[MDEV-31269] Crash on 2nd ps execution caused by exists-to-in, and ASAN: use-after-poison in Item_func::fix_fields and Item_func::print_op Created: 2023-05-15  Updated: 2023-11-28

Status: Stalled
Project: MariaDB Server
Component/s: Optimizer, Prepared Statements
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1

Type: Bug Priority: Critical
Reporter: Yuchen Pei Assignee: Yuchen Pei
Resolution: Unresolved Votes: 1
Labels: ASAN, memory_corruption

Issue Links:
Blocks
is blocked by MDEV-30073 Wrong result on 2nd execution of PS f... Stalled
Relates
relates to MDEV-30073 Wrong result on 2nd execution of PS f... Stalled

Description

MTR testcase to reproduce:

11.1 4e5b771e980edfdad5c5414aa62c81d409d585a4

set optimizer_switch=default;
CREATE TABLE t1 (a INT);
CREATE TABLE t2 (b INT);
PREPARE st FROM "
SELECT * FROM t2
HAVING 0 IN (
  SELECT a FROM t1
  WHERE EXISTS ( 
    SELECT a FROM t1
    WHERE b = a
  )
)
";
EXECUTE st;
EXECUTE st;
drop table t1, t2;

Possibly caused by attempted reuse of items freed in the query arena after the first execution. If we replace the first line with set optimizer_switch='exists_to_in=off'; then the test passes. The test also passes if we replace HAVING with WHERE.

trace:

mysys/stacktrace.c:215(my_print_stacktrace)[0x561ec390cefa]
sql/signal_handler.cc:238(handle_fatal_signal)[0x561ec30a10cb]
??:0(__restore_rt)[0x7fb3f1a26140]
sql/item.cc:495(Item::print_parenthesised(String*, enum_query_type, precedence))[0x561ec30c57f7]
sql/item_func.cc:634(Item_func::print_op(String*, enum_query_type))[0x561ec312d43e]
sql/item_cmpfunc.h:551(Item_bool_rowready_func2::print(String*, enum_query_type))[0x561ec2b7dc3d]
sql/item.cc:499(Item::print_parenthesised(String*, enum_query_type, precedence))[0x561ec30c584b]
sql/item_cmpfunc.cc:5385(Item_cond::print(String*, enum_query_type))[0x561ec310338e]
sql/item.cc:10894(dbug_print_item(Item*))[0x561ec30e6f31]
sql/sql_select.cc:1382(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x561ec2d2fc40]
sql/item_subselect.cc:3943(subselect_single_select_engine::prepare(THD*))[0x561ec31b74e7]
sql/item_subselect.cc:296(Item_subselect::fix_fields(THD*, Item**))[0x561ec31a941c]
sql/item_subselect.cc:3602(Item_in_subselect::fix_fields(THD*, Item**))[0x561ec31b63a2]
sql/item.h:1147(Item::fix_fields_if_needed(THD*, Item**))[0x561ec2ba1620]
sql/item_cmpfunc.cc:1379(Item_in_optimizer::fix_fields(THD*, Item**))[0x561ec30f59d7]
sql/item.h:1147(Item::fix_fields_if_needed(THD*, Item**))[0x561ec2ba1620]
sql/item.h:1156(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x561ec2ba1655]
sql/item.h:1161(Item::fix_fields_if_needed_for_bool(THD*, Item**))[0x561ec2c2a2cb]
sql/sql_select.cc:1552(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x561ec2d3085d]
sql/sql_select.cc:5132(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x561ec2d3da56]
sql/sql_select.cc:611(handle_select(THD*, LEX*, select_result*, unsigned long long))[0x561ec2d2ca67]
sql/sql_parse.cc:6024(execute_sqlcom_select(THD*, TABLE_LIST*))[0x561ec2cd4abd]
sql/sql_parse.cc:3944(mysql_execute_command(THD*, bool))[0x561ec2cccd4b]
sql/sql_prepare.cc:4992(Prepared_statement::execute(String*, bool))[0x561ec2d12dcd]
sql/sql_prepare.cc:4415(Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*))[0x561ec2d10f84]
sql/sql_prepare.cc:3457(mysql_sql_stmt_execute(THD*))[0x561ec2d0e647]
sql/sql_parse.cc:3961(mysql_execute_command(THD*, bool))[0x561ec2cccd90]
sql/sql_parse.cc:7760(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x561ec2cd96fa]
sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x561ec2cc6db0]
sql/sql_parse.cc:1405(do_command(THD*, bool))[0x561ec2cc5789]
sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x561ec2ea4fda]
sql/sql_connect.cc:1320(handle_one_connection)[0x561ec2ea4d45]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x561ec33a8fc4]
??:0(start_thread)[0x7fb3f1a1aea7]
??:0(clone)[0x7fb3f1216a2f]

Comments
Comment by Roel Van de Paar [ 2023-05-15 ]

Confirmed in 10.4+

SET optimizer_switch=default;
CREATE TABLE t1 (a INT);
CREATE TABLE t2 (b INT);
PREPARE st FROM "SELECT * FROM t2 HAVING 0 IN (SELECT a FROM t1 WHERE EXISTS (SELECT a FROM t1 WHERE b=a))";
EXECUTE st;
EXECUTE st;  # Crash
DROP TABLE t1, t2;  # Cleanup

Leads to:

11.1.0 4e5b771e980edfdad5c5414aa62c81d409d585a4 (Optimized)

Core was generated by `/test/MD120523-mariadb-11.1.0-linux-x86_64-opt/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=23341469865536)
    at ./nptl/pthread_kill.c:44
[Current thread is 1 (Thread 0x153a9c051640 (LWP 3081877))]
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=23341469865536) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=23341469865536) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=23341469865536, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x0000153ab4042476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x0000153ab40287f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x0000153ab44a2bbe in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#6  0x0000153ab44ae24c in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#7  0x0000153ab44ae2b7 in std::terminate() () from /lib/x86_64-linux-gnu/libstdc++.so.6
#8  0x0000153ab44aefe5 in __cxa_pure_virtual () from /lib/x86_64-linux-gnu/libstdc++.so.6
#9  0x00005634a4a42cf9 in Item_func::check_argument_types_like_args0 (this=0x153a30029378) at /test/11.1_opt/sql/item_func.cc:148
#10 0x00005634a4a3dc11 in Item_func::fix_fields (ref=<optimized out>, thd=0x153a30000c68, this=0x153a30029378) at /test/11.1_opt/sql/item_func.cc:359
#11 Item_func::fix_fields (this=0x153a30029378, thd=0x153a30000c68, ref=<optimized out>) at /test/11.1_opt/sql/item_func.cc:316
#12 0x00005634a4a16b29 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x153a30000c68, this=0x153a30029378) at /test/11.1_opt/sql/item.h:1147
#13 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x153a30000c68, this=0x153a30029378) at /test/11.1_opt/sql/item.h:1145
#14 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x153a30000c68, this=0x153a30029378) at /test/11.1_opt/sql/item.h:1156
#15 Item::fix_fields_if_needed_for_bool (ref=<optimized out>, thd=0x153a30000c68, this=0x153a30029378) at /test/11.1_opt/sql/item.h:1160
#16 Item_cond::fix_fields (this=0x153a30010810, thd=0x153a30000c68, ref=<optimized out>) at /test/11.1_opt/sql/item_cmpfunc.cc:4937
#17 0x00005634a470bae7 in Item::fix_fields_if_needed (ref=0x153a300116b8, thd=0x153a30000c68, this=0x153a30010810) at /test/11.1_opt/sql/item.h:1145
#18 Item::fix_fields_if_needed (ref=0x153a300116b8, thd=0x153a30000c68, this=0x153a30010810) at /test/11.1_opt/sql/item.h:1145
#19 Item::fix_fields_if_needed_for_scalar (ref=0x153a300116b8, thd=0x153a30000c68, this=0x153a30010810) at /test/11.1_opt/sql/item.h:1156
#20 Item::fix_fields_if_needed_for_bool (ref=0x153a300116b8, thd=0x153a30000c68, this=0x153a30010810) at /test/11.1_opt/sql/item.h:1160
#21 setup_conds (thd=thd@entry=0x153a30000c68, tables=tables@entry=0x153a30024c68, leaves=@0x153a30024860: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153a30011820, last = 0x153a30011830, elements = 2}, <No data fields>}, conds=conds@entry=0x153a300116b8) at /test/11.1_opt/sql/sql_base.cc:8861
#22 0x00005634a47dd5af in setup_without_group (reserved=0x153a30024a34, hidden_group_fields=0x153a3001157f, win_funcs=@0x153a30024ad0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5634a59228d0 <end_of_list>, last = 0x153a30024ad0, elements = 0}, <No data fields>}, win_specs=@0x153a30024ab8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5634a59228d0 <end_of_list>, last = 0x153a30024ab8, elements = 0}, <No data fields>}, group=0x0, order=0x0, conds=0x153a300116b8, all_fields=@0x153a300115d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153a30024c20, last = 0x153a30024c20, elements = 1}, <No data fields>}, fields=@0x153a30024900: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153a30024c20, last = 0x153a30024c20, elements = 1}, <No data fields>}, leaves=@0x153a30024860: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153a30011820, last = 0x153a30011830, elements = 2}, <No data fields>}, tables=0x153a30024c68, ref_pointer_array=<optimized out>, thd=0x153a30000c68) at /test/11.1_opt/sql/sql_select.cc:914
#23 JOIN::prepare (this=0x153a30011228, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x153a30024640, unit_arg=0x153a30026fc0) at /test/11.1_opt/sql/sql_select.cc:1494
#24 0x00005634a4ab3878 in subselect_single_select_engine::prepare (this=0x153a30027a28, thd=0x153a30000c68) at /test/11.1_opt/sql/sql_lex.h:1379
#25 0x00005634a4ab2f3d in Item_subselect::fix_fields (this=this@entry=0x153a300277f8, thd_param=thd_param@entry=0x153a30000c68, ref=ref@entry=0x153a30028ab8) at /test/11.1_opt/sql/item_subselect.cc:296
#26 0x00005634a4ab3245 in Item_in_subselect::fix_fields (this=0x153a300277f8, thd_arg=0x153a30000c68, ref=0x153a30028ab8) at /test/11.1_opt/sql/item_subselect.cc:3602
#27 0x00005634a4a126bd in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x153a30000c68, this=<optimized out>) at /test/11.1_opt/sql/item.h:1147
#28 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x153a30000c68, this=<optimized out>) at /test/11.1_opt/sql/item.h:1145
#29 Item_in_optimizer::fix_fields (this=0x153a30028a30, thd=0x153a30000c68, ref=<optimized out>) at /test/11.1_opt/sql/item_cmpfunc.cc:1379
#30 0x00005634a47ddb66 in Item::fix_fields_if_needed (ref=0x153a30010c70, thd=0x153a30000c68, this=0x153a30028a30) at /test/11.1_opt/sql/item.h:1147
#31 Item::fix_fields_if_needed (ref=0x153a30010c70, thd=0x153a30000c68, this=0x153a30028a30) at /test/11.1_opt/sql/item.h:1145
#32 Item::fix_fields_if_needed_for_scalar (ref=0x153a30010c70, thd=0x153a30000c68, this=0x153a30028a30) at /test/11.1_opt/sql/item.h:1156
#33 Item::fix_fields_if_needed_for_bool (ref=0x153a30010c70, thd=0x153a30000c68, this=0x153a30028a30) at /test/11.1_opt/sql/item.h:1160
#34 JOIN::prepare (this=0x153a30010a60, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=<optimized out>, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/11.1_opt/sql/sql_select.cc:1552
#35 0x00005634a47f04ea in mysql_select (thd=0x153a30000c68, tables=0x153a30023e80, fields=<optimized out>, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x153a30028a30, proc_param=0x0, select_options=<optimized out>, result=0x153a300282c0, unit=0x153a30021bb8, select_lex=0x153a30023860) at /test/11.1_opt/sql/sql_select.cc:5132
#36 0x00005634a47f07a4 in handle_select (thd=thd@entry=0x153a30000c68, lex=lex@entry=0x153a30021ad8, result=result@entry=0x153a300282c0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.1_opt/sql/sql_select.cc:611
#37 0x00005634a476a485 in execute_sqlcom_select (thd=0x153a30000c68, all_tables=0x153a30023e80) at /test/11.1_opt/sql/sql_parse.cc:6024
#38 0x00005634a4778ed4 in mysql_execute_command (thd=0x153a30000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=true) at /test/11.1_opt/sql/sql_parse.cc:3944
#39 0x00005634a479b32a in Prepared_statement::execute (this=0x153a30016b98, expanded_query=0x153a9c04f650, open_cursor=<optimized out>) at /test/11.1_opt/sql/sql_prepare.cc:4992
#40 0x00005634a479b541 in Prepared_statement::execute_loop (packet=<optimized out>, packet_end=<optimized out>, open_cursor=<optimized out>, expanded_query=0x153a9c04f650, this=0x153a30016b98) at /test/11.1_opt/sql/sql_prepare.cc:4415
#41 Prepared_statement::execute_loop (this=0x153a30016b98, expanded_query=0x153a9c04f650, open_cursor=<optimized out>, packet=<optimized out>, packet_end=<optimized out>) at /test/11.1_opt/sql/sql_prepare.cc:4364
#42 0x00005634a479b85b in mysql_sql_stmt_execute (thd=thd@entry=0x153a30000c68) at /test/11.1_opt/sql/sql_prepare.cc:3456
#43 0x00005634a47783a0 in mysql_execute_command (thd=0x153a30000c68, is_called_from_prepared_stmt=<optimized out>) at /test/11.1_opt/sql/sql_parse.cc:3960
#44 0x00005634a477a424 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x153a30000c68) at /test/11.1_opt/sql/sql_parse.cc:7760
#45 mysql_parse (thd=0x153a30000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.1_opt/sql/sql_parse.cc:7682
#46 0x00005634a477ca02 in dispatch_command (command=COM_QUERY, thd=0x153a30000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.1_opt/sql/sql_parse.cc:1989
#47 0x00005634a477e1a0 in do_command (thd=0x153a30000c68, blocking=blocking@entry=true) at /test/11.1_opt/sql/sql_parse.cc:1405
#48 0x00005634a4897787 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5634a81f47c8, put_in_cache=put_in_cache@entry=true) at /test/11.1_opt/sql/sql_connect.cc:1416
#49 0x00005634a4897a5d in handle_one_connection (arg=0x5634a81f47c8) at /test/11.1_opt/sql/sql_connect.cc:1318
#50 0x0000153ab4094b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#51 0x0000153ab4126a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

11.1.0 4e5b771e980edfdad5c5414aa62c81d409d585a4 (Debug)

Core was generated by `/test/MD120523-mariadb-11.1.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000560c415a3ff2 in Item::print_parenthesised (
    this=this@entry=0x14d3ec014868, str=str@entry=0x14d48404fbb0, 
    query_type=query_type@entry=QT_EXPLAIN, parent_prec=CMP_PRECEDENCE)
    at /test/11.1_dbg/sql/item.cc:495
[Current thread is 1 (Thread 0x14d484052640 (LWP 3106785))]
(gdb) bt
#0  0x0000560c415a3ff2 in Item::print_parenthesised (this=this@entry=0x14d3ec014868, str=str@entry=0x14d48404fbb0, query_type=query_type@entry=QT_EXPLAIN, parent_prec=CMP_PRECEDENCE) at /test/11.1_dbg/sql/item.cc:495
#1  0x0000560c4160f839 in Item_func::print_op (this=0x14d3ec030b38, str=0x14d48404fbb0, query_type=QT_EXPLAIN) at /test/11.1_dbg/sql/item_func.cc:633
#2  0x0000560c411bae97 in Item_bool_rowready_func2::print (this=<optimized out>, str=<optimized out>, query_type=<optimized out>) at /test/11.1_dbg/sql/item_cmpfunc.h:550
#3  0x0000560c415a4010 in Item::print_parenthesised (this=this@entry=0x14d3ec030b38, str=str@entry=0x14d48404fbb0, query_type=query_type@entry=QT_EXPLAIN, parent_prec=AND_PRECEDENCE) at /test/11.1_dbg/sql/item.cc:498
#4  0x0000560c415c81ec in Item_cond::print (this=0x14d3ec013200, str=0x14d48404fbb0, query_type=QT_EXPLAIN) at /test/11.1_dbg/sql/item_cmpfunc.cc:5390
#5  0x0000560c415b4e35 in dbug_print_item (item=0x14d3ec013200) at /test/11.1_dbg/sql/item.cc:10892
#6  0x0000560c4132100c in JOIN::prepare (this=0x14d3ec013c28, tables_init=<optimized out>, conds_init=<optimized out>, og_num=0, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x14d3ec02be00, unit_arg=0x14d3ec02e780) at /test/11.1_dbg/sql/sql_select.cc:1379
#7  0x0000560c4168a6f5 in subselect_single_select_engine::prepare (this=0x14d3ec02f1e8, thd=0x14d3ec000d58) at /test/11.1_dbg/sql/sql_lex.h:1379
#8  0x0000560c41689bb1 in Item_subselect::fix_fields (this=this@entry=0x14d3ec02efb8, thd_param=thd_param@entry=0x14d3ec000d58, ref=ref@entry=0x14d3ec030278) at /test/11.1_dbg/sql/item_subselect.cc:296
#9  0x0000560c4168a223 in Item_in_subselect::fix_fields (this=0x14d3ec02efb8, thd_arg=0x14d3ec000d58, ref=0x14d3ec030278) at /test/11.1_dbg/sql/item_subselect.cc:3602
#10 0x0000560c415d1a0d in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x14d3ec000d58, this=<optimized out>) at /test/11.1_dbg/sql/item.h:1147
#11 Item_in_optimizer::fix_fields (this=0x14d3ec0301f0, thd=0x14d3ec000d58, ref=<optimized out>) at /test/11.1_dbg/sql/item_cmpfunc.cc:1379
#12 0x0000560c413202a0 in Item::fix_fields_if_needed (ref=0x14d3ec013668, thd=<optimized out>, this=0x14d3ec0301f0) at /test/11.1_dbg/sql/item.h:1147
#13 Item::fix_fields_if_needed_for_scalar (ref=0x14d3ec013668, thd=<optimized out>, this=0x14d3ec0301f0) at /test/11.1_dbg/sql/item.h:1156
#14 Item::fix_fields_if_needed_for_bool (ref=0x14d3ec013668, thd=<optimized out>, this=0x14d3ec0301f0) at /test/11.1_dbg/sql/item.h:1160
#15 JOIN::prepare (this=this@entry=0x14d3ec013450, tables_init=tables_init@entry=0x14d3ec02b640, conds_init=conds_init@entry=0x0, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/11.1_dbg/sql/sql_select.cc:1552
#16 0x0000560c41336f01 in mysql_select (thd=thd@entry=0x14d3ec000d58, tables=0x14d3ec02b640, fields=@0x14d3ec02b2e0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14d3ec02b5f8, last = 0x14d3ec02b5f8, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x14d3ec0301f0, proc_param=0x0, select_options=2201187781376, result=0x14d3ec02fa80, unit=0x14d3ec029378, select_lex=0x14d3ec02b020) at /test/11.1_dbg/sql/sql_select.cc:5132
#17 0x0000560c41337102 in handle_select (thd=thd@entry=0x14d3ec000d58, lex=lex@entry=0x14d3ec029298, result=result@entry=0x14d3ec02fa80, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.1_dbg/sql/sql_select.cc:611
#18 0x0000560c4129d3bc in execute_sqlcom_select (thd=thd@entry=0x14d3ec000d58, all_tables=0x14d3ec02b640) at /test/11.1_dbg/sql/sql_parse.cc:6024
#19 0x0000560c412a8a1c in mysql_execute_command (thd=0x14d3ec000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=true) at /test/11.1_dbg/sql/sql_parse.cc:3944
#20 0x0000560c412d4f60 in Prepared_statement::execute (this=this@entry=0x14d3ec024d08, expanded_query=expanded_query@entry=0x14d484050c90, open_cursor=open_cursor@entry=false) at /test/11.1_dbg/sql/sql_prepare.cc:4992
#21 0x0000560c412d52fc in Prepared_statement::execute_loop (this=this@entry=0x14d3ec024d08, expanded_query=expanded_query@entry=0x14d484050c90, open_cursor=open_cursor@entry=false, packet=packet@entry=0x0, packet_end=packet_end@entry=0x0) at /test/11.1_dbg/sql/sql_prepare.cc:4415
#22 0x0000560c412d5939 in mysql_sql_stmt_execute (thd=thd@entry=0x14d3ec000d58) at /test/11.1_dbg/sql/sql_prepare.cc:3456
#23 0x0000560c412a8a79 in mysql_execute_command (thd=thd@entry=0x14d3ec000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.1_dbg/sql/sql_parse.cc:3960
#24 0x0000560c412aefad in mysql_parse (thd=thd@entry=0x14d3ec000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14d484051230) at /test/11.1_dbg/sql/sql_parse.cc:7760
#25 0x0000560c412b1141 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14d3ec000d58, packet=packet@entry=0x14d3ec00ae49 "EXECUTE st", packet_length=packet_length@entry=10, blocking=blocking@entry=true) at /test/11.1_dbg/sql/sql_class.h:242
#26 0x0000560c412b2f9d in do_command (thd=0x14d3ec000d58, blocking=blocking@entry=true) at /test/11.1_dbg/sql/sql_parse.cc:1405
#27 0x0000560c41404e5a in do_handle_one_connection (connect=<optimized out>, connect@entry=0x560c44cdb1f8, put_in_cache=put_in_cache@entry=true) at /test/11.1_dbg/sql/sql_connect.cc:1416
#28 0x0000560c414050b9 in handle_one_connection (arg=0x560c44cdb1f8) at /test/11.1_dbg/sql/sql_connect.cc:1318
#29 0x000014d49ba94b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#30 0x000014d49bb26a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Bug confirmed present in:
MariaDB: 10.4.30 (dbg), 10.4.30 (opt), 10.5.21 (dbg), 10.5.21 (opt), 10.6.14 (dbg), 10.6.14 (opt), 10.9.7 (dbg), 10.9.7 (opt), 10.10.5 (dbg), 10.10.5 (opt), 10.11.4 (dbg), 10.11.4 (opt), 11.0.2 (dbg), 11.0.2 (opt), 11.1.0 (dbg), 11.1.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.40 (dbg), 8.0.33 (dbg), 8.0.33 (opt)

Comment by Roel Van de Paar [ 2023-05-15 ]

We see use-after-poison in Item_func::fix_fields (opt) and in Item_func::print_op (dbg) in ASAN:

11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Optimized, UBASAN)

=================================================================
==183036==ERROR: AddressSanitizer: use-after-poison on address 0x6290000799a8 at pc 0x55d3f6003905 bp 0x14e34ed40ac0 sp 0x14e34ed40ab0
READ of size 8 at 0x6290000799a8 thread T35
    #0 0x55d3f6003904 in Item_func::fix_fields(THD*, Item**) /test/11.0_opt_san/sql/item_func.cc:350
    #1 0x55d3f5e19149 in Item::fix_fields_if_needed(THD*, Item**) /test/11.0_opt_san/sql/item.h:1147
    #2 0x55d3f5e19149 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.0_opt_san/sql/item.h:1156
    #3 0x55d3f5e19149 in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.0_opt_san/sql/item.h:1160
    #4 0x55d3f5e19149 in Item_cond::fix_fields(THD*, Item**) /test/11.0_opt_san/sql/item_cmpfunc.cc:4937
    #5 0x55d3f4255bcf in Item::fix_fields_if_needed(THD*, Item**) /test/11.0_opt_san/sql/item.h:1147
    #6 0x55d3f4255bcf in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.0_opt_san/sql/item.h:1156
    #7 0x55d3f4255bcf in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.0_opt_san/sql/item.h:1160
    #8 0x55d3f4255bcf in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /test/11.0_opt_san/sql/sql_base.cc:8827
    #9 0x55d3f496618a in setup_without_group /test/11.0_opt_san/sql/sql_select.cc:919
    #10 0x55d3f496618a in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.0_opt_san/sql/sql_select.cc:1499
    #11 0x55d3f651e3ef in subselect_single_select_engine::prepare(THD*) /test/11.0_opt_san/sql/item_subselect.cc:3941
    #12 0x55d3f65170f2 in Item_subselect::fix_fields(THD*, Item**) /test/11.0_opt_san/sql/item_subselect.cc:296
    #13 0x55d3f651a104 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.0_opt_san/sql/item_subselect.cc:3600
    #14 0x55d3f5de858e in Item::fix_fields_if_needed(THD*, Item**) /test/11.0_opt_san/sql/item.h:1147
    #15 0x55d3f5de858e in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.0_opt_san/sql/item_cmpfunc.cc:1379
    #16 0x55d3f49684c1 in Item::fix_fields_if_needed(THD*, Item**) /test/11.0_opt_san/sql/item.h:1147
    #17 0x55d3f49684c1 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.0_opt_san/sql/item.h:1156
    #18 0x55d3f49684c1 in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.0_opt_san/sql/item.h:1160
    #19 0x55d3f49684c1 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.0_opt_san/sql/sql_select.cc:1557
    #20 0x55d3f4a53cb8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_opt_san/sql/sql_select.cc:5133
    #21 0x55d3f4a55d80 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_opt_san/sql/sql_select.cc:616
    #22 0x55d3f45d6b80 in execute_sqlcom_select /test/11.0_opt_san/sql/sql_parse.cc:6279
    #23 0x55d3f463c5f6 in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:3949
    #24 0x55d3f4742f67 in Prepared_statement::execute(String*, bool) /test/11.0_opt_san/sql/sql_prepare.cc:5223
    #25 0x55d3f4745835 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.0_opt_san/sql/sql_prepare.cc:4646
    #26 0x55d3f4747994 in mysql_sql_stmt_execute(THD*) /test/11.0_opt_san/sql/sql_prepare.cc:3690
    #27 0x55d3f463a095 in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:3965
    #28 0x55d3f464d4d2 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_opt_san/sql/sql_parse.cc:8014
    #29 0x55d3f465af5d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_opt_san/sql/sql_parse.cc:1894
    #30 0x55d3f4664728 in do_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:1407
    #31 0x55d3f4f7380c in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1416
    #32 0x55d3f4f75e0c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
    #33 0x14e373a94b42 in start_thread nptl/pthread_create.c:442
    #34 0x14e373b269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
 
0x6290000799a8 is located 6056 bytes inside of 16400-byte region [0x629000078200,0x62900007c210)
allocated by thread T35 here:
    #0 0x55d3f3d73b17 in malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-opt/bin/mariadbd+0x7a1eb17)
    #1 0x55d3f817d394 in my_malloc /test/11.0_opt_san/mysys/my_malloc.c:91
    #2 0x55d3f815826b in root_alloc /test/11.0_opt_san/mysys/my_alloc.c:71
    #3 0x55d3f815826b in reset_root_defaults /test/11.0_opt_san/mysys/my_alloc.c:248
    #4 0x55d3f42b8b9e in THD::init_for_queries() /test/11.0_opt_san/sql/sql_class.cc:1386
    #5 0x55d3f4f6e33e in prepare_new_connection_state(THD*) /test/11.0_opt_san/sql/sql_connect.cc:1245
    #6 0x55d3f4f6fc27 in thd_prepare_connection(THD*) /test/11.0_opt_san/sql/sql_connect.cc:1339
    #7 0x55d3f4f6fc27 in thd_prepare_connection(THD*) /test/11.0_opt_san/sql/sql_connect.cc:1328
    #8 0x55d3f4f728a7 in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1406
    #9 0x55d3f4f75e0c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
    #10 0x14e373a94b42 in start_thread nptl/pthread_create.c:442
 
Thread T35 created by T0 here:
    #0 0x55d3f3d17955 in pthread_create (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-opt/bin/mariadbd+0x79c2955)
    #1 0x55d3f3dcc5ee in create_thread_to_handle_connection(CONNECT*) /test/11.0_opt_san/sql/mysqld.cc:6129
    #2 0x55d3f3ddea9f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_opt_san/sql/mysqld.cc:6253
    #3 0x55d3f3ddfa27 in handle_connections_sockets() /test/11.0_opt_san/sql/mysqld.cc:6377
    #4 0x55d3f3de2a8d in mysqld_main(int, char**) /test/11.0_opt_san/sql/mysqld.cc:6024
    #5 0x14e373a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
SUMMARY: AddressSanitizer: use-after-poison /test/11.0_opt_san/sql/item_func.cc:350 in Item_func::fix_fields(THD*, Item**)
Shadow bytes around the buggy address:
  0x0c52800072e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c52800072f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280007300: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280007310: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280007320: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c5280007330: f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280007340: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280007350: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280007360: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280007370: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280007380: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==183036==ABORTING
230515 11:16:08 [ERROR] mysqld got signal 6 ;

11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)

==3605682==ERROR: AddressSanitizer: use-after-poison on address 0x6290000d89c8 at pc 0x5571104feb00 bp 0x1503ad205f30 sp 0x1503ad205f20
READ of size 8 at 0x6290000d89c8 thread T13
    #0 0x5571104feaff in Item_func::print_op(String*, enum_query_type) /test/11.0_dbg_san/sql/item_func.cc:633
    #1 0x55710e06391a in Item_bool_rowready_func2::print(String*, enum_query_type) /test/11.0_dbg_san/sql/item_cmpfunc.h:549
    #2 0x5571100128c3 in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.0_dbg_san/sql/item.cc:498
    #3 0x5571101c6dd4 in Item_cond::print(String*, enum_query_type) /test/11.0_dbg_san/sql/item_cmpfunc.cc:5390
    #4 0x5571100bd724 in dbug_print_item(Item*) /test/11.0_dbg_san/sql/item.cc:10884
    #5 0x55710eb64fca in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.0_dbg_san/sql/sql_select.cc:1384
    #6 0x557110a4a0d1 in subselect_single_select_engine::prepare(THD*) /test/11.0_dbg_san/sql/item_subselect.cc:3941
    #7 0x557110a41b5d in Item_subselect::fix_fields(THD*, Item**) /test/11.0_dbg_san/sql/item_subselect.cc:296
    #8 0x557110a46939 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.0_dbg_san/sql/item_subselect.cc:3600
    #9 0x5571102362c3 in Item::fix_fields_if_needed(THD*, Item**) /test/11.0_dbg_san/sql/item.h:1147
    #10 0x5571102362c3 in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.0_dbg_san/sql/item_cmpfunc.cc:1379
    #11 0x55710eb6cd7a in Item::fix_fields_if_needed(THD*, Item**) /test/11.0_dbg_san/sql/item.h:1147
    #12 0x55710eb6cd7a in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.0_dbg_san/sql/item.h:1156
    #13 0x55710eb6cd7a in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.0_dbg_san/sql/item.h:1160
    #14 0x55710eb6cd7a in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.0_dbg_san/sql/sql_select.cc:1557
    #15 0x55710ec14cfc in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5133
    #16 0x55710ec1651c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
    #17 0x55710e788a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
    #18 0x55710e7e9ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
    #19 0x55710e915f20 in Prepared_statement::execute(String*, bool) /test/11.0_dbg_san/sql/sql_prepare.cc:5223
    #20 0x55710e919a1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.0_dbg_san/sql/sql_prepare.cc:4646
    #21 0x55710e91cc7f in mysql_sql_stmt_execute(THD*) /test/11.0_dbg_san/sql/sql_prepare.cc:3690
    #22 0x55710e7e9f90 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3965
    #23 0x55710e819973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
    #24 0x55710e829707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #25 0x55710e837542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #26 0x55710f20c8b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #27 0x55710f20ddd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #28 0x1503cf494b42 in start_thread nptl/pthread_create.c:442
    #29 0x1503cf5269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
 
0x6290000d89c8 is located 6088 bytes inside of 16400-byte region [0x6290000d7200,0x6290000db210)
allocated by thread T13 here:
    #0 0x55710de9e337 in __interceptor_malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7964337)
    #1 0x5571125b5703 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91
    #2 0x557112593f22 in root_alloc /test/11.0_dbg_san/mysys/my_alloc.c:71
    #3 0x557112594dec in reset_root_defaults /test/11.0_dbg_san/mysys/my_alloc.c:248
    #4 0x55710e449ec1 in THD::init_for_queries() /test/11.0_dbg_san/sql/sql_class.cc:1386
    #5 0x55710f2085cc in prepare_new_connection_state(THD*) /test/11.0_dbg_san/sql/sql_connect.cc:1245
    #6 0x55710f209d7a in thd_prepare_connection(THD*) /test/11.0_dbg_san/sql/sql_connect.cc:1339
    #7 0x55710f20d134 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1406
    #8 0x55710f20ddd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #9 0x1503cf494b42 in start_thread nptl/pthread_create.c:442
 
Thread T13 created by T0 here:
    #0 0x55710de42175 in pthread_create (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7908175)
    #1 0x55710def898b in create_thread_to_handle_connection(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6129
    #2 0x55710df05e67 in create_new_thread(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6191
    #3 0x55710df066e7 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_dbg_san/sql/mysqld.cc:6253
    #4 0x55710df07738 in handle_connections_sockets() /test/11.0_dbg_san/sql/mysqld.cc:6377
    #5 0x55710df0eee7 in mysqld_main(int, char**) /test/11.0_dbg_san/sql/mysqld.cc:6024
    #6 0x55710dee3eca in main /test/11.0_dbg_san/sql/main.cc:34
    #7 0x1503cf429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
SUMMARY: AddressSanitizer: use-after-poison /test/11.0_dbg_san/sql/item_func.cc:633 in Item_func::print_op(String*, enum_query_type)
Shadow bytes around the buggy address:
  0x0c52800130e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c52800130f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280013100: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280013110: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280013120: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c5280013130: f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7
  0x0c5280013140: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280013150: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280013160: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280013170: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280013180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3605682==ABORTING
230515 11:10:45 [ERROR] mysqld got signal 6 ;

Comment by Roel Van de Paar [ 2023-05-15 ]

Possibly connected with MDEV-29731

Comment by Yuchen Pei [ 2023-05-16 ]

There's also MDEV-16128 but I'm not sure if it is related, e.g. whether it had a similar cause.

The time logged in that ticket and MDEV-30073 makes me wonder how long MDEV-22534 will take, as my draft patch for that ticket exhibits similar symptoms (one needs to replace EXISTS by an IN in the testcase) which I've been trying to fix for a while now. I have not looked into the issue in the present ticket so I don't know whether the MDEV-22534 problem has the same cause as this one.

Comment by Yuchen Pei [ 2023-05-16 ]

Does it make sense to add this ticket to MDEV-31003?

Comment by Yuchen Pei [ 2023-05-16 ]

I have done some debugging of the issue in the present ticket and it seems the MDEV-22534 problem has the same cause as this one, see my comment in that ticket[1]. So I'm stealing this ticket - let me know if there are any problems sanja.

[1] https://jira.mariadb.org/browse/MDEV-22534?focusedCommentId=258728&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-258728

Comment by Yuchen Pei [ 2023-05-17 ]

A PoC patch that fixes the MDEV-22534 (IN subquery) version of the issue: https://github.com/MariaDB/server/commit/fe2b867b499. Will adapt it to this ticket (EXISTS subquery) later.

Comment by Yuchen Pei [ 2023-05-23 ]

Indeed, the above patch can be adapted to fix this bug, but with two caveats, both caused by the use of fields related to perfschema instrumentation for detection of being inside a ps execution:

1. It only works for 10.5+, as the commit introducing the field PSI_statement_locker_state_v1::m_parent_prepared_stmt (0ea717f51a152afdb3791195c4a25ee0baa2faac) is included in 10.5+ only
2. It only works for non-embedded builds, as embedded implies DISABLE_ALL_PSI which causes THD::m_statement_state to be undefined

Here's the patch:

https://github.com/MariaDB/server/commit/e88ae3929b9

Comment by Yuchen Pei [ 2023-05-24 ]

Updated patch after discussion with sanja - now it works with 10.4 and embedded.

https://github.com/MariaDB/server/commit/ffba2a85948

Comment by Sergei Petrunia [ 2023-06-14 ]

Simplified problem description

The problem is the interplay between Name Resolution and Permanent Transformations.

The failure scenario is:

  1. Name Resolution creates "transient" Items (and maybe other objects)
  2. Permanent query transformations are done.
    This creates data structures that should survive until the end of statement life but alas they also contain "transient" Items.
  3. Cleanup is performed. Transient items are cleaned/freed. Permanent rewrites remain in effect. We get invalid data structures.

Description of steps in greater detail

1. Name Resolution creates transient items.

When name resolution is performed, "transient" item objects are created: Item_ref, Item_direct_[view_]ref, etc.
(TODO: are there other transient data structures besides items? Like select lists?)

2. Permanent transformations are done

Permanent Transformation modifies query data structures.
The modification is typically hard to undo and so it should remain in force for the duration of the statement.
Examples of such transformations are:

  • Merging of mergeable VIEWs
  • Conversion of Item_in_subselect predicates into semi-join join operations (TABLE_LISTs in the parent select)
  • Conversion of Item_exists_subselect into Item_in_subselect.
  • ...

One thing these transformations do is to move Items from one expression to another.
Note that they operate on Item trees which include "transient" items.

As a result, the query data structure is spaghetti of "permanent" and "transient" items.

3. Cleanup is performed

A cleanup operation frees the transient items and attempts to undo all the changes
that were made to the query data structures by Name Resolution.

(my speculation: why can't transient items be permanent? Because we can't do name resolution for them? Need to elaborate on this)

Comment by Yuchen Pei [ 2023-06-15 ]

Thanks for the notes psergei, it is a higher level description and corroborates well with my analysis in [1].

[1] https://jira.mariadb.org/browse/MDEV-22534?focusedCommentId=258728&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-258728

Moving on to fixing it for the purpose of this ticket, i.e. for exists2in and decorrelate-in transformations, with the risk of duplicating the work on MDEV-30073, I can think of two ways:

1. At the beginning of the transformation, detect whether transient items will cause problems, and skip the transformation if so. My patch for this ticket follows this idea, but the implementation is deemed inefficient, and it is not clear whether people want this as a temporary measure before MDEV-30073 is fixed.

2. During JOIN::prepare(), create permanent Item_refs etc. instead of transient ones. I don't know whether this would be a valid idea, because in the first place I don't know why they were created as transient.
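Added illustration, not MariaDB code and not from either comment above: a toy C++ model of the three-step scenario psergei describes (name resolution creates transient items, a permanent rewrite moves them into a new node, cleanup undoes name resolution and frees the transient items) together with the "detect transient items and skip the transformation" guard from option 1. The names Arena, change_slot, exists_to_in and run_execution are made up for the model; the Item class names only mirror the ones used in the comments, and poisoning is simulated with a flag rather than real freeing.

```cpp
// Toy model of transient vs permanent items across a prepared statement
// execution. Not MariaDB code; names below are invented for the illustration.
#include <memory>
#include <string>
#include <utility>
#include <vector>

enum class Lifetime { Permanent, Transient };

struct Item {
    std::string name;
    Lifetime life = Lifetime::Permanent;
    std::vector<Item*> args;  // children, not owned
    bool poisoned = false;    // stands in for ASAN poisoning of freed memory
};

// Models the query arena: owns the items, logs the pointer slots that name
// resolution rewrote so cleanup can roll them back, and poisons transient
// items at cleanup.
class Arena {
public:
    Item* alloc(std::string name, Lifetime life, std::vector<Item*> args = {}) {
        items_.push_back(std::make_unique<Item>());
        Item* it = items_.back().get();
        it->name = std::move(name);
        it->life = life;
        it->args = std::move(args);
        return it;
    }
    // Name resolution replaces *slot with a transient item and records the
    // old value so that cleanup can undo the replacement.
    void change_slot(Item** slot, Item* new_value) {
        undo_.push_back({slot, *slot});
        *slot = new_value;
    }
    // Cleanup at end of execution: undo name-resolution changes in reverse
    // order, then free (here: poison) every transient item.
    void cleanup() {
        for (auto it = undo_.rbegin(); it != undo_.rend(); ++it) *it->first = it->second;
        undo_.clear();
        for (auto& it : items_)
            if (it->life == Lifetime::Transient) it->poisoned = true;
    }
private:
    std::vector<std::unique_ptr<Item>> items_;
    std::vector<std::pair<Item**, Item*>> undo_;
};

// Guard for option 1: true if any item reachable from `it` is transient.
bool contains_transient(const Item* it) {
    if (it->life == Lifetime::Transient) return true;
    for (const Item* a : it->args)
        if (contains_transient(a)) return true;
    return false;
}

// What a walk such as Item::print would do on the second EXECUTE: false if
// it reaches a freed item (the use-after-poison ASAN reports in the trace).
bool tree_is_valid(const Item* it) {
    if (it->poisoned) return false;
    for (const Item* a : it->args)
        if (!tree_is_valid(a)) return false;
    return true;
}

// Toy exists-to-in rewrite: EXISTS (SELECT a FROM t1 WHERE b = a) becomes
// b IN (SELECT a FROM t1). The operands of the equality are moved into a new
// permanent node, i.e. the "move Items from one expression to another" step.
Item* exists_to_in(Arena& arena, Item* exists, bool guard) {
    if (guard && contains_transient(exists)) return exists;  // option 1: skip
    Item* eq = exists->args[0];
    return arena.alloc("Item_in_subselect", Lifetime::Permanent,
                       {eq->args[0], eq->args[1]});
}

// One execution of the statement. Returns the root of the condition tree as
// it stands after cleanup, which is what the next EXECUTE would reuse.
Item* run_execution(Arena& arena, bool guard) {
    // Permanent parse tree: EXISTS (SELECT a FROM t1 WHERE b = a)
    Item* field_b = arena.alloc("Item_field(b)", Lifetime::Permanent);
    Item* field_a = arena.alloc("Item_field(a)", Lifetime::Permanent);
    Item* eq = arena.alloc("Item_func_eq", Lifetime::Permanent, {field_b, field_a});
    Item* exists = arena.alloc("Item_exists_subselect", Lifetime::Permanent, {eq});
    // Step 1, name resolution: the reference to `a` is wrapped in a transient
    // Item_ref and spliced into the equality, with the change logged for undo.
    Item* ref_a = arena.alloc("Item_ref(a)", Lifetime::Transient, {field_a});
    arena.change_slot(&eq->args[1], ref_a);
    // Step 2, permanent transformation.
    Item* root = exists_to_in(arena, exists, guard);
    // Step 3, cleanup at end of execution.
    arena.cleanup();
    return root;
}
```

Without the guard, cleanup restores `eq->args[1]` to the permanent Item_field, but the Item_in_subselect node created by the rewrite still holds the now-poisoned Item_ref, so `tree_is_valid` on the returned root fails; with the guard the rewrite is skipped, the undo log puts the tree back, and the same walk succeeds.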

Comment by Yuchen Pei [ 2023-09-11 ]

I can confirm that bb-10.4-mdev-30073 34083cf34bc26a5cd95e56feffd01466f9f4917f passes the test in the description.

igor Can you rebase your patch on 11.3 so that we can test MDEV-22534 patches on top?

Generated at Thu Feb 08 10:22:34 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.