MariaDB Server: MDEV-16128

Server crash in Item_func::print_op on 2nd execution of PS

Details

    Description

      CREATE TABLE t1 (a1 varchar(10));
      CREATE TABLE t2 (a2 varchar(10));
      CREATE TABLE t3 (u1 varchar(10) CHARACTER SET utf8 );
      CREATE TABLE t4 (u2 varchar(10) CHARACTER SET utf8);
       
      PREPARE stmt FROM "SELECT t1.* FROM (t1 JOIN t2 JOIN t3 ON (t3.u1 = t2.a2)) WHERE (EXISTS (SELECT 1 FROM t4 WHERE t4.u2 = t1.a1))";
       
      EXECUTE stmt;
      EXECUTE stmt;
      

      Server version: 10.0.36-MariaDB-debug
      key_buffer_size=134217728
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=1
      It is possible that mysqld could use up to
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467083 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x7fe12d6db070
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7fe142dcfe78 thread_stack 0x48000
      handler/ha_innodb.cc:16080(innodb_internal_table_validate(THD*, st_mysql_sys_var*, void*, st_mysql_value*))[0xe61651]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(handle_fatal_signal+0x2f4)[0x84faa5]
      /lib/x86_64-linux-gnu/libpthread.so.0(+0x11390)[0x7fe14219d390]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(_ZN9Item_func8print_opEP6String15enum_query_type+0x62)[0x8b2ad6]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(_ZN15Item_bool_func25printEP6String15enum_query_type+0x29)[0x8996bd]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(_ZN9Item_cond5printEP6String15enum_query_type+0x11c)[0x893b62]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(_Z15dbug_print_itemP4Item+0x7f)[0x87dc03]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(_ZN4JOIN7prepareEPPP4ItemP10TABLE_LISTjS1_jP8st_orderbS7_S1_S7_P13st_select_lexP18st_select_lex_unit+0x1df)[0x686b29]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(_Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x30d)[0x69038b]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(_Z13handle_selectP3THDP3LEXP13select_resultm+0x183)[0x68614b]
      /home/alice/BR/m4-10.0/bld/sql//mysqld[0x6587d1]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(_Z21mysql_execute_commandP3THD+0xab3)[0x650a91]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(_ZN18Prepared_statement7executeEP6Stringb+0x457)[0x674d4b]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(_ZN18Prepared_statement12execute_loopEP6StringbPhS2_+0x14b)[0x673d2b]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(_Z22mysql_sql_stmt_executeP3THD+0x185)[0x671eca]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(_Z21mysql_execute_commandP3THD+0xae4)[0x650ac2]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(_Z11mysql_parseP3THDPcjP12Parser_state+0x255)[0x65b6ac]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(_Z16dispatch_command19enum_server_commandP3THDPcj+0xa9d)[0x64dc1a]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(_Z10do_commandP3THD+0x347)[0x64cefa]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(_Z24do_handle_one_connectionP3THD+0x1f8)[0x77b0d1]
      /home/alice/BR/m4-10.0/bld/sql//mysqld(handle_one_connection+0x33)[0x77ae2e]
      /lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7fe1421936ba]
      x86_64/clone.S:111(clone)[0x7fe140f8d41d]
      

      10.1:

       
      Thread 1 (Thread 0x7f631607db00 (LWP 12496)):
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:62
      #1  0x000055d2b271c17a in my_write_core (sig=sig@entry=6) at /home/alice/git/10.1/mysys/stacktrace.c:477
      #2  0x000055d2b22ff388 in handle_fatal_signal (sig=6) at /home/alice/git/10.1/sql/signal_handler.cc:296
      #3  <signal handler called>
      #4  0x00007f63141a5428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
      #5  0x00007f63141a702a in __GI_abort () at abort.c:89
      #6  0x00007f63148d284d in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
      #7  0x00007f63148d06b6 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
      #8  0x00007f63148d0701 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
      #9  0x00007f63148d123f in __cxa_pure_virtual () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
      #10 0x000055d2b232cff2 in Item_func::convert_const_compared_to_int_field (this=0x7f630b137940, thd=0x7f630f7e9008) at /home/alice/git/10.1/sql/item_cmpfunc.cc:489
      #11 0x000055d2b232d854 in Item_func::setup_args_and_comparator (this=0x7f630b137940, thd=0x7f630f7e9008, cmp=0x7f630b137a00) at /home/alice/git/10.1/sql/item_cmpfunc.cc:515
      #12 0x000055d2b235008c in Item_func::fix_fields (this=0x7f630b137940, thd=0x7f630f7e9008, ref=<optimized out>) at /home/alice/git/10.1/sql/item_func.cc:236
      #13 0x000055d2b232bb79 in Item_cond::fix_fields (this=0x7f630b174188, thd=0x7f630f7e9008, ref=<optimized out>) at /home/alice/git/10.1/sql/item_cmpfunc.cc:4638
      #14 0x000055d2b21524b1 in setup_conds (thd=thd@entry=0x7f630f7e9008, tables=tables@entry=0x7f630b17ce50, leaves=..., conds=conds@entry=0x7f630b174880) at /home/alice/git/10.1/sql/sql_base.cc:8655
      #15 0x000055d2b21d1397 in setup_without_group (reserved=0x7f630b17babc, hidden_group_fields=0x7f630b174760, group=0x0, order=0x0, conds=0x7f630b174880, all_fields=..., fields=..., leaves=..., tables=0x7f630b17ce50, ref_pointer_array=<optimized out>, thd=0x7f630f7e9008) at /home/alice/git/10.1/sql/sql_select.cc:649
      #16 JOIN::prepare (this=0x7f630b174428, rref_pointer_array=0x7f630b17ba98, tables_init=<optimized out>, wild_num=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f630b17b7f0, unit_arg=0x7f630b17b0f0) at /home/alice/git/10.1/sql/sql_select.cc:808
      #17 0x000055d2b21dec3e in mysql_select (thd=thd@entry=0x7f630f7e9008, rref_pointer_array=rref_pointer_array@entry=0x7f630b17ba98, tables=0x7f630b17ce50, wild_num=<optimized out>, fields=..., conds=0x7f630b174188, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2416184064, result=0x7f630b180858, unit=0x7f630b17b0f0, select_lex=0x7f630b17b7f0) at /home/alice/git/10.1/sql/sql_select.cc:3454
      #18 0x000055d2b21dee10 in handle_select (thd=thd@entry=0x7f630f7e9008, lex=lex@entry=0x7f630b17b028, result=result@entry=0x7f630b180858, setup_tables_done_option=setup_tables_done_option@entry=0) at /home/alice/git/10.1/sql/sql_select.cc:388
      #19 0x000055d2b20e5eb6 in execute_sqlcom_select (thd=thd@entry=0x7f630f7e9008, all_tables=0x7f630b17ce50) at /home/alice/git/10.1/sql/sql_parse.cc:5946
      #20 0x000055d2b21923f7 in mysql_execute_command (thd=0x7f630f7e9008) at /home/alice/git/10.1/sql/sql_parse.cc:2992
      #21 0x000055d2b21a5e07 in Prepared_statement::execute (this=this@entry=0x7f630b1ae288, expanded_query=expanded_query@entry=0x7f631607afe0, open_cursor=open_cursor@entry=false) at /home/alice/git/10.1/sql/sql_prepare.cc:4284
      #22 0x000055d2b21a5f23 in Prepared_statement::execute_loop (this=0x7f630b1ae288, expanded_query=0x7f631607afe0, open_cursor=false, packet_end=<optimized out>, packet=<optimized out>) at /home/alice/git/10.1/sql/sql_prepare.cc:3916
      #23 0x000055d2b21a6556 in mysql_sql_stmt_execute (thd=thd@entry=0x7f630f7e9008) at /home/alice/git/10.1/sql/sql_prepare.cc:3042
      #24 0x000055d2b218e5cc in mysql_execute_command (thd=thd@entry=0x7f630f7e9008) at /home/alice/git/10.1/sql/sql_parse.cc:3003
      #25 0x000055d2b219437a in mysql_parse (thd=0x7f630f7e9008, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /home/alice/git/10.1/sql/sql_parse.cc:7390
      #26 0x000055d2b219771b in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f630f7e9008, packet=packet@entry=0x7f630cf8c009 "EXECUTE stmt", packet_length=packet_length@entry=12) at /home/alice/git/10.1/sql/sql_parse.cc:1491
      #27 0x000055d2b2197f89 in do_command (thd=0x7f630f7e9008) at /home/alice/git/10.1/sql/sql_parse.cc:1120
      #28 0x000055d2b22541bc in do_handle_one_connection (thd_arg=thd_arg@entry=0x7f630f7e9008) at /home/alice/git/10.1/sql/sql_connect.cc:1330
      #29 0x000055d2b2254367 in handle_one_connection (arg=arg@entry=0x7f630f7e9008) at /home/alice/git/10.1/sql/sql_connect.cc:1242
      #30 0x000055d2b245fbe4 in pfs_spawn_thread (arg=0x7f631343ea08) at /home/alice/git/10.1/storage/perfschema/pfs.cc:1861
      #31 0x00007f6314bcc6ba in start_thread (arg=0x7f631607db00) at pthread_create.c:333
      #32 0x00007f631427741d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
      

      10.2, 10.3:

      Thread 1 (Thread 0x7efc2274f700 (LWP 15761)):
      #0  __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:62
      #1  0x0000556f9914c611 in my_write_core (sig=11) at /home/alice/git/10.2/mysys/stacktrace.c:477
      #2  0x0000556f989e6bff in handle_fatal_signal (sig=11) at /home/alice/git/10.2/sql/signal_handler.cc:305
      #3  <signal handler called>
      #4  0x0000556f989fc8cd in Item::print_parenthesised (this=0x7efc10013380, str=0x7efc2274bcf0, query_type=QT_EXPLAIN, parent_prec=CMP_PRECEDENCE) at /home/alice/git/10.2/sql/item.cc:579
      #5  0x0000556f98a5f750 in Item_func::print_op (this=0x7efc100450f8, str=0x7efc2274bcf0, query_type=QT_EXPLAIN) at /home/alice/git/10.2/sql/item_func.cc:479
      #6  0x0000556f98a3a2ff in Item_bool_rowready_func2::print (this=0x7efc100450f8, str=0x7efc2274bcf0, query_type=QT_EXPLAIN) at /home/alice/git/10.2/sql/item_cmpfunc.h:490
      #7  0x0000556f989fc91d in Item::print_parenthesised (this=0x7efc100450f8, str=0x7efc2274bcf0, query_type=QT_EXPLAIN, parent_prec=AND_PRECEDENCE) at /home/alice/git/10.2/sql/item.cc:582
      #8  0x0000556f98a33532 in Item_cond::print (this=0x7efc10012660, str=0x7efc2274bcf0, query_type=QT_EXPLAIN) at /home/alice/git/10.2/sql/item_cmpfunc.cc:4850
      #9  0x0000556f98a1a4cf in dbug_print_item (item=0x7efc10012660) at /home/alice/git/10.2/sql/item.cc:10758
      #10 0x0000556f987b52a9 in JOIN::prepare (this=0x7efc10012900, tables_init=0x7efc1015d280, wild_num=0, conds_init=0x7efc10012660, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7efc1015bae0, unit_arg=0x7efc1015b3a8) at /home/alice/git/10.2/sql/sql_select.cc:714
      #11 0x0000556f987bfd82 in mysql_select (thd=0x7efc10000b00, tables=0x7efc1015d280, wild_num=0, fields=..., conds=0x7efc10012660, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2416184064, result=0x7efc10160e20, unit=0x7efc1015b3a8, select_lex=0x7efc1015bae0) at /home/alice/git/10.2/sql/sql_select.cc:3741
      #12 0x0000556f987b44d8 in handle_select (thd=0x7efc10000b00, lex=0x7efc1015b2e0, result=0x7efc10160e20, setup_tables_done_option=0) at /home/alice/git/10.2/sql/sql_select.cc:376
      #13 0x0000556f98780077 in execute_sqlcom_select (thd=0x7efc10000b00, all_tables=0x7efc1015d280) at /home/alice/git/10.2/sql/sql_parse.cc:6472
      #14 0x0000556f98775dfd in mysql_execute_command (thd=0x7efc10000b00) at /home/alice/git/10.2/sql/sql_parse.cc:3483
      #15 0x0000556f987a141d in Prepared_statement::execute (this=0x7efc10031310, expanded_query=0x7efc2274d560, open_cursor=false) at /home/alice/git/10.2/sql/sql_prepare.cc:4774
      #16 0x0000556f9879f77b in Prepared_statement::execute_loop (this=0x7efc10031310, expanded_query=0x7efc2274d560, open_cursor=false, packet=0x0, packet_end=0x0) at /home/alice/git/10.2/sql/sql_prepare.cc:4203
      #17 0x0000556f9879d458 in mysql_sql_stmt_execute (thd=0x7efc10000b00) at /home/alice/git/10.2/sql/sql_prepare.cc:3311
      #18 0x0000556f98775e42 in mysql_execute_command (thd=0x7efc10000b00) at /home/alice/git/10.2/sql/sql_parse.cc:3499
      #19 0x0000556f98783aac in mysql_parse (thd=0x7efc10000b00, rawbuf=0x7efc100124f8 "EXECUTE stmt", length=12, parser_state=0x7efc2274e200, is_com_multi=false, is_next_command=false) at /home/alice/git/10.2/sql/sql_parse.cc:7924
      #20 0x0000556f9877165c in dispatch_command (command=COM_QUERY, thd=0x7efc10000b00, packet=0x7efc10146f31 "EXECUTE stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /home/alice/git/10.2/sql/sql_parse.cc:1820
      #21 0x0000556f9876ffb8 in do_command (thd=0x7efc10000b00) at /home/alice/git/10.2/sql/sql_parse.cc:1374
      #22 0x0000556f988be88d in do_handle_one_connection (connect=0x556f9ac98e00) at /home/alice/git/10.2/sql/sql_connect.cc:1335
      #23 0x0000556f988be60d in handle_one_connection (arg=0x556f9ac98e00) at /home/alice/git/10.2/sql/sql_connect.cc:1241
      #24 0x0000556f98c1cc02 in pfs_spawn_thread (arg=0x556f9abe3f40) at /home/alice/git/10.2/storage/perfschema/pfs.cc:1862
      #25 0x00007efc290b96ba in start_thread (arg=0x7efc2274f700) at pthread_create.c:333
      #26 0x00007efc2854e41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
      

          Activity

            sanja Oleksandr Byelkin added a comment - - edited

            shulga, take the patch from MDEV-14959 (in comments, see "draft") and check your test case with it; you will see it allocates after the first execution in the permanent mem_root (or find a bug in the patch).

            shulga Dmitry Shulga added a comment -

            For those statements that require conversion of data
            from one character set to another, an attempt to run such a
            statement in PS mode a second time results in a server crash.

            The reason for the server crash is that an instance of the class
            Item_func_conv_charset, which is created for conversion of a column
            from one character set to another, is allocated on the execution
            memory root, but a pointer to this instance is stored in an item
            allocated on the prepared statement memory root. The first time the prepared
            statement completes, the instance of the class Item_func_conv_charset
            is released, but a pointer to the deallocated object is still stored
            inside internal structures created during execution of the statement.
            The second time the same prepared statement is executed, it references
            the pointer to already deallocated memory, which leads to a crash.

            One of the possible ways to fix the issue is to place an instance
            of the class Item_func_conv_charset on the PS memory root. Since the character set
            of data passed to a prepared statement can change between executions of
            the prepared statement, the information about the character set used on the last
            execution should be remembered and compared against the one used on the next
            execution of the prepared statement. In case the character set used on the
            next execution of the prepared statement is different from the one
            used on the previous execution, a new instance of the class
            Item_func_conv_charset should be created on the PS memroot and replace
            the current one used on the last execution of the prepared statement.

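As an added illustration, not code from MariaDB or from the patch under review, the following C++ model reproduces the lifetime problem the comment above describes and the proposed fix. Arena, ConvCharset and Compare are constructed stand-ins for a mem_root, Item_func_conv_charset and the comparison item; reset() poisons objects instead of freeing them so that the stale-pointer case stays well-defined.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Base for everything an arena owns; "dead" is set when the owning arena is reset.
struct Obj { bool dead = false; virtual ~Obj() = default; };
// Stand-in for a mem_root. reset() models free_root(): instead of freeing memory it
// poisons the objects, so touching a stale pointer is detectable rather than undefined.
struct Arena {
    std::vector<std::unique_ptr<Obj>> live, graveyard;
    template <class T, class... A> T* alloc(A&&... a) {
        live.push_back(std::make_unique<T>(std::forward<A>(a)...));
        return static_cast<T*>(live.back().get());
    }
    void reset() {
        for (auto& o : live) { o->dead = true; graveyard.push_back(std::move(o)); }
        live.clear();
    }
};

// Stand-in for Item_func_conv_charset: converts one side of a comparison to a charset.
struct ConvCharset : Obj {
    std::string to;
    explicit ConvCharset(std::string cs) : to(std::move(cs)) {}
};

// Stand-in for the comparison item (t3.u1 = t2.a2), which lives on the PS mem_root.
struct Compare : Obj {
    ConvCharset* conv = nullptr;  // this pointer dangles in the buggy version
    std::string last_cs;          // the fix remembers the charset used last time
};

// Buggy: converter allocated on the per-execution arena, pointer kept on the PS arena.
// Returns false when an execution touches a converter that was already released.
bool execute_buggy(Compare* cmp, Arena& exec_arena, const std::string& cs) {
    if (cmp->conv == nullptr)                      // created once, on the first EXECUTE
        cmp->conv = exec_arena.alloc<ConvCharset>(cs);
    bool ok = !cmp->conv->dead;                    // the second EXECUTE finds it dead
    exec_arena.reset();                            // end of EXECUTE frees the execution root
    return ok;
}

// Fixed: converter allocated on the PS arena and re-created only when the charset
// differs from the one remembered from the previous execution.
bool execute_fixed(Compare* cmp, Arena& stmt_arena, Arena& exec_arena, const std::string& cs) {
    if (cmp->conv == nullptr || cmp->last_cs != cs) {
        cmp->conv = stmt_arena.alloc<ConvCharset>(cs);
        cmp->last_cs = cs;
    }
    bool ok = !cmp->conv->dead && cmp->conv->to == cs;
    exec_arena.reset();
    return ok;
}
```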
            shulga Dmitry Shulga added a comment -

            The branch for review is bb-10.3-MDEV-16128


            sanja Oleksandr Byelkin added a comment -

            ok, to push
            serg Sergei Golubchik added a comment - - edited

            What about test cases for ? (Item_param) and binary?


            People

              shulga Dmitry Shulga
              alice Alice Sherepa