MDEV-32403 (MariaDB Server)

Crash if subquery is a UNION of SELECT rand() and uncorrelated SELECT


Details

    • Type: Bug
    • Status: In Review
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2, 11.3.0
    • Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.1, 11.2
    • Component/s: Optimizer, Server
    • Labels: None
    • Environment: Ubuntu 20.04

    Description

      Run these queries in a release build:

      CREATE TEMPORARY TABLE t0 ( c22 TEXT , c57 BOOL ) ;
      INSERT INTO t0 VALUES ( -101 , -87 ) , ( -95 , 59 ) ;
      CREATE INDEX i0 ON t0 ( c22 ) ;
      INSERT INTO t0 ( c57 ) SELECT 48 AS c48 ;
      SELECT t4 . c16 AS c37 FROM ( WITH t1 AS ( SELECT 2743131056066857905 AS c24 , MIN( 3762089500126409270 ) AS c62 ) SELECT c22 = ( SELECT t0 . c22 AS c20 FROM ( SELECT t1 . c62 AS c27 FROM t1 LEFT OUTER JOIN t0 AS t2 ON TRUE HAVING RAND ( ) IS NOT UNKNOWN ) AS t3 JOIN t0 ON t0 . c22 = t3 . c27 EXCEPT SELECT c22 + -94 AS c36 FROM t0 WHERE c57 IN ( SELECT c22 AS c25 FROM t0 ) LIMIT 1 ) AS c16 FROM t0 ) AS t4 JOIN t0 ON t0 . c22 = t0 . c22 ;

      This will trigger a segmentation fault.
      GDB info:

      Thread 17 "mariadbd" received signal SIGSEGV, Segmentation fault.
      [Switching to Thread 0x7fffd1c17300 (LWP 3039)]
      0x0000000000cce04f in test_if_quick_select (tab=0x62d000145980) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:24361
      24361	  delete tab->select->quick;
      (gdb) p tab->select
      $29 = (SQL_SELECT *) 0x0
       
       
      #0  0x0000000000cce04f in test_if_quick_select (tab=0x62d0000e1a50) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:24361
      #1  0x0000000000ccd3ae in join_init_quick_read_record (tab=0x62d0000e1a50) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:24337
      #2  0x0000000000be32cc in sub_select (join=0x6290000c9430, join_tab=0x62d0000e1a50, end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23441
      #3  0x0000000000c9e284 in evaluate_join_record (join=join@entry=0x6290000c9430, join_tab=<optimized out>, join_tab@entry=0x62d0000e15d8, error=error@entry=0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677
      #4  0x0000000000be3396 in sub_select (join=0x6290000c9430, join_tab=0x62d0000e15d8, end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444
      #5  0x0000000000c45121 in do_select (join=0x6290000c9430, procedure=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
      #6  JOIN::exec_inner (this=0x6290000c9430) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
      #7  0x0000000000c428e9 in JOIN::exec (this=0x6290000c9430) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
      #8  0x0000000000df0df7 in st_select_lex_unit::exec_inner (this=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_union.cc:2389
      #9  0x00000000015d8bb5 in subselect_union_engine::exec (this=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4187
      #10 0x00000000015b3edc in Item_subselect::exec (this=0x6290000c0700) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812
      #11 0x00000000015b9a0c in Item_singlerow_subselect::val_str (this=0x6290000c0700, str=0x6290000c0ae8) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1484
      #12 0x00000000013aa698 in Arg_comparator::compare_string (this=0x6290000c0998) at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:773
      #13 0x00000000013b5ea2 in Arg_comparator::compare (this=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.h:104
      #14 Item_func_eq::val_int (this=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1780
      #15 0x00000000013552b8 in Item::save_int_in_field (this=0x6290000c08e0, field=0x6190001013b8, no_conversions=false) at /home/wx/mariadb-11.3.0/sql/item.cc:6843
      #16 0x00000000013554a9 in Item::save_in_field (this=0x6290000c08e0, field=0x6190001013b8, no_conversions=false) at /home/wx/mariadb-11.3.0/sql/item.cc:6853
      #17 0x00000000009d9dc9 in fill_record (thd=<optimized out>, table=<optimized out>, ptr=0x61f000013d98, values=..., ignore_errors=<optimized out>, use_value=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_base.cc:9320
      #18 0x0000000000de507b in select_unit::send_data (this=0x6290000c5998, values=...) at /home/wx/mariadb-11.3.0/sql/sql_union.cc:122
      #19 0x0000000000c36f9a in select_result_sink::send_data_with_check (this=0x0, items=..., u=<optimized out>, sent=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_class.h:5842
      #20 end_send (join=0x6290000c5a90, join_tab=0x6290000cb858, end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:24710
      #21 0x0000000000c9e284 in evaluate_join_record (join=join@entry=0x6290000c5a90, join_tab=<optimized out>, join_tab@entry=0x6290000cb3e0, error=error@entry=0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677
      #22 0x0000000000be340f in sub_select (join=0x6290000c5a90, join_tab=0x6290000cb3e0, end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23481
      #23 0x0000000000c45121 in do_select (join=0x6290000c5a90, procedure=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
      #24 JOIN::exec_inner (this=0x6290000c5a90) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
      #25 0x0000000000c428e9 in JOIN::exec (this=this@entry=0x6290000c5a90) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
      #26 0x0000000000be5128 in mysql_select (thd=<optimized out>, tables=<optimized out>, fields=..., conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x6290000c5998, unit=0x6290000c12f8, select_lex=0x629000092ea8) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249
      #27 0x0000000000a56eb7 in mysql_derived_fill (thd=<optimized out>, lex=<optimized out>, derived=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1266
      #28 0x0000000000a57cc2 in mysql_handle_single_derived (lex=0x62b0001703c8, derived=derived@entry=0x6290000c3238, phases=phases@entry=96) at /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200
      #29 0x0000000000c71b80 in st_join_table::preread_init (this=this@entry=0x62d0000e85f8) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:16029
      #30 0x0000000000be2fea in sub_select (join=0x6290000c51c0, join_tab=0x62d0000e85f8, end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23392
      #31 0x0000000000c45121 in do_select (join=0x6290000c51c0, procedure=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
      #32 JOIN::exec_inner (this=0x6290000c51c0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
      #33 0x0000000000c428e9 in JOIN::exec (this=this@entry=0x6290000c51c0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
      #34 0x0000000000be5128 in mysql_select (thd=<optimized out>, thd@entry=0x62b00016c218, tables=<optimized out>, fields=..., conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x6290000c5190, unit=0x62b0001704a8, select_lex=0x629000091610) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249
      #35 0x0000000000be4596 in handle_select (thd=thd@entry=0x62b00016c218, lex=<optimized out>, lex@entry=0x62b0001703c8, result=<optimized out>, result@entry=0x6290000c5190, setup_tables_done_option=<optimized out>, setup_tables_done_option@entry=0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:628
      #36 0x0000000000b3df18 in execute_sqlcom_select (thd=0x62b00016c218, all_tables=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013
      #37 0x0000000000b2cd51 in mysql_execute_command (thd=0x62b00016c218, is_called_from_prepared_stmt=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912
      #38 0x0000000000b1fe79 in mysql_parse (thd=thd@entry=0x62b00016c218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, parser_state@entry=0x7fffd242ca80) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
      #39 0x0000000000b19069 in dispatch_command (command=<optimized out>, thd=0x62b00016c218, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893
      #40 0x0000000000b20b71 in do_command (thd=0x62b00016c218, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
      #41 0x0000000000f03476 in do_handle_one_connection (connect=<optimized out>, put_in_cache=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
      #42 0x0000000000f02eb9 in handle_one_connection (arg=arg@entry=0x608001921d38) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
      #43 0x0000000001a00c1b in pfs_spawn_thread (arg=0x617000005118) at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
      #44 0x00007ffff79f7609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
      #45 0x00007ffff770f133 in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

            People

              Assignee: Sergei Petrunia (psergei)
              Reporter: Xin Wen
