[MDEV-22814] SIGSEGV in set_field_to_null_with_conversions on SELECT (on optimized builds) Created: 2020-06-05  Updated: 2023-12-05

Status: Stalled
Project: MariaDB Server
Component/s: Optimizer, Optimizer - Window functions
Affects Version/s: 10.2, 10.3, 10.4, 10.5
Fix Version/s: 10.4, 10.5

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Sergei Petrunia
Resolution: Unresolved Votes: 0
Labels: not-10.1

Issue Links:
Relates
relates to MDEV-11867 Invalid use of group function - Closed
relates to MDEV-15210 item_windowfunc.cc:445: virtual Field... Closed

Description

USE test;
CREATE TABLE t (i INT, j INT, KEY(i)) ENGINE=InnoDB;
SELECT FIRST_VALUE(j) OVER (ORDER BY 0 + (SELECT FIRST_VALUE(upper.j) OVER (ORDER BY upper.j) FROM t LIMIT 1)) FROM t AS upper;

Leads to:

10.5.4 8569dac1ec9f6853a0b2f3ea9bcbda67644ead24

Core was generated by `/test/MD260520-mariadb-10.5.4-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x14c4294d1700 (LWP 3556701))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x000055dfe7fb8337 in my_write_core (sig=sig@entry=11) at /test/10.5_opt/mysys/stacktrace.c:518
#2  0x000055dfe797a3ca in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:330
#3  <signal handler called>
#4  set_field_to_null_with_conversions (field=0x0, no_conversions=true) at /test/10.5_opt/sql/field_conv.cc:205
#5  0x000055dfe79905e6 in Item::save_in_field (this=0x14c406847ee0, field=0x0, no_conversions=<optimized out>) at /test/10.5_opt/sql/item.cc:6605
#6  0x000055dfe77d5913 in Item_result_field::save_in_result_field (no_conversions=true, this=<optimized out>) at /test/10.5_opt/sql/item.h:3255
#7  copy_sum_funcs (end_ptr=0x14c40684be68, func_ptr=0x14c40684be60) at /test/10.5_opt/sql/sql_select.cc:25650
#8  end_write_group (join=0x14c40684a948, join_tab=0x14c4068c93d8, end_of_records=<optimized out>) at /test/10.5_opt/sql/sql_select.cc:22272
#9  0x000055dfe77da87b in AGGR_OP::end_send (this=0x14c4068cc3c8) at /test/10.5_opt/sql/sql_select.cc:28855
#10 0x000055dfe77daaee in sub_select_postjoin_aggr (join=0x14c40684a948, join_tab=0x14c4068c93d8, end_of_records=<optimized out>) at /test/10.5_opt/sql/sql_select.cc:20325
#11 0x000055dfe77e226d in do_select (procedure=<optimized out>, join=0x14c40684a948) at /test/10.5_opt/sql/sql_select.cc:20151
#12 JOIN::exec_inner (this=this@entry=0x14c40684a948) at /test/10.5_opt/sql/sql_select.cc:4464
#13 0x000055dfe77e2677 in JOIN::exec (this=this@entry=0x14c40684a948) at /test/10.5_opt/sql/sql_select.cc:4245
#14 0x000055dfe77e09c2 in mysql_select (thd=thd@entry=0x14c406812018, tables=0x14c4068498c0, fields=@0x14c4068472e0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14c406849800, last = 0x14c406849800, elements = 1}, <No data fields>}, conds=0x0, og_num=<optimized out>, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x14c40684a920, unit=0x14c406815e70, select_lex=0x14c406847190) at /test/10.5_opt/sql/sql_select.cc:4669
#15 0x000055dfe77e1381 in handle_select (thd=thd@entry=0x14c406812018, lex=lex@entry=0x14c406815da8, result=result@entry=0x14c40684a920, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_opt/sql/sql_select.cc:417
#16 0x000055dfe7787e91 in execute_sqlcom_select (thd=thd@entry=0x14c406812018, all_tables=0x14c4068498c0) at /test/10.5_opt/sql/sql_parse.cc:6207
#17 0x000055dfe7783db2 in mysql_execute_command (thd=thd@entry=0x14c406812018) at /test/10.5_opt/sql/sql_parse.cc:3939
#18 0x000055dfe778afac in mysql_parse (thd=0x14c406812018, rawbuf=<optimized out>, length=126, parser_state=0x14c4294d04b0, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_parse.cc:7991
#19 0x000055dfe77802b5 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14c406812018, packet=packet@entry=0x14c40683a019 "", packet_length=packet_length@entry=126, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:1874
#20 0x000055dfe777e6a4 in do_command (thd=0x14c406812018) at /test/10.5_opt/sql/sql_parse.cc:1355
#21 0x000055dfe7873891 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x14c428c329b8, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1411
#22 0x000055dfe7873bf4 in handle_one_connection (arg=arg@entry=0x14c428c329b8) at /test/10.5_opt/sql/sql_connect.cc:1313
#23 0x000055dfe7be006a in pfs_spawn_thread (arg=0x14c428c4b018) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
#24 0x000014c42a4c86db in start_thread (arg=0x14c4294d1700) at pthread_create.c:463
#25 0x000014c4298c688f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.2.33 (dbg), 10.2.33 (opt), 10.3.24 (dbg), 10.3.24 (opt), 10.4.14 (dbg), 10.4.14 (opt), 10.5.4 (dbg), 10.5.4 (opt)

Bug confirmed not present in:
MariaDB: 10.1.46 (dbg), 10.1.46 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Issue is not reproducible on MyISAM, Aria or MEMORY. MyISAM example on 10.5.4 (opt):

10.5.4 8569dac1ec9f6853a0b2f3ea9bcbda67644ead24

10.5.4>SELECT FIRST_VALUE(j) OVER (ORDER BY 0 + (SELECT FIRST_VALUE(upper.j) OVER (ORDER BY upper.j) FROM t LIMIT 1)) FROM t AS upper;
+---------------------------------------------------------------------------------------------------------+
| FIRST_VALUE(j) OVER (ORDER BY 0 + (SELECT FIRST_VALUE(upper.j) OVER (ORDER BY upper.j) FROM t LIMIT 1)) |
+---------------------------------------------------------------------------------------------------------+
|                                                                                                    NULL |
+---------------------------------------------------------------------------------------------------------+
1 row in set (0.006 sec)



Comments
Comment by Marko Mäkelä [ 2020-06-05 ]

I tried an ASAN debug build, but ASAN did not report anything extra. And I can repeat it without InnoDB, using MyISAM:

--source include/have_innodb.inc
CREATE TABLE t (i INT, j INT, KEY(i));
SELECT FIRST_VALUE(j) OVER (ORDER BY 0 + (SELECT FIRST_VALUE(upper.j) OVER (ORDER BY upper.j) FROM t LIMIT 1)) FROM t AS upper;
DROP TABLE t;

10.2 29ed04cb6d8e930c2b2bad7baf4cdae02cf712cd

Version: '10.2.33-MariaDB-debug-log'  socket: '/dev/shm/10.2a/mysql-test/var/tmp/mysqld.1.sock'  port: 16000  Source distribution
mysqld: /mariadb/10.2o/sql/item_windowfunc.cc:351: virtual Field *Item_sum_hybrid_simple::create_tmp_field(bool, TABLE *): Assertion `0' failed.
#7  0x00000000014965a5 in Item_sum_hybrid_simple::create_tmp_field (this=<optimized out>, group=<optimized out>, table=<optimized out>) at /mariadb/10.2o/sql/item_windowfunc.cc:351
#8  0x00000000009f47cd in create_tmp_field (thd=0x62a000060208, table=0x622000022928, item=0x62b000001320, type=<optimized out>, copy_func=0x7f1c3762cf40, from_field=0x622000023a30, default_field=0x6220000239e0, group=<optimized out>, modify_item=<optimized out>, table_cant_handle_bit_fields=<optimized out>, make_copy_field=false) at /mariadb/10.2o/sql/sql_select.cc:16485
#9  0x00000000009a8a30 in create_tmp_table (thd=<optimized out>, param=<optimized out>, fields=<optimized out>, group=<optimized out>, distinct=false, save_sum_fields=<optimized out>, select_options=<optimized out>, rows_limit=<optimized out>, table_alias=<optimized out>, do_not_open=<optimized out>, keep_row_order=<optimized out>) at /mariadb/10.2o/sql/sql_select.cc:16986
#10 0x00000000009b17f8 in JOIN::create_postjoin_aggr_table (this=<optimized out>, tab=<optimized out>, table_fields=<optimized out>, table_group=<optimized out>, save_sum_fields=<optimized out>, distinct=<optimized out>, keep_row_order=<optimized out>) at /mariadb/10.2o/sql/sql_select.cc:2970
#11 0x000000000099fb5a in JOIN::make_aggr_tables_info (this=0x62b000002ce8) at /mariadb/10.2o/sql/sql_select.cc:2575
#12 0x000000000096fbcf in JOIN::optimize_inner (this=<optimized out>) at /mariadb/10.2o/sql/sql_select.cc:2282
#13 0x000000000096cfef in JOIN::optimize (this=0x62b000002ce8) at /mariadb/10.2o/sql/sql_select.cc:1113
#14 0x0000000000963b7e in mysql_select (thd=<optimized out>, tables=<optimized out>, wild_num=<optimized out>, fields=<optimized out>, conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=<optimized out>, having=<optimized out>, proc_param=<optimized out>, select_options=<optimized out>, result=<optimized out>, unit=<optimized out>, select_lex=<optimized out>) at /mariadb/10.2o/sql/sql_select.cc:3819
#15 0x00000000009632a1 in handle_select (thd=<optimized out>, lex=0x62a000063d40, result=<optimized out>, setup_tables_done_option=<optimized out>) at /mariadb/10.2o/sql/sql_select.cc:361
#16 0x00000000008e4e9f in execute_sqlcom_select (thd=0x62a000060208, all_tables=<optimized out>) at /mariadb/10.2o/sql/sql_parse.cc:6226

Comment by Varun Gupta (Inactive) [ 2020-06-22 ]

From the standard:

Syntax Rules

  1. Let OF be the WINFUNC in an application of the Syntax Rules of this Subclause. The result of the application of this Subclause is QSX or SSSRX, as appropriate, which is returned as TRANSFORM.
    #An <aggregate function> simply contained in a <window function> shall not simply contain a <hypothetical set function>.
  2. Let OF be the <window function>.
  3. Case:
    a) If OF is contained in an <order by clause>, then the <order by clause> shall be simply contained in a <query expression> that is a simple table query. Let TE be the <table expression> contained in the result of the syntactic transformation of a simple table query, as specified in Subclause 7.13, “<query expression>”.
    b) Otherwise, OF shall be contained in a <select list> that is immediately contained in a <query specification> QS or a <select statement: single row> SSSR. Let QSS be the innermost <query specification> contained in QS that contains OF. Let TE be the <table expression> immediately contained in QSS or SSSR.
  4. OF shall not contain an outer reference or a <query expression>.

So it says that a window function cannot have outer references, so maybe we could disallow such queries.
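The following is an added illustration, not code from the ticket or from the MariaDB test suite. It puts the ticket's outer-reference query (the form Syntax Rule 4 above rejects) beside a rewrite that contains no outer reference and no subquery inside any window function. The table definition is the ticket's; the inserted rows are constructed sample data.

```sql
-- Added example (not from the ticket). Table t as in the ticket, sample rows constructed.
CREATE TABLE t (i INT, j INT, KEY(i));
INSERT INTO t VALUES (1, 30), (2, 10), (3, 20);

-- Non-conformant (SQL standard, Syntax Rule 4 quoted above): the inner window
-- function FIRST_VALUE(upper.j) OVER (ORDER BY upper.j) contains the outer
-- reference upper.j. Inside the subquery upper.j is a constant for the outer row
-- being evaluated, so FIRST_VALUE of it is upper.j itself and the whole
-- ORDER BY reduces to ORDER BY 0 + upper.j. Left commented out: on the affected
-- versions listed in this ticket this statement crashes the server.
-- SELECT FIRST_VALUE(j) OVER (ORDER BY 0 + (SELECT FIRST_VALUE(upper.j) OVER (ORDER BY upper.j) FROM t LIMIT 1))
-- FROM t AS upper;

-- Conformant rewrite with the same ordering semantics: the window function
-- contains neither an outer reference nor a <query expression>.
SELECT j,
       FIRST_VALUE(j) OVER (ORDER BY j) AS first_j
FROM t AS upper;

DROP TABLE t;
```

The rewrite is what a query author should send once the server rejects the outer-reference form with an error, as the later comments in this ticket propose; from a hardening point of view it also removes a crafted-statement crash path that any account with SELECT on t could otherwise trigger on the affected versions.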

Comment by Varun Gupta (Inactive) [ 2020-06-23 ]

The crash will be fixed by MDEV-15313. I checked the query does not crash and returns correct results. But the question is should we allow outer references in window functions or not?

Comment by Varun Gupta (Inactive) [ 2020-06-23 ]

The outcome of the discussion on the call was that we should not allow outer references in window functions, so we should throw an error for this case.

Comment by Roel Van de Paar [ 2020-07-09 ]

Confirming the crash that Marko saw. Running this testcase:

USE test;
CREATE TABLE t (i INT, j INT);
SELECT LAST_VALUE(j) OVER (ORDER BY 0 + (SELECT FIRST_VALUE(upper.j) OVER (ORDER BY upper.j) FROM t LIMIT 1)) FROM t AS upper;

Against a debug build produces:

10.5.5 e1013725ce0f3f947e728491eef75d9985e8db2f

Core was generated by `/test/MD250620-mariadb-10.5.5-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x14cfe0580700 (LWP 1330641))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x000055e3ab5987d0 in my_write_core (sig=sig@entry=6) at /test/10.5_dbg/mysys/stacktrace.c:518
#2  0x000055e3aad5147a in handle_fatal_signal (sig=6) at /test/10.5_dbg/sql/signal_handler.cc:330
#3  <signal handler called>
#4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5  0x000014cfde8168b1 in __GI_abort () at abort.c:79
#6  0x000014cfde80642a in __assert_fail_base (fmt=0x14cfde98da38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
    assertion=assertion@entry=0x55e3ab8d266f "0", file=file@entry=0x55e3ab8f4b20 "/test/10.5_dbg/sql/item_windowfunc.cc", 
    line=line@entry=462, 
    function=function@entry=0x55e3ab8f53e0 <Item_sum_hybrid_simple::create_tmp_field(st_mem_root*, bool, TABLE*)::__PRETTY_FUNCTION__> "virtual Field* Item_sum_hybrid_simple::create_tmp_field(MEM_ROOT*, bool, TABLE*)") at assert.c:92
#7  0x000014cfde8064a2 in __GI___assert_fail (assertion=assertion@entry=0x55e3ab8d266f "0", 
    file=file@entry=0x55e3ab8f4b20 "/test/10.5_dbg/sql/item_windowfunc.cc", line=line@entry=462, 
    function=function@entry=0x55e3ab8f53e0 <Item_sum_hybrid_simple::create_tmp_field(st_mem_root*, bool, TABLE*)::__PRETTY_FUNCTION__> "virtual Field* Item_sum_hybrid_simple::create_tmp_field(MEM_ROOT*, bool, TABLE*)") at assert.c:101
#8  0x000055e3aaf5ec4e in Item_sum_hybrid_simple::create_tmp_field (this=<optimized out>, root=<optimized out>, 
    group=<optimized out>, table=<optimized out>) at /test/10.5_dbg/sql/item_windowfunc.cc:462
#9  0x000055e3aace4c87 in Item_sum::create_tmp_field_ex (this=<optimized out>, root=<optimized out>, table=<optimized out>, 
    src=<optimized out>, param=<optimized out>) at /test/10.5_dbg/sql/item_sum.h:522
#10 0x000055e3aaaf25f9 in create_tmp_field (table=table@entry=0x14cfba17c0a0, item=item@entry=0x14cfba074f50, 
    copy_func=copy_func@entry=0x14cfe057dc68, from_field=from_field@entry=0x14cfba17d478, default_field=0x14cfba17d428, 
    group=<optimized out>, modify_item=true, table_cant_handle_bit_fields=false, make_copy_field=false)
    at /test/10.5_dbg/sql/sql_select.cc:18045
#11 0x000055e3aaaf354e in Create_tmp_table::add_fields (this=this@entry=0x14cfe057dce0, thd=thd@entry=0x14cfba015088, 
    table=table@entry=0x14cfba17c0a0, param=param@entry=0x14cfba1782b0, fields=...) at /test/10.5_dbg/sql/sql_select.cc:18542
#12 0x000055e3aab18ba8 in create_tmp_table (thd=0x14cfba015088, param=0x14cfba1782b0, fields=..., group=group@entry=0x0, 
    distinct=distinct@entry=false, save_sum_fields=save_sum_fields@entry=true, select_options=2147748608, 
    rows_limit=18446744073709551615, table_alias=0x55e3ac0dbb80 <empty_clex_str>, do_not_open=true, keep_row_order=false)
    at /test/10.5_dbg/sql/sql_select.cc:19156
#13 0x000055e3aab18f1a in JOIN::create_postjoin_aggr_table (this=this@entry=0x14cfba0779b8, tab=tab@entry=0x14cfba175448, 
    table_fields=table_fields@entry=0x14cfba077ce0, table_group=0x0, save_sum_fields=<optimized out>, 
    distinct=distinct@entry=false, keep_row_order=false) at /test/10.5_dbg/sql/sql_select.cc:3736
#14 0x000055e3aab19d1b in JOIN::make_aggr_tables_info (this=this@entry=0x14cfba0779b8) at /test/10.5_dbg/sql/sql_select.cc:3333
#15 0x000055e3aab1ec33 in JOIN::optimize_stage2 (this=this@entry=0x14cfba0779b8) at /test/10.5_dbg/sql/sql_select.cc:2977
#16 0x000055e3aab22d83 in JOIN::optimize_inner (this=this@entry=0x14cfba0779b8) at /test/10.5_dbg/sql/sql_select.cc:2262
#17 0x000055e3aab230a6 in JOIN::optimize (this=this@entry=0x14cfba0779b8) at /test/10.5_dbg/sql/sql_select.cc:1612
#18 0x000055e3aab23a33 in mysql_select (thd=thd@entry=0x14cfba015088, tables=<optimized out>, fields=..., conds=0x0, og_num=0, 
    order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x14cfba077990, 
    unit=0x14cfba0190a0, select_lex=0x14cfba074200) at /test/10.5_dbg/sql/sql_select.cc:4635
#19 0x000055e3aab23daf in handle_select (thd=thd@entry=0x14cfba015088, lex=lex@entry=0x14cfba018fd8, 
    result=result@entry=0x14cfba077990, setup_tables_done_option=setup_tables_done_option@entry=0)
    at /test/10.5_dbg/sql/sql_select.cc:417
#20 0x000055e3aaaad6c9 in execute_sqlcom_select (thd=thd@entry=0x14cfba015088, all_tables=0x14cfba076930)
    at /test/10.5_dbg/sql/sql_parse.cc:6211
#21 0x000055e3aaaa67c2 in mysql_execute_command (thd=thd@entry=0x14cfba015088) at /test/10.5_dbg/sql/sql_parse.cc:3939
#22 0x000055e3aaab3638 in mysql_parse (thd=thd@entry=0x14cfba015088, rawbuf=<optimized out>, length=<optimized out>, 
    parser_state=parser_state@entry=0x14cfe057f350, is_com_multi=is_com_multi@entry=false, 
    is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7995
#23 0x000055e3aaaa0110 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14cfba015088, 
    packet=packet@entry=0x14cfba067089 "SELECT LAST_VALUE(j) OVER (ORDER BY 0 + (SELECT FIRST_VALUE(upper.j) OVER (ORDER BY upper.j) FROM t LIMIT 1)) FROM t AS upper", packet_length=packet_length@entry=125, is_com_multi=is_com_multi@entry=false, 
    is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1874
#24 0x000055e3aaa9e8ea in do_command (thd=0x14cfba015088) at /test/10.5_dbg/sql/sql_parse.cc:1355
#25 0x000055e3aabfa15f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x14cfbf4d2028, 
    put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1411
#26 0x000055e3aabfa87b in handle_one_connection (arg=arg@entry=0x14cfbf4d2028) at /test/10.5_dbg/sql/sql_connect.cc:1313
#27 0x000055e3ab05d11c in pfs_spawn_thread (arg=0x14cfdd446508) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#28 0x000014cfdf4f96db in start_thread (arg=0x14cfe0580700) at pthread_create.c:463
#29 0x000014cfde8f7a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment by Alice Sherepa [ 2022-03-16 ]

Not reproducible on current 10.2 - 10.8 (10.2 0f56e21efa68ba3b37d117)

Comment by Roel Van de Paar [ 2022-03-16 ]

Confirmed not reproducible anymore. Will leave it to psergei to make a call on whether anything is left to do here.

Comment by Julien Fritsch [ 2023-12-05 ]

Automated message:
----------------------------
Since this issue has not been updated in 6 weeks, it's time to move it back to Stalled.

Comment by JiraAutomate [ 2023-12-05 ]

Automated message:
----------------------------
Since this issue has not been updated in 6 weeks, it's time to move it back to Stalled.

Generated at Thu Feb 08 09:17:41 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.