Search

MDEV-36678Various crashes upon stored procedure querying view with concat/group_concat
MDEV-36634UBSAN: member access within null pointer of type 'KEY' (aka 'st_key') in myrocks::ha_rocksdb::index_read_map_impl on CREATE SERVER
MDEV-36611SIGSEGV & UBASAN null-pointer-use in myrocks::Rdb_transaction_impl::get_write_batch on opt builds
MDEV-36495ASAN: heap-use-after-free in Field_blob::pack, and UBSAN: member access within null pointer of type 'KEY' in ha_archive::create, on OPTIMIZE TABLE
MDEV-36356MariaDB crashes in Item::save_int_in_field and UBSAN member call on null pointer of type 'Field' upon executing a complex SELECT
MDEV-36353MariaDB SEGV in Item_subselect::init when executing query
MDEV-35881SIGSEGV in __strcmp_evex() from my_load_defaults on INSERT when using DEFAULT_GROUP and UBSAN: runtime error: member access within null pointer of type 'struct st_my_thread_var'
MDEV-30756Crash in get_sort_by_table / make_join_statistics / update_depend_map_for_order, various UBSAN pointer issues
MDEV-29703Server crash, assertion failure or UBSAN null-pointer-use in myrocks::Rdb_key_def::unpack_simple_varchar_space_pad
MDEV-28509Server crash via Item_func_ne::add_key_fields in /sql/sql_bitmap.h:196, member access within null pointer of type 'struct JOIN_TAB' in add_key_field
MDEV-26416A SEGV in Field::set_notnull/Item::save_real_in_field

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.5, 10.6, 10.11, 11.4
Fix Version/s: 10.5, 10.6, 10.11, 11.4
Component/s: Server, Stored routines
Labels:

Description

We are experiencing a crash in MariaDB (version 10.6.21) on both Rocky Linux (release 9.4) and Amazon Linux 2
in a scenario involving views and stored procedures.
While the original query is much more complex, we are providing a simplified use case that can reliably reproduce the issue.

It appears that the crash occurs when:
a VIEW uses a CONCAT() or GROUP_CONCAT() function on a column definition, and
a STORED PROCEDURE queries this VIEW using a LIKE condition on the same column having that function.

This issue does not occur with the previously used version 10.6.16 — it only started happening after the upgrade to 10.6.21.

The crash can be consistently reproduced under these conditions:

create or replace table table_task ( id int auto_increment primary key, col1 int, col2 int, col3 int);

insert into table_task select null,round(rand()*100),round(rand()*100),round(rand()*100) from seq_1_to_1000;

create or replace view v_t_task as

select col1 as taskcid, sum(col3) as suc3,

group_concat('-',case when `col3` is not null then `col2` else '' end,'-' separator ',') AS `listc2`

from table_task

group by col1;

delimiter //

CREATE or replace PROCEDURE `spmona`(IN `IN_listc2` VARCHAR(1000), IN `IN_limitfrom` INT, IN `IN_limitto` INT)

BEGIN

SELECT *

FROM

 v_t_task `t`

WHERE

 CASE WHEN IN_listc2 IS NOT NULL THEN `t`.`listc2` LIKE CONCAT("%", IN_listc2, "%") ELSE TRUE END

LIMIT

  IN_limitfrom,

  IN_limitto;

END //

delimiter ;

CALL spmona(null,0,25);

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

error_log_10.6.21_crash.txt
6 kB
2025-04-23 14:29

Activity

Ascending order - Click to sort in descending order

Daniel Black added a comment - 2025-04-24 04:13

Thank you for taking the time to report this bug and create a self contained minimised test case.

10.6-47e687b109e465a31ec029969e302ca1a73208a3

Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00000000006bb5fb in Item_ref::const_item (this=0x7fcef0080090) at /home/dan/repos/mariadb-server-10.6/sql/item.h:5890
5890 return (*ref)->const_item();


(gdb) p *this
$1 = (Item_ref) {<Item_ident> = {<Item_result_field> = {<Item_fixed_hybrid> = {<Item> = {<Value_source> = {<No data fields>}, <Type_all_attributes> = {<Type_std_attributes> = {<Type_numeric_attributes> = {max_length = 0, decimals = 0, unsigned_flag = false}, collation = {collation = 0x15ccef0 <my_charset_bin>, derivation = DERIVATION_COERCIBLE,
repertoire = MY_REPERTOIRE_UNICODE30}}, _vptr$Type_all_attributes = 0x1088370 <vtable for Item_ref+16>}, next = 0x7fcef007ff90, str_value = {<Charset> = {
m_charset = 0x15ccef0 <my_charset_bin>}, <Binary_string> = {<Sql_alloc> = {<No data fields>}, Ptr = 0x0, str_length = 0, Alloced_length = 0, extra_alloc = 0,
alloced = false, thread_specific = false}, <No data fields>}, name = {str = 0x7fcef0047f80 "listc2", length = 6}, orig_name = 0x0, base_flags = item_base_t::NONE,
with_flags = item_with_t::NONE, marker = 1024, null_value = false, is_expensive_cache = -1 '\377', join_tab_idx = 61 '='}, <No data fields>}, result_field = 0x0},
orig_db_name = {<Lex_cstring> = {<st_mysql_const_lex_string> = {str = 0x0, length = 0}, <No data fields>}, <No data fields>},
orig_table_name = {<Lex_cstring> = {<st_mysql_const_lex_string> = {str = 0x0, length = 0}, <No data fields>}, <No data fields>},
orig_field_name = {<Lex_cstring> = {<st_mysql_const_lex_string> = {str = 0x7fcef0047f80 "listc2", length = 6}, <No data fields>}, <No data fields>}, context = 0x7fcef0046d78,
db_name = {<Lex_cstring> = {<st_mysql_const_lex_string> = {str = 0x0, length = 0}, <No data fields>}, <No data fields>}, table_name = {<Lex_cstring> = {<st_mysql_const_lex_string> = {
str = 0x0, length = 0}, <No data fields>}, <No data fields>}, field_name = {<Lex_cstring> = {<st_mysql_const_lex_string> = {str = 0x7fcef0047f80 "listc2",
length = 6}, <No data fields>}, <No data fields>}, cached_table = 0x0, depended_from = 0x0, cached_field_index = 65535, can_be_depended = true, alias_name_used = false},
set_properties_only = false, ref = 0x0, reference_trough_name = true}

(gdb) p ref
$2 = (Item **) 0x0


(gdb) bt
#0 0x00000000006bb5fb in Item_ref::const_item (this=0x7fcef0080090) at /home/dan/repos/mariadb-server-10.6/sql/item.h:5890
#1 0x0000000000942ff7 in Item::cache_const_expr_analyzer (this=0x7fcef0080090, arg=<optimized out>) at /home/dan/repos/mariadb-server-10.6/sql/item.cc:7619
#2 0x0000000000944c7c in Item_ref::compile (this=0x7fcef0080090, thd=0x7fcef0000c68,
analyzer=(bool (Item::)(Item const, uchar )) 0x942fc0 <Item::cache_const_expr_analyzer(unsigned char)>, arg_p=0x7fcf2e346498,
transformer=(Item (Item::)(Item * const, THD , uchar )) 0x9430a0 <Item::cache_const_expr_transformer(THD, unsigned char)>, arg_t=0x7fcf2e34672f "")
at /home/dan/repos/mariadb-server-10.6/sql/item.cc:8595
#3 0x0000000000986c24 in Item_func::compile (this=0x7fcef00441b8, thd=0x7fcef0000c68,
analyzer=(bool (Item::)(Item const, uchar )) 0x942fc0 <Item::cache_const_expr_analyzer(unsigned char)>, arg_p=0x7fcf2e346538,
transformer=(Item (Item::)(Item * const, THD , uchar )) 0x9430a0 <Item::cache_const_expr_transformer(THD, unsigned char)>, arg_t=0x7fcf2e34672f "")
at /home/dan/repos/mariadb-server-10.6/sql/item_func.cc:575
#4 0x0000000000944ccd in Item_ref::compile (this=0x7fcef0044640, thd=0x7fcef0000c68,
analyzer=(bool (Item::)(Item const, uchar )) 0x942fc0 <Item::cache_const_expr_analyzer(unsigned char)>, arg_p=0x7fcf2e3465b8,
transformer=(Item (Item::)(Item * const, THD , uchar )) 0x9430a0 <Item::cache_const_expr_transformer(THD, unsigned char)>, arg_t=0x7fcf2e34672f "")
at /home/dan/repos/mariadb-server-10.6/sql/item.cc:8603
#5 0x0000000000986c24 in Item_func::compile (this=0x7fcef007fe50, thd=0x7fcef0000c68,
analyzer=(bool (Item::)(Item const, uchar )) 0x942fc0 <Item::cache_const_expr_analyzer(unsigned char)>, arg_p=0x7fcf2e346658,
transformer=(Item (Item::)(Item * const, THD , uchar )) 0x9430a0 <Item::cache_const_expr_transformer(THD, unsigned char)>, arg_t=0x7fcf2e34672f "")
at /home/dan/repos/mariadb-server-10.6/sql/item_func.cc:575
#6 0x0000000000986c24 in Item_func::compile (this=0x7fcef007ff90, thd=0x7fcef0000c68,
analyzer=(bool (Item::)(Item const, uchar )) 0x942fc0 <Item::cache_const_expr_analyzer(unsigned char)>, arg_p=0x7fcf2e346710,
transformer=(Item (Item::)(Item * const, THD , uchar )) 0x9430a0 <Item::cache_const_expr_transformer(THD, unsigned char)>, arg_t=0x7fcf2e34672f "")
at /home/dan/repos/mariadb-server-10.6/sql/item_func.cc:575
#7 0x0000000000662551 in Item::top_level_compile (this=0x7fcef0080090, thd=0x7fcf2e346498,
analyzer=(bool (Item::)(Item const, uchar )) 0x942fc0 <Item::cache_const_expr_analyzer(unsigned char)>, arg_p=0x7fcf2e346498, transformer=<optimized out>,
arg_t=0x7fcf2e34672f "") at /home/dan/repos/mariadb-server-10.6/sql/item.h:2229
#8 0x000000000074a104 in JOIN::cache_const_exprs (this=this@entry=0x7fcef00437a8) at /home/dan/repos/mariadb-server-10.6/sql/sql_select.cc:30627
#9 0x0000000000742c2c in JOIN::optimize_stage2 (this=this@entry=0x7fcef00437a8) at /home/dan/repos/mariadb-server-10.6/sql/sql_select.cc:2899
#10 0x0000000000744b14 in JOIN::optimize_inner (this=this@entry=0x7fcef00437a8) at /home/dan/repos/mariadb-server-10.6/sql/sql_select.cc:2639
#11 0x000000000074229c in JOIN::optimize (this=0x7fcef00437a8) at /home/dan/repos/mariadb-server-10.6/sql/sql_select.cc:1927
#12 0x00000000006d8934 in mysql_derived_optimize (thd=0x7fcef0000c68, lex=0x7fcef003a5d0, derived=0x7fcef003c5d0) at /home/dan/repos/mariadb-server-10.6/sql/sql_derived.cc:1045
#13 0x00000000006d98d9 in mysql_handle_single_derived (lex=0x7fcef003a5d0, derived=derived@entry=0x7fcef003c5d0, phases=phases@entry=4)
at /home/dan/repos/mariadb-server-10.6/sql/sql_derived.cc:200
#14 0x0000000000744776 in JOIN::optimize_inner (this=this@entry=0x7fcef0042f90) at /home/dan/repos/mariadb-server-10.6/sql/sql_select.cc:2429
#15 0x000000000074229c in JOIN::optimize (this=this@entry=0x7fcef0042f90) at /home/dan/repos/mariadb-server-10.6/sql/sql_select.cc:1927
#16 0x000000000073c600 in mysql_select (thd=thd@entry=0x7fcef0000c68, tables=<optimized out>,
fields=@0x7fcef0039818: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7fcef0039b40, last = 0x7fcef0049fc0, elements = 3}, <No data fields>}, conds=<optimized out>,
og_num=<optimized out>, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x7fcef0042f68, unit=0x7fcef003a698,
select_lex=0x7fcef0039558) at /home/dan/repos/mariadb-server-10.6/sql/sql_select.cc:5182
#17 0x000000000073c4dc in handle_select (thd=thd@entry=0x7fcef0000c68, lex=lex@entry=0x7fcef003a5d0, result=result@entry=0x7fcef0042f68,
setup_tables_done_option=setup_tables_done_option@entry=0) at /home/dan/repos/mariadb-server-10.6/sql/sql_select.cc:573
#18 0x000000000071a05b in execute_sqlcom_select (thd=thd@entry=0x7fcef0000c68, all_tables=0x7fcef003c5d0) at /home/dan/repos/mariadb-server-10.6/sql/sql_parse.cc:6422
#19 0x0000000000714d4f in mysql_execute_command (thd=0x7fcef0000c68, is_called_from_prepared_stmt=<optimized out>) at /home/dan/repos/mariadb-server-10.6/sql/sql_parse.cc:4013
#20 0x00000000006844d0 in sp_instr_stmt::exec_core (this=0x7fcef003dc68, thd=0x7fcef0080090, nextp=0x7fcf2e347c44) at /home/dan/repos/mariadb-server-10.6/sql/sp_head.cc:3895
#21 0x000000000068362b in sp_lex_keeper::reset_lex_and_exec_core (this=this@entry=0x7fcef003dcb0, thd=thd@entry=0x7fcef0000c68, nextp=nextp@entry=0x7fcf2e347c44, open_tables=false,
instr=instr@entry=0x7fcef003dc68) at /home/dan/repos/mariadb-server-10.6/sql/sp_head.cc:3606
#22 0x0000000000683f21 in sp_instr_stmt::execute (this=0x7fcef003dc68, thd=0x7fcef0000c68, nextp=0x7fcf2e347c44) at /home/dan/repos/mariadb-server-10.6/sql/sp_head.cc:3798
#23 0x000000000067e187 in sp_head::execute (this=this@entry=0x7fcef0037c90, thd=thd@entry=0x7fcef0000c68, merge_da_on_success=true)
at /home/dan/repos/mariadb-server-10.6/sql/sp_head.cc:1443
#24 0x000000000067fa82 in sp_head::execute_procedure (this=0x7fcef0037c90, thd=0x7fcef0000c68, args=0x7fcef0005db8) at /home/dan/repos/mariadb-server-10.6/sql/sp_head.cc:2523
#25 0x0000000000713ae4 in do_execute_sp (thd=thd@entry=0x7fcef0000c68, sp=0x7fcef0080090, sp@entry=0x7fcef0037c90) at /home/dan/repos/mariadb-server-10.6/sql/sql_parse.cc:3090
#26 0x00000000007137d2 in Sql_cmd_call::execute (this=0x7fcef0013390, thd=0x7fcef0000c68) at /home/dan/repos/mariadb-server-10.6/sql/sql_parse.cc:3336
#27 0x0000000000714c95 in mysql_execute_command (thd=thd@entry=0x7fcef0000c68, is_called_from_prepared_stmt=false) at /home/dan/repos/mariadb-server-10.6/sql/sql_parse.cc:6167
#28 0x0000000000710724 in mysql_parse (thd=thd@entry=0x7fcef0000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7fcf2e349320)
at /home/dan/repos/mariadb-server-10.6/sql/sql_parse.cc:8200
#29 0x000000000070eddc in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7fcef0000c68, packet=packet@entry=0x7fcef0008629 "CALL spmona(null,0,25)",
packet_length=packet_length@entry=22, blocking=true) at /home/dan/repos/mariadb-server-10.6/sql/sql_parse.cc:1908
#30 0x0000000000710b82 in do_command (thd=thd@entry=0x7fcef0000c68, blocking=true) at /home/dan/repos/mariadb-server-10.6/sql/sql_parse.cc:1421
#31 0x0000000000814d3d in do_handle_one_connection (connect=<optimized out>, connect@entry=0xbeab858, put_in_cache=<optimized out>)
at /home/dan/repos/mariadb-server-10.6/sql/sql_connect.cc:1386
#32 0x0000000000814b70 in handle_one_connection (arg=arg@entry=0xbeab858) at /home/dan/repos/mariadb-server-10.6/sql/sql_connect.cc:1298
#33 0x0000000000b2fbde in pfs_spawn_thread (arg=0xbe787a8) at /home/dan/repos/mariadb-server-10.6/storage/perfschema/pfs.cc:2201
#34 0x00007fcf3807dba8 in start_thread () from /lib64/libc.so.6
#35 0x00007fcf38101b8c in __clone3 () from /lib64/libc.so.6

Daniel Black added a comment - 2025-04-24 04:13 Thank you for taking the time to report this bug and create a self contained minimised test case. 10.6-47e687b109e465a31ec029969e302ca1a73208a3 Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00000000006bb5fb in Item_ref::const_item (this=0x7fcef0080090) at /home/dan/repos/mariadb-server-10.6/sql/item.h:5890 5890 return (*ref)->const_item(); (gdb) p *this $1 = (Item_ref) {<Item_ident> = {<Item_result_field> = {<Item_fixed_hybrid> = {<Item> = {<Value_source> = {<No data fields>}, <Type_all_attributes> = {<Type_std_attributes> = {<Type_numeric_attributes> = {max_length = 0, decimals = 0, unsigned_flag = false}, collation = {collation = 0x15ccef0 <my_charset_bin>, derivation = DERIVATION_COERCIBLE, repertoire = MY_REPERTOIRE_UNICODE30}}, _vptr$Type_all_attributes = 0x1088370 <vtable for Item_ref+16>}, next = 0x7fcef007ff90, str_value = {<Charset> = { m_charset = 0x15ccef0 <my_charset_bin>}, <Binary_string> = {<Sql_alloc> = {<No data fields>}, Ptr = 0x0, str_length = 0, Alloced_length = 0, extra_alloc = 0, alloced = false, thread_specific = false}, <No data fields>}, name = {str = 0x7fcef0047f80 "listc2", length = 6}, orig_name = 0x0, base_flags = item_base_t::NONE, with_flags = item_with_t::NONE, marker = 1024, null_value = false, is_expensive_cache = -1 '\377', join_tab_idx = 61 '='}, <No data fields>}, result_field = 0x0}, orig_db_name = {<Lex_cstring> = {<st_mysql_const_lex_string> = {str = 0x0, length = 0}, <No data fields>}, <No data fields>}, orig_table_name = {<Lex_cstring> = {<st_mysql_const_lex_string> = {str = 0x0, length = 0}, <No data fields>}, <No data fields>}, orig_field_name = {<Lex_cstring> = {<st_mysql_const_lex_string> = {str = 0x7fcef0047f80 "listc2", length = 6}, <No data fields>}, <No data fields>}, context = 0x7fcef0046d78, db_name = {<Lex_cstring> = {<st_mysql_const_lex_string> = {str = 0x0, length = 0}, <No data fields>}, <No data fields>}, table_name = {<Lex_cstring> = {<st_mysql_const_lex_string> = { str = 0x0, length = 0}, <No data fields>}, <No data fields>}, field_name = {<Lex_cstring> = {<st_mysql_const_lex_string> = {str = 0x7fcef0047f80 "listc2", length = 6}, <No data fields>}, <No data fields>}, cached_table = 0x0, depended_from = 0x0, cached_field_index = 65535, can_be_depended = true, alias_name_used = false}, set_properties_only = false, ref = 0x0, reference_trough_name = true} (gdb) p ref $2 = (Item **) 0x0 (gdb) bt #0 0x00000000006bb5fb in Item_ref::const_item (this=0x7fcef0080090) at /home/dan/repos/mariadb-server-10.6/sql/item.h:5890 #1 0x0000000000942ff7 in Item::cache_const_expr_analyzer (this=0x7fcef0080090, arg=<optimized out>) at /home/dan/repos/mariadb-server-10.6/sql/item.cc:7619 #2 0x0000000000944c7c in Item_ref::compile (this=0x7fcef0080090, thd=0x7fcef0000c68, analyzer=(bool (Item::*)(Item * const, uchar **)) 0x942fc0 <Item::cache_const_expr_analyzer(unsigned char**)>, arg_p=0x7fcf2e346498, transformer=(Item *(Item::*)(Item * const, THD *, uchar *)) 0x9430a0 <Item::cache_const_expr_transformer(THD*, unsigned char*)>, arg_t=0x7fcf2e34672f "") at /home/dan/repos/mariadb-server-10.6/sql/item.cc:8595 #3 0x0000000000986c24 in Item_func::compile (this=0x7fcef00441b8, thd=0x7fcef0000c68, analyzer=(bool (Item::*)(Item * const, uchar **)) 0x942fc0 <Item::cache_const_expr_analyzer(unsigned char**)>, arg_p=0x7fcf2e346538, transformer=(Item *(Item::*)(Item * const, THD *, uchar *)) 0x9430a0 <Item::cache_const_expr_transformer(THD*, unsigned char*)>, arg_t=0x7fcf2e34672f "") at /home/dan/repos/mariadb-server-10.6/sql/item_func.cc:575 #4 0x0000000000944ccd in Item_ref::compile (this=0x7fcef0044640, thd=0x7fcef0000c68, analyzer=(bool (Item::*)(Item * const, uchar **)) 0x942fc0 <Item::cache_const_expr_analyzer(unsigned char**)>, arg_p=0x7fcf2e3465b8, transformer=(Item *(Item::*)(Item * const, THD *, uchar *)) 0x9430a0 <Item::cache_const_expr_transformer(THD*, unsigned char*)>, arg_t=0x7fcf2e34672f "") at /home/dan/repos/mariadb-server-10.6/sql/item.cc:8603 #5 0x0000000000986c24 in Item_func::compile (this=0x7fcef007fe50, thd=0x7fcef0000c68, analyzer=(bool (Item::*)(Item * const, uchar **)) 0x942fc0 <Item::cache_const_expr_analyzer(unsigned char**)>, arg_p=0x7fcf2e346658, transformer=(Item *(Item::*)(Item * const, THD *, uchar *)) 0x9430a0 <Item::cache_const_expr_transformer(THD*, unsigned char*)>, arg_t=0x7fcf2e34672f "") at /home/dan/repos/mariadb-server-10.6/sql/item_func.cc:575 #6 0x0000000000986c24 in Item_func::compile (this=0x7fcef007ff90, thd=0x7fcef0000c68, analyzer=(bool (Item::*)(Item * const, uchar **)) 0x942fc0 <Item::cache_const_expr_analyzer(unsigned char**)>, arg_p=0x7fcf2e346710, transformer=(Item *(Item::*)(Item * const, THD *, uchar *)) 0x9430a0 <Item::cache_const_expr_transformer(THD*, unsigned char*)>, arg_t=0x7fcf2e34672f "") at /home/dan/repos/mariadb-server-10.6/sql/item_func.cc:575 #7 0x0000000000662551 in Item::top_level_compile (this=0x7fcef0080090, thd=0x7fcf2e346498, analyzer=(bool (Item::*)(Item * const, uchar **)) 0x942fc0 <Item::cache_const_expr_analyzer(unsigned char**)>, arg_p=0x7fcf2e346498, transformer=<optimized out>, arg_t=0x7fcf2e34672f "") at /home/dan/repos/mariadb-server-10.6/sql/item.h:2229 #8 0x000000000074a104 in JOIN::cache_const_exprs (this=this@entry=0x7fcef00437a8) at /home/dan/repos/mariadb-server-10.6/sql/sql_select.cc:30627 #9 0x0000000000742c2c in JOIN::optimize_stage2 (this=this@entry=0x7fcef00437a8) at /home/dan/repos/mariadb-server-10.6/sql/sql_select.cc:2899 #10 0x0000000000744b14 in JOIN::optimize_inner (this=this@entry=0x7fcef00437a8) at /home/dan/repos/mariadb-server-10.6/sql/sql_select.cc:2639 #11 0x000000000074229c in JOIN::optimize (this=0x7fcef00437a8) at /home/dan/repos/mariadb-server-10.6/sql/sql_select.cc:1927 #12 0x00000000006d8934 in mysql_derived_optimize (thd=0x7fcef0000c68, lex=0x7fcef003a5d0, derived=0x7fcef003c5d0) at /home/dan/repos/mariadb-server-10.6/sql/sql_derived.cc:1045 #13 0x00000000006d98d9 in mysql_handle_single_derived (lex=0x7fcef003a5d0, derived=derived@entry=0x7fcef003c5d0, phases=phases@entry=4) at /home/dan/repos/mariadb-server-10.6/sql/sql_derived.cc:200 #14 0x0000000000744776 in JOIN::optimize_inner (this=this@entry=0x7fcef0042f90) at /home/dan/repos/mariadb-server-10.6/sql/sql_select.cc:2429 #15 0x000000000074229c in JOIN::optimize (this=this@entry=0x7fcef0042f90) at /home/dan/repos/mariadb-server-10.6/sql/sql_select.cc:1927 #16 0x000000000073c600 in mysql_select (thd=thd@entry=0x7fcef0000c68, tables=<optimized out>, fields=@0x7fcef0039818: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7fcef0039b40, last = 0x7fcef0049fc0, elements = 3}, <No data fields>}, conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x7fcef0042f68, unit=0x7fcef003a698, select_lex=0x7fcef0039558) at /home/dan/repos/mariadb-server-10.6/sql/sql_select.cc:5182 #17 0x000000000073c4dc in handle_select (thd=thd@entry=0x7fcef0000c68, lex=lex@entry=0x7fcef003a5d0, result=result@entry=0x7fcef0042f68, setup_tables_done_option=setup_tables_done_option@entry=0) at /home/dan/repos/mariadb-server-10.6/sql/sql_select.cc:573 #18 0x000000000071a05b in execute_sqlcom_select (thd=thd@entry=0x7fcef0000c68, all_tables=0x7fcef003c5d0) at /home/dan/repos/mariadb-server-10.6/sql/sql_parse.cc:6422 #19 0x0000000000714d4f in mysql_execute_command (thd=0x7fcef0000c68, is_called_from_prepared_stmt=<optimized out>) at /home/dan/repos/mariadb-server-10.6/sql/sql_parse.cc:4013 #20 0x00000000006844d0 in sp_instr_stmt::exec_core (this=0x7fcef003dc68, thd=0x7fcef0080090, nextp=0x7fcf2e347c44) at /home/dan/repos/mariadb-server-10.6/sql/sp_head.cc:3895 #21 0x000000000068362b in sp_lex_keeper::reset_lex_and_exec_core (this=this@entry=0x7fcef003dcb0, thd=thd@entry=0x7fcef0000c68, nextp=nextp@entry=0x7fcf2e347c44, open_tables=false, instr=instr@entry=0x7fcef003dc68) at /home/dan/repos/mariadb-server-10.6/sql/sp_head.cc:3606 #22 0x0000000000683f21 in sp_instr_stmt::execute (this=0x7fcef003dc68, thd=0x7fcef0000c68, nextp=0x7fcf2e347c44) at /home/dan/repos/mariadb-server-10.6/sql/sp_head.cc:3798 #23 0x000000000067e187 in sp_head::execute (this=this@entry=0x7fcef0037c90, thd=thd@entry=0x7fcef0000c68, merge_da_on_success=true) at /home/dan/repos/mariadb-server-10.6/sql/sp_head.cc:1443 #24 0x000000000067fa82 in sp_head::execute_procedure (this=0x7fcef0037c90, thd=0x7fcef0000c68, args=0x7fcef0005db8) at /home/dan/repos/mariadb-server-10.6/sql/sp_head.cc:2523 #25 0x0000000000713ae4 in do_execute_sp (thd=thd@entry=0x7fcef0000c68, sp=0x7fcef0080090, sp@entry=0x7fcef0037c90) at /home/dan/repos/mariadb-server-10.6/sql/sql_parse.cc:3090 #26 0x00000000007137d2 in Sql_cmd_call::execute (this=0x7fcef0013390, thd=0x7fcef0000c68) at /home/dan/repos/mariadb-server-10.6/sql/sql_parse.cc:3336 #27 0x0000000000714c95 in mysql_execute_command (thd=thd@entry=0x7fcef0000c68, is_called_from_prepared_stmt=false) at /home/dan/repos/mariadb-server-10.6/sql/sql_parse.cc:6167 #28 0x0000000000710724 in mysql_parse (thd=thd@entry=0x7fcef0000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7fcf2e349320) at /home/dan/repos/mariadb-server-10.6/sql/sql_parse.cc:8200 #29 0x000000000070eddc in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7fcef0000c68, packet=packet@entry=0x7fcef0008629 "CALL spmona(null,0,25)", packet_length=packet_length@entry=22, blocking=true) at /home/dan/repos/mariadb-server-10.6/sql/sql_parse.cc:1908 #30 0x0000000000710b82 in do_command (thd=thd@entry=0x7fcef0000c68, blocking=true) at /home/dan/repos/mariadb-server-10.6/sql/sql_parse.cc:1421 #31 0x0000000000814d3d in do_handle_one_connection (connect=<optimized out>, connect@entry=0xbeab858, put_in_cache=<optimized out>) at /home/dan/repos/mariadb-server-10.6/sql/sql_connect.cc:1386 #32 0x0000000000814b70 in handle_one_connection (arg=arg@entry=0xbeab858) at /home/dan/repos/mariadb-server-10.6/sql/sql_connect.cc:1298 #33 0x0000000000b2fbde in pfs_spawn_thread (arg=0xbe787a8) at /home/dan/repos/mariadb-server-10.6/storage/perfschema/pfs.cc:2201 #34 0x00007fcf3807dba8 in start_thread () from /lib64/libc.so.6 #35 0x00007fcf38101b8c in __clone3 () from /lib64/libc.so.6

Andrea Ponzo added a comment - 2025-04-24 06:20

Thank you Daniel for your interest and the quick confirmation of the bug.
I spent some time pinpointing the key area of the crash to hopefully make the fix easier for you.

Andrea Ponzo added a comment - 2025-04-24 06:20 Thank you Daniel for your interest and the quick confirmation of the bug. I spent some time pinpointing the key area of the crash to hopefully make the fix easier for you.

Roel Van de Paar added a comment - 2025-04-25 09:12 - edited

Reduced testcases in the next comments. Summary of findings;
1. Using a MyISAM table shows a SIGSEGV location; Item_ref::update_used_tables. This crash can also be reproducing no table.
2. Using a InnoDB tables shows a SIGSEGV in Item_ref::const_item
3. UBSAN builds see various bugs, ref stacks below.
4. 11.8+ does not look to be affected.
5. Thus far the bug has not been reproducible in MTR, even when using MTR idioms. Please use the CLI to reproduce. Bug is not sporadic.

Roel Van de Paar added a comment - 2025-04-25 09:12 - edited Reduced testcases in the next comments. Summary of findings; 1. Using a MyISAM table shows a SIGSEGV location; Item_ref::update_used_tables . This crash can also be reproducing no table. 2. Using a InnoDB tables shows a SIGSEGV in Item_ref::const_item 3. UBSAN builds see various bugs, ref stacks below. 4. 11.8+ does not look to be affected. 5. Thus far the bug has not been reproducible in MTR, even when using MTR idioms. Please use the CLI to reproduce. Bug is not sporadic.

Roel Van de Paar added a comment - 2025-04-25 09:12 - edited

CREATE TABLE t (c INT) ENGINE=InnoDB;

CREATE VIEW v as SELECT GROUP_CONCAT('','') AS l FROM t;

DELIMITER //

CREATE PROCEDURE s (IN i VARCHAR(1)) SELECT * FROM v v WHERE CASE WHEN i THEN v.l LIKE CONCAT ('',i) END; //

DELIMITER ;

CALL s(0);

Leads to:

CS 11.4.6 4a701e8ce4a178faf955641caf59fc13fcc718e9 (Debug) Build 12/04/2025
Core was generated by `/test/MD120425-mariadb-11.4.6-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000057fa37e71dd7 in Item_ref::const_item (this=0x7d2af005c898)at /test/11.4_dbg/sql/item.h:5952

[Current thread is 1 (LWP 428694)]
(gdb) bt
#0 0x000057fa37e71dd7 in Item_ref::const_item (this=0x7d2af005c898)at /test/11.4_dbg/sql/item.h:5952
#1 0x000057fa383567de in Item::cache_const_expr_analyzer (this=0x7d2af005c898, arg=0x7d2c401f8730) at /test/11.4_dbg/sql/item.cc:7665
#2 0x000057fa38359993 in Item_ref::compile (this=0x7d2af005c898, thd=0x7d2af0000d58, analyzer=(bool (Item::)(Item const, uchar )) 0x57fa38356790 <Item::cache_const_expr_analyzer(unsigned char)>, arg_p=0x7d2c401f8730, transformer=(Item (Item::)(Item * const, THD , uchar )) 0x57fa383568c0 <Item::cache_const_expr_transformer(THD, unsigned char)>, arg_t=0x7d2c401f8bd7 "") at /test/11.4_dbg/sql/item.cc:8645
#3 0x000057fa383b9d5e in Item_func::compile (this=0x7d2af005be58, thd=0x7d2af0000d58, analyzer=(bool (Item::)(Item const, uchar )) 0x57fa38356790 <Item::cache_const_expr_analyzer(unsigned char)>, arg_p=0x7d2c401f8830, transformer=(Item (Item::)(Item * const, THD , uchar )) 0x57fa383568c0 <Item::cache_const_expr_transformer(THD, unsigned char)>, arg_t=0x7d2c401f8bd7 "") at /test/11.4_dbg/sql/item_func.cc:578
#4 0x000057fa38359ab9 in Item_ref::compile (this=0x7d2af005c238, thd=0x7d2af0000d58, analyzer=(bool (Item::)(Item const, uchar )) 0x57fa38356790 <Item::cache_const_expr_analyzer(unsigned char)>, arg_p=0x7d2c401f8920, transformer=(Item (Item::)(Item * const, THD , uchar )) 0x57fa383568c0 <Item::cache_const_expr_transformer(THD, unsigned char)>, arg_t=0x7d2c401f8bd7 "") at /test/11.4_dbg/sql/item.cc:8653
#5 0x000057fa383b9d5e in Item_func::compile (this=0x7d2af005c668, thd=0x7d2af0000d58, analyzer=(bool (Item::)(Item const, uchar )) 0x57fa38356790 <Item::cache_const_expr_analyzer(unsigned char)>, arg_p=0x7d2c401f8a20, transformer=(Item (Item::)(Item * const, THD , uchar )) 0x57fa383568c0 <Item::cache_const_expr_transformer(THD, unsigned char)>, arg_t=0x7d2c401f8bd7 "") at /test/11.4_dbg/sql/item_func.cc:578
#6 0x000057fa383b9d5e in Item_func::compile (this=0x7d2af005c7b0, thd=0x7d2af0000d58, analyzer=(bool (Item::)(Item const, uchar )) 0x57fa38356790 <Item::cache_const_expr_analyzer(unsigned char)>, arg_p=0x7d2c401f8bc8, transformer=(Item (Item::)(Item * const, THD , uchar )) 0x57fa383568c0 <Item::cache_const_expr_transformer(THD, unsigned char)>, arg_t=0x7d2c401f8bd7 "") at /test/11.4_dbg/sql/item_func.cc:578
#7 0x000057fa37d84329 in Item::top_level_compile (this=0x7d2af005c7b0, thd=0x7d2af0000d58, analyzer=(bool (Item::)(Item const, uchar )) 0x57fa38356790 <Item::cache_const_expr_analyzer(unsigned char)>, arg_p=0x7d2c401f8bc8, transformer=(Item (Item::)(Item * const, THD , uchar )) 0x57fa383568c0 <Item::cache_const_expr_transformer(THD, unsigned char)>, arg_t=0x7d2c401f8bd7 "") at /test/11.4_dbg/sql/item.h:2239
#8 0x000057fa37f8dd65 in JOIN::cache_const_exprs (this=0x7d2af005b690)at /test/11.4_dbg/sql/sql_select.cc:32529
#9 0x000057fa37f8197f in JOIN::optimize_stage2 (this=0x7d2af005b690)at /test/11.4_dbg/sql/sql_select.cc:2996
#10 0x000057fa37f8586e in JOIN::optimize_inner (this=0x7d2af005b690)at /test/11.4_dbg/sql/sql_select.cc:2734
#11 0x000057fa37f80b28 in JOIN::optimize (this=0x7d2af005b690)at /test/11.4_dbg/sql/sql_select.cc:2003
#12 0x000057fa37eaf251 in mysql_derived_optimize (thd=0x7d2af0000d58, lex=0x7d2af0035710, derived=0x7d2af0034f38)at /test/11.4_dbg/sql/sql_derived.cc:1037
#13 0x000057fa37eb0e26 in mysql_handle_single_derived (lex=0x7d2af0035710, derived=0x7d2af0034f38, phases=4) at /test/11.4_dbg/sql/sql_derived.cc:200
#14 0x000057fa37f84d87 in JOIN::optimize_inner (this=0x7d2af005ade0)at /test/11.4_dbg/sql/sql_select.cc:2524
#15 0x000057fa37f80b28 in JOIN::optimize (this=0x7d2af005ade0)at /test/11.4_dbg/sql/sql_select.cc:2003
#16 0x000057fa37f78ac9 in mysql_select (thd=0x7d2af0000d58, tables=0x7d2af0034f38, fields=@0x7d2af0034bb0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7d2af0034ee0, last = 0x7d2af0034ee0, elements = 1}, <No data fields>}, conds=0x7d2af0037aa8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164526848, result=0x7d2af005adb8, unit=0x7d2af00357f0, select_lex=0x7d2af00348f8)at /test/11.4_dbg/sql/sql_select.cc:5354
#17 0x000057fa37f78605 in handle_select (thd=0x7d2af0000d58, lex=0x7d2af0035710, result=0x7d2af005adb8, setup_tables_done_option=0)at /test/11.4_dbg/sql/sql_select.cc:642
#18 0x000057fa37f20651 in execute_sqlcom_select (thd=0x7d2af0000d58, all_tables=0x7d2af0034f38) at /test/11.4_dbg/sql/sql_parse.cc:6183
#19 0x000057fa37f155e0 in mysql_execute_command (thd=0x7d2af0000d58, is_called_from_prepared_stmt=false) at /test/11.4_dbg/sql/sql_parse.cc:3975
#20 0x000057fa381c1057 in sp_instr_stmt::exec_core (this=0x7d2af0038430, thd=0x7d2af0000d58, nextp=0x7d2c401fb848)at /test/11.4_dbg/sql/sp_instr.cc:1074
#21 0x000057fa381be8a6 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7d2af0038468, thd=0x7d2af0000d58, nextp=0x7d2c401fb848, open_tables=false, instr=0x7d2af0038430, rerun_the_same_instr=false)at /test/11.4_dbg/sql/sp_instr.cc:297
#22 0x000057fa381bf01d in sp_lex_keeper::validate_lex_and_exec_core (this=0x7d2af0038468, thd=0x7d2af0000d58, nextp=0x7d2c401fb848, open_tables=false, instr=0x7d2af0038430)at /test/11.4_dbg/sql/sp_instr.cc:476
#23 0x000057fa381c0306 in sp_instr_stmt::execute (this=0x7d2af0038430, thd=0x7d2af0000d58, nextp=0x7d2c401fb848)at /test/11.4_dbg/sql/sp_instr.cc:977
#24 0x000057fa37e06b49 in sp_head::execute (this=0x7d2af0033798, thd=0x7d2af0000d58, merge_da_on_success=true)at /test/11.4_dbg/sql/sp_head.cc:1286
#25 0x000057fa37e094a2 in sp_head::execute_procedure (this=0x7d2af0033798, thd=0x7d2af0000d58, args=0x7d2af0005f58)at /test/11.4_dbg/sql/sp_head.cc:2302
#26 0x000057fa37f1270d in do_execute_sp (thd=0x7d2af0000d58, sp=0x7d2af0033798)at /test/11.4_dbg/sql/sql_parse.cc:3082
#27 0x000057fa37f12244 in Sql_cmd_call::execute (this=0x7d2af0019b68, thd=0x7d2af0000d58) at /test/11.4_dbg/sql/sql_parse.cc:3305
#28 0x000057fa37f1e482 in mysql_execute_command (thd=0x7d2af0000d58, is_called_from_prepared_stmt=false) at /test/11.4_dbg/sql/sql_parse.cc:5878
#29 0x000057fa37f0d744 in mysql_parse (thd=0x7d2af0000d58, rawbuf=0x7d2af0019ac0 "CALL s(0)", length=9, parser_state=0x7d2c401fda30)at /test/11.4_dbg/sql/sql_parse.cc:7907
#30 0x000057fa37f0abf4 in dispatch_command (command=COM_QUERY, thd=0x7d2af0000d58, packet=0x7d2af000afd9 "CALL s(0)", packet_length=9, blocking=true) at /test/11.4_dbg/sql/sql_parse.cc:1904
#31 0x000057fa37f0e2f3 in do_command (thd=0x7d2af0000d58, blocking=true)at /test/11.4_dbg/sql/sql_parse.cc:1417
#32 0x000057fa380f0619 in do_handle_one_connection (connect=0x57fa3cd9a228, put_in_cache=true) at /test/11.4_dbg/sql/sql_connect.cc:1408
#33 0x000057fa380f03b2 in handle_one_connection (arg=0x57fa3cdfdcd8)at /test/11.4_dbg/sql/sql_connect.cc:1320
#34 0x00007d2c45e9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#35 0x00007d2c45f29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.5 dbg 120425 e6ea5d568c0fb972a391a8c64716846ddb7c57ef SIGSEGV\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
CS 10.5 opt 120425 e6ea5d568c0fb972a391a8c64716846ddb7c57ef SIGSEGV\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
CS 10.6 dbg 120425 690b2cf776faa2e1a6832077cec2246c86cd00bf SIGSEGV\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
CS 10.6 opt 120425 690b2cf776faa2e1a6832077cec2246c86cd00bf SIGSEGV\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
CS 10.11 dbg 120425 acd071f599f416ddb4821dec485c4d912844213f SIGSEGV\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
CS 10.11 opt 120425 acd071f599f416ddb4821dec485c4d912844213f SIGSEGV\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
CS 11.4 dbg 120425 4a701e8ce4a178faf955641caf59fc13fcc718e9 SIGSEGV\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
CS 11.4 opt 120425 4a701e8ce4a178faf955641caf59fc13fcc718e9 SIGSEGV\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
CS 11.8 dbg 120425 db5bb6f3339be5a49c0f397eb80a0f259f73f447 No bug found
CS 11.8 opt 120425 db5bb6f3339be5a49c0f397eb80a0f259f73f447 No bug found
CS 12.0 dbg 120425 22efc2c784e1b7199fb5804e6330168277ea7dce No bug found
CS 12.0 opt 120425 22efc2c784e1b7199fb5804e6330168277ea7dce No bug found
ES 10.5 dbg 210425 0d368ec0042a81d9549fc939fb742f82350b20ab SIGSEGV\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
ES 10.5 opt 210425 0d368ec0042a81d9549fc939fb742f82350b20ab SIGSEGV\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
ES 10.6 dbg 210425 74602d1b054ba6c9ee20af79d6e7807440a7a98e SIGSEGV\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
ES 10.6 opt 210425 74602d1b054ba6c9ee20af79d6e7807440a7a98e SIGSEGV\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
ES 11.4 dbg 210425 9cd12544ebfd0d52d2158af66b5aced58121cf1f SIGSEGV\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
ES 11.4 opt 210425 9cd12544ebfd0d52d2158af66b5aced58121cf1f SIGSEGV\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
MS 5.5 dbg 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
MS 5.5 opt 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
MS 5.6 dbg 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
MS 5.6 opt 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
MS 5.7 dbg 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
MS 5.7 opt 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
MS 8.0 dbg 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
MS 8.0 opt 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
MS 9.1 dbg 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found
MS 9.1 opt 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found

And on UBSAN builds to:

CS 10.5.29 c43d0a015f974c5a0142e6779332089a7a979853 (Debug, UBASAN, Clang) Build 15/02/2025
/test/10.5_dbg_san/sql/item.h:5628:46: runtime error: load of null pointer of type 'Item *'
#0 0x5c60e10daaa7 in Item_ref::const_item() const /test/10.5_dbg_san/sql/item.h:5628:46
#1 0x5c60e20d18ac in Item::cache_const_expr_analyzer(unsigned char**) /test/10.5_dbg_san/sql/item.cc:7522:9
#2 0x5c60e20e2632 in Item_ref::compile(THD, bool (Item::)(unsigned char), unsigned char, Item* (Item::)(THD, unsigned char), unsigned char) /test/10.5_dbg_san/sql/item.cc:8498:8
#3 0x5c60e2267096 in Item_func::compile(THD, bool (Item::)(unsigned char), unsigned char, Item* (Item::)(THD, unsigned char), unsigned char) /test/10.5_dbg_san/sql/item_func.cc:586:31
#4 0x5c60e20e2842 in Item_ref::compile(THD, bool (Item::)(unsigned char), unsigned char, Item* (Item::)(THD, unsigned char), unsigned char) /test/10.5_dbg_san/sql/item.cc:8506:29
#5 0x5c60e2267096 in Item_func::compile(THD, bool (Item::)(unsigned char), unsigned char, Item* (Item::)(THD, unsigned char), unsigned char) /test/10.5_dbg_san/sql/item_func.cc:586:31
#6 0x5c60e2267096 in Item_func::compile(THD, bool (Item::)(unsigned char), unsigned char, Item* (Item::)(THD, unsigned char), unsigned char) /test/10.5_dbg_san/sql/item_func.cc:586:31
#7 0x5c60e0eb8bc6 in Item::top_level_compile(THD, bool (Item::)(unsigned char), unsigned char, Item* (Item::)(THD, unsigned char), unsigned char) /test/10.5_dbg_san/sql/item.h:2015:12
#8 0x5c60e146dcc8 in JOIN::cache_const_exprs() /test/10.5_dbg_san/sql/sql_select.cc:29350:13
#9 0x5c60e1444ebe in JOIN::optimize_stage2() /test/10.5_dbg_san/sql/sql_select.cc:2691:3
#10 0x5c60e144ed2d in JOIN::optimize_inner() /test/10.5_dbg_san/sql/sql_select.cc:2445:9
#11 0x5c60e144208b in JOIN::optimize() /test/10.5_dbg_san/sql/sql_select.cc:1765:10
#12 0x5c60e119d646 in mysql_derived_optimize(THD, LEX, TABLE_LIST*) /test/10.5_dbg_san/sql/sql_derived.cc:1029:23
#13 0x5c60e11a39c6 in mysql_handle_single_derived(LEX, TABLE_LIST, unsigned int) /test/10.5_dbg_san/sql/sql_derived.cc:200:15
#14 0x5c60e144e5cc in JOIN::optimize_inner() /test/10.5_dbg_san/sql/sql_select.cc:2237:6
#15 0x5c60e144208b in JOIN::optimize() /test/10.5_dbg_san/sql/sql_select.cc:1765:10
#16 0x5c60e1423f60 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.5_dbg_san/sql/sql_select.cc:4907:19
#17 0x5c60e1423392 in handle_select(THD, LEX, select_result*, unsigned long) /test/10.5_dbg_san/sql/sql_select.cc:449:10
#18 0x5c60e13521f3 in execute_sqlcom_select(THD, TABLE_LIST) /test/10.5_dbg_san/sql/sql_parse.cc:6452:12
#19 0x5c60e133a242 in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:4043:12
#20 0x5c60e0f96e47 in sp_instr_stmt::exec_core(THD, unsigned int) /test/10.5_dbg_san/sql/sp_head.cc:3854:12
#21 0x5c60e0f8fe19 in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /test/10.5_dbg_san/sql/sp_head.cc:3565:17
#22 0x5c60e0f945ef in sp_instr_stmt::execute(THD, unsigned int) /test/10.5_dbg_san/sql/sp_head.cc:3757:25
#23 0x5c60e0f6ce18 in sp_head::execute(THD*, bool) /test/10.5_dbg_san/sql/sp_head.cc:1443:20
#24 0x5c60e0f7a011 in sp_head::execute_procedure(THD, List<Item>) /test/10.5_dbg_san/sql/sp_head.cc:2484:5
#25 0x5c60e1323555 in do_execute_sp(THD, sp_head) /test/10.5_dbg_san/sql/sql_parse.cc:3124:16
#26 0x5c60e132250c in Sql_cmd_call::execute(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:3370:9
#27 0x5c60e132af3f in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:6194:26
#28 0x5c60e130a467 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:8252:18
#29 0x5c60e12fe3b9 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:1891:7
#30 0x5c60e130c5be in do_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:1375:17
#31 0x5c60e1916257 in do_handle_one_connection(CONNECT*, bool) /test/10.5_dbg_san/sql/sql_connect.cc:1386:11
#32 0x5c60e1915b1b in handle_one_connection /test/10.5_dbg_san/sql/sql_connect.cc:1298:5
#33 0x5c60e0e1f03c in asan_thread_start(void*) asan_interceptors.cpp.o
#34 0x746e0b89ca93 in start_thread nptl/pthread_create.c:447:8
#35 0x746e0b929c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/10.5_dbg_san/sql/item.h:5628:46

SAN Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.5 dbg 150225 c43d0a015f974c5a0142e6779332089a7a979853 UBSAN\|load of null pointer of type 'Item *'\|sql/item.h\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
CS 10.5 opt 150225 c43d0a015f974c5a0142e6779332089a7a979853 UBSAN\|load of null pointer of type 'Item *'\|sql/item.h\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
CS 10.6 dbg 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 UBSAN\|load of null pointer of type 'Item *'\|sql/item.h\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
CS 10.6 opt 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 UBSAN\|load of null pointer of type 'Item *'\|sql/item.h\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
CS 10.11 dbg 150225 43c5d1303f5c7c726db276815c459436110f342f UBSAN\|load of null pointer of type 'Item *'\|sql/item.h\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
CS 10.11 opt 150225 43c5d1303f5c7c726db276815c459436110f342f UBSAN\|load of null pointer of type 'Item *'\|sql/item.h\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
CS 11.4 dbg 150225 ef966af801afc2a07222b5df65dddd52c77431dd UBSAN\|load of null pointer of type 'Item *'\|sql/item.h\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
CS 11.4 opt 150225 ef966af801afc2a07222b5df65dddd52c77431dd UBSAN\|load of null pointer of type 'Item *'\|sql/item.h\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
CS 11.8 dbg 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d No bug found
CS 11.8 opt 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d No bug found
CS 12.0 dbg 150225 c92add291e636c797e6d6ddca605905541b2a441 No bug found
CS 12.0 opt 150225 c92add291e636c797e6d6ddca605905541b2a441 No bug found
ES 10.5 dbg 140325 6553c62369ab3606efc74295c902181f793fd6d1 UBSAN\|load of null pointer of type 'Item *'\|sql/item.h\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
ES 10.5 opt 140325 6553c62369ab3606efc74295c902181f793fd6d1 UBSAN\|load of null pointer of type 'Item *'\|sql/item.h\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
ES 10.6 dbg 140325 a99e9e4101f5d56a379577e6d81c829b7658df99 UBSAN\|load of null pointer of type 'Item *'\|sql/item.h\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
ES 10.6 opt 140325 a99e9e4101f5d56a379577e6d81c829b7658df99 UBSAN\|load of null pointer of type 'Item *'\|sql/item.h\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
ES 11.4 dbg 140325 26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba UBSAN\|load of null pointer of type 'Item *'\|sql/item.h\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile
ES 11.4 opt 140325 26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba UBSAN\|load of null pointer of type 'Item *'\|sql/item.h\|Item_ref::const_item\|Item::cache_const_expr_analyzer\|Item_ref::compile\|Item_func::compile

UBASAN builds Setup:

Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18. Ubuntu instructions:

  # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18

     sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev

Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter

Roel Van de Paar added a comment - 2025-04-25 09:12 - edited CREATE TABLE t (c INT ) ENGINE=InnoDB; CREATE VIEW v as SELECT GROUP_CONCAT( '' , '' ) AS l FROM t; DELIMITER // CREATE PROCEDURE s ( IN i VARCHAR (1)) SELECT * FROM v v WHERE CASE WHEN i THEN v.l LIKE CONCAT ( '' ,i) END ; // DELIMITER ; CALL s(0); Leads to: CS 11.4.6 4a701e8ce4a178faf955641caf59fc13fcc718e9 (Debug) Build 12/04/2025 Core was generated by `/test/MD120425-mariadb-11.4.6-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x000057fa37e71dd7 in Item_ref::const_item (this=0x7d2af005c898)at /test/11.4_dbg/sql/item.h:5952 [Current thread is 1 (LWP 428694)] (gdb) bt #0 0x000057fa37e71dd7 in Item_ref::const_item (this=0x7d2af005c898)at /test/11.4_dbg/sql/item.h:5952 #1 0x000057fa383567de in Item::cache_const_expr_analyzer (this=0x7d2af005c898, arg=0x7d2c401f8730) at /test/11.4_dbg/sql/item.cc:7665 #2 0x000057fa38359993 in Item_ref::compile (this=0x7d2af005c898, thd=0x7d2af0000d58, analyzer=(bool (Item::*)(Item * const, uchar **)) 0x57fa38356790 <Item::cache_const_expr_analyzer(unsigned char**)>, arg_p=0x7d2c401f8730, transformer=(Item *(Item::*)(Item * const, THD *, uchar *)) 0x57fa383568c0 <Item::cache_const_expr_transformer(THD*, unsigned char*)>, arg_t=0x7d2c401f8bd7 "") at /test/11.4_dbg/sql/item.cc:8645 #3 0x000057fa383b9d5e in Item_func::compile (this=0x7d2af005be58, thd=0x7d2af0000d58, analyzer=(bool (Item::*)(Item * const, uchar **)) 0x57fa38356790 <Item::cache_const_expr_analyzer(unsigned char**)>, arg_p=0x7d2c401f8830, transformer=(Item *(Item::*)(Item * const, THD *, uchar *)) 0x57fa383568c0 <Item::cache_const_expr_transformer(THD*, unsigned char*)>, arg_t=0x7d2c401f8bd7 "") at /test/11.4_dbg/sql/item_func.cc:578 #4 0x000057fa38359ab9 in Item_ref::compile (this=0x7d2af005c238, thd=0x7d2af0000d58, analyzer=(bool (Item::*)(Item * const, uchar **)) 0x57fa38356790 <Item::cache_const_expr_analyzer(unsigned char**)>, arg_p=0x7d2c401f8920, transformer=(Item *(Item::*)(Item * const, THD *, uchar *)) 0x57fa383568c0 <Item::cache_const_expr_transformer(THD*, unsigned char*)>, arg_t=0x7d2c401f8bd7 "") at /test/11.4_dbg/sql/item.cc:8653 #5 0x000057fa383b9d5e in Item_func::compile (this=0x7d2af005c668, thd=0x7d2af0000d58, analyzer=(bool (Item::*)(Item * const, uchar **)) 0x57fa38356790 <Item::cache_const_expr_analyzer(unsigned char**)>, arg_p=0x7d2c401f8a20, transformer=(Item *(Item::*)(Item * const, THD *, uchar *)) 0x57fa383568c0 <Item::cache_const_expr_transformer(THD*, unsigned char*)>, arg_t=0x7d2c401f8bd7 "") at /test/11.4_dbg/sql/item_func.cc:578 #6 0x000057fa383b9d5e in Item_func::compile (this=0x7d2af005c7b0, thd=0x7d2af0000d58, analyzer=(bool (Item::*)(Item * const, uchar **)) 0x57fa38356790 <Item::cache_const_expr_analyzer(unsigned char**)>, arg_p=0x7d2c401f8bc8, transformer=(Item *(Item::*)(Item * const, THD *, uchar *)) 0x57fa383568c0 <Item::cache_const_expr_transformer(THD*, unsigned char*)>, arg_t=0x7d2c401f8bd7 "") at /test/11.4_dbg/sql/item_func.cc:578 #7 0x000057fa37d84329 in Item::top_level_compile (this=0x7d2af005c7b0, thd=0x7d2af0000d58, analyzer=(bool (Item::*)(Item * const, uchar **)) 0x57fa38356790 <Item::cache_const_expr_analyzer(unsigned char**)>, arg_p=0x7d2c401f8bc8, transformer=(Item *(Item::*)(Item * const, THD *, uchar *)) 0x57fa383568c0 <Item::cache_const_expr_transformer(THD*, unsigned char*)>, arg_t=0x7d2c401f8bd7 "") at /test/11.4_dbg/sql/item.h:2239 #8 0x000057fa37f8dd65 in JOIN::cache_const_exprs (this=0x7d2af005b690)at /test/11.4_dbg/sql/sql_select.cc:32529 #9 0x000057fa37f8197f in JOIN::optimize_stage2 (this=0x7d2af005b690)at /test/11.4_dbg/sql/sql_select.cc:2996 #10 0x000057fa37f8586e in JOIN::optimize_inner (this=0x7d2af005b690)at /test/11.4_dbg/sql/sql_select.cc:2734 #11 0x000057fa37f80b28 in JOIN::optimize (this=0x7d2af005b690)at /test/11.4_dbg/sql/sql_select.cc:2003 #12 0x000057fa37eaf251 in mysql_derived_optimize (thd=0x7d2af0000d58, lex=0x7d2af0035710, derived=0x7d2af0034f38)at /test/11.4_dbg/sql/sql_derived.cc:1037 #13 0x000057fa37eb0e26 in mysql_handle_single_derived (lex=0x7d2af0035710, derived=0x7d2af0034f38, phases=4) at /test/11.4_dbg/sql/sql_derived.cc:200 #14 0x000057fa37f84d87 in JOIN::optimize_inner (this=0x7d2af005ade0)at /test/11.4_dbg/sql/sql_select.cc:2524 #15 0x000057fa37f80b28 in JOIN::optimize (this=0x7d2af005ade0)at /test/11.4_dbg/sql/sql_select.cc:2003 #16 0x000057fa37f78ac9 in mysql_select (thd=0x7d2af0000d58, tables=0x7d2af0034f38, fields=@0x7d2af0034bb0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7d2af0034ee0, last = 0x7d2af0034ee0, elements = 1}, <No data fields>}, conds=0x7d2af0037aa8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164526848, result=0x7d2af005adb8, unit=0x7d2af00357f0, select_lex=0x7d2af00348f8)at /test/11.4_dbg/sql/sql_select.cc:5354 #17 0x000057fa37f78605 in handle_select (thd=0x7d2af0000d58, lex=0x7d2af0035710, result=0x7d2af005adb8, setup_tables_done_option=0)at /test/11.4_dbg/sql/sql_select.cc:642 #18 0x000057fa37f20651 in execute_sqlcom_select (thd=0x7d2af0000d58, all_tables=0x7d2af0034f38) at /test/11.4_dbg/sql/sql_parse.cc:6183 #19 0x000057fa37f155e0 in mysql_execute_command (thd=0x7d2af0000d58, is_called_from_prepared_stmt=false) at /test/11.4_dbg/sql/sql_parse.cc:3975 #20 0x000057fa381c1057 in sp_instr_stmt::exec_core (this=0x7d2af0038430, thd=0x7d2af0000d58, nextp=0x7d2c401fb848)at /test/11.4_dbg/sql/sp_instr.cc:1074 #21 0x000057fa381be8a6 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7d2af0038468, thd=0x7d2af0000d58, nextp=0x7d2c401fb848, open_tables=false, instr=0x7d2af0038430, rerun_the_same_instr=false)at /test/11.4_dbg/sql/sp_instr.cc:297 #22 0x000057fa381bf01d in sp_lex_keeper::validate_lex_and_exec_core (this=0x7d2af0038468, thd=0x7d2af0000d58, nextp=0x7d2c401fb848, open_tables=false, instr=0x7d2af0038430)at /test/11.4_dbg/sql/sp_instr.cc:476 #23 0x000057fa381c0306 in sp_instr_stmt::execute (this=0x7d2af0038430, thd=0x7d2af0000d58, nextp=0x7d2c401fb848)at /test/11.4_dbg/sql/sp_instr.cc:977 #24 0x000057fa37e06b49 in sp_head::execute (this=0x7d2af0033798, thd=0x7d2af0000d58, merge_da_on_success=true)at /test/11.4_dbg/sql/sp_head.cc:1286 #25 0x000057fa37e094a2 in sp_head::execute_procedure (this=0x7d2af0033798, thd=0x7d2af0000d58, args=0x7d2af0005f58)at /test/11.4_dbg/sql/sp_head.cc:2302 #26 0x000057fa37f1270d in do_execute_sp (thd=0x7d2af0000d58, sp=0x7d2af0033798)at /test/11.4_dbg/sql/sql_parse.cc:3082 #27 0x000057fa37f12244 in Sql_cmd_call::execute (this=0x7d2af0019b68, thd=0x7d2af0000d58) at /test/11.4_dbg/sql/sql_parse.cc:3305 #28 0x000057fa37f1e482 in mysql_execute_command (thd=0x7d2af0000d58, is_called_from_prepared_stmt=false) at /test/11.4_dbg/sql/sql_parse.cc:5878 #29 0x000057fa37f0d744 in mysql_parse (thd=0x7d2af0000d58, rawbuf=0x7d2af0019ac0 "CALL s(0)", length=9, parser_state=0x7d2c401fda30)at /test/11.4_dbg/sql/sql_parse.cc:7907 #30 0x000057fa37f0abf4 in dispatch_command (command=COM_QUERY, thd=0x7d2af0000d58, packet=0x7d2af000afd9 "CALL s(0)", packet_length=9, blocking=true) at /test/11.4_dbg/sql/sql_parse.cc:1904 #31 0x000057fa37f0e2f3 in do_command (thd=0x7d2af0000d58, blocking=true)at /test/11.4_dbg/sql/sql_parse.cc:1417 #32 0x000057fa380f0619 in do_handle_one_connection (connect=0x57fa3cd9a228, put_in_cache=true) at /test/11.4_dbg/sql/sql_connect.cc:1408 #33 0x000057fa380f03b2 in handle_one_connection (arg=0x57fa3cdfdcd8)at /test/11.4_dbg/sql/sql_connect.cc:1320 #34 0x00007d2c45e9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447 #35 0x00007d2c45f29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 Bug Detection Matrix Rel o/d Build Commit UniqueID observed CS 10.5 dbg 120425 e6ea5d568c0fb972a391a8c64716846ddb7c57ef SIGSEGV|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile CS 10.5 opt 120425 e6ea5d568c0fb972a391a8c64716846ddb7c57ef SIGSEGV|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile CS 10.6 dbg 120425 690b2cf776faa2e1a6832077cec2246c86cd00bf SIGSEGV|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile CS 10.6 opt 120425 690b2cf776faa2e1a6832077cec2246c86cd00bf SIGSEGV|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile CS 10.11 dbg 120425 acd071f599f416ddb4821dec485c4d912844213f SIGSEGV|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile CS 10.11 opt 120425 acd071f599f416ddb4821dec485c4d912844213f SIGSEGV|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile CS 11.4 dbg 120425 4a701e8ce4a178faf955641caf59fc13fcc718e9 SIGSEGV|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile CS 11.4 opt 120425 4a701e8ce4a178faf955641caf59fc13fcc718e9 SIGSEGV|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile CS 11.8 dbg 120425 db5bb6f3339be5a49c0f397eb80a0f259f73f447 No bug found CS 11.8 opt 120425 db5bb6f3339be5a49c0f397eb80a0f259f73f447 No bug found CS 12.0 dbg 120425 22efc2c784e1b7199fb5804e6330168277ea7dce No bug found CS 12.0 opt 120425 22efc2c784e1b7199fb5804e6330168277ea7dce No bug found ES 10.5 dbg 210425 0d368ec0042a81d9549fc939fb742f82350b20ab SIGSEGV|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile ES 10.5 opt 210425 0d368ec0042a81d9549fc939fb742f82350b20ab SIGSEGV|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile ES 10.6 dbg 210425 74602d1b054ba6c9ee20af79d6e7807440a7a98e SIGSEGV|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile ES 10.6 opt 210425 74602d1b054ba6c9ee20af79d6e7807440a7a98e SIGSEGV|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile ES 11.4 dbg 210425 9cd12544ebfd0d52d2158af66b5aced58121cf1f SIGSEGV|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile ES 11.4 opt 210425 9cd12544ebfd0d52d2158af66b5aced58121cf1f SIGSEGV|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile MS 5.5 dbg 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found MS 5.5 opt 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found MS 5.6 dbg 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found MS 5.6 opt 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found MS 5.7 dbg 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found MS 5.7 opt 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found MS 8.0 dbg 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found MS 8.0 opt 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found MS 9.1 dbg 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found MS 9.1 opt 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found And on UBSAN builds to: CS 10.5.29 c43d0a015f974c5a0142e6779332089a7a979853 (Debug, UBASAN, Clang) Build 15/02/2025 /test/10.5_dbg_san/sql/item.h:5628:46: runtime error: load of null pointer of type 'Item *' #0 0x5c60e10daaa7 in Item_ref::const_item() const /test/10.5_dbg_san/sql/item.h:5628:46 #1 0x5c60e20d18ac in Item::cache_const_expr_analyzer(unsigned char**) /test/10.5_dbg_san/sql/item.cc:7522:9 #2 0x5c60e20e2632 in Item_ref::compile(THD*, bool (Item::*)(unsigned char**), unsigned char**, Item* (Item::*)(THD*, unsigned char*), unsigned char*) /test/10.5_dbg_san/sql/item.cc:8498:8 #3 0x5c60e2267096 in Item_func::compile(THD*, bool (Item::*)(unsigned char**), unsigned char**, Item* (Item::*)(THD*, unsigned char*), unsigned char*) /test/10.5_dbg_san/sql/item_func.cc:586:31 #4 0x5c60e20e2842 in Item_ref::compile(THD*, bool (Item::*)(unsigned char**), unsigned char**, Item* (Item::*)(THD*, unsigned char*), unsigned char*) /test/10.5_dbg_san/sql/item.cc:8506:29 #5 0x5c60e2267096 in Item_func::compile(THD*, bool (Item::*)(unsigned char**), unsigned char**, Item* (Item::*)(THD*, unsigned char*), unsigned char*) /test/10.5_dbg_san/sql/item_func.cc:586:31 #6 0x5c60e2267096 in Item_func::compile(THD*, bool (Item::*)(unsigned char**), unsigned char**, Item* (Item::*)(THD*, unsigned char*), unsigned char*) /test/10.5_dbg_san/sql/item_func.cc:586:31 #7 0x5c60e0eb8bc6 in Item::top_level_compile(THD*, bool (Item::*)(unsigned char**), unsigned char**, Item* (Item::*)(THD*, unsigned char*), unsigned char*) /test/10.5_dbg_san/sql/item.h:2015:12 #8 0x5c60e146dcc8 in JOIN::cache_const_exprs() /test/10.5_dbg_san/sql/sql_select.cc:29350:13 #9 0x5c60e1444ebe in JOIN::optimize_stage2() /test/10.5_dbg_san/sql/sql_select.cc:2691:3 #10 0x5c60e144ed2d in JOIN::optimize_inner() /test/10.5_dbg_san/sql/sql_select.cc:2445:9 #11 0x5c60e144208b in JOIN::optimize() /test/10.5_dbg_san/sql/sql_select.cc:1765:10 #12 0x5c60e119d646 in mysql_derived_optimize(THD*, LEX*, TABLE_LIST*) /test/10.5_dbg_san/sql/sql_derived.cc:1029:23 #13 0x5c60e11a39c6 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /test/10.5_dbg_san/sql/sql_derived.cc:200:15 #14 0x5c60e144e5cc in JOIN::optimize_inner() /test/10.5_dbg_san/sql/sql_select.cc:2237:6 #15 0x5c60e144208b in JOIN::optimize() /test/10.5_dbg_san/sql/sql_select.cc:1765:10 #16 0x5c60e1423f60 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.5_dbg_san/sql/sql_select.cc:4907:19 #17 0x5c60e1423392 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.5_dbg_san/sql/sql_select.cc:449:10 #18 0x5c60e13521f3 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/10.5_dbg_san/sql/sql_parse.cc:6452:12 #19 0x5c60e133a242 in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:4043:12 #20 0x5c60e0f96e47 in sp_instr_stmt::exec_core(THD*, unsigned int*) /test/10.5_dbg_san/sql/sp_head.cc:3854:12 #21 0x5c60e0f8fe19 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /test/10.5_dbg_san/sql/sp_head.cc:3565:17 #22 0x5c60e0f945ef in sp_instr_stmt::execute(THD*, unsigned int*) /test/10.5_dbg_san/sql/sp_head.cc:3757:25 #23 0x5c60e0f6ce18 in sp_head::execute(THD*, bool) /test/10.5_dbg_san/sql/sp_head.cc:1443:20 #24 0x5c60e0f7a011 in sp_head::execute_procedure(THD*, List<Item>*) /test/10.5_dbg_san/sql/sp_head.cc:2484:5 #25 0x5c60e1323555 in do_execute_sp(THD*, sp_head*) /test/10.5_dbg_san/sql/sql_parse.cc:3124:16 #26 0x5c60e132250c in Sql_cmd_call::execute(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:3370:9 #27 0x5c60e132af3f in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:6194:26 #28 0x5c60e130a467 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:8252:18 #29 0x5c60e12fe3b9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:1891:7 #30 0x5c60e130c5be in do_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:1375:17 #31 0x5c60e1916257 in do_handle_one_connection(CONNECT*, bool) /test/10.5_dbg_san/sql/sql_connect.cc:1386:11 #32 0x5c60e1915b1b in handle_one_connection /test/10.5_dbg_san/sql/sql_connect.cc:1298:5 #33 0x5c60e0e1f03c in asan_thread_start(void*) asan_interceptors.cpp.o #34 0x746e0b89ca93 in start_thread nptl/pthread_create.c:447:8 #35 0x746e0b929c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/10.5_dbg_san/sql/item.h:5628:46 SAN Bug Detection Matrix Rel o/d Build Commit UniqueID observed CS 10.5 dbg 150225 c43d0a015f974c5a0142e6779332089a7a979853 UBSAN|load of null pointer of type 'Item *'|sql/item.h|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile CS 10.5 opt 150225 c43d0a015f974c5a0142e6779332089a7a979853 UBSAN|load of null pointer of type 'Item *'|sql/item.h|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile CS 10.6 dbg 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 UBSAN|load of null pointer of type 'Item *'|sql/item.h|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile CS 10.6 opt 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 UBSAN|load of null pointer of type 'Item *'|sql/item.h|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile CS 10.11 dbg 150225 43c5d1303f5c7c726db276815c459436110f342f UBSAN|load of null pointer of type 'Item *'|sql/item.h|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile CS 10.11 opt 150225 43c5d1303f5c7c726db276815c459436110f342f UBSAN|load of null pointer of type 'Item *'|sql/item.h|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile CS 11.4 dbg 150225 ef966af801afc2a07222b5df65dddd52c77431dd UBSAN|load of null pointer of type 'Item *'|sql/item.h|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile CS 11.4 opt 150225 ef966af801afc2a07222b5df65dddd52c77431dd UBSAN|load of null pointer of type 'Item *'|sql/item.h|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile CS 11.8 dbg 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d No bug found CS 11.8 opt 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d No bug found CS 12.0 dbg 150225 c92add291e636c797e6d6ddca605905541b2a441 No bug found CS 12.0 opt 150225 c92add291e636c797e6d6ddca605905541b2a441 No bug found ES 10.5 dbg 140325 6553c62369ab3606efc74295c902181f793fd6d1 UBSAN|load of null pointer of type 'Item *'|sql/item.h|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile ES 10.5 opt 140325 6553c62369ab3606efc74295c902181f793fd6d1 UBSAN|load of null pointer of type 'Item *'|sql/item.h|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile ES 10.6 dbg 140325 a99e9e4101f5d56a379577e6d81c829b7658df99 UBSAN|load of null pointer of type 'Item *'|sql/item.h|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile ES 10.6 opt 140325 a99e9e4101f5d56a379577e6d81c829b7658df99 UBSAN|load of null pointer of type 'Item *'|sql/item.h|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile ES 11.4 dbg 140325 26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba UBSAN|load of null pointer of type 'Item *'|sql/item.h|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile ES 11.4 opt 140325 26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba UBSAN|load of null pointer of type 'Item *'|sql/item.h|Item_ref::const_item|Item::cache_const_expr_analyzer|Item_ref::compile|Item_func::compile UBASAN builds Setup: Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18. Ubuntu instructions: # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref dpkg --list | grep -iE 'clang|llvm' and use apt purge and dpkg --purge to remove the packages), before installing Clang/LLVM 18 sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and: -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON Set before execution: export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1 # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter

Roel Van de Paar added a comment - 2025-04-25 09:20 - edited

The same testcase, but using MyISAM, leads to a different SIGSEGV location:

CREATE TABLE t (c INT) ENGINE=MyISAM;

CREATE VIEW v as SELECT GROUP_CONCAT('','') AS l FROM t;

DELIMITER //

CREATE PROCEDURE s (IN i VARCHAR(1)) SELECT * FROM v v WHERE CASE WHEN i THEN v.l LIKE CONCAT ('',i) END; //

DELIMITER ;

CALL s(0);

Leads to:

CS 11.4.6 4a701e8ce4a178faf955641caf59fc13fcc718e9 (Debug) Build 12/04/2025
Core was generated by `/test/MD120425-mariadb-11.4.6-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000055ab5c12b16e in Item_ref::update_used_tables (this=0x71329405aa98)at /test/11.4_dbg/sql/item.cc:11120

[Current thread is 1 (LWP 589063)]
(gdb) bt
#0 0x000055ab5c12b16e in Item_ref::update_used_tables (this=0x71329405aa98)at /test/11.4_dbg/sql/item.cc:11120
#1 0x000055ab5bb8c085 in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join (this=0x71329405a0f0, item=0x71329405aa98)at /test/11.4_dbg/sql/item.h:5608
#2 0x000055ab5bb8c042 in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join (this=0x71329405a0f0, argc=1, argv=0x71329405a0d8)at /test/11.4_dbg/sql/item.h:5620
#3 0x000055ab5bb8617d in Item_func::update_used_tables (this=0x71329405a058)at /test/11.4_dbg/sql/item_func.h:220
#4 0x000055ab5c134df0 in Item_direct_ref_to_item::update_used_tables (this=0x71329405f348) at /test/11.4_dbg/sql/item.h:8225
#5 0x000055ab5bb8c085 in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join (this=0x713294035bf0, item=0x71329405f348)at /test/11.4_dbg/sql/item.h:5608
#6 0x000055ab5bb8c042 in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join (this=0x713294035bf0, argc=2, argv=0x713294035bd8)at /test/11.4_dbg/sql/item.h:5620
#7 0x000055ab5bb8617d in Item_func::update_used_tables (this=0x713294035b58)at /test/11.4_dbg/sql/item_func.h:220
#8 0x000055ab5bb8c085 in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join (this=0x713294035df0, item=0x713294035b58)at /test/11.4_dbg/sql/item.h:5608
#9 0x000055ab5bb8c042 in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join (this=0x713294035df0, argc=2, argv=0x713294035dd8)at /test/11.4_dbg/sql/item.h:5620
#10 0x000055ab5bb8617d in Item_func::update_used_tables (this=0x713294035d58)at /test/11.4_dbg/sql/item_func.h:220
#11 0x000055ab5bd536de in make_join_statistics (join=0x713294058fe0, tables_list=@0x713294032dc0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x713294059fa8, last = 0x713294059fa8, elements = 1}, <No data fields>}, keyuse_array=0x713294059340) at /test/11.4_dbg/sql/sql_select.cc:6081
#12 0x000055ab5bd4e74a in JOIN::optimize_inner (this=0x713294058fe0)at /test/11.4_dbg/sql/sql_select.cc:2708
#13 0x000055ab5bd49b28 in JOIN::optimize (this=0x713294058fe0)at /test/11.4_dbg/sql/sql_select.cc:2003
#14 0x000055ab5bd41ac9 in mysql_select (thd=0x713294000d58, tables=0x7132940331e8, fields=@0x713294032e60: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x713294033190, last = 0x713294033190, elements = 1}, <No data fields>}, conds=0x713294035d58, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164526848, result=0x713294058fb8, unit=0x713294033aa0, select_lex=0x713294032ba8)at /test/11.4_dbg/sql/sql_select.cc:5354
#15 0x000055ab5bd41605 in handle_select (thd=0x713294000d58, lex=0x7132940339c0, result=0x713294058fb8, setup_tables_done_option=0)at /test/11.4_dbg/sql/sql_select.cc:642
#16 0x000055ab5bce9651 in execute_sqlcom_select (thd=0x713294000d58, all_tables=0x7132940331e8) at /test/11.4_dbg/sql/sql_parse.cc:6183
#17 0x000055ab5bcde5e0 in mysql_execute_command (thd=0x713294000d58, is_called_from_prepared_stmt=false) at /test/11.4_dbg/sql/sql_parse.cc:3975
#18 0x000055ab5bf8a057 in sp_instr_stmt::exec_core (this=0x7132940366e0, thd=0x713294000d58, nextp=0x7133a5935848)at /test/11.4_dbg/sql/sp_instr.cc:1074
#19 0x000055ab5bf878a6 in sp_lex_keeper::reset_lex_and_exec_core (this=0x713294036718, thd=0x713294000d58, nextp=0x7133a5935848, open_tables=false, instr=0x7132940366e0, rerun_the_same_instr=false)at /test/11.4_dbg/sql/sp_instr.cc:297
#20 0x000055ab5bf8801d in sp_lex_keeper::validate_lex_and_exec_core (this=0x713294036718, thd=0x713294000d58, nextp=0x7133a5935848, open_tables=false, instr=0x7132940366e0)at /test/11.4_dbg/sql/sp_instr.cc:476
#21 0x000055ab5bf89306 in sp_instr_stmt::execute (this=0x7132940366e0, thd=0x713294000d58, nextp=0x7133a5935848)at /test/11.4_dbg/sql/sp_instr.cc:977
#22 0x000055ab5bbcfb49 in sp_head::execute (this=0x713294031a48, thd=0x713294000d58, merge_da_on_success=true)at /test/11.4_dbg/sql/sp_head.cc:1286
#23 0x000055ab5bbd24a2 in sp_head::execute_procedure (this=0x713294031a48, thd=0x713294000d58, args=0x713294005f58)at /test/11.4_dbg/sql/sp_head.cc:2302
#24 0x000055ab5bcdb70d in do_execute_sp (thd=0x713294000d58, sp=0x713294031a48)at /test/11.4_dbg/sql/sql_parse.cc:3082
#25 0x000055ab5bcdb244 in Sql_cmd_call::execute (this=0x713294019b68, thd=0x713294000d58) at /test/11.4_dbg/sql/sql_parse.cc:3305
#26 0x000055ab5bce7482 in mysql_execute_command (thd=0x713294000d58, is_called_from_prepared_stmt=false) at /test/11.4_dbg/sql/sql_parse.cc:5878
#27 0x000055ab5bcd6744 in mysql_parse (thd=0x713294000d58, rawbuf=0x713294019ac0 "CALL s(0)", length=9, parser_state=0x7133a5937a30)at /test/11.4_dbg/sql/sql_parse.cc:7907
#28 0x000055ab5bcd3bf4 in dispatch_command (command=COM_QUERY, thd=0x713294000d58, packet=0x71329400afd9 "CALL s(0)", packet_length=9, blocking=true) at /test/11.4_dbg/sql/sql_parse.cc:1904
#29 0x000055ab5bcd72f3 in do_command (thd=0x713294000d58, blocking=true)at /test/11.4_dbg/sql/sql_parse.cc:1417
#30 0x000055ab5beb9619 in do_handle_one_connection (connect=0x55ab602b5228, put_in_cache=true) at /test/11.4_dbg/sql/sql_connect.cc:1408
#31 0x000055ab5beb93b2 in handle_one_connection (arg=0x55ab60318cd8)at /test/11.4_dbg/sql/sql_connect.cc:1320
#32 0x00007133aaa9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#33 0x00007133aab29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.5 dbg 120425 e6ea5d568c0fb972a391a8c64716846ddb7c57ef SIGSEGV\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Item_func::update_used_tables
CS 10.5 opt 120425 e6ea5d568c0fb972a391a8c64716846ddb7c57ef SIGSEGV\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Item_func::update_used_tables
CS 10.6 dbg 120425 690b2cf776faa2e1a6832077cec2246c86cd00bf SIGSEGV\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Item_func::update_used_tables
CS 10.6 opt 120425 690b2cf776faa2e1a6832077cec2246c86cd00bf SIGSEGV\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Item_func::update_used_tables
CS 10.11 dbg 120425 acd071f599f416ddb4821dec485c4d912844213f SIGSEGV\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Item_func::update_used_tables
CS 10.11 opt 120425 acd071f599f416ddb4821dec485c4d912844213f SIGSEGV\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Item_func::update_used_tables
CS 11.4 dbg 120425 4a701e8ce4a178faf955641caf59fc13fcc718e9 SIGSEGV\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Item_func::update_used_tables
CS 11.4 opt 120425 4a701e8ce4a178faf955641caf59fc13fcc718e9 SIGSEGV\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Item_func::update_used_tables
CS 11.8 dbg 120425 db5bb6f3339be5a49c0f397eb80a0f259f73f447 No bug found
CS 11.8 opt 120425 db5bb6f3339be5a49c0f397eb80a0f259f73f447 No bug found
CS 12.0 dbg 120425 22efc2c784e1b7199fb5804e6330168277ea7dce No bug found
CS 12.0 opt 120425 22efc2c784e1b7199fb5804e6330168277ea7dce No bug found
ES 10.5 dbg 210425 0d368ec0042a81d9549fc939fb742f82350b20ab SIGSEGV\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Item_func::update_used_tables
ES 10.5 opt 210425 0d368ec0042a81d9549fc939fb742f82350b20ab SIGSEGV\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Item_func::update_used_tables
ES 10.6 dbg 210425 74602d1b054ba6c9ee20af79d6e7807440a7a98e SIGSEGV\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Item_func::update_used_tables
ES 10.6 opt 210425 74602d1b054ba6c9ee20af79d6e7807440a7a98e SIGSEGV\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Item_func::update_used_tables
ES 11.4 dbg 210425 9cd12544ebfd0d52d2158af66b5aced58121cf1f SIGSEGV\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Item_func::update_used_tables
ES 11.4 opt 210425 9cd12544ebfd0d52d2158af66b5aced58121cf1f SIGSEGV\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Item_func::update_used_tables
MS 5.5 dbg 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
MS 5.5 opt 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
MS 5.6 dbg 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
MS 5.6 opt 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
MS 5.7 dbg 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
MS 5.7 opt 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
MS 8.0 dbg 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
MS 8.0 opt 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
MS 9.1 dbg 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found
MS 9.1 opt 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found

An on UBASAN builds to:

CS 10.5.29 c43d0a015f974c5a0142e6779332089a7a979853 (Debug, UBASAN, Clang) Build 15/02/2025
/test/10.5_dbg_san/sql/item.cc:10970:6: runtime error: load of null pointer of type 'Item *'
#0 0x5dcf7c4a0d7d in Item_ref::update_used_tables() /test/10.5_dbg_san/sql/item.cc:10970:6
#1 0x5dcf7b46013c in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join(Item*) /test/10.5_dbg_san/sql/item.h:5308:11
#2 0x5dcf7b46013c in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join(unsigned int, Item**) /test/10.5_dbg_san/sql/item.h:5320:7
#3 0x5dcf7b46013c in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join(Item*) /test/10.5_dbg_san/sql/item.h:5308:11
#4 0x5dcf7b46013c in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join(unsigned int, Item**) /test/10.5_dbg_san/sql/item.h:5320:7
#5 0x5dcf7b46013c in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join(Item*) /test/10.5_dbg_san/sql/item.h:5308:11
#6 0x5dcf7b46013c in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join(unsigned int, Item**) /test/10.5_dbg_san/sql/item.h:5320:7
#7 0x5dcf7b7e9cf4 in make_join_statistics(JOIN, List<TABLE_LIST>&, st_dynamic_array) /test/10.5_dbg_san/sql/sql_select.cc:5557:12
#8 0x5dcf7b7d967f in JOIN::optimize_inner() /test/10.5_dbg_san/sql/sql_select.cc:2419:7
#9 0x5dcf7b7cb08b in JOIN::optimize() /test/10.5_dbg_san/sql/sql_select.cc:1765:10
#10 0x5dcf7b7acf60 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.5_dbg_san/sql/sql_select.cc:4907:19
#11 0x5dcf7b7ac392 in handle_select(THD, LEX, select_result*, unsigned long) /test/10.5_dbg_san/sql/sql_select.cc:449:10
#12 0x5dcf7b6db1f3 in execute_sqlcom_select(THD, TABLE_LIST) /test/10.5_dbg_san/sql/sql_parse.cc:6452:12
#13 0x5dcf7b6c3242 in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:4043:12
#14 0x5dcf7b31fe47 in sp_instr_stmt::exec_core(THD, unsigned int) /test/10.5_dbg_san/sql/sp_head.cc:3854:12
#15 0x5dcf7b318e19 in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /test/10.5_dbg_san/sql/sp_head.cc:3565:17
#16 0x5dcf7b31d5ef in sp_instr_stmt::execute(THD, unsigned int) /test/10.5_dbg_san/sql/sp_head.cc:3757:25
#17 0x5dcf7b2f5e18 in sp_head::execute(THD*, bool) /test/10.5_dbg_san/sql/sp_head.cc:1443:20
#18 0x5dcf7b303011 in sp_head::execute_procedure(THD, List<Item>) /test/10.5_dbg_san/sql/sp_head.cc:2484:5
#19 0x5dcf7b6ac555 in do_execute_sp(THD, sp_head) /test/10.5_dbg_san/sql/sql_parse.cc:3124:16
#20 0x5dcf7b6ab50c in Sql_cmd_call::execute(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:3370:9
#21 0x5dcf7b6b3f3f in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:6194:26
#22 0x5dcf7b693467 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:8252:18
#23 0x5dcf7b6873b9 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:1891:7
#24 0x5dcf7b6955be in do_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:1375:17
#25 0x5dcf7bc9f257 in do_handle_one_connection(CONNECT*, bool) /test/10.5_dbg_san/sql/sql_connect.cc:1386:11
#26 0x5dcf7bc9eb1b in handle_one_connection /test/10.5_dbg_san/sql/sql_connect.cc:1298:5
#27 0x5dcf7b1a803c in asan_thread_start(void*) asan_interceptors.cpp.o
#28 0x7671e629ca93 in start_thread nptl/pthread_create.c:447:8
#29 0x7671e6329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/10.5_dbg_san/sql/item.cc:10970:6

SAN Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.5 dbg 150225 c43d0a015f974c5a0142e6779332089a7a979853 UBSAN\|load of null pointer of type 'Item *'\|sql/item.cc\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join
CS 10.5 opt 150225 c43d0a015f974c5a0142e6779332089a7a979853 UBSAN\|load of null pointer of type 'Item *'\|sql/item.cc\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join
CS 10.6 dbg 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 UBSAN\|load of null pointer of type 'Item *'\|sql/item.cc\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join
CS 10.6 opt 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 UBSAN\|load of null pointer of type 'Item *'\|sql/item.cc\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join
CS 10.11 dbg 150225 43c5d1303f5c7c726db276815c459436110f342f UBSAN\|load of null pointer of type 'Item *'\|sql/item.cc\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join
CS 10.11 opt 150225 43c5d1303f5c7c726db276815c459436110f342f UBSAN\|load of null pointer of type 'Item *'\|sql/item.cc\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join
CS 11.4 dbg 150225 ef966af801afc2a07222b5df65dddd52c77431dd UBSAN\|load of null pointer of type 'Item *'\|sql/item.cc\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join
CS 11.4 opt 150225 ef966af801afc2a07222b5df65dddd52c77431dd UBSAN\|load of null pointer of type 'Item *'\|sql/item.cc\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join
CS 11.8 dbg 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d No bug found
CS 11.8 opt 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d No bug found
CS 12.0 dbg 150225 c92add291e636c797e6d6ddca605905541b2a441 No bug found
CS 12.0 opt 150225 c92add291e636c797e6d6ddca605905541b2a441 No bug found
ES 10.5 dbg 140325 6553c62369ab3606efc74295c902181f793fd6d1 UBSAN\|load of null pointer of type 'Item *'\|sql/item.cc\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join
ES 10.5 opt 140325 6553c62369ab3606efc74295c902181f793fd6d1 UBSAN\|load of null pointer of type 'Item *'\|sql/item.cc\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join
ES 10.6 dbg 140325 a99e9e4101f5d56a379577e6d81c829b7658df99 UBSAN\|load of null pointer of type 'Item *'\|sql/item.cc\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join
ES 10.6 opt 140325 a99e9e4101f5d56a379577e6d81c829b7658df99 UBSAN\|load of null pointer of type 'Item *'\|sql/item.cc\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join
ES 11.4 dbg 140325 26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba UBSAN\|load of null pointer of type 'Item *'\|sql/item.cc\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join
ES 11.4 opt 140325 26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba UBSAN\|load of null pointer of type 'Item *'\|sql/item.cc\|Item_ref::update_used_tables\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join\|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join

Roel Van de Paar added a comment - 2025-04-25 09:20 - edited The same testcase, but using MyISAM, leads to a different SIGSEGV location: CREATE TABLE t (c INT ) ENGINE=MyISAM; CREATE VIEW v as SELECT GROUP_CONCAT( '' , '' ) AS l FROM t; DELIMITER // CREATE PROCEDURE s ( IN i VARCHAR (1)) SELECT * FROM v v WHERE CASE WHEN i THEN v.l LIKE CONCAT ( '' ,i) END ; // DELIMITER ; CALL s(0); Leads to: CS 11.4.6 4a701e8ce4a178faf955641caf59fc13fcc718e9 (Debug) Build 12/04/2025 Core was generated by `/test/MD120425-mariadb-11.4.6-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x000055ab5c12b16e in Item_ref::update_used_tables (this=0x71329405aa98)at /test/11.4_dbg/sql/item.cc:11120 [Current thread is 1 (LWP 589063)] (gdb) bt #0 0x000055ab5c12b16e in Item_ref::update_used_tables (this=0x71329405aa98)at /test/11.4_dbg/sql/item.cc:11120 #1 0x000055ab5bb8c085 in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join (this=0x71329405a0f0, item=0x71329405aa98)at /test/11.4_dbg/sql/item.h:5608 #2 0x000055ab5bb8c042 in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join (this=0x71329405a0f0, argc=1, argv=0x71329405a0d8)at /test/11.4_dbg/sql/item.h:5620 #3 0x000055ab5bb8617d in Item_func::update_used_tables (this=0x71329405a058)at /test/11.4_dbg/sql/item_func.h:220 #4 0x000055ab5c134df0 in Item_direct_ref_to_item::update_used_tables (this=0x71329405f348) at /test/11.4_dbg/sql/item.h:8225 #5 0x000055ab5bb8c085 in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join (this=0x713294035bf0, item=0x71329405f348)at /test/11.4_dbg/sql/item.h:5608 #6 0x000055ab5bb8c042 in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join (this=0x713294035bf0, argc=2, argv=0x713294035bd8)at /test/11.4_dbg/sql/item.h:5620 #7 0x000055ab5bb8617d in Item_func::update_used_tables (this=0x713294035b58)at /test/11.4_dbg/sql/item_func.h:220 #8 0x000055ab5bb8c085 in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join (this=0x713294035df0, item=0x713294035b58)at /test/11.4_dbg/sql/item.h:5608 #9 0x000055ab5bb8c042 in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join (this=0x713294035df0, argc=2, argv=0x713294035dd8)at /test/11.4_dbg/sql/item.h:5620 #10 0x000055ab5bb8617d in Item_func::update_used_tables (this=0x713294035d58)at /test/11.4_dbg/sql/item_func.h:220 #11 0x000055ab5bd536de in make_join_statistics (join=0x713294058fe0, tables_list=@0x713294032dc0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x713294059fa8, last = 0x713294059fa8, elements = 1}, <No data fields>}, keyuse_array=0x713294059340) at /test/11.4_dbg/sql/sql_select.cc:6081 #12 0x000055ab5bd4e74a in JOIN::optimize_inner (this=0x713294058fe0)at /test/11.4_dbg/sql/sql_select.cc:2708 #13 0x000055ab5bd49b28 in JOIN::optimize (this=0x713294058fe0)at /test/11.4_dbg/sql/sql_select.cc:2003 #14 0x000055ab5bd41ac9 in mysql_select (thd=0x713294000d58, tables=0x7132940331e8, fields=@0x713294032e60: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x713294033190, last = 0x713294033190, elements = 1}, <No data fields>}, conds=0x713294035d58, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164526848, result=0x713294058fb8, unit=0x713294033aa0, select_lex=0x713294032ba8)at /test/11.4_dbg/sql/sql_select.cc:5354 #15 0x000055ab5bd41605 in handle_select (thd=0x713294000d58, lex=0x7132940339c0, result=0x713294058fb8, setup_tables_done_option=0)at /test/11.4_dbg/sql/sql_select.cc:642 #16 0x000055ab5bce9651 in execute_sqlcom_select (thd=0x713294000d58, all_tables=0x7132940331e8) at /test/11.4_dbg/sql/sql_parse.cc:6183 #17 0x000055ab5bcde5e0 in mysql_execute_command (thd=0x713294000d58, is_called_from_prepared_stmt=false) at /test/11.4_dbg/sql/sql_parse.cc:3975 #18 0x000055ab5bf8a057 in sp_instr_stmt::exec_core (this=0x7132940366e0, thd=0x713294000d58, nextp=0x7133a5935848)at /test/11.4_dbg/sql/sp_instr.cc:1074 #19 0x000055ab5bf878a6 in sp_lex_keeper::reset_lex_and_exec_core (this=0x713294036718, thd=0x713294000d58, nextp=0x7133a5935848, open_tables=false, instr=0x7132940366e0, rerun_the_same_instr=false)at /test/11.4_dbg/sql/sp_instr.cc:297 #20 0x000055ab5bf8801d in sp_lex_keeper::validate_lex_and_exec_core (this=0x713294036718, thd=0x713294000d58, nextp=0x7133a5935848, open_tables=false, instr=0x7132940366e0)at /test/11.4_dbg/sql/sp_instr.cc:476 #21 0x000055ab5bf89306 in sp_instr_stmt::execute (this=0x7132940366e0, thd=0x713294000d58, nextp=0x7133a5935848)at /test/11.4_dbg/sql/sp_instr.cc:977 #22 0x000055ab5bbcfb49 in sp_head::execute (this=0x713294031a48, thd=0x713294000d58, merge_da_on_success=true)at /test/11.4_dbg/sql/sp_head.cc:1286 #23 0x000055ab5bbd24a2 in sp_head::execute_procedure (this=0x713294031a48, thd=0x713294000d58, args=0x713294005f58)at /test/11.4_dbg/sql/sp_head.cc:2302 #24 0x000055ab5bcdb70d in do_execute_sp (thd=0x713294000d58, sp=0x713294031a48)at /test/11.4_dbg/sql/sql_parse.cc:3082 #25 0x000055ab5bcdb244 in Sql_cmd_call::execute (this=0x713294019b68, thd=0x713294000d58) at /test/11.4_dbg/sql/sql_parse.cc:3305 #26 0x000055ab5bce7482 in mysql_execute_command (thd=0x713294000d58, is_called_from_prepared_stmt=false) at /test/11.4_dbg/sql/sql_parse.cc:5878 #27 0x000055ab5bcd6744 in mysql_parse (thd=0x713294000d58, rawbuf=0x713294019ac0 "CALL s(0)", length=9, parser_state=0x7133a5937a30)at /test/11.4_dbg/sql/sql_parse.cc:7907 #28 0x000055ab5bcd3bf4 in dispatch_command (command=COM_QUERY, thd=0x713294000d58, packet=0x71329400afd9 "CALL s(0)", packet_length=9, blocking=true) at /test/11.4_dbg/sql/sql_parse.cc:1904 #29 0x000055ab5bcd72f3 in do_command (thd=0x713294000d58, blocking=true)at /test/11.4_dbg/sql/sql_parse.cc:1417 #30 0x000055ab5beb9619 in do_handle_one_connection (connect=0x55ab602b5228, put_in_cache=true) at /test/11.4_dbg/sql/sql_connect.cc:1408 #31 0x000055ab5beb93b2 in handle_one_connection (arg=0x55ab60318cd8)at /test/11.4_dbg/sql/sql_connect.cc:1320 #32 0x00007133aaa9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447 #33 0x00007133aab29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 Bug Detection Matrix Rel o/d Build Commit UniqueID observed CS 10.5 dbg 120425 e6ea5d568c0fb972a391a8c64716846ddb7c57ef SIGSEGV|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Item_func::update_used_tables CS 10.5 opt 120425 e6ea5d568c0fb972a391a8c64716846ddb7c57ef SIGSEGV|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Item_func::update_used_tables CS 10.6 dbg 120425 690b2cf776faa2e1a6832077cec2246c86cd00bf SIGSEGV|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Item_func::update_used_tables CS 10.6 opt 120425 690b2cf776faa2e1a6832077cec2246c86cd00bf SIGSEGV|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Item_func::update_used_tables CS 10.11 dbg 120425 acd071f599f416ddb4821dec485c4d912844213f SIGSEGV|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Item_func::update_used_tables CS 10.11 opt 120425 acd071f599f416ddb4821dec485c4d912844213f SIGSEGV|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Item_func::update_used_tables CS 11.4 dbg 120425 4a701e8ce4a178faf955641caf59fc13fcc718e9 SIGSEGV|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Item_func::update_used_tables CS 11.4 opt 120425 4a701e8ce4a178faf955641caf59fc13fcc718e9 SIGSEGV|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Item_func::update_used_tables CS 11.8 dbg 120425 db5bb6f3339be5a49c0f397eb80a0f259f73f447 No bug found CS 11.8 opt 120425 db5bb6f3339be5a49c0f397eb80a0f259f73f447 No bug found CS 12.0 dbg 120425 22efc2c784e1b7199fb5804e6330168277ea7dce No bug found CS 12.0 opt 120425 22efc2c784e1b7199fb5804e6330168277ea7dce No bug found ES 10.5 dbg 210425 0d368ec0042a81d9549fc939fb742f82350b20ab SIGSEGV|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Item_func::update_used_tables ES 10.5 opt 210425 0d368ec0042a81d9549fc939fb742f82350b20ab SIGSEGV|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Item_func::update_used_tables ES 10.6 dbg 210425 74602d1b054ba6c9ee20af79d6e7807440a7a98e SIGSEGV|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Item_func::update_used_tables ES 10.6 opt 210425 74602d1b054ba6c9ee20af79d6e7807440a7a98e SIGSEGV|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Item_func::update_used_tables ES 11.4 dbg 210425 9cd12544ebfd0d52d2158af66b5aced58121cf1f SIGSEGV|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Item_func::update_used_tables ES 11.4 opt 210425 9cd12544ebfd0d52d2158af66b5aced58121cf1f SIGSEGV|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Item_func::update_used_tables MS 5.5 dbg 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found MS 5.5 opt 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found MS 5.6 dbg 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found MS 5.6 opt 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found MS 5.7 dbg 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found MS 5.7 opt 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found MS 8.0 dbg 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found MS 8.0 opt 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found MS 9.1 dbg 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found MS 9.1 opt 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found An on UBASAN builds to: CS 10.5.29 c43d0a015f974c5a0142e6779332089a7a979853 (Debug, UBASAN, Clang) Build 15/02/2025 /test/10.5_dbg_san/sql/item.cc:10970:6: runtime error: load of null pointer of type 'Item *' #0 0x5dcf7c4a0d7d in Item_ref::update_used_tables() /test/10.5_dbg_san/sql/item.cc:10970:6 #1 0x5dcf7b46013c in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join(Item*) /test/10.5_dbg_san/sql/item.h:5308:11 #2 0x5dcf7b46013c in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join(unsigned int, Item**) /test/10.5_dbg_san/sql/item.h:5320:7 #3 0x5dcf7b46013c in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join(Item*) /test/10.5_dbg_san/sql/item.h:5308:11 #4 0x5dcf7b46013c in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join(unsigned int, Item**) /test/10.5_dbg_san/sql/item.h:5320:7 #5 0x5dcf7b46013c in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join(Item*) /test/10.5_dbg_san/sql/item.h:5308:11 #6 0x5dcf7b46013c in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join(unsigned int, Item**) /test/10.5_dbg_san/sql/item.h:5320:7 #7 0x5dcf7b7e9cf4 in make_join_statistics(JOIN*, List<TABLE_LIST>&, st_dynamic_array*) /test/10.5_dbg_san/sql/sql_select.cc:5557:12 #8 0x5dcf7b7d967f in JOIN::optimize_inner() /test/10.5_dbg_san/sql/sql_select.cc:2419:7 #9 0x5dcf7b7cb08b in JOIN::optimize() /test/10.5_dbg_san/sql/sql_select.cc:1765:10 #10 0x5dcf7b7acf60 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.5_dbg_san/sql/sql_select.cc:4907:19 #11 0x5dcf7b7ac392 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.5_dbg_san/sql/sql_select.cc:449:10 #12 0x5dcf7b6db1f3 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/10.5_dbg_san/sql/sql_parse.cc:6452:12 #13 0x5dcf7b6c3242 in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:4043:12 #14 0x5dcf7b31fe47 in sp_instr_stmt::exec_core(THD*, unsigned int*) /test/10.5_dbg_san/sql/sp_head.cc:3854:12 #15 0x5dcf7b318e19 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /test/10.5_dbg_san/sql/sp_head.cc:3565:17 #16 0x5dcf7b31d5ef in sp_instr_stmt::execute(THD*, unsigned int*) /test/10.5_dbg_san/sql/sp_head.cc:3757:25 #17 0x5dcf7b2f5e18 in sp_head::execute(THD*, bool) /test/10.5_dbg_san/sql/sp_head.cc:1443:20 #18 0x5dcf7b303011 in sp_head::execute_procedure(THD*, List<Item>*) /test/10.5_dbg_san/sql/sp_head.cc:2484:5 #19 0x5dcf7b6ac555 in do_execute_sp(THD*, sp_head*) /test/10.5_dbg_san/sql/sql_parse.cc:3124:16 #20 0x5dcf7b6ab50c in Sql_cmd_call::execute(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:3370:9 #21 0x5dcf7b6b3f3f in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:6194:26 #22 0x5dcf7b693467 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:8252:18 #23 0x5dcf7b6873b9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:1891:7 #24 0x5dcf7b6955be in do_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:1375:17 #25 0x5dcf7bc9f257 in do_handle_one_connection(CONNECT*, bool) /test/10.5_dbg_san/sql/sql_connect.cc:1386:11 #26 0x5dcf7bc9eb1b in handle_one_connection /test/10.5_dbg_san/sql/sql_connect.cc:1298:5 #27 0x5dcf7b1a803c in asan_thread_start(void*) asan_interceptors.cpp.o #28 0x7671e629ca93 in start_thread nptl/pthread_create.c:447:8 #29 0x7671e6329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/10.5_dbg_san/sql/item.cc:10970:6 SAN Bug Detection Matrix Rel o/d Build Commit UniqueID observed CS 10.5 dbg 150225 c43d0a015f974c5a0142e6779332089a7a979853 UBSAN|load of null pointer of type 'Item *'|sql/item.cc|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join CS 10.5 opt 150225 c43d0a015f974c5a0142e6779332089a7a979853 UBSAN|load of null pointer of type 'Item *'|sql/item.cc|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join CS 10.6 dbg 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 UBSAN|load of null pointer of type 'Item *'|sql/item.cc|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join CS 10.6 opt 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 UBSAN|load of null pointer of type 'Item *'|sql/item.cc|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join CS 10.11 dbg 150225 43c5d1303f5c7c726db276815c459436110f342f UBSAN|load of null pointer of type 'Item *'|sql/item.cc|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join CS 10.11 opt 150225 43c5d1303f5c7c726db276815c459436110f342f UBSAN|load of null pointer of type 'Item *'|sql/item.cc|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join CS 11.4 dbg 150225 ef966af801afc2a07222b5df65dddd52c77431dd UBSAN|load of null pointer of type 'Item *'|sql/item.cc|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join CS 11.4 opt 150225 ef966af801afc2a07222b5df65dddd52c77431dd UBSAN|load of null pointer of type 'Item *'|sql/item.cc|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join CS 11.8 dbg 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d No bug found CS 11.8 opt 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d No bug found CS 12.0 dbg 150225 c92add291e636c797e6d6ddca605905541b2a441 No bug found CS 12.0 opt 150225 c92add291e636c797e6d6ddca605905541b2a441 No bug found ES 10.5 dbg 140325 6553c62369ab3606efc74295c902181f793fd6d1 UBSAN|load of null pointer of type 'Item *'|sql/item.cc|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join ES 10.5 opt 140325 6553c62369ab3606efc74295c902181f793fd6d1 UBSAN|load of null pointer of type 'Item *'|sql/item.cc|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join ES 10.6 dbg 140325 a99e9e4101f5d56a379577e6d81c829b7658df99 UBSAN|load of null pointer of type 'Item *'|sql/item.cc|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join ES 10.6 opt 140325 a99e9e4101f5d56a379577e6d81c829b7658df99 UBSAN|load of null pointer of type 'Item *'|sql/item.cc|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join ES 11.4 dbg 140325 26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba UBSAN|load of null pointer of type 'Item *'|sql/item.cc|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join ES 11.4 opt 140325 26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba UBSAN|load of null pointer of type 'Item *'|sql/item.cc|Item_ref::update_used_tables|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join|Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join

Roel Van de Paar added a comment - 2025-04-25 09:40

Finally, a testcase without any table:

CREATE VIEW v AS SELECT GROUP_CONCAT('', '') AS l FROM (SELECT 1) AS a;

DELIMITER //

CREATE PROCEDURE s (IN i VARCHAR(1)) SELECT * FROM v v WHERE CASE WHEN i THEN v.l LIKE CONCAT ('',i) END; //

DELIMITER ;

CALL s(0);

Produces the same crash as when using a MyISAM table.

Roel Van de Paar added a comment - 2025-04-25 09:40 Finally, a testcase without any table: CREATE VIEW v AS SELECT GROUP_CONCAT( '' , '' ) AS l FROM ( SELECT 1) AS a; DELIMITER // CREATE PROCEDURE s ( IN i VARCHAR (1)) SELECT * FROM v v WHERE CASE WHEN i THEN v.l LIKE CONCAT ( '' ,i) END ; // DELIMITER ; CALL s(0); Produces the same crash as when using a MyISAM table.

People

Assignee:: Dmitry Shulga

Reporter:: Andrea Ponzo

Votes:: 2 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 3 days ago 13:56

Updated:: Yesterday 09:46

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

Filters

Favourite Filters

Export - CSV (All fields)

Export - CSV (Current fields)

Search

Various crashes upon stored procedure querying view with concat/group_concat

Details

Description

Attachments

Attachments

Activity

People

Dates

Git Integration