[MDEV-34035] Server crashes at _ZN4JOIN15optimize_stage2Ev - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Duplicate
Affects Version/s: 11.3.2, 11.4.1
Fix Version/s: N/A
Component/s: Optimizer
Labels:
None
Environment:
Ubuntu 20.04 x86_64, docker image mariadb:11.4.1-rc

Description

PoC:

SELECT (WITH x AS (SELECT ('POINT(180 90)') AS x) SELECT x FROM x WHERE x IN (SELECT 0.200000 FROM x WHERE (SELECT x FROM (SELECT 2 UNION SELECT 3) AS x GROUP BY (SELECT x))));

Backtrace:

Server version: 11.4.1-MariaDB-1:11.4.1+maria~ubu2204 source revision: fa69b085b10f19a3a8b6e7adab27c104924333ae

key_buffer_size=134217728

read_buffer_size=131072

max_used_connections=1

max_threads=153

thread_count=1

It is possible that mysqld could use up to

key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 468064 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x7f6dd00018f8

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack_bottom = 0x7f6dec173c38 thread_stack 0x49000

Printing to addr2line failed

mariadbd(my_print_stacktrace+0x32)[0x55f7534594f2]

mariadbd(handle_fatal_signal+0x478)[0x55f752f291e8]

/lib/x86_64-linux-gnu/libc.so.6(+0x42520)[0x7f6e017f0520]

mariadbd(+0x8b0a2f)[0x55f752cfba2f]

mariadbd(_ZN4JOIN15optimize_stage2Ev+0x239a)[0x55f752d218da]

mariadbd(_ZN4JOIN14optimize_innerEv+0x146e)[0x55f752d23d2e]

mariadbd(_ZN4JOIN8optimizeEv+0xda)[0x55f752d2427a]

mariadbd(_ZN13st_select_lex31optimize_unflattened_subqueriesEb+0x115)[0x55f752c7bf95]

mariadbd(_ZN4JOIN15optimize_stage2Ev+0x41)[0x55f752d1f581]

mariadbd(_ZN4JOIN14optimize_innerEv+0x146e)[0x55f752d23d2e]

mariadbd(_ZN4JOIN8optimizeEv+0xda)[0x55f752d2427a]

mariadbd(_ZN13st_select_lex31optimize_unflattened_subqueriesEb+0x115)[0x55f752c7bf95]

mariadbd(_ZN4JOIN28optimize_constant_subqueriesEv+0x35)[0x55f752e224b5]

mariadbd(_ZN4JOIN14optimize_innerEv+0x503)[0x55f752d22dc3]

mariadbd(_ZN4JOIN8optimizeEv+0xda)[0x55f752d2427a]

mariadbd(_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex+0xd1)[0x55f752d24371]

mariadbd(_Z13handle_selectP3THDP3LEXP13select_resulty+0x154)[0x55f752d24bc4]

mariadbd(+0x84c285)[0x55f752c97285]

mariadbd(_Z21mysql_execute_commandP3THDb+0x440f)[0x55f752ca64af]

mariadbd(_Z11mysql_parseP3THDPcjP12Parser_state+0x1e7)[0x55f752ca7a17]

mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjb+0x14cd)[0x55f752caa20d]

mariadbd(_Z10do_commandP3THDb+0x138)[0x55f752cac118]

mariadbd(_Z24do_handle_one_connectionP7CONNECTb+0x3bf)[0x55f752dd8f6f]

mariadbd(handle_one_connection+0x5d)[0x55f752dd92bd]

mariadbd(+0xd10af6)[0x55f75315baf6]

/lib/x86_64-linux-gnu/libc.so.6(+0x94ac3)[0x7f6e01842ac3]

/lib/x86_64-linux-gnu/libc.so.6(clone+0x44)[0x7f6e018d3a04]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x7f6dd0013530): SELECT (WITH x AS (SELECT ('POINT(180 90)') AS x) SELECT x FROM x WHERE x IN (SELECT 0.200000 FROM x WHERE (SELECT x FROM (SELECT 2 UNION SELECT 3) AS x GROUP BY (SELECT x))))

Connection ID (thread ID): 4

Status: NOT_KILLED

Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off,hash_join_cardinality=on,cset_narrowing=off,sargable_casefold=on

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mariadbd/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /var/lib/mysql

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units

Max cpu time              unlimited            unlimited            seconds

Max file size             unlimited            unlimited            bytes

Max data size             unlimited            unlimited            bytes

Max stack size            8388608              unlimited            bytes

Max core file size        unlimited            unlimited            bytes

Max resident set          unlimited            unlimited            bytes

Max processes             2062276              2062276              processes

Max open files            524288               524288               files

Max locked memory         8388608              8388608              bytes

Max address space         unlimited            unlimited            bytes

Max file locks            unlimited            unlimited            locks

Max pending signals       2062276              2062276              signals

Max msgqueue size         819200               819200               bytes

Max nice priority         0                    0

Max realtime priority     0                    0

Max realtime timeout      unlimited            unlimited            us

Core pattern: core

Kernel version: Linux version 6.1.10-1-pve (build@proxmox) (gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP PREEMPT_DYNAMIC PVE 6.1.10-1 (2023-02-07T00:00Z) ()

Attachments

Issue Links

duplicates

MDEV-30756 Crash in get_sort_by_table / make_join_statistics / update_depend_map_for_order, various UBSAN pointer issues

Stalled

Activity

Alice Sherepa added a comment - 2024-04-30 08:55

Thanks! This is the same bug as MDEV-30756, I will add the test case there:

240430 10:52:29 [ERROR] mysqld got signal 11 ;

Server version: 10.4.34-MariaDB-debug-log source revision: a586b6dbc81b788106cee0f88416c389ae79d26c

sql/signal_handler.cc:235(handle_fatal_signal)[0x563a476e5fbf]

sigaction.c:0(__restore_rt)[0x7ff965aca420]

sql/sql_select.cc:14427(update_depend_map_for_order(JOIN*, st_order*))[0x563a4704293c]

sql/sql_select.cc:14523(remove_const(JOIN*, st_order*, Item*, bool, bool*))[0x563a47043105]

sql/sql_select.cc:2863(JOIN::optimize_stage2())[0x563a46fe7d89]

sql/sql_select.cc:2439(JOIN::optimize_inner())[0x563a46fe3260]

sql/sql_select.cc:1731(JOIN::optimize())[0x563a46fdbce9]

sql/sql_lex.cc:4347(st_select_lex::optimize_unflattened_subqueries(bool))[0x563a46eabcf6]

sql/opt_subselect.cc:5611(JOIN::optimize_unflattened_subqueries())[0x563a47428ee7]

sql/sql_select.cc:3210(JOIN::optimize_stage2())[0x563a46feb212]

sql/sql_select.cc:2439(JOIN::optimize_inner())[0x563a46fe3260]

sql/sql_select.cc:1731(JOIN::optimize())[0x563a46fdbce9]

sql/sql_lex.cc:4347(st_select_lex::optimize_unflattened_subqueries(bool))[0x563a46eabcf6]

sql/opt_subselect.cc:5644(JOIN::optimize_constant_subqueries())[0x563a47428fd4]

sql/sql_select.cc:2089(JOIN::optimize_inner())[0x563a46fdf121]

sql/sql_select.cc:1731(JOIN::optimize())[0x563a46fdbce9]

sql/sql_select.cc:4857(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x563a46ffd03b]

sql/sql_select.cc:442(handle_select(THD*, LEX*, select_result*, unsigned long))[0x563a46fcd73a]

sql/sql_parse.cc:6558(execute_sqlcom_select(THD*, TABLE_LIST*))[0x563a46f3426c]

sql/sql_parse.cc:3989(mysql_execute_command(THD*))[0x563a46f21459]

sql/sql_parse.cc:8097(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x563a46f3d7e7]

sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x563a46f13421]

sql/sql_parse.cc:1378(do_command(THD*))[0x563a46f0ff4c]

sql/sql_connect.cc:1419(do_handle_one_connection(CONNECT*))[0x563a4732615c]

sql/sql_connect.cc:1324(handle_one_connection)[0x563a47325a00]

perfschema/pfs.cc:1871(pfs_spawn_thread)[0x563a47fc4ffa]

nptl/pthread_create.c:478(start_thread)[0x7ff965abe609]

Query (0x62b0000a1290): SELECT (WITH x AS (SELECT ('POINT(180 90)') AS x) SELECT x FROM x WHERE x IN (SELECT 0.200000 FROM x WHERE (SELECT x FROM (SELECT 2 UNION SELECT 3) AS x GROUP BY (SELECT x))))

Alice Sherepa added a comment - 2024-04-30 08:55 Thanks! This is the same bug as MDEV-30756 , I will add the test case there: 240430 10:52:29 [ERROR] mysqld got signal 11 ; Server version: 10.4.34-MariaDB-debug-log source revision: a586b6dbc81b788106cee0f88416c389ae79d26c sql/signal_handler.cc:235(handle_fatal_signal)[0x563a476e5fbf] sigaction.c:0(__restore_rt)[0x7ff965aca420] sql/sql_select.cc:14427(update_depend_map_for_order(JOIN*, st_order*))[0x563a4704293c] sql/sql_select.cc:14523(remove_const(JOIN*, st_order*, Item*, bool, bool*))[0x563a47043105] sql/sql_select.cc:2863(JOIN::optimize_stage2())[0x563a46fe7d89] sql/sql_select.cc:2439(JOIN::optimize_inner())[0x563a46fe3260] sql/sql_select.cc:1731(JOIN::optimize())[0x563a46fdbce9] sql/sql_lex.cc:4347(st_select_lex::optimize_unflattened_subqueries(bool))[0x563a46eabcf6] sql/opt_subselect.cc:5611(JOIN::optimize_unflattened_subqueries())[0x563a47428ee7] sql/sql_select.cc:3210(JOIN::optimize_stage2())[0x563a46feb212] sql/sql_select.cc:2439(JOIN::optimize_inner())[0x563a46fe3260] sql/sql_select.cc:1731(JOIN::optimize())[0x563a46fdbce9] sql/sql_lex.cc:4347(st_select_lex::optimize_unflattened_subqueries(bool))[0x563a46eabcf6] sql/opt_subselect.cc:5644(JOIN::optimize_constant_subqueries())[0x563a47428fd4] sql/sql_select.cc:2089(JOIN::optimize_inner())[0x563a46fdf121] sql/sql_select.cc:1731(JOIN::optimize())[0x563a46fdbce9] sql/sql_select.cc:4857(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x563a46ffd03b] sql/sql_select.cc:442(handle_select(THD*, LEX*, select_result*, unsigned long))[0x563a46fcd73a] sql/sql_parse.cc:6558(execute_sqlcom_select(THD*, TABLE_LIST*))[0x563a46f3426c] sql/sql_parse.cc:3989(mysql_execute_command(THD*))[0x563a46f21459] sql/sql_parse.cc:8097(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x563a46f3d7e7] sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x563a46f13421] sql/sql_parse.cc:1378(do_command(THD*))[0x563a46f0ff4c] sql/sql_connect.cc:1419(do_handle_one_connection(CONNECT*))[0x563a4732615c] sql/sql_connect.cc:1324(handle_one_connection)[0x563a47325a00] perfschema/pfs.cc:1871(pfs_spawn_thread)[0x563a47fc4ffa] nptl/pthread_create.c:478(start_thread)[0x7ff965abe609] Query (0x62b0000a1290): SELECT (WITH x AS (SELECT ('POINT(180 90)') AS x) SELECT x FROM x WHERE x IN (SELECT 0.200000 FROM x WHERE (SELECT x FROM (SELECT 2 UNION SELECT 3) AS x GROUP BY (SELECT x))))

MariaDB Server

Server crashes at _ZN4JOIN15optimize_stage2Ev

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration