  1. MariaDB Server
  2. MDEV-39224

SIGSEGV in hp_rec_key_cmp when query combines INTERSECT + UNION ALL + EXCEPT ALL set operations

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 12.0.1
    • N/A
    • N/A
    • None
    • Not for Release Notes

    Description

        Environment

      | Item | Value |
      |------|-------|
      | Server version | 12.0.1-MariaDB-debug |
      | Source revision | ecb7c9b692811f96cfa54add61012a701c47523d |
      | OS | Linux 6.6.98-40.6.tl4.x86_64 (TencentOS) |
      | Compiler | GCC 12.3.1 |
      | Architecture | x86_64 |
      | InnoDB | UNIV_DEBUG switched on |

        Description

      MariaDB server crashes with SIGSEGV (signal 11) when a query combines three set operations in the specific order: *INTERSECT ... UNION ALL ... EXCEPT ALL*. The crash occurs during query execution in the HEAP storage engine's hash index key comparison function, triggered when `select_unit_ext` sends rows to an internal temporary table for deduplication.

      *Expected behavior:* The query should return the correct result set without crashing.

      *Actual behavior:* Server crashes with SIGSEGV during execution.

        Minimal Reproducible Case

      *No tables required — the crash occurs with a pure literal query:*

      ```sql
      SELECT 1 INTERSECT SELECT 1 UNION ALL SELECT 1 EXCEPT ALL SELECT 1;
      ```

        Stack Trace

      ```
      Thread pointer: 0x7fe27c000dc8
      stack_bottom = 0x7fe2b4544000 thread_stack 0x49000
      mysys/stacktrace.c:215(my_print_stacktrace)
      sql/signal_handler.cc:230(handle_fatal_signal)
      /lib64/libc.so.6(+0x18f30)
      heap/hp_hash.c:389(hp_rec_key_cmp) ← CRASH POINT
      heap/ha_heap.cc:863(ha_heap::find_unique_row(unsigned char*, unsigned int))
      sql/sql_union.cc:669(select_unit_ext::send_data(List<Item>&)) ← ENTRY TO BUG PATH
      sql/sql_class.cc:3225(select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long))
      sql/sql_select.cc:25628(end_send(JOIN*, st_join_table*, bool))
      sql/sql_select.cc:24515(evaluate_join_record(JOIN*, st_join_table*, int))
      sql/sql_select.cc:24282(sub_select(JOIN*, st_join_table*, bool))
      sql/sql_select.cc:23793(do_select(JOIN*, Procedure*))
      sql/sql_select.cc:5059(JOIN::exec_inner())
      sql/sql_select.cc:4842(JOIN::exec())
      sql/sql_union.cc:2437(st_select_lex_unit::exec_inner())
      sql/sql_union.cc:2342(st_select_lex_unit::exec())
      sql/sql_union.cc:45(mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long))
      sql/sql_select.cc:623(handle_select(THD*, LEX*, select_result*, unsigned long long))
      sql/sql_parse.cc:4676(mysql_execute_command(THD*, bool))
      sql/sql_parse.cc:7915(mysql_parse(THD*, char*, unsigned int, Parser_state*))
      sql/sql_parse.cc:1902(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))
      sql/sql_parse.cc:1415(do_command(THD*, bool))
      sql/sql_connect.cc:1415(do_handle_one_connection(CONNECT*, bool))
      sql/sql_connect.cc:1329(handle_one_connection)
      /lib64/libc.so.6(+0x69277)
      /lib64/libc.so.6(+0xf083c)
      ```
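
Since this report was closed as a duplicate, the following added example (not part of the original report and not MariaDB tooling) shows one way to derive a line-number-independent crash signature from a trace in the format above, so that reports hitting the same path can be matched. The names `parse_frames` and `crash_signature`, the three-frame depth, and the list of reporting frames to skip are assumptions; the sample is constructed from the top frames of the trace above.

```python
import hashlib
import re

# Constructed sample: top frames of the trace above, reporter annotations removed.
SAMPLE_TRACE = """\
mysys/stacktrace.c:215(my_print_stacktrace)
sql/signal_handler.cc:230(handle_fatal_signal)
/lib64/libc.so.6(+0x18f30)
heap/hp_hash.c:389(hp_rec_key_cmp)
heap/ha_heap.cc:863(ha_heap::find_unique_row(unsigned char*, unsigned int))
sql/sql_union.cc:669(select_unit_ext::send_data(List<Item>&))
sql/sql_class.cc:3225(select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long))
"""

# Resolved frames look like "dir/file.cc:LINE(symbol)". Unresolved frames such
# as "/lib64/libc.so.6(+0x18f30)" carry no ":LINE" and are skipped.
FRAME_RE = re.compile(
    r"^\s*(?P<file>[\w./+-]+\.(?:c|cc|cpp|h|ic)):(?P<line>\d+)\((?P<sym>.+)\)"
)

# Frames that belong to crash reporting itself, not to the faulting code path.
REPORTING_FRAMES = {"my_print_stacktrace", "handle_fatal_signal"}


def parse_frames(trace):
    """Return [(file, line, function)] for resolved, non-reporting frames."""
    frames = []
    for raw in trace.splitlines():
        m = FRAME_RE.match(raw)
        if not m:
            continue
        func = m.group("sym").split("(", 1)[0]  # drop the argument list
        if func in REPORTING_FRAMES:
            continue
        frames.append((m.group("file"), int(m.group("line")), func))
    return frames


def crash_signature(trace, depth=3):
    """Hash file and function of the top frames; line numbers are left out
    so the signature survives unrelated edits to the same source files."""
    top = parse_frames(trace)[:depth]
    key = "|".join(f"{path}:{func}" for path, _, func in top)
    return top, hashlib.sha256(key.encode()).hexdigest()[:16]


if __name__ == "__main__":
    top, sig = crash_signature(SAMPLE_TRACE)
    print("crash frame:", top[0])
    print("signature:  ", sig)
```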

            People

              Assignee: Unassigned
              Reporter: chunlingqin