  MariaDB Server / MDEV-21999

Server crashes in LEX::create_item_ident or LEX::create_item_ident_nospvar

Details

    Description

      Note: Possibly related to MDEV-21998. The stack trace is different, though; also, this one doesn't need sequences, and the crash is reproducible on non-debug builds as well.

      KILL ( SELECT 1 ) IN ( a.b );

      10.4 debug 81f70001

      #3  <signal handler called>
      #4  0x000055bf14c926b2 in LEX::create_item_ident_nospvar (this=0x7f8c5c004958, thd=0x7f8c5c000af0, a=0x7f8c6e25a450, b=0x7f8c6e25a460) at /data/src/10.4/sql/sql_lex.cc:7212
      #5  0x000055bf14c9343c in LEX::create_item_ident (this=0x7f8c5c004958, thd=0x7f8c5c000af0, ca=0x7f8c6e25b5e0, cb=0x7f8c6e25b610) at /data/src/10.4/sql/sql_lex.cc:7404
      #6  0x000055bf14f7eeb4 in MYSQLparse (thd=0x7f8c5c000af0) at /data/src/10.4/sql/sql_yacc.yy:15566
      #7  0x000055bf14ccf03a in parse_sql (thd=0x7f8c5c000af0, parser_state=0x7f8c6e25c160, creation_ctx=0x0, do_pfs_digest=true) at /data/src/10.4/sql/sql_parse.cc:10206
      #8  0x000055bf14cc985e in mysql_parse (thd=0x7f8c5c000af0, rawbuf=0x7f8c5c0132f0 "KILL ( SELECT 1 ) IN ( a.b )", length=28, parser_state=0x7f8c6e25c160, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7853
      #9  0x000055bf14cb4bd0 in dispatch_command (command=COM_QUERY, thd=0x7f8c5c000af0, packet=0x7f8c5c136171 "KILL ( SELECT 1 ) IN ( a.b )", packet_length=28, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1842
      #10 0x000055bf14cb325d in do_command (thd=0x7f8c5c000af0) at /data/src/10.4/sql/sql_parse.cc:1360
      #11 0x000055bf14e3c70f in do_handle_one_connection (connect=0x55bf1742b520) at /data/src/10.4/sql/sql_connect.cc:1412
      #12 0x000055bf14e3c45e in handle_one_connection (arg=0x55bf1742b520) at /data/src/10.4/sql/sql_connect.cc:1316
      #13 0x000055bf15844d6d in pfs_spawn_thread (arg=0x55bf1733f4b0) at /data/src/10.4/storage/perfschema/pfs.cc:1869
      #14 0x00007f8c7603b4a4 in start_thread (arg=0x7f8c6e25d700) at pthread_create.c:456
      #15 0x00007f8c7416fd0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

      KILL ( SELECT 1 ) IN ( a.b.c );

      #3  <signal handler called>
      #4  0x000055decf5de581 in LEX::create_item_ident (this=0x7f8d78004958, thd=0x7f8d78000af0, a=0x7f8d941de450, b=0x7f8d941de430, c=0x7f8d941de440) at /data/src/10.4/sql/sql_lex.cc:7428
      #5  0x000055decf8dbd7c in LEX::create_item_ident (this=0x7f8d78004958, thd=0x7f8d78000af0, ca=0x7f8d941df5e0, cb=0x7f8d941df610, cc=0x7f8d941df640) at /data/src/10.4/sql/sql_lex.h:3929
      #6  0x000055decf8c9fe2 in MYSQLparse (thd=0x7f8d78000af0) at /data/src/10.4/sql/sql_yacc.yy:15577
      #7  0x000055decf61a03a in parse_sql (thd=0x7f8d78000af0, parser_state=0x7f8d941e0160, creation_ctx=0x0, do_pfs_digest=true) at /data/src/10.4/sql/sql_parse.cc:10206
      #8  0x000055decf61485e in mysql_parse (thd=0x7f8d78000af0, rawbuf=0x7f8d780132f0 "KILL ( SELECT 1 ) IN ( a.b.c )", length=30, parser_state=0x7f8d941e0160, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7853
      #9  0x000055decf5ffbd0 in dispatch_command (command=COM_QUERY, thd=0x7f8d78000af0, packet=0x7f8d78136171 "KILL ( SELECT 1 ) IN ( a.b.c )", packet_length=30, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1842
      #10 0x000055decf5fe25d in do_command (thd=0x7f8d78000af0) at /data/src/10.4/sql/sql_parse.cc:1360
      #11 0x000055decf78770f in do_handle_one_connection (connect=0x55ded2196530) at /data/src/10.4/sql/sql_connect.cc:1412
      #12 0x000055decf78745e in handle_one_connection (arg=0x55ded2196530) at /data/src/10.4/sql/sql_connect.cc:1316
      #13 0x000055ded018fd6d in pfs_spawn_thread (arg=0x55ded20aa4c0) at /data/src/10.4/storage/perfschema/pfs.cc:1869
      #14 0x00007f8d9b7be4a4 in start_thread (arg=0x7f8d941e1700) at pthread_create.c:456
      #15 0x00007f8d998f2d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

      Reproducible on 10.4, 10.5, debug and non-debug.
      Not reproducible on 10.3.

          Activity

            elenst Elena Stepanova added a comment (edited)

            Slightly less meaningless query (more chance to happen in real life, even if by mistake):

            CASE WHEN ( VALUES () ) IN ( a.b ) THEN 1 END CASE;

            10.4 bf2a2444

            #3  <signal handler called>
            #4  0x0000561127a64684 in LEX::create_item_ident_nospvar (this=0x7fceec12fc38, thd=0x7fceec000af0, a=0x7fcefde38860, b=0x7fcefde38870) at /data/src/10.4/sql/sql_lex.cc:7222
            #5  0x0000561127a6540e in LEX::create_item_ident (this=0x7fceec12fc38, thd=0x7fceec000af0, ca=0x7fcefde399f0, cb=0x7fcefde39a20) at /data/src/10.4/sql/sql_lex.cc:7414
            #6  0x0000561127d479ff in MYSQLparse (thd=0x7fceec000af0) at /data/src/10.4/sql/sql_yacc.yy:15566
            #7  0x0000561127a9f654 in parse_sql (thd=0x7fceec000af0, parser_state=0x7fcefde3a570, creation_ctx=0x0, do_pfs_digest=true) at /data/src/10.4/sql/sql_parse.cc:10207
            #8  0x0000561127a9a026 in mysql_parse (thd=0x7fceec000af0, rawbuf=0x7fceec0132f0 "CASE WHEN ( VALUES () ) IN ( a.b ) THEN 1 END CASE", length=50, parser_state=0x7fcefde3a570, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7854
            #9  0x0000561127a86753 in dispatch_command (command=COM_QUERY, thd=0x7fceec000af0, packet=0x7fceec1364f1 "CASE WHEN ( VALUES () ) IN ( a.b ) THEN 1 END CASE", packet_length=50, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1842
            #10 0x0000561127a84ef5 in do_command (thd=0x7fceec000af0) at /data/src/10.4/sql/sql_parse.cc:1360
            #11 0x0000561127c0daa8 in do_handle_one_connection (connect=0x56112be5dce0) at /data/src/10.4/sql/sql_connect.cc:1412
            #12 0x0000561127c0d7f7 in handle_one_connection (arg=0x56112be5dce0) at /data/src/10.4/sql/sql_connect.cc:1316
            #13 0x000056112860bda1 in pfs_spawn_thread (arg=0x56112be79900) at /data/src/10.4/storage/perfschema/pfs.cc:1869
            #14 0x00007fcf05c194a4 in start_thread (arg=0x7fcefde3b700) at pthread_create.c:456
            #15 0x00007fcf03d4dd0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

            sanja Oleksandr Byelkin added a comment

            It looks like it was fixed by MDEV-21998

            ==============================================================================

            TEST                                      RESULT   TIME (ms) or COMMENT
            --------------------------------------------------------------------------

            worker[1] Using MTR_BUILD_THREAD 300, with reserved ports 16000..16019
            KILL ( SELECT 1 ) IN ( a.b );
            ERROR 42S22: Unknown column 'b' in 'field list'
            KILL ( SELECT 1 ) IN ( a.b.c );
            ERROR 42S22: Unknown column 'c' in 'field list'
            main.test                                [ pass ]      1
            --------------------------------------------------------------------------

            People

              sanja Oleksandr Byelkin
              elenst Elena Stepanova