[MDEV-32393] Segmentation fault at /mariadb-11.3.0/sql/sql_select.cc:27660 Created: 2023-10-10  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Optimizer - Window functions, Server
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2, 11.3.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2

Type: Bug Priority: Major
Reporter: Xin Wen Assignee: Sergei Petrunia
Resolution: Unresolved Votes: 0
Labels: None
Environment:

Ubuntu 20.04


Issue Links:
Relates

 Description   

Run these queries in a release build:

-- Reproducer for MDEV-32393: the final SELECT crashes the server process
-- (SIGSEGV in setup_group, sql_select.cc:27660 in the 11.3.0 trace below).
CREATE TABLE t0 ( c18 TEXT , INDEX i0 ( c18 ( 9 ) ) ) ;
INSERT INTO t0 VALUES ( 41 ) , ( -24 ) ;
-- The second column is added after the first two rows already exist.
ALTER TABLE t0 ADD COLUMN c48 INT AFTER c18 ;
INSERT INTO t0 VALUES ( LTRIM ( -117 ) % -103.513076 = -4336707295717280702 IS NOT NULL , -125 ) , ( 17 , 70 ) ;
-- The JOIN ... ON condition contains a scalar subquery whose window function
-- BIT_XOR(t1.c49) OVER (PARTITION BY ...) refers to the outer derived table t1
-- and whose SELECT also has a GROUP BY. Per the backtrace, the crash happens
-- while fix_fields() prepares this subquery from setup_on_expr ->
-- JOIN::prepare -> setup_windows -> setup_group. Fuzzer-generated query:
-- keep it verbatim, reformatting may stop it from reproducing.
SELECT t0 . c48 AS c5 FROM ( SELECT c48 AS c49 FROM t0 ) AS t1 JOIN t0 ON IF ( t1 . c49 , t1 . c49 , 111 ) IN ( -124 = RAND ( ) >> ( SELECT BIT_XOR( t1 . c49 ) OVER ( PARTITION BY t0 . c48 , t0 . c18 , t0 . c18 , t0 . c48 ) AS c36 FROM t0 GROUP BY c48 , c18 LIMIT 1 ) IS NULL ) = t1 . c49 ;

This triggers a segmentation fault.
GDB info:
Thread 17 "mariadbd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd1c17300 (LWP 2627)]
0x0000000000ca7d94 in setup_group (thd=thd@entry=0x62b00016c218, ref_pointer_array=..., tables=tables@entry=0x6290000aa8a0, fields=..., all_fields=...,
order=0x6290000950f0, hidden_group_fields=0x7fffd1c12220, from_window_spec=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:27660
27660 (*ord->item)->marker= MARKER_UNDEF_POS; /* Mark found */

#0 0x0000000000ca7d94 in setup_group (thd=thd@entry=0x62b00016c218, ref_pointer_array=..., tables=tables@entry=0x6290000af8e8, fields=..., all_fields=..., order=0x629000095130, hidden_group_fields=0x7fffd1c12220, from_window_spec=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:27660
#1 0x000000000111e689 in setup_windows (thd=<optimized out>, ref_pointer_array=..., tables=<optimized out>, fields=..., all_fields=..., win_specs=..., win_funcs=...) at /home/wx/mariadb-11.3.0/sql/sql_window.cc:238
#2 0x0000000000bf3a8a in setup_without_group (thd=<optimized out>, ref_pointer_array=..., tables=0x6290000af8e8, leaves=..., fields=..., all_fields=..., conds=0x6290000b55f0, order=0x0, group=0x6290000b0168, win_specs=..., win_funcs=..., hidden_group_fields=<optimized out>, reserved=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:955
#3 JOIN::prepare (this=0x6290000b5160, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=<optimized out>, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1531
#4 0x00000000015d5c30 in subselect_single_select_engine::prepare (this=<optimized out>, thd=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:3943
#5 0x00000000015b1a8e in Item_subselect::fix_fields (this=<optimized out>, thd_param=<optimized out>, ref=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:296
#6 0x0000000001459380 in Item::fix_fields_if_needed (this=0x6297e59b5090, thd=0x62b00016c218, ref=0x6290000b0f00) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#7 Item_func::fix_fields (this=<optimized out>, thd=<optimized out>, ref=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#8 0x0000000001459380 in Item::fix_fields_if_needed (this=0x6297e59b5090, thd=0x62b00016c218, ref=0x6290000b0fc0) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#9 Item_func::fix_fields (this=<optimized out>, thd=<optimized out>, ref=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#10 0x0000000001459380 in Item::fix_fields_if_needed (this=0x6297e59b5090, thd=0x62b00016c218, ref=0x6290000b11f0) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#11 Item_func::fix_fields (this=<optimized out>, thd=<optimized out>, ref=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#12 0x0000000001459380 in Item::fix_fields_if_needed (this=0x6297e59b5090, thd=0x62b00016c218, ref=0x6290000b12b8) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#13 Item_func::fix_fields (this=<optimized out>, thd=<optimized out>, ref=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#14 0x0000000001459380 in Item::fix_fields_if_needed (this=0x6297e59b5090, thd=0x62b00016c218, ref=0x6290000b1638) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#15 Item_func::fix_fields (this=<optimized out>, thd=<optimized out>, ref=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#16 0x00000000009d6748 in Item::fix_fields_if_needed (this=0x6290000b15b8, thd=0x62b00016c218, ref=0x629000093990) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#17 Item::fix_fields_if_needed_for_scalar (this=0x6290000b15b8, thd=0x62b00016c218, ref=0x629000093990) at /home/wx/mariadb-11.3.0/sql/item.h:1156
#18 Item::fix_fields_if_needed_for_bool (this=0x6290000b15b8, thd=0x62b00016c218, ref=0x629000093990) at /home/wx/mariadb-11.3.0/sql/item.h:1160
#19 setup_on_expr (thd=0x62b00016c218, table=0x629000093930, is_update=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_base.cc:8777
#20 0x00000000009d7116 in setup_conds (thd=<optimized out>, tables=tables@entry=0x6290000931c8, leaves=..., conds=<optimized out>, conds@entry=0x6290000b2de0) at /home/wx/mariadb-11.3.0/sql/sql_base.cc:8896
#21 0x0000000000bf3349 in setup_without_group (thd=0x62b00016c218, ref_pointer_array=..., tables=0x6290000931c8, leaves=..., fields=..., all_fields=..., conds=0x6290000b2de0, order=0x0, group=0x0, win_specs=..., win_funcs=..., hidden_group_fields=<optimized out>, reserved=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:931
#22 JOIN::prepare (this=0x6290000b2950, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=<optimized out>, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1531
#23 0x0000000000be4c97 in mysql_select (thd=<optimized out>, thd@entry=0x62b00016c218, tables=0x7fffd1c11f80, fields=..., conds=0xd1c11f03, og_num=0, order=0x166c380 <sql_print_error(char const*, ...)>, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x6290000b2920, unit=0x62b0001704a8, select_lex=0x6290000914e8) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:5224
#24 0x0000000000be4596 in handle_select (thd=thd@entry=0x62b00016c218, lex=<optimized out>, lex@entry=0x62b0001703c8, result=<optimized out>, result@entry=0x6290000b2920, setup_tables_done_option=<optimized out>, setup_tables_done_option@entry=0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:628
#25 0x0000000000b3df18 in execute_sqlcom_select (thd=0x62b00016c218, all_tables=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013
#26 0x0000000000b2cd51 in mysql_execute_command (thd=0x62b00016c218, is_called_from_prepared_stmt=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912
#27 0x0000000000b1fe79 in mysql_parse (thd=thd@entry=0x62b00016c218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, parser_state@entry=0x7fffd1c15a80) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
#28 0x0000000000b19069 in dispatch_command (command=<optimized out>, thd=0x62b00016c218, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893
#29 0x0000000000b20b71 in do_command (thd=0x62b00016c218, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
#30 0x0000000000f03476 in do_handle_one_connection (connect=<optimized out>, put_in_cache=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
#31 0x0000000000f02eb9 in handle_one_connection (arg=arg@entry=0x60800144e5b8) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
#32 0x0000000001a00c1b in pfs_spawn_thread (arg=0x617000006618) at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
#33 0x00007ffff79f7609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#34 0x00007ffff770f133 in clone () from /lib/x86_64-linux-gnu/libc.so.6



 Comments   
Comment by Alice Sherepa [ 2023-10-12 ]

Thank you!
I reproduced it on 10.4-11.2:

-- Minimal reproducer (10.4-11.2): on a debug build this SELECT hits the
-- `n < m_size` assertion in Bounds_checked_array::operator[] from
-- find_order_in_list <- setup_group <- setup_windows; on a release build the
-- same path is where the 11.3.0 report segfaults.
CREATE TABLE t0 (b int);
INSERT INTO t0 VALUES (1),(2),(3);
-- Essential shape: a subquery in the ON clause of a join whose window
-- function argument sum(t1.b) refers to the outer derived table t1 and whose
-- SELECT also has GROUP BY. Any session that can run this SELECT brings the
-- whole server down, so treat it as a crash/DoS bug, not just a wrong result.
SELECT 1 FROM (SELECT b FROM t0) AS t1 
  JOIN t0 ON ( SELECT sum( t1.b ) OVER ( PARTITION BY t0.b) FROM t0  GROUP BY t0.b)   ;

mysqld: /10.4/src/sql/sql_array.h:64: Element_type& Bounds_checked_array<Element_type>::operator[](size_t) [with Element_type = Item*; size_t = long unsigned int]: Assertion `n < m_size' failed.
231012 12:26:26 [ERROR] mysqld got signal 6 ;
 
Server version: 10.4.32-MariaDB-debug-log source revision: 0c7af6a2a19343cb9d4fedbd7165b8f73bc4cf96
 
/lib/x86_64-linux-gnu/libc.so.6(+0x33fd6)[0x7fa49ca05fd6]
sql/sql_array.h:65(Bounds_checked_array<Item*>::operator[](unsigned long))[0x564b0671b75d]
sql/sql_select.cc:24879(find_order_in_list(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, st_order*, List<Item>&, List<Item>&, bool, bool, bool))[0x564b069e2a01]
sql/sql_select.cc:25021(setup_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, st_order*, bool*, bool))[0x564b069e37f3]
sql/sql_window.cc:244(setup_windows(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, List<Window_spec>&, List<Item_window_func>&))[0x564b06e35274]
sql/sql_select.cc:761(setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*))[0x564b0692532d]
sql/sql_select.cc:1335(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x564b0692c59b]
sql/item_subselect.cc:3804(subselect_single_select_engine::prepare(THD*))[0x564b07290a0c]
sql/item_subselect.cc:289(Item_subselect::fix_fields(THD*, Item**))[0x564b0726a481]
sql/item.h:966(Item::fix_fields_if_needed(THD*, Item**))[0x564b065d85cd]
sql/item.h:970(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x564b065d8607]
sql/item.h:975(Item::fix_fields_if_needed_for_bool(THD*, Item**))[0x564b06710ab1]
sql/sql_base.cc:8435(setup_on_expr(THD*, TABLE_LIST*, bool))[0x564b0670731f]
sql/sql_base.cc:8554(setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**))[0x564b06707f68]
sql/sql_select.cc:744(setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*))[0x564b06924e0e]
sql/sql_select.cc:1335(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x564b0692c59b]
sql/sql_select.cc:4789(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x564b06951e67]
sql/sql_select.cc:442(handle_select(THD*, LEX*, select_result*, unsigned long))[0x564b06922de0]
sql/sql_parse.cc:6475(execute_sqlcom_select(THD*, TABLE_LIST*))[0x564b0688ebe4]
sql/sql_parse.cc:3978(mysql_execute_command(THD*))[0x564b0687c35b]
sql/sql_parse.cc:8012(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x564b068980bf]
sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x564b0686e4e5]
sql/sql_parse.cc:1378(do_command(THD*))[0x564b0686b010]
sql/sql_connect.cc:1420(do_handle_one_connection(CONNECT*))[0x564b06c78deb]
sql/sql_connect.cc:1325(handle_one_connection)[0x564b06c7868f]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x564b07923274]
nptl/pthread_create.c:478(start_thread)[0x7fa49cf20609]
 
JOIN t0 ON ( SELECT sum( t1.b ) OVER ( PARTITION BY t0.b) FROM t0  GROUP BY t0.b)
