[#MDEV-29638] Subselect using index cause crashes

2022-09-26 15:40:01 0 [Note] mariadbd: ready for connections.

Version: '10.6.9-MariaDB-1:10.6.9+maria~ubu2004'  socket: '/run/mysqld/mysqld.sock'  port: 3306  mariadb.org binary distribution

220926 15:40:22 [ERROR] mysqld got signal 11 ;

This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed,

something is definitely wrong and this may fail.

Server version: 10.6.9-MariaDB-1:10.6.9+maria~ubu2004

key_buffer_size=134217728

read_buffer_size=131072

max_used_connections=3

max_threads=153

thread_count=3

It is possible that mysqld could use up to

key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467959 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x7f180c000c58

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack_bottom = 0x7f18549d4d98 thread_stack 0x49000

Printing to addr2line failed

mariadbd(my_print_stacktrace+0x32)[0x560930f3cf62]

mariadbd(handle_fatal_signal+0x485)[0x5609309fdfb5]

/lib/x86_64-linux-gnu/libpthread.so.0(+0x14420)[0x7f186cdbc420]

mariadbd(_Z16best_access_pathP4JOINP13st_join_tableyPK8POSITIONjbdPS3_S6_+0xde3)[0x560930803353]

mariadbd(+0x7e4f67)[0x560930805f67]

mariadbd(+0x7e5212)[0x560930806212]

mariadbd(_Z11choose_planP4JOINy+0x2e2)[0x560930806da2]

mariadbd(_ZN13st_join_table21choose_best_splittingEdy+0x57e)[0x56093097cb4e]

mariadbd(_Z16best_access_pathP4JOINP13st_join_tableyPK8POSITIONjbdPS3_S6_+0x13c)[0x5609308026ac]

mariadbd(+0x7e4f67)[0x560930805f67]

mariadbd(+0x7e5212)[0x560930806212]

mariadbd(_Z11choose_planP4JOINy+0x2e2)[0x560930806da2]

mariadbd(_ZN4JOIN14optimize_innerEv+0x3862)[0x560930834042]

mariadbd(_ZN4JOIN8optimizeEv+0xc3)[0x560930834833]

mariadbd(+0x76334c)[0x56093078434c]

mariadbd(_Z27mysql_handle_single_derivedP3LEXP10TABLE_LISTj+0x99)[0x560930783b89]

mariadbd(_ZN13st_select_lex14handle_derivedEP3LEXj+0x47)[0x5609307a0ae7]

mariadbd(_ZN4JOIN14optimize_innerEv+0x1215)[0x5609308319f5]

mariadbd(_ZN4JOIN8optimizeEv+0xc3)[0x560930834833]

mariadbd(_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex+0xb7)[0x560930834907]

mariadbd(_Z13handle_selectP3THDP3LEXP13select_resultm+0x157)[0x560930835117]

mariadbd(+0x7a25f1)[0x5609307c35f1]

mariadbd(_Z21mysql_execute_commandP3THDb+0x4489)[0x5609307d19c9]

mariadbd(_Z11mysql_parseP3THDPcjP12Parser_state+0x1e7)[0x5609307be1e7]

mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjb+0x1095)[0x5609307ca4d5]

mariadbd(_Z10do_commandP3THDb+0x138)[0x5609307cc718]

mariadbd(_Z24do_handle_one_connectionP7CONNECTb+0x3b7)[0x5609308de137]

mariadbd(handle_one_connection+0x5d)[0x5609308de48d]

mariadbd(+0xc23916)[0x560930c44916]

/lib/x86_64-linux-gnu/libpthread.so.0(+0x8609)[0x7f186cdb0609]

/lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7f186c99c133]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x7f180c0108c0): SELECT *

FROM (SELECT DISTINCT a.users_id AS id

      FROM applicants a

               INNER JOIN (SELECT ram.applicants_users_id

                           FROM rel_applicants_to_missions ram

                                    INNER JOIN missions m ON m.id = ram.missions_id

                           WHERE (m.mission_status > 2 AND m.mission_type = 2)

                           GROUP BY ram.applicants_users_id) m2 ON m2.applicants_users_id = a.users_id) result

Connection ID (thread ID): 5

Status: NOT_KILLED

Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=on,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=off,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=on,mrr_cost_based=off,mrr_sort_keys=on,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on,extended_keys=on,exists_to_in=off,orderby_uses_equalities=on,condition_pushdown_for_derived=off,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /var/lib/mysql

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units

Max cpu time              unlimited            unlimited            seconds

Max file size             unlimited            unlimited            bytes

Max data size             unlimited            unlimited            bytes

Max stack size            8388608              unlimited            bytes

Max core file size        0                    unlimited            bytes

Max resident set          unlimited            unlimited            bytes

Max processes             unlimited            unlimited            processes

Max open files            1048576              1048576              files

Max locked memory         65536                65536                bytes

Max address space         unlimited            unlimited            bytes

Max file locks            unlimited            unlimited            locks

Max pending signals       23298                23298                signals

Max msgqueue size         819200               819200               bytes

Max nice priority         0                    0

Max realtime priority     0                    0

Max realtime timeout      unlimited            unlimited            us

Core pattern: core

Kernel version: Linux version 5.10.124-linuxkit (root@buildkitsandbox) (gcc (Alpine 10.2.1_pre1) 10.2.1 20201203, GNU ld (GNU Binutils) 2.35.2) #1 SMP Thu Jun 30 08:19:10 UTC 2022

Thank you for the report!
I repeated as described on 10.3-10.10 with optimizer_switch='condition_pushdown_for_derived=off,split_materialized=on', with InnoDB engine, explain also crashes.

10.3 b3e06ce3fde4cb1e64f1b
Version: '10.3.37-MariaDB-debug-log'
=================================================================
==1091436==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000fc3e0 at pc 0x55fd10b27608 bp 0x7f2d43980fc0 sp 0x7f2d43980fb0
READ of size 4 at 0x6130000fc3e0 thread T27
#0 0x55fd10b27607 in best_access_path(JOIN, st_join_table, unsigned long long, st_position const, unsigned int, bool, double, st_position, st_position*) /10.3/src/sql/sql_select.cc:7446
#1 0x55fd10b2fbeb in best_extension_by_limited_search /10.3/src/sql/sql_select.cc:9007
#2 0x55fd10b30635 in best_extension_by_limited_search /10.3/src/sql/sql_select.cc:9078
#3 0x55fd10b2b9f7 in greedy_search /10.3/src/sql/sql_select.cc:8184
#4 0x55fd10b2981f in choose_plan(JOIN*, unsigned long long) /10.3/src/sql/sql_select.cc:7760
#5 0x55fd10faad7e in st_join_table::choose_best_splitting(double, unsigned long long) /10.3/src/sql/opt_split.cc:975
#6 0x55fd10b24565 in best_access_path(JOIN, st_join_table, unsigned long long, st_position const, unsigned int, bool, double, st_position, st_position*) /10.3/src/sql/sql_select.cc:6963
#7 0x55fd10b2fbeb in best_extension_by_limited_search /10.3/src/sql/sql_select.cc:9007
#8 0x55fd10b30635 in best_extension_by_limited_search /10.3/src/sql/sql_select.cc:9078
#9 0x55fd10b2b9f7 in greedy_search /10.3/src/sql/sql_select.cc:8184
#10 0x55fd10b2981f in choose_plan(JOIN*, unsigned long long) /10.3/src/sql/sql_select.cc:7760
#11 0x55fd10b16512 in make_join_statistics /10.3/src/sql/sql_select.cc:5221
#12 0x55fd10af4fd9 in JOIN::optimize_inner() /10.3/src/sql/sql_select.cc:1992
#13 0x55fd10af04b4 in JOIN::optimize() /10.3/src/sql/sql_select.cc:1534
#14 0x55fd10981bc3 in mysql_derived_optimize(THD, LEX, TABLE_LIST*) /10.3/src/sql/sql_derived.cc:962
#15 0x55fd1097ce68 in mysql_handle_single_derived(LEX, TABLE_LIST, unsigned int) /10.3/src/sql/sql_derived.cc:193
#16 0x55fd10d60b6e in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.3/src/sql/table.cc:8536
#17 0x55fd109c24c3 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.3/src/sql/sql_lex.h:4032
#18 0x55fd109e3422 in st_select_lex::handle_derived(LEX*, unsigned int) /10.3/src/sql/sql_lex.cc:4196
#19 0x55fd10af3488 in JOIN::optimize_inner() /10.3/src/sql/sql_select.cc:1823
#20 0x55fd10af04b4 in JOIN::optimize() /10.3/src/sql/sql_select.cc:1534
#21 0x55fd10b0db8e in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /10.3/src/sql/sql_select.cc:4360
#22 0x55fd10ae3ed2 in handle_select(THD, LEX, select_result*, unsigned long) /10.3/src/sql/sql_select.cc:372
#23 0x55fd10a54be2 in execute_sqlcom_select /10.3/src/sql/sql_parse.cc:6340
#24 0x55fd10a42c1d in mysql_execute_command(THD*) /10.3/src/sql/sql_parse.cc:3871
#25 0x55fd10a5e93f in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /10.3/src/sql/sql_parse.cc:7871
#26 0x55fd10a3581c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /10.3/src/sql/sql_parse.cc:1852
#27 0x55fd10a3235f in do_command(THD*) /10.3/src/sql/sql_parse.cc:1398
#28 0x55fd10e063b2 in do_handle_one_connection(CONNECT*) /10.3/src/sql/sql_connect.cc:1403
#29 0x55fd10e05c6c in handle_one_connection /10.3/src/sql/sql_connect.cc:1308
#30 0x55fd1243778c in pfs_spawn_thread /10.3/src/storage/perfschema/pfs.cc:1869
#31 0x7f2d5a141608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#32 0x7f2d5a066132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

0x6130000fc3e0 is located 32 bytes inside of 328-byte region [0x6130000fc3c0,0x6130000fc508)
freed by thread T27 here:
#0 0x7f2d5aa96c65 in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:177
#1 0x55fd11558bc2 in QUICK_RANGE_SELECT::~QUICK_RANGE_SELECT() /10.3/src/sql/opt_range.cc:1338
#2 0x55fd10b3f1a6 in make_join_select /10.3/src/sql/sql_select.cc:11067
#3 0x55fd10af7b0e in JOIN::optimize_stage2() /10.3/src/sql/sql_select.cc:2248
#4 0x55fd10af0400 in JOIN::optimize() /10.3/src/sql/sql_select.cc:1527
#5 0x55fd10981bc3 in mysql_derived_optimize(THD, LEX, TABLE_LIST*) /10.3/src/sql/sql_derived.cc:962
#6 0x55fd1097ce68 in mysql_handle_single_derived(LEX, TABLE_LIST, unsigned int) /10.3/src/sql/sql_derived.cc:193
#7 0x55fd10d60b6e in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.3/src/sql/table.cc:8536
#8 0x55fd109c24c3 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.3/src/sql/sql_lex.h:4032
#9 0x55fd109e3422 in st_select_lex::handle_derived(LEX*, unsigned int) /10.3/src/sql/sql_lex.cc:4196
#10 0x55fd10af3488 in JOIN::optimize_inner() /10.3/src/sql/sql_select.cc:1823
#11 0x55fd10af04b4 in JOIN::optimize() /10.3/src/sql/sql_select.cc:1534
#12 0x55fd10981bc3 in mysql_derived_optimize(THD, LEX, TABLE_LIST*) /10.3/src/sql/sql_derived.cc:962
#13 0x55fd1097ce68 in mysql_handle_single_derived(LEX, TABLE_LIST, unsigned int) /10.3/src/sql/sql_derived.cc:193
#14 0x55fd10d60b6e in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.3/src/sql/table.cc:8536
#15 0x55fd109c24c3 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.3/src/sql/sql_lex.h:4032
#16 0x55fd109e3422 in st_select_lex::handle_derived(LEX*, unsigned int) /10.3/src/sql/sql_lex.cc:4196
#17 0x55fd10af3488 in JOIN::optimize_inner() /10.3/src/sql/sql_select.cc:1823
#18 0x55fd10af04b4 in JOIN::optimize() /10.3/src/sql/sql_select.cc:1534
#19 0x55fd10b0db8e in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /10.3/src/sql/sql_select.cc:4360
#20 0x55fd10ae3ed2 in handle_select(THD, LEX, select_result*, unsigned long) /10.3/src/sql/sql_select.cc:372
#21 0x55fd10a54be2 in execute_sqlcom_select /10.3/src/sql/sql_parse.cc:6340
#22 0x55fd10a42c1d in mysql_execute_command(THD*) /10.3/src/sql/sql_parse.cc:3871
#23 0x55fd10a5e93f in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /10.3/src/sql/sql_parse.cc:7871
#24 0x55fd10a3581c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /10.3/src/sql/sql_parse.cc:1852
#25 0x55fd10a3235f in do_command(THD*) /10.3/src/sql/sql_parse.cc:1398
#26 0x55fd10e063b2 in do_handle_one_connection(CONNECT*) /10.3/src/sql/sql_connect.cc:1403
#27 0x55fd10e05c6c in handle_one_connection /10.3/src/sql/sql_connect.cc:1308
#28 0x55fd1243778c in pfs_spawn_thread /10.3/src/storage/perfschema/pfs.cc:1869
#29 0x7f2d5a141608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477

previously allocated by thread T27 here:
#0 0x7f2d5aa95587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
#1 0x55fd11594319 in get_quick_select(PARAM, unsigned int, SEL_ARG, unsigned int, unsigned int, st_mem_root*) /10.3/src/sql/opt_range.cc:10665
#2 0x55fd115bd85b in TRP_RANGE::make_quick(PARAM, bool, st_mem_root) /10.3/src/sql/opt_range.cc:2117
#3 0x55fd11562fa8 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool) /10.3/src/sql/opt_range.cc:2701
#4 0x55fd10b0e39b in get_quick_record_count /10.3/src/sql/sql_select.cc:4411
#5 0x55fd10b14caa in make_join_statistics /10.3/src/sql/sql_select.cc:5111
#6 0x55fd10af4fd9 in JOIN::optimize_inner() /10.3/src/sql/sql_select.cc:1992
#7 0x55fd10af04b4 in JOIN::optimize() /10.3/src/sql/sql_select.cc:1534
#8 0x55fd10981bc3 in mysql_derived_optimize(THD, LEX, TABLE_LIST*) /10.3/src/sql/sql_derived.cc:962
#9 0x55fd1097ce68 in mysql_handle_single_derived(LEX, TABLE_LIST, unsigned int) /10.3/src/sql/sql_derived.cc:193
#10 0x55fd10d60b6e in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.3/src/sql/table.cc:8536
#11 0x55fd109c24c3 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.3/src/sql/sql_lex.h:4032
#12 0x55fd109e3422 in st_select_lex::handle_derived(LEX*, unsigned int) /10.3/src/sql/sql_lex.cc:4196
#13 0x55fd10d60ae0 in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.3/src/sql/table.cc:8533
#14 0x55fd109c24c3 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.3/src/sql/sql_lex.h:4032
#15 0x55fd109e3422 in st_select_lex::handle_derived(LEX*, unsigned int) /10.3/src/sql/sql_lex.cc:4196
#16 0x55fd10af3488 in JOIN::optimize_inner() /10.3/src/sql/sql_select.cc:1823
#17 0x55fd10af04b4 in JOIN::optimize() /10.3/src/sql/sql_select.cc:1534
#18 0x55fd10b0db8e in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /10.3/src/sql/sql_select.cc:4360
#19 0x55fd10ae3ed2 in handle_select(THD, LEX, select_result*, unsigned long) /10.3/src/sql/sql_select.cc:372
#20 0x55fd10a54be2 in execute_sqlcom_select /10.3/src/sql/sql_parse.cc:6340
#21 0x55fd10a42c1d in mysql_execute_command(THD*) /10.3/src/sql/sql_parse.cc:3871
#22 0x55fd10a5e93f in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /10.3/src/sql/sql_parse.cc:7871
#23 0x55fd10a3581c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /10.3/src/sql/sql_parse.cc:1852
#24 0x55fd10a3235f in do_command(THD*) /10.3/src/sql/sql_parse.cc:1398
#25 0x55fd10e063b2 in do_handle_one_connection(CONNECT*) /10.3/src/sql/sql_connect.cc:1403
#26 0x55fd10e05c6c in handle_one_connection /10.3/src/sql/sql_connect.cc:1308
#27 0x55fd1243778c in pfs_spawn_thread /10.3/src/storage/perfschema/pfs.cc:1869
#28 0x7f2d5a141608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477

Thread T27 created by T0 here:
#0 0x7f2d5a9c0815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
#1 0x55fd12437b7d in spawn_thread_v1 /10.3/src/storage/perfschema/pfs.cc:1919
#2 0x55fd1075739e in inline_mysql_thread_create /10.3/src/include/mysql/psi/mysql_thread.h:1275
#3 0x55fd10770158 in create_thread_to_handle_connection(CONNECT*) /10.3/src/sql/mysqld.cc:6668
#4 0x55fd107708f3 in create_new_thread /10.3/src/sql/mysqld.cc:6738
#5 0x55fd10771a85 in handle_connections_sockets() /10.3/src/sql/mysqld.cc:6996
#6 0x55fd1076f449 in mysqld_main(int, char**) /10.3/src/sql/mysqld.cc:6290
#7 0x55fd10755b9c in main /10.3/src/sql/main.cc:25
#8 0x7f2d59f6b082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /10.3/src/sql/sql_select.cc:7446 in best_access_path(JOIN, st_join_table, unsigned long long, st_position const, unsigned int, bool, double, st_position, st_position*)
Shadow bytes around the buggy address:
0x0c2680017820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2680017830: 04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2680017840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2680017850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2680017860: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
=>0x0c2680017870: fa fa fa fa fa fa fa fa fd fd fd fd[fd]fd fd fd
0x0c2680017880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2680017890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c26800178a0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c26800178b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c26800178c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1091436==ABORTING
----------SERVER LOG END-------------

[MDEV-29638] Subselect using index cause crashes Created: 2022-09-26 Updated: 2023-11-28
Status:	Stalled
Project:	MariaDB Server
Component/s:	Optimizer
Affects Version/s:	10.6.9, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10
Fix Version/s:	10.4, 10.5, 10.6, 10.11, 11.0

[MDEV-29638] Subselect using index cause crashes Created: 2022-09-26 Updated: 2023-11-28