[#MDEV-28510] SIGSEGV in get_sort_by_table and SIGSEGV in subquery_types_allow

[MDEV-28510] SIGSEGV in get_sort_by_table and SIGSEGV in subquery_types_allow_materialization Created: 2022-05-08 Updated: 2023-09-04 Resolved: 2023-01-24
Status:	Closed
Project:	MariaDB Server
Component/s:	Optimizer, Parser
Affects Version/s:	10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11
Fix Version/s:	10.11.2, 10.3.38, 10.4.28, 10.5.19, 10.6.12, 10.7.8, 10.8.7, 10.9.5, 10.10.3

Type:

Bug

Priority:

Major

Reporter:

Shihao Wen

Assignee:

Sergei Petrunia

Resolution:

Fixed

Votes:

Labels:

affects-tests, fuzzer, semi-join

Attachments:

274_stack

Issue Links:

Duplicate
is duplicated by	~~MDEV-28516~~	SIGSEGV in get_sort_by_table, UBSAN: ...	Closed
PartOf
is part of	~~MDEV-30052~~	Crash with a query containing nested ...	Closed
Relates
relates to	~~MDEV-19569~~	Assertion `table_list->table' failed ...	Closed
relates to	~~MDEV-28505~~	Server crash in sql/sql_select.cc:198...	Closed

Description

Original testcase (reduced version in comments below):

CREATE TABLE v1071 ( v1072 BOOLEAN NOT NULL ) ;

 ( ( SELECT v1072 FROM v1071 ORDER BY v1072 + v1072 , v1072 + v1072 ) ) ;

 UPDATE v1071 SET v1072 = 'x' WHERE v1072 = CASE WHEN v1072 * ( SELECT 0 FROM v1071 AS v1073 WHERE v1072 BETWEEN 70743860.000000 AND 22 WINDOW v1086 AS ( PARTITION BY v1072 ORDER BY ( SELECT DISTINCT 0 FROM ( SELECT v1072 FROM ( SELECT DISTINCT ( ( NOT ( 87472356.000000 AND v1072 = 0 ) ) = 49 AND v1072 = 30 ) % 0 , ( v1072 = 255 OR v1072 > 'x' ) FROM v1071 WHERE v1072 = 46 AND ( v1072 = 10 OR v1072 = 80 OR v1072 = -1 ) ) AS v1074 NATURAL JOIN v1071 WHERE ( v1072 = 127 OR v1072 = 16 ) NOT LIKE 'x' AND CASE v1072 * 8 = 0 WHEN 2147483647 THEN 'x' WHEN -128 THEN 'x' ELSE 8 END != 4 GROUP BY v1072 , 71777162.000000 / 91619124.000000 WINDOW v1087 AS ( PARTITION BY v1072 ORDER BY ( SELECT DISTINCT 76 FROM v1071 AS v1083 , v1071 AS v1084 , v1071 AS v1085 , v1071 ) DESC RANGE BETWEEN 66948404.000000 FOLLOWING AND 67858344.000000 FOLLOWING ) ) AS v1079 NATURAL JOIN v1071 AS v1080 , v1071 AS v1081 , v1071 AS v1082 JOIN v1071 ) DESC RANGE BETWEEN 26683913.000000 FOLLOWING AND 30593825.000000 FOLLOWING ) ) ^ v1072 THEN 'x' ELSE v1072 END / 16 ;

 INSERT INTO v1071 ( v1072 ) VALUES ( 86 ) , ( -32768 ) ;

 SELECT STDDEV_SAMP ( v1072 ) OVER v1088 , STDDEV_SAMP ( v1072 ) OVER v1088 FROM v1071 WINDOW v1088 AS ( PARTITION BY v1072 ORDER BY v1072 DESC ) ;

Leads to:

10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Optimized)
Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 get_sort_by_table (const_tables=0, tables=..., b=<optimized out>, a=0x0)
at /test/10.9_opt/sql/sql_select.cc:25516
[Current thread is 1 (Thread 0x14c418129700 (LWP 3725953))]
(gdb) bt
#0 get_sort_by_table (const_tables=0, tables=@0x14c374011cb0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14c37406ea28, last = 0x14c37406ea28, elements = 1}, <No data fields>}, b=<optimized out>, a=0x0) at /test/10.9_opt/sql/sql_select.cc:25516
#1 make_join_statistics (keyuse_array=0x14c37406e790, tables_list=@0x14c374011cb0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14c37406ea28, last = 0x14c37406ea28, elements = 1}, <No data fields>}, join=0x14c37406e470) at /test/10.9_opt/sql/sql_select.cc:5643
#2 JOIN::optimize_inner (this=0x14c37406e470) at /test/10.9_opt/sql/sql_select.cc:2495
#3 0x0000562a257cc6d3 in JOIN::optimize (this=this@entry=0x14c37406e470) at /test/10.9_opt/sql/sql_select.cc:1837
#4 0x0000562a25730464 in st_select_lex::optimize_unflattened_subqueries (this=0x14c3740054b0, const_only=const_only@entry=true) at /test/10.9_opt/sql/sql_lex.cc:4916
#5 0x0000562a258b2455 in JOIN::optimize_constant_subqueries (this=this@entry=0x14c37406d238) at /test/10.9_opt/sql/opt_subselect.cc:5622
#6 0x0000562a257c8f67 in JOIN::optimize_inner (this=0x14c37406d238) at /test/10.9_opt/sql/sql_select.cc:2157
#7 0x0000562a257cc6d3 in JOIN::optimize (this=this@entry=0x14c37406d238) at /test/10.9_opt/sql/sql_select.cc:1837
#8 0x0000562a257cc7be in mysql_select (thd=thd@entry=0x14c374000c58, tables=tables@entry=0x14c374010fa0, fields=@0x14c418127ec0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x562a267d16d0 <end_of_list>, last = 0x14c418127ec0, elements = 0}, <No data fields>}, conds=conds@entry=0x14c374053f20, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x14c37406d128, unit=0x14c374004cb8, select_lex=0x14c3740054b0) at /test/10.9_opt/sql/sql_select.cc:5022
#9 0x0000562a2582ce05 in mysql_multi_update (thd=thd@entry=0x14c374000c58, table_list=0x14c374010fa0, fields=fields@entry=0x14c374005750, values=values@entry=0x14c374005b80, conds=0x14c374053f20, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x14c374004cb8, select_lex=0x14c3740054b0, result=0x14c4181280b0) at /test/10.9_opt/sql/sql_update.cc:1969
#10 0x0000562a2575cda1 in mysql_execute_command (thd=0x14c374000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:4504
#11 0x0000562a2574ba55 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14c374000c58) at /test/10.9_opt/sql/sql_parse.cc:8046
#12 mysql_parse (thd=0x14c374000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:7968
#13 0x0000562a2575771a in dispatch_command (command=COM_QUERY, thd=0x14c374000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.9_opt/sql/sql_class.h:1364
#14 0x0000562a25759642 in do_command (thd=0x14c374000c58, blocking=blocking@entry=true) at /test/10.9_opt/sql/sql_parse.cc:1408
#15 0x0000562a2586e5bf in do_handle_one_connection (connect=<optimized out>, connect@entry=0x562a28fe5d38, put_in_cache=put_in_cache@entry=true) at /test/10.9_opt/sql/sql_connect.cc:1418
#16 0x0000562a2586e89d in handle_one_connection (arg=0x562a28fe5d38) at /test/10.9_opt/sql/sql_connect.cc:1312
#17 0x000014c43d5d0609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x000014c43d1bc133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Debug)
Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 get_sort_by_table (const_tables=<optimized out>, tables=...,
b=<optimized out>, a=0x0) at /test/10.9_dbg/sql/sql_select.cc:25516
[Current thread is 1 (Thread 0x15000412d700 (LWP 3726887))]
(gdb) bt
#0 get_sort_by_table (const_tables=<optimized out>, tables=@0x14ff880151d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14ff88097750, last = 0x14ff88097750, elements = 1}, <No data fields>}, b=<optimized out>, a=0x0) at /test/10.9_dbg/sql/sql_select.cc:25516
#1 make_join_statistics (join=join@entry=0x14ff88097198, tables_list=@0x14ff880151d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14ff88097750, last = 0x14ff88097750, elements = 1}, <No data fields>}, keyuse_array=keyuse_array@entry=0x14ff880974b8) at /test/10.9_dbg/sql/sql_select.cc:5643
#2 0x000056217facd52c in JOIN::optimize_inner (this=this@entry=0x14ff88097198) at /test/10.9_dbg/sql/sql_select.cc:2495
#3 0x000056217facd96c in JOIN::optimize (this=this@entry=0x14ff88097198) at /test/10.9_dbg/sql/sql_select.cc:1837
#4 0x000056217fa12462 in st_select_lex::optimize_unflattened_subqueries (this=0x14ff880057d0, const_only=const_only@entry=true) at /test/10.9_dbg/sql/sql_lex.cc:4916
#5 0x000056217fbfef3d in JOIN::optimize_constant_subqueries (this=this@entry=0x14ff88095f60) at /test/10.9_dbg/sql/opt_subselect.cc:5622
#6 0x000056217facc490 in JOIN::optimize_inner (this=this@entry=0x14ff88095f60) at /test/10.9_dbg/sql/sql_select.cc:2157
#7 0x000056217facd96c in JOIN::optimize (this=this@entry=0x14ff88095f60) at /test/10.9_dbg/sql/sql_select.cc:1837
#8 0x000056217facda5f in mysql_select (thd=thd@entry=0x14ff88000db8, tables=tables@entry=0x14ff880144c0, fields=@0x15000412bea0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x562180f10bc0 <end_of_list>, last = 0x15000412bea0, elements = 0}, <No data fields>}, conds=conds@entry=0x14ff8807c970, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2200096997504, result=0x14ff88095e50, unit=0x14ff88004fd8, select_lex=0x14ff880057d0) at /test/10.9_dbg/sql/sql_select.cc:5022
#9 0x000056217fb4692d in mysql_multi_update (thd=thd@entry=0x14ff88000db8, table_list=0x14ff880144c0, fields=fields@entry=0x14ff88005a70, values=values@entry=0x14ff88005ea0, conds=0x14ff8807c970, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x14ff88004fd8, select_lex=0x14ff880057d0, result=0x15000412c080) at /test/10.9_dbg/sql/sql_update.cc:1969
#10 0x000056217fa47e60 in mysql_execute_command (thd=thd@entry=0x14ff88000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.9_dbg/sql/sql_parse.cc:4504
#11 0x000056217fa3467b in mysql_parse (thd=thd@entry=0x14ff88000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x15000412c470) at /test/10.9_dbg/sql/sql_parse.cc:8046
#12 0x000056217fa41f79 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14ff88000db8, packet=packet@entry=0x14ff8800b699 "UPDATE v1071 SET v1072 = 'x' WHERE v1072 = CASE WHEN v1072 * ( SELECT 0 FROM v1071 AS v1073 WHERE v1072 BETWEEN 70743860.000000 AND 22 WINDOW v1086 AS ( PARTITION BY v1072 ORDER BY ( SELECT DISTINCT 0"..., packet_length=packet_length@entry=1044, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_class.h:1364
#13 0x000056217fa44686 in do_command (thd=0x14ff88000db8, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:1408
#14 0x000056217fba1d02 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x562182aba788, put_in_cache=put_in_cache@entry=true) at /test/10.9_dbg/sql/sql_connect.cc:1418
#15 0x000056217fba220b in handle_one_connection (arg=0x562182aba788) at /test/10.9_dbg/sql/sql_connect.cc:1312
#16 0x00001500321f1609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#17 0x0000150031ddd133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt), 10.10.0 (dbg), 10.10.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.37 (dbg), 5.7.37 (opt), 8.0.28 (dbg), 8.0.28 (opt)

Comments

Comment by Alice Sherepa [ 2022-05-18 ]

test is derived from the reported test case, but I added table t2, because otherwise in 10.2 "target for 'UPDATE' and as a separate source for data":

CREATE TABLE t1 ( a int );

insert into t1 values (1),(2),(3); #

CREATE TABLE t2 ( a int );

insert into t2 values (1),(2),(3); #

UPDATE t2 SET a = 5 WHERE

(SELECT 1 FROM t1

WINDOW w1 AS (ORDER BY (SELECT 1 FROM

	(SELECT 1 FROM (SELECT a=10 FROM t1) dt1 NATURAL JOIN t1 GROUP BY a

     WINDOW w2 AS (order by a)) dt )));

bb-10.2-release 84984b79f27399d01

220518 14:47:43 [ERROR] mysqld got signal 11 ;

Server version: 10.2.44-MariaDB-debug-log

mysys/stacktrace.c:172(my_print_stacktrace)[0x55e5589d2f90]
sql/signal_handler.cc:221(handle_fatal_signal)[0x55e5577096c0]
sql/sql_select.cc:23196(get_sort_by_table(st_order, st_order, List<TABLE_LIST>&, unsigned long long))[0x55e5571ee3f9]
sql/sql_select.cc:4356(make_join_statistics(JOIN, List<TABLE_LIST>&, st_dynamic_array))[0x55e557167661]
sql/sql_select.cc:1597(JOIN::optimize_inner())[0x55e55714c1c7]
sql/sql_select.cc:1127(JOIN::optimize())[0x55e5571474d4]
sql/sql_lex.cc:3867(st_select_lex::optimize_unflattened_subqueries(bool))[0x55e557077efe]
sql/sql_update.cc:393(mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, enum_duplicates, bool, unsigned long long, unsigned long long))[0x55e557338ddb]
sql/sql_parse.cc:4056(mysql_execute_command(THD*))[0x55e5570a0923]
sql/sql_parse.cc:7793(mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool))[0x55e5570bb8ae]
sql/sql_parse.cc:1830(dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool))[0x55e5570928fb]
sql/sql_parse.cc:1381(do_command(THD*))[0x55e55708f32c]
sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x55e55743c1f2]
sql/sql_connect.cc:1242(handle_one_connection)[0x55e55743bab3]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55e5588d7766]
nptl/pthread_create.c:487(start_thread)[0x7f770672bfa3]
x86_64/clone.S:97(clone)[0x7f7705ad2eff]

Query (0x62b000000290): UPDATE t2 SET a = 5 WHERE
(SELECT 1 FROM t1
WINDOW w1 AS (ORDER BY (SELECT 1 FROM
(SELECT 1 FROM (SELECT a=10 FROM t1) dt1 NATURAL JOIN t1 GROUP BY a
WINDOW w2 AS (order by a)) dt )))

Comment by Roel Van de Paar [ 2022-05-27 ]

UBSAN from the original testcase:

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug, UBASAN)
/test/10.9_dbg_san/sql/sql_select.cc:25485:21: runtime error: member access within null pointer of type 'struct TABLE_LIST'
#0 0x556cd8bd45ed in get_sort_by_table /test/10.9_dbg_san/sql/sql_select.cc:25485
#1 0x556cd8bd45ed in make_join_statistics /test/10.9_dbg_san/sql/sql_select.cc:5614
#2 0x556cd8c11d13 in JOIN::optimize_inner() /test/10.9_dbg_san/sql/sql_select.cc:2466
#3 0x556cd8c13a30 in JOIN::optimize() /test/10.9_dbg_san/sql/sql_select.cc:1808
#4 0x556cd85fa04d in st_select_lex::optimize_unflattened_subqueries(bool) /test/10.9_dbg_san/sql/sql_lex.cc:4916
#5 0x556cd95837a5 in JOIN::optimize_constant_subqueries() /test/10.9_dbg_san/sql/opt_subselect.cc:5622
#6 0x556cd8c0958d in JOIN::optimize_inner() /test/10.9_dbg_san/sql/sql_select.cc:2128
#7 0x556cd8c13a30 in JOIN::optimize() /test/10.9_dbg_san/sql/sql_select.cc:1808
#8 0x556cd8c17260 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.9_dbg_san/sql/sql_select.cc:4993
#9 0x556cd900acc1 in mysql_multi_update(THD, TABLE_LIST, List<Item>, List<Item>, Item, unsigned long long, enum_duplicates, bool, st_select_lex_unit, st_select_lex, multi_update*) /test/10.9_dbg_san/sql/sql_update.cc:1969
#10 0x556cd87f3823 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:4502
#11 0x556cd874d728 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
#12 0x556cd87c344e in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
#13 0x556cd87d9fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
#14 0x556cd92a6c4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
#15 0x556cd92a9ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
#16 0x556cdb802c62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
#17 0x14dddca97608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#18 0x14dddbd0c132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

UBSAN from the reduced testcase above:

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug, UBASAN)
/test/10.9_dbg_san/sql/sql_select.cc:25485:21: runtime error: member access within null pointer of type 'struct TABLE_LIST'
#0 0x55ada08d95ed in get_sort_by_table /test/10.9_dbg_san/sql/sql_select.cc:25485
#1 0x55ada08d95ed in make_join_statistics /test/10.9_dbg_san/sql/sql_select.cc:5614
#2 0x55ada0916d13 in JOIN::optimize_inner() /test/10.9_dbg_san/sql/sql_select.cc:2466
#3 0x55ada0918a30 in JOIN::optimize() /test/10.9_dbg_san/sql/sql_select.cc:1808
#4 0x55ada02ff04d in st_select_lex::optimize_unflattened_subqueries(bool) /test/10.9_dbg_san/sql/sql_lex.cc:4916
#5 0x55ada0d26c37 in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /test/10.9_dbg_san/sql/sql_update.cc:533
#6 0x55ada04f7b17 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:4421
#7 0x55ada0452728 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
#8 0x55ada04c844e in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
#9 0x55ada04defa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
#10 0x55ada0fabc4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
#11 0x55ada0faeae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
#12 0x55ada3507c62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
#13 0x15352540e608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#14 0x153524683132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

Comment by Roel Van de Paar [ 2022-05-27 ]

~~MDEV-28516~~ Is a possible duplicate of this bug

Comment by Roel Van de Paar [ 2022-05-27 ]

With this testcase (UPDATE) the original bug (apparently duplicated by ~~MDEV-28516~~) is reproduced:

CREATE TABLE t(v INT);

UPDATE t SET v=1 WHERE (SELECT 1 FROM (SELECT 1 AS v) AS v2 WHERE 22 WINDOW v3 AS (PARTITION BY v ORDER BY (SELECT 1 FROM (SELECT 1 FROM (SELECT 1 FROM (SELECT 1 AS v) AS v WHERE v=0 AND v=-1) AS v4 JOIN (SELECT 1 AS v) AS v GROUP BY v WINDOW v5 AS(PARTITION BY v)) AS v6)));

SIGSEGV|get_sort_by_table|make_join_statistics|JOIN::optimize_inner|JOIN::optimize

Taking the same testcase, but removing the UPDATE (and therefore the CREATE TABLE is no longer needed either), MDEV-28506 is reproduced:

SELECT 1 FROM (SELECT 1 AS v) AS v2 WHERE 22 WINDOW v3 AS (PARTITION BY v ORDER BY (SELECT 1 FROM (SELECT 1 FROM (SELECT 1 FROM (SELECT 1 AS v) AS v WHERE v=0 AND v=-1) AS v4 JOIN (SELECT 1 AS v) AS v GROUP BY v WINDOW v5 AS(PARTITION BY v)) AS v6));

table_list->table|SIGABRT|find_field_in_table_ref|find_field_in_tables|Item_field::fix_fields|Item::fix_fields_if_needed

Thus, ~~MDEV-28516~~ is likely a duplicate of this bug, and this bug is a duplicate of MDEV-28506 when the UPDATE is removed..

Comment by Roel Van de Paar [ 2022-05-27 ]

As ~~MDEV-28516~~ does have a SELECT (and not UDPATE) statement leading to the same crash, leaving both bugs open ftm.

Comment by Roel Van de Paar [ 2022-08-06 ]

Additional partially optimized testcase which leads to a new stack on debug:

SIGSEGV|subquery_types_allow_materialization|convert_join_subqueries_to_semijoins|JOIN::optimize_inner|JOIN::optimize

On optimized it leads to the already known stack from this ticket:

SIGSEGV|get_sort_by_table|make_join_statistics|JOIN::optimize_inner|JOIN::optimize

CREATE TABLE t0(c INT);

UPDATE t0 SET c= 0 WHERE c LIKE''AND c IN(SELECT * FROM t0 AS c NATURAL JOIN t0 WHERE c % 0=-0 WINDOW c AS(PARTITION BY c AND 0 BETWEEN(SELECT * FROM t0 GROUP BY c WINDOW c AS(PARTITION BY c)) AND 0));

Leads to:

10.10.0 e1caa4bd5e8b4645944b85d4b603bf9fc9ef6ca4 (Debug)
Core was generated by `/test/MD290722-mariadb-10.10.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000055ce1b165132 in subquery_types_allow_materialization (thd=thd@entry=
0x14afe0000db8, in_subs=in_subs@entry=0x14afe00258f0)
at /test/10.10_dbg/sql/opt_subselect.cc:889
889 all_are_fields &= (outer->real_item()->type() == Item::FIELD_ITEM &&
[Current thread is 1 (Thread 0x14b0515fe700 (LWP 2687120))]
(gdb) bt
#0 0x000055ce1b165132 in subquery_types_allow_materialization (thd=thd@entry=0x14afe0000db8, in_subs=in_subs@entry=0x14afe00258f0) at /test/10.10_dbg/sql/opt_subselect.cc:889
#1 0x000055ce1b169bad in convert_join_subqueries_to_semijoins (join=join@entry=0x14afe0026018) at /test/10.10_dbg/sql/opt_subselect.cc:1274
#2 0x000055ce1b03bd94 in JOIN::optimize_inner (this=this@entry=0x14afe0026018) at /test/10.10_dbg/sql/sql_select.cc:2096
#3 0x000055ce1b03d56e in JOIN::optimize (this=this@entry=0x14afe0026018) at /test/10.10_dbg/sql/sql_select.cc:1863
#4 0x000055ce1b03d661 in mysql_select (thd=thd@entry=0x14afe0000db8, tables=tables@entry=0x14afe0013e78, fields=@0x14b0515fcd20: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55ce1c48f860 <end_of_list>, last = 0x14b0515fcd20, elements = 0}, <No data fields>}, conds=conds@entry=0x14afe0025b58, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2200096997504, result=0x14afe0025f08, unit=0x14afe0004ff0, select_lex=0x14afe00057f0) at /test/10.10_dbg/sql/sql_select.cc:5048
#5 0x000055ce1b0b6feb in mysql_multi_update (thd=thd@entry=0x14afe0000db8, table_list=0x14afe0013e78, fields=fields@entry=0x14afe0005a90, values=values@entry=0x14afe0005ec0, conds=0x14afe0025b58, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x14afe0004ff0, select_lex=0x14afe00057f0, result=0x14b0515fcf00) at /test/10.10_dbg/sql/sql_update.cc:1979
#6 0x000055ce1afb5be1 in mysql_execute_command (thd=thd@entry=0x14afe0000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:4487
#7 0x000055ce1afa2534 in mysql_parse (thd=thd@entry=0x14afe0000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14b0515fd330) at /test/10.10_dbg/sql/sql_parse.cc:8037
#8 0x000055ce1afafb1c in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14afe0000db8, packet=packet@entry=0x14afe000b6e9 "UPDATE t0 SET c= 0 WHERE c LIKE''AND c IN(SELECT * FROM t0 AS c NATURAL JOIN t0 WHERE c % 0=-0 WINDOW c AS(PARTITION BY c AND 0 BETWEEN(SELECT * FROM t0 GROUP BY c WINDOW c AS(PARTITION BY c)) AND 0))", packet_length=packet_length@entry=200, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1366
#9 0x000055ce1afb2226 in do_command (thd=0x14afe0000db8, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407
#10 0x000055ce1b113744 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55ce1dbe1bf8, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1418
#11 0x000055ce1b113c4d in handle_one_connection (arg=0x55ce1dbe1bf8) at /test/10.10_dbg/sql/sql_connect.cc:1312
#12 0x000014b0804a3609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#13 0x000014b08008f133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.36 (dbg), 10.3.36 (opt), 10.4.26 (dbg), 10.4.26 (opt), 10.5.17 (dbg), 10.5.17 (opt), 10.6.9 (dbg), 10.6.9 (opt), 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

Comment by Roel Van de Paar [ 2022-08-24 ]

Partially new stack with this testcase on 10.3 to 10.7 debug. All versions crash on the testcase, but the new stack is only seen on 10.3 to 10.7 debug builds.

CREATE TABLE t (c INT) ENGINE=InnoDB;

UPDATE t SET c=0 WHERE c LIKE '' AND c IN (SELECT * FROM t AS c NATURAL JOIN t WHERE c=1 WINDOW c AS (PARTITION BY c BETWEEN (SELECT * FROM t GROUP BY c WINDOW c AS (PARTITION BY c)) AND 1));

Leads to:

10.7.6 dc11fd07fdaf7316d340569f97a84fa0fd2d307e (Debug)
Core was generated by `/test/MD200822-mariadb-10.7.6-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000556867685aea in subquery_types_allow_materialization (thd=thd@entry=
0x1456ec000db8, in_subs=in_subs@entry=0x1456ec025600)
at /test/10.7_dbg/sql/opt_subselect.cc:889
[Current thread is 1 (Thread 0x145724089700 (LWP 2033292))]
(gdb) bt
#0 0x0000556867685aea in subquery_types_allow_materialization (thd=thd@entry=0x1456ec000db8, in_subs=in_subs@entry=0x1456ec025600) at /test/10.7_dbg/sql/opt_subselect.cc:889
#1 0x0000556867687835 in check_and_do_in_subquery_rewrites (join=join@entry=0x1456ec0264b8) at /test/10.7_dbg/sql/opt_subselect.cc:706
#2 0x000055686754f367 in JOIN::prepare (this=0x1456ec0264b8, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.7_dbg/sql/sql_select.cc:1529
#3 0x00005568678c4bfd in subselect_single_select_engine::prepare (this=0x1456ec025828, thd=0x1456ec000db8) at /test/10.7_dbg/sql/sql_lex.h:1362
#4 0x00005568678c40cb in Item_subselect::fix_fields (this=this@entry=0x1456ec025600, thd_param=thd_param@entry=0x1456ec000db8, ref=ref@entry=0x1456ec025978) at /test/10.7_dbg/sql/item_subselect.cc:295
#5 0x00005568678c4510 in Item_in_subselect::fix_fields (this=0x1456ec025600, thd_arg=0x1456ec000db8, ref=0x1456ec025978) at /test/10.7_dbg/sql/item_subselect.cc:3582
#6 0x0000556867801836 in Item::fix_fields_if_needed (ref=0x1456ec025978, thd=0x1456ec000db8, this=0x1456ec025600) at /test/10.7_dbg/sql/item.h:1152
#7 Item::fix_fields_if_needed_for_scalar (ref=0x1456ec025978, thd=0x1456ec000db8, this=0x1456ec025600) at /test/10.7_dbg/sql/item.h:1148
#8 Item::fix_fields_if_needed_for_bool (ref=0x1456ec025978, thd=0x1456ec000db8, this=0x1456ec025600) at /test/10.7_dbg/sql/item.h:1152
#9 Item_cond::fix_fields (this=0x1456ec025868, thd=0x1456ec000db8, ref=<optimized out>) at /test/10.7_dbg/sql/item_cmpfunc.cc:4911
#10 0x00005568674599e7 in Item::fix_fields_if_needed (ref=0x1456ec026170, thd=0x1456ec000db8, this=0x1456ec025868) at /test/10.7_dbg/sql/item.h:1152
#11 Item::fix_fields_if_needed_for_scalar (ref=0x1456ec026170, thd=0x1456ec000db8, this=0x1456ec025868) at /test/10.7_dbg/sql/item.h:1148
#12 Item::fix_fields_if_needed_for_bool (ref=0x1456ec026170, thd=0x1456ec000db8, this=0x1456ec025868) at /test/10.7_dbg/sql/item.h:1152
#13 setup_conds (thd=thd@entry=0x1456ec000db8, tables=tables@entry=0x1456ec013e00, leaves=@0x1456ec0059d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1456ec025d10, last = 0x1456ec025d10, elements = 1}, <No data fields>}, conds=conds@entry=0x1456ec026170) at /test/10.7_dbg/sql/sql_base.cc:8535
#14 0x000055686754e91d in setup_without_group (reserved=0x1456ec005b74, hidden_group_fields=0x1456ec026037, win_funcs=@0x1456ec005c08: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55686898cac0 <end_of_list>, last = 0x1456ec005c08, elements = 0}, <No data fields>}, win_specs=@0x1456ec005bf0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55686898cac0 <end_of_list>, last = 0x1456ec005bf0, elements = 0}, <No data fields>}, group=0x0, order=0x0, conds=0x1456ec026170, all_fields=@0x1456ec026088: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55686898cac0 <end_of_list>, last = 0x1456ec026088, elements = 0}, <No data fields>}, fields=@0x145724087d60: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55686898cac0 <end_of_list>, last = 0x145724087d60, elements = 0}, <No data fields>}, leaves=@0x1456ec0059d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1456ec025d10, last = 0x1456ec025d10, elements = 1}, <No data fields>}, tables=0x1456ec013e00, ref_pointer_array=<optimized out>, thd=0x1456ec000db8) at /test/10.7_dbg/sql/sql_select.cc:857
#15 JOIN::prepare (this=this@entry=0x1456ec025d20, tables_init=tables_init@entry=0x1456ec013e00, conds_init=conds_init@entry=0x1456ec025868, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x1456ec0057b8, unit_arg=0x1456ec004fc0) at /test/10.7_dbg/sql/sql_select.cc:1429
#16 0x0000556867565b0c in mysql_select (thd=thd@entry=0x1456ec000db8, tables=tables@entry=0x1456ec013e00, fields=@0x145724087d60: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55686898cac0 <end_of_list>, last = 0x145724087d60, elements = 0}, <No data fields>}, conds=conds@entry=0x1456ec025868, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2200096997504, result=0x1456ec025c10, unit=0x1456ec004fc0, select_lex=0x1456ec0057b8) at /test/10.7_dbg/sql/sql_select.cc:5015
#17 0x00005568675dd47b in mysql_multi_update (thd=thd@entry=0x1456ec000db8, table_list=0x1456ec013e00, fields=fields@entry=0x1456ec005a58, values=values@entry=0x1456ec005e90, conds=0x1456ec025868, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x1456ec004fc0, select_lex=0x1456ec0057b8, result=0x145724087f40) at /test/10.7_dbg/sql/sql_update.cc:1973
#18 0x00005568674df299 in mysql_execute_command (thd=thd@entry=0x1456ec000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.7_dbg/sql/sql_parse.cc:4487
#19 0x00005568674cbc75 in mysql_parse (thd=thd@entry=0x1456ec000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x145724088330) at /test/10.7_dbg/sql/sql_parse.cc:8028
#20 0x00005568674d931d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1456ec000db8, packet=packet@entry=0x1456ec00b689 "UPDATE t SET c=0 WHERE c LIKE '' AND c IN (SELECT * FROM t AS c NATURAL JOIN t WHERE c=1 WINDOW c AS (PARTITION BY c BETWEEN (SELECT * FROM t GROUP BY c WINDOW c AS (PARTITION BY c)) AND 1))", packet_length=packet_length@entry=190, blocking=blocking@entry=true) at /test/10.7_dbg/sql/sql_class.h:1360
#21 0x00005568674dba2a in do_command (thd=0x1456ec000db8, blocking=blocking@entry=true) at /test/10.7_dbg/sql/sql_parse.cc:1407
#22 0x0000556867638260 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55686a19ccf8, put_in_cache=put_in_cache@entry=true) at /test/10.7_dbg/sql/sql_connect.cc:1418
#23 0x0000556867638769 in handle_one_connection (arg=0x55686a19ccf8) at /test/10.7_dbg/sql/sql_connect.cc:1312
#24 0x000014573c115609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#25 0x000014573bd01133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

On 10.8+ debug and optimized we see these following UniqueID's/stacks instead:

SIGSEGV|subquery_types_allow_materialization|convert_join_subqueries_to_semijoins|JOIN::optimize_inner|JOIN::optimize  # dbg

SIGSEGV|get_sort_by_table|make_join_statistics|JOIN::optimize_inner|JOIN::optimize  # opt

And 10.3-10.7 optimized also has the same optimized UniqueID/stack.

Comment by Roel Van de Paar [ 2022-08-24 ]

Turning off semijoin in the same testcase leads to yet another stack in debug builds. All versions (10.3-10.11) result in the same crash.

CREATE TABLE t (c INT);

SET SESSION optimizer_switch='semijoin=off';

UPDATE t SET c=0 WHERE c LIKE '' AND c IN (SELECT * FROM t AS c NATURAL JOIN t WHERE c=1 WINDOW c AS (PARTITION BY c BETWEEN (SELECT * FROM t GROUP BY c WINDOW c AS (PARTITION BY c)) AND 1));

Leads to:

10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Debug)
Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000558ca23d9d18 in subquery_types_allow_materialization (thd=thd@entry=
0x145eb8000db8, in_subs=in_subs@entry=0x145eb802a128)
at /test/10.11_dbg/sql/opt_subselect.cc:889
[Current thread is 1 (Thread 0x145f40532700 (LWP 4018180))]
(gdb) bt
#0 0x0000558ca23d9d18 in subquery_types_allow_materialization (thd=thd@entry=0x145eb8000db8, in_subs=in_subs@entry=0x145eb802a128) at /test/10.11_dbg/sql/opt_subselect.cc:889
#1 0x0000558ca23dae94 in is_materialization_applicable (thd=thd@entry=0x145eb8000db8, in_subs=in_subs@entry=0x145eb802a128, child_select=child_select@entry=0x145eb8014b90) at /test/10.11_dbg/sql/sql_lex.h:1650
#2 0x0000558ca23db4e8 in check_and_do_in_subquery_rewrites (join=join@entry=0x145eb802b018) at /test/10.11_dbg/sql/opt_subselect.cc:755
#3 0x0000558ca229b959 in JOIN::prepare (this=0x145eb802b018, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_dbg/sql/sql_select.cc:1556
#4 0x0000558ca2622e91 in subselect_single_select_engine::prepare (this=0x145eb802a350, thd=0x145eb8000db8) at /test/10.11_dbg/sql/sql_lex.h:1367
#5 0x0000558ca262235f in Item_subselect::fix_fields (this=this@entry=0x145eb802a128, thd_param=thd_param@entry=0x145eb8000db8, ref=ref@entry=0x145eb802a4a0) at /test/10.11_dbg/sql/item_subselect.cc:295
#6 0x0000558ca26227a4 in Item_in_subselect::fix_fields (this=0x145eb802a128, thd_arg=0x145eb8000db8, ref=0x145eb802a4a0) at /test/10.11_dbg/sql/item_subselect.cc:3588
#7 0x0000558ca255e78c in Item::fix_fields_if_needed (ref=0x145eb802a4a0, thd=0x145eb8000db8, this=0x145eb802a128) at /test/10.11_dbg/sql/item.h:1152
#8 Item::fix_fields_if_needed_for_scalar (ref=0x145eb802a4a0, thd=0x145eb8000db8, this=0x145eb802a128) at /test/10.11_dbg/sql/item.h:1148
#9 Item::fix_fields_if_needed_for_bool (ref=0x145eb802a4a0, thd=0x145eb8000db8, this=0x145eb802a128) at /test/10.11_dbg/sql/item.h:1152
#10 Item_cond::fix_fields (this=0x145eb802a390, thd=0x145eb8000db8, ref=<optimized out>) at /test/10.11_dbg/sql/item_cmpfunc.cc:4906
#11 0x0000558ca21a3972 in Item::fix_fields_if_needed (ref=0x145eb802acd0, thd=0x145eb8000db8, this=0x145eb802a390) at /test/10.11_dbg/sql/item.h:1152
#12 Item::fix_fields_if_needed_for_scalar (ref=0x145eb802acd0, thd=0x145eb8000db8, this=0x145eb802a390) at /test/10.11_dbg/sql/item.h:1148
#13 Item::fix_fields_if_needed_for_bool (ref=0x145eb802acd0, thd=0x145eb8000db8, this=0x145eb802a390) at /test/10.11_dbg/sql/item.h:1152
#14 setup_conds (thd=thd@entry=0x145eb8000db8, tables=tables@entry=0x145eb8013e60, leaves=@0x145eb8005a08: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x145eb802a840, last = 0x145eb802a840, elements = 1}, <No data fields>}, conds=conds@entry=0x145eb802acd0) at /test/10.11_dbg/sql/sql_base.cc:8801
#15 0x0000558ca229af0f in setup_without_group (reserved=0x145eb8005bac, hidden_group_fields=0x145eb802ab97, win_funcs=@0x145eb8005c40: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x558ca37eec20 <end_of_list>, last = 0x145eb8005c40, elements = 0}, <No data fields>}, win_specs=@0x145eb8005c28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x558ca37eec20 <end_of_list>, last = 0x145eb8005c28, elements = 0}, <No data fields>}, group=0x0, order=0x0, conds=0x145eb802acd0, all_fields=@0x145eb802abe8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x558ca37eec20 <end_of_list>, last = 0x145eb802abe8, elements = 0}, <No data fields>}, fields=@0x145f40530d20: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x558ca37eec20 <end_of_list>, last = 0x145f40530d20, elements = 0}, <No data fields>}, leaves=@0x145eb8005a08: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x145eb802a840, last = 0x145eb802a840, elements = 1}, <No data fields>}, tables=0x145eb8013e60, ref_pointer_array=<optimized out>, thd=0x145eb8000db8) at /test/10.11_dbg/sql/sql_select.cc:884
#16 JOIN::prepare (this=this@entry=0x145eb802a850, tables_init=tables_init@entry=0x145eb8013e60, conds_init=conds_init@entry=0x145eb802a390, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x145eb80057f0, unit_arg=0x145eb8004ff0) at /test/10.11_dbg/sql/sql_select.cc:1456
#17 0x0000558ca22b2184 in mysql_select (thd=thd@entry=0x145eb8000db8, tables=tables@entry=0x145eb8013e60, fields=@0x145f40530d20: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x558ca37eec20 <end_of_list>, last = 0x145f40530d20, elements = 0}, <No data fields>}, conds=conds@entry=0x145eb802a390, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2200096997504, result=0x145eb802a740, unit=0x145eb8004ff0, select_lex=0x145eb80057f0) at /test/10.11_dbg/sql/sql_select.cc:5045
#18 0x0000558ca232ba5f in mysql_multi_update (thd=thd@entry=0x145eb8000db8, table_list=0x145eb8013e60, fields=fields@entry=0x145eb8005a90, values=values@entry=0x145eb8005ec0, conds=0x145eb802a390, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x145eb8004ff0, select_lex=0x145eb80057f0, result=0x145f40530f00) at /test/10.11_dbg/sql/sql_update.cc:1980
#19 0x0000558ca2229f3e in mysql_execute_command (thd=thd@entry=0x145eb8000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.11_dbg/sql/sql_parse.cc:4487
#20 0x0000558ca2216882 in mysql_parse (thd=thd@entry=0x145eb8000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x145f40531330) at /test/10.11_dbg/sql/sql_parse.cc:8035
#21 0x0000558ca2223e6a in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x145eb8000db8, packet=packet@entry=0x145eb800b6e9 "UPDATE t SET c=0 WHERE c LIKE '' AND c IN (SELECT * FROM t AS c NATURAL JOIN t WHERE c=1 WINDOW c AS (PARTITION BY c BETWEEN (SELECT * FROM t GROUP BY c WINDOW c AS (PARTITION BY c)) AND 1))", packet_length=packet_length@entry=190, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_class.h:1339
#22 0x0000558ca2226574 in do_command (thd=0x145eb8000db8, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407
#23 0x0000558ca23881da in do_handle_one_connection (connect=<optimized out>, connect@entry=0x558ca563ed58, put_in_cache=put_in_cache@entry=true) at /test/10.11_dbg/sql/sql_connect.cc:1418
#24 0x0000558ca23886e3 in handle_one_connection (arg=0x558ca563ed58) at /test/10.11_dbg/sql/sql_connect.cc:1312
#25 0x0000145f675c4609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#26 0x0000145f671b0133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.37 (dbg), 10.4.27 (dbg), 10.5.18 (dbg), 10.6.10 (dbg), 10.7.6 (dbg), 10.8.5 (dbg), 10.9.2 (dbg), 10.10.2 (dbg), 10.11.0 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.37 (opt), 10.4.27 (opt), 10.5.18 (opt), 10.6.10 (opt), 10.7.6 (opt), 10.8.5 (opt), 10.9.2 (opt), 10.10.2 (opt), 10.11.0 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

Generated at Thu Feb 08 10:01:18 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.

[MDEV-28510] SIGSEGV in get_sort_by_table and SIGSEGV in subquery_types_allow_materialization Created: 2022-05-08 Updated: 2023-09-04 Resolved: 2023-01-24