[#MDEV-28516] SIGSEGV in get_sort_by_table, UBSAN: runtime error: member access within null pointer of type 'struct TABLE

This bug was discovered whilst reducing ~~MDEV-28501~~. Crashes optimized builds. It looks related to ~~MDEV-23130~~ (given one of the stacks listed there), however the testcase from that bug does not reproduce against 10.9 whereas this testcase does, and no SP are involved either.

CREATE TABLE t (c INT) ENGINE=InnoDB;

SELECT * FROM (SELECT 1 FROM t AS a,t) AS b JOIN t AS d NATURAL JOIN t WINDOW e AS (PARTITION BY c AND 1 BETWEEN (SELECT c FROM t GROUP BY c WINDOW f AS (PARTITION BY c)) AND 2);

10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Debug)
Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 get_sort_by_table (const_tables=<optimized out>, tables=...,
b=<optimized out>, a=0x0) at /test/10.9_dbg/sql/sql_select.cc:25516
25516 if (map != table->table->map)
[Current thread is 1 (Thread 0x145888051700 (LWP 3001116))]
(gdb) bt
#0 get_sort_by_table (const_tables=<optimized out>, tables=@0x145844024bf0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14584407a970, last = 0x14584407a970, elements = 1}, <No data fields>}, b=<optimized out>, a=0x0) at /test/10.9_dbg/sql/sql_select.cc:25516
#1 make_join_statistics (join=join@entry=0x14584407a3b8, tables_list=@0x145844024bf0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14584407a970, last = 0x14584407a970, elements = 1}, <No data fields>}, keyuse_array=keyuse_array@entry=0x14584407a6d8) at /test/10.9_dbg/sql/sql_select.cc:5643
#2 0x00005577ba6f452c in JOIN::optimize_inner (this=this@entry=0x14584407a3b8) at /test/10.9_dbg/sql/sql_select.cc:2495
#3 0x00005577ba6f496c in JOIN::optimize (this=this@entry=0x14584407a3b8) at /test/10.9_dbg/sql/sql_select.cc:1837
#4 0x00005577ba639462 in st_select_lex::optimize_unflattened_subqueries (this=0x145844013db0, const_only=const_only@entry=true) at /test/10.9_dbg/sql/sql_lex.cc:4916
#5 0x00005577ba825f3d in JOIN::optimize_constant_subqueries (this=this@entry=0x145844027188) at /test/10.9_dbg/sql/opt_subselect.cc:5622
#6 0x00005577ba6f3490 in JOIN::optimize_inner (this=this@entry=0x145844027188) at /test/10.9_dbg/sql/sql_select.cc:2157
#7 0x00005577ba6f496c in JOIN::optimize (this=this@entry=0x145844027188) at /test/10.9_dbg/sql/sql_select.cc:1837
#8 0x00005577ba6f4a5f in mysql_select (thd=thd@entry=0x145844000db8, tables=0x145844015f10, fields=@0x145844014050: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x145844014340, last = 0x145844079e20, elements = 2}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x1458440257d0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x145844027160, unit=0x145844004fd8, select_lex=0x145844013db0) at /test/10.9_dbg/sql/sql_select.cc:5022
#9 0x00005577ba6f52a8 in handle_select (thd=thd@entry=0x145844000db8, lex=lex@entry=0x145844004f00, result=result@entry=0x145844027160, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.9_dbg/sql/sql_select.cc:570
#10 0x00005577ba6616c8 in execute_sqlcom_select (thd=thd@entry=0x145844000db8, all_tables=0x145844015f10) at /test/10.9_dbg/sql/sql_parse.cc:6271
#11 0x00005577ba66d935 in mysql_execute_command (thd=thd@entry=0x145844000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.9_dbg/sql/sql_parse.cc:3961
#12 0x00005577ba65b67b in mysql_parse (thd=thd@entry=0x145844000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x145888050470) at /test/10.9_dbg/sql/sql_parse.cc:8046
#13 0x00005577ba668f79 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x145844000db8, packet=packet@entry=0x14584400b699 "SELECT * FROM (SELECT 1 FROM t AS a,t) AS b JOIN t AS d NATURAL JOIN t WINDOW e AS (PARTITION BY c AND 1 BETWEEN (SELECT c FROM t GROUP BY c WINDOW f AS (PARTITION BY c)) AND 2)", packet_length=packet_length@entry=177, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_class.h:1364
#14 0x00005577ba66b686 in do_command (thd=0x145844000db8, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:1408
#15 0x00005577ba7c8d02 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5577bcdf1638, put_in_cache=put_in_cache@entry=true) at /test/10.9_dbg/sql/sql_connect.cc:1418
#16 0x00005577ba7c920b in handle_one_connection (arg=0x5577bcdf1638) at /test/10.9_dbg/sql/sql_connect.cc:1312
#17 0x000014589fb0a609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x000014589f6f6163 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.37 (dbg), 5.7.37 (opt), 8.0.28 (dbg), 8.0.28 (opt)

[MDEV-28516] SIGSEGV in get_sort_by_table, UBSAN: runtime error: member access within null pointer of type 'struct TABLE_LIST' Created: 2022-05-09 Updated: 2023-08-07 Resolved: 2023-01-24
Status:	Closed
Project:	MariaDB Server
Component/s:	Optimizer, Parser
Affects Version/s:	10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9
Fix Version/s:	10.11.2, 10.3.38, 10.4.28, 10.5.19, 10.6.12, 10.7.8, 10.8.7, 10.9.5, 10.10.3

[MDEV-28516] SIGSEGV in get_sort_by_table, UBSAN: runtime error: member access within null pointer of type 'struct TABLE_LIST' Created: 2022-05-09 Updated: 2023-08-07 Resolved: 2023-01-24