[MDEV-15846] Sever crashed with MEDIAN() window function - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.3(EOL)
Fix Version/s: 10.3.7
Component/s: Optimizer - Window functions
Labels:
None

Description

CREATE TABLE t ( pk int PRIMARY KEY, a1 int, a2 int);

SELECT MEDIAN(`a1`) OVER (),

       MEDIAN(`a2`) OVER (PARTITION BY `pk`)

FROM t;

==19377==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x55dbf0b11383 bp 0x7f4ee8cb6d40 sp 0x7f4ee8cb6d20 T5)

    #0 0x55dbf0b11382 in Item_window_func::check_result_type_of_order_item() /home/alice/git/10.3/sql/item_windowfunc.cc:176

    #1 0x55dbf0442100 in setup_windows(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, List<Window_spec>&, List<Item_window_func>&) /home/alice/git/10.3/sql/sql_window.cc:320

    #2 0x55dbf0058aef in setup_without_group /home/alice/git/10.3/sql/sql_select.cc:670

    #3 0x55dbf005d202 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /home/alice/git/10.3/sql/sql_select.cc:1097

    #4 0x55dbf007a83f in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/alice/git/10.3/sql/sql_select.cc:4130

    #5 0x55dbf005663b in handle_select(THD*, LEX*, select_result*, unsigned long) /home/alice/git/10.3/sql/sql_select.cc:382

    #6 0x55dbeffdd667 in execute_sqlcom_select /home/alice/git/10.3/sql/sql_parse.cc:6535

    #7 0x55dbeffcbc82 in mysql_execute_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:3764

    #8 0x55dbeffe569c in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:7991

    #9 0x55dbeffc0802 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:1841

    #10 0x55dbeffbd9a9 in do_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:1386

    #11 0x55dbf0307eaa in do_handle_one_connection(CONNECT*) /home/alice/git/10.3/sql/sql_connect.cc:1402

    #12 0x55dbf03078b2 in handle_one_connection /home/alice/git/10.3/sql/sql_connect.cc:1308

    #13 0x55dbf0bc0e3a in pfs_spawn_thread /home/alice/git/10.3/storage/perfschema/pfs.cc:1862

    #14 0x7f4ef36316b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

    #15 0x7f4ef2ac641c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

AddressSanitizer can not provide additional info.

SUMMARY: AddressSanitizer: SEGV /home/alice/git/10.3/sql/item_windowfunc.cc:176 Item_window_func::check_result_type_of_order_item()

Thread T5 created by T0 here:

    #0 0x7f4ef40d5253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)

    #1 0x55dbf0bc1227 in spawn_thread_v1 /home/alice/git/10.3/storage/perfschema/pfs.cc:1912

    #2 0x55dbefd48ea6 in inline_mysql_thread_create /home/alice/git/10.3/include/mysql/psi/mysql_thread.h:1268

    #3 0x55dbefd5e0b8 in create_thread_to_handle_connection(CONNECT*) /home/alice/git/10.3/sql/mysqld.cc:6534

    #4 0x55dbefd5e7b8 in create_new_thread /home/alice/git/10.3/sql/mysqld.cc:6604

    #5 0x55dbefd5f7e4 in handle_connections_sockets() /home/alice/git/10.3/sql/mysqld.cc:6879

    #6 0x55dbefd5d57d in mysqld_main(int, char**) /home/alice/git/10.3/sql/mysqld.cc:6156

    #7 0x55dbefd4783f in main /home/alice/git/10.3/sql/main.cc:25

    #8 0x7f4ef29df82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

==19377==ABORTING

----------SERVER LOG END-------------

Attachments

Activity

Ascending order - Click to sort in descending order

Alice Sherepa created issue - 2018-04-11 14:36

Alice Sherepa made changes - 2018-04-11 14:37

Field	Original Value	New Value
Assignee		Varun Gupta [ varun ]

Alice Sherepa made changes - 2018-04-11 14:38

Status

Open [ 1 ]

Confirmed [ 10101 ]

Alice Sherepa made changes - 2018-04-11 14:40

Description

{code:sql}
CREATE TABLE t ( pk int PRIMARY KEY, a1 int NULL , a2 int NULL);

SELECT MEDIAN(`a1`) OVER (),
       MEDIAN(`a2`) OVER (PARTITION BY `pk`)
FROM t;
{code}

{noformat}
==19377==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x55dbf0b11383 bp 0x7f4ee8cb6d40 sp 0x7f4ee8cb6d20 T5)
    #0 0x55dbf0b11382 in Item_window_func::check_result_type_of_order_item() /home/alice/git/10.3/sql/item_windowfunc.cc:176
    #1 0x55dbf0442100 in setup_windows(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, List<Window_spec>&, List<Item_window_func>&) /home/alice/git/10.3/sql/sql_window.cc:320
    #2 0x55dbf0058aef in setup_without_group /home/alice/git/10.3/sql/sql_select.cc:670
    #3 0x55dbf005d202 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /home/alice/git/10.3/sql/sql_select.cc:1097
    #4 0x55dbf007a83f in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/alice/git/10.3/sql/sql_select.cc:4130
    #5 0x55dbf005663b in handle_select(THD*, LEX*, select_result*, unsigned long) /home/alice/git/10.3/sql/sql_select.cc:382
    #6 0x55dbeffdd667 in execute_sqlcom_select /home/alice/git/10.3/sql/sql_parse.cc:6535
    #7 0x55dbeffcbc82 in mysql_execute_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:3764
    #8 0x55dbeffe569c in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:7991
    #9 0x55dbeffc0802 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:1841
    #10 0x55dbeffbd9a9 in do_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:1386
    #11 0x55dbf0307eaa in do_handle_one_connection(CONNECT*) /home/alice/git/10.3/sql/sql_connect.cc:1402
    #12 0x55dbf03078b2 in handle_one_connection /home/alice/git/10.3/sql/sql_connect.cc:1308
    #13 0x55dbf0bc0e3a in pfs_spawn_thread /home/alice/git/10.3/storage/perfschema/pfs.cc:1862
    #14 0x7f4ef36316b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #15 0x7f4ef2ac641c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/alice/git/10.3/sql/item_windowfunc.cc:176 Item_window_func::check_result_type_of_order_item()
Thread T5 created by T0 here:
    #0 0x7f4ef40d5253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x55dbf0bc1227 in spawn_thread_v1 /home/alice/git/10.3/storage/perfschema/pfs.cc:1912
    #2 0x55dbefd48ea6 in inline_mysql_thread_create /home/alice/git/10.3/include/mysql/psi/mysql_thread.h:1268
    #3 0x55dbefd5e0b8 in create_thread_to_handle_connection(CONNECT*) /home/alice/git/10.3/sql/mysqld.cc:6534
    #4 0x55dbefd5e7b8 in create_new_thread /home/alice/git/10.3/sql/mysqld.cc:6604
    #5 0x55dbefd5f7e4 in handle_connections_sockets() /home/alice/git/10.3/sql/mysqld.cc:6879
    #6 0x55dbefd5d57d in mysqld_main(int, char**) /home/alice/git/10.3/sql/mysqld.cc:6156
    #7 0x55dbefd4783f in main /home/alice/git/10.3/sql/main.cc:25
    #8 0x7f4ef29df82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

==19377==ABORTING
----------SERVER LOG END-------------
{noformat}

{code:sql}
CREATE TABLE t ( pk int PRIMARY KEY, a1 int, a2 int);

SELECT MEDIAN(`a1`) OVER (),
       MEDIAN(`a2`) OVER (PARTITION BY `pk`)
FROM t;
{code}

{noformat}
==19377==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x55dbf0b11383 bp 0x7f4ee8cb6d40 sp 0x7f4ee8cb6d20 T5)
    #0 0x55dbf0b11382 in Item_window_func::check_result_type_of_order_item() /home/alice/git/10.3/sql/item_windowfunc.cc:176
    #1 0x55dbf0442100 in setup_windows(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, List<Window_spec>&, List<Item_window_func>&) /home/alice/git/10.3/sql/sql_window.cc:320
    #2 0x55dbf0058aef in setup_without_group /home/alice/git/10.3/sql/sql_select.cc:670
    #3 0x55dbf005d202 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /home/alice/git/10.3/sql/sql_select.cc:1097
    #4 0x55dbf007a83f in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/alice/git/10.3/sql/sql_select.cc:4130
    #5 0x55dbf005663b in handle_select(THD*, LEX*, select_result*, unsigned long) /home/alice/git/10.3/sql/sql_select.cc:382
    #6 0x55dbeffdd667 in execute_sqlcom_select /home/alice/git/10.3/sql/sql_parse.cc:6535
    #7 0x55dbeffcbc82 in mysql_execute_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:3764
    #8 0x55dbeffe569c in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:7991
    #9 0x55dbeffc0802 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:1841
    #10 0x55dbeffbd9a9 in do_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:1386
    #11 0x55dbf0307eaa in do_handle_one_connection(CONNECT*) /home/alice/git/10.3/sql/sql_connect.cc:1402
    #12 0x55dbf03078b2 in handle_one_connection /home/alice/git/10.3/sql/sql_connect.cc:1308
    #13 0x55dbf0bc0e3a in pfs_spawn_thread /home/alice/git/10.3/storage/perfschema/pfs.cc:1862
    #14 0x7f4ef36316b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #15 0x7f4ef2ac641c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/alice/git/10.3/sql/item_windowfunc.cc:176 Item_window_func::check_result_type_of_order_item()
Thread T5 created by T0 here:
    #0 0x7f4ef40d5253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x55dbf0bc1227 in spawn_thread_v1 /home/alice/git/10.3/storage/perfschema/pfs.cc:1912
    #2 0x55dbefd48ea6 in inline_mysql_thread_create /home/alice/git/10.3/include/mysql/psi/mysql_thread.h:1268
    #3 0x55dbefd5e0b8 in create_thread_to_handle_connection(CONNECT*) /home/alice/git/10.3/sql/mysqld.cc:6534
    #4 0x55dbefd5e7b8 in create_new_thread /home/alice/git/10.3/sql/mysqld.cc:6604
    #5 0x55dbefd5f7e4 in handle_connections_sockets() /home/alice/git/10.3/sql/mysqld.cc:6879
    #6 0x55dbefd5d57d in mysqld_main(int, char**) /home/alice/git/10.3/sql/mysqld.cc:6156
    #7 0x55dbefd4783f in main /home/alice/git/10.3/sql/main.cc:25
    #8 0x7f4ef29df82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

==19377==ABORTING
----------SERVER LOG END-------------
{noformat}

Varun Gupta (Inactive) added a comment - 2018-04-12 00:22 - edited

bool st_select_lex::add_order_to_list(THD *thd, Item *item, bool asc)

  return add_to_list(thd, order_list, item, asc);

(lldb) p &order_list.first

(st_order **) $80 = 0x0000000120837ee0

(lldb) p order_list.next

(st_order **) $81 = 0x0000000120838b30

(lldb) p order_list.elements

(uint) $82 = 0

So here we see that first element is not pointing to the next element(which it should for an empty list). So an initialisation for the order list is not initialised correctly.

Varun Gupta (Inactive) added a comment - 2018-04-12 00:22 - edited bool st_select_lex::add_order_to_list(THD *thd, Item *item, bool asc) { return add_to_list(thd, order_list, item, asc); } (lldb) p &order_list.first (st_order **) $80 = 0x0000000120837ee0 (lldb) p order_list.next (st_order **) $81 = 0x0000000120838b30 (lldb) p order_list.elements (uint) $82 = 0 So here we see that first element is not pointing to the next element(which it should for an empty list). So an initialisation for the order list is not initialised correctly.

Varun Gupta (Inactive) made changes - 2018-04-12 01:13

Status

Confirmed [ 10101 ]

In Progress [ 3 ]

Varun Gupta (Inactive) made changes - 2018-04-12 01:14

Assignee	Varun Gupta [ varun ]	Vicentiu Ciorbaru [ cvicentiu ]
Status	In Progress [ 3 ]	In Review [ 10002 ]

Sergei Golubchik made changes - 2018-04-17 17:15

Priority

Major [ 3 ]

Critical [ 2 ]

Igor Babaev (Inactive) made changes - 2018-04-21 06:30

Assignee

Vicentiu Ciorbaru [ cvicentiu ]

Igor Babaev [ igor ]

Igor Babaev (Inactive) made changes - 2018-04-21 06:45

Assignee	Igor Babaev [ igor ]	Varun Gupta [ varun ]
Status	In Review [ 10002 ]	Stalled [ 10000 ]

Varun Gupta (Inactive) made changes - 2018-04-21 13:14

Fix Version/s		10.3.7 [ 23005 ]
Fix Version/s	10.3 [ 22126 ]
Resolution		Fixed [ 1 ]
Status	Stalled [ 10000 ]	Closed [ 6 ]

Varun Gupta (Inactive) added a comment - 2018-04-21 13:15

Fixed by ~~MDEV-15902~~, just added the test case in the patch for this issue.

Varun Gupta (Inactive) added a comment - 2018-04-21 13:15 Fixed by MDEV-15902 , just added the test case in the patch for this issue.

Sergei Golubchik made changes - 2021-12-06 21:47

Workflow

MariaDB v3 [ 86496 ]

MariaDB v4 [ 154142 ]

People

Assignee:: Varun Gupta (Inactive)

Reporter:: Alice Sherepa

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2018-04-11 14:36

Updated:: 2018-04-21 13:15

Resolved:: 2018-04-21 13:14

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Activity

People

Dates

Git Integration