Details
Critical Description
Later update: A test case can be found in this comment.
Complex SELECT crashes when executed as prepared statement, with the following crashing thread full backtrace:
Thread 1 (Thread 0x7f864281e700 (LWP 3849)):
|
#0 0x00007f8c31fba741 in pthread_kill () from /lib64/libpthread.so.0
|
No symbol table info available.
|
#1 0x00007f8c332539ab in my_write_core (sig=11) at /home/buildbot/buildbot/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX/mariadb-10.2.14/mysys/stacktrace.c:477
|
No locals.
|
#2 0x00007f8c32c8751b in handle_fatal_signal (sig=11) at /home/buildbot/buildbot/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX/mariadb-10.2.14/sql/signal_handler.cc:305
|
buff = "/mariadb/data/"
|
curr_time = 1536635371
|
tm = {tm_sec = 31, tm_min = 9, tm_hour = 11, tm_mday = 11, tm_mon = 8, tm_year = 118, tm_wday = 2, tm_yday = 253, tm_isdst = 0, tm_gmtoff = 28800, tm_zone = 0x7f8c350c4f50 "SGT"}
|
thd = 0x7f85db7e4cb8
|
print_invalid_query_pointer = false
|
#3 <signal handler called>
|
No symbol table info available.
|
#4 0x00007f8c32dc7e1e in Item_func_in::cleanup (this=0x7f8584cb5170) at /home/buildbot/buildbot/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX/mariadb-10.2.14/sql/item_cmpfunc.h:2355
|
No locals.
|
#5 0x00007f8c329d1603 in Item::delete_self (this=0x7f8584cb5170) at /home/buildbot/buildbot/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX/mariadb-10.2.14/sql/item.h:1847
|
No locals.
|
#6 0x00007f8c329ca012 in Query_arena::free_items (this=0x7f85db7e4cd0) at /home/buildbot/buildbot/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX/mariadb-10.2.14/sql/sql_class.cc:3695
|
next = 0x7f8584cb5060
|
#7 0x00007f8c329c5835 in THD::cleanup_after_query (this=0x7f85db7e4cb8) at /home/buildbot/buildbot/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX/mariadb-10.2.14/sql/sql_class.cc:2226
|
No locals.
|
#8 0x00007f8c32a33921 in Prepared_statement::cleanup_stmt (this=0x7f8597d980d8) at /home/buildbot/buildbot/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX/mariadb-10.2.14/sql/sql_prepare.cc:3808
|
No locals.
|
#9 0x00007f8c32a35e1f in Prepared_statement::execute (this=0x7f8597d980d8, expanded_query=0x7f864281cef0, open_cursor=false)
|
at /home/buildbot/buildbot/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX/mariadb-10.2.14/sql/sql_prepare.cc:4769
|
stmt_backup = {<ilink> = {_vptr.ilink = 0x7f8c339b9870 <vtable for Statement+16>, prev = 0x0, next = 0x0}, <Query_arena> = {_vptr.Query_arena = 0x7f8c339b98a0 <vtable for Statement+64>, free_list = 0x7f85dbf4fdc0,
|
mem_root = 0x44281c8e0, state = 1261}, id = 0, mark_used_columns = MARK_COLUMNS_READ, name = {str = 0x7f8c32ab706e <String::append(char const*, unsigned long)+294> "H\213E\350\213P\b\213E\370\001\302H\213E\350\211P\b\270",
|
length = 140214618147056}, lex = 0x7f85db7e8750, stmt_lex = 0x7f85db7e8750, query_string = {string = {
|
str = 0x7f8584cb2330 "SELECT ... LEFT OUTER JOIN ( \t\t\t\t\t\tSELECT ... ROW_NUMBER() OVER (PARTITION BY ... ORDER BY ...) RNUM ... ", length = 1261}, cs = 0x7f8c33c970e0 <my_charset_utf8_general_ci>}, base_query = {Ptr = 0x0, str_length = 0, Alloced_length = 0, extra_alloc = 0, alloced = false, thread_specific = false,
|
str_charset = 0x7f8c33ae5060 <my_charset_bin>}, db = 0x7f864281c930 "\340ɁB\206\177", db_length = 140240120910893, query_cache_is_applicable = 95 '_'}
|
old_stmt_arena = 0x7f85db7e4cd0
|
saved_cur_db_name_buf = "\340ɁB\206\177"
|
saved_cur_db_name = {str = 0x7f864281c930 "\340ɁB\206\177", length = 202}
|
cur_db_changed = false
|
error = false
|
stmt_db_name = {str = 0x7f85da806d98 "cepdb", length = 5}
|
#10 0x00007f8c32a34345 in Prepared_statement::execute_loop (this=0x7f8597d980d8, expanded_query=0x7f864281cef0, open_cursor=false, packet=0x7f85863e2962 "def\005cepdb\002T3\020rms_rule_dtls_at\aRULE_ID\aRULE_ID\f?",
|
packet_end=0x7f85863e2a11 "E\024LAST_AUTHORIZED_DATE\f?") at /home/buildbot/buildbot/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX/mariadb-10.2.14/sql/sql_prepare.cc:4172
|
reprepare_observer = {m_invalidated = false}
|
error = 91
|
reprepare_attempt = 0
|
#11 0x00007f8c32a3231e in mysql_stmt_execute_common (thd=0x7f85db7e4cb8, stmt_id=16, packet=0x7f85863e2962 "def\005cepdb\002T3\020rms_rule_dtls_at\aRULE_ID\aRULE_ID\f?", packet_end=0x7f85863e2a11 "E\024LAST_AUTHORIZED_DATE\f?",
|
cursor_flags=0, bulk_op=false, read_types=false) at /home/buildbot/buildbot/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX/mariadb-10.2.14/sql/sql_prepare.cc:3170
|
expanded_query = {
|
Ptr = 0x7f85dbe01c58 "SELECT ... ", str_length = 1261, Alloced_length = 1944, extra_alloc = 896, alloced = true, thread_specific = false, str_charset = 0x7f8c33ae5060 <my_charset_bin>}
|
stmt = 0x7f8597d980d8
|
save_protocol = 0x7f85db7e51f0
|
open_cursor = false
|
#12 0x00007f8c32a320d0 in mysqld_stmt_execute (thd=0x7f85db7e4cb8, packet_arg=0x7f85863e2959 "", packet_length=184) at /home/buildbot/buildbot/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX/mariadb-10.2.14/sql/sql_prepare.cc:3068
|
packet = 0x7f85863e2962 "def\005cepdb\002T3\020rms_rule_dtls_at\aRULE_ID\aRULE_ID\f?"
|
stmt_id = 16
|
flags = 0
|
packet_end = 0x7f85863e2a11 "E\024LAST_AUTHORIZED_DATE\f?"
|
#13 0x00007f8c32a0caaa in dispatch_command (command=COM_STMT_EXECUTE, thd=0x7f85db7e4cb8, packet=0x7f85863e2959 "", packet_length=184, is_com_multi=false, is_next_command=false)
|
at /home/buildbot/buildbot/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX/mariadb-10.2.14/sql/sql_parse.cc:1777
|
net = 0x7f85db7e4f20
|
do_end_of_statement = true
|
__FUNCTION__ = "dispatch_command"
|
error = false
|
drop_more_results = false
|
#14 0x00007f8c32a0ba79 in do_command (thd=0x7f85db7e4cb8) at /home/buildbot/buildbot/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX/mariadb-10.2.14/sql/sql_parse.cc:1383
|
return_value = false
|
packet = 0x7f85863e2958 "\001"
|
packet_length = 185
|
net = 0x7f85db7e4f20
|
command = COM_STMT_EXECUTE
|
#15 0x00007f8c32b34860 in do_handle_one_connection (connect=0x7f8c566bcc18) at /home/buildbot/buildbot/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX/mariadb-10.2.14/sql/sql_connect.cc:1335
|
create_user = true
|
thr_create_utime = 5924978319722
|
thd = 0x7f85db7e4cb8
|
#16 0x00007f8c32b345c0 in handle_one_connection (arg=0x7f8c566bcc18) at /home/buildbot/buildbot/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX/mariadb-10.2.14/sql/sql_connect.cc:1241
|
connect = 0x7f8c566bcc18
|
#17 0x00007f8c31fb5dc5 in start_thread () from /lib64/libpthread.so.0
|
No symbol table info available.
|
#18 0x00007f8c3058d1cd in clone () from /lib64/libc.so.6
|
Crash is repeatable in the related environment.
Attachments
Issue Links
- relates to
-
MDEV-15585 signal 11 in cleanup phase
-
- Closed
-
-
-
- Closed
-
-
-
- Open
-
-
-
- Closed
-
Activity
Possibly, MDEV-15347 is not related to this problem.
This problem is about Item_func_in::cleanup()
MDEV-15347 is about Item_in_subselect::cleanup()
valerii, is it possible to find out (or maybe it's already known) which connector is used for this workflow?
Also, a portion of the general log could really help. In this case I'm mostly interested in the commands (Prepare / Execute / Reset etc.) associated with the workflow in question. Previously I observed some differences in behavior and dependency on the connector while working on MDEV-17344
It would be very helpful if the user could check whether the failure is reproducible on a build with the fix for MDEV-15746. It causes many obscure problems with prepared statements, some of which are listed in MDEV-17889.
Re-opening as I've got a test case which produces identical stack trace.
CREATE TABLE t1 (a VARCHAR(8)); |
INSERT INTO t1 VALUES ('abc'),('def'); |
CREATE ALGORITHM=TEMPTABLE VIEW v1 AS SELECT * FROM t1; |
CREATE VIEW v2 AS SELECT * FROM v1; |
SELECT * FROM v2 WHERE IF( a REGEXP 'bar', 'foo', a ) IN ('qux', 'foobar'); |
|
|
# Cleanup
|
DROP VIEW v2; |
DROP VIEW v1; |
DROP TABLE t1; |
|
10.2 f9f96855 |
#3 <signal handler called>
|
#4 0x000055eb72c2dda0 in Item_func_in::cleanup (this=0x7f6ef80134e8) at /data/src/10.2/sql/item_cmpfunc.h:1674
|
#5 0x000055eb7280c6a3 in Item::delete_self (this=0x7f6ef80134e8) at /data/src/10.2/sql/item.h:1924
|
#6 0x000055eb728034c0 in Query_arena::free_items (this=0x7f6ef8000b18) at /data/src/10.2/sql/sql_class.cc:3494
|
#7 0x000055eb727fea29 in THD::cleanup_after_query (this=0x7f6ef8000b00) at /data/src/10.2/sql/sql_class.cc:2090
|
#8 0x000055eb72854ee1 in mysql_parse (thd=0x7f6ef8000b00, rawbuf=0x7f6ef8012468 "SELECT * FROM v2 WHERE IF( a REGEXP 'bar', 'foo', a ) IN ('qux', 'foobar')", length=74, parser_state=0x7f6f0a834200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7781
|
#9 0x000055eb728430ab in dispatch_command (command=COM_QUERY, thd=0x7f6ef8000b00, packet=0x7f6ef808d601 "", packet_length=74, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1832
|
#10 0x000055eb728419ff in do_command (thd=0x7f6ef8000b00) at /data/src/10.2/sql/sql_parse.cc:1385
|
#11 0x000055eb72996841 in do_handle_one_connection (connect=0x55eb74f48620) at /data/src/10.2/sql/sql_connect.cc:1336
|
#12 0x000055eb729965ac in handle_one_connection (arg=0x55eb74f48620) at /data/src/10.2/sql/sql_connect.cc:1241
|
#13 0x000055eb731c7542 in pfs_spawn_thread (arg=0x55eb74f6b8d0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
|
#14 0x00007f6f120754a4 in start_thread (arg=0x7f6f0a835700) at pthread_create.c:456
|
#15 0x00007f6f105bdd0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
|
|
10.2 f9f96855 ASAN |
==13471==ERROR: AddressSanitizer: use-after-poison on address 0x6290000e7b60 at pc 0x55a2462d65f7 bp 0x7ff9a305de70 sp 0x7ff9a305de68
|
READ of size 8 at 0x6290000e7b60 thread T5
|
#0 0x55a2462d65f6 in Item_func_in::cleanup() /data/src/10.2/sql/item_cmpfunc.h:1674
|
#1 0x55a245903a99 in Item::delete_self() /data/src/10.2/sql/item.h:1924
|
#2 0x55a2458ee5d5 in Query_arena::free_items() /data/src/10.2/sql/sql_class.cc:3494
|
#3 0x55a2458e213a in THD::cleanup_after_query() /data/src/10.2/sql/sql_class.cc:2090
|
#4 0x55a2459ab60f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7781
|
#5 0x55a245987558 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1832
|
#6 0x55a24598456e in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1385
|
#7 0x55a245cbd1a5 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#8 0x55a245cbcb75 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#9 0x55a246ef09bc in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
|
#10 0x7ff9ae92c4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
#11 0x7ff9ace74d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
|
|
|
0x6290000e7b60 is located 6496 bytes inside of 16460-byte region [0x6290000e6200,0x6290000ea24c)
|
allocated by thread T5 here:
|
#0 0x7ff9aec03d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
|
#1 0x55a246ff58b4 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
|
#2 0x55a246fc644c in my_malloc /data/src/10.2/mysys/my_malloc.c:101
|
#3 0x55a246fa7f9d in alloc_root /data/src/10.2/mysys/my_alloc.c:242
|
#4 0x55a2457acdf0 in Sql_alloc::operator new(unsigned long, st_mem_root*) /data/src/10.2/sql/sql_list.h:45
|
#5 0x55a245a3d5a7 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3796
|
#6 0x55a245a1cc2f in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:365
|
#7 0x55a2459a2a18 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6226
|
#8 0x55a245990d6d in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3533
|
#9 0x55a2459ab358 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7760
|
#10 0x55a245987558 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1832
|
#11 0x55a24598456e in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1385
|
#12 0x55a245cbd1a5 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#13 0x55a245cbcb75 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#14 0x55a246ef09bc in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
|
#15 0x7ff9ae92c4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
|
|
Thread T5 created by T0 here:
|
#0 0x7ff9aeb72f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
|
#1 0x55a246ef0df8 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
|
#2 0x55a24578ca52 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
|
#3 0x55a2457a104e in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6508
|
#4 0x55a2457a1731 in create_new_thread /data/src/10.2/sql/mysqld.cc:6578
|
#5 0x55a2457a2749 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6853
|
#6 0x55a2457a05b9 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6127
|
#7 0x55a24578b3df in main /data/src/10.2/sql/main.cc:25
|
#8 0x7ff9acdac2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.2/sql/item_cmpfunc.h:1674 in Item_func_in::cleanup()
|
Shadow bytes around the buggy address:
|
0x0c5280014f10: 00 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7
|
0x0c5280014f20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280014f30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00
|
0x0c5280014f40: f7 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280014f50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
=>0x0c5280014f60: f7 f7 f7 f7 f7 f7 00 00 f7 00 00 f7[f7]f7 f7 f7
|
0x0c5280014f70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280014f80: f7 00 00 00 00 00 00 00 00 f7 00 00 f7 00 00 00
|
0x0c5280014f90: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00
|
0x0c5280014fa0: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
|
0x0c5280014fb0: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==13471==ABORTING
|
Non-debug build doesn't crash on my machine, but with SIGSEGV it's likely just the matter of luck.
Reproducible on 10.2-10.5 with at least InnoDB, MyISAM, Aria.
If the same test case is run with --ps-protocol, it produces the initially reported stack trace:
#3 <signal handler called>
|
#4 0x000055b5d4e9f10c in Item_func_in::cleanup (this=0x7f2840013b00) at /data/src/10.2/sql/item_cmpfunc.h:1673
|
#5 0x000055b5d4a7ec79 in Item::delete_self (this=0x7f2840013b00) at /data/src/10.2/sql/item.h:1898
|
#6 0x000055b5d4a75a96 in Query_arena::free_items (this=0x7f2840000b18) at /data/src/10.2/sql/sql_class.cc:3494
|
#7 0x000055b5d4a70fff in THD::cleanup_after_query (this=0x7f2840000b00) at /data/src/10.2/sql/sql_class.cc:2090
|
#8 0x000055b5d4ae29f1 in Prepared_statement::cleanup_stmt (this=0x7f2840006620) at /data/src/10.2/sql/sql_prepare.cc:3902
|
#9 0x000055b5d4ae5442 in Prepared_statement::execute (this=0x7f2840006620, expanded_query=0x7f2850c71f70, open_cursor=false) at /data/src/10.2/sql/sql_prepare.cc:4865
|
#10 0x000055b5d4ae3685 in Prepared_statement::execute_loop (this=0x7f2840006620, expanded_query=0x7f2850c71f70, open_cursor=false, packet=0x7f284008d73a "def", packet_end=0x7f284008d73a "def") at /data/src/10.2/sql/sql_prepare.cc:4266
|
#11 0x000055b5d4ae1075 in mysql_stmt_execute_common (thd=0x7f2840000b00, stmt_id=4, packet=0x7f284008d73a "def", packet_end=0x7f284008d73a "def", cursor_flags=0, bulk_op=false, read_types=false) at /data/src/10.2/sql/sql_prepare.cc:3268
|
#12 0x000055b5d4ae0c3b in mysqld_stmt_execute (thd=0x7f2840000b00, packet_arg=0x7f284008d731 "", packet_length=9) at /data/src/10.2/sql/sql_prepare.cc:3166
|
#13 0x000055b5d4ab5320 in dispatch_command (command=COM_STMT_EXECUTE, thd=0x7f2840000b00, packet=0x7f284008d731 "", packet_length=9, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1774
|
#14 0x000055b5d4ab3ff5 in do_command (thd=0x7f2840000b00) at /data/src/10.2/sql/sql_parse.cc:1385
|
#15 0x000055b5d4c08dfb in do_handle_one_connection (connect=0x55b5d7493a20) at /data/src/10.2/sql/sql_connect.cc:1336
|
#16 0x000055b5d4c08b66 in handle_one_connection (arg=0x55b5d7493a20) at /data/src/10.2/sql/sql_connect.cc:1241
|
#17 0x000055b5d5438b46 in pfs_spawn_thread (arg=0x55b5d749e810) at /data/src/10.2/storage/perfschema/pfs.cc:1862
|
#18 0x00007f28584b34a4 in start_thread (arg=0x7f2850c73700) at pthread_create.c:456
|
#19 0x00007f28569fbd0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
|
It is problem of condition pushdown, Item IN copy delete array and then original IN item trys to delete it.
More precise the problem is that IN tries to make copy for pushdown, it make copy of IN but fail it for arguments so the copy of IN done as it was done by get_item_copy and then did not setup as it should. And so it has original Array and tries to delete it first in the copy then in the original Item.
This patch fix this bug problem but I have to check if there are more problem like this.
diff --git a/sql/item.cc b/sql/item.cc
|
index 4f8433c28c0..a1c8ef01b90 100644
|
--- a/sql/item.cc
|
+++ b/sql/item.cc
|
@@ -2446,7 +2446,8 @@ Item* Item_ref::build_clone(THD *thd, MEM_ROOT *mem_root)
|
Item_ref *copy= (Item_ref *) get_copy(thd, mem_root);
|
if (!copy)
|
return 0;
|
- copy->ref=
|
+ DBUG_ASSERT(thd->is_runtime(mem_root));
|
+ copy->ref=
|
(Item**) alloc_root(mem_root, sizeof(Item*));
|
if (!copy->ref)
|
return 0;
|
diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc
|
index a28daf36f05..4572beeca62 100644
|
--- a/sql/item_cmpfunc.cc
|
+++ b/sql/item_cmpfunc.cc
|
@@ -4199,6 +4199,7 @@ bool Item_func_in::create_array(THD *thd)
|
}
|
if (!array || thd->is_fatal_error) // OOM
|
return true;
|
+ has_own_array= TRUE;
|
uint j=0;
|
for (uint i=1 ; i < arg_count ; i++)
|
{
|
@@ -4294,6 +4295,7 @@ bool Item_func_in::fix_length_and_dec()
|
array= new (thd->mem_root) in_row(thd, arg_count-1, 0);
|
if (!array)
|
return TRUE;
|
+ has_own_array= TRUE;
|
cmp= &((in_row*)array)->tmp;
|
}
|
else
|
@@ -4471,12 +4473,24 @@ longlong Item_func_in::val_int()
|
}
|
|
|
+Item *Item_func_in::get_copy(THD *thd, MEM_ROOT *mem_root)
|
+{
|
+ Item_func_in *clone= (Item_func_in *)
|
+ get_item_copy<Item_func_in>(thd, mem_root, this);
|
+ if (clone)
|
+ {
|
+ clone->has_own_array= FALSE;
|
+ bzero(&clone->cmp_items, sizeof(cmp_items));
|
+ }
|
+ return clone;
|
+}
|
+
|
+
|
Item *Item_func_in::build_clone(THD *thd, MEM_ROOT *mem_root)
|
{
|
Item_func_in *clone= (Item_func_in *) Item_func::build_clone(thd, mem_root);
|
if (clone)
|
{
|
- bzero(&clone->cmp_items, sizeof(cmp_items));
|
clone->fix_length_and_dec();
|
}
|
return clone;
|
diff --git a/sql/item_cmpfunc.h b/sql/item_cmpfunc.h
|
index 613fb75bcd6..f0fee0163c2 100644
|
--- a/sql/item_cmpfunc.h
|
+++ b/sql/item_cmpfunc.h
|
@@ -1652,12 +1652,13 @@ class Item_func_in :public Item_func_opt_neg
|
and can be used safely as comparisons for key conditions
|
*/
|
bool arg_types_compatible;
|
+ bool has_own_array;
|
Item_result left_cmp_type;
|
cmp_item *cmp_items[6]; /* One cmp_item for each result type */
|
|
Item_func_in(THD *thd, List<Item> &list):
|
Item_func_opt_neg(thd, list), array(0), have_null(0),
|
- arg_types_compatible(FALSE)
|
+ arg_types_compatible(FALSE), has_own_array(TRUE)
|
{
|
bzero(&cmp_items, sizeof(cmp_items));
|
allowed_arg_cols= 0; // Fetch this value from first argument
|
@@ -1671,7 +1672,8 @@ class Item_func_in :public Item_func_opt_neg
|
uint i;
|
DBUG_ENTER("Item_func_in::cleanup");
|
Item_int_func::cleanup();
|
- delete array;
|
+ if (has_own_array)
|
+ delete array;
|
array= 0;
|
for (i= 0; i <= (uint)TIME_RESULT; i++)
|
{
|
@@ -1708,8 +1710,7 @@ class Item_func_in :public Item_func_opt_neg
|
bool eval_not_null_tables(void *opt_arg);
|
void fix_after_pullout(st_select_lex *new_parent, Item **ref, bool merge);
|
bool count_sargable_conds(void *arg);
|
- Item *get_copy(THD *thd, MEM_ROOT *mem_root)
|
- { return get_item_copy<Item_func_in>(thd, mem_root, this); }
|
+ Item *get_copy(THD *thd, MEM_ROOT *mem_root);
|
Item *build_clone(THD *thd, MEM_ROOT *mem_root);
|
};
|
|
diff --git a/sql/sql_class.h b/sql/sql_class.h
|
index b35f9a93238..fa0285bf9ba 100644
|
--- a/sql/sql_class.h
|
+++ b/sql/sql_class.h
|
@@ -4515,6 +4515,7 @@ class THD :public Statement,
|
current_linfo= 0;
|
mysql_mutex_unlock(&LOCK_thread_count);
|
}
|
+ bool is_runtime (MEM_ROOT *root) { return root == & main_mem_root; }
|
};
|
|
inline void add_to_active_threads(THD *thd)
|
diff --git a/sql/table.cc b/sql/table.cc
|
index d6d86d96016..5252ca46dde 100644
|
--- a/sql/table.cc
|
+++ b/sql/table.cc
|
@@ -8432,6 +8432,7 @@ Item* TABLE_LIST::build_pushable_cond_for_table(THD *thd, Item *cond)
|
{
|
bool cond_and= false;
|
Item_cond *new_cond;
|
+ DBUG_ASSERT(thd->is_runtime(thd->mem_root));
|
if (((Item_cond*) cond)->functype() == Item_func::COND_AND_FUNC)
|
{
|
cond_and= true;
|
OK to push, but please first use stage tree for testing on buildbot (or if you did use ":" after MDEV in comment to make it easy by our robot to attach the commit to MDEV (also possible that our robot which attach the commits is not working again)
I can confirm that
MDEV-15755is in bb-10.2-compatibility, andMDEV-15347is not.