Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-22019

Sig 11 in next_breadth_first_tab | max_sort_length setting + double GROUP BY leads to crash

Details

    Description

      This testcase:

      SET @@SESSION.max_sort_length=2000000;
      		 
      USE INFORMATION_SCHEMA;
      		 
      SELECT * FROM tables t JOIN columns c ON t.table_schema=c.table_schema WHERE c.table_schema=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.columns GROUP BY column_type) GROUP BY t.table_name;

      Leads to:

      Core was generated by `/data/MD140320-mariadb-10.4.13-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
      		 
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      		 
      57	../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.
      		 
      [Current thread is 1 (Thread 0x7f2ebdbde700 (LWP 18246))]
      		 
      (gdb) bt
      		 
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
      		 
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      		 
      #1  0x000055e9e382a987 in my_write_core (sig=sig@entry=11) at /data/git/10.4_opt/mysys/stacktrace.c:481
      		 
      #2  0x000055e9e329de3a in handle_fatal_signal (sig=11) at /data/git/10.4_opt/sql/signal_handler.cc:343
      		 
      #3  <signal handler called>
      		 
      #4  0x000055e9e30ca011 in next_breadth_first_tab (tab=0x7f2e76cf7800, n_top_tabs_count=2, 
          first_top_tab=0x7f2e76cf70b0) at /data/git/10.4_opt/sql/sql_select.cc:9921
      		 
      #5  JOIN::cleanup (this=this@entry=0x7f2e76c516b0, full=full@entry=true)
      		 
          at /data/git/10.4_opt/sql/sql_select.cc:13766
      		 
      #6  0x000055e9e30ca6f6 in JOIN::destroy (this=0x7f2e76c516b0) at /data/git/10.4_opt/sql/sql_select.cc:4481
      		 
      #7  0x000055e9e312a4d8 in st_select_lex::cleanup (this=this@entry=0x7f2e76c3f208)
      		 
          at /data/git/10.4_opt/sql/sql_union.cc:2070
      		 
      #8  0x000055e9e30e3392 in mysql_select (thd=thd@entry=0x7f2e76c12008, tables=0x7f2e76c3f7d8, wild_num=1, 
          fields=..., conds=<optimized out>, og_num=1, order=0x0, group=0x7f2e76c42f88, having=0x0, 
          proc_param=0x0, select_options=2684619520, result=0x7f2e76c51688, unit=0x7f2e76c15d70, 
          select_lex=0x7f2e76c3f208) at /data/git/10.4_opt/sql/sql_select.cc:4688
      		 
      #9  0x000055e9e30e35a1 in handle_select (thd=thd@entry=0x7f2e76c12008, lex=lex@entry=0x7f2e76c15cb0, 
          result=result@entry=0x7f2e76c51688, setup_tables_done_option=setup_tables_done_option@entry=0)
      		 
          at /data/git/10.4_opt/sql/sql_select.cc:410
      		 
      #10 0x000055e9e307f681 in execute_sqlcom_select (thd=thd@entry=0x7f2e76c12008, all_tables=0x7f2e76c3f7d8)
      		 
          at /data/git/10.4_opt/sql/sql_parse.cc:6359
      		 
      #11 0x000055e9e3088747 in mysql_execute_command (thd=thd@entry=0x7f2e76c12008)
      		 
          at /data/git/10.4_opt/sql/sql_parse.cc:3898
      		 
      #12 0x000055e9e308f37a in mysql_parse (thd=thd@entry=0x7f2e76c12008, rawbuf=<optimized out>, length=184, 
          parser_state=parser_state@entry=0x7f2ebdbdd140, is_com_multi=is_com_multi@entry=false, 
          is_next_command=is_next_command@entry=false) at /data/git/10.4_opt/sql/sql_parse.cc:7900
      		 
      #13 0x000055e9e3091939 in dispatch_command (command=command@entry=COM_QUERY, 
          thd=thd@entry=0x7f2e76c12008, 
          packet=packet@entry=0x7f2e76c32009 "SELECT * FROM tables t JOIN columns c ON t.table_schema=c.table_schema WHERE c.table_schema=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.columns GROUP BY column_type) GROUP BY t.table_name", packet_length=packet_length@entry=184, is_com_multi=is_com_multi@entry=false, 
          is_next_command=is_next_command@entry=false) at /data/git/10.4_opt/sql/sql_parse.cc:1841
      		 
      #14 0x000055e9e3093220 in do_command (thd=0x7f2e76c12008) at /data/git/10.4_opt/sql/sql_parse.cc:1359
      		 
      #15 0x000055e9e316fb2e in do_handle_one_connection (connect=connect@entry=0x7f2ebac31748)
      		 
          at /data/git/10.4_opt/sql/sql_connect.cc:1412
      		 
      #16 0x000055e9e316fbed in handle_one_connection (arg=0x7f2ebac31748)
      		 
          at /data/git/10.4_opt/sql/sql_connect.cc:1316
      		 
      #17 0x00007f2ebcb676db in start_thread (arg=0x7f2ebdbde700) at pthread_create.c:463
      		 
      #18 0x00007f2ebb80d88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      Bug confirmed present in:
      MariaDB: 10.2.32 (dbg), 10.2.32 (opt), 10.3.23 (dbg), 10.3.23 (opt), 10.4.13 (dbg), 10.4.13 (opt), 10.5.2 (dbg), 10.5.2 (opt)

      Bug confirmed not present in:
      MariaDB: 10.1.45 (dbg), 10.1.45 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

      A few observations;

      • Lowering the SESSION.max_sort_length stops the bug from occurring.

      10.4.13>SET @@SESSION.max_sort_length=200000;           # <- one less zero
      		 
      Query OK, 0 rows affected (0.000 sec)       
      10.4.13>USE INFORMATION_SCHEMA;
      		 
      Database changed
      		 
      10.4.13>SELECT * FROM tables t JOIN columns c ON t.table_schema=c.table_schema WHERE c.table_schema=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.columns GROUP BY column_type) GROUP BY t.table_name;
      		 
      ERROR 1242 (21000): Subquery returns more than 1 row
      		 
       
      		 
      10.4.13>SET @@SESSION.max_sort_length=2000000;
      		 
      Query OK, 0 rows affected (0.000 sec)
      		 
      10.4.13>SELECT * FROM tables t JOIN columns c ON t.table_schema=c.table_schema WHERE c.table_schema=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.columns GROUP BY column_type) GROUP BY t.table_name;
      		 
      ERROR 2013 (HY000): Lost connection to MySQL server during query

      • Removing the second GROUP BY stops this bug from occurring:

      10.4.13>SET @@SESSION.max_sort_length=2000000; 
      Query OK, 0 rows affected (0.000 sec)
      		 
      10.4.13>USE INFORMATION_SCHEMA;
      		 
      Database changed
      		 
      10.4.13>SELECT * FROM tables t JOIN columns c ON t.table_schema=c.table_schema WHERE c.table_schema=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.columns GROUP BY column_type);
      		 
      ERROR 1038 (HY001): Out of sort memory, consider increasing server sort buffer size

      Attachments

        Activity

          People

            varun Varun Gupta (Inactive)
            Roel Roel Van de Paar
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.