[MDEV-23315] Server crash in subselect_single_select_engine::exec or Assertion `(st_select_lex*)join->select_lex == this' failed in st_select_lex::cleanup upon 2nd execution of PS with condition_pushdown_from_having on constant table Created: 2020-07-28  Updated: 2022-08-23

Status: Open
Project: MariaDB Server
Component/s: Character Sets, Optimizer, Prepared Statements
Affects Version/s: 10.4, 10.5
Fix Version/s: 10.4, 10.5

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Dmitry Shulga
Resolution: Unresolved Votes: 1
Labels: None


 Description   

-- Minimal reproduction for the crash described above. The table is created
-- and never populated; the title attributes the failure to HAVING-condition
-- pushdown over a constant table (an empty MyISAM table is treated as one).
CREATE TABLE t1 (a CHAR(8)) ENGINE=MyISAM;
 
-- The optimizer feature under test; the switch does not exist in versions
-- before 10.4, which is why the case is not applicable to older releases.
SET optimizer_switch='condition_pushdown_from_having=on';
-- A connection charset that differs from the table column's, so the subquery
-- result is wrapped in a charset conversion (Item_func_conv_charset, frame #7
-- of the non-debug stack) before being compared with `a`.
SET character_set_connection= euckr;
-- HAVING compares the grouped column with a scalar subquery; the pushdown path
-- (and_new_conditions_to_optimized_cond, frame #12) adds it as an equality.
PREPARE stmt FROM "SELECT a FROM t1 GROUP BY a HAVING a = (SELECT 'baz')";
-- The first execution completes; the second one fails: assertion in
-- st_select_lex::cleanup on debug builds, signal in
-- subselect_single_select_engine::exec on non-debug builds, and a
-- use-after-poison in JOIN::destroy under ASAN (all three traces below).
EXECUTE stmt;
EXECUTE stmt;
 
# Cleanup
DEALLOCATE PREPARE stmt;
DROP TABLE t1;

10.4 fd9ca2a7 non-debug

#3  <signal handler called>
#4  0x000055bbb7e4f3bc in subselect_single_select_engine::exec (this=0x7f11300c6228) at /data/src/10.4/sql/item_subselect.cc:3851
#5  0x000055bbb7e4df3d in Item_subselect::exec (this=0x7f11300c60a0) at /data/src/10.4/sql/item_subselect.cc:746
#6  0x000055bbb7e4e5cf in Item_singlerow_subselect::val_str (this=0x7f11300c60a0, str=0x7f1130010db8) at /data/src/10.4/sql/item_subselect.cc:1356
#7  0x000055bbb7e35a5d in Item_func_conv_charset::val_str (this=0x7f1130010cf0, str=0x7f11412fd9e0) at /data/src/10.4/sql/item_strfunc.cc:3503
#8  0x000055bbb7cd7714 in Type_handler_string_result::Item_eq_value (this=<optimized out>, thd=<optimized out>, attr=0x7f11300115b8, a=<optimized out>, b=0x7f1130010cf0) at /data/src/10.4/sql/sql_type.cc:8014
#9  0x000055bbb7de624a in Item_equal::add_const (this=0x7f11300114f8, thd=<optimized out>, c=0x7f1130010cf0) at /data/src/10.4/sql/item_cmpfunc.cc:6627
#10 0x000055bbb7de655b in Item_equal::merge_with_check (this=this@entry=0x7f11300114f8, thd=thd@entry=0x7f11300009a8, item=0x7f11300114f8, save_merged=save_merged@entry=true) at /data/src/10.4/sql/item_cmpfunc.cc:6752
#11 0x000055bbb7bd0bb0 in propagate_new_equalities (thd=thd@entry=0x7f11300009a8, cond=cond@entry=0x7f11300114f8, new_equalities=0x7f11300116e8, inherited=inherited@entry=0x0, is_simplifiable_cond=is_simplifiable_cond@entry=0x7f11412fdcaf) at /data/src/10.4/sql/sql_select.cc:17086
#12 0x000055bbb7cb91e6 in and_new_conditions_to_optimized_cond (thd=0x7f11300009a8, cond=0x7f11300114f8, cond_eq=cond_eq@entry=0x7f1130010410, new_conds=..., cond_value=cond_value@entry=0x7f11300102e8) at /data/src/10.4/sql/opt_subselect.cc:5996
#13 0x000055bbb7bea7c5 in JOIN::optimize_inner (this=this@entry=0x7f113000ffd8) at /data/src/10.4/sql/sql_select.cc:2038
#14 0x000055bbb7bece83 in JOIN::optimize (this=this@entry=0x7f113000ffd8) at /data/src/10.4/sql/sql_select.cc:1610
#15 0x000055bbb7bed040 in mysql_select (thd=thd@entry=0x7f11300009a8, tables=0x7f11300c4a30, wild_num=0, fields=..., conds=<optimized out>, og_num=1, order=0x0, group=0x7f11300c5220, having=0x7f11300c6268, proc_param=0x0, select_options=2416184064, result=0x7f11300c6cc0, unit=0x7f11300c2918, select_lex=0x7f11300c4468) at /data/src/10.4/sql/sql_select.cc:4673
#16 0x000055bbb7beda36 in handle_select (thd=thd@entry=0x7f11300009a8, lex=lex@entry=0x7f11300c2858, result=result@entry=0x7f11300c6cc0, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/src/10.4/sql/sql_select.cc:422
#17 0x000055bbb7a97afa in execute_sqlcom_select (thd=thd@entry=0x7f11300009a8, all_tables=0x7f11300c4a30) at /data/src/10.4/sql/sql_parse.cc:6355
#18 0x000055bbb7b91dfd in mysql_execute_command (thd=0x7f11300009a8) at /data/src/10.4/sql/sql_parse.cc:3889
#19 0x000055bbb7bad32d in Prepared_statement::execute (this=this@entry=0x7f11300758f8, expanded_query=expanded_query@entry=0x7f1141300680, open_cursor=open_cursor@entry=false) at /data/src/10.4/sql/sql_prepare.cc:4765
#20 0x000055bbb7bad432 in Prepared_statement::execute_loop (this=0x7f11300758f8, expanded_query=0x7f1141300680, open_cursor=<optimized out>, packet=<optimized out>, packet_end=<optimized out>) at /data/src/10.4/sql/sql_prepare.cc:4251
#21 0x000055bbb7bad6ef in mysql_sql_stmt_execute (thd=thd@entry=0x7f11300009a8) at /data/src/10.4/sql/sql_prepare.cc:3368
#22 0x000055bbb7b922fc in mysql_execute_command (thd=thd@entry=0x7f11300009a8) at /data/src/10.4/sql/sql_parse.cc:3905
#23 0x000055bbb7b98a8a in mysql_parse (thd=thd@entry=0x7f11300009a8, rawbuf=<optimized out>, length=12, parser_state=parser_state@entry=0x7f1141302580, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.4/sql/sql_parse.cc:7896
#24 0x000055bbb7b9ad49 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f11300009a8, packet=packet@entry=0x7f1130007a19 "EXECUTE stmt", packet_length=packet_length@entry=12, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.4/sql/sql_parse.cc:1835
#25 0x000055bbb7b9c506 in do_command (thd=0x7f11300009a8) at /data/src/10.4/sql/sql_parse.cc:1353
#26 0x000055bbb7c7a942 in do_handle_one_connection (connect=connect@entry=0x55bbbb7da778) at /data/src/10.4/sql/sql_connect.cc:1412
#27 0x000055bbb7c7a9fd in handle_one_connection (arg=arg@entry=0x55bbbb7da778) at /data/src/10.4/sql/sql_connect.cc:1316
#28 0x000055bbb82bb8c1 in pfs_spawn_thread (arg=0x55bbbb7da7d8) at /data/src/10.4/storage/perfschema/pfs.cc:1869
#29 0x00007f11483b04a4 in start_thread (arg=0x7f1141303700) at pthread_create.c:456
#30 0x00007f114742ed0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

10.4 fd9ca2a7 debug

mysqld: /data/src/10.4/sql/sql_union.cc:2069: bool st_select_lex::cleanup(): Assertion `(st_select_lex*)join->select_lex == this' failed.
200728 14:35:31 [ERROR] mysqld got signal 6 ;
 
#7  0x00007f6c54ed4f12 in __GI___assert_fail (assertion=0x55e752500698 "(st_select_lex*)join->select_lex == this", file=0x55e7525001d8 "/data/src/10.4/sql/sql_union.cc", line=2069, function=0x55e752501000 <st_select_lex::cleanup()::__PRETTY_FUNCTION__> "bool st_select_lex::cleanup()") at assert.c:101
#8  0x000055e7518ebde8 in st_select_lex::cleanup (this=0x7f6c34184e28) at /data/src/10.4/sql/sql_union.cc:2069
#9  0x000055e751c21faa in subselect_single_select_engine::prepare (this=0x7f6c34185cd0, thd=0x7f6c34000af0) at /data/src/10.4/sql/item_subselect.cc:3714
#10 0x000055e751c14e04 in Item_subselect::fix_fields (this=0x7f6c34185b48, thd_param=0x7f6c34000af0, ref=0x7f6c34185da8) at /data/src/10.4/sql/item_subselect.cc:283
#11 0x000055e7516c9897 in Item::fix_fields_if_needed (this=0x7f6c34185b48, thd=0x7f6c34000af0, ref=0x7f6c34185da8) at /data/src/10.4/sql/item.h:960
#12 0x000055e751bc0463 in Item_func::fix_fields (this=0x7f6c34185d10, thd=0x7f6c34000af0, ref=0x7f6c34013560) at /data/src/10.4/sql/item_func.cc:352
#13 0x000055e7516c9897 in Item::fix_fields_if_needed (this=0x7f6c34185d10, thd=0x7f6c34000af0, ref=0x7f6c34013560) at /data/src/10.4/sql/item.h:960
#14 0x000055e7516c98c5 in Item::fix_fields_if_needed_for_scalar (this=0x7f6c34185d10, thd=0x7f6c34000af0, ref=0x7f6c34013560) at /data/src/10.4/sql/item.h:964
#15 0x000055e75174e06d in Item::fix_fields_if_needed_for_bool (this=0x7f6c34185d10, thd=0x7f6c34000af0, ref=0x7f6c34013560) at /data/src/10.4/sql/item.h:968
#16 0x000055e751825f67 in JOIN::prepare (this=0x7f6c340133b0, tables_init=0x7f6c341844d8, wild_num=0, conds_init=0x0, og_num=1, order_init=0x0, skip_order_by=false, group_init=0x7f6c34184cc8, having_init=0x7f6c34185d10, proc_param_init=0x0, select_lex_arg=0x7f6c34183f10, unit_arg=0x7f6c341823c0) at /data/src/10.4/sql/sql_select.cc:1291
#17 0x000055e7518327b5 in mysql_select (thd=0x7f6c34000af0, tables=0x7f6c341844d8, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7f6c34184cc8, having=0x7f6c34185d10, proc_param=0x0, select_options=2416184064, result=0x7f6c34186768, unit=0x7f6c341823c0, select_lex=0x7f6c34183f10) at /data/src/10.4/sql/sql_select.cc:4650
#18 0x000055e75182242c in handle_select (thd=0x7f6c34000af0, lex=0x7f6c34182300, result=0x7f6c34186768, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:422
#19 0x000055e7517e8ca4 in execute_sqlcom_select (thd=0x7f6c34000af0, all_tables=0x7f6c341844d8) at /data/src/10.4/sql/sql_parse.cc:6355
#20 0x000055e7517df2db in mysql_execute_command (thd=0x7f6c34000af0) at /data/src/10.4/sql/sql_parse.cc:3889
#21 0x000055e75180c9cc in Prepared_statement::execute (this=0x7f6c34132f70, expanded_query=0x7f6c4b057b50, open_cursor=false) at /data/src/10.4/sql/sql_prepare.cc:4765
#22 0x000055e75180ae2e in Prepared_statement::execute_loop (this=0x7f6c34132f70, expanded_query=0x7f6c4b057b50, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.4/sql/sql_prepare.cc:4251
#23 0x000055e751808902 in mysql_sql_stmt_execute (thd=0x7f6c34000af0) at /data/src/10.4/sql/sql_prepare.cc:3368
#24 0x000055e7517df320 in mysql_execute_command (thd=0x7f6c34000af0) at /data/src/10.4/sql/sql_parse.cc:3905
#25 0x000055e7517ecc51 in mysql_parse (thd=0x7f6c34000af0, rawbuf=0x7f6c34013198 "EXECUTE stmt", length=12, parser_state=0x7f6c4b058570, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7896
#26 0x000055e7517d9186 in dispatch_command (command=COM_QUERY, thd=0x7f6c34000af0, packet=0x7f6c341364f1 "EXECUTE stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1835
#27 0x000055e7517d7928 in do_command (thd=0x7f6c34000af0) at /data/src/10.4/sql/sql_parse.cc:1353
#28 0x000055e751960afe in do_handle_one_connection (connect=0x55e754490ce0) at /data/src/10.4/sql/sql_connect.cc:1412
#29 0x000055e75196084d in handle_one_connection (arg=0x55e754490ce0) at /data/src/10.4/sql/sql_connect.cc:1316
#30 0x000055e752360a0d in pfs_spawn_thread (arg=0x55e7544ac900) at /data/src/10.4/storage/perfschema/pfs.cc:1869
#31 0x00007f6c56e5d4a4 in start_thread (arg=0x7f6c4b059700) at pthread_create.c:456
#32 0x00007f6c54f91d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

10.4 fd9ca2a7 non-debug ASAN

==3521==ERROR: AddressSanitizer: use-after-poison on address 0x62b000062d40 at pc 0x55915fe7f22d bp 0x7fd711f10250 sp 0x7fd711f10248
READ of size 8 at 0x62b000062d40 thread T5
    #0 0x55915fe7f22c in JOIN::destroy() /data/src/10.4/sql/sql_select.cc:4494
    #1 0x55915ff9e6e2 in st_select_lex::cleanup() /data/src/10.4/sql/sql_union.cc:2070
    #2 0x559160550d50 in subselect_single_select_engine::prepare(THD*) /data/src/10.4/sql/item_subselect.cc:3714
    #3 0x55916054f71c in Item_subselect::fix_fields(THD*, Item**) /data/src/10.4/sql/item_subselect.cc:283
    #4 0x559160479cbe in Item::fix_fields_if_needed(THD*, Item**) /data/src/10.4/sql/item.h:960
    #5 0x559160479cbe in Item_func::fix_fields(THD*, Item**) /data/src/10.4/sql/item_func.cc:352
    #6 0x55915fdef843 in Item::fix_fields_if_needed(THD*, Item**) /data/src/10.4/sql/item.h:960
    #7 0x55915fdef843 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /data/src/10.4/sql/item.h:964
    #8 0x55915fe9d14d in Item::fix_fields_if_needed_for_bool(THD*, Item**) /data/src/10.4/sql/item.h:968
    #9 0x55915fe9d14d in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.4/sql/sql_select.cc:1291
    #10 0x55915fed12fc in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4650
    #11 0x55915fed1b8f in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:422
    #12 0x55915fb3d0d0 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6355
    #13 0x55915fdcf70c in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3889
    #14 0x55915fe18ce7 in Prepared_statement::execute(String*, bool) /data/src/10.4/sql/sql_prepare.cc:4765
    #15 0x55915fe192b3 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.4/sql/sql_prepare.cc:4251
    #16 0x55915fe19ba3 in mysql_sql_stmt_execute(THD*) /data/src/10.4/sql/sql_prepare.cc:3368
    #17 0x55915fdd2138 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3905
    #18 0x55915fde5118 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7896
    #19 0x55915fdeb2ea in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1835
    #20 0x55915fdee986 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1353
    #21 0x5591600606e7 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
    #22 0x55916006090a in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
    #23 0x559161067833 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #24 0x7fd71c9b44a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
    #25 0x7fd71aae8d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
 
0x62b000062d40 is located 2880 bytes inside of 24608-byte region [0x62b000062200,0x62b000068220)
allocated by thread T5 here:
    #0 0x7fd71cc8bd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x559161120efc in my_malloc /data/src/10.4/mysys/my_malloc.c:101
 
Thread T5 created by T0 here:
    #0 0x7fd71cbfaf59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x55916106fab2 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
 
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.4/sql/sql_select.cc:4494 in JOIN::destroy()
Shadow bytes around the buggy address:
  0x0c5680004550: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5680004560: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5680004570: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5680004580: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5680004590: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c56800045a0: f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7
  0x0c56800045b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c56800045c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c56800045d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c56800045e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c56800045f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3521==ABORTING

Reproducible on 10.4-10.5, debug, non-debug and ASAN as shown above.
The test case is not applicable to earlier versions due to the optimizer switch.



 Comments   
Comment by Alice Sherepa [ 2022-08-23 ]

not reproducible on the current 10.4+ (10.4 316847eab72022cd11351ea1)
