Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-15573

Server crashes in Item_func::print_op upon execution of PS

    XMLWordPrintable

    Details

      Description

      Note: this is a spin-off of MDEV-15492.

      --source include/have_innodb.inc
       
      SET @qcs.save= @@global.query_cache_size, @qct.save= @@global.query_cache_type;
      SET GLOBAL query_cache_size= 512*1024*1024, query_cache_type= ON;
       
      --connect (con1,localhost,root,,test)
      CREATE TABLE t1 (a INT) ENGINE=InnoDB;
      CREATE TABLE t2 (b INT) ENGINE=InnoDB;
      CREATE VIEW v AS select a from t1 join t2;
       
      PREPARE stmt FROM "SELECT * FROM t1 WHERE a in (SELECT a FROM v)";
       
      --connect (con2,localhost,root,,test)
      PREPARE stmt FROM "SELECT * FROM t1 WHERE a in (SELECT a FROM v)";
      EXECUTE stmt;
       
      --connection con1
      EXECUTE stmt;
      INSERT INTO t2 VALUES (0);
      EXECUTE stmt;
      START TRANSACTION;
      EXECUTE stmt;
       
      # Cleanup
      --disconnect con1
      --disconnect con2
      --connection default
      DROP VIEW v;
      DROP TABLE t1, t2;
      SET GLOBAL query_cache_size= @qcs.save, query_cache_type= @qct.save;
      

      5.5 0943b33de3daa

      #3  <signal handler called>
      #4  0x000000000080a202 in Item_func::print_op (this=0x7f2d424ef030, str=0x7f2d5237cc80, query_type=QT_ORDINARY) at /data/src/5.5/sql/item_func.cc:496
      #5  0x00000000007f1db9 in Item_bool_func2::print (this=0x7f2d424ef030, str=0x7f2d5237cc80, query_type=QT_ORDINARY) at /data/src/5.5/sql/item_cmpfunc.h:386
      #6  0x00000000007ecf84 in Item_cond::print (this=0x7f2d424241a0, str=0x7f2d5237cc80, query_type=QT_ORDINARY) at /data/src/5.5/sql/item_cmpfunc.cc:4702
      #7  0x00000000007d75b8 in dbug_print_item (item=0x7f2d424241a0) at /data/src/5.5/sql/item.cc:10012
      #8  0x000000000062eae0 in JOIN::prepare (this=0x7f2d424243b0, rref_pointer_array=0x7f2d424a3ab0, tables_init=0x7f2d424a45e8, wild_num=0, conds_init=0x7f2d424241a0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f2d424a3810, unit_arg=0x7f2d424a3130) at /data/src/5.5/sql/sql_select.cc:642
      #9  0x000000000063793a in mysql_select (thd=0x7f2d4a210060, rref_pointer_array=0x7f2d424a3ab0, tables=0x7f2d424a45e8, wild_num=0, fields=..., conds=0x7f2d424241a0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2417232640, result=0x7f2d424a7088, unit=0x7f2d424a3130, select_lex=0x7f2d424a3810) at /data/src/5.5/sql/sql_select.cc:3098
      #10 0x000000000062e19c in handle_select (thd=0x7f2d4a210060, lex=0x7f2d424a3080, result=0x7f2d424a7088, setup_tables_done_option=0) at /data/src/5.5/sql/sql_select.cc:323
      #11 0x0000000000607632 in execute_sqlcom_select (thd=0x7f2d4a210060, all_tables=0x7f2d424a45e8) at /data/src/5.5/sql/sql_parse.cc:4678
      #12 0x00000000006009b3 in mysql_execute_command (thd=0x7f2d4a210060) at /data/src/5.5/sql/sql_parse.cc:2224
      #13 0x00000000006217e9 in Prepared_statement::execute (this=0x7f2d424d9460, expanded_query=0x7f2d5237dd90, open_cursor=false) at /data/src/5.5/sql/sql_prepare.cc:3932
      #14 0x00000000006208fd in Prepared_statement::execute_loop (this=0x7f2d424d9460, expanded_query=0x7f2d5237dd90, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/5.5/sql/sql_prepare.cc:3591
      #15 0x000000000061ea1b in mysql_sql_stmt_execute (thd=0x7f2d4a210060) at /data/src/5.5/sql/sql_prepare.cc:2740
      #16 0x00000000006009e1 in mysql_execute_command (thd=0x7f2d4a210060) at /data/src/5.5/sql/sql_parse.cc:2234
      #17 0x000000000060a1fe in mysql_parse (thd=0x7f2d4a210060, rawbuf=0x7f2d42424078 "EXECUTE stmt", length=12, parser_state=0x7f2d5237e640) at /data/src/5.5/sql/sql_parse.cc:5923
      #18 0x00000000005fdf13 in dispatch_command (command=COM_QUERY, thd=0x7f2d4a210060, packet=0x7f2d4a215061 "EXECUTE stmt", packet_length=12) at /data/src/5.5/sql/sql_parse.cc:1066
      #19 0x00000000005fd105 in do_command (thd=0x7f2d4a210060) at /data/src/5.5/sql/sql_parse.cc:793
      #20 0x000000000070024f in do_handle_one_connection (thd_arg=0x7f2d4a210060) at /data/src/5.5/sql/sql_connect.cc:1268
      #21 0x00000000006fffdc in handle_one_connection (arg=0x7f2d4a210060) at /data/src/5.5/sql/sql_connect.cc:1184
      #22 0x0000000000a0e071 in pfs_spawn_thread (arg=0x7f2d4a392b60) at /data/src/5.5/storage/perfschema/pfs.cc:1015
      #23 0x00007f2d52004494 in start_thread (arg=0x7f2d5237f700) at pthread_create.c:333
      #24 0x00007f2d50a1a93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      10.1 1bec0c45954

      ==12743==ERROR: AddressSanitizer: use-after-poison on address 0x62b000016738 at pc 0x55a800de7fb2 bp 0x7f06db921e30 sp 0x7f06db921e28
      READ of size 8 at 0x62b000016738 thread T24
          #0 0x55a800de7fb1 in Item_func::print_op(String*, enum_query_type) /data/src/10.1/sql/item_func.cc:481
          #1 0x55a800d6c332 in Item_bool_rowready_func2::print(String*, enum_query_type) /data/src/10.1/sql/item_cmpfunc.h:470
          #2 0x55a800d446c4 in Item_cond::print(String*, enum_query_type) /data/src/10.1/sql/item_cmpfunc.cc:4957
          #3 0x55a800d16b89 in dbug_print_item(Item*) /data/src/10.1/sql/item.cc:9926
          #4 0x55a8008708e1 in JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.1/sql/sql_select.cc:716
          #5 0x55a80089cba3 in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_0x62b000016738 is located 5432 bytes inside of 24716-byte region [0x62b000015200,0x62b00001b28c)
      allocated by thread T24 here:
          #0 0x7f06e401773f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x55a801ae7ef2 in sf_malloc /data/src/10.1/mysys/safemalloc.c:115
          #2 0x55a801be0d1a (/data/bld/10.1-asan/bin/mysqld+0x1d93d1a)
      

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                sanja Oleksandr Byelkin
                Reporter:
                elenst Elena Stepanova
              • Votes:
                1 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: