[MDEV-29261] SIGSEGV in subselect_uniquesubquery_engine::print and SIGSEGV in subselect_indexsubquery_engine::print, on INSERT Created: 2022-08-06  Updated: 2023-11-08  Resolved: 2023-11-08

Status: Closed
Project: MariaDB Server
Component/s: Optimizer, Storage Engine - InnoDB
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10
Fix Version/s: 10.4.29

Type: Bug Priority: Critical
Reporter: Roel Van de Paar Assignee: Dave Gosselin
Resolution: Duplicate Votes: 0
Labels: None


Description

CREATE TABLE t (c INT KEY) ENGINE=InnoDB;
INSERT INTO t VALUES ((c IN (SELECT (0,c) IN ((0,0),(0,0),(0,0)) AS v FROM (SELECT c FROM t WHERE (c) NOT IN (SELECT c FROM t)) AS v2))-2^1=(c IS NULL));

Leads to:

10.10.0 e1caa4bd5e8b4645944b85d4b603bf9fc9ef6ca4 (Optimized)

Core was generated by `/test/MD290722-mariadb-10.10.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00005567cc02bf36 in subselect_uniquesubquery_engine::print (
    this=0x145754051350, str=0x1457e40f8840, query_type=QT_NO_DATA_EXPANSION)
    at /test/10.10_opt/sql/item_subselect.cc:4669
4669	  if (tab->table->s->table_category == TABLE_CATEGORY_TEMPORARY)
[Current thread is 1 (Thread 0x1457e40fa700 (LWP 18153))]
(gdb) bt
#0  0x00005567cc02bf36 in subselect_uniquesubquery_engine::print (this=0x145754051350, str=0x1457e40f8840, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_opt/sql/item_subselect.cc:4669
#1  0x00005567cc02c0db in Item_subselect::print (this=0x145754013f20, str=0x1457e40f8840, query_type=<optimized out>) at /test/10.10_opt/sql/item_subselect.cc:1123
#2  0x00005567cbfc533b in Item_func::print_args (this=this@entry=0x14575401f808, str=str@entry=0x1457e40f8840, from=from@entry=0, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_opt/sql/item_func.cc:621
#3  0x00005567cbfc543e in Item_func::print (this=0x14575401f808, str=0x1457e40f8840, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_opt/sql/item_func.cc:610
#4  0x00005567cbf7d644 in Item_cache_wrapper::print (query_type=QT_NO_DATA_EXPANSION, str=0x1457e40f8840, this=0x1457540544b8) at /test/10.10_opt/sql/item.cc:8764
#5  Item_cache_wrapper::print (this=0x1457540544b8, str=0x1457e40f8840, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_opt/sql/item.cc:8746
#6  0x00005567cbd7e3ef in st_select_lex::print (this=0x145754012430, thd=0x145754000c58, str=0x1457e40f8840, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_opt/sql/sql_select.cc:28995
#7  0x00005567cbce4f02 in st_select_lex_unit::print (this=0x14575401c240, str=0x1457e40f8840, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_opt/sql/sql_lex.cc:3703
#8  0x00005567cbd7d70b in TABLE_LIST::print (this=0x14575401ca40, thd=0x145754000c58, str=0x1457e40f8840, query_type=QT_NO_DATA_EXPANSION, eliminated_tables=<optimized out>) at /test/10.10_opt/sql/sql_select.cc:28756
#9  0x00005567cbd7df66 in print_table_array (query_type=QT_NO_DATA_EXPANSION, end=<optimized out>, table=0x145754058478, str=0x1457e40f8840, eliminated_tables=0, thd=0x145754000c58) at /test/10.10_opt/sql/sql_select.cc:28650
#10 print_join (thd=thd@entry=0x145754000c58, eliminated_tables=0, str=str@entry=0x1457e40f8840, tables=<optimized out>, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_opt/sql/sql_select.cc:28650
#11 0x00005567cbd7e66e in st_select_lex::print (this=0x145754011598, thd=0x145754000c58, str=0x1457e40f8840, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_opt/sql/sql_select.cc:28976
#12 0x00005567cc02c0db in Item_subselect::print (this=0x1457540142a8, str=0x1457e40f8840, query_type=<optimized out>) at /test/10.10_opt/sql/item_subselect.cc:1123
#13 0x00005567cbfc533b in Item_func::print_args (this=this@entry=0x14575404e220, str=str@entry=0x1457e40f8840, from=from@entry=0, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_opt/sql/item_func.cc:621
#14 0x00005567cbfc543e in Item_func::print (this=0x14575404e220, str=0x1457e40f8840, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_opt/sql/item_func.cc:610
#15 0x00005567cbf70a54 in Item::print_parenthesised (this=0x14575404e220, str=0x1457e40f8840, query_type=QT_NO_DATA_EXPANSION, parent_prec=<optimized out>) at /test/10.10_opt/sql/item.cc:496
#16 0x00005567cbfc56c6 in Item_func::print_op (this=0x14575401d928, str=0x1457e40f8840, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_opt/sql/item_func.cc:630
#17 0x00005567cbfddbcc in Item_func::raise_numeric_overflow (this=<optimized out>, type_name=0x5567cc5a9c04 "BIGINT UNSIGNED") at /test/10.10_opt/sql/item_func.h:213
#18 0x00005567cbfc43c4 in Item_func::raise_integer_overflow (this=<optimized out>) at /test/10.10_opt/sql/item_func.h:246
#19 Item_func_minus::int_op (this=0x14575401d928) at /test/10.10_opt/sql/item_func.cc:1339
#20 0x00005567cbf892bd in Arg_comparator::compare_int_unsigned_signed (this=0x14575401dc58) at /test/10.10_opt/sql/item_cmpfunc.cc:1001
#21 0x00005567cbf8974f in Arg_comparator::compare (this=<optimized out>) at /test/10.10_opt/sql/item_cmpfunc.h:103
#22 Item_func_eq::val_int (this=<optimized out>) at /test/10.10_opt/sql/item_cmpfunc.cc:1762
#23 0x00005567cbf79643 in Item::save_int_in_field (this=0x14575401dba8, field=0x14575401fab0, no_conversions=<optimized out>) at /test/10.10_opt/sql/item.cc:6842
#24 0x00005567cbf693e7 in Item::save_in_field (this=0x14575401dba8, field=0x14575401fab0, no_conversions=<optimized out>) at /test/10.10_opt/sql/item.cc:6852
#25 0x00005567cbca9e38 in fill_record (thd=thd@entry=0x145754000c58, table=table@entry=0x145754017db8, ptr=0x14575401fa80, ptr@entry=0x14575401fa78, values=@0x145754011460: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1457540146c8, last = 0x1457540146c8, elements = 1}, <No data fields>}, ignore_errors=ignore_errors@entry=false, use_value=use_value@entry=false) at /test/10.10_opt/sql/sql_base.cc:9196
#26 0x00005567cbca9f54 in fill_record_n_invoke_before_triggers (thd=thd@entry=0x145754000c58, table=table@entry=0x145754017db8, ptr=0x14575401fa78, values=@0x145754011460: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1457540146c8, last = 0x1457540146c8, elements = 1}, <No data fields>}, ignore_errors=ignore_errors@entry=false, event=event@entry=TRG_EVENT_INSERT) at /test/10.10_opt/sql/sql_base.cc:9251
#27 0x00005567cbcda332 in mysql_insert (thd=thd@entry=0x145754000c58, table_list=<optimized out>, fields=@0x145754005b88: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5567ccda32f0 <end_of_list>, last = 0x145754005b88, elements = 0}, <No data fields>}, values_list=@0x145754005bd0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1457540146d8, last = 0x1457540146d8, elements = 1}, <No data fields>}, update_fields=@0x145754005bb8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5567ccda32f0 <end_of_list>, last = 0x145754005bb8, elements = 0}, <No data fields>}, update_values=@0x145754005ba0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5567ccda32f0 <end_of_list>, last = 0x145754005ba0, elements = 0}, <No data fields>}, duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /test/10.10_opt/sql/sql_insert.cc:1088
#28 0x00005567cbd149ef in mysql_execute_command (thd=0x145754000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:4563
#29 0x00005567cbd04d85 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x145754000c58) at /test/10.10_opt/sql/sql_parse.cc:8037
#30 mysql_parse (thd=0x145754000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:7959
#31 0x00005567cbd1089a in dispatch_command (command=COM_QUERY, thd=0x145754000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.10_opt/sql/sql_class.h:1366
#32 0x00005567cbd127c2 in do_command (thd=0x145754000c58, blocking=blocking@entry=true) at /test/10.10_opt/sql/sql_parse.cc:1407
#33 0x00005567cbe2a6ef in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5567cde9f5c8, put_in_cache=put_in_cache@entry=true) at /test/10.10_opt/sql/sql_connect.cc:1418
#34 0x00005567cbe2a9cd in handle_one_connection (arg=0x5567cde9f5c8) at /test/10.10_opt/sql/sql_connect.cc:1312
#35 0x00001457fd536609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#36 0x00001457fd122133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.10.0 e1caa4bd5e8b4645944b85d4b603bf9fc9ef6ca4 (Debug)

Core was generated by `/test/MD290722-mariadb-10.10.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00005651a477526c in subselect_uniquesubquery_engine::print (
    this=0x145d40078570, str=0x145dc812b7e0, query_type=QT_NO_DATA_EXPANSION)
    at /test/10.10_dbg/sql/item_subselect.cc:4669
4669	  if (tab->table->s->table_category == TABLE_CATEGORY_TEMPORARY)
[Current thread is 1 (Thread 0x145dc812d700 (LWP 20657))]
(gdb) bt
#0  0x00005651a477526c in subselect_uniquesubquery_engine::print (this=0x145d40078570, str=0x145dc812b7e0, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_subselect.cc:4669
#1  0x00005651a47746e9 in Item_subselect::print (this=this@entry=0x145d40017440, str=str@entry=0x145dc812b7e0, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_subselect.cc:1123
#2  0x00005651a4774ac5 in Item_in_subselect::print (this=0x145d40017440, str=0x145dc812b7e0, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_subselect.cc:3514
#3  0x00005651a46fba78 in Item_func::print_args (this=this@entry=0x145d40028120, str=str@entry=0x145dc812b7e0, from=from@entry=0, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_func.cc:621
#4  0x00005651a46fbc96 in Item_func::print (this=this@entry=0x145d40028120, str=str@entry=0x145dc812b7e0, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_func.cc:610
#5  0x00005651a46bad42 in Item_in_optimizer::print (this=0x145d40028120, str=0x145dc812b7e0, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_cmpfunc.cc:1235
#6  0x00005651a469b555 in Item_cache_wrapper::print (this=0x145d4007baa8, str=0x145dc812b7e0, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item.cc:8764
#7  0x00005651a468badc in Item::print_parenthesised (this=this@entry=0x145d4007baa8, str=str@entry=0x145dc812b7e0, query_type=query_type@entry=QT_NO_DATA_EXPANSION, parent_prec=NEG_PRECEDENCE) at /test/10.10_dbg/sql/item.cc:496
#8  0x00005651a46b5be3 in Item_func_not::print (this=0x145d400176a8, str=0x145dc812b7e0, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_cmpfunc.cc:210
#9  0x00005651a43fcf1e in st_select_lex::print (this=this@entry=0x145d40015950, thd=0x145d40000db8, str=str@entry=0x145dc812b7e0, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/sql_select.cc:28995
#10 0x00005651a43477fa in st_select_lex_unit::print (this=0x145d40024b50, str=str@entry=0x145dc812b7e0, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/sql_lex.cc:3703
#11 0x00005651a43fc37e in TABLE_LIST::print (this=0x145d40025350, thd=thd@entry=0x145d40000db8, eliminated_tables=eliminated_tables@entry=0, str=str@entry=0x145dc812b7e0, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/sql_select.cc:28756
#12 0x00005651a43fca91 in print_table_array (query_type=QT_NO_DATA_EXPANSION, end=0x145d4007fc70, table=0x145d4007fc68, str=0x145dc812b7e0, eliminated_tables=0, thd=0x145d40000db8) at /test/10.10_dbg/sql/sql_select.cc:28494
#13 print_join (thd=thd@entry=0x145d40000db8, eliminated_tables=0, str=str@entry=0x145dc812b7e0, tables=0x145d40014c70, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/sql_select.cc:28650
#14 0x00005651a43fd45e in st_select_lex::print (this=0x145d40014ab8, thd=thd@entry=0x145d40000db8, str=str@entry=0x145dc812b7e0, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/sql_select.cc:28976
#15 0x00005651a4773e8c in subselect_single_select_engine::print (this=0x145d400179f0, str=0x145dc812b7e0, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_subselect.cc:4653
#16 0x00005651a47746e9 in Item_subselect::print (this=this@entry=0x145d400177c8, str=str@entry=0x145dc812b7e0, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_subselect.cc:1123
#17 0x00005651a4774ac5 in Item_in_subselect::print (this=0x145d400177c8, str=0x145dc812b7e0, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_subselect.cc:3514
#18 0x00005651a46fba78 in Item_func::print_args (this=this@entry=0x145d40075410, str=str@entry=0x145dc812b7e0, from=from@entry=0, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_func.cc:621
#19 0x00005651a46fbc96 in Item_func::print (this=this@entry=0x145d40075410, str=str@entry=0x145dc812b7e0, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_func.cc:610
#20 0x00005651a46bad42 in Item_in_optimizer::print (this=0x145d40075410, str=0x145dc812b7e0, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_cmpfunc.cc:1235
#21 0x00005651a468bb10 in Item::print_parenthesised (this=this@entry=0x145d40075410, str=str@entry=0x145dc812b7e0, query_type=query_type@entry=QT_NO_DATA_EXPANSION, parent_prec=<optimized out>) at /test/10.10_dbg/sql/item.cc:496
#22 0x00005651a46fbf22 in Item_func::print_op (this=0x145d40026238, str=0x145dc812b7e0, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_func.cc:630
#23 0x00005651a471b84b in Item_num_op::print (this=<optimized out>, str=<optimized out>, query_type=<optimized out>) at /test/10.10_dbg/sql/item_func.h:1106
#24 0x00005651a471b66e in Item_func::raise_numeric_overflow (this=<optimized out>, type_name=0x5651a4f442e2 "BIGINT UNSIGNED") at /test/10.10_dbg/sql/item_func.h:213
#25 0x00005651a46fa96d in Item_func::raise_integer_overflow (this=<optimized out>) at /test/10.10_dbg/sql/item_func.h:246
#26 Item_func::check_integer_overflow (val_unsigned=<optimized out>, value=-3, this=0x145d40026238) at /test/10.10_dbg/sql/item_func.h:249
#27 Item_func_minus::int_op (this=0x145d40026238) at /test/10.10_dbg/sql/item_func.cc:1336
#28 0x00005651a4572eda in Item_func_hybrid_field_type::val_int_from_int_op (this=<optimized out>) at /test/10.10_dbg/sql/item_func.h:849
#29 Type_handler_int_result::Item_func_hybrid_field_type_val_int (this=<optimized out>, item=<optimized out>) at /test/10.10_dbg/sql/sql_type.cc:5426
#30 0x00005651a46c5f25 in Item_func_hybrid_field_type::val_int (this=0x145d40026238) at /test/10.10_dbg/sql/sql_type.h:7441
#31 0x00005651a46ab4bd in Arg_comparator::compare_int_unsigned_signed (this=0x145d40026568) at /test/10.10_dbg/sql/item_cmpfunc.cc:1001
#32 0x00005651a46ad952 in Arg_comparator::compare (this=0x145d40026568) at /test/10.10_dbg/sql/item_cmpfunc.h:103
#33 Item_func_eq::val_int (this=0x145d400264b8) at /test/10.10_dbg/sql/item_cmpfunc.cc:1762
#34 0x00005651a4696dd3 in Item::save_int_in_field (this=0x145d400264b8, field=0x145d40029fb0, no_conversions=<optimized out>) at /test/10.10_dbg/sql/item.cc:6842
#35 0x00005651a4575d64 in Type_handler_int_result::Item_save_in_field (this=<optimized out>, item=<optimized out>, field=<optimized out>, no_conversions=<optimized out>) at /test/10.10_dbg/sql/sql_type.cc:4362
#36 0x00005651a467d4f1 in Item::save_in_field (this=0x145d400264b8, field=0x145d40029fb0, no_conversions=<optimized out>) at /test/10.10_dbg/sql/item.cc:6852
#37 0x00005651a42fc3d3 in fill_record (thd=thd@entry=0x145d40000db8, table=table@entry=0x145d4001e978, ptr=0x145d40029f80, ptr@entry=0x145d40029f78, values=@0x145d40014980: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x145d40017be8, last = 0x145d40017be8, elements = 1}, <No data fields>}, ignore_errors=ignore_errors@entry=false, use_value=use_value@entry=false) at /test/10.10_dbg/sql/sql_base.cc:9196
#38 0x00005651a42fc496 in fill_record_n_invoke_before_triggers (thd=thd@entry=0x145d40000db8, table=table@entry=0x145d4001e978, ptr=0x145d40029f78, values=@0x145d40014980: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x145d40017be8, last = 0x145d40017be8, elements = 1}, <No data fields>}, ignore_errors=ignore_errors@entry=false, event=event@entry=TRG_EVENT_INSERT) at /test/10.10_dbg/sql/sql_base.cc:9251
#39 0x00005651a433faa3 in mysql_insert (thd=thd@entry=0x145d40000db8, table_list=<optimized out>, fields=@0x145d40005ea8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5651a585b860 <end_of_list>, last = 0x145d40005ea8, elements = 0}, <No data fields>}, values_list=@0x145d40005ef0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x145d40017bf8, last = 0x145d40017bf8, elements = 1}, <No data fields>}, update_fields=@0x145d40005ed8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5651a585b860 <end_of_list>, last = 0x145d40005ed8, elements = 0}, <No data fields>}, update_values=@0x145d40005ec0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5651a585b860 <end_of_list>, last = 0x145d40005ec0, elements = 0}, <No data fields>}, duplic=DUP_ERROR, ignore=false, result=0x0) at /test/10.10_dbg/sql/sql_insert.cc:1088
#40 0x00005651a4381eef in mysql_execute_command (thd=thd@entry=0x145d40000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:4563
#41 0x00005651a436e534 in mysql_parse (thd=thd@entry=0x145d40000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x145dc812c330) at /test/10.10_dbg/sql/sql_parse.cc:8037
#42 0x00005651a437bb1c in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x145d40000db8, packet=packet@entry=0x145d4000b6e9 "INSERT INTO t VALUES ((c IN (SELECT (0,c) IN ((0,0),(0,0),(0,0)) AS v FROM (SELECT c FROM t WHERE (c) NOT IN (SELECT c FROM t)) AS v2))-2^1=(c IS NULL))", packet_length=packet_length@entry=152, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1366
#43 0x00005651a437e226 in do_command (thd=0x145d40000db8, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407
#44 0x00005651a44df744 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5651a6d37a18, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1418
#45 0x00005651a44dfc4d in handle_one_connection (arg=0x5651a6d37a18) at /test/10.10_dbg/sql/sql_connect.cc:1312
#46 0x0000145dee5c1609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#47 0x0000145dee1ad133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.36 (dbg), 10.3.36 (opt), 10.4.26 (dbg), 10.4.26 (opt), 10.5.17 (dbg), 10.5.17 (opt), 10.6.9 (dbg), 10.6.9 (opt), 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

Comments
Comment by Roel Van de Paar [ 2022-08-06 ]

Slightly changing the testcase:

CREATE TABLE t (c INT KEY) ENGINE=InnoDB;
INSERT INTO t VALUES ((c IN (SELECT (0,0) IN ((0,0),(0,0),(0,0)) AS v FROM (SELECT c FROM t WHERE c NOT IN (SELECT c FROM t)) AS v2))-2^1=(c IS NULL));

Leads to this interesting result in the CLI:

10.10.0 e1caa4bd5e8b4645944b85d4b603bf9fc9ef6ca4 (Optimized)

ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(<in_optimizer>(`test`.`t`.`c`,<exists>(select (0,0) in ((0,0),(0,0),(0,0)) AS `v` from (select `test`.`t`.`c` AS `c` from `test`.`t` where !<expr_cache><`test`.`t`.`c`>(<in_optimizer>(`test`.`t`.`c`,<exists>(<primary_index_lookup>(`test`.`t`.`c` in t on PRIMARY))))) `v2` where `test`.`t`.`c` = (0,0) in ((0,0),(0,0),(0,0))))) - 2 ^ 1'

Comment by Roel Van de Paar [ 2022-08-06 ]

As for the original testcase, the crash specifically may be related to InnoDB, as the crash only reproduces with this engine. MyISAM and Aria give the [odd] ERROR 1690 instead for the original testcase.

Comment by Roel Van de Paar [ 2022-08-06 ]

Additional stacks with this testcase:

CREATE TABLE t(c INT UNIQUE) ENGINE=InnoDB;
INSERT INTO t VALUES ((TRUE IN (SELECT * FROM (SELECT (1^0)%1 IN (SELECT c FROM t GROUP BY c)) AS v))--((c IS NULL))^1);

Leads to:

10.10.0 e1caa4bd5e8b4645944b85d4b603bf9fc9ef6ca4 (Debug)

Core was generated by `/test/MD290722-mariadb-10.10.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055fb6e7c200a in subselect_indexsubquery_engine::print (
    this=0x151260076aa0, str=0x1512ad5c3820, query_type=QT_NO_DATA_EXPANSION)
    at /test/10.10_dbg/sql/item_subselect.cc:4720
4720	  str->append(tab->table->s->table_name.str, tab->table->s->table_name.length);
[Current thread is 1 (Thread 0x1512ad5c5700 (LWP 1155678))]
(gdb) bt
#0  0x000055fb6e7c200a in subselect_indexsubquery_engine::print (this=0x151260076aa0, str=0x1512ad5c3820, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_subselect.cc:4720
#1  0x000055fb6e7c16e9 in Item_subselect::print (this=this@entry=0x151260016d28, str=str@entry=0x1512ad5c3820, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_subselect.cc:1123
#2  0x000055fb6e7c1ac5 in Item_in_subselect::print (this=0x151260016d28, str=0x1512ad5c3820, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_subselect.cc:3514
#3  0x000055fb6e748a78 in Item_func::print_args (this=this@entry=0x151260029528, str=str@entry=0x1512ad5c3820, from=from@entry=0, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_func.cc:621
#4  0x000055fb6e748c96 in Item_func::print (this=this@entry=0x151260029528, str=str@entry=0x1512ad5c3820, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_func.cc:610
#5  0x000055fb6e707d42 in Item_in_optimizer::print (this=0x151260029528, str=0x1512ad5c3820, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_cmpfunc.cc:1235
#6  0x000055fb6e6d8be4 in Item::print_item_w_name (this=this@entry=0x151260029528, str=str@entry=0x1512ad5c3820, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item.cc:510
#7  0x000055fb6e44a3f9 in st_select_lex::print (this=this@entry=0x151260014f68, thd=0x151260000db8, str=str@entry=0x1512ad5c3820, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/sql_select.cc:28962
#8  0x000055fb6e3947fa in st_select_lex_unit::print (this=0x151260017028, str=str@entry=0x1512ad5c3820, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/sql_lex.cc:3703
#9  0x000055fb6e44937e in TABLE_LIST::print (this=0x1512600261c0, thd=thd@entry=0x151260000db8, eliminated_tables=eliminated_tables@entry=0, str=str@entry=0x1512ad5c3820, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/sql_select.cc:28756
#10 0x000055fb6e449a91 in print_table_array (query_type=QT_NO_DATA_EXPANSION, end=0x151260099130, table=0x151260099128, str=0x1512ad5c3820, eliminated_tables=0, thd=0x151260000db8) at /test/10.10_dbg/sql/sql_select.cc:28494
#11 print_join (thd=thd@entry=0x151260000db8, eliminated_tables=0, str=str@entry=0x1512ad5c3820, tables=0x151260014b80, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/sql_select.cc:28650
#12 0x000055fb6e44a45e in st_select_lex::print (this=0x1512600149c8, thd=thd@entry=0x151260000db8, str=str@entry=0x1512ad5c3820, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/sql_select.cc:28976
#13 0x000055fb6e7c0e8c in subselect_single_select_engine::print (this=0x151260017ab0, str=0x1512ad5c3820, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_subselect.cc:4653
#14 0x000055fb6e7c16e9 in Item_subselect::print (this=this@entry=0x151260017888, str=str@entry=0x1512ad5c3820, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_subselect.cc:1123
#15 0x000055fb6e7c1ac5 in Item_in_subselect::print (this=0x151260017888, str=0x1512ad5c3820, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_subselect.cc:3514
#16 0x000055fb6e748a78 in Item_func::print_args (this=this@entry=0x151260029b80, str=str@entry=0x1512ad5c3820, from=from@entry=0, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_func.cc:621
#17 0x000055fb6e748c96 in Item_func::print (this=this@entry=0x151260029b80, str=str@entry=0x1512ad5c3820, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_func.cc:610
#18 0x000055fb6e707d42 in Item_in_optimizer::print (this=0x151260029b80, str=0x1512ad5c3820, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_cmpfunc.cc:1235
#19 0x000055fb6e6d8b10 in Item::print_parenthesised (this=this@entry=0x151260029b80, str=str@entry=0x1512ad5c3820, query_type=query_type@entry=QT_NO_DATA_EXPANSION, parent_prec=<optimized out>) at /test/10.10_dbg/sql/item.cc:496
#20 0x000055fb6e748f22 in Item_func::print_op (this=0x151260027338, str=0x1512ad5c3820, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_func.cc:630
#21 0x000055fb6e76884b in Item_num_op::print (this=<optimized out>, str=<optimized out>, query_type=<optimized out>) at /test/10.10_dbg/sql/item_func.h:1106
#22 0x000055fb6e76866e in Item_func::raise_numeric_overflow (this=<optimized out>, type_name=0x55fb6ef912e2 "BIGINT UNSIGNED") at /test/10.10_dbg/sql/item_func.h:213
#23 0x000055fb6e747927 in Item_func::raise_integer_overflow (this=0x151260027338) at /test/10.10_dbg/sql/item_func.h:223
#24 Item_func_minus::int_op (this=0x151260027338) at /test/10.10_dbg/sql/item_func.cc:1339
#25 0x000055fb6e5bfeda in Item_func_hybrid_field_type::val_int_from_int_op (this=<optimized out>) at /test/10.10_dbg/sql/item_func.h:849
#26 Type_handler_int_result::Item_func_hybrid_field_type_val_int (this=<optimized out>, item=<optimized out>) at /test/10.10_dbg/sql/sql_type.cc:5426
#27 0x000055fb6e712f25 in Item_func_hybrid_field_type::val_int (this=0x151260027338) at /test/10.10_dbg/sql/sql_type.h:7441
#28 0x000055fb6e6e3dd3 in Item::save_int_in_field (this=0x151260027338, field=0x15126002a7d0, no_conversions=<optimized out>) at /test/10.10_dbg/sql/item.cc:6842
#29 0x000055fb6e5c2d64 in Type_handler_int_result::Item_save_in_field (this=<optimized out>, item=<optimized out>, field=<optimized out>, no_conversions=<optimized out>) at /test/10.10_dbg/sql/sql_type.cc:4362
#30 0x000055fb6e6ca4f1 in Item::save_in_field (this=0x151260027338, field=0x15126002a7d0, no_conversions=<optimized out>) at /test/10.10_dbg/sql/item.cc:6852
#31 0x000055fb6e3493d3 in fill_record (thd=thd@entry=0x151260000db8, table=table@entry=0x151260025d08, ptr=0x15126002a7a0, ptr@entry=0x15126002a798, values=@0x151260014938: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1512600273f0, last = 0x1512600273f0, elements = 1}, <No data fields>}, ignore_errors=ignore_errors@entry=false, use_value=use_value@entry=false) at /test/10.10_dbg/sql/sql_base.cc:9196
#32 0x000055fb6e349496 in fill_record_n_invoke_before_triggers (thd=thd@entry=0x151260000db8, table=table@entry=0x151260025d08, ptr=0x15126002a798, values=@0x151260014938: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1512600273f0, last = 0x1512600273f0, elements = 1}, <No data fields>}, ignore_errors=ignore_errors@entry=false, event=event@entry=TRG_EVENT_INSERT) at /test/10.10_dbg/sql/sql_base.cc:9251
#33 0x000055fb6e38caa3 in mysql_insert (thd=thd@entry=0x151260000db8, table_list=<optimized out>, fields=@0x151260005ea8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55fb6f8a8860 <end_of_list>, last = 0x151260005ea8, elements = 0}, <No data fields>}, values_list=@0x151260005ef0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x151260027500, last = 0x151260027500, elements = 1}, <No data fields>}, update_fields=@0x151260005ed8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55fb6f8a8860 <end_of_list>, last = 0x151260005ed8, elements = 0}, <No data fields>}, update_values=@0x151260005ec0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55fb6f8a8860 <end_of_list>, last = 0x151260005ec0, elements = 0}, <No data fields>}, duplic=DUP_ERROR, ignore=false, result=0x0) at /test/10.10_dbg/sql/sql_insert.cc:1088
#34 0x000055fb6e3ceeef in mysql_execute_command (thd=thd@entry=0x151260000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:4563
#35 0x000055fb6e3bb534 in mysql_parse (thd=thd@entry=0x151260000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1512ad5c4330) at /test/10.10_dbg/sql/sql_parse.cc:8037
#36 0x000055fb6e3c8b1c in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x151260000db8, packet=packet@entry=0x15126000b6e9 "INSERT INTO t VALUES ((TRUE IN (SELECT * FROM (SELECT (1^0)%1 IN (SELECT c FROM t GROUP BY c)) AS v))--((c IS NULL))^1)", packet_length=packet_length@entry=119, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1366
#37 0x000055fb6e3cb226 in do_command (thd=0x151260000db8, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407
#38 0x000055fb6e52c744 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55fb723c14c8, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1418
#39 0x000055fb6e52cc4d in handle_one_connection (arg=0x55fb723c14c8) at /test/10.10_dbg/sql/sql_connect.cc:1312
#40 0x00001512c7049609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#41 0x00001512c6c35133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.36 (dbg), 10.3.36 (opt), 10.4.26 (dbg), 10.4.26 (opt), 10.5.17 (dbg), 10.5.17 (opt), 10.6.9 (dbg), 10.6.9 (opt), 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)
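
Added here as an editor's triage aid, not part of the report or of MariaDB's code: a Python script that parses gdb `bt` output like the traces above, drops the addresses, and compares the two crashes (optimized build faulting in `subselect_uniquesubquery_engine::print`, debug build in `subselect_indexsubquery_engine::print`). Their top-of-stack signatures differ, yet both fault inside the statement-printing layer that `Item_func::raise_numeric_overflow` invoked while `mysql_insert` was running, which is the shared pattern a deduplication pass should key on (the report was later closed as a duplicate of MDEV-31181). The sample traces are excerpted and abridged from this page; `FRAME_RE`, `STMT_RE`, `classify` and the other names are this example's own.

```python
import hashlib
import re
from dataclasses import dataclass

# One frame of gdb "bt" output. Inlined frames lack the "0x... in" prefix
# ("#19 Item_func_minus::int_op (this=...) at ..."); the three-line "#0" header
# gdb prints before "(gdb) bt" never matches, because its "at file:line" is on
# its own line, so it is skipped along with banners and the source echo.
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>[^\s(]+)\s*"
    r"\((?P<args>.*)\)\s+at\s+(?P<file>\S+?):(?P<line>\d+)$"
)
# Per-statement handlers (mysql_insert, mysql_update, ...), not the dispatch layers.
STMT_RE = re.compile(r"^mysql_(?!parse$|execute_command$)\w+$")


@dataclass(frozen=True)
class Frame:
    num: int
    func: str
    file: str
    line: int


def parse_backtrace(text: str) -> list[Frame]:
    """Keep only lines shaped like gdb frames."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append(Frame(int(m["num"]), m["func"], m["file"], int(m["line"])))
    return frames


def is_print_frame(func: str) -> bool:
    """The statement-rendering layer: X::print, print_args, print_op, print_join, ..."""
    return "print" in func.rsplit("::", 1)[-1]


def top_signature(frames: list[Frame], depth: int = 3) -> str:
    """Conventional dedup key: hash of the top N function names (addresses already gone)."""
    key = "|".join(f.func for f in frames[:depth])
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def classify(frames: list[Frame]) -> dict:
    """Where it faulted, whether it was rendering the statement, and who asked for that."""
    if not frames:
        raise ValueError("no gdb frames found")
    fault = frames[0]
    # First frame, walking down from the fault, that is not part of the printing layer.
    trigger = next((f for f in frames if not is_print_frame(f.func)), None)
    handler = next((f for f in frames if STMT_RE.match(f.func)), None)
    return {
        "faulting_function": fault.func,
        "faulting_location": f"{fault.file.rsplit('/', 1)[-1]}:{fault.line}",
        "fault_during_printing": is_print_frame(fault.func),
        "triggered_by": trigger.func if trigger else None,
        "statement_handler": handler.func if handler else None,
        "top_signature": top_signature(frames),
    }


# Constructed sample input: frames excerpted from the two backtraces in this report,
# with intermediate frames left out and long argument lists abridged to "...".
OPT_TRACE = """\
Program terminated with signal SIGSEGV, Segmentation fault.
4669      if (tab->table->s->table_category == TABLE_CATEGORY_TEMPORARY)
(gdb) bt
#0  0x00005567cc02bf36 in subselect_uniquesubquery_engine::print (this=0x145754051350, str=0x1457e40f8840, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_opt/sql/item_subselect.cc:4669
#1  0x00005567cc02c0db in Item_subselect::print (this=0x145754013f20, str=0x1457e40f8840, query_type=<optimized out>) at /test/10.10_opt/sql/item_subselect.cc:1123
#2  0x00005567cbfc533b in Item_func::print_args (this=this@entry=0x14575401f808, str=str@entry=0x1457e40f8840, from=from@entry=0, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_opt/sql/item_func.cc:621
#16 0x00005567cbfc56c6 in Item_func::print_op (this=0x14575401d928, str=0x1457e40f8840, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_opt/sql/item_func.cc:630
#17 0x00005567cbfddbcc in Item_func::raise_numeric_overflow (this=<optimized out>, type_name=0x5567cc5a9c04 "BIGINT UNSIGNED") at /test/10.10_opt/sql/item_func.h:213
#19 Item_func_minus::int_op (this=0x14575401d928) at /test/10.10_opt/sql/item_func.cc:1339
#27 0x00005567cbcda332 in mysql_insert (thd=thd@entry=0x145754000c58, table_list=<optimized out>, ...) at /test/10.10_opt/sql/sql_insert.cc:1088
#28 0x00005567cbd149ef in mysql_execute_command (thd=0x145754000c58, ...) at /test/10.10_opt/sql/sql_parse.cc:4563
"""
DBG_TRACE = """\
#0  0x000055fb6e7c200a in subselect_indexsubquery_engine::print (this=0x151260076aa0, str=0x1512ad5c3820, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_subselect.cc:4720
#1  0x000055fb6e7c16e9 in Item_subselect::print (this=this@entry=0x151260016d28, str=str@entry=0x1512ad5c3820, query_type=query_type@entry=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_subselect.cc:1123
#2  0x000055fb6e7c1ac5 in Item_in_subselect::print (this=0x151260016d28, str=0x1512ad5c3820, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_subselect.cc:3514
#20 0x000055fb6e748f22 in Item_func::print_op (this=0x151260027338, str=0x1512ad5c3820, query_type=QT_NO_DATA_EXPANSION) at /test/10.10_dbg/sql/item_func.cc:630
#21 0x000055fb6e76884b in Item_num_op::print (this=<optimized out>, str=<optimized out>, query_type=<optimized out>) at /test/10.10_dbg/sql/item_func.h:1106
#22 0x000055fb6e76866e in Item_func::raise_numeric_overflow (this=<optimized out>, type_name=0x55fb6ef912e2 "BIGINT UNSIGNED") at /test/10.10_dbg/sql/item_func.h:213
#33 0x000055fb6e38caa3 in mysql_insert (thd=thd@entry=0x151260000db8, table_list=<optimized out>, ...) at /test/10.10_dbg/sql/sql_insert.cc:1088
"""

if __name__ == "__main__":
    # Two different top-3 signatures, one story: an INSERT hit an integer overflow,
    # composing the error text rendered the statement, and a subquery engine's
    # print() faulted on tab->table->s.
    for name, trace in (("opt/uniquesubquery", OPT_TRACE), ("dbg/indexsubquery", DBG_TRACE)):
        print(name, classify(parse_backtrace(trace)))
```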

Comment by Roel Van de Paar [ 2022-08-06 ]

Output for last testcase when using MyISAM:

10.10.0 e1caa4bd5e8b4645944b85d4b603bf9fc9ef6ca4 (Debug)

10.10.0-dbg>CREATE TABLE t(c INT UNIQUE) ENGINE=MyISAM;
Query OK, 0 rows affected (0.013 sec)
 
10.10.0-dbg>INSERT INTO t VALUES ((TRUE IN (SELECT * FROM (SELECT (1^0)%1 IN (SELECT c FROM t GROUP BY c)) AS v))--((c IS NULL))^1);
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(<in_optimizer>(1,<exists>(select `v`.`(1^0)%1 IN (SELECT c FROM t GROUP BY c)` from (select <in_optimizer>(1 ^ 0 MOD 1,<exists>(select `test`.`t`.`c` from `test`.`t` where trigcond(1 ^ 0 MOD 1 = `test`.`t`.`c` or `test`.`t`.`c` is null) having trigcond(`test`.`t`.`c` is null))) AS `(1^0)%1 IN (SELECT c FROM t GROUP BY c)`) `v` where 1 = `v`.`(1^0)%1 IN (SELECT c FROM t GROUP BY c)` or `v`.`(1^0)%1 IN (SELECT c FROM t GROUP BY c)` is null having `v`.`(1^0)%1 IN (SE

Besides the odd output, note the end is chopped off.

Comment by Dave Gosselin [ 2023-11-08 ]

Fixed by MDEV-31181 with git sha f5e7c56e3254271a434253ae1367a7be7c429f94
