[MDEV-28614] Server crash in item_subselect.cc:6898 in Item_subselect::init_expr_cache_tracker(THD*) Created: 2022-05-19  Updated: 2024-01-09

Status: Stalled
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 10.3.35, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2

Type: Bug Priority: Major
Reporter: Shihao Wen Assignee: Rex Johnston
Resolution: Unresolved Votes: 0
Labels: fuzzer
Environment:

ubuntu 18.04


Attachments: HTML File 22_stack
Issue Links:
Relates
relates to MDEV-32394 init_expr_cache_tracker: SEGV at /mar... Confirmed

Description

PoC:

CREATE TABLE v1223 ( v1224 INTEGER , v1225 INT , v1226 CHAR ( 1 ) NOT NULL CHECK ( ( NOT ( ( NOT ( v1226 NOT IN ( v1226 ) AND v1226 NOT IN ( 83 ) ) ) + v1226 AND v1226 = 5 ) > 42 OR v1226 > 'x' ) ) , v1227 INT , UNIQUE INDEX v1228 ( v1226 , v1224 ) ) ;
CREATE TABLE v1229 ( v1230 INTEGER , v1231 INT , v1232 INT , v1233 INT , UNIQUE INDEX v1234 ( v1232 , v1233 ) ) ;
CREATE UNIQUE INDEX v1235 USING BTREE ON v1229 ( v1232 ASC ) ;
INSERT INTO v1229 ( v1230 ) VALUES ( 82 ) , ( 13 ) ;
UPDATE v1229 SET v1232 = NULL WHERE v1230 BETWEEN -1 AND 10 ;
SELECT v1233 FROM v1229 WHERE EXISTS ( SELECT v1230 FROM ( SELECT v1227 FROM ( SELECT DISTINCT v1227 , 84052104.000000 FROM v1223 UNION SELECT v1227 , v1225 FROM v1223 ) AS v1236 ) AS v1237 NATURAL JOIN v1229 AS v1238 NATURAL JOIN ( SELECT DISTINCT v1233 , ( v1232 = 17 OR v1231 > 'x' ) FROM v1229 ) AS v1239 NATURAL JOIN v1223 AS v1240 NATURAL JOIN v1229 WHERE v1231 IN ( 'x' = v1227 ) GROUP BY ( v1226 = -1 OR v1231 = TRUE OR 87 - v1225 > ( NOT ( v1226 = TRUE OR ( EXISTS ( SELECT DISTINCT v1231 FROM v1229 UNION SELECT v1232 FROM v1229 GROUP BY 'x' , 'x' , 'x' , 41446527.000000 HAVING ( v1232 IN ( CASE v1233 WHEN v1232 THEN 'x' WHEN 65 THEN ( ( ( NOT ( v1232 IS NULL ) ) ) + v1232 ) ELSE TRUE END != ( ( ( v1231 OR NOT v1233 ) BETWEEN 69 AND 10 ) ) ) ) ORDER BY v1231 ) AND v1233 = 53 ) ) ) ) , v1231 ) ;

Output:
SUMMARY: AddressSanitizer: SEGV /server_10.3/sql/item_subselect.cc:6898 in Item_subselect::init_expr_cache_tracker(THD*)

The full error log is in the attachment.



Comments
Comment by Alice Sherepa [ 2022-05-19 ]

CREATE TABLE t1 ( a int) ;
INSERT INTO t1 VALUES (1),(2);
 
SELECT 1 FROM t1
WHERE EXISTS ( SELECT 1 FROM t1 GROUP BY (EXISTS (SELECT 1 FROM t1 HAVING a ))) ;

bb-10.2-release 0ba528fe56f6c637d9fbc9d177a

220519 14:37:32 [ERROR] mysqld got signal 11 ;
 
Server version: 10.2.44-MariaDB-debug-log
 
sql/signal_handler.cc:221(handle_fatal_signal)[0x56101ed7d6f0]
sql/item_subselect.cc:6908(Item_subselect::init_expr_cache_tracker(THD*))[0x561a99f296b2]
sql/item_subselect.cc:1686(Item_exists_subselect::expr_cache_insert_transformer(THD*, unsigned char*))[0x561a99effd68]
sql/item.cc:733(Item::transform(THD*, Item* (Item::*)(THD*, unsigned char*), unsigned char*))[0x561a99d44c5b]
sql/sql_select.cc:3187(JOIN::setup_subquery_caches())[0x561a997590c7]
sql/sql_select.cc:2095(JOIN::optimize_inner())[0x561a9974d6cc]
sql/sql_select.cc:1127(JOIN::optimize())[0x561a99743504]
sql/sql_lex.cc:3867(st_select_lex::optimize_unflattened_subqueries(bool))[0x561a99673efe]
sql/opt_subselect.cc:5360(JOIN::optimize_constant_subqueries())[0x561a99b20fe2]
sql/sql_select.cc:1349(JOIN::optimize_inner())[0x561a997456c5]
sql/sql_select.cc:1127(JOIN::optimize())[0x561a99743504]
sql/sql_select.cc:3835(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x561a9975e988]
sql/sql_select.cc:361(handle_select(THD*, LEX*, select_result*, unsigned long))[0x561a9973b5e6]
sql/sql_parse.cc:6271(execute_sqlcom_select(THD*, TABLE_LIST*))[0x561a996ae5ae]
sql/sql_parse.cc:3582(mysql_execute_command(THD*))[0x561a99699d35]
sql/sql_parse.cc:7793(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x561a996b78cc]
sql/sql_parse.cc:1830(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x561a9968e919]
sql/sql_parse.cc:1381(do_command(THD*))[0x561a9968b34a]
sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x561a99a38222]
sql/sql_connect.cc:1242(handle_one_connection)[0x561a99a37ae3]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x561a9aed3796]
nptl/pthread_create.c:487(start_thread)[0x7fe4213dffa3]
x86_64/clone.S:97(clone)[0x7fe420786eff]
 
Query (0x62b000000290): SELECT 1 FROM t1
WHERE EXISTS ( SELECT 1 FROM t1 GROUP BY (EXISTS (SELECT 1 FROM t1 HAVING a )))
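
A small parser for the mysqld signal-handler output quoted in the comment above, added here as an example that is not part of the report: it extracts the signal, server version, the first frame below the signal handler (the real crash site) and the offending query, which is what you need when triaging fuzzer-found crashes at scale or deduplicating them by crash site. The sample log is a trimmed copy of the trace above, embedded inline so the script runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample crash output, constructed to mirror the format of the report's trace (trimmed).
SAMPLE_LOG = """220519 14:37:32 [ERROR] mysqld got signal 11 ;

Server version: 10.2.44-MariaDB-debug-log

sql/signal_handler.cc:221(handle_fatal_signal)[0x56101ed7d6f0]
sql/item_subselect.cc:6908(Item_subselect::init_expr_cache_tracker(THD*))[0x561a99f296b2]
sql/item_subselect.cc:1686(Item_exists_subselect::expr_cache_insert_transformer(THD*, unsigned char*))[0x561a99effd68]
sql/sql_select.cc:3187(JOIN::setup_subquery_caches())[0x561a997590c7]

Query (0x62b000000290): SELECT 1 FROM t1
WHERE EXISTS ( SELECT 1 FROM t1 GROUP BY (EXISTS (SELECT 1 FROM t1 HAVING a )))
"""

# One resolved stack frame: "file:line(function)[0xaddr]"
FRAME_RE = re.compile(r"^(?P<file>[^\s:(]+):(?P<line>\d+)\((?P<func>.*)\)\[0x[0-9a-f]+\]$")
SIGNAL_RE = re.compile(r"mysqld got signal (?P<sig>\d+)")
VERSION_RE = re.compile(r"^Server version:\s*(?P<ver>\S+)")
QUERY_RE = re.compile(r"^Query \(0x[0-9a-f]+\):\s*(?P<q>.*)$")

@dataclass
class Crash:
    signal: Optional[int] = None
    version: Optional[str] = None
    frames: List[Tuple[str, int, str]] = field(default_factory=list)
    query: Optional[str] = None

def parse_crash_log(text: str) -> Crash:
    crash, query_lines = Crash(), None
    for raw in text.splitlines():
        line = raw.strip()
        if query_lines is not None:          # query text runs to the end of the dump
            if line:
                query_lines.append(line)
            continue
        if m := SIGNAL_RE.search(line):
            crash.signal = int(m.group("sig"))
        elif m := VERSION_RE.match(line):
            crash.version = m.group("ver")
        elif m := FRAME_RE.match(line):
            crash.frames.append((m.group("file"), int(m.group("line")), m.group("func")))
        elif m := QUERY_RE.match(line):
            query_lines = [m.group("q")]
    crash.query = " ".join(query_lines) if query_lines else None
    return crash

def crash_site(crash: Crash) -> Optional[Tuple[str, int, str]]:
    """First frame that is not the signal handler itself, i.e. where the fault happened."""
    return next((f for f in crash.frames if "signal_handler" not in f[0]), None)
```

Keying a crash corpus on the `crash_site` tuple (file, line, function) is a cheap way to collapse the many fuzzer variants of one bug, such as the long PoC in the description and the three-line reproducer above, into a single entry.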

Comment by Alice Sherepa [ 2023-01-24 ]

not reproducible on current 10.3 (7a98d232e42b66efc759d584b)-10.11

Comment by Sergei Golubchik [ 2023-06-27 ]

7a98d232e42b66efc759d584b is in 10.3.38, 10.4.28, 10.5.19, 10.6.12, 10.7.8, 10.8.7, 10.9.5, 10.10.3, 10.11.2, and all 11.x

Generated at Thu Feb 08 10:02:07 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.