[MDEV-32324] Server crashes inside filesort at my_decimal::to_binary - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 11.1.2, 11.2.1, 10.4(EOL), 10.5, 10.6, 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL)
Fix Version/s: 10.4.32, 10.5.23, 10.6.16, 10.10.7, 10.11.6, 11.0.4, 11.1.3, 11.2.2, 11.3.1
Component/s: Optimizer
Labels:
None
Environment:
Ubuntu 20.04 x86-64, docker image mariadb:11.1.2

Description

PoC:

SELECT 1.000000 two UNION SELECT 1 ORDER BY ( SELECT two LIMIT 1 OFFSET 1 ) ;

docker log:

mariadbd(my_print_stacktrace+0x32)[0x55edbccc87c2]

mariadbd(handle_fatal_signal+0x488)[0x55edbc7a1cf8]

/lib/x86_64-linux-gnu/libc.so.6(+0x42520)[0x7f2de8831520]

mariadbd(_ZNK10my_decimal9to_binaryEPhitj+0x31)[0x55edbc8ed5c1]

mariadbd(_ZNK27Type_handler_decimal_result18make_sort_key_partEPhP4ItemPK15SORT_FIELD_ATTRP6String+0x6d)[0x55edbc79ccdd]

mariadbd(+0xaa1dc2)[0x55edbc79ddc2]

mariadbd(_Z8filesortP3THDP5TABLEP8FilesortP16Filesort_trackerP4JOINy+0x15d7)[0x55edbc7a06c7]

mariadbd(_Z17create_sort_indexP3THDP4JOINP13st_join_tableP8Filesort+0xea)[0x55edbc595dfa]

mariadbd(_ZN13st_join_table10sort_tableEv+0x8b)[0x55edbc59618b]

mariadbd(_Z21join_init_read_recordP13st_join_table+0x71)[0x55edbc596251]

mariadbd(_Z10sub_selectP4JOINP13st_join_tableb+0x22f)[0x55edbc57c9ff]

mariadbd(_ZN4JOIN10exec_innerEv+0xfd4)[0x55edbc5b0bc4]

mariadbd(_ZN4JOIN4execEv+0x3f)[0x55edbc5b0fff]

mariadbd(_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x12c)[0x55edbc5aef7c]

mariadbd(_ZN18st_select_lex_unit10exec_innerEv+0x68c)[0x55edbc60341c]

mariadbd(_Z11mysql_unionP3THDP3LEXP13select_resultP18st_select_lex_unity+0x48)[0x55edbc606438]

mariadbd(_Z13handle_selectP3THDP3LEXP13select_resulty+0x59)[0x55edbc5af679]

mariadbd(+0x826f55)[0x55edbc522f55]

mariadbd(_Z21mysql_execute_commandP3THDb+0x419e)[0x55edbc531f0e]

mariadbd(_Z11mysql_parseP3THDPcjP12Parser_state+0x1e7)[0x55edbc533237]

mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjb+0x14bd)[0x55edbc535a1d]

mariadbd(_Z10do_commandP3THDb+0x138)[0x55edbc537818]

mariadbd(_Z24do_handle_one_connectionP7CONNECTb+0x3bf)[0x55edbc65f3af]

mariadbd(handle_one_connection+0x5d)[0x55edbc65f6fd]

mariadbd(+0xcd1906)[0x55edbc9cd906]

/lib/x86_64-linux-gnu/libc.so.6(+0x94b43)[0x7f2de8883b43]

/lib/x86_64-linux-gnu/libc.so.6(clone+0x44)[0x7f2de8914bb4]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x7f2d840130d8): SELECT 1.000000 two UNION SELECT 1 ORDER BY ( SELECT two LIMIT 1 OFFSET 1 )

Connection ID (thread ID): 4

Status: NOT_KILLED

Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off,hash_join_cardinality=on

Attachments

Issue Links

is duplicated by

MDEV-32606 Server crash when querying InnoDB table

Closed

MDEV-32992 Server crashes when the result set has a decimal part when using the UNION with ORDER BY (SELECT .. LIMIT) clause

Closed

relates to

MDEV-25994 Crash with union of my_decimal type in ORDER BY clause

Closed

Activity

Ascending order - Click to sort in descending order

Jingzhou Fu created issue - 2023-09-30 19:42

Sergei Golubchik made changes - 2023-10-01 06:43

Field	Original Value	New Value
Security		Developers [ 10400 ]

Alice Sherepa made changes - 2023-10-03 13:28

Link

This issue relates to ~~MDEV-25994~~ [ ~~MDEV-25994~~ ]

Alice Sherepa made changes - 2023-10-03 13:28

Affects Version/s		10.4 [ 22408 ]
Affects Version/s		10.5 [ 23123 ]
Affects Version/s		10.6 [ 24028 ]
Affects Version/s		10.9 [ 26905 ]
Affects Version/s		10.10 [ 27530 ]
Affects Version/s		10.11 [ 27614 ]
Affects Version/s		11.0 [ 28320 ]

Alice Sherepa made changes - 2023-10-03 13:29

Fix Version/s		10.4 [ 22408 ]
Fix Version/s		10.5 [ 23123 ]
Fix Version/s		10.6 [ 24028 ]
Fix Version/s		10.9 [ 26905 ]
Fix Version/s		10.10 [ 27530 ]
Fix Version/s		10.11 [ 27614 ]
Fix Version/s		11.0 [ 28320 ]

Alice Sherepa added a comment - 2023-10-03 13:30

Thank you for the report!
I repeated as described on 10.4-11.2

Version: '10.4.32-MariaDB-debug-log'

231003 15:27:14 [ERROR] mysqld got signal 11 ;

Server version: 10.4.32-MariaDB-debug-log source revision: 50a2e8b1892b6b8a276d4bd75a1a02148f9e6ff2

sql/signal_handler.cc:238(handle_fatal_signal)[0x55f3cb51d7e9]

sigaction.c:0(__restore_rt)[0x7fdb1ba02420]

sql/my_decimal.h:128(my_decimal::operator=(my_decimal const&))[0x55f3cb2fcc8d]

sql/my_decimal.h:332(my_decimal2decimal(my_decimal const*, my_decimal*))[0x55f3cb2fd059]

sql/my_decimal.cc:206(my_decimal::to_binary(unsigned char*, int, int, unsigned int) const)[0x55f3cb8db506]

sql/filesort.cc:1159(Type_handler_decimal_result::make_sort_key(unsigned char*, Item*, SORT_FIELD_ATTR const*, String*) const)[0x55f3cb513c9b]

sql/filesort.cc:1207(make_sortkey(Sort_param*, unsigned char*, unsigned char*))[0x55f3cb514168]

sql/filesort.cc:849(find_all_keys(THD*, Sort_param*, SQL_SELECT*, SORT_INFO*, st_io_cache*, st_io_cache*, Bounded_queue<unsigned char, unsigned char>*, unsigned long long*))[0x55f3cb511496]

sql/filesort.cc:262(filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long))[0x55f3cb50cd8d]

sql/sql_select.cc:24212(create_sort_index(THD*, JOIN*, st_join_table*, Filesort*))[0x55f3caec37dc]

sql/sql_select.cc:21890(st_join_table::sort_table())[0x55f3caeb1f3d]

sql/sql_select.cc:21829(join_init_read_record(st_join_table*))[0x55f3caeb143f]

sql/sql_select.cc:20899(sub_select(JOIN*, st_join_table*, bool))[0x55f3caeaab58]

sql/sql_select.cc:20423(do_select(JOIN*, Procedure*))[0x55f3caea8aba]

sql/sql_select.cc:4605(JOIN::exec_inner())[0x55f3cae36602]

sql/sql_select.cc:4388(JOIN::exec())[0x55f3cae33c2e]

sql/sql_select.cc:4828(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55f3cae37e0e]

sql/sql_union.cc:1729(st_select_lex_unit::exec())[0x55f3cb02de2a]

sql/sql_union.cc:42(mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long))[0x55f3cb01bcb2]

sql/sql_select.cc:432(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55f3cae085eb]

sql/sql_parse.cc:6475(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55f3cad7472c]

sql/sql_parse.cc:3978(mysql_execute_command(THD*))[0x55f3cad61ea3]

sql/sql_parse.cc:8012(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55f3cad7dc07]

sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55f3cad5402d]

sql/sql_parse.cc:1378(do_command(THD*))[0x55f3cad50b58]

sql/sql_connect.cc:1420(do_handle_one_connection(CONNECT*))[0x55f3cb15e7fd]

sql/sql_connect.cc:1325(handle_one_connection)[0x55f3cb15e0a1]

perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55f3cbe0899a]

nptl/pthread_create.c:478(start_thread)[0x7fdb1b9f6609]

/lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7fdb1b5c7133]

Query (0x62b0000a1420): SELECT 1.000000 two UNION SELECT 1 ORDER BY ( SELECT two LIMIT 1 OFFSET 1 )

Alice Sherepa added a comment - 2023-10-03 13:30 Thank you for the report! I repeated as described on 10.4-11.2 Version: '10.4.32-MariaDB-debug-log' 231003 15:27:14 [ERROR] mysqld got signal 11 ; Server version: 10.4.32-MariaDB-debug-log source revision: 50a2e8b1892b6b8a276d4bd75a1a02148f9e6ff2 sql/signal_handler.cc:238(handle_fatal_signal)[0x55f3cb51d7e9] sigaction.c:0(__restore_rt)[0x7fdb1ba02420] sql/my_decimal.h:128(my_decimal::operator=(my_decimal const&))[0x55f3cb2fcc8d] sql/my_decimal.h:332(my_decimal2decimal(my_decimal const*, my_decimal*))[0x55f3cb2fd059] sql/my_decimal.cc:206(my_decimal::to_binary(unsigned char*, int, int, unsigned int) const)[0x55f3cb8db506] sql/filesort.cc:1159(Type_handler_decimal_result::make_sort_key(unsigned char*, Item*, SORT_FIELD_ATTR const*, String*) const)[0x55f3cb513c9b] sql/filesort.cc:1207(make_sortkey(Sort_param*, unsigned char*, unsigned char*))[0x55f3cb514168] sql/filesort.cc:849(find_all_keys(THD*, Sort_param*, SQL_SELECT*, SORT_INFO*, st_io_cache*, st_io_cache*, Bounded_queue<unsigned char, unsigned char>*, unsigned long long*))[0x55f3cb511496] sql/filesort.cc:262(filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long))[0x55f3cb50cd8d] sql/sql_select.cc:24212(create_sort_index(THD*, JOIN*, st_join_table*, Filesort*))[0x55f3caec37dc] sql/sql_select.cc:21890(st_join_table::sort_table())[0x55f3caeb1f3d] sql/sql_select.cc:21829(join_init_read_record(st_join_table*))[0x55f3caeb143f] sql/sql_select.cc:20899(sub_select(JOIN*, st_join_table*, bool))[0x55f3caeaab58] sql/sql_select.cc:20423(do_select(JOIN*, Procedure*))[0x55f3caea8aba] sql/sql_select.cc:4605(JOIN::exec_inner())[0x55f3cae36602] sql/sql_select.cc:4388(JOIN::exec())[0x55f3cae33c2e] sql/sql_select.cc:4828(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55f3cae37e0e] sql/sql_union.cc:1729(st_select_lex_unit::exec())[0x55f3cb02de2a] sql/sql_union.cc:42(mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long))[0x55f3cb01bcb2] sql/sql_select.cc:432(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55f3cae085eb] sql/sql_parse.cc:6475(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55f3cad7472c] sql/sql_parse.cc:3978(mysql_execute_command(THD*))[0x55f3cad61ea3] sql/sql_parse.cc:8012(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55f3cad7dc07] sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55f3cad5402d] sql/sql_parse.cc:1378(do_command(THD*))[0x55f3cad50b58] sql/sql_connect.cc:1420(do_handle_one_connection(CONNECT*))[0x55f3cb15e7fd] sql/sql_connect.cc:1325(handle_one_connection)[0x55f3cb15e0a1] perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55f3cbe0899a] nptl/pthread_create.c:478(start_thread)[0x7fdb1b9f6609] /lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7fdb1b5c7133] Query (0x62b0000a1420): SELECT 1.000000 two UNION SELECT 1 ORDER BY ( SELECT two LIMIT 1 OFFSET 1 )

Alice Sherepa made changes - 2023-10-03 13:31

Assignee

Sergei Petrunia [ psergey ]

Alice Sherepa made changes - 2023-10-03 13:31

Status

Open [ 1 ]

Confirmed [ 10101 ]

Alice Sherepa made changes - 2023-10-03 13:32

Component/s

Optimizer [ 10200 ]

Sergei Petrunia added a comment - 2023-10-12 09:54

The subquery ( SELECT two LIMIT 1 OFFSET 1 ) returns an empty set. But it has maybe_null=false. This confuses the sorting code.

Sergei Petrunia added a comment - 2023-10-12 09:54 The subquery ( SELECT two LIMIT 1 OFFSET 1 ) returns an empty set. But it has maybe_null=false. This confuses the sorting code.

Sergei Petrunia added a comment - 2023-10-12 09:58 - edited

A related fix

commit 3c209bfc040ddfc41ece8357d772547432353fd2

Author:	Sergei Petrunia <sergey@mariadb.com>  Thu Apr 21 15:03:23 2022

Committer:	Sergei Petrunia <sergey@mariadb.com>  Fri Apr 22 13:57:16 2022

MDEV-25994: Crash with union of my_decimal type in ORDER BY clause

    When single-row subquery fails with "Subquery reutrns more than 1 row"

    error, it will raise an error and return NULL.

    On the other hand, Item_singlerow_subselect sets item->maybe_null=0

    for table-less subqueries like "(SELECT not_null_value)"  (*)

    This discrepancy (item with maybe_null=0 returning NULL) causes the

    code in Type_handler_decimal_result::make_sort_key_part() to crash.

    Fixed this by allowing inference (*) only when the subquery is NOT a

    UNION.

Sergei Petrunia added a comment - 2023-10-12 09:58 - edited A related fix commit 3c209bfc040ddfc41ece8357d772547432353fd2 Author: Sergei Petrunia <sergey@mariadb.com> Thu Apr 21 15:03:23 2022 Committer: Sergei Petrunia <sergey@mariadb.com> Fri Apr 22 13:57:16 2022 MDEV-25994: Crash with union of my_decimal type in ORDER BY clause When single-row subquery fails with "Subquery reutrns more than 1 row" error, it will raise an error and return NULL. On the other hand, Item_singlerow_subselect sets item->maybe_null=0 for table-less subqueries like "(SELECT not_null_value)" (*) This discrepancy (item with maybe_null=0 returning NULL) causes the code in Type_handler_decimal_result::make_sort_key_part() to crash. Fixed this by allowing inference (*) only when the subquery is NOT a UNION.

Sergei Petrunia made changes - 2023-10-12 10:05

Status

Confirmed [ 10101 ]

In Progress [ 3 ]

Sergei Petrunia made changes - 2023-10-12 11:08

Summary

Server crashes at my_decimal::to_binary

Server crashes inside filesort at my_decimal::to_binary

Sergei Petrunia added a comment - 2023-10-12 11:20

bb-10.4-~~MDEV-32324~~

Sergei Petrunia added a comment - 2023-10-12 11:20 bb-10.4- MDEV-32324

Sergei Petrunia added a comment - 2023-10-12 11:20

Oleg, please review.

Sergei Petrunia added a comment - 2023-10-12 11:20 Oleg, please review.

Sergei Petrunia made changes - 2023-10-12 11:20

Assignee	Sergei Petrunia [ psergey ]	Oleg Smirnov [ JIRAUSER50405 ]
Status	In Progress [ 3 ]	In Review [ 10002 ]

Oleg Smirnov added a comment - 2023-10-16 10:11

A couple of cosmetic comments are left at GitHub, otherwise legitimate.

Oleg Smirnov added a comment - 2023-10-16 10:11 A couple of cosmetic comments are left at GitHub , otherwise legitimate.

Oleg Smirnov made changes - 2023-10-16 10:11

Status

In Review [ 10002 ]

Stalled [ 10000 ]

Sergei Petrunia made changes - 2023-10-16 15:44

Fix Version/s		10.4.32 [ 29300 ]
Fix Version/s		10.5.23 [ 29012 ]
Fix Version/s		10.6.16 [ 29014 ]
Fix Version/s		10.10.7 [ 29018 ]
Fix Version/s		10.11.6 [ 29020 ]
Fix Version/s		11.0.4 [ 29021 ]
Fix Version/s		11.1.3 [ 29023 ]
Fix Version/s		11.2.2 [ 29035 ]
Fix Version/s		11.3.1 [ 29416 ]
Fix Version/s	10.4 [ 22408 ]
Fix Version/s	10.5 [ 23123 ]
Fix Version/s	10.6 [ 24028 ]
Fix Version/s	10.9 [ 26905 ]
Fix Version/s	10.10 [ 27530 ]
Fix Version/s	10.11 [ 27614 ]
Fix Version/s	11.0 [ 28320 ]
Assignee	Oleg Smirnov [ JIRAUSER50405 ]	Sergei Petrunia [ psergey ]
Resolution		Fixed [ 1 ]
Status	Stalled [ 10000 ]	Closed [ 6 ]

Sergei Petrunia added a comment - 2023-10-16 15:44

Addressed comments on github.

Sergei Petrunia added a comment - 2023-10-16 15:44 Addressed comments on github.

Alice Sherepa made changes - 2023-12-12 17:12

Link

This issue is duplicated by ~~MDEV-32606~~ [ ~~MDEV-32606~~ ]

Sergei Golubchik made changes - 2023-12-15 11:18

Security

Developers [ 10400 ]

Alice Sherepa made changes - 2024-04-04 12:05

Link

This issue is duplicated by ~~MDEV-32992~~ [ ~~MDEV-32992~~ ]

People

Assignee:: Sergei Petrunia

Reporter:: Jingzhou Fu

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2023-09-30 19:42

Updated:: 2024-04-04 12:05

Resolved:: 2023-10-16 15:44

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration