|
Another testcase, not using BLOB, shows a similar crash in _ma_make_key and an otherwise similar outcome (i.e. the assert in (*select_ref)->fixed()) as explained above.
-- Minimal schema for the repro: one nullable INT column, no index or constraint.
CREATE TABLE t (a INT);
|
-- One row of all-default values (a is nullable and has no explicit default).
INSERT INTO t VALUES();
|
-- Self-insert doubles the row count; presumably needed so more than one row reaches
-- the temp-table write path that crashes below.
INSERT INTO t SELECT * FROM t;
|
-- Force internal temporary tables to disk; this is why the backtrace below goes through
-- the Aria write path (ha_write_tmp_row -> maria_write -> _ma_make_key).
SET big_tables=1;
|
-- Crashing statement: a scalar subquery over a derived table with HAVING, plus a WINDOW
-- clause whose ORDER BY is itself a subquery carrying its own WINDOW clause. The whole
-- mysqld process terminates with SIGSEGV in _ma_make_key (ma_key.c:214) while writing the
-- temp table -- see the backtrace below.
SELECT 1, (SELECT a FROM (SELECT 1) dt HAVING (a IN (1))) FROM t WINDOW w1 AS (ORDER BY (SELECT a FROM t GROUP BY a WINDOW w2 AS (PARTITION BY a)));
|
Leads to:
|
10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Optimized)
|
Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 0x000055876ba77750 in _ma_make_key (info=0x146da0062058,
|
int_key=0x146e2a8b5430, keynr=<optimized out>, key=0x146da006678f "",
|
record=0x146da004b770 "\377", filepos=0, trid=0)
|
at /test/10.11_opt/storage/maria/ma_key.c:214
|
[Current thread is 1 (Thread 0x146e2a8b7700 (LWP 2413192))]
|
(gdb) bt
|
#0 0x000055876ba77750 in _ma_make_key (info=0x146da0062058, int_key=0x146e2a8b5430, keynr=<optimized out>, key=0x146da006678f "", record=0x146da004b770 "\377", filepos=0, trid=0) at /test/10.11_opt/storage/maria/ma_key.c:214
|
#1 0x000055876ba8d5e6 in maria_write (info=0x146da0062058, record=0x146da004b770 "\377") at /test/10.11_opt/storage/maria/ma_write.c:189
|
#2 0x000055876b6b0018 in handler::ha_write_tmp_row (buf=0x146da004b770 "\377", this=0x146da0060510) at /test/10.11_opt/include/mysql/psi/mysql_thread.h:795
|
#3 end_write (join=0x146da004eb48, join_tab=0x146da0054448, end_of_records=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:23256
|
#4 0x000055876b6854d3 in evaluate_join_record (join=join@entry=0x146da004eb48, join_tab=join_tab@entry=0x146da0054090, error=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:21993
|
#5 0x000055876b696feb in sub_select (end_of_records=false, join_tab=0x146da0054090, join=0x146da004eb48) at /test/10.11_opt/sql/sql_select.cc:21763
|
#6 sub_select (join=0x146da004eb48, join_tab=0x146da0054090, end_of_records=false) at /test/10.11_opt/sql/sql_select.cc:21692
|
#7 0x000055876b6c5ba1 in do_select (procedure=<optimized out>, join=0x146da004eb48) at /test/10.11_opt/sql/sql_select.cc:21308
|
#8 JOIN::exec_inner (this=0x146da004eb48) at /test/10.11_opt/sql/sql_select.cc:4812
|
#9 0x000055876b6c5f68 in JOIN::exec (this=this@entry=0x146da004eb48) at /test/10.11_opt/sql/sql_select.cc:4590
|
#10 0x000055876b6c4171 in mysql_select (thd=0x146da0000c58, tables=0x146da0013608, fields=@0x146da0010b48: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x146da0010da0, last = 0x146da0013530, elements = 2}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x146da0014438, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x146da004eb20, unit=0x146da0004cd0, select_lex=0x146da00108a8) at /test/10.11_opt/sql/sql_select.cc:5070
|
#11 0x000055876b6c48b7 in handle_select (thd=thd@entry=0x146da0000c58, lex=lex@entry=0x146da0004bf8, result=result@entry=0x146da004eb20, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.11_opt/sql/sql_select.cc:581
|
#12 0x000055876b6465b1 in execute_sqlcom_select (thd=0x146da0000c58, all_tables=0x146da0013608) at /test/10.11_opt/sql/sql_parse.cc:6261
|
#13 0x000055876b6541f8 in mysql_execute_command (thd=0x146da0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:3945
|
#14 0x000055876b6417b5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x146da0000c58) at /test/10.11_opt/sql/sql_parse.cc:8035
|
#15 mysql_parse (thd=0x146da0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7957
|
#16 0x000055876b64d2ca in dispatch_command (command=COM_QUERY, thd=0x146da0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1339
|
#17 0x000055876b64f1f2 in do_command (thd=0x146da0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
|
#18 0x000055876b76746f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55876ed2b218, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1418
|
#19 0x000055876b76774d in handle_one_connection (arg=0x55876ed2b218) at /test/10.11_opt/sql/sql_connect.cc:1312
|
#20 0x0000146e5a1a7609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#21 0x0000146e59d93133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
Bug confirmed present in:
MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)
Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)
|
|
Another testcase, which leads to a SIGSEGV in _ma_calc_blob_length:
-- Non-strict SQL mode; presumably needed so the INSERT below (which omits the NOT NULL BLOB
-- and stores 1 into a DATE) is accepted with warnings instead of being rejected.
SET sql_mode='';
|
-- InnoDB base table with a NOT NULL BLOB. Note the crash is still in the Aria temp-table
-- write path (maria_write / _ma_unique_hash), not in InnoDB.
CREATE TABLE t (a BLOB NOT NULL,b DATE NOT NULL) ENGINE=InnoDB;
|
-- Only b is supplied; a (NOT NULL BLOB, no default) relies on the relaxed sql_mode above
-- to receive an implicit default.
INSERT INTO t (b) VALUES (1);
|
-- Crashing statement, same shape as the INT testcase above but with the window name w0
-- reused inside the nested subquery. mysqld terminates with SIGSEGV in _ma_calc_blob_length
-- (ma_dynrec.c:1417), reached from _ma_unique_hash during the Aria temp-table write --
-- see the backtrace below.
SELECT 0, (SELECT a FROM (SELECT 0) dt HAVING (a IN (0))) FROM t WINDOW w0 AS (ORDER BY (SELECT a FROM t GROUP BY a WINDOW w0 AS (PARTITION BY a)));
|
Leads to:
|
11.0.1 b075191ba8598af6aff5549e6e19f6255aef258a (Optimized)
|
Core was generated by `/test/MD090123-mariadb-11.0.1-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 _ma_calc_blob_length (length=2,
|
pos=pos@entry=0x14f3ec053820 <error: Cannot access memory at address 0x14f3ec053820>) at /test/11.0_opt/storage/maria/ma_dynrec.c:1417
|
1417 return (uint) uint2korr(pos);
|
[Current thread is 1 (Thread 0x14f320404640 (LWP 444249))]
|
(gdb) bt
|
#0 _ma_calc_blob_length (length=2, pos=pos@entry=0x14f3ec053820 <error: Cannot access memory at address 0x14f3ec053820>) at /test/11.0_opt/storage/maria/ma_dynrec.c:1417
|
#1 0x0000557133b26d90 in _ma_unique_hash (def=def@entry=0x14f2ec07e608, record=record@entry=0x14f2ec0788d0 <incomplete sequence \374>) at /test/11.0_opt/storage/maria/ma_unique.c:140
|
#2 0x0000557133b75d9d in maria_write (info=0x14f2ec07ea58, record=0x14f2ec0788d0 <incomplete sequence \374>) at /test/11.0_opt/storage/maria/ma_write.c:133
|
#3 0x000055713378e398 in handler::ha_write_tmp_row (buf=0x14f2ec0788d0 <incomplete sequence \374>, this=0x14f2ec078bd0) at /test/11.0_opt/sql/sql_class.h:7453
|
#4 end_write (join=0x14f2ec049850, join_tab=0x14f2ec052210, end_of_records=<optimized out>) at /test/11.0_opt/sql/sql_select.cc:23336
|
#5 0x00005571337637c3 in evaluate_join_record (join=join@entry=0x14f2ec049850, join_tab=join_tab@entry=0x14f2ec051e58, error=<optimized out>) at /test/11.0_opt/sql/sql_select.cc:22073
|
#6 0x0000557133774dcf in sub_select (end_of_records=false, join_tab=0x14f2ec051e58, join=0x14f2ec049850) at /test/11.0_opt/sql/sql_select.cc:21843
|
#7 sub_select (join=0x14f2ec049850, join_tab=0x14f2ec051e58, end_of_records=<optimized out>) at /test/11.0_opt/sql/sql_select.cc:21770
|
#8 0x00005571337a46b8 in do_select (procedure=0x0, join=0x14f2ec049850) at /test/11.0_opt/sql/sql_select.cc:21386
|
#9 JOIN::exec_inner (this=0x14f2ec049850) at /test/11.0_opt/sql/sql_select.cc:4822
|
#10 0x00005571337a4b08 in JOIN::exec (this=this@entry=0x14f2ec049850) at /test/11.0_opt/sql/sql_select.cc:4600
|
#11 0x00005571337a2c11 in mysql_select (thd=0x14f2ec000c68, tables=0x14f2ec013700, fields=@0x14f2ec010b98: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14f2ec010df8, last = 0x14f2ec013628, elements = 2}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x14f2ec014568, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x14f2ec049828, unit=0x14f2ec004ce8, select_lex=0x14f2ec0108f8) at /test/11.0_opt/sql/sql_select.cc:5080
|
#12 0x00005571337a3354 in handle_select (thd=thd@entry=0x14f2ec000c68, lex=lex@entry=0x14f2ec004c10, result=result@entry=0x14f2ec049828, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.0_opt/sql/sql_select.cc:581
|
#13 0x000055713371eb25 in execute_sqlcom_select (thd=0x14f2ec000c68, all_tables=0x14f2ec013700) at /test/11.0_opt/sql/sql_parse.cc:6265
|
#14 0x000055713372d870 in mysql_execute_command (thd=0x14f2ec000c68, is_called_from_prepared_stmt=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:3949
|
#15 0x000055713372f104 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14f2ec000c68) at /test/11.0_opt/sql/sql_parse.cc:8000
|
#16 mysql_parse (thd=0x14f2ec000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:7922
|
#17 0x00005571337316e2 in dispatch_command (command=COM_QUERY, thd=0x14f2ec000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:1991
|
#18 0x0000557133732e80 in do_command (thd=0x14f2ec000c68, blocking=blocking@entry=true) at /test/11.0_opt/sql/sql_parse.cc:1407
|
#19 0x0000557133848ab7 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5571370fe0c8, put_in_cache=put_in_cache@entry=true) at /test/11.0_opt/sql/sql_connect.cc:1416
|
#20 0x0000557133848d8d in handle_one_connection (arg=0x5571370fe0c8) at /test/11.0_opt/sql/sql_connect.cc:1318
|
#21 0x000014f338ea7b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
|
#22 0x000014f338f39a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
Present in 10.3-10.11, dbg+opt builds, though dbg builds crash on the crash from MDEV-28506
|