Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-30052

Crash with a query containing nested WINDOW clauses

    XMLWordPrintable

Details

    Description

      Setting this to critical due to use-after-poison in sql/sql_list.h (ref ASAN output in first comment below), as well as the code location (opt_subselect.cc) and the code in crashes on (total_key_length += inner->max_length).

      CREATE TABLE t (c INT) ENGINE=InnoDB;
      		 
      UPDATE t SET c=1 WHERE c=2 ORDER BY (1 IN ((SELECT * FROM (SELECT * FROM t) AS v1 GROUP BY c WINDOW v2 AS (ORDER BY (SELECT * FROM t GROUP BY c WINDOW v3 AS (PARTITION BY c))))));

      Leads to:

      10.11.2 8283948846740a22f96bbe7bccf250708406d5d9 (Debug)

      		 
      Core was generated by `/test/MD171122-mariadb-10.11.2-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  subquery_types_allow_materialization (thd=thd@entry=0x1463c4000d48, 
          in_subs=in_subs@entry=0x1463c4028708)
      		 
          at /test/10.11_dbg/sql/opt_subselect.cc:891
      		 
      891	    total_key_length += inner->max_length;
      		 
      [Current thread is 1 (Thread 0x1463f8912700 (LWP 3156269))]
      		 
      (gdb) bt
      		 
      #0  subquery_types_allow_materialization (thd=thd@entry=0x1463c4000d48, in_subs=in_subs@entry=0x1463c4028708) at /test/10.11_dbg/sql/opt_subselect.cc:891
      		 
      #1  0x000056489b07a4e6 in is_materialization_applicable (thd=thd@entry=0x1463c4000d48, in_subs=in_subs@entry=0x1463c4028708, child_select=child_select@entry=0x1463c4014068) at /test/10.11_dbg/sql/sql_lex.h:1651
      		 
      #2  0x000056489b07ab8b in check_and_do_in_subquery_rewrites (join=join@entry=0x1463c4029ef8) at /test/10.11_dbg/sql/opt_subselect.cc:755
      		 
      #3  0x000056489af4049a in JOIN::prepare (this=0x1463c4029ef8, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_dbg/sql/sql_select.cc:1565
      		 
      #4  0x000056489b2bd33d in subselect_single_select_engine::prepare (this=0x1463c4028900, thd=0x1463c4000d48) at /test/10.11_dbg/sql/sql_lex.h:1368
      		 
      #5  0x000056489b2bc80b in Item_subselect::fix_fields (this=this@entry=0x1463c4028708, thd_param=thd_param@entry=0x1463c4000d48, ref=ref@entry=0x1463c4028968) at /test/10.11_dbg/sql/item_subselect.cc:295
      		 
      #6  0x000056489b2bcc50 in Item_in_subselect::fix_fields (this=0x1463c4028708, thd_arg=0x1463c4000d48, ref=0x1463c4028968) at /test/10.11_dbg/sql/item_subselect.cc:3545
      		 
      #7  0x000056489af102e7 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1463c4000d48, this=0x1463c4028708) at /test/10.11_dbg/sql/item.h:1164
      		 
      #8  Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1463c4000d48, this=0x1463c4028708) at /test/10.11_dbg/sql/item.h:1156
      		 
      #9  Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1463c4000d48, this=0x1463c4028708) at /test/10.11_dbg/sql/item.h:1164
      		 
      #10 find_order_in_list (thd=thd@entry=0x1463c4000d48, ref_pointer_array=<optimized out>, tables=tables@entry=0x1463c4013330, order=order@entry=0x1463c4028958, fields=@0x1463f8910cf0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56489c459f00 <end_of_list>, last = 0x1463f8910cf0, elements = 0}, <No data fields>}, all_fields=@0x1463c4029a28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56489c459f00 <end_of_list>, last = 0x1463c4029a28, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false) at /test/10.11_dbg/sql/sql_select.cc:25730
      		 
      #11 0x000056489af3bd31 in setup_order (thd=thd@entry=0x1463c4000d48, ref_pointer_array=<optimized out>, tables=tables@entry=0x1463c4013330, fields=@0x1463f8910cf0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56489c459f00 <end_of_list>, last = 0x1463f8910cf0, elements = 0}, <No data fields>}, all_fields=@0x1463c4029a28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56489c459f00 <end_of_list>, last = 0x1463c4029a28, elements = 0}, <No data fields>}, order=0x1463c4028958, from_window_spec=false) at /test/10.11_dbg/sql/sql_select.cc:25777
      		 
      #12 0x000056489af3fccd in setup_without_group (reserved=<optimized out>, hidden_group_fields=0x1463c40299d7, win_funcs=<optimized out>, win_specs=<optimized out>, group=<optimized out>, order=<optimized out>, conds=0x1463c4029b10, all_fields=@0x1463c4029a28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56489c459f00 <end_of_list>, last = 0x1463c4029a28, elements = 0}, <No data fields>}, fields=<optimized out>, leaves=<optimized out>, tables=<optimized out>, ref_pointer_array=<optimized out>, thd=<optimized out>) at /test/10.11_dbg/sql/sql_select.cc:888
      		 
      #13 JOIN::prepare (this=this@entry=0x1463c4029690, tables_init=tables_init@entry=0x1463c4013330, conds_init=conds_init@entry=0x1463c4013dc0, og_num=og_num@entry=1, order_init=order_init@entry=0x1463c4028958, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_dbg/sql/sql_select.cc:1465
      		 
      #14 0x000056489af5650c in mysql_select (thd=thd@entry=0x1463c4000d48, tables=tables@entry=0x1463c4013330, fields=@0x1463f8910cf0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56489c459f00 <end_of_list>, last = 0x1463f8910cf0, elements = 0}, <No data fields>}, conds=conds@entry=0x1463c4013dc0, og_num=1, order=0x1463c4028958, group=0x0, having=0x0, proc_param=0x0, select_options=37383395344512, result=0x1463c4029580, unit=0x1463c4004f88, select_lex=0x1463c40057b8) at /test/10.11_dbg/sql/sql_select.cc:5056
      		 
      #15 0x000056489afcf16b in mysql_multi_update (thd=thd@entry=0x1463c4000d48, table_list=0x1463c4013330, fields=fields@entry=0x1463c4005a58, values=values@entry=0x1463c4005e88, conds=0x1463c4013dc0, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x1463c4004f88, select_lex=0x1463c40057b8, result=0x1463f8910ed0) at /test/10.11_dbg/sql/sql_update.cc:1980
      		 
      #16 0x000056489aed18c8 in mysql_execute_command (thd=thd@entry=0x1463c4000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.11_dbg/sql/sql_parse.cc:4489
      		 
      #17 0x000056489aebe606 in mysql_parse (thd=thd@entry=0x1463c4000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1463f8911300) at /test/10.11_dbg/sql/sql_parse.cc:7998
      		 
      #18 0x000056489aecbb41 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1463c4000d48, packet=packet@entry=0x1463c400adf9 "UPDATE t SET c=1 WHERE c=2 ORDER BY (1 IN ((SELECT * FROM (SELECT * FROM t) AS v1 GROUP BY c WINDOW v2 AS (ORDER BY (SELECT * FROM t GROUP BY c WINDOW v3 AS (PARTITION BY c))))))", packet_length=packet_length@entry=178, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_class.h:1346
      		 
      #19 0x000056489aecdf7f in do_command (thd=0x1463c4000d48, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407
      		 
      #20 0x000056489b028763 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56489d9a6fb8, put_in_cache=put_in_cache@entry=true) at /test/10.11_dbg/sql/sql_connect.cc:1416
      		 
      #21 0x000056489b028c32 in handle_one_connection (arg=0x56489d9a6fb8) at /test/10.11_dbg/sql/sql_connect.cc:1318
      		 
      #22 0x000014641159c609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      		 
      #23 0x0000146411188133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      Bug confirmed present in:
      MariaDB: 10.3.37 (dbg), 10.4.27 (dbg), 10.5.18 (dbg), 10.6.10 (dbg), 10.7.6 (dbg), 10.8.5 (dbg), 10.9.3 (dbg), 10.10.2 (dbg), 10.11.2 (dbg)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.3.37 (opt), 10.4.27 (opt), 10.5.18 (opt), 10.6.10 (opt), 10.7.6 (opt), 10.8.5 (opt), 10.9.3 (opt), 10.10.2 (opt), 10.11.2 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

      Attachments

        Issue Links

          includes

          Bug - A problem which impairs or prevents the functions of the product. MDEV-25643 Assertion `table->no_keyread || !table->covering_keys.is_set(tab->index) || table->file->keyread == tab->index' failed in join_read_first

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-28501 SIGSEGV in update_depend_map_for_order on SELECT, UBSAN: runtime error: member access within null pointer of type 'struct JOIN_TAB'

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-28505 Server crash in sql/sql_select.cc:19830 in sub_select(JOIN*, st_join_table*, bool)

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-28510 SIGSEGV in get_sort_by_table and SIGSEGV in subquery_types_allow_materialization

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-28516 SIGSEGV in get_sort_by_table, UBSAN: runtime error: member access within null pointer of type 'struct TABLE_LIST'

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-28799 SIGSEGV in JOIN_CACHE::reset_join and Assertion `cache != __null' failed in sub_select_cache on SELECT

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-29052 SIGSEGV's in hp_rec_hashnr and my_hash_sort_simple (from hp_rec_hashnr and my_ci_hash_sort) on SELECT when using window functions

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-29353 SIGSEGV's in _ma_unique_hash, _ma_make_key and _ma_calc_blob_length on SELECT (on optimized builds)

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. MDEV-30381 investigate group by window issues

          • Major - Major loss of function.
          • Closed
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. MDEV-28515 Assertion `field->table == table' failed in Create_tmp_table::finalize and create_tmp_table and SIGSEGV in hp_rec_hashnr

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-29359 Server crashed with heap-use-after-free in in Field::is_null(long long) const

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-32036 Server crash in find_field_in_table

          • Major - Major loss of function.
          • Closed

          Activity

            People

              sanja Oleksandr Byelkin
              Roel Roel Van de Paar
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.