MariaDB Server / MDEV-30756

Crash in get_sort_by_table / make_join_statistics / update_depend_map_for_order, various UBSAN pointer issues

Details

    Description

      POC:

      CREATE TABLE v0 ( v1 INT , v2 CHAR UNIQUE UNIQUE NOT NULL CHECK ( v2 NOT IN ( v1 > 59 OR v1 > 67 AND FALSE NOT LIKE 'x' , 'x' ) ) ) ;
      CREATE VIEW v3 AS SELECT DISTINCT 41503055.000000 FROM v0 WHERE v2 ;
      UPDATE v0 SET v2 = v2 * 0 WHERE v2 IN ( SELECT DISTINCT v2 FROM v0 WHERE EXISTS ( SELECT v1 FROM v3 WHERE v1 = v2 + -1 GROUP BY ( SELECT v2 FROM v0 AS v4 WHERE v2 = 'x' OR v1 = 'x' OR v1 = 'x' GROUP BY v2 HAVING v1 < 'x' ) BETWEEN 44 AND 0 HAVING 2147483647 ) ) ORDER BY v1 IS NULL ;
      DROP TABLE v3 ;
      INSERT INTO v0 VALUES ( 15 ) ;
      

      Backtrace:

      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f02b8109c00 thread_stack 0x49000
      addr2line: DWARF error: invalid or unhandled FORM value: 0x23
      ??:0(my_print_stacktrace)[0x56554d0d200b]
      ??:0(handle_fatal_signal)[0x56554c89b68f]
      ??:0(__sigaction)[0x7f02baa08520]
      addr2line: DWARF error: invalid or unhandled FORM value: 0x23
      sql_select.cc:0(get_sort_by_table(st_order*, st_order*, List<TABLE_LIST>&, unsigned long long))[0x56554c56656b]
      sql_select.cc:0(make_join_statistics(JOIN*, List<TABLE_LIST>&, st_dynamic_array*))[0x56554c508744]
      ??:0(JOIN::optimize_inner())[0x56554c5027db]
      ??:0(JOIN::optimize())[0x56554c4fd5d6]
      ??:0(st_select_lex::optimize_unflattened_subqueries(bool))[0x56554c44916c]
      ??:0(JOIN::optimize_stage2())[0x56554c4ff3c4]
      ??:0(JOIN::optimize_inner())[0x56554c50232b]
      ??:0(JOIN::optimize())[0x56554c4fd5d6]
      ??:0(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x56554c4f3048]
      ??:0(mysql_multi_update(THD*, TABLE_LIST*, List<Item>*, List<Item>*, Item*, unsigned long long, enum_duplicates, bool, st_select_lex_unit*, st_select_lex*, multi_update**))[0x56554c611053]
      ??:0(mysql_execute_command(THD*, bool))[0x56554c492722]
      ??:0(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x56554c481aa2]
      ??:0(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x56554c47f01b]
      ??:0(do_command(THD*, bool))[0x56554c4821d1]
      ??:0(do_handle_one_connection(CONNECT*, bool))[0x56554c68edc5]
      ??:0(handle_one_connection)[0x56554c68e9f7]
      :0(pfs_spawn_thread)[0x56554cc1582f]
      ??:0(pthread_condattr_setpshared)[0x7f02baa5ab43]
      ??:0(clone)[0x7f02baaebbb4]
      

      Trying to get some variables.

    Activity

            Roel Van de Paar added a comment

            The new testcase by Igor gives a different stack (SIGSEGV in update_depend_map_for_order) than the original description, and that stack was previously seen in MDEV-28501.

            After fixing, please test and include all testcases. Thank you
            Daniel Black added a comment (edited)

            Looking at the case:

            select c from t3 where c in (select (select a from t2 group by (select a from t4)) from t1);
            

            It crashes in update_depend_map_for_order as depend_map has 2 and the join->map2table only has 1 table.

            depend_map gets assigned 2 based on Field_fixer::visit_field where at this point the Item_field passed is:

            t1.a

            (rr) p item->field->table[0].s
            $25 = (TABLE_SHARE *) 0x7f5fd0219f90
            (rr) p item->field->table[1].s
            $26 = (TABLE_SHARE *) 0x185
            (rr) p item->field->table->map
            $27 = 2
            

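The state Daniel describes (depend_map == 2 while join->map2table holds a single entry) is easiest to see in a small model of that loop. The C program below is an added illustration, not MariaDB source: JOIN, JOIN_TAB and map2table are simplified stand-ins for the structures in sql_select.cc, the function names are invented, and the scenario values (a join containing only t2, a depend_map of 2 for the outer column t1.a) are taken from the rr session above. It shows why a table_map bit that names a table outside the current query block turns into a NULL JOIN_TAB dereference, and the invariant check (depend_map must be a subset of the join's own table map) that would catch it before the walk.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint64_t table_map;        /* bit i set == the table whose TABLE::map is 1 << i */
#define MAX_TABLES 8

typedef struct JOIN_TAB {
  const char *alias;
  table_map   ref_depend_map;      /* stand-in for JOIN_TAB::ref.depend_map */
} JOIN_TAB;

typedef struct JOIN {
  table_map  all_tables_map;       /* union of TABLE::map over the tables of this SELECT */
  JOIN_TAB  *map2table[MAX_TABLES];/* slot i -> JOIN_TAB of the table with map 1 << i, or NULL */
} JOIN;

static JOIN_TAB t2_tab = { "t2", 0 };

/* Constructed scenario from the rr session: the inner query block is
   "SELECT a FROM t2 GROUP BY (...)", so the join holds the single table t2
   with map 1 and map2table has exactly one populated slot. */
static JOIN make_inner_join(void)
{
  JOIN join = {0};
  join.all_tables_map = 1;
  join.map2table[0] = &t2_tab;
  return join;
}

/* Simplified mirror of the loop in update_depend_map_for_order(): walk each
   set bit of depend_map and OR in that table's ref dependencies. The server
   does `order->depend_map |= (*tab)->ref.depend_map` with no NULL check; this
   model returns -1 at the point where the server dereferences NULL. */
static int fold_depend_map_unchecked(const JOIN *join, table_map depend_map,
                                     table_map *out)
{
  table_map result = depend_map;
  JOIN_TAB *const *tab = join->map2table;
  for (; depend_map; tab++, depend_map >>= 1) {
    if (depend_map & 1) {
      if (*tab == NULL)
        return -1;                 /* SIGSEGV / UBSAN "member access within null pointer" */
      result |= (*tab)->ref_depend_map;
    }
  }
  *out = result;
  return 0;
}

/* Bits of depend_map that name no table of this join. Non-zero means the
   ORDER/GROUP item was bound to a table of another query block (t1.a here)
   and must not be looked up in this join's map2table. */
static table_map stray_table_bits(table_map all_tables_map, table_map depend_map)
{
  return depend_map & ~all_tables_map;
}

/* Guarded variant: refuse the map2table walk for foreign table bits and
   report them (return 1) so the caller can treat the item as an outer
   reference instead of crashing. */
static int fold_depend_map_guarded(const JOIN *join, table_map depend_map,
                                   table_map *out)
{
  if (stray_table_bits(join->all_tables_map, depend_map))
    return 1;
  return fold_depend_map_unchecked(join, depend_map, out);
}

/* depend_map == 2 is the value seen in the debugger (t1's TABLE::map) while
   the join only contains t2: the walk lands on an empty slot. */
static int crash_scenario(void)
{
  JOIN join = make_inner_join();
  table_map out = 0;
  return fold_depend_map_unchecked(&join, 2, &out);
}

static int guarded_scenario(void)
{
  JOIN join = make_inner_join();
  table_map out = 0;
  return fold_depend_map_guarded(&join, 2, &out);
}

/* A depend_map that only names t2 resolves normally. */
static int valid_scenario(void)
{
  JOIN join = make_inner_join();
  table_map out = 0;
  if (fold_depend_map_guarded(&join, 1, &out) != 0)
    return -1;
  return out == 1 ? 0 : -1;
}

int main(void)
{
  printf("unchecked walk, depend_map=2: %d (NULL JOIN_TAB hit)\n", crash_scenario());
  printf("guarded walk,   depend_map=2: %d (stray bits 0x%llx)\n", guarded_scenario(),
         (unsigned long long) stray_table_bits(1, 2));
  printf("guarded walk,   depend_map=1: %d (ok)\n", valid_scenario());
  return 0;
}
```

The guard only makes the symptom explicit; the actual defect is upstream, where the GROUP BY item was resolved against t1 without the outer-reference marking that would have kept its bit out of depend_map in the first place.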

            Roel Van de Paar added a comment

            SELECT(WITH x AS(SELECT (0)AS x) SELECT x FROM x WHERE x IN (SELECT 0 FROM x WHERE (SELECT x FROM (SELECT 0 UNION SELECT 0) AS x GROUP BY (SELECT x))));
            

            Leads to:

            CS 11.2.6 12a91b57e27b979819924cf89614e6e51f24b37b (Debug)

            Core was generated by `/test/MD141024-mariadb-11.2.6-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0  0x000055ca7ed32413 in update_depend_map_for_order (order=0x1538fc01e3f8, join=0x1538fc026600) at /test/11.2_dbg/sql/sql_select.cc:17176
             
            [Current thread is 1 (LWP 3469540)]
            (gdb) bt
            #0  0x000055ca7ed32413 in update_depend_map_for_order (order=0x1538fc01e3f8, join=0x1538fc026600) at /test/11.2_dbg/sql/sql_select.cc:17176
            #1  remove_const (join=join@entry=0x1538fc026600, first_order=<optimized out>, cond=0x0, change_list=true, simple_order=simple_order@entry=0x1538fc026954)at /test/11.2_dbg/sql/sql_select.cc:17289
            #2  0x000055ca7ed599a4 in JOIN::optimize_stage2 (this=this@entry=0x1538fc026600) at /test/11.2_dbg/sql/sql_select.cc:3190
            #3  0x000055ca7ed5c956 in JOIN::optimize_inner (this=this@entry=0x1538fc026600)at /test/11.2_dbg/sql/sql_select.cc:2725
            #4  0x000055ca7ed5ceae in JOIN::optimize (this=this@entry=0x1538fc026600)at /test/11.2_dbg/sql/sql_select.cc:2003
            #5  0x000055ca7ec9a412 in st_select_lex::optimize_unflattened_subqueries (this=0x1538fc014d90, const_only=const_only@entry=false)at /test/11.2_dbg/sql/sql_lex.cc:5005
            #6  0x000055ca7eea2f27 in JOIN::optimize_unflattened_subqueries (this=this@entry=0x1538fc024468) at /test/11.2_dbg/sql/opt_subselect.cc:5873
            #7  0x000055ca7ed5a3f7 in JOIN::optimize_stage2 (this=this@entry=0x1538fc024468) at /test/11.2_dbg/sql/sql_select.cc:3318
            #8  0x000055ca7ed5c956 in JOIN::optimize_inner (this=this@entry=0x1538fc024468)at /test/11.2_dbg/sql/sql_select.cc:2725
            #9  0x000055ca7ed5ceae in JOIN::optimize (this=this@entry=0x1538fc024468)at /test/11.2_dbg/sql/sql_select.cc:2003
            #10 0x000055ca7ec9a412 in st_select_lex::optimize_unflattened_subqueries (this=0x1538fc013958, const_only=const_only@entry=true)at /test/11.2_dbg/sql/sql_lex.cc:5005
            #11 0x000055ca7eea2f5f in JOIN::optimize_constant_subqueries (this=this@entry=0x1538fc023c10) at /test/11.2_dbg/sql/opt_subselect.cc:5907
            #12 0x000055ca7ed5b845 in JOIN::optimize_inner (this=this@entry=0x1538fc023c10)at /test/11.2_dbg/sql/sql_select.cc:2345
            #13 0x000055ca7ed5ceae in JOIN::optimize (this=this@entry=0x1538fc023c10)at /test/11.2_dbg/sql/sql_select.cc:2003
            #14 0x000055ca7ed5cfce in mysql_select (thd=thd@entry=0x1538fc000d58, tables=0x0, fields=@0x1538fc013c10: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1538fc01faf8, last = 0x1538fc01faf8, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x1538fc023898, unit=0x1538fc0052b0, select_lex=0x1538fc013958) at /test/11.2_dbg/sql/sql_select.cc:5344
            #15 0x000055ca7ed5d858 in handle_select (thd=thd@entry=0x1538fc000d58, lex=lex@entry=0x1538fc0051d0, result=result@entry=0x1538fc023898, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/11.2_dbg/sql/sql_select.cc:642
            #16 0x000055ca7ecbb751 in execute_sqlcom_select (thd=thd@entry=0x1538fc000d58, all_tables=0x1538fc0153c8) at /test/11.2_dbg/sql/sql_parse.cc:6177
            #17 0x000055ca7ecc75bc in mysql_execute_command (thd=thd@entry=0x1538fc000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.2_dbg/sql/sql_parse.cc:3984
            #18 0x000055ca7ecce2ce in mysql_parse (thd=thd@entry=0x1538fc000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x15395cbb32a0)at /test/11.2_dbg/sql/sql_parse.cc:7938
            #19 0x000055ca7ecd0786 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1538fc000d58, packet=packet@entry=0x1538fc00b319 "SELECT(WITH x AS(SELECT (0)AS x) SELECT x FROM x WHERE x IN (SELECT 0 FROM x WHERE (SELECT x FROM (SELECT 0 UNION SELECT 0) AS x GROUP BY (SELECT x))))", packet_length=packet_length@entry=151, blocking=blocking@entry=true) at /test/11.2_dbg/sql/sql_class.h:248
            #20 0x000055ca7ecd29c2 in do_command (thd=0x1538fc000d58, blocking=blocking@entry=true) at /test/11.2_dbg/sql/sql_parse.cc:1407
            #21 0x000055ca7ee3ffe7 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55ca81a20608, put_in_cache=put_in_cache@entry=true)at /test/11.2_dbg/sql/sql_connect.cc:1439
            #22 0x000055ca7ee402ef in handle_one_connection (arg=arg@entry=0x55ca81a20608)at /test/11.2_dbg/sql/sql_connect.cc:1341
            #23 0x000055ca7f287f14 in pfs_spawn_thread (arg=0x55ca81973328)at /test/11.2_dbg/storage/perfschema/pfs.cc:2201
            #24 0x000015395da9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
            #25 0x000015395db29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
            

            And produces the following UBSAN member access within null pointer:

            CS 11.2.6 66b8d32b7514f46b1467d404d3f9ad688bbfeb4f (Optimized, UBASAN)

            /test/11.2_opt_san/sql/sql_select.cc:17174:35: runtime error: member access within null pointer of type 'struct JOIN_TAB'
                #0 0x55bff80b72b0 in update_depend_map_for_order /test/11.2_opt_san/sql/sql_select.cc:17174
                #1 0x55bff80b72b0 in remove_const /test/11.2_opt_san/sql/sql_select.cc:17287
                #2 0x55bff8207229 in JOIN::optimize_stage2() /test/11.2_opt_san/sql/sql_select.cc:3190
                #3 0x55bff8211232 in JOIN::optimize_inner() /test/11.2_opt_san/sql/sql_select.cc:2725
                #4 0x55bff8217ee5 in JOIN::optimize() /test/11.2_opt_san/sql/sql_select.cc:2003
                #5 0x55bff7c2e352 in st_select_lex::optimize_unflattened_subqueries(bool) /test/11.2_opt_san/sql/sql_lex.cc:5005
                #6 0x55bff81fcda4 in JOIN::optimize_stage2() /test/11.2_opt_san/sql/sql_select.cc:3318
                #7 0x55bff8211232 in JOIN::optimize_inner() /test/11.2_opt_san/sql/sql_select.cc:2725
                #8 0x55bff8217ee5 in JOIN::optimize() /test/11.2_opt_san/sql/sql_select.cc:2003
                #9 0x55bff7c2e352 in st_select_lex::optimize_unflattened_subqueries(bool) /test/11.2_opt_san/sql/sql_lex.cc:5005
                #10 0x55bff8a6db87 in JOIN::optimize_constant_subqueries() /test/11.2_opt_san/sql/opt_subselect.cc:5907
                #11 0x55bff820b368 in JOIN::optimize_inner() /test/11.2_opt_san/sql/sql_select.cc:2345
                #12 0x55bff8217ee5 in JOIN::optimize() /test/11.2_opt_san/sql/sql_select.cc:2003
                #13 0x55bff8218686 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.2_opt_san/sql/sql_select.cc:5344
                #14 0x55bff821c550 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.2_opt_san/sql/sql_select.cc:642
                #15 0x55bff7d51450 in execute_sqlcom_select /test/11.2_opt_san/sql/sql_parse.cc:6177
                #16 0x55bff7dc175f in mysql_execute_command(THD*, bool) /test/11.2_opt_san/sql/sql_parse.cc:3984
                #17 0x55bff7dd2482 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.2_opt_san/sql/sql_parse.cc:7938
                #18 0x55bff7de40da in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.2_opt_san/sql/sql_parse.cc:1894
                #19 0x55bff7df4486 in do_command(THD*, bool) /test/11.2_opt_san/sql/sql_parse.cc:1407
                #20 0x55bff87c7efc in do_handle_one_connection(CONNECT*, bool) /test/11.2_opt_san/sql/sql_connect.cc:1439
                #21 0x55bff87ca52c in handle_one_connection /test/11.2_opt_san/sql/sql_connect.cc:1341
                #22 0x14a8f5a9ca93 in start_thread nptl/pthread_create.c:447
                #23 0x14a8f5b29c3b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
             
            241113  7:25:06 [ERROR] mysqld got signal 11 ;
            

            Bug confirmed present in:
            MariaDB: 10.5.27 (dbg), 10.5.27 (opt), 10.6.20 (dbg), 10.6.20 (opt), 10.11.10 (dbg), 10.11.10 (opt), 11.2.6 (dbg), 11.2.6 (opt), 11.4.4 (dbg), 11.4.4 (opt), 11.6.2 (dbg), 11.6.2 (opt), 11.7.0 (dbg), 11.7.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.44 (dbg), 5.7.44 (opt), 8.0.36 (dbg), 8.0.36 (opt), 9.1.0 (dbg), 9.1.0 (opt)

            Roel Van de Paar added a comment (edited)

            This testcase somewhat similar to the last one above:

            SELECT (WITH x AS(SELECT (NULL) AS x) SELECT x FROM x WHERE x IN (SELECT 0 FROM x WHERE (SELECT x FROM (SELECT 0 UNION SELECT 0) AS x GROUP BY (SELECT x))));
            

            Produces (besides also producing this MDEV-35717 stack) this stack (note the aka 'st_join_table'):

            CS 11.8.0 cacaaebf01939d387645fb850ceeec5392496171 (Debug, UBASAN)

            /test/11.8_dbg_san/sql/sql_select.cc:17227:31: runtime error: member access within null pointer of type 'JOIN_TAB' (aka 'st_join_table')
                #0 0x5581fc0fcc8f in update_depend_map_for_order(JOIN*, st_order*) /test/11.8_dbg_san/sql/sql_select.cc:17227:31
                #1 0x5581fc0fcc8f in remove_const(JOIN*, st_order*, Item*, bool, bool*) /test/11.8_dbg_san/sql/sql_select.cc:17340:3
                #2 0x5581fc0e8e06 in JOIN::optimize_stage2() /test/11.8_dbg_san/sql/sql_select.cc:3190:17
                #3 0x5581fc0f135e in JOIN::optimize_inner() /test/11.8_dbg_san/sql/sql_select.cc:2725:9
                #4 0x5581fc0e32a2 in JOIN::optimize() /test/11.8_dbg_san/sql/sql_select.cc:1994:10
                #5 0x5581fbe96d13 in st_select_lex::optimize_unflattened_subqueries(bool) /test/11.8_dbg_san/sql/sql_lex.cc:5054:31
                #6 0x5581fc0e7330 in JOIN::optimize_stage2() /test/11.8_dbg_san/sql/sql_select.cc:3550:7
                #7 0x5581fc0f135e in JOIN::optimize_inner() /test/11.8_dbg_san/sql/sql_select.cc:2725:9
                #8 0x5581fc0e32a2 in JOIN::optimize() /test/11.8_dbg_san/sql/sql_select.cc:1994:10
                #9 0x5581fbe96d13 in st_select_lex::optimize_unflattened_subqueries(bool) /test/11.8_dbg_san/sql/sql_lex.cc:5054:31
                #10 0x5581fc7bd526 in JOIN::optimize_constant_subqueries() /test/11.8_dbg_san/sql/opt_subselect.cc:5900:20
                #11 0x5581fc0eedf3 in JOIN::optimize_inner() /test/11.8_dbg_san/sql/sql_select.cc:2339:7
                #12 0x5581fc0e32a2 in JOIN::optimize() /test/11.8_dbg_san/sql/sql_select.cc:1994:10
                #13 0x5581fc0c4bf8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_dbg_san/sql/sql_select.cc:5342:19
                #14 0x5581fc0c3f12 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10
                #15 0x5581fbf99167 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12
                #16 0x5581fbf84d39 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3980:12
                #17 0x5581fbf54588 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
                #18 0x5581fbf4864b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
                #19 0x5581fbf56fad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
                #20 0x5581fc61a76c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
                #21 0x5581fc61a027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
                #22 0x5581fb959b5c in asan_thread_start(void*) asan_interceptors.cpp.o
                #23 0x147a1c89ca93 in start_thread nptl/pthread_create.c:447:8
                #24 0x147a1c929c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
             
            SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/11.8_dbg_san/sql/sql_select.cc:17227:31 
            

            As well as:

            CS 11.8.0 cacaaebf01939d387645fb850ceeec5392496171 (Debug, UBASAN, Clang)

            /test/11.8_dbg_san/strings/ctype-ascii.h:110:27: runtime error: applying non-zero offset 4 to null pointer
                #0 0x55de96554b1e in my_strcoll_ascii_4bytes_found /test/11.8_dbg_san/strings/ctype-ascii.h:110:27
                #1 0x55de96559cce in my_strnncoll_utf8mb3_general1400_as_ci /test/11.8_dbg_san/strings/strcoll.inl:238:24
                #2 0x55de937e0349 in charset_info_st::streq(st_mysql_const_lex_string, st_mysql_const_lex_string) const /test/11.8_dbg_san/include/m_ctype.h:1073:17
                #3 0x55de937e0349 in Lex_ident<Compare_ident_ci>::streq(st_mysql_const_lex_string const&) const /test/11.8_dbg_san/sql/lex_ident.h:119:38
                #4 0x55de93c2a387 in is_infoschema_db(st_mysql_const_lex_string const*) /test/11.8_dbg_san/sql/table.h:3583:34
                #5 0x55de93c2a387 in st_select_lex::add_table_to_list(THD*, Table_ident*, st_mysql_const_lex_string const*, unsigned long, thr_lock_type, enum_mdl_type, List<Index_hint>*, List<String>*, st_mysql_lex_string*) /test/11.8_dbg_san/sql/sql_parse.cc:8114:21
                #6 0x55de947d82ae in MYSQLparse(THD*) /test/11.8_dbg_san/sql/sql_yacc.yy:12151:47
                #7 0x55de93c6affb in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:10328:46
                #8 0x55de93c14cb4 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7867:15
                #9 0x55de93c0964b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
                #10 0x55de93c17fad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
                #11 0x55de942db76c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
                #12 0x55de942db027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
                #13 0x55de9361ab5c in asan_thread_start(void*) asan_interceptors.cpp.o
                #14 0x14b9f1a9ca93 in start_thread nptl/pthread_create.c:447:8
                #15 0x14b9f1b29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
             
            SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-nonzero-offset /test/11.8_dbg_san/strings/ctype-ascii.h:110:27
            

            CS 11.8.0 cacaaebf01939d387645fb850ceeec5392496171 (Debug, UBASAN, Clang)

            /test/11.8_dbg_san/sql/sql_select.cc:17227:31: runtime error: member access within null pointer of type 'JOIN_TAB' (aka 'st_join_table')
                #0 0x55de93dbdc8f in update_depend_map_for_order(JOIN*, st_order*) /test/11.8_dbg_san/sql/sql_select.cc:17227:31
                #1 0x55de93dbdc8f in remove_const(JOIN*, st_order*, Item*, bool, bool*) /test/11.8_dbg_san/sql/sql_select.cc:17340:3
                #2 0x55de93da9e06 in JOIN::optimize_stage2() /test/11.8_dbg_san/sql/sql_select.cc:3190:17
                #3 0x55de93db235e in JOIN::optimize_inner() /test/11.8_dbg_san/sql/sql_select.cc:2725:9
                #4 0x55de93da42a2 in JOIN::optimize() /test/11.8_dbg_san/sql/sql_select.cc:1994:10
                #5 0x55de93b57d13 in st_select_lex::optimize_unflattened_subqueries(bool) /test/11.8_dbg_san/sql/sql_lex.cc:5054:31
                #6 0x55de93da8330 in JOIN::optimize_stage2() /test/11.8_dbg_san/sql/sql_select.cc:3550:7
                #7 0x55de93db235e in JOIN::optimize_inner() /test/11.8_dbg_san/sql/sql_select.cc:2725:9
                #8 0x55de93da42a2 in JOIN::optimize() /test/11.8_dbg_san/sql/sql_select.cc:1994:10
                #9 0x55de93b57d13 in st_select_lex::optimize_unflattened_subqueries(bool) /test/11.8_dbg_san/sql/sql_lex.cc:5054:31
                #10 0x55de9447e526 in JOIN::optimize_constant_subqueries() /test/11.8_dbg_san/sql/opt_subselect.cc:5900:20
                #11 0x55de93dafdf3 in JOIN::optimize_inner() /test/11.8_dbg_san/sql/sql_select.cc:2339:7
                #12 0x55de93da42a2 in JOIN::optimize() /test/11.8_dbg_san/sql/sql_select.cc:1994:10
                #13 0x55de93d85bf8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_dbg_san/sql/sql_select.cc:5342:19
                #14 0x55de93d84f12 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10
                #15 0x55de93c5a167 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12
                #16 0x55de93c45d39 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3980:12
                #17 0x55de93c15588 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
                #18 0x55de93c0964b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
                #19 0x55de93c17fad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
                #20 0x55de942db76c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
                #21 0x55de942db027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
                #22 0x55de9361ab5c in asan_thread_start(void*) asan_interceptors.cpp.o
                #23 0x14b9f1a9ca93 in start_thread nptl/pthread_create.c:447:8
                #24 0x14b9f1b29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
             
            SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/11.8_dbg_san/sql/sql_select.cc:17227:31
            

            Roel Roel Van de Paar added a comment - - edited

            This testcase is somewhat similar to the last one above:

            SELECT ( WITH x AS ( SELECT ( NULL ) AS x) SELECT x FROM x WHERE x IN ( SELECT 0 FROM x WHERE ( SELECT x FROM ( SELECT 0 UNION SELECT 0) AS x GROUP BY ( SELECT x))));

            Produces (besides also producing this MDEV-35717 stack) this stack (note the aka 'st_join_table'):

            CS 11.8.0 cacaaebf01939d387645fb850ceeec5392496171 (Debug, UBASAN)

            /test/11.8_dbg_san/sql/sql_select.cc:17227:31: runtime error: member access within null pointer of type 'JOIN_TAB' (aka 'st_join_table')
                #0 0x5581fc0fcc8f in update_depend_map_for_order(JOIN*, st_order*) /test/11.8_dbg_san/sql/sql_select.cc:17227:31
                #1 0x5581fc0fcc8f in remove_const(JOIN*, st_order*, Item*, bool, bool*) /test/11.8_dbg_san/sql/sql_select.cc:17340:3
                #2 0x5581fc0e8e06 in JOIN::optimize_stage2() /test/11.8_dbg_san/sql/sql_select.cc:3190:17
                #3 0x5581fc0f135e in JOIN::optimize_inner() /test/11.8_dbg_san/sql/sql_select.cc:2725:9
                #4 0x5581fc0e32a2 in JOIN::optimize() /test/11.8_dbg_san/sql/sql_select.cc:1994:10
                #5 0x5581fbe96d13 in st_select_lex::optimize_unflattened_subqueries(bool) /test/11.8_dbg_san/sql/sql_lex.cc:5054:31
                #6 0x5581fc0e7330 in JOIN::optimize_stage2() /test/11.8_dbg_san/sql/sql_select.cc:3550:7
                #7 0x5581fc0f135e in JOIN::optimize_inner() /test/11.8_dbg_san/sql/sql_select.cc:2725:9
                #8 0x5581fc0e32a2 in JOIN::optimize() /test/11.8_dbg_san/sql/sql_select.cc:1994:10
                #9 0x5581fbe96d13 in st_select_lex::optimize_unflattened_subqueries(bool) /test/11.8_dbg_san/sql/sql_lex.cc:5054:31
                #10 0x5581fc7bd526 in JOIN::optimize_constant_subqueries() /test/11.8_dbg_san/sql/opt_subselect.cc:5900:20
                #11 0x5581fc0eedf3 in JOIN::optimize_inner() /test/11.8_dbg_san/sql/sql_select.cc:2339:7
                #12 0x5581fc0e32a2 in JOIN::optimize() /test/11.8_dbg_san/sql/sql_select.cc:1994:10
                #13 0x5581fc0c4bf8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_dbg_san/sql/sql_select.cc:5342:19
                #14 0x5581fc0c3f12 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10
                #15 0x5581fbf99167 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12
                #16 0x5581fbf84d39 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3980:12
                #17 0x5581fbf54588 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
                #18 0x5581fbf4864b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
                #19 0x5581fbf56fad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
                #20 0x5581fc61a76c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
                #21 0x5581fc61a027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
                #22 0x5581fb959b5c in asan_thread_start(void*) asan_interceptors.cpp.o
                #23 0x147a1c89ca93 in start_thread nptl/pthread_create.c:447:8
                #24 0x147a1c929c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

            SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/11.8_dbg_san/sql/sql_select.cc:17227:31

            As well as:

            CS 11.8.0 cacaaebf01939d387645fb850ceeec5392496171 (Debug, UBASAN, Clang)

            /test/11.8_dbg_san/strings/ctype-ascii.h:110:27: runtime error: applying non-zero offset 4 to null pointer
                #0 0x55de96554b1e in my_strcoll_ascii_4bytes_found /test/11.8_dbg_san/strings/ctype-ascii.h:110:27
                #1 0x55de96559cce in my_strnncoll_utf8mb3_general1400_as_ci /test/11.8_dbg_san/strings/strcoll.inl:238:24
                #2 0x55de937e0349 in charset_info_st::streq(st_mysql_const_lex_string, st_mysql_const_lex_string) const /test/11.8_dbg_san/include/m_ctype.h:1073:17
                #3 0x55de937e0349 in Lex_ident<Compare_ident_ci>::streq(st_mysql_const_lex_string const&) const /test/11.8_dbg_san/sql/lex_ident.h:119:38
                #4 0x55de93c2a387 in is_infoschema_db(st_mysql_const_lex_string const*) /test/11.8_dbg_san/sql/table.h:3583:34
                #5 0x55de93c2a387 in st_select_lex::add_table_to_list(THD*, Table_ident*, st_mysql_const_lex_string const*, unsigned long, thr_lock_type, enum_mdl_type, List<Index_hint>*, List<String>*, st_mysql_lex_string*) /test/11.8_dbg_san/sql/sql_parse.cc:8114:21
                #6 0x55de947d82ae in MYSQLparse(THD*) /test/11.8_dbg_san/sql/sql_yacc.yy:12151:47
                #7 0x55de93c6affb in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:10328:46
                #8 0x55de93c14cb4 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7867:15
                #9 0x55de93c0964b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
                #10 0x55de93c17fad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
                #11 0x55de942db76c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
                #12 0x55de942db027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
                #13 0x55de9361ab5c in asan_thread_start(void*) asan_interceptors.cpp.o
                #14 0x14b9f1a9ca93 in start_thread nptl/pthread_create.c:447:8
                #15 0x14b9f1b29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

            SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-nonzero-offset /test/11.8_dbg_san/strings/ctype-ascii.h:110:27

            CS 11.8.0 cacaaebf01939d387645fb850ceeec5392496171 (Debug, UBASAN, Clang)

            /test/11.8_dbg_san/sql/sql_select.cc:17227:31: runtime error: member access within null pointer of type 'JOIN_TAB' (aka 'st_join_table')
                #0 0x55de93dbdc8f in update_depend_map_for_order(JOIN*, st_order*) /test/11.8_dbg_san/sql/sql_select.cc:17227:31
                #1 0x55de93dbdc8f in remove_const(JOIN*, st_order*, Item*, bool, bool*) /test/11.8_dbg_san/sql/sql_select.cc:17340:3
                #2 0x55de93da9e06 in JOIN::optimize_stage2() /test/11.8_dbg_san/sql/sql_select.cc:3190:17
                #3 0x55de93db235e in JOIN::optimize_inner() /test/11.8_dbg_san/sql/sql_select.cc:2725:9
                #4 0x55de93da42a2 in JOIN::optimize() /test/11.8_dbg_san/sql/sql_select.cc:1994:10
                #5 0x55de93b57d13 in st_select_lex::optimize_unflattened_subqueries(bool) /test/11.8_dbg_san/sql/sql_lex.cc:5054:31
                #6 0x55de93da8330 in JOIN::optimize_stage2() /test/11.8_dbg_san/sql/sql_select.cc:3550:7
                #7 0x55de93db235e in JOIN::optimize_inner() /test/11.8_dbg_san/sql/sql_select.cc:2725:9
                #8 0x55de93da42a2 in JOIN::optimize() /test/11.8_dbg_san/sql/sql_select.cc:1994:10
                #9 0x55de93b57d13 in st_select_lex::optimize_unflattened_subqueries(bool) /test/11.8_dbg_san/sql/sql_lex.cc:5054:31
                #10 0x55de9447e526 in JOIN::optimize_constant_subqueries() /test/11.8_dbg_san/sql/opt_subselect.cc:5900:20
                #11 0x55de93dafdf3 in JOIN::optimize_inner() /test/11.8_dbg_san/sql/sql_select.cc:2339:7
                #12 0x55de93da42a2 in JOIN::optimize() /test/11.8_dbg_san/sql/sql_select.cc:1994:10
                #13 0x55de93d85bf8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_dbg_san/sql/sql_select.cc:5342:19
                #14 0x55de93d84f12 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10
                #15 0x55de93c5a167 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12
                #16 0x55de93c45d39 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3980:12
                #17 0x55de93c15588 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
                #18 0x55de93c0964b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
                #19 0x55de93c17fad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
                #20 0x55de942db76c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
                #21 0x55de942db027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
                #22 0x55de9361ab5c in asan_thread_start(void*) asan_interceptors.cpp.o
                #23 0x14b9f1a9ca93 in start_thread nptl/pthread_create.c:447:8
                #24 0x14b9f1b29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

            SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/11.8_dbg_san/sql/sql_select.cc:17227:31

            Roel Roel Van de Paar added a comment - Please note this comment on MDEV-29411

            People

              Johnston Rex Johnston
              Ne0 Yongheng Chen