  1. MariaDB Server
  2. MDEV-18502

Server crash in find_field_in_tables upon 2nd execution of SP which causes ER_WRONG_GROUP_FIELD

    Details

      Description

      Note: I've seen a similar failure happen recently on 10.1 (af3cbb5), but the provided test case doesn't fail on 10.1 or 10.2. After problem analysis, please see if the code error exists in earlier versions and fix it there if necessary.

      # Reproducer for MDEV-18502 (mysqltest format): the second CALL of sp() is
      # reported to crash the server in find_field_in_tables instead of returning
      # ER_WRONG_GROUP_FIELD a second time.
      # NOTE(review): the crash is a SEGV in the statement path of the server
      # process, so treat it as an availability issue for any account allowed to
      # create and call routines; confirm the exact privileges required.
      CREATE TABLE t1 (id INT, f VARCHAR(1));
      # The procedure below reads through this view, not the base table.
      # NOTE(review): the report does not say whether the view is required to
      # trigger the crash; confirm during analysis.
      CREATE VIEW v1 AS SELECT * FROM t1;
      INSERT INTO t1 VALUES (1,'a'),(2,'b');
      # GROUP BY names both select-list aliases. f2 aliases the aggregate MAX(id),
      # which is presumably why the statement is rejected with ER_WRONG_GROUP_FIELD.
      CREATE PROCEDURE sp() SELECT f AS f1, MAX(id) AS f2 FROM v1 GROUP BY f1, f2 ORDER BY f1;
      # First execution: the error is the expected, correct outcome.
      --error ER_WRONG_GROUP_FIELD
      CALL sp;
      # Second execution: the same error is expected. On the reported 10.3 build
      # (a2fc3698) this call ends in a SEGV at address 0 instead. Both CALLs are
      # needed, because the failure only shows on re-execution of the procedure.
      --error ER_WRONG_GROUP_FIELD
      CALL sp;
       
      # Cleanup
      DROP PROCEDURE sp;
      DROP VIEW v1;
      DROP TABLE t1;
      

      10.3 a2fc3698 ASAN

      ==30245==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55c107111159 sp 0x7f40421972e0 bp 0x7f40421977f0 T5)
          #0 0x55c107111158 in find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) /data/src/10.3/sql/sql_base.cc:6163
          #1 0x55c1073866e3 in find_order_in_list /data/src/10.3/sql/sql_select.cc:23076
          #2 0x55c107387702 in setup_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, st_order*, bool*, bool) /data/src/10.3/sql/sql_select.cc:23249
          #3 0x55c1072e4dbd in setup_without_group /data/src/10.3/sql/sql_select.cc:670
          #4 0x55c1072e9864 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.3/sql/sql_select.cc:1113
          #5 0x55c107307e2d in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4217
          #6 0x55c1072e2b6a in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:385
          #7 0x55c107265534 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6551
          #8 0x55c1072539a5 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3772
          #9 0x55c1070651ed in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3594
          #10 0x55c107063ae1 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.3/sql/sp_head.cc:3322
          #11 0x55c1070649bc in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3500
          #12 0x55c107057c51 in sp_head::execute(THD*, bool) /data/src/10.3/sql/sp_head.cc:1354
          #13 0x55c10705ceb7 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.3/sql/sp_head.cc:2294
          #14 0x55c10724e2ba in do_execute_sp /data/src/10.3/sql/sql_parse.cc:2954
          #15 0x55c10724fd1b in Sql_cmd_call::execute(THD*) /data/src/10.3/sql/sql_parse.cc:3194
          #16 0x55c1072634cf in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6288
          #17 0x55c10726e3cc in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8095
          #18 0x55c1072484a4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1854
          #19 0x55c1072454b6 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1396
          #20 0x55c1075b8dfb in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
          #21 0x55c1075b8807 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1309
          #22 0x55c1080ee32f in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #23 0x7f404e771493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #24 0x7f404cb5793e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      AddressSanitizer can not provide additional info.
      SUMMARY: AddressSanitizer: SEGV /data/src/10.3/sql/sql_base.cc:6163 find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool)
      Thread T5 created by T0 here:
          #0 0x7f404e9aabba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x55c1080ee8f7 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
          #2 0x55c106faff58 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
          #3 0x55c106fc6264 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6589
          #4 0x55c106fc6969 in create_new_thread /data/src/10.3/sql/mysqld.cc:6659
          #5 0x55c106fc7980 in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6934
          #6 0x55c106fc5721 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6211
          #7 0x55c106fadfdf in main /data/src/10.3/sql/main.cc:25
          #8 0x7f404ca8f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      ==30245==ABORTING
      

      10.3 debug a2fc3698

      #3  <signal handler called>
      #4  0x0000557bcaf8f5fa in find_field_in_tables (thd=0x7f8e0c000b00, item=0x7f8e0c173d00, first_table=0x7f8e0c182b90, last_table=0x0, ref=0x7f8e1d6a8c28, report_error=IGNORE_ERRORS, check_privileges=false, register_tree_change=false) at /data/src/10.3/sql/sql_base.cc:6163
      #5  0x0000557bcb095376 in find_order_in_list (thd=0x7f8e0c000b00, ref_pointer_array=..., tables=0x7f8e0c182b90, order=0x7f8e0c183308, fields=..., all_fields=..., is_group_field=true, add_to_all_fields=true, from_window_spec=false) at /data/src/10.3/sql/sql_select.cc:23076
      #6  0x0000557bcb09587e in setup_group (thd=0x7f8e0c000b00, ref_pointer_array=..., tables=0x7f8e0c182b90, fields=..., all_fields=..., order=0x7f8e0c183308, hidden_group_fields=0x7f8e0c173307, from_window_spec=false) at /data/src/10.3/sql/sql_select.cc:23249
      #7  0x0000557bcb0572cb in setup_without_group (thd=0x7f8e0c000b00, ref_pointer_array=..., tables=0x7f8e0c182b90, leaves=..., fields=..., all_fields=..., conds=0x7f8e0c173428, order=0x7f8e0c1835f8, group=0x7f8e0c183308, win_specs=..., win_funcs=..., hidden_group_fields=0x7f8e0c173307, reserved=0x7f8e0c1845cc) at /data/src/10.3/sql/sql_select.cc:670
      #8  0x0000557bcb0595be in JOIN::prepare (this=0x7f8e0c173020, tables_init=0x7f8e0c182b90, wild_num=0, conds_init=0x0, og_num=3, order_init=0x7f8e0c1835f8, skip_order_by=false, group_init=0x7f8e0c183308, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f8e0c1842f0, unit_arg=0x7f8e0c183b80) at /data/src/10.3/sql/sql_select.cc:1113
      #9  0x0000557bcb064783 in mysql_select (thd=0x7f8e0c000b00, tables=0x7f8e0c182b90, wild_num=0, fields=..., conds=0x0, og_num=3, order=0x7f8e0c1835f8, group=0x7f8e0c183308, having=0x0, proc_param=0x0, select_options=2147749632, result=0x7f8e0c172ff8, unit=0x7f8e0c183b80, select_lex=0x7f8e0c1842f0) at /data/src/10.3/sql/sql_select.cc:4217
      #10 0x0000557bcb056768 in handle_select (thd=0x7f8e0c000b00, lex=0x7f8e0c183ab8, result=0x7f8e0c172ff8, setup_tables_done_option=0) at /data/src/10.3/sql/sql_select.cc:385
      #11 0x0000557bcb0211a0 in execute_sqlcom_select (thd=0x7f8e0c000b00, all_tables=0x7f8e0c182b90) at /data/src/10.3/sql/sql_parse.cc:6551
      #12 0x0000557bcb017811 in mysql_execute_command (thd=0x7f8e0c000b00) at /data/src/10.3/sql/sql_parse.cc:3772
      #13 0x0000557bcaf42d90 in sp_instr_stmt::exec_core (this=0x7f8e0c183650, thd=0x7f8e0c000b00, nextp=0x7f8e1d6aa754) at /data/src/10.3/sql/sp_head.cc:3594
      #14 0x0000557bcaf421ed in sp_lex_keeper::reset_lex_and_exec_core (this=0x7f8e0c183698, thd=0x7f8e0c000b00, nextp=0x7f8e1d6aa754, open_tables=false, instr=0x7f8e0c183650) at /data/src/10.3/sql/sp_head.cc:3322
      #15 0x0000557bcaf42972 in sp_instr_stmt::execute (this=0x7f8e0c183650, thd=0x7f8e0c000b00, nextp=0x7f8e1d6aa754) at /data/src/10.3/sql/sp_head.cc:3500
      #16 0x0000557bcaf3c6ed in sp_head::execute (this=0x7f8e0c181a18, thd=0x7f8e0c000b00, merge_da_on_success=true) at /data/src/10.3/sql/sp_head.cc:1354
      #17 0x0000557bcaf3f0b4 in sp_head::execute_procedure (this=0x7f8e0c181a18, thd=0x7f8e0c000b00, args=0x7f8e0c005768) at /data/src/10.3/sql/sp_head.cc:2294
      #18 0x0000557bcb015234 in do_execute_sp (thd=0x7f8e0c000b00, sp=0x7f8e0c181a18) at /data/src/10.3/sql/sql_parse.cc:2954
      #19 0x0000557bcb015db8 in Sql_cmd_call::execute (this=0x7f8e0c014db0, thd=0x7f8e0c000b00) at /data/src/10.3/sql/sql_parse.cc:3194
      #20 0x0000557bcb020088 in mysql_execute_command (thd=0x7f8e0c000b00) at /data/src/10.3/sql/sql_parse.cc:6288
      #21 0x0000557bcb025159 in mysql_parse (thd=0x7f8e0c000b00, rawbuf=0x7f8e0c014cf8 "CALL sp", length=7, parser_state=0x7f8e1d6ac5f0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8095
      #22 0x0000557bcb01230d in dispatch_command (command=COM_QUERY, thd=0x7f8e0c000b00, packet=0x7f8e0c00b201 "CALL sp", packet_length=7, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1854
      #23 0x0000557bcb010ce5 in do_command (thd=0x7f8e0c000b00) at /data/src/10.3/sql/sql_parse.cc:1396
      #24 0x0000557bcb17946d in do_handle_one_connection (connect=0x557bced02450) at /data/src/10.3/sql/sql_connect.cc:1403
      #25 0x0000557bcb1791f1 in handle_one_connection (arg=0x557bced02450) at /data/src/10.3/sql/sql_connect.cc:1309
      #26 0x0000557bcb6156f9 in pfs_spawn_thread (arg=0x557bcec471a0) at /data/src/10.3/storage/perfschema/pfs.cc:1862
      #27 0x00007f8e251dc494 in start_thread (arg=0x7f8e1d6ad700) at pthread_create.c:333
      #28 0x00007f8e235c293f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

              People

              • Assignee:
                varun Varun Gupta
                Reporter:
                elenst Elena Stepanova