[MDEV-38094] SIGSEGV in complex SQL analytical query - Jira

Details

Type: Bug
Status: Open (View Workflow)
Priority: Critical
Resolution: Unresolved
Affects Version/s: 10.6, 10.11, 11.4, 12.1(EOL), 12.2, 11.8
Fix Version/s: 10.11, 11.4, 11.8
Component/s: Optimizer
Labels:
None

Description

SET SESSION sql_buffer_result=1;

CREATE TABLE t (c INT);

INSERT INTO t() VALUES (1);

SET NAMES utf8,collation_connection=utf16le_bin;

(SELECT * FROM t GROUP BY EXISTS((SELECT 0) LOCK IN SHARE MODE)=c SOUNDS LIKE c=c=c IS NOT UNKNOWN FOR UPDATE SKIP LOCKED) ORDER BY c=c=AVG(DISTINCT ALL TRUE)=c IS NOT UNKNOWN && c SOUNDS LIKE c IS NOT UNKNOWN;

Leads to:

CS 12.2.0 16c8bcc09a22709fdb770ee267317dac1e033984 (Optimized, Clang 18.1.3-11) Build 14/10/2025
Core was generated by `/test/MD141025-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00005af7cf39f830 in vtable for Field_long ()
[Current thread is 1 (LWP 320996)]
(gdb) bt
#0 0x00005af7cf39f830 in vtable for Field_long ()
#1 0x00005af7ce53d0c4 in Item_func_soundex::val_str (this=0x7154a401bf48, str=0x7173800db020) at /test/main-MDEV-36290_opt/sql/item_strfunc.cc:2997
#2 0x00005af7ce3cc51c in Type_handler_string_result::Item_update_null_value (this=<optimized out>, item=0x7154a4055330)at /test/main-MDEV-36290_opt/sql/sql_type.cc:4366
#3 0x00005af7ce13a982 in Item_func::is_null (this=0x7154a4055330)at /test/main-MDEV-36290_opt/sql/item_func.h:248
#4 0x00005af7ce13b6fc in Item_bool_func2::is_null (this=0x7154a401c0f8)at /test/main-MDEV-36290_opt/sql/item_cmpfunc.h:490
#5 0x00005af7ce4d5df7 in Item_func_isnotnull::val_bool (this=<optimized out>)at /test/main-MDEV-36290_opt/sql/item_cmpfunc.cc:5941
#6 0x00005af7ce4af0dc in Item::save_bool_in_field (this=0x7154a4055330, field=0x7154a401c000, no_conversions=true)at /test/main-MDEV-36290_opt/sql/item.cc:7277
#7 0x00005af7ce4af162 in Item::save_in_field (this=0x7154a401c330, field=0x7154a406dde8, no_conversions=true)at /test/main-MDEV-36290_opt/sql/item.cc:7287
#8 0x00005af7ce27ca82 in copy_funcs (func_ptr=0x7154a406d7f8, thd=0x7154a4000c68) at /test/main-MDEV-36290_opt/sql/sql_select.cc:30097
#9 end_write (join=0x7154a401dc90, join_tab=0x7154a40599f0, end_of_records=<optimized out>)at /test/main-MDEV-36290_opt/sql/sql_select.cc:26088
#10 0x00005af7ce27d86b in evaluate_join_record (join=join@entry=0x7154a401dc90, join_tab=join_tab@entry=0x7154a4059578, error=<optimized out>) at /test/main-MDEV-36290_opt/sql/sql_select.cc:24699
#11 0x00005af7ce24613b in sub_select (join=0x7154a401dc90, join_tab=0x7154a4059578, end_of_records=<optimized out>)at /test/main-MDEV-36290_opt/sql/sql_select.cc:24466
#12 0x00005af7ce261323 in do_select (join=join@entry=0x7154a401dc90, procedure=<optimized out>)at /test/main-MDEV-36290_opt/sql/sql_select.cc:23977
#13 0x00005af7ce260d8a in JOIN::exec_inner (this=this@entry=0x7154a401dc90)at /test/main-MDEV-36290_opt/sql/sql_select.cc:5086
#14 0x00005af7ce246997 in JOIN::exec (this=0x7154a401dc90)at /test/main-MDEV-36290_opt/sql/sql_select.cc:4874
#15 mysql_select (thd=thd@entry=0x7154a4000c68, tables=<optimized out>, fields=@0x7154a401c870: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7154a401cbb8, last = 0x7154a401cbb8, elements = 1}, <No data fields>}, conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x7154a401dc68, unit=0x7154a4005090, select_lex=0x7154a401c5b8)at /test/main-MDEV-36290_opt/sql/sql_select.cc:5402
#16 0x00005af7ce246619 in handle_select (thd=thd@entry=0x7154a4000c68, lex=lex@entry=0x7154a4004fb0, result=result@entry=0x7154a401dc68, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/main-MDEV-36290_opt/sql/sql_select.cc:634
#17 0x00005af7ce213ab7 in execute_sqlcom_select (thd=thd@entry=0x7154a4000c68, all_tables=0x7154a401cbf8)at /test/main-MDEV-36290_opt/sql/sql_parse.cc:6167
#18 0x00005af7ce2125d1 in mysql_execute_command (thd=thd@entry=0x7154a4000c68, is_called_from_prepared_stmt=false)at /test/main-MDEV-36290_opt/sql/sql_parse.cc:3950
#19 0x00005af7ce20aa21 in mysql_parse (thd=thd@entry=0x7154a4000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7173800dc420)at /test/main-MDEV-36290_opt/sql/sql_parse.cc:7883
#20 0x00005af7ce208f3f in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7154a4000c68, packet=packet@entry=0x7154a40089f9 "", packet_length=packet_length@entry=209, blocking=true)at /test/main-MDEV-36290_opt/sql/sql_parse.cc:1878
#21 0x00005af7ce20ae31 in do_command (thd=thd@entry=0x7154a4000c68, blocking=true) at /test/main-MDEV-36290_opt/sql/sql_parse.cc:1417
#22 0x00005af7ce33877d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5af7fa3dd298, put_in_cache=true)at /test/main-MDEV-36290_opt/sql/sql_connect.cc:1414
#23 0x00005af7ce33853f in handle_one_connection (arg=arg@entry=0x5af7fa3dd298)at /test/main-MDEV-36290_opt/sql/sql_connect.cc:1326
#24 0x00005af7ce6e5d99 in pfs_spawn_thread (arg=0x5af7fa383308)at /test/main-MDEV-36290_opt/storage/perfschema/pfs.cc:2198
#25 0x0000717382a9caa4 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#26 0x0000717382b29c6c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.6 dbg 240925 e1f12f149c198829e130eacbeddc19dce3f55b3b n < m_size\|SIGABRT\|Bounds_checked_array<Item*>::operator[]\|Item::split_sum_func2\|Item_func::split_sum_func\|Item::split_sum_func2
CS 10.6 opt 240925 e1f12f149c198829e130eacbeddc19dce3f55b3b No bug found
CS 10.11 dbg 240925 990b44495c6345fa1198d2f7cb61839d1ada97ef n < m_size\|SIGABRT\|Bounds_checked_array<Item*>::operator[]\|Item::split_sum_func2\|Item_func::split_sum_func\|Item::split_sum_func2
CS 10.11 opt 240925 990b44495c6345fa1198d2f7cb61839d1ada97ef SIGABRT\|__libc_message_impl\|malloc_printerr\|_int_free_merge_chunk\|_int_free
CS 11.4 dbg 240925 e8ef8c005545f0163d76077e285c700e2822f533 n < m_size\|SIGABRT\|Bounds_checked_array<Item*>::operator[]\|Item::split_sum_func2\|Item_cond::split_sum_func\|JOIN::prepare
CS 11.4 opt 240925 e8ef8c005545f0163d76077e285c700e2822f533 No bug found
CS 11.8 dbg 240925 d203a8a5df95e2c5778a304a885fb7aedfbc095e n < m_size\|SIGABRT\|Bounds_checked_array<Item*>::operator[]\|Item::split_sum_func2\|Item_cond::split_sum_func\|JOIN::prepare
CS 11.8 opt 240925 d203a8a5df95e2c5778a304a885fb7aedfbc095e SIGSEGV\|Item_func_soundex::val_str\|Type_handler_string_result::Item_update_null_value\|Item_func::is_null\|Item_bool_func2::is_null
CS 12.1 dbg 240925 667c5e0b002a24bc595d60955950200a588f4fb7 n < m_size\|SIGABRT\|Bounds_checked_array<Item*>::operator[]\|Item::split_sum_func2\|Item_cond::split_sum_func\|JOIN::prepare
CS 12.1 opt 240925 667c5e0b002a24bc595d60955950200a588f4fb7 SIGSEGV\|vtable for Field_long\|Item_func_soundex::val_str\|Type_handler_string_result::Item_update_null_value\|Item_func::is_null
CS 12.2 dbg 141025 16c8bcc09a22709fdb770ee267317dac1e033984 n < m_size\|SIGABRT\|Bounds_checked_array<Item*>::operator[]\|Item::split_sum_func2\|Item_cond::split_sum_func\|JOIN::prepare
CS 12.2 dbg 240925 b8a77289639a3b10ada64cf892f02b5cecdb1603 n < m_size\|SIGABRT\|Bounds_checked_array<Item*>::operator[]\|Item::split_sum_func2\|Item_cond::split_sum_func\|JOIN::prepare
CS 12.2 opt 141025 16c8bcc09a22709fdb770ee267317dac1e033984 SIGSEGV\|vtable for Field_long\|Item_func_soundex::val_str\|Type_handler_string_result::Item_update_null_value\|Item_func::is_null
CS 12.2 opt 240925 b8a77289639a3b10ada64cf892f02b5cecdb1603 SIGSEGV\|vtable for Field_long\|Item_func_soundex::val_str\|Type_handler_string_result::Item_update_null_value\|Item_func::is_null
ES 10.6 dbg 240925 ed866636069dda51daa8570497926ae43af8aa24 n < m_size\|SIGABRT\|Bounds_checked_array<Item*>::operator[]\|Item::split_sum_func2\|Item_func::split_sum_func\|Item::split_sum_func2
ES 10.6 opt 240925 ed866636069dda51daa8570497926ae43af8aa24 SIGSEGV\|Item_func_soundex::val_str\|Type_handler_string_result::Item_update_null_value\|Item_func::is_null\|Item_bool_func2::is_null
ES 11.4 dbg 240925 0ddbffaced6c2b50ef4c6e0d8685b1fa25148875 n < m_size\|SIGABRT\|Bounds_checked_array<Item*>::operator[]\|Item::split_sum_func2\|Item_cond::split_sum_func\|JOIN::prepare
ES 11.4 opt 240925 0ddbffaced6c2b50ef4c6e0d8685b1fa25148875 No bug found
ES 11.8 dbg 240925 543157202acd67ac9b0bb50e0b35bf7790e5467d n < m_size\|SIGABRT\|Bounds_checked_array<Item*>::operator[]\|Item::split_sum_func2\|Item_cond::split_sum_func\|JOIN::prepare
ES 11.8 opt 240925 543157202acd67ac9b0bb50e0b35bf7790e5467d SIGSEGV\|Item_func_soundex::val_str\|Type_handler_string_result::Item_update_null_value\|Item_func::is_null\|Item_bool_func2::is_null

Attachments

Issue Links

relates to

MDEV-29210 Assertion `param->field_count > (uint) (copy - copy_start)' failed in setup_copy_fields, SIGSEGV in JOIN::make_sum_func_list and TABLE_LIST::is_active_sjm (ES), ASAN: use-after-poison in Copy_field::set

Confirmed

MDEV-32317 Prepare phase: Server crashes at Item_bool_rowready_func2::cleanup

Confirmed

SIGSEGV in complex SQL analytical query

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration