  1. MariaDB Server
  2. MDEV-32723

Segmentation fault at /mariadb-11.3.0/sql/sql_cte.cc

Details

    Description

      Run these queries on a debug build:

      -- Reproducer as filed in this report. The table, its column, both CTEs and the
      -- named window are all called x, so each reference to x below has to be read in context.
      CREATE TABLE x ( x INT ) ;
      INSERT INTO x ( x ) VALUES ( 1 ) ;
      UPDATE x SET x = 1 WHERE x = 1 ;
      INSERT INTO x ( x ) VALUES ( 1 ) , ( 1 ) ;
      -- The statement below declares a CTE x inside the definition of the recursive CTE x.
      -- The GDB trace in this report places the fault under MYSQLparse, in
      -- LEX::check_cte_dependencies_and_resolve_references, i.e. while the statement is
      -- still being parsed and its CTE references are being resolved.
      -- NOTE(review): the report does not say whether the INSERT/UPDATE statements above
      -- are required; the reduced case posted in the comments keeps only CREATE TABLE.
      WITH RECURSIVE x ( x ) AS ( WITH x ( x ) AS ( SELECT 1 EXCEPT SELECT x + 1 ORDER BY ( x = 'x' AND x BETWEEN 1 AND 1 ) OR ( ( SELECT ( SELECT x WHERE x = x ) FROM x AS x GROUP BY x ORDER BY 1 , 1 DESC ) != ( SELECT 1 FROM x WHERE x != 'x' WINDOW x AS ( PARTITION BY x ORDER BY 1 DESC ) ) AND x = 1 ) ASC ) SELECT 1 EXCEPT SELECT x + 1 FROM x ) SELECT - x , x FROM x ;
      

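      This triggers a segmentation fault. In the backtrace below, the visible frames from #8 to #9773 alternate between With_element::clone_parsed_spec and LEX::resolve_references_to_cte, all beneath MYSQLparse, which suggests that CTE reference resolution recurses without bound during parsing until the thread stack is exhausted; the memcpy in frame #0 is probably just where the stack ran out. Because the fault is reached at parse time, it should be triaged as a server-availability issue for any account that can submit the statement.
      GDB info: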

      #0  0x00007ffff761e379 in __interceptor_memcpy (dst=0x7fffc29d60da, src=0x6290000f52c5, size=0) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
      #1  0x00005555571885fd in Lex_input_stream::skip_binary (this=0x7fffd0d1a7e0, n=0) at /home/wx/mariadb-11.3.0/sql/sql_lex.h:2537
      #2  0x0000555557137ab2 in Lex_input_stream::scan_ident_middle (this=0x7fffd0d1a7e0, thd=0x62c0001e0288, str=0x7fffd0d198b0, introducer=0x7fffd0d198b0, st=0x7fffd0d17ca0) at /home/wx/mariadb-11.3.0/sql/sql_lex.cc:2740
      #3  0x0000555557133c8f in Lex_input_stream::lex_one_token (this=0x7fffd0d1a7e0, yylval=0x7fffd0d198b0, thd=0x62c0001e0288) at /home/wx/mariadb-11.3.0/sql/sql_lex.cc:2154
      #4  0x000055555713281f in Lex_input_stream::lex_token (this=0x7fffd0d1a7e0, yylval=0x7fffd0d198b0, thd=0x62c0001e0288) at /home/wx/mariadb-11.3.0/sql/sql_lex.cc:1901
      #5  0x000055555713260d in MYSQLlex (yylval=0x7fffd0d198b0, thd=0x62c0001e0288) at /home/wx/mariadb-11.3.0/sql/sql_lex.cc:1873
      #6  0x0000555557987035 in MYSQLparse (thd=0x62c0001e0288) at /home/wx/mariadb-11.3.0/build/sql/yy_mariadb.cc:28015
      #7  0x0000555557079406 in THD::sql_parser (this=0x62c0001e0288, old_lex=0x7fffc29c8728, lex=0x7fffc29d4428, str=0x6290000f52c3 " WITH x ( x ) AS ( SELECT 1 EXCEPT SELECT x + 1 ORDER BY ( x = 'x' AND x BETWEEN 1 AND 1 ) OR ( ( SELECT ( SELECT x WHERE x = x ) FROM x AS x GROUP BY x ORDER BY 1 , 1 DESC ) != ( SELECT 1 FROM x WHER"..., str_len=314, stmt_prepare_mode=false) at /home/wx/mariadb-11.3.0/sql/sql_class.cc:2919
      #8  0x000055555791e1f2 in With_element::clone_parsed_spec (this=0x629000165648, old_lex=0x7fffc29c8728, with_table=0x7fffc29ce400) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:1074
      #9  0x000055555791ac0a in LEX::resolve_references_to_cte (this=0x7fffc29c8728, tables=0x7fffc29ce400, tables_last=0x7fffc29d3820) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:204
      #10 0x000055555791e4f2 in With_element::clone_parsed_spec (this=0x629000165648, old_lex=0x7fffc29bca28, with_table=0x7fffc29c2700) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:1101
      #11 0x000055555791ac0a in LEX::resolve_references_to_cte (this=0x7fffc29bca28, tables=0x7fffc29c2700, tables_last=0x7fffc29c7b20) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:204
      #12 0x000055555791e4f2 in With_element::clone_parsed_spec (this=0x629000165648, old_lex=0x7fffc29b0d28, with_table=0x7fffc29b6a00) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:1101
      #13 0x000055555791ac0a in LEX::resolve_references_to_cte (this=0x7fffc29b0d28, tables=0x7fffc29b6a00, tables_last=0x7fffc29bbe20) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:204
      #14 0x000055555791e4f2 in With_element::clone_parsed_spec (this=0x629000165648, old_lex=0x7fffc29a5028, with_table=0x7fffc29aad00) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:1101
      #15 0x000055555791ac0a in LEX::resolve_references_to_cte (this=0x7fffc29a5028, tables=0x7fffc29aad00, tables_last=0x7fffc29b0120) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:204
      #16 0x000055555791e4f2 in With_element::clone_parsed_spec (this=0x629000165648, old_lex=0x7fffc2999328, with_table=0x7fffc299f000) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:1101
      #17 0x000055555791ac0a in LEX::resolve_references_to_cte (this=0x7fffc2999328, tables=0x7fffc299f000, tables_last=0x7fffc29a4420) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:204
      #18 0x000055555791e4f2 in With_element::clone_parsed_spec (this=0x629000165648, old_lex=0x7fffc298d628, with_table=0x7fffc2993300) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:1101
      #19 0x000055555791ac0a in LEX::resolve_references_to_cte (this=0x7fffc298d628, tables=0x7fffc2993300, tables_last=0x7fffc2998720) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:204
      #20 0x000055555791e4f2 in With_element::clone_parsed_spec (this=0x629000165648, old_lex=0x7fffc2981928, with_table=0x7fffc2987600) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:1101
      #21 0x000055555791ac0a in LEX::resolve_references_to_cte (this=0x7fffc2981928, tables=0x7fffc2987600, tables_last=0x7fffc298ca20) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:204
      .....................................
      #9771 0x000055555791ac0a in LEX::resolve_references_to_cte (this=0x62d0000be4a8, tables=0x62d0000c3e48, tables_last=0x62d0000cb298)
          at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:204
      #9772 0x000055555791e4f2 in With_element::clone_parsed_spec (this=0x6290001015f8, old_lex=0x62c0001d45f8, with_table=0x6290000fc0c0)
          at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:1101
      #9773 0x000055555791ac0a in LEX::resolve_references_to_cte (this=0x62c0001d45f8, tables=0x6290000faae8, tables_last=0x629000101fa8)
          at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:204
      #9774 0x000055555791afcf in LEX::check_cte_dependencies_and_resolve_references (this=0x62c0001d45f8) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:247
      #9775 0x0000555557165437 in LEX::check_main_unit_semantics (this=0x62c0001d45f8) at /home/wx/mariadb-11.3.0/sql/sql_lex.cc:9159
      #9776 0x00005555571707eb in LEX::select_finalize (this=0x62c0001d45f8, expr=0x6290001026e8) at /home/wx/mariadb-11.3.0/sql/sql_lex.cc:10475
      #9777 0x00005555571708df in LEX::select_finalize (this=0x62c0001d45f8, expr=0x6290001026e8, l=...) at /home/wx/mariadb-11.3.0/sql/sql_lex.cc:10482
      #9778 0x00005555579a562b in MYSQLparse (thd=0x62c0001d0288) at /home/wx/mariadb-11.3.0/sql/sql_yacc.yy:8535
      #9779 0x00005555571e867f in parse_sql (thd=0x62c0001d0288, parser_state=0x7fffd164c870, creation_ctx=0x0, do_pfs_digest=true)
          at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:10109
      #9780 0x00005555571d912b in mysql_parse (thd=0x62c0001d0288, 
          rawbuf=0x6290000f52a8 "WITH RECURSIVE x ( x ) AS ( WITH x ( x ) AS ( SELECT 1 EXCEPT SELECT x + 1 ORDER BY ( x = 'x' AND x BETWEEN 1 AND 1 ) OR ( ( SELECT ( SELECT x WHERE x = x ) FROM x AS x GROUP BY x ORDER BY 1 , 1 DESC "..., length=364, parser_state=0x7fffd164c870)
          at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7686
      #9781 0x00005555571b1237 in dispatch_command (command=COM_QUERY, thd=0x62c0001d0288, 
          packet=0x6290000eb289 "WITH RECURSIVE x ( x ) AS ( WITH x ( x ) AS ( SELECT 1 EXCEPT SELECT x + 1 ORDER BY ( x = 'x' AND x BETWEEN 1 AND 1 ) OR ( ( SELECT ( SELECT x WHERE x = x ) FROM x AS x GROUP BY x ORDER BY 1 , 1 DESC "..., packet_length=364, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893
      #9782 0x00005555571adf7c in do_command (thd=0x62c0001d0288, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
      #9783 0x000055555768e557 in do_handle_one_connection (connect=0x61100005b108, put_in_cache=true) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
      #9784 0x000055555768deb4 in handle_one_connection (arg=0x61100005b108) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
      #9785 0x00005555582fa350 in pfs_spawn_thread (arg=0x618000006508) at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
      #9786 0x00007ffff7115609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
      #9787 0x00007ffff6ce8133 in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

          Activity

            Wangdada HeShan added a comment -

             
            -- Reduced reproducer from the reporter: one empty table and a single statement.
            CREATE TABLE x ( x INT ) ;
             
            -- Same shape as the original: a CTE x nested inside the recursive CTE x, with an
            -- ORDER BY in the inner CTE that compares two subqueries over x.
            -- Per the follow-up comment on this issue, builds containing commit af2e91d9f2
            -- (10.5.24, 10.6.17, 10.11.7) return ERROR 4005 (HY000) for this statement and the
            -- crash is no longer reproducible; that error is the expected regression-test result.
            WITH RECURSIVE x ( x ) AS ( 
                WITH x ( x ) AS ( 
                    SELECT 1 EXCEPT SELECT x  
                    ORDER BY 
                    ( ( SELECT x FROM x  )!= ( SELECT 1 FROM x )  ) ASC ) 
                SELECT 1 ) 
            SELECT 1 ;
            

            Could you please confirm whether the simplification process we applied has been helpful for developers in diagnosing and addressing this issue?

            alice Alice Sherepa added a comment - - edited

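            The simplified version is no longer reproducible after https://github.com/MariaDB/server/commit/af2e91d9f2 (10.5.24, 10.6.17, 10.11.7). It currently returns ERROR 4005 (HY000): No anchors for recursive WITH element 'x'

            The initially reported test case is still repeatable on 10.5-11.8, but it now fails with assertion `sq_rec_ref != __null'. The output below is from a debug build; this page does not show how a non-debug build, where the assertion is not compiled in, handles the same statement, so that case still needs to be checked separately.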

            Version: '10.5.29-MariaDB-debug-log'  
            mariadbd: /10.5/src/sql/sql_cte.cc:902: void With_element::move_anchors_ahead(): Assertion `sq_rec_ref != __null' failed.
            250328 17:46:07 [ERROR] /home/alice/am/m5-10.5/bld/sql/mariadbd got signal 6 ;
             
            Server version: 10.5.29-MariaDB-debug-log source revision: 2469963f052b4dcb11ecfc0fcf5a38881c426df0
             
            /lib/x86_64-linux-gnu/libc.so.6(+0x33fd6)[0x7f27a9195fd6]
            sql/sql_cte.cc:883(With_element::move_anchors_ahead())[0x56294e0db299]
            sql/sql_cte.cc:857(With_clause::move_anchors_ahead())[0x56294e0daf3c]
            sql/sql_cte.cc:91(LEX::check_dependencies_in_with_clauses())[0x56294e0d7d46]
            sql/sql_cte.cc:246(LEX::check_cte_dependencies_and_resolve_references())[0x56294e0d89aa]
            sql/sql_lex.cc:9123(LEX::check_main_unit_semantics())[0x56294d9df6e5]
            sql/sql_lex.cc:10554(LEX::select_finalize(st_select_lex_unit*))[0x56294d9ebdfb]
            sql/sql_lex.cc:10560(LEX::select_finalize(st_select_lex_unit*, Lex_select_lock))[0x56294d9ebef2]
            sql/sql_yacc.yy:8715(MYSQLparse(THD*))[0x56294e156663]
            sql/sql_parse.cc:10684(parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool))[0x56294da675d1]
            sql/sql_parse.cc:8204(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x56294da5761f]
            sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x56294da2c2e2]
            sql/sql_parse.cc:1375(do_command(THD*))[0x56294da28bbc]
            sql/sql_connect.cc:1386(do_handle_one_connection(CONNECT*, bool))[0x56294de9f7b6]
            sql/sql_connect.cc:1300(handle_one_connection)[0x56294de9f310]
            perfschema/pfs.cc:2203(pfs_spawn_thread)[0x56294eb5f846]
            nptl/pthread_create.c:478(start_thread)[0x7f27a9746609]
             
            Query (0x62b0000852a8): WITH RECURSIVE x ( x ) AS ( WITH x ( x ) AS ( SELECT 1 EXCEPT SELECT x + 1 ORDER BY ( x = 'x' AND x BETWEEN 1 AND 1 ) OR ( ( SELECT ( SELECT x WHERE x = x ) FROM x AS x GROUP BY x ORDER BY 1 , 1 DESC ) != ( SELECT 1 FROM x WHERE x != 'x' WINDOW x AS ( PARTITION BY x ORDER BY 1 DESC ) ) AND x = 1 ) ASC ) SELECT 1 EXCEPT SELECT x + 1 FROM x ) SELECT - x , x FROM x
            


            People

              Johnston Rex Johnston
              Xin Wen Xin Wen