[MDEV-10705] Assertion `n < m_size' failed in Element_type& Bounds_checked_array<Element_type>::operator[](size_t) [with Element_type = Item*; size_t = long unsigned int] Created: 2016-08-30  Updated: 2018-04-18  Resolved: 2017-01-09

Status: Closed
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 5.5, 10.0, 10.1, 10.2
Fix Version/s: 5.5.55, 10.0.29, 10.1.21, 10.2.4

Type: Bug Priority: Critical
Reporter: Elena Stepanova Assignee: Igor Babaev
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-15902 Assertion `n < m_size' failed, sql_ar... Closed

Description

SELECT 1 UNION ( SELECT 2 ORDER BY NULL, @a := 3 );

Version: '10.2.2-MariaDB-debug'  socket: '/data/bld/10.2/data/tmp/mysql.sock'  port: 3306  Source distribution
mysqld: /data/src/10.2/sql/sql_array.h:64: Element_type& Bounds_checked_array<Element_type>::operator[](size_t) [with Element_type = Item*; size_t = long unsigned int]: Assertion `n < m_size' failed.
160830 23:23:50 [ERROR] mysqld got signal 6 ;

#7  0x00007f1a55925312 in __GI___assert_fail (assertion=0x7f1a58a7c157 "n < m_size", file=0x7f1a58a7c138 "/data/src/10.2/sql/sql_array.h", line=64, function=0x7f1a58a7d900 <Bounds_checked_array<Item*>::operator[](unsigned long)::__PRETTY_FUNCTION__> "Element_type& Bounds_checked_array<Element_type>::operator[](size_t) [with Element_type = Item*; size_t = long unsigned int]") at assert.c:101
#8  0x00007f1a5810d673 in Bounds_checked_array<Item*>::operator[] (this=0x7f1a590b68f0, n=2) at /data/src/10.2/sql/sql_array.h:64
#9  0x00007f1a581d57e0 in find_order_in_list (thd=0x7f1a284bb070, ref_pointer_array=..., tables=0x0, order=0x7f1a28512fe0, fields=..., all_fields=..., is_group_field=false, search_in_all_fields=true) at /data/src/10.2/sql/sql_select.cc:22030
#10 0x00007f1a581d58d8 in setup_order (thd=0x7f1a284bb070, ref_pointer_array=..., tables=0x0, fields=..., all_fields=..., order=0x7f1a28512fe0, search_in_all_fields=true) at /data/src/10.2/sql/sql_select.cc:22062
#11 0x00007f1a5819ef5e in JOIN::prepare (this=0x7f1a28513808, tables_init=0x0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=true, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f1a28512210, unit_arg=0x7f1a284beac8) at /data/src/10.2/sql/sql_select.cc:823
#12 0x00007f1a5823b2c5 in st_select_lex_unit::prepare (this=0x7f1a284beac8, thd_arg=0x7f1a284bb070, sel_result=0x7f1a285130c8, additional_options=268435456) at /data/src/10.2/sql/sql_union.cc:452
#13 0x00007f1a58239f42 in mysql_union (thd=0x7f1a284bb070, lex=0x7f1a284bea00, result=0x7f1a285130c8, unit=0x7f1a284beac8, setup_tables_done_option=0) at /data/src/10.2/sql/sql_union.cc:37
#14 0x00007f1a5819daa5 in handle_select (thd=0x7f1a284bb070, lex=0x7f1a284bea00, result=0x7f1a285130c8, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:355
#15 0x00007f1a5816d8a3 in execute_sqlcom_select (thd=0x7f1a284bb070, all_tables=0x0) at /data/src/10.2/sql/sql_parse.cc:6310
#16 0x00007f1a581636df in mysql_execute_command (thd=0x7f1a284bb070) at /data/src/10.2/sql/sql_parse.cc:3353
#17 0x00007f1a5817105d in mysql_parse (thd=0x7f1a284bb070, rawbuf=0x7f1a28512088 "SELECT 1 UNION ( SELECT 2 ORDER BY NULL, @a := 3 )", length=50, parser_state=0x7f1a590b7e30, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7742
#18 0x00007f1a5815f4c9 in dispatch_command (command=COM_QUERY, thd=0x7f1a284bb070, packet=0x7f1a284dc071 "SELECT 1 UNION ( SELECT 2 ORDER BY NULL, @a := 3 )", packet_length=50, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1790
#19 0x00007f1a5815df35 in do_command (thd=0x7f1a284bb070) at /data/src/10.2/sql/sql_parse.cc:1353
#20 0x00007f1a582969ea in do_handle_one_connection (connect=0x7f1a5505cad0) at /data/src/10.2/sql/sql_connect.cc:1354
#21 0x00007f1a58296777 in handle_one_connection (arg=0x7f1a5505cad0) at /data/src/10.2/sql/sql_connect.cc:1260
#22 0x00007f1a578270a4 in start_thread (arg=0x7f1a590b9300) at pthread_create.c:309
#23 0x00007f1a559df87d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111



Comments
Comment by Alexander Barkov [ 2016-12-26 ]

The problem was introduced by this change:

commit 2cfc450bf78c2d951729d1a0e8f731c0d987b1d5
Author: Igor Babaev <igor@askmonty.org>
Date:   Tue Feb 9 12:35:59 2016 -0800

Comment by Igor Babaev [ 2016-12-28 ]

The problem with the submitted test case really appeared with my merge from the mysql code. Yet the bug itself existed before this merge. Here's what we have for 10.0 and most probably for the earlier versions:

MariaDB [test]> SELECT 1 UNION
( SELECT 2 ORDER BY NULL, @a0 := 3, @a1 := 3, @a2 := 3,
@a3 := 3, @a4 := 3, @a5 := 3, @a6 := 3, @a7 := 3, @a8 := 3,
@a9 := 3, @a10 := 3 );
ERROR 2006 (HY000): MySQL server has gone away

With this test case we have on the server side:

Version: '10.0.29-MariaDB-debug' socket: '/tmp/mysql.sock' port: 3306 Source distribution
[New Thread 0x7ffff7f8b710 (LWP 10381)]
mysqld: /home/igor/maria-git/10.0/sql/sql_select.cc:21483: bool find_order_in_list(THD*, Item*, TABLE_LIST, ORDER*, List<Item>&, List<Item>&, bool): Assertion `all_fields.elements <= thd->lex->current_select->ref_pointer_array_size' failed.

Thread 27 "mysqld" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff7f8b710 (LWP 10381)]
0x00007ffff62b39e5 in raise () from /lib64/libc.so.6
Comment by Igor Babaev [ 2016-12-29 ]

This bug was introduced by the fix for bug mdev-5104 (in the commit 883af99e7dac91e3f258135a2053e6b8e3c05fc3).
The fix was applied to mariadb-5.3.
So this bug MDEV-10705 is present in the current 5.3/5.5 as well.

Comment by Igor Babaev [ 2017-01-09 ]

The fix for this bug was pushed into the 5.5 tree (actually this is a 5.3 bug).

Generated at Thu Feb 08 07:44:18 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.