Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-29351

SIGSEGV when doing forward reference of item in select list

Details

    Description

      The testcase below only crashes optimized 10.4+ builds with this UniqueID/stack:

      SIGSEGV|Used_tables_and_const_cache::used_tables_and_const_cache_join|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
      

      However, on debug builds, a set of stacks are seen, which are much more alike to MDEV-28506.

      (*select_ref)->fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
      (*select_ref)->fixed|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
      (*select_ref)->is_fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
      

      On 10.3 optimized we see:

      10.3.37 a1055ab35d29437b717e83b1a388eaa02901c42f (Optimized)

      ERROR 1247 (42S22) at line 2 in file: 'in.sql': Reference 'c' not supported (forward reference in item list)
      

      For the second and third line of the testcase SQL.

      CREATE TABLE t (a INT);
      UPDATE t SET c=1 ORDER BY (SELECT c);
      UPDATE t SET c=1 ORDER BY (SELECT c);
      

      Leads to:

      10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)

      10.11.0-opt>CREATE TABLE t (a INT);
      Query OK, 0 rows affected (0.016 sec)
      10.11.0-opt>UPDATE t SET c=1 ORDER BY (SELECT c);
      ERROR 1247 (42S22): Reference 'c' not supported (forward reference in item list)
      10.11.0-opt>UPDATE t SET c=1 ORDER BY (SELECT c);
      ERROR 2013 (HY000): Lost connection to server during query
      

      10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)

      Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x00001475c0039828 in ?? ()
      [Current thread is 1 (Thread 0x147601e56700 (LWP 1711369))]
      (gdb) bt
      #0  0x00001475c0039828 in ?? ()
      #1  0x000055b718ea9bca in Used_tables_and_const_cache::used_tables_and_const_cache_join (this=0x1475c0011fb8, this=0x1475c0011fb8, item=0x1475c0038d28) at /test/10.11_opt/sql/item.h:5319
      #2  Item_field::fix_outer_field (this=0x1475c0011560, thd=0x1475c0000c58, from_field=0x147601e54590, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:5824
      #3  0x000055b718eaaa1d in Item_field::fix_fields (this=0x1475c0011560, thd=0x1475c0000c58, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:6121
      #4  0x000055b718bd507b in Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
      #5  Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
      #6  Item::fix_fields_if_needed_for_scalar (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1148
      #7  setup_fields (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x1475c00127e0, pre_fix=0x1475c0011398, allow_sum_func=true) at /test/10.11_opt/sql/sql_base.cc:7975
      #8  0x000055b718ca30a9 in JOIN::prepare (this=0x1475c0012450, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:1450
      #9  0x000055b718f601a8 in subselect_single_select_engine::prepare (this=0x1475c00120d0, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_lex.h:1367
      #10 0x000055b718f5f808 in Item_subselect::fix_fields (this=0x1475c0011f48, thd_param=<optimized out>, ref=0x1475c0012138) at /test/10.11_opt/sql/item_subselect.cc:295
      #11 0x000055b718c753b4 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
      #12 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
      #13 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1148
      #14 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1156
      #15 find_order_in_list (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, tables=0x1475c0010820, order=0x1475c0012128, fields=<optimized out>, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25677
      #16 0x000055b718c9f8d5 in setup_order (thd=thd@entry=0x1475c0000c58, ref_pointer_array={m_array = 0x1475c0012360, m_size = 30}, tables=tables@entry=0x1475c0010820, fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, order=0x1475c0012128, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25724
      #17 0x000055b718d130d2 in mysql_prepare_update (thd=thd@entry=0x1475c0000c58, table_list=0x1475c0010820, conds=conds@entry=0x147601e54ae0, order_num=order_num@entry=1, order=order@entry=0x1475c0012128) at /test/10.11_opt/sql/sql_update.cc:1455
      #18 0x000055b718d13560 in mysql_update (thd=thd@entry=0x1475c0000c58, table_list=<optimized out>, fields=@0x1475c0005770: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110c0, last = 0x1475c00110c0, elements = 1}, <No data fields>}, values=@0x1475c0005ba0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110d0, last = 0x1475c00110d0, elements = 1}, <No data fields>}, conds=<optimized out>, order_num=1, order=0x1475c0012128, limit=18446744073709551615, ignore=false, found_return=0x147601e54f80, updated_return=0x147601e55070) at /test/10.11_opt/sql/sql_update.cc:474
      #19 0x000055b718c42c01 in mysql_execute_command (thd=0x1475c0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_limit.h:85
      #20 0x000055b718c327b5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_parse.cc:8035
      #21 mysql_parse (thd=0x1475c0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7957
      #22 0x000055b718c3e2ca in dispatch_command (command=COM_QUERY, thd=0x1475c0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1339
      #23 0x000055b718c401f2 in do_command (thd=0x1475c0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
      #24 0x000055b718d5846f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b71b40bf08, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418
      #25 0x000055b718d5874d in handle_one_connection (arg=0x55b71b40bf08) at /test/10.11_opt/sql/sql_connect.cc:1312
      #26 0x000014761ae97609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #27 0x000014761aa83133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.3.37 (dbg), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.3.37 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

      In summary, whilst 10.3 (dbg) and all other (dbg) versions are affected by theis testcase, it seems that the crash/bug triggered in 10.3+ (dbg) is rather MDEV-28506, whereas the 10.4+ opt crash triggered and described in this bug looks to be a different bug.

      Attachments

        Issue Links

          Activity

            Roel Roel Van de Paar created issue -
            Roel Roel Van de Paar made changes -
            Field Original Value New Value
            Roel Roel Van de Paar made changes -
            Description The testcase below only crashes optimized 10.4+ builds with this UniqueID/stack:
            {noformat}
            SIGSEGV|Used_tables_and_const_cache::used_tables_and_const_cache_join|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            {noformat}
            However, on debug builds, a set of stacks are seen, which are much more alike to MDEV-28506.
            {noformat}
            (*select_ref)->fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            (*select_ref)->fixed|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            (*select_ref)->is_fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            {noformat}
            On 10.3 optimized we see:
            {noformat:title=10.3.37 a1055ab35d29437b717e83b1a388eaa02901c42f (Optimized)}
            ERROR 1247 (42S22) at line 2 in file: 'in.sql': Reference 'c' not supported (forward reference in item list)
            {noformat}
            For the second and third line of the testcase SQL.
            {code:sql}
            CREATE TABLE t (a INT);
            UPDATE t SET c=1 ORDER BY (SELECT c LIMIT 0);
            UPDATE t SET c=1 ORDER BY (SELECT c LIMIT 0);
            {code}

            Leads to:

            {noformat:title=10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)}
            Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0 0x00001475c0039828 in ?? ()
            [Current thread is 1 (Thread 0x147601e56700 (LWP 1711369))]
            (gdb) bt
            #0 0x00001475c0039828 in ?? ()
            #1 0x000055b718ea9bca in Used_tables_and_const_cache::used_tables_and_const_cache_join (this=0x1475c0011fb8, this=0x1475c0011fb8, item=0x1475c0038d28) at /test/10.11_opt/sql/item.h:5319
            #2 Item_field::fix_outer_field (this=0x1475c0011560, thd=0x1475c0000c58, from_field=0x147601e54590, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:5824
            #3 0x000055b718eaaa1d in Item_field::fix_fields (this=0x1475c0011560, thd=0x1475c0000c58, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:6121
            #4 0x000055b718bd507b in Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
            #5 Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
            #6 Item::fix_fields_if_needed_for_scalar (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1148
            #7 setup_fields (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x1475c00127e0, pre_fix=0x1475c0011398, allow_sum_func=true) at /test/10.11_opt/sql/sql_base.cc:7975
            #8 0x000055b718ca30a9 in JOIN::prepare (this=0x1475c0012450, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:1450
            #9 0x000055b718f601a8 in subselect_single_select_engine::prepare (this=0x1475c00120d0, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_lex.h:1367
            #10 0x000055b718f5f808 in Item_subselect::fix_fields (this=0x1475c0011f48, thd_param=<optimized out>, ref=0x1475c0012138) at /test/10.11_opt/sql/item_subselect.cc:295
            #11 0x000055b718c753b4 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
            #12 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
            #13 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1148
            #14 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1156
            #15 find_order_in_list (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, tables=0x1475c0010820, order=0x1475c0012128, fields=<optimized out>, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25677
            #16 0x000055b718c9f8d5 in setup_order (thd=thd@entry=0x1475c0000c58, ref_pointer_array={m_array = 0x1475c0012360, m_size = 30}, tables=tables@entry=0x1475c0010820, fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, order=0x1475c0012128, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25724
            #17 0x000055b718d130d2 in mysql_prepare_update (thd=thd@entry=0x1475c0000c58, table_list=0x1475c0010820, conds=conds@entry=0x147601e54ae0, order_num=order_num@entry=1, order=order@entry=0x1475c0012128) at /test/10.11_opt/sql/sql_update.cc:1455
            #18 0x000055b718d13560 in mysql_update (thd=thd@entry=0x1475c0000c58, table_list=<optimized out>, fields=@0x1475c0005770: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110c0, last = 0x1475c00110c0, elements = 1}, <No data fields>}, values=@0x1475c0005ba0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110d0, last = 0x1475c00110d0, elements = 1}, <No data fields>}, conds=<optimized out>, order_num=1, order=0x1475c0012128, limit=18446744073709551615, ignore=false, found_return=0x147601e54f80, updated_return=0x147601e55070) at /test/10.11_opt/sql/sql_update.cc:474
            #19 0x000055b718c42c01 in mysql_execute_command (thd=0x1475c0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_limit.h:85
            #20 0x000055b718c327b5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_parse.cc:8035
            #21 mysql_parse (thd=0x1475c0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7957
            #22 0x000055b718c3e2ca in dispatch_command (command=COM_QUERY, thd=0x1475c0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1339
            #23 0x000055b718c401f2 in do_command (thd=0x1475c0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
            #24 0x000055b718d5846f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b71b40bf08, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418
            #25 0x000055b718d5874d in handle_one_connection (arg=0x55b71b40bf08) at /test/10.11_opt/sql/sql_connect.cc:1312
            #26 0x000014761ae97609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #27 0x000014761aa83133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            {noformat}

            Bug confirmed present in:
            MariaDB: 10.3.37 (dbg), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.3.37 (opt)
            MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

            In summary, whilst 10.3 (dbg) and all other (dbg) versions are affected by theis testcase, it seems that the crash/bug triggered in 10.3+ (dbg) is rather MDEV-28506, whereas the 10.4+ opt crash triggered and described in this bug looks to be a different bug.
            The testcase below only crashes optimized 10.4+ builds with this UniqueID/stack:
            {noformat}
            SIGSEGV|Used_tables_and_const_cache::used_tables_and_const_cache_join|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            {noformat}
            However, on debug builds, a set of stacks are seen, which are much more alike to MDEV-28506.
            {noformat}
            (*select_ref)->fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            (*select_ref)->fixed|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            (*select_ref)->is_fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            {noformat}
            On 10.3 optimized we see:
            {noformat:title=10.3.37 a1055ab35d29437b717e83b1a388eaa02901c42f (Optimized)}
            ERROR 1247 (42S22) at line 2 in file: 'in.sql': Reference 'c' not supported (forward reference in item list)
            {noformat}
            For the second and third line of the testcase SQL.
            {code:sql}
            CREATE TABLE t (a INT);
            UPDATE t SET c=1 ORDER BY (SELECT c);
            UPDATE t SET c=1 ORDER BY (SELECT c);
            {code}

            Leads to:

            {noformat:title=10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)}
            Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0 0x00001475c0039828 in ?? ()
            [Current thread is 1 (Thread 0x147601e56700 (LWP 1711369))]
            (gdb) bt
            #0 0x00001475c0039828 in ?? ()
            #1 0x000055b718ea9bca in Used_tables_and_const_cache::used_tables_and_const_cache_join (this=0x1475c0011fb8, this=0x1475c0011fb8, item=0x1475c0038d28) at /test/10.11_opt/sql/item.h:5319
            #2 Item_field::fix_outer_field (this=0x1475c0011560, thd=0x1475c0000c58, from_field=0x147601e54590, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:5824
            #3 0x000055b718eaaa1d in Item_field::fix_fields (this=0x1475c0011560, thd=0x1475c0000c58, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:6121
            #4 0x000055b718bd507b in Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
            #5 Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
            #6 Item::fix_fields_if_needed_for_scalar (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1148
            #7 setup_fields (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x1475c00127e0, pre_fix=0x1475c0011398, allow_sum_func=true) at /test/10.11_opt/sql/sql_base.cc:7975
            #8 0x000055b718ca30a9 in JOIN::prepare (this=0x1475c0012450, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:1450
            #9 0x000055b718f601a8 in subselect_single_select_engine::prepare (this=0x1475c00120d0, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_lex.h:1367
            #10 0x000055b718f5f808 in Item_subselect::fix_fields (this=0x1475c0011f48, thd_param=<optimized out>, ref=0x1475c0012138) at /test/10.11_opt/sql/item_subselect.cc:295
            #11 0x000055b718c753b4 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
            #12 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
            #13 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1148
            #14 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1156
            #15 find_order_in_list (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, tables=0x1475c0010820, order=0x1475c0012128, fields=<optimized out>, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25677
            #16 0x000055b718c9f8d5 in setup_order (thd=thd@entry=0x1475c0000c58, ref_pointer_array={m_array = 0x1475c0012360, m_size = 30}, tables=tables@entry=0x1475c0010820, fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, order=0x1475c0012128, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25724
            #17 0x000055b718d130d2 in mysql_prepare_update (thd=thd@entry=0x1475c0000c58, table_list=0x1475c0010820, conds=conds@entry=0x147601e54ae0, order_num=order_num@entry=1, order=order@entry=0x1475c0012128) at /test/10.11_opt/sql/sql_update.cc:1455
            #18 0x000055b718d13560 in mysql_update (thd=thd@entry=0x1475c0000c58, table_list=<optimized out>, fields=@0x1475c0005770: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110c0, last = 0x1475c00110c0, elements = 1}, <No data fields>}, values=@0x1475c0005ba0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110d0, last = 0x1475c00110d0, elements = 1}, <No data fields>}, conds=<optimized out>, order_num=1, order=0x1475c0012128, limit=18446744073709551615, ignore=false, found_return=0x147601e54f80, updated_return=0x147601e55070) at /test/10.11_opt/sql/sql_update.cc:474
            #19 0x000055b718c42c01 in mysql_execute_command (thd=0x1475c0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_limit.h:85
            #20 0x000055b718c327b5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_parse.cc:8035
            #21 mysql_parse (thd=0x1475c0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7957
            #22 0x000055b718c3e2ca in dispatch_command (command=COM_QUERY, thd=0x1475c0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1339
            #23 0x000055b718c401f2 in do_command (thd=0x1475c0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
            #24 0x000055b718d5846f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b71b40bf08, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418
            #25 0x000055b718d5874d in handle_one_connection (arg=0x55b71b40bf08) at /test/10.11_opt/sql/sql_connect.cc:1312
            #26 0x000014761ae97609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #27 0x000014761aa83133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            {noformat}

            Bug confirmed present in:
            MariaDB: 10.3.37 (dbg), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.3.37 (opt)
            MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

            In summary, whilst 10.3 (dbg) and all other (dbg) versions are affected by theis testcase, it seems that the crash/bug triggered in 10.3+ (dbg) is rather MDEV-28506, whereas the 10.4+ opt crash triggered and described in this bug looks to be a different bug.
            Roel Roel Van de Paar made changes -
            Description The testcase below only crashes optimized 10.4+ builds with this UniqueID/stack:
            {noformat}
            SIGSEGV|Used_tables_and_const_cache::used_tables_and_const_cache_join|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            {noformat}
            However, on debug builds, a set of stacks are seen, which are much more alike to MDEV-28506.
            {noformat}
            (*select_ref)->fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            (*select_ref)->fixed|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            (*select_ref)->is_fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            {noformat}
            On 10.3 optimized we see:
            {noformat:title=10.3.37 a1055ab35d29437b717e83b1a388eaa02901c42f (Optimized)}
            ERROR 1247 (42S22) at line 2 in file: 'in.sql': Reference 'c' not supported (forward reference in item list)
            {noformat}
            For the second and third line of the testcase SQL.
            {code:sql}
            CREATE TABLE t (a INT);
            UPDATE t SET c=1 ORDER BY (SELECT c);
            UPDATE t SET c=1 ORDER BY (SELECT c);
            {code}

            Leads to:

            {noformat:title=10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)}
            Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0 0x00001475c0039828 in ?? ()
            [Current thread is 1 (Thread 0x147601e56700 (LWP 1711369))]
            (gdb) bt
            #0 0x00001475c0039828 in ?? ()
            #1 0x000055b718ea9bca in Used_tables_and_const_cache::used_tables_and_const_cache_join (this=0x1475c0011fb8, this=0x1475c0011fb8, item=0x1475c0038d28) at /test/10.11_opt/sql/item.h:5319
            #2 Item_field::fix_outer_field (this=0x1475c0011560, thd=0x1475c0000c58, from_field=0x147601e54590, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:5824
            #3 0x000055b718eaaa1d in Item_field::fix_fields (this=0x1475c0011560, thd=0x1475c0000c58, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:6121
            #4 0x000055b718bd507b in Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
            #5 Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
            #6 Item::fix_fields_if_needed_for_scalar (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1148
            #7 setup_fields (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x1475c00127e0, pre_fix=0x1475c0011398, allow_sum_func=true) at /test/10.11_opt/sql/sql_base.cc:7975
            #8 0x000055b718ca30a9 in JOIN::prepare (this=0x1475c0012450, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:1450
            #9 0x000055b718f601a8 in subselect_single_select_engine::prepare (this=0x1475c00120d0, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_lex.h:1367
            #10 0x000055b718f5f808 in Item_subselect::fix_fields (this=0x1475c0011f48, thd_param=<optimized out>, ref=0x1475c0012138) at /test/10.11_opt/sql/item_subselect.cc:295
            #11 0x000055b718c753b4 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
            #12 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
            #13 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1148
            #14 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1156
            #15 find_order_in_list (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, tables=0x1475c0010820, order=0x1475c0012128, fields=<optimized out>, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25677
            #16 0x000055b718c9f8d5 in setup_order (thd=thd@entry=0x1475c0000c58, ref_pointer_array={m_array = 0x1475c0012360, m_size = 30}, tables=tables@entry=0x1475c0010820, fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, order=0x1475c0012128, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25724
            #17 0x000055b718d130d2 in mysql_prepare_update (thd=thd@entry=0x1475c0000c58, table_list=0x1475c0010820, conds=conds@entry=0x147601e54ae0, order_num=order_num@entry=1, order=order@entry=0x1475c0012128) at /test/10.11_opt/sql/sql_update.cc:1455
            #18 0x000055b718d13560 in mysql_update (thd=thd@entry=0x1475c0000c58, table_list=<optimized out>, fields=@0x1475c0005770: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110c0, last = 0x1475c00110c0, elements = 1}, <No data fields>}, values=@0x1475c0005ba0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110d0, last = 0x1475c00110d0, elements = 1}, <No data fields>}, conds=<optimized out>, order_num=1, order=0x1475c0012128, limit=18446744073709551615, ignore=false, found_return=0x147601e54f80, updated_return=0x147601e55070) at /test/10.11_opt/sql/sql_update.cc:474
            #19 0x000055b718c42c01 in mysql_execute_command (thd=0x1475c0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_limit.h:85
            #20 0x000055b718c327b5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_parse.cc:8035
            #21 mysql_parse (thd=0x1475c0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7957
            #22 0x000055b718c3e2ca in dispatch_command (command=COM_QUERY, thd=0x1475c0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1339
            #23 0x000055b718c401f2 in do_command (thd=0x1475c0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
            #24 0x000055b718d5846f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b71b40bf08, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418
            #25 0x000055b718d5874d in handle_one_connection (arg=0x55b71b40bf08) at /test/10.11_opt/sql/sql_connect.cc:1312
            #26 0x000014761ae97609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #27 0x000014761aa83133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            {noformat}

            Bug confirmed present in:
            MariaDB: 10.3.37 (dbg), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.3.37 (opt)
            MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

            In summary, whilst 10.3 (dbg) and all other (dbg) versions are affected by theis testcase, it seems that the crash/bug triggered in 10.3+ (dbg) is rather MDEV-28506, whereas the 10.4+ opt crash triggered and described in this bug looks to be a different bug.
            The testcase below only crashes optimized 10.4+ builds with this UniqueID/stack:
            {noformat}
            SIGSEGV|Used_tables_and_const_cache::used_tables_and_const_cache_join|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            {noformat}
            However, on debug builds, a set of stacks are seen, which are much more alike to MDEV-28506.
            {noformat}
            (*select_ref)->fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            (*select_ref)->fixed|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            (*select_ref)->is_fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            {noformat}
            On 10.3 optimized we see:
            {noformat:title=10.3.37 a1055ab35d29437b717e83b1a388eaa02901c42f (Optimized)}
            ERROR 1247 (42S22) at line 2 in file: 'in.sql': Reference 'c' not supported (forward reference in item list)
            {noformat}
            For the second and third line of the testcase SQL.
            {code:sql}
            CREATE TABLE t (a INT);
            UPDATE t SET c=1 ORDER BY (SELECT c);
            UPDATE t SET c=1 ORDER BY (SELECT c);
            {code}

            Leads to:

            {noformat:title=10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)}
            Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0 0x00001475c0039828 in ?? ()
            [Current thread is 1 (Thread 0x147601e56700 (LWP 1711369))]
            (gdb) bt
            #0 0x00001475c0039828 in ?? ()
            #1 0x000055b718ea9bca in Used_tables_and_const_cache::used_tables_and_const_cache_join (this=0x1475c0011fb8, this=0x1475c0011fb8, item=0x1475c0038d28) at /test/10.11_opt/sql/item.h:5319
            #2 Item_field::fix_outer_field (this=0x1475c0011560, thd=0x1475c0000c58, from_field=0x147601e54590, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:5824
            #3 0x000055b718eaaa1d in Item_field::fix_fields (this=0x1475c0011560, thd=0x1475c0000c58, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:6121
            #4 0x000055b718bd507b in Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
            #5 Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
            #6 Item::fix_fields_if_needed_for_scalar (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1148
            #7 setup_fields (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x1475c00127e0, pre_fix=0x1475c0011398, allow_sum_func=true) at /test/10.11_opt/sql/sql_base.cc:7975
            #8 0x000055b718ca30a9 in JOIN::prepare (this=0x1475c0012450, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:1450
            #9 0x000055b718f601a8 in subselect_single_select_engine::prepare (this=0x1475c00120d0, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_lex.h:1367
            #10 0x000055b718f5f808 in Item_subselect::fix_fields (this=0x1475c0011f48, thd_param=<optimized out>, ref=0x1475c0012138) at /test/10.11_opt/sql/item_subselect.cc:295
            #11 0x000055b718c753b4 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
            #12 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
            #13 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1148
            #14 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1156
            #15 find_order_in_list (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, tables=0x1475c0010820, order=0x1475c0012128, fields=<optimized out>, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25677
            #16 0x000055b718c9f8d5 in setup_order (thd=thd@entry=0x1475c0000c58, ref_pointer_array={m_array = 0x1475c0012360, m_size = 30}, tables=tables@entry=0x1475c0010820, fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, order=0x1475c0012128, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25724
            #17 0x000055b718d130d2 in mysql_prepare_update (thd=thd@entry=0x1475c0000c58, table_list=0x1475c0010820, conds=conds@entry=0x147601e54ae0, order_num=order_num@entry=1, order=order@entry=0x1475c0012128) at /test/10.11_opt/sql/sql_update.cc:1455
            #18 0x000055b718d13560 in mysql_update (thd=thd@entry=0x1475c0000c58, table_list=<optimized out>, fields=@0x1475c0005770: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110c0, last = 0x1475c00110c0, elements = 1}, <No data fields>}, values=@0x1475c0005ba0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110d0, last = 0x1475c00110d0, elements = 1}, <No data fields>}, conds=<optimized out>, order_num=1, order=0x1475c0012128, limit=18446744073709551615, ignore=false, found_return=0x147601e54f80, updated_return=0x147601e55070) at /test/10.11_opt/sql/sql_update.cc:474
            #19 0x000055b718c42c01 in mysql_execute_command (thd=0x1475c0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_limit.h:85
            #20 0x000055b718c327b5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_parse.cc:8035
            #21 mysql_parse (thd=0x1475c0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7957
            #22 0x000055b718c3e2ca in dispatch_command (command=COM_QUERY, thd=0x1475c0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1339
            #23 0x000055b718c401f2 in do_command (thd=0x1475c0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
            #24 0x000055b718d5846f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b71b40bf08, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418
            #25 0x000055b718d5874d in handle_one_connection (arg=0x55b71b40bf08) at /test/10.11_opt/sql/sql_connect.cc:1312
            #26 0x000014761ae97609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #27 0x000014761aa83133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            {noformat}

            Bug confirmed present in:
            MariaDB: 10.3.37 (dbg), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.3.37 (opt)
            MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

            *In summary*, whilst 10.3 (dbg) and all other (dbg) versions are affected by theis testcase, it seems that the crash/bug triggered in 10.3+ (dbg) is rather MDEV-28506, whereas the 10.4+ opt crash triggered and described in this bug looks to be a different bug.
            Roel Roel Van de Paar made changes -
            Description The testcase below only crashes optimized 10.4+ builds with this UniqueID/stack:
            {noformat}
            SIGSEGV|Used_tables_and_const_cache::used_tables_and_const_cache_join|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            {noformat}
            However, on debug builds, a set of stacks are seen, which are much more alike to MDEV-28506.
            {noformat}
            (*select_ref)->fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            (*select_ref)->fixed|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            (*select_ref)->is_fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            {noformat}
            On 10.3 optimized we see:
            {noformat:title=10.3.37 a1055ab35d29437b717e83b1a388eaa02901c42f (Optimized)}
            ERROR 1247 (42S22) at line 2 in file: 'in.sql': Reference 'c' not supported (forward reference in item list)
            {noformat}
            For the second and third line of the testcase SQL.
            {code:sql}
            CREATE TABLE t (a INT);
            UPDATE t SET c=1 ORDER BY (SELECT c);
            UPDATE t SET c=1 ORDER BY (SELECT c);
            {code}

            Leads to:

            {noformat:title=10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)}
            Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0 0x00001475c0039828 in ?? ()
            [Current thread is 1 (Thread 0x147601e56700 (LWP 1711369))]
            (gdb) bt
            #0 0x00001475c0039828 in ?? ()
            #1 0x000055b718ea9bca in Used_tables_and_const_cache::used_tables_and_const_cache_join (this=0x1475c0011fb8, this=0x1475c0011fb8, item=0x1475c0038d28) at /test/10.11_opt/sql/item.h:5319
            #2 Item_field::fix_outer_field (this=0x1475c0011560, thd=0x1475c0000c58, from_field=0x147601e54590, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:5824
            #3 0x000055b718eaaa1d in Item_field::fix_fields (this=0x1475c0011560, thd=0x1475c0000c58, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:6121
            #4 0x000055b718bd507b in Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
            #5 Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
            #6 Item::fix_fields_if_needed_for_scalar (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1148
            #7 setup_fields (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x1475c00127e0, pre_fix=0x1475c0011398, allow_sum_func=true) at /test/10.11_opt/sql/sql_base.cc:7975
            #8 0x000055b718ca30a9 in JOIN::prepare (this=0x1475c0012450, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:1450
            #9 0x000055b718f601a8 in subselect_single_select_engine::prepare (this=0x1475c00120d0, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_lex.h:1367
            #10 0x000055b718f5f808 in Item_subselect::fix_fields (this=0x1475c0011f48, thd_param=<optimized out>, ref=0x1475c0012138) at /test/10.11_opt/sql/item_subselect.cc:295
            #11 0x000055b718c753b4 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
            #12 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
            #13 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1148
            #14 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1156
            #15 find_order_in_list (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, tables=0x1475c0010820, order=0x1475c0012128, fields=<optimized out>, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25677
            #16 0x000055b718c9f8d5 in setup_order (thd=thd@entry=0x1475c0000c58, ref_pointer_array={m_array = 0x1475c0012360, m_size = 30}, tables=tables@entry=0x1475c0010820, fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, order=0x1475c0012128, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25724
            #17 0x000055b718d130d2 in mysql_prepare_update (thd=thd@entry=0x1475c0000c58, table_list=0x1475c0010820, conds=conds@entry=0x147601e54ae0, order_num=order_num@entry=1, order=order@entry=0x1475c0012128) at /test/10.11_opt/sql/sql_update.cc:1455
            #18 0x000055b718d13560 in mysql_update (thd=thd@entry=0x1475c0000c58, table_list=<optimized out>, fields=@0x1475c0005770: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110c0, last = 0x1475c00110c0, elements = 1}, <No data fields>}, values=@0x1475c0005ba0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110d0, last = 0x1475c00110d0, elements = 1}, <No data fields>}, conds=<optimized out>, order_num=1, order=0x1475c0012128, limit=18446744073709551615, ignore=false, found_return=0x147601e54f80, updated_return=0x147601e55070) at /test/10.11_opt/sql/sql_update.cc:474
            #19 0x000055b718c42c01 in mysql_execute_command (thd=0x1475c0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_limit.h:85
            #20 0x000055b718c327b5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_parse.cc:8035
            #21 mysql_parse (thd=0x1475c0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7957
            #22 0x000055b718c3e2ca in dispatch_command (command=COM_QUERY, thd=0x1475c0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1339
            #23 0x000055b718c401f2 in do_command (thd=0x1475c0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
            #24 0x000055b718d5846f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b71b40bf08, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418
            #25 0x000055b718d5874d in handle_one_connection (arg=0x55b71b40bf08) at /test/10.11_opt/sql/sql_connect.cc:1312
            #26 0x000014761ae97609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #27 0x000014761aa83133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            {noformat}

            Bug confirmed present in:
            MariaDB: 10.3.37 (dbg), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.3.37 (opt)
            MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

            *In summary*, whilst 10.3 (dbg) and all other (dbg) versions are affected by theis testcase, it seems that the crash/bug triggered in 10.3+ (dbg) is rather MDEV-28506, whereas the 10.4+ opt crash triggered and described in this bug looks to be a different bug.
            The testcase below only crashes optimized 10.4+ builds with this UniqueID/stack:
            {noformat}
            SIGSEGV|Used_tables_and_const_cache::used_tables_and_const_cache_join|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            {noformat}
            However, on debug builds, a set of stacks are seen, which are much more alike to MDEV-28506.
            {noformat}
            (*select_ref)->fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            (*select_ref)->fixed|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            (*select_ref)->is_fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            {noformat}
            On 10.3 optimized we see:
            {noformat:title=10.3.37 a1055ab35d29437b717e83b1a388eaa02901c42f (Optimized)}
            ERROR 1247 (42S22) at line 2 in file: 'in.sql': Reference 'c' not supported (forward reference in item list)
            {noformat}
            For the second and third line of the testcase SQL.
            {code:sql}
            CREATE TABLE t (a INT);
            UPDATE t SET c=1 ORDER BY (SELECT c);
            UPDATE t SET c=1 ORDER BY (SELECT c);
            {code}

            Leads to:

            10.11.0-opt>CREATE TABLE t (a INT);
            Query OK, 0 rows affected (0.016 sec)
            {noformat:title=10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)}
            10.11.0-opt>UPDATE t SET c=1 ORDER BY (SELECT c);
            ERROR 1247 (42S22): Reference 'c' not supported (forward reference in item list)
            10.11.0-opt>UPDATE t SET c=1 ORDER BY (SELECT c);
            ERROR 2013 (HY000): Lost connection to server during query
            {noformat}
            {noformat:title=10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)}
            Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0 0x00001475c0039828 in ?? ()
            [Current thread is 1 (Thread 0x147601e56700 (LWP 1711369))]
            (gdb) bt
            #0 0x00001475c0039828 in ?? ()
            #1 0x000055b718ea9bca in Used_tables_and_const_cache::used_tables_and_const_cache_join (this=0x1475c0011fb8, this=0x1475c0011fb8, item=0x1475c0038d28) at /test/10.11_opt/sql/item.h:5319
            #2 Item_field::fix_outer_field (this=0x1475c0011560, thd=0x1475c0000c58, from_field=0x147601e54590, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:5824
            #3 0x000055b718eaaa1d in Item_field::fix_fields (this=0x1475c0011560, thd=0x1475c0000c58, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:6121
            #4 0x000055b718bd507b in Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
            #5 Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
            #6 Item::fix_fields_if_needed_for_scalar (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1148
            #7 setup_fields (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x1475c00127e0, pre_fix=0x1475c0011398, allow_sum_func=true) at /test/10.11_opt/sql/sql_base.cc:7975
            #8 0x000055b718ca30a9 in JOIN::prepare (this=0x1475c0012450, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:1450
            #9 0x000055b718f601a8 in subselect_single_select_engine::prepare (this=0x1475c00120d0, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_lex.h:1367
            #10 0x000055b718f5f808 in Item_subselect::fix_fields (this=0x1475c0011f48, thd_param=<optimized out>, ref=0x1475c0012138) at /test/10.11_opt/sql/item_subselect.cc:295
            #11 0x000055b718c753b4 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
            #12 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
            #13 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1148
            #14 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1156
            #15 find_order_in_list (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, tables=0x1475c0010820, order=0x1475c0012128, fields=<optimized out>, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25677
            #16 0x000055b718c9f8d5 in setup_order (thd=thd@entry=0x1475c0000c58, ref_pointer_array={m_array = 0x1475c0012360, m_size = 30}, tables=tables@entry=0x1475c0010820, fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, order=0x1475c0012128, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25724
            #17 0x000055b718d130d2 in mysql_prepare_update (thd=thd@entry=0x1475c0000c58, table_list=0x1475c0010820, conds=conds@entry=0x147601e54ae0, order_num=order_num@entry=1, order=order@entry=0x1475c0012128) at /test/10.11_opt/sql/sql_update.cc:1455
            #18 0x000055b718d13560 in mysql_update (thd=thd@entry=0x1475c0000c58, table_list=<optimized out>, fields=@0x1475c0005770: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110c0, last = 0x1475c00110c0, elements = 1}, <No data fields>}, values=@0x1475c0005ba0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110d0, last = 0x1475c00110d0, elements = 1}, <No data fields>}, conds=<optimized out>, order_num=1, order=0x1475c0012128, limit=18446744073709551615, ignore=false, found_return=0x147601e54f80, updated_return=0x147601e55070) at /test/10.11_opt/sql/sql_update.cc:474
            #19 0x000055b718c42c01 in mysql_execute_command (thd=0x1475c0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_limit.h:85
            #20 0x000055b718c327b5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_parse.cc:8035
            #21 mysql_parse (thd=0x1475c0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7957
            #22 0x000055b718c3e2ca in dispatch_command (command=COM_QUERY, thd=0x1475c0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1339
            #23 0x000055b718c401f2 in do_command (thd=0x1475c0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
            #24 0x000055b718d5846f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b71b40bf08, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418
            #25 0x000055b718d5874d in handle_one_connection (arg=0x55b71b40bf08) at /test/10.11_opt/sql/sql_connect.cc:1312
            #26 0x000014761ae97609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #27 0x000014761aa83133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            {noformat}

            Bug confirmed present in:
            MariaDB: 10.3.37 (dbg), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.3.37 (opt)
            MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

            *In summary*, whilst 10.3 (dbg) and all other (dbg) versions are affected by theis testcase, it seems that the crash/bug triggered in 10.3+ (dbg) is rather MDEV-28506, whereas the 10.4+ opt crash triggered and described in this bug looks to be a different bug.
            Roel Roel Van de Paar made changes -
            Description The testcase below only crashes optimized 10.4+ builds with this UniqueID/stack:
            {noformat}
            SIGSEGV|Used_tables_and_const_cache::used_tables_and_const_cache_join|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            {noformat}
            However, on debug builds, a set of stacks are seen, which are much more alike to MDEV-28506.
            {noformat}
            (*select_ref)->fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            (*select_ref)->fixed|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            (*select_ref)->is_fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            {noformat}
            On 10.3 optimized we see:
            {noformat:title=10.3.37 a1055ab35d29437b717e83b1a388eaa02901c42f (Optimized)}
            ERROR 1247 (42S22) at line 2 in file: 'in.sql': Reference 'c' not supported (forward reference in item list)
            {noformat}
            For the second and third line of the testcase SQL.
            {code:sql}
            CREATE TABLE t (a INT);
            UPDATE t SET c=1 ORDER BY (SELECT c);
            UPDATE t SET c=1 ORDER BY (SELECT c);
            {code}

            Leads to:

            10.11.0-opt>CREATE TABLE t (a INT);
            Query OK, 0 rows affected (0.016 sec)
            {noformat:title=10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)}
            10.11.0-opt>UPDATE t SET c=1 ORDER BY (SELECT c);
            ERROR 1247 (42S22): Reference 'c' not supported (forward reference in item list)
            10.11.0-opt>UPDATE t SET c=1 ORDER BY (SELECT c);
            ERROR 2013 (HY000): Lost connection to server during query
            {noformat}
            {noformat:title=10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)}
            Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0 0x00001475c0039828 in ?? ()
            [Current thread is 1 (Thread 0x147601e56700 (LWP 1711369))]
            (gdb) bt
            #0 0x00001475c0039828 in ?? ()
            #1 0x000055b718ea9bca in Used_tables_and_const_cache::used_tables_and_const_cache_join (this=0x1475c0011fb8, this=0x1475c0011fb8, item=0x1475c0038d28) at /test/10.11_opt/sql/item.h:5319
            #2 Item_field::fix_outer_field (this=0x1475c0011560, thd=0x1475c0000c58, from_field=0x147601e54590, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:5824
            #3 0x000055b718eaaa1d in Item_field::fix_fields (this=0x1475c0011560, thd=0x1475c0000c58, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:6121
            #4 0x000055b718bd507b in Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
            #5 Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
            #6 Item::fix_fields_if_needed_for_scalar (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1148
            #7 setup_fields (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x1475c00127e0, pre_fix=0x1475c0011398, allow_sum_func=true) at /test/10.11_opt/sql/sql_base.cc:7975
            #8 0x000055b718ca30a9 in JOIN::prepare (this=0x1475c0012450, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:1450
            #9 0x000055b718f601a8 in subselect_single_select_engine::prepare (this=0x1475c00120d0, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_lex.h:1367
            #10 0x000055b718f5f808 in Item_subselect::fix_fields (this=0x1475c0011f48, thd_param=<optimized out>, ref=0x1475c0012138) at /test/10.11_opt/sql/item_subselect.cc:295
            #11 0x000055b718c753b4 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
            #12 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
            #13 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1148
            #14 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1156
            #15 find_order_in_list (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, tables=0x1475c0010820, order=0x1475c0012128, fields=<optimized out>, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25677
            #16 0x000055b718c9f8d5 in setup_order (thd=thd@entry=0x1475c0000c58, ref_pointer_array={m_array = 0x1475c0012360, m_size = 30}, tables=tables@entry=0x1475c0010820, fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, order=0x1475c0012128, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25724
            #17 0x000055b718d130d2 in mysql_prepare_update (thd=thd@entry=0x1475c0000c58, table_list=0x1475c0010820, conds=conds@entry=0x147601e54ae0, order_num=order_num@entry=1, order=order@entry=0x1475c0012128) at /test/10.11_opt/sql/sql_update.cc:1455
            #18 0x000055b718d13560 in mysql_update (thd=thd@entry=0x1475c0000c58, table_list=<optimized out>, fields=@0x1475c0005770: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110c0, last = 0x1475c00110c0, elements = 1}, <No data fields>}, values=@0x1475c0005ba0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110d0, last = 0x1475c00110d0, elements = 1}, <No data fields>}, conds=<optimized out>, order_num=1, order=0x1475c0012128, limit=18446744073709551615, ignore=false, found_return=0x147601e54f80, updated_return=0x147601e55070) at /test/10.11_opt/sql/sql_update.cc:474
            #19 0x000055b718c42c01 in mysql_execute_command (thd=0x1475c0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_limit.h:85
            #20 0x000055b718c327b5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_parse.cc:8035
            #21 mysql_parse (thd=0x1475c0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7957
            #22 0x000055b718c3e2ca in dispatch_command (command=COM_QUERY, thd=0x1475c0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1339
            #23 0x000055b718c401f2 in do_command (thd=0x1475c0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
            #24 0x000055b718d5846f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b71b40bf08, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418
            #25 0x000055b718d5874d in handle_one_connection (arg=0x55b71b40bf08) at /test/10.11_opt/sql/sql_connect.cc:1312
            #26 0x000014761ae97609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #27 0x000014761aa83133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            {noformat}

            Bug confirmed present in:
            MariaDB: 10.3.37 (dbg), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.3.37 (opt)
            MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

            *In summary*, whilst 10.3 (dbg) and all other (dbg) versions are affected by theis testcase, it seems that the crash/bug triggered in 10.3+ (dbg) is rather MDEV-28506, whereas the 10.4+ opt crash triggered and described in this bug looks to be a different bug.
            The testcase below only crashes optimized 10.4+ builds with this UniqueID/stack:
            {noformat}
            SIGSEGV|Used_tables_and_const_cache::used_tables_and_const_cache_join|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            {noformat}
            However, on debug builds, a set of stacks are seen, which are much more alike to MDEV-28506.
            {noformat}
            (*select_ref)->fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            (*select_ref)->fixed|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            (*select_ref)->is_fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
            {noformat}
            On 10.3 optimized we see:
            {noformat:title=10.3.37 a1055ab35d29437b717e83b1a388eaa02901c42f (Optimized)}
            ERROR 1247 (42S22) at line 2 in file: 'in.sql': Reference 'c' not supported (forward reference in item list)
            {noformat}
            For the second and third line of the testcase SQL.
            {code:sql}
            CREATE TABLE t (a INT);
            UPDATE t SET c=1 ORDER BY (SELECT c);
            UPDATE t SET c=1 ORDER BY (SELECT c);
            {code}

            Leads to:
            {noformat:title=10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)}
            10.11.0-opt>CREATE TABLE t (a INT);
            Query OK, 0 rows affected (0.016 sec)
            10.11.0-opt>UPDATE t SET c=1 ORDER BY (SELECT c);
            ERROR 1247 (42S22): Reference 'c' not supported (forward reference in item list)
            10.11.0-opt>UPDATE t SET c=1 ORDER BY (SELECT c);
            ERROR 2013 (HY000): Lost connection to server during query
            {noformat}
            {noformat:title=10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)}
            Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0 0x00001475c0039828 in ?? ()
            [Current thread is 1 (Thread 0x147601e56700 (LWP 1711369))]
            (gdb) bt
            #0 0x00001475c0039828 in ?? ()
            #1 0x000055b718ea9bca in Used_tables_and_const_cache::used_tables_and_const_cache_join (this=0x1475c0011fb8, this=0x1475c0011fb8, item=0x1475c0038d28) at /test/10.11_opt/sql/item.h:5319
            #2 Item_field::fix_outer_field (this=0x1475c0011560, thd=0x1475c0000c58, from_field=0x147601e54590, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:5824
            #3 0x000055b718eaaa1d in Item_field::fix_fields (this=0x1475c0011560, thd=0x1475c0000c58, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:6121
            #4 0x000055b718bd507b in Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
            #5 Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
            #6 Item::fix_fields_if_needed_for_scalar (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1148
            #7 setup_fields (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x1475c00127e0, pre_fix=0x1475c0011398, allow_sum_func=true) at /test/10.11_opt/sql/sql_base.cc:7975
            #8 0x000055b718ca30a9 in JOIN::prepare (this=0x1475c0012450, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:1450
            #9 0x000055b718f601a8 in subselect_single_select_engine::prepare (this=0x1475c00120d0, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_lex.h:1367
            #10 0x000055b718f5f808 in Item_subselect::fix_fields (this=0x1475c0011f48, thd_param=<optimized out>, ref=0x1475c0012138) at /test/10.11_opt/sql/item_subselect.cc:295
            #11 0x000055b718c753b4 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
            #12 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
            #13 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1148
            #14 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1156
            #15 find_order_in_list (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, tables=0x1475c0010820, order=0x1475c0012128, fields=<optimized out>, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25677
            #16 0x000055b718c9f8d5 in setup_order (thd=thd@entry=0x1475c0000c58, ref_pointer_array={m_array = 0x1475c0012360, m_size = 30}, tables=tables@entry=0x1475c0010820, fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, order=0x1475c0012128, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25724
            #17 0x000055b718d130d2 in mysql_prepare_update (thd=thd@entry=0x1475c0000c58, table_list=0x1475c0010820, conds=conds@entry=0x147601e54ae0, order_num=order_num@entry=1, order=order@entry=0x1475c0012128) at /test/10.11_opt/sql/sql_update.cc:1455
            #18 0x000055b718d13560 in mysql_update (thd=thd@entry=0x1475c0000c58, table_list=<optimized out>, fields=@0x1475c0005770: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110c0, last = 0x1475c00110c0, elements = 1}, <No data fields>}, values=@0x1475c0005ba0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110d0, last = 0x1475c00110d0, elements = 1}, <No data fields>}, conds=<optimized out>, order_num=1, order=0x1475c0012128, limit=18446744073709551615, ignore=false, found_return=0x147601e54f80, updated_return=0x147601e55070) at /test/10.11_opt/sql/sql_update.cc:474
            #19 0x000055b718c42c01 in mysql_execute_command (thd=0x1475c0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_limit.h:85
            #20 0x000055b718c327b5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_parse.cc:8035
            #21 mysql_parse (thd=0x1475c0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7957
            #22 0x000055b718c3e2ca in dispatch_command (command=COM_QUERY, thd=0x1475c0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1339
            #23 0x000055b718c401f2 in do_command (thd=0x1475c0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
            #24 0x000055b718d5846f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b71b40bf08, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418
            #25 0x000055b718d5874d in handle_one_connection (arg=0x55b71b40bf08) at /test/10.11_opt/sql/sql_connect.cc:1312
            #26 0x000014761ae97609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #27 0x000014761aa83133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            {noformat}

            Bug confirmed present in:
            MariaDB: 10.3.37 (dbg), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.3.37 (opt)
            MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

            *In summary*, whilst 10.3 (dbg) and all other (dbg) versions are affected by theis testcase, it seems that the crash/bug triggered in 10.3+ (dbg) is rather MDEV-28506, whereas the 10.4+ opt crash triggered and described in this bug looks to be a different bug.
            Roel Roel Van de Paar made changes -
            Affects Version/s 11.0 [ 28320 ]
            Roel Roel Van de Paar made changes -
            Fix Version/s 10.9 [ 26905 ]
            Fix Version/s 10.10 [ 27530 ]
            Fix Version/s 10.11 [ 27614 ]
            Roel Roel Van de Paar made changes -
            Status Open [ 1 ] Confirmed [ 10101 ]
            julien.fritsch Julien Fritsch made changes -
            Fix Version/s 10.7 [ 24805 ]
            julien.fritsch Julien Fritsch made changes -
            Fix Version/s 10.8 [ 26121 ]
            alice Alice Sherepa made changes -
            alice Alice Sherepa made changes -
            Fix Version/s 11.0 [ 28320 ]
            alice Alice Sherepa made changes -
            psergei Sergei Petrunia made changes -
            Assignee Sergei Petrunia [ psergey ] Oleksandr Byelkin [ sanja ]
            julien.fritsch Julien Fritsch made changes -
            Fix Version/s 10.9 [ 26905 ]
            julien.fritsch Julien Fritsch made changes -
            Fix Version/s 10.10 [ 27530 ]
            julien.fritsch Julien Fritsch made changes -
            Fix Version/s 11.0 [ 28320 ]
            Roel Roel Van de Paar made changes -
            Labels regression name_resolution regression
            Roel Roel Van de Paar made changes -
            Roel Roel Van de Paar made changes -
            Roel Roel Van de Paar made changes -
            Labels name_resolution regression UBSAN name_resolution regression
            Roel Roel Van de Paar made changes -
            Summary SIGSEGV in Used_tables_and_const_cache::used_tables_and_const_cache_join on simple repeated UPDATE... ORDER BY SIGSEGV in Used_tables_and_const_cache::used_tables_and_const_cache_join on simple repeated UPDATE... ORDER BY, UBSAN: runtime error: member call on address ... which does not point to an object of type 'Item' (object has invalid vptr)
            Roel Roel Van de Paar made changes -
            Labels UBSAN name_resolution regression UBSAN name_resolution not-11.1+ regression
            Roel Roel Van de Paar made changes -
            Labels UBSAN name_resolution not-11.1+ regression UBSAN memory_corruption name_resolution not-11.1+ regression
            Roel Roel Van de Paar made changes -
            Fix Version/s 10.4 [ 22408 ]
            Roel Roel Van de Paar made changes -
            Labels UBSAN memory_corruption name_resolution not-11.1+ regression ASAN UBSAN affects-tests memory_corruption name_resolution not-11.1+ regression
            Roel Roel Van de Paar made changes -
            Summary SIGSEGV in Used_tables_and_const_cache::used_tables_and_const_cache_join on simple repeated UPDATE... ORDER BY, UBSAN: runtime error: member call on address ... which does not point to an object of type 'Item' (object has invalid vptr) SIGSEGV in Used_tables_and_const_cache::used_tables_and_const_cache_join on UPDATE, UBSAN: runtime error: member call on address ... which does not point to an object of type 'Item' (object has invalid vptr), ASAN use-after-poison
            Roel Roel Van de Paar made changes -
            Affects Version/s 11.1 [ 28549 ]
            Affects Version/s 11.2 [ 28603 ]
            Affects Version/s 11.4 [ 29301 ]
            Affects Version/s 11.5 [ 29506 ]
            Affects Version/s 11.6 [ 29515 ]
            Roel Roel Van de Paar made changes -
            Affects Version/s 11.1 [ 28549 ]
            Affects Version/s 11.2 [ 28603 ]
            Affects Version/s 11.4 [ 29301 ]
            Affects Version/s 11.5 [ 29506 ]
            Affects Version/s 11.6 [ 29515 ]
            susil.behera Susil Behera made changes -
            Roel Roel Van de Paar made changes -
            Roel Roel Van de Paar made changes -
            serg Sergei Golubchik made changes -
            Priority Critical [ 2 ] Blocker [ 1 ]
            serg Sergei Golubchik made changes -
            Assignee Oleksandr Byelkin [ sanja ] Oleg Smirnov [ JIRAUSER50405 ]
            serg Sergei Golubchik made changes -
            Assignee Oleg Smirnov [ JIRAUSER50405 ] Michael Widenius [ monty ]
            serg Sergei Golubchik made changes -
            Priority Blocker [ 1 ] Critical [ 2 ]
            serg Sergei Golubchik made changes -
            Assignee Michael Widenius [ monty ] Oleksandr Byelkin [ sanja ]
            monty Michael Widenius made changes -
            Summary SIGSEGV in Used_tables_and_const_cache::used_tables_and_const_cache_join on UPDATE, UBSAN: runtime error: member call on address ... which does not point to an object of type 'Item' (object has invalid vptr), ASAN use-after-poison SIGSEGV in Used_tables_and_const_cache::used_tables_and_const_cache_join on UPDATE
            monty Michael Widenius made changes -
            Summary SIGSEGV in Used_tables_and_const_cache::used_tables_and_const_cache_join on UPDATE SIGSEGV when doing forward reference of item in select list
            monty Michael Widenius made changes -
            Assignee Oleksandr Byelkin [ sanja ] Michael Widenius [ monty ]
            monty Michael Widenius made changes -
            Status Confirmed [ 10101 ] In Progress [ 3 ]
            monty Michael Widenius made changes -
            issue.field.resolutiondate 2024-10-16 15:12:04.0 2024-10-16 15:12:04.14
            monty Michael Widenius made changes -
            Fix Version/s 10.5.27 [ 29902 ]
            Fix Version/s 10.5 [ 23123 ]
            Fix Version/s 10.6 [ 24028 ]
            Fix Version/s 10.11 [ 27614 ]
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Closed [ 6 ]
            JIraAutomate JiraAutomate made changes -
            Fix Version/s 10.6.20 [ 29903 ]
            Fix Version/s 10.11.10 [ 29904 ]
            Fix Version/s 11.2.6 [ 29906 ]
            Fix Version/s 11.4.4 [ 29907 ]

            People

              monty Michael Widenius
              Roel Roel Van de Paar
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.