Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL)
Description
CREATE TABLE t(c INT,c2 INT UNIQUE) ENGINE=InnoDB; |
SELECT 1 FROM t WHERE c2=(SELECT 1 FROM t GROUP BY c HAVING c2=c+1) AND c2=1; |
Leads to:
|
10.11.0 6ebdd3013a18b01dbecec76b870810329eb76586 (Debug) |
mysqld: /test/10.11_dbg/sql/item.cc:6009: virtual bool Item_field::fix_fields(THD*, Item**): Assertion `field' failed.
|
|
10.11.0 6ebdd3013a18b01dbecec76b870810329eb76586 (Debug) |
Core was generated by `/test/MD190922-mariadb-10.11.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
|
Program terminated with signal SIGABRT, Aborted.
|
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
|
[Current thread is 1 (Thread 0x151f28164700 (LWP 3246815))]
|
(gdb) bt
|
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
|
#1 0x0000151f41ef2859 in __GI_abort () at abort.c:79
|
#2 0x0000151f41ef2729 in __assert_fail_base (fmt=0x151f42088588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55e95a8ce218 "field", file=0x55e95aa78780 "/test/10.11_dbg/sql/item.cc", line=6009, function=<optimized out>) at assert.c:92
|
#3 0x0000151f41f03fd6 in __GI___assert_fail (assertion=assertion@entry=0x55e95a8ce218 "field", file=file@entry=0x55e95aa78780 "/test/10.11_dbg/sql/item.cc", line=line@entry=6009, function=function@entry=0x55e95aa7b218 "virtual bool Item_field::fix_fields(THD*, Item**)") at assert.c:101
|
#4 0x000055e95a00f1c4 in Item_field::fix_fields (this=0x151ec0069b10, thd=0x151ec0000d48, reference=0x151ec00151c8) at /test/10.11_dbg/sql/item.cc:6009
|
#5 0x000055e95a063a80 in Item::fix_fields_if_needed (ref=0x151ec00151c8, thd=0x151ec0000d48, this=<optimized out>) at /test/10.11_dbg/sql/item.h:1144
|
#6 Item_func::fix_fields (this=0x151ec0015150, thd=0x151ec0000d48, ref=<optimized out>) at /test/10.11_dbg/sql/item_func.cc:350
|
#7 0x000055e959cd1b6c in st_select_lex::pushdown_from_having_into_where (this=0x151ec0014058, thd=0x151ec0000d48, having=0x0) at /test/10.11_dbg/sql/sql_lex.cc:11260
|
#8 0x000055e959d7a7dc in JOIN::optimize_inner (this=this@entry=0x151ec0069528) at /test/10.11_dbg/sql/sql_select.cc:2281
|
#9 0x000055e959d7b464 in JOIN::optimize (this=this@entry=0x151ec0069528) at /test/10.11_dbg/sql/sql_select.cc:1864
|
#10 0x000055e959cbdb1a in st_select_lex::optimize_unflattened_subqueries (this=0x151ec00132f8, const_only=const_only@entry=false) at /test/10.11_dbg/sql/sql_lex.cc:4918
|
#11 0x000055e959eb1813 in JOIN::optimize_unflattened_subqueries (this=this@entry=0x151ec0068f40) at /test/10.11_dbg/sql/opt_subselect.cc:5655
|
#12 0x000055e959d7720a in JOIN::optimize_stage2 (this=this@entry=0x151ec0068f40) at /test/10.11_dbg/sql/sql_select.cc:3348
|
#13 0x000055e959d7b09e in JOIN::optimize_inner (this=this@entry=0x151ec0068f40) at /test/10.11_dbg/sql/sql_select.cc:2551
|
#14 0x000055e959d7b464 in JOIN::optimize (this=this@entry=0x151ec0068f40) at /test/10.11_dbg/sql/sql_select.cc:1864
|
#15 0x000055e959d7b557 in mysql_select (thd=thd@entry=0x151ec0000d48, tables=0x151ec0013838, fields=@0x151ec0013598: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x151ec00137f0, last = 0x151ec00137f0, elements = 1}, <No data fields>}, conds=0x151ec0016340, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x151ec0016db0, unit=0x151ec0004f80, select_lex=0x151ec00132f8) at /test/10.11_dbg/sql/sql_select.cc:5057
|
#16 0x000055e959d7bda0 in handle_select (thd=thd@entry=0x151ec0000d48, lex=lex@entry=0x151ec0004ea8, result=result@entry=0x151ec0016db0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.11_dbg/sql/sql_select.cc:582
|
#17 0x000055e959ce5d94 in execute_sqlcom_select (thd=thd@entry=0x151ec0000d48, all_tables=0x151ec0013838) at /test/10.11_dbg/sql/sql_parse.cc:6261
|
#18 0x000055e959cf2109 in mysql_execute_command (thd=thd@entry=0x151ec0000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.11_dbg/sql/sql_parse.cc:3945
|
#19 0x000055e959ce003c in mysql_parse (thd=thd@entry=0x151ec0000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x151f28163330) at /test/10.11_dbg/sql/sql_parse.cc:8037
|
#20 0x000055e959ced66d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x151ec0000d48, packet=packet@entry=0x151ec000aed9 "SELECT 1 FROM t WHERE c2=(SELECT 1 FROM t GROUP BY c HAVING c2=c+1) AND c2=1", packet_length=packet_length@entry=76, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_class.h:1345
|
#21 0x000055e959cefd97 in do_command (thd=0x151ec0000d48, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407
|
#22 0x000055e959e53fb9 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55e95c330738, put_in_cache=put_in_cache@entry=true) at /test/10.11_dbg/sql/sql_connect.cc:1416
|
#23 0x000055e959e544c3 in handle_one_connection (arg=0x55e95c330738) at /test/10.11_dbg/sql/sql_connect.cc:1318
|
#24 0x0000151f42403609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#25 0x0000151f41fef133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
|
10.5.18 23a8654cdbd84336fd2004bdd2b0cb4a0ecd3d4a (Debug) |
mysqld: /test/10.5_dbg/sql/item.cc:5954: virtual bool Item_field::fix_fields(THD*, Item**): Assertion `context' failed.
|
|
10.5.18 23a8654cdbd84336fd2004bdd2b0cb4a0ecd3d4a (Debug) |
Core was generated by `/test/MD190922-mariadb-10.5.18-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
|
Program terminated with signal SIGABRT, Aborted.
|
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
|
[Current thread is 1 (Thread 0x14ee32dfe700 (LWP 3247036))]
|
(gdb) bt
|
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
|
#1 0x000014ee4b7bd859 in __GI_abort () at abort.c:79
|
#2 0x000014ee4b7bd729 in __assert_fail_base (fmt=0x14ee4b953588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x559dfac0d8dd "context", file=0x559dfada1f84 "/test/10.5_dbg/sql/item.cc", line=5954, function=<optimized out>) at assert.c:92
|
#3 0x000014ee4b7cefd6 in __GI___assert_fail (assertion=assertion@entry=0x559dfac0d8dd "context", file=file@entry=0x559dfada1f84 "/test/10.5_dbg/sql/item.cc", line=line@entry=5954, function=function@entry=0x559dfada4a20 "virtual bool Item_field::fix_fields(THD*, Item**)") at assert.c:101
|
#4 0x0000559dfa2d5191 in Item_field::fix_fields (this=0x14ee000179c0, thd=0x14ee00000d48, reference=0x14ee00014e18) at /test/10.5_dbg/sql/item.cc:5954
|
#5 0x0000559dfa32ce37 in Item::fix_fields_if_needed (ref=0x14ee00014e18, thd=0x14ee00000d48, this=0x14ee000179c0) at /test/10.5_dbg/sql/item.h:988
|
#6 Item_func::fix_fields (this=0x14ee00014d80, thd=0x14ee00000d48, ref=<optimized out>) at /test/10.5_dbg/sql/item_func.cc:355
|
#7 0x0000559df9fe0c27 in st_select_lex::pushdown_from_having_into_where (this=0x14ee00013bb0, thd=0x14ee00000d48, having=0x0) at /test/10.5_dbg/sql/sql_lex.cc:11137
|
#8 0x0000559dfa075b87 in JOIN::optimize_inner (this=this@entry=0x14ee00017288) at /test/10.5_dbg/sql/sql_select.cc:2084
|
#9 0x0000559dfa076822 in JOIN::optimize (this=this@entry=0x14ee00017288) at /test/10.5_dbg/sql/sql_select.cc:1686
|
#10 0x0000559df9fcc8e3 in st_select_lex::optimize_unflattened_subqueries (this=0x14ee00012e08, const_only=const_only@entry=false) at /test/10.5_dbg/sql/sql_lex.cc:4879
|
#11 0x0000559dfa199099 in JOIN::optimize_unflattened_subqueries (this=this@entry=0x14ee00016b38) at /test/10.5_dbg/sql/opt_subselect.cc:5643
|
#12 0x0000559dfa0726ec in JOIN::optimize_stage2 (this=this@entry=0x14ee00016b38) at /test/10.5_dbg/sql/sql_select.cc:3126
|
#13 0x0000559dfa076443 in JOIN::optimize_inner (this=this@entry=0x14ee00016b38) at /test/10.5_dbg/sql/sql_select.cc:2354
|
#14 0x0000559dfa076822 in JOIN::optimize (this=this@entry=0x14ee00016b38) at /test/10.5_dbg/sql/sql_select.cc:1686
|
#15 0x0000559dfa0768fd in mysql_select (thd=thd@entry=0x14ee00000d48, tables=0x14ee00013378, fields=@0x14ee00012f58: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14ee00013330, last = 0x14ee00013330, elements = 1}, <No data fields>}, conds=0x14ee00016048, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x14ee00016b10, unit=0x14ee00004cf0, select_lex=0x14ee00012e08) at /test/10.5_dbg/sql/sql_select.cc:4803
|
#16 0x0000559dfa077440 in handle_select (thd=thd@entry=0x14ee00000d48, lex=lex@entry=0x14ee00004c28, result=result@entry=0x14ee00016b10, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_select.cc:444
|
#17 0x0000559df9ff5377 in execute_sqlcom_select (thd=thd@entry=0x14ee00000d48, all_tables=0x14ee00013378) at /test/10.5_dbg/sql/sql_parse.cc:6315
|
#18 0x0000559dfa001e6b in mysql_execute_command (thd=thd@entry=0x14ee00000d48) at /test/10.5_dbg/sql/sql_parse.cc:4006
|
#19 0x0000559df9fef17d in mysql_parse (thd=thd@entry=0x14ee00000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14ee32dfd340, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:8101
|
#20 0x0000559df9ffd1b4 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14ee00000d48, packet=packet@entry=0x14ee0000a979 "SELECT 1 FROM t WHERE c2=(SELECT 1 FROM t GROUP BY c HAVING c2=c+1) AND c2=1", packet_length=packet_length@entry=76, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_class.h:1296
|
#21 0x0000559df9fffce6 in do_command (thd=0x14ee00000d48) at /test/10.5_dbg/sql/sql_parse.cc:1375
|
#22 0x0000559dfa140948 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x559dfdd19198, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1416
|
#23 0x0000559dfa140e51 in handle_one_connection (arg=0x559dfdd19198) at /test/10.5_dbg/sql/sql_connect.cc:1318
|
#24 0x000014ee4bcce609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#25 0x000014ee4b8ba133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
|
10.8.5 593fdee3973ce4ab4890a6fb9f740b3a28a44edc (Optimized) |
Core was generated by `/test/MD190922-mariadb-10.8.5-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 0x0000556ed602a8df in Item_field::fix_fields (this=0x152414048df0, thd=
|
0x152414000c58, reference=0x152414012678)
|
at /test/10.8_opt/sql/item.cc:6018
|
[Current thread is 1 (Thread 0x152478098700 (LWP 3246781))]
|
(gdb) bt
|
#0 0x0000556ed602a8df in Item_field::fix_fields (this=0x152414048df0, thd=0x152414000c58, reference=0x152414012678) at /test/10.8_opt/sql/item.cc:6018
|
#1 0x0000556ed606dd8d in Item::fix_fields_if_needed (ref=0x152414012678, thd=0x152414000c58, this=0x152414048df0) at /test/10.8_opt/sql/item.h:1142
|
#2 Item::fix_fields_if_needed (ref=0x152414012678, thd=0x152414000c58, this=0x152414048df0) at /test/10.8_opt/sql/item.h:1142
|
#3 Item_func::fix_fields (ref=<optimized out>, thd=0x152414000c58, this=0x152414012600) at /test/10.8_opt/sql/item_func.cc:350
|
#4 Item_func::fix_fields (this=0x152414012600, thd=0x152414000c58, ref=<optimized out>) at /test/10.8_opt/sql/item_func.cc:317
|
#5 0x0000556ed5dad802 in st_select_lex::pushdown_from_having_into_where (this=0x152414011510, thd=0x152414000c58, having=0x0) at /test/10.8_opt/sql/sql_lex.cc:11270
|
#6 0x0000556ed5e37539 in JOIN::optimize_inner (this=0x152414048840) at /test/10.8_opt/sql/sql_select.cc:2248
|
#7 0x0000556ed5e3a6a3 in JOIN::optimize (this=this@entry=0x152414048840) at /test/10.8_opt/sql/sql_select.cc:1834
|
#8 0x0000556ed5d9dd34 in st_select_lex::optimize_unflattened_subqueries (this=0x1524140107b8, const_only=const_only@entry=false) at /test/10.8_opt/sql/sql_lex.cc:4944
|
#9 0x0000556ed5f20872 in JOIN::optimize_unflattened_subqueries (this=this@entry=0x152414048290) at /test/10.8_opt/sql/opt_subselect.cc:5656
|
#10 0x0000556ed5e33c7e in JOIN::optimize_stage2 (this=<optimized out>) at /test/10.8_opt/sql/sql_select.cc:3315
|
#11 0x0000556ed5e382f8 in JOIN::optimize_inner (this=0x152414048290) at /test/10.8_opt/sql/sql_select.cc:2518
|
#12 0x0000556ed5e3a6a3 in JOIN::optimize (this=this@entry=0x152414048290) at /test/10.8_opt/sql/sql_select.cc:1834
|
#13 0x0000556ed5e3a78e in mysql_select (thd=0x152414000c58, tables=0x152414010cf8, fields=@0x152414010a58: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x152414010cb0, last = 0x152414010cb0, elements = 1}, <No data fields>}, conds=0x1524140137e8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x152414014250, unit=0x152414004ca8, select_lex=0x1524140107b8) at /test/10.8_opt/sql/sql_select.cc:5024
|
#14 0x0000556ed5e3af27 in handle_select (thd=thd@entry=0x152414000c58, lex=lex@entry=0x152414004bd0, result=result@entry=0x152414014250, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.8_opt/sql/sql_select.cc:552
|
#15 0x0000556ed5dbe241 in execute_sqlcom_select (thd=0x152414000c58, all_tables=0x152414010cf8) at /test/10.8_opt/sql/sql_parse.cc:6253
|
#16 0x0000556ed5dcbd64 in mysql_execute_command (thd=0x152414000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.8_opt/sql/sql_parse.cc:3944
|
#17 0x0000556ed5db9315 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x152414000c58) at /test/10.8_opt/sql/sql_parse.cc:8028
|
#18 mysql_parse (thd=0x152414000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.8_opt/sql/sql_parse.cc:7950
|
#19 0x0000556ed5dc4f4a in dispatch_command (command=COM_QUERY, thd=0x152414000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.8_opt/sql/sql_class.h:1368
|
#20 0x0000556ed5dc6e92 in do_command (thd=0x152414000c58, blocking=blocking@entry=true) at /test/10.8_opt/sql/sql_parse.cc:1407
|
#21 0x0000556ed5edca3f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x556ed83ea688, put_in_cache=put_in_cache@entry=true) at /test/10.8_opt/sql/sql_connect.cc:1416
|
#22 0x0000556ed5edcd1d in handle_one_connection (arg=0x556ed83ea688) at /test/10.8_opt/sql/sql_connect.cc:1318
|
#23 0x000015248f91a609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#24 0x000015248f506133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
Bug confirmed present in:
MariaDB: 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.3 (dbg), 10.9.3 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)
Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.37 (dbg), 10.3.37 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)
10.3 Gives no errors and 'empty set' on second query.
Attachments
Issue Links
- duplicates
-
-
- Closed
-
- is duplicated by
-
-
- Closed
-
- relates to
-
-
- Open
-
-
-
- Stalled
-
Activity
| Field | Original Value | New Value |
|---|---|---|
| Link |
This issue relates to |
An additional testcase;
CREATE TABLE t(c DOUBLE,v2 DOUBLE UNIQUE CHECK ((c=1)OR (c=FALSE) OR (c AND 86) OR (c=0))) ENGINE=InnoDB; |
SELECT 1 FROM t WHERE v2=(SELECT 1 FROM t GROUP BY c HAVING c>v2 - 0)AND v2<=5 / 1 AND v2>=97; |
Which yields the following stacks/UniqueID's:
SIGSEGV|Item_field::fix_fields|Item::fix_fields_if_needed|Item::fix_fields_if_needed|Item_func::fix_fields
|
context|SIGABRT|Item_field::fix_fields|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed
|
field|SIGABRT|Item_field::fix_fields|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed
|
Of which the first one is MDEV-28206, and the last two are new / different from the above.
| Labels | regression-10.4 | regression-10.4 regression-10.5 |
An additional testcase;
CREATE TABLE t(c TEXT,c2 INT UNIQUE) ENGINE=InnoDB; |
SELECT 1 FROM t WHERE c2 IN(SELECT 1 FROM t GROUP BY'',c HAVING (CASE c2 WHEN 1 +''THEN 3 ELSE c END)ORDER BY c2) GROUP BY c2 HAVING c2=1; |
Yielding these additonal stacks/UniqueID's:
context|SIGABRT|Item_field::fix_fields|Item::fix_fields_if_needed|Item_func::fix_fields|Item_func_case::fix_fields
|
field|SIGABRT|Item_field::fix_fields|Item::fix_fields_if_needed|Item_func::fix_fields|Item_func_case::fix_fields
|
An additional testcase;
CREATE TABLE t(c INT,c2 CHAR KEY UNIQUE) ENGINE=InnoDB; |
CREATE VIEW v AS SELECT * FROM t WHERE c LIKE''GROUP BY c2 HAVING c>c; |
SELECT * FROM v AS v1 NATURAL JOIN v AS v5 NATURAL JOIN v WHERE c LIKE''AND c2 IN(SELECT''FROM t WHERE c LIKE''GROUP BY c HAVING c2 LIKE (c2< + 1 OR c>1)>=c2); |
Yielding these additonal stacks/UniqueID's:
context|SIGABRT|Item_field::fix_fields|Item::fix_fields_if_needed|Item_func::fix_fields|Item_func_like::fix_fields
|
field|SIGABRT|Item_field::fix_fields|Item::fix_fields_if_needed|Item_func::fix_fields|Item_func_like::fix_fields
|
Additionally, I noticed this testcase produces a UBSAN issue, ref next comment.
| Labels | regression-10.4 regression-10.5 | affects-tests regression-10.4 regression-10.5 |
| Labels | affects-tests regression-10.4 regression-10.5 | UBSAN affects-tests regression-10.4 regression-10.5 |
| Labels | UBSAN affects-tests regression-10.4 regression-10.5 | UBSAN affects-tests regression-10.4 |
The UBSAN issue is observed in optimized builds only.
CREATE TABLE t(c INT,c2 CHAR KEY UNIQUE) ENGINE=InnoDB; |
CREATE VIEW v AS SELECT * FROM t WHERE c LIKE''GROUP BY c2 HAVING c>c; |
SELECT * FROM v AS v1 NATURAL JOIN v AS v5 NATURAL JOIN v WHERE c LIKE''AND c2 IN(SELECT''FROM t WHERE c LIKE''GROUP BY c HAVING c2 LIKE (c2< + 1 OR c>1)>=c2); |
Leads to:
|
10.11.0 fe1f8f2c6b6f3b8e3383168225f9ae7853028947 (Optimized, UBASAN) |
/test/10.11_opt_san/sql/item.cc:6029:42: runtime error: member access within null pointer of type 'struct Name_resolution_context'
|
#0 0x5629a9e61ce0 in Item_field::fix_fields(THD*, Item**) /test/10.11_opt_san/sql/item.cc:6029
|
#1 0x5629aa1e1224 in Item::fix_fields_if_needed(THD*, Item**) /test/10.11_opt_san/sql/item.h:1144
|
#2 0x5629aa1e1224 in Item_func::fix_fields(THD*, Item**) /test/10.11_opt_san/sql/item_func.cc:347
|
#3 0x5629a9ffb5a0 in Item_func_like::fix_fields(THD*, Item**) /test/10.11_opt_san/sql/item_cmpfunc.cc:5785
|
#4 0x5629aa1e1224 in Item::fix_fields_if_needed(THD*, Item**) /test/10.11_opt_san/sql/item.h:1144
|
#5 0x5629aa1e1224 in Item_func::fix_fields(THD*, Item**) /test/10.11_opt_san/sql/item_func.cc:347
|
#6 0x5629a877df4a in st_select_lex::pushdown_from_having_into_where(THD*, Item*) /test/10.11_opt_san/sql/sql_lex.cc:11258
|
#7 0x5629a8bd8229 in JOIN::optimize_inner() /test/10.11_opt_san/sql/sql_select.cc:2281
|
#8 0x5629a8c03f6f in JOIN::optimize() /test/10.11_opt_san/sql/sql_select.cc:1863
|
#9 0x5629a86e5632 in st_select_lex::optimize_unflattened_subqueries(bool) /test/10.11_opt_san/sql/sql_lex.cc:4915
|
#10 0x5629a8bbe96e in JOIN::optimize_stage2() /test/10.11_opt_san/sql/sql_select.cc:3347
|
#11 0x5629a8bddd91 in JOIN::optimize_inner() /test/10.11_opt_san/sql/sql_select.cc:2550
|
#12 0x5629a8c03f6f in JOIN::optimize() /test/10.11_opt_san/sql/sql_select.cc:1863
|
#13 0x5629a8c151fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.11_opt_san/sql/sql_select.cc:5056
|
#14 0x5629a8c19093 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.11_opt_san/sql/sql_select.cc:581
|
#15 0x5629a8826c2f in execute_sqlcom_select /test/10.11_opt_san/sql/sql_parse.cc:6261
|
#16 0x5629a887753b in mysql_execute_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:3945
|
#17 0x5629a87f7500 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_opt_san/sql/sql_parse.cc:8035
|
#18 0x5629a884c0ff in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_opt_san/sql/sql_parse.cc:1894
|
#19 0x5629a88573fd in do_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:1407
|
#20 0x5629a91404cd in do_handle_one_connection(CONNECT*, bool) /test/10.11_opt_san/sql/sql_connect.cc:1418
|
#21 0x5629a9142b3c in handle_one_connection /test/10.11_opt_san/sql/sql_connect.cc:1312
|
#22 0x14e54c2d1608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
#23 0x14e54b546132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
|
Setup:
Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:
|
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
|
Set before execution:
|
export UBSAN_OPTIONS=print_stacktrace=1
|
UBSAN Bug confirmed present in:
MariaDB: 10.4.27 (opt), 10.5.18 (opt), 10.6.10 (opt), 10.7.6 (opt), 10.8.5 (opt), 10.9.2 (opt), 10.10.2 (opt), 10.11.0 (opt)
UBSAN Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.5.18 (dbg), 10.6.10 (dbg), 10.7.6 (dbg), 10.8.5 (dbg), 10.9.2 (dbg), 10.10.2 (dbg), 10.11.0 (dbg)
| Summary | Assertion `field' failed in Item_field::fix_fields, Assertion `context' failed in Item_field::fix_fields and SIGSEGV in Item_field::fix_fields on SELECT subquery using GROUP BY ... HAVING | Assertion `field' failed in Item_field::fix_fields, Assertion `context' failed in Item_field::fix_fields, SIGSEGV in Item_field::fix_fields, member access within null pointer of type 'struct Name_resolution_context' on SELECT subquery |
| Summary | Assertion `field' failed in Item_field::fix_fields, Assertion `context' failed in Item_field::fix_fields, SIGSEGV in Item_field::fix_fields, member access within null pointer of type 'struct Name_resolution_context' on SELECT subquery | Assertion `field' failed in Item_field::fix_fields, Assertion `context' failed in Item_field::fix_fields, SIGSEGV in Item_field::fix_fields, member access within null pointer of type 'struct Name_resolution_context' on SELECT subquery w/ GROUP BY |
| Status | Open [ 1 ] | Confirmed [ 10101 ] |
| Link |
This issue relates to |
Additional stack with:
SET sql_mode='only_full_group_by'; |
EXECUTE IMMEDIATE 'SELECT LEAD(c) OVER (ORDER BY c) FROM (SELECT 0 AS c) AS a NATURAL JOIN (SELECT 0 AS c) AS b;'; |
|
10.11.2 c194db34d93d8d94bd52b17349063fa401e3f942 (Debug) |
Core was generated by `/test/MD171222-mariadb-10.11.2-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 0x000055de9c220afc in Item_field::fix_fields (this=0x1554b8023908, thd=
|
0x1554b8000d48, reference=<optimized out>)
|
at /test/10.11_dbg/sql/item.cc:6256
|
6256 else if (thd->lex->in_sum_func->nest_level !=
|
[Current thread is 1 (Thread 0x1554ed81d700 (LWP 2635384))]
|
(gdb) bt
|
#0 0x000055de9c220afc in Item_field::fix_fields (this=0x1554b8023908, thd=0x1554b8000d48, reference=<optimized out>) at /test/10.11_dbg/sql/item.cc:6256
|
#1 0x000055de9be91530 in Item::fix_fields_if_needed (ref=0x1554ed81a830, thd=0x1554b8000d48, this=<optimized out>) at /test/10.11_dbg/sql/item.h:1147
|
#2 find_field_in_natural_join (actual_table=0x1554ed81a958, register_tree_change=true, ref=<optimized out>, length=1, name=0x1554b801f888 "c", table_ref=0x1554b8022810, thd=0x1554b8000d48) at /test/10.11_dbg/sql/sql_base.cc:6244
|
#3 find_field_in_table_ref (thd=thd@entry=0x1554b8000d48, table_list=table_list@entry=0x1554b8022810, name=name@entry=0x1554b801f888 "c", length=length@entry=1, item_name=<optimized out>, db_name=<optimized out>, db_name@entry=0x0, table_name=0x0, ignored_tables=0x0, ref=0x1554b801fa98, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x1554b801f978, register_tree_change=true, actual_table=0x1554ed81a958) at /test/10.11_dbg/sql/sql_base.cc:6496
|
#4 0x000055de9be91ed2 in find_field_in_tables (thd=thd@entry=0x1554b8000d48, item=item@entry=0x1554b801f890, first_table=<optimized out>, last_table=0x0, ignored_tables=0x0, ref=ref@entry=0x1554b801fa98, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at /test/10.11_dbg/sql/sql_base.cc:6765
|
#5 0x000055de9c22037a in Item_field::fix_fields (this=0x1554b801f890, thd=0x1554b8000d48, reference=0x1554b801fa98) at /test/10.11_dbg/sql/item.cc:6026
|
#6 0x000055de9c3cbe9a in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1554b8000d48, this=0x1554b801f890) at /test/10.11_dbg/sql/item.h:1156
|
#7 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1554b8000d48, this=0x1554b801f890) at /test/10.11_dbg/sql/item.h:1156
|
#8 Item_sum_hybrid_simple::fix_fields (this=0x1554b801fa20, thd=0x1554b8000d48, ref=0x1554b801fe28) at /test/10.11_dbg/sql/item_windowfunc.cc:350
|
#9 0x000055de9c3cbab3 in Item_window_func::fix_fields (this=0x1554b801fd58, thd=0x1554b8000d48, ref=0x1554b801fe28) at /test/10.11_dbg/sql/item_windowfunc.h:1079
|
#10 0x000055de9be92b46 in Item::fix_fields_if_needed (ref=0x1554b801fe28, thd=0x1554b8000d48, this=0x1554b801fd58) at /test/10.11_dbg/sql/item.h:1156
|
#11 Item::fix_fields_if_needed_for_scalar (ref=0x1554b801fe28, thd=0x1554b8000d48, this=0x1554b801fd58) at /test/10.11_dbg/sql/item.h:1156
|
#12 setup_fields (thd=0x1554b8000d48, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x1554b8014f10, pre_fix=0x1554b801f6c0, allow_sum_func=true) at /test/10.11_dbg/sql/sql_base.cc:7977
|
#13 0x000055de9bf81eff in JOIN::prepare (this=this@entry=0x1554b8014b78, tables_init=tables_init@entry=0x1554b8020c20, conds_init=conds_init@entry=0x0, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x1554b801f408, unit_arg=0x1554b801d768) at /test/10.11_dbg/sql/sql_select.cc:1459
|
#14 0x000055de9bf98c3e in mysql_select (thd=thd@entry=0x1554b8000d48, tables=0x1554b8020c20, fields=@0x1554b801f6a8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1554b801fe20, last = 0x1554b801fe20, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2201187781376, result=0x1554b8023820, unit=0x1554b801d768, select_lex=0x1554b801f408) at /test/10.11_dbg/sql/sql_select.cc:5055
|
#15 0x000055de9bf98e2d in handle_select (thd=thd@entry=0x1554b8000d48, lex=lex@entry=0x1554b801d690, result=result@entry=0x1554b8023820, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.11_dbg/sql/sql_select.cc:581
|
#16 0x000055de9bf0636d in execute_sqlcom_select (thd=thd@entry=0x1554b8000d48, all_tables=0x1554b8020c20) at /test/10.11_dbg/sql/sql_parse.cc:6265
|
#17 0x000055de9bf124a2 in mysql_execute_command (thd=0x1554b8000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:3949
|
#18 0x000055de9bf3b106 in Prepared_statement::execute (this=this@entry=0x1554b8019328, expanded_query=expanded_query@entry=0x1554ed81bb80, open_cursor=open_cursor@entry=false) at /test/10.11_dbg/sql/sql_prepare.cc:5225
|
#19 0x000055de9bf3b49f in Prepared_statement::execute_loop (this=this@entry=0x1554b8019328, expanded_query=expanded_query@entry=0x1554ed81bb80, open_cursor=open_cursor@entry=false, packet=packet@entry=0x0, packet_end=packet_end@entry=0x0) at /test/10.11_dbg/sql/sql_prepare.cc:4648
|
#20 0x000055de9bf3cbc1 in Prepared_statement::execute_immediate (this=this@entry=0x1554b8019328, query=<optimized out>, query_len=<optimized out>) at /test/10.11_dbg/sql/sql_prepare.cc:5376
|
#21 0x000055de9bf3cd90 in mysql_sql_stmt_execute_immediate (thd=thd@entry=0x1554b8000d48) at /test/10.11_dbg/sql/sql_prepare.cc:3099
|
#22 0x000055de9bf124e5 in mysql_execute_command (thd=thd@entry=0x1554b8000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.11_dbg/sql/sql_parse.cc:3955
|
#23 0x000055de9bf007f4 in mysql_parse (thd=thd@entry=0x1554b8000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1554ed81c300) at /test/10.11_dbg/sql/sql_parse.cc:8000
|
#24 0x000055de9bf0dd2f in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1554b8000d48, packet=packet@entry=0x1554b800adf9 "EXECUTE IMMEDIATE 'SELECT LEAD(c) OVER (ORDER BY c) FROM (SELECT 0 AS c) AS a NATURAL JOIN (SELECT 0 AS c) AS b;'", packet_length=packet_length@entry=113, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_class.h:1346
|
#25 0x000055de9bf1016d in do_command (thd=0x1554b8000d48, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407
|
#26 0x000055de9c06b013 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55de9f0d3928, put_in_cache=put_in_cache@entry=true) at /test/10.11_dbg/sql/sql_connect.cc:1416
|
#27 0x000055de9c06b4e2 in handle_one_connection (arg=0x55de9f0d3928) at /test/10.11_dbg/sql/sql_connect.cc:1318
|
#28 0x0000155506685609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#29 0x0000155506271133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
psergei Please also check if this testcase is the same issue (looks like it, but the sql_mode requirement makes me doubt)
| Link | This issue relates to MDEV-28506 [ MDEV-28506 ] |
| Fix Version/s | 10.7 [ 24805 ] |
| Fix Version/s | 10.8 [ 26121 ] |
Additional SIGSEGV with:
SET optimizer_switch='derived_merge=off'; |
CREATE TABLE t (c INT) ENGINE=InnoDB; |
SET SESSION sql_mode='only_full_group_by'; |
UPDATE t SET c=''WHERE 1 IN (SELECT * FROM (SELECT * FROM (SELECT * FROM t AS v5 NATURAL JOIN t AS v4 NATURAL JOIN t) AS v3 NATURAL JOIN t GROUP BY c) AS v2 WHERE (0,c) IN ((0,-1),(+1,0)) ORDER BY 1+AVG(c) OVER (ORDER BY c)) ORDER BY c; |
Leads to:
SIGSEGV|Item_field::fix_fields|Item::fix_fields_if_needed|Item_row::fix_fields|Item::fix_fields_if_needed
|
SIGSEGV|Item_field::fix_fields|Item::fix_fields_if_needed|Item::fix_fields_if_needed|Item_row::fix_fields
|
UBSAN|member access within null pointer of type 'struct SELECT_LEX'|sql/item.cc|Item_field::fix_fields|Item::fix_fields_if_needed|Item_row::fix_fields|Item::fix_fields_if_needed
|
10.6-11.3 Affected, opt+dbg. Please note the additional UBSAN stack (this time with type struct SELECT_LEX instead of struct Name_resolution_context) as well.
| Affects Version/s | 11.0 [ 28320 ] | |
| Affects Version/s | 11.1 [ 28549 ] | |
| Affects Version/s | 11.2 [ 28603 ] | |
| Affects Version/s | 11.3 [ 28565 ] |
| Fix Version/s | 10.11 [ 27614 ] | |
| Fix Version/s | 11.0 [ 28320 ] | |
| Fix Version/s | 11.1 [ 28549 ] | |
| Fix Version/s | 11.2 [ 28603 ] |
| Summary | Assertion `field' failed in Item_field::fix_fields, Assertion `context' failed in Item_field::fix_fields, SIGSEGV in Item_field::fix_fields, member access within null pointer of type 'struct Name_resolution_context' on SELECT subquery w/ GROUP BY | Assertion `field' failed in Item_field::fix_fields, Assertion `context' failed in Item_field::fix_fields, SIGSEGV in Item_field::fix_fields, member access within null pointer in various functions |
| Assignee | Sergei Petrunia [ psergey ] | Oleg Smirnov [ JIRAUSER50405 ] |
| Status | Confirmed [ 10101 ] | In Progress [ 3 ] |
I've noticed a strange thing regarding the name resolution during debugging the first test case:
CREATE TABLE t(c INT,c2 INT UNIQUE) ENGINE=InnoDB;
|
SELECT 1 FROM t
|
WHERE c2=(SELECT 1 FROM t GROUP BY c HAVING c2=c+1) AND c2=1;
|
I added table names aliases here to find out what column names c and c2 refer to (inner or outer table):
SELECT 1 FROM t AS out_t
|
WHERE c2 = (SELECT 1 FROM t AS inn_t GROUP BY c HAVING c2 = c+1) and c2=1;
|
During the optimization phase dbug_print(select_lex) displays
select 1 AS `1` from t out_t where out_t.c2 = 1 and 1 = (subquery#2)
|
(subquery#2) expands to
select 1 from t inn_t group by inn_t.c having out_t.c2 = inn_t.c + 1
|
out_t.c2 in the subquery looks strange, I would expect the field c2 to be resolved to inn_t.c2.
| Summary | Assertion `field' failed in Item_field::fix_fields, Assertion `context' failed in Item_field::fix_fields, SIGSEGV in Item_field::fix_fields, member access within null pointer in various functions | Crash |
| Summary | Crash | Crash when HAVING in a correlated subquery references columns in the outer query |
Answer to the previous comment by igor: "c2 cannot be resolved against column of the inner table because it's not included into the group by list. (The Standard probably requires to return an error in this case)."
The Standard, indeed, requires to return an error, but the ability to reference columns of the outer query is the extension of MySQL/MariaDB syntax, so the example above is valid.
For information: MySQL once tried to prohibit such references but then permitted them again due to users complaints (https://bugs.mysql.com/bug.php?id=79549).
The commit fixing this assertion failure:
commit 2510e286284d77cca9c9a20901b9a537f3063234 (HEAD -> bb-10.4-mdev-29731, origin/bb-10.4-mdev-29731, 10.4)
|
Author: Oleg Smirnov <olernov@gmail.com>
|
Date: Tue Sep 19 19:20:21 2023 +0700
|
|
|
MDEV-29731 Assertion failure when HAVING in a correlated subquery references columns in the outer query
|
|
When resolving a column from the HAVING clause, a new Item_field
|
object may be created inside Item_ref::fix_fields().
|
But the object is created with an empty name resolution context,
|
which then leads to debug assertion failure during
|
Item_field::fix_fields().
|
|
The solution is to pass the correct name resolution context
|
when creating the Item_field object.
|
The fix (excluding added test cases) looks as simple as:
diff --git a/sql/item.cc b/sql/item.cc
|
index 685fdc2b69f..efd2acb2987 100644
|
--- a/sql/item.cc
|
+++ b/sql/item.cc
|
@@ -8041,7 +8041,7 @@ bool Item_ref::fix_fields(THD *thd, Item **reference)
|
if (from_field != not_found_field)
|
{
|
Item_field* fld;
|
- if (!(fld= new (thd->mem_root) Item_field(thd, from_field)))
|
+ if (!(fld= new (thd->mem_root) Item_field(thd, context, from_field)))
|
goto error;
|
thd->change_item_tree(reference, fld);
|
mark_as_dependent(thd, last_checked_context->select_lex,
|
This is in line with the MySQL's code.
Branch bb-10.4-mdev-29731.
| Assignee | Oleg Smirnov [ JIRAUSER50405 ] | Oleksandr Byelkin [ sanja ] |
| Status | In Progress [ 3 ] | In Review [ 10002 ] |
| Assignee | Oleksandr Byelkin [ sanja ] | Oleg Smirnov [ JIRAUSER50405 ] |
| Status | In Review [ 10002 ] | Stalled [ 10000 ] |
| Fix Version/s | 11.3 [ 28565 ] | |
| Fix Version/s | 10.4.32 [ 29300 ] | |
| Fix Version/s | 10.5.23 [ 29012 ] | |
| Fix Version/s | 10.6.16 [ 29014 ] | |
| Fix Version/s | 10.10.7 [ 29018 ] | |
| Fix Version/s | 10.11.6 [ 29020 ] | |
| Fix Version/s | 11.0.4 [ 29021 ] | |
| Fix Version/s | 11.1.3 [ 29023 ] | |
| Fix Version/s | 11.2.2 [ 29035 ] | |
| Fix Version/s | 10.4 [ 22408 ] | |
| Fix Version/s | 10.5 [ 23123 ] | |
| Fix Version/s | 10.6 [ 24028 ] | |
| Fix Version/s | 10.9 [ 26905 ] | |
| Fix Version/s | 10.10 [ 27530 ] | |
| Fix Version/s | 10.11 [ 27614 ] | |
| Fix Version/s | 11.0 [ 28320 ] | |
| Fix Version/s | 11.1 [ 28549 ] | |
| Fix Version/s | 11.2 [ 28603 ] |
| Fix Version/s | 11.3.0 [ 29302 ] | |
| Fix Version/s | 11.3 [ 28565 ] | |
| Resolution | Fixed [ 1 ] | |
| Status | Stalled [ 10000 ] | Closed [ 6 ] |
This testcase
CREATE TABLE t (c INT PRIMARY KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB; |
SET SESSION sql_mode='only_full_group_by'; |
EXECUTE IMMEDIATE 'SELECT SUM(c1) OVER (ORDER BY c1) FROM t NATURAL JOIN t AS a;'; |
Leads to an additional stack:
SIGSEGV|Item_field::fix_fields|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed
|
However, oleg.smirnov kindly confirmed it is fixed by the current patch also.
| Fix Version/s | 11.2.2 [ 29035 ] | |
| Fix Version/s | 11.3.0 [ 29302 ] |
| Link |
This issue is duplicated by |
| Link |
This issue duplicates |
| Link | This issue relates to MDEV-34155 [ MDEV-34155 ] |
| Link | This issue relates to TODO-4808 [ TODO-4808 ] |
All UniqueID's seen accross versions for the testcase above:
field|SIGABRT|Item_field::fix_fields|Item::fix_fields_if_needed|Item_func::fix_fields|st_select_lex::pushdown_from_having_into_wherecontext|SIGABRT|Item_field::fix_fields|Item::fix_fields_if_needed|Item_func::fix_fields|st_select_lex::pushdown_from_having_into_whereSIGSEGV|Item_field::fix_fields|Item::fix_fields_if_needed|Item::fix_fields_if_needed|Item_func::fix_fieldsNote that the last UniqueID matches one from
MDEV-28206.