[MDEV-28917] SIGSEGV in resolve_ref_in_select_and_group and Assertion `n < m_size' failed in Bounds_checked_array on INSERT
Created: 2022-06-21  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Data Manipulation - Insert, Optimizer - Window functions
Affects Version/s: 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0
Fix Version/s: 10.6, 10.11

Type: Bug
Priority: Major
Reporter: Roel Van de Paar
Assignee: Oleksandr Byelkin
Resolution: Unresolved
Votes: 0
Labels: not-10.3, not-10.4, not-10.5, regression

Issue Links:
Relates
relates to MDEV-16993 [Draft] Assertion `n < m_size' failed... Closed
relates to MDEV-22713 Assertion `(*select_ref)->is_fixed()'... Confirmed
relates to MDEV-26926 [BUG][view] debug build: view doing insert into ..... Closed
relates to MDEV-26944 Server crash on selecting some data f... Confirmed

 Description   

Though there are various other bugs around which look possibly remotely-related, this looks to be a new regression in 10.6.

CREATE TABLE t(t INT);
INSERT INTO t SELECT 1 FROM t WINDOW t AS(t),v AS (ORDER BY (SELECT v,v BETWEEN(SELECT t AS t GROUP BY v WINDOW t AS (t)) AND 1));

Leads to:

10.10.0 081a284712bb661349e2e3802077b12211cede3e (Optimized)

Core was generated by `/test/MD310522-mariadb-10.10.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055e3a47552bd in resolve_ref_in_select_and_group (thd=thd@entry=
    0x150fd8000c58, ref=ref@entry=0x150fd8012950, 
    select=select@entry=0x150fd8011cc8) at /test/10.10_opt/sql/sql_array.h:63
[Current thread is 1 (Thread 0x15100dd01700 (LWP 892556))]
(gdb) bt
#0  0x000055e3a47552bd in resolve_ref_in_select_and_group (thd=thd@entry=0x150fd8000c58, ref=ref@entry=0x150fd8012950, select=select@entry=0x150fd8011cc8) at /test/10.10_opt/sql/sql_array.h:63
#1  0x000055e3a4769001 in Item_field::fix_outer_field (this=0x150fd8012950, thd=0x150fd8000c58, from_field=0x15100dcffb10, reference=0x150fd8012a78) at /test/10.10_opt/sql/item.cc:5803
#2  0x000055e3a4769e8d in Item_field::fix_fields (this=0x150fd8012950, thd=0x150fd8000c58, reference=0x150fd8012a78) at /test/10.10_opt/sql/item.cc:6105
#3  0x000055e3a4537054 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x150fd8000c58, this=0x150fd8012950) at /test/10.10_opt/sql/item.h:1142
#4  Item::fix_fields_if_needed (ref=<optimized out>, thd=0x150fd8000c58, this=0x150fd8012950) at /test/10.10_opt/sql/item.h:1142
#5  Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x150fd8000c58, this=0x150fd8012950) at /test/10.10_opt/sql/item.h:1148
#6  Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x150fd8000c58, this=0x150fd8012950) at /test/10.10_opt/sql/item.h:1156
#7  find_order_in_list (thd=0x150fd8000c58, ref_pointer_array=<optimized out>, tables=0x150fd80114e8, order=0x150fd8012a68, fields=<optimized out>, all_fields=@0x150fd80202a8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x150fd80114a0, last = 0x150fd80114a0, elements = 1}, <No data fields>}, is_group_field=true, add_to_all_fields=true, from_window_spec=false) at /test/10.10_opt/sql/sql_select.cc:25105
#8  0x000055e3a456047f in setup_group (thd=thd@entry=0x150fd8000c58, ref_pointer_array={m_array = 0x150fd8014498, m_size = 15}, tables=0x150fd80114e8, fields=@0x150fd8011248: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x150fd80114a0, last = 0x150fd80114a0, elements = 1}, <No data fields>}, all_fields=@0x150fd80202a8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x150fd80114a0, last = 0x150fd80114a0, elements = 1}, <No data fields>}, order=0x150fd8012a68, hidden_group_fields=0x150fd8020257, from_window_spec=false) at /test/10.10_opt/sql/sql_select.cc:25229
#9  0x000055e3a4563e6b in setup_without_group (reserved=<optimized out>, hidden_group_fields=0x150fd8020257, win_funcs=<optimized out>, win_specs=<optimized out>, group=<optimized out>, order=<optimized out>, conds=0x150fd8020390, all_fields=<optimized out>, fields=<optimized out>, leaves=<optimized out>, tables=<optimized out>, ref_pointer_array=<optimized out>, thd=0x150fd8000c58) at /test/10.10_opt/sql/sql_select.cc:886
#10 JOIN::prepare (this=0x150fd801ff40, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=<optimized out>, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.10_opt/sql/sql_select.cc:1438
#11 0x000055e3a45760ef in mysql_select (thd=0x150fd8000c58, tables=0x150fd80114e8, fields=@0x150fd8011248: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x150fd80114a0, last = 0x150fd80114a0, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x150fd8012a68, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x150fd80143d8, unit=0x150fd8004cb8, select_lex=0x150fd8010fa8) at /test/10.10_opt/sql/sql_select.cc:5019
#12 0x000055e3a4576397 in handle_select (thd=thd@entry=0x150fd8000c58, lex=lex@entry=0x150fd8004be0, result=result@entry=0x150fd80143d8, setup_tables_done_option=setup_tables_done_option@entry=1073741824) at /test/10.10_opt/sql/sql_select.cc:578
#13 0x000055e3a45084dc in mysql_execute_command (thd=0x150fd8000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:4708
#14 0x000055e3a44f4bb5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x150fd8000c58) at /test/10.10_opt/sql/sql_parse.cc:8036
#15 mysql_parse (thd=0x150fd8000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:7958
#16 0x000055e3a45006ca in dispatch_command (command=COM_QUERY, thd=0x150fd8000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.10_opt/sql/sql_class.h:1364
#17 0x000055e3a45025f2 in do_command (thd=0x150fd8000c58, blocking=blocking@entry=true) at /test/10.10_opt/sql/sql_parse.cc:1407
#18 0x000055e3a46188af in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55e3a7063dc8, put_in_cache=put_in_cache@entry=true) at /test/10.10_opt/sql/sql_connect.cc:1418
#19 0x000055e3a4618b8d in handle_one_connection (arg=0x55e3a7063dc8) at /test/10.10_opt/sql/sql_connect.cc:1312
#20 0x0000151026b31609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#21 0x000015102671d133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.10.0 081a284712bb661349e2e3802077b12211cede3e (Debug)

mysqld: /test/10.10_dbg/sql/sql_array.h:65: Element_type& Bounds_checked_array<Element_type>::operator[](size_t) [with Element_type = Item*; size_t = long unsigned int]: Assertion `n < m_size' failed.

10.10.0 081a284712bb661349e2e3802077b12211cede3e (Debug)

Core was generated by `/test/MD310522-mariadb-10.10.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x14bfa1580700 (LWP 892553))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x000014bfba10d859 in __GI_abort () at abort.c:79
#2  0x000014bfba10d729 in __assert_fail_base (fmt=0x14bfba2a3588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x559bb6efe98b "n < m_size", file=0x559bb6eec128 "/test/10.10_dbg/sql/sql_array.h", line=65, function=<optimized out>) at assert.c:92
#3  0x000014bfba11efd6 in __GI___assert_fail (assertion=assertion@entry=0x559bb6efe98b "n < m_size", file=file@entry=0x559bb6eec128 "/test/10.10_dbg/sql/sql_array.h", line=line@entry=65, function=function@entry=0x559bb6f079b0 "Element_type& Bounds_checked_array<Element_type>::operator[](size_t) [with Element_type = Item*; size_t = long unsigned int]") at assert.c:101
#4  0x0000559bb6630a54 in Bounds_checked_array<Item*>::operator[] (n=0, this=0x14bf60015578) at /test/10.10_dbg/sql/item.cc:5520
#5  resolve_ref_in_select_and_group (thd=thd@entry=0x14bf60000db8, ref=ref@entry=0x14bf60015e70, select=select@entry=0x14bf600151e8) at /test/10.10_dbg/sql/item.cc:5521
#6  0x0000559bb6645331 in Item_field::fix_outer_field (this=this@entry=0x14bf60015e70, thd=thd@entry=0x14bf60000db8, from_field=from_field@entry=0x14bfa157eb20, reference=reference@entry=0x14bf60015f98) at /test/10.10_dbg/sql/item.cc:5803
#7  0x0000559bb664609c in Item_field::fix_fields (this=0x14bf60015e70, thd=0x14bf60000db8, reference=0x14bf60015f98) at /test/10.10_dbg/sql/item.cc:6105
#8  0x0000559bb6370b74 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x14bf60000db8, this=0x14bf60015e70) at /test/10.10_dbg/sql/item.h:1156
#9  Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x14bf60000db8, this=0x14bf60015e70) at /test/10.10_dbg/sql/item.h:1148
#10 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x14bf60000db8, this=0x14bf60015e70) at /test/10.10_dbg/sql/item.h:1156
#11 find_order_in_list (thd=thd@entry=0x14bf60000db8, ref_pointer_array=<optimized out>, tables=tables@entry=0x14bf60014a08, order=order@entry=0x14bf60015f88, fields=@0x14bf60014768: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bf600149c0, last = 0x14bf600149c0, elements = 1}, <No data fields>}, all_fields=@0x14bf60024c28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bf600149c0, last = 0x14bf600149c0, elements = 1}, <No data fields>}, is_group_field=true, add_to_all_fields=true, from_window_spec=false) at /test/10.10_dbg/sql/sql_select.cc:25105
#12 0x0000559bb639ce72 in setup_group (thd=thd@entry=0x14bf60000db8, ref_pointer_array=<optimized out>, tables=tables@entry=0x14bf60014a08, fields=@0x14bf60014768: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bf600149c0, last = 0x14bf600149c0, elements = 1}, <No data fields>}, all_fields=@0x14bf60024c28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bf600149c0, last = 0x14bf600149c0, elements = 1}, <No data fields>}, order=0x14bf60015f88, hidden_group_fields=0x14bf60024bd7, from_window_spec=false) at /test/10.10_dbg/sql/sql_select.cc:25229
#13 0x0000559bb63a0e0e in setup_without_group (reserved=<optimized out>, hidden_group_fields=0x14bf60024bd7, win_funcs=<optimized out>, win_specs=<optimized out>, group=<optimized out>, order=<optimized out>, conds=0x14bf60024d10, all_fields=@0x14bf60024c28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bf600149c0, last = 0x14bf600149c0, elements = 1}, <No data fields>}, fields=<optimized out>, leaves=<optimized out>, tables=<optimized out>, ref_pointer_array=<optimized out>, thd=0x14bf60000db8) at /test/10.10_dbg/sql/sql_select.cc:870
#14 JOIN::prepare (this=this@entry=0x14bf600248c0, tables_init=tables_init@entry=0x14bf60014a08, conds_init=conds_init@entry=0x0, og_num=og_num@entry=1, order_init=order_init@entry=0x0, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.10_dbg/sql/sql_select.cc:1438
#15 0x0000559bb63b7b70 in mysql_select (thd=thd@entry=0x14bf60000db8, tables=0x14bf60014a08, fields=@0x14bf60014768: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14bf600149c0, last = 0x14bf600149c0, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x14bf60015f88, having=0x0, proc_param=0x0, select_options=2202244745984, result=0x14bf600178f8, unit=0x14bf60004fd8, select_lex=0x14bf600144c8) at /test/10.10_dbg/sql/sql_select.cc:5019
#16 0x0000559bb63b7d8e in handle_select (thd=thd@entry=0x14bf60000db8, lex=lex@entry=0x14bf60004f00, result=result@entry=0x14bf600178f8, setup_tables_done_option=setup_tables_done_option@entry=1073741824) at /test/10.10_dbg/sql/sql_select.cc:578
#17 0x0000559bb6331f9d in mysql_execute_command (thd=thd@entry=0x14bf60000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:4708
#18 0x0000559bb631de3a in mysql_parse (thd=thd@entry=0x14bf60000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14bfa157f470) at /test/10.10_dbg/sql/sql_parse.cc:8036
#19 0x0000559bb632b422 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14bf60000db8, packet=packet@entry=0x14bf6000b6d9 "INSERT INTO t SELECT 1 FROM t WINDOW t AS(t),v AS (ORDER BY (SELECT v,v BETWEEN(SELECT t AS t GROUP BY v WINDOW t AS (t)) AND 1))", packet_length=packet_length@entry=129, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1364
#20 0x0000559bb632db2c in do_command (thd=0x14bf60000db8, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407
#21 0x0000559bb648d3c0 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x559bb9548b28, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1418
#22 0x0000559bb648d8c9 in handle_one_connection (arg=0x559bb9548b28) at /test/10.10_dbg/sql/sql_connect.cc:1312
#23 0x000014bfba61e609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#24 0x000014bfba20a133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.6.9 (dbg), 10.6.9 (opt), 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.36 (dbg), 10.3.36 (opt), 10.4.26 (dbg), 10.4.26 (opt), 10.5.17 (dbg), 10.5.17 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)



 Comments   
Comment by Sergei Petrunia [ 2022-08-09 ]

This is a problem in Name Resolution.

Comment by Alice Sherepa [ 2023-05-03 ]

Currently returns ER_WRONG_WINDOW_SPEC_NAME (4009): Window specification with name 't' is not defined (10.6 fe89df42686fd41e986dc - 11.0)
