Details
Description
PoC:
SELECT |
( WITH x AS |
( ( SELECT * |
FROM ( SELECT 1 x ) x |
GROUP BY x HAVING x = ( x IS NULL OR x IS NULL ) ) ) ( SELECT 1.000000 FROM x ) ) ; |
docker log:
mariadbd(my_print_stacktrace+0x32)[0x55edfcfaa7c2]
|
mariadbd(handle_fatal_signal+0x488)[0x55edfca83cf8]
|
/lib/x86_64-linux-gnu/libc.so.6(+0x42520)[0x7f02a678b520]
|
mariadbd(_ZNK10Item_field11used_tablesEv+0xb)[0x55edfcab1d5b]
|
mariadbd(+0xaba703)[0x55edfca98703]
|
mariadbd(_ZN10Item_field35derived_field_transformer_for_whereEP3THDPh+0x1a)[0x55edfca987ea]
|
mariadbd(_ZN9Item_args14transform_argsEP3THDM4ItemFPS2_S1_PhES4_+0xb5)[0x55edfcafae65]
|
mariadbd(_ZN9Item_func9transformEP3THDM4ItemFPS2_S1_PhES4_+0x2d)[0x55edfcafaecd]
|
mariadbd(_ZN9Item_cond12do_transformEP3THDM4ItemFPS2_S1_PhES4_b+0xd6)[0x55edfcaceb36]
|
mariadbd(_ZN9Item_args14transform_argsEP3THDM4ItemFPS2_S1_PhES4_+0xb5)[0x55edfcafae65]
|
mariadbd(_ZN9Item_func9transformEP3THDM4ItemFPS2_S1_PhES4_+0x2d)[0x55edfcafaecd]
|
mariadbd(_Z27transform_condition_or_partP3THDP4ItemMS1_FS2_S0_PhES3_+0x169)[0x55edfc7ca939]
|
mariadbd(_ZN13st_select_lex31pushdown_cond_into_where_clauseEP3THDP4ItemPS3_MS2_FS3_S1_PhES5_+0x135)[0x55edfc7f9155]
|
mariadbd(_Z25pushdown_cond_for_derivedP3THDP4ItemP10TABLE_LIST+0x24f)[0x55edfc7cabef]
|
mariadbd(_ZN4JOIN14optimize_innerEv+0xb06)[0x55edfc88ffc6]
|
mariadbd(_ZN4JOIN8optimizeEv+0xda)[0x55edfc890e2a]
|
mariadbd(+0x7ec60c)[0x55edfc7ca60c]
|
mariadbd(_Z27mysql_handle_single_derivedP3LEXP10TABLE_LISTj+0x95)[0x55edfc7c9e35]
|
mariadbd(_ZN4JOIN14optimize_innerEv+0xb27)[0x55edfc88ffe7]
|
mariadbd(_ZN4JOIN8optimizeEv+0xda)[0x55edfc890e2a]
|
mariadbd(_ZN13st_select_lex31optimize_unflattened_subqueriesEb+0x115)[0x55edfc7eaa55]
|
mariadbd(_ZN4JOIN28optimize_constant_subqueriesEv+0x35)[0x55edfc989d55]
|
mariadbd(_ZN4JOIN14optimize_innerEv+0x503)[0x55edfc88f9c3]
|
mariadbd(_ZN4JOIN8optimizeEv+0xda)[0x55edfc890e2a]
|
mariadbd(_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex+0xd1)[0x55edfc890f21]
|
mariadbd(_Z13handle_selectP3THDP3LEXP13select_resulty+0x154)[0x55edfc891774]
|
mariadbd(+0x826f55)[0x55edfc804f55]
|
mariadbd(_Z21mysql_execute_commandP3THDb+0x419e)[0x55edfc813f0e]
|
mariadbd(_Z11mysql_parseP3THDPcjP12Parser_state+0x1e7)[0x55edfc815237]
|
mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjb+0x14bd)[0x55edfc817a1d]
|
mariadbd(_Z10do_commandP3THDb+0x138)[0x55edfc819818]
|
mariadbd(_Z24do_handle_one_connectionP7CONNECTb+0x3bf)[0x55edfc9413af]
|
mariadbd(handle_one_connection+0x5d)[0x55edfc9416fd]
|
mariadbd(+0xcd1906)[0x55edfccaf906]
|
/lib/x86_64-linux-gnu/libc.so.6(+0x94b43)[0x7f02a67ddb43]
|
/lib/x86_64-linux-gnu/libc.so.6(clone+0x44)[0x7f02a686ebb4]
|
|
|
Trying to get some variables.
|
Some pointers may be invalid and cause the dump to abort.
|
Query (0x7f02440130d8): SELECT ( WITH x AS ( ( SELECT * FROM ( SELECT 1 x ) x GROUP BY x HAVING x = ( x IS NULL OR x IS NULL ) ) ) ( SELECT 1.000000 FROM x ) )
|
Attachments
Issue Links
- is part of
-
MDEV-29363 Constant subquery causing a crash in pushdown optimization
-
- Closed
-
- relates to
-
-
- Confirmed
-
Activity
The crash happens when we do pushdown from HAVING into WHERE.
We un-fix the items, then create their clone, then call
table_map Item_field::used_tables() const
|
{
|
=> if (field->table->const_table)
|
with field=0 (because the item is not fixed yet).
The testcase can be shortened to:
CREATE VIEW v1 AS SELECT 1 AS a; |
SELECT * FROM v1 |
GROUP BY a HAVING a = (a IS NULL OR a IS NULL); |
With switched off pushdown from HAVING into WHERE optimization the query doesn't crash:
MariaDB [test]> set statement optimizer_switch='condition_pushdown_from_having=off' for |
-> SELECT * FROM v1 |
-> GROUP BY a HAVING a = (a IS NULL OR a IS NULL); |
Empty set (0,001 sec) |
So, the problem should be searched in this optimization.
When the optimization is entered HAVING condition is already transformed into:
multiple equal(/*always not null*/ 1 is null or /*always not null*/ 1 is null, v1.a)
|
/*always not null*/ is just v1.a, and both of these /*always not null*/ are references to the same object.
During optimization (/*always not null*/ 1 is null or /*always not null*/ 1 is null) is marked as an immutable condition with IMMUTABLE_FL flag, that means that is will be not cleaned and fixed at the end of the optimization.
However, during cleanup IMMUTABLE_FL is removed from the first reference of the /*always not null*/
object. When the second reference is met, it already doesn't have IMMUTABLE_FL and is cleaned up.
After the cleanup fixing is made, but the whole condition (/*always not null*/ 1 is null or /*always not null*/ 1 is null) is still marked as immutable and is not fixed. That leads to the situation when the second reference to the /*always not null*/ object is cleaned up, but not fixed, and that causes a crash.
This bug is similar to MDEV-32293 and will be fixed with MDEV-29363 fix.
Fixed in 10.5. Pushed with MDEV-29363 commit.
The testcase for this MDEV is included in the patch (find it here).
The initial query doesn't crash anymore:
MariaDB [t]> SELECT |
-> ( WITH x AS |
-> ( ( SELECT * |
-> FROM ( SELECT 1 x ) x |
-> GROUP BY x HAVING x = ( x IS NULL OR x IS NULL ) ) ) ( SELECT 1.000000 FROM x ) ) ; |
+---------------------------------------------------------------------------------------------------------------------------------------------------+ |
| ( WITH x AS |
( ( SELECT * |
FROM ( SELECT 1 x ) x |
GROUP BY x HAVING x = ( x IS NULL OR x IS NULL ) ) ) ( SELECT 1.000000 FROM x ) ) | |
+---------------------------------------------------------------------------------------------------------------------------------------------------+ |
| NULL | |
+---------------------------------------------------------------------------------------------------------------------------------------------------+ |
1 row in set (0,001 sec) |
Thank you for the report!
I repeated as described in MariaDB 10.4-11.2:
231005 9:15:35 [ERROR] mysqld got signal 11 ;Server version: 10.4.32-MariaDB-debug-log source revision: 50a2e8b1892b6b8a276d4bd75a1a02148f9e6ff2sql/signal_handler.cc:238(handle_fatal_signal)[0x55e20f8f17e9]sigaction.c:0(__restore_rt)[0x7f0d8bbc5420]sql/item.cc:3411(Item_field::used_tables() const)[0x55e20f9605e7]sql/item.cc:7650(find_producing_item(Item*, st_select_lex*))[0x55e20f9818b8]sql/item.cc:7680(Item_field::derived_field_transformer_for_where(THD*, unsigned char*))[0x55e20f981c73]sql/item.cc:602(Item::transform(THD*, Item* (Item::*)(THD*, unsigned char*), unsigned char*))[0x55e20f946b39]sql/item_func.cc:474(Item_args::transform_args(THD*, Item* (Item::*)(THD*, unsigned char*), unsigned char*))[0x55e20fa4fdd1]sql/item_func.cc:510(Item_func::transform(THD*, Item* (Item::*)(THD*, unsigned char*), unsigned char*))[0x55e20fa5004f]sql/item_cmpfunc.cc:5071(Item_cond::do_transform(THD*, Item* (Item::*)(THD*, unsigned char*), unsigned char*, bool))[0x55e20f9ee174]sql/item_cmpfunc.h:3022(Item_cond::transform(THD*, Item* (Item::*)(THD*, unsigned char*), unsigned char*))[0x55e20fa0f11c]sql/item_func.cc:474(Item_args::transform_args(THD*, Item* (Item::*)(THD*, unsigned char*), unsigned char*))[0x55e20fa4fdd1]sql/item_func.cc:510(Item_func::transform(THD*, Item* (Item::*)(THD*, unsigned char*), unsigned char*))[0x55e20fa5004f]sql/sql_derived.cc:1376(transform_condition_or_part(THD*, Item*, Item* (Item::*)(THD*, unsigned char*), unsigned char*))[0x55e20f0615e3]sql/sql_lex.cc:9829(st_select_lex::pushdown_cond_into_where_clause(THD*, Item*, Item**, Item* (Item::*)(THD*, unsigned char*), unsigned char*))[0x55e20f0efd31]sql/sql_derived.cc:1568(pushdown_cond_for_derived(THD*, Item*, TABLE_LIST*))[0x55e20f0623d1]sql/sql_select.cc:2198(JOIN::optimize_inner())[0x55e20f1f00bd]sql/sql_select.cc:1711(JOIN::optimize())[0x55e20f1eac2b]sql/sql_derived.cc:1029(mysql_derived_optimize(THD*, LEX*, TABLE_LIST*))[0x55e20f05ef3f]sql/sql_derived.cc:200(mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int))[0x55e20f0596ea]sql/sql_select.cc:2201(JOIN::optimize_inner())[0x55e20f1f0190]sql/sql_select.cc:1711(JOIN::optimize())[0x55e20f1eac2b]sql/sql_select.cc:4812(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55e20f20bc1d]sql/sql_select.cc:442(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55e20f1dc922]sql/sql_parse.cc:6475(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55e20f14872c]sql/sql_parse.cc:3978(mysql_execute_command(THD*))[0x55e20f135ea3]sql/sql_parse.cc:8012(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55e20f151c07]sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55e20f12802d]sql/sql_parse.cc:1378(do_command(THD*))[0x55e20f124b58]sql/sql_connect.cc:1420(do_handle_one_connection(CONNECT*))[0x55e20f5327fd]sql/sql_connect.cc:1325(handle_one_connection)[0x55e20f5320a1]perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55e2101dc99a]nptl/pthread_create.c:478(start_thread)[0x7f0d8bbb9609]Query (0x62b0000a1420): SELECT 1 FROM ( SELECT 1 FROM ( SELECT 1 x )dt1 GROUP BY x HAVING x = ( x IS NULL OR x IS NULL ) ) dt