[MDEV-24033] SIGSEGV in __memcmp_avx2_movbe from queue_insert | SIGSEGV in __memcmp_avx2_movbe from native_compare Created: 2020-10-27  Updated: 2020-12-10  Resolved: 2020-10-30

Status: Closed
Project: MariaDB Server
Component/s: Optimizer, Optimizer - Window functions, Partitioning
Affects Version/s: 10.1, 10.2, 10.3, 10.4, 10.5, 10.6
Fix Version/s: 10.2.35, 10.3.26, 10.4.16, 10.5.7

Type: Bug
Priority: Blocker
Reporter: Roel Van de Paar
Assignee: Varun Gupta (Inactive)
Resolution: Fixed
Votes: 0
Labels: regression


Description

SET sql_select_limit = 3;
CREATE TEMPORARY TABLE t (i INT);
INSERT INTO t VALUES (1), (2), (3), (4);
SET SESSION max_sort_length=4;
SELECT SUM(SUM(i)) OVER W FROM t GROUP BY i WINDOW w AS (PARTITION BY i ORDER BY i) ORDER BY SUM(SUM(i)) OVER w;

Leads to:

10.6.0 5d4599f9750140f92cfdbbe4d292ae1b8dd456f8 (Optimized)

Core was generated by `/test/MD201020-mariadb-10.6.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x14f8ecec0700 (LWP 821770))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x0000558337932a4f in my_write_core (sig=sig@entry=11) at /test/10.6_opt/mysys/stacktrace.c:424
#2  0x0000558337356130 in handle_fatal_signal (sig=11) at /test/10.6_opt/sql/signal_handler.cc:330
#3  <signal handler called>
#4  __memcmp_avx2_movbe () at ../sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S:267
#5  0x0000558337932344 in insert_at (queue=queue@entry=0x14f8ecebe3c0, element=0x14f89c0638d8 "\253\070\006\234\370\024", idx=2) at /test/10.6_opt/mysys/queues.c:197
#6  0x0000558337932592 in queue_insert (queue=queue@entry=0x14f8ecebe3c0, element=<optimized out>) at /test/10.6_opt/mysys/queues.c:219
#7  0x00005583373546f0 in Bounded_queue<unsigned char, unsigned char>::push (element=0x14f89c01fd78 "\360U\002\234\370\024", this=<optimized out>) at /test/10.6_opt/sql/bounded_queue.h:178
#8  find_all_keys (found_rows=0x14f89c0636a0, pq=0x14f8ecebe3a0, tempfile=0x14f8ecebe4b0, buffpek_pointers=0x14f8ecebe5a0, fs_info=0x14f89c063530, select=0x0, param=0x14f8ecebe3f0, thd=0x14f89c000c58) at /test/10.6_opt/sql/filesort.cc:951
#9  filesort (thd=0x14f89c000c58, table=table@entry=0x14f89c01e9f0, filesort=filesort@entry=0x14f89c015b60, tracker=0x14f89c015fb0, join=join@entry=0x14f89c012cc8, first_table_bit=<optimized out>) at /test/10.6_opt/sql/filesort.cc:355
#10 0x000055833719b226 in create_sort_index (thd=<optimized out>, join=0x14f89c012cc8, tab=tab@entry=0x14f89c014828, fsort=0x14f89c015b60, fsort@entry=0x0) at /test/10.6_opt/sql/sql_select.cc:23850
#11 0x000055833719b5b2 in st_join_table::sort_table (this=this@entry=0x14f89c014828) at /test/10.6_opt/sql/sql_select.cc:21597
#12 0x000055833719b680 in join_init_read_record (tab=0x14f89c014828) at /test/10.6_opt/sql/sql_select.cc:21536
#13 0x00005583371aa68e in AGGR_OP::end_send (this=0x14f89c015720) at /test/10.6_opt/sql/sql_select.cc:28901
#14 0x00005583371aa9d0 in sub_select_postjoin_aggr (join=0x14f89c012cc8, join_tab=0x14f89c014828, end_of_records=<optimized out>) at /test/10.6_opt/sql/sql_select.cc:20315
#15 0x00005583371b3e88 in do_select (procedure=<optimized out>, join=0x14f89c012cc8) at /test/10.6_opt/sql/sql_select.cc:20154
#16 JOIN::exec_inner (this=0x14f89c012cc8) at /test/10.6_opt/sql/sql_select.cc:4465
#17 0x00005583371b42b9 in JOIN::exec (this=this@entry=0x14f89c012cc8) at /test/10.6_opt/sql/sql_select.cc:4246
#18 0x00005583371b2367 in mysql_select (thd=0x14f89c000c58, tables=0x14f89c011028, fields=<optimized out>, conds=0x0, og_num=2, order=0x14f89c012b40, group=0x14f89c011858, having=0x0, proc_param=0x0, select_options=2147748608, result=0x14f89c012ca0, unit=0x14f89c004c20, select_lex=0x14f89c0104e0) at /test/10.6_opt/sql/sql_select.cc:4673
#19 0x00005583371b2d67 in handle_select (thd=thd@entry=0x14f89c000c58, lex=lex@entry=0x14f89c004b58, result=result@entry=0x14f89c012ca0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.6_opt/sql/sql_select.cc:417
#20 0x0000558337142951 in execute_sqlcom_select (thd=0x14f89c000c58, all_tables=0x14f89c011028) at /test/10.6_opt/sql/sql_parse.cc:6062
#21 0x0000558337150380 in mysql_execute_command (thd=0x14f89c000c58) at /test/10.6_opt/sql/sql_parse.cc:3784
#22 0x000055833713d03f in mysql_parse (thd=0x14f89c000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.6_opt/sql/sql_parse.cc:7833
#23 0x0000558337148967 in dispatch_command (command=COM_QUERY, thd=0x14f89c000c58, packet=0x14f89c008009 "", packet_length=<optimized out>) at /test/10.6_opt/sql/sql_class.h:1253
#24 0x000055833714ad42 in do_command (thd=0x14f89c000c58) at /test/10.6_opt/sql/sql_parse.cc:1343
#25 0x000055833724e6e1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55833ae75d68, put_in_cache=put_in_cache@entry=true) at /test/10.6_opt/sql/sql_connect.cc:1410
#26 0x000055833724eb5d in handle_one_connection (arg=arg@entry=0x55833ae75d68) at /test/10.6_opt/sql/sql_connect.cc:1312
#27 0x00005583375d4266 in pfs_spawn_thread (arg=0x55833ade29c8) at /test/10.6_opt/storage/perfschema/pfs.cc:2201
#28 0x000014f8eff56609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#29 0x000014f8efb45293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.5.7 e3fc9c1db04bdc5566bcdafcc3d5159199089c00 (Debug)

Core was generated by `/test/MD211020-mariadb-10.5.7-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x14c16c07c700 (LWP 660751))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x000055d80dd99869 in my_write_core (sig=sig@entry=11) at /test/10.5_dbg/mysys/stacktrace.c:424
#2  0x000055d80d4eef1f in handle_fatal_signal (sig=11) at /test/10.5_dbg/sql/signal_handler.cc:330
#3  <signal handler called>
#4  __memcmp_avx2_movbe () at ../sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S:267
#5  0x000055d80dd98da7 in native_compare (length=<optimized out>, a=<optimized out>, b=<optimized out>) at /test/10.5_dbg/mysys/ptr_cmp.c:49
#6  0x000055d80dd990c7 in insert_at (queue=queue@entry=0x14c16c079c60, element=element@entry=0x14c128069d68 ";\235\006(\301\024", idx=4) at /test/10.5_dbg/mysys/queues.c:190
#7  0x000055d80dd993bd in queue_insert (queue=queue@entry=0x14c16c079c60, element=0x14c128069d68 ";\235\006(\301\024") at /test/10.5_dbg/mysys/queues.c:219
#8  0x000055d80d4ecf8c in Bounded_queue<unsigned char, unsigned char>::push (element=0x14c1280261b8 "0\271\002(\301\024", this=0x14c16c079c40) at /test/10.5_dbg/sql/bounded_queue.h:137
#9  find_all_keys (found_rows=0x14c128069c70, pq=0x14c16c079c40, tempfile=0x14c16c079d40, buffpek_pointers=0x14c16c079eb0, fs_info=0x14c128069a80, select=0x0, param=0x14c16c079c90, thd=0x14c128000db8) at /test/10.5_dbg/sql/filesort.cc:942
#10 filesort (thd=thd@entry=0x14c128000db8, table=table@entry=0x14c128024cb0, filesort=filesort@entry=0x14c128018238, tracker=0x14c128018670, join=join@entry=0x14c128015290, first_table_bit=<optimized out>) at /test/10.5_dbg/sql/filesort.cc:352
#11 0x000055d80d28dd13 in create_sort_index (thd=0x14c128000db8, join=0x14c128015290, tab=tab@entry=0x14c128016de0, fsort=0x14c128018238, fsort@entry=0x0) at /test/10.5_dbg/sql/sql_select.cc:23862
#12 0x000055d80d28e0ec in st_join_table::sort_table (this=this@entry=0x14c128016de0) at /test/10.5_dbg/sql/sql_select.cc:21609
#13 0x000055d80d28e226 in join_init_read_record (tab=0x14c128016de0) at /test/10.5_dbg/sql/sql_select.cc:21548
#14 0x000055d80d2a062c in AGGR_OP::end_send (this=this@entry=0x14c128017dc8) at /test/10.5_dbg/sql/sql_select.cc:28913
#15 0x000055d80d2a09ac in sub_select_postjoin_aggr (join=0x14c128015290, join_tab=0x14c128016de0, end_of_records=<optimized out>) at /test/10.5_dbg/sql/sql_select.cc:20335
#16 0x000055d80d274b2b in sub_select (join=0x14c128015290, join_tab=0x14c128016a38, end_of_records=<optimized out>) at /test/10.5_dbg/sql/sql_select.cc:20569
#17 0x000055d80d2adbf0 in do_select (procedure=<optimized out>, join=0x14c128015290) at /test/10.5_dbg/sql/sql_select.cc:20161
#18 JOIN::exec_inner (this=this@entry=0x14c128015290) at /test/10.5_dbg/sql/sql_select.cc:4455
#19 0x000055d80d2ae02f in JOIN::exec (this=this@entry=0x14c128015290) at /test/10.5_dbg/sql/sql_select.cc:4236
#20 0x000055d80d2ac2a7 in mysql_select (thd=thd@entry=0x14c128000db8, tables=0x14c1280135c0, fields=@0x14c128012ba0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14c128013560, last = 0x14c128013560, elements = 1}, <No data fields>}, conds=0x0, og_num=2, order=0x14c128015108, group=0x14c128013df0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x14c128015268, unit=0x14c128004f58, select_lex=0x14c128012a50) at /test/10.5_dbg/sql/sql_select.cc:4651
#21 0x000055d80d2ac56e in handle_select (thd=thd@entry=0x14c128000db8, lex=lex@entry=0x14c128004e90, result=result@entry=0x14c128015268, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_select.cc:417
#22 0x000055d80d21f203 in execute_sqlcom_select (thd=thd@entry=0x14c128000db8, all_tables=0x14c1280135c0) at /test/10.5_dbg/sql/sql_parse.cc:6210
#23 0x000055d80d22bf7d in mysql_execute_command (thd=thd@entry=0x14c128000db8) at /test/10.5_dbg/sql/sql_parse.cc:3932
#24 0x000055d80d217e17 in mysql_parse (thd=thd@entry=0x14c128000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14c16c07b3d0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7994
#25 0x000055d80d226133 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14c128000db8, packet=packet@entry=0x14c128008f89 "", packet_length=packet_length@entry=111, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_class.h:1254
#26 0x000055d80d22985e in do_command (thd=0x14c128000db8) at /test/10.5_dbg/sql/sql_parse.cc:1348
#27 0x000055d80d3842c6 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55d81080c0c8, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1410
#28 0x000055d80d3849cd in handle_one_connection (arg=arg@entry=0x55d81080c0c8) at /test/10.5_dbg/sql/sql_connect.cc:1312
#29 0x000055d80d839cfd in pfs_spawn_thread (arg=0x55d8107140e8) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#30 0x000014c16d9f2609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#31 0x000014c16d5e1293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.5.7 (dbg), 10.5.7 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Bug confirmed not present in:
MariaDB: 10.1.48 (dbg), 10.1.48 (opt), 10.2.35 (dbg), 10.2.35 (opt), 10.3.26 (dbg), 10.3.26 (opt), 10.4.16 (dbg), 10.4.16 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.50 (dbg), 5.6.50 (opt), 5.7.32 (dbg), 5.7.32 (opt), 8.0.22 (dbg), 8.0.22 (opt)

10.4.16 gives:

10.4.16 7eda55619654b76add275695e0a6039e60876e81 (Optimized)

10.4.16>SELECT SUM(SUM(i)) OVER W FROM t GROUP BY i WINDOW w AS (PARTITION BY i ORDER BY i) ORDER BY SUM(SUM(i)) OVER w;
+--------------------+
| SUM(SUM(i)) OVER W |
+--------------------+
|                  4 |
|                  2 |
|                  3 |
+--------------------+
3 rows in set (0.001 sec)

Comments
Comment by Varun Gupta (Inactive) [ 2020-10-27 ]

Another testcase, affecting earlier versions too

SET max_length_for_sort_data=30;
SET sql_select_limit = 3;
CREATE TABLE t1 (a DECIMAL(64,0), b INT);
INSERT INTO t1 VALUES (1,1), (2,2), (3,3), (4,4);
SET max_sort_length=8;
ANALYZE FORMAT=JSON SELECT * FROM t1 ORDER BY a+1;
SELECT * FROM t1 ORDER BY a+1;

Comment by Varun Gupta (Inactive) [ 2020-10-27 ]

Stacktrace

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff79f9859 in __GI_abort () at abort.c:79
#2  0x00007ffff7a643ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7b8e285 "%s\n")
    at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7a6c47c in malloc_printerr (str=str@entry=0x7ffff7b90670 "double free or corruption (out)") at malloc.c:5347
#4  0x00007ffff7a6e120 in _int_free (av=0x7ffff7bbfb80 <main_arena>, p=0x7fffe002bbf0, have_lock=<optimized out>) at malloc.c:4314
#5  0x000055555657ea3d in free_memory (ptr=0x7fffe002bc70) at /home/varun/MariaDB/10.2/mysys/safemalloc.c:279
#6  0x000055555657e6e6 in sf_free (ptr=0x7fffe002bc70) at /home/varun/MariaDB/10.2/mysys/safemalloc.c:197
#7  0x000055555656b96d in my_free (ptr=0x7fffe002bc70) at /home/varun/MariaDB/10.2/mysys/my_malloc.c:218
#8  0x000055555657119a in delete_queue (queue=0x7ffff1ae5db0) at /home/varun/MariaDB/10.2/mysys/queues.c:178
#9  0x0000555555dc98e0 in Bounded_queue<unsigned char, unsigned char>::~Bounded_queue (this=0x7ffff1ae5d90, __in_chrg=<optimized out>)
    at /home/varun/MariaDB/10.2/sql/bounded_queue.h:52
#10 0x0000555555dc4848 in filesort (thd=0x7fffe0000d90, table=0x7fffe0025d90, filesort=0x7fffe00174b8, tracker=0x7fffe0017b50, 
    join=0x7fffe0015540, first_table_bit=1) at /home/varun/MariaDB/10.2/sql/filesort.cc:152
#11 0x0000555555bc19d2 in create_sort_index (thd=0x7fffe0000d90, join=0x7fffe0015540, tab=0x7fffe0016998, fsort=0x7fffe00174b8)
    at /home/varun/MariaDB/10.2/sql/sql_select.cc:22062
#12 0x0000555555bbc053 in st_join_table::sort_table (this=0x7fffe0016998) at /home/varun/MariaDB/10.2/sql/sql_select.cc:19824
#13 0x0000555555bbbc9f in join_init_read_record (tab=0x7fffe0016998) at /home/varun/MariaDB/10.2/sql/sql_select.cc:19765
#14 0x0000555555bb9be4 in sub_select (join=0x7fffe0015540, join_tab=0x7fffe0016998, end_of_records=false)
    at /home/varun/MariaDB/10.2/sql/sql_select.cc:18856
#15 0x0000555555bb91bc in do_select (join=0x7fffe0015540, procedure=0x0) at /home/varun/MariaDB/10.2/sql/sql_select.cc:18403
#16 0x0000555555b92e19 in JOIN::exec_inner (this=0x7fffe0015540) at /home/varun/MariaDB/10.2/sql/sql_select.cc:3641
#17 0x0000555555b922c0 in JOIN::exec (this=0x7fffe0015540) at /home/varun/MariaDB/10.2/sql/sql_select.cc:3436
#18 0x0000555555b93482 in mysql_select (thd=0x7fffe0000d90, tables=0x7fffe0014b60, wild_num=1, fields=..., conds=0x0, og_num=1, 
    order=0x7fffe0015400, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fffe0015520, unit=0x7fffe0004988, 
    select_lex=0x7fffe00050c8) at /home/varun/MariaDB/10.2/sql/sql_select.cc:3836

Comment by Roel Van de Paar [ 2020-10-27 ]

Testing the testcase by Varun against all versions, I see some hangs, i.e. CLI unable to connect.

Full report in terms of crashes:

SET max_length_for_sort_data=30;
SET sql_select_limit = 3;
CREATE TABLE t1 (a DECIMAL(64,0), b INT);
INSERT INTO t1 VALUES (1,1), (2,2), (3,3), (4,4);
SET max_sort_length=8;
ANALYZE FORMAT=JSON SELECT * FROM t1 ORDER BY a+1;
SELECT * FROM t1 ORDER BY a+1;

Leads to:

10.6.0 5d4599f9750140f92cfdbbe4d292ae1b8dd456f8 (Optimized)

Core was generated by `/test/MD201020-mariadb-10.6.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x149054a19700 (LWP 3489565))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x0000562e4d98aa4f in my_write_core (sig=sig@entry=11) at /test/10.6_opt/mysys/stacktrace.c:424
#2  0x0000562e4d3ae130 in handle_fatal_signal (sig=11) at /test/10.6_opt/sql/signal_handler.cc:330
#3  <signal handler called>
#4  __memcmp_avx2_movbe () at ../sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S:248
#5  0x0000562e4d98a344 in insert_at (queue=queue@entry=0x149054a17450, element=0x148ff4022720 "\365&\002\364\217\024", idx=4) at /test/10.6_opt/mysys/queues.c:197
#6  0x0000562e4d98a592 in queue_insert (queue=queue@entry=0x149054a17450, element=<optimized out>) at /test/10.6_opt/mysys/queues.c:219
#7  0x0000562e4d3ac6f0 in Bounded_queue<unsigned char, unsigned char>::push (element=0x148ff401a7b8 "", this=<optimized out>) at /test/10.6_opt/sql/bounded_queue.h:178
#8  find_all_keys (found_rows=0x148ff4049ec0, pq=0x149054a17430, tempfile=0x149054a17540, buffpek_pointers=0x149054a17630, fs_info=0x148ff4049d50, select=0x148ff4013c30, param=0x149054a17480, thd=0x148ff4000c58) at /test/10.6_opt/sql/filesort.cc:951
#9  filesort (thd=0x148ff4000c58, table=table@entry=0x148ff401f5e8, filesort=filesort@entry=0x148ff4013d80, tracker=0x148ff4014478, join=join@entry=0x148ff4011db8, first_table_bit=<optimized out>) at /test/10.6_opt/sql/filesort.cc:355
#10 0x0000562e4d1f3226 in create_sort_index (thd=<optimized out>, join=0x148ff4011db8, tab=tab@entry=0x148ff4013360, fsort=0x148ff4013d80, fsort@entry=0x0) at /test/10.6_opt/sql/sql_select.cc:23850
#11 0x0000562e4d1f35b2 in st_join_table::sort_table (this=this@entry=0x148ff4013360) at /test/10.6_opt/sql/sql_select.cc:21597
#12 0x0000562e4d1f3680 in join_init_read_record (tab=0x148ff4013360) at /test/10.6_opt/sql/sql_select.cc:21536
#13 0x0000562e4d1ddc4e in sub_select (end_of_records=false, join_tab=0x148ff4013360, join=0x148ff4011db8) at /test/10.6_opt/sql/sql_select.cc:20602
#14 sub_select (join=0x148ff4011db8, join_tab=0x148ff4013360, end_of_records=<optimized out>) at /test/10.6_opt/sql/sql_select.cc:20534
#15 0x0000562e4d20c032 in do_select (procedure=<optimized out>, join=0x148ff4011db8) at /test/10.6_opt/sql/sql_select.cc:20152
#16 JOIN::exec_inner (this=0x148ff4011db8) at /test/10.6_opt/sql/sql_select.cc:4465
#17 0x0000562e4d20c2b9 in JOIN::exec (this=this@entry=0x148ff4011db8) at /test/10.6_opt/sql/sql_select.cc:4246
#18 0x0000562e4d20a367 in mysql_select (thd=0x148ff4000c58, tables=0x148ff4010a68, fields=<optimized out>, conds=0x0, og_num=1, order=0x148ff4011c30, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x148ff4011d90, unit=0x148ff4004c20, select_lex=0x148ff4010470) at /test/10.6_opt/sql/sql_select.cc:4673
#19 0x0000562e4d20ad67 in handle_select (thd=thd@entry=0x148ff4000c58, lex=lex@entry=0x148ff4004b58, result=result@entry=0x148ff4011d90, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.6_opt/sql/sql_select.cc:417
#20 0x0000562e4d19acae in execute_sqlcom_select (thd=0x148ff4000c58, all_tables=0x148ff4010a68) at /test/10.6_opt/sql/sql_parse.cc:6062
#21 0x0000562e4d1a8380 in mysql_execute_command (thd=0x148ff4000c58) at /test/10.6_opt/sql/sql_parse.cc:3784
#22 0x0000562e4d19503f in mysql_parse (thd=0x148ff4000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.6_opt/sql/sql_parse.cc:7833
#23 0x0000562e4d1a0967 in dispatch_command (command=COM_QUERY, thd=0x148ff4000c58, packet=0x148ff4008009 "ANALYZE FORMAT=JSON SELECT * FROM t1 ORDER BY a+1", packet_length=<optimized out>) at /test/10.6_opt/sql/sql_class.h:1253
#24 0x0000562e4d1a2d42 in do_command (thd=0x148ff4000c58) at /test/10.6_opt/sql/sql_parse.cc:1343
#25 0x0000562e4d2a66e1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x562e4fbbc4a8, put_in_cache=put_in_cache@entry=true) at /test/10.6_opt/sql/sql_connect.cc:1410
#26 0x0000562e4d2a6b5d in handle_one_connection (arg=arg@entry=0x562e4fbbc4a8) at /test/10.6_opt/sql/sql_connect.cc:1312
#27 0x0000562e4d62c266 in pfs_spawn_thread (arg=0x562e4fb6fa28) at /test/10.6_opt/storage/perfschema/pfs.cc:2201
#28 0x0000149057aaf609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#29 0x000014905769e293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Also interesting is some of the output from error logs, for example:

10.3.26 9b46d8e5c4108b0c55f8df3aa9abd8dd344d7688 (Debug)

Version: '10.3.26-MariaDB-debug'  socket: '/test/MD211020-mariadb-10.3.26-linux-x86_64-dbg/socket.sock'  port: 13675  MariaDB Server
Error: Freeing overrun buffer 0x1506a4028250 at 0x563b2adf30a4, 0x563b2ade38fb, mysys/safemalloc.c:194, mysys/my_malloc.c:225, sql/sql_array.h:43, sql/filesort.cc:350, sql/sql_select.cc:22927, sql/sql_select.cc:20691
Allocated at sql/sql_select.cc:20631, sql/filesort_utils.cc:138, sql/filesort.cc:1373, sql/sql_select.cc:22927, sql/sql_select.cc:20691, sql/sql_select.cc:20631, sql/sql_select.cc:19712, sql/sql_select.cc:19255
Error: Freeing overrun buffer 0x1506a4026f60 at sql/sql_select.cc:3912, mysys/safemalloc.c:194, mysys/my_malloc.c:225, sql/sql_array.h:43, sql/filesort.cc:350, sql/sql_select.cc:22927, sql/sql_select.cc:20691, sql/sql_select.cc:20631
Allocated at sql/sql_select.cc:19712, sql/filesort_utils.cc:138, sql/filesort.cc:1373, sql/sql_select.cc:22927, sql/sql_select.cc:20691, sql/sql_select.cc:20631, sql/sql_select.cc:19712, sql/sql_select.cc:19255
201028  9:20:50 [ERROR] mysqld got signal 11 ;

Bug confirmed present in:
MariaDB: 10.1.48 (dbg), 10.1.48 (opt), 10.2.35 (dbg), 10.2.35 (opt), 10.3.26 (dbg), 10.3.26 (opt), 10.4.16 (dbg), 10.4.16 (opt), 10.5.7 (dbg), 10.5.7 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Bug confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.50 (dbg), 5.6.50 (opt), 5.7.32 (dbg), 5.7.32 (opt), 8.0.22 (dbg), 8.0.22 (opt)
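
The two safemalloc reports quoted above carry enough structure to triage mechanically. The following Python script is an added example, not part of this ticket or of MariaDB: it parses that exact error-log excerpt (embedded as the sample) into the overrun buffer address, the freeing and allocating call sites and the fatal-signal line, and lists the frames shared by both stacks. The Report/Overrun records and the function names are this example's own.

```python
"""Triage helper for MariaDB debug-build error logs (added example, not MariaDB code):
extracts safemalloc "Freeing overrun buffer" reports and the "mysqld got signal" line.
Report/Overrun and the function names below are this example's own assumptions."""
import re
from dataclasses import dataclass, field

# Error-log excerpt quoted in the ticket (10.3.26 debug build), embedded to run offline.
SAMPLE_LOG = """\
Version: '10.3.26-MariaDB-debug'  socket: '/test/MD211020-mariadb-10.3.26-linux-x86_64-dbg/socket.sock'  port: 13675  MariaDB Server
Error: Freeing overrun buffer 0x1506a4028250 at 0x563b2adf30a4, 0x563b2ade38fb, mysys/safemalloc.c:194, mysys/my_malloc.c:225, sql/sql_array.h:43, sql/filesort.cc:350, sql/sql_select.cc:22927, sql/sql_select.cc:20691
Allocated at sql/sql_select.cc:20631, sql/filesort_utils.cc:138, sql/filesort.cc:1373, sql/sql_select.cc:22927, sql/sql_select.cc:20691, sql/sql_select.cc:20631, sql/sql_select.cc:19712, sql/sql_select.cc:19255
Error: Freeing overrun buffer 0x1506a4026f60 at sql/sql_select.cc:3912, mysys/safemalloc.c:194, mysys/my_malloc.c:225, sql/sql_array.h:43, sql/filesort.cc:350, sql/sql_select.cc:22927, sql/sql_select.cc:20691, sql/sql_select.cc:20631
Allocated at sql/sql_select.cc:19712, sql/filesort_utils.cc:138, sql/filesort.cc:1373, sql/sql_select.cc:22927, sql/sql_select.cc:20691, sql/sql_select.cc:20631, sql/sql_select.cc:19712, sql/sql_select.cc:19255
201028  9:20:50 [ERROR] mysqld got signal 11 ;
"""

VERSION_RE = re.compile(r"^Version: '([^']+)'")
OVERRUN_RE = re.compile(r"^Error: Freeing overrun buffer (0x[0-9a-f]+) at (.+)$")
ALLOC_RE = re.compile(r"^Allocated at (.+)$")
SIGNAL_RE = re.compile(r"\[ERROR\] mysqld got signal (\d+)")

@dataclass
class Overrun:
    buffer: str                                      # buffer written past its end
    free_sites: list                                 # stack where the overrun was detected (free)
    alloc_sites: list = field(default_factory=list)  # stack of the allocation

    def first_source_site(self):
        """First free-stack frame resolved to file:line (skips bare addresses)."""
        return next((s for s in self.free_sites if not s.startswith("0x")), None)

@dataclass
class Report:
    version: str = ""
    overruns: list = field(default_factory=list)
    signal: int = 0                                  # 0 when no fatal-signal line was seen

def _sites(text):
    return [s.strip() for s in text.split(",") if s.strip()]

def parse_error_log(text):
    """Parse the log; an 'Allocated at' line is attached to the overrun just before it."""
    rep, current = Report(), None
    for line in text.splitlines():
        if m := VERSION_RE.match(line):
            rep.version = m.group(1)
        elif m := OVERRUN_RE.match(line):
            current = Overrun(m.group(1), _sites(m.group(2)))
            rep.overruns.append(current)
        elif (m := ALLOC_RE.match(line)) and current is not None:
            current.alloc_sites = _sites(m.group(1))
            current = None
        elif m := SIGNAL_RE.search(line):
            rep.signal = int(m.group(1))
    return rep

def common_frames(ov):
    """Frames in both the free and the allocation stack, in free-stack order:
    the callers that both created and released the overrun buffer."""
    alloc, out = set(ov.alloc_sites), []
    for site in ov.free_sites:
        if site in alloc and site not in out:
            out.append(site)
    return out
```

For the sample both overruns resolve to the filesort path (sql/filesort.cc:350 on the free side, sql/filesort.cc:1373 on the allocation side), which is the same area the gdb backtraces point at.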

Comment by Roel Van de Paar [ 2020-10-28 ]

I left the regression tag as the first testcase is by itself a regression in 10.5/10.6.

Comment by Sergei Petrunia [ 2020-10-30 ]

Ok to push.
