[#MDEV-24931] Assertion `prefix_size <= width' failed in Bitmap<width>::is_prefix(uint) & UBSAN: shift exponent 32 is too large for 32-bit type 'int' in generate_derived_keys_for

10.5 16388f39

mariadbd: /data/src/10.5/sql/sql_bitmap.h:136: bool Bitmap<width>::is_prefix(uint) const [with unsigned int width = 64; uint = unsigned int]: Assertion `prefix_size <= width' failed.

210220 17:05:10 [ERROR] mysqld got signal 6 ;

#7  0x00007fe11d136f36 in __GI___assert_fail (assertion=0x55b6654a6a4d "prefix_size <= width", file=0x55b6654a6a68 "/data/src/10.5/sql/sql_bitmap.h", line=136, function=0x55b6654a6a88 "bool Bitmap<width>::is_prefix(uint) const [with unsigned int width = 64; uint = unsigned int]") at assert.c:101

#8  0x000055b664761d66 in Bitmap<64u>::is_prefix (this=0x7fe1182f13b0, prefix_size=65) at /data/src/10.5/sql/sql_bitmap.h:136

#9  0x000055b664713794 in make_join_statistics (join=0x7fe0fc0768b0, tables_list=..., keyuse_array=0x7fe0fc076ba0) at /data/src/10.5/sql/sql_select.cc:5283

#10 0x000055b664708aa8 in JOIN::optimize_inner (this=0x7fe0fc0768b0) at /data/src/10.5/sql/sql_select.cc:2255

#11 0x000055b664706595 in JOIN::optimize (this=0x7fe0fc0768b0) at /data/src/10.5/sql/sql_select.cc:1627

#12 0x000055b6647119a8 in mysql_select (thd=0x7fe0fc000db8, tables=0x7fe0fc015960, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fe0fc070a58, unit=0x7fe0fc004f60, select_lex=0x7fe0fc015370) at /data/src/10.5/sql/sql_select.cc:4705

#13 0x000055b6647014bf in handle_select (thd=0x7fe0fc000db8, lex=0x7fe0fc004e98, result=0x7fe0fc070a58, setup_tables_done_option=0) at /data/src/10.5/sql/sql_select.cc:417

#14 0x000055b6646c3e83 in execute_sqlcom_select (thd=0x7fe0fc000db8, all_tables=0x7fe0fc015960) at /data/src/10.5/sql/sql_parse.cc:6282

#15 0x000055b6646baf0d in mysql_execute_command (thd=0x7fe0fc000db8) at /data/src/10.5/sql/sql_parse.cc:3978

#16 0x000055b6646c8d2a in mysql_parse (thd=0x7fe0fc000db8, rawbuf=0x7fe0fc0152d0 "SELECT * FROM v1 NATURAL JOIN t1", length=32, parser_state=0x7fe1182f2510, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:8063

#17 0x000055b6646b4c8f in dispatch_command (command=COM_QUERY, thd=0x7fe0fc000db8, packet=0x7fe0fc00b589 "SELECT * FROM v1 NATURAL JOIN t1", packet_length=32, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:1889

#18 0x000055b6646b3483 in do_command (thd=0x7fe0fc000db8) at /data/src/10.5/sql/sql_parse.cc:1370

#19 0x000055b664861689 in do_handle_one_connection (connect=0x55b667b28428, put_in_cache=true) at /data/src/10.5/sql/sql_connect.cc:1410

#20 0x000055b6648613ec in handle_one_connection (arg=0x55b667a31e48) at /data/src/10.5/sql/sql_connect.cc:1312

#21 0x000055b664dc1e35 in pfs_spawn_thread (arg=0x55b667b28068) at /data/src/10.5/storage/perfschema/pfs.cc:2201

#22 0x00007fe11d64e609 in start_thread (arg=<optimized out>) at pthread_create.c:477

#23 0x00007fe11d222293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

I also ran into this bug. In my case, I could only reproduce on InnoDB, not MyISAM. 10.4+ only as well.

CREATE TABLE t (c1 INT,c2 INT,c3 INT,c4 INT,c5 INT,c6 INT,c7 INT,c8 INT,c9 INT,c10 INT,c11 INT,c12 INT,c13 INT,c14 INT,c15 INT,c16 INT,c17 INT,c18 INT,c19 INT,c20 INT,c21 INT,c22 INT,c23 INT,c24 INT,c25 INT,c26 INT,c27 INT,c28 INT,c29 INT,c30 INT,c31 INT,c32 INT,c33 INT,c34 INT,c35 INT,c36 INT,c37 INT,c38 INT,c39 INT,c40 INT,c41 INT,c42 INT,c43 INT,c44 INT,c45 INT,c46 INT,c47 INT,c48 INT,c49 INT,c50 INT,c51 INT,c52 INT,c53 INT,c54 INT,c55 INT,c56 INT,c57 INT,c58 INT,c59 INT,c60 INT,c61 INT,c62 INT,c63 INT,c64 INT,c65 INT) ENGINE=InnoDB;

CREATE TEMPORARY TABLE t (c INT);

SET SESSION optimizer_switch='derived_merge=OFF';

DROP TABLE t;

SELECT * FROM t AS a NATURAL JOIN (SELECT * FROM t) AS b;

11.0.1 b075191ba8598af6aff5549e6e19f6255aef258a (Debug)
mysqld: /test/11.0_dbg/sql/sql_bitmap.h:136: bool Bitmap<width>::is_prefix(uint) const [with unsigned int width = 64; uint = unsigned int]: Assertion `prefix_size <= width' failed.

11.0.1 b075191ba8598af6aff5549e6e19f6255aef258a (Debug)
Core was generated by `/test/MD090123-mariadb-11.0.1-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=23173295412800)
at ./nptl/pthread_kill.c:44
[Current thread is 1 (Thread 0x1513740a9640 (LWP 543104))]
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=23173295412800) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=23173295412800) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=23173295412800, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x000015138c73f476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x000015138c7257f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x000015138c72571b in __assert_fail_base (fmt=0x15138c8da150 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x565522ebce30 "prefix_size <= width", file=0x565522e92090 "/test/11.0_dbg/sql/sql_bitmap.h", line=136, function=<optimized out>) at ./assert/assert.c:92
#6 0x000015138c736e96 in __GI___assert_fail (assertion=0x565522ebce30 "prefix_size <= width", file=0x565522e92090 "/test/11.0_dbg/sql/sql_bitmap.h", line=136, function=0x565522ec00d8 "bool Bitmap<width>::is_prefix(uint) const [with unsigned int width = 64; uint = unsigned int]") at ./assert/assert.c:101
#7 0x00005655224dd837 in Bitmap<64u>::is_prefix (prefix_size=65, this=<synthetic pointer>) at /test/11.0_dbg/sql/sql_bitmap.h:136
#8 make_join_statistics (join=join@entry=0x151334085210, tables_list=@0x151334013418: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x15133408bd10, last = 0x15133408bd20, elements = 2}, <No data fields>}, keyuse_array=keyuse_array@entry=0x151334085560) at /test/11.0_dbg/sql/sql_select.cc:5663
#9 0x00005655224e5b70 in JOIN::optimize_inner (this=this@entry=0x151334085210) at /test/11.0_dbg/sql/sql_select.cc:2534
#10 0x00005655224e6064 in JOIN::optimize (this=this@entry=0x151334085210) at /test/11.0_dbg/sql/sql_select.cc:1870
#11 0x00005655224e6154 in mysql_select (thd=thd@entry=0x151334000d58, tables=0x1513340137f0, fields=@0x1513340134a0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x151334013798, last = 0x1513340b0c40, elements = 65}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x151334016d20, unit=0x151334004f98, select_lex=0x151334013200) at /test/11.0_dbg/sql/sql_select.cc:5066
#12 0x00005655224e691a in handle_select (thd=thd@entry=0x151334000d58, lex=lex@entry=0x151334004ec0, result=result@entry=0x151334016d20, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.0_dbg/sql/sql_select.cc:581
#13 0x00005655224521d3 in execute_sqlcom_select (thd=thd@entry=0x151334000d58, all_tables=0x1513340137f0) at /test/11.0_dbg/sql/sql_parse.cc:6265
#14 0x000056552245d650 in mysql_execute_command (thd=thd@entry=0x151334000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.0_dbg/sql/sql_parse.cc:3949
#15 0x0000565522464934 in mysql_parse (thd=thd@entry=0x151334000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1513740a82c0) at /test/11.0_dbg/sql/sql_parse.cc:8000
#16 0x0000565522466ac8 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x151334000d58, packet=packet@entry=0x15133400ae09 "SELECT * FROM t AS a NATURAL JOIN (SELECT * FROM t) AS b", packet_length=packet_length@entry=56, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_class.h:243
#17 0x0000565522468921 in do_command (thd=0x151334000d58, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_parse.cc:1407
#18 0x00005655225b29ea in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5655247ad558, put_in_cache=put_in_cache@entry=true) at /test/11.0_dbg/sql/sql_connect.cc:1416
#19 0x00005655225b2c4e in handle_one_connection (arg=0x5655247ad558) at /test/11.0_dbg/sql/sql_connect.cc:1318
#20 0x000015138c791b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#21 0x000015138c823a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Bug confirmed present in:
MariaDB: 10.4.28 (dbg), 10.5.19 (dbg), 10.6.12 (dbg), 10.7.8 (dbg), 10.8.7 (dbg), 10.9.5 (dbg), 10.10.3 (dbg), 10.11.2 (dbg), 11.0.1 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.38 (dbg), 10.3.38 (opt), 10.4.28 (opt), 10.5.19 (opt), 10.6.12 (opt), 10.7.8 (opt), 10.8.7 (opt), 10.9.5 (opt), 10.10.3 (opt), 10.11.2 (opt), 11.0.1 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.40 (dbg), 5.7.40 (opt), 8.0.31 (dbg), 8.0.31 (opt)

10.11.2 70be59913c90e93fe5136d6f6df03c4254aa515d (Debug, UBASAN)

2023-01-13 18:22:00 0 [Note] /test/UBASAN_MD070123-mariadb-10.11.2-linux-x86_64-dbg/bin/mysqld: ready for connections.

Version: '10.11.2-MariaDB-debug'  socket: '/test/UBASAN_MD070123-mariadb-10.11.2-linux-x86_64-dbg/socket.sock'  port: 11513  MariaDB Server

/test/10.11_dbg_san/sql/sql_select.cc:13035:46: runtime error: shift exponent 32 is too large for 32-bit type 'int'

    #0 0x55affec089e6 in generate_derived_keys_for_table /test/10.11_dbg_san/sql/sql_select.cc:13035

    #1 0x55affec089e6 in generate_derived_keys /test/10.11_dbg_san/sql/sql_select.cc:13134

    #2 0x55affec089e6 in sort_and_filter_keyuse(JOIN*, st_dynamic_array*, bool) /test/10.11_dbg_san/sql/sql_select.cc:7357

    #3 0x55affeda4db8 in make_join_statistics /test/10.11_dbg_san/sql/sql_select.cc:5500

    #4 0x55affede0a03 in JOIN::optimize_inner() /test/10.11_dbg_san/sql/sql_select.cc:2534

    #5 0x55affede289f in JOIN::optimize() /test/10.11_dbg_san/sql/sql_select.cc:1870

    #6 0x55affede2ebd in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.11_dbg_san/sql/sql_select.cc:5066

    #7 0x55affede7632 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/10.11_dbg_san/sql/sql_select.cc:581

    #8 0x55affe983b1c in execute_sqlcom_select /test/10.11_dbg_san/sql/sql_parse.cc:6265

    #9 0x55affe9e4419 in mysql_execute_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:3949

    #10 0x55affea13a74 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_dbg_san/sql/sql_parse.cc:8000

    #11 0x55affea237d2 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1894

    #12 0x55affea3159c in do_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1407

    #13 0x55afff3cf495 in do_handle_one_connection(CONNECT*, bool) /test/10.11_dbg_san/sql/sql_connect.cc:1416

    #14 0x55afff3d09b0 in handle_one_connection /test/10.11_dbg_san/sql/sql_connect.cc:1318

    #15 0x14883faa8b42 in start_thread nptl/pthread_create.c:442

    #16 0x14883fb3a9ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

mysqld: /test/10.11_dbg_san/sql/sql_bitmap.h:136: bool Bitmap<width>::is_prefix(uint) const [with unsigned int width = 64; uint = unsigned int]: Assertion `prefix_size <= width' failed.

230113 18:22:01 [ERROR] mysqld got signal 6 ;

[MDEV-24931] Assertion `prefix_size <= width' failed in Bitmap<width>::is_prefix(uint) & UBSAN: shift exponent 32 is too large for 32-bit type 'int' in generate_derived_keys_for_table Created: 2021-02-20 Updated: 2023-11-28
Status:	Confirmed
Project:	MariaDB Server
Component/s:	Optimizer, Server, Storage Engine - InnoDB, Views
Affects Version/s:	10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0
Fix Version/s:	10.4, 10.5, 10.6, 10.11

[MDEV-24931] Assertion `prefix_size <= width' failed in Bitmap<width>::is_prefix(uint) & UBSAN: shift exponent 32 is too large for 32-bit type 'int' in generate_derived_keys_for_table Created: 2021-02-20 Updated: 2023-11-28