[MDEV-30007] SIGSEGV in st_select_lex_unit::is_derived_eliminated, runtime error: member access within null pointer of type 'struct TABLE' in st_select_lex_unit::is_derived_eliminated() Created: 2022-11-14  Updated: 2022-11-15  Resolved: 2022-11-14

Status: Closed
Project: MariaDB Server
Component/s: Optimizer, Views
Affects Version/s: 10.10, 10.11
Fix Version/s: 10.10.2

Type: Bug Priority: Blocker
Reporter: Roel Van de Paar Assignee: Oleksandr Byelkin
Resolution: Fixed Votes: 0
Labels: regression

Issue Links:
Problem/Incident
is caused by MDEV-26278 Table elimination does not work acros... Closed

 Description   


CREATE VIEW v AS SELECT 1 AS a;
SELECT ROUND ((SELECT 1 FROM v)) FROM v GROUP BY ROUND ((SELECT 1 FROM v));

Leads to:

10.11.1 50c5743adc87e1cdec1431a02558f6540fe5a6d5 (Optimized)

Core was generated by `/test/MD221022-mariadb-10.11.1-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000559f36bf7f30 in st_select_lex_unit::is_derived_eliminated (
    this=0x14a7d0020ed8) at /test/10.11_opt/sql/sql_lex.cc:11931
11931	  return derived->table->map & outer_select()->join->eliminated_tables;
[Current thread is 1 (Thread 0x14a8280a8700 (LWP 3005740))]
(gdb) bt
#0  0x0000559f36bf7f30 in st_select_lex_unit::is_derived_eliminated (this=0x14a7d0020ed8) at /test/10.11_opt/sql/sql_lex.cc:11931
#1  0x0000559f36bf7fd9 in st_select_lex_unit::explainable (this=0x14a7d0020ed8) at /test/10.11_opt/sql/table.h:2878
#2  st_select_lex_unit::explainable (this=this@entry=0x14a7d0020ed8) at /test/10.11_opt/sql/sql_lex.cc:11906
#3  0x0000559f36c78ea8 in JOIN::save_explain_data_intern (this=0x14a7d00207d8, output=0x14a7d0024a38, need_tmp_table_arg=<optimized out>, need_order_arg=<optimized out>, distinct_arg=<optimized out>, message=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:28383
#4  0x0000559f36c79890 in JOIN::save_explain_data (this=0x14a7d00207d8, output=0x14a7d0024a38, can_overwrite=<optimized out>, need_tmp_table=<optimized out>, need_order=<optimized out>, distinct=<optimized out>) at /test/10.11_opt/sql/sql_select.cc:4550
#5  0x0000559f36c79963 in JOIN::build_explain (this=this@entry=0x14a7d00207d8) at /test/10.11_opt/sql/sql_select.cc:1809
#6  0x0000559f36c83e6a in JOIN::optimize (this=this@entry=0x14a7d00207d8) at /test/10.11_opt/sql/sql_select.cc:1870
#7  0x0000559f36c83f7e in mysql_select (thd=0x14a7d0000c58, tables=0x14a7d0012668, fields=@0x14a7d0010bf8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14a7d00125d0, last = 0x14a7d00125d0, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x14a7d0014590, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x14a7d00207b0, unit=0x14a7d0004cd8, select_lex=0x14a7d0010958) at /test/10.11_opt/sql/sql_select.cc:5057
#8  0x0000559f36c84717 in handle_select (thd=thd@entry=0x14a7d0000c58, lex=lex@entry=0x14a7d0004c00, result=result@entry=0x14a7d00207b0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.11_opt/sql/sql_select.cc:582
#9  0x0000559f36c062e1 in execute_sqlcom_select (thd=0x14a7d0000c58, all_tables=0x14a7d0012668) at /test/10.11_opt/sql/sql_parse.cc:6261
#10 0x0000559f36c13e6b in mysql_execute_command (thd=0x14a7d0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:3945
#11 0x0000559f36c01335 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14a7d0000c58) at /test/10.11_opt/sql/sql_parse.cc:8023
#12 mysql_parse (thd=0x14a7d0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7945
#13 0x0000559f36c0d0ea in dispatch_command (command=COM_QUERY, thd=0x14a7d0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1346
#14 0x0000559f36c0eee2 in do_command (thd=0x14a7d0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
#15 0x0000559f36d28fbf in do_handle_one_connection (connect=<optimized out>, connect@entry=0x559f38b4dd48, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1416
#16 0x0000559f36d2929d in handle_one_connection (arg=0x559f38b4dd48) at /test/10.11_opt/sql/sql_connect.cc:1318
#17 0x000014a855344609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x000014a854f30133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.11.1 50c5743adc87e1cdec1431a02558f6540fe5a6d5 (Debug)

Core was generated by `/test/MD221022-mariadb-10.11.1-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055c76de3e1bb in st_select_lex_unit::is_derived_eliminated (
    this=0x150d54025b38) at /test/10.11_dbg/sql/sql_lex.cc:11931
11931	  return derived->table->map & outer_select()->join->eliminated_tables;
[Current thread is 1 (Thread 0x150de8053700 (LWP 1473257))]
(gdb) bt
#0  0x000055c76de3e1bb in st_select_lex_unit::is_derived_eliminated (this=0x150d54025b38) at /test/10.11_dbg/sql/sql_lex.cc:11931
#1  0x000055c76de3e26b in st_select_lex_unit::explainable (this=this@entry=0x150d54025b38) at /test/10.11_dbg/sql/table.h:2878
#2  0x000055c76ded2c2d in JOIN::save_explain_data_intern (this=this@entry=0x150d54025438, output=0x150d540296b0, need_tmp_table_arg=need_tmp_table_arg@entry=false, need_order_arg=need_order_arg@entry=false, distinct_arg=distinct_arg@entry=false, message=<optimized out>) at /test/10.11_dbg/sql/sql_select.cc:28383
#3  0x000055c76ded2e85 in JOIN::save_explain_data (this=this@entry=0x150d54025438, output=0x150d540296b0, can_overwrite=can_overwrite@entry=false, need_tmp_table=<optimized out>, need_order=<optimized out>, distinct=<optimized out>) at /test/10.11_dbg/sql/sql_select.cc:4550
#4  0x000055c76ded30a9 in JOIN::build_explain (this=this@entry=0x150d54025438) at /test/10.11_dbg/sql/sql_select.cc:1809
#5  0x000055c76dee0529 in JOIN::optimize (this=this@entry=0x150d54025438) at /test/10.11_dbg/sql/sql_select.cc:1870
#6  0x000055c76dee05ff in mysql_select (thd=thd@entry=0x150d54000d48, tables=0x150d54015038, fields=@0x150d540135c8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x150d54014fa0, last = 0x150d54014fa0, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x150d54016f60, having=0x0, proc_param=0x0, select_options=2164525824, result=0x150d54025410, unit=0x150d54004f88, select_lex=0x150d54013328) at /test/10.11_dbg/sql/sql_select.cc:5057
#7  0x000055c76dee0dc5 in handle_select (thd=thd@entry=0x150d54000d48, lex=lex@entry=0x150d54004eb0, result=result@entry=0x150d54025410, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.11_dbg/sql/sql_select.cc:582
#8  0x000055c76de4ead5 in execute_sqlcom_select (thd=thd@entry=0x150d54000d48, all_tables=0x150d54015038) at /test/10.11_dbg/sql/sql_parse.cc:6261
#9  0x000055c76de5abd2 in mysql_execute_command (thd=thd@entry=0x150d54000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.11_dbg/sql/sql_parse.cc:3945
#10 0x000055c76de48f90 in mysql_parse (thd=thd@entry=0x150d54000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x150de8052300) at /test/10.11_dbg/sql/sql_parse.cc:8023
#11 0x000055c76de564ac in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x150d54000d48, packet=packet@entry=0x150d5400af09 "SELECT ROUND ((SELECT 1 FROM t)) FROM t GROUP BY ROUND ((SELECT 1 FROM t))", packet_length=packet_length@entry=74, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_class.h:1346
#12 0x000055c76de588f4 in do_command (thd=0x150d54000d48, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407
#13 0x000055c76dfb5067 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55c77072cf38, put_in_cache=put_in_cache@entry=true) at /test/10.11_dbg/sql/sql_connect.cc:1416
#14 0x000055c76dfb5536 in handle_one_connection (arg=0x55c77072cf38) at /test/10.11_dbg/sql/sql_connect.cc:1318
#15 0x0000150dffaff609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#16 0x0000150dff6eb133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.10.2 (dbg), 10.10.2 (opt), 10.11.1 (dbg), 10.11.1 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.3 (dbg), 10.9.3 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)



 Comments   
Comment by Roel Van de Paar [ 2022-11-14 ]

10.9.3 50c6090107d582a39e5be018c9fb4f40202210f9 (Debug)

10.9.3-dbg>SELECT ROUND ((SELECT 1 FROM v)) FROM v GROUP BY ROUND ((SELECT 1 FROM v));
+---------------------------+
| ROUND ((SELECT 1 FROM v)) |
+---------------------------+
|                         1 |
+---------------------------+
1 row in set (0.001 sec)

Comment by Roel Van de Paar [ 2022-11-14 ]

10.11.0 fe1f8f2c6b6f3b8e3383168225f9ae7853028947 (Debug, UBASAN)

/test/10.11_dbg_san/sql/sql_lex.cc:11940:26: runtime error: member access within null pointer of type 'struct TABLE'
    #0 0x555cbc314dd8 in st_select_lex_unit::is_derived_eliminated() const /test/10.11_dbg_san/sql/sql_lex.cc:11940
    #1 0x555cbc3152c2 in st_select_lex_unit::explainable() const /test/10.11_dbg_san/sql/sql_lex.cc:11932
    #2 0x555cbc783160 in JOIN::save_explain_data_intern(Explain_query*, bool, bool, bool, char const*) /test/10.11_dbg_san/sql/sql_select.cc:28381
    #3 0x555cbc783cb8 in JOIN::save_explain_data(Explain_query*, bool, bool, bool, bool) /test/10.11_dbg_san/sql/sql_select.cc:4549
    #4 0x555cbc7860c0 in JOIN::build_explain() /test/10.11_dbg_san/sql/sql_select.cc:1808
    #5 0x555cbc822362 in JOIN::optimize() /test/10.11_dbg_san/sql/sql_select.cc:1869
    #6 0x555cbc8228f2 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.11_dbg_san/sql/sql_select.cc:5056
    #7 0x555cbc8273bd in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.11_dbg_san/sql/sql_select.cc:581
    #8 0x555cbc3abb58 in execute_sqlcom_select /test/10.11_dbg_san/sql/sql_parse.cc:6261
    #9 0x555cbc40c352 in mysql_execute_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:3945
    #10 0x555cbc379c88 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_dbg_san/sql/sql_parse.cc:8035
    #11 0x555cbc3e685f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1894
    #12 0x555cbc3f8a70 in do_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1407
    #13 0x555cbce69b41 in do_handle_one_connection(CONNECT*, bool) /test/10.11_dbg_san/sql/sql_connect.cc:1418
    #14 0x555cbce6c32c in handle_one_connection /test/10.11_dbg_san/sql/sql_connect.cc:1312
    #15 0x14c9947bc608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #16 0x14c993a31132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
221114 23:54:15 [ERROR] mysqld got signal 11 ;

10.11.0 fe1f8f2c6b6f3b8e3383168225f9ae7853028947 (Optimized, UBASAN)

/test/10.11_opt_san/sql/sql_lex.cc:11940:26: runtime error: member access within null pointer of type 'struct TABLE'
    #0 0x56236a8039ae in st_select_lex_unit::is_derived_eliminated() const /test/10.11_opt_san/sql/sql_lex.cc:11940
    #1 0x56236a803caf in st_select_lex_unit::explainable() const /test/10.11_opt_san/sql/sql_lex.cc:11932
    #2 0x56236a803caf in st_select_lex_unit::explainable() const /test/10.11_opt_san/sql/sql_lex.cc:11915
    #3 0x56236ac648d0 in JOIN::save_explain_data_intern(Explain_query*, bool, bool, bool, char const*) /test/10.11_opt_san/sql/sql_select.cc:28381
    #4 0x56236ac6b8f2 in JOIN::save_explain_data(Explain_query*, bool, bool, bool, bool) /test/10.11_opt_san/sql/sql_select.cc:4549
    #5 0x56236ac6c917 in JOIN::build_explain() /test/10.11_opt_san/sql/sql_select.cc:1808
    #6 0x56236ac6df7f in JOIN::optimize() /test/10.11_opt_san/sql/sql_select.cc:1869
    #7 0x56236ac7f1fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.11_opt_san/sql/sql_select.cc:5056
    #8 0x56236ac83093 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.11_opt_san/sql/sql_select.cc:581
    #9 0x56236a890c2f in execute_sqlcom_select /test/10.11_opt_san/sql/sql_parse.cc:6261
    #10 0x56236a8e153b in mysql_execute_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:3945
    #11 0x56236a861500 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_opt_san/sql/sql_parse.cc:8035
    #12 0x56236a8b60ff in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_opt_san/sql/sql_parse.cc:1894
    #13 0x56236a8c13fd in do_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:1407
    #14 0x56236b1aa4cd in do_handle_one_connection(CONNECT*, bool) /test/10.11_opt_san/sql/sql_connect.cc:1418
    #15 0x56236b1acb3c in handle_one_connection /test/10.11_opt_san/sql/sql_connect.cc:1312
    #16 0x154514b65608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #17 0x154513dda132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
221114 23:22:33 [ERROR] mysqld got signal 11 ;
