MariaDB Server
MDEV-36363

MariaDB crashes within JOIN optimization

Details

    Description

      This bug is very likely related to MDEV-36356, but I am not sure.

      PoC:

      DROP DATABASE IF EXISTS test123;
      CREATE DATABASE IF NOT EXISTS test123;
      USE test123;
      CREATE TABLE v00 (c01 INT, c02 TEXT);
      CREATE INDEX i03 ON v00 (c01);
      INSERT INTO v00 (c01, c02) VALUES (0, 'abc');
      SELECT SQL_CACHE *, TRUE >= FALSE IN ( SELECT 'string' ), TRUE < FALSE IN ( SELECT 'string' ) FROM ( ( ( ( SELECT TRUE FROM v00 AS ta70203004 LOCK IN SHARE MODE SKIP LOCKED ) ORDER BY TRUE != AVG ( FALSE ) OVER ( ) IS UNKNOWN XOR TRUE != INTERVAL TRUE AND TRUE DAY_HOUR + FALSE != TRUE IN ( SELECT 'string' ) IN ( SELECT 'string' ) AND FALSE XOR FALSE LIMIT ROWS EXAMINED 1234567890 ) AS ta70203003 NATURAL STRAIGHT_JOIN v00 AS ta70203000, v00 AS ta70203001 NATURAL JOIN v00 AS ta70203002 ) ) WINDOW no_window_name AS ( PARTITION BY FALSE ASC, TRUE < TRUE IN ( SELECT 'string' ), TRUE >= TRUE IN ( SELECT 'string' ) DESC ORDER BY TRUE >= FALSE IN ( SELECT 'string' ) );
      

      Crash stack: NULL pointer dereference. Potentially the same root cause as MDEV-36356.

      #0 0x00000000018849b8 in Item_field::Item_field (this=<optimized out>, thd=<optimized out>, f=0x0) at /home/mariadb/mariadb-server/sql/item.cc:3183
      #1 0x0000000001592a74 in Window_funcs_sort::setup (this=<optimized out>, thd=0xffff6b462218, sel=0x0, it=..., join_tab=<optimized out>)
      at /home/mariadb/mariadb-server/sql/sql_window.cc:3162
      #2 0x0000000001594648 in Window_funcs_computation::setup (this=<optimized out>, thd=<optimized out>, window_funcs=0xffff918f3d78, tab=<optimized out>)
      at /home/mariadb/mariadb-server/sql/sql_window.cc:3204
      #3 0x0000000000e8ee44 in JOIN::make_aggr_tables_info (this=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_select.cc:4252
      #4 0x0000000000e4ad14 in JOIN::optimize_stage2 (this=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_select.cc:3500
      #5 0x0000000000e5489c in JOIN::optimize_inner (this=0xffff6a4ac468) at /home/mariadb/mariadb-server/sql/sql_select.cc:2731
      #6 0x0000000000e3dd0c in JOIN::optimize (this=0xffff6a4ac468) at /home/mariadb/mariadb-server/sql/sql_select.cc:1994
      #7 0x0000000000c06894 in mysql_derived_optimize (thd=<optimized out>, lex=<optimized out>, derived=<optimized out>)
      at /home/mariadb/mariadb-server/sql/sql_derived.cc:1037
      #8 0x0000000000c0c14c in mysql_handle_single_derived (lex=0xffff6b4664b0, derived=0xffff6a4a0c88, phases=4)
      at /home/mariadb/mariadb-server/sql/sql_derived.cc:200
      #9 0x0000000000e53f54 in JOIN::optimize_inner (this=0xffff6a4abb98) at /home/mariadb/mariadb-server/sql/sql_select.cc:2521
      #10 0x0000000000e3dd0c in JOIN::optimize (this=0xffff6a4abb98) at /home/mariadb/mariadb-server/sql/sql_select.cc:1994
      #11 0x0000000000e27864 in mysql_select (thd=0xffff6b462218, tables=<optimized out>, fields=..., conds=<optimized out>, og_num=<optimized out>,
      order=<optimized out>, group=<optimized out>, having=<optimized out>, proc_param=0x0, select_options=<optimized out>, result=0xffff6a4abb68,
      unit=0xffff6b466590, select_lex=0xffff918f09e0) at /home/mariadb/mariadb-server/sql/sql_select.cc:5348
      #12 0x0000000000e26f08 in handle_select (thd=0xffff6b462218, lex=0xffff6b4664b0, result=0xffff6a4abb68, setup_tables_done_option=0)
      at /home/mariadb/mariadb-server/sql/sql_select.cc:633
      #13 0x0000000000d4c2c0 in execute_sqlcom_select (thd=0xffff6b462218, all_tables=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:6191
      #14 0x0000000000d30e80 in mysql_execute_command (thd=0xffff6b462218, is_called_from_prepared_stmt=<optimized out>)
      at /home/mariadb/mariadb-server/sql/sql_parse.cc:3979
      #15 0x0000000000d1cd24 in mysql_parse (thd=0xffff6b462218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>)
      at /home/mariadb/mariadb-server/sql/sql_parse.cc:7915
      #16 0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>,
      blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902
      #17 0x0000000000d1dbf4 in do_command (thd=0xffff6b462218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415
      #18 0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415
      #19 0x00000000012841b4 in handle_one_connection (arg=0xffff97a1a9b8) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327
      #20 0x0000000002200c38 in pfs_spawn_thread (arg=0xffff91409a98) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198
      #21 0x0000ffff9d618624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477
      #22 0x0000ffff9d33a66c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78

          Activity

            Alice Sherepa added a comment -

            Thank you! I repeated as described, yes, it is related to MDEV-36356 and a duplicate of MDEV-32609:

            Version: '11.8.1-MariaDB-debug-log' 
            250325 17:56:35 [ERROR] /11.8/bld/sql/mariadbd got signal 11 ;
             
            Server version: 11.8.1-MariaDB-debug-log source revision: cc831f16c82f00d3531e09c2f5c59eadc0abb0d7
             
            sql/signal_handler.cc:230(handle_fatal_signal)[0x559a12e94ce5]
            sigaction.c:0(__restore_rt)[0x7f71fb90f420]
            sql/item.cc:3206(Item_field::Item_field(THD*, Field*))[0x559a12f10c48]
            sql/sql_window.cc:3162(Window_funcs_sort::setup(THD*, SQL_SELECT*, List_iterator<Item_window_func>&, st_join_table*))[0x559a12c7bce2]
            sql/sql_window.cc:3203(Window_funcs_computation::setup(THD*, List<Item_window_func>*, st_join_table*))[0x559a12c7c3a9]
            sql/sql_select.cc:4265(JOIN::make_aggr_tables_info())[0x559a125db8ef]
            sql/sql_select.cc:3506(JOIN::optimize_stage2())[0x559a125d2c52]
            sql/sql_select.cc:2737(JOIN::optimize_inner())[0x559a125cac9d]
            sql/sql_select.cc:1994(JOIN::optimize())[0x559a125c30ab]
            sql/sql_derived.cc:1037(mysql_derived_optimize(THD*, LEX*, TABLE_LIST*))[0x559a123c9a18]
            sql/sql_derived.cc:200(mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int))[0x559a123c40c2]
            sql/sql_select.cc:2527(JOIN::optimize_inner())[0x559a125c8d39]
            sql/sql_select.cc:1994(JOIN::optimize())[0x559a125c30ab]
            sql/sql_select.cc:5361(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x559a125e64d9]
            sql/sql_select.cc:633(handle_select(THD*, LEX*, select_result*, unsigned long long))[0x559a125b3a90]
            sql/sql_parse.cc:6191(execute_sqlcom_select(THD*, TABLE_LIST*))[0x559a124cdffc]
            sql/sql_parse.cc:3979(mysql_execute_command(THD*, bool))[0x559a124bdba8]
            sql/sql_parse.cc:7915(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x559a124d90a0]
            sql/sql_parse.cc:1904(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x559a124af4c4]
            sql/sql_parse.cc:1415(do_command(THD*, bool))[0x559a124ac15b]
            sql/sql_connect.cc:1415(do_handle_one_connection(CONNECT*, bool))[0x559a129c66ea]
            sql/sql_connect.cc:1329(handle_one_connection)[0x559a129c623d]
            perfschema/pfs.cc:2200(pfs_spawn_thread)[0x559a136f22c4]
            nptl/pthread_create.c:478(start_thread)[0x7f71fb903609]
             
             
            Connection ID (thread ID): 4
            Status: NOT_KILLED
            Query (0x62d0003e84a8): SELECT sql_cache *,
            TRUE >= FALSE IN
            (SELECT 'string'), TRUE < FALSE IN
            (SELECT 'string')
            FROM (((
            (SELECT TRUE
            FROM v00 AS ta70203004 LOCK IN SHARE MODE skip locked)
            ORDER BY TRUE != AVG (FALSE) over () IS UNKNOWN xor TRUE != INTERVAL TRUE
            AND TRUE day_hour + FALSE != TRUE IN
            (SELECT 'string') IN
            (SELECT 'string')
            AND FALSE xor FALSE LIMIT ROWS examined 1234567890) AS ta70203003 NATURAL
            STRAIGHT_JOIN v00 AS ta70203000,
            v00 AS ta70203001
            NATURAL JOIN v00 AS ta70203002)) window no_window_name AS (partition BY FALSE ASC, TRUE < TRUE IN
            (SELECT 'string'), TRUE >= TRUE IN
            (SELECT 'string') DESC
            ORDER BY TRUE >= FALSE IN
            (SELECT 'string'))
            

            test case from MDEV-32609:

            Version: '11.8.1-MariaDB-debug-log'  
            250325 17:58:50 [ERROR] /11.8/bld/sql/mariadbd got signal 11 ;
             
            Server version: 11.8.1-MariaDB-debug-log source revision: cc831f16c82f00d3531e09c2f5c59eadc0abb0d7
             
            sql/signal_handler.cc:230(handle_fatal_signal)[0x55d58f63dce5]
            sigaction.c:0(__restore_rt)[0x7fcf43428420]
            sql/item.cc:3206(Item_field::Item_field(THD*, Field*))[0x55d58f6b9c48]
            sql/sql_window.cc:3162(Window_funcs_sort::setup(THD*, SQL_SELECT*, List_iterator<Item_window_func>&, st_join_table*))[0x55d58f424ce2]
            sql/sql_window.cc:3203(Window_funcs_computation::setup(THD*, List<Item_window_func>*, st_join_table*))[0x55d58f4253a9]
            sql/sql_select.cc:4265(JOIN::make_aggr_tables_info())[0x55d58ed848ef]
            sql/sql_select.cc:3547(JOIN::optimize_stage2())[0x55d58ed7c219]
            sql/sql_select.cc:2737(JOIN::optimize_inner())[0x55d58ed73c9d]
            sql/sql_select.cc:1994(JOIN::optimize())[0x55d58ed6c0ab]
            sql/sql_derived.cc:1037(mysql_derived_optimize(THD*, LEX*, TABLE_LIST*))[0x55d58eb72a18]
            sql/sql_derived.cc:200(mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int))[0x55d58eb6d0c2]
            sql/sql_select.cc:2527(JOIN::optimize_inner())[0x55d58ed71d39]
            sql/sql_select.cc:1994(JOIN::optimize())[0x55d58ed6c0ab]
            sql/sql_select.cc:5361(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55d58ed8f4d9]
            sql/sql_select.cc:633(handle_select(THD*, LEX*, select_result*, unsigned long long))[0x55d58ed5ca90]
            sql/sql_parse.cc:6191(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55d58ec76ffc]
            sql/sql_parse.cc:3979(mysql_execute_command(THD*, bool))[0x55d58ec66ba8]
            sql/sql_parse.cc:7915(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55d58ec820a0]
            sql/sql_parse.cc:1904(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55d58ec584c4]
            sql/sql_parse.cc:1415(do_command(THD*, bool))[0x55d58ec5515b]
            sql/sql_connect.cc:1415(do_handle_one_connection(CONNECT*, bool))[0x55d58f16f6ea]
            sql/sql_connect.cc:1329(handle_one_connection)[0x55d58f16f23d]
            perfschema/pfs.cc:2200(pfs_spawn_thread)[0x55d58fe9b2c4]
            nptl/pthread_create.c:478(start_thread)[0x7fcf4341c609]
             
            Query (0x62d0003e84a8): (SELECT 5 a FROM dual ORDER BY a) ORDER BY  AVG(a) OVER ()
            

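The duplicate verdict above rests on the two traces sharing the same top frames even though the two builds report different source line numbers (item.cc:3183 in the report, item.cc:3206 in the 11.8.1 debug build). The following triage helper is an added example, not code from the report or from MariaDB: it parses both trace formats seen on this page (the gdb backtrace from the description and the signal-handler trace from the comment), strips addresses, line numbers and the signal handler's own frames, and compares the remaining top frames to bucket the crashes. The trace excerpts are copied from this page; the function and constant names are the example's own.

```python
import re

# Excerpts copied from this page: gdb backtrace (report) and signal-handler trace (comment), first frames only.
GDB_TRACE = """\
#0 0x00000000018849b8 in Item_field::Item_field (this=<optimized out>, thd=<optimized out>, f=0x0) at /home/mariadb/mariadb-server/sql/item.cc:3183
#1 0x0000000001592a74 in Window_funcs_sort::setup (this=<optimized out>, thd=0xffff6b462218, sel=0x0, it=..., join_tab=<optimized out>)
at /home/mariadb/mariadb-server/sql/sql_window.cc:3162
#2 0x0000000001594648 in Window_funcs_computation::setup (this=<optimized out>, thd=<optimized out>, window_funcs=0xffff918f3d78, tab=<optimized out>)
at /home/mariadb/mariadb-server/sql/sql_window.cc:3204
#3 0x0000000000e8ee44 in JOIN::make_aggr_tables_info (this=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_select.cc:4252
"""
HANDLER_TRACE = """\
sql/signal_handler.cc:230(handle_fatal_signal)[0x559a12e94ce5]
sigaction.c:0(__restore_rt)[0x7f71fb90f420]
sql/item.cc:3206(Item_field::Item_field(THD*, Field*))[0x559a12f10c48]
sql/sql_window.cc:3162(Window_funcs_sort::setup(THD*, SQL_SELECT*, List_iterator<Item_window_func>&, st_join_table*))[0x559a12c7bce2]
sql/sql_window.cc:3203(Window_funcs_computation::setup(THD*, List<Item_window_func>*, st_join_table*))[0x559a12c7c3a9]
sql/sql_select.cc:4265(JOIN::make_aggr_tables_info())[0x559a125db8ef]
"""

GDB_FRAME = re.compile(r"^#\d+\s+0x[0-9a-f]+ in (\S+) \(")
HANDLER_FRAME = re.compile(r"^([^:\s]+):(\d+)\((.*)\)\[0x[0-9a-f]+\]$")
NOISE = {"handle_fatal_signal", "__restore_rt"}  # frames the signal handler adds above the crash site

def parse_gdb(text):
    """Function names, innermost first; the wrapped 'at file:line' continuation lines carry no frame."""
    names = []
    for line in text.splitlines():
        m = GDB_FRAME.match(line.strip())
        if m:
            names.append(m.group(1))
    return names

def parse_handler(text):
    """Function names from file:line(symbol)[addr] lines; the C++ parameter list is dropped."""
    names = []
    for line in text.splitlines():
        m = HANDLER_FRAME.match(line.strip())
        if m:
            names.append(m.group(3).split("(")[0])
    return names

def crash_signature(frames, depth=4):
    """Top `depth` real frames. Addresses and source line numbers are deliberately ignored:
    they differ between the reporter's build (item.cc:3183) and the 11.8.1 debug build (item.cc:3206)."""
    return tuple(f for f in frames if f not in NOISE)[:depth]

def same_bucket(a, b, depth=4):
    """True when both traces crash through the same top frames, i.e. they are likely the same bug."""
    return crash_signature(a, depth) == crash_signature(b, depth)

if __name__ == "__main__":
    print(" > ".join(crash_signature(parse_gdb(GDB_TRACE))), same_bucket(parse_gdb(GDB_TRACE), parse_handler(HANDLER_TRACE)))
```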

            People

              Unassigned
              luy70 Yu Liang
