MDEV-36356 (MariaDB Server)

MariaDB crashes in Item::save_int_in_field and UBSAN member call on null pointer of type 'Field' upon executing a complex SELECT

    Description

      MariaDB crashes when executing the following statements:

      DROP DATABASE IF EXISTS test123;
      CREATE DATABASE IF NOT EXISTS test123;
      USE test123;
      CREATE TABLE v00 (c01 INT, c02 TEXT);
      INSERT INTO v00 (c01, c02) VALUES (0, 'abc');
      SELECT * FROM { ta60225505 v00 AS ta60225502 NATURAL RIGHT OUTER JOIN ( ( SELECT * FROM { ta60225509 v00 AS ta60225507 NATURAL STRAIGHT_JOIN v00 AS ta60225508 } LIMIT 1234567890 ROWS EXAMINED 1234567890 LOCK IN SHARE MODE SKIP LOCKED ) ORDER BY FALSE <=> + INTERVAL NOT FALSE = FALSE IN ( SELECT FALSE <=> FALSE IN ( SELECT 'string' ) ) SECOND_MICROSECOND + TRUE <=> TRUE IN ( SELECT 'string' ) << ROW_NUMBER ( ) OVER ( PARTITION BY NOT TRUE <=> FALSE IN ( SELECT 'string' ) DESC ) IN ( SELECT 'string' ) ) = ta60225506 NATURAL JOIN v00 AS ta60225503 };
      

      The crash stack is:

      #0  0x00000000018acf4c in Field::set_notnull (this=0x0, row_offset=0) at /home/mariadb/mariadb-server/sql/field.h:1461
      #1  Item::save_int_in_field (this=0xffff6425f5a0, field=0x0, no_conversions=true) at /home/mariadb/mariadb-server/sql/item.cc:7117
      #2  0x00000000018ad344 in Item::save_in_field (this=0xffff6425f5a0, field=0x0, no_conversions=true) at /home/mariadb/mariadb-server/sql/item.cc:7134
      #3  0x0000000001590bdc in save_window_function_values (window_functions=..., tbl=0xffff642b4438, rowid_buf=0xffff926436d8 "")
          at /home/mariadb/mariadb-server/sql/sql_window.cc:2793
      #4  compute_window_func (thd=<optimized out>, window_functions=..., cursor_managers=..., tbl=<optimized out>, filesort_result=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_window.cc:2952
      #5  0x0000000001591dc8 in Window_func_runner::exec (this=<optimized out>, thd=<optimized out>, tbl=<optimized out>, filesort_result=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_window.cc:3068
      #6  0x0000000001592208 in Window_funcs_sort::exec (this=0xffff93468f10, join=<optimized out>, keep_filesort_result=true)
          at /home/mariadb/mariadb-server/sql/sql_window.cc:3096
      #7  0x0000000001594f64 in Window_funcs_computation::exec (this=<optimized out>, join=0xffff64269220, keep_last_filesort_result=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_window.cc:3225
      #8  0x0000000000f21754 in AGGR_OP::end_send (this=0xffff6429e3d8) at /home/mariadb/mariadb-server/sql/sql_select.cc:33256
      #9  0x0000000000e97718 in sub_select_postjoin_aggr (join=0xffff64269220, join_tab=0xffff934672e8, end_of_records=true)
          at /home/mariadb/mariadb-server/sql/sql_select.cc:23782
      #10 0x0000000000e24dc8 in sub_select (join=0xffff64269220, join_tab=0xffff93466e70, end_of_records=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_select.cc:24037
      #11 0x0000000000e24dc8 in sub_select (join=0xffff64269220, join_tab=0xffff934669f8, end_of_records=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_select.cc:24037
      #12 0x0000000000ea8768 in do_select (join=0xffff64269220, procedure=0x0) at /home/mariadb/mariadb-server/sql/sql_select.cc:23617
      #13 JOIN::exec_inner (this=0xffff64269220) at /home/mariadb/mariadb-server/sql/sql_select.cc:5046
      #14 0x0000000000ea4dc0 in JOIN::exec (this=0xffff64269220) at /home/mariadb/mariadb-server/sql/sql_select.cc:4829
      #15 0x0000000000e27d78 in mysql_select (thd=0xffff65262218, tables=<optimized out>, fields=..., conds=<optimized out>, og_num=<optimized out>,
          order=<optimized out>, group=<optimized out>, having=<optimized out>, proc_param=0x0, select_options=<optimized out>, result=0xffff64269128,
          unit=0xffff8baf6018, select_lex=0xffff8baf4250) at /home/mariadb/mariadb-server/sql/sql_select.cc:5362
      #16 0x0000000000c0a3ec in mysql_derived_fill (thd=<optimized out>, lex=<optimized out>, derived=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_derived.cc:1283
      #17 0x0000000000c0c14c in mysql_handle_single_derived (lex=0xffff652664b0, derived=0xffff642611c0, phases=96)
          at /home/mariadb/mariadb-server/sql/sql_derived.cc:200
      #18 0x0000000000eedbfc in st_join_table::preread_init (this=0xffff9346f408) at /home/mariadb/mariadb-server/sql/sql_select.cc:16671
      #19 0x0000000000e24ee8 in sub_select (join=0xffff6427d740, join_tab=0xffff9346f408, end_of_records=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_select.cc:24051
      #20 0x0000000000f23108 in evaluate_join_record (join=0xffff6427d740, join_tab=<optimized out>, error=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_select.cc:24337
      #21 0x0000000000e25350 in sub_select (join=0xffff6427d740, join_tab=0xffff9346ef90, end_of_records=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_select.cc:24104
      #22 0x0000000000ea8374 in do_select (join=0xffff6427d740, procedure=0x0) at /home/mariadb/mariadb-server/sql/sql_select.cc:23615
      #23 JOIN::exec_inner (this=0xffff6427d740) at /home/mariadb/mariadb-server/sql/sql_select.cc:5046
      #24 0x0000000000ea4dc0 in JOIN::exec (this=0xffff6427d740) at /home/mariadb/mariadb-server/sql/sql_select.cc:4829
      #25 0x0000000001105618 in st_select_lex_unit::exec_inner (this=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_union.cc:2437
      #26 0x00000000010f5c04 in st_select_lex_unit::exec (this=0xffff64266708) at /home/mariadb/mariadb-server/sql/sql_union.cc:2342
      #27 0x0000000000c0a02c in mysql_derived_fill (thd=<optimized out>, lex=<optimized out>, derived=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_derived.cc:1272
      #28 0x0000000000c0c14c in mysql_handle_single_derived (lex=0xffff652664b0, derived=0xffff642675b8, phases=96)
          at /home/mariadb/mariadb-server/sql/sql_derived.cc:200
      #29 0x0000000000eedbfc in st_join_table::preread_init (this=0xffff934796a0) at /home/mariadb/mariadb-server/sql/sql_select.cc:16671
      #30 0x0000000000e24ee8 in sub_select (join=0xffff64268b28, join_tab=0xffff934796a0, end_of_records=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_select.cc:24051
      #31 0x0000000000ea8374 in do_select (join=0xffff64268b28, procedure=0x0) at /home/mariadb/mariadb-server/sql/sql_select.cc:23615
      #32 JOIN::exec_inner (this=0xffff64268b28) at /home/mariadb/mariadb-server/sql/sql_select.cc:5046
      #33 0x0000000000ea4dc0 in JOIN::exec (this=0xffff64268b28) at /home/mariadb/mariadb-server/sql/sql_select.cc:4829
      #34 0x0000000001105618 in st_select_lex_unit::exec_inner (this=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_union.cc:2437
      #35 0x00000000010f5c04 in st_select_lex_unit::exec (this=0xffff65266590) at /home/mariadb/mariadb-server/sql/sql_union.cc:2342
      #36 0x00000000010ee140 in mysql_union (thd=<optimized out>, lex=<optimized out>, result=<optimized out>, unit=0xffff65266590,
          setup_tables_done_option=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_union.cc:45
      #37 0x0000000000e26a80 in handle_select (thd=0xffff65262218, lex=0xffff652664b0, result=0xffff64267e30, setup_tables_done_option=0)
          at /home/mariadb/mariadb-server/sql/sql_select.cc:623
      #38 0x0000000000d4c2c0 in execute_sqlcom_select (thd=0xffff65262218, all_tables=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:6191
      #39 0x0000000000d30e80 in mysql_execute_command (thd=0xffff65262218, is_called_from_prepared_stmt=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_parse.cc:3979
      #40 0x0000000000d1cd24 in mysql_parse (thd=0xffff65262218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>)
          at /home/mariadb/mariadb-server/sql/sql_parse.cc:7915
      #41 0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>,
          blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902
      #42 0x0000000000d1dbf4 in do_command (thd=0xffff65262218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415
      #43 0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415
      #44 0x00000000012841b4 in handle_one_connection (arg=0xffff6d63e9b8) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327
      #45 0x0000000002200c38 in pfs_spawn_thread (arg=0xffff8b609a98) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198
      #46 0x0000ffff97666624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477
      #47 0x0000ffff9738866c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78
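
Added triage aid, not part of the report: a small Python parser for gdb backtraces in the format shown above. It rebuilds frames that gdb wraps onto a continuation line, extracts each frame's arguments, and then answers the two questions a triager asks first: which frame made the member call on a null object (the `this=0x0` in frame #0, matching the UBSAN "member call on null pointer of type 'Field'" in the title), and which is the outermost frame still carrying the null pointer as an argument (frame #2, `field=0x0`), so that its caller, `save_window_function_values` in frame #3, is where the null `Field*` was produced. The embedded stack is frames #0 to #3 copied from this report; the function names (`parse_backtrace`, `null_pointer_args`, `faulting_frame`, `null_origin`) are my own choice.

```python
import re
from typing import Dict, List, Optional, Tuple

# Frames #0 to #3 of the MDEV-36356 crash stack; gdb wraps frame #3 onto a
# continuation line, which is exactly what the parser must glue back together.
CRASH_STACK = """\
#0  0x00000000018acf4c in Field::set_notnull (this=0x0, row_offset=0) at /home/mariadb/mariadb-server/sql/field.h:1461
#1  Item::save_int_in_field (this=0xffff6425f5a0, field=0x0, no_conversions=true) at /home/mariadb/mariadb-server/sql/item.cc:7117
#2  0x00000000018ad344 in Item::save_in_field (this=0xffff6425f5a0, field=0x0, no_conversions=true) at /home/mariadb/mariadb-server/sql/item.cc:7134
#3  0x0000000001590bdc in save_window_function_values (window_functions=..., tbl=0xffff642b4438, rowid_buf=0xffff926436d8 "")
    at /home/mariadb/mariadb-server/sql/sql_window.cc:2793
"""

# One gdb frame: "#N  [0xADDR in ]func (args)[ at file:line]".
# The address is absent when gdb prints an inlined frame (frame #1 above).
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+"
    r"(?:(?P<addr>0x[0-9a-fA-F]+) in )?"
    r"(?P<func>[^\s(]+)\s*"
    r"\((?P<args>.*)\)"
    r"(?:\s+at\s+(?P<file>\S+):(?P<line>\d+))?\s*$",
    re.DOTALL,
)

# A pointer-typed argument whose printed value is the null pointer, e.g. "this=0x0".
NULL_PTR_RE = re.compile(r"^0x0(?:\s|$)")


def _join_continuations(text: str) -> List[str]:
    """Glue gdb's wrapped continuation lines (not starting with '#') onto their frame."""
    frames: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.lstrip().startswith("#"):
            frames.append(line.strip())
        elif frames:
            frames[-1] += "\n" + line.strip()
    return frames


def parse_backtrace(text: str) -> List[Dict]:
    """Parse a gdb backtrace into dicts with num, addr, func, args, file, line."""
    parsed = []
    for raw in _join_continuations(text):
        m = FRAME_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised frame line: {raw!r}")
        args: Dict[str, str] = {}
        for item in (re.split(r",\s+", m.group("args")) if m.group("args") else []):
            name, _, value = item.partition("=")
            args[name.strip()] = value.strip()
        parsed.append({
            "num": int(m.group("num")),
            "addr": m.group("addr"),
            "func": m.group("func"),
            "args": args,
            "file": m.group("file"),
            "line": int(m.group("line")) if m.group("line") else None,
        })
    return parsed


def null_pointer_args(frames: List[Dict]) -> List[Tuple[int, str, str]]:
    """Every (frame number, function, argument name) whose argument is 0x0."""
    hits = []
    for f in sorted(frames, key=lambda x: x["num"]):
        for name, value in f["args"].items():
            if NULL_PTR_RE.match(value):
                hits.append((f["num"], f["func"], name))
    return hits


def faulting_frame(frames: List[Dict]) -> Optional[Dict]:
    """Innermost frame entered as a member call on a null object (this=0x0), or None."""
    for f in sorted(frames, key=lambda x: x["num"]):
        if NULL_PTR_RE.match(f["args"].get("this", "")):
            return f
    return None


def null_origin(frames: List[Dict]) -> Optional[Dict]:
    """Outermost frame that still receives the null pointer as an argument.
    Its caller (the next frame up) is where the null value was produced."""
    for f in sorted(frames, key=lambda x: x["num"], reverse=True):
        if any(NULL_PTR_RE.match(v) for v in f["args"].values()):
            return f
    return None


if __name__ == "__main__":
    fr = parse_backtrace(CRASH_STACK)
    f = faulting_frame(fr)
    print(f"member call on null object in frame #{f['num']}: {f['func']} at {f['file']}:{f['line']}")
    o = null_origin(fr)
    print(f"null pointer last visible as argument in frame #{o['num']}: {o['func']}; look at its caller")
    for num, func, arg in null_pointer_args(fr):
        print(f"  #{num} {func}: {arg}=0x0")
```

Feeding the full 48-frame stack from the report to `parse_backtrace` works the same way; the only frame this regex treats specially is one without an address, which gdb prints for inlined code. Frames whose arguments are elided as `<optimized out>` are parsed but never flagged, so a null that was optimised out of the listing is not reported, and the caller named by `null_origin` is the earliest point the backtrace can support.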
      

          Activity

            Roel Van de Paar made transition: Open -> Confirmed (time in source status: 1d 12h 28m; execution times: 1)

            People

              psergei Sergei Petrunia
              luy70 Yu Liang
