[MDEV-37646] Server crash at Item::save_decimal_in_field - Jira

XML

Word

Printable

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.6, 10.11, 11.4, 11.8, 12.1, 12.1.1
Fix Version/s: 10.6, 10.11, 11.4, 11.8, 12.1
Component/s: Optimizer - CTE, Optimizer - Window functions
Labels:
- Crash
- crash
Environment:
Ubuntu 20.04 x86-64, docker image mariadb:12.1.1

Description

PoC:

SELECT ( WITH RECURSIVE x ( x ) AS ( SELECT 1 INTERSECT SELECT x -125 FROM x ) SELECT instr ( 3.100000 , 10 ) FROM x WHERE x IN ( SELECT ( ( SELECT ( AVG ( x ) ) ) - AVG ( x ) OVER ( ) ) FROM ( SELECT 3.100000 ) x ) ) x

docker log:

#0 0x5593f9618521 (_ZN4Item21save_decimal_in_fieldEP5Fieldb+0xc1)

#1 0x5593f9618741 (_ZN4Item13save_in_fieldEP5Fieldb+0x51)

#2 0x5593f91f2311 (_Z15end_write_groupP4JOINP13st_join_tableb+0x231)

#3 0x5593f91f4016 (_ZN7AGGR_OP8end_sendEv+0xb6)

#4 0x5593f91b88b5 (_Z24sub_select_postjoin_aggrP4JOINP13st_join_tableb+0xc5)

#5 0x5593f91bfaa5 (_ZN4JOIN10exec_innerEv+0x1505)

#6 0x5593f91be4b6 (_ZN4JOIN4execEv+0x66)

#7 0x5593f976a16b (_ZN30subselect_single_select_engine4execEv+0x5ab)

#8 0x5593f975ac9d (_ZN17Item_in_subselect4execEv+0xbd)

#9 0x5593f975f02c (_ZN17Item_in_subselect8val_boolEv+0x6c)

#10 0x5593f9649bcf (_ZN17Item_in_optimizer8val_boolEv+0x1ef)

#11 0x5593f96285a8 (_ZN15Item_cache_bool11cache_valueEv+0x68)

#12 0x5593f9622e31 (_ZN18Item_cache_wrapper8val_boolEv+0x151)

#13 0x5593f91f4a42 (_ZL20evaluate_join_recordP4JOINP13st_join_tablei+0xd2)

#14 0x5593f9188d46 (_Z10sub_selectP4JOINP13st_join_tableb+0x526)

#15 0x5593f91bfa29 (_ZN4JOIN10exec_innerEv+0x1489)

#16 0x5593f91be4b6 (_ZN4JOIN4execEv+0x66)

#17 0x5593f9189cd4 (_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x5e4)

#18 0x5593f90a6999 (_ZL18mysql_derived_fillP3THDP3LEXP10TABLE_LIST+0x419)

#19 0x5593f90a7418 (_Z27mysql_handle_single_derivedP3LEXP10TABLE_LISTj+0x158)

#20 0x5593f91e02d6 (_ZN13st_join_table12preread_initEv+0xe6)

#21 0x5593f9188a70 (_Z10sub_selectP4JOINP13st_join_tableb+0x250)

#22 0x5593f91bfa29 (_ZN4JOIN10exec_innerEv+0x1489)

#23 0x5593f91be4b6 (_ZN4JOIN4execEv+0x66)

#24 0x5593f9189cd4 (_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x5e4)

#25 0x5593f9189635 (_Z13handle_selectP3THDP3LEXP13select_resulty+0x265)

#26 0x5593f9129fc8 (_ZL21execute_sqlcom_selectP3THDP10TABLE_LIST+0x698)

#27 0x5593f9120095 (_Z21mysql_execute_commandP3THDb+0x3f65)

#28 0x5593f9115485 (_Z11mysql_parseP3THDPcjP12Parser_state+0x345)

#29 0x5593f91119d1 (_Z16dispatch_command19enum_server_commandP3THDPcjb+0x16b1)

#30 0x5593f9115cd1 (_Z10do_commandP3THDb+0x4b1)

#31 0x5593f934bb74 (_Z24do_handle_one_connectionP7CONNECTb+0x2a4)

#32 0x5593f934b7a3 (handle_one_connection+0xd3)

#33 0x5593f9a140b4 (pfs_spawn_thread+0x104)

#34 0x7c79b3226609 (start_thread+0xd9)

#35 0x7c79b2f48353 (clone+0x43)

Attachments

Issue Links

relates to

MDEV-26416 A SEGV in Field::set_notnull/Item::save_real_in_field

Confirmed

MDEV-36356 MariaDB crashes in Item::save_int_in_field and UBSAN member call on null pointer of type 'Field' upon executing a complex SELECT

Confirmed

Activity

People

Assignee:: Sergei Petrunia

Reporter:: Yuxiao Guo

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2025-09-11 12:30

Updated:: 2025-09-16 09:22

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.