Details
-
Bug
-
Status: Stalled (View Workflow)
-
Critical
-
Resolution: Unresolved
-
11.1.2, 11.2.1, 10.4(EOL), 10.5, 10.6, 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL)
-
Ubuntu 20.04 x86-64, docker image mariadb:11.1.2
Description
PoC:
SELECT ( WITH RECURSIVE x AS ( WITH x AS ( SELECT 1 FROM t14 ) SELECT x ) , t14 AS ( SELECT 1 UNION SELECT 'x' FROM x ) SELECT x FROM x WHERE ( SELECT x FROM x ) ) ; |
docker log:
mariadbd(my_print_stacktrace+0x32)[0x5617194927c2]
|
mariadbd(handle_fatal_signal+0x488)[0x561718f6bcf8]
|
/lib/x86_64-linux-gnu/libc.so.6(+0x42520)[0x7ff65ab11520]
|
mariadbd(_ZN18st_select_lex_unit7cleanupEv+0x97)[0x561718dce0c7]
|
mariadbd(_ZN18st_select_lex_unit7prepareEP10TABLE_LISTP13select_resulty+0x841)[0x561718dcead1]
|
mariadbd(+0x7ed21f)[0x561718cb321f]
|
mariadbd(_Z27mysql_handle_single_derivedP3LEXP10TABLE_LISTj+0xda)[0x561718cb1e7a]
|
mariadbd(_ZN13st_select_lex14handle_derivedEP3LEXj+0x47)[0x561718cd0697]
|
mariadbd(_ZN4JOIN7prepareEP10TABLE_LISTP4ItemjP8st_orderbS5_S3_S5_P13st_select_lexP18st_select_lex_unit+0x20f)[0x561718d649ff]
|
mariadbd(+0xb8b908)[0x561719051908]
|
mariadbd(_ZN14Item_subselect10fix_fieldsEP3THDPP4Item+0x1ad)[0x561719050fcd]
|
mariadbd(_Z12setup_fieldsP3THD20Bounds_checked_arrayIP4ItemER4ListIS2_E17enum_column_usagePS6_S9_b+0x147)[0x561718c8b0a7]
|
mariadbd(_ZN4JOIN7prepareEP10TABLE_LISTP4ItemjP8st_orderbS5_S3_S5_P13st_select_lexP18st_select_lex_unit+0x52d)[0x561718d64d1d]
|
mariadbd(_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x624)[0x561718d79474]
|
mariadbd(_Z13handle_selectP3THDP3LEXP13select_resulty+0x154)[0x561718d79774]
|
mariadbd(+0x826f55)[0x561718cecf55]
|
mariadbd(_Z21mysql_execute_commandP3THDb+0x419e)[0x561718cfbf0e]
|
mariadbd(_Z11mysql_parseP3THDPcjP12Parser_state+0x1e7)[0x561718cfd237]
|
mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjb+0x14bd)[0x561718cffa1d]
|
mariadbd(_Z10do_commandP3THDb+0x138)[0x561718d01818]
|
mariadbd(_Z24do_handle_one_connectionP7CONNECTb+0x3bf)[0x561718e293af]
|
mariadbd(handle_one_connection+0x5d)[0x561718e296fd]
|
mariadbd(+0xcd1906)[0x561719197906]
|
/lib/x86_64-linux-gnu/libc.so.6(+0x94b43)[0x7ff65ab63b43]
|
/lib/x86_64-linux-gnu/libc.so.6(clone+0x44)[0x7ff65abf4bb4]
|
|
|
Trying to get some variables.
|
Some pointers may be invalid and cause the dump to abort.
|
Query (0x7ff5f40130d8): SELECT ( WITH RECURSIVE x AS ( WITH x AS ( SELECT 1 FROM t14 ) SELECT x ) , t14 AS ( SELECT 1 UNION SELECT 'x' FROM x ) SELECT x FROM x WHERE ( SELECT x FROM x ) )
|
|
|
Connection ID (thread ID): 4
|
Status: NOT_KILLED
|
|
|
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off,hash_join_cardinality=on
|
Attachments
Issue Links
- relates to
-
-
- Confirmed
-
Activity
It is cleaning up after error "Unknown column 'x' in 'field list'" happened to be mulfunctional on uncompleted data
The With_element without rec_result was created for following unit: "select 1 AS `1` union select 'x' AS x from x" the error happened in select "select x AS x" so above unit was not prepared. IMHO the situaton is legal and presence of rec_result should be checked during cleanup.
commit 4304264d68b8f6a2790e2711a9b92a4b856fd4aa (HEAD -> bb-10.4-MDEV-32308, origin/bb-10.4-MDEV-32308)
|
Author: Oleksandr Byelkin <sanja@mariadb.com>
|
Date: Wed Oct 18 15:27:51 2023 +0200
|
|
|
MDEV-32308 Server crash on cleanup of non-fully-constructed-due-to-an-error CTE
|
|
Check and do not try to access With_element::rec_result on cleanup
|
if it is not assigned.
|
The following query causes a crash of the same kind:
WITH RECURSIVE x(a) AS |
( WITH y(a) AS ( SELECT a FROM z ) SELECT b ), |
z(a) AS ( SELECT 1 as a UNION SELECT a FROM x ) |
SELECT x.a FROM x, x as t; |
Note that usage of 2 references of CTE x in the main query is critical to reproduce the crash.
In debugger I see that CTE x and CTE z are considered as mutually recursive though they are actually not
mutually recursive as the only reference to z occurs in the specification of the CTE y that is a hanging CTE.
julien.fritsch: in this case I have to investigate the problem in its generality, but at the time I don't have any time to do it.
I need to investigate the bug in its generality. So assign it to myself
Thanks! I repeated as described on 10.4-11.2
231010 10:43:19 [ERROR] mysqld got signal 11 ;Server version: 10.4.32-MariaDB-debug-log source revision: 0c7af6a2a19343cb9d4fedbd7165b8f73bc4cf96sql/signal_handler.cc:238(handle_fatal_signal)[0x56090d1a6f8d]sigaction.c:0(__restore_rt)[0x7fe5c8cd6420]sql/sql_union.cc:1958(st_select_lex_unit::cleanup())[0x56090ccb9b97]sql/sql_union.cc:1402(st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long))[0x56090ccb28cb]sql/sql_derived.cc:824(mysql_derived_prepare(THD*, LEX*, TABLE_LIST*))[0x56090c9125cb]sql/sql_derived.cc:200(mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int))[0x56090c90e99c]sql/table.cc:9097(TABLE_LIST::handle_derived(LEX*, unsigned int))[0x56090cd3b105]sql/sql_lex.h:4395(LEX::handle_list_of_derived(TABLE_LIST*, unsigned int))[0x56090c956e96]sql/sql_lex.cc:4306(st_select_lex::handle_derived(LEX*, unsigned int))[0x56090c978f35]sql/sql_select.cc:1243(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x56090ca99fcc]sql/item_subselect.cc:3804(subselect_single_select_engine::prepare(THD*))[0x56090d3ffa0c]sql/item_subselect.cc:289(Item_subselect::fix_fields(THD*, Item**))[0x56090d3d9481]sql/item.h:966(Item::fix_fields_if_needed(THD*, Item**))[0x56090c7475cd]sql/item.h:970(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x56090c747607]sql/sql_base.cc:7745(setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool))[0x56090c870eaf]sql/sql_select.cc:1330(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x56090ca9b269]sql/sql_select.cc:4789(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x56090cac0e67]sql/sql_select.cc:442(handle_select(THD*, LEX*, select_result*, unsigned long))[0x56090ca91de0]sql/sql_parse.cc:6475(execute_sqlcom_select(THD*, TABLE_LIST*))[0x56090c9fdbe4]sql/sql_parse.cc:3978(mysql_execute_command(THD*))[0x56090c9eb35b]sql/sql_parse.cc:8012(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x56090ca070bf]sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x56090c9dd4e5]sql/sql_parse.cc:1378(do_command(THD*))[0x56090c9da010]sql/sql_connect.cc:1420(do_handle_one_connection(CONNECT*))[0x56090cde7deb]sql/sql_connect.cc:1325(handle_one_connection)[0x56090cde768f]perfschema/pfs.cc:1871(pfs_spawn_thread)[0x56090da92274]nptl/pthread_create.c:478(start_thread)[0x7fe5c8cca609]Query (0x62b0000a1420): SELECT ( WITH RECURSIVE x AS ( WITH x AS ( SELECT 1 FROM t14 ) SELECT x ) , t14 AS ( SELECT 1 UNION SELECT 'x' FROM x ) SELECT x FROM x WHERE ( SELECT x FROM x ) )