MariaDB Server / MDEV-36356

MariaDB crashes in Item::save_int_in_field and UBSAN member call on null pointer of type 'Field' upon executing a complex SELECT

Details

    Description

      MariaDB crashes when executing the following statement:

      DROP DATABASE IF EXISTS test123;
      CREATE DATABASE IF NOT EXISTS test123;
      USE test123;
      CREATE TABLE v00 (c01 INT, c02 TEXT);
      INSERT INTO v00 (c01, c02) VALUES (0, 'abc');
      SELECT * FROM { ta60225505 v00 AS ta60225502 NATURAL RIGHT OUTER JOIN ( ( SELECT * FROM { ta60225509 v00 AS ta60225507 NATURAL STRAIGHT_JOIN v00 AS ta60225508 } LIMIT 1234567890 ROWS EXAMINED 1234567890 LOCK IN SHARE MODE SKIP LOCKED ) ORDER BY FALSE <=> + INTERVAL NOT FALSE = FALSE IN ( SELECT FALSE <=> FALSE IN ( SELECT 'string' ) ) SECOND_MICROSECOND + TRUE <=> TRUE IN ( SELECT 'string' ) << ROW_NUMBER ( ) OVER ( PARTITION BY NOT TRUE <=> FALSE IN ( SELECT 'string' ) DESC ) IN ( SELECT 'string' ) ) = ta60225506 NATURAL JOIN v00 AS ta60225503 };
      

      The crash stack is:

      #0  0x00000000018acf4c in Field::set_notnull (this=0x0, row_offset=0) at /home/mariadb/mariadb-server/sql/field.h:1461
      #1  Item::save_int_in_field (this=0xffff6425f5a0, field=0x0, no_conversions=true) at /home/mariadb/mariadb-server/sql/item.cc:7117
      #2  0x00000000018ad344 in Item::save_in_field (this=0xffff6425f5a0, field=0x0, no_conversions=true) at /home/mariadb/mariadb-server/sql/item.cc:7134
      #3  0x0000000001590bdc in save_window_function_values (window_functions=..., tbl=0xffff642b4438, rowid_buf=0xffff926436d8 "")
          at /home/mariadb/mariadb-server/sql/sql_window.cc:2793
      #4  compute_window_func (thd=<optimized out>, window_functions=..., cursor_managers=..., tbl=<optimized out>, filesort_result=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_window.cc:2952
      #5  0x0000000001591dc8 in Window_func_runner::exec (this=<optimized out>, thd=<optimized out>, tbl=<optimized out>, filesort_result=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_window.cc:3068
      #6  0x0000000001592208 in Window_funcs_sort::exec (this=0xffff93468f10, join=<optimized out>, keep_filesort_result=true)
          at /home/mariadb/mariadb-server/sql/sql_window.cc:3096
      #7  0x0000000001594f64 in Window_funcs_computation::exec (this=<optimized out>, join=0xffff64269220, keep_last_filesort_result=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_window.cc:3225
      #8  0x0000000000f21754 in AGGR_OP::end_send (this=0xffff6429e3d8) at /home/mariadb/mariadb-server/sql/sql_select.cc:33256
      #9  0x0000000000e97718 in sub_select_postjoin_aggr (join=0xffff64269220, join_tab=0xffff934672e8, end_of_records=true)
          at /home/mariadb/mariadb-server/sql/sql_select.cc:23782
      #10 0x0000000000e24dc8 in sub_select (join=0xffff64269220, join_tab=0xffff93466e70, end_of_records=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_select.cc:24037
      #11 0x0000000000e24dc8 in sub_select (join=0xffff64269220, join_tab=0xffff934669f8, end_of_records=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_select.cc:24037
      #12 0x0000000000ea8768 in do_select (join=0xffff64269220, procedure=0x0) at /home/mariadb/mariadb-server/sql/sql_select.cc:23617
      #13 JOIN::exec_inner (this=0xffff64269220) at /home/mariadb/mariadb-server/sql/sql_select.cc:5046
      #14 0x0000000000ea4dc0 in JOIN::exec (this=0xffff64269220) at /home/mariadb/mariadb-server/sql/sql_select.cc:4829
      #15 0x0000000000e27d78 in mysql_select (thd=0xffff65262218, tables=<optimized out>, fields=..., conds=<optimized out>, og_num=<optimized out>,
          order=<optimized out>, group=<optimized out>, having=<optimized out>, proc_param=0x0, select_options=<optimized out>, result=0xffff64269128,
          unit=0xffff8baf6018, select_lex=0xffff8baf4250) at /home/mariadb/mariadb-server/sql/sql_select.cc:5362
      #16 0x0000000000c0a3ec in mysql_derived_fill (thd=<optimized out>, lex=<optimized out>, derived=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_derived.cc:1283
      #17 0x0000000000c0c14c in mysql_handle_single_derived (lex=0xffff652664b0, derived=0xffff642611c0, phases=96)
          at /home/mariadb/mariadb-server/sql/sql_derived.cc:200
      #18 0x0000000000eedbfc in st_join_table::preread_init (this=0xffff9346f408) at /home/mariadb/mariadb-server/sql/sql_select.cc:16671
      #19 0x0000000000e24ee8 in sub_select (join=0xffff6427d740, join_tab=0xffff9346f408, end_of_records=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_select.cc:24051
      #20 0x0000000000f23108 in evaluate_join_record (join=0xffff6427d740, join_tab=<optimized out>, error=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_select.cc:24337
      #21 0x0000000000e25350 in sub_select (join=0xffff6427d740, join_tab=0xffff9346ef90, end_of_records=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_select.cc:24104
      #22 0x0000000000ea8374 in do_select (join=0xffff6427d740, procedure=0x0) at /home/mariadb/mariadb-server/sql/sql_select.cc:23615
      #23 JOIN::exec_inner (this=0xffff6427d740) at /home/mariadb/mariadb-server/sql/sql_select.cc:5046
      #24 0x0000000000ea4dc0 in JOIN::exec (this=0xffff6427d740) at /home/mariadb/mariadb-server/sql/sql_select.cc:4829
      #25 0x0000000001105618 in st_select_lex_unit::exec_inner (this=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_union.cc:2437
      #26 0x00000000010f5c04 in st_select_lex_unit::exec (this=0xffff64266708) at /home/mariadb/mariadb-server/sql/sql_union.cc:2342
      #27 0x0000000000c0a02c in mysql_derived_fill (thd=<optimized out>, lex=<optimized out>, derived=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_derived.cc:1272
      #28 0x0000000000c0c14c in mysql_handle_single_derived (lex=0xffff652664b0, derived=0xffff642675b8, phases=96)
          at /home/mariadb/mariadb-server/sql/sql_derived.cc:200
      #29 0x0000000000eedbfc in st_join_table::preread_init (this=0xffff934796a0) at /home/mariadb/mariadb-server/sql/sql_select.cc:16671
      #30 0x0000000000e24ee8 in sub_select (join=0xffff64268b28, join_tab=0xffff934796a0, end_of_records=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_select.cc:24051
      #31 0x0000000000ea8374 in do_select (join=0xffff64268b28, procedure=0x0) at /home/mariadb/mariadb-server/sql/sql_select.cc:23615
      #32 JOIN::exec_inner (this=0xffff64268b28) at /home/mariadb/mariadb-server/sql/sql_select.cc:5046
      #33 0x0000000000ea4dc0 in JOIN::exec (this=0xffff64268b28) at /home/mariadb/mariadb-server/sql/sql_select.cc:4829
      #34 0x0000000001105618 in st_select_lex_unit::exec_inner (this=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_union.cc:2437
      #35 0x00000000010f5c04 in st_select_lex_unit::exec (this=0xffff65266590) at /home/mariadb/mariadb-server/sql/sql_union.cc:2342
      #36 0x00000000010ee140 in mysql_union (thd=<optimized out>, lex=<optimized out>, result=<optimized out>, unit=0xffff65266590,
          setup_tables_done_option=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_union.cc:45
      #37 0x0000000000e26a80 in handle_select (thd=0xffff65262218, lex=0xffff652664b0, result=0xffff64267e30, setup_tables_done_option=0)
          at /home/mariadb/mariadb-server/sql/sql_select.cc:623
      #38 0x0000000000d4c2c0 in execute_sqlcom_select (thd=0xffff65262218, all_tables=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:6191
      #39 0x0000000000d30e80 in mysql_execute_command (thd=0xffff65262218, is_called_from_prepared_stmt=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_parse.cc:3979
      #40 0x0000000000d1cd24 in mysql_parse (thd=0xffff65262218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_parse.cc:7915
      #41 0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>,
          blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902
      #42 0x0000000000d1dbf4 in do_command (thd=0xffff65262218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415
      #43 0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415
      #44 0x00000000012841b4 in handle_one_connection (arg=0xffff6d63e9b8) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327
      #45 0x0000000002200c38 in pfs_spawn_thread (arg=0xffff8b609a98) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198
      #46 0x0000ffff97666624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477
      #47 0x0000ffff9738866c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78
      

          Activity

            Roel Van de Paar added a comment - edited

            Bug confirmed, thank you for reporting!

            CREATE TABLE v (c1 INT, c2 TEXT);
            INSERT INTO v (c1, c2) VALUES (0, 'a');
            SELECT * FROM { ta1 v AS ta2 NATURAL RIGHT OUTER JOIN ((SELECT * FROM { ta3 v AS ta4 NATURAL STRAIGHT_JOIN v AS ta5 } LIMIT 1234567890 ROWS EXAMINED 1234567890 LOCK IN SHARE MODE SKIP LOCKED) ORDER BY FALSE <=> + INTERVAL NOT FALSE=FALSE IN (SELECT FALSE <=> FALSE IN (SELECT 'string')) SECOND_MICROSECOND + TRUE <=> TRUE IN (SELECT 'string') << ROW_NUMBER () OVER (PARTITION BY NOT TRUE <=> FALSE IN (SELECT 'string') DESC) IN (SELECT 'string'))=ta6 NATURAL JOIN v AS ta7 };
            

            Leads to:

            CS 11.4.6 ef966af801afc2a07222b5df65dddd52c77431dd (Optimized) Build 15/02/2025

            Core was generated by `/test/MD150225-mariadb-11.4.6-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0  Field::set_notnull (this=0x0, row_offset=0)at /test/11.4_opt/sql/field.h:1423
             
            [Current thread is 1 (LWP 283830)]
            (gdb) bt
            #0  Field::set_notnull (this=0x0, row_offset=0)at /test/11.4_opt/sql/field.h:1423
            #1  Item::save_int_in_field (this=0x558427f22b98, field=0x0, no_conversions=true) at /test/11.4_opt/sql/item.cc:7084
            #2  0x00005584121210c2 in Item::save_in_field (this=0x558427f22b98, field=0x0, no_conversions=true) at /test/11.4_opt/sql/item.cc:7101
            #3  0x000055841206d082 in save_window_function_values (window_functions=@0x558427f49f60: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x558427f49f80, last = 0x558427f49f80, elements = 1}, <No data fields>}, tbl=0x558427f4e030, rowid_buf=0x55841512b3b8 "")at /test/11.4_opt/sql/sql_window.cc:2792
            #4  compute_window_func (thd=thd@entry=0x558427e90018, window_functions=@0x558427f49f60: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x558427f49f80, last = 0x558427f49f80, elements = 1}, <No data fields>}, cursor_managers=@0x1546200f7cf8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x558427f86168, last = 0x558427f86168, elements = 1}, <No data fields>}, tbl=tbl@entry=0x558427f4e030, filesort_result=filesort_result@entry=0x55841c9d9b00)at /test/11.4_opt/sql/sql_window.cc:2944
            #5  0x000055841206d3d7 in Window_func_runner::exec (this=this@entry=0x558427f49f58, thd=thd@entry=0x558427e90018, tbl=0x558427f4e030, filesort_result=0x55841c9d9b00)at /test/11.4_opt/sql/sql_window.cc:3057
            #6  0x000055841206e4d3 in Window_funcs_sort::exec (this=<optimized out>, join=0x558427f28608, keep_filesort_result=<optimized out>)at /test/11.4_opt/sql/sql_window.cc:3085
            #7  Window_funcs_computation::exec (this=0x558427f49f30, join=0x558427f28608, keep_last_filesort_result=<optimized out>)at /test/11.4_opt/sql/sql_window.cc:3214
            #8  0x0000558411f0ef36 in AGGR_OP::end_send (this=0x558427f49cb0)at /test/11.4_opt/sql/sql_select.cc:33282
            #9  0x0000558411eef747 in sub_select_postjoin_aggr (join=0x558427f28608, join_tab=0x558427f483d0, end_of_records=true)at /test/11.4_opt/sql/sql_select.cc:23827
            #10 0x0000558411ef3681 in do_select (join=join@entry=0x558427f28608, procedure=<optimized out>) at /test/11.4_opt/sql/sql_select.cc:23662
            #11 0x0000558411ef2f76 in JOIN::exec_inner (this=this@entry=0x558427f28608)at /test/11.4_opt/sql/sql_select.cc:5045
            #12 0x0000558411ed8ce7 in JOIN::exec (this=0x558427f28608)at /test/11.4_opt/sql/sql_select.cc:4831
            #13 mysql_select (thd=thd@entry=0x558427e90018, tables=<optimized out>, fields=@0x558427ee1460: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x558427ee1790, last = 0x558427f29918, elements = 2}, <No data fields>}, conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x558427f28518, unit=0x558427ee2e50, select_lex=0x558427ee11a8)at /test/11.4_opt/sql/sql_select.cc:5361
            #14 0x0000558411e60650 in mysql_derived_fill (thd=0x558427e90018, lex=0x558427e94210, derived=0x558427f24640)at /test/11.4_opt/sql/sql_derived.cc:1283
            #15 0x0000558411e60dc2 in mysql_handle_single_derived (lex=0x558427e94210, derived=derived@entry=0x558427f24640, phases=phases@entry=96)at /test/11.4_opt/sql/sql_derived.cc:200
            #16 0x0000558411f0428b in st_join_table::preread_init (this=this@entry=0x558427f820d0) at /test/11.4_opt/sql/sql_select.cc:16720
            #17 0x0000558411ed8382 in sub_select (join=0x558427f27d68, join_tab=0x558427f820d0, end_of_records=<optimized out>)at /test/11.4_opt/sql/sql_select.cc:24096
            #18 0x0000558411f0f4eb in evaluate_join_record (join=join@entry=0x558427f27d68, join_tab=join_tab@entry=0x558427f81c60, error=<optimized out>) at /test/11.4_opt/sql/sql_select.cc:24382
            #19 0x0000558411ed848b in sub_select (join=0x558427f27d68, join_tab=0x558427f81c60, end_of_records=<optimized out>)at /test/11.4_opt/sql/sql_select.cc:24149
            #20 0x0000558411ef3653 in do_select (join=join@entry=0x558427f27d68, procedure=<optimized out>) at /test/11.4_opt/sql/sql_select.cc:23660
            #21 0x0000558411ef2f76 in JOIN::exec_inner (this=this@entry=0x558427f27d68)at /test/11.4_opt/sql/sql_select.cc:5045
            #22 0x0000558411ed8ce7 in JOIN::exec (this=0x558427f27d68)at /test/11.4_opt/sql/sql_select.cc:4831
            #23 mysql_select (thd=thd@entry=0x558427e90018, tables=<optimized out>, fields=@0x558427ee0700: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x558427ee0a30, last = 0x558427f345d0, elements = 2}, <No data fields>}, conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x558427f27d40, unit=0x558427e942f0, select_lex=0x558427ee0448)at /test/11.4_opt/sql/sql_select.cc:5361
            #24 0x0000558411ed8969 in handle_select (thd=thd@entry=0x558427e90018, lex=lex@entry=0x558427e94210, result=result@entry=0x558427f27d40, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/11.4_opt/sql/sql_select.cc:642
            #25 0x0000558411ea4cfe in execute_sqlcom_select (thd=thd@entry=0x558427e90018, all_tables=0x558427ee0a98) at /test/11.4_opt/sql/sql_parse.cc:6183
            #26 0x0000558411ea3229 in mysql_execute_command (thd=thd@entry=0x558427e90018, is_called_from_prepared_stmt=false) at /test/11.4_opt/sql/sql_parse.cc:3975
            #27 0x0000558411e9b7e1 in mysql_parse (thd=thd@entry=0x558427e90018, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1546200f9410)at /test/11.4_opt/sql/sql_parse.cc:7907
            #28 0x0000558411e99c99 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x558427e90018, packet=packet@entry=0x558427e98019 "", packet_length=packet_length@entry=474, blocking=true)at /test/11.4_opt/sql/sql_parse.cc:1904
            #29 0x0000558411e9bbf1 in do_command (thd=thd@entry=0x558427e90018, blocking=true) at /test/11.4_opt/sql/sql_parse.cc:1417
            #30 0x0000558411fc379d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5584151458d8, put_in_cache=true)at /test/11.4_opt/sql/sql_connect.cc:1408
            #31 0x0000558411fc3563 in handle_one_connection (arg=arg@entry=0x5584151458d8)at /test/11.4_opt/sql/sql_connect.cc:1320
            #32 0x0000558412332a4e in pfs_spawn_thread (arg=0x55841cb3e618)at /test/11.4_opt/storage/perfschema/pfs.cc:2201
            #33 0x000015462029ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
            #34 0x0000154620329c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
            

            CS 11.4.6 ef966af801afc2a07222b5df65dddd52c77431dd (Debug) Build 15/02/2025

            Core was generated by `/test/MD150225-mariadb-11.4.6-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0  Field::set_notnull (this=0x0, row_offset=0)at /test/11.4_dbg/sql/field.h:1423
             
            [Current thread is 1 (LWP 283803)]
            (gdb) bt
            #0  Field::set_notnull (this=0x0, row_offset=0)at /test/11.4_dbg/sql/field.h:1423
            #1  0x0000562a41bf9663 in Item::save_int_in_field (this=0x150850075a28, field=0x0, no_conversions=true) at /test/11.4_dbg/sql/item.cc:7084
            #2  0x0000562a41a80800 in Type_handler_int_result::Item_save_in_field (this=0x562a4332e408 <type_handler_slonglong>, item=0x150850075a28, field=0x0, no_conversions=true) at /test/11.4_dbg/sql/sql_type.cc:4445
            #3  0x0000562a41bf9765 in Item::save_in_field (this=0x150850075a28, field=0x0, no_conversions=true) at /test/11.4_dbg/sql/item.cc:7101
            #4  0x0000562a41ab32d0 in save_window_function_values (window_functions=@0x1508500a2600: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1508500a2620, last = 0x1508500a2620, elements = 1}, <No data fields>}, tbl=0x1508500a6740, rowid_buf=0x15085012ca28 "")at /test/11.4_dbg/sql/sql_window.cc:2792
            #5  0x0000562a41ab3149 in compute_window_func (thd=0x150850000d58, window_functions=@0x1508500a2600: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1508500a2620, last = 0x1508500a2620, elements = 1}, <No data fields>}, cursor_managers=@0x1508b01c9890: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1508500dcd90, last = 0x1508500dcd90, elements = 1}, <No data fields>}, tbl=0x1508500a6740, filesort_result=0x150850074c90)at /test/11.4_dbg/sql/sql_window.cc:2944
            #6  0x0000562a41ab3605 in Window_func_runner::exec (this=0x1508500a25f8, thd=0x150850000d58, tbl=0x1508500a6740, filesort_result=0x150850074c90)at /test/11.4_dbg/sql/sql_window.cc:3057
            #7  0x0000562a41ab3736 in Window_funcs_sort::exec (this=0x1508500a25f0, join=0x15085007b4a8, keep_filesort_result=true)at /test/11.4_dbg/sql/sql_window.cc:3085
            #8  0x0000562a41ab4171 in Window_funcs_computation::exec (this=0x1508500a25d0, join=0x15085007b4a8, keep_last_filesort_result=true)at /test/11.4_dbg/sql/sql_window.cc:3214
            #9  0x0000562a41868916 in AGGR_OP::end_send (this=0x15085008e4a8)at /test/11.4_dbg/sql/sql_select.cc:33282
            #10 0x0000562a4183ea20 in sub_select_postjoin_aggr (join=0x15085007b4a8, join_tab=0x1508500a08f8, end_of_records=true)at /test/11.4_dbg/sql/sql_select.cc:23827
            #11 0x0000562a4181d396 in sub_select (join=0x15085007b4a8, join_tab=0x1508500a0488, end_of_records=true)at /test/11.4_dbg/sql/sql_select.cc:24082
            #12 0x0000562a41868bd6 in sub_select_cache (join=0x15085007b4a8, join_tab=0x1508500a0488, end_of_records=true)at /test/11.4_dbg/sql/sql_select.cc:23895
            #13 0x0000562a4181d396 in sub_select (join=0x15085007b4a8, join_tab=0x1508500a0018, end_of_records=true)at /test/11.4_dbg/sql/sql_select.cc:24082
            #14 0x0000562a418449b0 in do_select (join=0x15085007b4a8, procedure=0x0)at /test/11.4_dbg/sql/sql_select.cc:23662
            #15 0x0000562a41843cca in JOIN::exec_inner (this=0x15085007b4a8)at /test/11.4_dbg/sql/sql_select.cc:5045
            #16 0x0000562a41842bae in JOIN::exec (this=0x15085007b4a8)at /test/11.4_dbg/sql/sql_select.cc:4831
            #17 0x0000562a4181e02d in mysql_select (thd=0x150850000d58, tables=0x15085001b288, fields=@0x15085001aef0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x15085001b220, last = 0x15085007c7c0, elements = 2}, <No data fields>}, conds=0x15085007c650, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2201187781376, result=0x15085007b3b8, unit=0x15085001c8e0, select_lex=0x15085001ac38)at /test/11.4_dbg/sql/sql_select.cc:5361
            #18 0x0000562a4175573d in mysql_derived_fill (thd=0x150850000d58, lex=0x150850004f20, derived=0x1508500774d0)at /test/11.4_dbg/sql/sql_derived.cc:1283
            #19 0x0000562a41755e56 in mysql_handle_single_derived (lex=0x150850004f20, derived=0x1508500774d0, phases=96) at /test/11.4_dbg/sql/sql_derived.cc:200
            #20 0x0000562a418597c6 in st_join_table::preread_init (this=0x1508500d8998)at /test/11.4_dbg/sql/sql_select.cc:16720
            #21 0x0000562a4181d40e in sub_select (join=0x15085007abf8, join_tab=0x1508500d8998, end_of_records=false)at /test/11.4_dbg/sql/sql_select.cc:24096
            #22 0x0000562a4186918d in evaluate_join_record (join=0x15085007abf8, join_tab=0x1508500d8528, error=0) at /test/11.4_dbg/sql/sql_select.cc:24382
            #23 0x0000562a4181d6fe in sub_select (join=0x15085007abf8, join_tab=0x1508500d8528, end_of_records=false)at /test/11.4_dbg/sql/sql_select.cc:24149
            #24 0x0000562a41844964 in do_select (join=0x15085007abf8, procedure=0x0)at /test/11.4_dbg/sql/sql_select.cc:23660
            #25 0x0000562a41843cca in JOIN::exec_inner (this=0x15085007abf8)at /test/11.4_dbg/sql/sql_select.cc:5045
            #26 0x0000562a41842bae in JOIN::exec (this=0x15085007abf8)at /test/11.4_dbg/sql/sql_select.cc:4831
            #27 0x0000562a4181e02d in mysql_select (thd=0x150850000d58, tables=0x15085001a528, fields=@0x15085001a190: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x15085001a4c0, last = 0x15085008cb38, elements = 2}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x15085007abd0, unit=0x150850005000, select_lex=0x150850019ed8) at /test/11.4_dbg/sql/sql_select.cc:5361
            #28 0x0000562a4181dab5 in handle_select (thd=0x150850000d58, lex=0x150850004f20, result=0x15085007abd0, setup_tables_done_option=0)at /test/11.4_dbg/sql/sql_select.cc:642
            #29 0x0000562a417c5691 in execute_sqlcom_select (thd=0x150850000d58, all_tables=0x15085001a528) at /test/11.4_dbg/sql/sql_parse.cc:6183
            #30 0x0000562a417ba620 in mysql_execute_command (thd=0x150850000d58, is_called_from_prepared_stmt=false) at /test/11.4_dbg/sql/sql_parse.cc:3975
            #31 0x0000562a417b27a4 in mysql_parse (thd=0x150850000d58, rawbuf=0x150850019ac0 "SELECT * FROM { ta1 v AS ta2 NATURAL RIGHT OUTER JOIN ((SELECT * FROM { ta3 v AS ta4 NATURAL STRAIGHT_JOIN v AS ta5 } LIMIT 1234567890 ROWS EXAMINED 1234567890 LOCK IN SHARE MODE SKIP LOCKED) ORDER BY"..., length=474, parser_state=0x1508b01cca30)at /test/11.4_dbg/sql/sql_parse.cc:7907
            #32 0x0000562a417afc54 in dispatch_command (command=COM_QUERY, thd=0x150850000d58, packet=0x15085000afd9 "", packet_length=474, blocking=true) at /test/11.4_dbg/sql/sql_parse.cc:1904
            #33 0x0000562a417b3353 in do_command (thd=0x150850000d58, blocking=true)at /test/11.4_dbg/sql/sql_parse.cc:1417
            #34 0x0000562a419955a9 in do_handle_one_connection (connect=0x562a45704df8, put_in_cache=true) at /test/11.4_dbg/sql/sql_connect.cc:1408
            #35 0x0000562a41995342 in handle_one_connection (arg=0x562a457688a8)at /test/11.4_dbg/sql/sql_connect.cc:1320
            #36 0x00001508b5a9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
            #37 0x00001508b5b29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
            

            Bug Detection Matrix

                Rel    o/d  Build   Commit                                    UniqueID observed             
            CS  10.5   dbg  150225  c43d0a015f974c5a0142e6779332089a7a979853  No bug found                  
            CS  10.5   opt  150225  c43d0a015f974c5a0142e6779332089a7a979853  No bug found                  
            CS  10.6   dbg  150225  f1d7e0c17e33f77278e6226dd94aeb30fc856bf0  No bug found                  
            CS  10.6   opt  150225  f1d7e0c17e33f77278e6226dd94aeb30fc856bf0  No bug found                  
            CS  10.11  dbg  150225  43c5d1303f5c7c726db276815c459436110f342f  SIGSEGV|Field::set_notnull|Item::save_int_in_field|Type_handler_int_result::Item_save_in_field|Item::save_in_field
            CS  10.11  opt  150225  43c5d1303f5c7c726db276815c459436110f342f  SIGSEGV|Field::set_notnull|Item::save_int_in_field|Item::save_in_field|save_window_function_values
            CS  11.4   dbg  150225  ef966af801afc2a07222b5df65dddd52c77431dd  SIGSEGV|Field::set_notnull|Item::save_int_in_field|Type_handler_int_result::Item_save_in_field|Item::save_in_field
            CS  11.4   opt  150225  ef966af801afc2a07222b5df65dddd52c77431dd  SIGSEGV|Field::set_notnull|Item::save_int_in_field|Item::save_in_field|save_window_function_values
            CS  11.8   dbg  150225  33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d  SIGSEGV|Field::set_notnull|Item::save_int_in_field|Type_handler_int_result::Item_save_in_field|Item::save_in_field
            CS  11.8   opt  150225  33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d  SIGSEGV|Field::set_notnull|Item::save_int_in_field|Item::save_in_field|save_window_function_values
            CS  12.0   dbg  150225  c92add291e636c797e6d6ddca605905541b2a441  SIGSEGV|Field::set_notnull|Item::save_int_in_field|Type_handler_int_result::Item_save_in_field|Item::save_in_field
            CS  12.0   opt  150225  c92add291e636c797e6d6ddca605905541b2a441  SIGSEGV|Field::set_notnull|Item::save_int_in_field|Item::save_in_field|save_window_function_values
            ES  10.5   dbg  130325  52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06  No bug found                  
            ES  10.5   opt  130325  52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06  No bug found                  
            ES  10.6   dbg  130325  66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d  No bug found                  
            ES  10.6   opt  130325  66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d  No bug found                  
            ES  11.4   dbg  130325  ca7a2a835c4c982ffa35d3f0b5748b30c4c22763  SIGSEGV|Field::set_notnull|Item::save_int_in_field|Type_handler_int_result::Item_save_in_field|Item::save_in_field
            ES  11.4   opt  130325  ca7a2a835c4c982ffa35d3f0b5748b30c4c22763  SIGSEGV|Field::set_notnull|Item::save_int_in_field|Item::save_in_field|save_window_function_values
            MS  5.5    dbg  070123  bac287c315b1792e7ae33f91add6a60292f9bae8  No bug found                  
            MS  5.5    opt  070123  bac287c315b1792e7ae33f91add6a60292f9bae8  No bug found                  
            MS  5.6    dbg  070123  dab95781a1244104d6b87020ac2fc4d190ba2946  No bug found                  
            MS  5.6    opt  070123  dab95781a1244104d6b87020ac2fc4d190ba2946  No bug found                  
            MS  5.7    dbg  060224  f7680e98b6bbe3500399fbad465d08a6b75d7a5c  No bug found                  
            MS  5.7    opt  060224  f7680e98b6bbe3500399fbad465d08a6b75d7a5c  No bug found                  
            MS  8.0    dbg  060224  49ef33f7edadef3ae04665e73d1babd40179a4f1  No bug found                  
            MS  8.0    opt  060224  49ef33f7edadef3ae04665e73d1babd40179a4f1  No bug found                  
            MS  9.1    dbg  211024  61a3a1d8ef15512396b4c2af46e922a19bf2b174  No bug found                  
            MS  9.1    opt  211024  61a3a1d8ef15512396b4c2af46e922a19bf2b174  No bug found                  
            
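As an added example (not part of the report or of MariaDB's own tooling): the UniqueID column in the matrix above reads as the crash signal followed by the four innermost frame names, which is why the debug and optimized builds of one and the same bug get different IDs (the optimized build has inlined Type_handler_int_result::Item_save_in_field, so save_window_function_values moves into the fourth slot). The Python below rebuilds that signature from gdb `bt` output and matches such dbg/opt pairs for triage deduplication; the signal-plus-four-frames layout and the inlining heuristic are assumptions drawn from the traces on this page, and the embedded backtraces are abbreviated copies of the 11.4 traces quoted above.

```python
import re
from typing import List

# gdb `bt` frame: "#N  [0xADDR in ]function (args) at file:line". The "0xADDR in"
# prefix is absent on the innermost frame and on frames gdb reports as inlined.
# Limitation: function names containing spaces (some C++ templates) are cut short.
FRAME_RE = re.compile(r"^\s*#(?P<no>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[^\s(]+)\s*\(", re.M)
SIGNAL_RE = re.compile(r"Program terminated with signal (?P<sig>\w+)")

# Constructed sample input: the innermost frames of the 11.4.6 debug and optimized
# backtraces from the comment above, with argument lists shortened to "...".
DBG_BT = """\
Program terminated with signal SIGSEGV, Segmentation fault.
#0  Field::set_notnull (this=0x0, row_offset=0)at /test/11.4_dbg/sql/field.h:1423
#1  0x0000562a41bf9663 in Item::save_int_in_field (this=0x150850075a28, field=0x0, no_conversions=true) at /test/11.4_dbg/sql/item.cc:7084
#2  0x0000562a41a80800 in Type_handler_int_result::Item_save_in_field (this=0x562a4332e408 <type_handler_slonglong>, item=..., field=0x0, no_conversions=true) at /test/11.4_dbg/sql/sql_type.cc:4445
#3  0x0000562a41bf9765 in Item::save_in_field (this=0x150850075a28, field=0x0, no_conversions=true) at /test/11.4_dbg/sql/item.cc:7101
#4  0x0000562a41ab32d0 in save_window_function_values (window_functions=..., tbl=0x1508500a6740, rowid_buf=0x15085012ca28 "")at /test/11.4_dbg/sql/sql_window.cc:2792
"""

OPT_BT = """\
Program terminated with signal SIGSEGV, Segmentation fault.
#0  Field::set_notnull (this=0x0, row_offset=0)at /test/11.4_opt/sql/field.h:1423
#1  Item::save_int_in_field (this=0x558427f22b98, field=0x0, no_conversions=true) at /test/11.4_opt/sql/item.cc:7084
#2  0x00005584121210c2 in Item::save_in_field (this=0x558427f22b98, field=0x0, no_conversions=true) at /test/11.4_opt/sql/item.cc:7101
#3  0x000055841206d082 in save_window_function_values (window_functions=..., tbl=0x558427f4e030, rowid_buf=0x55841512b3b8 "")at /test/11.4_opt/sql/sql_window.cc:2792
#4  compute_window_func (thd=thd@entry=0x558427e90018, ...)at /test/11.4_opt/sql/sql_window.cc:2944
"""


def parse_frames(bt: str) -> List[str]:
    """Function names of a gdb backtrace, innermost frame first."""
    return [m.group("func") for m in FRAME_RE.finditer(bt)]


def crash_signature(bt: str, depth: int = 4) -> str:
    """'SIGNAL|frame0|...|frame{depth-1}', the shape of the UniqueID column above.
    Assumption: the ID is the signal plus the `depth` innermost frames."""
    m = SIGNAL_RE.search(bt)
    signal = m.group("sig") if m else "UNKNOWN"
    return "|".join([signal] + parse_frames(bt)[:depth])


def is_inlined_variant(short: List[str], full: List[str]) -> bool:
    """True if every frame of `short` occurs in `full`, in the same order.
    Heuristic: an optimized build drops inlined frames, so its trace is an
    ordered subsequence of the debug build's trace for the same crash."""
    if not short:
        return False
    it = iter(full)
    return all(s in it for s in short)  # `in` advances the iterator past each match


def same_crash(bt_a: str, bt_b: str, depth: int = 4) -> bool:
    """Same signal, and the top `depth` frames of one trace appear in order within
    the top 2*depth frames of the other. Pairs dbg/opt traces whose exact
    signatures differ only because of inlining."""
    sa, sb = SIGNAL_RE.search(bt_a), SIGNAL_RE.search(bt_b)
    if not sa or not sb or sa.group("sig") != sb.group("sig"):
        return False
    fa, fb = parse_frames(bt_a), parse_frames(bt_b)
    return (is_inlined_variant(fa[:depth], fb[:2 * depth])
            or is_inlined_variant(fb[:depth], fa[:2 * depth]))


if __name__ == "__main__":
    for name, bt in (("dbg", DBG_BT), ("opt", OPT_BT)):
        print(f"{name}: {crash_signature(bt)}")
    print("same crash despite differing IDs:", same_crash(DBG_BT, OPT_BT))
```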

#0 Field::set_notnull (this=0x0, row_offset=0)at /test/11.4_dbg/sql/field.h:1423   [Current thread is 1 (LWP 283803)] (gdb) bt #0 Field::set_notnull (this=0x0, row_offset=0)at /test/11.4_dbg/sql/field.h:1423 #1 0x0000562a41bf9663 in Item::save_int_in_field (this=0x150850075a28, field=0x0, no_conversions=true) at /test/11.4_dbg/sql/item.cc:7084 #2 0x0000562a41a80800 in Type_handler_int_result::Item_save_in_field (this=0x562a4332e408 <type_handler_slonglong>, item=0x150850075a28, field=0x0, no_conversions=true) at /test/11.4_dbg/sql/sql_type.cc:4445 #3 0x0000562a41bf9765 in Item::save_in_field (this=0x150850075a28, field=0x0, no_conversions=true) at /test/11.4_dbg/sql/item.cc:7101 #4 0x0000562a41ab32d0 in save_window_function_values (window_functions=@0x1508500a2600: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1508500a2620, last = 0x1508500a2620, elements = 1}, <No data fields>}, tbl=0x1508500a6740, rowid_buf=0x15085012ca28 "")at /test/11.4_dbg/sql/sql_window.cc:2792 #5 0x0000562a41ab3149 in compute_window_func (thd=0x150850000d58, window_functions=@0x1508500a2600: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1508500a2620, last = 0x1508500a2620, elements = 1}, <No data fields>}, cursor_managers=@0x1508b01c9890: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1508500dcd90, last = 0x1508500dcd90, elements = 1}, <No data fields>}, tbl=0x1508500a6740, filesort_result=0x150850074c90)at /test/11.4_dbg/sql/sql_window.cc:2944 #6 0x0000562a41ab3605 in Window_func_runner::exec (this=0x1508500a25f8, thd=0x150850000d58, tbl=0x1508500a6740, filesort_result=0x150850074c90)at /test/11.4_dbg/sql/sql_window.cc:3057 #7 0x0000562a41ab3736 in Window_funcs_sort::exec (this=0x1508500a25f0, join=0x15085007b4a8, keep_filesort_result=true)at /test/11.4_dbg/sql/sql_window.cc:3085 #8 0x0000562a41ab4171 in Window_funcs_computation::exec (this=0x1508500a25d0, join=0x15085007b4a8, keep_last_filesort_result=true)at /test/11.4_dbg/sql/sql_window.cc:3214 #9 
0x0000562a41868916 in AGGR_OP::end_send (this=0x15085008e4a8)at /test/11.4_dbg/sql/sql_select.cc:33282 #10 0x0000562a4183ea20 in sub_select_postjoin_aggr (join=0x15085007b4a8, join_tab=0x1508500a08f8, end_of_records=true)at /test/11.4_dbg/sql/sql_select.cc:23827 #11 0x0000562a4181d396 in sub_select (join=0x15085007b4a8, join_tab=0x1508500a0488, end_of_records=true)at /test/11.4_dbg/sql/sql_select.cc:24082 #12 0x0000562a41868bd6 in sub_select_cache (join=0x15085007b4a8, join_tab=0x1508500a0488, end_of_records=true)at /test/11.4_dbg/sql/sql_select.cc:23895 #13 0x0000562a4181d396 in sub_select (join=0x15085007b4a8, join_tab=0x1508500a0018, end_of_records=true)at /test/11.4_dbg/sql/sql_select.cc:24082 #14 0x0000562a418449b0 in do_select (join=0x15085007b4a8, procedure=0x0)at /test/11.4_dbg/sql/sql_select.cc:23662 #15 0x0000562a41843cca in JOIN::exec_inner (this=0x15085007b4a8)at /test/11.4_dbg/sql/sql_select.cc:5045 #16 0x0000562a41842bae in JOIN::exec (this=0x15085007b4a8)at /test/11.4_dbg/sql/sql_select.cc:4831 #17 0x0000562a4181e02d in mysql_select (thd=0x150850000d58, tables=0x15085001b288, fields=@0x15085001aef0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x15085001b220, last = 0x15085007c7c0, elements = 2}, <No data fields>}, conds=0x15085007c650, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2201187781376, result=0x15085007b3b8, unit=0x15085001c8e0, select_lex=0x15085001ac38)at /test/11.4_dbg/sql/sql_select.cc:5361 #18 0x0000562a4175573d in mysql_derived_fill (thd=0x150850000d58, lex=0x150850004f20, derived=0x1508500774d0)at /test/11.4_dbg/sql/sql_derived.cc:1283 #19 0x0000562a41755e56 in mysql_handle_single_derived (lex=0x150850004f20, derived=0x1508500774d0, phases=96) at /test/11.4_dbg/sql/sql_derived.cc:200 #20 0x0000562a418597c6 in st_join_table::preread_init (this=0x1508500d8998)at /test/11.4_dbg/sql/sql_select.cc:16720 #21 0x0000562a4181d40e in sub_select (join=0x15085007abf8, join_tab=0x1508500d8998, 
end_of_records=false)at /test/11.4_dbg/sql/sql_select.cc:24096 #22 0x0000562a4186918d in evaluate_join_record (join=0x15085007abf8, join_tab=0x1508500d8528, error=0) at /test/11.4_dbg/sql/sql_select.cc:24382 #23 0x0000562a4181d6fe in sub_select (join=0x15085007abf8, join_tab=0x1508500d8528, end_of_records=false)at /test/11.4_dbg/sql/sql_select.cc:24149 #24 0x0000562a41844964 in do_select (join=0x15085007abf8, procedure=0x0)at /test/11.4_dbg/sql/sql_select.cc:23660 #25 0x0000562a41843cca in JOIN::exec_inner (this=0x15085007abf8)at /test/11.4_dbg/sql/sql_select.cc:5045 #26 0x0000562a41842bae in JOIN::exec (this=0x15085007abf8)at /test/11.4_dbg/sql/sql_select.cc:4831 #27 0x0000562a4181e02d in mysql_select (thd=0x150850000d58, tables=0x15085001a528, fields=@0x15085001a190: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x15085001a4c0, last = 0x15085008cb38, elements = 2}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x15085007abd0, unit=0x150850005000, select_lex=0x150850019ed8) at /test/11.4_dbg/sql/sql_select.cc:5361 #28 0x0000562a4181dab5 in handle_select (thd=0x150850000d58, lex=0x150850004f20, result=0x15085007abd0, setup_tables_done_option=0)at /test/11.4_dbg/sql/sql_select.cc:642 #29 0x0000562a417c5691 in execute_sqlcom_select (thd=0x150850000d58, all_tables=0x15085001a528) at /test/11.4_dbg/sql/sql_parse.cc:6183 #30 0x0000562a417ba620 in mysql_execute_command (thd=0x150850000d58, is_called_from_prepared_stmt=false) at /test/11.4_dbg/sql/sql_parse.cc:3975 #31 0x0000562a417b27a4 in mysql_parse (thd=0x150850000d58, rawbuf=0x150850019ac0 "SELECT * FROM { ta1 v AS ta2 NATURAL RIGHT OUTER JOIN ((SELECT * FROM { ta3 v AS ta4 NATURAL STRAIGHT_JOIN v AS ta5 } LIMIT 1234567890 ROWS EXAMINED 1234567890 LOCK IN SHARE MODE SKIP LOCKED) ORDER BY"..., length=474, parser_state=0x1508b01cca30)at /test/11.4_dbg/sql/sql_parse.cc:7907 #32 0x0000562a417afc54 in dispatch_command 
(command=COM_QUERY, thd=0x150850000d58, packet=0x15085000afd9 "", packet_length=474, blocking=true) at /test/11.4_dbg/sql/sql_parse.cc:1904 #33 0x0000562a417b3353 in do_command (thd=0x150850000d58, blocking=true)at /test/11.4_dbg/sql/sql_parse.cc:1417 #34 0x0000562a419955a9 in do_handle_one_connection (connect=0x562a45704df8, put_in_cache=true) at /test/11.4_dbg/sql/sql_connect.cc:1408 #35 0x0000562a41995342 in handle_one_connection (arg=0x562a457688a8)at /test/11.4_dbg/sql/sql_connect.cc:1320 #36 0x00001508b5a9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447 #37 0x00001508b5b29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 Bug Detection Matrix Rel o/d Build Commit UniqueID observed CS 10.5 dbg 150225 c43d0a015f974c5a0142e6779332089a7a979853 No bug found CS 10.5 opt 150225 c43d0a015f974c5a0142e6779332089a7a979853 No bug found CS 10.6 dbg 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 No bug found CS 10.6 opt 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 No bug found CS 10.11 dbg 150225 43c5d1303f5c7c726db276815c459436110f342f SIGSEGV|Field::set_notnull|Item::save_int_in_field|Type_handler_int_result::Item_save_in_field|Item::save_in_field CS 10.11 opt 150225 43c5d1303f5c7c726db276815c459436110f342f SIGSEGV|Field::set_notnull|Item::save_int_in_field|Item::save_in_field|save_window_function_values CS 11.4 dbg 150225 ef966af801afc2a07222b5df65dddd52c77431dd SIGSEGV|Field::set_notnull|Item::save_int_in_field|Type_handler_int_result::Item_save_in_field|Item::save_in_field CS 11.4 opt 150225 ef966af801afc2a07222b5df65dddd52c77431dd SIGSEGV|Field::set_notnull|Item::save_int_in_field|Item::save_in_field|save_window_function_values CS 11.8 dbg 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d SIGSEGV|Field::set_notnull|Item::save_int_in_field|Type_handler_int_result::Item_save_in_field|Item::save_in_field CS 11.8 opt 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d 
SIGSEGV|Field::set_notnull|Item::save_int_in_field|Item::save_in_field|save_window_function_values CS 12.0 dbg 150225 c92add291e636c797e6d6ddca605905541b2a441 SIGSEGV|Field::set_notnull|Item::save_int_in_field|Type_handler_int_result::Item_save_in_field|Item::save_in_field CS 12.0 opt 150225 c92add291e636c797e6d6ddca605905541b2a441 SIGSEGV|Field::set_notnull|Item::save_int_in_field|Item::save_in_field|save_window_function_values ES 10.5 dbg 130325 52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06 No bug found ES 10.5 opt 130325 52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06 No bug found ES 10.6 dbg 130325 66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d No bug found ES 10.6 opt 130325 66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d No bug found ES 11.4 dbg 130325 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 SIGSEGV|Field::set_notnull|Item::save_int_in_field|Type_handler_int_result::Item_save_in_field|Item::save_in_field ES 11.4 opt 130325 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 SIGSEGV|Field::set_notnull|Item::save_int_in_field|Item::save_in_field|save_window_function_values MS 5.5 dbg 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found MS 5.5 opt 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found MS 5.6 dbg 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found MS 5.6 opt 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found MS 5.7 dbg 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found MS 5.7 opt 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found MS 8.0 dbg 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found MS 8.0 opt 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found MS 9.1 dbg 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found MS 9.1 opt 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found
            Roel Roel Van de Paar added a comment - - edited

            UBSAN sees a null pointer use issue:

            CS 11.4.6 ef966af801afc2a07222b5df65dddd52c77431dd (Debug, UBASAN, Clang) Build 15/02/2025

            /test/11.4_dbg_san/sql/item.cc:7084:10: runtime error: member call on null pointer of type 'Field'
                #0 0x5597d570b678 in Item::save_int_in_field(Field*, bool) /test/11.4_dbg_san/sql/item.cc:7084:10
                #1 0x5597d570bac6 in Item::save_in_field(Field*, bool) /test/11.4_dbg_san/sql/item.cc:7101:30
                #2 0x5597d52470a3 in save_window_function_values(List<Item_window_func>&, TABLE*, unsigned char*) /test/11.4_dbg_san/sql/sql_window.cc:2792:15
                #3 0x5597d52470a3 in compute_window_func(THD*, List<Item_window_func>&, List<Cursor_manager>&, TABLE*, SORT_INFO*) /test/11.4_dbg_san/sql/sql_window.cc:2944:5
                #4 0x5597d5248903 in Window_func_runner::exec(THD*, TABLE*, SORT_INFO*) /test/11.4_dbg_san/sql/sql_window.cc:3057:18
                #5 0x5597d5248ec7 in Window_funcs_sort::exec(JOIN*, bool) /test/11.4_dbg_san/sql/sql_window.cc:3085:25
                #6 0x5597d524bddf in Window_funcs_computation::exec(JOIN*, bool) /test/11.4_dbg_san/sql/sql_window.cc:3214:14
                #7 0x5597d4a47234 in AGGR_OP::end_send() /test/11.4_dbg_san/sql/sql_select.cc:33282:38
                #8 0x5597d49968a8 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.4_dbg_san/sql/sql_select.cc:23827:15
                #9 0x5597d491c89c in sub_select(JOIN*, st_join_table*, bool) /test/11.4_dbg_san/sql/sql_select.cc:24082:7
                #10 0x5597d4a48360 in sub_select_cache(JOIN*, st_join_table*, bool) /test/11.4_dbg_san/sql/sql_select.cc:23895:11
                #11 0x5597d491c89c in sub_select(JOIN*, st_join_table*, bool) /test/11.4_dbg_san/sql/sql_select.cc:24082:7
                #12 0x5597d49aceb3 in do_select(JOIN*, Procedure*) /test/11.4_dbg_san/sql/sql_select.cc:23662:14
                #13 0x5597d49a97d1 in JOIN::exec_inner() /test/11.4_dbg_san/sql/sql_select.cc:5045:50
                #14 0x5597d49a7232 in JOIN::exec() /test/11.4_dbg_san/sql/sql_select.cc:4831:8
                #15 0x5597d4921044 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.4_dbg_san/sql/sql_select.cc:5361:21
                #16 0x5597d463cbeb in mysql_derived_fill(THD*, LEX*, TABLE_LIST*) /test/11.4_dbg_san/sql/sql_derived.cc:1283:10
                #17 0x5597d463ef76 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /test/11.4_dbg_san/sql/sql_derived.cc:200:15
                #18 0x5597d49f9800 in st_join_table::preread_init() /test/11.4_dbg_san/sql/sql_select.cc:16720:7
                #19 0x5597d491c9a3 in sub_select(JOIN*, st_join_table*, bool) /test/11.4_dbg_san/sql/sql_select.cc:24096:49
                #20 0x5597d4a49cdf in evaluate_join_record(JOIN*, st_join_table*, int) /test/11.4_dbg_san/sql/sql_select.cc:24382:11
                #21 0x5597d491d070 in sub_select(JOIN*, st_join_table*, bool) /test/11.4_dbg_san/sql/sql_select.cc:24149:9
                #22 0x5597d49acdac in do_select(JOIN*, Procedure*) /test/11.4_dbg_san/sql/sql_select.cc:23660:14
                #23 0x5597d49a97d1 in JOIN::exec_inner() /test/11.4_dbg_san/sql/sql_select.cc:5045:50
                #24 0x5597d49a7232 in JOIN::exec() /test/11.4_dbg_san/sql/sql_select.cc:4831:8
                #25 0x5597d4921044 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.4_dbg_san/sql/sql_select.cc:5361:21
                #26 0x5597d491f972 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.4_dbg_san/sql/sql_select.cc:642:10
                #27 0x5597d47f3b77 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.4_dbg_san/sql/sql_parse.cc:6183:12
                #28 0x5597d47df97c in mysql_execute_command(THD*, bool) /test/11.4_dbg_san/sql/sql_parse.cc:3975:12
                #29 0x5597d47af378 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.4_dbg_san/sql/sql_parse.cc:7907:18
                #30 0x5597d47a355d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.4_dbg_san/sql/sql_parse.cc:1904:7
                #31 0x5597d47b1d9d in do_command(THD*, bool) /test/11.4_dbg_san/sql/sql_parse.cc:1417:17
                #32 0x5597d4e7412c in do_handle_one_connection(CONNECT*, bool) /test/11.4_dbg_san/sql/sql_connect.cc:1408:11
                #33 0x5597d4e739eb in handle_one_connection /test/11.4_dbg_san/sql/sql_connect.cc:1320:5
                #34 0x5597d41be31c in asan_thread_start(void*) asan_interceptors.cpp.o
                #35 0x14a4f4a9ca93 in start_thread nptl/pthread_create.c:447:8
                #36 0x14a4f4b29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
             
            SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/11.4_dbg_san/sql/item.cc:7084:10 
            

            Setup:

            Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18. Ubuntu instructions:
              # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18
                 sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev
            Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
                -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
            Set before execution:
                export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to suppress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues, see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter
                export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
            

            SAN Bug Detection Matrix

                Rel    o/d  Build   Commit                                    UniqueID observed             
            CS  10.5   dbg  150225  c43d0a015f974c5a0142e6779332089a7a979853  No bug found
            CS  10.5   opt  150225  c43d0a015f974c5a0142e6779332089a7a979853  No bug found                  
            CS  10.6   dbg  150225  f1d7e0c17e33f77278e6226dd94aeb30fc856bf0  No bug found                  
            CS  10.6   opt  150225  f1d7e0c17e33f77278e6226dd94aeb30fc856bf0  No bug found                  
            CS  10.11  dbg  150225  43c5d1303f5c7c726db276815c459436110f342f  UBSAN|member call on null pointer of type 'Field'|sql/item.cc|Item::save_int_in_field|Item::save_in_field|save_window_function_values|compute_window_func
            CS  10.11  opt  150225  43c5d1303f5c7c726db276815c459436110f342f  UBSAN|member call on null pointer of type 'Field'|sql/item.cc|Item::save_int_in_field|Item::save_in_field|save_window_function_values|compute_window_func
            CS  11.4   dbg  150225  ef966af801afc2a07222b5df65dddd52c77431dd  UBSAN|member call on null pointer of type 'Field'|sql/item.cc|Item::save_int_in_field|Item::save_in_field|save_window_function_values|compute_window_func
            CS  11.4   opt  150225  ef966af801afc2a07222b5df65dddd52c77431dd  UBSAN|member call on null pointer of type 'Field'|sql/item.cc|Item::save_int_in_field|Item::save_in_field|save_window_function_values|compute_window_func
            CS  11.8   dbg  150225  33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d  UBSAN|member call on null pointer of type 'Field'|sql/item.cc|Item::save_int_in_field|Item::save_in_field|save_window_function_values|compute_window_func
            CS  11.8   opt  150225  33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d  UBSAN|member call on null pointer of type 'Field'|sql/item.cc|Item::save_int_in_field|Item::save_in_field|save_window_function_values|compute_window_func
            CS  12.0   dbg  150225  c92add291e636c797e6d6ddca605905541b2a441  UBSAN|member call on null pointer of type 'Field'|sql/item.cc|Item::save_int_in_field|Item::save_in_field|save_window_function_values|compute_window_func
            CS  12.0   opt  150225  c92add291e636c797e6d6ddca605905541b2a441  UBSAN|member call on null pointer of type 'Field'|sql/item.cc|Item::save_int_in_field|Item::save_in_field|save_window_function_values|compute_window_func
            ES  10.5   dbg  140325  6553c62369ab3606efc74295c902181f793fd6d1  No bug found                  
            ES  10.5   opt  140325  6553c62369ab3606efc74295c902181f793fd6d1  No bug found                  
            ES  10.6   dbg  140325  a99e9e4101f5d56a379577e6d81c829b7658df99  No bug found                  
            ES  10.6   opt  140325  a99e9e4101f5d56a379577e6d81c829b7658df99  No bug found                  
            ES  11.4   dbg  140325  26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba  UBSAN|member call on null pointer of type 'Field'|sql/item.cc|Item::save_int_in_field|Item::save_in_field|save_window_function_values|compute_window_func
            ES  11.4   opt  140325  26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba  UBSAN|member call on null pointer of type 'Field'|sql/item.cc|Item::save_int_in_field|Item::save_in_field|save_window_function_values|compute_window_func
            

            alice Alice Sherepa added a comment -

            This seems to be a duplicate of MDEV-26416. But there the SEGV is in Field::set_notnull/Item::save_real_in_field, here in Field::set_notnull/Item::save_int_in_field.
            10.5/10.6 return a syntax error, while the bug most likely exists there also; it just needs test adjustments to repeat it there.


            People

              psergei Sergei Petrunia
              luy70 Yu Liang