Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
5.5.25, 5.3.7
-
None
-
None
-
Running under Mageia RPM packages on x86_64 system (note I tested on 5.5.23, but others have confirmed the issue on newer builds).
Description
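Certain combinations of dataset and query crash the mysqld daemon with a segmentation fault (SIGSEGV). Because the fault is raised while the server executes an ordinary SELECT, it takes down the whole server process, not only the session that issued the query.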
I will attach a dataset that can be used to reproduce the issue.
The following query can then be run on the data to reproduce the crash:
-- Reduced reproducer from this report: run against the attached dataset, this
-- statement crashes mysqld with SIGSEGV (reported on 5.5.23; the report is
-- marked Resolution: Fixed).
-- It counts rows of `points` joined to `entries` on entry_id where point_valid
-- is true, element_id = 2, and the `point` geometry is contained in the literal
-- triangle built by PolyFromText().
-- NOTE(review): the backtrace on this page faults under
-- QUICK_ROR_INTERSECT_SELECT::get_next -> key_copy -> Field_blob::get_key_image,
-- so reproduction presumably depends on the indexes in the attached dataset and
-- on the access plan chosen; keep the statement text unchanged when re-testing
-- a patched build, and confirm the plan with EXPLAIN.
SELECT COUNT(*) FROM points INNER JOIN entries USING(entry_id) WHERE point_valid AND element_id=2 AND Contains(PolyFromText('POLYGON((-0.32274092990144 52.153573199526,0.76983859527361 51.180702899733,-1.2134199194054 50.962667621632,-0.32274092990144 52.153573199526))'),point);
|
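The following backtrace was generated (in 5.5.23). The query text visible in frame #14 is a longer application query rather than the reduced query above, so the trace appears to come from the original failing statement. In frame #1 the `blob` pointer is 0x3c1d1e6a3fb29234, reported as out of bounds; on this x86_64 system its eight bytes in memory order (34 92 b2 3f 6a 1e 1d 3c) also occur inside the `from_record` buffer shown in frame #2, which suggests that coordinate data was read as a blob pointer before the 32-byte memcpy faulted: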
Program received signal SIGSEGV, Segmentation fault.
|
[Switching to Thread 0x7f42f3621700 (LWP 22847)]
|
0x00007f42f182d7a0 in __memcpy_ssse3 () from /lib64/libc.so.6
|
(gdb) bt
|
#0 0x00007f42f182d7a0 in __memcpy_ssse3 () from /lib64/libc.so.6
|
#1 0x00000000006c9bf1 in Field_blob::get_key_image (this=<optimized out>, buff=0x7f429831e080 " ", length=32, type_arg=<optimized out>) at /usr/include/bits/string3.h:52
|
#2 0x000000000079df71 in key_copy (to_key=0x7f429831e080 " ", from_record=0x7f429827a3e8 "\251\004'34\222\262?\251\004'34\222\262?j\036\035<\001\vJ@j\036\035<\001\vJ@J\001",
|
key_info=<optimized out>, key_length=32, with_zerofill=false) at /usr/src/debug/mariadb-5.5.23/sql/key.cc:146
|
#3 0x00000000007e2d4d in QUICK_ROR_INTERSECT_SELECT::get_next (this=0x7f4298313b40) at /usr/src/debug/mariadb-5.5.23/sql/opt_range.cc:10738
|
#4 0x00000000007eadd6 in rr_quick (info=0x7f42983187b8) at /usr/src/debug/mariadb-5.5.23/sql/records.cc:339
|
#5 0x00000000005d6dd9 in sub_select (join=0x7f42982ede88, join_tab=0x7f4298318708, end_of_records=<optimized out>) at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:15946
|
#6 0x00000000005df1cf in do_select (join=0x7f42982ede88, fields=0x0, table=0x7f4298314148, procedure=0x0) at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:15619
|
#7 0x00000000005ef9f2 in JOIN::exec (this=0x7f42982ede88) at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:2357
|
#8 0x00000000005f1472 in mysql_select (thd=0x42ee100, rref_pointer_array=<optimized out>, tables=<optimized out>, wild_num=1, fields=<optimized out>, conds=<optimized out>, og_num=3,
|
order=0x7f42982de038, group=0x7f42982ddd88, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f42982de158, unit=0x42f02d8, select_lex=0x42f09b0)
|
at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:3003
|
#9 0x00000000005f57c4 in handle_select (thd=0x42ee100, lex=0x42f0228, result=0x7f42982de158, setup_tables_done_option=0) at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:310
|
#10 0x00000000005a3754 in execute_sqlcom_select (thd=0x42ee100, all_tables=0x7f42982c25c0) at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:4616
|
#11 0x00000000005abb16 in mysql_execute_command (thd=0x42ee100) at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:2184
|
#12 0x00000000005b0e16 in mysql_parse (parser_state=0x7f42f36209c0, thd=0x42ee100, rawbuf=<optimized out>, length=<optimized out>)
|
at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:5731
|
#13 mysql_parse (thd=0x42ee100, rawbuf=<optimized out>, length=<optimized out>, parser_state=0x7f42f36209c0) at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:5656
|
#14 0x00000000005b2363 in dispatch_command (command=COM_QUERY, thd=0x42ee100,
|
packet=0x42f1ab1 "SELECT suppliers.*, members.name, loc_tn6.tree_node_id AS loc_tree_node_id, (ACOS(\n SIN(RADIANS(Y(egep.point))) * SIN(RADIANS(51.428643469796))\n + COS(RADIANS(Y(egep.point))) * COS(RADIANS(51.4"..., packet_length=4083288744) at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:1055
|
#15 0x000000000065e9b7 in do_handle_one_connection (thd_arg=<optimized out>) at /usr/src/debug/mariadb-5.5.23/sql/sql_connect.cc:1253
|
#16 0x000000000065eac0 in handle_one_connection (arg=0x42ee100) at /usr/src/debug/mariadb-5.5.23/sql/sql_connect.cc:1168
|
#17 0x00007f42f2cc8b99 in start_thread () from /lib64/libpthread.so.0
|
#18 0x00007f42f17e50cd in clone () from /lib64/libc.so.6
|
#19 0x0000000000000000 in ?? ()
|
(gdb) bt full
|
#0 0x00007f42f182d7a0 in __memcpy_ssse3 () from /lib64/libc.so.6
|
No symbol table info available.
|
#1 0x00000000006c9bf1 in Field_blob::get_key_image (this=<optimized out>, buff=0x7f429831e080 " ", length=32, type_arg=<optimized out>) at /usr/include/bits/string3.h:52
|
def_temp = 32
|
blob_length = 32
|
blob = 0x3c1d1e6a3fb29234 <Address 0x3c1d1e6a3fb29234 out of bounds>
|
local_char_length = <optimized out>
|
#2 0x000000000079df71 in key_copy (to_key=0x7f429831e080 " ", from_record=0x7f429827a3e8 "\251\004'34\222\262?\251\004'34\222\262?j\036\035<\001\vJ@j\036\035<\001\vJ@J\001",
|
key_info=<optimized out>, key_length=32, with_zerofill=false) at /usr/src/debug/mariadb-5.5.23/sql/key.cc:146
|
bytes = <optimized out>
|
length = 32
|
key_part = 0x7f42982847c0
|
#3 0x00000000007e2d4d in QUICK_ROR_INTERSECT_SELECT::get_next (this=0x7f4298313b40) at /usr/src/debug/mariadb-5.5.23/sql/opt_range.cc:10738
|
quick = 0x7f42982cf200
|
last_rowid_count = <optimized out>
|
quick_it = {<base_list_iterator> = {list = 0x7f4298313b80, el = 0x7f429831b5b8, prev = <optimized out>, current = <optimized out>}, <No data fields>}
|
qr = <optimized out>
|
error = 0
|
cmp = <optimized out>
|
#4 0x00000000007eadd6 in rr_quick (info=0x7f42983187b8) at /usr/src/debug/mariadb-5.5.23/sql/records.cc:339
|
tmp = <optimized out>
|
#5 0x00000000005d6dd9 in sub_select (join=0x7f42982ede88, join_tab=0x7f4298318708, end_of_records=<optimized out>) at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:15946
|
error = <optimized out>
|
rc = <optimized out>
|
info = 0x7f42983187b8
|
skip_over = <optimized out>
|
#6 0x00000000005df1cf in do_select (join=0x7f42982ede88, fields=0x0, table=0x7f4298314148, procedure=0x0) at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:15619
|
rc = 0
|
error = NESTED_LOOP_OK
|
join_tab = 0x7f4298318708
|
end_select = 0x5e46c0 <end_write(JOIN*, JOIN_TAB*, bool)>
|
#7 0x00000000005ef9f2 in JOIN::exec (this=0x7f42982ede88) at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:2357
|
save_proc = 0x0
|
columns_list = <optimized out>
|
__FUNCTION__ = "exec"
|
curr_join = 0x7f42982ede88
|
tmp_error = <optimized out>
|
curr_all_fields = 0x7f42982ee178
|
curr_fields_list = 0x42f0ac0
|
curr_tmp_table = 0x7f4298314148
|
#8 0x00000000005f1472 in mysql_select (thd=0x42ee100, rref_pointer_array=<optimized out>, tables=<optimized out>, wild_num=1, fields=<optimized out>, conds=<optimized out>, og_num=3,
|
order=0x7f42982de038, group=0x7f42982ddd88, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f42982de158, unit=0x42f02d8, select_lex=0x42f09b0)
|
at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:3003
|
err = <optimized out>
|
free_join = true
|
join = 0x7f42982ede88
|
__FUNCTION__ = "mysql_select"
|
#9 0x00000000005f57c4 in handle_select (thd=0x42ee100, lex=0x42f0228, result=0x7f42982de158, setup_tables_done_option=0) at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:310
|
unit = 0x42f02d8
|
res = <optimized out>
|
select_lex = 0x42f09b0
|
#10 0x00000000005a3754 in execute_sqlcom_select (thd=0x42ee100, all_tables=0x7f42982c25c0) at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:4616
|
---Type <return> to continue, or q <return> to quit---
|
lex = 0x42f0228
|
result = 0x7f42982de158
|
res = <optimized out>
|
#11 0x00000000005abb16 in mysql_execute_command (thd=0x42ee100) at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:2184
|
privileges_requested = <optimized out>
|
up_result = 0
|
lex = 0x42f0228
|
select_lex = 0x42f09b0
|
first_table = 0x7f42982c25c0
|
unit = 0x42f02d8
|
__FUNCTION__ = "mysql_execute_command"
|
res = <optimized out>
|
all_tables = 0x7f42982c25c0
|
have_table_map_for_update = false
|
#12 0x00000000005b0e16 in mysql_parse (parser_state=0x7f42f36209c0, thd=0x42ee100, rawbuf=<optimized out>, length=<optimized out>)
|
at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:5731
|
found_semicolon = <optimized out>
|
lex = 0x42f0228
|
err = <optimized out>
|
error = <optimized out>
|
#13 mysql_parse (thd=0x42ee100, rawbuf=<optimized out>, length=<optimized out>, parser_state=0x7f42f36209c0) at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:5656
|
No locals.
|
#14 0x00000000005b2363 in dispatch_command (command=COM_QUERY, thd=0x42ee100,
|
packet=0x42f1ab1 "SELECT suppliers.*, members.name, loc_tn6.tree_node_id AS loc_tree_node_id, (ACOS(\n SIN(RADIANS(Y(egep.point))) * SIN(RADIANS(51.428643469796))\n + COS(RADIANS(Y(egep.point))) * COS(RADIANS(51.4"..., packet_length=4083288744) at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:1055
|
packet_end = <optimized out>
|
parser_state = {m_lip = {m_thd = 0x42ee100, yylineno = 7, yytoklen = 1, yylval = 0x7f42f361f470, lookahead_token = -1, lookahead_yylval = 0x0, m_ptr = 0x7f4298005796 "\r",
|
m_tok_start = 0x7f4298005796 "\r", m_tok_end = 0x7f4298005796 "\r", m_end_of_query = 0x7f4298005795 "", m_tok_start_prev = 0x7f4298005795 "",
|
m_buf = 0x7f4298004c98 "SELECT suppliers.*, members.name, loc_tn6.tree_node_id AS loc_tree_node_id, (ACOS(\n SIN(RADIANS(Y(egep.point))) * SIN(RADIANS(51.428643469796))\n + COS(RADIANS(Y(egep.point))) * COS(RADIANS(51.4"..., m_buf_length = 2813, m_echo = true, m_echo_saved = false,
|
m_cpp_buf = 0x7f4298005800 "SELECT suppliers.*, members.name, loc_tn6.tree_node_id AS loc_tree_node_id, (ACOS(\n SIN(RADIANS(Y(egep.point))) * SIN(RADIANS(51.428643469796))\n + COS(RADIANS(Y(egep.point))) * COS(RADIANS(51.4"..., m_cpp_ptr = 0x7f42980062fd "", m_cpp_tok_start = 0x7f42980062fd "", m_cpp_tok_start_prev = 0x7f42980062fd "",
|
m_cpp_tok_end = 0x7f42980062fd "", m_body_utf8 = 0x0, m_body_utf8_ptr = 0x42ee100 "p\377\021\001", m_cpp_utf8_processed_ptr = 0x0, next_state = MY_LEX_END,
|
found_semicolon = 0x0, tok_bitmap = 127 '\177', ignore_space = false, stmt_prepare_mode = false, multi_statements = true, in_comment = NO_COMMENT,
|
in_comment_saved = 3112726272, m_cpp_text_start = 0x7f42980062fc "5", m_cpp_text_end = 0x7f42980062fd "", m_underscore_cs = 0x0}, m_yacc = {yacc_yyss = 0x0,
|
yacc_yyvs = 0x0, m_set_signal_info = {m_item = {0x0 <repeats 12 times>}}, m_lock_type = TL_READ_DEFAULT, m_mdl_type = MDL_SHARED_READ}}
|
net = 0x7f42f3620aa8
|
error = false
|
__FUNCTION__ = "dispatch_command"
|
#15 0x000000000065e9b7 in do_handle_one_connection (thd_arg=<optimized out>) at /usr/src/debug/mariadb-5.5.23/sql/sql_connect.cc:1253
|
create_user = true
|
thd = 0x42ee100
|
#16 0x000000000065eac0 in handle_one_connection (arg=0x42ee100) at /usr/src/debug/mariadb-5.5.23/sql/sql_connect.cc:1168
|
thd = 0x42ee100
|
#17 0x00007f42f2cc8b99 in start_thread () from /lib64/libpthread.so.0
|
No symbol table info available.
|
#18 0x00007f42f17e50cd in clone () from /lib64/libc.so.6
|
No symbol table info available.
|
#19 0x0000000000000000 in ?? ()
|
No symbol table info available.
|