[MDEV-16235] [10.0] Server crashes in my_utf8_uni or in my_strtod_int upon SELECT .. LIMIT 0 - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 5.5(EOL), 10.0(EOL)
Fix Version/s: 5.5.61, 10.0.36
Component/s: Optimizer
Labels:
- regression

Description

SELECT * FROM mysql.slow_log WHERE sql_text != 'foo' LIMIT 0;

5.5 2b749a7bf4
#2 0x00000000007af0a3 in handle_fatal_signal (sig=11) at /data/src/5.5/sql/signal_handler.cc:262
#3 <signal handler called>
#4 0x0000000000cda067 in my_utf8_uni (cs=0x14d1940 <my_charset_utf8_general_ci>, pwc=0x7fec15611610, s=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, e=0xa5a5a5a5a64b4b4a <error: Cannot access memory at address 0xa5a5a5a5a64b4b4a>) at /data/src/5.5/strings/ctype-utf8.c:2316
#5 0x0000000000cdae1b in my_strnncollsp_utf8 (cs=0x14d1940 <my_charset_utf8_general_ci>, s=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, slen=10855845, t=0x7fec0e572348 "foo", tlen=3, diff_if_only_endspace_difference=0 '\000') at /data/src/5.5/strings/ctype-utf8.c:2761
#6 0x0000000000690953 in sortcmp (s=0x7fec0e5488d8, t=0x7fec0e5722c0, cs=0x14d1940 <my_charset_utf8_general_ci>) at /data/src/5.5/sql/sql_string.cc:736
#7 0x00000000007e1554 in Arg_comparator::compare_string (this=0x7fec0e548b40) at /data/src/5.5/sql/item_cmpfunc.cc:999
#8 0x00000000007f2516 in Arg_comparator::compare (this=0x7fec0e548b40) at /data/src/5.5/sql/item_cmpfunc.h:77
#9 0x00000000007e4486 in Item_func_ne::val_int (this=0x7fec0e548a78) at /data/src/5.5/sql/item_cmpfunc.cc:1968
#10 0x000000000063543c in JOIN::exec (this=0x7fec0e548cb0) at /data/src/5.5/sql/sql_select.cc:2336
#11 0x0000000000637f1e in mysql_select (thd=0x7fec0f653060, rref_pointer_array=0x7fec0f656d08, tables=0x7fec0e5482d0, wild_num=1, fields=..., conds=0x7fec0e548a78, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fec0e548c90, unit=0x7fec0f656388, select_lex=0x7fec0f656a68) at /data/src/5.5/sql/sql_select.cc:3118
#12 0x000000000062e6c6 in handle_select (thd=0x7fec0f653060, lex=0x7fec0f6562d8, result=0x7fec0e548c90, setup_tables_done_option=0) at /data/src/5.5/sql/sql_select.cc:323
#13 0x0000000000607ade in execute_sqlcom_select (thd=0x7fec0f653060, all_tables=0x7fec0e5482d0) at /data/src/5.5/sql/sql_parse.cc:4678
#14 0x0000000000600e5f in mysql_execute_command (thd=0x7fec0f653060) at /data/src/5.5/sql/sql_parse.cc:2224
#15 0x000000000060a6aa in mysql_parse (thd=0x7fec0f653060, rawbuf=0x7fec0e548078 "SELECT * FROM mysql.slow_log WHERE sql_text != 'foo' LIMIT 0", length=60, parser_state=0x7fec15612640) at /data/src/5.5/sql/sql_parse.cc:5923
#16 0x00000000005fe3bf in dispatch_command (command=COM_QUERY, thd=0x7fec0f653060, packet=0x7fec12349061 "SELECT * FROM mysql.slow_log WHERE sql_text != 'foo' LIMIT 0", packet_length=60) at /data/src/5.5/sql/sql_parse.cc:1066
#17 0x00000000005fd5b1 in do_command (thd=0x7fec0f653060) at /data/src/5.5/sql/sql_parse.cc:793
#18 0x00000000007007e5 in do_handle_one_connection (thd_arg=0x7fec0f653060) at /data/src/5.5/sql/sql_connect.cc:1268
#19 0x0000000000700572 in handle_one_connection (arg=0x7fec0f653060) at /data/src/5.5/sql/sql_connect.cc:1184
#20 0x0000000000942e57 in pfs_spawn_thread (arg=0x7fec1037b080) at /data/src/5.5/storage/perfschema/pfs.cc:1015
#21 0x00007fec1524f064 in start_thread (arg=0x7fec15613700) at pthread_create.c:309
#22 0x00007fec13cd262d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Also reproducible on 10.0.
Couldn't reproduce on 10.1-10.3, not sure if the bug doesn't exist there, or it's just better hidden.

5.5 started crashing after this commit:

commit 5e61e1716e763315009318081fba5994b8910242

Author: Igor Babaev

Date:   Mon Apr 16 16:59:19 2018 -0700

    MDEV-14515 ifnull result depends on number of rows in joined table

    Any expensive WHERE condition for a table-less query with

    implicit aggregation was lost. As a result the used aggregate

    functions were calculated over a non-empty set of rows even

    in the case when the condition was false.

Another example with somewhat different stack trace, otherwise the same applies (versions and revision):

SELECT * FROM mysql.help_topic WHERE help_category_id != example LIMIT 0;

#3  <signal handler called>

#4  0x0000000000ce6422 in my_strtod_int (s00=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, se=0x7f69153d4660, error=0x7f69153d466c, buf=0x7f69153d3780 "\240\067=\025i\177", buf_size=3680) at /data/src/5.5/strings/dtoa.c:1377

#5  0x0000000000ce50ad in my_strtod (str=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, end=0x7f69153d4660, error=0x7f69153d466c) at /data/src/5.5/strings/dtoa.c:468

#6  0x0000000000ccdf2e in my_strntod_8bit (cs=0x14d1940 <my_charset_utf8_general_ci>, str=0xa5a5a5a5a5a5a5a5 <error: Cannot access memory at address 0xa5a5a5a5a5a5a5a5>, length=42405, end=0x7f69153d4660, err=0x7f69153d466c) at /data/src/5.5/strings/ctype-simple.c:727

#7  0x000000000079a8e4 in Field_blob::val_real (this=0x7f690e458be0) at /data/src/5.5/sql/field.cc:7217

#8  0x00000000007c3a9b in Item_field::val_real (this=0x7f690e5489f0) at /data/src/5.5/sql/item.cc:2627

#9  0x00000000007e18c8 in Arg_comparator::compare_real (this=0x7f690e548bc0) at /data/src/5.5/sql/item_cmpfunc.cc:1078

#10 0x00000000007f2516 in Arg_comparator::compare (this=0x7f690e548bc0) at /data/src/5.5/sql/item_cmpfunc.h:77

#11 0x00000000007e4486 in Item_func_ne::val_int (this=0x7f690e548af8) at /data/src/5.5/sql/item_cmpfunc.cc:1968

#12 0x000000000063543c in JOIN::exec (this=0x7f690e548d30) at /data/src/5.5/sql/sql_select.cc:2336

#13 0x0000000000637f1e in mysql_select (thd=0x7f690f653060, rref_pointer_array=0x7f690f656d08, tables=0x7f690e5482e8, wild_num=1, fields=..., conds=0x7f690e548af8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f690e548d10, unit=0x7f690f656388, select_lex=0x7f690f656a68) at /data/src/5.5/sql/sql_select.cc:3118

#14 0x000000000062e6c6 in handle_select (thd=0x7f690f653060, lex=0x7f690f6562d8, result=0x7f690e548d10, setup_tables_done_option=0) at /data/src/5.5/sql/sql_select.cc:323

#15 0x0000000000607ade in execute_sqlcom_select (thd=0x7f690f653060, all_tables=0x7f690e5482e8) at /data/src/5.5/sql/sql_parse.cc:4678

#16 0x0000000000600e5f in mysql_execute_command (thd=0x7f690f653060) at /data/src/5.5/sql/sql_parse.cc:2224

#17 0x000000000060a6aa in mysql_parse (thd=0x7f690f653060, rawbuf=0x7f690e548078 "SELECT * FROM mysql.help_topic WHERE help_category_id != example LIMIT 0", length=72, parser_state=0x7f69153d5640) at /data/src/5.5/sql/sql_parse.cc:5923

#18 0x00000000005fe3bf in dispatch_command (command=COM_QUERY, thd=0x7f690f653060, packet=0x7f6912349061 "SELECT * FROM mysql.help_topic WHERE help_category_id != example LIMIT 0", packet_length=72) at /data/src/5.5/sql/sql_parse.cc:1066

#19 0x00000000005fd5b1 in do_command (thd=0x7f690f653060) at /data/src/5.5/sql/sql_parse.cc:793

#20 0x00000000007007e5 in do_handle_one_connection (thd_arg=0x7f690f653060) at /data/src/5.5/sql/sql_connect.cc:1268

#21 0x0000000000700572 in handle_one_connection (arg=0x7f690f653060) at /data/src/5.5/sql/sql_connect.cc:1184

#22 0x0000000000942e57 in pfs_spawn_thread (arg=0x7f691037b080) at /data/src/5.5/storage/perfschema/pfs.cc:1015

#23 0x00007f6915012064 in start_thread (arg=0x7f69153d6700) at pthread_create.c:309

#24 0x00007f6913a9562d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Attachments

Issue Links

duplicates

MDEV-16585 10.0.35 - crash

Closed

MariaDB Server

[10.0] Server crashes in my_utf8_uni or in my_strtod_int upon SELECT .. LIMIT 0

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration