MariaDB Server: MDEV-32424

Pushdown: server crashes at JOIN::save_explain_data()

Details

    Description

      Run these queries in a release build:

      CREATE TABLE x ( x VARCHAR ( 1 ) ) ;
      INSERT INTO x ( x ) VALUES ( 'x' ) , ( NULL ) , ( 'x' ) , ( NULL ) ;
      SELECT 1 - x IN ( SELECT x FROM x ORDER BY x + 1 ) FROM x GROUP BY x HAVING x = ( SELECT x AS x FROM x WHERE x = x ORDER BY ( 1 < x AND x = 1 ) ) AND x IN ( 1 , x ) ;
      

      This will trigger a segmentation fault.
      GDB info:

      Thread 16 "mariadbd" received signal SIGSEGV, Segmentation fault.
      [Switching to Thread 0x7fffe011a700 (LWP 46873)]
      JOIN::exec (this=0x7fff94079fa0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4717
      4717	  ANALYZE_START_TRACKING(thd, &explain->time_tracker);
      (gdb) p explain
      $62 = (Explain_select *) 0x0
      (gdb) p &explain->time_tracker
      $64 = (Time_and_counter_tracker *) 0xb0
       
      #0  JOIN::exec (this=0x7fff94079fa0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4717
      #1  0x00005555560b1422 in subselect_single_select_engine::exec (this=0x7fff940725d0)
          at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159
      #2  0x00005555560b040c in Item_subselect::exec (this=0x7fff94072440)
          at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812
      #3  0x00005555560afda4 in Item_singlerow_subselect::val_str (this=0x7fff94072440, 
          str=0x7fffe0118280) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1484
      #4  0x0000555556028ab8 in cmp_item_sort_string::cmp (this=0x7fff94079c20, arg=0x7fff94072440)
          at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.h:1742
      #5  0x0000555556020ce6 in Predicant_to_list_comparator::cmp_arg (i=1, args=0x7fff94072ba8, 
          this=0x7fff94072c08) at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.h:2083
      #6  Predicant_to_list_comparator::cmp (found_unknown_values=0x7fff94072b9c, 
          idx=<synthetic pointer>, args=0x7fff94072ba8, this=0x7fff94072c08)
          at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.h:2260
      #7  Item_func_in::val_int (this=0x7fff94072b30)
          at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:4761
      #8  0x0000555555f211e4 in Type_handler_int_result::Item_val_bool (this=<optimized out>, 
          item=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_type.cc:5082
      #9  0x0000555556011c6c in Item_cond_and::val_int (this=0x7fff9407ce00)
          at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:5524
      #10 0x0000555555dad3fd in evaluate_join_record (join=join@entry=0x7fff94073708, 
          join_tab=join_tab@entry=0x7fff9407be10, error=<optimized out>)
          at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23545
      #11 0x0000555555dbf7fb in sub_select (join=0x7fff94073708, join_tab=0x7fff9407be10, 
          end_of_records=false) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444
      #12 0x0000555555df19b2 in do_select (procedure=<optimized out>, join=0x7fff94073708)
          at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
      #13 JOIN::exec_inner (this=this@entry=0x7fff94073708)
          at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
      #14 0x0000555555df1d78 in JOIN::exec (this=this@entry=0x7fff94073708)
          at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
      #15 0x0000555555defe1c in mysql_select (thd=thd@entry=0x7fff94000c58, tables=0x7fff940150f0, 
          fields=..., conds=0x0, og_num=1, order=0x0, group=0x7fff94015940, having=0x7fff94072c98, 
          proc_param=0x0, select_options=<optimized out>, result=0x7fff940736e0, 
          unit=0x7fff94004ee8, select_lex=0x7fff94012de8)
          at /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249
      #16 0x0000555555df0607 in handle_select (thd=thd@entry=0x7fff94000c58, 
          lex=lex@entry=0x7fff94004e08, result=result@entry=0x7fff940736e0, 
          setup_tables_done_option=setup_tables_done_option@entry=0)
          at /home/wx/mariadb-11.3.0/sql/sql_select.cc:628
      #17 0x0000555555d6de41 in execute_sqlcom_select (thd=thd@entry=0x7fff94000c58, 
          all_tables=0x7fff940150f0) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013
      #18 0x0000555555d7c2aa in mysql_execute_command (thd=thd@entry=0x7fff94000c58, 
          is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)
          at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912
      #19 0x0000555555d68c27 in mysql_parse (thd=0x7fff94000c58, rawbuf=<optimized out>, 
          length=<optimized out>, parser_state=<optimized out>)
          at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
      #20 0x0000555555d74fdd in dispatch_command (command=command@entry=COM_QUERY, 
          thd=thd@entry=0x7fff94000c58, packet=packet@entry=0x7fff94008509 "", 
          packet_length=packet_length@entry=164, blocking=blocking@entry=true)
          at /home/wx/mariadb-11.3.0/sql/sql_class.h:251
      #21 0x0000555555d7721e in do_command (thd=0x7fff94000c58, blocking=blocking@entry=true)
          at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
      #22 0x0000555555e9a617 in do_handle_one_connection (connect=<optimized out>, 
          connect@entry=0x555557e14ea8, put_in_cache=put_in_cache@entry=true)
          at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
      #23 0x0000555555e9a94d in handle_one_connection (arg=arg@entry=0x555557e14ea8)
          at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
      #24 0x00005555561e658d in pfs_spawn_thread (arg=0x555557dbe968)
          at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
      #25 0x00007ffff7b48609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
      #26 0x00007ffff7719133 in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

          Activity

            Gosselin Dave Gosselin added a comment -

            ycp I agree if we resolve this ticket by delivering psergei's patch from MDEV-29363.

            alice Alice Sherepa added a comment -

            Currently 10.5 fails the same way, but 10.6-11.5 fail with the following assertion:

            mariadbd: /10.6/src/sql/sql_select.cc:4626: bool JOIN::save_explain_data(Explain_query*, bool, bool, bool, bool): Assertion `select_lex->select_number == FAKE_SELECT_LEX_ID || !output || !output->get_select(select_lex->select_number) || output->get_select(select_lex->select_number)->select_lex == select_lex' failed.
            240603 14:27:05 [ERROR] mysqld got signal 6 ;
             
            Server version: 10.6.19-MariaDB-debug-log source revision: f2302a62e33a1c83ccc0968149f9543bc315e82b
             
            /lib/x86_64-linux-gnu/libc.so.6(+0x33fd6)[0x7ff0b95ecfd6]
            sql/sql_select.cc:4631(JOIN::save_explain_data(Explain_query*, bool, bool, bool, bool))[0x557c8ca25c68]
            sql/sql_select.cc:1854(JOIN::build_explain())[0x557c8ca07d43]
            sql/sql_select.cc:1914(JOIN::optimize())[0x557c8ca087fc]
            sql/sql_lex.cc:5016(st_select_lex::optimize_unflattened_subqueries(bool))[0x557c8c8cafdd]
            sql/opt_subselect.cc:5684(JOIN::optimize_unflattened_subqueries())[0x557c8cedbe1b]
            sql/sql_select.cc:3202(JOIN::optimize_stage2())[0x557c8ca16350]
            sql/sql_select.cc:2614(JOIN::optimize_inner())[0x557c8ca0fddf]
            sql/sql_select.cc:1908(JOIN::optimize())[0x557c8ca0874d]
            sql/sql_select.cc:5151(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x557c8ca2aba0]
            sql/sql_select.cc:559(handle_select(THD*, LEX*, select_result*, unsigned long))[0x557c8c9f9d4b]
            sql/sql_parse.cc:6380(execute_sqlcom_select(THD*, TABLE_LIST*))[0x557c8c9594c5]
            sql/sql_parse.cc:3988(mysql_execute_command(THD*, bool))[0x557c8c947984]
            sql/sql_parse.cc:8146(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x557c8c964904]
            sql/sql_parse.cc:1899(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x557c8c939c59]
            sql/sql_parse.cc:1410(do_command(THD*, bool))[0x557c8c93699a]
            sql/sql_connect.cc:1417(do_handle_one_connection(CONNECT*, bool))[0x557c8cdc1119]
            sql/sql_connect.cc:1321(handle_one_connection)[0x557c8cdc0a76]
            perfschema/pfs.cc:2203(pfs_spawn_thread)[0x557c8da614e0]
            nptl/pthread_create.c:478(start_thread)[0x7ff0b9b07609]
             
            Query (0x62b0000c42a8): SELECT a FROM t1 GROUP BY a HAVING (a = '' OR a = 0) AND a = (SELECT MIN(f) FROM t2)
            

            adding to make it searchable


            shagalla Galina Shalygina (Inactive) added a comment -

            Currently 10.5+ fails with this assertion:

            Server version: 10.5.26-MariaDB-debug-log source revision: 2739b5f5f85cea81556a8678206342c9758bce28
             
            /lib/x86_64-linux-gnu/libc.so.6(+0x39e96)[0x72c9b4839e96]
            sql/sql_select.cc:4373(JOIN::save_explain_data(Explain_query*, bool, bool, bool, bool))[0x5ef25a930324]
            sql/sql_select.cc:1706(JOIN::build_explain())[0x5ef25a926186]
            sql/sql_select.cc:1766(JOIN::optimize())[0x5ef25a9264d6]
            sql/sql_lex.cc:4959(st_select_lex::optimize_unflattened_subqueries(bool))[0x5ef25a89e2ee]
            sql/opt_subselect.cc:5672(JOIN::optimize_unflattened_subqueries())[0x5ef25ab10f48]
            sql/sql_select.cc:2985(JOIN::optimize_stage2())[0x5ef25a92ade0]
            sql/sql_select.cc:2435(JOIN::optimize_inner())[0x5ef25a928c96]
            sql/sql_select.cc:1760(JOIN::optimize())[0x5ef25a92649a]
            sql/sql_select.cc:4892(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x5ef25a931f45]
            sql/sql_select.cc:449(handle_select(THD*, LEX*, select_result*, unsigned long))[0x5ef25a920f1c]
            sql/sql_parse.cc:6425(execute_sqlcom_select(THD*, TABLE_LIST*))[0x5ef25a8df4be]
            sql/sql_parse.cc:4030(mysql_execute_command(THD*))[0x5ef25a8d6269]
            sql/sql_parse.cc:8221(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5ef25a8e4633]
            sql/sql_parse.cc:1895(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5ef25a8cf92f]
            sql/sql_parse.cc:1376(do_command(THD*))[0x5ef25a8ce0c3]
            sql/sql_connect.cc:1417(do_handle_one_connection(CONNECT*, bool))[0x5ef25aa9491d]
            sql/sql_connect.cc:1321(handle_one_connection)[0x5ef25aa9468d]
            perfschema/pfs.cc:2203(pfs_spawn_thread)[0x5ef25b02e2f1]
            nptl/pthread_create.c:442(start_thread)[0x72c9b4894ac3]
            x86_64/clone3.S:83(__clone3)[0x72c9b4926850]
            


            shagalla Galina Shalygina (Inactive) added a comment - edited

            This MDEV is quite similar to MDEV-29363 and will be fixed with its patch.

            Consider the testcase:

            CREATE TABLE t1 (a VARCHAR (1)) ;
            INSERT INTO t1 VALUES ('b') , (NULL);
             
            SELECT a FROM t1
              GROUP BY a HAVING a = (SELECT MIN(a) AS min_a FROM t1) AND a IN (1 , a);
            

            The query doesn't crash with optimizer_switch='condition_pushdown_from_having=off'. So, the problem is in the pushdown from HAVING into WHERE optimization.

            In the debugger it can be seen that the condition that is going to be pushed looks like this:

            t1.a in (1,(subquery#2)) and t1.a = (subquery#2)
            

            Here (subquery#2) is a reference to the constant subquery. The constant subquery is marked with IMMUTABLE_FL to prevent it from being cleaned up and fixed. Because of the current implementation, when t1.a in (1,(subquery#2)) is processed the flag is removed from (subquery#2). So, the second occurrence of (subquery#2) is cleaned up and fixed, which causes a crash.

            As the problematic query in MDEV-29363 is almost the same, for details look at this MDEV.

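To illustrate the mechanism described in the comment above (one constant subquery item referenced by two predicates of the pushed condition, losing its IMMUTABLE_FL marker on the first visit so the second visit cleans it up), here is an added Python model. It is not MariaDB code: the Subquery class, the flag handling, the predicate tuples and the remedy in push_condition_fixed are assumptions made for illustration.

```python
# Simplified model of the lifecycle bug described in the comment above. Not MariaDB
# code: Subquery, IMMUTABLE_FL, the predicate representation and the remedy in
# push_condition_fixed are assumptions made for illustration.
IMMUTABLE_FL = 0x1  # assumed: "do not clean up or re-fix this item"

class Subquery:
    """A constant subquery item shared by several predicates."""
    def __init__(self, number):
        self.number = number
        self.flags = IMMUTABLE_FL        # marked immutable before pushdown
        self.explain = "Explain_select"  # built when the subquery was optimized

    def cleanup(self):
        self.explain = None  # mirrors the gdb output: explain == (Explain_select *) 0x0

    def exec(self):
        # Stand-in for JOIN::exec touching &explain->time_tracker through a NULL pointer.
        if self.explain is None:
            raise RuntimeError(f"(subquery#{self.number}): explain is NULL")
        return f"(subquery#{self.number}) executed"

def walk_subqueries(predicates, visit):
    """Hand every subquery occurrence in the pushed condition to visit()."""
    return [visit(a) for pred in predicates for a in pred if isinstance(a, Subquery)]

def push_condition_buggy(predicates):
    """First occurrence strips the flag; the second occurrence of the same item
    is no longer protected and gets cleaned up."""
    def visit(item):
        if item.flags & IMMUTABLE_FL:
            item.flags &= ~IMMUTABLE_FL
            return "kept"
        item.cleanup()  # re-fixing afterwards does not rebuild the explain data
        return "cleaned"
    return walk_subqueries(predicates, visit)

def push_condition_fixed(predicates):
    """Assumed remedy: honour the flag on every occurrence, drop it once at the end."""
    seen = []
    def visit(item):
        if item not in seen:
            seen.append(item)
        return "kept" if item.flags & IMMUTABLE_FL else "cleaned"
    outcomes = walk_subqueries(predicates, visit)
    for item in seen:
        item.flags &= ~IMMUTABLE_FL
    return outcomes

def run(pushdown):
    """Constructed condition: t1.a in (1,(subquery#2)) and t1.a = (subquery#2).
    Returns per-occurrence outcomes and whether executing subquery#2 survived."""
    sq = Subquery(2)
    outcomes = pushdown([("t1.a", 1, sq), ("t1.a", sq)])
    try:
        sq.exec()
        return outcomes, True
    except RuntimeError:
        return outcomes, False
```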

            shagalla Galina Shalygina (Inactive) added a comment -

            Fixed in 10.5 with the MDEV-29363 commit.
            The testcase for this MDEV is included in the patch (find here).

            The initial query doesn't crash anymore.

            MariaDB [t]> CREATE TABLE x ( x VARCHAR ( 1 ) ) ;
            MariaDB [t]> INSERT INTO x ( x ) VALUES ( 'x' ) , ( NULL ) , ( 'x' ) , ( NULL ) ;
             
            MariaDB [t]> SELECT 1 - x IN ( SELECT x FROM x ORDER BY x + 1 ) FROM x GROUP BY x HAVING x = ( SELECT x AS x FROM x WHERE x = x ORDER BY ( 1 < x AND x = 1 ) ) AND x IN ( 1 , x ) ;
            ERROR 1242 (21000): Subquery returns more than 1 row
            


            People

              shagalla Galina Shalygina (Inactive)
              Xin Wen Xin Wen