[MDEV-29351] SIGSEGV when doing forward reference of item in select list - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL)
Fix Version/s: 10.5.27, 10.6.20, 10.11.10, 11.2.6, 11.4.4
Component/s: Optimizer
Labels:

Description

The testcase below only crashes optimized 10.4+ builds with this UniqueID/stack:

SIGSEGV|Used_tables_and_const_cache::used_tables_and_const_cache_join|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed

However, on debug builds, a set of stacks are seen, which are much more alike to MDEV-28506.

(*select_ref)->fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed

(*select_ref)->fixed|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed

(*select_ref)->is_fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed

On 10.3 optimized we see:

10.3.37 a1055ab35d29437b717e83b1a388eaa02901c42f (Optimized)
ERROR 1247 (42S22) at line 2 in file: 'in.sql': Reference 'c' not supported (forward reference in item list)

For the second and third line of the testcase SQL.

CREATE TABLE t (a INT);

UPDATE t SET c=1 ORDER BY (SELECT c);

UPDATE t SET c=1 ORDER BY (SELECT c);

Leads to:

10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)
10.11.0-opt>CREATE TABLE t (a INT);
Query OK, 0 rows affected (0.016 sec)
10.11.0-opt>UPDATE t SET c=1 ORDER BY (SELECT c);
ERROR 1247 (42S22): Reference 'c' not supported (forward reference in item list)
10.11.0-opt>UPDATE t SET c=1 ORDER BY (SELECT c);
ERROR 2013 (HY000): Lost connection to server during query

10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)
Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00001475c0039828 in ?? ()
[Current thread is 1 (Thread 0x147601e56700 (LWP 1711369))]
(gdb) bt
#0 0x00001475c0039828 in ?? ()
#1 0x000055b718ea9bca in Used_tables_and_const_cache::used_tables_and_const_cache_join (this=0x1475c0011fb8, this=0x1475c0011fb8, item=0x1475c0038d28) at /test/10.11_opt/sql/item.h:5319
#2 Item_field::fix_outer_field (this=0x1475c0011560, thd=0x1475c0000c58, from_field=0x147601e54590, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:5824
#3 0x000055b718eaaa1d in Item_field::fix_fields (this=0x1475c0011560, thd=0x1475c0000c58, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:6121
#4 0x000055b718bd507b in Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
#5 Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
#6 Item::fix_fields_if_needed_for_scalar (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1148
#7 setup_fields (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x1475c00127e0, pre_fix=0x1475c0011398, allow_sum_func=true) at /test/10.11_opt/sql/sql_base.cc:7975
#8 0x000055b718ca30a9 in JOIN::prepare (this=0x1475c0012450, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:1450
#9 0x000055b718f601a8 in subselect_single_select_engine::prepare (this=0x1475c00120d0, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_lex.h:1367
#10 0x000055b718f5f808 in Item_subselect::fix_fields (this=0x1475c0011f48, thd_param=<optimized out>, ref=0x1475c0012138) at /test/10.11_opt/sql/item_subselect.cc:295
#11 0x000055b718c753b4 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
#12 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
#13 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1148
#14 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1156
#15 find_order_in_list (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, tables=0x1475c0010820, order=0x1475c0012128, fields=<optimized out>, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25677
#16 0x000055b718c9f8d5 in setup_order (thd=thd@entry=0x1475c0000c58, ref_pointer_array={m_array = 0x1475c0012360, m_size = 30}, tables=tables@entry=0x1475c0010820, fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, order=0x1475c0012128, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25724
#17 0x000055b718d130d2 in mysql_prepare_update (thd=thd@entry=0x1475c0000c58, table_list=0x1475c0010820, conds=conds@entry=0x147601e54ae0, order_num=order_num@entry=1, order=order@entry=0x1475c0012128) at /test/10.11_opt/sql/sql_update.cc:1455
#18 0x000055b718d13560 in mysql_update (thd=thd@entry=0x1475c0000c58, table_list=<optimized out>, fields=@0x1475c0005770: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110c0, last = 0x1475c00110c0, elements = 1}, <No data fields>}, values=@0x1475c0005ba0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110d0, last = 0x1475c00110d0, elements = 1}, <No data fields>}, conds=<optimized out>, order_num=1, order=0x1475c0012128, limit=18446744073709551615, ignore=false, found_return=0x147601e54f80, updated_return=0x147601e55070) at /test/10.11_opt/sql/sql_update.cc:474
#19 0x000055b718c42c01 in mysql_execute_command (thd=0x1475c0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_limit.h:85
#20 0x000055b718c327b5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_parse.cc:8035
#21 mysql_parse (thd=0x1475c0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7957
#22 0x000055b718c3e2ca in dispatch_command (command=COM_QUERY, thd=0x1475c0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1339
#23 0x000055b718c401f2 in do_command (thd=0x1475c0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
#24 0x000055b718d5846f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b71b40bf08, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418
#25 0x000055b718d5874d in handle_one_connection (arg=0x55b71b40bf08) at /test/10.11_opt/sql/sql_connect.cc:1312
#26 0x000014761ae97609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#27 0x000014761aa83133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.37 (dbg), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.37 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

In summary, whilst 10.3 (dbg) and all other (dbg) versions are affected by theis testcase, it seems that the crash/bug triggered in 10.3+ (dbg) is rather MDEV-28506, whereas the 10.4+ opt crash triggered and described in this bug looks to be a different bug.

Attachments

Issue Links

relates to

MDEV-22713 Assertion `(*select_ref)->is_fixed()' failed in resolve_ref_in_select_and_group

Confirmed

MDEV-29300 Assertion `*ref && (*ref)->fixed()' failed in Item_field::fix_outer_field on SELECT

Confirmed

MDEV-28506 SIGSEGV's in find_field_in_table[s][_ref], Item_field::fix_fields, create_view_field and MemcmpInterceptorCommon | Assertions `(*select_ref)->fixed' or '->is_fixed' and `table_list->table' failed

Stalled

Activity

People

Assignee:: Michael Widenius

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2022-08-23 00:36

Updated:: 2024-10-16 15:12

Resolved:: 2024-10-16 15:12

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.