MariaDB Server / MDEV-37422

SIGSEGV failed in base_list_iterator::replace, Assertion `n < m_size' in Bounds_checked_array, ASAN use-after-poison in JOIN::rollup_make_fields


Details

    • Q4/2025 Server Maintenance, Q1/2026 Server Maintenance

    Description

      --source include/have_innodb.inc
       
      CREATE TABLE t (a INT,b INT,a1 INT GENERATED ALWAYS AS (a) VIRTUAL,INDEX (a1)) ENGINE=INNODB;
      SELECT * FROM t GROUP BY a WITH ROLLUP;
      

      Leads to:

      CS 12.1.2 033471a367b4c60b7262e64f43f46b02e95b9d74 (Optimized, Clang) Build 08/08/2025

      Core was generated by `/test/MD080825-mariadb-12.1.2-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  base_list_iterator::replace (element=0x7652a801c6f0, this=<optimized out>)at /test/12.1_opt/sql/sql_list.h:450
       
      [Current thread is 1 (LWP 2417744)]
      (gdb) bt
      #0  base_list_iterator::replace (element=0x7652a801c6f0, this=<optimized out>)at /test/12.1_opt/sql/sql_list.h:450
      #1  List_iterator<Item>::replace (a=0x7652a801c6f0, this=<optimized out>)at /test/12.1_opt/sql/sql_list.h:594
      #2  JOIN::rollup_make_fields (this=this@entry=0x7652a8019028, fields_arg=@0x7652a8019410: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7652a801c4c8, last = 0x7652a801cb10, elements = 4}, <No data fields>}, sel_fields=@0x7652a8019458: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7652a801c6e0, last = 0x7652a801cb10, elements = 3}, <No data fields>}, func=func@entry=0x76537bf12578) at /test/12.1_opt/sql/sql_select.cc:30541
      #3  0x000059963ff04464 in JOIN::make_sum_func_list (this=this@entry=0x7652a8019028, field_list=@0x7652a8019410: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7652a801c4c8, last = 0x7652a801cb10, elements = 4}, <No data fields>}, send_result_set_metadata=@0x7652a8019458: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7652a801c6e0, last = 0x7652a801cb10, elements = 3}, <No data fields>}, before_group_by=true) at /test/12.1_opt/sql/sql_select.cc:29689
      #4  0x000059963ff134a7 in JOIN::make_aggr_tables_info (this=this@entry=0x7652a8019028) at /test/12.1_opt/sql/sql_select.cc:4193
      #5  0x000059963ff05cd7 in JOIN::optimize_stage2 (this=this@entry=0x7652a8019028) at /test/12.1_opt/sql/sql_select.cc:3538
      #6  0x000059963ff0712a in JOIN::optimize_inner (this=this@entry=0x7652a8019028)at /test/12.1_opt/sql/sql_select.cc:2769
      #7  0x000059963ff04914 in JOIN::optimize (this=this@entry=0x7652a8019028)at /test/12.1_opt/sql/sql_select.cc:2023
      #8  0x000059963fefe892 in mysql_select (thd=thd@entry=0x7652a8000c68, tables=<optimized out>, fields=@0x7652a80179e0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7652a8017d28, last = 0x7652a8019bc0, elements = 3}, <No data fields>}, conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=0x7652a80185f0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x7652a8019000, unit=0x7652a8005090, select_lex=0x7652a8017728)at /test/12.1_opt/sql/sql_select.cc:5388
      #9  0x000059963fefe5b9 in handle_select (thd=thd@entry=0x7652a8000c68, lex=lex@entry=0x7652a8004fb0, result=result@entry=0x7652a8019000, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/12.1_opt/sql/sql_select.cc:634
      #10 0x000059963fec8487 in execute_sqlcom_select (thd=thd@entry=0x7652a8000c68, all_tables=0x7652a8017d78) at /test/12.1_opt/sql/sql_parse.cc:6167
      #11 0x000059963fec6fa1 in mysql_execute_command (thd=thd@entry=0x7652a8000c68, is_called_from_prepared_stmt=false) at /test/12.1_opt/sql/sql_parse.cc:3950
      #12 0x000059963febf3f1 in mysql_parse (thd=thd@entry=0x7652a8000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x76537bf13420)at /test/12.1_opt/sql/sql_parse.cc:7883
      #13 0x000059963febd90f in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7652a8000c68, packet=packet@entry=0x7652a80089f9 "SELECT * FROM t GROUP BY a WITH ROLLUP", packet_length=packet_length@entry=38, blocking=true)at /test/12.1_opt/sql/sql_parse.cc:1878
      #14 0x000059963febf801 in do_command (thd=thd@entry=0x7652a8000c68, blocking=true) at /test/12.1_opt/sql/sql_parse.cc:1417
      #15 0x00005996400150ed in do_handle_one_connection (connect=<optimized out>, connect@entry=0x599641dd7a88, put_in_cache=true)at /test/12.1_opt/sql/sql_connect.cc:1414
      #16 0x0000599640014eaf in handle_one_connection (arg=arg@entry=0x599641dd7a88)at /test/12.1_opt/sql/sql_connect.cc:1326
      #17 0x00005996401d7a79 in pfs_spawn_thread (arg=0x599641d7d958)at /test/12.1_opt/storage/perfschema/pfs.cc:2198
      #18 0x000076537cc9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #19 0x000076537cd29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      CS 12.2.0 e02f4d7e311e214ea62ff2e59599849e229f4165 (Debug, Clang) Build 07/08/2025

      mariadbd: /test/12.2_dbg/sql/sql_array.h:65: Element_type &Bounds_checked_array<Item *>::operator[](size_t) [Element_type = Item *]: Assertion `n < m_size' failed.
      

      CS 12.2.0 e02f4d7e311e214ea62ff2e59599849e229f4165 (Debug, Clang) Build 07/08/2025

      Core was generated by `/test/MD070825-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
      Program terminated with signal SIGABRT, Aborted.
      Download failed: Invalid argument.  Continuing without source file ./nptl/./nptl/pthread_kill.c.
      #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
       
      [Current thread is 1 (LWP 2240059)]
      (gdb) bt
      #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
      #1  __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
      #2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
      #3  0x000073768b44527e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
      #4  0x000073768b4288ff in __GI_abort () at ./stdlib/abort.c:79
      #5  0x000073768b42881b in __assert_fail_base (fmt=0x73768b5d01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x5f2960d0722b "n < m_size", file=file@entry=0x5f2960d03312 "/test/12.2_dbg/sql/sql_array.h", line=line@entry=65, function=function@entry=0x5f2960d07236 "Element_type &Bounds_checked_array<Item *>::operator[](size_t) [Element_type = Item *]") at ./assert/assert.c:96
      #6  0x000073768b43b517 in __assert_fail (assertion=0x5f2960d0722b "n < m_size", file=0x5f2960d03312 "/test/12.2_dbg/sql/sql_array.h", line=65, function=0x5f2960d07236 "Element_type &Bounds_checked_array<Item *>::operator[](size_t) [Element_type = Item *]") at ./assert/assert.c:105
      #7  0x00005f295fb3290d in Bounds_checked_array<Item*>::operator[] (this=0x7376802c0098, n=3) at /test/12.2_dbg/sql/sql_array.h:65
      #8  0x00005f295fd4a4be in JOIN::rollup_make_fields (this=0x73579c01b828, fields_arg=@0x73579c01bc18: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x73579c01ee90, last = 0x73579c01f4d8, elements = 4}, <No data fields>}, sel_fields=@0x73579c01bc60: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x73579c01f0a8, last = 0x73579c01f4d8, elements = 3}, <No data fields>}, func=0x7376802c0160) at /test/12.2_dbg/sql/sql_select.cc:30537
      #9  0x00005f295fd01865 in JOIN::make_sum_func_list (this=0x73579c01b828, field_list=@0x73579c01bc18: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x73579c01ee90, last = 0x73579c01f4d8, elements = 4}, <No data fields>}, send_result_set_metadata=@0x73579c01bc60: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x73579c01f0a8, last = 0x73579c01f4d8, elements = 3}, <No data fields>}, before_group_by=true) at /test/12.2_dbg/sql/sql_select.cc:29689
      #10 0x00005f295fd18c1f in JOIN::make_aggr_tables_info (this=0x73579c01b828)at /test/12.2_dbg/sql/sql_select.cc:4193
      #11 0x00005f295fd047e9 in JOIN::optimize_stage2 (this=0x73579c01b828)at /test/12.2_dbg/sql/sql_select.cc:3538
      #12 0x00005f295fd071ee in JOIN::optimize_inner (this=0x73579c01b828)at /test/12.2_dbg/sql/sql_select.cc:2769
      #13 0x00005f295fd02348 in JOIN::optimize (this=0x73579c01b828)at /test/12.2_dbg/sql/sql_select.cc:2023
      #14 0x00005f295fcf9f99 in mysql_select (thd=0x73579c000d58, tables=0x73579c01a578, fields=@0x73579c01a1e0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x73579c01a528, last = 0x73579c01c3d0, elements = 3}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x73579c01adf0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x73579c01b800, unit=0x73579c005158, select_lex=0x73579c019f28)at /test/12.2_dbg/sql/sql_select.cc:5388
      #15 0x00005f295fcf9ad5 in handle_select (thd=0x73579c000d58, lex=0x73579c005078, result=0x73579c01b800, setup_tables_done_option=0)at /test/12.2_dbg/sql/sql_select.cc:634
      #16 0x00005f295fca1611 in execute_sqlcom_select (thd=0x73579c000d58, all_tables=0x73579c01a578) at /test/12.2_dbg/sql/sql_parse.cc:6167
      #17 0x00005f295fc9639e in mysql_execute_command (thd=0x73579c000d58, is_called_from_prepared_stmt=false) at /test/12.2_dbg/sql/sql_parse.cc:3950
      #18 0x00005f295fc8e664 in mysql_parse (thd=0x73579c000d58, rawbuf=0x73579c019e80 "SELECT * FROM t GROUP BY a WITH ROLLUP", length=38, parser_state=0x7376802c2a10) at /test/12.2_dbg/sql/sql_parse.cc:7883
      #19 0x00005f295fc8ba38 in dispatch_command (command=COM_QUERY, thd=0x73579c000d58, packet=0x73579c00b1f9 "SELECT * FROM t GROUP BY a WITH ROLLUP", packet_length=38, blocking=true) at /test/12.2_dbg/sql/sql_parse.cc:1878
      #20 0x00005f295fc8f213 in do_command (thd=0x73579c000d58, blocking=true)at /test/12.2_dbg/sql/sql_parse.cc:1417
      #21 0x00005f295fe7c4b9 in do_handle_one_connection (connect=0x5f2996f21b58, put_in_cache=true) at /test/12.2_dbg/sql/sql_connect.cc:1414
      #22 0x00005f295fe7c25e in handle_one_connection (arg=0x5f2996e4d538)at /test/12.2_dbg/sql/sql_connect.cc:1326
      #23 0x000073768b49caa4 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #24 0x000073768b529c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      Bug Detection Matrix

          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  080825  13f337ce1f295f4aac75db681e00c71f2bf8acaf  No bug found                  
      CS  10.6   opt  080825  13f337ce1f295f4aac75db681e00c71f2bf8acaf  No bug found                  
      CS  10.11  dbg  080825  c45a34b2fb10e4e8f768e7e5fe846e9592eb6ea8  No bug found                  
      CS  10.11  opt  080825  c45a34b2fb10e4e8f768e7e5fe846e9592eb6ea8  No bug found                  
      CS  11.4   dbg  080825  03b31c0bd99390c1984f19a19f22dd6e77b7692e  No bug found                  
      CS  11.4   opt  080825  03b31c0bd99390c1984f19a19f22dd6e77b7692e  No bug found                  
      CS  11.8   dbg  080825  1a446ccc48528e88a3cd6cd1d1ec9e7492d342ca  No bug found                  
      CS  11.8   opt  080825  1a446ccc48528e88a3cd6cd1d1ec9e7492d342ca  No bug found                  
      CS  12.0   dbg  080825  aab83aecdca15738d114cf5a2f223f1d12e4e6bd  No bug found                  
      CS  12.0   opt  080825  aab83aecdca15738d114cf5a2f223f1d12e4e6bd  No bug found                  
      CS  12.1   dbg  080825  033471a367b4c60b7262e64f43f46b02e95b9d74  n < m_size|SIGABRT|Bounds_checked_array<Item*>::operator[]|JOIN::rollup_make_fields|JOIN::make_sum_func_list|JOIN::make_aggr_tables_info
      CS  12.1   opt  080825  033471a367b4c60b7262e64f43f46b02e95b9d74  SIGSEGV|base_list_iterator::replace|List_iterator<Item>::replace|JOIN::rollup_make_fields|JOIN::make_sum_func_list
      CS  12.2   dbg  080825  e02f4d7e311e214ea62ff2e59599849e229f4165  n < m_size|SIGABRT|Bounds_checked_array<Item*>::operator[]|JOIN::rollup_make_fields|JOIN::make_sum_func_list|JOIN::make_aggr_tables_info
      CS  12.2   opt  080825  e02f4d7e311e214ea62ff2e59599849e229f4165  SIGSEGV|base_list_iterator::replace|List_iterator<Item>::replace|JOIN::rollup_make_fields|JOIN::make_sum_func_list
      ES  10.5   dbg  080825  70586522eacf09d04d49962072e14325a75d8155  No bug found                  
      ES  10.5   opt  080825  70586522eacf09d04d49962072e14325a75d8155  No bug found                  
      ES  10.6   dbg  080825  9b794f34b48fb7eee490b6da44edc0f33a947447  No bug found                  
      ES  10.6   opt  080825  9b794f34b48fb7eee490b6da44edc0f33a947447  No bug found                  
      ES  11.4   dbg  080825  a1c03ccd54b582e75506687ee19b273ca897f261  No bug found                  
      ES  11.4   opt  080825  a1c03ccd54b582e75506687ee19b273ca897f261  No bug found                  
      ES  11.8   dbg  080825  4cdf75ab6ba37d4e7e208690785e880ed3176f2f  No bug found                  
      ES  11.8   opt  080825  4cdf75ab6ba37d4e7e208690785e880ed3176f2f  No bug found                  
      MS  5.5    dbg  070123  bac287c315b1792e7ae33f91add6a60292f9bae8  No bug found                  
      MS  5.5    opt  070123  bac287c315b1792e7ae33f91add6a60292f9bae8  No bug found                  
      MS  5.6    dbg  070123  dab95781a1244104d6b87020ac2fc4d190ba2946  No bug found                  
      MS  5.6    opt  070123  dab95781a1244104d6b87020ac2fc4d190ba2946  No bug found                  
      MS  5.7    dbg  070525  f7680e98b6bbe3500399fbad465d08a6b75d7a5c  No bug found                  
      MS  5.7    opt  070525  f7680e98b6bbe3500399fbad465d08a6b75d7a5c  No bug found                  
      MS  8.0    dbg  060224  49ef33f7edadef3ae04665e73d1babd40179a4f1  No bug found                  
      MS  8.0    opt  060224  49ef33f7edadef3ae04665e73d1babd40179a4f1  No bug found                  
      MS  9.1    dbg  211024  61a3a1d8ef15512396b4c2af46e922a19bf2b174  No bug found                  
      MS  9.1    opt  211024  61a3a1d8ef15512396b4c2af46e922a19bf2b174  No bug found                  
      

      The assertion happens after this commit

      commit 8cdee25952763a0401e4c2a4d61e92c13499bdc6
      Author: Yuchen Pei <ycp@mariadb.com>
      Date:   Wed Jun 4 11:43:30 2025 +1000
       
          MDEV-36132 Substitute vcol expressions with indexed vcol fields in ORDER BY and GROUP BY
          
          Also expand vcol field index coverings to include indexes covering all
          the fields in the expression. The reasoning goes as follows: let f(c1,
          c2, ..., cn) be a function on applied to columns c1, c2, ..., cn, if
          f(...) is covered by an index, so should vc whose expression is
          f(...).
      [..]
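
      Added example, not part of the bug report or of the MariaDB code base. The reproducer above is an ordinary SELECT, so on an affected build (CS 12.1 / 12.2 carrying commit 8cdee259) any account with SELECT privilege on a table that has an indexed VIRTUAL generated column can take the server down: the bisected commit rewrites GROUP BY a into the indexed vcol a1, and JOIN::rollup_make_fields then reads past the end of its Item array (n=3 against m_size in the debug trace). The query below inventories tables of that shape from INFORMATION_SCHEMA so an operator can judge exposure before a fix ships. The scratch tables t, t_stored and t_noidx in schema test are constructed here only to exercise the query; it assumes MariaDB 10.2+ INFORMATION_SCHEMA semantics (COLUMNS.EXTRA reads 'VIRTUAL GENERATED', COLUMNS.GENERATION_EXPRESSION holds the expression).

```sql
-- Added example (not from the bug report): inventory tables matching the
-- crash precondition, a VIRTUAL generated column that is covered by an index.
-- Assumes MariaDB 10.2+ INFORMATION_SCHEMA: COLUMNS.EXTRA is
-- 'VIRTUAL GENERATED' for virtual columns and GENERATION_EXPRESSION holds
-- the defining expression.

-- Scratch tables, constructed for this example. t is the report's table;
-- the other two are controls that the inventory must not report.
CREATE DATABASE IF NOT EXISTS test;
USE test;
CREATE TABLE t (a INT, b INT,
                a1 INT GENERATED ALWAYS AS (a) VIRTUAL,
                INDEX (a1)) ENGINE=INNODB;
CREATE TABLE t_stored (a INT,
                a1 INT GENERATED ALWAYS AS (a) STORED,   -- stored, not virtual
                INDEX (a1)) ENGINE=INNODB;
CREATE TABLE t_noidx (a INT,
                a1 INT GENERATED ALWAYS AS (a) VIRTUAL   -- virtual, no index
               ) ENGINE=INNODB;

-- Inventory: one row per indexed VIRTUAL column, listing every index that
-- contains it. The join against STATISTICS is what enforces "indexed";
-- the EXTRA predicate is what enforces "virtual".
SELECT c.TABLE_SCHEMA,
       c.TABLE_NAME,
       c.COLUMN_NAME           AS vcol,
       c.GENERATION_EXPRESSION AS vcol_expr,
       GROUP_CONCAT(DISTINCT s.INDEX_NAME ORDER BY s.INDEX_NAME) AS indexes
FROM   INFORMATION_SCHEMA.COLUMNS    c
JOIN   INFORMATION_SCHEMA.STATISTICS s
       ON  s.TABLE_SCHEMA = c.TABLE_SCHEMA
       AND s.TABLE_NAME   = c.TABLE_NAME
       AND s.COLUMN_NAME  = c.COLUMN_NAME
WHERE  c.EXTRA = 'VIRTUAL GENERATED'
  AND  c.TABLE_SCHEMA NOT IN ('mysql', 'information_schema',
                              'performance_schema', 'sys')
GROUP  BY c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME, c.GENERATION_EXPRESSION
ORDER  BY c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME;

-- Remove the scratch tables again.
DROP TABLE t, t_stored, t_noidx;
```

      On the scratch schema only test.t qualifies: t_stored is dropped by the EXTRA predicate (its EXTRA reads 'STORED GENERATED') and t_noidx has no STATISTICS row to join against. The inventory is a precondition check, not a proof of exploitability; whether a given statement reaches the rollup path still depends on it grouping on a column the vcol expression refers to, as the report's GROUP BY a WITH ROLLUP does. Versions outside the affected rows of the matrix above (10.6 through 12.0, ES, MS) do not contain the MDEV-36132 substitution and are not at risk from this query shape.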
      

            People

              psergei Sergei Petrunia
              ramesh Ramesh Sivaraman