  1. MariaDB Server
  2. MDEV-40037

SIGSEGV in SEL_ARG::index_order_prev / SEL_ARG::store_min via optimizer_trace range printing in get_best_group_min_max


Details

    • Q3/2026 Server Maintenance

    Description

      CLI Testcase:

      -- Minimal reproducer: a single keyed VARCHAR(1) column c1, with a second
      -- index (idx1) declared on the same column, stored in InnoDB.
      CREATE TABLE t2 (c1 VARCHAR(1) KEY,INDEX idx1 (c1)) ENGINE=InnoDB;
      -- Four single-character rows.
      INSERT INTO t2 VALUES ('x'),('1'),('a'),('b');
      -- Session-level switch. Both backtraces in this report reach the fault
      -- through trace_ranges(), which is called from get_best_group_min_max().
      -- NOTE(review): with optimizer_trace left disabled this path is presumably
      -- not taken; confirm before relying on that as a workaround.
      SET optimizer_trace='enabled=on';
      -- Range condition on c1 built from RAND(), combined with GROUP BY c1.
      -- Per the backtraces the crash happens while this statement is being
      -- optimized (JOIN::optimize -> SQL_SELECT::test_quick_select ->
      -- get_best_group_min_max), i.e. before any rows are returned.
      SELECT 1 FROM t2 WHERE NOT c1<RAND() GROUP BY c1 LIMIT 3;

      MTR Testcase:

      # The table below uses ENGINE=InnoDB, so the test needs InnoDB.
      --source include/have_innodb.inc
      # Single keyed VARCHAR(1) column c1, with a second index (idx1) on the
      # same column.
      CREATE TABLE t2 (c1 VARCHAR(1) KEY,INDEX idx1 (c1)) ENGINE=InnoDB;
      # Four single-character rows.
      INSERT INTO t2 VALUES ('x'),('1'),('a'),('b');
      # Session-level switch. Both backtraces in this report reach the fault
      # through trace_ranges(), called from get_best_group_min_max().
      SET optimizer_trace='enabled=on';
      # Range condition on c1 built from RAND(), combined with GROUP BY c1.
      # Per the backtraces the server crashes while optimizing this statement.
      SELECT 1 FROM t2 WHERE NOT c1<RAND() GROUP BY c1 LIMIT 3;

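      Leads to a server crash (SIGSEGV) during query optimization. In the optimized build, memcpy() is called with __src=0x0 from SEL_ARG::store_min; in the debug build, SEL_ARG::index_order_prev runs with this=0xa5a5a5a5a5a5a5a5, which looks like a memory fill pattern rather than a valid object pointer. Both faults are reached from trace_ranges():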

      CS 13.1.0 02e1853c894906737fe0ea5f836adb087b1a72ad (Optimized, Clang 22.1.6-20260529) Build 05/06/2026

      Core was generated by `/test/MD050626-mariadb-13.1.0-linux-x86_64-opt/bin/mariadbd --no-defaults --loo'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __memcpy_evex_unaligned_erms ()at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:287
       
      [Current thread is 1 (LWP 1179827)]
      (gdb) bt
      #0  __memcpy_evex_unaligned_erms ()at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:287
      #1  0x000060171211a542 in memcpy (__dest=0x718430056ee0, __src=0x0, __len=6)at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
      #2  SEL_ARG::store_min (this=0x718430056f90, min_key=0x798570dfacc0, length=<optimized out>, min_key_flag=<optimized out>)at /test/13.0_opt/sql/opt_range.h:539
      #3  SEL_ARG::store_min_max (this=this@entry=0x718430056f90, kp=<optimized out>, length=6, min_key=0x798570dfacc0, min_flag=0, max_key=0x798570dfacc8, max_flag=0, min_part=0x798570dfacd8, max_part=0x798570dfacdc) at /test/13.0_opt/sql/opt_range.h:575
      #4  0x00006017120fc4fa in step_down_to (arg=arg@entry=0x798570dfac78, key_tree=key_tree@entry=0x718430056f90)at /test/13.0_opt/sql/opt_range_mrr.cc:110
      #5  0x00006017120fc110 in sel_arg_range_seq_next (rseq=rseq@entry=0x798570dfac78, range=range@entry=0x798570dfb1c0)at /test/13.0_opt/sql/opt_range_mrr.cc:242
      #6  0x00006017120ff3f3 in trace_ranges (range_trace=range_trace@entry=0x798570dfb430, param=param@entry=0x798570dfcf20, idx=0, keypart=keypart@entry=0x718430056f90, key_parts=0x718430029740)at /test/13.0_opt/sql/opt_range.cc:17671
      #7  0x0000601712106fe3 in get_best_group_min_max (param=param@entry=0x798570dfcf20, tree=tree@entry=0x718430056f00, read_time=<optimized out>) at /test/13.0_opt/sql/opt_range.cc:15185
      #8  0x0000601712100f4c in SQL_SELECT::test_quick_select (this=this@entry=0x71843001cba0, thd=thd@entry=0x718430000c70, keys_to_use=<optimized out>, prev_tables=<optimized out>, limit=3, force_quick_range=<optimized out>, ordered_output=<optimized out>, remove_false_parts_of_where=<optimized out>, only_single_index_range_scan=<optimized out>, note_unusable_keys=Item_func::BITMAP_ALL)at /test/13.0_opt/sql/opt_range.cc:3146
      #9  0x00006017122380e6 in make_join_select (join=join@entry=0x718430019bd0, select=0x71843001ca00, cond=0x718430018e00)at /test/13.0_opt/sql/sql_select.cc:14833
      #10 0x0000601712230523 in JOIN::optimize_stage2 (this=this@entry=0x718430019bd0) at /test/13.0_opt/sql/sql_select.cc:3069
      #11 0x000060171222f62f in JOIN::optimize_inner (this=this@entry=0x718430019bd0)at /test/13.0_opt/sql/sql_select.cc:2789
      #12 0x00006017122288c9 in JOIN::optimize (this=0x718430019bd0)at /test/13.0_opt/sql/sql_select.cc:2016
      #13 mysql_select (thd=thd@entry=0x718430000c70, tables=<optimized out>, fields=@0x718430017ef8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7184300181d0, last = 0x7184300181d0, elements = 1}, <No data fields>}, conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=0x718430019180, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x718430019ba0, unit=0x7184300051b8, select_lex=0x718430017c40)at /test/13.0_opt/sql/sql_select.cc:5425
      #14 0x0000601712228360 in handle_select (thd=thd@entry=0x718430000c70, lex=lex@entry=0x7184300050d8, result=result@entry=0x718430019ba0, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/13.0_opt/sql/sql_select.cc:636
      #15 0x00006017121f6057 in execute_sqlcom_select (thd=thd@entry=0x718430000c70, all_tables=0x718430018240) at /test/13.0_opt/sql/sql_parse.cc:6217
      #16 0x00006017121f1a89 in mysql_execute_command (thd=thd@entry=0x718430000c70, is_called_from_prepared_stmt=false) at /test/13.0_opt/sql/sql_parse.cc:3991
      #17 0x00006017121ecdad in mysql_parse (thd=thd@entry=0x718430000c70, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x798570dfe4f0)at /test/13.0_opt/sql/sql_parse.cc:7945
      #18 0x00006017121eb57f in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x718430000c70, packet=packet@entry=0x718430008d91 "SELECT 1 FROM t2 WHERE NOT c1<RAND() GROUP BY c1 LIMIT 3", packet_length=packet_length@entry=56, blocking=true)at /test/13.0_opt/sql/sql_parse.cc:1903
      #19 0x00006017121ed230 in do_command (thd=thd@entry=0x718430000c70, blocking=true) at /test/13.0_opt/sql/sql_parse.cc:1437
      #20 0x00006017123151fd in do_handle_one_connection (connect=<optimized out>, connect@entry=0x601715426e10, put_in_cache=true)at /test/13.0_opt/sql/sql_connect.cc:1503
      #21 0x0000601712315032 in handle_one_connection (arg=arg@entry=0x601715426e10)at /test/13.0_opt/sql/sql_connect.cc:1415
      #22 0x00006017126b7163 in pfs_spawn_thread (arg=0x60171549cc90)at /test/13.0_opt/storage/perfschema/pfs.cc:2198
      #23 0x000079857a89ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #24 0x000079857a929c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

      CS 13.1.0 02e1853c894906737fe0ea5f836adb087b1a72ad (Debug, Clang 22.1.6-20260529) Build 05/06/2026

      Core was generated by `/test/MD050626-mariadb-13.1.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --loo'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x000055957a6925a8 in SEL_ARG::index_order_prev (this=0xa5a5a5a5a5a5a5a5, kp=0x6accfc07bfd0) at /test/13.0_dbg/sql/opt_range.h:598
      598	    return (kp[part].flag & HA_REVERSE_SORT)? next : prev;
      [Current thread is 1 (LWP 1179304)]
      (gdb) bt
      #0  0x000055957a6925a8 in SEL_ARG::index_order_prev (this=0xa5a5a5a5a5a5a5a5, kp=0x6accfc07bfd0) at /test/13.0_dbg/sql/opt_range.h:598
      #1  0x000055957a668801 in sel_arg_range_seq_next (rseq=0x72ce349acca8, range=0x72ce349acc58) at /test/13.0_dbg/sql/opt_range_mrr.cc:236
      #2  0x000055957a66d033 in trace_ranges (range_trace=0x72ce349ad800, param=0x72ce349af6f0, idx=0, keypart=0x6accfc07c0f0, key_parts=0x6accfc032b30) at /test/13.0_dbg/sql/opt_range.cc:17671
      #3  0x000055957a67573a in get_best_group_min_max (param=0x72ce349af6f0, tree=0x6accfc07c060, read_time=0.0072326600000000001)at /test/13.0_dbg/sql/opt_range.cc:15185
      #4  0x000055957a66f4ef in SQL_SELECT::test_quick_select (this=0x6accfc01f580, thd=0x6accfc000d60, keys_to_use={static BITS_PER_ELEMENT = 64, static ARRAY_ELEMENTS = 1, static ALL_BITS_SET = 18446744073709551615, buffer = {2}}, prev_tables=13835058055282163712, limit=3, force_quick_range=false, ordered_output=false, remove_false_parts_of_where=false, only_single_index_range_scan=false, note_unusable_keys=Item_func::BITMAP_ALL)at /test/13.0_dbg/sql/opt_range.cc:3146
      #5  0x000055957a875cb7 in make_join_select (join=0x6accfc01c430, select=0x6accfc01f360, cond=0x6accfc01b660)at /test/13.0_dbg/sql/sql_select.cc:14833
      #6  0x000055957a86b2e6 in JOIN::optimize_stage2 (this=0x6accfc01c430)at /test/13.0_dbg/sql/sql_select.cc:3069
      #7  0x000055957a86a40f in JOIN::optimize_inner (this=0x6accfc01c430)at /test/13.0_dbg/sql/sql_select.cc:2789
      #8  0x000055957a867fe6 in JOIN::optimize (this=0x6accfc01c430)at /test/13.0_dbg/sql/sql_select.cc:2016
      #9  0x000055957a86082d in mysql_select (thd=0x6accfc000d60, tables=0x6accfc01aaa0, fields=@0x6accfc01a758: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x6accfc01aa30, last = 0x6accfc01aa30, elements = 1}, <No data fields>}, conds=0x6accfc01b660, og_num=1, order=0x0, group=0x6accfc01b9e0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x6accfc01c400, unit=0x6accfc005280, select_lex=0x6accfc01a4a0)at /test/13.0_dbg/sql/sql_select.cc:5425
      #10 0x000055957a86042d in handle_select (thd=0x6accfc000d60, lex=0x6accfc0051a0, result=0x6accfc01c400, setup_tables_done_option=0)at /test/13.0_dbg/sql/sql_select.cc:636
      #11 0x000055957a80afe6 in execute_sqlcom_select (thd=0x6accfc000d60, all_tables=0x6accfc01aaa0) at /test/13.0_dbg/sql/sql_parse.cc:6217
      #12 0x000055957a801418 in mysql_execute_command (thd=0x6accfc000d60, is_called_from_prepared_stmt=false) at /test/13.0_dbg/sql/sql_parse.cc:3991
      #13 0x000055957a7fa208 in mysql_parse (thd=0x6accfc000d60, rawbuf=0x6accfc01a3c0 "SELECT 1 FROM t2 WHERE NOT c1<RAND() GROUP BY c1 LIMIT 3", length=56, parser_state=0x72ce349b29f0)at /test/13.0_dbg/sql/sql_parse.cc:7945
      #14 0x000055957a7f795e in dispatch_command (command=COM_QUERY, thd=0x6accfc000d60, packet=0x6accfc00b5f1 "SELECT 1 FROM t2 WHERE NOT c1<RAND() GROUP BY c1 LIMIT 3", packet_length=56, blocking=true) at /test/13.0_dbg/sql/sql_parse.cc:1903
      #15 0x000055957a7fac8a in do_command (thd=0x6accfc000d60, blocking=true)at /test/13.0_dbg/sql/sql_parse.cc:1437
      #16 0x000055957a9cbfae in do_handle_one_connection (connect=0x55957e2b9830, put_in_cache=true) at /test/13.0_dbg/sql/sql_connect.cc:1503
      #17 0x000055957a9cbd91 in handle_one_connection (arg=0x55957e298190)at /test/13.0_dbg/sql/sql_connect.cc:1415
      #18 0x000072ce4069ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #19 0x000072ce40729c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

      Bug Detection Matrix

          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  100426  f39b634db715cd9dc1835653d1ce544df2aa1613  No bug found                  
      CS  10.6   opt  100426  f39b634db715cd9dc1835653d1ce544df2aa1613  No bug found                  
      CS  10.11  dbg  100426  ba774a0a90fac0163babe9d7a964aa36503e1711  SIGSEGV|SEL_ARG::index_order_prev|sel_arg_range_seq_next|trace_ranges|get_best_group_min_max
      CS  10.11  opt  100426  ba774a0a90fac0163babe9d7a964aa36503e1711  SIGSEGV|SEL_ARG::store_min|SEL_ARG::store_min_max|step_down_to|sel_arg_range_seq_next
      CS  11.4   dbg  100426  dc89915ad9bf3dcb67e66d2844c77ec0403373de  SIGSEGV|SEL_ARG::index_order_prev|sel_arg_range_seq_next|trace_ranges|get_best_group_min_max
      CS  11.4   opt  100426  dc89915ad9bf3dcb67e66d2844c77ec0403373de  SIGSEGV|SEL_ARG::store_min|SEL_ARG::store_min_max|step_down_to|sel_arg_range_seq_next
      CS  11.8   dbg  100426  e47db94aea7f0d6e0177e948486fc8860331f05f  SIGSEGV|SEL_ARG::index_order_prev|sel_arg_range_seq_next|trace_ranges|get_best_group_min_max
      CS  11.8   opt  100426  e47db94aea7f0d6e0177e948486fc8860331f05f  SIGSEGV|SEL_ARG::store_min|SEL_ARG::store_min_max|step_down_to|sel_arg_range_seq_next
      CS  12.3   dbg  100426  f5bb9922107672e88f7b5cbdb3d25151cc5744bb  SIGSEGV|SEL_ARG::index_order_prev|sel_arg_range_seq_next|trace_ranges|get_best_group_min_max
      CS  12.3   opt  100426  f5bb9922107672e88f7b5cbdb3d25151cc5744bb  SIGSEGV|SEL_ARG::index_order_prev|sel_arg_range_seq_next|trace_ranges|get_best_group_min_max
      CS  13.0   dbg  210526  c8e8d33309606e682c98675d594dbd23ebc2ddf6  SIGSEGV|SEL_ARG::index_order_prev|sel_arg_range_seq_next|trace_ranges|get_best_group_min_max
      CS  13.0   opt  210526  c8e8d33309606e682c98675d594dbd23ebc2ddf6  SIGSEGV|SEL_ARG::index_order_prev|sel_arg_range_seq_next|trace_ranges|get_best_group_min_max
      CS  13.1   dbg  050626  02e1853c894906737fe0ea5f836adb087b1a72ad  SIGSEGV|SEL_ARG::index_order_prev|sel_arg_range_seq_next|trace_ranges|get_best_group_min_max
      CS  13.1   opt  050626  02e1853c894906737fe0ea5f836adb087b1a72ad  SIGSEGV|SEL_ARG::store_min|SEL_ARG::store_min_max|step_down_to|sel_arg_range_seq_next
      ES  10.6   dbg  100426  84a80c8b38208d362225496da08d86d8d454e453  No bug found                  
      ES  10.6   opt  100426  84a80c8b38208d362225496da08d86d8d454e453  No bug found                  
      ES  11.4   dbg  100426  8b2bf17b733262409422ce7d039a0c021fc47077  SIGSEGV|SEL_ARG::index_order_prev|sel_arg_range_seq_next|trace_ranges|get_best_group_min_max
      ES  11.4   opt  100426  8b2bf17b733262409422ce7d039a0c021fc47077  SIGSEGV|SEL_ARG::store_min|SEL_ARG::store_min_max|step_down_to|sel_arg_range_seq_next
      ES  11.8   dbg  100426  854cae81f52e477c7777a51db26ba640d8755b81  SIGSEGV|SEL_ARG::index_order_prev|sel_arg_range_seq_next|trace_ranges|get_best_group_min_max
      ES  11.8   opt  100426  854cae81f52e477c7777a51db26ba640d8755b81  SIGSEGV|SEL_ARG::store_min|SEL_ARG::store_min_max|step_down_to|sel_arg_range_seq_next
      ES  12.3   dbg  220426  613a6253fe9efc12e166f83a97663ba263db8317  SIGSEGV|SEL_ARG::index_order_prev|sel_arg_range_seq_next|trace_ranges|get_best_group_min_max
      ES  12.3   opt  220426  613a6253fe9efc12e166f83a97663ba263db8317  SIGSEGV|SEL_ARG::index_order_prev|sel_arg_range_seq_next|trace_ranges|get_best_group_min_max
      MS  5.5    dbg  070123  bac287c315b1792e7ae33f91add6a60292f9bae8  No bug found                  
      MS  5.5    opt  070123  bac287c315b1792e7ae33f91add6a60292f9bae8  No bug found                  
      MS  5.6    dbg  070123  dab95781a1244104d6b87020ac2fc4d190ba2946  No bug found                  
      MS  5.6    opt  070123  dab95781a1244104d6b87020ac2fc4d190ba2946  No bug found                  
      MS  5.7    dbg  070525  f7680e98b6bbe3500399fbad465d08a6b75d7a5c  No bug found                  
      MS  5.7    opt  070525  f7680e98b6bbe3500399fbad465d08a6b75d7a5c  No bug found                  
      MS  8.0    dbg  060224  49ef33f7edadef3ae04665e73d1babd40179a4f1  No bug found                  
      MS  8.0    opt  060224  49ef33f7edadef3ae04665e73d1babd40179a4f1  No bug found                  
      MS  9.1    dbg  211024  61a3a1d8ef15512396b4c2af46e922a19bf2b174  No bug found                  
      MS  9.1    opt  211024  61a3a1d8ef15512396b4c2af46e922a19bf2b174  No bug found                  


          People

            Johnston Rex Johnston
            Roel Roel Van de Paar