Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-32290

Server crashes at sub_select_cache(JOIN*, st_join_table*, bool)

    XMLWordPrintable

Details

    • Bug
    • Status: In Review (View Workflow)
    • Critical
    • Resolution: Unresolved
    • 11.2.1, 10.4(EOL), 10.5(EOL), 10.6, 10.11, 11.0(EOL), 11.4, 11.7(EOL), 11.8
    • 10.11, 11.4, 11.8, 12.3
    • Optimizer, Optimizer - CTE
    • None
    • Ubuntu 20.04 x86-64, docker image mariadb:11.1.2
    • Q3/2026 Server Maintenance

    Description

      PoC:

      SELECT ( WITH RECURSIVE x ( x ) AS ( SELECT 1 EXCEPT SELECT x + 1 FROM ( SELECT 1.000000 x FROM ( SELECT 1.000000 FROM x UNION SELECT x FROM ( WITH x AS ( WITH x ( x ) AS ( SELECT 1.000000 EXCEPT SELECT ( 1 ) ) SELECT x FROM x WHERE 1 IN ( SELECT x FROM x ) ) SELECT * FROM x ) x ) x ) x ) SELECT x FROM x ) ;

      docker log:

      mariadbd(my_print_stacktrace+0x32)[0x55835a5867c2]
      		 
      mariadbd(handle_fatal_signal+0x488)[0x55835a05fcf8]
      		 
      /lib/x86_64-linux-gnu/libc.so.6(+0x42520)[0x7f533257b520]
      		 
      mariadbd(_Z16sub_select_cacheP4JOINP13st_join_tableb+0x1c)[0x558359e3ae4c]
      		 
      mariadbd(_ZN4JOIN10exec_innerEv+0xe8b)[0x558359e6ea7b]
      		 
      mariadbd(_ZN4JOIN4execEv+0x3f)[0x558359e6efff]
      		 
      mariadbd(_ZN18st_select_lex_unit10exec_innerEv+0x5b4)[0x558359ec1344]
      		 
      mariadbd(+0x7ec42a)[0x558359da642a]
      		 
      mariadbd(_Z27mysql_handle_single_derivedP3LEXP10TABLE_LISTj+0x95)[0x558359da5e35]
      		 
      mariadbd(_ZN13st_join_table12preread_initEv+0x80)[0x558359e3a710]
      		 
      mariadbd(_Z10sub_selectP4JOINP13st_join_tableb+0x1a8)[0x558359e3a978]
      		 
      mariadbd(_ZN4JOIN10exec_innerEv+0xfd4)[0x558359e6ebc4]
      		 
      mariadbd(_ZN4JOIN4execEv+0x3f)[0x558359e6efff]
      		 
      mariadbd(_ZN18st_select_lex_unit14exec_recursiveEv+0x304)[0x558359ec1a04]
      		 
      mariadbd(_ZN10TABLE_LIST14fill_recursiveEP3THD+0xa2)[0x558359da5fc2]
      		 
      mariadbd(+0x7ec44f)[0x558359da644f]
      		 
      mariadbd(_Z27mysql_handle_single_derivedP3LEXP10TABLE_LISTj+0x95)[0x558359da5e35]
      		 
      mariadbd(_ZN13st_join_table12preread_initEv+0x80)[0x558359e3a710]
      		 
      mariadbd(_Z10sub_selectP4JOINP13st_join_tableb+0x1a8)[0x558359e3a978]
      		 
      mariadbd(_ZN4JOIN10exec_innerEv+0xfd4)[0x558359e6ebc4]
      		 
      mariadbd(_ZN4JOIN4execEv+0x3f)[0x558359e6efff]
      		 
      mariadbd(_ZN30subselect_single_select_engine4execEv+0x146)[0x55835a13f7f6]
      		 
      mariadbd(_ZN14Item_subselect4execEv+0x4c)[0x55835a13e73c]
      		 
      mariadbd(_ZN24Item_singlerow_subselect7val_intEv+0x24)[0x55835a140784]
      		 
      mariadbd(_ZNK12Type_handler14Item_send_longEP4ItemP8ProtocolP8st_value+0x1d)[0x558359fb689d]
      		 
      mariadbd(_ZN8Protocol19send_result_set_rowEP4ListI4ItemE+0xea)[0x558359d14cfa]
      		 
      mariadbd(_ZN11select_send9send_dataER4ListI4ItemE+0x37)[0x558359d936a7]
      		 
      mariadbd(_ZN4JOIN10exec_innerEv+0xc90)[0x558359e6e880]
      		 
      mariadbd(_ZN4JOIN4execEv+0x3f)[0x558359e6efff]
      		 
      mariadbd(_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x12c)[0x558359e6cf7c]
      		 
      mariadbd(_Z13handle_selectP3THDP3LEXP13select_resulty+0x154)[0x558359e6d774]
      		 
      mariadbd(+0x826f55)[0x558359de0f55]
      		 
      mariadbd(_Z21mysql_execute_commandP3THDb+0x419e)[0x558359deff0e]
      		 
      mariadbd(_Z11mysql_parseP3THDPcjP12Parser_state+0x1e7)[0x558359df1237]
      		 
      mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjb+0x14bd)[0x558359df3a1d]
      		 
      mariadbd(_Z10do_commandP3THDb+0x138)[0x558359df5818]
      		 
      mariadbd(_Z24do_handle_one_connectionP7CONNECTb+0x3bf)[0x558359f1d3af]
      		 
      mariadbd(handle_one_connection+0x5d)[0x558359f1d6fd]
      		 
      mariadbd(+0xcd1906)[0x55835a28b906]
      		 
      /lib/x86_64-linux-gnu/libc.so.6(+0x94b43)[0x7f53325cdb43]
      		 
      /lib/x86_64-linux-gnu/libc.so.6(clone+0x44)[0x7f533265ebb4]
      		 
       
      		 
      Trying to get some variables.
      		 
      Some pointers may be invalid and cause the dump to abort.
      		 
      Query (0x7f52d40130d8): SELECT ( WITH RECURSIVE x ( x ) AS ( SELECT 1 EXCEPT SELECT x + 1 FROM ( SELECT 1.000000 x FROM ( SELECT 1.000000 FROM x UNION SELECT x FROM ( WITH x AS ( WITH x ( x ) AS ( SELECT 1.000000 EXCEPT SELECT ( 1 ) ) SELECT x FROM x WHERE 1 IN ( SELECT x FROM x ) ) SELECT * FROM x ) x ) x ) x ) SELECT x FROM x )
      		 
       
      		 
      Connection ID (thread ID): 4
      		 
      Status: NOT_KILLED
      		 
       
      		 
      Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off,hash_join_cardinality=on

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. MDEV-32379 Segmentation fault at /mariadb-11.3.0/sql/sql_select.cc:23188

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-32392 Segmentation fault at /mariadb-11.3.0/sql/sql_select.cc:14639

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-39379 MariaDB debug build assertion `cache != __null' failed in sub_select_cache

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-28799 SIGSEGV in JOIN_CACHE::reset_join and Assertion `cache != __null' failed in sub_select_cache on SELECT

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-32710 Assertion Failed at /mariadb-11.3.0/sql/item_subselect.cc:1936

          • Major - Major loss of function.
          • Confirmed

          Activity

            People

              psergei Sergei Petrunia
              fuboat Jingzhou Fu
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.