Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-29731

Crash when HAVING in a correlated subquery references columns in the outer query

    XMLWordPrintable

Details

    Description

      CREATE TABLE t(c INT,c2 INT UNIQUE) ENGINE=InnoDB;
      		 
      SELECT 1 FROM t WHERE c2=(SELECT 1 FROM t GROUP BY c HAVING c2=c+1) AND c2=1;

      Leads to:

      10.11.0 6ebdd3013a18b01dbecec76b870810329eb76586 (Debug)

      		 
      mysqld: /test/10.11_dbg/sql/item.cc:6009: virtual bool Item_field::fix_fields(THD*, Item**): Assertion `field' failed.

      10.11.0 6ebdd3013a18b01dbecec76b870810329eb76586 (Debug)

      		 
      Core was generated by `/test/MD190922-mariadb-10.11.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
      		 
      Program terminated with signal SIGABRT, Aborted.
      		 
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      		 
      [Current thread is 1 (Thread 0x151f28164700 (LWP 3246815))]
      		 
      (gdb) bt
      		 
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      		 
      #1  0x0000151f41ef2859 in __GI_abort () at abort.c:79
      		 
      #2  0x0000151f41ef2729 in __assert_fail_base (fmt=0x151f42088588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55e95a8ce218 "field", file=0x55e95aa78780 "/test/10.11_dbg/sql/item.cc", line=6009, function=<optimized out>) at assert.c:92
      		 
      #3  0x0000151f41f03fd6 in __GI___assert_fail (assertion=assertion@entry=0x55e95a8ce218 "field", file=file@entry=0x55e95aa78780 "/test/10.11_dbg/sql/item.cc", line=line@entry=6009, function=function@entry=0x55e95aa7b218 "virtual bool Item_field::fix_fields(THD*, Item**)") at assert.c:101
      		 
      #4  0x000055e95a00f1c4 in Item_field::fix_fields (this=0x151ec0069b10, thd=0x151ec0000d48, reference=0x151ec00151c8) at /test/10.11_dbg/sql/item.cc:6009
      		 
      #5  0x000055e95a063a80 in Item::fix_fields_if_needed (ref=0x151ec00151c8, thd=0x151ec0000d48, this=<optimized out>) at /test/10.11_dbg/sql/item.h:1144
      		 
      #6  Item_func::fix_fields (this=0x151ec0015150, thd=0x151ec0000d48, ref=<optimized out>) at /test/10.11_dbg/sql/item_func.cc:350
      		 
      #7  0x000055e959cd1b6c in st_select_lex::pushdown_from_having_into_where (this=0x151ec0014058, thd=0x151ec0000d48, having=0x0) at /test/10.11_dbg/sql/sql_lex.cc:11260
      		 
      #8  0x000055e959d7a7dc in JOIN::optimize_inner (this=this@entry=0x151ec0069528) at /test/10.11_dbg/sql/sql_select.cc:2281
      		 
      #9  0x000055e959d7b464 in JOIN::optimize (this=this@entry=0x151ec0069528) at /test/10.11_dbg/sql/sql_select.cc:1864
      		 
      #10 0x000055e959cbdb1a in st_select_lex::optimize_unflattened_subqueries (this=0x151ec00132f8, const_only=const_only@entry=false) at /test/10.11_dbg/sql/sql_lex.cc:4918
      		 
      #11 0x000055e959eb1813 in JOIN::optimize_unflattened_subqueries (this=this@entry=0x151ec0068f40) at /test/10.11_dbg/sql/opt_subselect.cc:5655
      		 
      #12 0x000055e959d7720a in JOIN::optimize_stage2 (this=this@entry=0x151ec0068f40) at /test/10.11_dbg/sql/sql_select.cc:3348
      		 
      #13 0x000055e959d7b09e in JOIN::optimize_inner (this=this@entry=0x151ec0068f40) at /test/10.11_dbg/sql/sql_select.cc:2551
      		 
      #14 0x000055e959d7b464 in JOIN::optimize (this=this@entry=0x151ec0068f40) at /test/10.11_dbg/sql/sql_select.cc:1864
      		 
      #15 0x000055e959d7b557 in mysql_select (thd=thd@entry=0x151ec0000d48, tables=0x151ec0013838, fields=@0x151ec0013598: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x151ec00137f0, last = 0x151ec00137f0, elements = 1}, <No data fields>}, conds=0x151ec0016340, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x151ec0016db0, unit=0x151ec0004f80, select_lex=0x151ec00132f8) at /test/10.11_dbg/sql/sql_select.cc:5057
      		 
      #16 0x000055e959d7bda0 in handle_select (thd=thd@entry=0x151ec0000d48, lex=lex@entry=0x151ec0004ea8, result=result@entry=0x151ec0016db0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.11_dbg/sql/sql_select.cc:582
      		 
      #17 0x000055e959ce5d94 in execute_sqlcom_select (thd=thd@entry=0x151ec0000d48, all_tables=0x151ec0013838) at /test/10.11_dbg/sql/sql_parse.cc:6261
      		 
      #18 0x000055e959cf2109 in mysql_execute_command (thd=thd@entry=0x151ec0000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.11_dbg/sql/sql_parse.cc:3945
      		 
      #19 0x000055e959ce003c in mysql_parse (thd=thd@entry=0x151ec0000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x151f28163330) at /test/10.11_dbg/sql/sql_parse.cc:8037
      		 
      #20 0x000055e959ced66d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x151ec0000d48, packet=packet@entry=0x151ec000aed9 "SELECT 1 FROM t WHERE c2=(SELECT 1 FROM t GROUP BY c HAVING c2=c+1) AND c2=1", packet_length=packet_length@entry=76, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_class.h:1345
      		 
      #21 0x000055e959cefd97 in do_command (thd=0x151ec0000d48, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407
      		 
      #22 0x000055e959e53fb9 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55e95c330738, put_in_cache=put_in_cache@entry=true) at /test/10.11_dbg/sql/sql_connect.cc:1416
      		 
      #23 0x000055e959e544c3 in handle_one_connection (arg=0x55e95c330738) at /test/10.11_dbg/sql/sql_connect.cc:1318
      		 
      #24 0x0000151f42403609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      		 
      #25 0x0000151f41fef133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      10.5.18 23a8654cdbd84336fd2004bdd2b0cb4a0ecd3d4a (Debug)

      		 
      mysqld: /test/10.5_dbg/sql/item.cc:5954: virtual bool Item_field::fix_fields(THD*, Item**): Assertion `context' failed.

      10.5.18 23a8654cdbd84336fd2004bdd2b0cb4a0ecd3d4a (Debug)

      		 
      Core was generated by `/test/MD190922-mariadb-10.5.18-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
      		 
      Program terminated with signal SIGABRT, Aborted.
      		 
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      		 
      [Current thread is 1 (Thread 0x14ee32dfe700 (LWP 3247036))]
      		 
      (gdb) bt
      		 
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      		 
      #1  0x000014ee4b7bd859 in __GI_abort () at abort.c:79
      		 
      #2  0x000014ee4b7bd729 in __assert_fail_base (fmt=0x14ee4b953588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x559dfac0d8dd "context", file=0x559dfada1f84 "/test/10.5_dbg/sql/item.cc", line=5954, function=<optimized out>) at assert.c:92
      		 
      #3  0x000014ee4b7cefd6 in __GI___assert_fail (assertion=assertion@entry=0x559dfac0d8dd "context", file=file@entry=0x559dfada1f84 "/test/10.5_dbg/sql/item.cc", line=line@entry=5954, function=function@entry=0x559dfada4a20 "virtual bool Item_field::fix_fields(THD*, Item**)") at assert.c:101
      		 
      #4  0x0000559dfa2d5191 in Item_field::fix_fields (this=0x14ee000179c0, thd=0x14ee00000d48, reference=0x14ee00014e18) at /test/10.5_dbg/sql/item.cc:5954
      		 
      #5  0x0000559dfa32ce37 in Item::fix_fields_if_needed (ref=0x14ee00014e18, thd=0x14ee00000d48, this=0x14ee000179c0) at /test/10.5_dbg/sql/item.h:988
      		 
      #6  Item_func::fix_fields (this=0x14ee00014d80, thd=0x14ee00000d48, ref=<optimized out>) at /test/10.5_dbg/sql/item_func.cc:355
      		 
      #7  0x0000559df9fe0c27 in st_select_lex::pushdown_from_having_into_where (this=0x14ee00013bb0, thd=0x14ee00000d48, having=0x0) at /test/10.5_dbg/sql/sql_lex.cc:11137
      		 
      #8  0x0000559dfa075b87 in JOIN::optimize_inner (this=this@entry=0x14ee00017288) at /test/10.5_dbg/sql/sql_select.cc:2084
      		 
      #9  0x0000559dfa076822 in JOIN::optimize (this=this@entry=0x14ee00017288) at /test/10.5_dbg/sql/sql_select.cc:1686
      		 
      #10 0x0000559df9fcc8e3 in st_select_lex::optimize_unflattened_subqueries (this=0x14ee00012e08, const_only=const_only@entry=false) at /test/10.5_dbg/sql/sql_lex.cc:4879
      		 
      #11 0x0000559dfa199099 in JOIN::optimize_unflattened_subqueries (this=this@entry=0x14ee00016b38) at /test/10.5_dbg/sql/opt_subselect.cc:5643
      		 
      #12 0x0000559dfa0726ec in JOIN::optimize_stage2 (this=this@entry=0x14ee00016b38) at /test/10.5_dbg/sql/sql_select.cc:3126
      		 
      #13 0x0000559dfa076443 in JOIN::optimize_inner (this=this@entry=0x14ee00016b38) at /test/10.5_dbg/sql/sql_select.cc:2354
      		 
      #14 0x0000559dfa076822 in JOIN::optimize (this=this@entry=0x14ee00016b38) at /test/10.5_dbg/sql/sql_select.cc:1686
      		 
      #15 0x0000559dfa0768fd in mysql_select (thd=thd@entry=0x14ee00000d48, tables=0x14ee00013378, fields=@0x14ee00012f58: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14ee00013330, last = 0x14ee00013330, elements = 1}, <No data fields>}, conds=0x14ee00016048, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x14ee00016b10, unit=0x14ee00004cf0, select_lex=0x14ee00012e08) at /test/10.5_dbg/sql/sql_select.cc:4803
      		 
      #16 0x0000559dfa077440 in handle_select (thd=thd@entry=0x14ee00000d48, lex=lex@entry=0x14ee00004c28, result=result@entry=0x14ee00016b10, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_select.cc:444
      		 
      #17 0x0000559df9ff5377 in execute_sqlcom_select (thd=thd@entry=0x14ee00000d48, all_tables=0x14ee00013378) at /test/10.5_dbg/sql/sql_parse.cc:6315
      		 
      #18 0x0000559dfa001e6b in mysql_execute_command (thd=thd@entry=0x14ee00000d48) at /test/10.5_dbg/sql/sql_parse.cc:4006
      		 
      #19 0x0000559df9fef17d in mysql_parse (thd=thd@entry=0x14ee00000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14ee32dfd340, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:8101
      		 
      #20 0x0000559df9ffd1b4 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14ee00000d48, packet=packet@entry=0x14ee0000a979 "SELECT 1 FROM t WHERE c2=(SELECT 1 FROM t GROUP BY c HAVING c2=c+1) AND c2=1", packet_length=packet_length@entry=76, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_class.h:1296
      		 
      #21 0x0000559df9fffce6 in do_command (thd=0x14ee00000d48) at /test/10.5_dbg/sql/sql_parse.cc:1375
      		 
      #22 0x0000559dfa140948 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x559dfdd19198, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1416
      		 
      #23 0x0000559dfa140e51 in handle_one_connection (arg=0x559dfdd19198) at /test/10.5_dbg/sql/sql_connect.cc:1318
      		 
      #24 0x000014ee4bcce609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      		 
      #25 0x000014ee4b8ba133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      10.8.5 593fdee3973ce4ab4890a6fb9f740b3a28a44edc (Optimized)

      		 
      Core was generated by `/test/MD190922-mariadb-10.8.5-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  0x0000556ed602a8df in Item_field::fix_fields (this=0x152414048df0, thd=
      		 
          0x152414000c58, reference=0x152414012678)
      		 
          at /test/10.8_opt/sql/item.cc:6018
      		 
      [Current thread is 1 (Thread 0x152478098700 (LWP 3246781))]
      		 
      (gdb) bt
      		 
      #0  0x0000556ed602a8df in Item_field::fix_fields (this=0x152414048df0, thd=0x152414000c58, reference=0x152414012678) at /test/10.8_opt/sql/item.cc:6018
      		 
      #1  0x0000556ed606dd8d in Item::fix_fields_if_needed (ref=0x152414012678, thd=0x152414000c58, this=0x152414048df0) at /test/10.8_opt/sql/item.h:1142
      		 
      #2  Item::fix_fields_if_needed (ref=0x152414012678, thd=0x152414000c58, this=0x152414048df0) at /test/10.8_opt/sql/item.h:1142
      		 
      #3  Item_func::fix_fields (ref=<optimized out>, thd=0x152414000c58, this=0x152414012600) at /test/10.8_opt/sql/item_func.cc:350
      		 
      #4  Item_func::fix_fields (this=0x152414012600, thd=0x152414000c58, ref=<optimized out>) at /test/10.8_opt/sql/item_func.cc:317
      		 
      #5  0x0000556ed5dad802 in st_select_lex::pushdown_from_having_into_where (this=0x152414011510, thd=0x152414000c58, having=0x0) at /test/10.8_opt/sql/sql_lex.cc:11270
      		 
      #6  0x0000556ed5e37539 in JOIN::optimize_inner (this=0x152414048840) at /test/10.8_opt/sql/sql_select.cc:2248
      		 
      #7  0x0000556ed5e3a6a3 in JOIN::optimize (this=this@entry=0x152414048840) at /test/10.8_opt/sql/sql_select.cc:1834
      		 
      #8  0x0000556ed5d9dd34 in st_select_lex::optimize_unflattened_subqueries (this=0x1524140107b8, const_only=const_only@entry=false) at /test/10.8_opt/sql/sql_lex.cc:4944
      		 
      #9  0x0000556ed5f20872 in JOIN::optimize_unflattened_subqueries (this=this@entry=0x152414048290) at /test/10.8_opt/sql/opt_subselect.cc:5656
      		 
      #10 0x0000556ed5e33c7e in JOIN::optimize_stage2 (this=<optimized out>) at /test/10.8_opt/sql/sql_select.cc:3315
      		 
      #11 0x0000556ed5e382f8 in JOIN::optimize_inner (this=0x152414048290) at /test/10.8_opt/sql/sql_select.cc:2518
      		 
      #12 0x0000556ed5e3a6a3 in JOIN::optimize (this=this@entry=0x152414048290) at /test/10.8_opt/sql/sql_select.cc:1834
      		 
      #13 0x0000556ed5e3a78e in mysql_select (thd=0x152414000c58, tables=0x152414010cf8, fields=@0x152414010a58: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x152414010cb0, last = 0x152414010cb0, elements = 1}, <No data fields>}, conds=0x1524140137e8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x152414014250, unit=0x152414004ca8, select_lex=0x1524140107b8) at /test/10.8_opt/sql/sql_select.cc:5024
      		 
      #14 0x0000556ed5e3af27 in handle_select (thd=thd@entry=0x152414000c58, lex=lex@entry=0x152414004bd0, result=result@entry=0x152414014250, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.8_opt/sql/sql_select.cc:552
      		 
      #15 0x0000556ed5dbe241 in execute_sqlcom_select (thd=0x152414000c58, all_tables=0x152414010cf8) at /test/10.8_opt/sql/sql_parse.cc:6253
      		 
      #16 0x0000556ed5dcbd64 in mysql_execute_command (thd=0x152414000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.8_opt/sql/sql_parse.cc:3944
      		 
      #17 0x0000556ed5db9315 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x152414000c58) at /test/10.8_opt/sql/sql_parse.cc:8028
      		 
      #18 mysql_parse (thd=0x152414000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.8_opt/sql/sql_parse.cc:7950
      		 
      #19 0x0000556ed5dc4f4a in dispatch_command (command=COM_QUERY, thd=0x152414000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.8_opt/sql/sql_class.h:1368
      		 
      #20 0x0000556ed5dc6e92 in do_command (thd=0x152414000c58, blocking=blocking@entry=true) at /test/10.8_opt/sql/sql_parse.cc:1407
      		 
      #21 0x0000556ed5edca3f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x556ed83ea688, put_in_cache=put_in_cache@entry=true) at /test/10.8_opt/sql/sql_connect.cc:1416
      		 
      #22 0x0000556ed5edcd1d in handle_one_connection (arg=0x556ed83ea688) at /test/10.8_opt/sql/sql_connect.cc:1318
      		 
      #23 0x000015248f91a609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      		 
      #24 0x000015248f506133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      Bug confirmed present in:
      MariaDB: 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.3 (dbg), 10.9.3 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.3.37 (dbg), 10.3.37 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

      10.3 Gives no errors and 'empty set' on second query.

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. MDEV-32399 pushdown_from_having_into_where: SEGV at /mariadb-11.3.0/sql/item.cc:6013

          • Major - Major loss of function.
          • Closed
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. MDEV-32610 Server crash on 10.11.5

          • Major - Major loss of function.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-34155 Prepare statement with select from view fails on second execution when view definition has HAVING in a correlated subquery references columns in the outer query

          • Major - Major loss of function.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. MDEV-28506 SIGSEGV's in find_field_in_table[s][_ref], Item_field::fix_fields, create_view_field and MemcmpInterceptorCommon | Assertions `(*select_ref)->fixed' or '->is_fixed' and `table_list->table' failed

          • Major - Major loss of function.
          • Stalled

          Activity

            People

              oleg.smirnov Oleg Smirnov
              Roel Roel Van de Paar
              Votes:
              1 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.