[MDEV-36964] Stack looping, SIGSEGVs in Item_hybrid_func::type_handler and Item::check_cols on SELECT when using a function - Jira

XML

Word

Printable

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Critical
Resolution: Unresolved
Affects Version/s: 12.0(EOL), 12.1
Fix Version/s: 12.1
Component/s: Stored routines
Labels:
- regression-12.0
- stack-looping

Bug Category:
Can result in hang or crash

Description

CREATE FUNCTION f() RETURNS ROW TYPE OF t RETURN 1;

CREATE TABLE t (c INT KEY,c2 INT,UNIQUE (c2));

SELECT ROW(COALESCE(f()),1)=ROW(1,1) AS eq;

Leads to:

CS 12.0.1 f1102da37a3dcdc8b92e0205f0a8bd878704b168 (Optimized) Build 06/06/2025
Core was generated by `/test/MD060625-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000561e49a8e084 in Item::check_cols (this=<optimized out>, c=1)at /test/12.0_opt/sql/item.cc:1028

[Current thread is 1 (LWP 527618)]
(gdb) bt
#0 0x0000561e49a8e084 in Item::check_cols (this=<optimized out>, c=1)at /test/12.0_opt/sql/item.cc:1028
#1 0x0000561e49a6a62f in cmp_row_type (item1=item1@entry=0x7fc82c018998, item2=0x7fc82c018bd8) at /test/12.0_opt/sql/item_cmpfunc.cc:59
#2 0x0000561e49a6a706 in cmp_row_type (item1=item1@entry=0x7fc82c018998, item2=0x7fc82c018bd8) at /test/12.0_opt/sql/item_cmpfunc.cc:65
#3 0x0000561e49a6a706 in cmp_row_type (item1=item1@entry=0x7fc82c018998, item2=0x7fc82c018bd8) at /test/12.0_opt/sql/item_cmpfunc.cc:65
...
#494 0x0000561e49a6a706 in cmp_row_type (item1=item1@entry=0x7fc82c018998, item2=0x7fc82c018bd8) at /test/12.0_opt/sql/item_cmpfunc.cc:65
#495 0x0000561e49a6a706 in cmp_row_type (item1=item1@entry=0x7fc82c018998, item2=0x7fc82c018bd8) at /test/12.0_opt/sql/item_cmpfunc.cc:65
#496 0x0000561e49a6a706 in cmp_row_type (item1=item1@entry=0x7fc82c018998,

CS 12.0.1 f1102da37a3dcdc8b92e0205f0a8bd878704b168 (Debug) Build 06/06/2025
Core was generated by `/test/MD060625-mariadb-12.0.1-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000557ecf94cc47 in Item_hybrid_func::type_handler (this=0x7f60c401b320)at /test/12.0_dbg/sql/item_func.h:516

[Current thread is 1 (LWP 6280)]
(gdb) bt
#0 0x0000557ecf94cc47 in Item_hybrid_func::type_handler (this=0x7f60c401b320)at /test/12.0_dbg/sql/item_func.h:516
#1 0x0000557ecf906c59 in Item::result_type (this=0x7f60c401b320)at /test/12.0_dbg/sql/item.h:1250
#2 0x0000557ecf927d1b in cmp_row_type (item1=0x7f60c401b320, item2=0x7f60c401b560) at /test/12.0_dbg/sql/item_cmpfunc.cc:64
#3 0x0000557ecf927d54 in cmp_row_type (item1=0x7f60c401b320, item2=0x7f60c401b560) at /test/12.0_dbg/sql/item_cmpfunc.cc:65
...
#494 0x0000557ecf927d54 in cmp_row_type (item1=0x7f60c401b320, item2=0x7f60c401b560) at /test/12.0_dbg/sql/item_cmpfunc.cc:65
#495 0x0000557ecf927d54 in cmp_row_type (item1=0x7f60c401b320, item2=0x7f60c401b560) at /test/12.0_dbg/sql/item_cmpfunc.cc:65
#496 0x0000557ecf927d54 in cmp_row_type (item1=0x7f60c401b320,

Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.6 dbg 060625 643319a7fb1e273797c2a1e46d76cfac0fa1da8f No bug found
CS 10.6 opt 060625 643319a7fb1e273797c2a1e46d76cfac0fa1da8f No bug found
CS 10.11 dbg 060625 11d1ac7285221ab4df7d9ef7cc8ee949b01c9b32 No bug found
CS 10.11 opt 060625 11d1ac7285221ab4df7d9ef7cc8ee949b01c9b32 No bug found
CS 11.4 dbg 060625 8c6cbb336081a5e1ad781df4a9778b61e3b4d73f No bug found
CS 11.4 opt 060625 8c6cbb336081a5e1ad781df4a9778b61e3b4d73f No bug found
CS 11.8 dbg 060625 67e6fdee05ead4974fe632e91c38941ade369b0c No bug found
CS 11.8 opt 060625 67e6fdee05ead4974fe632e91c38941ade369b0c No bug found
CS 12.0 dbg 060625 f1102da37a3dcdc8b92e0205f0a8bd878704b168 SIGSEGV\|Item_hybrid_func::type_handler\|Item::result_type\|cmp_row_type\|cmp_row_type
CS 12.0 opt 060625 f1102da37a3dcdc8b92e0205f0a8bd878704b168 SIGSEGV\|Item::check_cols\|cmp_row_type\|cmp_row_type\|cmp_row_type
CS 12.1 dbg 060625 4b79d7b8ee557d53a859aedec839b8673585b514 SIGSEGV\|Item_hybrid_func::type_handler\|Item::result_type\|cmp_row_type\|cmp_row_type
CS 12.1 opt 060625 4b79d7b8ee557d53a859aedec839b8673585b514 SIGSEGV\|Item::check_cols\|cmp_row_type\|cmp_row_type\|cmp_row_type
ES 10.5 dbg 060625 ec7bc4f84e490b25f52db7422a1e0e8bbea72fb1 No bug found
ES 10.5 opt 060625 ec7bc4f84e490b25f52db7422a1e0e8bbea72fb1 No bug found
ES 10.6 dbg 060625 8541ea1e4c2fa15789dd162f6ba4b32681f74e61 No bug found
ES 10.6 opt 060625 8541ea1e4c2fa15789dd162f6ba4b32681f74e61 No bug found
ES 11.4 dbg 060625 1c8b2d3059f5ccb67c042868baca3ee269c6eca7 No bug found
ES 11.4 opt 060625 1c8b2d3059f5ccb67c042868baca3ee269c6eca7 No bug found
MS 5.5 dbg 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
MS 5.5 opt 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
MS 5.6 dbg 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
MS 5.6 opt 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
MS 5.7 dbg 070525 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
MS 5.7 opt 070525 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
MS 8.0 dbg 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
MS 8.0 opt 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
MS 9.1 dbg 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found
MS 9.1 opt 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found

No UBSAN/ASAN issues observed. Testcase is CLI and MTR compatible.

Attachments

Issue Links

relates to

MDEV-36792 UBSAN load of null pointer and Assertion `b == &type_handler_row || b == &type_handler_null' in Arg_comparator::set_cmp_func when using ROW()

Confirmed

Activity

People

Assignee:: Alexander Barkov

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2025-06-07 12:29

Updated:: 2025-08-21 21:46

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.