[MDEV-22786] Crashes with nested table value constructors Created: 2020-06-03  Updated: 2021-03-09  Resolved: 2021-03-04

Status: Closed
Project: MariaDB Server
Component/s: Parser
Affects Version/s: 10.3, 10.4, 10.5, 10.6
Fix Version/s: 10.3.29, 10.4.19, 10.5.10

Type: Bug Priority: Critical
Reporter: Alexander Barkov Assignee: Igor Babaev
Resolution: Fixed Votes: 1
Labels: not-10.1, not-10.2

Issue Links:
Relates
relates to MDEV-21995 Server crashes in Item_field::real_ty... Closed
relates to MDEV-24618 Assertion failure when TVC uses a row... Closed
relates to MDEV-24675 Server crash when table value constru... Closed

Description

This statement:

VALUES ((VALUES(1)));

crashes the server with the following stack trace:

#0  Item_field::type_handler (this=0x7fff60015588)
    at /home/bar/maria-git/server.10.3/sql/item.h:3068
#1  0x0000000000b5a541 in subselect_engine::set_row (this=0x7fff60014ac8, item_list=..., 
    row=0x7fff60014a88) at /home/bar/maria-git/server.10.3/sql/item_subselect.cc:3749
#2  0x0000000000b5a711 in subselect_single_select_engine::fix_length_and_dec (
    this=0x7fff60014ac8, row=0x7fff60014a88)
    at /home/bar/maria-git/server.10.3/sql/item_subselect.cc:3766
#3  0x0000000000b4fdae in Item_singlerow_subselect::fix_length_and_dec (
    this=0x7fff60014940) at /home/bar/maria-git/server.10.3/sql/item_subselect.cc:1208
#4  0x0000000000b4d62e in Item_subselect::fix_fields (this=0x7fff60014940, 
    thd_param=0x7fff60000d90, ref=0x0)
    at /home/bar/maria-git/server.10.3/sql/item_subselect.cc:316
#5  0x000000000067d13e in Item::fix_fields_if_needed (this=0x7fff60014940, 
    thd=0x7fff60000d90, ref=0x0) at /home/bar/maria-git/server.10.3/sql/item.h:825
#6  0x0000000000984e47 in fix_fields_for_tvc (thd=0x7fff60000d90, li=...)
    at /home/bar/maria-git/server.10.3/sql/sql_tvc.cc:62
#7  0x00000000009854c1 in table_value_constr::prepare (this=0x7fff600144e0, 
    thd=0x7fff60000d90, sl=0x7fff60013870, tmp_result=0x7fff60016b18, 
    unit_arg=0x7fff600156a8) at /home/bar/maria-git/server.10.3/sql/sql_tvc.cc:238
#8  0x000000000086d430 in st_select_lex_unit::prepare (this=0x7fff600156a8, 
    derived_arg=0x7fff60015e60, sel_result=0x7fff60016a30, additional_options=0)
    at /home/bar/maria-git/server.10.3/sql/sql_union.cc:1018
#9  0x000000000072c701 in mysql_derived_prepare (thd=0x7fff60000d90, lex=0x7fff60004b98, 
    derived=0x7fff60015e60) at /home/bar/maria-git/server.10.3/sql/sql_derived.cc:770
#10 0x000000000072b2c3 in mysql_handle_single_derived (lex=0x7fff60004b98, 
    derived=0x7fff60015e60, phases=2)
    at /home/bar/maria-git/server.10.3/sql/sql_derived.cc:199
#11 0x000000000089b868 in TABLE_LIST::handle_derived (this=0x7fff60015e60, 
    lex=0x7fff60004b98, phases=2) at /home/bar/maria-git/server.10.3/sql/table.cc:8292
#12 0x00000000007447c8 in LEX::handle_list_of_derived (this=0x7fff60004b98, 
    table_list=0x7fff60015e60, phases=2)
    at /home/bar/maria-git/server.10.3/sql/sql_lex.h:3997
#13 0x0000000000750912 in st_select_lex::handle_derived (this=0x7fff60015170, 
    lex=0x7fff60004b98, phases=2) at /home/bar/maria-git/server.10.3/sql/sql_lex.cc:4143
#14 0x00000000007bb4ee in JOIN::prepare (this=0x7fff600164c8, tables_init=0x7fff60015e60, 
    wild_num=1, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, 
    group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fff60015170, 
    unit_arg=0x7fff60013c88) at /home/bar/maria-git/server.10.3/sql/sql_select.cc:1036
#15 0x0000000000b5a37f in subselect_single_select_engine::prepare (this=0x7fff60014ac8, 
    thd=0x7fff60000d90) at /home/bar/maria-git/server.10.3/sql/item_subselect.cc:3686
#16 0x0000000000b4d422 in Item_subselect::fix_fields (this=0x7fff60014940, 
    thd_param=0x7fff60000d90, ref=0x0)

Comments
Comment by Roel Van de Paar [ 2020-09-04 ]

The issue also affects optimized builds

VALUES ((VALUES(1)));

Leads to:

10.5.6 1c587481966abc7a9ad5309d0a91ca920f7a5657 (Debug)

Core was generated by `/test/MD110820-mariadb-10.5.6-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x1536e9e71700 (LWP 1878992))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x00005640b83d1b86 in my_write_core (sig=sig@entry=11) at /test/10.5_dbg/mysys/stacktrace.c:519
#2  0x00005640b7b88d7b in handle_fatal_signal (sig=11) at /test/10.5_dbg/sql/signal_handler.cc:330
#3  <signal handler called>
#4  0x00005640b7bc3acf in Item_field::type_handler (this=<optimized out>) at /test/10.5_dbg/sql/item.h:3450
#5  0x00005640b7c7c4bc in subselect_engine::set_row (this=this@entry=0x1536c5875660, item_list=@0x1536c5876260: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1536c5876b10, last = 0x1536c5876b10, elements = 1}, <No data fields>}, row=row@entry=0x1536c5875620) at /test/10.5_dbg/sql/item_subselect.cc:3837
#6  0x00005640b7c7c5aa in subselect_single_select_engine::fix_length_and_dec (this=0x1536c5875660, row=0x1536c5875620) at /test/10.5_dbg/sql/item_subselect.cc:3854
#7  0x00005640b7c75f4e in Item_singlerow_subselect::fix_length_and_dec (this=0x1536c58754b8) at /test/10.5_dbg/sql/item_subselect.cc:1254
#8  0x00005640b7c7a774 in Item_subselect::fix_fields (this=0x1536c58754b8, thd_param=<optimized out>, ref=0x0) at /test/10.5_dbg/sql/item_subselect.cc:325
#9  0x00005640b7ae1d29 in Item::fix_fields_if_needed (ref=0x0, thd=0x1536c5815088, this=0x1536c58754b8) at /test/10.5_dbg/sql/item.h:982
#10 fix_fields_for_tvc (thd=thd@entry=0x1536c5815088, li=@0x1536e9e6dee0: {<base_list_iterator> = {list = 0x1536c5874c68, el = 0x1536c5874c50, prev = 0x0, current = 0x0}, <No data fields>}) at /test/10.5_dbg/sql/sql_tvc.cc:92
#11 0x00005640b7ae2221 in table_value_constr::prepare (this=0x1536c5874c60, thd=0x1536c5815088, sl=sl@entry=0x1536c5874718, tmp_result=tmp_result@entry=0x1536c5878088, unit_arg=unit_arg@entry=0x1536c5876b20) at /test/10.5_dbg/sql/sql_tvc.cc:268
#12 0x00005640b79c94eb in st_select_lex_unit::prepare (this=this@entry=0x1536c5876b20, derived_arg=derived_arg@entry=0x1536c5877350, sel_result=<optimized out>, additional_options=additional_options@entry=0) at /test/10.5_dbg/sql/sql_union.cc:1563
#13 0x00005640b788fac6 in mysql_derived_prepare (thd=0x1536c5815088, lex=0x1536c5818fd8, derived=0x1536c5877350) at /test/10.5_dbg/sql/sql_derived.cc:816
#14 0x00005640b788df3d in mysql_handle_single_derived (lex=lex@entry=0x1536c5818fd8, derived=derived@entry=0x1536c5877350, phases=phases@entry=2) at /test/10.5_dbg/sql/sql_derived.cc:206
#15 0x00005640b79ed275 in TABLE_LIST::handle_derived (this=this@entry=0x1536c5877350, lex=lex@entry=0x1536c5818fd8, phases=phases@entry=2) at /test/10.5_dbg/sql/table.cc:9095
#16 0x00005640b78b09e3 in LEX::handle_list_of_derived (phases=2, table_list=<optimized out>, this=0x1536c5818fd8) at /test/10.5_dbg/sql/sql_lex.h:4424
#17 st_select_lex::handle_derived (this=<optimized out>, lex=0x1536c5818fd8, phases=phases@entry=2) at /test/10.5_dbg/sql/sql_lex.cc:4866
#18 0x00005640b794b6b2 in JOIN::prepare (this=0x1536c5877a30, tables_init=<optimized out>, conds_init=<optimized out>, og_num=0, order_init=0x0, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x1536c5876110, unit_arg=0x1536c5874cb8) at /test/10.5_dbg/sql/sql_select.cc:1149
#19 0x00005640b7c7b3b3 in subselect_single_select_engine::prepare (this=0x1536c5875660, thd=0x1536c5815088) at /test/10.5_dbg/sql/item_subselect.cc:3775
#20 0x00005640b7c7a507 in Item_subselect::fix_fields (this=0x1536c58754b8, thd_param=<optimized out>, ref=0x0) at /test/10.5_dbg/sql/item_subselect.cc:285
#21 0x00005640b7ae1d29 in Item::fix_fields_if_needed (ref=0x0, thd=0x1536c5815088, this=0x1536c58754b8) at /test/10.5_dbg/sql/item.h:982
#22 fix_fields_for_tvc (thd=thd@entry=0x1536c5815088, li=@0x1536e9e6f4c0: {<base_list_iterator> = {list = 0x1536c58756d8, el = 0x1536c58756c0, prev = 0x0, current = 0x0}, <No data fields>}) at /test/10.5_dbg/sql/sql_tvc.cc:92
#23 0x00005640b7ae2221 in table_value_constr::prepare (this=0x1536c58756d0, thd=0x1536c5815088, sl=sl@entry=0x1536c5874290, tmp_result=tmp_result@entry=0x1536c5875ff8, unit_arg=unit_arg@entry=0x1536c58190a0) at /test/10.5_dbg/sql/sql_tvc.cc:268
#24 0x00005640b79c94eb in st_select_lex_unit::prepare (this=this@entry=0x1536c58190a0, derived_arg=0x0, sel_result=sel_result@entry=0x1536c5875fd0, additional_options=additional_options@entry=2199023255552) at /test/10.5_dbg/sql/sql_union.cc:1563
#25 0x00005640b79cb09b in mysql_union (thd=thd@entry=0x1536c5815088, lex=lex@entry=0x1536c5818fd8, result=result@entry=0x1536c5875fd0, unit=unit@entry=0x1536c58190a0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_union.cc:39
#26 0x00005640b79596b6 in handle_select (thd=thd@entry=0x1536c5815088, lex=lex@entry=0x1536c5818fd8, result=result@entry=0x1536c5875fd0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_select.cc:407
#27 0x00005640b78e1d72 in execute_sqlcom_select (thd=thd@entry=0x1536c5815088, all_tables=0x0) at /test/10.5_dbg/sql/sql_parse.cc:6210
#28 0x00005640b78dae46 in mysql_execute_command (thd=thd@entry=0x1536c5815088) at /test/10.5_dbg/sql/sql_parse.cc:3932
#29 0x00005640b78e7d4e in mysql_parse (thd=thd@entry=0x1536c5815088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1536e9e70350, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7994
#30 0x00005640b78d477e in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1536c5815088, packet=packet@entry=0x1536c5867089 "VALUES ((VALUES(1)))", packet_length=packet_length@entry=20, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1867
#31 0x00005640b78d2f58 in do_command (thd=0x1536c5815088) at /test/10.5_dbg/sql/sql_parse.cc:1348
#32 0x00005640b7a2fbc9 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x1536c8cd0808, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1410
#33 0x00005640b7a302e5 in handle_one_connection (arg=arg@entry=0x1536c8cd0808) at /test/10.5_dbg/sql/sql_connect.cc:1312
#34 0x00005640b7e96572 in pfs_spawn_thread (arg=0x1536e6c46508) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#35 0x00001536e8dea6db in start_thread (arg=0x1536e9e71700) at pthread_create.c:463
#36 0x00001536e81e8a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.6.0 9118fd360a3da0bba521caf2a35c424968235ac4 (Debug)

Core was generated by `/test/MD010121-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x14641c6a2700 (LWP 911091))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x000055dba7baf0d7 in my_write_core (sig=sig@entry=11) at /test/10.6_dbg/mysys/stacktrace.c:424
#2  0x000055dba7343ab1 in handle_fatal_signal (sig=11) at /test/10.6_dbg/sql/signal_handler.cc:330
#3  <signal handler called>
#4  0x000055dba738408d in Item_field::type_handler (this=<optimized out>) at /test/10.6_dbg/sql/item.h:3458
#5  0x000055dba745b2ec in subselect_engine::set_row (this=this@entry=0x1463d8013c70, item_list=@0x1463d8014870: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1463d8015110, last = 0x1463d8015110, elements = 1}, <No data fields>}, row=row@entry=0x1463d8013c30) at /test/10.6_dbg/sql/item_subselect.cc:3838
#6  0x000055dba745b3de in subselect_single_select_engine::fix_length_and_dec (this=0x1463d8013c70, row=0x1463d8013c30) at /test/10.6_dbg/sql/item_subselect.cc:3855
#7  0x000055dba745100a in Item_singlerow_subselect::fix_length_and_dec (this=0x1463d8013ac8) at /test/10.6_dbg/sql/item_subselect.cc:1254
#8  0x000055dba7456a82 in Item_subselect::fix_fields (this=0x1463d8013ac8, thd_param=<optimized out>, ref=0x0) at /test/10.6_dbg/sql/item_subselect.cc:325
#9  0x000055dba7299170 in Item::fix_fields_if_needed (ref=0x0, thd=0x1463d8000db8, this=0x1463d8013ac8) at /test/10.6_dbg/sql/sql_list.h:443
#10 fix_fields_for_tvc (thd=thd@entry=0x1463d8000db8, li=@0x14641c69f1a0: {<base_list_iterator> = {list = 0x1463d8013278, el = 0x1463d8013260, prev = 0x0, current = 0x0}, <No data fields>}) at /test/10.6_dbg/sql/sql_tvc.cc:93
#11 0x000055dba7299685 in table_value_constr::prepare (this=0x1463d8013270, thd=0x1463d8000db8, sl=sl@entry=0x1463d8012d30, tmp_result=tmp_result@entry=0x1463d8016688, unit_arg=unit_arg@entry=0x1463d8015120) at /test/10.6_dbg/sql/sql_tvc.cc:269
#12 0x000055dba71703b0 in st_select_lex_unit::prepare (this=this@entry=0x1463d8015120, derived_arg=derived_arg@entry=0x1463d8015950, sel_result=<optimized out>, additional_options=additional_options@entry=0) at /test/10.6_dbg/sql/sql_union.cc:1567
#13 0x000055dba7022be8 in mysql_derived_prepare (thd=0x1463d8000db8, lex=0x1463d8004eb8, derived=0x1463d8015950) at /test/10.6_dbg/sql/sql_derived.cc:816
#14 0x000055dba7020f0c in mysql_handle_single_derived (lex=lex@entry=0x1463d8004eb8, derived=derived@entry=0x1463d8015950, phases=phases@entry=2) at /test/10.6_dbg/sql/sql_derived.cc:206
#15 0x000055dba719539b in TABLE_LIST::handle_derived (this=this@entry=0x1463d8015950, lex=lex@entry=0x1463d8004eb8, phases=phases@entry=2) at /test/10.6_dbg/sql/table.cc:9120
#16 0x000055dba70455c5 in LEX::handle_list_of_derived (phases=2, table_list=<optimized out>, this=0x1463d8004eb8) at /test/10.6_dbg/sql/table.h:2704
#17 st_select_lex::handle_derived (this=<optimized out>, lex=0x1463d8004eb8, phases=phases@entry=2) at /test/10.6_dbg/sql/sql_lex.cc:4911
#18 0x000055dba70e5f55 in JOIN::prepare (this=0x1463d8016030, tables_init=<optimized out>, conds_init=<optimized out>, og_num=0, order_init=0x0, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x1463d8014720, unit_arg=0x1463d80132c8) at /test/10.6_dbg/sql/sql_select.cc:1158
#19 0x000055dba74578e8 in subselect_single_select_engine::prepare (this=0x1463d8013c70, thd=0x1463d8000db8) at /test/10.6_dbg/sql/sql_lex.h:1350
#20 0x000055dba7456a35 in Item_subselect::fix_fields (this=0x1463d8013ac8, thd_param=<optimized out>, ref=0x0) at /test/10.6_dbg/sql/item_subselect.cc:285
#21 0x000055dba7299170 in Item::fix_fields_if_needed (ref=0x0, thd=0x1463d8000db8, this=0x1463d8013ac8) at /test/10.6_dbg/sql/sql_list.h:443
#22 fix_fields_for_tvc (thd=thd@entry=0x1463d8000db8, li=@0x14641c6a0740: {<base_list_iterator> = {list = 0x1463d8013ce8, el = 0x1463d8013cd0, prev = 0x0, current = 0x0}, <No data fields>}) at /test/10.6_dbg/sql/sql_tvc.cc:93
#23 0x000055dba7299685 in table_value_constr::prepare (this=0x1463d8013ce0, thd=0x1463d8000db8, sl=sl@entry=0x1463d80128b0, tmp_result=tmp_result@entry=0x1463d8014608, unit_arg=unit_arg@entry=0x1463d8004f80) at /test/10.6_dbg/sql/sql_tvc.cc:269
#24 0x000055dba71703b0 in st_select_lex_unit::prepare (this=this@entry=0x1463d8004f80, derived_arg=0x0, sel_result=sel_result@entry=0x1463d80145e0, additional_options=additional_options@entry=2199023255552) at /test/10.6_dbg/sql/sql_union.cc:1567
#25 0x000055dba7171fde in mysql_union (thd=thd@entry=0x1463d8000db8, lex=lex@entry=0x1463d8004eb8, result=result@entry=0x1463d80145e0, unit=unit@entry=0x1463d8004f80, setup_tables_done_option=<optimized out>, setup_tables_done_option@entry=0) at /test/10.6_dbg/sql/sql_union.cc:39
#26 0x000055dba70ffc0e in handle_select (thd=thd@entry=0x1463d8000db8, lex=lex@entry=0x1463d8004eb8, result=result@entry=0x1463d80145e0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.6_dbg/sql/sql_select.cc:407
#27 0x000055dba707219d in execute_sqlcom_select (thd=thd@entry=0x1463d8000db8, all_tables=0x0) at /test/10.6_dbg/sql/sql_parse.cc:6116
#28 0x000055dba707ec7c in mysql_execute_command (thd=thd@entry=0x1463d8000db8) at /test/10.6_dbg/sql/sql_parse.cc:3820
#29 0x000055dba706b072 in mysql_parse (thd=thd@entry=0x1463d8000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14641c6a13d0) at /test/10.6_dbg/sql/sql_parse.cc:7881
#30 0x000055dba70791ec in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1463d8000db8, packet=packet@entry=0x1463d8008d39 "VALUES ((VALUES(1)))", packet_length=packet_length@entry=20) at /test/10.6_dbg/sql/sql_class.h:1293
#31 0x000055dba707c52d in do_command (thd=0x1463d8000db8) at /test/10.6_dbg/sql/sql_parse.cc:1348
#32 0x000055dba71d87fc in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55dbaaa03458, put_in_cache=put_in_cache@entry=true) at /test/10.6_dbg/sql/sql_connect.cc:1410
#33 0x000055dba71d8f03 in handle_one_connection (arg=arg@entry=0x55dbaaa03458) at /test/10.6_dbg/sql/sql_connect.cc:1312
#34 0x000055dba768e88f in pfs_spawn_thread (arg=0x55dbaa94f8b8) at /test/10.6_dbg/storage/perfschema/pfs.cc:2201
#35 0x000014641f76e609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#36 0x000014641f35d293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.28 (dbg), 10.3.28 (opt), 10.4.18 (dbg), 10.4.18 (opt), 10.5.9 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.37 (dbg), 10.2.37 (opt), 10.5.9 (dbg)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.50 (dbg), 5.6.50 (opt), 5.7.32 (dbg), 5.7.32 (opt), 8.0.22 (dbg), 8.0.22 (opt)

Comment by Roel Van de Paar [ 2020-09-04 ]

10.2.34 (Optimized)

10.2.34>VALUES ((VALUES(1)));
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'VALUES ((VALUES(1)))' at line 1

Comment by Alice Sherepa [ 2020-12-09 ]

probably the same problem:

VALUES ((select 1));

10.3 bc2dc83cb56851144a8

201209 15:26:43 [ERROR] mysqld got signal 11 ;
 
/lib/x86_64-linux-gnu/libpthread.so.0(+0x12730)[0x7fa992383730]
sql/item_subselect.cc:294(Item_subselect::fix_fields(THD*, Item**))[0x562111632b53]
sql/item.h:830(Item::fix_fields_if_needed(THD*, Item**))[0x5621109eac4f]
sql/sql_tvc.cc:62(fix_fields_for_tvc(THD*, List_iterator_fast<List<Item> >&))[0x5621111eaf94]
sql/sql_tvc.cc:238(table_value_constr::prepare(THD*, st_select_lex*, select_result*, st_select_lex_unit*))[0x5621111ec0a9]
sql/sql_union.cc:1038(st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long))[0x562110f1ea5f]
sql/sql_union.cc:39(mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long))[0x562110f148df]
sql/sql_select.cc:360(handle_select(THD*, LEX*, select_result*, unsigned long))[0x562110d169a5]
sql/sql_parse.cc:6316(execute_sqlcom_select(THD*, TABLE_LIST*))[0x562110c8316a]
sql/sql_parse.cc:3847(mysql_execute_command(THD*))[0x562110c70caa]
sql/sql_parse.cc:7837(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x562110c8d219]
sql/sql_parse.cc:1855(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x562110c63936]
sql/sql_parse.cc:1398(do_command(THD*))[0x562110c60071]
sql/sql_connect.cc:1403(do_handle_one_connection(CONNECT*))[0x562111050367]
sql/sql_connect.cc:1309(handle_one_connection)[0x56211104fc1f]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x5621127b31d3]
nptl/pthread_create.c:487(start_thread)[0x7fa992378fa3]
x86_64/clone.S:97(clone)[0x7fa991cfc4cf]
 
Query (0x62b000000410): VALUES ((select 1))

Comment by Roel Van de Paar [ 2021-01-22 ]

Testcase by Alice against all versions. Note the stack is quite different.

VALUES ((SELECT 1));

Leads to:

10.6.0 9118fd360a3da0bba521caf2a35c424968235ac4 (Debug)

Core was generated by `/test/MD010121-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x151cd4c38700 (LWP 877639))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x000055cb56dd70d7 in my_write_core (sig=sig@entry=11) at /test/10.6_dbg/mysys/stacktrace.c:424
#2  0x000055cb5656bab1 in handle_fatal_signal (sig=11) at /test/10.6_dbg/sql/signal_handler.cc:330
#3  <signal handler called>
#4  0x000055cb5667ebac in Item_subselect::fix_fields (this=0x151c98013a58, thd_param=<optimized out>, ref=0x0) at /test/10.6_dbg/sql/item_subselect.cc:303
#5  0x000055cb564c1170 in Item::fix_fields_if_needed (ref=0x0, thd=0x151c98000db8, this=0x151c98013a58) at /test/10.6_dbg/sql/sql_list.h:443
#6  fix_fields_for_tvc (thd=thd@entry=0x151c98000db8, li=@0x151cd4c36740: {<base_list_iterator> = {list = 0x151c98013c78, el = 0x151c98013c60, prev = 0x0, current = 0x0}, <No data fields>}) at /test/10.6_dbg/sql/sql_tvc.cc:93
#7  0x000055cb564c1685 in table_value_constr::prepare (this=0x151c98013c70, thd=0x151c98000db8, sl=sl@entry=0x151c980128b0, tmp_result=tmp_result@entry=0x151c98014598, unit_arg=unit_arg@entry=0x151c98004f80) at /test/10.6_dbg/sql/sql_tvc.cc:269
#8  0x000055cb563983b0 in st_select_lex_unit::prepare (this=this@entry=0x151c98004f80, derived_arg=0x0, sel_result=sel_result@entry=0x151c98014570, additional_options=additional_options@entry=2199023255552) at /test/10.6_dbg/sql/sql_union.cc:1567
#9  0x000055cb56399fde in mysql_union (thd=thd@entry=0x151c98000db8, lex=lex@entry=0x151c98004eb8, result=result@entry=0x151c98014570, unit=unit@entry=0x151c98004f80, setup_tables_done_option=<optimized out>, setup_tables_done_option@entry=0) at /test/10.6_dbg/sql/sql_union.cc:39
#10 0x000055cb56327c0e in handle_select (thd=thd@entry=0x151c98000db8, lex=lex@entry=0x151c98004eb8, result=result@entry=0x151c98014570, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.6_dbg/sql/sql_select.cc:407
#11 0x000055cb5629a19d in execute_sqlcom_select (thd=thd@entry=0x151c98000db8, all_tables=0x0) at /test/10.6_dbg/sql/sql_parse.cc:6116
#12 0x000055cb562a6c7c in mysql_execute_command (thd=thd@entry=0x151c98000db8) at /test/10.6_dbg/sql/sql_parse.cc:3820
#13 0x000055cb56293072 in mysql_parse (thd=thd@entry=0x151c98000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x151cd4c373d0) at /test/10.6_dbg/sql/sql_parse.cc:7881
#14 0x000055cb562a11ec in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x151c98000db8, packet=packet@entry=0x151c98008d39 "VALUES ((SELECT 1))", packet_length=packet_length@entry=19) at /test/10.6_dbg/sql/sql_class.h:1293
#15 0x000055cb562a452d in do_command (thd=0x151c98000db8) at /test/10.6_dbg/sql/sql_parse.cc:1348
#16 0x000055cb564007fc in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55cb5879ab68, put_in_cache=put_in_cache@entry=true) at /test/10.6_dbg/sql/sql_connect.cc:1410
#17 0x000055cb56400f03 in handle_one_connection (arg=arg@entry=0x55cb5879ab68) at /test/10.6_dbg/sql/sql_connect.cc:1312
#18 0x000055cb568b688f in pfs_spawn_thread (arg=0x55cb586a1f58) at /test/10.6_dbg/storage/perfschema/pfs.cc:2201
#19 0x0000151ce9fcd609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#20 0x0000151ce9bbc293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.28 (dbg), 10.3.28 (opt), 10.4.18 (dbg), 10.4.18 (opt), 10.5.9 (dbg), 10.5.9 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.37 (dbg), 10.2.37 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.50 (dbg), 5.6.50 (opt), 5.7.32 (dbg), 5.7.32 (opt), 8.0.22 (dbg), 8.0.22 (opt)

Comment by Roel Van de Paar [ 2021-01-22 ]

Unique IDs seen so far. First line: first testcase; second and third lines: testcase by Alice.

SIGSEGV|Item_field::type_handler|subselect_engine::set_row|subselect_single_select_engine::fix_length_and_dec|Item_singlerow_subselect::fix_length_and_dec
SIGSEGV|Item_subselect::fix_fields|Item::fix_fields_if_needed|Item::fix_fields_if_needed|fix_fields_for_tvc
SIGSEGV|Item_subselect::fix_fields|Item::fix_fields_if_needed|fix_fields_for_tvc|table_value_constr::prepare
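The IDs above are a common crash-triage signature: the signal name followed by the first few frames past the crash handler, so that reports with different addresses but the same faulting path collapse into one bucket. As an added example that is not part of the ticket or of MariaDB's own tooling, the following C++ program derives such a signature from gdb `bt` output. The frame-line parsing (an optional `0x... in` prefix, then the symbol before the first `(`) and the depth of four frames are assumptions made here to reproduce the format of the IDs in the comment; the sample backtrace is the start of the 10.6.0 trace for `VALUES ((SELECT 1))` quoted above, with long argument lists shortened.

```cpp
// Added example (not MariaDB code): build a crash "unique ID" of the form
// SIGNAL|frame|frame|frame|frame from a gdb backtrace: the signal, then the
// first four frames after the "<signal handler called>" marker. Function names
// are taken from the frame text, so inlined frames without a "0x... in"
// prefix (e.g. fix_fields_for_tvc) are handled too.
#include <cassert>
#include <iostream>
#include <regex>
#include <string>
#include <vector>

// Extracts the function name from one gdb frame line, e.g.
//   "#4  0x000055cb5667ebac in Item_subselect::fix_fields (this=..., ...) at file:line"
//   "#6  fix_fields_for_tvc (thd=thd@entry=0x..., li=...) at file:line"
// Returns "" for lines that are not frames with a symbol (e.g. the handler marker).
std::string frame_function(const std::string &line)
{
    // "#N", optional "0xADDR in ", then the symbol up to the opening "(".
    static const std::regex re(R"(^#\d+\s+(?:0x[0-9a-fA-F]+ in )?([^\s(]+)\s*\()");
    std::smatch m;
    if (std::regex_search(line, m, re))
        return m[1].str();
    return "";
}

// Builds "SIGNAL|f1|...|fN" from a backtrace. Everything up to and including
// "<signal handler called>" is the crash handler itself and is skipped, so the
// ID starts at the faulting function; 'depth' frames are kept (4 in the IDs above).
std::string crash_signature(const std::vector<std::string> &bt,
                            const std::string &signal, size_t depth = 4)
{
    std::string id = signal;
    size_t taken = 0;
    bool after_handler = false;
    for (const std::string &line : bt) {
        if (!after_handler) {
            if (line.find("<signal handler called>") != std::string::npos)
                after_handler = true;
            continue;
        }
        std::string fn = frame_function(line);
        if (fn.empty())
            continue;
        id += "|" + fn;
        if (++taken == depth)
            break;
    }
    return id;
}

// First frames of the 10.6.0 backtrace for VALUES ((SELECT 1)) from the comments
// above, with argument lists shortened; its ID is the third line of the list.
const std::vector<std::string> kSampleBacktrace = {
    "#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56",
    "#1  0x000055cb56dd70d7 in my_write_core (sig=sig@entry=11) at /test/10.6_dbg/mysys/stacktrace.c:424",
    "#2  0x000055cb5656bab1 in handle_fatal_signal (sig=11) at /test/10.6_dbg/sql/signal_handler.cc:330",
    "#3  <signal handler called>",
    "#4  0x000055cb5667ebac in Item_subselect::fix_fields (this=0x151c98013a58, thd_param=<optimized out>, ref=0x0) at /test/10.6_dbg/sql/item_subselect.cc:303",
    "#5  0x000055cb564c1170 in Item::fix_fields_if_needed (ref=0x0, thd=0x151c98000db8, this=0x151c98013a58) at /test/10.6_dbg/sql/sql_list.h:443",
    "#6  fix_fields_for_tvc (thd=thd@entry=0x151c98000db8, li=...) at /test/10.6_dbg/sql/sql_tvc.cc:93",
    "#7  0x000055cb564c1685 in table_value_constr::prepare (this=0x151c98013c70, thd=0x151c98000db8, sl=...) at /test/10.6_dbg/sql/sql_tvc.cc:269",
    "#8  0x000055cb563983b0 in st_select_lex_unit::prepare (this=this@entry=0x151c98004f80, derived_arg=0x0, ...) at /test/10.6_dbg/sql/sql_union.cc:1567",
};

int main()
{
    std::cout << crash_signature(kSampleBacktrace, "SIGSEGV") << "\n";
    return 0;
}
```

Skipping frames up to the handler marker rather than a fixed count matters: the number of frames inside `handle_fatal_signal`/`my_write_core` differs between builds (compare the 10.3 and 10.5 traces above), and a signature that included them would split one bug into several buckets.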

Comment by Igor Babaev [ 2021-01-27 ]

The problem is that when parsing a TVC we use some variables that are global for the processed query. They are LEX::fields, LEX::many_values, LEX::insert_list. We need counterpart variables local to the TVC. In order not to modify all the code in the grammar rules that currently uses those globals, we save the globals' values when entering a TVC and restore them when leaving the TVC. Here's a diff that does it:

diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
index b8f6610..cd2a43b 100644
--- a/sql/sql_lex.cc
+++ b/sql/sql_lex.cc
@@ -2421,6 +2421,9 @@ void st_select_lex::init_select()
   with_dep= 0;
   join= 0;
   lock_type= TL_READ_DEFAULT;
+  save_field_list.empty();
+  save_many_values.empty();
+  save_insert_list= 0;
   tvc= 0;
   in_funcs.empty();
   curr_tvc_name= 0;
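Review bot: the three new save_* members are reset only here in st_select_lex::init_select(); whether the constructor or init_query() also initialises them is not visible in this diff, and `save_insert_list` is a raw pointer. If a st_select_lex can reach LEX::tvc_finalize() (which copies these members back into LEX) without having gone through init_select(), the restore reads uninitialised storage. Suggest either initialising them at construction as well, or adding a comment here stating that init_select() is the guaranteed first touch.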
@@ -8276,16 +8279,33 @@ bool LEX::last_field_generated_always_as_row_end()
 }
 
 
+void LEX::tvc_start()
+{
+  if (!nest_level)
+    current_select->init_select();
+  else
+  {
+    current_select->save_field_list= field_list;
+    current_select->save_many_values= many_values;
+    current_select->save_insert_list= insert_list;
+  }
+  field_list.empty();
+  many_values.empty();
+  insert_list= 0;
+}
+
+
 bool LEX::tvc_finalize()
 {
-  mysql_init_select(this);
   if (unlikely(!(current_select->tvc=
                new (thd->mem_root)
                table_value_constr(many_values,
                                   current_select,
                                   current_select->options))))
     return true;
-  many_values.empty();
+  field_list= current_select->save_field_list;
+  many_values= current_select->save_many_values;
+  insert_list= current_select->save_insert_list;
   if (!current_select->master_unit()->fake_select_lex)
     current_select->master_unit()->add_fake_select_lex(thd);
   return false;
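Review bot: tvc_finalize() restores field_list/many_values/insert_list from current_select->save_* unconditionally, whereas tvc_start() fills them only when `nest_level` is non-zero and otherwise calls init_select(); the top-level path is therefore correct only because init_select() leaves the save_* lists empty. Mirroring the `if (!nest_level)` test here, or a comment on the three restore lines naming that dependency, would make the pairing explicit. Two further points: dropping `mysql_init_select(this)` means a caller that reaches tvc_finalize() without a matching tvc_start() no longer gets the select initialised, so the two must now always be paired; and tvc_finalize_derived() (declared next to tvc_finalize() in sql_lex.h) is not touched, so a TVC used as a derived table still gets the old reset-only behaviour.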
diff --git a/sql/sql_lex.h b/sql/sql_lex.h
index 55929ed..c8e014d 100644
--- a/sql/sql_lex.h
+++ b/sql/sql_lex.h
@@ -1175,6 +1175,9 @@ class st_select_lex: public st_select_lex_node
   /* it is for correct printing SELECT options */
   thr_lock_type lock_type;
   
+  List<Item> save_field_list;
+  List<List_item> save_many_values;
+  List<Item> *save_insert_list;
   table_value_constr *tvc;
   bool in_tvc;
 
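Review bot: the new members carry no comment, unlike the neighbouring `lock_type` which has one, and their names do not say what they save or when. Suggest a comment above `List<Item> save_field_list;` along the lines of `/* LEX::field_list/many_values/insert_list of the enclosing statement, saved by LEX::tvc_start() while a nested TVC is parsed and restored by LEX::tvc_finalize() */`. `save_insert_list` is also a raw pointer with no in-class initialiser, so it relies on init_select() to be zeroed; an explicit initialisation in whatever form the code base uses would remove that dependency.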
@@ -4045,12 +4048,7 @@ struct LEX: public Query_tables_list
     return false;
   }
 
-  void tvc_start()
-  {
-    field_list.empty();
-    many_values.empty();
-    insert_list= 0;
-  }
+  void tvc_start();
   bool tvc_finalize();
   bool tvc_finalize_derived();
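Review bot: moving tvc_start() out of line is fine, but the bare `void tvc_start();` gives no hint that it now has a side effect (calling current_select->init_select() at nest level 0, which tvc_finalize() previously did through mysql_init_select()). A one-line comment stating that tvc_start() and tvc_finalize() must be called as a pair, and that tvc_finalize_derived() is the other exit path to keep in step, would help the next reader of this header.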

With the above code (after the fix of MDEV-24675!!!) I had:

MariaDB [test]> values ((values(2)));
+-------------+
| (values(2)) |
+-------------+
|           2 |
+-------------+
MariaDB [test]> select (values(2)) union values ((values(3)));
+-------------+
| (values(2)) |
+-------------+
|           2 |
|           3 |
+-------------+
MariaDB [test]> values ((values(2)),(values(3)));
+-------------+-------------+
| (values(2)) | (values(3)) |
+-------------+-------------+
|           2 |           3 |
+-------------+-------------+
MariaDB [test]> values ((values(2))) union values((values(3)));
+-------------+
| (values(2)) |
+-------------+
|           2 |
|           3 |
+-------------+

Most probably we have to change LEX::tvc_finalize_derived() similarly to how it's done in the above diff for LEX::tvc_finalize().
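To make the failure mode concrete, here is an added toy model of the state clobbering described in this comment; it is not MariaDB code and simplifies heavily. A single `Lex` holds the statement-wide lists the grammar actions write to, `many_values` (finished rows) and `insert_list` (the row currently being filled). The old `tvc_start()`/`tvc_finalize()` reset them unconditionally, so a TVC nested inside another TVC's row wipes the enclosing TVC's half-built state; the fixed variant saves the lists on entry to a nested TVC (`nest_level > 0`) and restores them on exit, which is what the diff does with the `save_*` members. The `Item`/`Lex`/`Saved` types, the `arena` standing in for `mem_root`, and the rendering of results as text are all constructions of this example; in the real server the damage shows up as the crashes in the traces above, not as the neatly wrong row shown here.

```cpp
// Added toy model (not MariaDB code) of the nested-TVC state clobbering.
// Buggy variant: tvc_start()/tvc_finalize() reset the shared lists unconditionally.
// Fixed variant: save them when entering a nested TVC, restore them when leaving.
#include <cassert>
#include <deque>
#include <iostream>
#include <string>
#include <vector>

using Row = std::vector<std::string>;        // the item texts of one row

// One item of a row: a literal, or a nested "VALUES (...)" carrying its own row.
struct Item {
    std::string literal;
    std::vector<Item> nested;                // non-empty => nested TVC
};
static Item lit(const std::string &s) { return Item{s, {}}; }
static Item sub(std::vector<Item> items) { return Item{"", std::move(items)}; }

struct Saved { std::vector<Row> many_values; Row *insert_list; };

struct Lex {
    std::deque<Row> arena;                   // rows live here (stands in for mem_root)
    std::vector<Row> many_values;            // like LEX::many_values
    Row *insert_list = nullptr;              // like LEX::insert_list
    int nest_level = 0;
    std::vector<Saved> saved;                // the per-select save_* members, one per level
};

static void tvc_start(Lex &lex, bool fixed)
{
    if (fixed && lex.nest_level > 0)         // nested: remember the enclosing lists
        lex.saved.push_back({lex.many_values, lex.insert_list});
    lex.many_values.clear();                 // old behaviour: unconditional reset
    lex.insert_list = nullptr;
    ++lex.nest_level;
}

static std::vector<Row> tvc_finalize(Lex &lex, bool fixed)
{
    std::vector<Row> tvc_rows = lex.many_values;   // table_value_constr(many_values, ...)
    if (fixed && lex.nest_level > 1) {             // nested: hand the enclosing lists back
        lex.many_values = lex.saved.back().many_values;
        lex.insert_list = lex.saved.back().insert_list;
        lex.saved.pop_back();
    } else {
        lex.many_values.clear();                   // old behaviour: many_values.empty()
    }
    --lex.nest_level;
    return tvc_rows;
}

// Renders rows as "(a,b);(c,d)" so results are easy to compare.
std::string show(const std::vector<Row> &rows)
{
    std::string s;
    for (size_t r = 0; r < rows.size(); ++r) {
        s += (r ? ";(" : "(");
        for (size_t c = 0; c < rows[r].size(); ++c)
            s += (c ? "," : "") + rows[r][c];
        s += ")";
    }
    return s;
}

// Parses one single-row TVC "VALUES (item, ...)": items are appended through
// lex.insert_list the way grammar actions do, and a nested TVC recurses in the
// middle of that row. Returns the rows this TVC ended up holding.
std::vector<Row> parse_tvc(Lex &lex, const std::vector<Item> &items, bool fixed)
{
    tvc_start(lex, fixed);
    lex.arena.emplace_back();                      // start this TVC's row
    lex.insert_list = &lex.arena.back();
    for (const Item &it : items) {
        std::string text = it.literal;
        if (!it.nested.empty())
            text = "(VALUES" + show(parse_tvc(lex, it.nested, fixed)) + ")";
        lex.insert_list->push_back(text);          // lands in whatever row insert_list points at now
    }
    lex.many_values.push_back(*lex.insert_list);   // row complete
    return tvc_finalize(lex, fixed);
}

// Parses a whole statement with a fresh Lex and returns the top-level rows rendered.
std::string run(bool fixed, const std::vector<Item> &statement)
{
    Lex lex;
    return show(parse_tvc(lex, statement, fixed));
}

// Constructed inputs: VALUES ((VALUES(1))) from the report, and a row mixing
// literals with a nested TVC, where the lost outer item is easier to see.
const std::vector<Item> kNested1 = { sub({lit("1")}) };
const std::vector<Item> kMixed   = { lit("1"), sub({lit("2")}), lit("3") };

int main()
{
    std::cout << "buggy: " << run(false, kMixed) << "\nfixed: " << run(true, kMixed) << "\n";
    return 0;
}
```

With the buggy variant, `VALUES (1, (VALUES(2)), 3)` comes out as `(2,(VALUES(2)),3)`: the inner TVC's reset dropped the outer row that already held `1`, and the outer items were then appended to the inner row. With the save/restore in place the outer row is `(1,(VALUES(2)),3)` and the inner TVC's own rows are untouched, which is the behaviour the result tables above show for `values ((values(2)),(values(3)))`.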

Comment by Igor Babaev [ 2021-02-09 ]

There is actually another more serious bug in wrap_tvc() that causes different crashes for nested TVCs.
The code of wrap_tvc() must be re-written.

Comment by Igor Babaev [ 2021-03-04 ]

A fix for this bug was pushed into 10.3

Generated at Thu Feb 08 09:17:27 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.