MariaDB Server / MDEV-33644

Server crashes at Item_func_nullif::decimal_op

Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Duplicate
    • Affects Version/s: 11.3.2, 11.4.1
    • Fix Version/s: N/A
    • Component/s: N/A
    • Labels: None
    • Environment: Ubuntu 20.04 x86-64, docker image mariadb:11.4-rc

    Description

      PoC:

      SELECT NULLIF ( AVG ( 999999 ) OVER ( ORDER BY 1 ) , '1' ) ORDER BY 1 , 1 , 1 ;
      

      gdb backtrace:

      #0  0x000055d7b756a0f0 in ?? ()
      #1  0x000055d7b70d6982 in Item_sum_avg::val_decimal(my_decimal*) ()
      #2  0x000055d7b716c0c0 in Item_window_func::val_decimal(my_decimal*) ()
      #3  0x000055d7b6ff8383 in Item_ref::val_decimal(my_decimal*) ()
      #4  0x000055d7b6f32caf in VDec::VDec(Item*) ()
      #5  0x000055d7b7022bd7 in Arg_comparator::compare_decimal() ()
      #6  0x000055d7b702c156 in Item_func_nullif::decimal_op(my_decimal*) ()
      #7  0x000055d7b6f32eef in VDec_op::VDec_op(Item_func_hybrid_field_type*) ()
      #8  0x000055d7b6f33049 in Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal(Item_func_hybrid_field_type*, my_decimal*) const ()
      #9  0x000055d7b6ff8383 in Item_ref::val_decimal(my_decimal*) ()
      #10 0x000055d7b702c16e in Item_func_nullif::decimal_op(my_decimal*) ()
      #11 0x000055d7b6f32eef in VDec_op::VDec_op(Item_func_hybrid_field_type*) ()
      ...
      #5525 0x000055d7b6ff8383 in Item_ref::val_decimal(my_decimal*) ()
      #5526 0x000055d7b702c16e in Item_func_nullif::decimal_op(my_decimal*) ()
      #5527 0x000055d7b6f32eef in VDec_op::VDec_op(Item_func_hybrid_field_type*) ()
      #5528 0x000055d7b6f33049 in Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal(Item_func_hybrid_field_type*, my_decimal*) const ()
      #5529 0x000055d7b6ff8383 in Item_ref::val_decimal(my_decimal*) ()
      #5530 0x000055d7b702c16e in Item_func_nullif::decimal_op(my_decimal*) ()
      #5531 0x000055d7b6f32eef in VDec_op::VDec_op(Item_func_hybrid_field_type*) ()
      #5532 0x000055d7b6f33049 in Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal(Item_func_hybrid_field_type*, my_decimal*) const ()
      #5533 0x000055d7b6ff8383 in Item_ref::val_decimal(my_decimal*) ()
      #5534 0x000055d7b702c16e in Item_func_nullif::decimal_op(my_decimal*) ()
      #5535 0x000055d7b6f32eef in VDec_op::VDec_op(Item_func_hybrid_field_type*) ()
      #5536 0x000055d7b6f33049 in Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal(Item_func_hybrid_field_type*, my_decimal*) const ()
      #5537 0x000055d7b6ff8383 in Item_ref::val_decimal(my_decimal*) ()
      #5538 0x000055d7b702c16e in Item_func_nullif::decimal_op(my_decimal*) ()
      #5539 0x000055d7b6f32eef in VDec_op::VDec_op(Item_func_hybrid_field_type*) ()
      #5540 0x000055d7b6f33049 in Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal(Item_func_hybrid_field_type*, my_decimal*) const ()
      #5541 0x000055d7b6ff8383 in Item_ref::val_decimal(my_decimal*) ()
      #5542 0x000055d7b702c16e in Item_func_nullif::decimal_op(my_decimal*) ()
      #5543 0x000055d7b6f32eef in VDec_op::VDec_op(Item_func_hybrid_field_type*) ()
      #5544 0x000055d7b6f33049 in Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal(Item_func_hybrid_field_type*, my_decimal*) const ()
      #5545 0x000055d7b6f32caf in VDec::VDec(Item*) ()
      #5546 0x000055d7b700c013 in Item::save_decimal_in_field(Field*, bool) ()
      #5547 0x000055d7b6ffb687 in Item::save_in_field(Field*, bool) ()
      #5548 0x000055d7b6f47dbb in compute_window_func(THD*, List<Item_window_func>&, List<Cursor_manager>&, TABLE*, SORT_INFO*) ()
      #5549 0x000055d7b6f4814f in Window_func_runner::exec(THD*, TABLE*, SORT_INFO*) ()
      #5550 0x000055d7b6f48267 in Window_funcs_sort::exec(JOIN*, bool) ()
      #5551 0x000055d7b6f48dd6 in Window_funcs_computation::exec(JOIN*, bool) ()
      #5552 0x000055d7b6dd59fe in AGGR_OP::end_send() ()
      #5553 0x000055d7b6dd5d40 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) ()
      #5554 0x000055d7b6ddfeaf in JOIN::exec_inner() ()
      #5555 0x000055d7b6de043f in JOIN::exec() ()
      #5556 0x000055d7b6dde3cc in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) ()
      #5557 0x000055d7b6ddebc4 in handle_select(THD*, LEX*, select_result*, unsigned long long) ()
      #5558 0x000055d7b6d51285 in ?? ()
      #5559 0x000055d7b6d604af in mysql_execute_command(THD*, bool) ()
      #5560 0x000055d7b6d61a17 in mysql_parse(THD*, char*, unsigned int, Parser_state*) ()
      #5561 0x000055d7b6d6420d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) ()
      #5562 0x000055d7b6d66118 in do_command(THD*, bool) ()
      #5563 0x000055d7b6e92f6f in do_handle_one_connection(CONNECT*, bool) ()
      #5564 0x000055d7b6e932bd in handle_one_connection ()
      #5565 0x000055d7b7215af6 in ?? ()
      #5566 0x00007f4700ed1ac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
      #5567 0x00007f4700f62a04 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:100
      
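      A triage helper for backtraces like the one above, added here as an example and not part of the report or of the MariaDB code base: a trace thousands of frames deep that keeps cycling through the same handful of functions (here Item_ref::val_decimal, Item_func_nullif::decimal_op, VDec_op::VDec_op and the Type_handler_decimal_result method) is the signature of unbounded recursion ending in stack exhaustion, and spotting the cycle by hand in a 5000-frame dump is tedious. The script parses gdb "#N  0xADDR in func(args) ()" lines, compares frames by symbol rather than address (the same function is entered through different call sites, as the two decimal_op addresses in the trace show), finds the longest run that is periodic with a short period, and reports the cycle, where it starts and how many times it repeats. The embedded sample is a constructed, shortened version of the report's trace with only three turns of the cycle; the function names, the threshold of three repeats and the period cap of 64 are the example's own choices.

```python
import re

# Constructed sample: the shape of the report's backtrace, cut down to three
# turns of the cycle (the real trace repeats it over a thousand times).
SAMPLE_BT = """\
#0  0x000055d7b756a0f0 in ?? ()
#1  0x000055d7b70d6982 in Item_sum_avg::val_decimal(my_decimal*) ()
#2  0x000055d7b716c0c0 in Item_window_func::val_decimal(my_decimal*) ()
#3  0x000055d7b6ff8383 in Item_ref::val_decimal(my_decimal*) ()
#4  0x000055d7b6f32caf in VDec::VDec(Item*) ()
#5  0x000055d7b7022bd7 in Arg_comparator::compare_decimal() ()
#6  0x000055d7b702c156 in Item_func_nullif::decimal_op(my_decimal*) ()
#7  0x000055d7b6f32eef in VDec_op::VDec_op(Item_func_hybrid_field_type*) ()
#8  0x000055d7b6f33049 in Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal(Item_func_hybrid_field_type*, my_decimal*) const ()
#9  0x000055d7b6ff8383 in Item_ref::val_decimal(my_decimal*) ()
#10 0x000055d7b702c16e in Item_func_nullif::decimal_op(my_decimal*) ()
#11 0x000055d7b6f32eef in VDec_op::VDec_op(Item_func_hybrid_field_type*) ()
#12 0x000055d7b6f33049 in Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal(Item_func_hybrid_field_type*, my_decimal*) const ()
#13 0x000055d7b6ff8383 in Item_ref::val_decimal(my_decimal*) ()
#14 0x000055d7b702c16e in Item_func_nullif::decimal_op(my_decimal*) ()
#15 0x000055d7b6f32eef in VDec_op::VDec_op(Item_func_hybrid_field_type*) ()
#16 0x000055d7b6f33049 in Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal(Item_func_hybrid_field_type*, my_decimal*) const ()
#17 0x000055d7b6ff8383 in Item_ref::val_decimal(my_decimal*) ()
#18 0x000055d7b702c16e in Item_func_nullif::decimal_op(my_decimal*) ()
#19 0x000055d7b6f32eef in VDec_op::VDec_op(Item_func_hybrid_field_type*) ()
#20 0x000055d7b6f33049 in Type_handler_decimal_result::Item_func_hybrid_field_type_val_decimal(Item_func_hybrid_field_type*, my_decimal*) const ()
#21 0x000055d7b6f32caf in VDec::VDec(Item*) ()
#22 0x000055d7b700c013 in Item::save_decimal_in_field(Field*, bool) ()
#23 0x00007f4700ed1ac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
"""

# "#N  0xADDR in SYMBOL(args) ()" -- the address part is optional so frames
# printed without it (inlined or debug-info frames) still parse.
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(.+)$")


def parse_frames(text):
    """Return the symbol of each gdb frame, innermost (#0) first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        sym = m.group(2)
        sym = re.sub(r"\s+at\s+\S+$", "", sym)    # drop " at file:line"
        sym = re.sub(r"\s*\([^()]*\)$", "", sym)  # drop trailing argument list
        frames.append(sym)
    return frames


def find_recursion(frames, min_repeats=3, max_period=64):
    """Find the longest run of frames that is periodic with a short period.

    Returns None if no cycle repeats at least min_repeats times, otherwise a
    dict with the period, first/last frame index of the run, the number of
    full repeats and the cycle's symbols.  Shorter periods are tried first
    and win ties, so a cycle is not reported as a multiple of itself.
    """
    n = len(frames)
    best = None  # (matched positions, period, start index)
    for p in range(1, min(max_period, n // 2) + 1):
        i = 0
        while i + p < n:
            if frames[i] != frames[i + p]:
                i += 1
                continue
            j = i
            while j + p < n and frames[j] == frames[j + p]:
                j += 1
            matched = j - i  # frames[i : j + p] is periodic with period p
            if matched // p + 1 >= min_repeats and (best is None or matched > best[0]):
                best = (matched, p, i)
            i = j + 1
    if best is None:
        return None
    matched, p, start = best
    return {
        "period": p,
        "start": start,
        "end": start + matched + p - 1,
        "repeats": matched // p + 1,
        "cycle": frames[start:start + p],
    }


def summarize(text):
    """One-paragraph triage verdict for a pasted backtrace."""
    frames = parse_frames(text)
    r = find_recursion(frames)
    if r is None:
        return f"{len(frames)} frames, no repeating cycle found"
    share = (r["end"] - r["start"] + 1) / len(frames)
    out = [f"{len(frames)} frames; cycle of {r['period']} frames repeats "
           f"{r['repeats']}x in #{r['start']}..#{r['end']} ({share:.0%} of the stack):"]
    out += ["    " + s for s in r["cycle"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(SAMPLE_BT))
```

      Run against the full trace from the report, the run would span from frame #6 to #5544 with a period of 4, which is the number a bug triager wants: the crash is recursion between Item_ref::val_decimal and Item_func_nullif::decimal_op rather than a one-off bad pointer in the innermost frame, and the "??" at #0 is just where the stack finally overflowed. Comparing by symbol also makes the helper robust to the two different decimal_op return addresses seen in the trace.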

          Activity

            Alice Sherepa (alice) added a comment -

            Thanks! I repeated on 10.4-11.4. This is the same bug as MDEV-32317

            mysqld: /10.4/src/sql/sql_array.h:64: Element_type& Bounds_checked_array<Element_type>::operator[](size_t) [with Element_type = Item*; size_t = long unsigned int]: Assertion `n < m_size' failed.
            240311 10:47:26 [ERROR] mysqld got signal 6 ;
             
            Server version: 10.4.34-MariaDB-debug-log source revision: 738da4918d3cb77d429dd998e23a046ae6c07785
             
            /lib/x86_64-linux-gnu/libc.so.6(+0x33fd6)[0x7f7e23493fd6]
            sql/sql_array.h:65(Bounds_checked_array<Item*>::operator[](unsigned long))[0x55d245515623]
            sql/item.cc:2276(Item::split_sum_func2(THD*, Bounds_checked_array<Item*>, List<Item>&, Item**, unsigned int))[0x55d245ea2ed1]
            sql/item_func.cc:606(Item_func::split_sum_func(THD*, Bounds_checked_array<Item*>, List<Item>&, unsigned int))[0x55d245f9fa04]
            sql/item_cmpfunc.cc:2545(Item_func_nullif::split_sum_func(THD*, Bounds_checked_array<Item*>, List<Item>&, unsigned int))[0x55d245f253b7]
            sql/sql_select.cc:1465(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55d2457309e2]
            sql/sql_select.cc:4813(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55d245754ae3]
            sql/sql_select.cc:442(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55d24572556a]
            sql/sql_parse.cc:6549(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55d24568c53a]
            sql/sql_parse.cc:3980(mysql_execute_command(THD*))[0x55d24567971f]
            sql/sql_parse.cc:8088(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55d245695ab5]
            sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55d24566b827]
            sql/sql_parse.cc:1378(do_command(THD*))[0x55d245668352]
            sql/sql_connect.cc:1419(do_handle_one_connection(CONNECT*))[0x55d245a7dd88]
            sql/sql_connect.cc:1324(handle_one_connection)[0x55d245a7d62c]
            perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55d24671d14c]
            nptl/pthread_create.c:478(start_thread)[0x7f7e239ae609]
            /lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7f7e2357f353]
             
            Query (0x62b0000a1290): SELECT NULLIF ( AVG ( 999999 ) OVER ( ORDER BY 1 ) , '1' ) ORDER BY 1 , 1 , 1
            


            People

              Assignee: Unassigned
              Reporter: Jingzhou Fu (fuboat)
              Votes: 0
              Watchers: 2
