[MDEV-32597] Server crash after query Created: 2023-10-27  Updated: 2023-11-09  Resolved: 2023-11-09

Status: Closed
Project: MariaDB Server
Component/s: Optimizer - Window functions
Affects Version/s: 11.1
Fix Version/s: N/A

Type: Bug Priority: Critical
Reporter: csfuzz Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None

Issue Links:
Duplicate: duplicates MDEV-32307 "Server crashes at filesort" (status: Confirmed)

Description

SELECT optimizer_switch ;
SELECT 2231626 IN ( SELECT 10 INTERSECT ALL SELECT 1 ORDER BY AVG ( '2006-05-21' ) OVER ( ) ) = 2058 ;
select @ SELECT optimizer_switch ;
SELECT ; ;
show SELECT optimizer_switch = "default" ;
select @ @ session . optimizer_switch ;

Thread pointer: 0x62b00016c218
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7fad867e1880 thread_stack 0x5fc00
/usr/local/mysql/bin/mariadbd(__interceptor_backtrace+0x5b)[0x781b5b]
mysys/stacktrace.c:215(my_print_stacktrace)[0x228cfae]
sql/signal_handler.cc:0(handle_fatal_signal)[0x12bd0d2]
sigaction.c:0(__restore_rt)[0x7fada8942420]
sql/sql_analyze_stmt.h:112(Exec_time_tracker::get_loops() const)[0x12abc71]
sql/sql_select.cc:26909(create_sort_index(THD*, JOIN*, st_join_table*, Filesort*))[0xca6c82]
/usr/local/mysql/bin/mariadbd(_ZN17Window_funcs_sort4execEP4JOINb+0xe6)[0x1113946]
/usr/local/mysql/bin/mariadbd(_ZN24Window_funcs_computation4execEP4JOINb+0x4d)[0x1115bcd]
sql/sql_select.cc:32382(AGGR_OP::end_send())[0xca0669]
sql/sql_select.cc:23189(sub_select_postjoin_aggr(JOIN*, st_join_table*, bool))[0xc3c211]
/usr/local/mysql/bin/mariadbd(_ZN4JOIN10exec_innerEv+0x28cc)[0xc4899c]
sql/sql_select.cc:4721(JOIN::exec())[0xc45f19]
sql/sql_select.cc:5251(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0xbe89b8]
/usr/local/mysql/bin/mariadbd(_ZN18st_select_lex_unit10exec_innerEv+0x183e)[0xdfa01e]
sql/item_subselect.cc:4188(subselect_union_engine::exec())[0x15b5c25]
sql/item_subselect.cc:817(Item_subselect::exec())[0x1591e4b]
sql/item_subselect.cc:1991(Item_in_subselect::val_bool())[0x159b6f0]
sql/item_cmpfunc.cc:1714(Item_in_optimizer::val_int())[0x13973d7]
sql/item_cmpfunc.cc:994(Arg_comparator::compare_int_signed())[0x139060f]
sql/item_cmpfunc.cc:1830(Item_func_eq::val_int())[0x13982b2]
sql/sql_type.cc:7472(Type_handler::Item_send_long(Item*, Protocol*, st_value*) const)[0x10f4562]
sql/protocol.cc:1334(Protocol::send_result_set_row(List<Item>*))[0x8a35e8]
sql/sql_class.cc:3130(select_send::send_data(List<Item>&))[0xa1841d]
sql/sql_select.cc:4809(JOIN::exec_inner())[0xc48ade]
sql/sql_select.cc:4721(JOIN::exec())[0xc45f19]
sql/sql_select.cc:5251(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0xbe89b8]
sql/sql_select.cc:628(handle_select(THD*, LEX*, select_result*, unsigned long long))[0xbe7e59]
sql/sql_parse.cc:6041(execute_sqlcom_select(THD*, TABLE_LIST*))[0xb41bc6]
/usr/local/mysql/bin/mariadbd(_Z21mysql_execute_commandP3THDb+0x18b7)[0xb319a7]
sql/sql_class.h:2830(THD::enter_stage(PSI_stage_info_v1 const*, char const*, char const*, unsigned int))[0xb24c79]
/usr/local/mysql/bin/mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjb+0x2cf8)[0xb1e648]
sql/sql_parse.cc:1407(do_command(THD*, bool))[0xb25971]
sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0xf0d066]
sql/sql_connect.cc:1322(handle_one_connection)[0xf0caa9]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x19d710b]
nptl/pthread_create.c:478(start_thread)[0x7fada8936609]
addr2line: DWARF error: section .debug_info is larger than its filesize! (0x93ef57 vs 0x530f28)
/lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7fada864e133]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x629000087238): SELECT 2231626 IN ( SELECT 10 INTERSECT ALL SELECT 1 ORDER BY AVG ( '2006-05-21' ) OVER ( ) ) = 2058



Comments
Comment by Alice Sherepa [ 2023-11-09 ]

Thanks! I repeated it on 10.4-11.2; this is the same bug as MDEV-32307.

SELECT 5 IN ( SELECT 10 union SELECT 20 ORDER BY sum(5) OVER () );

Version: '10.4.32-MariaDB-debug-log' 
231109 14:09:44 [ERROR] mysqld got signal 11 ;
 
Server version: 10.4.32-MariaDB-debug-log source revision: 62d80652be7c19f4ad2bf68d6ffbb4e1eb1d77ea
 
sql/signal_handler.cc:235(handle_fatal_signal)[0x55a14e48d1e9]
sigaction.c:0(__restore_rt)[0x7f0c80db2420]
sql/sql_analyze_stmt.h:74(Exec_time_tracker::get_loops() const)[0x55a14e16d529]
sql/sql_analyze_stmt.h:191(Filesort_tracker::report_use(unsigned long long))[0x55a14e48b5c6]
sql/filesort.cc:198(filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long))[0x55a14e47bff1]
sql/sql_select.cc:24246(create_sort_index(THD*, JOIN*, st_join_table*, Filesort*))[0x55a14de310f1]
sql/sql_window.cc:3052(Window_funcs_sort::exec(JOIN*, bool))[0x55a14e292c8b]
sql/sql_window.cc:3185(Window_funcs_computation::exec(JOIN*, bool))[0x55a14e293b24]
sql/sql_select.cc:29697(AGGR_OP::end_send())[0x55a14de5a972]
sql/sql_select.cc:20621(sub_select_postjoin_aggr(JOIN*, st_join_table*, bool))[0x55a14de16f97]
sql/sql_select.cc:20867(sub_select(JOIN*, st_join_table*, bool))[0x55a14de17a92]
sql/sql_select.cc:20445(do_select(JOIN*, Procedure*))[0x55a14de16192]
sql/sql_select.cc:4625(JOIN::exec_inner())[0x55a14dda3bd4]
sql/sql_select.cc:4408(JOIN::exec())[0x55a14dda1204]
sql/sql_select.cc:4848(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55a14dda53e0]
sql/sql_union.cc:1729(st_select_lex_unit::exec())[0x55a14df9caa0]
sql/item_subselect.cc:4060(subselect_union_engine::exec())[0x55a14e6e9c8d]
sql/item_subselect.cc:758(Item_subselect::exec())[0x55a14e6c4392]
sql/item_subselect.cc:938(Item_in_subselect::exec())[0x55a14e6c5996]
sql/item_subselect.cc:1886(Item_in_subselect::val_bool())[0x55a14e6d0f71]
sql/item.h:1562(Item::val_bool_result())[0x55a14da05952]
sql/item_cmpfunc.cc:1673(Item_in_optimizer::val_int())[0x55a14e5678f8]
sql/sql_type.cc:7137(Type_handler::Item_send_long(Item*, Protocol*, st_value*) const)[0x55a14e25cdbe]
sql/sql_type.h:5198(Type_handler_long::Item_send(Item*, Protocol*, st_value*) const)[0x55a14e2774ce]
sql/item.h:1046(Item::send(Protocol*, st_value*))[0x55a14da04d1c]
sql/protocol.cc:1033(Protocol::send_result_set_row(List<Item>*))[0x55a14d9f625d]
sql/sql_class.cc:3137(select_send::send_data(List<Item>&))[0x55a14dba94c7]
sql/sql_select.cc:4492(JOIN::exec_inner())[0x55a14dda2615]
sql/sql_select.cc:4408(JOIN::exec())[0x55a14dda1204]
sql/sql_select.cc:4848(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55a14dda53e0]
sql/sql_select.cc:442(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55a14dd75c56]
sql/sql_parse.cc:6475(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55a14dcdcc5c]
sql/sql_parse.cc:3978(mysql_execute_command(THD*))[0x55a14dcca3d3]
sql/sql_parse.cc:8014(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55a14dce61d7]
sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55a14dcbc563]
sql/sql_parse.cc:1378(do_command(THD*))[0x55a14dcb908e]
sql/sql_connect.cc:1419(do_handle_one_connection(CONNECT*))[0x55a14e0cd67e]
sql/sql_connect.cc:1324(handle_one_connection)[0x55a14e0ccf22]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55a14ed6abb0]
nptl/pthread_create.c:478(start_thread)[0x7f0c80da6609]
 
Query (0x62b0000a1290): SELECT 5 IN ( SELECT 10 union SELECT 20 ORDER BY sum(5) OVER () )
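The two traces above differ only in frames that the 11.1 build inlined away (Filesort_tracker::report_use and filesort); the faulting function (Exec_time_tracker::get_loops) and the path into it through create_sort_index, Window_funcs_sort::exec and Window_funcs_computation::exec are identical, which is what makes the report a duplicate. The following Python is an added triage helper, not code from the MariaDB project or from this report: it parses the signal-handler trace format shown above into frame names (with a minimal demangler that covers only the _Z/_ZN symbol shapes that appear on this page), drops the crash-handler frames, and uses a longest-common-subsequence match so that inlined frames do not stop two traces from being recognised as the same crash. The embedded traces are trimmed excerpts of the two on this page; the handler-noise list and the `same_crash` threshold are assumptions.

```python
import re

# Trimmed excerpts of the two signal-handler traces on this page:
# 11.1 from the report, 10.4 from the reproduction in the comment.
TRACE_11_1 = """\
sql/signal_handler.cc:0(handle_fatal_signal)[0x12bd0d2]
sigaction.c:0(__restore_rt)[0x7fada8942420]
sql/sql_analyze_stmt.h:112(Exec_time_tracker::get_loops() const)[0x12abc71]
sql/sql_select.cc:26909(create_sort_index(THD*, JOIN*, st_join_table*, Filesort*))[0xca6c82]
/usr/local/mysql/bin/mariadbd(_ZN17Window_funcs_sort4execEP4JOINb+0xe6)[0x1113946]
/usr/local/mysql/bin/mariadbd(_ZN24Window_funcs_computation4execEP4JOINb+0x4d)[0x1115bcd]
sql/sql_select.cc:32382(AGGR_OP::end_send())[0xca0669]
addr2line: DWARF error: section .debug_info is larger than its filesize! (0x93ef57 vs 0x530f28)
"""

TRACE_10_4 = """\
sql/signal_handler.cc:235(handle_fatal_signal)[0x55a14e48d1e9]
sigaction.c:0(__restore_rt)[0x7f0c80db2420]
sql/sql_analyze_stmt.h:74(Exec_time_tracker::get_loops() const)[0x55a14e16d529]
sql/sql_analyze_stmt.h:191(Filesort_tracker::report_use(unsigned long long))[0x55a14e48b5c6]
sql/filesort.cc:198(filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long))[0x55a14e47bff1]
sql/sql_select.cc:24246(create_sort_index(THD*, JOIN*, st_join_table*, Filesort*))[0x55a14de310f1]
sql/sql_window.cc:3052(Window_funcs_sort::exec(JOIN*, bool))[0x55a14e292c8b]
sql/sql_window.cc:3185(Window_funcs_computation::exec(JOIN*, bool))[0x55a14e293b24]
sql/sql_select.cc:29697(AGGR_OP::end_send())[0x55a14de5a972]
"""

# Two frame shapes printed by MariaDB's handle_fatal_signal:
#   file:line(function signature)[address]     resolved through addr2line
#   binary(mangled_symbol+0xoffset)[address]   unresolved
RESOLVED = re.compile(r"^(?P<file>[^\s(]+):(?P<line>\d+)\((?P<func>.+)\)\[(?P<addr>0x[0-9a-f]+)\]$")
UNRESOLVED = re.compile(r"^(?P<file>[^\s(]+)\((?P<sym>[^()+]+)\+0x[0-9a-f]+\)\[(?P<addr>0x[0-9a-f]+)\]$")

# Frames belonging to the crash handler rather than to the crashing code path
# (assumed list; extend it for other builds or sanitizer runtimes).
HANDLER_NOISE = {"handle_fatal_signal", "__restore_rt",
                 "my_print_stacktrace", "__interceptor_backtrace"}


def demangle(sym: str) -> str:
    """Minimal Itanium-ABI demangler covering only the shapes seen in these traces:
    _Z<len>name...  (plain function) and _ZN<len>name<len>name...E (nested name).
    Parameter encodings are ignored; anything else is returned unchanged."""
    if not sym.startswith("_Z"):
        return sym
    nested = sym.startswith("_ZN")
    pos = 3 if nested else 2
    parts = []
    while pos < len(sym):
        m = re.match(r"\d+", sym[pos:])
        if not m:
            break
        n = int(m.group())
        pos += len(m.group())
        parts.append(sym[pos:pos + n])
        pos += n
        if not nested:           # a plain function has exactly one name
            break
    return "::".join(parts) if parts else sym


def parse_trace(text: str) -> list:
    """Turn a pasted trace into an ordered list of function names (innermost first),
    dropping handler frames and unrelated lines such as addr2line warnings."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        m = RESOLVED.match(line)
        if m:                    # 'Name::func(args) const' -> 'Name::func'
            frames.append(m.group("func").split("(")[0].strip())
            continue
        m = UNRESOLVED.match(line)
        if m:
            frames.append(demangle(m.group("sym")))
    return [f for f in frames if f not in HANDLER_NOISE]


def shared_frames(a: list, b: list) -> list:
    """Longest common subsequence of two frame lists: frames that one build inlined
    away simply drop out instead of breaking the match."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]   # dp[i][j] = LCS(a[i:], b[j:])
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    out, i, j = [], 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i]); i += 1; j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return out


def same_crash(a: list, b: list, min_shared: int = 4) -> bool:
    """Duplicate heuristic (an assumption, not a MariaDB rule): both traces fault in
    the same function and share at least `min_shared` frames in the same order."""
    return bool(a) and bool(b) and a[0] == b[0] and len(shared_frames(a, b)) >= min_shared


if __name__ == "__main__":
    a, b = parse_trace(TRACE_11_1), parse_trace(TRACE_10_4)
    print("shared path:", " <- ".join(shared_frames(a, b)))
    print("duplicate:", same_crash(a, b))
```

Running it prints the five-frame path common to both traces and reports them as duplicates; the 10.4 trace contributes two extra frames (Filesort_tracker::report_use, filesort) that the matcher skips over. Pasting a full trace from a different ticket in place of one of the constants is enough to check whether it lands on the same path before filing it separately.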
