Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 10.4(EOL), 10.5, 10.6, 10.7(EOL)
- None
Description
CREATE table t1 (i int);
insert into t1 values (1),(2),(3);

EXECUTE IMMEDIATE "CREATE PROCEDURE p1() SELECT 1 FROM t1 PROCEDURE ANALYSE( 10, (SELECT i FROM t1));";
drop table t1;

10.4 7955e197d0ceca3108bd0d7036edaff0d7e7a9cf
Version: '10.4.11-MariaDB-debug'
/10.4/src/sql/sp_head.cc:803: virtual sp_head::~sp_head(): Assertion `m_thd == __null' failed.
191128 17:38:08 [ERROR] mysqld got signal 6 ;

linux/raise.c:54(__GI_raise)[0x7f1aad83c428]
stdlib/abort.c:91(__GI_abort)[0x7f1aad83e02a]
assert/assert.c:92(__assert_fail_base)[0x7f1aad834bd7]
/lib/x86_64-linux-gnu/libc.so.6(+0x2dc82)[0x7f1aad834c82]
sql/sp_head.cc:805(sp_head::~sp_head())[0x556d9881e63e]
sql/sp_head.cc:832(sp_head::~sp_head())[0x556d9881e810]
sql/sql_lex.cc:819(lex_end_stage1(LEX*))[0x556d988dbc64]
sql/sql_prepare.cc:4085(Prepared_statement::prepare(char const*, unsigned int))[0x556d9894295b]
sql/sql_prepare.cc:4874(Prepared_statement::execute_immediate(char const*, unsigned int))[0x556d98944fc1]
sql/sql_prepare.cc:2922(mysql_sql_stmt_execute_immediate(THD*))[0x556d9893f67c]
sql/sql_parse.cc:3906(mysql_execute_command(THD*))[0x556d9891610d]
sql/sql_parse.cc:7901(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x556d98924b4b]
sql/sql_parse.cc:1844(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x556d9890fcf8]
sql/sql_parse.cc:1360(do_command(THD*))[0x556d9890e359]
sql/sql_connect.cc:1412(do_handle_one_connection(CONNECT*))[0x556d98a97e4d]
sql/sql_connect.cc:1317(handle_one_connection)[0x556d98a97b76]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7f1aaed2b6ba]
x86_64/clone.S:111(clone)[0x7f1aad90e41d]
Issue Links
- is duplicated by
  - MDEV-23793 Assertion `m_thd == __null' failed in sp_head::~sp_head() (Closed)
- relates to
  - MDEV-22016 munmap_chunk(): invalid pointer, crash in alloc_root, ASAN heap-use-after-free in lex_end_stage1 or Assertion `m_thd == __null' failed (Closed)
  - MDEV-28129 MariaDB UAF issue at lex_end_nops(LEX*) (Closed)
Activity
Field | Original Value | New Value |
---|---|---|
Assignee | Alice Sherepa [ alice ] | Oleksandr Byelkin [ sanja ] |
Summary | [draft] Assertion `m_thd == __null' failed | Assertion `m_thd == __null' failed |
Summary | Assertion `m_thd == __null' failed | Assertion `m_thd == __null' failed in sp_head::~sp_head |
Fix Version/s | 10.4 [ 22408 ] |
Component/s | Prepared Statements [ 10804 ] |
Link | This issue relates to |
Link | This issue is duplicated by |
Assignee | Oleksandr Byelkin [ sanja ] | Dmitry Shulga [ JIRAUSER47315 ] |
Workflow | MariaDB v3 [ 101470 ] | MariaDB v4 [ 141669 ] |
Affects Version/s | 10.5 [ 23123 ] | |
Affects Version/s | 10.6 [ 24028 ] | |
Affects Version/s | 10.7 [ 24805 ] |
Fix Version/s | 10.5 [ 23123 ] | |
Fix Version/s | 10.6 [ 24028 ] | |
Fix Version/s | 10.7 [ 24805 ] |
Link | This issue relates to |
Status | Open [ 1 ] | In Progress [ 3 ] |
Assignee | Dmitry Shulga [ JIRAUSER47315 ] | Oleksandr Byelkin [ sanja ] |
Status | In Progress [ 3 ] | In Review [ 10002 ] |
Assignee | Oleksandr Byelkin [ sanja ] | Dmitry Shulga [ JIRAUSER47315 ] |
Status | In Review [ 10002 ] | Stalled [ 10000 ] |
Fix Version/s | 10.4.25 [ 27510 ] | |
Fix Version/s | 10.5.16 [ 27508 ] | |
Fix Version/s | 10.6.8 [ 27506 ] | |
Fix Version/s | 10.7.4 [ 27504 ] | |
Fix Version/s | 10.8.3 [ 27502 ] | |
Fix Version/s | 10.9.1 [ 27114 ] | |
Fix Version/s | 10.4 [ 22408 ] | |
Fix Version/s | 10.5 [ 23123 ] | |
Fix Version/s | 10.6 [ 24028 ] | |
Fix Version/s | 10.7 [ 24805 ] | |
Resolution | Fixed [ 1 ] | |
Status | Stalled [ 10000 ] | Closed [ 6 ] |
The test case doesn't crash on a non-debug build, but it may be just luck, because it does fail on a non-debug ASAN build:
10.5 ASAN RelWithDebInfo faab0d31a
==26667==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500013f628 at pc 0x56449afea805 bp 0x7f8e480724b0 sp 0x7f8e480724a8
READ of size 8 at 0x62500013f628 thread T5
#0 0x56449afea804 in cleanup_items(Item*) /data/src/10.5-bug/sql/sql_parse.cc:1137
#1 0x56449b03527a in Prepared_statement::cleanup_stmt() /data/src/10.5-bug/sql/sql_prepare.cc:3919
#2 0x56449b03ca61 in Prepared_statement::prepare(char const*, unsigned int) /data/src/10.5-bug/sql/sql_prepare.cc:4112
#3 0x56449b047677 in Prepared_statement::execute_immediate(char const*, unsigned int) /data/src/10.5-bug/sql/sql_prepare.cc:4903
#4 0x56449b047cdf in mysql_sql_stmt_execute_immediate(THD*) /data/src/10.5-bug/sql/sql_prepare.cc:2941
#5 0x56449aff72d6 in mysql_execute_command(THD*) /data/src/10.5-bug/sql/sql_parse.cc:3905
#6 0x56449b00aa94 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5-bug/sql/sql_parse.cc:7926
#7 0x56449afee230 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5-bug/sql/sql_parse.cc:1840
#8 0x56449afeab3b in do_command(THD*) /data/src/10.5-bug/sql/sql_parse.cc:1359
#9 0x56449b295b97 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5-bug/sql/sql_connect.cc:1422
#10 0x56449b296306 in handle_one_connection /data/src/10.5-bug/sql/sql_connect.cc:1319
#11 0x56449bb97693 in pfs_spawn_thread /data/src/10.5-bug/storage/perfschema/pfs.cc:2201
#12 0x7f8e525114a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
#13 0x7f8e50645d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
0x62500013f628 is located 7464 bytes inside of 8240-byte region [0x62500013d900,0x62500013f930)
freed by thread T5 here:
#0 0x7f8e527e8a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
#1 0x56449c488a73 in free_root /data/src/10.5-bug/mysys/my_alloc.c:416
#2 0x1f (<unknown module>)
previously allocated by thread T5 here:
#0 0x7f8e527e8d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x56449c49a523 in my_malloc /data/src/10.5-bug/mysys/my_malloc.c:88
Thread T5 created by T0 here:
#0 0x7f8e52757f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x56449bb9790a in my_thread_create /data/src/10.5-bug/storage/perfschema/my_thread.h:34
#2 0x56449bb9790a in pfs_spawn_thread_v1 /data/src/10.5-bug/storage/perfschema/pfs.cc:2252
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.5-bug/sql/sql_parse.cc:1137 in cleanup_items(Item*)
==26667==ABORTING
200323 18:46:57 [ERROR] mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.
Server version: 10.5.2-MariaDB-log
key_buffer_size=1048576
read_buffer_size=131072
max_used_connections=1
max_threads=153
thread_count=2
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63593 K bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
Thread pointer: 0x62b000062218
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f8e48075980 thread_stack 0x5fc00
??:0(backtrace)[0x7f8e52774681]
/data/src/10.5-bug/sql/mysqld(my_print_stacktrace+0xb6)[0x56449c4a2986]
/data/src/10.5-bug/sql/mysqld(handle_fatal_signal+0x7e6)[0x56449b531b66]
??:0(__restore_rt)[0x7f8e5251b0e0]
/lib/x86_64-linux-gnu/libc.so.6(gsignal+0xcf)[0x7f8e5058ffff]
/lib/x86_64-linux-gnu/libc.so.6(abort+0x16a)[0x7f8e5059142a]
??:0(__sanitizer_cov_trace_switch)[0x7f8e52802329]
??:0(__asan_print_accumulated_stats)[0x7f8e527f79ab]
??:0(__asan_unpoison_intra_object_redzone)[0x7f8e527f1b57]
??:0(__asan_report_load8)[0x7f8e527f2398]
/data/src/10.5-bug/sql/mysqld(_Z13cleanup_itemsP4Item+0x65)[0x56449afea805]
/data/src/10.5-bug/sql/mysqld(_ZN18Prepared_statement12cleanup_stmtEv+0x6b)[0x56449b03527b]
/data/src/10.5-bug/sql/mysqld(_ZN18Prepared_statement7prepareEPKcj+0x17a2)[0x56449b03ca62]
/data/src/10.5-bug/sql/mysqld(_ZN18Prepared_statement17execute_immediateEPKcj+0x1f8)[0x56449b047678]
sql/sql_parse.cc:1136(cleanup_items(Item*))[0x56449b047ce0]
sql/sql_prepare.cc:3920(Prepared_statement::cleanup_stmt())[0x56449aff72d7]
sql/sql_prepare.cc:4113(Prepared_statement::prepare(char const*, unsigned int))[0x56449b00aa95]
sql/sql_prepare.cc:4903(Prepared_statement::execute_immediate(char const*, unsigned int))[0x56449afee231]
sql/sql_class.h:1463(Item_change_list_savepoint::rollback(Item_change_list*))[0x56449afeab3c]
sql/sql_parse.cc:5441(mysql_execute_command(THD*))[0x56449b295b98]
sql/sql_parse.cc:7943(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x56449b296307]
sql/sql_parse.cc:1842(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x56449bb97694]
nptl/pthread_create.c:456(start_thread)[0x7f8e525114a4]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x3f)[0x7f8e50645d0f]
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x62b00008ddb8): CREATE PROCEDURE p1() SELECT 1 FROM t1 PROCEDURE ANALYSE( 10, (SELECT i FROM t1))
Connection ID (thread ID): 4
Status: NOT_KILLED
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
Writing a core file...
Working directory at /dev/shm/var_t/mysqld.1/data
Resource Limits:
Limit Soft Limit Hard Limit Units
Max cpu time unlimited unlimited seconds
Max file size unlimited unlimited bytes
Max data size unlimited unlimited bytes
Max stack size 8388608 unlimited bytes
Max core file size 0 0 bytes
Max resident set unlimited unlimited bytes
Max processes 128123 128123 processes
Max open files 1024 1024 files
Max locked memory 65536 65536 bytes
Max address space unlimited unlimited bytes
Max file locks unlimited unlimited locks
Max pending signals 128123 128123 signals
Max msgqueue size 819200 819200 bytes
Max nice priority 0 0
Max realtime priority 0 0
Max realtime timeout unlimited unlimited us
Core pattern: core