[MDEV-28034] SIGSEGV in Item_args::walk_args and libstdc++ __cxa_pure_virtual terminate/SIGABRT in Item::check_type_scalar Created: 2022-03-10  Updated: 2023-06-14  Resolved: 2023-06-14

Status: Closed
Project: MariaDB Server
Component/s: Virtual Columns
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9
Fix Version/s: N/A

Type: Bug Priority: Critical
Reporter: Roel Van de Paar Assignee: Nikita Malyavin
Resolution: Cannot Reproduce Votes: 0
Labels: affects-tests, crash, regression

Issue Links:
Relates
relates to MDEV-24176 Server crashes after insert in the ta... Closed
relates to MDEV-27920 Galera node crashes when inserting ro... Closed

Description

Seems related to MDEV-27920.
Interestingly, only 10.2 optimized does not crash, so it is a regression of sorts. It would be interesting to find out why that version does not crash.

# Important note: This bug can only be reproduced by a C-based client, like pquery. CLI replay will not reproduce the bug
CREATE TABLE t (c INT,c2 CHAR AS (CONCAT ('',DAYNAME ('')))) COLLATE utf8_bin ENGINE=InnoDB;
SELECT * FROM t WHERE c2='2010-10-01 00:00:00' LIMIT 2;
INSERT INTO t SET c=CONCAT (REPEAT ('',0),'','');

Leads to:

10.9.0 4a2a9c02cd6611ef36bbb735c2b483dbc83580d4 (Optimized)

Core was generated by `/test/MD260222-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x14c3600c9700 (LWP 3506817))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x000014c362e48859 in __GI_abort () at abort.c:79
#2  0x000014c363207911 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#3  0x000014c36321338c in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#4  0x000014c3632133f7 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#5  0x000014c363214155 in __cxa_pure_virtual () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#6  0x0000557e4718b901 in Item::check_type_scalar (this=this@entry=0x14c2c4012d28, opname=@0x14c3600c7520: {str = 0x557e479c1046 "concat", length = 6}) at /test/10.9_opt/sql/item.cc:1121
#7  0x0000557e471df1e0 in Item_func::check_argument_types_scalar (this=0x14c2c401d2f0, start=<optimized out>, end=<optimized out>) at /test/10.9_opt/sql/item_func.cc:271
#8  0x0000557e471d95d1 in Item_func::fix_fields (ref=<optimized out>, thd=0x14c2c4000c58, this=0x14c2c401d2f0) at /test/10.9_opt/sql/item_func.cc:357
#9  Item_func::fix_fields (this=this@entry=0x14c2c401d2f0, thd=thd@entry=0x14c2c4000c58, ref=<optimized out>) at /test/10.9_opt/sql/item_func.cc:314
#10 0x0000557e4720ed56 in Item_str_func::fix_fields (this=0x14c2c401d2f0, thd=0x14c2c4000c58, ref=<optimized out>) at /test/10.9_opt/sql/item_strfunc.cc:127
#11 0x0000557e47005683 in fix_vcol_expr (thd=0x14c2c4000c58, vcol=0x14c2c401d3b8) at /test/10.9_opt/sql/table.cc:3596
#12 0x0000557e46eb2677 in TABLE::fix_vcol_exprs (this=0x14c2c40178b8, thd=0x14c2c4000c58) at /test/10.9_opt/sql/sql_base.cc:5442
#13 0x0000557e46eb2b9e in fix_all_session_vcol_exprs (tables=0x14c2c40109c8, thd=0x14c2c4000c58) at /test/10.9_opt/sql/sql_base.cc:5478
#14 lock_tables (thd=thd@entry=0x14c2c4000c58, tables=0x14c2c40109c8, count=<optimized out>, flags=flags@entry=0) at /test/10.9_opt/sql/sql_base.cc:5662
#15 0x0000557e46eb43e2 in open_and_lock_tables (thd=thd@entry=0x14c2c4000c58, options=<optimized out>, tables=<optimized out>, tables@entry=0x14c2c40109c8, derived=derived@entry=true, flags=flags@entry=0, prelocking_strategy=<optimized out>) at /test/10.9_opt/sql/sql_base.cc:5274
#16 0x0000557e46ee9b2a in open_and_lock_tables (flags=<optimized out>, derived=<optimized out>, tables=<optimized out>, thd=<optimized out>) at /test/10.9_opt/sql/sql_base.h:509
#17 open_and_lock_for_insert_delayed (table_list=<optimized out>, thd=<optimized out>) at /test/10.9_opt/sql/sql_insert.cc:628
#18 mysql_insert (thd=thd@entry=0x14c2c4000c58, table_list=0x14c2c40109c8, fields=@0x14c2c4005d60: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14c2c4011628, last = 0x14c2c4011628, elements = 1}, <No data fields>}, values_list=@0x14c2c4005da8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14c2c40110c8, last = 0x14c2c40110c8, elements = 1}, <No data fields>}, update_fields=@0x14c2c4005d90: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x557e480c83b0 <end_of_list>, last = 0x14c2c4005d90, elements = 0}, <No data fields>}, update_values=@0x14c2c4005d78: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x557e480c83b0 <end_of_list>, last = 0x14c2c4005d78, elements = 0}, <No data fields>}, duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /test/10.9_opt/sql/sql_insert.cc:753
#19 0x0000557e46f255cf in mysql_execute_command (thd=0x14c2c4000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:4562
#20 0x0000557e46f14e26 in mysql_parse (thd=0x14c2c4000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:8027
#21 0x0000557e46f20fd5 in dispatch_command (command=COM_QUERY, thd=0x14c2c4000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.9_opt/sql/sql_class.h:1362
#22 0x0000557e46f231c7 in do_command (thd=0x14c2c4000c58, blocking=blocking@entry=true) at /test/10.9_opt/sql/sql_parse.cc:1402
#23 0x0000557e47042b47 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/10.9_opt/sql/sql_connect.cc:1418
#24 0x0000557e47042e8d in handle_one_connection (arg=arg@entry=0x557e4a201b88) at /test/10.9_opt/sql/sql_connect.cc:1312
#25 0x0000557e473bc631 in pfs_spawn_thread (arg=0x557e4a1b9908) at /test/10.9_opt/storage/perfschema/pfs.cc:2201
#26 0x000014c363359609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#27 0x000014c362f45163 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.9.0 4a2a9c02cd6611ef36bbb735c2b483dbc83580d4 (Debug)

Core was generated by `/test/MD260222-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00005556522235f9 in Item_args::walk_args (arg=0x0, walk_subquery=false, 
    processor=<optimized out>, this=0x148c000277f0)
    at /test/10.9_dbg/sql/item.h:2741
[Current thread is 1 (Thread 0x148c7815b700 (LWP 1143402))]
(gdb) bt
#0  0x00005556522235f9 in Item_args::walk_args (arg=0x0, walk_subquery=false, processor=<optimized out>, this=0x148c000277f0) at /test/10.9_dbg/sql/item.h:2741
#1  Item_func_or_sum::walk (this=0x148c00027780, processor=<optimized out>, walk_subquery=false, arg=0x0) at /test/10.9_dbg/sql/item.h:5437
#2  0x0000555652466ec3 in fix_session_vcol_expr (thd=thd@entry=0x148c00000db8, vcol=0x148c00027848) at /test/10.9_dbg/sql/table.cc:3622
#3  0x00005556522a7608 in TABLE::fix_vcol_exprs (this=0x148c0001f6a8, thd=thd@entry=0x148c00000db8) at /test/10.9_dbg/sql/sql_base.cc:5442
#4  0x00005556522a7cd8 in fix_all_session_vcol_exprs (tables=0x148c00013ee8, thd=0x148c00000db8) at /test/10.9_dbg/sql/sql_base.cc:5478
#5  lock_tables (thd=thd@entry=0x148c00000db8, tables=0x148c00013ee8, count=<optimized out>, flags=flags@entry=0) at /test/10.9_dbg/sql/sql_base.cc:5662
#6  0x00005556522a9ab9 in open_and_lock_tables (thd=thd@entry=0x148c00000db8, options=<optimized out>, tables=<optimized out>, tables@entry=0x148c00013ee8, derived=derived@entry=true, flags=flags@entry=0, prelocking_strategy=prelocking_strategy@entry=0x148c78159cb0) at /test/10.9_dbg/sql/sql_base.cc:5274
#7  0x00005556522f92e4 in open_and_lock_tables (flags=0, derived=true, tables=0x148c00013ee8, thd=0x148c00000db8) at /test/10.9_dbg/sql/sql_base.h:509
#8  mysql_insert (thd=thd@entry=0x148c00000db8, table_list=0x148c00013ee8, fields=@0x148c00006080: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x148c00014b48, last = 0x148c00014b48, elements = 1}, <No data fields>}, values_list=@0x148c000060c8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x148c000145e8, last = 0x148c000145e8, elements = 1}, <No data fields>}, update_fields=@0x148c000060b0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55565398f9a0 <end_of_list>, last = 0x148c000060b0, elements = 0}, <No data fields>}, update_values=@0x148c00006098: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55565398f9a0 <end_of_list>, last = 0x148c00006098, elements = 0}, <No data fields>}, duplic=DUP_ERROR, ignore=false, result=0x0) at /test/10.9_dbg/sql/sql_insert.cc:758
#9  0x0000555652341958 in mysql_execute_command (thd=thd@entry=0x148c00000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.9_dbg/sql/sql_parse.cc:4562
#10 0x000055565232c343 in mysql_parse (thd=thd@entry=0x148c00000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x148c7815a400) at /test/10.9_dbg/sql/sql_parse.cc:8027
#11 0x000055565233afdf in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x148c00000db8, packet=packet@entry=0x148c0000b889 "INSERT INTO t SET c=CONCAT (REPEAT ('',0),'','');", packet_length=packet_length@entry=49, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_class.h:1362
#12 0x000055565233e426 in do_command (thd=0x148c00000db8, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:1402
#13 0x00005556524b9036 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5556569548a8, put_in_cache=put_in_cache@entry=true) at /test/10.9_dbg/sql/sql_connect.cc:1418
#14 0x00005556524b963b in handle_one_connection (arg=arg@entry=0x5556569548a8) at /test/10.9_dbg/sql/sql_connect.cc:1312
#15 0x000055565293fd23 in pfs_spawn_thread (arg=0x555656897328) at /test/10.9_dbg/storage/perfschema/pfs.cc:2201
#16 0x0000148c828cc609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#17 0x0000148c824b8163 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.2.44 (dbg), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.44 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.37 (dbg), 5.7.37 (opt), 8.0.28 (dbg), 8.0.28 (opt)

Comments
Comment by Marko Mäkelä [ 2022-03-10 ]

Here is a simpler test that repeats a crash just fine in mtr, without using InnoDB at all, and without any type mismatch:

CREATE TABLE t (c DATETIME,c2 CHAR AS (CONCAT ('',DAYNAME (c))))
COLLATE utf8_bin;
SELECT * FROM t WHERE c2='';
INSERT INTO t SET c=NULL;

10.6 36a19f94ce102be87b22fdc7ad147ab7d5ed4331

mysqltest: At line 4: query 'INSERT INTO t SET c=NULL' failed: <Unknown> (2013): Lost connection to server during query

It is important that the WHERE clause in the SELECT statement refers to the virtual column.

AddressSanitizer will tell us more about the out-of-bounds access:

10.6 36a19f94ce102be87b22fdc7ad147ab7d5ed4331

==439907==ERROR: AddressSanitizer: use-after-poison on address 0x62b000079728 at pc 0x55895b0504af bp 0x7fcca04e0a60 sp 0x7fcca04e0a58
READ of size 8 at 0x62b000079728 thread T5
#6  0x00007fcca51d04ec in __asan::__asan_report_load8 (addr=<optimized out>) at ../../../../src/libsanitizer/asan/asan_rtl.cpp:123
#7  0x000055895b0504af in Item_args::walk_args (this=this@entry=0x619000088cf8, processor=&virtual table offset 824, walk_subquery=walk_subquery@entry=false, arg=arg@entry=0x0) at /mariadb/10.6/sql/item.h:2741
#8  0x000055895b050605 in Item_func_or_sum::walk (this=0x619000088c88, processor=<optimized out>, walk_subquery=<optimized out>, arg=<optimized out>) at /mariadb/10.6/sql/item.h:5432
#9  0x000055895b3dceae in fix_session_vcol_expr (thd=thd@entry=0x62b000070218, vcol=0x61d0001f18b8) at /mariadb/10.6/sql/table.cc:3622
#10 0x000055895b03ab86 in TABLE::fix_vcol_exprs (this=this@entry=0x619000087f98, thd=thd@entry=0x62b000070218) at /mariadb/10.6/sql/sql_base.cc:5442
#11 0x000055895b03adc5 in fix_all_session_vcol_exprs (thd=thd@entry=0x62b000070218, tables=tables@entry=0x62b000077340) at /mariadb/10.6/sql/sql_base.cc:5478
#12 0x000055895b03b8b5 in lock_tables (thd=thd@entry=0x62b000070218, tables=0x62b000077340, count=<optimized out>, flags=flags@entry=0) at /mariadb/10.6/sql/sql_base.cc:5662
#13 0x000055895b03db6f in open_and_lock_tables (thd=thd@entry=0x62b000070218, options=<optimized out>, tables=tables@entry=0x62b000077340, derived=derived@entry=true, flags=flags@entry=0, 
    prelocking_strategy=prelocking_strategy@entry=0x7fcca04e0d60) at /mariadb/10.6/sql/sql_base.cc:5274
#14 0x000055895afbb161 in open_and_lock_tables (thd=thd@entry=0x62b000070218, tables=tables@entry=0x62b000077340, derived=derived@entry=true, flags=flags@entry=0) at /mariadb/10.6/sql/sql_base.h:509
#15 0x000055895b0d7374 in mysql_insert (thd=thd@entry=0x62b000070218, table_list=0x62b000077340, fields=…

The memory had been freed (or poisoned) earlier at the end of the execution of the SELECT statement:

#1  0x00007fcca51c998e in __asan_poison_memory_region (addr=<optimized out>, size=<optimized out>) at ../../../../src/libsanitizer/asan/asan_poisoning.cpp:134
#2  0x000055895b99c062 in Item::operator delete (size=216, ptr=0x62b000079728) at /mariadb/10.6/sql/item.h:855
#3  Item_func_conv_charset::~Item_func_conv_charset (this=0x62b000079728, __in_chrg=<optimized out>) at /mariadb/10.6/sql/item_strfunc.h:1693
#4  0x000055895b095f1e in Item::delete_self (this=0x62b000079728) at /mariadb/10.6/sql/item.h:2522
#5  0x000055895b07a950 in Query_arena::free_items (this=this@entry=0x62b000070230) at /mariadb/10.6/sql/sql_class.cc:3846
#6  0x000055895b080bc7 in THD::cleanup_after_query (this=this@entry=0x62b000070218) at /mariadb/10.6/sql/sql_class.cc:2305
#7  0x000055895b175453 in mysql_parse (thd=thd@entry=0x62b000070218, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7fcca04e1b60) at /mariadb/10.6/sql/sql_parse.cc:8053
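
An added illustration (not MariaDB code, and not part of Marko's comment) of the lifetime mismatch his AddressSanitizer output describes: a charset-conversion node allocated from the per-statement arena is spliced into the table-cached virtual-column expression, the statement arena is freed at the end of the SELECT, and the next statement's walk follows the dangling pointer. Arena, Table::mem_root, count_foreign_nodes and the other names are hypothetical; that the Item_func_conv_charset was statement-allocated is an assumption read from the trace, and the "fixed" variant simply allocates it from the table's own arena instead.

```cpp
#include <memory>
#include <string>
#include <vector>

// Hypothetical model, not MariaDB code: an expression node, its children
// (like Item_args::args) and the arena that allocated it.
struct Arena;

struct Item {
  std::string name;
  Arena* owner;             // arena that handed this node out
  std::vector<Item*> args;  // child nodes
  Item(std::string n, Arena* a) : name(std::move(n)), owner(a) {}
};

// An allocation scope. free_items() destroys every Item it allocated,
// the way Query_arena::free_items() does when a statement ends.
struct Arena {
  std::string label;
  std::vector<std::unique_ptr<Item>> items;
  explicit Arena(std::string l) : label(std::move(l)) {}
  Item* alloc(const std::string& name) {
    items.push_back(std::make_unique<Item>(name, this));
    return items.back().get();
  }
  void free_items() { items.clear(); }
};

// A cached table: its virtual-column expression outlives any one statement.
struct Table {
  Arena mem_root{"table"};
  Item* vcol_expr = nullptr;
};

// Builds the tree for c2 AS (CONCAT('', DAYNAME(c))) in the table's own arena.
static Item* build_vcol_expr(Table& t) {
  Item* concat = t.mem_root.alloc("Item_func_concat");
  Item* empty = t.mem_root.alloc("Item_string('')");
  Item* dayname = t.mem_root.alloc("Item_func_dayname");
  Item* c = t.mem_root.alloc("Item_field(c)");
  dayname->args.push_back(c);
  concat->args.push_back(empty);
  concat->args.push_back(dayname);
  return concat;
}

// Recursive walk that counts nodes; stands in for Item::walk / walk_args.
static int count_nodes(const Item* root) {
  int n = 1;
  for (const Item* a : root->args) n += count_nodes(a);
  return n;
}

// Debug audit: how many nodes reachable from root are owned by an arena
// other than the table's. Any non-zero answer means the cached tree will
// dangle as soon as the statement arena is freed.
static int count_foreign_nodes(const Item* root, const Arena* table_arena) {
  int n = (root->owner == table_arena) ? 0 : 1;
  for (const Item* a : root->args) n += count_foreign_nodes(a, table_arena);
  return n;
}

// Statement-time fix_fields that wraps CONCAT's first argument in a charset
// conversion node (the ASan trace shows an Item_func_conv_charset freed and
// later walked). The modelled defect: the wrapper comes from the statement
// arena yet is spliced into the table-owned tree.
static void fix_fields_for_statement(Table& t, Arena& stmt_arena, bool use_table_arena) {
  Arena& a = use_table_arena ? t.mem_root : stmt_arena;
  Item* conv = a.alloc("Item_func_conv_charset");
  conv->args.push_back(t.vcol_expr->args[0]);
  t.vcol_expr->args[0] = conv;
}

struct Outcome {
  int foreign_nodes;     // statement-owned nodes in the cached tree, audited before the free
  int nodes_after_free;  // tree size walked after the free, or -1 when that would be unsafe
};

// SELECT (fix_fields, then arena cleanup) followed by the INSERT's walk.
Outcome run_two_statements(bool use_table_arena) {
  Table t;
  t.vcol_expr = build_vcol_expr(t);

  Arena select_arena{"stmt:SELECT"};
  fix_fields_for_statement(t, select_arena, use_table_arena);
  Outcome o{count_foreign_nodes(t.vcol_expr, &t.mem_root), -1};
  select_arena.free_items();  // THD::cleanup_after_query -> Query_arena::free_items

  // INSERT: fix_session_vcol_expr walks the cached tree again. Walk it only
  // when the audit proved every node is table-owned; otherwise this read is
  // exactly the use-after-poison reported above.
  if (o.foreign_nodes == 0) o.nodes_after_free = count_nodes(t.vcol_expr);
  return o;
}
```

The count_foreign_nodes audit is the kind of check worth running as a debug assertion right after a virtual-column expression is fixed for a statement: a non-zero result before Query_arena::free_items runs exposes the bug at its origin, rather than waiting for ASan to catch the read in a later statement.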

Comment by Roel Van de Paar [ 2022-03-10 ]

Thank you Marko

Comment by Roel Van de Paar [ 2022-03-11 ]

Note to self: additional testcase previously reduced, requires pquery

CREATE TABLE t (c INT,c2 CHAR(1) AS (CONCAT ('',DAYNAME ('')))) COLLATE utf8_bin;
SELECT * FROM t WHERE c2 IN (1);
INSERT INTO t VALUES (1);

Comment by Roel Van de Paar [ 2022-04-09 ]

Additional testcase (idem)

CREATE TABLE t (c INT,c2 CHAR(1) AS (CONCAT ('',DAYNAME ('')))) ENGINE=InnoDB COLLATE utf8_bin;
SELECT * FROM t WHERE c2 IN (1);
INSERT INTO t VALUES (1);

Comment by Roel Van de Paar [ 2022-04-09 ]

Partially new stacks with this testcase:

CREATE TABLE t (c INT,c2 CHAR AS (CONCAT ('',DAYNAME ('')))) COLLATE utf8_bin;
SELECT c,c2 FROM t;
SELECT HEX(c),HEX (c2) FROM t;

Leads to:

10.9.0 ef930dcad58ae6c3f334a32bd63e26c65fd66fa6 (Debug)

Core was generated by `/test/MD050422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000556e9b7016b9 in Item_args::walk_args (arg=0x0, walk_subquery=true, 
    processor=<optimized out>, this=0x148e68027740)
    at /test/10.9_dbg/sql/item.h:2741
2741	      if (args[i]->walk(processor, walk_subquery, arg))
[Current thread is 1 (Thread 0x148f10050700 (LWP 698270))]
(gdb) bt
#0  0x0000556e9b7016b9 in Item_args::walk_args (arg=0x0, walk_subquery=true, processor=<optimized out>, this=0x148e68027740) at /test/10.9_dbg/sql/item.h:2741
#1  Item_func_or_sum::walk (this=0x148e680276d0, processor=<optimized out>, walk_subquery=true, arg=0x0) at /test/10.9_dbg/sql/item.h:5437
#2  0x0000556e9b77c3d7 in TABLE::mark_virtual_column_deps (field=0x148e68026220, this=0x148e6801f508) at /test/10.9_dbg/sql/item.h:7757
#3  TABLE::mark_column_with_deps (field=0x148e68026220, this=0x148e6801f508) at /test/10.9_dbg/sql/item.h:7739
#4  update_field_dependencies (thd=thd@entry=0x148e68000db8, field=field@entry=0x148e68026220, table=table@entry=0x148e6801f508) at /test/10.9_dbg/sql/sql_base.cc:5783
#5  0x0000556e9b7881af in find_field_in_table (thd=thd@entry=0x148e68000db8, table=0x148e6801f508, name=name@entry=0x148e68014560 "c2", length=length@entry=2, allow_rowid=allow_rowid@entry=true, cached_field_index_ptr=cached_field_index_ptr@entry=0x148e68014650) at /test/10.9_dbg/sql/sql_base.cc:6069
#6  0x0000556e9b788966 in find_field_in_table_ref (thd=thd@entry=0x148e68000db8, table_list=table_list@entry=0x148e68014800, name=name@entry=0x148e68014560 "c2", length=length@entry=2, item_name=0x148e68014560 "c2", db_name=db_name@entry=0x0, table_name=0x0, ignored_tables=0x0, ref=0x148e68014720, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x148e68014650, register_tree_change=true, actual_table=0x148f1004e128) at /test/10.9_dbg/sql/sql_base.cc:6198
#7  0x0000556e9b7899d1 in find_field_in_tables (thd=thd@entry=0x148e68000db8, item=item@entry=0x148e68014568, first_table=<optimized out>, last_table=0x0, ignored_tables=0x0, ref=ref@entry=0x148e68014720, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at /test/10.9_dbg/sql/sql_base.cc:6512
#8  0x0000556e9bb64518 in Item_field::fix_fields (this=0x148e68014568, thd=0x148e68000db8, reference=0x148e68014720) at /test/10.9_dbg/sql/item.cc:6003
#9  0x0000556e9bbb9b3a in Item::fix_fields_if_needed (ref=0x148e68014720, thd=0x148e68000db8, this=<optimized out>) at /test/10.9_dbg/sql/item.h:1144
#10 Item_func::fix_fields (this=this@entry=0x148e680146a8, thd=thd@entry=0x148e68000db8, ref=<optimized out>) at /test/10.9_dbg/sql/item_func.cc:347
#11 0x0000556e9bc057f8 in Item_str_func::fix_fields (this=0x148e680146a8, thd=0x148e68000db8, ref=<optimized out>) at /test/10.9_dbg/sql/item_strfunc.cc:127
#12 0x0000556e9b78a776 in Item::fix_fields_if_needed (ref=0x148e680147a0, thd=0x148e68000db8, this=0x148e680146a8) at /test/10.9_dbg/sql/item.h:1148
#13 Item::fix_fields_if_needed_for_scalar (ref=0x148e680147a0, thd=0x148e68000db8, this=0x148e680146a8) at /test/10.9_dbg/sql/item.h:1148
#14 setup_fields (thd=0x148e68000db8, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=column_usage@entry=MARK_COLUMNS_READ, sum_func_list=sum_func_list@entry=0x148e68015b48, pre_fix=0x148e68014130, allow_sum_func=true) at /test/10.9_dbg/sql/sql_base.cc:7722
#15 0x0000556e9b899d9a in JOIN::prepare (this=this@entry=0x148e680157e0, tables_init=tables_init@entry=0x148e68014800, conds_init=conds_init@entry=0x0, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x148e68013e78, unit_arg=0x148e680051c8) at /test/10.9_dbg/sql/sql_select.cc:1395
#16 0x0000556e9b8b24e1 in mysql_select (thd=thd@entry=0x148e68000db8, tables=0x148e68014800, fields=@0x148e68014118: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x148e68014530, last = 0x148e68014798, elements = 2}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x148e680157b8, unit=0x148e680051c8, select_lex=0x148e68013e78) at /test/10.9_dbg/sql/sql_select.cc:4982
#17 0x0000556e9b8b2808 in handle_select (thd=thd@entry=0x148e68000db8, lex=lex@entry=0x148e680050f0, result=result@entry=0x148e680157b8, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.9_dbg/sql/sql_select.cc:543
#18 0x0000556e9b811b96 in execute_sqlcom_select (thd=thd@entry=0x148e68000db8, all_tables=0x148e68014800) at /test/10.9_dbg/sql/sql_parse.cc:6268
#19 0x0000556e9b81eb7e in mysql_execute_command (thd=thd@entry=0x148e68000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.9_dbg/sql/sql_parse.cc:3959
#20 0x0000556e9b80ae23 in mysql_parse (thd=thd@entry=0x148e68000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x148f1004f400) at /test/10.9_dbg/sql/sql_parse.cc:8043
#21 0x0000556e9b819a23 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x148e68000db8, packet=packet@entry=0x148e6800b889 "SELECT HEX(c),HEX (c2) FROM t;", packet_length=packet_length@entry=30, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_class.h:1362
#22 0x0000556e9b81ce74 in do_command (thd=0x148e68000db8, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:1407
#23 0x0000556e9b999d2a in do_handle_one_connection (connect=<optimized out>, connect@entry=0x556e9e79cb08, put_in_cache=put_in_cache@entry=true) at /test/10.9_dbg/sql/sql_connect.cc:1418
#24 0x0000556e9b99a32f in handle_one_connection (arg=arg@entry=0x556e9e79cb08) at /test/10.9_dbg/sql/sql_connect.cc:1312
#25 0x0000556e9be247a5 in pfs_spawn_thread (arg=0x556e9e6b0128) at /test/10.9_dbg/storage/perfschema/pfs.cc:2201
#26 0x0000148f1431a609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#27 0x0000148f13f06163 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.37 (dbg), 5.7.37 (opt), 8.0.28 (dbg), 8.0.28 (opt)

Additional UniqueID's observed with this testcase:

SIGSEGV|Item_args::walk_args|Item_func_or_sum::walk|TABLE::mark_virtual_column_deps|TABLE::mark_column_with_deps
SIGSEGV|Item_args::walk_args|Item_func_or_sum::walk|TABLE::mark_virtual_col|TABLE::mark_virtual_col
SIGSEGV|Item_args::walk_args|Item_func_or_sum::walk|TABLE::mark_virtual_col|update_field_dependencies

Comment by Rex Johnston [ 2023-01-31 ]

Marko's test doesn't crash with my patch for MDEV-28622.

Comment by Nikita Malyavin [ 2023-05-15 ]

Roel, is there any way to reproduce your issue with mysqltest, or another easy way?
I tried every test from the ticket; none succeeded, nor did Marko's (though MDEV-28622 is still in review, so I suppose it is not merged).

Comment by Roel Van de Paar [ 2023-05-20 ]

Tested extensively and the issue is no longer present in recent builds. Builds from 12 May 23 no longer show the issue. There must have been some fix/patch somewhere. I am OK with closing this, though it would be good to know where the fix came from I suppose.
