[MDEV-32330] Server crashes at select_unit_ext::send_data

Created: 2023-09-30
Updated: 2023-12-15
Resolved: 2023-10-09

Status: Closed
Project: MariaDB Server
Component/s: N/A
Affects Version/s: 11.1.2, 11.2.1
Fix Version/s: N/A

Type: Bug
Priority: Major
Reporter: Jingzhou Fu
Assignee: Unassigned
Resolution: Duplicate
Votes: 0
Labels: None
Environment:

Ubuntu 20.04 x86-64, docker image mariadb:11.1.2


Issue Links:
Duplicate
duplicates MDEV-25158 SIGSEGV in hp_rec_key_cmp and Asserti... Confirmed

Description

PoC:

SELECT ( SELECT ( CASE WHEN 1 THEN 'x' END + 1 ) INTERSECT SELECT 1 UNION ALL SELECT 1 EXCEPT ALL SELECT 1 ) ;

docker log:

mariadbd(my_print_stacktrace+0x32)[0x56002fe267c2]
mariadbd(handle_fatal_signal+0x488)[0x56002f8ffcf8]
/lib/x86_64-linux-gnu/libc.so.6(+0x42520)[0x7ff3bd64c520]
mariadbd(+0xd7425f)[0x56002fbce25f]
mariadbd(+0xd72457)[0x56002fbcc457]
mariadbd(_ZN15select_unit_ext9send_dataER4ListI4ItemE+0x283)[0x56002f75ea03]
mariadbd(_ZN4JOIN10exec_innerEv+0xc90)[0x56002f70e880]
mariadbd(_ZN4JOIN4execEv+0x3f)[0x56002f70efff]
mariadbd(_ZN18st_select_lex_unit10exec_innerEv+0x5b4)[0x56002f761344]
mariadbd(_ZN22subselect_union_engine4execEv+0x22)[0x56002f9de262]
mariadbd(_ZN14Item_subselect4execEv+0x4c)[0x56002f9de73c]
mariadbd(_ZN24Item_singlerow_subselect8val_realEv+0x39)[0x56002f9e0bb9]
mariadbd(_ZNK12Type_handler16Item_send_doubleEP4ItemP8ProtocolP8st_value+0x1d)[0x56002f8569fd]
mariadbd(_ZN8Protocol19send_result_set_rowEP4ListI4ItemE+0xea)[0x56002f5b4cfa]
mariadbd(_ZN11select_send9send_dataER4ListI4ItemE+0x37)[0x56002f6336a7]
mariadbd(_ZN4JOIN10exec_innerEv+0xc90)[0x56002f70e880]
mariadbd(_ZN4JOIN4execEv+0x3f)[0x56002f70efff]
mariadbd(_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x12c)[0x56002f70cf7c]
mariadbd(_Z13handle_selectP3THDP3LEXP13select_resulty+0x154)[0x56002f70d774]
mariadbd(+0x826f55)[0x56002f680f55]
mariadbd(_Z21mysql_execute_commandP3THDb+0x419e)[0x56002f68ff0e]
mariadbd(_Z11mysql_parseP3THDPcjP12Parser_state+0x1e7)[0x56002f691237]
mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjb+0x14bd)[0x56002f693a1d]
mariadbd(_Z10do_commandP3THDb+0x138)[0x56002f695818]
mariadbd(_Z24do_handle_one_connectionP7CONNECTb+0x3bf)[0x56002f7bd3af]
mariadbd(handle_one_connection+0x5d)[0x56002f7bd6fd]
mariadbd(+0xcd1906)[0x56002fb2b906]
/lib/x86_64-linux-gnu/libc.so.6(+0x94b43)[0x7ff3bd69eb43]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x44)[0x7ff3bd72fbb4]
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x7ff3600130d8): SELECT ( SELECT ( CASE WHEN 1 THEN 'x' END + 1 ) INTERSECT SELECT 1 UNION ALL SELECT 1 EXCEPT ALL SELECT 1 )
 
Connection ID (thread ID): 4
Status: NOT_KILLED
 
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off,hash_join_cardinality=on



Comments
Comment by Alice Sherepa [ 2023-10-09 ]

Thanks! This is the same as MDEV-25158.

231009 18:04:29 [ERROR] mysqld got signal 6 ;
 
Server version: 11.2.2-MariaDB-debug-log source revision: 872ed5342d8f1ec02f8f8a7a25a606e4ff512234
 
asan/asan_report.cc:462(__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool))[0x7fce93881fa3]
asan/asan_rtl.cc:119(__asan_report_load8)[0x7fce93882deb]
heap/ha_heap.cc:872(ha_heap::find_unique_row(unsigned char*, unsigned int))[0x55b60da2fba1]
sql/sql_union.cc:676(select_unit_ext::send_data(List<Item>&))[0x55b60ca89f05]
sql/sql_class.h:5794(select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long))[0x55b60c92625b]
sql/sql_select.cc:4807(JOIN::exec_inner())[0x55b60c84c9ad]
sql/sql_select.cc:4720(JOIN::exec())[0x55b60c84b4a0]
sql/sql_union.cc:2389(st_select_lex_unit::exec_inner())[0x55b60ca99df3]
sql/sql_union.cc:2292(st_select_lex_unit::exec())[0x55b60ca98867]
sql/item_subselect.cc:4187(subselect_union_engine::exec())[0x55b60d33f61d]
sql/item_subselect.cc:812(Item_subselect::exec())[0x55b60d31a2c3]
sql/item_subselect.cc:1441(Item_singlerow_subselect::val_real())[0x55b60d31fdd9]
sql/sql_type.cc:7510(Type_handler::Item_send_double(Item*, Protocol*, st_value*) const)[0x55b60ce35cde]
sql/sql_type.h:6044(Type_handler_double::Item_send(Item*, Protocol*, st_value*) const)[0x55b60ce52214]
sql/item.h:1239(Item::send(Protocol*, st_value*))[0x55b60c38b30c]
sql/protocol.cc:1332(Protocol::send_result_set_row(List<Item>*))[0x55b60c44b2c7]
sql/sql_class.cc:3129(select_send::send_data(List<Item>&))[0x55b60c5ef854]
sql/sql_class.h:5794(select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long))[0x55b60c92625b]
sql/sql_select.cc:4807(JOIN::exec_inner())[0x55b60c84c9ad]
sql/sql_select.cc:4720(JOIN::exec())[0x55b60c84b4a0]
sql/sql_select.cc:5251(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55b60c84fcab]
sql/sql_select.cc:628(handle_select(THD*, LEX*, select_result*, unsigned long long))[0x55b60c81f152]
sql/sql_parse.cc:6064(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55b60c740f39]
sql/sql_parse.cc:3955(mysql_execute_command(THD*, bool))[0x55b60c731b8b]
sql/sql_parse.cc:7810(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55b60c74bdb7]
sql/sql_parse.cc:1895(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55b60c72415e]
sql/sql_parse.cc:1406(do_command(THD*, bool))[0x55b60c720ea8]
sql/sql_connect.cc:1445(do_handle_one_connection(CONNECT*, bool))[0x55b60cbff8f9]
sql/sql_connect.cc:1349(handle_one_connection)[0x55b60cbff256]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55b60d86d722]
nptl/pthread_create.c:478(start_thread)[0x7fce932eb609]
 
Query (0x6290001092a8): SELECT ( SELECT ( CASE WHEN 1 THEN 'x' END + 1 ) INTERSECT SELECT 1 UNION ALL SELECT 1 EXCEPT ALL SELECT 1 )
