[MDEV-32766] Segmentation fault at /mariadb-11.3.0/sql/sql_select.cc:23373 Created: 2023-11-10  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Optimizer, Server
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2, 11.3.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2

Type: Bug Priority: Major
Reporter: Xin Wen Assignee: Sergei Petrunia
Resolution: Unresolved Votes: 0
Labels: None
Environment:

Ubuntu 20.04


Issue Links:
Relates
relates to MDEV-28505 Server crash in sql/sql_select.cc:198... Closed

 Description   

Run the following statements against a debug build (the reporter's trace below is from 11.3.0; the follow-up comment on this ticket shows the same crash on 10.4 through 11.2):

-- Reproducer for MDEV-32766. Everything before the final statement only builds a
-- small table; the crash is in the last SELECT. A reduced form of the same query
-- is given further down in this ticket's comments.
CREATE TABLE t0 ( c35 INT , c27 INT ) ;
INSERT INTO t0 VALUES ( -68 , 83 ) , ( -86 , -10 ) ;
-- Add a third (nullable) column, then two rows of DEFAULTs; no column declares an
-- explicit default, so these two rows are all NULL.
ALTER TABLE t0 ADD COLUMN c46 INT AFTER c27 ;
INSERT INTO t0 VALUES ( DEFAULT , DEFAULT , DEFAULT ) , ( DEFAULT , DEFAULT , DEFAULT ) ;
-- Crashing statement. It is a parenthesised query expression whose ORDER BY contains
-- a subquery (`= ALL ( SELECT c28 AS c0 FROM t0 )`) that references `c28`, a name
-- that exists only as a select-list alias of the outer query (t0 has no column c28).
-- Per the GDB trace, the outer filesort evaluates the ORDER BY item
-- (make_sort_key_part -> Item_func_xor -> Item_in_subselect::val_bool), which runs
-- the subquery's JOIN::exec, and sub_select() faults at sql_select.cc:23373.
-- Keep the statement byte-for-byte: it is fuzzer-generated and the surrounding
-- arithmetic (TRIM/SIN/COS, XOR, = 123, LIMIT) carries no other meaning.
( SELECT c35 AS c28 FROM t0 LIMIT 47 ) ORDER BY TRIM( -26 ) ^ SIN ( 68 ) = ALL ( SELECT c28 AS c0 FROM t0 ) XOR ( -101 = COS ( -46 ) ) = 123 LIMIT 75 ;

This triggers a segmentation fault (signal 11) in the server process, i.e. the whole mysqld instance goes down. Note the impact: the crashing statement is a plain SELECT, so it appears that any authenticated user with SELECT privilege on a suitable table can take the server down (denial of service) until this is fixed.
GDB backtrace from the 11.3.0 debug build (innermost frame first):
#0 0x000055555735f6a6 in sub_select (join=0x629000192c60, join_tab=0x62900019a2a8, end_of_records=false) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23373
#1 0x000055555735dadd in do_select (join=0x629000192c60, procedure=0x0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
#2 0x00005555572dbfe9 in JOIN::exec_inner (this=0x629000192c60) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
#3 0x00005555572d93a0 in JOIN::exec (this=0x629000192c60) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
#4 0x0000555557dce72f in subselect_single_select_engine::exec (this=0x6290000f87d8) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159
#5 0x0000555557da9c85 in Item_subselect::exec (this=0x6290000f8588) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812
#6 0x0000555557dab291 in Item_in_subselect::exec (this=0x6290000f8588) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:994
#7 0x0000555557db650f in Item_in_subselect::val_bool (this=0x6290000f8588) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1991
#8 0x0000555556e14cd4 in Item::val_bool_result (this=0x6290000f8588) at /home/wx/mariadb-11.3.0/sql/item.h:1797
#9 0x0000555557bf3f02 in Item_in_optimizer::val_int (this=0x629000193480) at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1664
#10 0x00005555578b4b6e in Type_handler_int_result::Item_val_bool (this=0x55555b7b68c0 <type_handler_bool>, item=0x629000193480) at /home/wx/mariadb-11.3.0/sql/sql_type.cc:5082
#11 0x0000555556e147f6 in Item::val_bool (this=0x629000193480) at /home/wx/mariadb-11.3.0/sql/item.h:1701
#12 0x0000555557be2e79 in Item_func_not_all::val_int (this=0x6290000f8820) at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:222
#13 0x0000555557c208c3 in Item_func_xor::val_int (this=0x6290000f9050) at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:6497
#14 0x0000555556e14b78 in Item::val_int_result (this=0x6290000f9050) at /home/wx/mariadb-11.3.0/sql/item.h:1793
#15 0x0000555557b00dff in Type_handler_int_result::make_sort_key_part (this=0x55555b7b68c0 <type_handler_bool>, to=0x61d000275708 '\276' <repeats 200 times>..., item=0x6290000f9050, sort_field=0x62900019dd40, tmp_buffer=0x7fffd162a158) at /home/wx/mariadb-11.3.0/sql/filesort.cc:1245
#16 0x0000555557b0cd2d in make_sortkey (param=0x7fffd162a0e0, to=0x61d000275708 '\276' <repeats 200 times>...) at /home/wx/mariadb-11.3.0/sql/filesort.cc:2954
#17 0x0000555557b02449 in make_sortkey (param=0x7fffd162a0e0, to=0x61d000275708 '\276' <repeats 200 times>..., ref_pos=0x61a000212c38 "\210\b", using_packed_sortkeys=false) at /home/wx/mariadb-11.3.0/sql/filesort.cc:1414
#18 0x0000555557b10435 in Bounded_queue<unsigned char, unsigned char>::push (this=0x7fffd162a070, element=0x61a000212c38 "\210\b") at /home/wx/mariadb-11.3.0/sql/bounded_queue.h:189
#19 0x0000555557aff7b4 in find_all_keys (thd=0x62c0001e0288, param=0x7fffd162a0e0, select=0x62900019d3b8, fs_info=0x615000154d00, buffpek_pointers=0x7fffd162a3e0, tempfile=0x7fffd162a230, pq=0x7fffd162a070, found_rows=0x615000154ef0) at /home/wx/mariadb-11.3.0/sql/filesort.cc:1015
#20 0x0000555557afab66 in filesort (thd=0x62c0001e0288, table=0x620000023128, filesort=0x6290001991a0, tracker=0x62900019dc90, join=0x6290001918e0, first_table_bit=1) at /home/wx/mariadb-11.3.0/sql/filesort.cc:408
#21 0x00005555573791c3 in create_sort_index (thd=0x62c0001e0288, join=0x6290001918e0, tab=0x62900019c438, fsort=0x6290001991a0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:26843
#22 0x00005555573677dd in st_join_table::sort_table (this=0x62900019c438) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:24485
#23 0x0000555557366bdc in join_init_read_record (tab=0x62900019c438) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:24405
#24 0x0000555557360006 in sub_select (join=0x6290001918e0, join_tab=0x62900019c438, end_of_records=false) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23441
#25 0x000055555735dadd in do_select (join=0x6290001918e0, procedure=0x0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
#26 0x00005555572dbfe9 in JOIN::exec_inner (this=0x6290001918e0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
#27 0x00005555572d93a0 in JOIN::exec (this=0x6290001918e0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
#28 0x00005555572ddbab in mysql_select (thd=0x62c0001e0288, tables=0x6290001908d8, fields=..., conds=0x0, og_num=1, order=0x6290000f9130, group=0x0, having=0x0, proc_param=0x0, select_options=2165049856, result=0x6290001918b0, unit=0x62c0001e46d8, select_lex=0x6290001902a8) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249
#29 0x00005555572ad18a in handle_select (thd=0x62c0001e0288, lex=0x62c0001e45f8, result=0x6290001918b0, setup_tables_done_option=0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:628
#30 0x00005555571ce583 in execute_sqlcom_select (thd=0x62c0001e0288, all_tables=0x6290001908d8) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013
#31 0x00005555571becf6 in mysql_execute_command (thd=0x62c0001e0288, is_called_from_prepared_stmt=false) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912
#32 0x00005555571d95e2 in mysql_parse (thd=0x62c0001e0288, rawbuf=0x6290000f52a8 "( SELECT c35 AS c28 FROM t0 LIMIT 47 ) ORDER BY TRIM( -26 ) ^ SIN ( 68 ) = ALL ( SELECT c28 AS c0 FROM t0 ) XOR ( -101 = COS ( -46 ) ) = 123 LIMIT 75", length=149, parser_state=0x7fffd162c870) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
#33 0x00005555571b1237 in dispatch_command (command=COM_QUERY, thd=0x62c0001e0288, packet=0x6290000fa289 "", packet_length=152, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893
#34 0x00005555571adf7c in do_command (thd=0x62c0001e0288, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
#35 0x000055555768e557 in do_handle_one_connection (connect=0x61100004c108, put_in_cache=true) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
#36 0x000055555768deb4 in handle_one_connection (arg=0x61100004bfc8) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
#37 0x00005555582fa350 in pfs_spawn_thread (arg=0x618000005108) at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
#38 0x00007ffff7115609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#39 0x00007ffff6ce8133 in clone () from /lib/x86_64-linux-gnu/libc.so.6



 Comments   
Comment by Alice Sherepa [ 2023-11-10 ]

Thanks! I reproduced this on 10.4 through 11.2.

231110 10:37:34 [ERROR] mysqld got signal 11 ;
 
Server version: 10.4.32-MariaDB-debug-log source revision: 62d80652be7c19f4ad2bf68d6ffbb4e1eb1d77ea
 
sql/signal_handler.cc:235(handle_fatal_signal)[0x55d7166a51e9]
sigaction.c:0(__restore_rt)[0x7fe817a16420]
sql/sql_select.cc:20862(sub_select(JOIN*, st_join_table*, bool))[0x55d71602fa25]
sql/sql_select.cc:20443(do_select(JOIN*, Procedure*))[0x55d71602e08c]
sql/sql_select.cc:4625(JOIN::exec_inner())[0x55d715fbbbd4]
sql/sql_select.cc:4408(JOIN::exec())[0x55d715fb9204]
sql/item_subselect.cc:4035(subselect_single_select_engine::exec())[0x55d71690132a]
sql/item_subselect.cc:758(Item_subselect::exec())[0x55d7168dc392]
sql/item_subselect.cc:938(Item_in_subselect::exec())[0x55d7168dd996]
sql/item_subselect.cc:1886(Item_in_subselect::val_bool())[0x55d7168e8f71]
sql/item.h:1562(Item::val_bool_result())[0x55d715c1d952]
sql/item_cmpfunc.cc:1673(Item_in_optimizer::val_int())[0x55d71677f8f8]
sql/sql_type.cc:4638(Type_handler_int_result::Item_val_bool(Item*) const)[0x55d71646792c]
sql/item.h:1475(Item::val_bool())[0x55d715c1d48a]
sql/item_cmpfunc.cc:219(Item_func_not_all::val_int())[0x55d71676ddba]
sql/item_cmpfunc.cc:6381(Item_func_xor::val_int())[0x55d7167ad4a0]
sql/item.h:1558(Item::val_int_result())[0x55d715c1d7f6]
sql/filesort.cc:1052(Type_handler_int_result::make_sort_key(unsigned char*, Item*, SORT_FIELD_ATTR const*, String*) const)[0x55d71669a434]
sql/filesort.cc:1207(make_sortkey(Sort_param*, unsigned char*, unsigned char*))[0x55d71669bb80]
sql/filesort.cc:849(find_all_keys(THD*, Sort_param*, SQL_SELECT*, SORT_INFO*, st_io_cache*, st_io_cache*, Bounded_queue<unsigned char, unsigned char>*, unsigned long long*))[0x55d716698eae]
sql/filesort.cc:262(filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long))[0x55d7166947a5]
sql/sql_select.cc:24246(create_sort_index(THD*, JOIN*, st_join_table*, Filesort*))[0x55d7160490f1]
sql/sql_select.cc:21910(st_join_table::sort_table())[0x55d71603750f]
sql/sql_select.cc:21849(join_init_read_record(st_join_table*))[0x55d716036a11]
sql/sql_select.cc:20919(sub_select(JOIN*, st_join_table*, bool))[0x55d71603012a]
sql/sql_select.cc:20443(do_select(JOIN*, Procedure*))[0x55d71602e08c]
sql/sql_select.cc:4625(JOIN::exec_inner())[0x55d715fbbbd4]
sql/sql_select.cc:4408(JOIN::exec())[0x55d715fb9204]
sql/sql_select.cc:4848(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55d715fbd3e0]
sql/sql_select.cc:442(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55d715f8dc56]
sql/sql_parse.cc:6475(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55d715ef4c5c]
sql/sql_parse.cc:3978(mysql_execute_command(THD*))[0x55d715ee23d3]
sql/sql_parse.cc:8014(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55d715efe1d7]
sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55d715ed4563]
sql/sql_parse.cc:1378(do_command(THD*))[0x55d715ed108e]
sql/sql_connect.cc:1419(do_handle_one_connection(CONNECT*))[0x55d7162e567e]
sql/sql_connect.cc:1324(handle_one_connection)[0x55d7162e4f22]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55d716f82bb0]
nptl/pthread_create.c:478(start_thread)[0x7fe817a0a609]
 
Query (0x62b0000a1290): ( SELECT c35 AS c28 FROM t0 LIMIT 47 ) ORDER BY TRIM( -26 ) ^ SIN ( 68 ) = ALL ( SELECT c28 AS c0 FROM t0 ) XOR ( -101 = COS ( -46 ) ) = 123 LIMIT 75

-- Reduced reproducer (the server log that follows is from 10.11.6, dated 231117):
-- the same query shape as the original report with the fuzzer noise removed.
CREATE TABLE t0 (a int) ;
INSERT INTO `t0` VALUES (1),(2),(3);

-- The scalar subquery in ORDER BY references `c28`, which exists only as an alias
-- in the outer select list (t0 has no column c28). The trace below shows the fault
-- while filesort evaluates that subquery
-- (make_sort_key_part -> Item_singlerow_subselect::val_int -> JOIN::exec -> sub_select).
( SELECT a c28 FROM t0 LIMIT 5 ) ORDER BY  ( SELECT c28 FROM t0 limit 1);

Version: '10.11.6-MariaDB'  
231117 15:54:46 [ERROR] mysqld got signal 11 ;
 
Server version: 10.11.6-MariaDB source revision: fecd78b83785d5ae96f2c6ff340375be803cd299
 
sql/signal_handler.cc:238(handle_fatal_signal)[0x5639d64870a7]
sigaction.c:0(__restore_rt)[0x7fd633bd0420]
sql/sql_select.cc:22204(sub_select(JOIN*, st_join_table*, bool))[0x5639d627e4e3]
sql/sql_select.cc:21792(JOIN::exec_inner())[0x5639d62aebb7]
sql/sql_select.cc:4664(JOIN::exec())[0x5639d62aeef3]
sql/item_subselect.cc:4127(subselect_single_select_engine::exec())[0x5639d65570a6]
sql/item_subselect.cc:816(Item_subselect::exec())[0x5639d65555ea]
sql/item_subselect.cc:1479(Item_singlerow_subselect::val_int())[0x5639d655617e]
sql/item.h:800(Type_handler_int_result::make_sort_key_part(unsigned char*, Item*, SORT_FIELD_ATTR const*, String*) const)[0x5639d64820c2]
sql/filesort.cc:3043(make_sortkey(Sort_param*, unsigned char*, unsigned char*, bool))[0x5639d6483648]
sql/filesort.cc:981(filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long))[0x5639d6485bbd]
sql/sql_select.cc:25707(create_sort_index(THD*, JOIN*, st_join_table*, Filesort*))[0x5639d628a773]
sql/sql_select.cc:23318(st_join_table::sort_table())[0x5639d628aa9e]
sql/sql_select.cc:23255(join_init_read_record(st_join_table*))[0x5639d628ab60]
sql/sql_select.cc:22266(sub_select(JOIN*, st_join_table*, bool))[0x5639d627e312]
sql/sql_select.cc:21792(do_select)[0x5639d62aebb7]
sql/sql_select.cc:4664(JOIN::exec())[0x5639d62aeef3]
sql/sql_select.cc:5145(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x5639d62ad13e]
sql/sql_select.cc:600(handle_select(THD*, LEX*, select_result*, unsigned long long))[0x5639d62ad9a4]
sql/sql_parse.cc:6291(execute_sqlcom_select(THD*, TABLE_LIST*))[0x5639d60d6973]
sql/sql_parse.cc:3961(mysql_execute_command(THD*, bool))[0x5639d623ff98]
sql/sql_parse.cc:8032(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x5639d624237b]
sql/sql_parse.cc:1955(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x5639d62447b0]
sql/sql_parse.cc:1409(do_command(THD*, bool))[0x5639d6245cc3]
sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x5639d63527e7]
sql/sql_connect.cc:1324(handle_one_connection)[0x5639d6352a84]
perfschema/pfs.cc:2204(pfs_spawn_thread)[0x5639d66db21c]
nptl/pthread_create.c:478(start_thread)[0x7fd633bc4609]
 
Query (0x7fd5e40131d0): ( SELECT a c28 FROM t0 LIMIT 5 ) ORDER BY  ( SELECT c28 FROM t0 limit 1)
