[MDEV-32434] Segmentation fault at /mariadb-11.3.0/storage/heap/hp_hash.c:351 Created: 2023-10-10  Updated: 2023-10-10  Resolved: 2023-10-10

Status: Closed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 11.3.0
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Xin Wen Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Environment:

Ubuntu 20.04


Issue Links:
Duplicate

 Description   

Running these queries in a release build:

-- Reproducer for MDEV-32434 (reported as a duplicate of MDEV-32329; see the
-- comment below). Keep the statements exactly as given: the crash depends on
-- the precise shape of the final INSERT, not on the data.
CREATE TABLE x ( x BOOLEAN NOT NULL ) ;
INSERT INTO x ( x ) VALUES ( 1 ) ;
UPDATE x SET x = 1 WHERE x = 1 ;
-- The next statement is the crashing one. In a release build it segfaults in
-- hp_rec_hashnr() while end_write() stores a row into an internal HEAP
-- temporary table (gdb frames #0-#5 below); in a debug build the same query
-- instead fails the `field->table == table` assertion in
-- Create_tmp_table::finalize(). The fault is raised on a mariadbd connection
-- thread (frames #59-#65), i.e. inside the server process rather than in the
-- client, so this is an availability issue for the whole server, not a
-- per-session error.
INSERT INTO x ( x ) VALUES ( 1 ) , ( x IN ( SELECT x FROM ( SELECT ( SELECT EXISTS ( SELECT * FROM ( SELECT DISTINCT ( - CASE WHEN x = 1 THEN 1 ELSE x + 1 END >= x IS NOT NULL = 1 AND x = 1 ) OR x = x OR x = 'x' FROM x AS x GROUP BY x ) AS x WHERE 1 / x GROUP BY x HAVING ( 1 = 1 AND x = 1 ) ) FROM x GROUP BY EXISTS ( SELECT 1 ) ) FROM x UNION SELECT x FROM x ) AS x ) ) ;

This triggers a segmentation fault.
GDB info:
Thread 16 "mariadbd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd242e300 (LWP 3356)]
0x0000000001b95526 in hp_rec_hashnr (keydef=<optimized out>, rec=<optimized out>)
at /home/wx/mariadb-11.3.0/storage/heap/hp_hash.c:351
351 nr^=(ulong) ((((uint) nr & 63)+nr2)*((uint) *pos))+ (nr << 8);

#0 0x0000000001b95526 in hp_rec_hashnr (keydef=<optimized out>, rec=<optimized out>) at /home/wx/mariadb-11.3.0/storage/heap/hp_hash.c:351
#1 0x0000000001b9e13e in hp_write_key (info=<optimized out>, keyinfo=<optimized out>, record=<optimized out>, recpos=<optimized out>) at /home/wx/mariadb-11.3.0/storage/heap/hp_write.c:349
#2 0x0000000001b9d01e in heap_write (info=0x61b000065e48, record=<optimized out>) at /home/wx/mariadb-11.3.0/storage/heap/hp_write.c:52
#3 0x0000000001b8ecc5 in ha_heap::write_row (this=0x61b0000635b8, buf=0x6190002a2c90 "\377\001", '\276' <repeats 14 times>, "\377") at /home/wx/mariadb-11.3.0/storage/heap/ha_heap.cc:298
#4 0x0000000000cd5bdf in handler::ha_write_tmp_row (this=0x61b0000635b8, buf=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_class.h:7621
#5 0x0000000000c9b1c8 in end_write (join=<optimized out>, join_tab=0x62d0000dd718, end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:24987
#6 0x0000000000c9e284 in evaluate_join_record (join=join@entry=0x6290000bca48, join_tab=<optimized out>, join_tab@entry=0x62d0000dd2a0, error=error@entry=0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677
#7 0x0000000000be3396 in sub_select (join=0x6290000bca48, join_tab=0x62d0000dd2a0, end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444
#8 0x0000000000c45121 in do_select (join=0x6290000bca48, procedure=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
#9 JOIN::exec_inner (this=0x6290000bca48) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
#10 0x0000000000c428e9 in JOIN::exec (this=0x6290000bca48) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
#11 0x00000000015d8106 in subselect_single_select_engine::exec (this=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159
#12 0x00000000015b3edc in Item_subselect::exec (this=0x6290000b2f28) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812
#13 0x00000000015bda3d in Item_exists_subselect::val_int (this=0x6290000b2f28) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1840
#14 0x0000000001376612 in Item_cache_int::cache_value (this=0x62d0000dea78) at /home/wx/mariadb-11.3.0/sql/item.cc:10161
#15 0x000000000136b797 in Item_cache_wrapper::cache (this=0x62d0000de9c8) at /home/wx/mariadb-11.3.0/sql/item.cc:8915
#16 Item_cache_wrapper::val_str (this=0x62d0000de9c8, str=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item.cc:9023
#17 0x000000000134ab45 in Item_copy_string::copy (this=0x62d0000df2c8) at /home/wx/mariadb-11.3.0/sql/item.cc:5092
#18 0x0000000000c9bd60 in copy_fields (param=0x6290000bc670) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:28418
#19 end_send_group (join=<optimized out>, join_tab=<optimized out>, end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:24949
#20 0x0000000000c9e284 in evaluate_join_record (join=join@entry=0x6290000bc418, join_tab=<optimized out>, join_tab@entry=0x62d0000d59c0, error=error@entry=0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677
#21 0x0000000000be3396 in sub_select (join=0x6290000bc418, join_tab=0x62d0000d59c0, end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444
#22 0x0000000000c45121 in do_select (join=0x6290000bc418, procedure=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
#23 JOIN::exec_inner (this=0x6290000bc418) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
#24 0x0000000000c428e9 in JOIN::exec (this=0x6290000bc418) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
#25 0x00000000015d8106 in subselect_single_select_engine::exec (this=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159
#26 0x00000000015b3edc in Item_subselect::exec (this=0x6290000b62a0) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812
#27 0x00000000015b9773 in Item_singlerow_subselect::val_int (this=0x6290000b62a0) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462
#28 0x00000000013552b8 in Item::save_int_in_field (this=0x6290000b62a0, field=0x6190002a17b8, no_conversions=false) at /home/wx/mariadb-11.3.0/sql/item.cc:6843
#29 0x00000000013554a9 in Item::save_in_field (this=0x6290000b62a0, field=0x6190002a17b8, no_conversions=false) at /home/wx/mariadb-11.3.0/sql/item.cc:6853
#30 0x00000000009d9dc9 in fill_record (thd=<optimized out>, table=<optimized out>, ptr=0x61f000016798, values=..., ignore_errors=<optimized out>, use_value=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_base.cc:9320
#31 0x0000000000de507b in select_unit::send_data (this=0x6290000bbcf0, values=...) at /home/wx/mariadb-11.3.0/sql/sql_union.cc:122
#32 0x0000000000c36f9a in select_result_sink::send_data_with_check (this=0x61b000065e48, items=..., u=<optimized out>, sent=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_class.h:5842
#33 end_send (join=0x6290000bbde8, join_tab=0x62d0000e0d70, end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:24710
#34 0x0000000000c9e284 in evaluate_join_record (join=join@entry=0x6290000bbde8, join_tab=<optimized out>, join_tab@entry=0x62d0000e08f8, error=error@entry=0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677
#35 0x0000000000be3396 in sub_select (join=0x6290000bbde8, join_tab=0x62d0000e08f8, end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444
#36 0x0000000000c45121 in do_select (join=0x6290000bbde8, procedure=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
#37 JOIN::exec_inner (this=0x6290000bbde8) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
#38 0x0000000000c428e9 in JOIN::exec (this=0x6290000bbde8) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
#39 0x0000000000df0df7 in st_select_lex_unit::exec_inner (this=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_union.cc:2389
#40 0x0000000000a56f10 in mysql_derived_fill (thd=<optimized out>, lex=<optimized out>, derived=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1256
#41 0x0000000000a57cc2 in mysql_handle_single_derived (lex=0x62b0001703c8, derived=derived@entry=0x6290000b9950, phases=phases@entry=96) at /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200
#42 0x0000000000c71b80 in st_join_table::preread_init (this=this@entry=0x62d0000e8000) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:16029
#43 0x0000000000be2fea in sub_select (join=0x6290000bb5f8, join_tab=0x62d0000e8000, end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23392
#44 0x0000000000c45121 in do_select (join=0x6290000bb5f8, procedure=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
#45 JOIN::exec_inner (this=0x6290000bb5f8) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
#46 0x0000000000c428e9 in JOIN::exec (this=0x6290000bb5f8) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
#47 0x00000000015d8106 in subselect_single_select_engine::exec (this=<optimized out>) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159
#48 0x00000000015b4bab in Item_subselect::exec (this=0x6290000ba8a8) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812
#49 Item_in_subselect::exec (this=0x6290000ba8a8) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:994
#50 0x00000000015be5e0 in Item_in_subselect::val_bool (this=0x6290000ba8a8) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1991
#51 0x00000000013b4fcc in Item_in_optimizer::val_int (this=0x62d0000d4700) at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1664
#52 0x00000000013552b8 in Item::save_int_in_field (this=0x62d0000d4700, field=0x61900029e100, no_conversions=false) at /home/wx/mariadb-11.3.0/sql/item.cc:6843
#53 0x00000000013554a9 in Item::save_in_field (this=0x62d0000d4700, field=0x61900029e100, no_conversions=false) at /home/wx/mariadb-11.3.0/sql/item.cc:6853
#54 0x00000000009d7a96 in fill_record (thd=thd@entry=0x62b00016c218, table_arg=<optimized out>, fields=..., values=..., ignore_errors=false, update=false) at /home/wx/mariadb-11.3.0/sql/sql_base.cc:9032
#55 0x00000000009d9233 in fill_record_n_invoke_before_triggers (thd=thd@entry=0x62b00016c218, table=table@entry=0x61900029db98, fields=..., values=..., ignore_errors=<optimized out>, event=event@entry=TRG_EVENT_INSERT) at /home/wx/mariadb-11.3.0/sql/sql_base.cc:9206
#56 0x0000000000a6a4e5 in mysql_insert (thd=<optimized out>, table_list=0x6290000915f8, fields=..., values_list=..., update_fields=..., update_values=..., duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_insert.cc:1051
#57 0x0000000000b36566 in mysql_execute_command (thd=0x62b00016c218, is_called_from_prepared_stmt=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:4417
#58 0x0000000000b1fe79 in mysql_parse (thd=thd@entry=0x62b00016c218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, parser_state@entry=0x7fffd242ca80) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
#59 0x0000000000b19069 in dispatch_command (command=<optimized out>, thd=0x62b00016c218, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893
#60 0x0000000000b20b71 in do_command (thd=0x62b00016c218, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
#61 0x0000000000f03476 in do_handle_one_connection (connect=<optimized out>, put_in_cache=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
#62 0x0000000000f02eb9 in handle_one_connection (arg=arg@entry=0x608000ebabb8) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
#63 0x0000000001a00c1b in pfs_spawn_thread (arg=0x617000005498) at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
#64 0x00007ffff79f7609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#65 0x00007ffff770f133 in clone () from /lib/x86_64-linux-gnu/libc.so.6



 Comments   
Comment by Alice Sherepa [ 2023-10-10 ]

Thanks! This is the same as MDEV-32329; I will add the test case there:

Version: '11.2.2-MariaDB-debug-log'  
mariadbd: /11.2/src/sql/sql_select.cc:21654: bool Create_tmp_table::finalize(THD*, TABLE*, TMP_TABLE_PARAM*, bool, bool): Assertion `field->table == table' failed.
231010 14:13:00 [ERROR] mysqld got signal 6 ;
 
Server version: 11.2.2-MariaDB-debug-log source revision: 872ed5342d8f1ec02f8f8a7a25a606e4ff512234
 
/lib/x86_64-linux-gnu/libc.so.6(+0x33fd6)[0x7f44e65c9fd6]
sql/sql_select.cc:21655(Create_tmp_table::finalize(THD*, TABLE*, TMP_TABLE_PARAM*, bool, bool))[0x561a3cce3444]
sql/sql_select.cc:21956(create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool))[0x561a3cce7bbb]
sql/sql_select.cc:4217(JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool))[0x561a3cc65e36]
sql/sql_select.cc:3777(JOIN::make_aggr_tables_info())[0x561a3cc613b5]
sql/sql_select.cc:3395(JOIN::optimize_stage2())[0x561a3cc5c981]
sql/sql_select.cc:2646(JOIN::optimize_inner())[0x561a3cc54efa]
sql/sql_select.cc:1944(JOIN::optimize())[0x561a3cc4db3c]
sql/sql_lex.cc:4888(st_select_lex::optimize_unflattened_subqueries(bool))[0x561a3cad6c0f]
sql/opt_subselect.cc:5866(JOIN::optimize_unflattened_subqueries())[0x561a3d14a053]
sql/sql_select.cc:3227(JOIN::optimize_stage2())[0x561a3cc5b238]
sql/sql_select.cc:2646(JOIN::optimize_inner())[0x561a3cc54efa]
sql/sql_select.cc:1944(JOIN::optimize())[0x561a3cc4db3c]
sql/sql_lex.cc:4888(st_select_lex::optimize_unflattened_subqueries(bool))[0x561a3cad6c0f]
sql/opt_subselect.cc:5899(JOIN::optimize_constant_subqueries())[0x561a3d14a140]
sql/sql_select.cc:2274(JOIN::optimize_inner())[0x561a3cc50aed]
sql/sql_select.cc:1944(JOIN::optimize())[0x561a3cc4db3c]
sql/sql_union.cc:2262(st_select_lex_unit::optimize())[0x561a3ceb8005]
sql/sql_derived.cc:1006(mysql_derived_optimize(THD*, LEX*, TABLE_LIST*))[0x561a3ca6b1f2]
sql/sql_derived.cc:200(mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int))[0x561a3ca65db6]
sql/sql_select.cc:2436(JOIN::optimize_inner())[0x561a3cc52fd2]
sql/sql_select.cc:1944(JOIN::optimize())[0x561a3cc4db3c]
sql/sql_lex.cc:4888(st_select_lex::optimize_unflattened_subqueries(bool))[0x561a3cad6c0f]
sql/sql_insert.cc:876(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x561a3ca8637b]
sql/sql_parse.cc:4460(mysql_execute_command(THD*, bool))[0x561a3cb54d37]
sql/sql_parse.cc:7810(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x561a3cb6bdb7]
sql/sql_parse.cc:1895(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x561a3cb4415e]
sql/sql_parse.cc:1406(do_command(THD*, bool))[0x561a3cb40ea8]
sql/sql_connect.cc:1445(do_handle_one_connection(CONNECT*, bool))[0x561a3d01f8f9]
sql/sql_connect.cc:1349(handle_one_connection)[0x561a3d01f256]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x561a3dc8d722]
nptl/pthread_create.c:478(start_thread)[0x7f44e6ae4609]
 
Query (0x6290001092a8): INSERT INTO x ( x ) VALUES ( 1 ) , ( x IN ( SELECT x FROM ( SELECT ( SELECT EXISTS ( SELECT * FROM ( SELECT DISTINCT ( - CASE WHEN x = 1 THEN 1 ELSE x + 1 END >= x IS NOT NULL = 1 AND x = 1 ) OR x = x OR x = 'x' FROM x AS x GROUP BY x ) AS x WHERE 1 / x GROUP BY x HAVING ( 1 = 1 AND x = 1 ) ) FROM x GROUP BY EXISTS ( SELECT 1 ) ) FROM x UNION SELECT x FROM x ) AS x ) )
