Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-29263

SIGSEGV in JOIN::get_partial_cost_and_fanout on SELECT

    XMLWordPrintable

Details

    Description

      Happens only with InnoDB SE. Added number of potentially related bugs in links.

      CREATE TABLE t(c INT KEY,d INT) ENGINE=InnoDB;
      		 
      SELECT * FROM t WHERE c IN (0,0) AND c IN (0,d IN (SELECT c FROM t GROUP BY d,d HAVING (d=c AND d AND 1))) AND d=0;

      Leads to:

      10.10.0 e1caa4bd5e8b4645944b85d4b603bf9fc9ef6ca4 (Optimized)

      		 
      Core was generated by `/test/MD290722-mariadb-10.10.0-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  JOIN::get_partial_cost_and_fanout (this=this@entry=0x153fec01c320, 
          end_tab_idx=<optimized out>, 
          filter_map=filter_map@entry=18446744073709551615, 
          read_time_arg=read_time_arg@entry=0x15404c16f948, 
          record_count_arg=record_count_arg@entry=0x15404c16f940)
      		 
          at /test/10.10_opt/sql/sql_select.cc:9441
      		 
      9441	    if (end_tab->bush_root_tab && end_tab->bush_root_tab == tab)
      		 
      [Current thread is 1 (Thread 0x15404c174700 (LWP 486952))]
      		 
      (gdb) bt
      		 
      #0  JOIN::get_partial_cost_and_fanout (this=this@entry=0x153fec01c320, end_tab_idx=<optimized out>, filter_map=filter_map@entry=18446744073709551615, read_time_arg=read_time_arg@entry=0x15404c16f948, record_count_arg=record_count_arg@entry=0x15404c16f940) at /test/10.10_opt/sql/sql_select.cc:9441
      		 
      #1  0x00005599ca62e3ce in JOIN::choose_subquery_plan (this=this@entry=0x153fec01cce8, join_tables=1) at /test/10.10_opt/sql/item.h:2624
      		 
      #2  0x00005599ca544ee5 in make_join_statistics (keyuse_array=0x153fec01d030, tables_list=@0x153fec011de0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153fec01d2c8, last = 0x153fec01d2c8, elements = 1}, <No data fields>}, join=0x153fec01cce8) at /test/10.10_opt/sql/sql_select.cc:6012
      		 
      #3  JOIN::optimize_inner (this=0x153fec01cce8) at /test/10.10_opt/sql/sql_select.cc:2521
      		 
      #4  0x00005599ca5455c3 in JOIN::optimize (this=0x153fec01cce8) at /test/10.10_opt/sql/sql_select.cc:1863
      		 
      #5  0x00005599ca7e91e0 in subselect_single_select_engine::exec (this=0x153fec013cb8) at /test/10.10_opt/sql/item_subselect.cc:4060
      		 
      #6  0x00005599ca7e890c in Item_subselect::exec (this=0x153fec013a90) at /test/10.10_opt/sql/item_subselect.cc:854
      		 
      #7  0x00005599ca7e8d74 in Item_in_subselect::val_bool (this=0x153fec013a90) at /test/10.10_opt/sql/item_subselect.cc:1989
      		 
      #8  0x00005599ca754ae4 in Item_in_optimizer::val_int (this=0x153fec01d7f8) at /test/10.10_opt/sql/item_cmpfunc.cc:1637
      		 
      #9  Item_in_optimizer::val_int (this=0x153fec01d7f8) at /test/10.10_opt/sql/item_cmpfunc.cc:1545
      		 
      #10 0x00005599ca737643 in Item::save_int_in_field (this=0x153fec01d7f8, field=0x153fec017e58, no_conversions=<optimized out>) at /test/10.10_opt/sql/item.cc:6842
      		 
      #11 0x00005599ca7273e7 in Item::save_in_field (this=0x153fec01d7f8, field=0x153fec017e58, no_conversions=<optimized out>) at /test/10.10_opt/sql/item.cc:6852
      		 
      #12 0x00005599ca7307e0 in Item::save_in_field_no_warnings (this=this@entry=0x153fec01d7f8, field=field@entry=0x153fec017e58, no_conversions=no_conversions@entry=true) at /test/10.10_opt/sql/item.cc:1519
      		 
      #13 0x00005599ca3e2c37 in Field::get_mm_leaf_int (this=0x153fec017e58, prm=0x15404c1705a0, key_part=0x153fec04b990, cond=<optimized out>, op=SCALAR_CMP_EQ, value=0x153fec01d7f8, unsigned_field=false) at /test/10.10_opt/sql/opt_range.cc:8964
      		 
      #14 0x00005599ca5da739 in Field_int::get_mm_leaf (this=<optimized out>, param=<optimized out>, key_part=<optimized out>, cond=<optimized out>, op=<optimized out>, value=<optimized out>) at /test/10.10_opt/sql/field.h:2535
      		 
      #15 0x00005599ca3e1a4a in Item_bool_func::get_mm_parts (value=0x153fec01d7f8, type=Item_func::EQ_FUNC, field=0x153fec017e58, param=<optimized out>, this=0x153fec013d40) at /test/10.10_opt/sql/opt_range.cc:8642
      		 
      #16 Item_bool_func::get_mm_parts (this=0x153fec013d40, param=<optimized out>, field=0x153fec017e58, type=Item_func::EQ_FUNC, value=0x153fec01d7f8) at /test/10.10_opt/sql/opt_range.cc:8607
      		 
      #17 0x00005599ca3e896c in Item_func_in::get_func_mm_tree (this=0x153fec013d40, param=0x15404c1705a0, field=0x153fec017e58, value=<optimized out>) at /test/10.10_opt/sql/opt_range.cc:7987
      		 
      #18 0x00005599ca3e82c3 in Item_bool_func::get_full_func_mm_tree (this=0x153fec013d40, param=0x15404c1705a0, field_item=0x153fec011910, value=0x0) at /test/10.10_opt/sql/opt_range.cc:8295
      		 
      #19 0x00005599ca3e840a in Item_cond_and::get_mm_tree (this=<optimized out>, param=0x15404c1705a0, cond_ptr=<optimized out>) at /test/10.10_opt/sql/sql_list.h:603
      		 
      #20 0x00005599ca3eec1c in SQL_SELECT::test_quick_select (this=this@entry=0x153fec01f378, thd=thd@entry=0x153fec000c58, keys_to_use=<optimized out>, prev_tables=prev_tables@entry=0, limit=limit@entry=18446744073709551615, force_quick_range=force_quick_range@entry=false, ordered_output=false, remove_false_parts_of_where=true, only_single_index_range_scan=false) at /test/10.10_opt/sql/opt_range.cc:2886
      		 
      #21 0x00005599ca544a5d in get_quick_record_count (keys=0x153fec01e060, limit=18446744073709551615, table=0x153fec0167e8, select=0x153fec01f378, thd=0x153fec000c58) at /test/10.10_opt/sql/sql_select.cc:5106
      		 
      #22 make_join_statistics (keyuse_array=0x153fec01c668, tables_list=@0x153fec010a80: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153fec014510, last = 0x153fec014510, elements = 1}, <No data fields>}, join=0x153fec01c320) at /test/10.10_opt/sql/sql_select.cc:5855
      		 
      #23 JOIN::optimize_inner (this=0x153fec01c320) at /test/10.10_opt/sql/sql_select.cc:2521
      		 
      #24 0x00005599ca5455c3 in JOIN::optimize (this=this@entry=0x153fec01c320) at /test/10.10_opt/sql/sql_select.cc:1863
      		 
      #25 0x00005599ca5456ae in mysql_select (thd=0x153fec000c58, tables=0x153fec010e40, fields=@0x153fec010b08: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153fec010df8, last = 0x153fec014668, elements = 2}, <No data fields>}, conds=0x153fec013ea0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x153fec0144e8, unit=0x153fec004cd0, select_lex=0x153fec010868) at /test/10.10_opt/sql/sql_select.cc:5048
      		 
      #26 0x00005599ca545e47 in handle_select (thd=thd@entry=0x153fec000c58, lex=lex@entry=0x153fec004bf8, result=result@entry=0x153fec0144e8, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.10_opt/sql/sql_select.cc:581
      		 
      #27 0x00005599ca4c7b81 in execute_sqlcom_select (thd=0x153fec000c58, all_tables=0x153fec010e40) at /test/10.10_opt/sql/sql_parse.cc:6261
      		 
      #28 0x00005599ca4d56ed in mysql_execute_command (thd=0x153fec000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:3945
      		 
      #29 0x00005599ca4c2d85 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x153fec000c58) at /test/10.10_opt/sql/sql_parse.cc:8037
      		 
      #30 mysql_parse (thd=0x153fec000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.10_opt/sql/sql_parse.cc:7959
      		 
      #31 0x00005599ca4ce89a in dispatch_command (command=COM_QUERY, thd=0x153fec000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.10_opt/sql/sql_class.h:1366
      		 
      #32 0x00005599ca4d07c2 in do_command (thd=0x153fec000c58, blocking=blocking@entry=true) at /test/10.10_opt/sql/sql_parse.cc:1407
      		 
      #33 0x00005599ca5e86ef in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5599cd37a248, put_in_cache=put_in_cache@entry=true) at /test/10.10_opt/sql/sql_connect.cc:1418
      		 
      #34 0x00005599ca5e89cd in handle_one_connection (arg=0x5599cd37a248) at /test/10.10_opt/sql/sql_connect.cc:1312
      		 
      #35 0x0000154070618609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      		 
      #36 0x0000154070204133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      10.10.0 e1caa4bd5e8b4645944b85d4b603bf9fc9ef6ca4 (Debug)

      		 
      Core was generated by `/test/MD290722-mariadb-10.10.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  JOIN::get_partial_cost_and_fanout (this=this@entry=0x14e34c024e60, 
          end_tab_idx=<optimized out>, 
          filter_map=filter_map@entry=18446744073709551615, 
          read_time_arg=read_time_arg@entry=0x14e3d81f6158, 
          record_count_arg=record_count_arg@entry=0x14e3d81f6150)
      		 
          at /test/10.10_dbg/sql/sql_select.cc:9441
      		 
      9441	    if (end_tab->bush_root_tab && end_tab->bush_root_tab == tab)
      		 
      [Current thread is 1 (Thread 0x14e3d81f9700 (LWP 487777))]
      		 
      (gdb) bt
      		 
      #0  JOIN::get_partial_cost_and_fanout (this=this@entry=0x14e34c024e60, end_tab_idx=<optimized out>, filter_map=filter_map@entry=18446744073709551615, read_time_arg=read_time_arg@entry=0x14e3d81f6158, record_count_arg=record_count_arg@entry=0x14e3d81f6150) at /test/10.10_dbg/sql/sql_select.cc:9441
      		 
      #1  0x000055924e23bf1d in JOIN::choose_subquery_plan (this=this@entry=0x14e34c025828, join_tables=1) at /test/10.10_dbg/sql/item.h:2624
      		 
      #2  0x000055924e0ff229 in make_join_statistics (join=join@entry=0x14e34c025828, tables_list=@0x14e34c015300: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14e34c025e08, last = 0x14e34c025e08, elements = 1}, <No data fields>}, keyuse_array=keyuse_array@entry=0x14e34c025b70) at /test/10.10_dbg/sql/sql_select.cc:6012
      		 
      #3  0x000055924e10612e in JOIN::optimize_inner (this=this@entry=0x14e34c025828) at /test/10.10_dbg/sql/sql_select.cc:2521
      		 
      #4  0x000055924e10656e in JOIN::optimize (this=0x14e34c025828) at /test/10.10_dbg/sql/sql_select.cc:1863
      		 
      #5  0x000055924e4709fd in subselect_single_select_engine::exec (this=0x14e34c0171d8) at /test/10.10_dbg/sql/item_subselect.cc:4060
      		 
      #6  0x000055924e47016e in Item_subselect::exec (this=this@entry=0x14e34c016fb0) at /test/10.10_dbg/sql/item_subselect.cc:854
      		 
      #7  0x000055924e47543b in Item_in_subselect::exec (this=0x14e34c016fb0) at /test/10.10_dbg/sql/item_subselect.cc:1036
      		 
      #8  0x000055924e46f315 in Item_in_subselect::val_bool (this=0x14e34c016fb0) at /test/10.10_dbg/sql/item_subselect.cc:1989
      		 
      #9  0x000055924df4cf11 in Item::val_bool_result (this=<optimized out>) at /test/10.10_dbg/sql/item.h:1783
      		 
      #10 0x000055924e3b84c4 in Item_in_optimizer::val_int (this=0x14e34c026338) at /test/10.10_dbg/sql/item_cmpfunc.cc:1637
      		 
      #11 0x000055924e393dd3 in Item::save_int_in_field (this=0x14e34c026338, field=0x14e34c029ce8, no_conversions=<optimized out>) at /test/10.10_dbg/sql/item.cc:6842
      		 
      #12 0x000055924e272d64 in Type_handler_int_result::Item_save_in_field (this=<optimized out>, item=<optimized out>, field=<optimized out>, no_conversions=<optimized out>) at /test/10.10_dbg/sql/sql_type.cc:4362
      		 
      #13 0x000055924e37a4f1 in Item::save_in_field (this=0x14e34c026338, field=0x14e34c029ce8, no_conversions=<optimized out>) at /test/10.10_dbg/sql/item.cc:6852
      		 
      #14 0x000055924e38ac65 in Item::save_in_field_no_warnings (this=this@entry=0x14e34c026338, field=field@entry=0x14e34c029ce8, no_conversions=no_conversions@entry=true) at /test/10.10_dbg/sql/item.cc:1519
      		 
      #15 0x000055924df6072b in Field::get_mm_leaf_int (this=0x14e34c029ce8, prm=0x14e3d81f6ce0, key_part=0x14e34c072cf0, cond=<optimized out>, op=SCALAR_CMP_EQ, value=0x14e34c026338, unsigned_field=false) at /test/10.10_dbg/sql/opt_range.cc:8964
      		 
      #16 0x000055924e1c82d7 in Field_int::get_mm_leaf (this=<optimized out>, param=<optimized out>, key_part=<optimized out>, cond=<optimized out>, op=<optimized out>, value=<optimized out>) at /test/10.10_dbg/sql/field.h:2535
      		 
      #17 0x000055924df5114f in Item_bool_func::get_mm_leaf (this=0x14e34c017260, param=0x14e3d81f6ce0, field=0x14e34c029ce8, key_part=0x14e34c072cf0, functype=Item_func::EQ_FUNC, value=0x14e34c026338) at /test/10.10_dbg/sql/item_func.h:88
      		 
      #18 0x000055924df5f97d in Item_bool_func::get_mm_parts (this=this@entry=0x14e34c017260, param=param@entry=0x14e3d81f6ce0, field=field@entry=0x14e34c029ce8, type=type@entry=Item_func::EQ_FUNC, value=0x14e34c026338) at /test/10.10_dbg/sql/opt_range.cc:8642
      		 
      #19 0x000055924df77022 in Item_func_in::get_func_mm_tree (this=0x14e34c017260, param=0x14e3d81f6ce0, field=0x14e34c029ce8, value=<optimized out>) at /test/10.10_dbg/sql/opt_range.cc:7987
      		 
      #20 0x000055924df63e3a in Item_bool_func::get_full_func_mm_tree (this=this@entry=0x14e34c017260, param=param@entry=0x14e3d81f6ce0, field_item=0x14e34c014e30, value=value@entry=0x0) at /test/10.10_dbg/sql/opt_range.cc:8295
      		 
      #21 0x000055924df77ef9 in Item_func_in::get_mm_tree (this=0x14e34c017260, param=0x14e3d81f6ce0, cond_ptr=<optimized out>) at /test/10.10_dbg/sql/opt_range.cc:8528
      		 
      #22 0x000055924df63f45 in Item_cond_and::get_mm_tree (this=<optimized out>, param=0x14e3d81f6ce0, cond_ptr=<optimized out>) at /test/10.10_dbg/sql/sql_list.h:603
      		 
      #23 0x000055924df6e476 in SQL_SELECT::test_quick_select (this=this@entry=0x14e34c027ec0, thd=thd@entry=0x14e34c000db8, keys_to_use=<optimized out>, prev_tables=prev_tables@entry=0, limit=limit@entry=18446744073709551615, force_quick_range=force_quick_range@entry=false, ordered_output=false, remove_false_parts_of_where=true, only_single_index_range_scan=false) at /test/10.10_dbg/sql/opt_range.cc:2886
      		 
      #24 0x000055924e0fec42 in get_quick_record_count (limit=18446744073709551615, keys=0x14e34c026ba8, table=0x14e34c029818, select=0x14e34c027ec0, thd=0x14e34c000db8) at /test/10.10_dbg/sql/sql_select.cc:5106
      		 
      #25 make_join_statistics (join=join@entry=0x14e34c024e60, tables_list=@0x14e34c013fa0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14e34c017a30, last = 0x14e34c017a30, elements = 1}, <No data fields>}, keyuse_array=keyuse_array@entry=0x14e34c0251a8) at /test/10.10_dbg/sql/sql_select.cc:5855
      		 
      #26 0x000055924e10612e in JOIN::optimize_inner (this=this@entry=0x14e34c024e60) at /test/10.10_dbg/sql/sql_select.cc:2521
      		 
      #27 0x000055924e10656e in JOIN::optimize (this=this@entry=0x14e34c024e60) at /test/10.10_dbg/sql/sql_select.cc:1863
      		 
      #28 0x000055924e106661 in mysql_select (thd=thd@entry=0x14e34c000db8, tables=0x14e34c014360, fields=@0x14e34c014028: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14e34c014318, last = 0x14e34c017b88, elements = 2}, <No data fields>}, conds=0x14e34c0173c0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x14e34c017a08, unit=0x14e34c004ff0, select_lex=0x14e34c013d88) at /test/10.10_dbg/sql/sql_select.cc:5048
      		 
      #29 0x000055924e106eaa in handle_select (thd=thd@entry=0x14e34c000db8, lex=lex@entry=0x14e34c004f18, result=result@entry=0x14e34c017a08, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.10_dbg/sql/sql_select.cc:581
      		 
      #30 0x000055924e071258 in execute_sqlcom_select (thd=thd@entry=0x14e34c000db8, all_tables=0x14e34c014360) at /test/10.10_dbg/sql/sql_parse.cc:6261
      		 
      #31 0x000055924e07d56a in mysql_execute_command (thd=thd@entry=0x14e34c000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:3945
      		 
      #32 0x000055924e06b534 in mysql_parse (thd=thd@entry=0x14e34c000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14e3d81f8330) at /test/10.10_dbg/sql/sql_parse.cc:8037
      		 
      #33 0x000055924e078b1c in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14e34c000db8, packet=packet@entry=0x14e34c00b6e9 "SELECT * FROM t WHERE c IN (0,0) AND c IN (0,d IN (SELECT c FROM t GROUP BY d,d HAVING (d=c AND d AND 1))) AND d=0", packet_length=packet_length@entry=114, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1366
      		 
      #34 0x000055924e07b226 in do_command (thd=0x14e34c000db8, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407
      		 
      #35 0x000055924e1dc744 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x559251cffcf8, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1418
      		 
      #36 0x000055924e1dcc4d in handle_one_connection (arg=0x559251cffcf8) at /test/10.10_dbg/sql/sql_connect.cc:1312
      		 
      #37 0x000014e4054bb609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      		 
      #38 0x000014e4050a7133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      Bug confirmed present in:
      MariaDB: 10.5.17 (dbg), 10.5.17 (opt), 10.6.9 (dbg), 10.6.9 (opt), 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.3.36 (dbg), 10.3.36 (opt), 10.4.26 (dbg), 10.4.26 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-2736 LP:836523 - Crash in JOIN::get_partial_cost_and_fanout with semijoin+materialization

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-7823 Server crashes in next_depth_first_tab on nested IN clauses with SQ inside

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-10693 Server crashes in in next_depth_first_tab

          • Major - Major loss of function.
          • Closed

          Activity

            People

              Johnston Rex Johnston
              Roel Roel Van de Paar
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.