[#MDEV-30841] SIGSEGV in Item_field::used_tables and UBSAN: runtime error: member access within null pointer of type 'struct Field' on SELECT

11.0.1 f2dc4d4c10ac36a73b5c1eb765352d3aee808d66 (Optimized)
Core was generated by `/test/MD180223-mariadb-11.0.1-linux-x86_64-opt/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000055efef34bbbb in Item_field::used_tables (this=0x14864001ec28)
at /test/11.0_opt/sql/item.cc:3510
3510 if (field->table->const_table)
[Current thread is 1 (Thread 0x148678129640 (LWP 3105045))]
(gdb) bt
#0 0x000055efef34bbbb in Item_field::used_tables (this=0x14864001ec28) at /test/11.0_opt/sql/item.cc:3510
#1 0x000055efef34c0b3 in Item_direct_view_ref::used_tables (this=0x14864001f3e0) at /test/11.0_opt/sql/item.cc:10831
#2 Item_direct_view_ref::used_tables (this=0x14864001f3e0) at /test/11.0_opt/sql/item.cc:10822
#3 0x000055efef08e379 in Item::pushable_equality_checker_for_derived (this=this@entry=0x14864001f3e0, arg=arg@entry=0x148640016a88 "\001") at /test/11.0_opt/sql/item.h:2720
#4 0x000055efef36c206 in Item_equal::create_pushable_equalities (this=this@entry=0x148640024de0, thd=thd@entry=0x148640000c68, equalities=equalities@entry=0x148678126f30, checker=<optimized out>, arg=arg@entry=0x148640016a88 "\001", clone_const=true) at /test/11.0_opt/sql/item_cmpfunc.cc:7747
#5 0x000055efef347a88 in Item::build_pushable_cond (this=0x148640024de0, thd=0x148640000c68, checker=<optimized out>, arg=0x148640016a88 "\001") at /test/11.0_opt/sql/item.cc:7695
#6 0x000055efef347983 in Item::build_pushable_cond (this=this@entry=0x148640024ad0, thd=thd@entry=0x148640000c68, checker=<optimized out>, arg=0x148640016a88 "\001") at /test/11.0_opt/sql/item.cc:7665
#7 0x000055efef08d06f in pushdown_cond_for_derived (thd=0x148640000c68, cond=0x148640024ad0, derived=derived@entry=0x148640012428) at /test/11.0_opt/sql/sql_derived.cc:1539
#8 0x000055efef14bf82 in JOIN::optimize_inner (this=0x14864001d5a0) at /test/11.0_opt/sql/sql_select.cc:2384
#9 0x000055efef14ce6a in JOIN::optimize (this=this@entry=0x14864001d5a0) at /test/11.0_opt/sql/sql_select.cc:1897
#10 0x000055efef14cf5e in mysql_select (thd=0x148640000c68, tables=0x1486400133d0, fields=@0x148640010d40: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x148640011060, last = 0x148640011060, elements = 1}, <No data fields>}, conds=0x14864001c690, og_num=1, order=0x0, group=0x14864001ca28, having=0x14864001cb90, proc_param=0x0, select_options=<optimized out>, result=0x14864001cc88, unit=0x148640004cf0, select_lex=0x148640010a88) at /test/11.0_opt/sql/sql_select.cc:5132
#11 0x000055efef14d6f4 in handle_select (thd=thd@entry=0x148640000c68, lex=lex@entry=0x148640004c18, result=result@entry=0x14864001cc88, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.0_opt/sql/sql_select.cc:608
#12 0x000055efef0c6ee5 in execute_sqlcom_select (thd=0x148640000c68, all_tables=0x1486400133d0) at /test/11.0_opt/sql/sql_parse.cc:6267
#13 0x000055efef0d5f00 in mysql_execute_command (thd=0x148640000c68, is_called_from_prepared_stmt=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:3949
#14 0x000055efef0d7794 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x148640000c68) at /test/11.0_opt/sql/sql_parse.cc:8002
#15 mysql_parse (thd=0x148640000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:7924
#16 0x000055efef0d9d72 in dispatch_command (command=COM_QUERY, thd=0x148640000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:1991
#17 0x000055efef0db510 in do_command (thd=0x148640000c68, blocking=blocking@entry=true) at /test/11.0_opt/sql/sql_parse.cc:1407
#18 0x000055efef1f3717 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55eff1380e88, put_in_cache=put_in_cache@entry=true) at /test/11.0_opt/sql/sql_connect.cc:1416
#19 0x000055efef1f39ed in handle_one_connection (arg=0x55eff1380e88) at /test/11.0_opt/sql/sql_connect.cc:1318
#20 0x000014869cc19b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#21 0x000014869ccaba00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

11.0.1 f2dc4d4c10ac36a73b5c1eb765352d3aee808d66 (Debug)
Core was generated by `/test/MD180223-mariadb-11.0.1-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000055ade0c16e45 in Item_field::used_tables (this=0x15081c021618)
at /test/11.0_dbg/sql/item.cc:3510
3510 if (field->table->const_table)
[Current thread is 1 (Thread 0x150890ceb640 (LWP 3105030))]
(gdb) bt
#0 0x000055ade0c16e45 in Item_field::used_tables (this=0x15081c021618) at /test/11.0_dbg/sql/item.cc:3510
#1 0x000055ade0c1734a in Item_direct_view_ref::used_tables (this=0x15081c021dd0) at /test/11.0_dbg/sql/item.cc:10831
#2 0x000055ade08caf8b in Item::pushable_equality_checker_for_derived (this=<optimized out>, arg=0x15081c019458 "\001") at /test/11.0_dbg/sql/item.h:2720
#3 0x000055ade0c3da2c in Item_equal::create_pushable_equalities (this=this@entry=0x15081c0278f8, thd=thd@entry=0x15081c000d58, equalities=equalities@entry=0x150890ce9590, checker=<optimized out>, arg=arg@entry=0x15081c019458 "\001", clone_const=true) at /test/11.0_dbg/sql/item_cmpfunc.cc:7747
#4 0x000055ade0c121a8 in Item::build_pushable_cond (this=0x15081c0278f8, thd=0x15081c000d58, checker=<optimized out>, arg=0x15081c019458 "\001") at /test/11.0_dbg/sql/item.cc:7695
#5 0x000055ade0c1204c in Item::build_pushable_cond (this=this@entry=0x15081c0275e8, thd=thd@entry=0x15081c000d58, checker=<optimized out>, arg=0x15081c019458 "\001") at /test/11.0_dbg/sql/item.cc:7665
#6 0x000055ade08c99f1 in pushdown_cond_for_derived (thd=0x15081c000d58, cond=0x15081c0275e8, derived=derived@entry=0x15081c014df8) at /test/11.0_dbg/sql/sql_derived.cc:1539
#7 0x000055ade09a2efb in JOIN::optimize_inner (this=this@entry=0x15081c01ff70) at /test/11.0_dbg/sql/sql_select.cc:2384
#8 0x000055ade09a39bc in JOIN::optimize (this=this@entry=0x15081c01ff70) at /test/11.0_dbg/sql/sql_select.cc:1897
#9 0x000055ade09a3ac5 in mysql_select (thd=thd@entry=0x15081c000d58, tables=0x15081c015da0, fields=@0x15081c013710: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x15081c013a30, last = 0x15081c013a30, elements = 1}, <No data fields>}, conds=0x15081c01f060, og_num=1, order=0x0, group=0x15081c01f3f8, having=0x15081c01f560, proc_param=0x0, select_options=2164525824, result=0x15081c01f658, unit=0x15081c004fa0, select_lex=0x15081c013458) at /test/11.0_dbg/sql/sql_select.cc:5132
#10 0x000055ade09a428b in handle_select (thd=thd@entry=0x15081c000d58, lex=lex@entry=0x15081c004ec8, result=result@entry=0x15081c01f658, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.0_dbg/sql/sql_select.cc:608
#11 0x000055ade0909e8d in execute_sqlcom_select (thd=thd@entry=0x15081c000d58, all_tables=0x15081c015da0) at /test/11.0_dbg/sql/sql_parse.cc:6267
#12 0x000055ade09154af in mysql_execute_command (thd=thd@entry=0x15081c000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.0_dbg/sql/sql_parse.cc:3949
#13 0x000055ade091c7cf in mysql_parse (thd=thd@entry=0x15081c000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x150890cea2c0) at /test/11.0_dbg/sql/sql_parse.cc:8002
#14 0x000055ade091e963 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x15081c000d58, packet=packet@entry=0x15081c00ae19 "SELECT x FROM (SELECT * FROM (SELECT 1 AS x) AS x) AS x WHERE x IN (SELECT * FROM (SELECT 1) AS x WHERE x IN (SELECT x IN (SELECT 1) AS x)) GROUP BY x HAVING NOT x", packet_length=packet_length@entry=163, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_class.h:242
#15 0x000055ade09207bc in do_command (thd=0x15081c000d58, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_parse.cc:1407
#16 0x000055ade0a716e2 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55ade4a04fe8, put_in_cache=put_in_cache@entry=true) at /test/11.0_dbg/sql/sql_connect.cc:1416
#17 0x000055ade0a71941 in handle_one_connection (arg=0x55ade4a04fe8) at /test/11.0_dbg/sql/sql_connect.cc:1318
#18 0x00001508bf7cdb43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#19 0x00001508bf85fa00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

11.0.1 4d09050ca77a7efac4565d46e4bcd85a5f210c53 (Optimized, UBASAN)
/test/11.0_opt_san/sql/item.cc:3512:14: runtime error: member access within null pointer of type 'struct Field'
#0 0x56468270486e in Item_field::used_tables() const /test/11.0_opt_san/sql/item.cc:3512
#1 0x564682707b5f in Item_direct_view_ref::used_tables() const /test/11.0_opt_san/sql/item.cc:10815
#2 0x564680e4ac8c in Item::pushable_equality_checker_for_derived(unsigned char*) /test/11.0_opt_san/sql/item.h:2714
#3 0x56468289471e in Item_equal::create_pushable_equalities(THD, List<Item>, bool (Item::)(unsigned char), unsigned char*, bool) /test/11.0_opt_san/sql/item_cmpfunc.cc:7716
#4 0x5646826d546f in Item::build_pushable_cond(THD, bool (Item::)(unsigned char), unsigned char) /test/11.0_opt_san/sql/item.cc:7679
#5 0x5646826d5c0f in Item::build_pushable_cond(THD, bool (Item::)(unsigned char), unsigned char) /test/11.0_opt_san/sql/item.cc:7649
#6 0x564680e3fadc in pushdown_cond_for_derived(THD, Item, TABLE_LIST*) /test/11.0_opt_san/sql/sql_derived.cc:1537
#7 0x5646814d076d in JOIN::optimize_inner() /test/11.0_opt_san/sql/sql_select.cc:2349
#8 0x5646814d6430 in JOIN::optimize() /test/11.0_opt_san/sql/sql_select.cc:1870
#9 0x5646814d6ac6 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.0_opt_san/sql/sql_select.cc:5066
#10 0x5646814da8e0 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.0_opt_san/sql/sql_select.cc:581
#11 0x564681082f60 in execute_sqlcom_select /test/11.0_opt_san/sql/sql_parse.cc:6265
#12 0x5646810e8827 in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:3949
#13 0x5646810f9542 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.0_opt_san/sql/sql_parse.cc:8000
#14 0x564681106fa5 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.0_opt_san/sql/sql_parse.cc:1894
#15 0x564681110700 in do_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:1407
#16 0x5646819f103c in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1416
#17 0x5646819f363c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
#18 0x15352e0efb42 in start_thread nptl/pthread_create.c:442
#19 0x15352e1819ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

Bug confirmed present in:
MariaDB: 10.4.29 (dbg), 10.4.29 (opt), 10.5.20 (dbg), 10.5.20 (opt), 10.6.13 (dbg), 10.6.13 (opt), 10.7.8 (dbg), 10.7.8 (opt), 10.8.8 (dbg), 10.8.8 (opt), 10.9.6 (dbg), 10.9.6 (opt), 10.10.4 (dbg), 10.10.4 (opt), 10.11.2 (dbg), 10.11.2 (opt), 11.0.1 (dbg), 11.0.1 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.38 (dbg), 10.3.38 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.40 (dbg), 5.7.40 (opt), 8.0.31 (dbg), 8.0.31 (opt)

[MDEV-30841] SIGSEGV in Item_field::used_tables and UBSAN: runtime error: member access within null pointer of type 'struct Field' on SELECT Created: 2023-03-14 Updated: 2023-11-28
Status:	Open
Project:	MariaDB Server
Component/s:	Optimizer
Affects Version/s:	10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0
Fix Version/s:	10.4, 10.5, 10.6, 10.11

[MDEV-30841] SIGSEGV in Item_field::used_tables and UBSAN: runtime error: member access within null pointer of type 'struct Field' on SELECT Created: 2023-03-14 Updated: 2023-11-28