[MDEV-32381] Segmentation fault at /mariadb-11.3.0/sql/item.cc:5669 Created: 2023-10-09  Updated: 2023-10-09  Resolved: 2023-10-09

Status: Closed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 11.3.0
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Xin Wen Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Environment:

Ubuntu 20.04


Issue Links:
Duplicate
duplicates MDEV-29300 Assertion `*ref && (*ref)->fixed()' f... Confirmed

 Description   

Run these queries against a release build (the crash also reproduces on a debug build, see the comment below):

-- Reproducer from the report. Reported against 11.3.0 (release build); the triager also hit it on 10.4.32-debug.
-- Scratch base table; the INSERT uses DEFAULT for every column. Per the backtrace the crash happens while the
-- statement is being prepared (JOIN::prepare -> setup_conds -> fix_fields), i.e. before any row is read.
CREATE TABLE t0 ( c12 INT , c27 INT ) ;
INSERT INTO t0 VALUES ( DEFAULT , DEFAULT ) , ( DEFAULT , DEFAULT ) ;
-- View whose exposed names overlap the base column names (c27 is exposed as c12, c12 as c19), so identifiers
-- such as c12/c19 resolve differently depending on whether they bind to t0 or to v0.
CREATE VIEW v0 AS SELECT c27 AS c12 , c12 AS c19 , 16 AS c15 FROM t0 ;
-- Crashing statement. The CTE t2 declared inside derived table t5 is never used by t5's own SELECT, so the
-- server resolves it through With_clause::prepare_unreferenced_elements(). Its ON clause `t0 . c12 = t0 . c19`
-- names t0, which is not in that CTE's FROM list (only t3 and v0 are), so the columns are resolved as outer
-- references in Item_field::fix_outer_field(), where prev_subselect_item is NULL (see GDB output) -> SIGSEGV.
-- Security note: this is a plain SELECT; nothing beyond SELECT on t0/v0 appears to be required to crash the
-- server thread and take mariadbd down, so treat it as an authenticated DoS vector until MDEV-29300 is fixed.
WITH t1 AS ( SELECT 20 AS c5 , 32 AS c17 ) SELECT t5 . c19 AS c34 FROM ( WITH t2 AS ( SELECT c19 NOT REGEXP FLOOR ( 85 ) / ORD ( 118 ) - RAND ( ) AS c27 FROM ( SELECT RAND ( ) AS c36 FROM v0 ) AS t3 JOIN v0 ON t0 . c12 = t0 . c19 ) SELECT t4 . c12 AS c19 FROM t0 JOIN v0 AS t4 ON t4 . c12 = t4 . c19 WHERE t0 . c27 = -100 ) AS t5 JOIN v0 ON t0 . c19 = ALL ( SELECT NULLIF ( c19 , 15 ) AS c16 FROM v0 ) WHERE t0 . c19 = 0 ;

The last statement crashes the server with a segmentation fault: a NULL dereference of prev_subselect_item in Item_field::fix_outer_field (item.cc:5669), as the GDB output below shows. Because the trigger is an ordinary SELECT, this is effectively a server DoS reachable by any client allowed to query these objects.
GDB info:
Thread 16 "mariadbd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd242e300 (LWP 2363)]
0x000000000134c15d in Item_field::fix_outer_field (this=<optimized out>, this@entry=0x6290000ab1b0, thd=<optimized out>, thd@entry=0x62b00016c218,
from_field=from_field@entry=0x7fffd2429300, reference=<optimized out>, reference@entry=0x6290000ab4a0) at /home/wx/mariadb-11.3.0/sql/item.cc:5669
5669 place= prev_subselect_item->parsing_place;
(gdb) p prev_subselect_item
$3 = (Item_subselect *) 0x0

#0 0x000000000134c15d in Item_field::fix_outer_field (this=<optimized out>, this@entry=0x6290000b0218, thd=<optimized out>, thd@entry=0x62b00016c218, from_field=from_field@entry=0x7fffd2429300, reference=<optimized out>, reference@entry=0x6290000b0510) at /home/wx/mariadb-11.3.0/sql/item.cc:5669
#1 0x0000000001350c87 in Item_field::fix_fields (this=<optimized out>, thd=<optimized out>, reference=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item.cc:6105
#2 0x0000000001459380 in Item::fix_fields_if_needed (this=0x9c, thd=0x62b00016c218, ref=0x6290000b0510) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#3 Item_func::fix_fields (this=<optimized out>, thd=<optimized out>, ref=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#4 0x00000000009d6748 in Item::fix_fields_if_needed (this=0x6290000b0490, thd=0x62b00016c218, ref=0x6290000afad8) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#5 Item::fix_fields_if_needed_for_scalar (this=0x6290000b0490, thd=0x62b00016c218, ref=0x6290000afad8) at /home/wx/mariadb-11.3.0/sql/item.h:1156
#6 Item::fix_fields_if_needed_for_bool (this=0x6290000b0490, thd=0x62b00016c218, ref=0x6290000afad8) at /home/wx/mariadb-11.3.0/sql/item.h:1160
#7 setup_on_expr (thd=0x62b00016c218, table=0x6290000afa78, is_update=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_base.cc:8777
#8 0x00000000009d7116 in setup_conds (thd=<optimized out>, tables=tables@entry=0x629000094a48, leaves=..., conds=<optimized out>, conds@entry=0x62d0000e68c8) at /home/wx/mariadb-11.3.0/sql/sql_base.cc:8896
#9 0x0000000000bf3349 in setup_without_group (thd=0x62b00016c218, ref_pointer_array=..., tables=0x629000094a48, leaves=..., fields=..., all_fields=..., conds=0x62d0000e68c8, order=0x0, group=0x0, win_specs=..., win_funcs=..., hidden_group_fields=<optimized out>, reserved=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:931
#10 JOIN::prepare (this=0x62d0000e6438, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=<optimized out>, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1531
#11 0x0000000000dec22a in st_select_lex_unit::prepare_join (this=this@entry=0x6290000b0eb8, thd_arg=<optimized out>, sl=sl@entry=0x629000092dd8, tmp_result=tmp_result@entry=0x0, additional_options=additional_options@entry=0, is_union_select=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_union.cc:1103
#12 0x0000000000ddf993 in st_select_lex_unit::prepare (this=0x6290000b0eb8, derived_arg=<optimized out>, sel_result=<optimized out>, additional_options=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_union.cc:1583
#13 0x000000000113e9dd in With_element::prepare_unreferenced (this=this@entry=0x6290000b16f8, thd=thd@entry=0x62b00016c218) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:1284
#14 0x000000000113e832 in With_clause::prepare_unreferenced_elements (this=<optimized out>, thd=0x62b00016c218) at /home/wx/mariadb-11.3.0/sql/sql_cte.cc:923
#15 0x0000000000bf4aa8 in JOIN::prepare (this=0x62d0000e3340, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=<optimized out>, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1620
#16 0x0000000000dec22a in st_select_lex_unit::prepare_join (this=this@entry=0x6290000b4f60, thd_arg=<optimized out>, sl=sl@entry=0x6290000b1810, tmp_result=tmp_result@entry=0x62d0000e3248, additional_options=additional_options@entry=0, is_union_select=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_union.cc:1103
#17 0x0000000000ddf993 in st_select_lex_unit::prepare (this=0x6290000b4f60, derived_arg=<optimized out>, sel_result=<optimized out>, additional_options=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_union.cc:1583
#18 0x0000000000a52e38 in mysql_derived_prepare (thd=<optimized out>, lex=<optimized out>, derived=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_derived.cc:840
#19 0x0000000000a57cc2 in mysql_handle_single_derived (lex=lex@entry=0x62b0001703c8, derived=derived@entry=0x6290000b57a0, phases=phases@entry=2) at /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200
#20 0x0000000000e7cf8d in TABLE_LIST::handle_derived (this=0x6290000b57a0, lex=0x62b0001703c8, phases=2) at /home/wx/mariadb-11.3.0/sql/table.cc:9651
#21 0x0000000000ab86cc in LEX::handle_list_of_derived (this=0x62b0001703c8, table_list=<optimized out>, phases=2) at /home/wx/mariadb-11.3.0/sql/sql_lex.h:4579
#22 st_select_lex::handle_derived (this=<optimized out>, lex=0x62b0001703c8, phases=2) at /home/wx/mariadb-11.3.0/sql/sql_lex.cc:4989
#23 0x0000000000bf2a78 in JOIN::prepare (this=0x62d0000e1e88, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=<optimized out>, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1439
#24 0x0000000000be4c97 in mysql_select (thd=<optimized out>, thd@entry=0x62b00016c218, tables=0x0, fields=..., conds=0x1, og_num=599792, order=0x6290000926a8, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x62d0000e1e58, unit=0x62b0001704a8, select_lex=0x6290000926a8) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:5224
#25 0x0000000000be4596 in handle_select (thd=thd@entry=0x62b00016c218, lex=<optimized out>, lex@entry=0x62b0001703c8, result=<optimized out>, result@entry=0x62d0000e1e58, setup_tables_done_option=<optimized out>, setup_tables_done_option@entry=0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:628
#26 0x0000000000b3df18 in execute_sqlcom_select (thd=0x62b00016c218, all_tables=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013
#27 0x0000000000b2cd51 in mysql_execute_command (thd=0x62b00016c218, is_called_from_prepared_stmt=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912
#28 0x0000000000b1fe79 in mysql_parse (thd=thd@entry=0x62b00016c218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, parser_state@entry=0x7fffd242ca80) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
#29 0x0000000000b19069 in dispatch_command (command=<optimized out>, thd=0x62b00016c218, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893
#30 0x0000000000b20b71 in do_command (thd=0x62b00016c218, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
#31 0x0000000000f03476 in do_handle_one_connection (connect=<optimized out>, put_in_cache=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
#32 0x0000000000f02eb9 in handle_one_connection (arg=arg@entry=0x6080013452b8) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
#33 0x0000000001a00c1b in pfs_spawn_thread (arg=0x617000006298) at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
#34 0x00007ffff79f7609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#35 0x00007ffff770f133 in clone () from /lib/x86_64-linux-gnu/libc.so.6



 Comments   
Comment by Alice Sherepa [ 2023-10-09 ]

Thanks! I reproduced it as described. This is the same bug as MDEV-29300; I will add this test case there:

Version: '10.4.32-MariaDB-debug-log'  
231009 16:21:13 [ERROR] mysqld got signal 11 ;
 
Server version: 10.4.32-MariaDB-debug-log source revision: 0c7af6a2a19343cb9d4fedbd7165b8f73bc4cf96
 
sql/signal_handler.cc:238(handle_fatal_signal)[0x55de47e45f8d]
sigaction.c:0(__restore_rt)[0x7f01b6bd2420]
sql/item.cc:5575(Item_field::fix_outer_field(THD*, Field**, Item**))[0x55de47ec5dfe]
sql/item.cc:5994(Item_field::fix_fields(THD*, Item**))[0x55de47ec99f3]
sql/item.h:966(Item::fix_fields_if_needed(THD*, Item**))[0x55de473e65cd]
sql/item_func.cc:355(Item_func::fix_fields(THD*, Item**))[0x55de47fa3236]
sql/item.h:966(Item::fix_fields_if_needed(THD*, Item**))[0x55de473e65cd]
sql/item.h:970(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55de473e6607]
sql/item.h:975(Item::fix_fields_if_needed_for_bool(THD*, Item**))[0x55de4751eab1]
sql/sql_base.cc:8435(setup_on_expr(THD*, TABLE_LIST*, bool))[0x55de4751531f]
sql/sql_base.cc:8554(setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**))[0x55de47515f68]
sql/sql_select.cc:744(setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*))[0x55de47732e0e]
sql/sql_select.cc:1335(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55de4773a59b]
sql/sql_union.cc:662(st_select_lex_unit::prepare_join(THD*, st_select_lex*, select_result*, unsigned long, bool))[0x55de4794a208]
sql/sql_union.cc:1009(st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long))[0x55de4794d9a7]
sql/sql_cte.cc:1245(With_element::prepare_unreferenced(THD*))[0x55de47c5accc]
sql/sql_cte.cc:921(With_clause::prepare_unreferenced_elements(THD*))[0x55de47c5932e]
sql/sql_select.cc:1423(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55de4773b6d5]
sql/sql_union.cc:662(st_select_lex_unit::prepare_join(THD*, st_select_lex*, select_result*, unsigned long, bool))[0x55de4794a208]
sql/sql_union.cc:1009(st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long))[0x55de4794d9a7]
sql/sql_derived.cc:824(mysql_derived_prepare(THD*, LEX*, TABLE_LIST*))[0x55de475b15cb]
sql/sql_derived.cc:200(mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int))[0x55de475ad99c]
sql/table.cc:9097(TABLE_LIST::handle_derived(LEX*, unsigned int))[0x55de479da105]
sql/sql_lex.h:4395(LEX::handle_list_of_derived(TABLE_LIST*, unsigned int))[0x55de475f5e96]
sql/sql_lex.cc:4306(st_select_lex::handle_derived(LEX*, unsigned int))[0x55de47617f35]
sql/sql_select.cc:1243(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55de47738fcc]
sql/sql_select.cc:4789(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55de4775fe67]
sql/sql_select.cc:442(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55de47730de0]
sql/sql_parse.cc:6475(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55de4769cbe4]
sql/sql_parse.cc:3978(mysql_execute_command(THD*))[0x55de4768a35b]
sql/sql_parse.cc:8012(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55de476a60bf]
sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55de4767c4e5]
sql/sql_parse.cc:1378(do_command(THD*))[0x55de47679010]
sql/sql_connect.cc:1420(do_handle_one_connection(CONNECT*))[0x55de47a86deb]
sql/sql_connect.cc:1325(handle_one_connection)[0x55de47a8668f]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55de48731274]
nptl/pthread_create.c:478(start_thread)[0x7f01b6bc6609]
 
Query (0x62b0000a1290): WITH t1 AS ( SELECT 20 AS c5 , 32 AS c17 ) SELECT t5 . c19 AS c34 FROM ( WITH t2 AS ( SELECT c19 NOT REGEXP FLOOR ( 85 ) / ORD ( 118 ) - RAND ( ) AS c27 FROM ( SELECT RAND ( ) AS c36 FROM v0 ) AS t3 JOIN v0 ON t0 . c12 = t0 . c19 ) SELECT t4 . c12 AS c19 FROM t0 JOIN v0 AS t4 ON t4 . c12 = t4 . c19 WHERE t0 . c27 = -100 ) AS t5 JOIN v0 ON t0 . c19 = ALL ( SELECT NULLIF ( c19 , 15 ) AS c16 FROM v0 ) WHERE t0 . c19 = 0
