[MDEV-28080] Crash when using HAVING with NOT EXIST predicate in an equality Created: 2022-03-16  Updated: 2022-05-03  Resolved: 2022-04-29

Status: Closed
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 10.9.0, 10.4, 10.5, 10.6, 10.7, 10.8
Fix Version/s: 10.4.25, 10.5.16, 10.6.8, 10.7.4

Type: Bug Priority: Blocker
Reporter: Jingzhou Fu Assignee: Igor Babaev
Resolution: Duplicate Votes: 0
Labels: None
Environment:

Linux jie-2 5.4.143-1-pve #1 SMP PVE 5.4.143-1 (Tue, 28 Sep 2021 09:10:37 +0200) x86_64 x86_64 x86_64 GNU/Linux


Issue Links:
Duplicate
duplicates MDEV-26402 A SEGV in Item_field::used_tables/upd... Closed
Relates
relates to MDEV-25084 Assertion `fixed' or Assertion `i->is... Confirmed

Description

PoC:

CREATE TABLE v2 ( v3 INT ( 29 ) ) ;
SELECT ( 'x' ) FROM v2 GROUP BY v3 HAVING v3 = ( NOT EXISTS ( SELECT * WHERE 'x' ) ) ;

report (compiled with ASAN):

Thread pointer: 0x7f0dac000c58
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f0e10057e30 thread_stack 0x49000
mysys/stacktrace.c:212(my_print_stacktrace)[0xe12bae]
sql/signal_handler.cc:226(handle_fatal_signal)[0x973f04]
sigaction.c:0(__restore_rt)[0x7f0e1b8b53c0]
sql/item_subselect.cc:4026(subselect_single_select_engine::exec())[0xa36cdc]
sql/item_subselect.cc:858(Item_subselect::exec())[0xa2e4bc]
sql/item_subselect.cc:1872(Item_exists_subselect::val_bool())[0xa30a1e]
sql/item_cmpfunc.cc:202(Item_func_not::val_int())[0x9a6739]
sql/sql_type.cc:8716(Type_handler_int_result::Item_eq_value(THD*, Type_cmp_attributes const*, Item*, Item*) const)[0x8d676c]
sql/item_cmpfunc.cc:6746(Item_equal::add_const(THD*, Item*))[0x9b79d8]
??:0(Item_equal::merge_with_check(THD*, Item_equal*, bool))[0x9b7d7b]
sql/sql_list.h:429(base_list_iterator::next())[0x7aec59]
sql/field.h:429(Context)[0x899f87]
??:0(JOIN::optimize_inner())[0x79112c]
??:0(JOIN::optimize())[0x78af00]
sql/sql_select.cc:4993(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x785468]
sql/sql_select.cc:543(handle_select(THD*, LEX*, select_result*, unsigned long))[0x785330]
sql/sql_parse.cc:6252(execute_sqlcom_select(THD*, TABLE_LIST*))[0x754fea]
??:0(mysql_execute_command(THD*, bool))[0x74ef77]
sql/sql_class.h:2734(THD::enter_stage(PSI_stage_info_v1 const*, char const*, char const*, unsigned int))[0x74b207]
sql/sql_parse.cc:1896(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x7490c7]
sql/sql_parse.cc:1404(do_command(THD*, bool))[0x74b65e]
sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x85bf2e]
sql/sql_connect.cc:1318(handle_one_connection)[0x85bd4d]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0xb8496e]
nptl/pthread_create.c:478(start_thread)[0x7f0e1b8a9609]
??:0(clone)[0x7f0e1b5c9163]
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x7f0dac010b50): SELECT ( 'x' ) FROM v2 GROUP BY v3 HAVING v3 = ( NOT EXISTS ( SELECT * WHERE 'x' ) )



Comments
Comment by Alice Sherepa [ 2022-03-18 ]

Thanks! I repeated it on 10.4-10.8; a temporary workaround: optimizer_switch='condition_pushdown_from_having=off';

set optimizer_switch='condition_pushdown_from_having=on';
CREATE TABLE t1 (a int);
SELECT 1 FROM t1 GROUP BY a HAVING a= (NOT EXISTS (SELECT 1));

10.4 069139a549a62f26d566c1ae

Version: '10.4.25-MariaDB-debug-log'  
mysqld: /10.4/src/sql/item_subselect.cc:1799: virtual bool Item_exists_subselect::val_bool(): Assertion `fixed == 1' failed.
220318  9:59:21 [ERROR] mysqld got signal 6 ;
 
Server version: 10.4.25-MariaDB-debug-log
 
sql/item_subselect.cc:1800(Item_exists_subselect::val_bool())[0x556271a47cd1]
sql/item_cmpfunc.cc:200(Item_func_not::val_int())[0x5562718d37cc]
sql/sql_type.cc:8270(Type_handler_int_result::Item_eq_value(THD*, Type_cmp_attributes const*, Item*, Item*) const)[0x5562715ebf52]
sql/item_cmpfunc.cc:6653(Item_equal::add_const(THD*, Item*))[0x5562719154b6]
sql/item_cmpfunc.cc:6779(Item_equal::merge_with_check(THD*, Item_equal*, bool))[0x556271915b63]
sql/sql_select.cc:17242(propagate_new_equalities(THD*, Item*, List<Item_equal>*, COND_EQUAL*, bool*))[0x55627119c974]
sql/opt_subselect.cc:6012(and_new_conditions_to_optimized_cond(THD*, Item*, COND_EQUAL**, List<Item>&, Item::cond_result*))[0x55627155f154]
sql/sql_select.cc:2091(JOIN::optimize_inner())[0x5562711299ac]
sql/sql_select.cc:1659(JOIN::optimize())[0x556271124bda]
sql/sql_select.cc:4749(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x5562711459c9]
sql/sql_select.cc:436(handle_select(THD*, LEX*, select_result*, unsigned long))[0x556271116c70]
sql/sql_parse.cc:6449(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55627108525f]
sql/sql_parse.cc:3963(mysql_execute_command(THD*))[0x556271072b3e]
sql/sql_parse.cc:7995(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55627108e74d]
sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x556271064ed4]
sql/sql_parse.cc:1373(do_command(THD*))[0x556271061951]
sql/sql_connect.cc:1420(do_handle_one_connection(CONNECT*))[0x55627145d30d]
sql/sql_connect.cc:1317(handle_one_connection)[0x55627145ca66]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55627215e09d]
nptl/pthread_create.c:478(start_thread)[0x7f119acb6609]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7f119a887163]
 
Query (0x62b0000a1290): SELECT 1 FROM t1 GROUP BY a HAVING a= (NOT EXISTS (SELECT 1))

On 10.6+ the assertion was renamed - 10.6/src/sql/item_subselect.cc:1872: virtual bool Item_exists_subselect::val_bool(): Assertion `fixed()' failed.
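For an operator who has to decide which servers in a fleet still need the workaround above, here is a small triage helper. It is an added example, not code from the Jira issue or from MariaDB; it only uses facts on this page: the fix versions in the header (10.4.25, 10.5.16, 10.6.8, 10.7.4), the affected series 10.8 and 10.9 for which no fix version is listed, and the optimizer_switch flag named in the comment. The function and variable names, and the sample VERSION()/@@optimizer_switch values, are the example's own constructions.

```python
"""Triage helper for MDEV-28080 (added example; not part of the Jira issue).

Given the output of SELECT VERSION() and SELECT @@optimizer_switch, decide
whether a server release predates the fix for its series and whether the
workaround from the comments (condition_pushdown_from_having=off) is active.
"""
import re

# Earliest release of each affected series carrying the fix (from the issue header).
FIXED_IN = {
    (10, 4): (10, 4, 25),
    (10, 5): (10, 5, 16),
    (10, 6): (10, 6, 8),
    (10, 7): (10, 7, 4),
}
# Series the issue marks as affected without listing a fix version.
AFFECTED_NO_FIX_LISTED = {(10, 8), (10, 9)}

# The optimizer_switch flag the workaround turns off (from the comment above).
WORKAROUND_FLAG = "condition_pushdown_from_having"


def parse_version(version_string):
    """Extract (major, minor, patch) from a VERSION() string such as
    '10.4.25-MariaDB-debug-log'. Raises ValueError if no x.y.z prefix exists."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_string):
    """True if the release predates the fix for its series, False if it carries
    the fix, None for series the issue does not mention.
    Note: pre-release builds labelled with the fix version (like the
    10.4.25 debug build in the comments) cannot be told apart from the release."""
    major, minor, patch = parse_version(version_string)
    series = (major, minor)
    if series in FIXED_IN:
        return (major, minor, patch) < FIXED_IN[series]
    if series in AFFECTED_NO_FIX_LISTED:
        return True
    return None


def parse_optimizer_switch(value):
    """Turn the comma-separated 'name=on,name=off,...' value of
    @@optimizer_switch into {'name': True/False}."""
    flags = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, state = item.partition("=")
        flags[name.strip()] = state.strip().lower() == "on"
    return flags


def triage(version_string, optimizer_switch_value):
    """Classify one server for this issue."""
    affected = is_affected(version_string)
    if affected is None:
        return "unknown series"
    if not affected:
        return "fixed"
    flags = parse_optimizer_switch(optimizer_switch_value)
    if flags.get(WORKAROUND_FLAG) is False:
        return "affected, workaround active"
    return "affected, exposed"


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and values).
    inventory = [
        ("db-a", "10.4.24-MariaDB", "index_merge=on,condition_pushdown_from_having=on"),
        ("db-b", "10.4.24-MariaDB", "index_merge=on,condition_pushdown_from_having=off"),
        ("db-c", "10.6.8-MariaDB-log", "condition_pushdown_from_having=on"),
        ("db-d", "10.8.2-MariaDB", "condition_pushdown_from_having=on"),
    ]
    for host, version, switch in inventory:
        print(f"{host}: {version} -> {triage(version, switch)}")
```

Servers reported as "affected, exposed" are the ones on which a single unprivileged SELECT of the shape in the description brings the server down; applying the SET from the comment (globally, and persistently in the configuration file) moves them to "affected, workaround active" until they can be upgraded to the listed fix version.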

Comment by Igor Babaev [ 2022-04-28 ]

This bug has actually been fixed by the patch for MDEV-26402. Only a test case for MDEV-28080 will be added to 10.4.

Comment by Igor Babaev [ 2022-04-29 ]

Here's a more general test case that causes the same crash:

CREATE TABLE t1 (a int);
CREATE TABLE t2 (b int);
INSERT INTO t1 VALUES (0), (1), (1), (0);
INSERT INTO t2 VALUES (3), (7);
 
SELECT a FROM t1 
  GROUP BY a HAVING a= (NOT EXISTS (SELECT b FROM t2 WHERE b = 1));
SELECT a FROM t1 
  GROUP BY a HAVING a= (NOT EXISTS (SELECT b FROM t2 WHERE b = 7));
 
DROP TABLE t1, t2;

Comment by Igor Babaev [ 2022-04-29 ]

A test case for this bug was pushed into 10.4.

Generated at Thu Feb 08 09:57:54 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.