MariaDB Server / MDEV-16235

[10.0] Server crashes in my_utf8_uni or in my_strtod_int upon SELECT .. LIMIT 0

Description

      SELECT * FROM mysql.slow_log WHERE sql_text != 'foo' LIMIT 0;
      

      5.5 2b749a7bf4

      #2  0x00000000007af0a3 in handle_fatal_signal (sig=11) at /data/src/5.5/sql/signal_handler.cc:262
      #3  <signal handler called>
      #4  0x0000000000cda067 in my_utf8_uni (cs=0x14d1940 <my_charset_utf8_general_ci>, pwc=0x7fec15611610, s=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, e=0xa5a5a5a5a64b4b4a <error: Cannot access memory at address 0xa5a5a5a5a64b4b4a>) at /data/src/5.5/strings/ctype-utf8.c:2316
      #5  0x0000000000cdae1b in my_strnncollsp_utf8 (cs=0x14d1940 <my_charset_utf8_general_ci>, s=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, slen=10855845, t=0x7fec0e572348 "foo", tlen=3, diff_if_only_endspace_difference=0 '\000') at /data/src/5.5/strings/ctype-utf8.c:2761
      #6  0x0000000000690953 in sortcmp (s=0x7fec0e5488d8, t=0x7fec0e5722c0, cs=0x14d1940 <my_charset_utf8_general_ci>) at /data/src/5.5/sql/sql_string.cc:736
      #7  0x00000000007e1554 in Arg_comparator::compare_string (this=0x7fec0e548b40) at /data/src/5.5/sql/item_cmpfunc.cc:999
      #8  0x00000000007f2516 in Arg_comparator::compare (this=0x7fec0e548b40) at /data/src/5.5/sql/item_cmpfunc.h:77
      #9  0x00000000007e4486 in Item_func_ne::val_int (this=0x7fec0e548a78) at /data/src/5.5/sql/item_cmpfunc.cc:1968
      #10 0x000000000063543c in JOIN::exec (this=0x7fec0e548cb0) at /data/src/5.5/sql/sql_select.cc:2336
      #11 0x0000000000637f1e in mysql_select (thd=0x7fec0f653060, rref_pointer_array=0x7fec0f656d08, tables=0x7fec0e5482d0, wild_num=1, fields=..., conds=0x7fec0e548a78, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fec0e548c90, unit=0x7fec0f656388, select_lex=0x7fec0f656a68) at /data/src/5.5/sql/sql_select.cc:3118
      #12 0x000000000062e6c6 in handle_select (thd=0x7fec0f653060, lex=0x7fec0f6562d8, result=0x7fec0e548c90, setup_tables_done_option=0) at /data/src/5.5/sql/sql_select.cc:323
      #13 0x0000000000607ade in execute_sqlcom_select (thd=0x7fec0f653060, all_tables=0x7fec0e5482d0) at /data/src/5.5/sql/sql_parse.cc:4678
      #14 0x0000000000600e5f in mysql_execute_command (thd=0x7fec0f653060) at /data/src/5.5/sql/sql_parse.cc:2224
      #15 0x000000000060a6aa in mysql_parse (thd=0x7fec0f653060, rawbuf=0x7fec0e548078 "SELECT * FROM mysql.slow_log WHERE sql_text != 'foo' LIMIT 0", length=60, parser_state=0x7fec15612640) at /data/src/5.5/sql/sql_parse.cc:5923
      #16 0x00000000005fe3bf in dispatch_command (command=COM_QUERY, thd=0x7fec0f653060, packet=0x7fec12349061 "SELECT * FROM mysql.slow_log WHERE sql_text != 'foo' LIMIT 0", packet_length=60) at /data/src/5.5/sql/sql_parse.cc:1066
      #17 0x00000000005fd5b1 in do_command (thd=0x7fec0f653060) at /data/src/5.5/sql/sql_parse.cc:793
      #18 0x00000000007007e5 in do_handle_one_connection (thd_arg=0x7fec0f653060) at /data/src/5.5/sql/sql_connect.cc:1268
      #19 0x0000000000700572 in handle_one_connection (arg=0x7fec0f653060) at /data/src/5.5/sql/sql_connect.cc:1184
      #20 0x0000000000942e57 in pfs_spawn_thread (arg=0x7fec1037b080) at /data/src/5.5/storage/perfschema/pfs.cc:1015
      #21 0x00007fec1524f064 in start_thread (arg=0x7fec15613700) at pthread_create.c:309
      #22 0x00007fec13cd262d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
      

      Also reproducible on 10.0.
      Couldn't reproduce on 10.1-10.3, not sure if the bug doesn't exist there, or it's just better hidden.

      5.5 started crashing after this commit:

      commit 5e61e1716e763315009318081fba5994b8910242
      Author: Igor Babaev
      Date:   Mon Apr 16 16:59:19 2018 -0700
       
          MDEV-14515 ifnull result depends on number of rows in joined table
          
          Any expensive WHERE condition for a table-less query with
          implicit aggregation was lost. As a result the used aggregate
          functions were calculated over a non-empty set of rows even
          in the case when the condition was false.
      

      Another example with a somewhat different stack trace; otherwise the same applies (versions and revision):

      SELECT * FROM mysql.help_topic WHERE help_category_id != example LIMIT 0;
      

      #3  <signal handler called>
      #4  0x0000000000ce6422 in my_strtod_int (s00=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, se=0x7f69153d4660, error=0x7f69153d466c, buf=0x7f69153d3780 "\240\067=\025i\177", buf_size=3680) at /data/src/5.5/strings/dtoa.c:1377
      #5  0x0000000000ce50ad in my_strtod (str=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, end=0x7f69153d4660, error=0x7f69153d466c) at /data/src/5.5/strings/dtoa.c:468
      #6  0x0000000000ccdf2e in my_strntod_8bit (cs=0x14d1940 <my_charset_utf8_general_ci>, str=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, length=42405, end=0x7f69153d4660, err=0x7f69153d466c) at /data/src/5.5/strings/ctype-simple.c:727
      #7  0x000000000079a8e4 in Field_blob::val_real (this=0x7f690e458be0) at /data/src/5.5/sql/field.cc:7217
      #8  0x00000000007c3a9b in Item_field::val_real (this=0x7f690e5489f0) at /data/src/5.5/sql/item.cc:2627
      #9  0x00000000007e18c8 in Arg_comparator::compare_real (this=0x7f690e548bc0) at /data/src/5.5/sql/item_cmpfunc.cc:1078
      #10 0x00000000007f2516 in Arg_comparator::compare (this=0x7f690e548bc0) at /data/src/5.5/sql/item_cmpfunc.h:77
      #11 0x00000000007e4486 in Item_func_ne::val_int (this=0x7f690e548af8) at /data/src/5.5/sql/item_cmpfunc.cc:1968
      #12 0x000000000063543c in JOIN::exec (this=0x7f690e548d30) at /data/src/5.5/sql/sql_select.cc:2336
      #13 0x0000000000637f1e in mysql_select (thd=0x7f690f653060, rref_pointer_array=0x7f690f656d08, tables=0x7f690e5482e8, wild_num=1, fields=..., conds=0x7f690e548af8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f690e548d10, unit=0x7f690f656388, select_lex=0x7f690f656a68) at /data/src/5.5/sql/sql_select.cc:3118
      #14 0x000000000062e6c6 in handle_select (thd=0x7f690f653060, lex=0x7f690f6562d8, result=0x7f690e548d10, setup_tables_done_option=0) at /data/src/5.5/sql/sql_select.cc:323
      #15 0x0000000000607ade in execute_sqlcom_select (thd=0x7f690f653060, all_tables=0x7f690e5482e8) at /data/src/5.5/sql/sql_parse.cc:4678
      #16 0x0000000000600e5f in mysql_execute_command (thd=0x7f690f653060) at /data/src/5.5/sql/sql_parse.cc:2224
      #17 0x000000000060a6aa in mysql_parse (thd=0x7f690f653060, rawbuf=0x7f690e548078 "SELECT * FROM mysql.help_topic WHERE help_category_id != example LIMIT 0", length=72, parser_state=0x7f69153d5640) at /data/src/5.5/sql/sql_parse.cc:5923
      #18 0x00000000005fe3bf in dispatch_command (command=COM_QUERY, thd=0x7f690f653060, packet=0x7f6912349061 "SELECT * FROM mysql.help_topic WHERE help_category_id != example LIMIT 0", packet_length=72) at /data/src/5.5/sql/sql_parse.cc:1066
      #19 0x00000000005fd5b1 in do_command (thd=0x7f690f653060) at /data/src/5.5/sql/sql_parse.cc:793
      #20 0x00000000007007e5 in do_handle_one_connection (thd_arg=0x7f690f653060) at /data/src/5.5/sql/sql_connect.cc:1268
      #21 0x0000000000700572 in handle_one_connection (arg=0x7f690f653060) at /data/src/5.5/sql/sql_connect.cc:1184
      #22 0x0000000000942e57 in pfs_spawn_thread (arg=0x7f691037b080) at /data/src/5.5/storage/perfschema/pfs.cc:1015
      #23 0x00007f6915012064 in start_thread (arg=0x7f69153d6700) at pthread_create.c:309
      #24 0x00007f6913a9562d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
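The repeated 0xa5 bytes in the pointer and length arguments above (s, e, slen, length) are the fill pattern a MariaDB debug build writes into memory that has been allocated but never written (TRASH_ALLOC in current MariaDB sources; the freed-memory fill is 0x8F), which is why the comparison in the WHERE clause dereferences garbage once LIMIT 0 stops any row from being read first. That reading is mine, not the report's. As an added triage aid that is not part of the report, the script below parses gdb frames in the format shown here, flags every argument whose bytes are a known fill byte, and pulls the offending statement out of the mysql_parse frame; the sample frames are copied from the first trace above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fill bytes a MariaDB debug build writes into memory (TRASH_ALLOC / TRASH_FREE):
# 0xA5 marks storage that was allocated but never initialised, 0x8F marks freed storage.
POISON = {0xA5: "uninitialised (TRASH_ALLOC)", 0x8F: "freed (TRASH_FREE)"}
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\S+) \((.*)\) at (\S+):(\d+)$")
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-f]+|\d+)")
QUERY_RE = re.compile(r'rawbuf=0x[0-9a-f]+ "([^"]*)"')

# Sample input: four frames copied from the first backtrace in the report (innermost first).
TRACE = r"""
#4  0x0000000000cda067 in my_utf8_uni (cs=0x14d1940 <my_charset_utf8_general_ci>, pwc=0x7fec15611610, s=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, e=0xa5a5a5a5a64b4b4a <error: Cannot access memory at address 0xa5a5a5a5a64b4b4a>) at /data/src/5.5/strings/ctype-utf8.c:2316
#5  0x0000000000cdae1b in my_strnncollsp_utf8 (cs=0x14d1940 <my_charset_utf8_general_ci>, s=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, slen=10855845, t=0x7fec0e572348 "foo", tlen=3, diff_if_only_endspace_difference=0 '\000') at /data/src/5.5/strings/ctype-utf8.c:2761
#9  0x00000000007e4486 in Item_func_ne::val_int (this=0x7fec0e548a78) at /data/src/5.5/sql/item_cmpfunc.cc:1968
#15 0x000000000060a6aa in mysql_parse (thd=0x7fec0f653060, rawbuf=0x7fec0e548078 "SELECT * FROM mysql.slow_log WHERE sql_text != 'foo' LIMIT 0", length=60, parser_state=0x7fec15612640) at /data/src/5.5/sql/sql_parse.cc:5923
"""

def poison_kind(value: int, is_pointer: bool) -> Optional[str]:
    """Return the fill pattern a value matches, else None. A pointer counts when its
    4 most significant bytes are the fill byte (so e=0xa5a5a5a5a64b4b4a, poison plus a
    garbage length, is caught); a plain integer counts when all of its bytes, at least
    two, are the fill byte (slen=10855845 is 0xa5a5a5: the length came from poison)."""
    hexs = f"{value:016x}" if is_pointer else f"{value:x}"
    hexs = hexs.zfill(len(hexs) + len(hexs) % 2)  # pad to whole bytes
    window = hexs[:8] if is_pointer else hexs
    pairs = {window[i:i + 2] for i in range(0, len(window), 2)}
    if len(window) < 4 or len(pairs) != 1:
        return None
    return POISON.get(int(pairs.pop(), 16))

def triage(trace: str) -> Dict[str, object]:
    """Walk a gdb backtrace innermost-first; collect the statement and every poisoned argument."""
    query: Optional[str] = None
    poisoned: List[Tuple[int, str, str, str, str]] = []
    for line in trace.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        frame, func, args, _path, _lineno = m.groups()
        q = QUERY_RE.search(args)
        if q:
            query = q.group(1)
        for name, raw in ARG_RE.findall(args):
            value = int(raw, 16) if raw.startswith("0x") else int(raw)
            kind = poison_kind(value, raw.startswith("0x"))
            if kind:
                poisoned.append((int(frame), func, name, raw, kind))
    return {"query": query, "poisoned": poisoned}
```

The first tuple in `poisoned` names the innermost frame and argument that touched uninitialised memory, which is the spot to check for a missing read before the condition is evaluated.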
      

People

Assignee: Igor Babaev (igor)
Reporter: Elena Stepanova (elenst)