[MDEV-32419] Segmentation fault at /mariadb-11.3.0/sql/sql_union.cc:2608
Created: 2023-10-10  Updated: 2023-10-24  Resolved: 2023-10-24

Status: Closed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 11.3.0
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Xin Wen Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Environment:

Ubuntu 20.04


Issue Links:
Duplicate

 Description   

Run these queries in a release build:

CREATE TABLE x ( x INT ) ;
INSERT INTO x ( x ) VALUES ( 1 ) ;
UPDATE IGNORE x SET x = ( WITH RECURSIVE x ( x ) AS ( SELECT 1 EXCEPT SELECT x % ( WITH x ( x ) AS ( SELECT 1 EXCEPT SELECT x + 1 FROM x ORDER BY x , x DESC , x , NULL , ( x = 1 AND x = 1 ) DESC ) SELECT 1 FROM x WHERE x != 'x' ) FROM x WHERE x LIKE ( x BETWEEN 1 AND 1 ) GROUP BY x HAVING x > 'x' ) SELECT 1 FROM x WHERE x != 'x' WINDOW x AS ( PARTITION BY 1 , 1 , 1 , 1 ORDER BY x RANGE BETWEEN 1 PRECEDING AND 1 PRECEDING ) ) WHERE x = ( x - x <= x ) ;

This will trigger a segmentation fault.
GDB info:
Thread 16 "mariadbd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd242e300 (LWP 2103)]
0x0000000000df2bf1 in st_select_lex_unit::exec_recursive (this=<optimized out>)
at /home/wx/mariadb-11.3.0/sql/sql_union.cc:2608
2608 derived->table->reginfo.join_tab->preread_init_done= false;

#0 0x0000000000df2bf1 in st_select_lex_unit::exec_recursive (this=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_union.cc:2608
#1 0x0000000000a57f78 in TABLE_LIST::fill_recursive (this=this@entry=0x6290000b5488, thd=thd@entry=0x62b00016c218) at /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1155
#2 0x0000000000a56ed0 in mysql_derived_fill (thd=<optimized out>, lex=<optimized out>, derived=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1250
#3 0x0000000000a57cc2 in mysql_handle_single_derived (lex=0x62b0001703c8, derived=derived@entry=0x6290000b5488, phases=phases@entry=96) at /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200
#4 0x0000000000c71b80 in st_join_table::preread_init (this=this@entry=0x62d0000de068) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:16029
#5 0x0000000000be2fea in sub_select (join=0x6290000bf160, join_tab=0x62d0000de068, end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23392
#6 0x0000000000c45121 in do_select (join=0x6290000bf160, procedure=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
#7 JOIN::exec_inner (this=0x6290000bf160) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
#8 0x0000000000c428e9 in JOIN::exec (this=0x6290000bf160) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
#9 0x00000000015d8106 in subselect_single_select_engine::exec (this=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159
#10 0x00000000015b3edc in Item_subselect::exec (this=0x6290000b7018) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812
#11 0x00000000015b9773 in Item_singlerow_subselect::val_int (this=0x6290000b7018) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462
#12 0x00000000013552b8 in Item::save_int_in_field (this=0x6290000b7018, field=0x61900016e000, no_conversions=false) at /home/wx/mariadb-11.3.0/sql/item.cc:6843
#13 0x00000000013554a9 in Item::save_in_field (this=0x6290000b7018, field=0x61900016e000, no_conversions=false) at /home/wx/mariadb-11.3.0/sql/item.cc:6853
#14 0x00000000009d7a96 in fill_record (thd=thd@entry=0x62b00016c218, table_arg=<optimized out>, fields=..., values=..., ignore_errors=false, update=true) at /home/wx/mariadb-11.3.0/sql/sql_base.cc:9032
#15 0x00000000009d9233 in fill_record_n_invoke_before_triggers (thd=thd@entry=0x62b00016c218, table=table@entry=0x61900016da98, fields=..., values=..., ignore_errors=<optimized out>, event=event@entry=TRG_EVENT_UPDATE) at /home/wx/mariadb-11.3.0/sql/sql_base.cc:9206
#16 0x0000000000e197e8 in Sql_cmd_update::update_single_table (this=0x6290000b7230, thd=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_update.cc:928
#17 0x0000000000e2cf6a in Sql_cmd_update::execute_inner (this=<optimized out>, thd=0x62b00016c218) at /home/wx/mariadb-11.3.0/sql/sql_update.cc:3065
#18 0x0000000000cc40b2 in Sql_cmd_dml::execute (this=0x6290000b7230, thd=0x62b00016c218) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:33350
#19 0x0000000000b2ce82 in mysql_execute_command (thd=0x62b00016c218, is_called_from_prepared_stmt=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:4361
#20 0x0000000000b1fe79 in mysql_parse (thd=thd@entry=0x62b00016c218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, parser_state@entry=0x7fffd1c15a80) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
#21 0x0000000000b19069 in dispatch_command (command=<optimized out>, thd=0x62b00016c218, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893
#22 0x0000000000b20b71 in do_command (thd=0x62b00016c218, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
#23 0x0000000000f03476 in do_handle_one_connection (connect=<optimized out>, put_in_cache=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
#24 0x0000000000f02eb9 in handle_one_connection (arg=arg@entry=0x6080020636b8) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
#25 0x0000000001a00c1b in pfs_spawn_thread (arg=0x617000005118) at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
#26 0x00007ffff79f7609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#27 0x00007ffff770f133 in clone () from /lib/x86_64-linux-gnu/libc.so.6



 Comments   
Comment by Alice Sherepa [ 2023-10-24 ]

Thanks! This is the same bug as MDEV-32326

231024 12:04:35 [ERROR] mysqld got signal 11 ;
Server version: 10.4.32-MariaDB-debug-log source revision: babd833685e1fd1da4411a0874ba1c98bb0b631d
 
sql/sql_union.cc:1861(st_select_lex_unit::exec_recursive())[0x562f2ebbdeb8]
sql/sql_derived.cc:1154(TABLE_LIST::fill_recursive(THD*))[0x562f2e81a1e2]
sql/sql_derived.cc:1249(mysql_derived_fill(THD*, LEX*, TABLE_LIST*))[0x562f2e81acec]
sql/sql_derived.cc:200(mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int))[0x562f2e813b38]
sql/sql_select.cc:13865(st_join_table::preread_init())[0x562f2ea07e63]
sql/sql_select.cc:20864(sub_select(JOIN*, st_join_table*, bool))[0x562f2ea38cff]
sql/sql_select.cc:20423(do_select(JOIN*, Procedure*))[0x562f2ea37130]
sql/sql_select.cc:4605(JOIN::exec_inner())[0x562f2e9c4c78]
sql/sql_select.cc:4388(JOIN::exec())[0x562f2e9c22a8]
sql/item_subselect.cc:4035(subselect_single_select_engine::exec())[0x562f2f307a10]
sql/item_subselect.cc:758(Item_subselect::exec())[0x562f2f2e2a78]
sql/item_subselect.cc:1400(Item_singlerow_subselect::val_int())[0x562f2f2e89e1]
sql/item.cc:6716(Item::save_int_in_field(Field*, bool))[0x562f2f135703]
sql/sql_type.cc:3847(Type_handler_int_result::Item_save_in_field(Item*, Field*, bool) const)[0x562f2ee6bd9c]
sql/item.cc:6726(Item::save_in_field(Field*, bool))[0x562f2f1358e7]
sql/sql_base.cc:8657(fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool))[0x562f2e77cc22]
sql/sql_base.cc:8829(fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type))[0x562f2e77de3d]
sql/sql_update.cc:1022(mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*))[0x562f2ebcbe35]
sql/sql_parse.cc:4451(mysql_execute_command(THD*))[0x562f2e8f31cf]
sql/sql_parse.cc:8012(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x562f2e90c25b]
sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x562f2e8e2681]
sql/sql_parse.cc:1378(do_command(THD*))[0x562f2e8df1ac]
sql/sql_connect.cc:1420(do_handle_one_connection(CONNECT*))[0x562f2eced56d]
sql/sql_connect.cc:1325(handle_one_connection)[0x562f2ecece11]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x562f2f997d8a]
nptl/pthread_create.c:478(start_thread)[0x7f20aa5a7609]
 
Query (0x62b0000a1290): UPDATE IGNORE x SET x = ( WITH RECURSIVE x ( x ) AS ( SELECT 1 EXCEPT SELECT x % ( WITH x ( x ) AS ( SELECT 1 EXCEPT SELECT x + 1 FROM x ORDER BY x , x DESC , x , NULL , ( x = 1 AND x = 1 ) DESC ) SELECT 1 FROM x WHERE x != 'x' ) FROM x WHERE x LIKE ( x BETWEEN 1 AND 1 ) GROUP BY x HAVING x > 'x' ) SELECT 1 FROM x WHERE x != 'x' WINDOW x AS ( PARTITION BY 1 , 1 , 1 , 1 ORDER BY x RANGE BETWEEN 1 PRECEDING AND 1 PRECEDING ) ) WHERE x = ( x - x <= x )
 
