Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-15573

Server crashes in Item_func::print_op upon execution of PS

Details

    Description

      Note: this is a spin-off of MDEV-15492.

      --source include/have_innodb.inc
      		 
       
      		 
      SET @qcs.save= @@global.query_cache_size, @qct.save= @@global.query_cache_type;
      		 
      SET GLOBAL query_cache_size= 512*1024*1024, query_cache_type= ON;
      		 
       
      		 
      --connect (con1,localhost,root,,test)
      		 
      CREATE TABLE t1 (a INT) ENGINE=InnoDB;
      		 
      CREATE TABLE t2 (b INT) ENGINE=InnoDB;
      		 
      CREATE VIEW v AS select a from t1 join t2;
      		 
       
      		 
      PREPARE stmt FROM "SELECT * FROM t1 WHERE a in (SELECT a FROM v)";
      		 
       
      		 
      --connect (con2,localhost,root,,test)
      		 
      PREPARE stmt FROM "SELECT * FROM t1 WHERE a in (SELECT a FROM v)";
      		 
      EXECUTE stmt;
      		 
       
      		 
      --connection con1
      		 
      EXECUTE stmt;
      		 
      INSERT INTO t2 VALUES (0);
      		 
      EXECUTE stmt;
      		 
      START TRANSACTION;
      		 
      EXECUTE stmt;
      		 
       
      		 
      # Cleanup
      		 
      --disconnect con1
      		 
      --disconnect con2
      		 
      --connection default
      		 
      DROP VIEW v;
      		 
      DROP TABLE t1, t2;
      		 
      SET GLOBAL query_cache_size= @qcs.save, query_cache_type= @qct.save;

      5.5 0943b33de3daa

      		 
      #3  <signal handler called>
      		 
      #4  0x000000000080a202 in Item_func::print_op (this=0x7f2d424ef030, str=0x7f2d5237cc80, query_type=QT_ORDINARY) at /data/src/5.5/sql/item_func.cc:496
      		 
      #5  0x00000000007f1db9 in Item_bool_func2::print (this=0x7f2d424ef030, str=0x7f2d5237cc80, query_type=QT_ORDINARY) at /data/src/5.5/sql/item_cmpfunc.h:386
      		 
      #6  0x00000000007ecf84 in Item_cond::print (this=0x7f2d424241a0, str=0x7f2d5237cc80, query_type=QT_ORDINARY) at /data/src/5.5/sql/item_cmpfunc.cc:4702
      		 
      #7  0x00000000007d75b8 in dbug_print_item (item=0x7f2d424241a0) at /data/src/5.5/sql/item.cc:10012
      		 
      #8  0x000000000062eae0 in JOIN::prepare (this=0x7f2d424243b0, rref_pointer_array=0x7f2d424a3ab0, tables_init=0x7f2d424a45e8, wild_num=0, conds_init=0x7f2d424241a0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f2d424a3810, unit_arg=0x7f2d424a3130) at /data/src/5.5/sql/sql_select.cc:642
      		 
      #9  0x000000000063793a in mysql_select (thd=0x7f2d4a210060, rref_pointer_array=0x7f2d424a3ab0, tables=0x7f2d424a45e8, wild_num=0, fields=..., conds=0x7f2d424241a0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2417232640, result=0x7f2d424a7088, unit=0x7f2d424a3130, select_lex=0x7f2d424a3810) at /data/src/5.5/sql/sql_select.cc:3098
      		 
      #10 0x000000000062e19c in handle_select (thd=0x7f2d4a210060, lex=0x7f2d424a3080, result=0x7f2d424a7088, setup_tables_done_option=0) at /data/src/5.5/sql/sql_select.cc:323
      		 
      #11 0x0000000000607632 in execute_sqlcom_select (thd=0x7f2d4a210060, all_tables=0x7f2d424a45e8) at /data/src/5.5/sql/sql_parse.cc:4678
      		 
      #12 0x00000000006009b3 in mysql_execute_command (thd=0x7f2d4a210060) at /data/src/5.5/sql/sql_parse.cc:2224
      		 
      #13 0x00000000006217e9 in Prepared_statement::execute (this=0x7f2d424d9460, expanded_query=0x7f2d5237dd90, open_cursor=false) at /data/src/5.5/sql/sql_prepare.cc:3932
      		 
      #14 0x00000000006208fd in Prepared_statement::execute_loop (this=0x7f2d424d9460, expanded_query=0x7f2d5237dd90, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/5.5/sql/sql_prepare.cc:3591
      		 
      #15 0x000000000061ea1b in mysql_sql_stmt_execute (thd=0x7f2d4a210060) at /data/src/5.5/sql/sql_prepare.cc:2740
      		 
      #16 0x00000000006009e1 in mysql_execute_command (thd=0x7f2d4a210060) at /data/src/5.5/sql/sql_parse.cc:2234
      		 
      #17 0x000000000060a1fe in mysql_parse (thd=0x7f2d4a210060, rawbuf=0x7f2d42424078 "EXECUTE stmt", length=12, parser_state=0x7f2d5237e640) at /data/src/5.5/sql/sql_parse.cc:5923
      		 
      #18 0x00000000005fdf13 in dispatch_command (command=COM_QUERY, thd=0x7f2d4a210060, packet=0x7f2d4a215061 "EXECUTE stmt", packet_length=12) at /data/src/5.5/sql/sql_parse.cc:1066
      		 
      #19 0x00000000005fd105 in do_command (thd=0x7f2d4a210060) at /data/src/5.5/sql/sql_parse.cc:793
      		 
      #20 0x000000000070024f in do_handle_one_connection (thd_arg=0x7f2d4a210060) at /data/src/5.5/sql/sql_connect.cc:1268
      		 
      #21 0x00000000006fffdc in handle_one_connection (arg=0x7f2d4a210060) at /data/src/5.5/sql/sql_connect.cc:1184
      		 
      #22 0x0000000000a0e071 in pfs_spawn_thread (arg=0x7f2d4a392b60) at /data/src/5.5/storage/perfschema/pfs.cc:1015
      		 
      #23 0x00007f2d52004494 in start_thread (arg=0x7f2d5237f700) at pthread_create.c:333
      		 
      #24 0x00007f2d50a1a93f in clone () from /lib/x86_64-linux-gnu/libc.so.6

      10.1 1bec0c45954

      		 
      ==12743==ERROR: AddressSanitizer: use-after-poison on address 0x62b000016738 at pc 0x55a800de7fb2 bp 0x7f06db921e30 sp 0x7f06db921e28
      		 
      READ of size 8 at 0x62b000016738 thread T24
      		 
          #0 0x55a800de7fb1 in Item_func::print_op(String*, enum_query_type) /data/src/10.1/sql/item_func.cc:481
      		 
          #1 0x55a800d6c332 in Item_bool_rowready_func2::print(String*, enum_query_type) /data/src/10.1/sql/item_cmpfunc.h:470
      		 
          #2 0x55a800d446c4 in Item_cond::print(String*, enum_query_type) /data/src/10.1/sql/item_cmpfunc.cc:4957
      		 
          #3 0x55a800d16b89 in dbug_print_item(Item*) /data/src/10.1/sql/item.cc:9926
      		 
          #4 0x55a8008708e1 in JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.1/sql/sql_select.cc:716
      		 
          #5 0x55a80089cba3 in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_0x62b000016738 is located 5432 bytes inside of 24716-byte region [0x62b000015200,0x62b00001b28c)
      		 
      allocated by thread T24 here:
      		 
          #0 0x7f06e401773f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
      		 
          #1 0x55a801ae7ef2 in sf_malloc /data/src/10.1/mysys/safemalloc.c:115
      		 
          #2 0x55a801be0d1a (/data/bld/10.1-asan/bin/mysqld+0x1d93d1a)

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-15492 Subquery crash similar to MDEV-10050

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Activity

            sanja Oleksandr Byelkin added a comment -

            Duplicate of :
            f3994b74327eef37fa6010368f7f8db044cf70f8 is the first bad commit
            commit f3994b74327eef37fa6010368f7f8db044cf70f8
            Author: Oleksandr Byelkin <sanja@mariadb.com>
            Date: Wed Mar 21 12:13:37 2018 +0100

            MDEV-15492: Subquery crash similar to MDEV-10050

            Detection of first execution of PS fixed.
            More debug info.

            sanja Oleksandr Byelkin added a comment - Duplicate of : f3994b74327eef37fa6010368f7f8db044cf70f8 is the first bad commit commit f3994b74327eef37fa6010368f7f8db044cf70f8 Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Wed Mar 21 12:13:37 2018 +0100 MDEV-15492 : Subquery crash similar to MDEV-10050 Detection of first execution of PS fixed. More debug info.

            People

              sanja Oleksandr Byelkin
              elenst Elena Stepanova
              Votes:
              1 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.