MariaDB Server / MDEV-22187

SIGSEGV in ha_innobase::cmp_ref on DELETE

Details

    Description

      # mysqld options required for replay:  --sql_mode=
      USE test;
      SET @@SESSION.sort_buffer_size=200;
      CREATE TEMPORARY TABLE t1(c1 CHAR(2) PRIMARY KEY,c2 INT ZEROFILL);
      CREATE TEMPORARY TABLE t2(c1 CHAR(255) PRIMARY KEY,c2 CHAR (255));
      INSERT INTO t1 VALUES(0,0);
      INSERT INTO t1 VALUES('aaa',0);
      INSERT INTO t2 VALUES('aaa',0);
      INSERT INTO t2 SELECT * FROM t1;
      DELETE FROM b,c USING t2 AS a JOIN t1 AS b JOIN t2 AS c;
      

      Leads to:

      10.5.3 e8351934b68d6d3ee273292eaa2ece203bb2b846

      Core was generated by `/data/MD020420-mariadb-10.5.3-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      [Current thread is 1 (Thread 0x7fe556220700 (LWP 31020))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      #1  0x000055ad8b1bed47 in my_write_core (sig=sig@entry=11) at /data/10.5_opt/mysys/stacktrace.c:518
      #2  0x000055ad8ab8087a in handle_fatal_signal (sig=11) at /data/10.5_opt/sql/signal_handler.cc:325
      #3  <signal handler called>
      #4  ha_innobase::cmp_ref (this=0x7fe527856830, ref1=0x7fe5278b0810 "0", ' ' <repeats 199 times>..., ref2=0x7fe5278b0216 "0", ' ' <repeats 199 times>...) at /data/10.5_opt/storage/innobase/handler/ha_innodb.cc:17088
      #5  0x000055ad8b1be84d in queue_insert (queue=queue@entry=0x7fe55621eb40, element=element@entry=0x7fe5278778f8 "\020\b\213'\345\177") at /data/10.5_opt/mysys/queues.c:204
      #6  0x000055ad8ab7ccfa in merge_buffers (param=param@entry=0x7fe55621ec50, from_file=from_file@entry=0x7fe52784c940, to_file=to_file@entry=0x7fe52784cd28, sort_buffer=..., lastbuff=lastbuff@entry=0x7fe527877818, Fb=0x7fe527877818, Tb=0x7fe527877930, flag=1) at /data/10.5_opt/sql/filesort.cc:1869
      #7  0x000055ad8ab7da96 in merge_index (param=param@entry=0x7fe55621ec50, sort_buffer=..., buffpek=buffpek@entry=0x7fe527877818, maxbuffer=<optimized out>, tempfile=tempfile@entry=0x7fe52784c940, outfile=0x7fe52784cd28) at /data/10.5_opt/sql/filesort.cc:2082
      #8  0x000055ad8aa5be19 in Unique::merge (this=this@entry=0x7fe52784c908, table=table@entry=0x7fe5278c1a18, buff=buff@entry=0x7fe5278b0018 "0", ' ' <repeats 199 times>..., buff_size=buff_size@entry=1275, without_last_merge=without_last_merge@entry=false) at /data/10.5_opt/sql/uniques.cc:753
      #9  0x000055ad8aa5c589 in Unique::get (this=0x7fe52784c908, table=table@entry=0x7fe5278c1a18) at /data/10.5_opt/sql/uniques.cc:810
      #10 0x000055ad8accee05 in multi_delete::do_deletes (this=0x7fe52784a4b0) at /data/10.5_opt/sql/sql_delete.cc:1448
      #11 0x000055ad8accef12 in multi_delete::send_eof (this=0x7fe52784a4b0) at /data/10.5_opt/sql/sql_delete.cc:1559
      #12 0x000055ad8a9e9f9c in do_select (procedure=<optimized out>, join=0x7fe52784a520) at /data/10.5_opt/sql/sql_select.cc:20192
      #13 JOIN::exec_inner (this=this@entry=0x7fe52784a520) at /data/10.5_opt/sql/sql_select.cc:4463
      #14 0x000055ad8a9ea257 in JOIN::exec (this=this@entry=0x7fe52784a520) at /data/10.5_opt/sql/sql_select.cc:4244
      #15 0x000055ad8a9e85a2 in mysql_select (thd=thd@entry=0x7fe527812018, tables=0x7fe527847f78, fields=..., conds=conds@entry=0x0, og_num=og_num@entry=0, order=order@entry=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2202244746112, result=0x7fe52784a4b0, unit=0x7fe527815e60, select_lex=0x7fe527816660) at /data/10.5_opt/sql/sql_select.cc:4668
      #16 0x000055ad8a98c308 in mysql_execute_command (thd=thd@entry=0x7fe527812018) at /data/10.5_opt/sql/sql_parse.cc:4806
      #17 0x000055ad8a992a6c in mysql_parse (thd=thd@entry=0x7fe527812018, rawbuf=<optimized out>, length=55, parser_state=parser_state@entry=0x7fe55621f4d0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/10.5_opt/sql/sql_parse.cc:7953
      #18 0x000055ad8a9878e0 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7fe527812018, packet=packet@entry=0x7fe52783a019 "DELETE FROM b,c USING t2 AS a JOIN t1 AS b JOIN t2 AS c", packet_length=packet_length@entry=55, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/10.5_opt/sql/sql_parse.cc:1839
      #19 0x000055ad8a985bff in do_command (thd=0x7fe527812018) at /data/10.5_opt/sql/sql_parse.cc:1358
      #20 0x000055ad8aa7a92e in do_handle_one_connection (connect=<optimized out>, connect@entry=0x7fe553c329b8, put_in_cache=put_in_cache@entry=true) at /data/10.5_opt/sql/sql_connect.cc:1422
      #21 0x000055ad8aa7aad4 in handle_one_connection (arg=arg@entry=0x7fe553c329b8) at /data/10.5_opt/sql/sql_connect.cc:1319
      #22 0x000055ad8ade69da in pfs_spawn_thread (arg=0x7fe553c4b018) at /data/10.5_opt/storage/perfschema/pfs.cc:2201
      #23 0x00007fe5556476db in start_thread (arg=0x7fe556220700) at pthread_create.c:463
      #24 0x00007fe554a4588f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.2.32 (opt), 10.3.23 (opt), 10.4.13 (opt), 10.5.3 (dbg), 10.5.3 (opt)

      Bug confirmed not present in:
      MariaDB: 10.1.45 (dbg), 10.1.45 (opt), 10.2.32 (dbg), 10.3.23 (dbg), 10.4.13 (dbg)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

      However:
      MariaDB 10.4.13 (dbg), 10.3.23 (dbg), 10.2.32 (dbg):

      10.4.13>DELETE FROM b,c USING t2 AS a JOIN t1 AS b JOIN t2 AS c;
      Query OK, 5 rows affected (0.211 sec)
       
      10.3.23>DELETE FROM b,c USING t2 AS a JOIN t1 AS b JOIN t2 AS c;
      Query OK, 5 rows affected (0.211 sec)
       
      10.2.32>DELETE FROM b,c USING t2 AS a JOIN t1 AS b JOIN t2 AS c;
      Query OK, 5 rows affected (0.37 sec)
      

      And, MariaDB 10.1.45 (opt/dbg):

      10.1.45>DELETE FROM b,c USING t2 AS a JOIN t1 AS b JOIN t2 AS c;
      ERROR 1137 (HY000): Can't reopen table: 'a'
      

            People

              varun Varun Gupta (Inactive)
              Roel Roel Van de Paar