[MDEV-32707] Assertion Failed at /mariadb-11.3.0/sql/handler.cc:3765 Created: 2023-11-07  Updated: 2023-12-04

Status: Confirmed
Project: MariaDB Server
Component/s: Optimizer - CTE, Server
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2, 11.3.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2, 11.3

Type: Bug Priority: Major
Reporter: Xin Wen Assignee: Sergei Petrunia
Resolution: Unresolved Votes: 0
Labels: None
Environment:

Ubuntu 20.04


Issue Links:
Duplicate
is duplicated by MDEV-32706 Assertion Failed at /mariadb-11.3.0/s... Closed

 Description   

Run these queries on a debug build:

-- Reproducer for MDEV-32707. Keep the three statements verbatim: this is a
-- minimal crash test case, not production SQL, and every identifier is
-- deliberately `x`, so the table, its column, the recursive CTEs and the
-- window specs all shadow one another.
-- Observed outcome (see the traces below): on a debug build the UPDATE hits
-- the assertion in handler::ha_index_first (sql/handler.cc:3765); on 10.4
-- an ASAN build reports a heap-use-after-free in close_thread_tables, and
-- on 11.1 a different assertion fires in handler::ha_rnd_next.
-- NOTE(review): the ASAN report means that in a non-debug build this is a
-- use-after-free (undefined behaviour), not merely an assertion failure, so
-- it should be treated as a memory-safety bug reachable from a single
-- UPDATE statement rather than as a debug-only crash.
CREATE TABLE x ( x VARCHAR ( 1 ) UNIQUE ) ;
INSERT INTO x ( x ) VALUES ( 1 ) ;
UPDATE x SET x = 1 WHERE x = 1 ORDER BY 'x' / ( ( WITH RECURSIVE x ( x ) AS ( SELECT 1 UNION SELECT 1 - x FROM x WINDOW x AS ( PARTITION BY x ORDER BY ( WITH x AS ( SELECT * FROM x WHERE NOT EXISTS ( WITH RECURSIVE x ( x ) AS ( SELECT 1 INTERSECT SELECT x + 1 FROM x GROUP BY 'x' , 'x' , x + x ) SELECT x AS x FROM x ORDER BY x LIMIT 1 OFFSET 1 ) ) SELECT * FROM x WHERE x <= 1 GROUP BY x HAVING x > 'x' ) IS NOT NULL DESC ) ) SELECT 1 WHERE x != 'x' ) AND x = 1 ) / ( - 1.000000 >= ( SELECT x NOT LIKE 'x' FROM x WHERE ( SELECT x FROM x WHERE NULL = x GROUP BY x HAVING ( ( SELECT 1 FROM x GROUP BY ( x OR - 1.000000 >= ( SELECT x NOT LIKE 'x' FROM x WHERE ( SELECT x FROM x WHERE NULL = x ) GROUP BY 1.000000 / x = ( SELECT x + 'x' AS x FROM x WHERE x = x ) HAVING x WINDOW x AS ( ORDER BY x DESC ) ) IS NOT NULL = 1 ) BETWEEN 1 AND 1 ) , x ) > ( 'x' , 'x' ) ) ) IS NOT NULL = 1 AND x = 1 ) , x ;

This triggers an assertion failure.
GDB backtrace:
#0 0x00007ffff6c0c00b in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff6beb859 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ffff6beb729 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007ffff6bfcfd6 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x0000555557b3488f in handler::ha_index_first (this=0x61d000248728, buf=0x61a000531138 "\377") at /home/wx/mariadb-11.3.0/sql/handler.cc:3765
#5 0x0000555557368083 in join_read_first (tab=0x62d0000869e8) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:24511
#6 0x0000555557360006 in sub_select (join=0x62d000082ac8, join_tab=0x62d0000869e8, end_of_records=false) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23441
#7 0x000055555735dadd in do_select (join=0x62d000082ac8, procedure=0x0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
#8 0x00005555572dbfe9 in JOIN::exec_inner (this=0x62d000082ac8) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
#9 0x00005555572d93a0 in JOIN::exec (this=0x62d000082ac8) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
#10 0x0000555557dce72f in subselect_single_select_engine::exec (this=0x62d0000722c0) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159
#11 0x0000555557da9c85 in Item_subselect::exec (this=0x62d000072120) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812
#12 0x0000555557dafbe9 in Item_singlerow_subselect::val_int (this=0x62d000072120) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462
#13 0x00005555578b1e2c in Type_handler_int_result::Item_update_null_value (this=0x55555b7b6980 <type_handler_slong>, item=0x62d000072120) at /home/wx/mariadb-11.3.0/sql/sql_type.cc:4278
#14 0x0000555556e15a64 in Item::update_null_value (this=0x62d000072120) at /home/wx/mariadb-11.3.0/sql/item.h:2079
#15 0x0000555557de3283 in Item_subselect::is_null (this=0x62d000072120) at /home/wx/mariadb-11.3.0/sql/item_subselect.h:190
#16 0x0000555557cfbd14 in Item_row::fix_fields (this=0x62d000072478, thd=0x62c0001e0288, ref=0x62d0000727f8) at /home/wx/mariadb-11.3.0/sql/item_row.cc:60
#17 0x0000555556f0404f in Item::fix_fields_if_needed (this=0x62d000072478, thd=0x62c0001e0288, ref=0x62d0000727f8) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#18 0x0000555557c6c9f2 in Item_func::fix_fields (this=0x62d000072778, thd=0x62c0001e0288, ref=0x62d00007fe30) at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#19 0x0000555556f0404f in Item::fix_fields_if_needed (this=0x62d000072778, thd=0x62c0001e0288, ref=0x62d00007fe30) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#20 0x0000555556f04089 in Item::fix_fields_if_needed_for_scalar (this=0x62d000072778, thd=0x62c0001e0288, ref=0x62d00007fe30) at /home/wx/mariadb-11.3.0/sql/item.h:1156
#21 0x000055555703235b in Item::fix_fields_if_needed_for_bool (this=0x62d000072778, thd=0x62c0001e0288, ref=0x62d00007fe30) at /home/wx/mariadb-11.3.0/sql/item.h:1160
#22 0x00005555572b77b9 in JOIN::prepare (this=0x62d00007fc18, tables_init=0x62900017a098, conds_init=0x62900017a980, og_num=1, order_init=0x0, skip_order_by=false, group_init=0x62900017acf0, having_init=0x62d000072778, proc_param_init=0x0, select_lex_arg=0x629000179a30, unit_arg=0x62d0000729c0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1589
#23 0x0000555557dcc18e in subselect_single_select_engine::prepare (this=0x62d0000733a0, thd=0x62c0001e0288) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:3943
#24 0x0000555557da5ca5 in Item_subselect::fix_fields (this=0x62d000073200, thd_param=0x62c0001e0288, ref=0x62d00007f350) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:296
#25 0x0000555556f0404f in Item::fix_fields_if_needed (this=0x62d000073200, thd=0x62c0001e0288, ref=0x62d00007f350) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#26 0x0000555556f04089 in Item::fix_fields_if_needed_for_scalar (this=0x62d000073200, thd=0x62c0001e0288, ref=0x62d00007f350) at /home/wx/mariadb-11.3.0/sql/item.h:1156
#27 0x000055555703235b in Item::fix_fields_if_needed_for_bool (this=0x62d000073200, thd=0x62c0001e0288, ref=0x62d00007f350) at /home/wx/mariadb-11.3.0/sql/item.h:1160
#28 0x0000555557029190 in setup_conds (thd=0x62c0001e0288, tables=0x629000179300, leaves=..., conds=0x62d00007f350) at /home/wx/mariadb-11.3.0/sql/sql_base.cc:8888
#29 0x00005555572af1c9 in setup_without_group (thd=0x62c0001e0288, ref_pointer_array=..., tables=0x629000179300, leaves=..., fields=..., all_fields=..., conds=0x62d00007f350, order=0x0, group=0x0, win_specs=..., win_funcs=..., hidden_group_fields=0x62d00007f217, reserved=0x629000178dcc) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:931
#30 0x00005555572b6b86 in JOIN::prepare (this=0x62d00007eeb8, tables_init=0x629000179300, conds_init=0x62d000073200, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x6290001789e0, unit_arg=0x62d000073400) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1531
#31 0x0000555557dcc18e in subselect_single_select_engine::prepare (this=0x62d000073de0, thd=0x62c0001e0288) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:3943
#32 0x0000555557da5ca5 in Item_subselect::fix_fields (this=0x62d000073c40, thd_param=0x62c0001e0288, ref=0x62d000073eb0) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:296
#33 0x0000555556f0404f in Item::fix_fields_if_needed (this=0x62d000073c40, thd=0x62c0001e0288, ref=0x62d000073eb0) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#34 0x0000555557c6c9f2 in Item_func::fix_fields (this=0x62d000073e28, thd=0x62c0001e0288, ref=0x62d0000740d8) at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#35 0x0000555556f0404f in Item::fix_fields_if_needed (this=0x62d000073e28, thd=0x62c0001e0288, ref=0x62d0000740d8) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#36 0x0000555557c6c9f2 in Item_func::fix_fields (this=0x62d000074058, thd=0x62c0001e0288, ref=0x62d000074230) at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#37 0x0000555556f0404f in Item::fix_fields_if_needed (this=0x62d000074058, thd=0x62c0001e0288, ref=0x62d000074230) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#38 0x0000555557c6c9f2 in Item_func::fix_fields (this=0x62d0000741b0, thd=0x62c0001e0288, ref=0x62d000074900) at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#39 0x0000555556f0404f in Item::fix_fields_if_needed (this=0x62d0000741b0, thd=0x62c0001e0288, ref=0x62d000074900) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#40 0x0000555556f04089 in Item::fix_fields_if_needed_for_scalar (this=0x62d0000741b0, thd=0x62c0001e0288, ref=0x62d000074900) at /home/wx/mariadb-11.3.0/sql/item.h:1156
#41 0x000055555703235b in Item::fix_fields_if_needed_for_bool (this=0x62d0000741b0, thd=0x62c0001e0288, ref=0x62d000074900) at /home/wx/mariadb-11.3.0/sql/item.h:1160
#42 0x0000555557c13a3b in Item_cond::fix_fields (this=0x62d0000747f0, thd=0x62c0001e0288, ref=0x62d0000749b0) at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:4941
#43 0x0000555556f0404f in Item::fix_fields_if_needed (this=0x62d0000747f0, thd=0x62c0001e0288, ref=0x62d0000749b0) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#44 0x0000555557c6c9f2 in Item_func::fix_fields (this=0x62d000074928, thd=0x62c0001e0288, ref=0x62d000074a20) at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#45 0x0000555556f0404f in Item::fix_fields_if_needed (this=0x62d000074928, thd=0x62c0001e0288, ref=0x62d000074a20) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#46 0x0000555556f04089 in Item::fix_fields_if_needed_for_scalar (this=0x62d000074928, thd=0x62c0001e0288, ref=0x62d000074a20) at /home/wx/mariadb-11.3.0/sql/item.h:1156
#47 0x00005555573add95 in Item::fix_fields_if_needed_for_order_by (this=0x62d000074928, thd=0x62c0001e0288, ref=0x62d000074a20) at /home/wx/mariadb-11.3.0/sql/item.h:1164
#48 0x000055555737df94 in find_order_in_list (thd=0x62c0001e0288, ref_pointer_array=..., tables=0x6290000f5a80, order=0x62d000074a10, fields=..., all_fields=..., is_group_field=false, add_to_all_fields=true, from_window_spec=false) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:27533
#49 0x000055555737e55a in setup_order (thd=0x62c0001e0288, ref_pointer_array=..., tables=0x6290000f5a80, fields=..., all_fields=..., order=0x62d000074a10, from_window_spec=false) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:27580
#50 0x00005555572af634 in setup_without_group (thd=0x62c0001e0288, ref_pointer_array=..., tables=0x6290000f5a80, leaves=..., fields=..., all_fields=..., conds=0x62d00007da60, order=0x62d000074a10, group=0x0, win_specs=..., win_funcs=..., hidden_group_fields=0x62d00007d927, reserved=0x62c0001e52fc) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:947
#51 0x00005555572b6b86 in JOIN::prepare (this=0x62d00007d5c8, tables_init=0x6290000f5a80, conds_init=0x6290000f65e8, og_num=2, order_init=0x62d000074a10, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x62c0001e4f10, unit_arg=0x62c0001e46d8) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1531
#52 0x0000555557569318 in Sql_cmd_update::prepare_inner (this=0x6290000f63c0, thd=0x62c0001e0288) at /home/wx/mariadb-11.3.0/sql/sql_update.cc:2999
#53 0x00005555573a79a7 in Sql_cmd_dml::prepare (this=0x6290000f63c0, thd=0x62c0001e0288) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:33265
#54 0x00005555573a7c66 in Sql_cmd_dml::execute (this=0x6290000f63c0, thd=0x62c0001e0288) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:33318
#55 0x00005555571c1637 in mysql_execute_command (thd=0x62c0001e0288, is_called_from_prepared_stmt=false) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:4361
#56 0x00005555571d95e2 in mysql_parse (thd=0x62c0001e0288, rawbuf=0x6290000f52a8 "UPDATE x SET x = 1 WHERE x = 1 ORDER BY 'x' / ( ( WITH RECURSIVE x ( x ) AS ( SELECT 1 UNION SELECT 1 - x FROM x WINDOW x AS ( PARTITION BY x ORDER BY ( WITH x AS ( SELECT * FROM x WHERE NOT EXISTS ( "..., length=896, parser_state=0x7fffd192e870) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
#57 0x00005555571b1237 in dispatch_command (command=COM_QUERY, thd=0x62c0001e0288, packet=0x6290000fa289 " UPDATE x SET x = 1 WHERE x = 1 ORDER BY 'x' / ( ( WITH RECURSIVE x ( x ) AS ( SELECT 1 UNION SELECT 1 - x FROM x WINDOW x AS ( PARTITION BY x ORDER BY ( WITH x AS ( SELECT * FROM x WHERE NOT EXISTS ("..., packet_length=900, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893
#58 0x00005555571adf7c in do_command (thd=0x62c0001e0288, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
#59 0x000055555768e557 in do_handle_one_connection (connect=0x611000058688, put_in_cache=true) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
#60 0x000055555768deb4 in handle_one_connection (arg=0x611000058548) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
#61 0x00005555582fa350 in pfs_spawn_thread (arg=0x618000005508) at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
#62 0x00007ffff7115609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#63 0x00007ffff6ce8133 in clone () from /lib/x86_64-linux-gnu/libc.so.6



 Comments   
Comment by Alice Sherepa [ 2023-11-07 ]

Thanks!
Repeatable on 10.4-11.3.

Version: '10.4.32-MariaDB-debug-log'  
=================================================================
==538528==ERROR: AddressSanitizer: heap-use-after-free on address 0x6220000379a0 at pc 0x55b8ecbc0c7a bp 0x7fa02a7cbac0 sp 0x7fa02a7cbab0
READ of size 8 at 0x6220000379a0 thread T27
    #0 0x55b8ecbc0c79 in close_thread_tables(THD*) /10.4/src/sql/sql_base.cc:953
    #1 0x55b8ecd72a68 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:6283
    #2 0x55b8ecd7ddc4 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8013
    #3 0x55b8ecd54186 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
    #4 0x55b8ecd50cb1 in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
    #5 0x55b8ed1605b4 in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
    #6 0x55b8ed15fe58 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
    #7 0x55b8eddfc47d in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
    #8 0x7fa041396608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
    #9 0x7fa040f67132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
0x6220000379a0 is located 160 bytes inside of 5844-byte region [0x622000037900,0x622000038fd4)
freed by thread T27 here:
    #0 0x7fa04199440f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x55b8ee983a5a in free_memory /10.4/src/mysys/safemalloc.c:279
    #2 0x55b8ee983016 in sf_free /10.4/src/mysys/safemalloc.c:197
    #3 0x55b8ee951c0e in my_free /10.4/src/mysys/my_malloc.c:222
    #4 0x55b8ee92e849 in free_root /10.4/src/mysys/my_alloc.c:428
    #5 0x55b8ecea769d in free_tmp_table(THD*, TABLE*) /10.4/src/sql/sql_select.cc:20209
    #6 0x55b8ecbc0ca4 in close_thread_tables(THD*) /10.4/src/sql/sql_base.cc:954
    #7 0x55b8ecd72a68 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:6283
    #8 0x55b8ecd7ddc4 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8013
    #9 0x55b8ecd54186 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
    #10 0x55b8ecd50cb1 in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
    #11 0x55b8ed1605b4 in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
    #12 0x55b8ed15fe58 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
    #13 0x55b8eddfc47d in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
    #14 0x7fa041396608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
 
previously allocated by thread T27 here:
    #0 0x7fa041994808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55b8ee9829ca in sf_malloc /10.4/src/mysys/safemalloc.c:118
    #2 0x55b8ee951117 in my_malloc /10.4/src/mysys/my_malloc.c:101
    #3 0x55b8ee92d75a in alloc_root /10.4/src/mysys/my_alloc.c:258
    #4 0x55b8ee92df3b in multi_alloc_root /10.4/src/mysys/my_alloc.c:332
    #5 0x55b8ece97ce5 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /10.4/src/sql/sql_select.cc:18709
    #6 0x55b8ed020ff3 in select_unit::create_result_table(THD*, List<Item>*, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int) /10.4/src/sql/sql_union.cc:393
    #7 0x55b8ecc88a35 in mysql_derived_prepare /10.4/src/sql/sql_derived.cc:853
    #8 0x55b8ecc84b19 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /10.4/src/sql/sql_derived.cc:200
    #9 0x55b8ed0b38fc in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.4/src/sql/table.cc:9090
    #10 0x55b8ecccd05f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.4/src/sql/sql_lex.h:4403
    #11 0x55b8eccef1c2 in st_select_lex::handle_derived(LEX*, unsigned int) /10.4/src/sql/sql_lex.cc:4306
    #12 0x55b8ece10d09 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /10.4/src/sql/sql_select.cc:1243
    #13 0x55b8ed778611 in subselect_single_select_engine::prepare(THD*) /10.4/src/sql/item_subselect.cc:3815
    #14 0x55b8ed75230c in Item_subselect::fix_fields(THD*, Item**) /10.4/src/sql/item_subselect.cc:289
    #15 0x55b8ecabd5e4 in Item::fix_fields_if_needed(THD*, Item**) /10.4/src/sql/item.h:966
    #16 0x55b8ed67d0cd in Item_func::fix_fields(THD*, Item**) /10.4/src/sql/item_func.cc:355
    #17 0x55b8ecabd5e4 in Item::fix_fields_if_needed(THD*, Item**) /10.4/src/sql/item.h:966
    #18 0x55b8ecabd61e in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /10.4/src/sql/item.h:970
    #19 0x55b8ecef46dc in Item::fix_fields_if_needed_for_order_by(THD*, Item**) /10.4/src/sql/item.h:978
    #20 0x55b8ecec8e0e in find_order_in_list /10.4/src/sql/sql_select.cc:24931
    #21 0x55b8ecec93d4 in setup_order(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, st_order*, bool) /10.4/src/sql/sql_select.cc:24978
    #22 0x55b8ed31d840 in setup_windows(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, List<Window_spec>&, List<Item_window_func>&) /10.4/src/sql/sql_window.cc:247
    #23 0x55b8ece0b06a in setup_without_group /10.4/src/sql/sql_select.cc:761
    #24 0x55b8ece1255a in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /10.4/src/sql/sql_select.cc:1355
    #25 0x55b8ed023883 in st_select_lex_unit::prepare_join(THD*, st_select_lex*, select_result*, unsigned long, bool) /10.4/src/sql/sql_union.cc:662
    #26 0x55b8ed027c0a in st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long) /10.4/src/sql/sql_union.cc:1089
    #27 0x55b8ecc88748 in mysql_derived_prepare /10.4/src/sql/sql_derived.cc:824
    #28 0x55b8ecc84b19 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /10.4/src/sql/sql_derived.cc:200
    #29 0x55b8ed0b38fc in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.4/src/sql/table.cc:9090
 
Thread T27 created by T0 here:
    #0 0x7fa0418c1815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x55b8eddfc86e in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919
    #2 0x55b8eca4bf71 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275
    #3 0x55b8eca64103 in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6289
    #4 0x55b8eca6489e in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6359
    #5 0x55b8eca64d84 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6457
    #6 0x55b8eca65c40 in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6615
    #7 0x55b8eca63808 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5947
    #8 0x55b8eca49f3c in main /10.4/src/sql/main.cc:25
    #9 0x7fa040e6c082 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /10.4/src/sql/sql_base.cc:953 in close_thread_tables(THD*)
Shadow bytes around the buggy address:
  0x0c447fffeee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c447fffeef0: 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa
  0x0c447fffef00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c447fffef10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c447fffef20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c447fffef30: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c447fffef40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c447fffef50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c447fffef60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c447fffef70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c447fffef80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==538528==ABORTING
----------SERVER LOG END-------------
 
 

Version: '11.1.3-MariaDB-debug-log' 
mariadbd: /11.1/sql/handler.cc:3602: int handler::ha_rnd_next(uchar*): Assertion `table_share->tmp_table != NO_TMP_TABLE || m_lock_type != 2' failed.
231107 18:25:24 [ERROR] mysqld got signal 6 ;
 
Server version: 11.1.3-MariaDB-debug-log source revision: 5d3e14d780a227d87ea2831481958ac4d5bbd905
 
/lib/x86_64-linux-gnu/libc.so.6(+0x33fd6)[0x7ff264ba1fd6]
sql/handler.cc:3604(handler::ha_rnd_next(unsigned char*))[0x55fa0fc12c92]
sql/handler.cc:3867(handler::read_first_row(unsigned char*, unsigned int))[0x55fa0fc15ec9]
sql/sql_class.h:7589(handler::ha_read_first_row(unsigned char*, unsigned int))[0x55fa0f8e3d6b]
sql/sql_select.cc:24052(join_read_system(st_join_table*))[0x55fa0f8c567d]
sql/sql_select.cc:23956(join_read_const_table(THD*, st_join_table*, POSITION*))[0x55fa0f8c520e]
sql/sql_select.cc:5723(make_join_statistics(JOIN*, List<TABLE_LIST>&, st_dynamic_array*))[0x55fa0f892506]
sql/sql_select.cc:2620(JOIN::optimize_inner())[0x55fa0f8874ec]
sql/sql_select.cc:1944(JOIN::optimize())[0x55fa0f884cd6]
sql/item_subselect.cc:4075(subselect_single_select_engine::exec())[0x55fa0fd2660d]
sql/item_subselect.cc:812(Item_subselect::exec())[0x55fa0fd190e9]
sql/item_subselect.cc:1462(Item_singlerow_subselect::val_int())[0x55fa0fd1b292]
sql/sql_type.cc:4272(Type_handler_int_result::Item_update_null_value(Item*) const)[0x55fa0fae64e5]
sql/item.h:2082(Item::update_null_value())[0x55fa0f68cd06]
sql/item_subselect.h:191(Item_subselect::is_null())[0x55fa0fd2e71e]
sql/item_row.cc:60(Item_row::fix_fields(THD*, Item**))[0x55fa0fcd6a4c]
sql/item.h:1150(Item::fix_fields_if_needed(THD*, Item**))[0x55fa0f6eb3ea]
sql/item_func.cc:349(Item_func::fix_fields(THD*, Item**))[0x55fa0fc96aae]
sql/item.h:1150(Item::fix_fields_if_needed(THD*, Item**))[0x55fa0f6eb3ea]
sql/item.h:1159(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55fa0f6eb423]
sql/item.h:1164(Item::fix_fields_if_needed_for_bool(THD*, Item**))[0x55fa0f777ed5]
sql/sql_select.cc:1589(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55fa0f883661]
sql/item_subselect.cc:3943(subselect_single_select_engine::prepare(THD*))[0x55fa0fd25f25]
sql/item_subselect.cc:296(Item_subselect::fix_fields(THD*, Item**))[0x55fa0fd179b2]
sql/item.h:1150(Item::fix_fields_if_needed(THD*, Item**))[0x55fa0f6eb3ea]
sql/item.h:1159(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55fa0f6eb423]
sql/item.h:1164(Item::fix_fields_if_needed_for_bool(THD*, Item**))[0x55fa0f777ed5]
sql/sql_base.cc:8903(setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**))[0x55fa0f774247]
sql/sql_select.cc:930(setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*))[0x55fa0f8801a6]
sql/sql_select.cc:1532(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55fa0f883295]
sql/item_subselect.cc:3943(subselect_single_select_engine::prepare(THD*))[0x55fa0fd25f25]
sql/item_subselect.cc:296(Item_subselect::fix_fields(THD*, Item**))[0x55fa0fd179b2]
sql/item.h:1150(Item::fix_fields_if_needed(THD*, Item**))[0x55fa0f6eb3ea]
sql/item_func.cc:349(Item_func::fix_fields(THD*, Item**))[0x55fa0fc96aae]
sql/item.h:1150(Item::fix_fields_if_needed(THD*, Item**))[0x55fa0f6eb3ea]
sql/item_func.cc:349(Item_func::fix_fields(THD*, Item**))[0x55fa0fc96aae]
sql/item.h:1150(Item::fix_fields_if_needed(THD*, Item**))[0x55fa0f6eb3ea]
sql/item_func.cc:349(Item_func::fix_fields(THD*, Item**))[0x55fa0fc96aae]
sql/item.h:1150(Item::fix_fields_if_needed(THD*, Item**))[0x55fa0f6eb3ea]
sql/item.h:1159(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55fa0f6eb423]
sql/item.h:1164(Item::fix_fields_if_needed_for_bool(THD*, Item**))[0x55fa0f777ed5]
sql/item_cmpfunc.cc:5039(Item_cond::fix_fields(THD*, Item**))[0x55fa0fc6a58a]
sql/item.h:1150(Item::fix_fields_if_needed(THD*, Item**))[0x55fa0f6eb3ea]
sql/item_func.cc:349(Item_func::fix_fields(THD*, Item**))[0x55fa0fc96aae]
sql/item.h:1150(Item::fix_fields_if_needed(THD*, Item**))[0x55fa0f6eb3ea]
sql/item.h:1159(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55fa0f6eb423]
sql/item.h:1168(Item::fix_fields_if_needed_for_order_by(THD*, Item**))[0x55fa0f8e14dd]
sql/sql_select.cc:27607(find_order_in_list(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, st_order*, List<Item>&, List<Item>&, bool, bool, bool))[0x55fa0f8ceae4]
sql/sql_select.cc:27654(setup_order(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, st_order*, bool))[0x55fa0f8cecc1]
sql/sql_select.cc:939(setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*))[0x55fa0f88023c]
sql/sql_select.cc:1532(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55fa0f883295]
sql/sql_update.cc:3006(Sql_cmd_update::prepare_inner(THD*))[0x55fa0f988440]
sql/sql_select.cc:33354(Sql_cmd_dml::prepare(THD*))[0x55fa0f8dec94]
sql/sql_select.cc:33407(Sql_cmd_dml::execute(THD*))[0x55fa0f8dee25]
sql/sql_parse.cc:4405(mysql_execute_command(THD*, bool))[0x55fa0f81ef16]
sql/sql_parse.cc:7782(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55fa0f82a3a8]
sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55fa0f817747]
sql/sql_parse.cc:1405(do_command(THD*, bool))[0x55fa0f8160fb]
sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x55fa0fa0231d]
sql/sql_connect.cc:1320(handle_one_connection)[0x55fa0fa02079]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55fa0ff21d51]
nptl/pthread_create.c:478(start_thread)[0x7ff2650bc609]
 
Query (0x7ff230015600): UPDATE x SET x = 1 WHERE x = 1 ORDER BY 'x' / ( ( WITH RECURSIVE x ( x ) AS ( SELECT 1 UNION SELECT 1 - x FROM x WINDOW x AS ( PARTITION BY x ORDER BY ( WITH x AS ( SELECT * FROM x WHERE NOT EXISTS ( WITH RECURSIVE x ( x ) AS ( SELECT 1 INTERSECT SELECT x + 1 FROM x GROUP BY 'x' , 'x' , x + x ) SELECT x AS x FROM x ORDER BY x LIMIT 1 OFFSET 1 ) ) SELECT * FROM x WHERE x <= 1 GROUP BY x HAVING x > 'x' ) IS NOT NULL DESC ) ) SELECT 1 WHERE x != 'x' ) AND x = 1 ) / ( - 1.000000 >= ( SELECT x NOT LIKE 'x' FROM x WHERE ( SELECT x FROM x WHERE NULL = x GROUP BY x HAVING ( ( SELECT 1 FROM x GROUP BY ( x OR - 1.000000 >= ( SELECT x NOT LIKE 'x' FROM x WHERE ( SELECT x FROM x WHERE NULL = x ) GROUP BY 1.000000 / x = ( SELECT x + 'x' AS x FROM x WHERE x = x ) HAVING x WINDOW x AS ( ORDER BY x DESC ) ) IS NOT NULL = 1 ) BETWEEN 1 AND 1 ) , x ) > ( 'x' , 'x' ) ) ) IS NOT NULL = 1 AND x = 1 ) , x

Comment by Alice Sherepa [ 2023-12-04 ]

Please also check the test case from MDEV-32706:

-- Second reproducer, taken from MDEV-32706 (linked above as a duplicate of
-- this issue). Keep it verbatim: as in the first test case every identifier
-- is `x` and the statement is a crash reproducer, not production SQL.
-- Differences from the first case: the column is INT UNIQUE rather than
-- VARCHAR(1), and the recursive CTEs and window spec sit inside the WHERE
-- clause of the UPDATE instead of its ORDER BY.
-- NOTE(review): no trace is attached for this variant here; whether it
-- reaches the same assertion as MDEV-32707 is to be confirmed when testing.
CREATE TABLE x ( x INT UNIQUE ) ;
INSERT INTO x ( x ) VALUES ( 1 ) ;
UPDATE x SET x = 1 WHERE ( SELECT x AS x FROM x AS x WHERE x BETWEEN ( SELECT x AS x FROM x AS x GROUP BY x HAVING x ORDER BY 1 DESC ) AND 1 GROUP BY x HAVING x ) IN ( SELECT DISTINCT x WHERE x BETWEEN ( SELECT x AS x FROM x AS x GROUP BY x HAVING ( SELECT 1 FROM ( SELECT x FROM x WHERE x IN ( WITH RECURSIVE x ( x ) AS ( SELECT 1 INTERSECT SELECT x + 1 FROM x ) SELECT x WHERE x OR x GROUP BY x HAVING ( 1 = 1 AND x = 1 ) ) GROUP BY x , x HAVING ( 1 = 1 AND ( ( SELECT ( NOT ( ( SELECT 1 WHERE x != ( SELECT 1 FROM x WHERE x OR x = ( WITH RECURSIVE x ( x ) AS ( SELECT 1 INTERSECT SELECT x + 1 FROM ( WITH x AS ( SELECT DISTINCT x FROM x WHERE x BETWEEN ( SELECT 'x' / 1.000000 IS NOT NULL > x AS x ) AND 1 OR x BETWEEN 'x' AND 'x' ) SELECT x FROM x UNION SELECT x FROM x ) AS x ) SELECT x WHERE x > 1 OR x > 1 OR ( x = 1 AND ( x = x OR x = x ) ) OR ( x = 1 AND x = 1 ) ) ) ) ) ) WHERE x = x ) ) = 1 ) WINDOW x AS ( PARTITION BY x ORDER BY ( x , x ) NOT IN ( SELECT 'x' , x FROM x WHERE x > 1 ) DESC ) UNION SELECT x FROM x ) AS x WHERE 'x' = x OR x = x ) ) AND 1 ) ORDER BY x , x DESC ;
