d=1 ORDER BY (SELECT d);

Leads to:

CS 10.6.20 2e580dc2a8da4aaf3a7f1b3cfb4f897dbb5f7089 (Optimized)
2024-09-07 13:04:15 0 [Note] /test/MD190824-mariadb-10.6.20-linux-x86_64-opt/bin/mariadbd: ready for connections.
Version: '10.6.20-MariaDB' socket: '/test/MD190824-mariadb-10.6.20-linux-x86_64-opt/socket.sock' port: 12659 MariaDB Server
pure virtual method called
terminate called without an active exception

CS 10.6.20 2e580dc2a8da4aaf3a7f1b3cfb4f897dbb5f7089 (Optimized)
Core was generated by `/test/MD190824-mariadb-10.6.20-linux-x86_64-opt/bin/mariadbd --no-defaults --ma'.
Program terminated with signal SIGABRT, Aborted.
Download failed: Invalid argument. Continuing without source file ./nptl/./nptl/pthread_kill.c.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44

[Current thread is 1 (LWP 87395)]
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
#3 0x00001518fe64526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
#4 0x00001518fe6288ff in __GI_abort () at ./stdlib/abort.c:79
#5 0x00001518feaa5ffe in __gnu_cxx::__verbose_terminate_handler ()at ../../../../src/libstdc++-v3/libsupc++/vterminate.cc:95
#6 0x00001518feabae9c in __cxxabiv1::__terminate (handler=<optimized out>)at ../../../../src/libstdc++-v3/libsupc++/eh_terminate.cc:48
#7 0x00001518feaa5a49 in std::terminate ()at ../../../../src/libstdc++-v3/libsupc++/eh_terminate.cc:58
#8 0x00001518feabbc45 in __cxxabiv1::__cxa_pure_virtual ()at ../../../../src/libstdc++-v3/libsupc++/pure.cc:50
#9 0x0000565139a7a213 in Item_ref::fix_fields (this=0x1518a4012cc8, thd=<optimized out>, reference=0x1518a4011980)at /test/10.6_opt/sql/item.cc:8398
#10 0x0000565139a78f90 in Item_field::fix_outer_field (this=this@entry=0x1518a4011860, thd=thd@entry=0x1518a4000c68, from_field=from_field@entry=0x1518fc167400, reference=reference@entry=0x1518a4011980)at /test/10.6_opt/sql/item.cc:6059
#11 0x0000565139a79a1d in Item_field::fix_fields (this=0x1518a4011860, thd=0x1518a4000c68, reference=0x1518a4011980)at /test/10.6_opt/sql/item.cc:6278
#12 0x00005651397941eb in Item::fix_fields_if_needed (ref=0x1518a4011980, thd=0x1518a4000c68, this=0x1518a4011860) at /test/10.6_opt/sql/item.h:1167
#13 Item::fix_fields_if_needed (ref=0x1518a4011980, thd=<optimized out>, this=0x1518a4011860) at /test/10.6_opt/sql/item.h:1165
#14 Item::fix_fields_if_needed_for_scalar (ref=0x1518a4011980, thd=<optimized out>, this=0x1518a4011860) at /test/10.6_opt/sql/item.h:1176
#15 setup_fields (thd=thd@entry=0x1518a4000c68, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x1518a40129f0, pre_fix=0x1518a4011660, allow_sum_func=true) at /test/10.6_opt/sql/sql_base.cc:7779
#16 0x000056513985c723 in JOIN::prepare (this=0x1518a4012698, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x1518a4011390, unit_arg=0x1518a4011998) at /test/10.6_opt/sql/sql_select.cc:1498
#17 0x0000565139b28955 in subselect_single_select_engine::prepare (this=0x1518a4012340, thd=0x1518a4000c68)at /test/10.6_opt/sql/sql_lex.h:1396
#18 0x0000565139b27fbd in Item_subselect::fix_fields (this=0x1518a40121b8, thd_param=<optimized out>, ref=0x1518a40123a8)at /test/10.6_opt/sql/item_subselect.cc:297
#19 0x000056513982b91e in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1518a4000c68, this=0x1518a40121b8) at /test/10.6_opt/sql/item.h:1165
#20 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1518a4000c68, this=0x1518a40121b8) at /test/10.6_opt/sql/item.h:1165
#21 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1518a4000c68, this=0x1518a40121b8) at /test/10.6_opt/sql/item.h:1176
#22 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1518a4000c68, this=0x1518a40121b8) at /test/10.6_opt/sql/item.h:1184
#23 find_order_in_list (thd=thd@entry=0x1518a4000c68, tables=tables@entry=0x1518a4010ab8, order=order@entry=0x1518a4012398, fields=@0x1518fc167830: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56513aa979c0 <end_of_list>, last = 0x1518fc167830, elements = 0}, <No data fields>}, all_fields=@0x1518fc167830: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56513aa979c0 <end_of_list>, last = 0x1518fc167830, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false, ref_pointer_array=<optimized out>)at /test/10.6_opt/sql/sql_select.cc:26101
#24 0x0000565139857f4d in setup_order (thd=thd@entry=0x1518a4000c68, ref_pointer_array=<optimized out>, tables=tables@entry=0x1518a4010ab8, fields=@0x1518fc167830: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56513aa979c0 <end_of_list>, last = 0x1518fc167830, elements = 0}, <No data fields>}, all_fields=@0x1518fc167830: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56513aa979c0 <end_of_list>, last = 0x1518fc167830, elements = 0}, <No data fields>}, order=0x1518a4012398, from_window_spec=false)at /test/10.6_opt/sql/sql_select.cc:26148
#25 0x00005651398d9d8b in mysql_prepare_update (thd=thd@entry=0x1518a4000c68, table_list=0x1518a4010ab8, conds=conds@entry=0x1518fc167940, order_num=order_num@entry=1, order=order@entry=0x1518a4012398)at /test/10.6_opt/sql/sql_update.cc:1456
#26 0x00005651398da21c in mysql_update (thd=thd@entry=0x1518a4000c68, table_list=<optimized out>, fields=@0x1518a4005958: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1518a4011370, last = 0x1518a4011370, elements = 1}, <No data fields>}, values=@0x1518a4005db8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1518a4011380, last = 0x1518a4011380, elements = 1}, <No data fields>}, conds=<optimized out>, order_num=1, order=0x1518a4012398, limit=18446744073709551615, ignore=false, found_return=0x1518fc167e00, updated_return=0x1518fc167f70) at /test/10.6_opt/sql/sql_update.cc:479
#27 0x00005651397ff840 in mysql_execute_command (thd=thd@entry=0x1518a4000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/10.6_opt/sql/sql_parse.cc:4452
#28 0x000056513980368e in mysql_parse (thd=0x1518a4000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.6_opt/sql/sql_parse.cc:8165
#29 0x0000565139806055 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1518a4000c68, packet=packet@entry=0x1518a4008629 "UPDATE t1 SET d=1 ORDER BY (SELECT d)", packet_length=packet_length@entry=37, blocking=blocking@entry=true)at /test/10.6_opt/sql/sql_parse.cc:1996
#30 0x0000565139807cfd in do_command (thd=0x1518a4000c68, blocking=blocking@entry=true) at /test/10.6_opt/sql/sql_parse.cc:1410
#31 0x000056513992386f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56513bc25c18, put_in_cache=put_in_cache@entry=true)at /test/10.6_opt/sql/sql_connect.cc:1417
#32 0x0000565139923bdd in handle_one_connection (arg=arg@entry=0x56513bc25c18)at /test/10.6_opt/sql/sql_connect.cc:1319
#33 0x0000565139ce54c3 in pfs_spawn_thread (arg=0x56513bbced68)at /test/10.6_opt/storage/perfschema/pfs.cc:2201
#34 0x00001518fe69ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#35 0x00001518fe729c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

MTR testcase (produces stack seen earlier in this issue):

CREATE TEMPORARY TABLE t1 (c INT) ENGINE=Aria;

CREATE TABLE t2 (c INT);

--error ER_WRONG_VALUE_COUNT_ON_ROW

INSERT INTO t2 VALUES (0, 1);

EXPLAIN SELECT c+0 FROM t2;

--error ER_BAD_FIELD_ERROR

UPDATE t1 SET d=1 ORDER BY (SELECT d);

Please use the native CLI to reproduce the stack in this comment.

Roel Van de Paar added a comment - 2024-09-07 03:06 - edited Additional issues observed, including on optimized/release builds, with this testcase: CREATE TEMPORARY TABLE t1 (c INT ) ENGINE=Aria; CREATE TABLE t2 (c INT ) ENGINE=InnoDB; INSERT INTO t2 VALUES (0, 1); EXPLAIN SELECT c+0 FROM t2; UPDATE t1 SET d=1 ORDER BY ( SELECT d); Leads to: CS 10.6.20 2e580dc2a8da4aaf3a7f1b3cfb4f897dbb5f7089 (Optimized) 2024-09-07 13:04:15 0 [Note] /test/MD190824-mariadb-10.6.20-linux-x86_64-opt/bin/mariadbd: ready for connections. Version: '10.6.20-MariaDB' socket: '/test/MD190824-mariadb-10.6.20-linux-x86_64-opt/socket.sock' port: 12659 MariaDB Server pure virtual method called terminate called without an active exception CS 10.6.20 2e580dc2a8da4aaf3a7f1b3cfb4f897dbb5f7089 (Optimized) Core was generated by `/test/MD190824-mariadb-10.6.20-linux-x86_64-opt/bin/mariadbd --no-defaults --ma'. Program terminated with signal SIGABRT, Aborted. Download failed: Invalid argument. Continuing without source file ./nptl/./nptl/pthread_kill.c. #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44 [Current thread is 1 (LWP 87395)] (gdb) bt #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89 #3 0x00001518fe64526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26 #4 0x00001518fe6288ff in __GI_abort () at ./stdlib/abort.c:79 #5 0x00001518feaa5ffe in __gnu_cxx::__verbose_terminate_handler ()at ../../../../src/libstdc++-v3/libsupc++/vterminate.cc:95 #6 0x00001518feabae9c in __cxxabiv1::__terminate (handler=<optimized out>)at ../../../../src/libstdc++-v3/libsupc++/eh_terminate.cc:48 #7 0x00001518feaa5a49 in std::terminate ()at ../../../../src/libstdc++-v3/libsupc++/eh_terminate.cc:58 #8 0x00001518feabbc45 in __cxxabiv1::__cxa_pure_virtual ()at ../../../../src/libstdc++-v3/libsupc++/pure.cc:50 #9 0x0000565139a7a213 in Item_ref::fix_fields (this=0x1518a4012cc8, thd=<optimized out>, reference=0x1518a4011980)at /test/10.6_opt/sql/item.cc:8398 #10 0x0000565139a78f90 in Item_field::fix_outer_field (this=this@entry=0x1518a4011860, thd=thd@entry=0x1518a4000c68, from_field=from_field@entry=0x1518fc167400, reference=reference@entry=0x1518a4011980)at /test/10.6_opt/sql/item.cc:6059 #11 0x0000565139a79a1d in Item_field::fix_fields (this=0x1518a4011860, thd=0x1518a4000c68, reference=0x1518a4011980)at /test/10.6_opt/sql/item.cc:6278 #12 0x00005651397941eb in Item::fix_fields_if_needed (ref=0x1518a4011980, thd=0x1518a4000c68, this=0x1518a4011860) at /test/10.6_opt/sql/item.h:1167 #13 Item::fix_fields_if_needed (ref=0x1518a4011980, thd=<optimized out>, this=0x1518a4011860) at /test/10.6_opt/sql/item.h:1165 #14 Item::fix_fields_if_needed_for_scalar (ref=0x1518a4011980, thd=<optimized out>, this=0x1518a4011860) at /test/10.6_opt/sql/item.h:1176 #15 setup_fields (thd=thd@entry=0x1518a4000c68, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x1518a40129f0, pre_fix=0x1518a4011660, allow_sum_func=true) at /test/10.6_opt/sql/sql_base.cc:7779 #16 0x000056513985c723 in JOIN::prepare (this=0x1518a4012698, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x1518a4011390, unit_arg=0x1518a4011998) at /test/10.6_opt/sql/sql_select.cc:1498 #17 0x0000565139b28955 in subselect_single_select_engine::prepare (this=0x1518a4012340, thd=0x1518a4000c68)at /test/10.6_opt/sql/sql_lex.h:1396 #18 0x0000565139b27fbd in Item_subselect::fix_fields (this=0x1518a40121b8, thd_param=<optimized out>, ref=0x1518a40123a8)at /test/10.6_opt/sql/item_subselect.cc:297 #19 0x000056513982b91e in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1518a4000c68, this=0x1518a40121b8) at /test/10.6_opt/sql/item.h:1165 #20 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1518a4000c68, this=0x1518a40121b8) at /test/10.6_opt/sql/item.h:1165 #21 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1518a4000c68, this=0x1518a40121b8) at /test/10.6_opt/sql/item.h:1176 #22 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1518a4000c68, this=0x1518a40121b8) at /test/10.6_opt/sql/item.h:1184 #23 find_order_in_list (thd=thd@entry=0x1518a4000c68, tables=tables@entry=0x1518a4010ab8, order=order@entry=0x1518a4012398, fields=@0x1518fc167830: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56513aa979c0 <end_of_list>, last = 0x1518fc167830, elements = 0}, <No data fields>}, all_fields=@0x1518fc167830: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56513aa979c0 <end_of_list>, last = 0x1518fc167830, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false, ref_pointer_array=<optimized out>)at /test/10.6_opt/sql/sql_select.cc:26101 #24 0x0000565139857f4d in setup_order (thd=thd@entry=0x1518a4000c68, ref_pointer_array=<optimized out>, tables=tables@entry=0x1518a4010ab8, fields=@0x1518fc167830: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56513aa979c0 <end_of_list>, last = 0x1518fc167830, elements = 0}, <No data fields>}, all_fields=@0x1518fc167830: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56513aa979c0 <end_of_list>, last = 0x1518fc167830, elements = 0}, <No data fields>}, order=0x1518a4012398, from_window_spec=false)at /test/10.6_opt/sql/sql_select.cc:26148 #25 0x00005651398d9d8b in mysql_prepare_update (thd=thd@entry=0x1518a4000c68, table_list=0x1518a4010ab8, conds=conds@entry=0x1518fc167940, order_num=order_num@entry=1, order=order@entry=0x1518a4012398)at /test/10.6_opt/sql/sql_update.cc:1456 #26 0x00005651398da21c in mysql_update (thd=thd@entry=0x1518a4000c68, table_list=<optimized out>, fields=@0x1518a4005958: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1518a4011370, last = 0x1518a4011370, elements = 1}, <No data fields>}, values=@0x1518a4005db8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1518a4011380, last = 0x1518a4011380, elements = 1}, <No data fields>}, conds=<optimized out>, order_num=1, order=0x1518a4012398, limit=18446744073709551615, ignore=false, found_return=0x1518fc167e00, updated_return=0x1518fc167f70) at /test/10.6_opt/sql/sql_update.cc:479 #27 0x00005651397ff840 in mysql_execute_command (thd=thd@entry=0x1518a4000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/10.6_opt/sql/sql_parse.cc:4452 #28 0x000056513980368e in mysql_parse (thd=0x1518a4000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.6_opt/sql/sql_parse.cc:8165 #29 0x0000565139806055 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1518a4000c68, packet=packet@entry=0x1518a4008629 "UPDATE t1 SET d=1 ORDER BY (SELECT d)", packet_length=packet_length@entry=37, blocking=blocking@entry=true)at /test/10.6_opt/sql/sql_parse.cc:1996 #30 0x0000565139807cfd in do_command (thd=0x1518a4000c68, blocking=blocking@entry=true) at /test/10.6_opt/sql/sql_parse.cc:1410 #31 0x000056513992386f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56513bc25c18, put_in_cache=put_in_cache@entry=true)at /test/10.6_opt/sql/sql_connect.cc:1417 #32 0x0000565139923bdd in handle_one_connection (arg=arg@entry=0x56513bc25c18)at /test/10.6_opt/sql/sql_connect.cc:1319 #33 0x0000565139ce54c3 in pfs_spawn_thread (arg=0x56513bbced68)at /test/10.6_opt/storage/perfschema/pfs.cc:2201 #34 0x00001518fe69ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447 #35 0x00001518fe729c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 MTR testcase (produces stack seen earlier in this issue): CREATE TEMPORARY TABLE t1 (c INT ) ENGINE=Aria; CREATE TABLE t2 (c INT ); --error ER_WRONG_VALUE_COUNT_ON_ROW INSERT INTO t2 VALUES (0, 1); EXPLAIN SELECT c+0 FROM t2; --error ER_BAD_FIELD_ERROR UPDATE t1 SET d=1 ORDER BY ( SELECT d); Please use the native CLI to reproduce the stack in this comment.

Roel Van de Paar added a comment - 2024-09-20 23:45 - edited

Additional testcase.

CLI:

CREATE TABLE t (a INT);  # InnoDB

INSERT INTO t VALUES('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',0);

UPDATE t SET c=1 ORDER BY (SELECT c);

MTR:

CREATE TABLE t (a INT);  # MyISAM

--error 1136

INSERT INTO t VALUES('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',0);

UPDATE t SET c=1 ORDER BY (SELECT c);

Removing a single 'a' leads to non-reproducibility likely indicating memory corruption / misalignment.

Bug confirmed present in:
MariaDB: 10.5.27 (dbg), 10.6.20 (dbg), 10.6.20 (opt), 10.11.10 (dbg), 10.11.10 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.5.27 (opt), 11.2.6 (dbg), 11.2.6 (opt), 11.4.4 (dbg), 11.4.4 (opt), 11.6.2 (dbg), 11.6.2 (opt), 11.7.0 (dbg), 11.7.0 (opt)

Roel Van de Paar added a comment - 2024-09-20 23:45 - edited Additional testcase. CLI: CREATE TABLE t (a INT ); # InnoDB INSERT INTO t VALUES ( 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' ,0); UPDATE t SET c=1 ORDER BY ( SELECT c); MTR: CREATE TABLE t (a INT ); # MyISAM --error 1136 INSERT INTO t VALUES ( 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' ,0); UPDATE t SET c=1 ORDER BY ( SELECT c); Removing a single 'a' leads to non-reproducibility likely indicating memory corruption / misalignment. Bug confirmed present in: MariaDB: 10.5.27 (dbg), 10.6.20 (dbg), 10.6.20 (opt), 10.11.10 (dbg), 10.11.10 (opt) Bug (or feature/syntax) confirmed not present in: MariaDB: 10.5.27 (opt), 11.2.6 (dbg), 11.2.6 (opt), 11.4.4 (dbg), 11.4.4 (opt), 11.6.2 (dbg), 11.6.2 (opt), 11.7.0 (dbg), 11.7.0 (opt)

Michael Widenius added a comment - 2024-10-09 15:08

~~MDEV-29351~~ SIGSEGV when doing forward reference of item in select list

The reason for the crash was the code assumed that
SELECT_LEX.ref_pointer_array would be initialized with zero, which was
not the case. This cause the test of
if (!select->ref_pointer_array[counter]) in item.cc to be unpredictable and cause crashes

Fixed by zero-filling ref_pointer_array on allocation.

Michael Widenius added a comment - 2024-10-09 15:08 MDEV-29351 SIGSEGV when doing forward reference of item in select list The reason for the crash was the code assumed that SELECT_LEX.ref_pointer_array would be initialized with zero, which was not the case. This cause the test of if (!select->ref_pointer_array [counter] ) in item.cc to be unpredictable and cause crashes Fixed by zero-filling ref_pointer_array on allocation.

Michael Widenius added a comment - 2024-10-09 15:08

Fix pushed to bb-10.5-monty for testing

Michael Widenius added a comment - 2024-10-09 15:08 Fix pushed to bb-10.5-monty for testing

Michael Widenius added a comment - 2024-10-16 15:12

Pushed to 10.5 tree

Michael Widenius added a comment - 2024-10-16 15:12 Pushed to 10.5 tree

People

Assignee:: Michael Widenius

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2022-08-23 00:36

Updated:: 2024-10-16 15:12

Resolved:: 2024-10-16 15:12

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.