[MDEV-36354] MariaDB SEGV in internal_str2dec on INSERT - Jira

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.5, 10.6, 10.11, 11.4, 11.8, 12.0
Fix Version/s: 10.5, 10.6, 10.11, 11.4, 11.8
Component/s: Data Manipulation - Insert, Data types
Labels:
None

Description

The latest release version of MariaDB crashes when executing the following query:

drop database if exists test123;

create database if not exists test123;

use test123;

CREATE TABLE v00 (c01 INT, c02 TEXT);

CREATE INDEX i03 ON v00 (c01);

INSERT INTO v00 (c01, c02) VALUES (0, 'abc');

( ( SELECT TRUE <=> FALSE IN ( SELECT 'string' ), TRUE <=> TRUE IN ( SELECT 'string' ) FROM ( v00 AS ta01 JOIN v00 AS ta02 NATURAL STRAIGHT_JOIN v00 AS ta03 USING ( c01 ) ) ) LIMIT 1234567890 OFFSET 1234567890 ROWS EXAMINED 1234567890 LOCK IN SHARE MODE SKIP LOCKED );

INSERT LOW_PRIORITY IGNORE v00 SET c01 = TRUE <=> TRUE IN ( SELECT 'string' ) NOT IN ( FALSE <=> VALUE ( c02 ) DIV INTERVAL ( FALSE <=> FALSE IN ( SELECT 'string' ), FALSE ) & TRUE ^ FALSE IN ( SELECT NOT TRUE <=> TRUE IN ( SELECT 'string' ) ), TRUE <=> FALSE IN ( SELECT 'string' ) ) ON DUPLICATE KEY UPDATE c01 = DEFAULT RETURNING *;

Here is the crash stack:

#0  0x0000000002fafcd8 in internal_str2dec (from=<optimized out>, to=<optimized out>, end=0xffff7d5fab40, fixed=<optimized out>)

    at /home/mariadb/mariadb-server/strings/decimal.c:809

#1  0x0000000001db64c0 in str2my_decimal (mask=<optimized out>, from=<optimized out>, length=<optimized out>, charset=<optimized out>,

    decimal_value=<optimized out>, end_ptr=<optimized out>) at /home/mariadb/mariadb-server/sql/my_decimal.cc:257

#2  0x00000000017b10a8 in Value_source::Converter_str2my_decimal::Converter_str2my_decimal (this=0xffff7d5fac60, mask=22, cs=0xffffa9616088,

    str=0x900 <error: Cannot access memory at address 0x900>, length=255, buf=0xffff7d5fae08) at /home/mariadb/mariadb-server/sql/field.h:273

#3  Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn (this=<optimized out>, thd=0xffff7d862218, filter=..., mask=22,

    cs=0xffffa9616088, str=0x900 <error: Cannot access memory at address 0x900>, length=255, buf=0xffff7d5fae08)

    at /home/mariadb/mariadb-server/sql/field.h:325

#4  Field_blob::val_decimal (this=<optimized out>, decimal_value=<optimized out>) at /home/mariadb/mariadb-server/sql/field.cc:8978

#5  0x000000000188975c in Item_field::val_decimal (this=<optimized out>, decimal_value=0x1fffefabf568) at /home/mariadb/mariadb-server/sql/item.cc:3493

#6  0x00000000014f3a4c in VDec::VDec (this=0xffff7d5fae00, item=0xffffa38f23c8) at /home/mariadb/mariadb-server/sql/sql_type.cc:357

#7  0x0000000001a486a0 in VDec2_lazy::VDec2_lazy (this=0xffff7d5fae00, a=0x1fffefabf568, b=0xffffa38f3a68)

    at /home/mariadb/mariadb-server/sql/sql_type.h:540

#8  0x0000000001a034ac in Item_func_int_div::val_int (this=0xffffa38f3b38) at /home/mariadb/mariadb-server/sql/item_func.cc:1568

#9  0x0000000001989e80 in Item::to_longlong_null (this=0xffffa38f3b38) at /home/mariadb/mariadb-server/sql/item.h:1475

#10 Func_handler_bit_and_int_to_ulonglong::to_longlong_null (this=<optimized out>, item=0x1fffefabf568)

    at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:4999

#11 0x0000000001988acc in Item_handled_func::Handler_int::val_int (this=0x900, item=0xffffa38f3dc0) at /home/mariadb/mariadb-server/sql/item_func.h:773

#12 0x000000000192037c in Arg_comparator::compare_int_unsigned_signed (this=0xffff71e67648) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1099

#13 0x000000000192a694 in Arg_comparator::compare (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:114

#14 Item_func_eq::val_bool (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1881

#15 0x00000000009a20c8 in Item_bool_func::val_int (this=0x900) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:245

#16 0x000000000191f750 in Arg_comparator::compare_e_int (this=0xffffa38f6450) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1125

#17 0x000000000192a8dc in Arg_comparator::compare (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:114

#18 Item_func_equal::val_bool (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1909

#19 0x00000000009a20c8 in Item_bool_func::val_int (this=0x900) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:245

#20 0x0000000001987700 in cmp_item_int::cmp (this=0xffff71e68420, arg=0xffffa38f6398) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:1828

#21 0x0000000001977550 in Predicant_to_list_comparator::cmp_arg (this=0xffffa38f7ae8, args=0xffffa38f7a88, i=0)

    at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:2128

#22 Predicant_to_list_comparator::cmp (this=<optimized out>, args=<optimized out>, idx=0xffff7d5fb2e0, found_unknown_values=0xffffa38f7a7c)

    at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:2305

#23 0x00000000019516bc in Item_func_in::val_bool (this=0xffffa38f7a10) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:4927

#24 0x00000000009a20c8 in Item_bool_func::val_int (this=0x900) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:245

#25 0x000000000191f750 in Arg_comparator::compare_e_int (this=0xffffa38f7c50) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1125

#26 0x000000000192a8dc in Arg_comparator::compare (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:114

#27 Item_func_equal::val_bool (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1909

#28 0x00000000018ad0f4 in Item::save_bool_in_field (this=0xffffa38f7b98, field=0xffff7c45ab08, no_conversions=false)

    at /home/mariadb/mariadb-server/sql/item.cc:7124

#29 0x00000000018ad344 in Item::save_in_field (this=0xffffa38f7b98, field=0xffff7c45ab08, no_conversions=false)

    at /home/mariadb/mariadb-server/sql/item.cc:7134

#30 0x0000000000b57ea8 in fill_record (thd=<optimized out>, table_arg=<optimized out>, fields=..., values=..., ignore_errors=<optimized out>, update=false)

    at /home/mariadb/mariadb-server/sql/sql_base.cc:9049

#31 0x0000000000b5a8a4 in fill_record_n_invoke_before_triggers (thd=0xffff7d862218, table=0xffffaac96598, fields=..., values=...,

    ignore_errors=<optimized out>, event=TRG_EVENT_INSERT) at /home/mariadb/mariadb-server/sql/sql_base.cc:9218

#32 0x0000000000c27ccc in mysql_insert (thd=<optimized out>, table_list=0xffffa38f07b8, fields=..., values_list=..., update_fields=..., update_values=...,

    duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_insert.cc:1070

#33 0x0000000000d3f5dc in mysql_execute_command (thd=0xffff7d862218, is_called_from_prepared_stmt=<optimized out>)

    at /home/mariadb/mariadb-server/sql/sql_parse.cc:4484

#34 0x0000000000d1cd24 in mysql_parse (thd=0xffff7d862218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>)

    at /home/mariadb/mariadb-server/sql/sql_parse.cc:7915

#35 0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>,

    blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902

#36 0x0000000000d1dbf4 in do_command (thd=0xffff7d862218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415

#37 0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415

#38 0x00000000012841b4 in handle_one_connection (arg=0xffffa9a613b8) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327

#39 0x0000000002200c38 in pfs_spawn_thread (arg=0xffffa3409718) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198

#40 0x0000ffffaf44c624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477

#41 0x0000ffffaf16e66c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78

Attachments

Issue Links

relates to

MDEV-32416 Heap-Use-After-Free at /mariadb-11.3.0/sql/item_strfunc.cc:2432

Confirmed

MDEV-32759 Heap-Use-After-Free at /mariadb-11.3.0/strings/dtoa.c:1378

Stalled

MDEV-36355 MariaDB SEGV in in my_strtod_int on INSERT

Confirmed

Activity

Ascending order - Click to sort in descending order

Yu Liang created issue - 2025-03-22 19:27

Roel Van de Paar made changes - 2025-03-24 05:41

Field	Original Value	New Value
Description	The latest release version of MariaDB crashes when executing the following query: {code:sql} drop database if exists test123; create database if not exists test123; use test123; CREATE TABLE v00 (c01 INT, c02 TEXT); CREATE INDEX i03 ON v00 (c01); INSERT INTO v00 (c01, c02) VALUES (0, 'abc'); ( ( SELECT TRUE <=> FALSE IN ( SELECT 'string' ), TRUE <=> TRUE IN ( SELECT 'string' ) FROM ( v00 AS ta01 JOIN v00 AS ta02 NATURAL STRAIGHT_JOIN v00 AS ta03 USING ( c01 ) ) ) LIMIT 1234567890 OFFSET 1234567890 ROWS EXAMINED 1234567890 LOCK IN SHARE MODE SKIP LOCKED ); INSERT LOW_PRIORITY IGNORE v00 SET c01 = TRUE <=> TRUE IN ( SELECT 'string' ) NOT IN ( FALSE <=> VALUE ( c02 ) DIV INTERVAL ( FALSE <=> FALSE IN ( SELECT 'string' ), FALSE ) & TRUE ^ FALSE IN ( SELECT NOT TRUE <=> TRUE IN ( SELECT 'string' ) ), TRUE <=> FALSE IN ( SELECT 'string' ) ) ON DUPLICATE KEY UPDATE c01 = DEFAULT RETURNING ; {code} Here is the crash stack: {quote} #0 0x0000000002fafcd8 in internal_str2dec (from=<optimized out>, to=<optimized out>, end=0xffff7d5fab40, fixed=<optimized out>) at /home/mariadb/mariadb-server/strings/decimal.c:809 #1 0x0000000001db64c0 in str2my_decimal (mask=<optimized out>, from=<optimized out>, length=<optimized out>, charset=<optimized out>, decimal_value=<optimized out>, end_ptr=<optimized out>) at /home/mariadb/mariadb-server/sql/my_decimal.cc:257 #2 0x00000000017b10a8 in Value_source::Converter_str2my_decimal::Converter_str2my_decimal (this=0xffff7d5fac60, mask=22, cs=0xffffa9616088, str=0x900 <error: Cannot access memory at address 0x900>, length=255, buf=0xffff7d5fae08) at /home/mariadb/mariadb-server/sql/field.h:273 #3 Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn (this=<optimized out>, thd=0xffff7d862218, filter=..., mask=22, cs=0xffffa9616088, str=0x900 <error: Cannot access memory at address 0x900>, length=255, buf=0xffff7d5fae08) at /home/mariadb/mariadb-server/sql/field.h:325 #4 Field_blob::val_decimal (this=<optimized out>, decimal_value=<optimized out>) at /home/mariadb/mariadb-server/sql/field.cc:8978 #5 0x000000000188975c in Item_field::val_decimal (this=<optimized out>, decimal_value=0x1fffefabf568) at /home/mariadb/mariadb-server/sql/item.cc:3493 #6 0x00000000014f3a4c in VDec::VDec (this=0xffff7d5fae00, item=0xffffa38f23c8) at /home/mariadb/mariadb-server/sql/sql_type.cc:357 #7 0x0000000001a486a0 in VDec2_lazy::VDec2_lazy (this=0xffff7d5fae00, a=0x1fffefabf568, b=0xffffa38f3a68) at /home/mariadb/mariadb-server/sql/sql_type.h:540 #8 0x0000000001a034ac in Item_func_int_div::val_int (this=0xffffa38f3b38) at /home/mariadb/mariadb-server/sql/item_func.cc:1568 #9 0x0000000001989e80 in Item::to_longlong_null (this=0xffffa38f3b38) at /home/mariadb/mariadb-server/sql/item.h:1475 #10 Func_handler_bit_and_int_to_ulonglong::to_longlong_null (this=<optimized out>, item=0x1fffefabf568) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:4999 #11 0x0000000001988acc in Item_handled_func::Handler_int::val_int (this=0x900, item=0xffffa38f3dc0) at /home/mariadb/mariadb-server/sql/item_func.h:773 #12 0x000000000192037c in Arg_comparator::compare_int_unsigned_signed (this=0xffff71e67648) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1099 #13 0x000000000192a694 in Arg_comparator::compare (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:114 #14 Item_func_eq::val_bool (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1881 #15 0x00000000009a20c8 in Item_bool_func::val_int (this=0x900) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:245 #16 0x000000000191f750 in Arg_comparator::compare_e_int (this=0xffffa38f6450) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1125 #17 0x000000000192a8dc in Arg_comparator::compare (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:114 #18 Item_func_equal::val_bool (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1909 #19 0x00000000009a20c8 in Item_bool_func::val_int (this=0x900) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:245 #20 0x0000000001987700 in cmp_item_int::cmp (this=0xffff71e68420, arg=0xffffa38f6398) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:1828 #21 0x0000000001977550 in Predicant_to_list_comparator::cmp_arg (this=0xffffa38f7ae8, args=0xffffa38f7a88, i=0) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:2128 #22 Predicant_to_list_comparator::cmp (this=<optimized out>, args=<optimized out>, idx=0xffff7d5fb2e0, found_unknown_values=0xffffa38f7a7c) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:2305 #23 0x00000000019516bc in Item_func_in::val_bool (this=0xffffa38f7a10) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:4927 #24 0x00000000009a20c8 in Item_bool_func::val_int (this=0x900) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:245 #25 0x000000000191f750 in Arg_comparator::compare_e_int (this=0xffffa38f7c50) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1125 #26 0x000000000192a8dc in Arg_comparator::compare (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:114 #27 Item_func_equal::val_bool (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1909 #28 0x00000000018ad0f4 in Item::save_bool_in_field (this=0xffffa38f7b98, field=0xffff7c45ab08, no_conversions=false) at /home/mariadb/mariadb-server/sql/item.cc:7124 #29 0x00000000018ad344 in Item::save_in_field (this=0xffffa38f7b98, field=0xffff7c45ab08, no_conversions=false) at /home/mariadb/mariadb-server/sql/item.cc:7134 #30 0x0000000000b57ea8 in fill_record (thd=<optimized out>, table_arg=<optimized out>, fields=..., values=..., ignore_errors=<optimized out>, update=false) at /home/mariadb/mariadb-server/sql/sql_base.cc:9049 #31 0x0000000000b5a8a4 in fill_record_n_invoke_before_triggers (thd=0xffff7d862218, table=0xffffaac96598, fields=..., values=..., ignore_errors=<optimized out>, event=TRG_EVENT_INSERT) at /home/mariadb/mariadb-server/sql/sql_base.cc:9218 #32 0x0000000000c27ccc in mysql_insert (thd=<optimized out>, table_list=0xffffa38f07b8, fields=..., values_list=..., update_fields=..., update_values=..., duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_insert.cc:1070 #33 0x0000000000d3f5dc in mysql_execute_command (thd=0xffff7d862218, is_called_from_prepared_stmt=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:4484 #34 0x0000000000d1cd24 in mysql_parse (thd=0xffff7d862218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:7915 #35 0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902 #36 0x0000000000d1dbf4 in do_command (thd=0xffff7d862218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415 #37 0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415 #38 0x00000000012841b4 in handle_one_connection (arg=0xffffa9a613b8) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327 #39 0x0000000002200c38 in pfs_spawn_thread (arg=0xffffa3409718) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198 #40 0x0000ffffaf44c624 in start_thread (arg=0x883ac8 <asan_thread_start(void)>) at pthread_create.c:477 #41 0x0000ffffaf16e66c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78 {quote}	The latest release version of MariaDB crashes when executing the following query: {code:sql} drop database if exists test123; create database if not exists test123; use test123; CREATE TABLE v00 (c01 INT, c02 TEXT); CREATE INDEX i03 ON v00 (c01); INSERT INTO v00 (c01, c02) VALUES (0, 'abc'); ( ( SELECT TRUE <=> FALSE IN ( SELECT 'string' ), TRUE <=> TRUE IN ( SELECT 'string' ) FROM ( v00 AS ta01 JOIN v00 AS ta02 NATURAL STRAIGHT_JOIN v00 AS ta03 USING ( c01 ) ) ) LIMIT 1234567890 OFFSET 1234567890 ROWS EXAMINED 1234567890 LOCK IN SHARE MODE SKIP LOCKED ); INSERT LOW_PRIORITY IGNORE v00 SET c01 = TRUE <=> TRUE IN ( SELECT 'string' ) NOT IN ( FALSE <=> VALUE ( c02 ) DIV INTERVAL ( FALSE <=> FALSE IN ( SELECT 'string' ), FALSE ) & TRUE ^ FALSE IN ( SELECT NOT TRUE <=> TRUE IN ( SELECT 'string' ) ), TRUE <=> FALSE IN ( SELECT 'string' ) ) ON DUPLICATE KEY UPDATE c01 = DEFAULT RETURNING ; {code} Here is the crash stack: {noformat} #0 0x0000000002fafcd8 in internal_str2dec (from=<optimized out>, to=<optimized out>, end=0xffff7d5fab40, fixed=<optimized out>) at /home/mariadb/mariadb-server/strings/decimal.c:809 #1 0x0000000001db64c0 in str2my_decimal (mask=<optimized out>, from=<optimized out>, length=<optimized out>, charset=<optimized out>, decimal_value=<optimized out>, end_ptr=<optimized out>) at /home/mariadb/mariadb-server/sql/my_decimal.cc:257 #2 0x00000000017b10a8 in Value_source::Converter_str2my_decimal::Converter_str2my_decimal (this=0xffff7d5fac60, mask=22, cs=0xffffa9616088, str=0x900 <error: Cannot access memory at address 0x900>, length=255, buf=0xffff7d5fae08) at /home/mariadb/mariadb-server/sql/field.h:273 #3 Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn (this=<optimized out>, thd=0xffff7d862218, filter=..., mask=22, cs=0xffffa9616088, str=0x900 <error: Cannot access memory at address 0x900>, length=255, buf=0xffff7d5fae08) at /home/mariadb/mariadb-server/sql/field.h:325 #4 Field_blob::val_decimal (this=<optimized out>, decimal_value=<optimized out>) at /home/mariadb/mariadb-server/sql/field.cc:8978 #5 0x000000000188975c in Item_field::val_decimal (this=<optimized out>, decimal_value=0x1fffefabf568) at /home/mariadb/mariadb-server/sql/item.cc:3493 #6 0x00000000014f3a4c in VDec::VDec (this=0xffff7d5fae00, item=0xffffa38f23c8) at /home/mariadb/mariadb-server/sql/sql_type.cc:357 #7 0x0000000001a486a0 in VDec2_lazy::VDec2_lazy (this=0xffff7d5fae00, a=0x1fffefabf568, b=0xffffa38f3a68) at /home/mariadb/mariadb-server/sql/sql_type.h:540 #8 0x0000000001a034ac in Item_func_int_div::val_int (this=0xffffa38f3b38) at /home/mariadb/mariadb-server/sql/item_func.cc:1568 #9 0x0000000001989e80 in Item::to_longlong_null (this=0xffffa38f3b38) at /home/mariadb/mariadb-server/sql/item.h:1475 #10 Func_handler_bit_and_int_to_ulonglong::to_longlong_null (this=<optimized out>, item=0x1fffefabf568) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:4999 #11 0x0000000001988acc in Item_handled_func::Handler_int::val_int (this=0x900, item=0xffffa38f3dc0) at /home/mariadb/mariadb-server/sql/item_func.h:773 #12 0x000000000192037c in Arg_comparator::compare_int_unsigned_signed (this=0xffff71e67648) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1099 #13 0x000000000192a694 in Arg_comparator::compare (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:114 #14 Item_func_eq::val_bool (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1881 #15 0x00000000009a20c8 in Item_bool_func::val_int (this=0x900) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:245 #16 0x000000000191f750 in Arg_comparator::compare_e_int (this=0xffffa38f6450) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1125 #17 0x000000000192a8dc in Arg_comparator::compare (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:114 #18 Item_func_equal::val_bool (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1909 #19 0x00000000009a20c8 in Item_bool_func::val_int (this=0x900) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:245 #20 0x0000000001987700 in cmp_item_int::cmp (this=0xffff71e68420, arg=0xffffa38f6398) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:1828 #21 0x0000000001977550 in Predicant_to_list_comparator::cmp_arg (this=0xffffa38f7ae8, args=0xffffa38f7a88, i=0) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:2128 #22 Predicant_to_list_comparator::cmp (this=<optimized out>, args=<optimized out>, idx=0xffff7d5fb2e0, found_unknown_values=0xffffa38f7a7c) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:2305 #23 0x00000000019516bc in Item_func_in::val_bool (this=0xffffa38f7a10) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:4927 #24 0x00000000009a20c8 in Item_bool_func::val_int (this=0x900) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:245 #25 0x000000000191f750 in Arg_comparator::compare_e_int (this=0xffffa38f7c50) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1125 #26 0x000000000192a8dc in Arg_comparator::compare (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:114 #27 Item_func_equal::val_bool (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1909 #28 0x00000000018ad0f4 in Item::save_bool_in_field (this=0xffffa38f7b98, field=0xffff7c45ab08, no_conversions=false) at /home/mariadb/mariadb-server/sql/item.cc:7124 #29 0x00000000018ad344 in Item::save_in_field (this=0xffffa38f7b98, field=0xffff7c45ab08, no_conversions=false) at /home/mariadb/mariadb-server/sql/item.cc:7134 #30 0x0000000000b57ea8 in fill_record (thd=<optimized out>, table_arg=<optimized out>, fields=..., values=..., ignore_errors=<optimized out>, update=false) at /home/mariadb/mariadb-server/sql/sql_base.cc:9049 #31 0x0000000000b5a8a4 in fill_record_n_invoke_before_triggers (thd=0xffff7d862218, table=0xffffaac96598, fields=..., values=..., ignore_errors=<optimized out>, event=TRG_EVENT_INSERT) at /home/mariadb/mariadb-server/sql/sql_base.cc:9218 #32 0x0000000000c27ccc in mysql_insert (thd=<optimized out>, table_list=0xffffa38f07b8, fields=..., values_list=..., update_fields=..., update_values=..., duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_insert.cc:1070 #33 0x0000000000d3f5dc in mysql_execute_command (thd=0xffff7d862218, is_called_from_prepared_stmt=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:4484 #34 0x0000000000d1cd24 in mysql_parse (thd=0xffff7d862218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:7915 #35 0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902 #36 0x0000000000d1dbf4 in do_command (thd=0xffff7d862218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415 #37 0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415 #38 0x00000000012841b4 in handle_one_connection (arg=0xffffa9a613b8) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327 #39 0x0000000002200c38 in pfs_spawn_thread (arg=0xffffa3409718) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198 #40 0x0000ffffaf44c624 in start_thread (arg=0x883ac8 <asan_thread_start(void)>) at pthread_create.c:477 #41 0x0000ffffaf16e66c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78 {noformat}

Roel Van de Paar made changes - 2025-03-24 05:41

Environment

Ubuntu ARM64 VM.

Roel Van de Paar made changes - 2025-03-24 05:41

Labels

crash

Roel Van de Paar made changes - 2025-03-24 05:42

Affects Version/s

11.7.2 [ 29914 ]

Roel Van de Paar added a comment - 2025-03-24 05:49

Thank you for the report! Confirmed.

CREATE TABLE v00 (c01 INT, c02 TEXT);

CREATE INDEX i03 ON v00 (c01);

INSERT INTO v00 (c01, c02) VALUES (0, 'abc');

( ( SELECT TRUE <=> FALSE IN ( SELECT 'string' ), TRUE <=> TRUE IN ( SELECT 'string' ) FROM ( v00 AS ta01 JOIN v00 AS ta02 NATURAL STRAIGHT_JOIN v00 AS ta03 USING ( c01 ) ) ) LIMIT 1234567890 OFFSET 1234567890 ROWS EXAMINED 1234567890 LOCK IN SHARE MODE SKIP LOCKED );

INSERT LOW_PRIORITY IGNORE v00 SET c01 = TRUE <=> TRUE IN ( SELECT 'string' ) NOT IN ( FALSE <=> VALUE ( c02 ) DIV INTERVAL ( FALSE <=> FALSE IN ( SELECT 'string' ), FALSE ) & TRUE ^ FALSE IN ( SELECT NOT TRUE <=> TRUE IN ( SELECT 'string' ) ), TRUE <=> FALSE IN ( SELECT 'string' ) ) ON DUPLICATE KEY UPDATE c01 = DEFAULT RETURNING *;

Leads to:

CS 11.4.6 ef966af801afc2a07222b5df65dddd52c77431dd (Debug) Build 15/02/2025
Core was generated by `/test/MD150225-mariadb-11.4.6-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000055aa6a1c96bb in internal_str2dec (from=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, to=0x1492565ef790, end=0x1492565ef360, fixed=0 '\000')at /test/11.4_dbg/strings/decimal.c:809

[Current thread is 1 (LWP 178139)]
(gdb) bt
#0 0x000055aa6a1c96bb in internal_str2dec (from=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, to=0x1492565ef790, end=0x1492565ef360, fixed=0 '\000')at /test/11.4_dbg/strings/decimal.c:809
#1 0x000055aa69a2ba05 in str2my_decimal (mask=22, from=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, length=42405, charset=0x55aa6ae24530 <my_charset_latin1>, decimal_value=0x1492565ef790, end_ptr=0x1492565ef518)at /test/11.4_dbg/sql/my_decimal.cc:257
#2 0x000055aa696b72fc in Value_source::Converter_str2my_decimal::Converter_str2my_decimal (this=0x1492565ef518, mask=22, cs=0x55aa6ae24530 <my_charset_latin1>, str=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, length=42405, buf=0x1492565ef790) at /test/11.4_dbg/sql/field.h:275
#3 0x000055aa696b720a in Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn (this=0x1492565ef518, thd=0x1491f8000d58, filter={m_want_warning_edom = true, m_want_note_truncated_spaces = true}, mask=22, cs=0x55aa6ae24530 <my_charset_latin1>, str=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, length=42405, buf=0x1492565ef790) at /test/11.4_dbg/sql/field.h:327
#4 0x000055aa6982787a in Field_blob::val_decimal (this=0x1491f80889c8, decimal_value=0x1492565ef790) at /test/11.4_dbg/sql/field.cc:8902
#5 0x000055aa698780e6 in Item_field::val_decimal (this=0x1491f801b940, decimal_value=0x1492565ef790) at /test/11.4_dbg/sql/item.cc:3451
#6 0x000055aa696fbcd5 in VDec::VDec (this=0x1492565ef788, item=0x1491f801b940)at /test/11.4_dbg/sql/sql_type.cc:381
#7 0x000055aa6990426c in VDec2_lazy::VDec2_lazy (this=0x1492565ef788, a=0x1491f801b940, b=0x1491f801cf28) at /test/11.4_dbg/sql/sql_type.h:545
#8 0x000055aa698ed35e in Item_func_int_div::val_int (this=0x1491f801cff0)at /test/11.4_dbg/sql/item_func.cc:1581
#9 0x000055aa6972155d in Item::to_longlong_null (this=0x1491f801cff0)at /test/11.4_dbg/sql/item.h:1478
#10 0x000055aa698c39df in Func_handler_bit_and_int_to_ulonglong::to_longlong_null (this=0x55aa6ad768b8 <Item_func_bit_and::fix_length_and_dec(THD*)::ha_int_to_ull>, item=0x1491f801d258) at /test/11.4_dbg/sql/item_cmpfunc.cc:5007
#11 0x000055aa698c32de in Item_handled_func::Handler_int::val_int (this=0x55aa6ad768b8 <Item_func_bit_and::fix_length_and_dec(THD*)::ha_int_to_ull>, item=0x1491f801d258) at /test/11.4_dbg/sql/item_func.h:772
#12 0x000055aa6972f16d in Item_handled_func::val_int (this=0x1491f801d258)at /test/11.4_dbg/sql/item_func.h:859
#13 0x000055aa698a3613 in Arg_comparator::compare_int_unsigned_signed (this=0x1491f808ac70) at /test/11.4_dbg/sql/item_cmpfunc.cc:1103
#14 0x000055aa698bd00f in Arg_comparator::compare (this=0x1491f808ac70)at /test/11.4_dbg/sql/item_cmpfunc.h:118
#15 0x000055aa698a6691 in Item_func_eq::val_bool (this=0x1491f808abb8)at /test/11.4_dbg/sql/item_cmpfunc.cc:1885
#16 0x000055aa692ebcc2 in Item_bool_func::val_int (this=0x1491f808abb8)at /test/11.4_dbg/sql/item_cmpfunc.h:249
#17 0x000055aa698a338e in Arg_comparator::compare_e_int (this=0x1491f801f7f0)at /test/11.4_dbg/sql/item_cmpfunc.cc:1129
#18 0x000055aa698bd00f in Arg_comparator::compare (this=0x1491f801f7f0)at /test/11.4_dbg/sql/item_cmpfunc.h:118
#19 0x000055aa698a67f1 in Item_func_equal::val_bool (this=0x1491f801f738)at /test/11.4_dbg/sql/item_cmpfunc.cc:1913
#20 0x000055aa692ebcc2 in Item_bool_func::val_int (this=0x1491f801f738)at /test/11.4_dbg/sql/item_cmpfunc.h:249
#21 0x000055aa698c268d in cmp_item_int::cmp (this=0x1491f808ba00, arg=0x1491f801f738) at /test/11.4_dbg/sql/item_cmpfunc.h:1832
#22 0x000055aa698c42c7 in Predicant_to_list_comparator::cmp_arg (this=0x1491f8020dd8, args=0x1491f8020d78, i=0)at /test/11.4_dbg/sql/item_cmpfunc.h:2132
#23 0x000055aa698bd5bd in Predicant_to_list_comparator::cmp (this=0x1491f8020dd8, args=0x1491f8020d78, idx=0x1492565efbd8, found_unknown_values=0x1491f8020d6c)at /test/11.4_dbg/sql/item_cmpfunc.h:2309
#24 0x000055aa698b26ab in Item_func_in::val_bool (this=0x1491f8020d00)at /test/11.4_dbg/sql/item_cmpfunc.cc:4935
#25 0x000055aa692ebcc2 in Item_bool_func::val_int (this=0x1491f8020d00)at /test/11.4_dbg/sql/item_cmpfunc.h:249
#26 0x000055aa698a338e in Arg_comparator::compare_e_int (this=0x1491f8020f20)at /test/11.4_dbg/sql/item_cmpfunc.cc:1129
#27 0x000055aa698bd00f in Arg_comparator::compare (this=0x1491f8020f20)at /test/11.4_dbg/sql/item_cmpfunc.h:118
#28 0x000055aa698a67f1 in Item_func_equal::val_bool (this=0x1491f8020e68)at /test/11.4_dbg/sql/item_cmpfunc.cc:1913
#29 0x000055aa698836b8 in Item::save_bool_in_field (this=0x1491f8020e68, field=0x1491f803f230, no_conversions=false)at /test/11.4_dbg/sql/item.cc:7091
#30 0x000055aa6970a840 in Type_handler_bool::Item_save_in_field (this=0x55aa6afb8378 <type_handler_bool>, item=0x1491f8020e68, field=0x1491f803f230, no_conversions=false)at /test/11.4_dbg/sql/sql_type.cc:4452
#31 0x000055aa69883765 in Item::save_in_field (this=0x1491f8020e68, field=0x1491f803f230, no_conversions=false)at /test/11.4_dbg/sql/item.cc:7101
#32 0x000055aa693988dc in fill_record (thd=0x1491f8000d58, table_arg=0x1491f8024e98, fields=@0x1491f8005f40: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491f8021090, last = 0x1491f8021090, elements = 1}, <No data fields>}, values=@0x1491f801a518: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491f80210a0, last = 0x1491f80210a0, elements = 1}, <No data fields>}, ignore_errors=false, update=false) at /test/11.4_dbg/sql/sql_base.cc:9055
#33 0x000055aa693990c3 in fill_record_n_invoke_before_triggers (thd=0x1491f8000d58, table=0x1491f8024e98, fields=@0x1491f8005f40: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491f8021090, last = 0x1491f8021090, elements = 1}, <No data fields>}, values=@0x1491f801a518: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491f80210a0, last = 0x1491f80210a0, elements = 1}, <No data fields>}, ignore_errors=false, event=TRG_EVENT_INSERT)at /test/11.4_dbg/sql/sql_base.cc:9224
#34 0x000055aa693e9521 in mysql_insert (thd=0x1491f8000d58, table_list=0x1491f8019e08, fields=@0x1491f8005f40: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491f8021090, last = 0x1491f8021090, elements = 1}, <No data fields>}, values_list=@0x1491f8005f88: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491f801a530, last = 0x1491f801a530, elements = 1}, <No data fields>}, update_fields=@0x1491f8005f70: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491f8021248, last = 0x1491f8021248, elements = 1}, <No data fields>}, update_values=@0x1491f8005f58: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491f8021258, last = 0x1491f8021258, elements = 1}, <No data fields>}, duplic=DUP_UPDATE, ignore=true, result=0x1491f80213a8)at /test/11.4_dbg/sql/sql_insert.cc:1058
#35 0x000055aa69446aa2 in mysql_execute_command (thd=0x1491f8000d58, is_called_from_prepared_stmt=false) at /test/11.4_dbg/sql/sql_parse.cc:4480
#36 0x000055aa6943c7a4 in mysql_parse (thd=0x1491f8000d58, rawbuf=0x1491f8019ac0 "INSERT LOW_PRIORITY IGNORE v00 SET c01 = TRUE <=> TRUE IN ( SELECT 'string' ) NOT IN ( FALSE <=> VALUE ( c02 ) DIV INTERVAL ( FALSE <=> FALSE IN ( SELECT 'string' ), FALSE ) & TRUE ^ FALSE IN ( SELECT"..., length=334, parser_state=0x1492565f1a30)at /test/11.4_dbg/sql/sql_parse.cc:7907
#37 0x000055aa69439c54 in dispatch_command (command=COM_QUERY, thd=0x1491f8000d58, packet=0x1491f800afd9 "", packet_length=334, blocking=true) at /test/11.4_dbg/sql/sql_parse.cc:1904
#38 0x000055aa6943d353 in do_command (thd=0x1491f8000d58, blocking=true)at /test/11.4_dbg/sql/sql_parse.cc:1417
#39 0x000055aa6961f5a9 in do_handle_one_connection (connect=0x55aa6c826c58, put_in_cache=true) at /test/11.4_dbg/sql/sql_connect.cc:1408
#40 0x000055aa6961f342 in handle_one_connection (arg=0x55aa6c88a708)at /test/11.4_dbg/sql/sql_connect.cc:1320
#41 0x000014925b69ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#42 0x000014925b729c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.5 dbg 150225 c43d0a015f974c5a0142e6779332089a7a979853 SIGSEGV\|internal_str2dec\|str2my_decimal\|Value_source::Converter_str2my_decimal::Converter_str2my_decimal\|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn
CS 10.5 opt 150225 c43d0a015f974c5a0142e6779332089a7a979853 No bug found
CS 10.6 dbg 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 SIGSEGV\|internal_str2dec\|str2my_decimal\|Value_source::Converter_str2my_decimal::Converter_str2my_decimal\|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn
CS 10.6 opt 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 No bug found
CS 10.11 dbg 150225 43c5d1303f5c7c726db276815c459436110f342f SIGSEGV\|internal_str2dec\|str2my_decimal\|Value_source::Converter_str2my_decimal::Converter_str2my_decimal\|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn
CS 10.11 opt 150225 43c5d1303f5c7c726db276815c459436110f342f SIGSEGV\|internal_str2dec\|str2my_decimal\|Value_source::Converter_str2my_decimal::Converter_str2my_decimal\|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn
CS 11.4 dbg 150225 ef966af801afc2a07222b5df65dddd52c77431dd SIGSEGV\|internal_str2dec\|str2my_decimal\|Value_source::Converter_str2my_decimal::Converter_str2my_decimal\|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn
CS 11.4 opt 150225 ef966af801afc2a07222b5df65dddd52c77431dd No bug found
CS 11.8 dbg 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d SIGSEGV\|internal_str2dec\|str2my_decimal\|Value_source::Converter_str2my_decimal::Converter_str2my_decimal\|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn
CS 11.8 opt 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d SIGSEGV\|internal_str2dec\|str2my_decimal\|Value_source::Converter_str2my_decimal::Converter_str2my_decimal\|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn
CS 12.0 dbg 150225 c92add291e636c797e6d6ddca605905541b2a441 SIGSEGV\|internal_str2dec\|str2my_decimal\|Value_source::Converter_str2my_decimal::Converter_str2my_decimal\|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn
CS 12.0 opt 150225 c92add291e636c797e6d6ddca605905541b2a441 SIGSEGV\|internal_str2dec\|str2my_decimal\|Value_source::Converter_str2my_decimal::Converter_str2my_decimal\|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn
ES 10.5 dbg 130325 52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06 SIGSEGV\|internal_str2dec\|str2my_decimal\|Value_source::Converter_str2my_decimal::Converter_str2my_decimal\|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn
ES 10.5 opt 130325 52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06 No bug found
ES 10.6 dbg 130325 66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d SIGSEGV\|internal_str2dec\|str2my_decimal\|Value_source::Converter_str2my_decimal::Converter_str2my_decimal\|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn
ES 10.6 opt 130325 66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d No bug found
ES 11.4 dbg 130325 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 SIGSEGV\|internal_str2dec\|str2my_decimal\|Value_source::Converter_str2my_decimal::Converter_str2my_decimal\|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn
ES 11.4 opt 130325 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 No bug found
MS 5.5 dbg 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
MS 5.5 opt 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
MS 5.6 dbg 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
MS 5.6 opt 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
MS 5.7 dbg 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
MS 5.7 opt 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
MS 8.0 dbg 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
MS 8.0 opt 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
MS 9.1 dbg 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found
MS 9.1 opt 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found

Roel Van de Paar added a comment - 2025-03-24 05:49 Thank you for the report! Confirmed. CREATE TABLE v00 (c01 INT , c02 TEXT); CREATE INDEX i03 ON v00 (c01); INSERT INTO v00 (c01, c02) VALUES (0, 'abc' ); ( ( SELECT TRUE <=> FALSE IN ( SELECT 'string' ), TRUE <=> TRUE IN ( SELECT 'string' ) FROM ( v00 AS ta01 JOIN v00 AS ta02 NATURAL STRAIGHT_JOIN v00 AS ta03 USING ( c01 ) ) ) LIMIT 1234567890 OFFSET 1234567890 ROWS EXAMINED 1234567890 LOCK IN SHARE MODE SKIP LOCKED ); INSERT LOW_PRIORITY IGNORE v00 SET c01 = TRUE <=> TRUE IN ( SELECT 'string' ) NOT IN ( FALSE <=> VALUE ( c02 ) DIV INTERVAL ( FALSE <=> FALSE IN ( SELECT 'string' ), FALSE ) & TRUE ^ FALSE IN ( SELECT NOT TRUE <=> TRUE IN ( SELECT 'string' ) ), TRUE <=> FALSE IN ( SELECT 'string' ) ) ON DUPLICATE KEY UPDATE c01 = DEFAULT RETURNING *; Leads to: CS 11.4.6 ef966af801afc2a07222b5df65dddd52c77431dd (Debug) Build 15/02/2025 Core was generated by `/test/MD150225-mariadb-11.4.6-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x000055aa6a1c96bb in internal_str2dec (from=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, to=0x1492565ef790, end=0x1492565ef360, fixed=0 '\000')at /test/11.4_dbg/strings/decimal.c:809 [Current thread is 1 (LWP 178139)] (gdb) bt #0 0x000055aa6a1c96bb in internal_str2dec (from=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, to=0x1492565ef790, end=0x1492565ef360, fixed=0 '\000')at /test/11.4_dbg/strings/decimal.c:809 #1 0x000055aa69a2ba05 in str2my_decimal (mask=22, from=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, length=42405, charset=0x55aa6ae24530 <my_charset_latin1>, decimal_value=0x1492565ef790, end_ptr=0x1492565ef518)at /test/11.4_dbg/sql/my_decimal.cc:257 #2 0x000055aa696b72fc in Value_source::Converter_str2my_decimal::Converter_str2my_decimal (this=0x1492565ef518, mask=22, cs=0x55aa6ae24530 <my_charset_latin1>, str=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, length=42405, buf=0x1492565ef790) at /test/11.4_dbg/sql/field.h:275 #3 0x000055aa696b720a in Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn (this=0x1492565ef518, thd=0x1491f8000d58, filter={m_want_warning_edom = true, m_want_note_truncated_spaces = true}, mask=22, cs=0x55aa6ae24530 <my_charset_latin1>, str=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, length=42405, buf=0x1492565ef790) at /test/11.4_dbg/sql/field.h:327 #4 0x000055aa6982787a in Field_blob::val_decimal (this=0x1491f80889c8, decimal_value=0x1492565ef790) at /test/11.4_dbg/sql/field.cc:8902 #5 0x000055aa698780e6 in Item_field::val_decimal (this=0x1491f801b940, decimal_value=0x1492565ef790) at /test/11.4_dbg/sql/item.cc:3451 #6 0x000055aa696fbcd5 in VDec::VDec (this=0x1492565ef788, item=0x1491f801b940)at /test/11.4_dbg/sql/sql_type.cc:381 #7 0x000055aa6990426c in VDec2_lazy::VDec2_lazy (this=0x1492565ef788, a=0x1491f801b940, b=0x1491f801cf28) at /test/11.4_dbg/sql/sql_type.h:545 #8 0x000055aa698ed35e in Item_func_int_div::val_int (this=0x1491f801cff0)at /test/11.4_dbg/sql/item_func.cc:1581 #9 0x000055aa6972155d in Item::to_longlong_null (this=0x1491f801cff0)at /test/11.4_dbg/sql/item.h:1478 #10 0x000055aa698c39df in Func_handler_bit_and_int_to_ulonglong::to_longlong_null (this=0x55aa6ad768b8 <Item_func_bit_and::fix_length_and_dec(THD*)::ha_int_to_ull>, item=0x1491f801d258) at /test/11.4_dbg/sql/item_cmpfunc.cc:5007 #11 0x000055aa698c32de in Item_handled_func::Handler_int::val_int (this=0x55aa6ad768b8 <Item_func_bit_and::fix_length_and_dec(THD*)::ha_int_to_ull>, item=0x1491f801d258) at /test/11.4_dbg/sql/item_func.h:772 #12 0x000055aa6972f16d in Item_handled_func::val_int (this=0x1491f801d258)at /test/11.4_dbg/sql/item_func.h:859 #13 0x000055aa698a3613 in Arg_comparator::compare_int_unsigned_signed (this=0x1491f808ac70) at /test/11.4_dbg/sql/item_cmpfunc.cc:1103 #14 0x000055aa698bd00f in Arg_comparator::compare (this=0x1491f808ac70)at /test/11.4_dbg/sql/item_cmpfunc.h:118 #15 0x000055aa698a6691 in Item_func_eq::val_bool (this=0x1491f808abb8)at /test/11.4_dbg/sql/item_cmpfunc.cc:1885 #16 0x000055aa692ebcc2 in Item_bool_func::val_int (this=0x1491f808abb8)at /test/11.4_dbg/sql/item_cmpfunc.h:249 #17 0x000055aa698a338e in Arg_comparator::compare_e_int (this=0x1491f801f7f0)at /test/11.4_dbg/sql/item_cmpfunc.cc:1129 #18 0x000055aa698bd00f in Arg_comparator::compare (this=0x1491f801f7f0)at /test/11.4_dbg/sql/item_cmpfunc.h:118 #19 0x000055aa698a67f1 in Item_func_equal::val_bool (this=0x1491f801f738)at /test/11.4_dbg/sql/item_cmpfunc.cc:1913 #20 0x000055aa692ebcc2 in Item_bool_func::val_int (this=0x1491f801f738)at /test/11.4_dbg/sql/item_cmpfunc.h:249 #21 0x000055aa698c268d in cmp_item_int::cmp (this=0x1491f808ba00, arg=0x1491f801f738) at /test/11.4_dbg/sql/item_cmpfunc.h:1832 #22 0x000055aa698c42c7 in Predicant_to_list_comparator::cmp_arg (this=0x1491f8020dd8, args=0x1491f8020d78, i=0)at /test/11.4_dbg/sql/item_cmpfunc.h:2132 #23 0x000055aa698bd5bd in Predicant_to_list_comparator::cmp (this=0x1491f8020dd8, args=0x1491f8020d78, idx=0x1492565efbd8, found_unknown_values=0x1491f8020d6c)at /test/11.4_dbg/sql/item_cmpfunc.h:2309 #24 0x000055aa698b26ab in Item_func_in::val_bool (this=0x1491f8020d00)at /test/11.4_dbg/sql/item_cmpfunc.cc:4935 #25 0x000055aa692ebcc2 in Item_bool_func::val_int (this=0x1491f8020d00)at /test/11.4_dbg/sql/item_cmpfunc.h:249 #26 0x000055aa698a338e in Arg_comparator::compare_e_int (this=0x1491f8020f20)at /test/11.4_dbg/sql/item_cmpfunc.cc:1129 #27 0x000055aa698bd00f in Arg_comparator::compare (this=0x1491f8020f20)at /test/11.4_dbg/sql/item_cmpfunc.h:118 #28 0x000055aa698a67f1 in Item_func_equal::val_bool (this=0x1491f8020e68)at /test/11.4_dbg/sql/item_cmpfunc.cc:1913 #29 0x000055aa698836b8 in Item::save_bool_in_field (this=0x1491f8020e68, field=0x1491f803f230, no_conversions=false)at /test/11.4_dbg/sql/item.cc:7091 #30 0x000055aa6970a840 in Type_handler_bool::Item_save_in_field (this=0x55aa6afb8378 <type_handler_bool>, item=0x1491f8020e68, field=0x1491f803f230, no_conversions=false)at /test/11.4_dbg/sql/sql_type.cc:4452 #31 0x000055aa69883765 in Item::save_in_field (this=0x1491f8020e68, field=0x1491f803f230, no_conversions=false)at /test/11.4_dbg/sql/item.cc:7101 #32 0x000055aa693988dc in fill_record (thd=0x1491f8000d58, table_arg=0x1491f8024e98, fields=@0x1491f8005f40: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491f8021090, last = 0x1491f8021090, elements = 1}, <No data fields>}, values=@0x1491f801a518: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491f80210a0, last = 0x1491f80210a0, elements = 1}, <No data fields>}, ignore_errors=false, update=false) at /test/11.4_dbg/sql/sql_base.cc:9055 #33 0x000055aa693990c3 in fill_record_n_invoke_before_triggers (thd=0x1491f8000d58, table=0x1491f8024e98, fields=@0x1491f8005f40: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491f8021090, last = 0x1491f8021090, elements = 1}, <No data fields>}, values=@0x1491f801a518: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491f80210a0, last = 0x1491f80210a0, elements = 1}, <No data fields>}, ignore_errors=false, event=TRG_EVENT_INSERT)at /test/11.4_dbg/sql/sql_base.cc:9224 #34 0x000055aa693e9521 in mysql_insert (thd=0x1491f8000d58, table_list=0x1491f8019e08, fields=@0x1491f8005f40: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491f8021090, last = 0x1491f8021090, elements = 1}, <No data fields>}, values_list=@0x1491f8005f88: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491f801a530, last = 0x1491f801a530, elements = 1}, <No data fields>}, update_fields=@0x1491f8005f70: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491f8021248, last = 0x1491f8021248, elements = 1}, <No data fields>}, update_values=@0x1491f8005f58: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1491f8021258, last = 0x1491f8021258, elements = 1}, <No data fields>}, duplic=DUP_UPDATE, ignore=true, result=0x1491f80213a8)at /test/11.4_dbg/sql/sql_insert.cc:1058 #35 0x000055aa69446aa2 in mysql_execute_command (thd=0x1491f8000d58, is_called_from_prepared_stmt=false) at /test/11.4_dbg/sql/sql_parse.cc:4480 #36 0x000055aa6943c7a4 in mysql_parse (thd=0x1491f8000d58, rawbuf=0x1491f8019ac0 "INSERT LOW_PRIORITY IGNORE v00 SET c01 = TRUE <=> TRUE IN ( SELECT 'string' ) NOT IN ( FALSE <=> VALUE ( c02 ) DIV INTERVAL ( FALSE <=> FALSE IN ( SELECT 'string' ), FALSE ) & TRUE ^ FALSE IN ( SELECT"..., length=334, parser_state=0x1492565f1a30)at /test/11.4_dbg/sql/sql_parse.cc:7907 #37 0x000055aa69439c54 in dispatch_command (command=COM_QUERY, thd=0x1491f8000d58, packet=0x1491f800afd9 "", packet_length=334, blocking=true) at /test/11.4_dbg/sql/sql_parse.cc:1904 #38 0x000055aa6943d353 in do_command (thd=0x1491f8000d58, blocking=true)at /test/11.4_dbg/sql/sql_parse.cc:1417 #39 0x000055aa6961f5a9 in do_handle_one_connection (connect=0x55aa6c826c58, put_in_cache=true) at /test/11.4_dbg/sql/sql_connect.cc:1408 #40 0x000055aa6961f342 in handle_one_connection (arg=0x55aa6c88a708)at /test/11.4_dbg/sql/sql_connect.cc:1320 #41 0x000014925b69ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447 #42 0x000014925b729c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 Bug Detection Matrix Rel o/d Build Commit UniqueID observed CS 10.5 dbg 150225 c43d0a015f974c5a0142e6779332089a7a979853 SIGSEGV|internal_str2dec|str2my_decimal|Value_source::Converter_str2my_decimal::Converter_str2my_decimal|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn CS 10.5 opt 150225 c43d0a015f974c5a0142e6779332089a7a979853 No bug found CS 10.6 dbg 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 SIGSEGV|internal_str2dec|str2my_decimal|Value_source::Converter_str2my_decimal::Converter_str2my_decimal|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn CS 10.6 opt 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 No bug found CS 10.11 dbg 150225 43c5d1303f5c7c726db276815c459436110f342f SIGSEGV|internal_str2dec|str2my_decimal|Value_source::Converter_str2my_decimal::Converter_str2my_decimal|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn CS 10.11 opt 150225 43c5d1303f5c7c726db276815c459436110f342f SIGSEGV|internal_str2dec|str2my_decimal|Value_source::Converter_str2my_decimal::Converter_str2my_decimal|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn CS 11.4 dbg 150225 ef966af801afc2a07222b5df65dddd52c77431dd SIGSEGV|internal_str2dec|str2my_decimal|Value_source::Converter_str2my_decimal::Converter_str2my_decimal|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn CS 11.4 opt 150225 ef966af801afc2a07222b5df65dddd52c77431dd No bug found CS 11.8 dbg 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d SIGSEGV|internal_str2dec|str2my_decimal|Value_source::Converter_str2my_decimal::Converter_str2my_decimal|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn CS 11.8 opt 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d SIGSEGV|internal_str2dec|str2my_decimal|Value_source::Converter_str2my_decimal::Converter_str2my_decimal|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn CS 12.0 dbg 150225 c92add291e636c797e6d6ddca605905541b2a441 SIGSEGV|internal_str2dec|str2my_decimal|Value_source::Converter_str2my_decimal::Converter_str2my_decimal|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn CS 12.0 opt 150225 c92add291e636c797e6d6ddca605905541b2a441 SIGSEGV|internal_str2dec|str2my_decimal|Value_source::Converter_str2my_decimal::Converter_str2my_decimal|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn ES 10.5 dbg 130325 52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06 SIGSEGV|internal_str2dec|str2my_decimal|Value_source::Converter_str2my_decimal::Converter_str2my_decimal|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn ES 10.5 opt 130325 52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06 No bug found ES 10.6 dbg 130325 66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d SIGSEGV|internal_str2dec|str2my_decimal|Value_source::Converter_str2my_decimal::Converter_str2my_decimal|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn ES 10.6 opt 130325 66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d No bug found ES 11.4 dbg 130325 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 SIGSEGV|internal_str2dec|str2my_decimal|Value_source::Converter_str2my_decimal::Converter_str2my_decimal|Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn ES 11.4 opt 130325 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 No bug found MS 5.5 dbg 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found MS 5.5 opt 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found MS 5.6 dbg 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found MS 5.6 opt 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found MS 5.7 dbg 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found MS 5.7 opt 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found MS 8.0 dbg 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found MS 8.0 opt 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found MS 9.1 dbg 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found MS 9.1 opt 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found

Roel Van de Paar made changes - 2025-03-24 05:49

Fix Version/s		10.5 [ 23123 ]
Fix Version/s		10.6 [ 24028 ]
Fix Version/s		10.11 [ 27614 ]
Fix Version/s		11.4 [ 29301 ]
Fix Version/s		11.8 [ 29921 ]
Affects Version/s		10.5 [ 23123 ]
Affects Version/s		10.6 [ 24028 ]
Affects Version/s		10.11 [ 27614 ]
Affects Version/s		11.4 [ 29301 ]
Affects Version/s		11.8 [ 29921 ]
Affects Version/s		12.0 [ 29945 ]
Priority	Critical [ 2 ]	Major [ 3 ]

Roel Van de Paar made changes - 2025-03-24 05:49

Status

Open [ 1 ]

Confirmed [ 10101 ]

Roel Van de Paar made changes - 2025-03-24 05:50

Component/s

Data types [ 13906 ]

Roel Van de Paar made changes - 2025-03-24 05:50

Assignee

Alexander Barkov [ bar ]

Roel Van de Paar added a comment - 2025-03-24 05:50

No UBSAN/ASAN issues observed.

Roel Van de Paar added a comment - 2025-03-24 05:50 No UBSAN/ASAN issues observed.

Alice Sherepa made changes - 2025-03-24 12:17

Link

This issue relates to MDEV-32759 [ MDEV-32759 ]

Alice Sherepa made changes - 2025-03-24 12:17

Link

This issue relates to MDEV-32416 [ MDEV-32416 ]

Alice Sherepa added a comment - 2025-03-24 17:08

CREATE TABLE t1 (i INT, j TEXT, key(i));

INSERT into t1 SET i =  (value (j)) ON duplicate KEY UPDATE i = DEFAULT;

250324 18:00:51 [ERROR] //mariadbd got signal 11 ;

Server version: 10.5.29-MariaDB-debug-log source revision: f1deebbb0bcff9bd83c057c3164eefb345619a6f

sql/signal_handler.cc:229(handle_fatal_signal)[0x557a69c75ac6]

sigaction.c:0(__restore_rt)[0x7f6cf8108420]

strings/ctype-simple.c:1619(my_strntoull10rnd_8bit)[0x557a6a6da3b9]

include/m_ctype.h:801(charset_info_st::strntoull10rnd(char const*, unsigned long, int, char**, int*) const)[0x557a69c5e7d2]

sql/field.cc:1746(Field_num::get_int(charset_info_st const*, char const*, unsigned long, long long*, unsigned long long, long long, long long))[0x557a69c38c48]

sql/field.cc:4319(Field_long::store(char const*, unsigned long, charset_info_st const*))[0x557a69c41cea]

sql/field.h:772(Field::save_in_field_str(Field*))[0x557a69a62ee4]

sql/field.h:2131(Field_str::save_in_field(Field*))[0x557a69a64721]

sql/field.h:933(Field::store_field(Field*))[0x557a69a63114]

sql/field_conv.cc:902(field_conv_incompatible(Field*, Field*))[0x557a69c6897b]

sql/field_conv.cc:915(field_conv(Field*, Field*))[0x557a69c689db]

sql/item.cc:6826(save_field_in_field(Field*, bool*, Field*, bool))[0x557a69cb1ccf]

sql/item.cc:6878(Item_field::save_in_field(Field*, bool))[0x557a69cb1f32]

sql/item.h:6892(Item_insert_value::save_in_field(Field*, bool))[0x557a69cc58c0]

sql/sql_base.cc:8586(fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool))[0x557a698157e9]

sql/sql_base.cc:8753(fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type))[0x557a69815f2c]

sql/sql_insert.cc:1024(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x557a69866c99]

sql/sql_parse.cc:4664(mysql_execute_command(THD*))[0x557a698bed8c]

sql/sql_parse.cc:8252(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x557a698cb283]

sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x557a698b5eff]

sql/sql_parse.cc:1375(do_command(THD*))[0x557a698b468e]

sql/sql_connect.cc:1386(do_handle_one_connection(CONNECT*, bool))[0x557a69a841db]

sql/sql_connect.cc:1300(handle_one_connection)[0x557a69a83f57]

perfschema/pfs.cc:2203(pfs_spawn_thread)[0x557a69fecb0e]

nptl/pthread_create.c:478(start_thread)[0x7f6cf80fc609]

Query (0x7f6c700154e0): INSERT into t1 SET i =  (value (j)) ON duplicate KEY UPDATE i = DEFAULT;

CREATE TABLE t1 (i INT, j TEXT, key(i));

INSERT into t1 SET i =  (1 = value (j)) ON duplicate KEY UPDATE i = 1;

250324 18:04:03 [ERROR] //mariadbd got signal 11 ;

Server version: 10.5.29-MariaDB-debug-log source revision: f1deebbb0bcff9bd83c057c3164eefb345619a6f

sql/signal_handler.cc:229(handle_fatal_signal)[0x564c38a1bac6]

sigaction.c:0(__restore_rt)[0x7f1b83d69420]

strings/decimal.c:801(internal_str2dec)[0x564c394ae3d8]

sql/my_decimal.cc:256(str2my_decimal(unsigned int, char const*, unsigned long, charset_info_st const*, my_decimal*, char const**))[0x564c38bd20a2]

sql/field.h:275(Value_source::Converter_str2my_decimal::Converter_str2my_decimal(unsigned int, charset_info_st const*, char const*, unsigned long, my_decimal*))[0x564c388c4fe6]

sql/field.h:329(Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn(THD*, Value_source::Warn_filter, unsigned int, charset_info_st const*, char const*, unsigned long, my_decimal*))[0x564c388c5062]

sql/field.cc:8766(Field_blob::val_decimal(my_decimal*))[0x564c389fa8f0]

sql/item.cc:3403(Item_field::val_decimal(my_decimal*))[0x564c38a4c96f]

sql/sql_type.cc:302(VDec::VDec(Item*))[0x564c388ea9b3]

sql/item_cmpfunc.cc:871(Arg_comparator::compare_decimal())[0x564c38a757b9]

sql/item_cmpfunc.h:117(Arg_comparator::compare())[0x564c38a9006e]

sql/item_cmpfunc.cc:1812(Item_func_eq::val_int())[0x564c38a78f69]

sql/item.cc:6970(Item::save_int_in_field(Field*, bool))[0x564c38a582c6]

sql/sql_type.cc:4369(Type_handler_int_result::Item_save_in_field(Item*, Field*, bool) const)[0x564c388f728e]

sql/item.cc:6980(Item::save_in_field(Field*, bool))[0x564c38a5837b]

sql/sql_base.cc:8586(fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool))[0x564c385bb7e9]

sql/sql_base.cc:8753(fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type))[0x564c385bbf2c]

sql/sql_insert.cc:1024(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x564c3860cc99]

sql/sql_parse.cc:4664(mysql_execute_command(THD*))[0x564c38664d8c]

sql/sql_parse.cc:8252(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x564c38671283]

sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x564c3865beff]

sql/sql_parse.cc:1375(do_command(THD*))[0x564c3865a68e]

sql/sql_connect.cc:1386(do_handle_one_connection(CONNECT*, bool))[0x564c3882a1db]

sql/sql_connect.cc:1300(handle_one_connection)[0x564c38829f57]

perfschema/pfs.cc:2203(pfs_spawn_thread)[0x564c38d92b0e]

nptl/pthread_create.c:478(start_thread)[0x7f1b83d5d609]

Query (0x7f1b300154e0): INSERT into t1 SET i =  (1 = value (j)) ON duplicate KEY UPDATE i = 1

Alice Sherepa added a comment - 2025-03-24 17:08 CREATE TABLE t1 (i INT , j TEXT, key (i)); INSERT into t1 SET i = (value (j)) ON duplicate KEY UPDATE i = DEFAULT ; 250324 18:00:51 [ERROR] //mariadbd got signal 11 ; Server version: 10.5.29-MariaDB-debug-log source revision: f1deebbb0bcff9bd83c057c3164eefb345619a6f sql/signal_handler.cc:229(handle_fatal_signal)[0x557a69c75ac6] sigaction.c:0(__restore_rt)[0x7f6cf8108420] strings/ctype-simple.c:1619(my_strntoull10rnd_8bit)[0x557a6a6da3b9] include/m_ctype.h:801(charset_info_st::strntoull10rnd(char const*, unsigned long, int, char**, int*) const)[0x557a69c5e7d2] sql/field.cc:1746(Field_num::get_int(charset_info_st const*, char const*, unsigned long, long long*, unsigned long long, long long, long long))[0x557a69c38c48] sql/field.cc:4319(Field_long::store(char const*, unsigned long, charset_info_st const*))[0x557a69c41cea] sql/field.h:772(Field::save_in_field_str(Field*))[0x557a69a62ee4] sql/field.h:2131(Field_str::save_in_field(Field*))[0x557a69a64721] sql/field.h:933(Field::store_field(Field*))[0x557a69a63114] sql/field_conv.cc:902(field_conv_incompatible(Field*, Field*))[0x557a69c6897b] sql/field_conv.cc:915(field_conv(Field*, Field*))[0x557a69c689db] sql/item.cc:6826(save_field_in_field(Field*, bool*, Field*, bool))[0x557a69cb1ccf] sql/item.cc:6878(Item_field::save_in_field(Field*, bool))[0x557a69cb1f32] sql/item.h:6892(Item_insert_value::save_in_field(Field*, bool))[0x557a69cc58c0] sql/sql_base.cc:8586(fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool))[0x557a698157e9] sql/sql_base.cc:8753(fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type))[0x557a69815f2c] sql/sql_insert.cc:1024(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x557a69866c99] sql/sql_parse.cc:4664(mysql_execute_command(THD*))[0x557a698bed8c] sql/sql_parse.cc:8252(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x557a698cb283] sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x557a698b5eff] sql/sql_parse.cc:1375(do_command(THD*))[0x557a698b468e] sql/sql_connect.cc:1386(do_handle_one_connection(CONNECT*, bool))[0x557a69a841db] sql/sql_connect.cc:1300(handle_one_connection)[0x557a69a83f57] perfschema/pfs.cc:2203(pfs_spawn_thread)[0x557a69fecb0e] nptl/pthread_create.c:478(start_thread)[0x7f6cf80fc609] Query (0x7f6c700154e0): INSERT into t1 SET i = (value (j)) ON duplicate KEY UPDATE i = DEFAULT; CREATE TABLE t1 (i INT , j TEXT, key (i)); INSERT into t1 SET i = (1 = value (j)) ON duplicate KEY UPDATE i = 1; 250324 18:04:03 [ERROR] //mariadbd got signal 11 ; Server version: 10.5.29-MariaDB-debug-log source revision: f1deebbb0bcff9bd83c057c3164eefb345619a6f sql/signal_handler.cc:229(handle_fatal_signal)[0x564c38a1bac6] sigaction.c:0(__restore_rt)[0x7f1b83d69420] strings/decimal.c:801(internal_str2dec)[0x564c394ae3d8] sql/my_decimal.cc:256(str2my_decimal(unsigned int, char const*, unsigned long, charset_info_st const*, my_decimal*, char const**))[0x564c38bd20a2] sql/field.h:275(Value_source::Converter_str2my_decimal::Converter_str2my_decimal(unsigned int, charset_info_st const*, char const*, unsigned long, my_decimal*))[0x564c388c4fe6] sql/field.h:329(Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn(THD*, Value_source::Warn_filter, unsigned int, charset_info_st const*, char const*, unsigned long, my_decimal*))[0x564c388c5062] sql/field.cc:8766(Field_blob::val_decimal(my_decimal*))[0x564c389fa8f0] sql/item.cc:3403(Item_field::val_decimal(my_decimal*))[0x564c38a4c96f] sql/sql_type.cc:302(VDec::VDec(Item*))[0x564c388ea9b3] sql/item_cmpfunc.cc:871(Arg_comparator::compare_decimal())[0x564c38a757b9] sql/item_cmpfunc.h:117(Arg_comparator::compare())[0x564c38a9006e] sql/item_cmpfunc.cc:1812(Item_func_eq::val_int())[0x564c38a78f69] sql/item.cc:6970(Item::save_int_in_field(Field*, bool))[0x564c38a582c6] sql/sql_type.cc:4369(Type_handler_int_result::Item_save_in_field(Item*, Field*, bool) const)[0x564c388f728e] sql/item.cc:6980(Item::save_in_field(Field*, bool))[0x564c38a5837b] sql/sql_base.cc:8586(fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool))[0x564c385bb7e9] sql/sql_base.cc:8753(fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type))[0x564c385bbf2c] sql/sql_insert.cc:1024(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x564c3860cc99] sql/sql_parse.cc:4664(mysql_execute_command(THD*))[0x564c38664d8c] sql/sql_parse.cc:8252(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x564c38671283] sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x564c3865beff] sql/sql_parse.cc:1375(do_command(THD*))[0x564c3865a68e] sql/sql_connect.cc:1386(do_handle_one_connection(CONNECT*, bool))[0x564c3882a1db] sql/sql_connect.cc:1300(handle_one_connection)[0x564c38829f57] perfschema/pfs.cc:2203(pfs_spawn_thread)[0x564c38d92b0e] nptl/pthread_create.c:478(start_thread)[0x7f1b83d5d609] Query (0x7f1b300154e0): INSERT into t1 SET i = (1 = value (j)) ON duplicate KEY UPDATE i = 1

Alice Sherepa made changes - 2025-03-24 17:14

Link

This issue relates to MDEV-36355 [ MDEV-36355 ]

Roel Van de Paar made changes - 2025-03-24 22:06

Summary

MariaDB SEGV when executing a sequence of query

MariaDB SEGV in internal_str2dec on INSERT

People

Assignee:: Alexander Barkov

Reporter:: Yu Liang

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2025-03-22 19:27

Updated:: 2025-03-24 22:06

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration