Run these queries against a release build:
-- Reproducer, kept verbatim as reported.
-- Table t0 has two INT columns, c52 and c28. c52 is written with two DEFAULT
-- clauses, the second one an expression rather than a literal.
CREATE TABLE t0 ( c52 INT DEFAULT ( 92 ) DEFAULT ( NOT HEX ( 68 ) SOUNDS LIKE CASE 2 WHEN -107 THEN -96 ELSE -50 END ) , c28 INT ) ;
-- Two rows; both columns are supplied explicitly, so the DEFAULT expressions
-- are not used by this INSERT.
INSERT INTO t0 VALUES ( 27 , 68 ) , ( -123 , 68 ) ;
-- View over t0. The SELECT below never references v0.
-- NOTE(review): whether v0 is needed to reproduce is not shown here — confirm.
CREATE VIEW v0 AS SELECT c52 AS c34 , c52 AS c53 , 116 AS c44 FROM t0 ;
-- Crashing statement. The CTE t1 (aliased t2 in the outer FROM) is the only
-- place c5 and c48 are defined; t0 has only c52 and c28. The "= ALL" subquery
-- selects FROM t0 alone, yet its select list uses c48 and its HAVING clause
-- uses c5, so both are references to the outer query from inside the subquery.
-- The reported backtrace faults in Item_field::fix_fields, reached from
-- st_select_lex::pushdown_from_having_into_where while optimizing the subquery.
WITH t1 AS ( SELECT -82 AS c5 , -124 AS c48 ) SELECT t2 . c48 AS c2 FROM t0 JOIN t1 AS t2 ON t2 . c48 = ( SIN ( -65 ) + RAND ( ) * NULLIF ( 37 , 114 IN ( 29 , 88 , 23 ) ) ) WHERE t0 . c52 = ALL ( SELECT c48 AS c54 FROM t0 GROUP BY c52 , c52 HAVING REPEAT ( c5 , TRUNCATE ( 69 , -5685734343884310159 ) - TRUNCATE ( 39 , 74 ) = 56 IS NOT FALSE ) IS NULL = t0 . c52 IS NOT NULL = 61 ) IS FALSE ;
Running them makes the server (mariadbd) crash with a segmentation fault.
GDB info:
Thread 17 "mariadbd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe011a700 (LWP 45782)]
0x0000555556003ab7 in Item_field::fix_fields (this=0x7fff98078f10, thd=0x7fff98000c58,
reference=0x7fff98073630) at /home/wx/mariadb-11.3.0/sql/item.cc:6013
6013 if ((from_field= find_field_in_tables(thd, this,
#0 0x0000555556003ab7 in Item_field::fix_fields (this=0x7fff98078f10, thd=0x7fff98000c58,
reference=0x7fff98073630) at /home/wx/mariadb-11.3.0/sql/item.cc:6013
#1 0x00005555560472dd in Item::fix_fields_if_needed (ref=0x7fff98073630, thd=0x7fff98000c58,
this=0x7fff98078f10) at /home/wx/mariadb-11.3.0/sql/item.h:1145
#2 Item::fix_fields_if_needed (ref=0x7fff98073630, thd=0x7fff98000c58, this=0x7fff98078f10)
at /home/wx/mariadb-11.3.0/sql/item.h:1145
#3 Item_func::fix_fields (ref=<optimized out>, thd=0x7fff98000c58, this=0x7fff980735b0)
at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#4 Item_func::fix_fields (this=this@entry=0x7fff980735b0, thd=thd@entry=0x7fff98000c58,
ref=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_func.cc:316
#5 0x000055555607d0b6 in Item_str_func::fix_fields (this=0x7fff980735b0, thd=0x7fff98000c58,
ref=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:132
#6 0x00005555560472dd in Item::fix_fields_if_needed (ref=0x7fff98073700, thd=0x7fff98000c58,
this=0x7fff980735b0) at /home/wx/mariadb-11.3.0/sql/item.h:1145
#7 Item::fix_fields_if_needed (ref=0x7fff98073700, thd=0x7fff98000c58, this=0x7fff980735b0)
at /home/wx/mariadb-11.3.0/sql/item.h:1145
#8 Item_func::fix_fields (ref=<optimized out>, thd=0x7fff98000c58, this=0x7fff98073680)
at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#9 Item_func::fix_fields (this=0x7fff98073680, thd=0x7fff98000c58, ref=<optimized out>)
at /home/wx/mariadb-11.3.0/sql/item_func.cc:316
#10 0x00005555560472dd in Item::fix_fields_if_needed (ref=0x7fff980738d0, thd=0x7fff98000c58,
this=0x7fff98073680) at /home/wx/mariadb-11.3.0/sql/item.h:1145
#11 Item::fix_fields_if_needed (ref=0x7fff980738d0, thd=0x7fff98000c58, this=0x7fff98073680)
at /home/wx/mariadb-11.3.0/sql/item.h:1145
#12 Item_func::fix_fields (ref=<optimized out>, thd=0x7fff98000c58, this=0x7fff98073850)
at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#13 Item_func::fix_fields (this=0x7fff98073850, thd=0x7fff98000c58, ref=<optimized out>)
at /home/wx/mariadb-11.3.0/sql/item_func.cc:316
#14 0x00005555560472dd in Item::fix_fields_if_needed (ref=0x7fff98073b00, thd=0x7fff98000c58,
this=0x7fff98073850) at /home/wx/mariadb-11.3.0/sql/item.h:1145
#15 Item::fix_fields_if_needed (ref=0x7fff98073b00, thd=0x7fff98000c58, this=0x7fff98073850)
at /home/wx/mariadb-11.3.0/sql/item.h:1145
#16 Item_func::fix_fields (ref=<optimized out>, thd=0x7fff98000c58, this=0x7fff98073a80)
at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#17 Item_func::fix_fields (this=0x7fff98073a80, thd=0x7fff98000c58, ref=<optimized out>)
at /home/wx/mariadb-11.3.0/sql/item_func.cc:316
#18 0x00005555560472dd in Item::fix_fields_if_needed (ref=0x7fff98073c40, thd=0x7fff98000c58,
this=0x7fff98073a80) at /home/wx/mariadb-11.3.0/sql/item.h:1145
#19 Item::fix_fields_if_needed (ref=0x7fff98073c40, thd=0x7fff98000c58, this=0x7fff98073a80)
at /home/wx/mariadb-11.3.0/sql/item.h:1145
#20 Item_func::fix_fields (ref=<optimized out>, thd=0x7fff98000c58, this=0x7fff98073bc0)
at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#21 Item_func::fix_fields (this=0x7fff98073bc0, thd=0x7fff98000c58, ref=<optimized out>)
at /home/wx/mariadb-11.3.0/sql/item_func.cc:316
#22 0x0000555555d5ce42 in st_select_lex::pushdown_from_having_into_where (
this=0x7fff98071d40, thd=0x7fff98000c58, having=0x0)
at /home/wx/mariadb-11.3.0/sql/sql_lex.cc:11284
#23 0x0000555555dec7f4 in JOIN::optimize_inner (this=this@entry=0x7fff98078498)
at /home/wx/mariadb-11.3.0/sql/sql_select.cc:2380
#24 0x0000555555defccd in JOIN::optimize (this=this@entry=0x7fff98078498)
at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944
#25 0x0000555555d4db06 in st_select_lex::optimize_unflattened_subqueries (
this=0x7fff98013fb8, const_only=const_only@entry=false)
at /home/wx/mariadb-11.3.0/sql/sql_lex.cc:4916
#26 0x0000555555ede872 in JOIN::optimize_unflattened_subqueries (
this=this@entry=0x7fff98075398) at /home/wx/mariadb-11.3.0/sql/opt_subselect.cc:5864
#27 0x0000555555dea9b7 in JOIN::optimize_stage2 (this=this@entry=0x7fff98075398)
at /home/wx/mariadb-11.3.0/sql/sql_select.cc:3229
#28 0x0000555555ded98c in JOIN::optimize_inner (this=this@entry=0x7fff98075398)
at /home/wx/mariadb-11.3.0/sql/sql_select.cc:2650
#29 0x0000555555defccd in JOIN::optimize (this=this@entry=0x7fff98075398)
at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944
#30 0x0000555555defdc1 in mysql_select (thd=thd@entry=0x7fff98000c58, tables=0x7fff980145f8,
fields=..., conds=0x7fff98074988, og_num=0, order=0x0, group=0x0, having=0x0,
proc_param=0x0, select_options=<optimized out>, result=0x7fff98075370,
unit=0x7fff98004ee8, select_lex=0x7fff98013fb8)
at /home/wx/mariadb-11.3.0/sql/sql_select.cc:5235
#31 0x0000555555df0607 in handle_select (thd=thd@entry=0x7fff98000c58,
lex=lex@entry=0x7fff98004e08, result=result@entry=0x7fff98075370,
setup_tables_done_option=setup_tables_done_option@entry=0)
at /home/wx/mariadb-11.3.0/sql/sql_select.cc:628
#32 0x0000555555d6de41 in execute_sqlcom_select (thd=thd@entry=0x7fff98000c58,
all_tables=0x7fff980145f8) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013
#33 0x0000555555d7c2aa in mysql_execute_command (thd=thd@entry=0x7fff98000c58,
is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)
at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912
#34 0x0000555555d68c27 in mysql_parse (thd=0x7fff98000c58, rawbuf=<optimized out>,
length=<optimized out>, parser_state=<optimized out>)
at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
#35 0x0000555555d74fdd in dispatch_command (command=command@entry=COM_QUERY,
thd=thd@entry=0x7fff98000c58,
packet=packet@entry=0x7fff98008509 "WITH t1 AS ( SELECT -82 AS c5 , -124 AS c48 ) SELECT t2 . c48 AS c2 FROM t0 JOIN t1 AS t2 ON t2 . c48 = ( SIN ( -65 ) + RAND ( ) * NULLIF ( 37 , 114 IN ( 29 , 88 , 23 ) ) ) WHERE t0 . c52 = ALL ( SELE"...,
packet_length=packet_length@entry=390, blocking=blocking@entry=true)
at /home/wx/mariadb-11.3.0/sql/sql_class.h:251
#36 0x0000555555d7721e in do_command (thd=0x7fff98000c58, blocking=blocking@entry=true)
at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
#37 0x0000555555e9a617 in do_handle_one_connection (connect=<optimized out>,
connect@entry=0x555557e0c6d8, put_in_cache=put_in_cache@entry=true)
at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
#38 0x0000555555e9a94d in handle_one_connection (arg=arg@entry=0x555557e0c6d8)
at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
#39 0x00005555561e658d in pfs_spawn_thread (arg=0x555557db5ee8)
at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
#40 0x00007ffff7b48609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#41 0x00007ffff7719133 in clone () from /lib/x86_64-linux-gnu/libc.so.6
Is duplicated by: MDEV-29731 — Crash when HAVING in a correlated subquery references columns in the outer query (Closed)
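This also crashes 10.6.
The crash is reached from Item_func::fix_fields(), in its loop over args, at the call if ((*arg)->fix_fields_if_needed(thd, arg)). The argument being fixed is an Item_field whose field pointer is NULL: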
(rr) p (*arg)->type()
$10 = Item::FIELD_ITEM
(rr) p ((Item_field *)(*arg))->field
$11 = (Field *) 0x0
(rr) p dbug_print_item(*arg)
$12 = 0x55c268327fe0 <dbug_item_print_buf> "t2.c5"
(rr) p dbug_print_item(this)
$13 = 0x55c268327fe0 <dbug_item_print_buf> "repeat(t2.c5,truncate(69,-5685734343884310159) - truncate(39,74) = 56 is not false)"
The erroneous Item_field is created in JOIN::prepare(), under this call:
bool having_fix_rc= having->fix_fields_if_needed_for_bool(thd, &having);
(rr) p dbug_print_item(having)
$16 = 0x55c268327fe0 <dbug_item_print_buf> "/*always not null*/ 1 is null = t0.c52 is not null = 61"
...
(rr) p dbug_print_item(*arg)
$17 = 0x55c268327fe0 <dbug_item_print_buf> "/*always not null*/ 1 is null = t0.c52 is not null"
...
(rr) p dbug_print_item(*arg)
$18 = 0x55c268327fe0 <dbug_item_print_buf> "/*always not null*/ 1 is null = t0.c52"
...
(rr) p dbug_print_item(*arg)
$19 = 0x55c268327fe0 <dbug_item_print_buf> "/*always not null*/ 1 is null"
...
/* how did this end up as an arg to the above? Set that way in the parser */
...
(rr) p dbug_print_item(*arg)
$20 = 0x55c268327fe0 <dbug_item_print_buf> "repeat(c5,truncate(69,-5685734343884310159) - truncate(39,74) = 56 is not false)"
So this is potentially a parser issue.