[MDEV-32296] Server crashes at fix_fields
Created: 2023-09-30
Updated: 2023-12-15
Resolved: 2023-10-05

Status: Closed
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 11.1.2, 11.2.1
Fix Version/s: N/A

Type: Bug
Priority: Major
Reporter: Jingzhou Fu
Assignee: Unassigned
Resolution: Duplicate
Votes: 0
Labels: None
Environment: Ubuntu 20.04 x86-64, docker image mariadb:11.1.2


Issue Links:
Duplicate

Description

PoC:

SELECT ( ( ( ( ( WITH x ( x ) AS ( SELECT 1 UNION SELECT 1 ) ( ( SELECT ( 'x' ) FROM x HAVING ( SELECT x GROUP BY x HAVING x ) ) ) ) ) ) ) ) ;

docker log:

mariadbd(my_print_stacktrace+0x32)[0x5640ff3997c2]
mariadbd(handle_fatal_signal+0x488)[0x5640fee72cf8]
/lib/x86_64-linux-gnu/libc.so.6(+0x42520)[0x7f14cce04520]
mariadbd(_ZN10Item_field10fix_fieldsEP3THDPP4Item+0x24b)[0x5640fee9e4ab]
mariadbd(_ZN9Item_func10fix_fieldsEP3THDPP4Item+0x8c)[0x5640feee3fec]
mariadbd(_ZN13st_select_lex31pushdown_from_having_into_whereEP3THDP4Item+0x17a)[0x5640febe8d7a]
mariadbd(_ZN4JOIN14optimize_innerEv+0x992)[0x5640fec7ee52]
mariadbd(_ZN4JOIN8optimizeEv+0xda)[0x5640fec7fe2a]
mariadbd(_ZN13st_select_lex31optimize_unflattened_subqueriesEb+0x115)[0x5640febd9a55]
mariadbd(_ZN4JOIN15optimize_stage2Ev+0x12b8)[0x5640fec7c4c8]
mariadbd(_ZN4JOIN14optimize_innerEv+0x1437)[0x5640fec7f8f7]
mariadbd(_ZN4JOIN8optimizeEv+0xda)[0x5640fec7fe2a]
mariadbd(_ZN13st_select_lex31optimize_unflattened_subqueriesEb+0x115)[0x5640febd9a55]
mariadbd(_ZN4JOIN28optimize_constant_subqueriesEv+0x35)[0x5640fed78d55]
mariadbd(_ZN4JOIN14optimize_innerEv+0x503)[0x5640fec7e9c3]
mariadbd(_ZN4JOIN8optimizeEv+0xda)[0x5640fec7fe2a]
mariadbd(_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex+0xd1)[0x5640fec7ff21]
mariadbd(_Z13handle_selectP3THDP3LEXP13select_resulty+0x154)[0x5640fec80774]
mariadbd(+0x826f55)[0x5640febf3f55]
mariadbd(_Z21mysql_execute_commandP3THDb+0x419e)[0x5640fec02f0e]
mariadbd(_Z11mysql_parseP3THDPcjP12Parser_state+0x1e7)[0x5640fec04237]
mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjb+0x14bd)[0x5640fec06a1d]
mariadbd(_Z10do_commandP3THDb+0x138)[0x5640fec08818]
mariadbd(_Z24do_handle_one_connectionP7CONNECTb+0x3bf)[0x5640fed303af]
mariadbd(handle_one_connection+0x5d)[0x5640fed306fd]
mariadbd(+0xcd1906)[0x5640ff09e906]
/lib/x86_64-linux-gnu/libc.so.6(+0x94b43)[0x7f14cce56b43]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x44)[0x7f14ccee7bb4]
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x7f14680130d8): SELECT ( ( ( ( ( WITH x ( x ) AS ( SELECT 1 UNION SELECT 1 ) ( ( SELECT ( 'x' ) FROM x HAVING ( SELECT x GROUP BY x HAVING x ) ) ) ) ) ) ) )
 
Connection ID (thread ID): 4
Status: NOT_KILLED
 
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off,hash_join_cardinality=on



Comments
Comment by Alice Sherepa [ 2023-10-05 ]

Thanks! This is the same bug as MDEV-32322

Version: '10.4.32-MariaDB-debug-log'  
231005 13:26:10 [ERROR] mysqld got signal 11 ;
 
Server version: 10.4.32-MariaDB-debug-log source revision: 50a2e8b1892b6b8a276d4bd75a1a02148f9e6ff2
 
sql/signal_handler.cc:238(handle_fatal_signal)[0x563047b917e9]
sigaction.c:0(__restore_rt)[0x7fcd65964420]
sql/sql_select.cc:25645(setup_copy_fields(THD*, TMP_TABLE_PARAM*, Bounds_checked_array<Item*>, List<Item>&, List<Item>&, unsigned int, List<Item>&))[0x5630475420d1]
sql/sql_select.cc:3732(JOIN::make_aggr_tables_info())[0x5630474a0a07]
sql/sql_select.cc:3150(JOIN::optimize_stage2())[0x563047499ce1]
sql/sql_select.cc:2394(JOIN::optimize_inner())[0x563047491f20]
sql/sql_select.cc:1711(JOIN::optimize())[0x56304748ac2b]
sql/sql_lex.cc:4236(st_select_lex::optimize_unflattened_subqueries(bool))[0x5630473635f2]
sql/opt_subselect.cc:5603(JOIN::optimize_unflattened_subqueries())[0x5630478d4fa1]
sql/sql_select.cc:2942(JOIN::optimize_stage2())[0x563047497fa9]
sql/sql_select.cc:2394(JOIN::optimize_inner())[0x563047491f20]
sql/sql_select.cc:1711(JOIN::optimize())[0x56304748ac2b]
sql/sql_lex.cc:4236(st_select_lex::optimize_unflattened_subqueries(bool))[0x5630473635f2]
sql/opt_subselect.cc:5636(JOIN::optimize_constant_subqueries())[0x5630478d508e]
sql/sql_select.cc:2048(JOIN::optimize_inner())[0x56304748dfa1]
sql/sql_select.cc:1711(JOIN::optimize())[0x56304748ac2b]
sql/sql_select.cc:4812(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x5630474abc1d]
sql/sql_select.cc:442(handle_select(THD*, LEX*, select_result*, unsigned long))[0x56304747c922]
sql/sql_parse.cc:6475(execute_sqlcom_select(THD*, TABLE_LIST*))[0x5630473e872c]
sql/sql_parse.cc:3978(mysql_execute_command(THD*))[0x5630473d5ea3]
sql/sql_parse.cc:8012(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5630473f1c07]
sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5630473c802d]
sql/sql_parse.cc:1378(do_command(THD*))[0x5630473c4b58]
sql/sql_connect.cc:1420(do_handle_one_connection(CONNECT*))[0x5630477d27fd]
sql/sql_connect.cc:1325(handle_one_connection)[0x5630477d20a1]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x56304847c99a]
nptl/pthread_create.c:478(start_thread)[0x7fcd65958609]
 
Query (0x62b0000a1420): SELECT ( ( ( ( ( WITH x ( x ) AS ( SELECT 1 UNION SELECT 1 ) ( ( SELECT ( 'x' ) FROM x HAVING ( SELECT x GROUP BY x HAVING x ) ) ) ) ) ) ) )
