[MDEV-30230] Crash bug on evaluate_join_record - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Duplicate
Affects Version/s: 10.11.2
Fix Version/s: N/A
Component/s: Server
Labels:
None

Description

POC:
```
CREATE TABLE v0 ( v1 INTEGER , v2 NUMERIC , v3 INTEGER ) ;
INSERT INTO v0 VALUES ( 25 , 17 , -32768 ) ;
INSERT INTO v0 VALUES ( NOT ( 'x' = 'x' AND v3 = 0 ) , 94 , 0 ) ;
SELECT v2 , ( - v2 ) FROM v0 GROUP BY v3 / 0 WINDOW v4 AS ( PARTITION BY ( SELECT v1 AS v5 FROM v0 AS v7 GROUP BY v1 HAVING v1 WINDOW v6 AS ( PARTITION BY v2 ORDER BY ( 255 ) DESC ) ) ) ;
```

Version:
```
Server version: 10.11.2-MariaDB key_buffer_size=134217728 read_buffer_size=131072 max_used_connections=1 max_threads=153 thread_count=1 It is possible that mysqld could use up to key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 468019 K bytes of memory Hope that's ok; if not, decrease some variables in the equation.
```

BT:
```
stack_bottom = 0x7fdbe80c0c00 thread_stack 0x49000 [46/1814]addr2line: DWARF error: invalid or unhandled FORM value: 0x23
??:0(my_print_stacktrace)[0x559d1a2e71eb]
??:0(handle_fatal_signal)[0x559d19a94958]
??:0(__sigaction)[0x7fdbfe0ac520]
addr2line: DWARF error: invalid or unhandled FORM value: 0x23
:0(hp_rec_hashnr)[0x559d19f00cd9]
:0(hp_write_key)[0x559d19f05901]
:0(heap_write)[0x559d19f04ec3]
:0(ha_heap::write_row(unsigned char const*))[0x559d19efcedd]
??:0(handler::ha_write_tmp_row(unsigned char*))[0x559d1973657f]
sql_select.cc:0(end_write(JOIN*, st_join_table*, bool))[0x559d1974c401]
sql_select.cc:0(evaluate_join_record(JOIN*, st_join_table*, int))[0x559d1974e238]
??:0(sub_select(JOIN*, st_join_table*, bool))[0x559d196f01c0]
sql_select.cc:0(do_select(JOIN*, Procedure*))[0x559d197216c0]
??:0(JOIN::exec_inner())[0x559d197207f5]
??:0(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x559d196f0fe1]
??:0(handle_select(THD*, LEX*, select_result*, unsigned long long))[0x559d196f0a86]
sql_parse.cc:0(execute_sqlcom_select(THD*, TABLE_LIST*))[0x559d19694800]
??:0(mysql_execute_command(THD*, bool))[0x559d1968b539]
??:0(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x559d1967fc82]
??:0(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x559d1967d1fb]
??:0(do_command(THD*, bool))[0x559d196803b1]
??:0(do_handle_one_connection(CONNECT*, bool))[0x559d1988a425]
??:0(handle_one_connection)[0x559d1988a057]
:0(pfs_spawn_thread)[0x559d19e16d9f]
```

Attachments

Issue Links

duplicates

MDEV-28515 Assertion `field->table == table' failed in Create_tmp_table::finalize and create_tmp_table and SIGSEGV in hp_rec_hashnr

Closed

Activity

Alice Sherepa added a comment - 2022-12-15 09:52

Thanks for the report!
This is the same bug as ~~MDEV-28515~~:

Version: '10.11.2-MariaDB-debug-log'

mariadbd: /10.11/src/sql/sql_select.cc:20095: bool Create_tmp_table::finalize(THD*, TABLE*, TMP_TABLE_PARAM*, bool, bool): Assertion `field->table == table' failed.

221215 10:46:36 [ERROR] mysqld got signal 6 ;

Server version: 10.11.2-MariaDB-debug-log

/lib/x86_64-linux-gnu/libc.so.6(+0x22729)[0x7f149c80e729]

??:0(__assert_fail)[0x7f149c81ffd6]

sql/sql_select.cc:20096(Create_tmp_table::finalize(THD*, TABLE*, TMP_TABLE_PARAM*, bool, bool))[0x55bff1034556]

sql/sql_select.cc:20391(create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool))[0x55bff1035ae5]

sql/sql_select.cc:4101(JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool))[0x55bff10072c9]

sql/sql_select.cc:3679(JOIN::make_aggr_tables_info())[0x55bff1005760]

sql/sql_select.cc:3303(JOIN::optimize_stage2())[0x55bff1003fbe]

sql/sql_select.cc:2562(JOIN::optimize_inner())[0x55bff100165c]

sql/sql_select.cc:1872(JOIN::optimize())[0x55bff0ffedea]

sql/sql_select.cc:5068(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55bff100aa32]

sql/sql_select.cc:582(handle_select(THD*, LEX*, select_result*, unsigned long long))[0x55bff0ff995a]

sql/sql_parse.cc:6263(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55bff0fa0115]

sql/sql_parse.cc:3947(mysql_execute_command(THD*, bool))[0x55bff0f972f7]

sql/sql_parse.cc:7998(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55bff0fa4e0c]

sql/sql_parse.cc:1896(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55bff0f912cc]

sql/sql_parse.cc:1407(do_command(THD*, bool))[0x55bff0f8fc8b]

sql/sql_connect.cc:1415(do_handle_one_connection(CONNECT*, bool))[0x55bff1170dc1]

sql/sql_connect.cc:1319(handle_one_connection)[0x55bff1170b1d]

perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55bff168a79b]

nptl/pthread_create.c:478(start_thread)[0x7f149cd3a609]

??:0(clone)[0x7f149c90b133]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x7f14600154a0): SELECT v2 , ( - v2 ) FROM v0 GROUP BY v3 / 0 WINDOW v4 AS ( PARTITION BY ( SELECT v1 AS v5 FROM v0 AS v7 GROUP BY v1 HAVING v1 WINDOW v6 AS ( PARTITION BY v2 ORDER BY ( 255 ) DESC ) ) )

Alice Sherepa added a comment - 2022-12-15 09:52 Thanks for the report! This is the same bug as MDEV-28515 : Version: '10.11.2-MariaDB-debug-log' mariadbd: /10.11/src/sql/sql_select.cc:20095: bool Create_tmp_table::finalize(THD*, TABLE*, TMP_TABLE_PARAM*, bool, bool): Assertion `field->table == table' failed. 221215 10:46:36 [ERROR] mysqld got signal 6 ; Server version: 10.11.2-MariaDB-debug-log /lib/x86_64-linux-gnu/libc.so.6(+0x22729)[0x7f149c80e729] ??:0(__assert_fail)[0x7f149c81ffd6] sql/sql_select.cc:20096(Create_tmp_table::finalize(THD*, TABLE*, TMP_TABLE_PARAM*, bool, bool))[0x55bff1034556] sql/sql_select.cc:20391(create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool))[0x55bff1035ae5] sql/sql_select.cc:4101(JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool))[0x55bff10072c9] sql/sql_select.cc:3679(JOIN::make_aggr_tables_info())[0x55bff1005760] sql/sql_select.cc:3303(JOIN::optimize_stage2())[0x55bff1003fbe] sql/sql_select.cc:2562(JOIN::optimize_inner())[0x55bff100165c] sql/sql_select.cc:1872(JOIN::optimize())[0x55bff0ffedea] sql/sql_select.cc:5068(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55bff100aa32] sql/sql_select.cc:582(handle_select(THD*, LEX*, select_result*, unsigned long long))[0x55bff0ff995a] sql/sql_parse.cc:6263(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55bff0fa0115] sql/sql_parse.cc:3947(mysql_execute_command(THD*, bool))[0x55bff0f972f7] sql/sql_parse.cc:7998(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55bff0fa4e0c] sql/sql_parse.cc:1896(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55bff0f912cc] sql/sql_parse.cc:1407(do_command(THD*, bool))[0x55bff0f8fc8b] sql/sql_connect.cc:1415(do_handle_one_connection(CONNECT*, bool))[0x55bff1170dc1] sql/sql_connect.cc:1319(handle_one_connection)[0x55bff1170b1d] perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55bff168a79b] nptl/pthread_create.c:478(start_thread)[0x7f149cd3a609] ??:0(clone)[0x7f149c90b133] Trying to get some variables. Some pointers may be invalid and cause the dump to abort. Query (0x7f14600154a0): SELECT v2 , ( - v2 ) FROM v0 GROUP BY v3 / 0 WINDOW v4 AS ( PARTITION BY ( SELECT v1 AS v5 FROM v0 AS v7 GROUP BY v1 HAVING v1 WINDOW v6 AS ( PARTITION BY v2 ORDER BY ( 255 ) DESC ) ) )

MariaDB Server

Crash bug on evaluate_join_record

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration