[MDEV-29731] Crash when HAVING in a correlated subquery references columns in the outer query - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2, 11.3
Fix Version/s: 10.4.32, 10.5.23, 10.6.16, 10.10.7, 10.11.6, 11.0.4, 11.1.3
Component/s: Optimizer
Labels:

Description

CREATE TABLE t(c INT,c2 INT UNIQUE) ENGINE=InnoDB;

SELECT 1 FROM t WHERE c2=(SELECT 1 FROM t GROUP BY c HAVING c2=c+1) AND c2=1;

Leads to:

10.11.0 6ebdd3013a18b01dbecec76b870810329eb76586 (Debug)
mysqld: /test/10.11_dbg/sql/item.cc:6009: virtual bool Item_field::fix_fields(THD, Item*): Assertion `field' failed.

10.11.0 6ebdd3013a18b01dbecec76b870810329eb76586 (Debug)
Core was generated by `/test/MD190922-mariadb-10.11.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x151f28164700 (LWP 3246815))]
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x0000151f41ef2859 in __GI_abort () at abort.c:79
#2 0x0000151f41ef2729 in __assert_fail_base (fmt=0x151f42088588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55e95a8ce218 "field", file=0x55e95aa78780 "/test/10.11_dbg/sql/item.cc", line=6009, function=<optimized out>) at assert.c:92
#3 0x0000151f41f03fd6 in __GI___assert_fail (assertion=assertion@entry=0x55e95a8ce218 "field", file=file@entry=0x55e95aa78780 "/test/10.11_dbg/sql/item.cc", line=line@entry=6009, function=function@entry=0x55e95aa7b218 "virtual bool Item_field::fix_fields(THD, Item*)") at assert.c:101
#4 0x000055e95a00f1c4 in Item_field::fix_fields (this=0x151ec0069b10, thd=0x151ec0000d48, reference=0x151ec00151c8) at /test/10.11_dbg/sql/item.cc:6009
#5 0x000055e95a063a80 in Item::fix_fields_if_needed (ref=0x151ec00151c8, thd=0x151ec0000d48, this=<optimized out>) at /test/10.11_dbg/sql/item.h:1144
#6 Item_func::fix_fields (this=0x151ec0015150, thd=0x151ec0000d48, ref=<optimized out>) at /test/10.11_dbg/sql/item_func.cc:350
#7 0x000055e959cd1b6c in st_select_lex::pushdown_from_having_into_where (this=0x151ec0014058, thd=0x151ec0000d48, having=0x0) at /test/10.11_dbg/sql/sql_lex.cc:11260
#8 0x000055e959d7a7dc in JOIN::optimize_inner (this=this@entry=0x151ec0069528) at /test/10.11_dbg/sql/sql_select.cc:2281
#9 0x000055e959d7b464 in JOIN::optimize (this=this@entry=0x151ec0069528) at /test/10.11_dbg/sql/sql_select.cc:1864
#10 0x000055e959cbdb1a in st_select_lex::optimize_unflattened_subqueries (this=0x151ec00132f8, const_only=const_only@entry=false) at /test/10.11_dbg/sql/sql_lex.cc:4918
#11 0x000055e959eb1813 in JOIN::optimize_unflattened_subqueries (this=this@entry=0x151ec0068f40) at /test/10.11_dbg/sql/opt_subselect.cc:5655
#12 0x000055e959d7720a in JOIN::optimize_stage2 (this=this@entry=0x151ec0068f40) at /test/10.11_dbg/sql/sql_select.cc:3348
#13 0x000055e959d7b09e in JOIN::optimize_inner (this=this@entry=0x151ec0068f40) at /test/10.11_dbg/sql/sql_select.cc:2551
#14 0x000055e959d7b464 in JOIN::optimize (this=this@entry=0x151ec0068f40) at /test/10.11_dbg/sql/sql_select.cc:1864
#15 0x000055e959d7b557 in mysql_select (thd=thd@entry=0x151ec0000d48, tables=0x151ec0013838, fields=@0x151ec0013598: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x151ec00137f0, last = 0x151ec00137f0, elements = 1}, <No data fields>}, conds=0x151ec0016340, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x151ec0016db0, unit=0x151ec0004f80, select_lex=0x151ec00132f8) at /test/10.11_dbg/sql/sql_select.cc:5057
#16 0x000055e959d7bda0 in handle_select (thd=thd@entry=0x151ec0000d48, lex=lex@entry=0x151ec0004ea8, result=result@entry=0x151ec0016db0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.11_dbg/sql/sql_select.cc:582
#17 0x000055e959ce5d94 in execute_sqlcom_select (thd=thd@entry=0x151ec0000d48, all_tables=0x151ec0013838) at /test/10.11_dbg/sql/sql_parse.cc:6261
#18 0x000055e959cf2109 in mysql_execute_command (thd=thd@entry=0x151ec0000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.11_dbg/sql/sql_parse.cc:3945
#19 0x000055e959ce003c in mysql_parse (thd=thd@entry=0x151ec0000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x151f28163330) at /test/10.11_dbg/sql/sql_parse.cc:8037
#20 0x000055e959ced66d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x151ec0000d48, packet=packet@entry=0x151ec000aed9 "SELECT 1 FROM t WHERE c2=(SELECT 1 FROM t GROUP BY c HAVING c2=c+1) AND c2=1", packet_length=packet_length@entry=76, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_class.h:1345
#21 0x000055e959cefd97 in do_command (thd=0x151ec0000d48, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407
#22 0x000055e959e53fb9 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55e95c330738, put_in_cache=put_in_cache@entry=true) at /test/10.11_dbg/sql/sql_connect.cc:1416
#23 0x000055e959e544c3 in handle_one_connection (arg=0x55e95c330738) at /test/10.11_dbg/sql/sql_connect.cc:1318
#24 0x0000151f42403609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#25 0x0000151f41fef133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.5.18 23a8654cdbd84336fd2004bdd2b0cb4a0ecd3d4a (Debug)
mysqld: /test/10.5_dbg/sql/item.cc:5954: virtual bool Item_field::fix_fields(THD, Item*): Assertion `context' failed.

10.5.18 23a8654cdbd84336fd2004bdd2b0cb4a0ecd3d4a (Debug)
Core was generated by `/test/MD190922-mariadb-10.5.18-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x14ee32dfe700 (LWP 3247036))]
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x000014ee4b7bd859 in __GI_abort () at abort.c:79
#2 0x000014ee4b7bd729 in __assert_fail_base (fmt=0x14ee4b953588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x559dfac0d8dd "context", file=0x559dfada1f84 "/test/10.5_dbg/sql/item.cc", line=5954, function=<optimized out>) at assert.c:92
#3 0x000014ee4b7cefd6 in __GI___assert_fail (assertion=assertion@entry=0x559dfac0d8dd "context", file=file@entry=0x559dfada1f84 "/test/10.5_dbg/sql/item.cc", line=line@entry=5954, function=function@entry=0x559dfada4a20 "virtual bool Item_field::fix_fields(THD, Item*)") at assert.c:101
#4 0x0000559dfa2d5191 in Item_field::fix_fields (this=0x14ee000179c0, thd=0x14ee00000d48, reference=0x14ee00014e18) at /test/10.5_dbg/sql/item.cc:5954
#5 0x0000559dfa32ce37 in Item::fix_fields_if_needed (ref=0x14ee00014e18, thd=0x14ee00000d48, this=0x14ee000179c0) at /test/10.5_dbg/sql/item.h:988
#6 Item_func::fix_fields (this=0x14ee00014d80, thd=0x14ee00000d48, ref=<optimized out>) at /test/10.5_dbg/sql/item_func.cc:355
#7 0x0000559df9fe0c27 in st_select_lex::pushdown_from_having_into_where (this=0x14ee00013bb0, thd=0x14ee00000d48, having=0x0) at /test/10.5_dbg/sql/sql_lex.cc:11137
#8 0x0000559dfa075b87 in JOIN::optimize_inner (this=this@entry=0x14ee00017288) at /test/10.5_dbg/sql/sql_select.cc:2084
#9 0x0000559dfa076822 in JOIN::optimize (this=this@entry=0x14ee00017288) at /test/10.5_dbg/sql/sql_select.cc:1686
#10 0x0000559df9fcc8e3 in st_select_lex::optimize_unflattened_subqueries (this=0x14ee00012e08, const_only=const_only@entry=false) at /test/10.5_dbg/sql/sql_lex.cc:4879
#11 0x0000559dfa199099 in JOIN::optimize_unflattened_subqueries (this=this@entry=0x14ee00016b38) at /test/10.5_dbg/sql/opt_subselect.cc:5643
#12 0x0000559dfa0726ec in JOIN::optimize_stage2 (this=this@entry=0x14ee00016b38) at /test/10.5_dbg/sql/sql_select.cc:3126
#13 0x0000559dfa076443 in JOIN::optimize_inner (this=this@entry=0x14ee00016b38) at /test/10.5_dbg/sql/sql_select.cc:2354
#14 0x0000559dfa076822 in JOIN::optimize (this=this@entry=0x14ee00016b38) at /test/10.5_dbg/sql/sql_select.cc:1686
#15 0x0000559dfa0768fd in mysql_select (thd=thd@entry=0x14ee00000d48, tables=0x14ee00013378, fields=@0x14ee00012f58: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14ee00013330, last = 0x14ee00013330, elements = 1}, <No data fields>}, conds=0x14ee00016048, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x14ee00016b10, unit=0x14ee00004cf0, select_lex=0x14ee00012e08) at /test/10.5_dbg/sql/sql_select.cc:4803
#16 0x0000559dfa077440 in handle_select (thd=thd@entry=0x14ee00000d48, lex=lex@entry=0x14ee00004c28, result=result@entry=0x14ee00016b10, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_select.cc:444
#17 0x0000559df9ff5377 in execute_sqlcom_select (thd=thd@entry=0x14ee00000d48, all_tables=0x14ee00013378) at /test/10.5_dbg/sql/sql_parse.cc:6315
#18 0x0000559dfa001e6b in mysql_execute_command (thd=thd@entry=0x14ee00000d48) at /test/10.5_dbg/sql/sql_parse.cc:4006
#19 0x0000559df9fef17d in mysql_parse (thd=thd@entry=0x14ee00000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14ee32dfd340, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:8101
#20 0x0000559df9ffd1b4 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14ee00000d48, packet=packet@entry=0x14ee0000a979 "SELECT 1 FROM t WHERE c2=(SELECT 1 FROM t GROUP BY c HAVING c2=c+1) AND c2=1", packet_length=packet_length@entry=76, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_class.h:1296
#21 0x0000559df9fffce6 in do_command (thd=0x14ee00000d48) at /test/10.5_dbg/sql/sql_parse.cc:1375
#22 0x0000559dfa140948 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x559dfdd19198, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1416
#23 0x0000559dfa140e51 in handle_one_connection (arg=0x559dfdd19198) at /test/10.5_dbg/sql/sql_connect.cc:1318
#24 0x000014ee4bcce609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#25 0x000014ee4b8ba133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.8.5 593fdee3973ce4ab4890a6fb9f740b3a28a44edc (Optimized)
Core was generated by `/test/MD190922-mariadb-10.8.5-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000556ed602a8df in Item_field::fix_fields (this=0x152414048df0, thd=
0x152414000c58, reference=0x152414012678)
at /test/10.8_opt/sql/item.cc:6018
[Current thread is 1 (Thread 0x152478098700 (LWP 3246781))]
(gdb) bt
#0 0x0000556ed602a8df in Item_field::fix_fields (this=0x152414048df0, thd=0x152414000c58, reference=0x152414012678) at /test/10.8_opt/sql/item.cc:6018
#1 0x0000556ed606dd8d in Item::fix_fields_if_needed (ref=0x152414012678, thd=0x152414000c58, this=0x152414048df0) at /test/10.8_opt/sql/item.h:1142
#2 Item::fix_fields_if_needed (ref=0x152414012678, thd=0x152414000c58, this=0x152414048df0) at /test/10.8_opt/sql/item.h:1142
#3 Item_func::fix_fields (ref=<optimized out>, thd=0x152414000c58, this=0x152414012600) at /test/10.8_opt/sql/item_func.cc:350
#4 Item_func::fix_fields (this=0x152414012600, thd=0x152414000c58, ref=<optimized out>) at /test/10.8_opt/sql/item_func.cc:317
#5 0x0000556ed5dad802 in st_select_lex::pushdown_from_having_into_where (this=0x152414011510, thd=0x152414000c58, having=0x0) at /test/10.8_opt/sql/sql_lex.cc:11270
#6 0x0000556ed5e37539 in JOIN::optimize_inner (this=0x152414048840) at /test/10.8_opt/sql/sql_select.cc:2248
#7 0x0000556ed5e3a6a3 in JOIN::optimize (this=this@entry=0x152414048840) at /test/10.8_opt/sql/sql_select.cc:1834
#8 0x0000556ed5d9dd34 in st_select_lex::optimize_unflattened_subqueries (this=0x1524140107b8, const_only=const_only@entry=false) at /test/10.8_opt/sql/sql_lex.cc:4944
#9 0x0000556ed5f20872 in JOIN::optimize_unflattened_subqueries (this=this@entry=0x152414048290) at /test/10.8_opt/sql/opt_subselect.cc:5656
#10 0x0000556ed5e33c7e in JOIN::optimize_stage2 (this=<optimized out>) at /test/10.8_opt/sql/sql_select.cc:3315
#11 0x0000556ed5e382f8 in JOIN::optimize_inner (this=0x152414048290) at /test/10.8_opt/sql/sql_select.cc:2518
#12 0x0000556ed5e3a6a3 in JOIN::optimize (this=this@entry=0x152414048290) at /test/10.8_opt/sql/sql_select.cc:1834
#13 0x0000556ed5e3a78e in mysql_select (thd=0x152414000c58, tables=0x152414010cf8, fields=@0x152414010a58: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x152414010cb0, last = 0x152414010cb0, elements = 1}, <No data fields>}, conds=0x1524140137e8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x152414014250, unit=0x152414004ca8, select_lex=0x1524140107b8) at /test/10.8_opt/sql/sql_select.cc:5024
#14 0x0000556ed5e3af27 in handle_select (thd=thd@entry=0x152414000c58, lex=lex@entry=0x152414004bd0, result=result@entry=0x152414014250, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.8_opt/sql/sql_select.cc:552
#15 0x0000556ed5dbe241 in execute_sqlcom_select (thd=0x152414000c58, all_tables=0x152414010cf8) at /test/10.8_opt/sql/sql_parse.cc:6253
#16 0x0000556ed5dcbd64 in mysql_execute_command (thd=0x152414000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.8_opt/sql/sql_parse.cc:3944
#17 0x0000556ed5db9315 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x152414000c58) at /test/10.8_opt/sql/sql_parse.cc:8028
#18 mysql_parse (thd=0x152414000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.8_opt/sql/sql_parse.cc:7950
#19 0x0000556ed5dc4f4a in dispatch_command (command=COM_QUERY, thd=0x152414000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.8_opt/sql/sql_class.h:1368
#20 0x0000556ed5dc6e92 in do_command (thd=0x152414000c58, blocking=blocking@entry=true) at /test/10.8_opt/sql/sql_parse.cc:1407
#21 0x0000556ed5edca3f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x556ed83ea688, put_in_cache=put_in_cache@entry=true) at /test/10.8_opt/sql/sql_connect.cc:1416
#22 0x0000556ed5edcd1d in handle_one_connection (arg=0x556ed83ea688) at /test/10.8_opt/sql/sql_connect.cc:1318
#23 0x000015248f91a609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#24 0x000015248f506133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.3 (dbg), 10.9.3 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.37 (dbg), 10.3.37 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

10.3 Gives no errors and 'empty set' on second query.

Attachments

Issue Links

duplicates

MDEV-32399 pushdown_from_having_into_where: SEGV at /mariadb-11.3.0/sql/item.cc:6013

Closed

is duplicated by

MDEV-32610 Server crash on 10.11.5

Closed

relates to

MDEV-28506 SIGSEGV's in find_field_in_table[s][_ref], Item_field::fix_fields, create_view_field | Assertion `(*select_ref)->fixed' or '->is_fixed' failed in resolve_ref_in_select_and_group | Assertion `table_list->table' failed in find_field_in_table_ref

Stalled

Activity

People

Assignee:: Oleg Smirnov

Reporter:: Roel Van de Paar

Votes:: 1 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2022-10-06 21:09

Updated:: 2024-01-30 19:10

Resolved:: 2023-09-20 04:49

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.