Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL)
Description
The testcase below only crashes optimized 10.4+ builds with this UniqueID/stack:
SIGSEGV|Used_tables_and_const_cache::used_tables_and_const_cache_join|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
|
However, on debug builds, a set of stacks are seen, which are much more alike to MDEV-28506.
(*select_ref)->fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
|
(*select_ref)->fixed|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
|
(*select_ref)->is_fixed()|SIGABRT|resolve_ref_in_select_and_group|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
|
On 10.3 optimized we see:
|
10.3.37 a1055ab35d29437b717e83b1a388eaa02901c42f (Optimized) |
ERROR 1247 (42S22) at line 2 in file: 'in.sql': Reference 'c' not supported (forward reference in item list)
|
For the second and third line of the testcase SQL.
CREATE TABLE t (a INT); |
UPDATE t SET c=1 ORDER BY (SELECT c); |
UPDATE t SET c=1 ORDER BY (SELECT c); |
Leads to:
|
10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized) |
10.11.0-opt>CREATE TABLE t (a INT);
|
Query OK, 0 rows affected (0.016 sec)
|
10.11.0-opt>UPDATE t SET c=1 ORDER BY (SELECT c);
|
ERROR 1247 (42S22): Reference 'c' not supported (forward reference in item list)
|
10.11.0-opt>UPDATE t SET c=1 ORDER BY (SELECT c);
|
ERROR 2013 (HY000): Lost connection to server during query
|
|
10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized) |
Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 0x00001475c0039828 in ?? ()
|
[Current thread is 1 (Thread 0x147601e56700 (LWP 1711369))]
|
(gdb) bt
|
#0 0x00001475c0039828 in ?? ()
|
#1 0x000055b718ea9bca in Used_tables_and_const_cache::used_tables_and_const_cache_join (this=0x1475c0011fb8, this=0x1475c0011fb8, item=0x1475c0038d28) at /test/10.11_opt/sql/item.h:5319
|
#2 Item_field::fix_outer_field (this=0x1475c0011560, thd=0x1475c0000c58, from_field=0x147601e54590, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:5824
|
#3 0x000055b718eaaa1d in Item_field::fix_fields (this=0x1475c0011560, thd=0x1475c0000c58, reference=0x1475c0011680) at /test/10.11_opt/sql/item.cc:6121
|
#4 0x000055b718bd507b in Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
|
#5 Item::fix_fields_if_needed (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1142
|
#6 Item::fix_fields_if_needed_for_scalar (ref=0x1475c0011680, thd=0x1475c0000c58, this=0x1475c0011560) at /test/10.11_opt/sql/item.h:1148
|
#7 setup_fields (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x1475c00127e0, pre_fix=0x1475c0011398, allow_sum_func=true) at /test/10.11_opt/sql/sql_base.cc:7975
|
#8 0x000055b718ca30a9 in JOIN::prepare (this=0x1475c0012450, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:1450
|
#9 0x000055b718f601a8 in subselect_single_select_engine::prepare (this=0x1475c00120d0, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_lex.h:1367
|
#10 0x000055b718f5f808 in Item_subselect::fix_fields (this=0x1475c0011f48, thd_param=<optimized out>, ref=0x1475c0012138) at /test/10.11_opt/sql/item_subselect.cc:295
|
#11 0x000055b718c753b4 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
|
#12 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1142
|
#13 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1148
|
#14 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1475c0000c58, this=0x1475c0011f48) at /test/10.11_opt/sql/item.h:1156
|
#15 find_order_in_list (thd=0x1475c0000c58, ref_pointer_array=<optimized out>, tables=0x1475c0010820, order=0x1475c0012128, fields=<optimized out>, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25677
|
#16 0x000055b718c9f8d5 in setup_order (thd=thd@entry=0x1475c0000c58, ref_pointer_array={m_array = 0x1475c0012360, m_size = 30}, tables=tables@entry=0x1475c0010820, fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, all_fields=@0x147601e549d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b719dc16b0 <end_of_list>, last = 0x147601e549d0, elements = 0}, <No data fields>}, order=0x1475c0012128, from_window_spec=false) at /test/10.11_opt/sql/sql_select.cc:25724
|
#17 0x000055b718d130d2 in mysql_prepare_update (thd=thd@entry=0x1475c0000c58, table_list=0x1475c0010820, conds=conds@entry=0x147601e54ae0, order_num=order_num@entry=1, order=order@entry=0x1475c0012128) at /test/10.11_opt/sql/sql_update.cc:1455
|
#18 0x000055b718d13560 in mysql_update (thd=thd@entry=0x1475c0000c58, table_list=<optimized out>, fields=@0x1475c0005770: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110c0, last = 0x1475c00110c0, elements = 1}, <No data fields>}, values=@0x1475c0005ba0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1475c00110d0, last = 0x1475c00110d0, elements = 1}, <No data fields>}, conds=<optimized out>, order_num=1, order=0x1475c0012128, limit=18446744073709551615, ignore=false, found_return=0x147601e54f80, updated_return=0x147601e55070) at /test/10.11_opt/sql/sql_update.cc:474
|
#19 0x000055b718c42c01 in mysql_execute_command (thd=0x1475c0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_limit.h:85
|
#20 0x000055b718c327b5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1475c0000c58) at /test/10.11_opt/sql/sql_parse.cc:8035
|
#21 mysql_parse (thd=0x1475c0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7957
|
#22 0x000055b718c3e2ca in dispatch_command (command=COM_QUERY, thd=0x1475c0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1339
|
#23 0x000055b718c401f2 in do_command (thd=0x1475c0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
|
#24 0x000055b718d5846f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b71b40bf08, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418
|
#25 0x000055b718d5874d in handle_one_connection (arg=0x55b71b40bf08) at /test/10.11_opt/sql/sql_connect.cc:1312
|
#26 0x000014761ae97609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#27 0x000014761aa83133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
Bug confirmed present in:
MariaDB: 10.3.37 (dbg), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)
Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.37 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)
In summary, whilst 10.3 (dbg) and all other (dbg) versions are affected by theis testcase, it seems that the crash/bug triggered in 10.3+ (dbg) is rather MDEV-28506, whereas the 10.4+ opt crash triggered and described in this bug looks to be a different bug.
Attachments
Issue Links
- relates to
-
-
- Confirmed
-
-
-
- Confirmed
-
-
-
- Stalled
-
Activity
Please also test any fixes with this testcase
CREATE TABLE t (a CHAR(1),b VARCHAR(1),KEY(a)) ENGINE=InnoDB; |
UPDATE t SET c=1 ORDER BY (SELECT c LIMIT 0); |
UBSAN issue observed with this testcase:
CREATE TABLE t (a CHAR BINARY) ENGINE=InnoDB; |
SELECT * FROM t WHERE c2 BETWEEN '1000-00-01' AND '9999-12-31' ORDER BY c,c2 DESC LIMIT 2; |
UPDATE t SET c=1 ORDER BY (SELECT c); |
Leads to:
|
10.5.26 736449d30ffb2ec71bd700ac84eb38ba30bb662c (Optimized, UBASAN) |
/test/10.5_opt_san/sql/item.h:5190:42: runtime error: member call on address 0x55c1eaa92480 which does not point to an object of type 'Item'
|
0x55c1eaa92480: note: object has invalid vptr
|
c1 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 41 4f e5 c1 55 00 00 b0 55 4f e5
|
^~~~~~~~~~~~~~~~~~~~~~~
|
invalid vptr
|
#0 0x55c1e7074917 in Used_tables_and_const_cache::used_tables_and_const_cache_join(Item const*) /test/10.5_opt_san/sql/item.h:5190
|
#1 0x55c1e6fd0977 in Item_field::fix_outer_field(THD*, Field**, Item**) /test/10.5_opt_san/sql/item.cc:5899
|
#2 0x55c1e6fd7f43 in Item_field::fix_fields(THD*, Item**) /test/10.5_opt_san/sql/item.cc:6183
|
#3 0x55c1e57baeb6 in Item::fix_fields_if_needed(THD*, Item**) /test/10.5_opt_san/sql/item.h:1004
|
#4 0x55c1e57baeb6 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/10.5_opt_san/sql/item.h:1008
|
#5 0x55c1e57baeb6 in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool) /test/10.5_opt_san/sql/sql_base.cc:7673
|
#6 0x55c1e5e80fac in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/10.5_opt_san/sql/sql_select.cc:1375
|
#7 0x55c1e76f2274 in subselect_single_select_engine::prepare(THD*) /test/10.5_opt_san/sql/item_subselect.cc:3858
|
#8 0x55c1e76ea152 in Item_subselect::fix_fields(THD*, Item**) /test/10.5_opt_san/sql/item_subselect.cc:291
|
#9 0x55c1e5ba3995 in Item::fix_fields_if_needed(THD*, Item**) /test/10.5_opt_san/sql/item.h:1004
|
#10 0x55c1e5ba3995 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/10.5_opt_san/sql/item.h:1008
|
#11 0x55c1e5cb8d29 in Item::fix_fields_if_needed_for_order_by(THD*, Item**) /test/10.5_opt_san/sql/item.h:1016
|
#12 0x55c1e5cb8d29 in find_order_in_list /test/10.5_opt_san/sql/sql_select.cc:25294
|
#13 0x55c1e5d9586b in setup_order(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, st_order*, bool) /test/10.5_opt_san/sql/sql_select.cc:25341
|
#14 0x55c1e615ffd3 in mysql_prepare_update(THD*, TABLE_LIST*, Item**, unsigned int, st_order*) /test/10.5_opt_san/sql/sql_update.cc:1449
|
#15 0x55c1e616204e in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /test/10.5_opt_san/sql/sql_update.cc:479
|
#16 0x55c1e5b6a558 in mysql_execute_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:4494
|
#17 0x55c1e5b8723e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:8204
|
#18 0x55c1e5b937dc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:1892
|
#19 0x55c1e5ba028b in do_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:1376
|
#20 0x55c1e6377c2f in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_san/sql/sql_connect.cc:1417
|
#21 0x55c1e637a02c in handle_one_connection /test/10.5_opt_san/sql/sql_connect.cc:1319
|
#22 0x14a172e97ad9 in start_thread nptl/pthread_create.c:444
|
#23 0x14a172f2847b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
240601 10:16:03 [ERROR] mysqld got signal 11 ;
|
This happens only on optimized UB+ASAN builds, not on debug, which assert with the `(*select_ref)->is_fixed()' assertion instead.
MTR Testcase example for the last comment
export UBSAN_OPTIONS=print_stacktrace=1 |
--source include/have_innodb.inc
|
CREATE TABLE t (a CHAR BINARY) ENGINE=InnoDB; |
--error 1054
|
SELECT * FROM t WHERE c2 BETWEEN '1000-00-01' AND '9999-12-31' ORDER BY c,c2 DESC LIMIT 2; |
UPDATE t SET c=1 ORDER BY (SELECT c); |
The same testcase does not crash 11.5, nor produce any UB+ASAN issue in that release:
|
11.5.0 e4afa610539ae01164485554e2de839bea9de816 (Optimized, UBASAN) |
11.5.0-opt>UPDATE t SET c=1 ORDER BY (SELECT c);
|
ERROR 1054 (42S22): Unknown column 'c' in 'field list'
|
Same for debug. Same for 11.1.6 @ 926e7cad48309ada177e83119a84e3d7703ed27d.
However, 10.11 gives a difference outcome:
|
10.11.9 f146ba82c4a5d6763b253aac412c6401555a8dac (Optimized, UBASAN) |
10.11.9-opt>UPDATE t SET c=1 ORDER BY (SELECT c);
|
ERROR 1247 (42S22): Reference 'c' not supported (forward reference in item list)
|
With no other UB/ASAN output. Debug asserts with the `(*select_ref)->is_fixed()' assertion.
There is definitely something odd happening here, like a memory overwrite. This testcase:
CREATE TABLE t(a CHAR BINARY); |
SELECT * FROM t WHERE c2 BETWEEN '1000-00-01' AND '9999-12-31' ORDER BY c,c2 DESC LIMIT 2; |
UPDATE t SET c=1 ORDER BY(SELECT c);#ERROR: 2013 - L; |
(Note the last line "#ERROR..." bit.) When executed with pquery, leads to
|
10.5.26 736449d30ffb2ec71bd700ac84eb38ba30bb662c (Optimized, UBASAN) |
SIGSEGV|Used_tables_and_const_cache::used_tables_and_const_cache_join|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
|
Howerver, when executed with pquery as
CREATE TABLE t(a CHAR BINARY); |
SELECT * FROM t WHERE c2 BETWEEN '1000-00-01' AND '9999-12-31' ORDER BY c,c2 DESC LIMIT 2; |
UPDATE t SET c=1 ORDER BY(SELECT c); |
(No nore #ERROR...), Leads to:
|
10.5.26 736449d30ffb2ec71bd700ac84eb38ba30bb662c (Optimized, UBASAN) |
UBSAN|member call on address X which does not point to an object of type 'Item'|sql/item.h|Used_tables_and_const_cache::used_tables_and_const_cache_join|Item_field::fix_outer_field|Item_field::fix_fields|Item::fix_fields_if_needed
|
And again, when changed to:
CREATE TABLE t(a CHAR BINARY); |
SELECT * FROM t WHERE c2 BETWEEN '1000-00-01' AND '9999-12-31' ORDER BY c,c2 DESC LIMIT 2; |
UPDATE t SET c=1 ORDER BY(SELECT c);#ERROR: 2013 - Lost connection to MySQL server during query; |
Leads to:
|
10.5.26 736449d30ffb2ec71bd700ac84eb38ba30bb662c (Optimized, UBASAN) |
SIGSEGV|__dynamic_cast|__ubsan::checkDynamicType|HandleDynamicTypeCacheMiss|__ubsan::__ubsan_handle_dynamic_type_cache_miss
|
All this is consistently reproducible. The full stack for the last (new) SIGSEGV:
|
10.5.26 736449d30ffb2ec71bd700ac84eb38ba30bb662c (Optimized) |
Core was generated by `/test/UBASAN_MD250524-mariadb-10.5.26-linux-x86_64-opt/bin/mariadbd --no-defaul'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
|
Download failed: Invalid argument. Continuing without source file ./nptl/./nptl/pthread_kill.c.
|
[Current thread is 1 (LWP 457893)]
|
(gdb) bt
|
#0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
|
#1 __pthread_kill_internal (signo=11, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
|
#2 __GI___pthread_kill (threadid=<optimized out>, signo=11)at ./nptl/pthread_kill.c:89
|
#3 0x000056382e3a7fe3 in handle_fatal_signal (sig=<optimized out>)at /test/10.5_opt_san/sql/signal_handler.cc:357
|
#4 <signal handler called>
|
#5 0x000014cb48ab5990 in __dynamic_cast ()
|
from /lib/x86_64-linux-gnu/libstdc++.so.6
|
#6 0x000014cb4821063b in __ubsan::checkDynamicType (Object=Object@entry=0x62b000086e00, Type=0x563831feff90 <typeinfo for Item>, Hash=2392176982462739827)at ../../../../src/libsanitizer/ubsan/ubsan_type_hash_itanium.cpp:232
|
#7 0x000014cb4820f156 in HandleDynamicTypeCacheMiss (Data=Data@entry=0x563835208be0, Pointer=Pointer@entry=108508054318592, Hash=<optimized out>, Opts={FromUnrecoverableHandler = false, pc = 94799296018712, bp = 22862681818304}) at ../../../../src/libsanitizer/ubsan/ubsan_handlers_cxx.cpp:36
|
#8 0x000014cb4820f83f in __ubsan::__ubsan_handle_dynamic_type_cache_miss (Data=Data@entry=0x563835208be0, Pointer=Pointer@entry=108508054318592, Hash=<optimized out>)at ../../../../src/libsanitizer/ubsan/ubsan_handlers_cxx.cpp:87
|
#9 0x000056382e5d3918 in Used_tables_and_const_cache::used_tables_and_const_cache_join (this=0x62b000086c68, item=0x62b000086e00)at /test/10.5_opt_san/sql/item.h:5190
|
#10 0x000056382e52f978 in Item_field::fix_outer_field (this=this@entry=0x62b000086220, thd=thd@entry=0x62b00007e218, from_field=from_field@entry=0x14cb22074700, reference=reference@entry=0x62b000086370)at /test/10.5_opt_san/sql/item.cc:5899
|
#11 0x000056382e536f44 in Item_field::fix_fields (this=0x62b000086220, thd=0x62b00007e218, reference=<optimized out>)at /test/10.5_opt_san/sql/item.cc:6183
|
#12 0x000056382cd19eb7 in Item::fix_fields_if_needed (ref=<optimized out>, thd=<optimized out>, this=<optimized out>)at /test/10.5_opt_san/sql/item.h:1004
|
#13 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x62b00007e218, this=0x62b000086220)at /test/10.5_opt_san/sql/item.h:1008
|
#14 setup_fields (thd=0x62b00007e218, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x62b000087468, pre_fix=<optimized out>, allow_sum_func=<optimized out>) at /test/10.5_opt_san/sql/sql_base.cc:7673
|
#15 0x000056382d3dffad in JOIN::prepare (this=0x62b000087140, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>)at /test/10.5_opt_san/sql/sql_select.cc:1375
|
#16 0x000056382ec51275 in subselect_single_select_engine::prepare (this=<optimized out>, thd=0x62b00007e218)at /test/10.5_opt_san/sql/item_subselect.cc:3858
|
#17 0x000056382ec49153 in Item_subselect::fix_fields (this=0x62b000086bd8, thd_param=<optimized out>, ref=<optimized out>)at /test/10.5_opt_san/sql/item_subselect.cc:291
|
#18 0x000056382d102996 in Item::fix_fields_if_needed (ref=0x62b000086e08, thd=0x62b00007e218, this=0x62b000086bd8)at /test/10.5_opt_san/sql/item.h:1004
|
#19 Item::fix_fields_if_needed_for_scalar (this=0x62b000086bd8, thd=0x62b00007e218, ref=0x62b000086e08)at /test/10.5_opt_san/sql/item.h:1008
|
#20 0x000056382d217d2a in Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=<optimized out>, this=0x62b000086bd8)at /test/10.5_opt_san/sql/item.h:1016
|
#21 find_order_in_list (thd=thd@entry=0x62b00007e218, ref_pointer_array=<optimized out>, tables=tables@entry=0x62b0000853c8, order=order@entry=0x62b000086df8, fields=@0x14cb220752a0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56383a7bd440 <end_of_list>, last = 0x14cb220752a0, elements = 0}, <No data fields>}, all_fields=<optimized out>, is_group_field=<optimized out>, add_to_all_fields=<optimized out>, from_window_spec=<optimized out>)at /test/10.5_opt_san/sql/sql_select.cc:25294
|
#22 0x000056382d2f486c in setup_order (thd=thd@entry=0x62b00007e218, ref_pointer_array={m_array = 0x62b000087048, m_size = 30}, tables=tables@entry=0x62b0000853c8, fields=@0x14cb220752a0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56383a7bd440 <end_of_list>, last = 0x14cb220752a0, elements = 0}, <No data fields>}, all_fields=@0x14cb220752a0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56383a7bd440 <end_of_list>, last = 0x14cb220752a0, elements = 0}, <No data fields>}, order=0x62b000086df8, from_window_spec=false)at /test/10.5_opt_san/sql/sql_select.cc:25341
|
#23 0x000056382d6befd4 in mysql_prepare_update (thd=thd@entry=0x62b00007e218, table_list=0x62b0000853c8, conds=conds@entry=0x14cb22075660, order_num=order_num@entry=1, order=order@entry=0x62b000086df8)at /test/10.5_opt_san/sql/sql_update.cc:1449
|
#24 0x000056382d6c104f in mysql_update (thd=thd@entry=0x62b00007e218, table_list=<optimized out>, fields=@0x62b0000829a8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x62b000085d00, last = 0x62b000085d00, elements = 1}, <No data fields>}, values=@0x62b000082f68: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x62b000085d18, last = 0x62b000085d18, elements = 1}, <No data fields>}, conds=<optimized out>, conds@entry=0x0, order_num=order_num@entry=1, order=<optimized out>, limit=<optimized out>, ignore=<optimized out>, found_return=<optimized out>, updated_return=<optimized out>)at /test/10.5_opt_san/sql/sql_update.cc:479
|
#25 0x000056382d0c9559 in mysql_execute_command (thd=thd@entry=0x62b00007e218)at /test/10.5_opt_san/sql/sql_parse.cc:4494
|
#26 0x000056382d0e623f in mysql_parse (thd=thd@entry=0x62b00007e218, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14cb22076b10, is_com_multi=<optimized out>, is_next_command=<optimized out>)at /test/10.5_opt_san/sql/sql_parse.cc:8204
|
#27 0x000056382d0f27dd in dispatch_command (command=<optimized out>, thd=thd@entry=0x62b00007e218, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false)at /test/10.5_opt_san/sql/sql_parse.cc:1892
|
#28 0x000056382d0ff28c in do_command (thd=0x62b00007e218)at /test/10.5_opt_san/sql/sql_parse.cc:1376
|
#29 0x000056382d8d6c30 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x608000002738, put_in_cache=put_in_cache@entry=true)at /test/10.5_opt_san/sql/sql_connect.cc:1417
|
#30 0x000056382d8d902d in handle_one_connection (arg=0x608000002738)at /test/10.5_opt_san/sql/sql_connect.cc:1319
|
#31 0x000014cb47e97ada in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:444
|
#32 0x000014cb47f2847c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
Note: the testcases and outcomes mentioned in this comment require pquery client. Once a fix is ready, I can test to see if these outcomes are gone.
Another occurrence of a similar nature is this one:
CREATE TABLE t(c1 INT NOT NULL, c2 TIME NULL, PRIMARY KEY(c1)); |
CREATE TABLE t2(a INT UNSIGNED NOT NULL, b BIGINT NOT NULL, c CHAR(1), d VARBINARY(1) NOT NULL, e VARBINARY(1) NOT NULL, f VARCHAR(1), g BLOB, h TINYBLOB, id BIGINT NOT NULL, KEY(b), KEY(e), PRIMARY KEY(id)) ENGINE=InnoDB;######; |
UPDATE t SET c=1 ORDER BY(SELECT c);###########################################################; |
When the '#' are changed or removed, the testcase outcome changes. When this is replayed with pquery, we see (consistently):
|
10.5.26 736449d30ffb2ec71bd700ac84eb38ba30bb662c (Optimized, UBASAN) |
==1705023==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000870d0 at pc 0x55e3891b4925 bp 0x14986bddb4c0 sp 0x14986bddb4b0
|
READ of size 8 at 0x62b0000870d0 thread T23
|
#0 0x55e3891b4924 in Used_tables_and_const_cache::used_tables_and_const_cache_join(Item const*) /test/10.5_opt_san/sql/item.h:5190
|
#1 0x55e389110977 in Item_field::fix_outer_field(THD*, Field**, Item**) /test/10.5_opt_san/sql/item.cc:5899
|
#2 0x55e389117f43 in Item_field::fix_fields(THD*, Item**) /test/10.5_opt_san/sql/item.cc:6183
|
#3 0x55e3878faeb6 in Item::fix_fields_if_needed(THD*, Item**) /test/10.5_opt_san/sql/item.h:1004
|
#4 0x55e3878faeb6 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/10.5_opt_san/sql/item.h:1008
|
#5 0x55e3878faeb6 in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool) /test/10.5_opt_san/sql/sql_base.cc:7673
|
#6 0x55e387fc0fac in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/10.5_opt_san/sql/sql_select.cc:1375
|
#7 0x55e389832274 in subselect_single_select_engine::prepare(THD*) /test/10.5_opt_san/sql/item_subselect.cc:3858
|
#8 0x55e38982a152 in Item_subselect::fix_fields(THD*, Item**) /test/10.5_opt_san/sql/item_subselect.cc:291
|
#9 0x55e387ce3995 in Item::fix_fields_if_needed(THD*, Item**) /test/10.5_opt_san/sql/item.h:1004
|
#10 0x55e387ce3995 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/10.5_opt_san/sql/item.h:1008
|
#11 0x55e387df8d29 in Item::fix_fields_if_needed_for_order_by(THD*, Item**) /test/10.5_opt_san/sql/item.h:1016
|
#12 0x55e387df8d29 in find_order_in_list /test/10.5_opt_san/sql/sql_select.cc:25294
|
#13 0x55e387ed586b in setup_order(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, st_order*, bool) /test/10.5_opt_san/sql/sql_select.cc:25341
|
#14 0x55e38829ffd3 in mysql_prepare_update(THD*, TABLE_LIST*, Item**, unsigned int, st_order*) /test/10.5_opt_san/sql/sql_update.cc:1449
|
#15 0x55e3882a204e in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /test/10.5_opt_san/sql/sql_update.cc:479
|
#16 0x55e387caa558 in mysql_execute_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:4494
|
#17 0x55e387cc723e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:8204
|
#18 0x55e387cd37dc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:1892
|
#19 0x55e387ce028b in do_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:1376
|
#20 0x55e3884b7c2f in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_san/sql/sql_connect.cc:1417
|
#21 0x55e3884ba02c in handle_one_connection /test/10.5_opt_san/sql/sql_connect.cc:1319
|
#22 0x149890e97ad9 in start_thread nptl/pthread_create.c:444
|
#23 0x149890f2847b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
0x62b0000870d0 is located 7888 bytes inside of 24624-byte region [0x62b000085200,0x62b00008b230)
|
allocated by thread T23 here:
|
#0 0x55e3875809a7 in __interceptor_malloc (/test/UBASAN_MD250524-mariadb-10.5.26-linux-x86_64-opt/bin/mariadbd+0x757a9a7)
|
#1 0x55e38b882f14 in my_malloc /test/10.5_opt_san/mysys/my_malloc.c:91
|
#2 0x55e38b85c3c1 in reset_root_defaults /test/10.5_opt_san/mysys/my_alloc.c:148
|
#3 0x55e3879780ce in THD::init_for_queries() /test/10.5_opt_san/sql/sql_class.cc:1409
|
#4 0x55e3884b23a4 in prepare_new_connection_state(THD*) /test/10.5_opt_san/sql/sql_connect.cc:1246
|
#5 0x55e3884b4057 in thd_prepare_connection(THD*) /test/10.5_opt_san/sql/sql_connect.cc:1340
|
#6 0x55e3884b4057 in thd_prepare_connection(THD*) /test/10.5_opt_san/sql/sql_connect.cc:1329
|
#7 0x55e3884b6cd7 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_san/sql/sql_connect.cc:1407
|
#8 0x55e3884ba02c in handle_one_connection /test/10.5_opt_san/sql/sql_connect.cc:1319
|
#9 0x149890e97ad9 in start_thread nptl/pthread_create.c:444
|
|
|
Thread T23 created by T0 here:
|
#0 0x55e3875247c5 in pthread_create (/test/UBASAN_MD250524-mariadb-10.5.26-linux-x86_64-opt/bin/mariadbd+0x751e7c5)
|
#1 0x55e3875d6f7e in create_thread_to_handle_connection(CONNECT*) /test/10.5_opt_san/sql/mysqld.cc:6095
|
#2 0x55e3875e868d in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.5_opt_san/sql/mysqld.cc:6219
|
#3 0x55e3875e9422 in handle_connections_sockets() /test/10.5_opt_san/sql/mysqld.cc:6346
|
#4 0x55e3875eb104 in mysqld_main(int, char**) /test/10.5_opt_san/sql/mysqld.cc:5741
|
#5 0x149890e280cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /test/10.5_opt_san/sql/item.h:5190 in Used_tables_and_const_cache::used_tables_and_const_cache_join(Item const*)
|
Shadow bytes around the buggy address:
|
0x0c5680008dc0: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
|
0x0c5680008dd0: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00
|
0x0c5680008de0: 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00
|
0x0c5680008df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 f7
|
0x0c5680008e00: 00 00 00 00 00 f7 00 00 00 f7 00 00 00 00 00 00
|
=>0x0c5680008e10: 00 00 00 00 00 00 00 f7 00 00[f7]00 00 00 00 00
|
0x0c5680008e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c5680008e30: 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00
|
0x0c5680008e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c5680008e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c5680008e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==1705023==ABORTING
|
240601 13:27:13 [ERROR] mysqld got signal 6 ;
|
Confirming the earlier suspected memory corruption.
It would be great to see this bug fixed. It regularly affects testing. Another example, seen when executing the testcase using pquery only:
CREATE TABLE t (a VARCHAR(5000),FULLTEXT (a)) ENGINE=InnoDB; |
SELECT * FROM t1 WHERE c1=-255 ORDER BY c1,c6 LIMIT 2; |
UPDATE t SET c=0 ORDER BY(SELECT c);###### |
Removing the "######" makes the testcase non-reproducible.
Additional issues observed, including on optimized/release builds, with this testcase:
CREATE TEMPORARY TABLE t1 (c INT) ENGINE=Aria; |
CREATE TABLE t2 (c INT) ENGINE=InnoDB; |
INSERT INTO t2 VALUES (0, 1); |
EXPLAIN SELECT c+0 FROM t2; |
UPDATE t1 SET d=1 ORDER BY (SELECT d); |
Leads to:
|
CS 10.6.20 2e580dc2a8da4aaf3a7f1b3cfb4f897dbb5f7089 (Optimized) |
2024-09-07 13:04:15 0 [Note] /test/MD190824-mariadb-10.6.20-linux-x86_64-opt/bin/mariadbd: ready for connections.
|
Version: '10.6.20-MariaDB' socket: '/test/MD190824-mariadb-10.6.20-linux-x86_64-opt/socket.sock' port: 12659 MariaDB Server
|
pure virtual method called
|
terminate called without an active exception
|
|
CS 10.6.20 2e580dc2a8da4aaf3a7f1b3cfb4f897dbb5f7089 (Optimized) |
Core was generated by `/test/MD190824-mariadb-10.6.20-linux-x86_64-opt/bin/mariadbd --no-defaults --ma'.
|
Program terminated with signal SIGABRT, Aborted.
|
Download failed: Invalid argument. Continuing without source file ./nptl/./nptl/pthread_kill.c.
|
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
|
|
|
[Current thread is 1 (LWP 87395)]
|
(gdb) bt
|
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
|
#1 __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
|
#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
|
#3 0x00001518fe64526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
|
#4 0x00001518fe6288ff in __GI_abort () at ./stdlib/abort.c:79
|
#5 0x00001518feaa5ffe in __gnu_cxx::__verbose_terminate_handler ()at ../../../../src/libstdc++-v3/libsupc++/vterminate.cc:95
|
#6 0x00001518feabae9c in __cxxabiv1::__terminate (handler=<optimized out>)at ../../../../src/libstdc++-v3/libsupc++/eh_terminate.cc:48
|
#7 0x00001518feaa5a49 in std::terminate ()at ../../../../src/libstdc++-v3/libsupc++/eh_terminate.cc:58
|
#8 0x00001518feabbc45 in __cxxabiv1::__cxa_pure_virtual ()at ../../../../src/libstdc++-v3/libsupc++/pure.cc:50
|
#9 0x0000565139a7a213 in Item_ref::fix_fields (this=0x1518a4012cc8, thd=<optimized out>, reference=0x1518a4011980)at /test/10.6_opt/sql/item.cc:8398
|
#10 0x0000565139a78f90 in Item_field::fix_outer_field (this=this@entry=0x1518a4011860, thd=thd@entry=0x1518a4000c68, from_field=from_field@entry=0x1518fc167400, reference=reference@entry=0x1518a4011980)at /test/10.6_opt/sql/item.cc:6059
|
#11 0x0000565139a79a1d in Item_field::fix_fields (this=0x1518a4011860, thd=0x1518a4000c68, reference=0x1518a4011980)at /test/10.6_opt/sql/item.cc:6278
|
#12 0x00005651397941eb in Item::fix_fields_if_needed (ref=0x1518a4011980, thd=0x1518a4000c68, this=0x1518a4011860) at /test/10.6_opt/sql/item.h:1167
|
#13 Item::fix_fields_if_needed (ref=0x1518a4011980, thd=<optimized out>, this=0x1518a4011860) at /test/10.6_opt/sql/item.h:1165
|
#14 Item::fix_fields_if_needed_for_scalar (ref=0x1518a4011980, thd=<optimized out>, this=0x1518a4011860) at /test/10.6_opt/sql/item.h:1176
|
#15 setup_fields (thd=thd@entry=0x1518a4000c68, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x1518a40129f0, pre_fix=0x1518a4011660, allow_sum_func=true) at /test/10.6_opt/sql/sql_base.cc:7779
|
#16 0x000056513985c723 in JOIN::prepare (this=0x1518a4012698, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x1518a4011390, unit_arg=0x1518a4011998) at /test/10.6_opt/sql/sql_select.cc:1498
|
#17 0x0000565139b28955 in subselect_single_select_engine::prepare (this=0x1518a4012340, thd=0x1518a4000c68)at /test/10.6_opt/sql/sql_lex.h:1396
|
#18 0x0000565139b27fbd in Item_subselect::fix_fields (this=0x1518a40121b8, thd_param=<optimized out>, ref=0x1518a40123a8)at /test/10.6_opt/sql/item_subselect.cc:297
|
#19 0x000056513982b91e in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1518a4000c68, this=0x1518a40121b8) at /test/10.6_opt/sql/item.h:1165
|
#20 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1518a4000c68, this=0x1518a40121b8) at /test/10.6_opt/sql/item.h:1165
|
#21 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1518a4000c68, this=0x1518a40121b8) at /test/10.6_opt/sql/item.h:1176
|
#22 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1518a4000c68, this=0x1518a40121b8) at /test/10.6_opt/sql/item.h:1184
|
#23 find_order_in_list (thd=thd@entry=0x1518a4000c68, tables=tables@entry=0x1518a4010ab8, order=order@entry=0x1518a4012398, fields=@0x1518fc167830: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56513aa979c0 <end_of_list>, last = 0x1518fc167830, elements = 0}, <No data fields>}, all_fields=@0x1518fc167830: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56513aa979c0 <end_of_list>, last = 0x1518fc167830, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false, ref_pointer_array=<optimized out>)at /test/10.6_opt/sql/sql_select.cc:26101
|
#24 0x0000565139857f4d in setup_order (thd=thd@entry=0x1518a4000c68, ref_pointer_array=<optimized out>, tables=tables@entry=0x1518a4010ab8, fields=@0x1518fc167830: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56513aa979c0 <end_of_list>, last = 0x1518fc167830, elements = 0}, <No data fields>}, all_fields=@0x1518fc167830: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56513aa979c0 <end_of_list>, last = 0x1518fc167830, elements = 0}, <No data fields>}, order=0x1518a4012398, from_window_spec=false)at /test/10.6_opt/sql/sql_select.cc:26148
|
#25 0x00005651398d9d8b in mysql_prepare_update (thd=thd@entry=0x1518a4000c68, table_list=0x1518a4010ab8, conds=conds@entry=0x1518fc167940, order_num=order_num@entry=1, order=order@entry=0x1518a4012398)at /test/10.6_opt/sql/sql_update.cc:1456
|
#26 0x00005651398da21c in mysql_update (thd=thd@entry=0x1518a4000c68, table_list=<optimized out>, fields=@0x1518a4005958: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1518a4011370, last = 0x1518a4011370, elements = 1}, <No data fields>}, values=@0x1518a4005db8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1518a4011380, last = 0x1518a4011380, elements = 1}, <No data fields>}, conds=<optimized out>, order_num=1, order=0x1518a4012398, limit=18446744073709551615, ignore=false, found_return=0x1518fc167e00, updated_return=0x1518fc167f70) at /test/10.6_opt/sql/sql_update.cc:479
|
#27 0x00005651397ff840 in mysql_execute_command (thd=thd@entry=0x1518a4000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/10.6_opt/sql/sql_parse.cc:4452
|
#28 0x000056513980368e in mysql_parse (thd=0x1518a4000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.6_opt/sql/sql_parse.cc:8165
|
#29 0x0000565139806055 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1518a4000c68, packet=packet@entry=0x1518a4008629 "UPDATE t1 SET d=1 ORDER BY (SELECT d)", packet_length=packet_length@entry=37, blocking=blocking@entry=true)at /test/10.6_opt/sql/sql_parse.cc:1996
|
#30 0x0000565139807cfd in do_command (thd=0x1518a4000c68, blocking=blocking@entry=true) at /test/10.6_opt/sql/sql_parse.cc:1410
|
#31 0x000056513992386f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56513bc25c18, put_in_cache=put_in_cache@entry=true)at /test/10.6_opt/sql/sql_connect.cc:1417
|
#32 0x0000565139923bdd in handle_one_connection (arg=arg@entry=0x56513bc25c18)at /test/10.6_opt/sql/sql_connect.cc:1319
|
#33 0x0000565139ce54c3 in pfs_spawn_thread (arg=0x56513bbced68)at /test/10.6_opt/storage/perfschema/pfs.cc:2201
|
#34 0x00001518fe69ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
|
#35 0x00001518fe729c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
MTR testcase (produces stack seen earlier in this issue):
CREATE TEMPORARY TABLE t1 (c INT) ENGINE=Aria; |
CREATE TABLE t2 (c INT); |
--error ER_WRONG_VALUE_COUNT_ON_ROW
|
INSERT INTO t2 VALUES (0, 1); |
EXPLAIN SELECT c+0 FROM t2; |
--error ER_BAD_FIELD_ERROR
|
UPDATE t1 SET d=1 ORDER BY (SELECT d); |
Please use the native CLI to reproduce the stack in this comment.
Additional testcase.
CLI:
CREATE TABLE t (a INT); # InnoDB |
INSERT INTO t VALUES('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',0); |
UPDATE t SET c=1 ORDER BY (SELECT c); |
MTR:
CREATE TABLE t (a INT); # MyISAM |
--error 1136
|
INSERT INTO t VALUES('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',0); |
UPDATE t SET c=1 ORDER BY (SELECT c); |
Removing a single 'a' leads to non-reproducibility likely indicating memory corruption / misalignment.
Bug confirmed present in:
MariaDB: 10.5.27 (dbg), 10.6.20 (dbg), 10.6.20 (opt), 10.11.10 (dbg), 10.11.10 (opt)
Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.5.27 (opt), 11.2.6 (dbg), 11.2.6 (opt), 11.4.4 (dbg), 11.4.4 (opt), 11.6.2 (dbg), 11.6.2 (opt), 11.7.0 (dbg), 11.7.0 (opt)
MDEV-29351 SIGSEGV when doing forward reference of item in select list
The reason for the crash was the code assumed that
SELECT_LEX.ref_pointer_array would be initialized with zero, which was
not the case. This cause the test of
if (!select->ref_pointer_array[counter]) in item.cc to be unpredictable and cause crashes
Fixed by zero-filling ref_pointer_array on allocation.
psergei Hi! is this another name resolution issue? Thank you