[MDEV-36363] MariaDB crashes within JOIN optimization - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Duplicate
Affects Version/s: 11.7.2
Fix Version/s: N/A
Component/s: Optimizer, Optimizer - Window functions
Labels:
- crash
Environment:
UBUNTU ARM64 VM

Description

This bug is very likely relates to MDEV-36356, but not sure.

PoC:

DROP DATABASE IF EXISTS test123;

CREATE DATABASE IF NOT EXISTS test123;

USE test123;

CREATE TABLE v00 (c01 INT, c02 TEXT);

CREATE INDEX i03 ON v00 (c01);

INSERT INTO v00 (c01, c02) VALUES (0, 'abc');

SELECT SQL_CACHE *, TRUE >= FALSE IN ( SELECT 'string' ), TRUE < FALSE IN ( SELECT 'string' ) FROM ( ( ( ( SELECT TRUE FROM v00 AS ta70203004 LOCK IN SHARE MODE SKIP LOCKED ) ORDER BY TRUE != AVG ( FALSE ) OVER ( ) IS UNKNOWN XOR TRUE != INTERVAL TRUE AND TRUE DAY_HOUR + FALSE != TRUE IN ( SELECT 'string' ) IN ( SELECT 'string' ) AND FALSE XOR FALSE LIMIT ROWS EXAMINED 1234567890 ) AS ta70203003 NATURAL STRAIGHT_JOIN v00 AS ta70203000, v00 AS ta70203001 NATURAL JOIN v00 AS ta70203002 ) ) WINDOW no_window_name AS ( PARTITION BY FALSE ASC, TRUE < TRUE IN ( SELECT 'string' ), TRUE >= TRUE IN ( SELECT 'string' ) DESC ORDER BY TRUE >= FALSE IN ( SELECT 'string' ) );

Crash stack: NULL Pointer Deference. Potentially the same root cause with MDEV-36356.

#0 0x00000000018849b8 in Item_field::Item_field (this=<optimized out>, thd=<optimized out>, f=0x0) at /home/mariadb/mariadb-server/sql/item.cc:3183
#1 0x0000000001592a74 in Window_funcs_sort::setup (this=<optimized out>, thd=0xffff6b462218, sel=0x0, it=..., join_tab=<optimized out>)
at /home/mariadb/mariadb-server/sql/sql_window.cc:3162
#2 0x0000000001594648 in Window_funcs_computation::setup (this=<optimized out>, thd=<optimized out>, window_funcs=0xffff918f3d78, tab=<optimized out>)
at /home/mariadb/mariadb-server/sql/sql_window.cc:3204
#3 0x0000000000e8ee44 in JOIN::make_aggr_tables_info (this=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_select.cc:4252
#4 0x0000000000e4ad14 in JOIN::optimize_stage2 (this=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_select.cc:3500
#5 0x0000000000e5489c in JOIN::optimize_inner (this=0xffff6a4ac468) at /home/mariadb/mariadb-server/sql/sql_select.cc:2731
#6 0x0000000000e3dd0c in JOIN::optimize (this=0xffff6a4ac468) at /home/mariadb/mariadb-server/sql/sql_select.cc:1994
#7 0x0000000000c06894 in mysql_derived_optimize (thd=<optimized out>, lex=<optimized out>, derived=<optimized out>)
at /home/mariadb/mariadb-server/sql/sql_derived.cc:1037
#8 0x0000000000c0c14c in mysql_handle_single_derived (lex=0xffff6b4664b0, derived=0xffff6a4a0c88, phases=4)
at /home/mariadb/mariadb-server/sql/sql_derived.cc:200
#9 0x0000000000e53f54 in JOIN::optimize_inner (this=0xffff6a4abb98) at /home/mariadb/mariadb-server/sql/sql_select.cc:2521
#10 0x0000000000e3dd0c in JOIN::optimize (this=0xffff6a4abb98) at /home/mariadb/mariadb-server/sql/sql_select.cc:1994
#11 0x0000000000e27864 in mysql_select (thd=0xffff6b462218, tables=<optimized out>, fields=..., conds=<optimized out>, og_num=<optimized out>,
order=<optimized out>, group=<optimized out>, having=<optimized out>, proc_param=0x0, select_options=<optimized out>, result=0xffff6a4abb68,
unit=0xffff6b466590, select_lex=0xffff918f09e0) at /home/mariadb/mariadb-server/sql/sql_select.cc:5348
#12 0x0000000000e26f08 in handle_select (thd=0xffff6b462218, lex=0xffff6b4664b0, result=0xffff6a4abb68, setup_tables_done_option=0)
at /home/mariadb/mariadb-server/sql/sql_select.cc:633
#13 0x0000000000d4c2c0 in execute_sqlcom_select (thd=0xffff6b462218, all_tables=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:6191
#14 0x0000000000d30e80 in mysql_execute_command (thd=0xffff6b462218, is_called_from_prepared_stmt=<optimized out>)
at /home/mariadb/mariadb-server/sql/sql_parse.cc:3979
#15 0x0000000000d1cd24 in mysql_parse (thd=0xffff6b462218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>)
at /home/mariadb/mariadb-server/sql/sql_parse.cc:7915
#16 0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>,
blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902
#17 0x0000000000d1dbf4 in do_command (thd=0xffff6b462218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415
#18 0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415
#19 0x00000000012841b4 in handle_one_connection (arg=0xffff97a1a9b8) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327
#20 0x0000000002200c38 in pfs_spawn_thread (arg=0xffff91409a98) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198
#21 0x0000ffff9d618624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477
#22 0x0000ffff9d33a66c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78

Attachments

Issue Links

duplicates

MDEV-32609 Derived subquery selecting from dummy table causes segv

Confirmed

Activity

People

Assignee:: Unassigned

Reporter:: Yu Liang

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2025-03-24 18:24

Updated:: 2025-03-25 17:10

Resolved:: 2025-03-25 17:10

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server