[MDEV-32596] Server crash after query Created: 2023-10-27  Updated: 2023-12-11

Status: Confirmed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2, 11.3

Type: Bug Priority: Major
Reporter: csfuzz Assignee: Sergei Petrunia
Resolution: Unresolved Votes: 0
Labels: None


 Description   

-- Fuzzer-generated reproducer (csfuzz). It must be fed to a client that keeps
-- going after errors (e.g. `mariadb --force`): several statements below fail
-- by design (missing tables/columns) and are not needed for the crash. A
-- three-statement reduction is given in the comments section of this report.
SET default_storage_engine = InnoDB ;
-- UNIQUE on a BOOLEAN column plus a TEXT column; the reduced test case uses
-- `a int, b text, UNIQUE KEY (a)` and crashes the same way.
CREATE TABLE v0 ( v1 BOOLEAN UNIQUE , v2 TEXT ) ;
-- Expected to fail: there is no table v0.TABLES. Fuzzer noise.
SELECT v1 FROM v0 . TABLES WHERE v1 = 'x' AND v1 = 'x' ;
INSERT INTO v0 VALUES ( 54 , 'x' ) ;
-- NOTE(review): `v1` inside VALUES is a column reference, not a literal, so the
-- first column appears to end up NULL (the reduced test case inserts
-- (NULL,'1') here -- confirm). The NOT IN operand is a CTE that shadows the
-- base table name v0 and is always empty because of `-1 = 5`, so
-- `v1 NOT IN (<empty>)` yields 1.
INSERT INTO v0 VALUES ( v1 , v1 NOT IN ( WITH v0 AS ( SELECT * FROM v0 ORDER BY v2 / 67 * v2 ) SELECT DISTINCT v1 * v2 FROM v0 WHERE v2 = 'x' AND -1 = 5 AND v2 = v2 ) ) ;
-- Same `v1` column reference: inserts (NULL,'x'). Two rows now share a NULL
-- in the UNIQUE column, which the reduced test case reproduces deliberately.
INSERT INTO v0 VALUES ( v1 , 'x' ) ;
SELECT * FROM v0 ORDER BY v2 ;
-- Expected to fail: no table t1 exists (same for every later DELETE FROM t1).
DELETE FROM t1 ;
SELECT * FROM v0 ORDER BY v2 ;
-- Presumably a no-op: nothing opened a transaction (autocommit assumed).
ROLLBACK ;
-- CRASH. This is the statement echoed in the "Query (...)" line of the trace
-- below (signal 11 in Item_equal::val_int, reached from end_send_group via
-- the cached FROM-less HAVING subquery). The two identical OR operands are
-- fuzzer noise; the reduced test case crashes with a single `b = 'x'`.
-- Security note: reachable by any client that can run a SELECT against such
-- a table, so this is a server-availability (DoS) bug, not just a crash.
SELECT * FROM v0 GROUP BY v1 HAVING ( SELECT v2 WHERE v2 = 'x' OR v2 = 'x' ) ORDER BY v1 ;
-- Nothing below executes once the server has died; kept for completeness.
DELETE FROM t1 ;
START TRANSACTION ;
SELECT * FROM v0 ORDER BY v2 ;
COMMIT ;
SELECT * FROM v0 ORDER BY v1 ;
DELETE FROM t1 ;
START TRANSACTION ;
-- Would fail even on a live server: SELECT with ORDER BY but no FROM clause.
SELECT * ORDER BY v2 ;
ROLLBACK ;
-- Would fail even on a live server: the ORDER BY expression references an
-- unknown column `x`.
SELECT * FROM v0 ORDER BY ( SELECT 1 UNION SELECT 1 UNION SELECT 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + x + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + ( SELECT 1 UNION SELECT 1 UNION SELECT 1 ) * ( SELECT 1 UNION SELECT 1 UNION SELECT 1 ) * 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + ( SELECT 1 UNION SELECT 1 UNION SELECT 1 ) * 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 ) ;
DELETE FROM t1 ;
DROP TABLE v0 ;

Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f8df02a1880 thread_stack 0x5fc00
/usr/local/mysql/bin/mariadbd(__interceptor_backtrace+0x5b)[0x781b5b]
mysys/stacktrace.c:215(my_print_stacktrace)[0x228cfae]
sql/signal_handler.cc:0(handle_fatal_signal)[0x12bd0d2]
sigaction.c:0(__restore_rt)[0x7f8e123fc420]
sql/item_cmpfunc.cc:7372(Item_equal::val_int())[0x13d459c]
sql/sql_type.cc:5075(Type_handler_int_result::Item_val_bool(Item*) const)[0x10c1351]
sql/item_cmpfunc.cc:5622(Item_cond_or::val_int())[0x13bed03]
sql/sql_select.cc:4803(JOIN::exec_inner())[0xc487b9]
sql/sql_select.cc:4721(JOIN::exec())[0xc45f19]
/usr/local/mysql/bin/mariadbd(_ZN30subselect_single_select_engine4execEv+0xb26)[0x15b5176]
sql/item_subselect.cc:817(Item_subselect::exec())[0x159115c]
sql/item_subselect.cc:1484(Item_singlerow_subselect::val_str(String*))[0x1596b3c]
sql/item.cc:10524(Item_cache_str::cache_value())[0x136055a]
sql/item.cc:8928(Item_cache_wrapper::cache())[0x134d2cc]
sql/sql_select.cc:24933(end_send_group(JOIN*, st_join_table*, bool))[0xc9f706]
sql/sql_select.cc:23737(evaluate_join_record(JOIN*, st_join_table*, int))[0xca16a3]
/usr/local/mysql/bin/mariadbd(_Z10sub_selectP4JOINP13st_join_tableb+0x6df)[0xbe6ccf]
/usr/local/mysql/bin/mariadbd(_ZN4JOIN10exec_innerEv+0x2681)[0xc48751]
sql/sql_select.cc:4721(JOIN::exec())[0xc45f19]
sql/sql_select.cc:5251(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0xbe89b8]
sql/sql_select.cc:628(handle_select(THD*, LEX*, select_result*, unsigned long long))[0xbe7e59]
sql/sql_parse.cc:6041(execute_sqlcom_select(THD*, TABLE_LIST*))[0xb41bc6]
/usr/local/mysql/bin/mariadbd(_Z21mysql_execute_commandP3THDb+0x18b7)[0xb319a7]
sql/sql_class.h:2830(THD::enter_stage(PSI_stage_info_v1 const*, char const*, char const*, unsigned int))[0xb24c79]
/usr/local/mysql/bin/mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjb+0x2cf8)[0xb1e648]
sql/sql_parse.cc:1407(do_command(THD*, bool))[0xb25971]
sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0xf0d066]
sql/sql_connect.cc:1322(handle_one_connection)[0xf0caa9]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x19d710b]
nptl/pthread_create.c:478(start_thread)[0x7f8e123f0609]
addr2line: DWARF error: section .debug_info is larger than its filesize! (0x93ef57 vs 0x530f28)
/lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7f8e12108133]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x629000087238): SELECT * FROM v0 GROUP BY v1 HAVING ( SELECT v2 WHERE v2 = 'x' OR v2 = 'x' ) ORDER BY v1



 Comments   
Comment by Alice Sherepa [ 2023-11-09 ]

Thanks! Reproduced on 10.4–11.3 with InnoDB; no crash with MyISAM/Aria. Reduced test case (mysqltest format):

 --source include/have_innodb.inc
 
# Reduced test case for MDEV-32596. The engine matters: InnoDB crashes,
# MyISAM/Aria do not. The data mirrors what the original fuzz script ends up
# with: one row with a value in the UNIQUE column and two rows with NULL in it.
# NOTE(review): whether the UNIQUE KEY and the NULLs in `a` are required for
# the crash has not been checked -- worth trying without each.
CREATE TABLE t (a int, b text, UNIQUE KEY (a)) ENGINE=InnoDB;
INSERT INTO t VALUES (54,'x'),(NULL,'1'),(NULL,'x');
 
# Crashing statement: signal 11 in Item_equal::val_int (trace below). The HAVING
# subquery has no FROM clause, so `b` presumably resolves to the outer grouped
# column, and the trace shows the subquery being evaluated through
# Item_cache_wrapper::cache -> Item_singlerow_subselect::val_str from
# end_send_group. Why the Item_equal built for `b = 'x'` is then evaluated
# with an invalid pointer is not established here.
# Security note: any client able to issue a SELECT on such a table can take the
# server down with this, so treat it as an availability (DoS) issue until fixed.
SELECT * FROM t GROUP BY a HAVING ( SELECT b WHERE b = 'x') ORDER BY a ;

231211 14:12:36 [ERROR] mysqld got signal 11 ;
 
Server version: 10.4.33-MariaDB-debug-log source revision: 7e34bb5ce12c543dec96d07d30598154f9880d55
 
sql/signal_handler.cc:235(handle_fatal_signal)[0x556c5119afd7]
sigaction.c:0(__restore_rt)[0x7f1c887cb420]
sql/item_cmpfunc.cc:7117(Item_equal::val_int())[0x556c512a8216]
sql/sql_select.cc:4488(JOIN::exec_inner())[0x556c50aaf764]
sql/sql_select.cc:4408(JOIN::exec())[0x556c50aae6a6]
sql/item_subselect.cc:4039(subselect_single_select_engine::exec())[0x556c513f7690]
sql/item_subselect.cc:758(Item_subselect::exec())[0x556c513d241a]
sql/item_subselect.cc:1422(Item_singlerow_subselect::val_str(String*))[0x556c513d8923]
sql/item.h:1559(Item::str_result(String*))[0x556c5071187d]
sql/item.cc:10377(Item_cache_str::cache_value())[0x556c51246a7a]
sql/item.cc:8782(Item_cache_wrapper::cache())[0x556c5125b760]
sql/item.cc:8836(Item_cache_wrapper::val_int())[0x556c51237b06]
sql/sql_select.cc:22277(end_send_group(JOIN*, st_join_table*, bool))[0x556c50b3031e]
sql/sql_select.cc:21149(evaluate_join_record(JOIN*, st_join_table*, int))[0x556c50b26d91]
sql/sql_select.cc:20961(sub_select(JOIN*, st_join_table*, bool))[0x556c50b25d2c]
sql/sql_select.cc:20443(do_select(JOIN*, Procedure*))[0x556c50b2346c]
sql/sql_select.cc:4625(JOIN::exec_inner())[0x556c50ab1076]
sql/sql_select.cc:4408(JOIN::exec())[0x556c50aae6a6]
sql/sql_select.cc:4848(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x556c50ab2882]
sql/sql_select.cc:442(handle_select(THD*, LEX*, select_result*, unsigned long))[0x556c50a830f8]
sql/sql_parse.cc:6523(execute_sqlcom_select(THD*, TABLE_LIST*))[0x556c509ea0fd]
sql/sql_parse.cc:3980(mysql_execute_command(THD*))[0x556c509d771d]
sql/sql_parse.cc:8062(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x556c509f3679]
sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x556c509c9825]
sql/sql_parse.cc:1378(do_command(THD*))[0x556c509c6350]
sql/sql_connect.cc:1419(do_handle_one_connection(CONNECT*))[0x556c50ddb41a]
sql/sql_connect.cc:1324(handle_one_connection)[0x556c50ddacbe]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x556c51a78e70]
nptl/pthread_create.c:478(start_thread)[0x7f1c887bf609]
 
Query (0x62b0000a1290): SELECT * FROM t GROUP BY a HAVING ( SELECT b WHERE b = 'x') ORDER BY a
