[MDEV-28958] Crash when checking whether condition can be pushed into view - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11
Fix Version/s: 11.1.0, 10.11.3, 10.8.8, 10.9.6, 10.10.4
Component/s: Optimizer
Labels:

Description

CREATE TABLE c(c INT) ENGINE=InnoDB;

SELECT * FROM(SELECT * FROM c GROUP BY NOT c=c) AS c NATURAL JOIN c AS c GROUP BY c HAVING c=c OR c=c;

Leads to:

10.10.0 081a284712bb661349e2e3802077b12211cede3e (Optimized)
Core was generated by `/test/MD310522-mariadb-10.10.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000055ae368d5e44 in Item::clear_extraction_flag (this=0x149bb20a4090)
at /test/10.10_opt/sql/item.h:2664
[Current thread is 1 (Thread 0x149b98d48700 (LWP 3347048))]
(gdb) bt
#0 0x000055ae368d5e44 in Item::clear_extraction_flag (this=0x149bb20a4090) at /test/10.10_opt/sql/item.h:2664
#1 Item::check_pushable_cond (this=0x149bb20a4090, checker=(bool (Item::)(Item const, uchar )) 0x55ae3662aec0 <Item::pushable_cond_checker_for_derived(unsigned char)>, arg=0x149b5404b128 "\001") at /test/10.10_opt/sql/item.cc:7505
#2 0x000055ae368d5f99 in Item::check_pushable_cond (this=0x149b5401fa68, checker=<optimized out>, arg=0x149b5404b128 "\001") at /test/10.10_opt/sql/item.cc:7514
#3 0x000055ae368d5eea in Item::check_pushable_cond (this=this@entry=0x149b540220a8, checker=<optimized out>, arg=0x149b5404b128 "\001") at /test/10.10_opt/sql/item.cc:7514
#4 0x000055ae36629be1 in pushdown_cond_for_derived (thd=0x149b54000c58, cond=0x149b540220a8, derived=derived@entry=0x149b540129e0) at /test/10.10_opt/sql/sql_derived.cc:1538
#5 0x000055ae366e0b45 in JOIN::optimize_inner (this=0x149b54020458) at /test/10.10_opt/sql/sql_select.cc:2318
#6 0x000055ae366e3b13 in JOIN::optimize (this=this@entry=0x149b54020458) at /test/10.10_opt/sql/sql_select.cc:1845
#7 0x000055ae366e3bfe in mysql_select (thd=0x149b54000c58, tables=0x149b540129e0, fields=@0x149b54010ad8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x149b54010dc8, last = 0x149b54010dc8, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x149b540140c8, having=0x149b5401fa68, proc_param=0x0, select_options=<optimized out>, result=0x149b54020430, unit=0x149b54004cb8, select_lex=0x149b54010838) at /test/10.10_opt/sql/sql_select.cc:5030
#8 0x000055ae366e4397 in handle_select (thd=thd@entry=0x149b54000c58, lex=lex@entry=0x149b54004be0, result=result@entry=0x149b54020430, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.10_opt/sql/sql_select.cc:578
#9 0x000055ae366679b1 in execute_sqlcom_select (thd=0x149b54000c58, all_tables=0x149b540129e0) at /test/10.10_opt/sql/sql_parse.cc:6260
#10 0x000055ae3667552d in mysql_execute_command (thd=0x149b54000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:3944
#11 0x000055ae36662bb5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x149b54000c58) at /test/10.10_opt/sql/sql_parse.cc:8036
#12 mysql_parse (thd=0x149b54000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:7958
#13 0x000055ae3666e6ca in dispatch_command (command=COM_QUERY, thd=0x149b54000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.10_opt/sql/sql_class.h:1364
#14 0x000055ae366705f2 in do_command (thd=0x149b54000c58, blocking=blocking@entry=true) at /test/10.10_opt/sql/sql_parse.cc:1407
#15 0x000055ae367868af in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55ae39b31eb8, put_in_cache=put_in_cache@entry=true) at /test/10.10_opt/sql/sql_connect.cc:1418
#16 0x000055ae36786b8d in handle_one_connection (arg=0x55ae39b31eb8) at /test/10.10_opt/sql/sql_connect.cc:1312
#17 0x0000149bb1f88609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x0000149bb1b74133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.10.2 5deccac4aaf1be948a0ae10f40bb5f668ac37a4d (Debug)
Core was generated by `/test/MD190922-mariadb-10.10.2-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 Item::clear_extraction_flag (this=0x14dcb199d090)
at /test/10.10_dbg/sql/item.h:2674
[Current thread is 1 (Thread 0x14dc9880d700 (LWP 620908))]
(gdb) bt
#0 Item::clear_extraction_flag (this=0x14dcb199d090) at /test/10.10_dbg/sql/item.h:2674
#1 Item::check_pushable_cond (this=0x14dcb199d090, checker=(bool (Item::)(Item const, uchar )) 0x558ff487bd8a <Item::pushable_cond_checker_for_derived(unsigned char)>, arg=0x14dc5806c5e8 "\001") at /test/10.10_dbg/sql/item.cc:7521
#2 0x0000558ff4be982e in Item::check_pushable_cond (this=0x14dc58027278, checker=<optimized out>, arg=0x14dc5806c5e8 "\001") at /test/10.10_dbg/sql/item.cc:7530
#3 0x0000558ff4be982e in Item::check_pushable_cond (this=this@entry=0x14dc58029920, checker=<optimized out>, arg=0x14dc5806c5e8 "\001") at /test/10.10_dbg/sql/item.cc:7530
#4 0x0000558ff487a5d6 in pushdown_cond_for_derived (thd=0x14dc58000d48, cond=0x14dc58029920, derived=derived@entry=0x14dc580153b0) at /test/10.10_dbg/sql/sql_derived.cc:1538
#5 0x0000558ff4958f15 in JOIN::optimize_inner (this=this@entry=0x14dc58027c68) at /test/10.10_dbg/sql/sql_select.cc:2339
#6 0x0000558ff49599f6 in JOIN::optimize (this=this@entry=0x14dc58027c68) at /test/10.10_dbg/sql/sql_select.cc:1863
#7 0x0000558ff4959ae9 in mysql_select (thd=thd@entry=0x14dc58000d48, tables=0x14dc580153b0, fields=@0x14dc580134a8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14dc58013798, last = 0x14dc58013798, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x14dc58016aa0, having=0x14dc58027278, proc_param=0x0, select_options=2164525824, result=0x14dc58027c40, unit=0x14dc58004f80, select_lex=0x14dc58013208) at /test/10.10_dbg/sql/sql_select.cc:5056
#8 0x0000558ff495a332 in handle_select (thd=thd@entry=0x14dc58000d48, lex=lex@entry=0x14dc58004ea8, result=result@entry=0x14dc58027c40, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.10_dbg/sql/sql_select.cc:581
#9 0x0000558ff48c43e7 in execute_sqlcom_select (thd=thd@entry=0x14dc58000d48, all_tables=0x14dc580153b0) at /test/10.10_dbg/sql/sql_parse.cc:6261
#10 0x0000558ff48d0755 in mysql_execute_command (thd=thd@entry=0x14dc58000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:3945
#11 0x0000558ff48be68d in mysql_parse (thd=thd@entry=0x14dc58000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14dc9880c330) at /test/10.10_dbg/sql/sql_parse.cc:8035
#12 0x0000558ff48cbcbf in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14dc58000d48, packet=packet@entry=0x14dc5800adb9 "SELECT * FROM(SELECT * FROM c GROUP BY NOT c=c) AS c NATURAL JOIN c AS c GROUP BY c HAVING c=c OR c=c", packet_length=packet_length@entry=101, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1345
#13 0x0000558ff48ce3e2 in do_command (thd=0x14dc58000d48, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407
#14 0x0000558ff4a30abd in do_handle_one_connection (connect=<optimized out>, connect@entry=0x558ff77ab1a8, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1416
#15 0x0000558ff4a30fc7 in handle_one_connection (arg=0x558ff77ab1a8) at /test/10.10_dbg/sql/sql_connect.cc:1318
#16 0x000014dcb1881609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#17 0x000014dcb146d133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.36 (dbg), 10.3.36 (opt), 10.4.26 (dbg), 10.4.26 (opt), 10.5.17 (dbg), 10.5.17 (opt), 10.6.9 (dbg), 10.6.9 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

diff
4 kB
2022-11-28 13:19

Issue Links

causes

MDEV-32412 Pushdown from HAVING: Item_func is immutable while arguments are not

Stalled

Activity

Ascending order - Click to sort in descending order

Roel Van de Paar created issue - 2022-06-27 10:50

Roel Van de Paar made changes - 2022-06-27 10:52

Field	Original Value	New Value
Summary	SIGSEGV in Item::clear_extraction_flag	SIGSEGV in Item::clear_extraction_flag on SELECT

Roel Van de Paar added a comment - 2022-07-13 07:37

Secondary testcase

CREATE TABLE c(c CHAR) ENGINE=InnoDB;

SELECT * FROM(SELECT * FROM c GROUP BY NOT c=c / c % 0)AS c NATURAL JOIN c AS c GROUP BY c HAVING c=c OR c=c;

Leads to:

10.10.0 081a284712bb661349e2e3802077b12211cede3e (Debug)
Core was generated by `/test/MD310522-mariadb-10.10.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 Item::clear_extraction_flag (this=0x14f25cbb4090)
at /test/10.10_dbg/sql/item.h:2664
[Current thread is 1 (Thread 0x14f213dfe700 (LWP 3169405))]
(gdb) bt
#0 Item::clear_extraction_flag (this=0x14f25cbb4090) at /test/10.10_dbg/sql/item.h:2664
#1 Item::check_pushable_cond (this=0x14f25cbb4090, checker=(bool (Item::)(Item const, uchar )) 0x55aecf0f8a74 <Item::pushable_cond_checker_for_derived(unsigned char)>, arg=0x14f1fc072308 "\001") at /test/10.10_dbg/sql/item.cc:7505
#2 0x000055aecf460afa in Item::check_pushable_cond (this=0x14f1fc024710, checker=<optimized out>, arg=0x14f1fc072308 "\001") at /test/10.10_dbg/sql/item.cc:7514
#3 0x000055aecf460afa in Item::check_pushable_cond (this=this@entry=0x14f1fc026e88, checker=<optimized out>, arg=0x14f1fc072308 "\001") at /test/10.10_dbg/sql/item.cc:7514
#4 0x000055aecf0f72c0 in pushdown_cond_for_derived (thd=0x14f1fc000db8, cond=0x14f1fc026e88, derived=derived@entry=0x14f1fc016218) at /test/10.10_dbg/sql/sql_derived.cc:1538
#5 0x000055aecf1d3971 in JOIN::optimize_inner (this=this@entry=0x14f1fc025100) at /test/10.10_dbg/sql/sql_select.cc:2318
#6 0x000055aecf1d4452 in JOIN::optimize (this=this@entry=0x14f1fc025100) at /test/10.10_dbg/sql/sql_select.cc:1845
#7 0x000055aecf1d4545 in mysql_select (thd=thd@entry=0x14f1fc000db8, tables=0x14f1fc016218, fields=@0x14f1fc014008: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14f1fc0142f8, last = 0x14f1fc0142f8, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x14f1fc017900, having=0x14f1fc024710, proc_param=0x0, select_options=2147748608, result=0x14f1fc0250d8, unit=0x14f1fc004fd8, select_lex=0x14f1fc013d68) at /test/10.10_dbg/sql/sql_select.cc:5030
#8 0x000055aecf1d4d8e in handle_select (thd=thd@entry=0x14f1fc000db8, lex=lex@entry=0x14f1fc004f00, result=result@entry=0x14f1fc0250d8, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.10_dbg/sql/sql_select.cc:578
#9 0x000055aecf140b5e in execute_sqlcom_select (thd=thd@entry=0x14f1fc000db8, all_tables=0x14f1fc016218) at /test/10.10_dbg/sql/sql_parse.cc:6260
#10 0x000055aecf14ce70 in mysql_execute_command (thd=thd@entry=0x14f1fc000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:3944
#11 0x000055aecf13ae3a in mysql_parse (thd=thd@entry=0x14f1fc000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14f213dfd470) at /test/10.10_dbg/sql/sql_parse.cc:8036
#12 0x000055aecf148422 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14f1fc000db8, packet=packet@entry=0x14f1fc00b6d9 "SELECT * FROM(SELECT * FROM c GROUP BY NOT c=c / c % 0)AS c NATURAL JOIN c AS c GROUP BY c HAVING c=c OR c=c", packet_length=packet_length@entry=108, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1364
#13 0x000055aecf14ab2c in do_command (thd=0x14f1fc000db8, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407
#14 0x000055aecf2aa3c0 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55aed1601fb8, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1418
#15 0x000055aecf2aa8c9 in handle_one_connection (arg=0x55aed1601fb8) at /test/10.10_dbg/sql/sql_connect.cc:1312
#16 0x000014f25ca98609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#17 0x000014f25c684133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.36 (dbg), 10.3.36 (opt), 10.4.26 (dbg), 10.4.26 (opt), 10.5.17 (dbg), 10.5.17 (opt), 10.6.9 (dbg), 10.6.9 (opt), 10.10.0 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

Roel Van de Paar added a comment - 2022-07-13 07:37 Secondary testcase CREATE TABLE c(c CHAR ) ENGINE=InnoDB; SELECT * FROM ( SELECT * FROM c GROUP BY NOT c=c / c % 0) AS c NATURAL JOIN c AS c GROUP BY c HAVING c=c OR c=c; Leads to: 10.10.0 081a284712bb661349e2e3802077b12211cede3e (Debug) Core was generated by `/test/MD310522-mariadb-10.10.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'. Program terminated with signal SIGSEGV, Segmentation fault. #0 Item::clear_extraction_flag (this=0x14f25cbb4090) at /test/10.10_dbg/sql/item.h:2664 [Current thread is 1 (Thread 0x14f213dfe700 (LWP 3169405))] (gdb) bt #0 Item::clear_extraction_flag (this=0x14f25cbb4090) at /test/10.10_dbg/sql/item.h:2664 #1 Item::check_pushable_cond (this=0x14f25cbb4090, checker=(bool (Item::*)(Item * const, uchar *)) 0x55aecf0f8a74 <Item::pushable_cond_checker_for_derived(unsigned char*)>, arg=0x14f1fc072308 "\001") at /test/10.10_dbg/sql/item.cc:7505 #2 0x000055aecf460afa in Item::check_pushable_cond (this=0x14f1fc024710, checker=<optimized out>, arg=0x14f1fc072308 "\001") at /test/10.10_dbg/sql/item.cc:7514 #3 0x000055aecf460afa in Item::check_pushable_cond (this=this@entry=0x14f1fc026e88, checker=<optimized out>, arg=0x14f1fc072308 "\001") at /test/10.10_dbg/sql/item.cc:7514 #4 0x000055aecf0f72c0 in pushdown_cond_for_derived (thd=0x14f1fc000db8, cond=0x14f1fc026e88, derived=derived@entry=0x14f1fc016218) at /test/10.10_dbg/sql/sql_derived.cc:1538 #5 0x000055aecf1d3971 in JOIN::optimize_inner (this=this@entry=0x14f1fc025100) at /test/10.10_dbg/sql/sql_select.cc:2318 #6 0x000055aecf1d4452 in JOIN::optimize (this=this@entry=0x14f1fc025100) at /test/10.10_dbg/sql/sql_select.cc:1845 #7 0x000055aecf1d4545 in mysql_select (thd=thd@entry=0x14f1fc000db8, tables=0x14f1fc016218, fields=@0x14f1fc014008: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14f1fc0142f8, last = 0x14f1fc0142f8, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x14f1fc017900, having=0x14f1fc024710, proc_param=0x0, select_options=2147748608, result=0x14f1fc0250d8, unit=0x14f1fc004fd8, select_lex=0x14f1fc013d68) at /test/10.10_dbg/sql/sql_select.cc:5030 #8 0x000055aecf1d4d8e in handle_select (thd=thd@entry=0x14f1fc000db8, lex=lex@entry=0x14f1fc004f00, result=result@entry=0x14f1fc0250d8, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.10_dbg/sql/sql_select.cc:578 #9 0x000055aecf140b5e in execute_sqlcom_select (thd=thd@entry=0x14f1fc000db8, all_tables=0x14f1fc016218) at /test/10.10_dbg/sql/sql_parse.cc:6260 #10 0x000055aecf14ce70 in mysql_execute_command (thd=thd@entry=0x14f1fc000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:3944 #11 0x000055aecf13ae3a in mysql_parse (thd=thd@entry=0x14f1fc000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14f213dfd470) at /test/10.10_dbg/sql/sql_parse.cc:8036 #12 0x000055aecf148422 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14f1fc000db8, packet=packet@entry=0x14f1fc00b6d9 "SELECT * FROM(SELECT * FROM c GROUP BY NOT c=c / c % 0)AS c NATURAL JOIN c AS c GROUP BY c HAVING c=c OR c=c", packet_length=packet_length@entry=108, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1364 #13 0x000055aecf14ab2c in do_command (thd=0x14f1fc000db8, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407 #14 0x000055aecf2aa3c0 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55aed1601fb8, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1418 #15 0x000055aecf2aa8c9 in handle_one_connection (arg=0x55aed1601fb8) at /test/10.10_dbg/sql/sql_connect.cc:1312 #16 0x000014f25ca98609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #17 0x000014f25c684133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 Bug confirmed present in: MariaDB: 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg) Bug (or feature/syntax) confirmed not present in: MariaDB: 10.3.36 (dbg), 10.3.36 (opt), 10.4.26 (dbg), 10.4.26 (opt), 10.5.17 (dbg), 10.5.17 (opt), 10.6.9 (dbg), 10.6.9 (opt), 10.10.0 (opt) MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

Sergei Petrunia made changes - 2022-08-09 07:36

Labels

not-10.3 not-10.4 not-10.5 not-10.6 regression-10.7

not-10.3 not-10.4 not-10.5 not-10.6 pushdown_from_having regression-10.7

Roel Van de Paar made changes - 2022-10-06 21:28

Description

{code:sql}
CREATE TABLE c(c INT) ENGINE=InnoDB;
SELECT * FROM(SELECT * FROM c GROUP BY NOT c=c) AS c NATURAL JOIN c AS c GROUP BY c HAVING c=c OR c=c;
{code}

Leads to:

{noformat:title=10.10.0 081a284712bb661349e2e3802077b12211cede3e (Optimized)}
Core was generated by `/test/MD310522-mariadb-10.10.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000055ae368d5e44 in Item::clear_extraction_flag (this=0x149bb20a4090)
at /test/10.10_opt/sql/item.h:2664
[Current thread is 1 (Thread 0x149b98d48700 (LWP 3347048))]
(gdb) bt
#0 0x000055ae368d5e44 in Item::clear_extraction_flag (this=0x149bb20a4090) at /test/10.10_opt/sql/item.h:2664
#1 Item::check_pushable_cond (this=0x149bb20a4090, checker=(bool (Item::*)(Item * const, uchar *)) 0x55ae3662aec0 <Item::pushable_cond_checker_for_derived(unsigned char*)>, arg=0x149b5404b128 "\001") at /test/10.10_opt/sql/item.cc:7505
#2 0x000055ae368d5f99 in Item::check_pushable_cond (this=0x149b5401fa68, checker=<optimized out>, arg=0x149b5404b128 "\001") at /test/10.10_opt/sql/item.cc:7514
#3 0x000055ae368d5eea in Item::check_pushable_cond (this=this@entry=0x149b540220a8, checker=<optimized out>, arg=0x149b5404b128 "\001") at /test/10.10_opt/sql/item.cc:7514
#4 0x000055ae36629be1 in pushdown_cond_for_derived (thd=0x149b54000c58, cond=0x149b540220a8, derived=derived@entry=0x149b540129e0) at /test/10.10_opt/sql/sql_derived.cc:1538
#5 0x000055ae366e0b45 in JOIN::optimize_inner (this=0x149b54020458) at /test/10.10_opt/sql/sql_select.cc:2318
#6 0x000055ae366e3b13 in JOIN::optimize (this=this@entry=0x149b54020458) at /test/10.10_opt/sql/sql_select.cc:1845
#7 0x000055ae366e3bfe in mysql_select (thd=0x149b54000c58, tables=0x149b540129e0, fields=@0x149b54010ad8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x149b54010dc8, last = 0x149b54010dc8, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x149b540140c8, having=0x149b5401fa68, proc_param=0x0, select_options=<optimized out>, result=0x149b54020430, unit=0x149b54004cb8, select_lex=0x149b54010838) at /test/10.10_opt/sql/sql_select.cc:5030
#8 0x000055ae366e4397 in handle_select (thd=thd@entry=0x149b54000c58, lex=lex@entry=0x149b54004be0, result=result@entry=0x149b54020430, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.10_opt/sql/sql_select.cc:578
#9 0x000055ae366679b1 in execute_sqlcom_select (thd=0x149b54000c58, all_tables=0x149b540129e0) at /test/10.10_opt/sql/sql_parse.cc:6260
#10 0x000055ae3667552d in mysql_execute_command (thd=0x149b54000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:3944
#11 0x000055ae36662bb5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x149b54000c58) at /test/10.10_opt/sql/sql_parse.cc:8036
#12 mysql_parse (thd=0x149b54000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:7958
#13 0x000055ae3666e6ca in dispatch_command (command=COM_QUERY, thd=0x149b54000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.10_opt/sql/sql_class.h:1364
#14 0x000055ae366705f2 in do_command (thd=0x149b54000c58, blocking=blocking@entry=true) at /test/10.10_opt/sql/sql_parse.cc:1407
#15 0x000055ae367868af in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55ae39b31eb8, put_in_cache=put_in_cache@entry=true) at /test/10.10_opt/sql/sql_connect.cc:1418
#16 0x000055ae36786b8d in handle_one_connection (arg=0x55ae39b31eb8) at /test/10.10_opt/sql/sql_connect.cc:1312
#17 0x0000149bb1f88609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x0000149bb1b74133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
{noformat}
{noformat:title=10.10.0 081a284712bb661349e2e3802077b12211cede3e (Debug)}
Core was generated by `/test/MD310522-mariadb-10.10.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --lc'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x14591ccf6800 (LWP 3342364))]
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x000014591cecf859 in __GI_abort () at abort.c:79
#2 0x000014591cecf729 in __assert_fail_base (fmt=0x14591d065588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x563e5fbb56c0 "! is_set() || m_can_overwrite_status", file=0x563e5fbb5428 "/test/10.10_dbg/sql/sql_error.cc", line=457, function=<optimized out>) at assert.c:92
#3 0x000014591cee0fd6 in __GI___assert_fail (assertion=assertion@entry=0x563e5fbb56c0 "! is_set() || m_can_overwrite_status", file=file@entry=0x563e5fbb5428 "/test/10.10_dbg/sql/sql_error.cc", line=line@entry=457, function=function@entry=0x563e5fbb5638 "void Diagnostics_area::set_error_status(uint, const char*, const char*, const Sql_user_condition_identity&, const Sql_condition*)") at assert.c:101
#4 0x0000563e5ef822ce in Diagnostics_area::set_error_status (this=this@entry=0x563e615de230, sql_errno=sql_errno@entry=6, message=message@entry=0x7ffc8e43c0a0 "Error on delete of '/tmp/#sql-temptable-33001c-1-2.MAD' (Errcode: 2 \"No such file or directory\")", sqlstate=sqlstate@entry=0x563e5fbd37d8 "HY000", ucid=@0x7ffc8e43be80: {m_user_condition_value = 0x0}, error_condition=0x0) at /test/10.10_dbg/sql/sql_error.h:1019
#5 0x0000563e5ef5fe4e in THD::raise_condition (this=this@entry=0x563e615d8478, cond=cond@entry=0x7ffc8e43be70) at /test/10.10_dbg/sql/sql_class.cc:1119
#6 0x0000563e5eea79aa in THD::raise_condition (this=this@entry=0x563e615d8478, sql_errno=sql_errno@entry=6, sqlstate=sqlstate@entry=0x563e5fb95e38 "", level=<optimized out>, msg=msg@entry=0x7ffc8e43c0a0 "Error on delete of '/tmp/#sql-temptable-33001c-1-2.MAD' (Errcode: 2 \"No such file or directory\")") at /test/10.10_dbg/sql/sql_class.h:4867
#7 0x0000563e5ee9c12b in my_message_sql (error=6, str=0x7ffc8e43c0a0 "Error on delete of '/tmp/#sql-temptable-33001c-1-2.MAD' (Errcode: 2 \"No such file or directory\")", MyFlags=4) at /test/10.10_dbg/sql/mysqld.cc:3315
#8 0x0000563e5fa013e9 in my_error (nr=nr@entry=6, MyFlags=MyFlags@entry=4) at /test/10.10_dbg/mysys/my_error.c:124
#9 0x0000563e5fa01082 in my_delete (name=name@entry=0x7ffc8e43c600 "/tmp/#sql-temptable-33001c-1-2.MAD", MyFlags=MyFlags@entry=16) at /test/10.10_dbg/mysys/my_delete.c:53
#10 0x0000563e5fa0996a in my_handler_delete_with_symlink (filename=0x7ffc8e43c600 "/tmp/#sql-temptable-33001c-1-2.MAD", sync_dir=sync_dir@entry=16) at /test/10.10_dbg/mysys/my_symlink2.c:190
#11 0x0000563e5f541cfd in inline_mysql_file_delete_with_symlink (name=name@entry=0x563e61616e38 "/tmp/#sql-temptable-33001c-1-2", ext=ext@entry=0x563e5fda90f6 ".MAD", flags=flags@entry=16) at /test/10.10_dbg/include/mysql/psi/mysql_file.h:1396
#12 0x0000563e5f541d55 in maria_delete_table_files (name=name@entry=0x563e61616e38 "/tmp/#sql-temptable-33001c-1-2", temporary=temporary@entry=1 '\001', flags=flags@entry=16) at /test/10.10_dbg/storage/maria/ma_delete_table.c:103
#13 0x0000563e5f4db497 in ha_maria::drop_table (this=0x563e6161a2c0, name=0x563e61616e38 "/tmp/#sql-temptable-33001c-1-2") at /test/10.10_dbg/storage/maria/ha_maria.cc:2809
#14 0x0000563e5f2c1b39 in handler::ha_drop_table (this=0x563e6161a2c0, name=0x563e61616e38 "/tmp/#sql-temptable-33001c-1-2") at /test/10.10_dbg/sql/handler.cc:5348
#15 0x0000563e5f0382b9 in free_tmp_table (thd=thd@entry=0x563e615d8478, entry=0x563e61615d00) at /test/10.10_dbg/sql/sql_select.cc:20482
#16 0x0000563e5ef4431a in close_thread_tables (thd=thd@entry=0x563e615d8478) at /test/10.10_dbg/sql/sql_base.cc:861
#17 0x0000563e5ef445c1 in close_thread_tables_for_query (thd=thd@entry=0x563e615d8478) at /test/10.10_dbg/sql/sql_base.cc:771
#18 0x0000563e5efdc13c in mysql_execute_command (thd=thd@entry=0x563e615d8478, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:6062
#19 0x0000563e5efc3e3a in mysql_parse (thd=0x563e615d8478, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7ffc8e43ce50) at /test/10.10_dbg/sql/sql_parse.cc:8036
#20 0x0000563e5efcf619 in bootstrap (file=0x563e60d2efc0 <instrumented_stdin>) at /test/10.10_dbg/sql/sql_class.h:1361
#21 0x0000563e5eea4b0d in mysqld_main (argc=<optimized out>, argv=<optimized out>) at /test/10.10_dbg/sql/mysqld.cc:5834
#22 0x0000563e5ee98b66 in main (argc=<optimized out>, argv=<optimized out>) at /test/10.10_dbg/sql/main.cc:34
{noformat}

Bug confirmed present in:
MariaDB: 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.36 (dbg), 10.3.36 (opt), 10.4.26 (dbg), 10.4.26 (opt), 10.5.17 (dbg), 10.5.17 (opt), 10.6.9 (dbg), 10.6.9 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

{code:sql}
CREATE TABLE c(c INT) ENGINE=InnoDB;
SELECT * FROM(SELECT * FROM c GROUP BY NOT c=c) AS c NATURAL JOIN c AS c GROUP BY c HAVING c=c OR c=c;
{code}

Leads to:

{noformat:title=10.10.0 081a284712bb661349e2e3802077b12211cede3e (Optimized)}
Core was generated by `/test/MD310522-mariadb-10.10.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000055ae368d5e44 in Item::clear_extraction_flag (this=0x149bb20a4090)
at /test/10.10_opt/sql/item.h:2664
[Current thread is 1 (Thread 0x149b98d48700 (LWP 3347048))]
(gdb) bt
#0 0x000055ae368d5e44 in Item::clear_extraction_flag (this=0x149bb20a4090) at /test/10.10_opt/sql/item.h:2664
#1 Item::check_pushable_cond (this=0x149bb20a4090, checker=(bool (Item::*)(Item * const, uchar *)) 0x55ae3662aec0 <Item::pushable_cond_checker_for_derived(unsigned char*)>, arg=0x149b5404b128 "\001") at /test/10.10_opt/sql/item.cc:7505
#2 0x000055ae368d5f99 in Item::check_pushable_cond (this=0x149b5401fa68, checker=<optimized out>, arg=0x149b5404b128 "\001") at /test/10.10_opt/sql/item.cc:7514
#3 0x000055ae368d5eea in Item::check_pushable_cond (this=this@entry=0x149b540220a8, checker=<optimized out>, arg=0x149b5404b128 "\001") at /test/10.10_opt/sql/item.cc:7514
#4 0x000055ae36629be1 in pushdown_cond_for_derived (thd=0x149b54000c58, cond=0x149b540220a8, derived=derived@entry=0x149b540129e0) at /test/10.10_opt/sql/sql_derived.cc:1538
#5 0x000055ae366e0b45 in JOIN::optimize_inner (this=0x149b54020458) at /test/10.10_opt/sql/sql_select.cc:2318
#6 0x000055ae366e3b13 in JOIN::optimize (this=this@entry=0x149b54020458) at /test/10.10_opt/sql/sql_select.cc:1845
#7 0x000055ae366e3bfe in mysql_select (thd=0x149b54000c58, tables=0x149b540129e0, fields=@0x149b54010ad8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x149b54010dc8, last = 0x149b54010dc8, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x149b540140c8, having=0x149b5401fa68, proc_param=0x0, select_options=<optimized out>, result=0x149b54020430, unit=0x149b54004cb8, select_lex=0x149b54010838) at /test/10.10_opt/sql/sql_select.cc:5030
#8 0x000055ae366e4397 in handle_select (thd=thd@entry=0x149b54000c58, lex=lex@entry=0x149b54004be0, result=result@entry=0x149b54020430, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.10_opt/sql/sql_select.cc:578
#9 0x000055ae366679b1 in execute_sqlcom_select (thd=0x149b54000c58, all_tables=0x149b540129e0) at /test/10.10_opt/sql/sql_parse.cc:6260
#10 0x000055ae3667552d in mysql_execute_command (thd=0x149b54000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:3944
#11 0x000055ae36662bb5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x149b54000c58) at /test/10.10_opt/sql/sql_parse.cc:8036
#12 mysql_parse (thd=0x149b54000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:7958
#13 0x000055ae3666e6ca in dispatch_command (command=COM_QUERY, thd=0x149b54000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.10_opt/sql/sql_class.h:1364
#14 0x000055ae366705f2 in do_command (thd=0x149b54000c58, blocking=blocking@entry=true) at /test/10.10_opt/sql/sql_parse.cc:1407
#15 0x000055ae367868af in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55ae39b31eb8, put_in_cache=put_in_cache@entry=true) at /test/10.10_opt/sql/sql_connect.cc:1418
#16 0x000055ae36786b8d in handle_one_connection (arg=0x55ae39b31eb8) at /test/10.10_opt/sql/sql_connect.cc:1312
#17 0x0000149bb1f88609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x0000149bb1b74133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
{noformat}
{noformat:title=10.10.2 5deccac4aaf1be948a0ae10f40bb5f668ac37a4d (Debug)}
Core was generated by `/test/MD190922-mariadb-10.10.2-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 Item::clear_extraction_flag (this=0x14dcb199d090)
at /test/10.10_dbg/sql/item.h:2674
[Current thread is 1 (Thread 0x14dc9880d700 (LWP 620908))]
(gdb) bt
#0 Item::clear_extraction_flag (this=0x14dcb199d090) at /test/10.10_dbg/sql/item.h:2674
#1 Item::check_pushable_cond (this=0x14dcb199d090, checker=(bool (Item::*)(Item * const, uchar *)) 0x558ff487bd8a <Item::pushable_cond_checker_for_derived(unsigned char*)>, arg=0x14dc5806c5e8 "\001") at /test/10.10_dbg/sql/item.cc:7521
#2 0x0000558ff4be982e in Item::check_pushable_cond (this=0x14dc58027278, checker=<optimized out>, arg=0x14dc5806c5e8 "\001") at /test/10.10_dbg/sql/item.cc:7530
#3 0x0000558ff4be982e in Item::check_pushable_cond (this=this@entry=0x14dc58029920, checker=<optimized out>, arg=0x14dc5806c5e8 "\001") at /test/10.10_dbg/sql/item.cc:7530
#4 0x0000558ff487a5d6 in pushdown_cond_for_derived (thd=0x14dc58000d48, cond=0x14dc58029920, derived=derived@entry=0x14dc580153b0) at /test/10.10_dbg/sql/sql_derived.cc:1538
#5 0x0000558ff4958f15 in JOIN::optimize_inner (this=this@entry=0x14dc58027c68) at /test/10.10_dbg/sql/sql_select.cc:2339
#6 0x0000558ff49599f6 in JOIN::optimize (this=this@entry=0x14dc58027c68) at /test/10.10_dbg/sql/sql_select.cc:1863
#7 0x0000558ff4959ae9 in mysql_select (thd=thd@entry=0x14dc58000d48, tables=0x14dc580153b0, fields=@0x14dc580134a8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14dc58013798, last = 0x14dc58013798, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x0, group=0x14dc58016aa0, having=0x14dc58027278, proc_param=0x0, select_options=2164525824, result=0x14dc58027c40, unit=0x14dc58004f80, select_lex=0x14dc58013208) at /test/10.10_dbg/sql/sql_select.cc:5056
#8 0x0000558ff495a332 in handle_select (thd=thd@entry=0x14dc58000d48, lex=lex@entry=0x14dc58004ea8, result=result@entry=0x14dc58027c40, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.10_dbg/sql/sql_select.cc:581
#9 0x0000558ff48c43e7 in execute_sqlcom_select (thd=thd@entry=0x14dc58000d48, all_tables=0x14dc580153b0) at /test/10.10_dbg/sql/sql_parse.cc:6261
#10 0x0000558ff48d0755 in mysql_execute_command (thd=thd@entry=0x14dc58000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:3945
#11 0x0000558ff48be68d in mysql_parse (thd=thd@entry=0x14dc58000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14dc9880c330) at /test/10.10_dbg/sql/sql_parse.cc:8035
#12 0x0000558ff48cbcbf in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14dc58000d48, packet=packet@entry=0x14dc5800adb9 "SELECT * FROM(SELECT * FROM c GROUP BY NOT c=c) AS c NATURAL JOIN c AS c GROUP BY c HAVING c=c OR c=c", packet_length=packet_length@entry=101, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1345
#13 0x0000558ff48ce3e2 in do_command (thd=0x14dc58000d48, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407
#14 0x0000558ff4a30abd in do_handle_one_connection (connect=<optimized out>, connect@entry=0x558ff77ab1a8, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1416
#15 0x0000558ff4a30fc7 in handle_one_connection (arg=0x558ff77ab1a8) at /test/10.10_dbg/sql/sql_connect.cc:1318
#16 0x000014dcb1881609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#17 0x000014dcb146d133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
{noformat}

Bug confirmed present in:
MariaDB: 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.36 (dbg), 10.3.36 (opt), 10.4.26 (dbg), 10.4.26 (opt), 10.5.17 (dbg), 10.5.17 (opt), 10.6.9 (dbg), 10.6.9 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

Sergei Petrunia made changes - 2022-11-07 09:50

Assignee

Sergei Petrunia [ psergey ]

Rex [ JIRAUSER52533 ]

Sergei Petrunia added a comment - 2022-11-10 16:27

According to Johnston, still reproducible on current 10.7.

Sergei Petrunia added a comment - 2022-11-10 16:27 According to Johnston , still reproducible on current 10.7.

Sergei Petrunia added a comment - 2022-11-10 16:28

Johnston, please try with valgrind (or a *san) build. Maybe it will immediately show we're trying to access free'd memory.

Sergei Petrunia added a comment - 2022-11-10 16:28 Johnston , please try with valgrind (or a *san) build. Maybe it will immediately show we're trying to access free'd memory.

Rex Johnston added a comment - 2022-11-10 17:17

I can confirm that it's not in 10.5 too. Will try valgrind first.

Rex Johnston added a comment - 2022-11-10 17:17 I can confirm that it's not in 10.5 too. Will try valgrind first.

Rex Johnston added a comment - 2022-11-14 01:33 - edited

Valgrind build fails...

[ 97%] Building CXX object sql/CMakeFiles/sql.dir/opt_split.cc.o

/usr/bin/ld: libmariadbd.a(password_reuse_check.c.o): in function `report_sql_error':

/home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:78: undefined reference to `server_mysql_error'

/usr/bin/ld: /home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:78: undefined reference to `server_mysql_errno'

/usr/bin/ld: libmariadbd.a(password_reuse_check.c.o): in function `create_table':

/home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:94: undefined reference to `server_mysql_real_query'

/usr/bin/ld: libmariadbd.a(password_reuse_check.c.o): in function `run_query_with_table_creation':

/home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:123: undefined reference to `server_mysql_real_query'

/usr/bin/ld: /home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:125: undefined reference to `server_mysql_errno'

/usr/bin/ld: /home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:143: undefined reference to `server_mysql_real_query'

/usr/bin/ld: libmariadbd.a(password_reuse_check.c.o): in function `validate':

/home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:179: undefined reference to `server_mysql_init'

/usr/bin/ld: /home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:220: undefined reference to `server_mysql_close'

/usr/bin/ld: /home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:226: undefined reference to `server_mysql_close'

[ 97%] Building CXX object sql/CMakeFiles/sql.dir/rowid_filter.cc.o

etc.

Investigating.

Rex Johnston added a comment - 2022-11-14 01:33 - edited Valgrind build fails... [ 97%] Building CXX object sql/CMakeFiles/sql.dir/opt_split.cc.o /usr/bin/ld: libmariadbd.a(password_reuse_check.c.o): in function `report_sql_error': /home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:78: undefined reference to `server_mysql_error' /usr/bin/ld: /home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:78: undefined reference to `server_mysql_errno' /usr/bin/ld: libmariadbd.a(password_reuse_check.c.o): in function `create_table': /home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:94: undefined reference to `server_mysql_real_query' /usr/bin/ld: libmariadbd.a(password_reuse_check.c.o): in function `run_query_with_table_creation': /home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:123: undefined reference to `server_mysql_real_query' /usr/bin/ld: /home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:125: undefined reference to `server_mysql_errno' /usr/bin/ld: /home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:143: undefined reference to `server_mysql_real_query' /usr/bin/ld: libmariadbd.a(password_reuse_check.c.o): in function `validate': /home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:179: undefined reference to `server_mysql_init' /usr/bin/ld: /home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:220: undefined reference to `server_mysql_close' /usr/bin/ld: /home/rex/src/mariadb/server/plugin/password_reuse_check/password_reuse_check.c:226: undefined reference to `server_mysql_close' [ 97%] Building CXX object sql/CMakeFiles/sql.dir/rowid_filter.cc.o etc. Investigating.

Roel Van de Paar added a comment - 2022-11-14 11:30

Johnston Try ASAN + UBSAN build (they can be merged) and/or MSAN build.

Roel Van de Paar added a comment - 2022-11-14 11:30 Johnston Try ASAN + UBSAN build (they can be merged) and/or MSAN build.

Rex Johnston made changes - 2022-11-15 03:41

Status

Open [ 1 ]

In Progress [ 3 ]

Rex Johnston added a comment - 2022-11-15 03:43 - edited

Have got valgrind build working. At the crash point...

(gdb) where

#0  0x0000000000adf516 in Item::clear_extraction_flag (this=0x48580a0) at /home/rex/src/mariadb/server.borked/sql/item.h:2688

#1  0x0000000000f2d40b in Item::check_pushable_cond (this=0x48580a0, checker=

    (bool (Item::*)(Item * const, uchar *)) 0xadf51e <Item::pushable_cond_checker_for_derived(unsigned char*)>, arg=0x38eccaa8 "\001")

    at /home/rex/src/mariadb/server.borked/sql/item.cc:7516

#2  0x0000000000f2d4b3 in Item::check_pushable_cond (this=0x38eb1fe0, checker=

    (bool (Item::*)(Item * const, uchar *)) 0xadf51e <Item::pushable_cond_checker_for_derived(unsigned char*)>, arg=0x38eccaa8 "\001")

    at /home/rex/src/mariadb/server.borked/sql/item.cc:7525

#3  0x0000000000f2d4b3 in Item::check_pushable_cond (this=0x38ecfed0, checker=

    (bool (Item::*)(Item * const, uchar *)) 0xadf51e <Item::pushable_cond_checker_for_derived(unsigned char*)>, arg=0x38eccaa8 "\001")

    at /home/rex/src/mariadb/server.borked/sql/item.cc:7525

#4  0x0000000000adec64 in pushdown_cond_for_derived (thd=0x345412b8, cond=0x38ecfed0, derived=0x38eaf3c0) at /home/rex/src/mariadb/server.borked/sql/sql_derived.cc:1538

#5  0x0000000000ba1693 in JOIN::optimize_inner (this=0x38ecb080) at /home/rex/src/mariadb/server.borked/sql/sql_select.cc:2350

#6  0x0000000000b9f9d0 in JOIN::optimize (this=0x38ecb080) at /home/rex/src/mariadb/server.borked/sql/sql_select.cc:1871

#7  0x0000000000bab58d in mysql_select (thd=0x345412b8, tables=0x38eaf3c0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x38eb1210, having=0x38eb1fe0, proc_param=0x0,

    select_options=2164525824, result=0x38eca980, unit=0x345456f8, select_lex=0x38eac5d0) at /home/rex/src/mariadb/server.borked/sql/sql_select.cc:5096

#8  0x0000000000b9a7b4 in handle_select (thd=0x345412b8, lex=0x34545620, result=0x38eca980, setup_tables_done_option=0) at /home/rex/src/mariadb/server.borked/sql/sql_select.cc:581

#9  0x0000000000b44ad1 in execute_sqlcom_select (thd=0x345412b8, all_tables=0x38eaf3c0) at /home/rex/src/mariadb/server.borked/sql/sql_parse.cc:6263

#10 0x0000000000b3c00b in mysql_execute_command (thd=0x345412b8, is_called_from_prepared_stmt=false) at /home/rex/src/mariadb/server.borked/sql/sql_parse.cc:3947

#11 0x0000000000b49453 in mysql_parse (thd=0x345412b8, rawbuf=0x38eabc40 "SELECT * FROM(SELECT * FROM c GROUP BY NOT c=c) AS c NATURAL JOIN c AS c GROUP BY c HAVING c=c OR c=c",

    length=101, parser_state=0x376a0140) at /home/rex/src/mariadb/server.borked/sql/sql_parse.cc:7998

#12 0x0000000000b363f0 in dispatch_command (command=COM_QUERY, thd=0x345412b8,

    packet=0x3454d1a9 "SELECT * FROM(SELECT * FROM c GROUP BY NOT c=c) AS c NATURAL JOIN c AS c GROUP BY c HAVING c=c OR c=c", packet_length=101, blocking=true)

    at /home/rex/src/mariadb/server.borked/sql/sql_parse.cc:1894

#13 0x0000000000b34e33 in do_command (thd=0x345412b8, blocking=true) at /home/rex/src/mariadb/server.borked/sql/sql_parse.cc:1407

#14 0x0000000000d0a0bc in do_handle_one_connection (connect=0x3453f418, put_in_cache=true) at /home/rex/src/mariadb/server.borked/sql/sql_connect.cc:1416

#15 0x0000000000d09e2c in handle_one_connection (arg=0x3453f418) at /home/rex/src/mariadb/server.borked/sql/sql_connect.cc:1318

#16 0x0000000001202cfc in pfs_spawn_thread (arg=0x34540bd8) at /home/rex/src/mariadb/server.borked/storage/perfschema/pfs.cc:2201

#17 0x0000000004eafea7 in start_thread (arg=<optimized out>) at pthread_create.c:477

#18 0x00000000052f9aef in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

(gdb) p this

$2 = (Item * const) 0x48580a0

(gdb) monitor who_points_at 0x48580a0

==18974== Searching for pointers to 0x48580a0

==18974== *0x28e5368 points at 0x48580a0

 Address 0x28e5368 is 0 bytes inside data symbol "Item_true"

==18974== *0x3769f038 points at 0x48580a0

 Address 0x3769f038 is on thread 26's stack

==18974== *0x3769f068 points at 0x48580a0

 Address 0x3769f068 is on thread 26's stack

 in frame #1, created by Item::check_pushable_cond(bool (Item::*)(unsigned char*), unsigned char*) (item.cc:7515)

==18974== *0x3769f0f0 points at 0x48580a0

 Address 0x3769f0f0 is on thread 26's stack

 in frame #2, created by Item::check_pushable_cond(bool (Item::*)(unsigned char*), unsigned char*) (item.cc:7515)

==18974== *0x38eb2128 points at 0x48580a0

 Address 0x38eb2128 is 56 bytes inside a block of size 64 alloc'd

==18974==    at 0x483877F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)

==18974==    by 0x18B6123: my_malloc (my_malloc.c:90)

==18974==    by 0x18A68ED: alloc_root (my_alloc.c:287)

==18974==    by 0x9B85EA: Sql_alloc::operator new(unsigned long, st_mem_root*) (sql_alloc.h:37)

==18974==    by 0x9B87AF: base_list::push_back(void*, st_mem_root*) (sql_list.h:195)

==18974==    by 0xA05504: List<Item>::push_back(Item*, st_mem_root*) (sql_list.h:505)

==18974==    by 0xF527BD: Item_cond::Item_cond(THD*, Item*, Item*) (item_cmpfunc.cc:4880)

==18974==    by 0xBF3C1B: Item_cond_or::Item_cond_or(THD*, Item*, Item*) (item_cmpfunc.h:3564)

==18974==    by 0xE478F1: MYSQLparse(THD*) (sql_yacc.yy:9082)

==18974==    by 0xB4EC0D: parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) (sql_parse.cc:10390)

==18974==    by 0xB4929A: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:7950)

==18974==    by 0xB363EF: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) (sql_parse.cc:1894)

==18974== *0x38eb21a8 points at 0x48580a0

 Address 0x38eb21a8 is 56 bytes inside a block of size 64 alloc'd

==18974==    at 0x483877F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)

==18974==    by 0x18B6123: my_malloc (my_malloc.c:90)

==18974==    by 0x18A68ED: alloc_root (my_alloc.c:287)

==18974==    by 0x9B85EA: Sql_alloc::operator new(unsigned long, st_mem_root*) (sql_alloc.h:37)

==18974==    by 0x9B87AF: base_list::push_back(void*, st_mem_root*) (sql_list.h:195)

==18974==    by 0xA05504: List<Item>::push_back(Item*, st_mem_root*) (sql_list.h:505)

==18974==    by 0xF527DE: Item_cond::Item_cond(THD*, Item*, Item*) (item_cmpfunc.cc:4881)

==18974==    by 0xBF3C1B: Item_cond_or::Item_cond_or(THD*, Item*, Item*) (item_cmpfunc.h:3564)

==18974==    by 0xE478F1: MYSQLparse(THD*) (sql_yacc.yy:9082)

==18974==    by 0xB4EC0D: parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) (sql_parse.cc:10390)

==18974==    by 0xB4929A: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:7950)

==18974==    by 0xB363EF: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) (sql_parse.cc:1894)

==18974== tid 26 register RAX pointing at 0x48580a0

==18974== tid 26 register RDI pointing at 0x48580a0

Rex Johnston added a comment - 2022-11-15 03:43 - edited Have got valgrind build working. At the crash point... (gdb) where #0 0x0000000000adf516 in Item::clear_extraction_flag (this=0x48580a0) at /home/rex/src/mariadb/server.borked/sql/item.h:2688 #1 0x0000000000f2d40b in Item::check_pushable_cond (this=0x48580a0, checker= (bool (Item::*)(Item * const, uchar *)) 0xadf51e <Item::pushable_cond_checker_for_derived(unsigned char*)>, arg=0x38eccaa8 "\001") at /home/rex/src/mariadb/server.borked/sql/item.cc:7516 #2 0x0000000000f2d4b3 in Item::check_pushable_cond (this=0x38eb1fe0, checker= (bool (Item::*)(Item * const, uchar *)) 0xadf51e <Item::pushable_cond_checker_for_derived(unsigned char*)>, arg=0x38eccaa8 "\001") at /home/rex/src/mariadb/server.borked/sql/item.cc:7525 #3 0x0000000000f2d4b3 in Item::check_pushable_cond (this=0x38ecfed0, checker= (bool (Item::*)(Item * const, uchar *)) 0xadf51e <Item::pushable_cond_checker_for_derived(unsigned char*)>, arg=0x38eccaa8 "\001") at /home/rex/src/mariadb/server.borked/sql/item.cc:7525 #4 0x0000000000adec64 in pushdown_cond_for_derived (thd=0x345412b8, cond=0x38ecfed0, derived=0x38eaf3c0) at /home/rex/src/mariadb/server.borked/sql/sql_derived.cc:1538 #5 0x0000000000ba1693 in JOIN::optimize_inner (this=0x38ecb080) at /home/rex/src/mariadb/server.borked/sql/sql_select.cc:2350 #6 0x0000000000b9f9d0 in JOIN::optimize (this=0x38ecb080) at /home/rex/src/mariadb/server.borked/sql/sql_select.cc:1871 #7 0x0000000000bab58d in mysql_select (thd=0x345412b8, tables=0x38eaf3c0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x38eb1210, having=0x38eb1fe0, proc_param=0x0, select_options=2164525824, result=0x38eca980, unit=0x345456f8, select_lex=0x38eac5d0) at /home/rex/src/mariadb/server.borked/sql/sql_select.cc:5096 #8 0x0000000000b9a7b4 in handle_select (thd=0x345412b8, lex=0x34545620, result=0x38eca980, setup_tables_done_option=0) at /home/rex/src/mariadb/server.borked/sql/sql_select.cc:581 #9 0x0000000000b44ad1 in execute_sqlcom_select (thd=0x345412b8, all_tables=0x38eaf3c0) at /home/rex/src/mariadb/server.borked/sql/sql_parse.cc:6263 #10 0x0000000000b3c00b in mysql_execute_command (thd=0x345412b8, is_called_from_prepared_stmt=false) at /home/rex/src/mariadb/server.borked/sql/sql_parse.cc:3947 #11 0x0000000000b49453 in mysql_parse (thd=0x345412b8, rawbuf=0x38eabc40 "SELECT * FROM(SELECT * FROM c GROUP BY NOT c=c) AS c NATURAL JOIN c AS c GROUP BY c HAVING c=c OR c=c", length=101, parser_state=0x376a0140) at /home/rex/src/mariadb/server.borked/sql/sql_parse.cc:7998 #12 0x0000000000b363f0 in dispatch_command (command=COM_QUERY, thd=0x345412b8, packet=0x3454d1a9 "SELECT * FROM(SELECT * FROM c GROUP BY NOT c=c) AS c NATURAL JOIN c AS c GROUP BY c HAVING c=c OR c=c", packet_length=101, blocking=true) at /home/rex/src/mariadb/server.borked/sql/sql_parse.cc:1894 #13 0x0000000000b34e33 in do_command (thd=0x345412b8, blocking=true) at /home/rex/src/mariadb/server.borked/sql/sql_parse.cc:1407 #14 0x0000000000d0a0bc in do_handle_one_connection (connect=0x3453f418, put_in_cache=true) at /home/rex/src/mariadb/server.borked/sql/sql_connect.cc:1416 #15 0x0000000000d09e2c in handle_one_connection (arg=0x3453f418) at /home/rex/src/mariadb/server.borked/sql/sql_connect.cc:1318 #16 0x0000000001202cfc in pfs_spawn_thread (arg=0x34540bd8) at /home/rex/src/mariadb/server.borked/storage/perfschema/pfs.cc:2201 #17 0x0000000004eafea7 in start_thread (arg=<optimized out>) at pthread_create.c:477 #18 0x00000000052f9aef in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 (gdb) p this $2 = (Item * const) 0x48580a0 (gdb) monitor who_points_at 0x48580a0 ==18974== Searching for pointers to 0x48580a0 ==18974== *0x28e5368 points at 0x48580a0 Address 0x28e5368 is 0 bytes inside data symbol "Item_true" ==18974== *0x3769f038 points at 0x48580a0 Address 0x3769f038 is on thread 26's stack ==18974== *0x3769f068 points at 0x48580a0 Address 0x3769f068 is on thread 26's stack in frame #1, created by Item::check_pushable_cond(bool (Item::*)(unsigned char*), unsigned char*) (item.cc:7515) ==18974== *0x3769f0f0 points at 0x48580a0 Address 0x3769f0f0 is on thread 26's stack in frame #2, created by Item::check_pushable_cond(bool (Item::*)(unsigned char*), unsigned char*) (item.cc:7515) ==18974== *0x38eb2128 points at 0x48580a0 Address 0x38eb2128 is 56 bytes inside a block of size 64 alloc'd ==18974== at 0x483877F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==18974== by 0x18B6123: my_malloc (my_malloc.c:90) ==18974== by 0x18A68ED: alloc_root (my_alloc.c:287) ==18974== by 0x9B85EA: Sql_alloc::operator new(unsigned long, st_mem_root*) (sql_alloc.h:37) ==18974== by 0x9B87AF: base_list::push_back(void*, st_mem_root*) (sql_list.h:195) ==18974== by 0xA05504: List<Item>::push_back(Item*, st_mem_root*) (sql_list.h:505) ==18974== by 0xF527BD: Item_cond::Item_cond(THD*, Item*, Item*) (item_cmpfunc.cc:4880) ==18974== by 0xBF3C1B: Item_cond_or::Item_cond_or(THD*, Item*, Item*) (item_cmpfunc.h:3564) ==18974== by 0xE478F1: MYSQLparse(THD*) (sql_yacc.yy:9082) ==18974== by 0xB4EC0D: parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) (sql_parse.cc:10390) ==18974== by 0xB4929A: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:7950) ==18974== by 0xB363EF: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) (sql_parse.cc:1894) ==18974== *0x38eb21a8 points at 0x48580a0 Address 0x38eb21a8 is 56 bytes inside a block of size 64 alloc'd ==18974== at 0x483877F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==18974== by 0x18B6123: my_malloc (my_malloc.c:90) ==18974== by 0x18A68ED: alloc_root (my_alloc.c:287) ==18974== by 0x9B85EA: Sql_alloc::operator new(unsigned long, st_mem_root*) (sql_alloc.h:37) ==18974== by 0x9B87AF: base_list::push_back(void*, st_mem_root*) (sql_list.h:195) ==18974== by 0xA05504: List<Item>::push_back(Item*, st_mem_root*) (sql_list.h:505) ==18974== by 0xF527DE: Item_cond::Item_cond(THD*, Item*, Item*) (item_cmpfunc.cc:4881) ==18974== by 0xBF3C1B: Item_cond_or::Item_cond_or(THD*, Item*, Item*) (item_cmpfunc.h:3564) ==18974== by 0xE478F1: MYSQLparse(THD*) (sql_yacc.yy:9082) ==18974== by 0xB4EC0D: parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) (sql_parse.cc:10390) ==18974== by 0xB4929A: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:7950) ==18974== by 0xB363EF: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) (sql_parse.cc:1894) ==18974== tid 26 register RAX pointing at 0x48580a0 ==18974== tid 26 register RDI pointing at 0x48580a0

Rex Johnston made changes - 2022-11-21 06:03

Assignee

Rex Johnston [ JIRAUSER52533 ]

Sergei Petrunia [ psergey ]

Rex Johnston made changes - 2022-11-21 06:04

Status

In Progress [ 3 ]

In Testing [ 10301 ]

Rex Johnston made changes - 2022-11-21 06:05

Status

In Testing [ 10301 ]

Stalled [ 10000 ]

Rex Johnston made changes - 2022-11-21 06:06

Assignee

Sergei Petrunia [ psergey ]

Rex Johnston [ JIRAUSER52533 ]

Rex Johnston made changes - 2022-11-21 06:07

Assignee	Rex Johnston [ JIRAUSER52533 ]	Sergei Petrunia [ psergey ]
Status	Stalled [ 10000 ]	In Review [ 10002 ]

Sergei Petrunia added a comment - 2022-11-28 11:09

Valgrind error I'm observing:

==7302== Process terminating with default action of signal 11 (SIGSEGV)

==7302==  Bad permissions for mapped region at address 0x403C102

==7302==    at 0xA7604E: Item::clear_extraction_flag() (item.h:2674)

==7302==    by 0xEDCE18: Item::check_pushable_cond(bool (Item::*)(unsigned char*), unsigned char*) (item.cc:7521)

==7302==    by 0xEDCEBF: Item::check_pushable_cond(bool (Item::*)(unsigned char*), unsigned char*) (item.cc:7530)

==7302==    by 0xEDCEBF: Item::check_pushable_cond(bool (Item::*)(unsigned char*), unsigned char*) (item.cc:7530)

==7302==    by 0xA7575A: pushdown_cond_for_derived(THD*, Item*, TABLE_LIST*) (sql_derived.cc:1538)

Indeed, the Item_true is a global object which somehow was put into a read-only memory.

And Rex's fix is to make Item_func_eq::build_equal_items allocate a new object which is private to this query and is writable. This is correct.

My concern is, are there any other scenarios where Item tree has a pointer to this global Item_true object? If there are, we can get other similar bugs...
Should we

Stop using the global Item_int altogether?
Make pushdown_cond_for_derived() and Item::clear_extraction_flag() to never modify global read-only Item objects? (We could do that, but what should item->get_extraction_flag() return for global read-only item objects?

Sergei Petrunia added a comment - 2022-11-28 11:09 Valgrind error I'm observing: ==7302== Process terminating with default action of signal 11 (SIGSEGV) ==7302== Bad permissions for mapped region at address 0x403C102 ==7302== at 0xA7604E: Item::clear_extraction_flag() (item.h:2674) ==7302== by 0xEDCE18: Item::check_pushable_cond(bool (Item::*)(unsigned char*), unsigned char*) (item.cc:7521) ==7302== by 0xEDCEBF: Item::check_pushable_cond(bool (Item::*)(unsigned char*), unsigned char*) (item.cc:7530) ==7302== by 0xEDCEBF: Item::check_pushable_cond(bool (Item::*)(unsigned char*), unsigned char*) (item.cc:7530) ==7302== by 0xA7575A: pushdown_cond_for_derived(THD*, Item*, TABLE_LIST*) (sql_derived.cc:1538) Indeed, the Item_true is a global object which somehow was put into a read-only memory. And Rex's fix is to make Item_func_eq::build_equal_items allocate a new object which is private to this query and is writable. This is correct. My concern is, are there any other scenarios where Item tree has a pointer to this global Item_true object? If there are, we can get other similar bugs... Should we Stop using the global Item_int altogether? Make pushdown_cond_for_derived() and Item::clear_extraction_flag() to never modify global read-only Item objects? (We could do that, but what should item->get_extraction_flag() return for global read-only item objects?

Sergei Petrunia added a comment - 2022-11-28 12:08

Discussed this with Monty. We should try to avoid setting/clearing flags like extraction flag in constant items. One needs to take a look at why pushdown_cond_for_derived() does it.

It looks like it should be sufficient to set/clear such flags only for direct children of Item_cond_and/Item_cond_or objects. Items that are constant should not be direct children of Item_cond_and/item_cond_or (as they can be removed in that case).

Sergei Petrunia added a comment - 2022-11-28 12:08 Discussed this with Monty. We should try to avoid setting/clearing flags like extraction flag in constant items. One needs to take a look at why pushdown_cond_for_derived() does it. It looks like it should be sufficient to set/clear such flags only for direct children of Item_cond_and/Item_cond_or objects. Items that are constant should not be direct children of Item_cond_and/item_cond_or (as they can be removed in that case).

Michael Widenius added a comment - 2022-11-28 12:28

The issue is that we are calling clear_extraction_flag on all items, including const items and other items that we are not going to mark or have to mark.

It is a not a good idea to mark all items, including sub items, as the marking and cleanup can become very expensive in the long run. Better to avoid marking all items (just marking AND and OR items can be ok)

One can easily avoid the issue with Item_true/Item_false as these are ALWAYS top level items. Checking for basic_const_item() at function start/function call avoids this issue

Michael Widenius added a comment - 2022-11-28 12:28 The issue is that we are calling clear_extraction_flag on all items, including const items and other items that we are not going to mark or have to mark. It is a not a good idea to mark all items, including sub items, as the marking and cleanup can become very expensive in the long run. Better to avoid marking all items (just marking AND and OR items can be ok) One can easily avoid the issue with Item_true/Item_false as these are ALWAYS top level items. Checking for basic_const_item() at function start/function call avoids this issue

Michael Widenius made changes - 2022-11-28 13:19

Attachment

diff [ 67160 ]

Michael Widenius added a comment - 2022-11-28 13:20

Here is a suggested patch that fixes the issue:
diff

Michael Widenius added a comment - 2022-11-28 13:20 Here is a suggested patch that fixes the issue: diff

Rex Johnston made changes - 2022-11-28 17:18

Assignee

Sergei Petrunia [ psergey ]

Rex Johnston [ JIRAUSER52533 ]

Roel Van de Paar made changes - 2022-11-29 00:40

Affects Version/s

10.11 [ 27614 ]

Roel Van de Paar made changes - 2022-11-29 00:40

Fix Version/s		10.9 [ 26905 ]
Fix Version/s		10.10 [ 27530 ]

Sergei Petrunia added a comment - 2022-11-29 20:26

As far as I understood from the optimizer call this week, Igor will clarify something about which way this should be fixed... (Please re-assign accordingly if it is not correct)

Sergei Petrunia added a comment - 2022-11-29 20:26 As far as I understood from the optimizer call this week, Igor will clarify something about which way this should be fixed... (Please re-assign accordingly if it is not correct)

Sergei Petrunia made changes - 2022-11-29 20:27

Assignee

Rex Johnston [ JIRAUSER52533 ]

Sergei Petrunia [ psergey ]

Sergei Petrunia made changes - 2022-11-29 20:27

Status

In Review [ 10002 ]

Stalled [ 10000 ]

Sergei Petrunia made changes - 2022-11-29 20:27

Assignee

Sergei Petrunia [ psergey ]

Igor Babaev [ igor ]

Igor Babaev (Inactive) added a comment - 2022-11-30 07:05

The following test case is more meaningful and causes the same problem:

create table t1 (c1 int);

insert into t1 values (3), (7), (1), (3), (1), (3);

create table t2 (c2 int);

insert into t2 values (3), (5), (7), (3);

create view v1 as select * from t1 group by c1;

create view v2 as select c1 as a, c2 as b from v1,t2 where c1=c2;

select * from v2 group by a,b having a=b or b > a+10;

Igor Babaev (Inactive) added a comment - 2022-11-30 07:05 The following test case is more meaningful and causes the same problem: create table t1 (c1 int ); insert into t1 values (3), (7), (1), (3), (1), (3); create table t2 (c2 int ); insert into t2 values (3), (5), (7), (3); create view v1 as select * from t1 group by c1; create view v2 as select c1 as a, c2 as b from v1,t2 where c1=c2; select * from v2 group by a,b having a=b or b > a+10;

Igor Babaev (Inactive) added a comment - 2022-11-30 07:34 - edited

If we are not allowed to use the field 'marker' for basis_const_items let's not to use this field for such items:

  bool depends_only_on(table_map view_map)

  { return get_extraction_flag() & MARKER_FULL_EXTRACTION; }

  int get_extraction_flag() const

    if (basic_const_item())

      return MARKER_FULL_EXTRACTION;

    else

      return marker & MARKER_EXTRACTION_MASK;

  void set_extraction_flag(int16 flags)

    if (!basic_const_item())

      marker= marker & ~MARKER_EXTRACTION_MASK;

      marker|= flags;

  void clear_extraction_flag()

    if (!basic_const_item())

      marker= marker & ~MARKER_EXTRACTION_MASK;

Igor Babaev (Inactive) added a comment - 2022-11-30 07:34 - edited If we are not allowed to use the field 'marker' for basis_const_items let's not to use this field for such items: bool depends_only_on(table_map view_map) { return get_extraction_flag() & MARKER_FULL_EXTRACTION; } int get_extraction_flag() const { if (basic_const_item()) return MARKER_FULL_EXTRACTION; else return marker & MARKER_EXTRACTION_MASK; } void set_extraction_flag(int16 flags) { if (!basic_const_item()) { marker= marker & ~MARKER_EXTRACTION_MASK; marker|= flags; } } void clear_extraction_flag() { if (!basic_const_item()) marker= marker & ~MARKER_EXTRACTION_MASK; }

Igor Babaev (Inactive) made changes - 2023-01-26 22:02

Summary

SIGSEGV in Item::clear_extraction_flag on SELECT

Crash when checking whether condition can be pushed into view

Igor Babaev (Inactive) made changes - 2023-01-31 03:47

Status

Stalled [ 10000 ]

In Progress [ 3 ]

Igor Babaev (Inactive) made changes - 2023-01-31 03:47

Assignee	Igor Babaev [ igor ]	Oleksandr Byelkin [ sanja ]
Status	In Progress [ 3 ]	In Review [ 10002 ]

Oleksandr Byelkin added a comment - 2023-02-06 10:46

OK to push.

Oleksandr Byelkin added a comment - 2023-02-06 10:46 OK to push.

Oleksandr Byelkin made changes - 2023-02-06 10:46

Assignee	Oleksandr Byelkin [ sanja ]	Igor Babaev [ igor ]
Status	In Review [ 10002 ]	Stalled [ 10000 ]

Julien Fritsch made changes - 2023-03-03 17:26

Fix Version/s

10.7 [ 24805 ]

Igor Babaev (Inactive) added a comment - 2023-03-16 22:11

A fix for this bug was pushed into 10.8

Igor Babaev (Inactive) added a comment - 2023-03-16 22:11 A fix for this bug was pushed into 10.8

Igor Babaev (Inactive) made changes - 2023-03-16 22:11

Fix Version/s		10.8.8 [ 28518 ]
Fix Version/s		10.9.6 [ 28520 ]
Fix Version/s		10.10.4 [ 28522 ]
Fix Version/s		10.11.3 [ 28524 ]
Fix Version/s		11.1.0 [ 28705 ]
Fix Version/s	10.8 [ 26121 ]
Fix Version/s	10.9 [ 26905 ]
Fix Version/s	10.10 [ 27530 ]
Resolution		Fixed [ 1 ]
Status	Stalled [ 10000 ]	Closed [ 6 ]

Oleg Smirnov made changes - 2024-10-09 06:49

Link

This issue causes MDEV-32412 [ MDEV-32412 ]

People

Assignee:: Igor Babaev (Inactive)

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 2022-06-27 10:50

Updated:: 2024-10-09 06:49

Resolved:: 2023-03-16 22:11

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Git Integration