
SIGSEGV in Item_field::used_tables and UBSAN: runtime error: member access within null pointer of type 'struct Field' on SELECT


    Description

      SELECT x FROM (SELECT * FROM (SELECT 1 AS x) AS x) AS x WHERE x IN (SELECT * FROM (SELECT 1) AS x WHERE x IN (SELECT x IN (SELECT 1) AS x)) GROUP BY x HAVING NOT x;
      

      Leads to the following crashes (note that the dbg and opt stacks differ):

      11.0.1 f2dc4d4c10ac36a73b5c1eb765352d3aee808d66 (Optimized)

      Core was generated by `/test/MD180223-mariadb-11.0.1-linux-x86_64-opt/bin/mariadbd --no-defaults --cor'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x000055efef34bbbb in Item_field::used_tables (this=0x14864001ec28)
          at /test/11.0_opt/sql/item.cc:3510
      3510	  if (field->table->const_table)
      [Current thread is 1 (Thread 0x148678129640 (LWP 3105045))]
      (gdb) bt
      #0  0x000055efef34bbbb in Item_field::used_tables (this=0x14864001ec28) at /test/11.0_opt/sql/item.cc:3510
      #1  0x000055efef34c0b3 in Item_direct_view_ref::used_tables (this=0x14864001f3e0) at /test/11.0_opt/sql/item.cc:10831
      #2  Item_direct_view_ref::used_tables (this=0x14864001f3e0) at /test/11.0_opt/sql/item.cc:10822
      #3  0x000055efef08e379 in Item::pushable_equality_checker_for_derived (this=this@entry=0x14864001f3e0, arg=arg@entry=0x148640016a88 "\001") at /test/11.0_opt/sql/item.h:2720
      #4  0x000055efef36c206 in Item_equal::create_pushable_equalities (this=this@entry=0x148640024de0, thd=thd@entry=0x148640000c68, equalities=equalities@entry=0x148678126f30, checker=<optimized out>, arg=arg@entry=0x148640016a88 "\001", clone_const=true) at /test/11.0_opt/sql/item_cmpfunc.cc:7747
      #5  0x000055efef347a88 in Item::build_pushable_cond (this=0x148640024de0, thd=0x148640000c68, checker=<optimized out>, arg=0x148640016a88 "\001") at /test/11.0_opt/sql/item.cc:7695
      #6  0x000055efef347983 in Item::build_pushable_cond (this=this@entry=0x148640024ad0, thd=thd@entry=0x148640000c68, checker=<optimized out>, arg=0x148640016a88 "\001") at /test/11.0_opt/sql/item.cc:7665
      #7  0x000055efef08d06f in pushdown_cond_for_derived (thd=0x148640000c68, cond=0x148640024ad0, derived=derived@entry=0x148640012428) at /test/11.0_opt/sql/sql_derived.cc:1539
      #8  0x000055efef14bf82 in JOIN::optimize_inner (this=0x14864001d5a0) at /test/11.0_opt/sql/sql_select.cc:2384
      #9  0x000055efef14ce6a in JOIN::optimize (this=this@entry=0x14864001d5a0) at /test/11.0_opt/sql/sql_select.cc:1897
      #10 0x000055efef14cf5e in mysql_select (thd=0x148640000c68, tables=0x1486400133d0, fields=@0x148640010d40: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x148640011060, last = 0x148640011060, elements = 1}, <No data fields>}, conds=0x14864001c690, og_num=1, order=0x0, group=0x14864001ca28, having=0x14864001cb90, proc_param=0x0, select_options=<optimized out>, result=0x14864001cc88, unit=0x148640004cf0, select_lex=0x148640010a88) at /test/11.0_opt/sql/sql_select.cc:5132
      #11 0x000055efef14d6f4 in handle_select (thd=thd@entry=0x148640000c68, lex=lex@entry=0x148640004c18, result=result@entry=0x14864001cc88, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.0_opt/sql/sql_select.cc:608
      #12 0x000055efef0c6ee5 in execute_sqlcom_select (thd=0x148640000c68, all_tables=0x1486400133d0) at /test/11.0_opt/sql/sql_parse.cc:6267
      #13 0x000055efef0d5f00 in mysql_execute_command (thd=0x148640000c68, is_called_from_prepared_stmt=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:3949
      #14 0x000055efef0d7794 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x148640000c68) at /test/11.0_opt/sql/sql_parse.cc:8002
      #15 mysql_parse (thd=0x148640000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:7924
      #16 0x000055efef0d9d72 in dispatch_command (command=COM_QUERY, thd=0x148640000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:1991
      #17 0x000055efef0db510 in do_command (thd=0x148640000c68, blocking=blocking@entry=true) at /test/11.0_opt/sql/sql_parse.cc:1407
      #18 0x000055efef1f3717 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55eff1380e88, put_in_cache=put_in_cache@entry=true) at /test/11.0_opt/sql/sql_connect.cc:1416
      #19 0x000055efef1f39ed in handle_one_connection (arg=0x55eff1380e88) at /test/11.0_opt/sql/sql_connect.cc:1318
      #20 0x000014869cc19b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
      #21 0x000014869ccaba00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
      

      11.0.1 f2dc4d4c10ac36a73b5c1eb765352d3aee808d66 (Debug)

      Core was generated by `/test/MD180223-mariadb-11.0.1-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x000055ade0c16e45 in Item_field::used_tables (this=0x15081c021618)
          at /test/11.0_dbg/sql/item.cc:3510
      3510	  if (field->table->const_table)
      [Current thread is 1 (Thread 0x150890ceb640 (LWP 3105030))]
      (gdb) bt
      #0  0x000055ade0c16e45 in Item_field::used_tables (this=0x15081c021618) at /test/11.0_dbg/sql/item.cc:3510
      #1  0x000055ade0c1734a in Item_direct_view_ref::used_tables (this=0x15081c021dd0) at /test/11.0_dbg/sql/item.cc:10831
      #2  0x000055ade08caf8b in Item::pushable_equality_checker_for_derived (this=<optimized out>, arg=0x15081c019458 "\001") at /test/11.0_dbg/sql/item.h:2720
      #3  0x000055ade0c3da2c in Item_equal::create_pushable_equalities (this=this@entry=0x15081c0278f8, thd=thd@entry=0x15081c000d58, equalities=equalities@entry=0x150890ce9590, checker=<optimized out>, arg=arg@entry=0x15081c019458 "\001", clone_const=true) at /test/11.0_dbg/sql/item_cmpfunc.cc:7747
      #4  0x000055ade0c121a8 in Item::build_pushable_cond (this=0x15081c0278f8, thd=0x15081c000d58, checker=<optimized out>, arg=0x15081c019458 "\001") at /test/11.0_dbg/sql/item.cc:7695
      #5  0x000055ade0c1204c in Item::build_pushable_cond (this=this@entry=0x15081c0275e8, thd=thd@entry=0x15081c000d58, checker=<optimized out>, arg=0x15081c019458 "\001") at /test/11.0_dbg/sql/item.cc:7665
      #6  0x000055ade08c99f1 in pushdown_cond_for_derived (thd=0x15081c000d58, cond=0x15081c0275e8, derived=derived@entry=0x15081c014df8) at /test/11.0_dbg/sql/sql_derived.cc:1539
      #7  0x000055ade09a2efb in JOIN::optimize_inner (this=this@entry=0x15081c01ff70) at /test/11.0_dbg/sql/sql_select.cc:2384
      #8  0x000055ade09a39bc in JOIN::optimize (this=this@entry=0x15081c01ff70) at /test/11.0_dbg/sql/sql_select.cc:1897
      #9  0x000055ade09a3ac5 in mysql_select (thd=thd@entry=0x15081c000d58, tables=0x15081c015da0, fields=@0x15081c013710: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x15081c013a30, last = 0x15081c013a30, elements = 1}, <No data fields>}, conds=0x15081c01f060, og_num=1, order=0x0, group=0x15081c01f3f8, having=0x15081c01f560, proc_param=0x0, select_options=2164525824, result=0x15081c01f658, unit=0x15081c004fa0, select_lex=0x15081c013458) at /test/11.0_dbg/sql/sql_select.cc:5132
      #10 0x000055ade09a428b in handle_select (thd=thd@entry=0x15081c000d58, lex=lex@entry=0x15081c004ec8, result=result@entry=0x15081c01f658, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.0_dbg/sql/sql_select.cc:608
      #11 0x000055ade0909e8d in execute_sqlcom_select (thd=thd@entry=0x15081c000d58, all_tables=0x15081c015da0) at /test/11.0_dbg/sql/sql_parse.cc:6267
      #12 0x000055ade09154af in mysql_execute_command (thd=thd@entry=0x15081c000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.0_dbg/sql/sql_parse.cc:3949
      #13 0x000055ade091c7cf in mysql_parse (thd=thd@entry=0x15081c000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x150890cea2c0) at /test/11.0_dbg/sql/sql_parse.cc:8002
      #14 0x000055ade091e963 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x15081c000d58, packet=packet@entry=0x15081c00ae19 "SELECT x FROM (SELECT * FROM (SELECT 1 AS x) AS x) AS x WHERE x IN (SELECT * FROM (SELECT 1) AS x WHERE x IN (SELECT x IN (SELECT 1) AS x)) GROUP BY x HAVING NOT x", packet_length=packet_length@entry=163, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_class.h:242
      #15 0x000055ade09207bc in do_command (thd=0x15081c000d58, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_parse.cc:1407
      #16 0x000055ade0a716e2 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55ade4a04fe8, put_in_cache=put_in_cache@entry=true) at /test/11.0_dbg/sql/sql_connect.cc:1416
      #17 0x000055ade0a71941 in handle_one_connection (arg=0x55ade4a04fe8) at /test/11.0_dbg/sql/sql_connect.cc:1318
      #18 0x00001508bf7cdb43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
      #19 0x00001508bf85fa00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
      

      11.0.1 4d09050ca77a7efac4565d46e4bcd85a5f210c53 (Optimized, UBASAN)

      /test/11.0_opt_san/sql/item.cc:3512:14: runtime error: member access within null pointer of type 'struct Field'
          #0 0x56468270486e in Item_field::used_tables() const /test/11.0_opt_san/sql/item.cc:3512
          #1 0x564682707b5f in Item_direct_view_ref::used_tables() const /test/11.0_opt_san/sql/item.cc:10815
          #2 0x564680e4ac8c in Item::pushable_equality_checker_for_derived(unsigned char*) /test/11.0_opt_san/sql/item.h:2714
          #3 0x56468289471e in Item_equal::create_pushable_equalities(THD*, List<Item>*, bool (Item::*)(unsigned char*), unsigned char*, bool) /test/11.0_opt_san/sql/item_cmpfunc.cc:7716
          #4 0x5646826d546f in Item::build_pushable_cond(THD*, bool (Item::*)(unsigned char*), unsigned char*) /test/11.0_opt_san/sql/item.cc:7679
          #5 0x5646826d5c0f in Item::build_pushable_cond(THD*, bool (Item::*)(unsigned char*), unsigned char*) /test/11.0_opt_san/sql/item.cc:7649
          #6 0x564680e3fadc in pushdown_cond_for_derived(THD*, Item*, TABLE_LIST*) /test/11.0_opt_san/sql/sql_derived.cc:1537
          #7 0x5646814d076d in JOIN::optimize_inner() /test/11.0_opt_san/sql/sql_select.cc:2349
          #8 0x5646814d6430 in JOIN::optimize() /test/11.0_opt_san/sql/sql_select.cc:1870
          #9 0x5646814d6ac6 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_opt_san/sql/sql_select.cc:5066
          #10 0x5646814da8e0 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_opt_san/sql/sql_select.cc:581
          #11 0x564681082f60 in execute_sqlcom_select /test/11.0_opt_san/sql/sql_parse.cc:6265
          #12 0x5646810e8827 in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:3949
          #13 0x5646810f9542 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_opt_san/sql/sql_parse.cc:8000
          #14 0x564681106fa5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_opt_san/sql/sql_parse.cc:1894
          #15 0x564681110700 in do_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:1407
          #16 0x5646819f103c in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1416
          #17 0x5646819f363c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
          #18 0x15352e0efb42 in start_thread nptl/pthread_create.c:442
          #19 0x15352e1819ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
      

      Bug confirmed present in:
      MariaDB: 10.4.29 (dbg), 10.4.29 (opt), 10.5.20 (dbg), 10.5.20 (opt), 10.6.13 (dbg), 10.6.13 (opt), 10.7.8 (dbg), 10.7.8 (opt), 10.8.8 (dbg), 10.8.8 (opt), 10.9.6 (dbg), 10.9.6 (opt), 10.10.4 (dbg), 10.10.4 (opt), 10.11.2 (dbg), 10.11.2 (opt), 11.0.1 (dbg), 11.0.1 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.3.38 (dbg), 10.3.38 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.40 (dbg), 5.7.40 (opt), 8.0.31 (dbg), 8.0.31 (opt)


          People

            psergei Sergei Petrunia
            Roel Roel Van de Paar
