[MDEV-37565] Assertion `item_sum->fixed()' in add_special_frame_cursors, `m_alloced_field_count' in Create_tmp_table::start, SIGSEGV in Item_field::Item_field, UBSAN null-pointer-use in Item_field::Item_field - Jira

--source include/have_innodb.inc

CREATE TABLE t (c INT) ENGINE=InnoDB;

DELETE FROM t WHERE c IN (SELECT * FROM t) ORDER BY LAST_VALUE(t) OVER() IS NOT UNKNOWN;

CS 12.1.2 033471a367b4c60b7262e64f43f46b02e95b9d74 (Debug, Clang 18.1.3-1) Build 08/08/2025
mariadbd: /test/12.1_dbg/sql/sql_window.cc:2604: bool add_special_frame_cursors(THD , Cursor_manager , Item_window_func *): Assertion `item_sum->fixed()' failed.

CS 12.1.2 033471a367b4c60b7262e64f43f46b02e95b9d74 (Debug, Clang 18.1.3-1) Build 08/08/2025
Core was generated by `/test/MD080825-mariadb-12.1.2-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGABRT, Aborted.
Download failed: Invalid argument. Continuing without source file ./nptl/./nptl/pthread_kill.c.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44

[Current thread is 1 (LWP 362865)]
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
#3 0x00007d333ae4526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
#4 0x00007d333ae288ff in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007d333ae2881b in __assert_fail_base (fmt=0x7d333afd01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x624ef3f0f1dc "item_sum->fixed()", file=file@entry=0x624ef3fbdc0e "/test/12.1_dbg/sql/sql_window.cc", line=line@entry=2604, function=function@entry=0x624ef400310a "bool add_special_frame_cursors(THD , Cursor_manager , Item_window_func *)") at ./assert/assert.c:94
#6 0x00007d333ae3b507 in __assert_fail (assertion=0x624ef3f0f1dc "item_sum->fixed()", file=0x624ef3fbdc0e "/test/12.1_dbg/sql/sql_window.cc", line=2604, function=0x624ef400310a "bool add_special_frame_cursors(THD , Cursor_manager , Item_window_func *)") at ./assert/assert.c:103
#7 0x0000624ef4f5097f in add_special_frame_cursors (thd=0x7d320c000d58, cursor_manager=0x7d320c018410, window_func=0x7d320c01caf8)at /test/12.1_dbg/sql/sql_window.cc:2604
#8 0x0000624ef4f4fe36 in get_window_functions_required_cursors (thd=0x7d320c000d58, window_functions=@0x7d320c07cbb0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7d320c07cbd0, last = 0x7d320c07cbd0, elements = 1}, <No data fields>}, cursor_managers=0x7d3333f2f890)at /test/12.1_dbg/sql/sql_window.cc:2739
#9 0x0000624ef4f51c72 in Window_func_runner::exec (this=0x7d320c07cba8, thd=0x7d320c000d58, tbl=0x7d320c08c380, filesort_result=0x7d320c018b00)at /test/12.1_dbg/sql/sql_window.cc:3063
#10 0x0000624ef4f51dd6 in Window_funcs_sort::exec (this=0x7d320c07cba0, join=0x7d320c01cf38, keep_filesort_result=true)at /test/12.1_dbg/sql/sql_window.cc:3096
#11 0x0000624ef4f52811 in Window_funcs_computation::exec (this=0x7d320c021e10, join=0x7d320c01cf38, keep_last_filesort_result=true)at /test/12.1_dbg/sql/sql_window.cc:3225
#12 0x0000624ef4ca5246 in AGGR_OP::end_send (this=0x7d320c021df0)at /test/12.1_dbg/sql/sql_select.cc:33635
#13 0x0000624ef4c7ab10 in sub_select_postjoin_aggr (join=0x7d320c01cf38, join_tab=0x7d320c07bef0, end_of_records=true)at /test/12.1_dbg/sql/sql_select.cc:24144
#14 0x0000624ef4c58c66 in sub_select (join=0x7d320c01cf38, join_tab=0x7d320c07ba78, end_of_records=true)at /test/12.1_dbg/sql/sql_select.cc:24399
#15 0x0000624ef4c58c66 in sub_select (join=0x7d320c01cf38, join_tab=0x7d320c07b600, end_of_records=true)at /test/12.1_dbg/sql/sql_select.cc:24399
#16 0x0000624ef4c80831 in do_select (join=0x7d320c01cf38, procedure=0x0)at /test/12.1_dbg/sql/sql_select.cc:23979
#17 0x0000624ef4c7fb91 in JOIN::exec_inner (this=0x7d320c01cf38)at /test/12.1_dbg/sql/sql_select.cc:5086
#18 0x0000624ef4c7ed8e in JOIN::exec (this=0x7d320c01cf38)at /test/12.1_dbg/sql/sql_select.cc:4874
#19 0x0000624ef4cb32cf in Sql_cmd_dml::execute_inner (this=0x7d320c01cd00, thd=0x7d320c000d58) at /test/12.1_dbg/sql/sql_select.cc:34785
#20 0x0000624ef4b762ed in Sql_cmd_delete::execute_inner (this=0x7d320c01cd00, thd=0x7d320c000d58) at /test/12.1_dbg/sql/sql_delete.cc:2102
#21 0x0000624ef4cb2e36 in Sql_cmd_dml::execute (this=0x7d320c01cd00, thd=0x7d320c000d58) at /test/12.1_dbg/sql/sql_select.cc:34719
#22 0x0000624ef4bf40cb in mysql_execute_command (thd=0x7d320c000d58, is_called_from_prepared_stmt=false) at /test/12.1_dbg/sql/sql_parse.cc:4399
#23 0x0000624ef4bea524 in mysql_parse (thd=0x7d320c000d58, rawbuf=0x7d320c019e80 "DELETE FROM t WHERE c IN (SELECT * FROM t) ORDER BY LAST_VALUE(t) OVER() IS NOT UNKNOWN", length=87, parser_state=0x7d3333f31a10)at /test/12.1_dbg/sql/sql_parse.cc:7883
#24 0x0000624ef4be78f8 in dispatch_command (command=COM_QUERY, thd=0x7d320c000d58, packet=0x7d320c00b1f9 "DELETE FROM t WHERE c IN (SELECT * FROM t) ORDER BY LAST_VALUE(t) OVER() IS NOT UNKNOWN", packet_length=87, blocking=true)at /test/12.1_dbg/sql/sql_parse.cc:1878
#25 0x0000624ef4beb0d3 in do_command (thd=0x7d320c000d58, blocking=true)at /test/12.1_dbg/sql/sql_parse.cc:1417
#26 0x0000624ef4e0a139 in do_handle_one_connection (connect=0x624ef72b8e18, put_in_cache=true) at /test/12.1_dbg/sql/sql_connect.cc:1414
#27 0x0000624ef4e09ede in handle_one_connection (arg=0x624ef71ce4d8)at /test/12.1_dbg/sql/sql_connect.cc:1326
#28 0x00007d333ae9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#29 0x00007d333af29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

CS 11.4.9 03b31c0bd99390c1984f19a19f22dd6e77b7692e (Debug, Clang 18.1.3-1) Build 08/08/2025
mariadbd: /test/11.4_dbg/sql/sql_select.cc:21840: TABLE Create_tmp_table::start(THD , TMP_TABLE_PARAM , const LEX_CSTRING ): Assertion `m_alloced_field_count' failed.

CS 11.4.9 03b31c0bd99390c1984f19a19f22dd6e77b7692e (Debug, Clang 18.1.3-1) Build 08/08/2025
Core was generated by `/test/MD080825-mariadb-11.4.9-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44

[Current thread is 1 (LWP 2715114)]
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
#3 0x00007adffb24526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
#4 0x00007adffb2288ff in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007adffb22881b in __assert_fail_base (fmt=0x7adffb3d01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x6364c4004a2f "m_alloced_field_count", file=file@entry=0x6364c3f554fd "/test/11.4_dbg/sql/sql_select.cc", line=line@entry=21840, function=function@entry=0x6364c3f1f6ff "TABLE Create_tmp_table::start(THD , TMP_TABLE_PARAM , const LEX_CSTRING )") at ./assert/assert.c:94
#6 0x00007adffb23b507 in __assert_fail (assertion=0x6364c4004a2f "m_alloced_field_count", file=0x6364c3f554fd "/test/11.4_dbg/sql/sql_select.cc", line=21840, function=0x6364c3f1f6ff "TABLE Create_tmp_table::start(THD , TMP_TABLE_PARAM , const LEX_CSTRING )") at ./assert/assert.c:103
#7 0x00006364c4c42655 in Create_tmp_table::start (this=0x7adff8ed8608, thd=0x7adeb0000d58, param=0x7adeb0021878, table_alias=0x6364c59ce8b0 <empty_clex_str>)at /test/11.4_dbg/sql/sql_select.cc:21840
#8 0x00006364c4c1e4ba in create_tmp_table (thd=0x7adeb0000d58, param=0x7adeb0021878, fields=@0x7adeb001cd08: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x6364c5c91d98 <end_of_list>, last = 0x7adeb001cd08, elements = 0}, <No data fields>}, group=0x0, distinct=false, save_sum_fields=false, select_options=37383395344512, rows_limit=18446744073709551615, table_alias=0x6364c59ce8b0 <empty_clex_str>, do_not_open=true, keep_row_order=false) at /test/11.4_dbg/sql/sql_select.cc:22724
#9 0x00006364c4c1f970 in JOIN::create_postjoin_aggr_table (this=0x7adeb001c960, tab=0x7adeb0078560, table_fields=0x7adeb001cd08, table_group=0x0, save_sum_fields=false, distinct=false, keep_row_order=false) at /test/11.4_dbg/sql/sql_select.cc:4352
#10 0x00006364c4c1c0c6 in JOIN::make_aggr_tables_info (this=0x7adeb001c960)at /test/11.4_dbg/sql/sql_select.cc:3912
#11 0x00006364c4c08e89 in JOIN::optimize_stage2 (this=0x7adeb001c960)at /test/11.4_dbg/sql/sql_select.cc:3520
#12 0x00006364c4c0b73c in JOIN::optimize_inner (this=0x7adeb001c960)at /test/11.4_dbg/sql/sql_select.cc:2751
#13 0x00006364c4c069e8 in JOIN::optimize (this=0x7adeb001c960)at /test/11.4_dbg/sql/sql_select.cc:2019
#14 0x00006364c4c56b77 in Sql_cmd_dml::execute_inner (this=0x7adeb001c7e8, thd=0x7adeb0000d58) at /test/11.4_dbg/sql/sql_select.cc:34525
#15 0x00006364c4b2f8c6 in Sql_cmd_delete::execute_inner (this=0x7adeb001c7e8, thd=0x7adeb0000d58) at /test/11.4_dbg/sql/sql_delete.cc:1836
#16 0x00006364c4c56796 in Sql_cmd_dml::execute (this=0x7adeb001c7e8, thd=0x7adeb0000d58) at /test/11.4_dbg/sql/sql_select.cc:34472
#17 0x00006364c4b9906d in mysql_execute_command (thd=0x7adeb0000d58, is_called_from_prepared_stmt=false) at /test/11.4_dbg/sql/sql_parse.cc:4420
#18 0x00006364c4b8f3a4 in mysql_parse (thd=0x7adeb0000d58, rawbuf=0x7adeb0019a50 "DELETE FROM t WHERE c IN (SELECT * FROM t) ORDER BY LAST_VALUE(t) OVER() IS NOT UNKNOWN", length=87, parser_state=0x7adff8edaa30)at /test/11.4_dbg/sql/sql_parse.cc:7897
#19 0x00006364c4b8c854 in dispatch_command (command=COM_QUERY, thd=0x7adeb0000d58, packet=0x7adeb000af69 "DELETE FROM t WHERE c IN (SELECT * FROM t) ORDER BY LAST_VALUE(t) OVER() IS NOT UNKNOWN", packet_length=87, blocking=true)at /test/11.4_dbg/sql/sql_parse.cc:1905
#20 0x00006364c4b8ff53 in do_command (thd=0x7adeb0000d58, blocking=true)at /test/11.4_dbg/sql/sql_parse.cc:1418
#21 0x00006364c4da1a09 in do_handle_one_connection (connect=0x6364c7e9c508, put_in_cache=true) at /test/11.4_dbg/sql/sql_connect.cc:1408
#22 0x00006364c4da17a2 in handle_one_connection (arg=0x6364c7f87628)at /test/11.4_dbg/sql/sql_connect.cc:1320
#23 0x00007adffb29ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#24 0x00007adffb329c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

CS 11.4.9 03b31c0bd99390c1984f19a19f22dd6e77b7692e (Optimized, Clang 18.1.3-1) Build 08/08/2025
Core was generated by `/test/MD080825-mariadb-11.4.9-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 Item_field::Item_field (this=0x73d2fc056320, thd=0x73d2fc000c68, f=0x0)at /test/11.4_opt/sql/item.cc:3138

[Current thread is 1 (LWP 3236034)]
(gdb) bt
#0 Item_field::Item_field (this=0x73d2fc056320, thd=0x73d2fc000c68, f=0x0)at /test/11.4_opt/sql/item.cc:3138
#1 0x00005b88adbc9a52 in Window_funcs_sort::setup (this=this@entry=0x73d2fc01f1c8, thd=thd@entry=0x73d2fc000c68, sel=sel@entry=0x0, it=@0x73d4481fda18: {<base_list_iterator> = {list = 0x73d2fc005c20, el = 0x73d2fc019ec0, prev = 0x73d2fc005c20, current = 0x73d2fc019ec0}, <No data fields>}, join_tab=join_tab@entry=0x73d2fc055860)at /test/11.4_opt/sql/sql_window.cc:3151
#2 0x00005b88adbca634 in Window_funcs_computation::setup (this=0x73d2fc01f1a8, thd=0x73d2fc000c68, window_funcs=0x73d2fc005c20, tab=0x73d2fc055860) at /test/11.4_opt/sql/sql_window.cc:3193
#3 0x00005b88ada01ff4 in JOIN::make_aggr_tables_info (this=this@entry=0x73d2fc01a170) at /test/11.4_opt/sql/sql_select.cc:4279
#4 0x00005b88ad9f3b37 in JOIN::optimize_stage2 (this=this@entry=0x73d2fc01a170) at /test/11.4_opt/sql/sql_select.cc:3520
#5 0x00005b88ad9f4ee9 in JOIN::optimize_inner (this=this@entry=0x73d2fc01a170)at /test/11.4_opt/sql/sql_select.cc:2751
#6 0x00005b88ad9f2774 in JOIN::optimize (this=this@entry=0x73d2fc01a170)at /test/11.4_opt/sql/sql_select.cc:2019
#7 0x00005b88ada2c548 in Sql_cmd_dml::execute_inner (this=<optimized out>, thd=0x73d2fc000c68) at /test/11.4_opt/sql/sql_select.cc:34525
#8 0x00005b88ad96e072 in Sql_cmd_delete::execute_inner (this=0x73d2fc019ff8, thd=0x73d2fc000c68) at /test/11.4_opt/sql/sql_delete.cc:1836
#9 0x00005b88ada2c36b in Sql_cmd_dml::execute (this=0x73d2fc019ff8, thd=0x73d2fc000c68) at /test/11.4_opt/sql/sql_select.cc:34472
#10 0x00005b88ad9b037c in mysql_execute_command (thd=thd@entry=0x73d2fc000c68, is_called_from_prepared_stmt=false) at /test/11.4_opt/sql/sql_parse.cc:4420
#11 0x00005b88ad9abc31 in mysql_parse (thd=thd@entry=0x73d2fc000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x73d4481fe490)at /test/11.4_opt/sql/sql_parse.cc:7897
#12 0x00005b88ad9aa0e9 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x73d2fc000c68, packet=packet@entry=0x73d2fc008779 "DELETE FROM t WHERE c IN (SELECT * FROM t) ORDER BY LAST_VALUE(t) OVER() IS NOT UNKNOWN", packet_length=packet_length@entry=87, blocking=true)at /test/11.4_opt/sql/sql_parse.cc:1905
#13 0x00005b88ad9ac041 in do_command (thd=thd@entry=0x73d2fc000c68, blocking=true) at /test/11.4_opt/sql/sql_parse.cc:1418
#14 0x00005b88adaf9ddd in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5b88af4ba608, put_in_cache=true)at /test/11.4_opt/sql/sql_connect.cc:1408
#15 0x00005b88adaf9ba3 in handle_one_connection (arg=arg@entry=0x5b88af4ba608)at /test/11.4_opt/sql/sql_connect.cc:1320
#16 0x00005b88adcaa51e in pfs_spawn_thread (arg=0x5b88af4e42a8)at /test/11.4_opt/storage/perfschema/pfs.cc:2201
#17 0x000073d44b89ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#18 0x000073d44b929c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.6 dbg 080825 13f337ce1f295f4aac75db681e00c71f2bf8acaf No bug found
CS 10.6 opt 080825 13f337ce1f295f4aac75db681e00c71f2bf8acaf No bug found
CS 10.11 dbg 080825 c45a34b2fb10e4e8f768e7e5fe846e9592eb6ea8 No bug found
CS 10.11 opt 080825 c45a34b2fb10e4e8f768e7e5fe846e9592eb6ea8 No bug found
CS 11.4 dbg 080825 03b31c0bd99390c1984f19a19f22dd6e77b7692e m_alloced_field_count\|SIGABRT\|Create_tmp_table::start\|create_tmp_table\|JOIN::create_postjoin_aggr_table\|JOIN::make_aggr_tables_info
CS 11.4 opt 080825 03b31c0bd99390c1984f19a19f22dd6e77b7692e SIGSEGV\|Item_field::Item_field\|Window_funcs_sort::setup\|Window_funcs_computation::setup\|JOIN::make_aggr_tables_info
CS 11.8 dbg 080825 1a446ccc48528e88a3cd6cd1d1ec9e7492d342ca item_sum->fixed()\|SIGABRT\|add_special_frame_cursors\|get_window_functions_required_cursors\|Window_func_runner::exec\|Window_funcs_sort::exec
CS 11.8 opt 080825 1a446ccc48528e88a3cd6cd1d1ec9e7492d342ca No bug found
CS 12.1 dbg 080825 033471a367b4c60b7262e64f43f46b02e95b9d74 item_sum->fixed()\|SIGABRT\|add_special_frame_cursors\|get_window_functions_required_cursors\|Window_func_runner::exec\|Window_funcs_sort::exec
CS 12.1 opt 080825 033471a367b4c60b7262e64f43f46b02e95b9d74 No bug found
CS 12.2 dbg 080825 e02f4d7e311e214ea62ff2e59599849e229f4165 item_sum->fixed()\|SIGABRT\|add_special_frame_cursors\|get_window_functions_required_cursors\|Window_func_runner::exec\|Window_funcs_sort::exec
CS 12.2 opt 080825 e02f4d7e311e214ea62ff2e59599849e229f4165 No bug found
ES 10.5 dbg 080825 70586522eacf09d04d49962072e14325a75d8155 No bug found
ES 10.5 opt 080825 70586522eacf09d04d49962072e14325a75d8155 No bug found
ES 10.6 dbg 080825 9b794f34b48fb7eee490b6da44edc0f33a947447 No bug found
ES 10.6 opt 080825 9b794f34b48fb7eee490b6da44edc0f33a947447 No bug found
ES 11.4 dbg 080825 a1c03ccd54b582e75506687ee19b273ca897f261 m_alloced_field_count\|SIGABRT\|Create_tmp_table::start\|create_tmp_table\|JOIN::create_postjoin_aggr_table\|JOIN::make_aggr_tables_info
ES 11.4 opt 080825 a1c03ccd54b582e75506687ee19b273ca897f261 SIGSEGV\|Item_field::Item_field\|Window_funcs_sort::setup\|Window_funcs_computation::setup\|JOIN::make_aggr_tables_info
ES 11.8 dbg 080825 4cdf75ab6ba37d4e7e208690785e880ed3176f2f item_sum->fixed()\|SIGABRT\|add_special_frame_cursors\|get_window_functions_required_cursors\|Window_func_runner::exec\|Window_funcs_sort::exec
ES 11.8 opt 080825 4cdf75ab6ba37d4e7e208690785e880ed3176f2f No bug found
MS 5.5 dbg 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
MS 5.5 opt 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
MS 5.6 dbg 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
MS 5.6 opt 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
MS 5.7 dbg 070525 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
MS 5.7 opt 070525 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
MS 8.0 dbg 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
MS 8.0 opt 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
MS 9.1 dbg 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found
MS 9.1 opt 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found

CS 11.4.9 03b31c0bd99390c1984f19a19f22dd6e77b7692e (Optimized, UBASAN, Clang 21.1.0-20250811) Build 22/08/2025
/test/11.4_opt_san/sql/item.cc:3138:38: runtime error: member access within null pointer of type 'Field'
#0 0x6344d10c28f2 in Item_field::Item_field(THD, Field) /test/11.4_opt_san/sql/item.cc:3138:38
#1 0x6344d28decd5 in Window_funcs_sort::setup(THD, SQL_SELECT, List_iterator<Item_window_func>&, st_join_table*) /test/11.4_opt_san/sql/sql_window.cc:3151:29
#2 0x6344d28e0cda in Window_funcs_computation::setup(THD, List<Item_window_func>, st_join_table*) /test/11.4_opt_san/sql/sql_window.cc:3193:14
#3 0x6344d1f2cb60 in JOIN::make_aggr_tables_info() /test/11.4_opt_san/sql/sql_select.cc:4279:38
#4 0x6344d1eca40d in JOIN::optimize_stage2() /test/11.4_opt_san/sql/sql_select.cc:3520:7
#5 0x6344d1ed04ca in JOIN::optimize_inner() /test/11.4_opt_san/sql/sql_select.cc:2751:9
#6 0x6344d1ec2c03 in JOIN::optimize() /test/11.4_opt_san/sql/sql_select.cc:2019:10
#7 0x6344d2040eeb in Sql_cmd_dml::execute_inner(THD*) /test/11.4_opt_san/sql/sql_select.cc:34525:13
#8 0x6344d1bc28d9 in Sql_cmd_delete::execute_inner(THD*) /test/11.4_opt_san/sql/sql_delete.cc:1836:39
#9 0x6344d203ff84 in Sql_cmd_dml::execute(THD*) /test/11.4_opt_san/sql/sql_select.cc:34472:9
#10 0x6344d1d3a0bc in mysql_execute_command(THD*, bool) /test/11.4_opt_san/sql/sql_parse.cc:4420:27
#11 0x6344d1d1cd94 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.4_opt_san/sql/sql_parse.cc:7897:18
#12 0x6344d1d1503d in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.4_opt_san/sql/sql_parse.cc:1905:7
#13 0x6344d1d1eca1 in do_command(THD*, bool) /test/11.4_opt_san/sql/sql_parse.cc:1418:17
#14 0x6344d2511fec in do_handle_one_connection(CONNECT*, bool) /test/11.4_opt_san/sql/sql_connect.cc:1408:11
#15 0x6344d2511b0a in handle_one_connection /test/11.4_opt_san/sql/sql_connect.cc:1320:5
#16 0x6344d0dca13a in asan_thread_start(void*) crtstuff.c
#17 0x7ee1a7e9ca93 in start_thread nptl/pthread_create.c:447:8
#18 0x7ee1a7f29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/11.4_opt_san/sql/item.cc:3138:38

Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:

  # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18

     sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18

Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter

SAN Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.6 dbg 220825 1d84cb272f4bc223b4df05dae9b3669eb506b3bd No bug found
CS 10.6 opt 220825 1d84cb272f4bc223b4df05dae9b3669eb506b3bd No bug found
CS 10.11 dbg 220825 ba9e8ebdbe903aa6f8b4f388356085dfd2df91a8 No bug found
CS 10.11 opt 220825 ba9e8ebdbe903aa6f8b4f388356085dfd2df91a8 No bug found
CS 11.4 dbg 220825 03b31c0bd99390c1984f19a19f22dd6e77b7692e m_alloced_field_count\|SIGABRT\|Create_tmp_table::start\|create_tmp_table\|JOIN::create_postjoin_aggr_table\|JOIN::make_aggr_tables_info
CS 11.4 opt 220825 03b31c0bd99390c1984f19a19f22dd6e77b7692e UBSAN\|member access within null pointer of type 'Field'\|sql/item.cc\|Item_field::Item_field\|Window_funcs_sort::setup\|Window_funcs_computation::setup\|JOIN::make_aggr_tables_info
CS 11.8 dbg 220825 1a446ccc48528e88a3cd6cd1d1ec9e7492d342ca item_sum->fixed()\|SIGABRT\|add_special_frame_cursors\|get_window_functions_required_cursors\|Window_func_runner::exec\|Window_funcs_sort::exec
CS 11.8 opt 220825 1a446ccc48528e88a3cd6cd1d1ec9e7492d342ca No bug found
CS 12.1 dbg 220825 033471a367b4c60b7262e64f43f46b02e95b9d74 item_sum->fixed()\|SIGABRT\|add_special_frame_cursors\|get_window_functions_required_cursors\|Window_func_runner::exec\|Window_funcs_sort::exec
CS 12.1 opt 220825 033471a367b4c60b7262e64f43f46b02e95b9d74 No bug found
CS 12.2 dbg 220825 e02f4d7e311e214ea62ff2e59599849e229f4165 item_sum->fixed()\|SIGABRT\|add_special_frame_cursors\|get_window_functions_required_cursors\|Window_func_runner::exec\|Window_funcs_sort::exec
CS 12.2 opt 220825 e02f4d7e311e214ea62ff2e59599849e229f4165 No bug found
ES 10.5 dbg 230825 70586522eacf09d04d49962072e14325a75d8155 No bug found
ES 10.5 opt 230825 70586522eacf09d04d49962072e14325a75d8155 No bug found
ES 10.6 dbg 230825 9b794f34b48fb7eee490b6da44edc0f33a947447 No bug found
ES 10.6 opt 230825 9b794f34b48fb7eee490b6da44edc0f33a947447 No bug found
ES 11.4 dbg 220825 a1c03ccd54b582e75506687ee19b273ca897f261 m_alloced_field_count\|SIGABRT\|Create_tmp_table::start\|create_tmp_table\|JOIN::create_postjoin_aggr_table\|JOIN::make_aggr_tables_info
ES 11.4 opt 220825 a1c03ccd54b582e75506687ee19b273ca897f261 UBSAN\|member access within null pointer of type 'Field'\|sql/item.cc\|Item_field::Item_field\|Window_funcs_sort::setup\|Window_funcs_computation::setup\|JOIN::make_aggr_tables_info
ES 11.8 dbg 220825 4cdf75ab6ba37d4e7e208690785e880ed3176f2f item_sum->fixed()\|SIGABRT\|add_special_frame_cursors\|get_window_functions_required_cursors\|Window_func_runner::exec\|Window_funcs_sort::exec
ES 11.8 opt 220825 4cdf75ab6ba37d4e7e208690785e880ed3176f2f No bug found

Assertion `item_sum->fixed()' in add_special_frame_cursors, `m_alloced_field_count' in Create_tmp_table::start, SIGSEGV in Item_field::Item_field, UBSAN null-pointer-use in Item_field::Item_field

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration