[MDEV-36356] MariaDB crashes in Item::save_int_in_field and UBSAN member call on null pointer of type 'Field' upon executing a complex SELECT - Jira

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Critical
Resolution: Unresolved
Affects Version/s: 10.11, 11.4, 11.8, 12.0
Fix Version/s: 10.11, 11.4, 11.8
Component/s: Optimizer, Optimizer - Window functions
Labels:

Description

MariaDB crashes when executing the following statement:

DROP DATABASE IF EXISTS test123;

CREATE DATABASE IF NOT EXISTS test123;

USE test123;

CREATE TABLE v00 (c01 INT, c02 TEXT);

INSERT INTO v00 (c01, c02) VALUES (0, 'abc');

SELECT * FROM { ta60225505 v00 AS ta60225502 NATURAL RIGHT OUTER JOIN ( ( SELECT * FROM { ta60225509 v00 AS ta60225507 NATURAL STRAIGHT_JOIN v00 AS ta60225508 } LIMIT 1234567890 ROWS EXAMINED 1234567890 LOCK IN SHARE MODE SKIP LOCKED ) ORDER BY FALSE <=> + INTERVAL NOT FALSE = FALSE IN ( SELECT FALSE <=> FALSE IN ( SELECT 'string' ) ) SECOND_MICROSECOND + TRUE <=> TRUE IN ( SELECT 'string' ) << ROW_NUMBER ( ) OVER ( PARTITION BY NOT TRUE <=> FALSE IN ( SELECT 'string' ) DESC ) IN ( SELECT 'string' ) ) = ta60225506 NATURAL JOIN v00 AS ta60225503 };

The crash stack is:

#0  0x00000000018acf4c in Field::set_notnull (this=0x0, row_offset=0) at /home/mariadb/mariadb-server/sql/field.h:1461

#1  Item::save_int_in_field (this=0xffff6425f5a0, field=0x0, no_conversions=true) at /home/mariadb/mariadb-server/sql/item.cc:7117

#2  0x00000000018ad344 in Item::save_in_field (this=0xffff6425f5a0, field=0x0, no_conversions=true) at /home/mariadb/mariadb-server/sql/item.cc:7134

#3  0x0000000001590bdc in save_window_function_values (window_functions=..., tbl=0xffff642b4438, rowid_buf=0xffff926436d8 "")

    at /home/mariadb/mariadb-server/sql/sql_window.cc:2793

#4  compute_window_func (thd=<optimized out>, window_functions=..., cursor_managers=..., tbl=<optimized out>, filesort_result=<optimized out>)

    at /home/mariadb/mariadb-server/sql/sql_window.cc:2952

#5  0x0000000001591dc8 in Window_func_runner::exec (this=<optimized out>, thd=<optimized out>, tbl=<optimized out>, filesort_result=<optimized out>)

    at /home/mariadb/mariadb-server/sql/sql_window.cc:3068

#6  0x0000000001592208 in Window_funcs_sort::exec (this=0xffff93468f10, join=<optimized out>, keep_filesort_result=true)

    at /home/mariadb/mariadb-server/sql/sql_window.cc:3096

#7  0x0000000001594f64 in Window_funcs_computation::exec (this=<optimized out>, join=0xffff64269220, keep_last_filesort_result=<optimized out>)

    at /home/mariadb/mariadb-server/sql/sql_window.cc:3225

#8  0x0000000000f21754 in AGGR_OP::end_send (this=0xffff6429e3d8) at /home/mariadb/mariadb-server/sql/sql_select.cc:33256

#9  0x0000000000e97718 in sub_select_postjoin_aggr (join=0xffff64269220, join_tab=0xffff934672e8, end_of_records=true)

    at /home/mariadb/mariadb-server/sql/sql_select.cc:23782

#10 0x0000000000e24dc8 in sub_select (join=0xffff64269220, join_tab=0xffff93466e70, end_of_records=<optimized out>)

    at /home/mariadb/mariadb-server/sql/sql_select.cc:24037

#11 0x0000000000e24dc8 in sub_select (join=0xffff64269220, join_tab=0xffff934669f8, end_of_records=<optimized out>)

    at /home/mariadb/mariadb-server/sql/sql_select.cc:24037

#12 0x0000000000ea8768 in do_select (join=0xffff64269220, procedure=0x0) at /home/mariadb/mariadb-server/sql/sql_select.cc:23617

#13 JOIN::exec_inner (this=0xffff64269220) at /home/mariadb/mariadb-server/sql/sql_select.cc:5046

#14 0x0000000000ea4dc0 in JOIN::exec (this=0xffff64269220) at /home/mariadb/mariadb-server/sql/sql_select.cc:4829

#15 0x0000000000e27d78 in mysql_select (thd=0xffff65262218, tables=<optimized out>, fields=..., conds=<optimized out>, og_num=<optimized out>,

    order=<optimized out>, group=<optimized out>, having=<optimized out>, proc_param=0x0, select_options=<optimized out>, result=0xffff64269128,

    unit=0xffff8baf6018, select_lex=0xffff8baf4250) at /home/mariadb/mariadb-server/sql/sql_select.cc:5362

#16 0x0000000000c0a3ec in mysql_derived_fill (thd=<optimized out>, lex=<optimized out>, derived=<optimized out>)

    at /home/mariadb/mariadb-server/sql/sql_derived.cc:1283

#17 0x0000000000c0c14c in mysql_handle_single_derived (lex=0xffff652664b0, derived=0xffff642611c0, phases=96)

    at /home/mariadb/mariadb-server/sql/sql_derived.cc:200

#18 0x0000000000eedbfc in st_join_table::preread_init (this=0xffff9346f408) at /home/mariadb/mariadb-server/sql/sql_select.cc:16671

#19 0x0000000000e24ee8 in sub_select (join=0xffff6427d740, join_tab=0xffff9346f408, end_of_records=<optimized out>)

    at /home/mariadb/mariadb-server/sql/sql_select.cc:24051

#20 0x0000000000f23108 in evaluate_join_record (join=0xffff6427d740, join_tab=<optimized out>, error=<optimized out>)

    at /home/mariadb/mariadb-server/sql/sql_select.cc:24337

#21 0x0000000000e25350 in sub_select (join=0xffff6427d740, join_tab=0xffff9346ef90, end_of_records=<optimized out>)

    at /home/mariadb/mariadb-server/sql/sql_select.cc:24104

#22 0x0000000000ea8374 in do_select (join=0xffff6427d740, procedure=0x0) at /home/mariadb/mariadb-server/sql/sql_select.cc:23615

#23 JOIN::exec_inner (this=0xffff6427d740) at /home/mariadb/mariadb-server/sql/sql_select.cc:5046

#24 0x0000000000ea4dc0 in JOIN::exec (this=0xffff6427d740) at /home/mariadb/mariadb-server/sql/sql_select.cc:4829

#25 0x0000000001105618 in st_select_lex_unit::exec_inner (this=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_union.cc:2437

#26 0x00000000010f5c04 in st_select_lex_unit::exec (this=0xffff64266708) at /home/mariadb/mariadb-server/sql/sql_union.cc:2342

#27 0x0000000000c0a02c in mysql_derived_fill (thd=<optimized out>, lex=<optimized out>, derived=<optimized out>)

    at /home/mariadb/mariadb-server/sql/sql_derived.cc:1272

#28 0x0000000000c0c14c in mysql_handle_single_derived (lex=0xffff652664b0, derived=0xffff642675b8, phases=96)

    at /home/mariadb/mariadb-server/sql/sql_derived.cc:200

#29 0x0000000000eedbfc in st_join_table::preread_init (this=0xffff934796a0) at /home/mariadb/mariadb-server/sql/sql_select.cc:16671

#30 0x0000000000e24ee8 in sub_select (join=0xffff64268b28, join_tab=0xffff934796a0, end_of_records=<optimized out>)

    at /home/mariadb/mariadb-server/sql/sql_select.cc:24051

#31 0x0000000000ea8374 in do_select (join=0xffff64268b28, procedure=0x0) at /home/mariadb/mariadb-server/sql/sql_select.cc:23615

#32 JOIN::exec_inner (this=0xffff64268b28) at /home/mariadb/mariadb-server/sql/sql_select.cc:5046

#33 0x0000000000ea4dc0 in JOIN::exec (this=0xffff64268b28) at /home/mariadb/mariadb-server/sql/sql_select.cc:4829

#34 0x0000000001105618 in st_select_lex_unit::exec_inner (this=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_union.cc:2437

#35 0x00000000010f5c04 in st_select_lex_unit::exec (this=0xffff65266590) at /home/mariadb/mariadb-server/sql/sql_union.cc:2342

#36 0x00000000010ee140 in mysql_union (thd=<optimized out>, lex=<optimized out>, result=<optimized out>, unit=0xffff65266590,

    setup_tables_done_option=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_union.cc:45

#37 0x0000000000e26a80 in handle_select (thd=0xffff65262218, lex=0xffff652664b0, result=0xffff64267e30, setup_tables_done_option=0)

    at /home/mariadb/mariadb-server/sql/sql_select.cc:623

#38 0x0000000000d4c2c0 in execute_sqlcom_select (thd=0xffff65262218, all_tables=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:6191

#39 0x0000000000d30e80 in mysql_execute_command (thd=0xffff65262218, is_called_from_prepared_stmt=<optimized out>)

    at /home/mariadb/mariadb-server/sql/sql_parse.cc:3979

#40 0x0000000000d1cd24 in mysql_parse (thd=0xffff65262218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>)

    at /home/mariadb/mariadb-server/sql/sql_parse.cc:7915

#41 0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>,

    blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902

#42 0x0000000000d1dbf4 in do_command (thd=0xffff65262218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415

#43 0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415

#44 0x00000000012841b4 in handle_one_connection (arg=0xffff6d63e9b8) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327

#45 0x0000000002200c38 in pfs_spawn_thread (arg=0xffff8b609a98) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198

#46 0x0000ffff97666624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477

#47 0x0000ffff9738866c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78

Attachments

Issue Links

duplicates

MDEV-26416 A SEGV in Field::set_notnull/Item::save_real_in_field

Confirmed

relates to

MDEV-28619 Server crash in /sql/sql_window.cc:3033 in Window_funcs_sort::setup(THD*, SQL_SELECT*, List_iterator<Item_window_func>&, st_join_table*)

Stalled

Activity

Ascending order - Click to sort in descending order

Yu Liang created issue - 2025-03-22 19:47

Yu Liang made changes - 2025-03-22 19:48

Field	Original Value	New Value
Priority	Major [ 3 ]	Critical [ 2 ]

Roel Van de Paar made changes - 2025-03-24 08:09

Description

MariaDB crashes when executing the following statement:

{code:sql}
DROP DATABASE IF EXISTS test123;
CREATE DATABASE IF NOT EXISTS test123;
USE test123;
CREATE TABLE v00 (c01 INT, c02 TEXT);
INSERT INTO v00 (c01, c02) VALUES (0, 'abc');
SELECT * FROM { ta60225505 v00 AS ta60225502 NATURAL RIGHT OUTER JOIN ( ( SELECT * FROM { ta60225509 v00 AS ta60225507 NATURAL STRAIGHT_JOIN v00 AS ta60225508 } LIMIT 1234567890 ROWS EXAMINED 1234567890 LOCK IN SHARE MODE SKIP LOCKED ) ORDER BY FALSE <=> + INTERVAL NOT FALSE = FALSE IN ( SELECT FALSE <=> FALSE IN ( SELECT 'string' ) ) SECOND_MICROSECOND + TRUE <=> TRUE IN ( SELECT 'string' ) << ROW_NUMBER ( ) OVER ( PARTITION BY NOT TRUE <=> FALSE IN ( SELECT 'string' ) DESC ) IN ( SELECT 'string' ) ) = ta60225506 NATURAL JOIN v00 AS ta60225503 };
{code}

The crash stack is:

{quote}
#0 0x00000000018acf4c in Field::set_notnull (this=0x0, row_offset=0) at /home/mariadb/mariadb-server/sql/field.h:1461
#1 Item::save_int_in_field (this=0xffff6425f5a0, field=0x0, no_conversions=true) at /home/mariadb/mariadb-server/sql/item.cc:7117
#2 0x00000000018ad344 in Item::save_in_field (this=0xffff6425f5a0, field=0x0, no_conversions=true) at /home/mariadb/mariadb-server/sql/item.cc:7134
#3 0x0000000001590bdc in save_window_function_values (window_functions=..., tbl=0xffff642b4438, rowid_buf=0xffff926436d8 "")
    at /home/mariadb/mariadb-server/sql/sql_window.cc:2793
#4 compute_window_func (thd=<optimized out>, window_functions=..., cursor_managers=..., tbl=<optimized out>, filesort_result=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_window.cc:2952
#5 0x0000000001591dc8 in Window_func_runner::exec (this=<optimized out>, thd=<optimized out>, tbl=<optimized out>, filesort_result=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_window.cc:3068
#6 0x0000000001592208 in Window_funcs_sort::exec (this=0xffff93468f10, join=<optimized out>, keep_filesort_result=true)
    at /home/mariadb/mariadb-server/sql/sql_window.cc:3096
#7 0x0000000001594f64 in Window_funcs_computation::exec (this=<optimized out>, join=0xffff64269220, keep_last_filesort_result=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_window.cc:3225
#8 0x0000000000f21754 in AGGR_OP::end_send (this=0xffff6429e3d8) at /home/mariadb/mariadb-server/sql/sql_select.cc:33256
#9 0x0000000000e97718 in sub_select_postjoin_aggr (join=0xffff64269220, join_tab=0xffff934672e8, end_of_records=true)
    at /home/mariadb/mariadb-server/sql/sql_select.cc:23782
#10 0x0000000000e24dc8 in sub_select (join=0xffff64269220, join_tab=0xffff93466e70, end_of_records=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_select.cc:24037
#11 0x0000000000e24dc8 in sub_select (join=0xffff64269220, join_tab=0xffff934669f8, end_of_records=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_select.cc:24037
#12 0x0000000000ea8768 in do_select (join=0xffff64269220, procedure=0x0) at /home/mariadb/mariadb-server/sql/sql_select.cc:23617
#13 JOIN::exec_inner (this=0xffff64269220) at /home/mariadb/mariadb-server/sql/sql_select.cc:5046
#14 0x0000000000ea4dc0 in JOIN::exec (this=0xffff64269220) at /home/mariadb/mariadb-server/sql/sql_select.cc:4829
#15 0x0000000000e27d78 in mysql_select (thd=0xffff65262218, tables=<optimized out>, fields=..., conds=<optimized out>, og_num=<optimized out>,
    order=<optimized out>, group=<optimized out>, having=<optimized out>, proc_param=0x0, select_options=<optimized out>, result=0xffff64269128,
    unit=0xffff8baf6018, select_lex=0xffff8baf4250) at /home/mariadb/mariadb-server/sql/sql_select.cc:5362
#16 0x0000000000c0a3ec in mysql_derived_fill (thd=<optimized out>, lex=<optimized out>, derived=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_derived.cc:1283
#17 0x0000000000c0c14c in mysql_handle_single_derived (lex=0xffff652664b0, derived=0xffff642611c0, phases=96)
    at /home/mariadb/mariadb-server/sql/sql_derived.cc:200
#18 0x0000000000eedbfc in st_join_table::preread_init (this=0xffff9346f408) at /home/mariadb/mariadb-server/sql/sql_select.cc:16671
#19 0x0000000000e24ee8 in sub_select (join=0xffff6427d740, join_tab=0xffff9346f408, end_of_records=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_select.cc:24051
#20 0x0000000000f23108 in evaluate_join_record (join=0xffff6427d740, join_tab=<optimized out>, error=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_select.cc:24337
#21 0x0000000000e25350 in sub_select (join=0xffff6427d740, join_tab=0xffff9346ef90, end_of_records=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_select.cc:24104
#22 0x0000000000ea8374 in do_select (join=0xffff6427d740, procedure=0x0) at /home/mariadb/mariadb-server/sql/sql_select.cc:23615
#23 JOIN::exec_inner (this=0xffff6427d740) at /home/mariadb/mariadb-server/sql/sql_select.cc:5046
#24 0x0000000000ea4dc0 in JOIN::exec (this=0xffff6427d740) at /home/mariadb/mariadb-server/sql/sql_select.cc:4829
#25 0x0000000001105618 in st_select_lex_unit::exec_inner (this=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_union.cc:2437
#26 0x00000000010f5c04 in st_select_lex_unit::exec (this=0xffff64266708) at /home/mariadb/mariadb-server/sql/sql_union.cc:2342
#27 0x0000000000c0a02c in mysql_derived_fill (thd=<optimized out>, lex=<optimized out>, derived=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_derived.cc:1272
#28 0x0000000000c0c14c in mysql_handle_single_derived (lex=0xffff652664b0, derived=0xffff642675b8, phases=96)
    at /home/mariadb/mariadb-server/sql/sql_derived.cc:200
#29 0x0000000000eedbfc in st_join_table::preread_init (this=0xffff934796a0) at /home/mariadb/mariadb-server/sql/sql_select.cc:16671
#30 0x0000000000e24ee8 in sub_select (join=0xffff64268b28, join_tab=0xffff934796a0, end_of_records=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_select.cc:24051
#31 0x0000000000ea8374 in do_select (join=0xffff64268b28, procedure=0x0) at /home/mariadb/mariadb-server/sql/sql_select.cc:23615
#32 JOIN::exec_inner (this=0xffff64268b28) at /home/mariadb/mariadb-server/sql/sql_select.cc:5046
#33 0x0000000000ea4dc0 in JOIN::exec (this=0xffff64268b28) at /home/mariadb/mariadb-server/sql/sql_select.cc:4829
#34 0x0000000001105618 in st_select_lex_unit::exec_inner (this=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_union.cc:2437
#35 0x00000000010f5c04 in st_select_lex_unit::exec (this=0xffff65266590) at /home/mariadb/mariadb-server/sql/sql_union.cc:2342
#36 0x00000000010ee140 in mysql_union (thd=<optimized out>, lex=<optimized out>, result=<optimized out>, unit=0xffff65266590,
    setup_tables_done_option=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_union.cc:45
#37 0x0000000000e26a80 in handle_select (thd=0xffff65262218, lex=0xffff652664b0, result=0xffff64267e30, setup_tables_done_option=0)
    at /home/mariadb/mariadb-server/sql/sql_select.cc:623
#38 0x0000000000d4c2c0 in execute_sqlcom_select (thd=0xffff65262218, all_tables=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:6191
#39 0x0000000000d30e80 in mysql_execute_command (thd=0xffff65262218, is_called_from_prepared_stmt=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_parse.cc:3979
#40 0x0000000000d1cd24 in mysql_parse (thd=0xffff65262218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_parse.cc:7915
#41 0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>,
    blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902
#42 0x0000000000d1dbf4 in do_command (thd=0xffff65262218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415
#43 0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415
#44 0x00000000012841b4 in handle_one_connection (arg=0xffff6d63e9b8) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327
#45 0x0000000002200c38 in pfs_spawn_thread (arg=0xffff8b609a98) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198
#46 0x0000ffff97666624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477
#47 0x0000ffff9738866c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78
{quote}

MariaDB crashes when executing the following statement:

{code:sql}
DROP DATABASE IF EXISTS test123;
CREATE DATABASE IF NOT EXISTS test123;
USE test123;
CREATE TABLE v00 (c01 INT, c02 TEXT);
INSERT INTO v00 (c01, c02) VALUES (0, 'abc');
SELECT * FROM { ta60225505 v00 AS ta60225502 NATURAL RIGHT OUTER JOIN ( ( SELECT * FROM { ta60225509 v00 AS ta60225507 NATURAL STRAIGHT_JOIN v00 AS ta60225508 } LIMIT 1234567890 ROWS EXAMINED 1234567890 LOCK IN SHARE MODE SKIP LOCKED ) ORDER BY FALSE <=> + INTERVAL NOT FALSE = FALSE IN ( SELECT FALSE <=> FALSE IN ( SELECT 'string' ) ) SECOND_MICROSECOND + TRUE <=> TRUE IN ( SELECT 'string' ) << ROW_NUMBER ( ) OVER ( PARTITION BY NOT TRUE <=> FALSE IN ( SELECT 'string' ) DESC ) IN ( SELECT 'string' ) ) = ta60225506 NATURAL JOIN v00 AS ta60225503 };
{code}
The crash stack is:
{noformat}
#0 0x00000000018acf4c in Field::set_notnull (this=0x0, row_offset=0) at /home/mariadb/mariadb-server/sql/field.h:1461
#1 Item::save_int_in_field (this=0xffff6425f5a0, field=0x0, no_conversions=true) at /home/mariadb/mariadb-server/sql/item.cc:7117
#2 0x00000000018ad344 in Item::save_in_field (this=0xffff6425f5a0, field=0x0, no_conversions=true) at /home/mariadb/mariadb-server/sql/item.cc:7134
#3 0x0000000001590bdc in save_window_function_values (window_functions=..., tbl=0xffff642b4438, rowid_buf=0xffff926436d8 "")
    at /home/mariadb/mariadb-server/sql/sql_window.cc:2793
#4 compute_window_func (thd=<optimized out>, window_functions=..., cursor_managers=..., tbl=<optimized out>, filesort_result=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_window.cc:2952
#5 0x0000000001591dc8 in Window_func_runner::exec (this=<optimized out>, thd=<optimized out>, tbl=<optimized out>, filesort_result=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_window.cc:3068
#6 0x0000000001592208 in Window_funcs_sort::exec (this=0xffff93468f10, join=<optimized out>, keep_filesort_result=true)
    at /home/mariadb/mariadb-server/sql/sql_window.cc:3096
#7 0x0000000001594f64 in Window_funcs_computation::exec (this=<optimized out>, join=0xffff64269220, keep_last_filesort_result=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_window.cc:3225
#8 0x0000000000f21754 in AGGR_OP::end_send (this=0xffff6429e3d8) at /home/mariadb/mariadb-server/sql/sql_select.cc:33256
#9 0x0000000000e97718 in sub_select_postjoin_aggr (join=0xffff64269220, join_tab=0xffff934672e8, end_of_records=true)
    at /home/mariadb/mariadb-server/sql/sql_select.cc:23782
#10 0x0000000000e24dc8 in sub_select (join=0xffff64269220, join_tab=0xffff93466e70, end_of_records=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_select.cc:24037
#11 0x0000000000e24dc8 in sub_select (join=0xffff64269220, join_tab=0xffff934669f8, end_of_records=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_select.cc:24037
#12 0x0000000000ea8768 in do_select (join=0xffff64269220, procedure=0x0) at /home/mariadb/mariadb-server/sql/sql_select.cc:23617
#13 JOIN::exec_inner (this=0xffff64269220) at /home/mariadb/mariadb-server/sql/sql_select.cc:5046
#14 0x0000000000ea4dc0 in JOIN::exec (this=0xffff64269220) at /home/mariadb/mariadb-server/sql/sql_select.cc:4829
#15 0x0000000000e27d78 in mysql_select (thd=0xffff65262218, tables=<optimized out>, fields=..., conds=<optimized out>, og_num=<optimized out>,
    order=<optimized out>, group=<optimized out>, having=<optimized out>, proc_param=0x0, select_options=<optimized out>, result=0xffff64269128,
    unit=0xffff8baf6018, select_lex=0xffff8baf4250) at /home/mariadb/mariadb-server/sql/sql_select.cc:5362
#16 0x0000000000c0a3ec in mysql_derived_fill (thd=<optimized out>, lex=<optimized out>, derived=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_derived.cc:1283
#17 0x0000000000c0c14c in mysql_handle_single_derived (lex=0xffff652664b0, derived=0xffff642611c0, phases=96)
    at /home/mariadb/mariadb-server/sql/sql_derived.cc:200
#18 0x0000000000eedbfc in st_join_table::preread_init (this=0xffff9346f408) at /home/mariadb/mariadb-server/sql/sql_select.cc:16671
#19 0x0000000000e24ee8 in sub_select (join=0xffff6427d740, join_tab=0xffff9346f408, end_of_records=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_select.cc:24051
#20 0x0000000000f23108 in evaluate_join_record (join=0xffff6427d740, join_tab=<optimized out>, error=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_select.cc:24337
#21 0x0000000000e25350 in sub_select (join=0xffff6427d740, join_tab=0xffff9346ef90, end_of_records=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_select.cc:24104
#22 0x0000000000ea8374 in do_select (join=0xffff6427d740, procedure=0x0) at /home/mariadb/mariadb-server/sql/sql_select.cc:23615
#23 JOIN::exec_inner (this=0xffff6427d740) at /home/mariadb/mariadb-server/sql/sql_select.cc:5046
#24 0x0000000000ea4dc0 in JOIN::exec (this=0xffff6427d740) at /home/mariadb/mariadb-server/sql/sql_select.cc:4829
#25 0x0000000001105618 in st_select_lex_unit::exec_inner (this=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_union.cc:2437
#26 0x00000000010f5c04 in st_select_lex_unit::exec (this=0xffff64266708) at /home/mariadb/mariadb-server/sql/sql_union.cc:2342
#27 0x0000000000c0a02c in mysql_derived_fill (thd=<optimized out>, lex=<optimized out>, derived=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_derived.cc:1272
#28 0x0000000000c0c14c in mysql_handle_single_derived (lex=0xffff652664b0, derived=0xffff642675b8, phases=96)
    at /home/mariadb/mariadb-server/sql/sql_derived.cc:200
#29 0x0000000000eedbfc in st_join_table::preread_init (this=0xffff934796a0) at /home/mariadb/mariadb-server/sql/sql_select.cc:16671
#30 0x0000000000e24ee8 in sub_select (join=0xffff64268b28, join_tab=0xffff934796a0, end_of_records=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_select.cc:24051
#31 0x0000000000ea8374 in do_select (join=0xffff64268b28, procedure=0x0) at /home/mariadb/mariadb-server/sql/sql_select.cc:23615
#32 JOIN::exec_inner (this=0xffff64268b28) at /home/mariadb/mariadb-server/sql/sql_select.cc:5046
#33 0x0000000000ea4dc0 in JOIN::exec (this=0xffff64268b28) at /home/mariadb/mariadb-server/sql/sql_select.cc:4829
#34 0x0000000001105618 in st_select_lex_unit::exec_inner (this=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_union.cc:2437
#35 0x00000000010f5c04 in st_select_lex_unit::exec (this=0xffff65266590) at /home/mariadb/mariadb-server/sql/sql_union.cc:2342
#36 0x00000000010ee140 in mysql_union (thd=<optimized out>, lex=<optimized out>, result=<optimized out>, unit=0xffff65266590,
    setup_tables_done_option=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_union.cc:45
#37 0x0000000000e26a80 in handle_select (thd=0xffff65262218, lex=0xffff652664b0, result=0xffff64267e30, setup_tables_done_option=0)
    at /home/mariadb/mariadb-server/sql/sql_select.cc:623
#38 0x0000000000d4c2c0 in execute_sqlcom_select (thd=0xffff65262218, all_tables=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:6191
#39 0x0000000000d30e80 in mysql_execute_command (thd=0xffff65262218, is_called_from_prepared_stmt=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_parse.cc:3979
#40 0x0000000000d1cd24 in mysql_parse (thd=0xffff65262218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>)
    at /home/mariadb/mariadb-server/sql/sql_parse.cc:7915
#41 0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>,
    blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902
#42 0x0000000000d1dbf4 in do_command (thd=0xffff65262218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415
#43 0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415
#44 0x00000000012841b4 in handle_one_connection (arg=0xffff6d63e9b8) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327
#45 0x0000000002200c38 in pfs_spawn_thread (arg=0xffff8b609a98) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198
#46 0x0000ffff97666624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477
#47 0x0000ffff9738866c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78
{noformat}

Roel Van de Paar made changes - 2025-03-24 08:15

Environment

Ubuntu 24.04 ARM64 VM

Roel Van de Paar made changes - 2025-03-24 08:15

Labels

crash

not-10.6

Roel Van de Paar made changes - 2025-03-24 08:15

Fix Version/s		10.11 [ 27614 ]
Fix Version/s		11.4 [ 29301 ]
Fix Version/s		11.8 [ 29921 ]
Affects Version/s		10.11 [ 27614 ]
Affects Version/s		11.4 [ 29301 ]
Affects Version/s		11.8 [ 29921 ]
Affects Version/s		12.0 [ 29945 ]
Affects Version/s	11.7.2 [ 29914 ]

Roel Van de Paar made changes - 2025-03-24 08:16

Status

Open [ 1 ]

Confirmed [ 10101 ]

Roel Van de Paar made changes - 2025-03-24 08:17

Assignee

Sergei Petrunia [ psergey ]

Roel Van de Paar made changes - 2025-03-24 08:17

Summary

MariaDB crashes when executing complex SELECT

MariaDB crashes in Item::save_int_in_field executing complex SELECT

Roel Van de Paar made changes - 2025-03-24 08:17

Summary

MariaDB crashes in Item::save_int_in_field executing complex SELECT

MariaDB crashes in Item::save_int_in_field upon executing complex SELECT

Roel Van de Paar made changes - 2025-03-24 08:17

Summary

MariaDB crashes in Item::save_int_in_field upon executing complex SELECT

MariaDB crashes in Item::save_int_in_field upon executing a complex SELECT

Roel Van de Paar made changes - 2025-03-24 08:19

Labels

not-10.6

UBSAN not-10.6 null-pointer-use

Roel Van de Paar made changes - 2025-03-24 08:29

Summary

MariaDB crashes in Item::save_int_in_field upon executing a complex SELECT

MariaDB crashes in Item::save_int_in_field and UBSAN member call on null pointer of type 'Field' upon executing a complex SELECT

Alice Sherepa made changes - 2025-03-24 11:02

Link

This issue duplicates MDEV-26416 [ MDEV-26416 ]

Alice Sherepa made changes - 2025-03-25 17:01

Component/s

Optimizer - Window functions [ 13502 ]

Alice Sherepa made changes - 2025-03-25 17:02

Link

This issue relates to MDEV-28619 [ MDEV-28619 ]

People

Assignee:: Sergei Petrunia

Reporter:: Yu Liang

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2025-03-22 19:47

Updated:: 2025-03-25 17:02

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration