[MDEV-32716] Segmentation fault at /mariadb-11.3.0/sql/item.h:5647 Created: 2023-11-07  Updated: 2023-12-04

Status: Confirmed
Project: MariaDB Server
Component/s: Optimizer, Server
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2, 11.3.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2, 11.3

Type: Bug Priority: Major
Reporter: Xin Wen Assignee: Sergei Petrunia
Resolution: Unresolved Votes: 0
Labels: None
Environment:

Ubuntu 20.04



 Description   

Run these queries in a debug build:

-- Reporter's original reproducer for MDEV-32716 (fuzzer-style query).
-- Every identifier -- the base table, its column, the recursive CTE, the
-- derived-table aliases and the window names -- is spelled `x`, so each `x`
-- resolves purely by scope; that is what the crashing statement exercises.
CREATE TABLE x ( x INT ) ;
INSERT INTO x ( x ) VALUES ( 1 ) ;
-- The self-assigning UPDATE and the second INSERT only shape the row set
-- (three rows of 1 in the end); the crash log identifies the WITH RECURSIVE
-- statement below as the query being executed at the time of the fault.
UPDATE x SET x = 1 WHERE x = 1 ;
INSERT INTO x ( x ) VALUES ( 1 ) , ( 1 ) ;
-- Crashing statement. Per the GDB trace in the report, the fault is in
-- Item_ref::type_handler(), reached from Item_ref::check_cols() while
-- Item_cond::fix_fields() runs inside JOIN::optimize_inner() of an IN
-- subquery (Item_in_subselect::optimize via setup_jtbm_semi_joins). That
-- suggests a reference item whose target has not been fixed by the time the
-- optimizer asks for its type -- to be confirmed against the fix.
-- This is a read-only SELECT, so on affected versions a session that can
-- SELECT from the table can presumably take the server down (denial of
-- service); confirm the minimum privilege needed when triaging severity.
-- Keep the statement verbatim: the crash may depend on the exact nesting.
WITH RECURSIVE x ( x ) AS ( SELECT 1.000000 ^ 1.000000 UNION SELECT 1 - x FROM x ) SELECT DISTINCT * FROM x UNION SELECT NOT ( SELECT x FROM ( SELECT 1.000000 ^ 'x' * 1.000000 / 1 ^ x = ( SELECT x FROM x WHERE x IN ( WITH x AS ( WITH x AS ( SELECT * FROM x WHERE x / 1 = x % 1 ) SELECT ( NULL = 1.000000 ) OR ( ( x % 1 ) = 1 ) OR ( x BETWEEN 1 AND 1 ) AS x , x + NULL FROM x WHERE x = CASE x WHEN 'x' THEN 'x' WHEN 1 THEN 'x' ELSE x END WINDOW x AS ( PARTITION BY x ORDER BY x DESC ) ) SELECT x FROM x AS x WHERE ( x = 'x' OR x = 'x' ) AND x IS NOT NULL GROUP BY - 'x' >= x ) UNION SELECT 1 - x FROM x ) AND ( x = CASE WHEN 'x' THEN 'x' ELSE x END ) = 1 FROM x GROUP BY x ) AS x WHERE x = 'x' AND x IN ( SELECT - 1 BETWEEN ( SELECT x FROM x AS x WHERE EXISTS ( SELECT x , x * x FROM x ORDER BY ( x BETWEEN ( SELECT DISTINCT x WHERE x BETWEEN ( WITH x AS ( SELECT * FROM x GROUP BY x HAVING ( 1 NOT IN ( ( x < 1 OR 1 - 1 ) , 1 ) ) WINDOW x AS ( ) ) SELECT x AS x FROM x AS x GROUP BY x HAVING x ) AND 1 ) AND 1 ) , x ) GROUP BY x ORDER BY x * 1 ) AND 1 AS x FROM x WHERE x = 'x' GROUP BY x HAVING x ) ) FROM x WHERE ( x = 1 ) OR ( x = 1 ) OR ( x BETWEEN 1 AND 1 ) OR ( x = 1 ) OR ( x BETWEEN 1 AND 1 ) OR 1 OR ( 1 IN ( 1 , 1 ) ) OR ( x BETWEEN 1 AND 1 ) OR ( x = 1 ) OR ( x + 1 = ( SELECT DISTINCT x IS NULL FROM x ) OR x > 1 OR ( x = 1 AND ( x = x OR x = x ) ) ) OR ( x = 1 ) GROUP BY x , x HAVING ( 1 = 1 AND ( FALSE < x ) = 1 ) ORDER BY x + x ;

This will trigger a segmentation fault.
GDB info:
#0 0x00005555570327e2 in Item_ref::type_handler (this=0x62f000017f58) at /home/wx/mariadb-11.3.0/sql/item.h:5647
#1 0x000055555703288f in Item_ref::type_handler (this=0x62f000017a50) at /home/wx/mariadb-11.3.0/sql/item.h:5647
#2 0x0000555556ea63b4 in Item::result_type (this=0x62f000017a50) at /home/wx/mariadb-11.3.0/sql/item.h:1273
#3 0x00005555570342b6 in Item_ref::check_cols (this=0x62f000017a50, c=1) at /home/wx/mariadb-11.3.0/sql/item.h:5749
#4 0x0000555556f040ec in Item::fix_fields_if_needed_for_scalar (this=0x62f000017a50, thd=0x62c0001e0288, ref=0x62f000017a40) at /home/wx/mariadb-11.3.0/sql/item.h:1156
#5 0x0000555557bd0e55 in Item_direct_ref::fix_fields (this=0x62f000017930, thd=0x62c0001e0288, it=0x62f000017da0) at /home/wx/mariadb-11.3.0/sql/item.h:5841
#6 0x0000555556f0404f in Item::fix_fields_if_needed (this=0x62f000017930, thd=0x62c0001e0288, ref=0x62f000017da0) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#7 0x0000555557c6c9f2 in Item_func::fix_fields (this=0x62f000017d20, thd=0x62c0001e0288, ref=0x62f000027218) at /home/wx/mariadb-11.3.0/sql/item_func.cc:349
#8 0x0000555556f0404f in Item::fix_fields_if_needed (this=0x62f000017d20, thd=0x62c0001e0288, ref=0x62f000027218) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#9 0x0000555556f04089 in Item::fix_fields_if_needed_for_scalar (this=0x62f000017d20, thd=0x62c0001e0288, ref=0x62f000027218) at /home/wx/mariadb-11.3.0/sql/item.h:1156
#10 0x000055555703235b in Item::fix_fields_if_needed_for_bool (this=0x62f000017d20, thd=0x62c0001e0288, ref=0x62f000027218) at /home/wx/mariadb-11.3.0/sql/item.h:1160
#11 0x0000555557c13a3b in Item_cond::fix_fields (this=0x62f0000270f0, thd=0x62c0001e0288, ref=0x62f0000027d8) at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:4941
#12 0x00005555572bf966 in JOIN::optimize_inner (this=0x62f0000025c0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:2319
#13 0x00005555572bbba6 in JOIN::optimize (this=0x62f0000025c0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944
#14 0x0000555557daa63f in Item_in_subselect::optimize (this=0x62d00007b240, out_rows=0x7fffd192c1f0, cost=0x7fffd192c210) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:850
#15 0x00005555577bc289 in setup_jtbm_semi_joins (join=0x62d000088a38, join_list=0x62900015f150, eq_list=...) at /home/wx/mariadb-11.3.0/sql/opt_subselect.cc:6593
#16 0x00005555572c0b41 in JOIN::optimize_inner (this=0x62d000088a38) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:2403
#17 0x00005555572bbba6 in JOIN::optimize (this=0x62d000088a38) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944
#18 0x0000555557143851 in st_select_lex::optimize_unflattened_subqueries (this=0x62900015eae8, const_only=false) at /home/wx/mariadb-11.3.0/sql/sql_lex.cc:4916
#19 0x00005555577b7509 in JOIN::optimize_unflattened_subqueries (this=0x62d000088208) at /home/wx/mariadb-11.3.0/sql/opt_subselect.cc:5864
#20 0x00005555572c91e7 in JOIN::optimize_stage2 (this=0x62d000088208) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:3229
#21 0x00005555572c2f34 in JOIN::optimize_inner (this=0x62d000088208) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:2650
#22 0x00005555572bbba6 in JOIN::optimize (this=0x62d000088208) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944
#23 0x0000555557527ce3 in st_select_lex_unit::optimize (this=0x62c0001e46d8) at /home/wx/mariadb-11.3.0/sql/sql_union.cc:2262
#24 0x00005555575288de in st_select_lex_unit::exec_inner (this=0x62c0001e46d8) at /home/wx/mariadb-11.3.0/sql/sql_union.cc:2310
#25 0x0000555557528545 in st_select_lex_unit::exec (this=0x62c0001e46d8) at /home/wx/mariadb-11.3.0/sql/sql_union.cc:2292
#26 0x0000555557514186 in mysql_union (thd=0x62c0001e0288, lex=0x62c0001e45f8, result=0x62d0000859e8, unit=0x62c0001e46d8, setup_tables_done_option=0) at /home/wx/mariadb-11.3.0/sql/sql_union.cc:45
#27 0x00005555572acea8 in handle_select (thd=0x62c0001e0288, lex=0x62c0001e45f8, result=0x62d0000859e8, setup_tables_done_option=0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:618
#28 0x00005555571ce583 in execute_sqlcom_select (thd=0x62c0001e0288, all_tables=0x6290000f8ab8) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013
#29 0x00005555571becf6 in mysql_execute_command (thd=0x62c0001e0288, is_called_from_prepared_stmt=false) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912
#30 0x00005555571d95e2 in mysql_parse (thd=0x62c0001e0288, rawbuf=0x6290000f52a8 "WITH RECURSIVE x ( x ) AS ( SELECT 1.000000 ^ 1.000000 UNION SELECT 1 - x FROM x ) SELECT DISTINCT * FROM x UNION SELECT NOT ( SELECT x FROM ( SELECT 1.000000 ^ 'x' * 1.000000 / 1 ^ x = ( SELECT x FRO"..., length=1444, parser_state=0x7fffd192e870) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
#31 0x00005555571b1237 in dispatch_command (command=COM_QUERY, thd=0x62c0001e0288, packet=0x6290000fa289 " WITH RECURSIVE x ( x ) AS ( SELECT 1.000000 ^ 1.000000 UNION SELECT 1 - x FROM x ) SELECT DISTINCT * FROM x UNION SELECT NOT ( SELECT x FROM ( SELECT 1.000000 ^ 'x' * 1.000000 / 1 ^ x = ( SELECT x FR"..., packet_length=1448, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893
#32 0x00005555571adf7c in do_command (thd=0x62c0001e0288, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
#33 0x000055555768e557 in do_handle_one_connection (connect=0x611000065ec8, put_in_cache=true) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
#34 0x000055555768deb4 in handle_one_connection (arg=0x611000065d88) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
#35 0x00005555582fa350 in pfs_spawn_thread (arg=0x618000005508) at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
#36 0x00007ffff7115609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#37 0x00007ffff6ce8133 in clone () from /lib/x86_64-linux-gnu/libc.so.6



 Comments   
Comment by Alice Sherepa [ 2023-11-09 ]

Thanks! I reproduced it as described on 10.4-11.2

Version: '10.4.32-MariaDB-debug-log' 
231109 14:58:37 [ERROR] mysqld got signal 11 ;
 
Server version: 10.4.32-MariaDB-debug-log source revision: 62d80652be7c19f4ad2bf68d6ffbb4e1eb1d77ea
 
sql/item.h:5453(Item_ref::type_handler() const)[0x55f940186d44]
sql/item.h:5453(Item_ref::type_handler() const)[0x55f940186df1]
sql/item.h:1083(Item::result_type() const)[0x55f94004ce36]
sql/item.h:5552(Item_ref::check_cols(unsigned int))[0x55f9401887c8]
sql/item.h:971(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55f94004cdba]
sql/item.h:5651(Item_direct_ref::fix_fields(THD*, Item**))[0x55f940b6c3a1]
sql/item.h:967(Item::fix_fields_if_needed(THD*, Item**))[0x55f94004cd1d]
sql/item_func.cc:365(Item_func::fix_fields(THD*, Item**))[0x55f940c14228]
sql/item.h:967(Item::fix_fields_if_needed(THD*, Item**))[0x55f94004cd1d]
sql/item.h:971(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55f94004cd57]
sql/item.h:976(Item::fix_fields_if_needed_for_bool(THD*, Item**))[0x55f9401852dd]
sql/item_cmpfunc.cc:4854(Item_cond::fix_fields(THD*, Item**))[0x55f940bb1114]
sql/sql_select.cc:2113(JOIN::optimize_inner())[0x55f9403b1420]
sql/sql_select.cc:1731(JOIN::optimize())[0x55f9403ad205]
sql/item_subselect.cc:796(Item_in_subselect::optimize(double*, double*))[0x55f940ceddb1]
sql/opt_subselect.cc:6343(setup_jtbm_semi_joins(JOIN*, List<TABLE_LIST>*, List<Item>&))[0x55f9407fe4d6]
sql/sql_select.cc:2182(JOIN::optimize_inner())[0x55f9403b21be]
sql/sql_select.cc:1731(JOIN::optimize())[0x55f9403ad205]
sql/sql_lex.cc:4337(st_select_lex::optimize_unflattened_subqueries(bool))[0x55f94027e808]
sql/opt_subselect.cc:5611(JOIN::optimize_unflattened_subqueries())[0x55f9407f95c7]
sql/sql_select.cc:2962(JOIN::optimize_stage2())[0x55f9403ba583]
sql/sql_select.cc:2414(JOIN::optimize_inner())[0x55f9403b44fa]
sql/sql_select.cc:1731(JOIN::optimize())[0x55f9403ad205]
sql/sql_union.cc:1490(st_select_lex_unit::optimize())[0x55f9405c27d1]
sql/sql_union.cc:1524(st_select_lex_unit::exec())[0x55f9405c2ff8]
sql/sql_union.cc:42(mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long))[0x55f9405b3928]
sql/sql_select.cc:432(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55f94039e91f]
sql/sql_parse.cc:6475(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55f940305c5c]
sql/sql_parse.cc:3978(mysql_execute_command(THD*))[0x55f9402f33d3]
sql/sql_parse.cc:8014(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55f94030f1d7]
sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55f9402e5563]
sql/sql_parse.cc:1378(do_command(THD*))[0x55f9402e208e]
sql/sql_connect.cc:1419(do_handle_one_connection(CONNECT*))[0x55f9406f667e]
sql/sql_connect.cc:1324(handle_one_connection)[0x55f9406f5f22]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55f941393bb0]
nptl/pthread_create.c:478(start_thread)[0x7f89414f7609]
 
Query (0x62b0000a1290): WITH RECURSIVE x ( x ) AS ( SELECT 1.000000 ^ 1.000000 UNION SELECT 1 - x FROM x ) SELECT DISTINCT * FROM x UNION SELECT NOT ( SELECT x FROM ( SELECT 1.000000 ^ 'x' * 1.000000 / 1 ^ x = ( SELECT x FROM x WHERE x IN ( WITH x AS ( WITH x AS ( SELECT * FROM x WHERE x / 1 = x % 1 ) SELECT ( NULL = 1.000000 ) OR ( ( x % 1 ) = 1 ) OR ( x BETWEEN 1 AND 1 ) AS x , x + NULL FROM x WHERE x = CASE x WHEN 'x' THEN 'x' WHEN 1 THEN 'x' ELSE x END WINDOW x AS ( PARTITION BY x ORDER BY x DESC ) ) SELECT x FROM x AS x WHERE ( x = 'x' OR x = 'x' ) AND x IS NOT NULL GROUP BY - 'x' >= x ) UNION SELECT 1 - x FROM x ) AND ( x = CASE WHEN 'x' THEN 'x' ELSE x END ) = 1 FROM x GROUP BY x ) AS x WHERE x = 'x' AND x IN ( SELECT - 1 BETWEEN ( SELECT x FROM x AS x WHERE EXISTS ( SELECT x , x * x FROM x ORDER BY ( x BETWEEN ( SELECT DISTINCT x WHERE x BETWEEN ( WITH x AS ( SELECT * FROM x GROUP BY x HAVING ( 1 NOT IN ( ( x < 1 OR 1 - 1 ) , 1 ) ) WINDOW x AS ( ) ) SELECT x AS x FROM x AS x GROUP BY x HAVING x ) AND 1 ) AND 1 ) , x ) GROUP BY x ORDER BY x * 1 ) AND 1 AS x FROM x WHERE x = 'x' GROUP BY x HAVING x ) ) FROM x WHERE ( x = 1 ) OR ( x = 1 ) OR ( x BETWEEN 1 AND 1 ) OR ( x = 1 ) OR ( x BETWEEN 1 AND 1 ) OR 1 OR ( 1 IN ( 1 , 1 ) ) OR ( x BETWEEN 1 AND 1 ) OR ( x = 1 ) OR ( x + 1 = ( SELECT DISTINCT x IS NULL FROM x ) OR x > 1 OR ( x = 1 AND ( x = x OR x = x ) ) ) OR ( x = 1 ) GROUP BY x , x HAVING ( 1 = 1 AND ( FALSE < x ) = 1 ) ORDER BY x + x

-- Reduced reproducer (10.4.33-debug). The resulting trace has the same
-- shape as the reporter's: Item_ref::type_handler() <- Item_ref::check_cols()
-- <- Item_direct_ref::fix_fields() <- Item_func::fix_fields() inside
-- JOIN::optimize_inner() for the IN subquery (setup_jtbm_semi_joins), with
-- Item_field::type_handler() as the innermost frame this time.
CREATE TABLE x ( x INT ) ;
INSERT INTO x VALUES ( 1 ) , ( 1 ) , ( 1 ) ;
 
-- Ingredients that survive reduction: a scalar subquery whose FROM is a
-- derived table aliased `x` (its column is also `x`), an IN subquery over
-- the base table `x` with `HAVING x`, and an outer derived table aliased `x`
-- grouped by `x`. The fault occurs inside JOIN::optimize (see trace), i.e.
-- while the optimizer is still fixing items, apparently before any row is
-- compared against `x = 'x'`. Presumably `HAVING x` / `x = 'x'` resolve to
-- an Item_ref chain whose underlying field is not yet fixed -- to confirm.
SELECT  ( SELECT x FROM ( SELECT 5 ) AS x  WHERE x = 'x' AND x IN ( SELECT x FROM x   HAVING x ) ) 
FROM ( SELECT 1 x UNION SELECT 2 ) x 
GROUP BY x  ;

231204 15:42:32 [ERROR] mysqld got signal 11 ;
 
Server version: 10.4.33-MariaDB-debug-log source revision: d8e6bb00888b1f82c031938f4c8ac5d97f6874c3
 
sigaction.c:0(__restore_rt)[0x7f7644249420]
sql/item.h:3449(Item_field::type_handler() const)[0x559d19b48168]
sql/item.h:5453(Item_ref::type_handler() const)[0x559d1916492d]
sql/item.h:1083(Item::result_type() const)[0x559d19029e46]
sql/item.h:5552(Item_ref::check_cols(unsigned int))[0x559d19166304]
sql/item.h:971(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x559d19029dca]
sql/item.h:5651(Item_direct_ref::fix_fields(THD*, Item**))[0x559d19b4b1f5]
sql/item.h:967(Item::fix_fields_if_needed(THD*, Item**))[0x559d19029d2d]
sql/item_func.cc:365(Item_func::fix_fields(THD*, Item**))[0x559d19bf3072]
sql/sql_select.cc:2103(JOIN::optimize_inner())[0x559d1938f56b]
sql/sql_select.cc:1731(JOIN::optimize())[0x559d1938b6a7]
sql/item_subselect.cc:796(Item_in_subselect::optimize(double*, double*))[0x559d19ccce33]
sql/opt_subselect.cc:6343(setup_jtbm_semi_joins(JOIN*, List<TABLE_LIST>*, List<Item>&))[0x559d197dd1e2]
sql/sql_select.cc:2182(JOIN::optimize_inner())[0x559d19390660]
sql/sql_select.cc:1731(JOIN::optimize())[0x559d1938b6a7]
sql/sql_lex.cc:4344(st_select_lex::optimize_unflattened_subqueries(bool))[0x559d1925c6b8]
sql/opt_subselect.cc:5611(JOIN::optimize_unflattened_subqueries())[0x559d197d82d3]
sql/sql_select.cc:2962(JOIN::optimize_stage2())[0x559d19398a25]
sql/sql_select.cc:2414(JOIN::optimize_inner())[0x559d1939299c]
sql/sql_select.cc:1731(JOIN::optimize())[0x559d1938b6a7]
sql/sql_select.cc:4832(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x559d193ac691]
sql/sql_select.cc:442(handle_select(THD*, LEX*, select_result*, unsigned long))[0x559d1937d0f8]
sql/sql_parse.cc:6523(execute_sqlcom_select(THD*, TABLE_LIST*))[0x559d192e40fd]
sql/sql_parse.cc:3980(mysql_execute_command(THD*))[0x559d192d171d]
sql/sql_parse.cc:8062(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x559d192ed679]
sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x559d192c3825]
sql/sql_parse.cc:1378(do_command(THD*))[0x559d192c0350]
sql/sql_connect.cc:1419(do_handle_one_connection(CONNECT*))[0x559d196d5420]
sql/sql_connect.cc:1324(handle_one_connection)[0x559d196d4cc4]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x559d1a3732d4]
nptl/pthread_create.c:478(start_thread)[0x7f764423d609]
 
Query (0x62b000062290): SELECT  ( SELECT x FROM ( SELECT 5 ) AS x  WHERE x = 'x' AND x IN ( SELECT x FROM x   HAVING x ) ) 
FROM ( SELECT 1 x UNION SELECT 2 ) x 
GROUP BY x
