Details
Bug
Status: Closed (View Workflow)
Minor
Resolution: Fixed
10.0.0, 5.5.28a, 5.3.11, 5.2.13, 5.1.66
None
Description
Both problems are also reproducible on MySQL 5.1-5.6 and filed as http://bugs.mysql.com/bug.php?id=68031.
Monty has already fixed the crash in Item_func_group_concat::add, for which he had a test case, and the one in Item_func_group_concat::setup apparently got fixed along the way — at least it is not reproducible on maria-5.5-monty revno 3609 revision-id: monty@askmonty.org-20121231143244-fxaurxla5f1kugxo (the bugfix revision).
I'm filing it
- to make sure that the problem in Item_func_group_concat::setup is indeed fixed and not just hidden,
- to have a decision whether we want to have it fixed in 5.3 (or earlier),
- and for the record, as we might need to make references to the bug report in other systems.
Stack traces below are from 5.5.23.
Item_func_group_concat::setup
# mysqltest repro for the invalid read / crash in Item_func_group_concat::setup.
# InnoDB is required because the table below is created with ENGINE=InnoDB.
# The report notes it can also be reproduced with stored procedures instead of a prepared statement.
--source include/have_innodb.inc
|
|
DROP TABLE IF EXISTS t1; |
|
CREATE TABLE t1 ( |
pk INT NOT NULL PRIMARY KEY, |
d1 DOUBLE, |
d2 DOUBLE, |
i INT NOT NULL DEFAULT '0', |
KEY (i) |
) ENGINE=InnoDB;
|
|
# Two rows suffice; the statement groups over the NATURAL JOIN of t1 with itself.
INSERT INTO t1 VALUES (1,1.0,1.1,1),(2,2.0,2.2,2); |
|
# The triggering combination: DISTINCT + GROUP_CONCAT with its own ORDER BY + GROUP BY ... WITH ROLLUP,
# run as a prepared statement so the same GROUP_CONCAT item is set up again on re-execution.
PREPARE stmt FROM " |
SELECT DISTINCT i, GROUP_CONCAT( d1, d2 ORDER BY d1, d2 )
|
FROM t1 a1 NATURAL JOIN t1 a2 GROUP BY i WITH ROLLUP
|
"; |
|
# The statement is executed twice. The valgrind trace shows Item_func_group_concat::setup
# (via setup_order / find_order_in_list) reading a block that free_root had already released at the
# end of an earlier dispatch_command — a use-after-free across statement executions that also
# produces the SIGSEGV in find_order_in_list. Memory-safety bugs reachable from plain SQL like this
# are a server-crash (denial-of-service) risk, which is why the backport question matters.
EXECUTE stmt; |
EXECUTE stmt; |
It can also be reproduced with stored procedures instead of prepared statements.
Valgrind errors (examples):
==25865== Invalid read of size 8
==25865== at 0x54FB28: find_item_in_list(Item*, List<Item>&, unsigned int*, find_item_error_report_type, enum_resolution_type*) (sql_base.cc:6959)
==25865== by 0x5A8259: find_order_in_list(THD*, Item**, TABLE_LIST*, st_order*, List<Item>&, List<Item>&, bool) (sql_select.cc:19284)
==25865== by 0x5BE066: setup_order(THD*, Item**, TABLE_LIST*, List<Item>&, List<Item>&, st_order*) (sql_select.cc:19394)
==25865== by 0x7220C9: Item_func_group_concat::setup(THD*) (item_sum.cc:3407)
==25865== by 0x5C2FD0: JOIN::init_execution() (item_sum.h:512)
==25865== by 0x5CA33C: JOIN::exec() (sql_select.cc:2317)
==25865== by 0x5CBDD3: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3003)
==25865== by 0x5D01AC: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:310)
==25865== by 0x5836B8: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:4616)
==25865== by 0x58BBA0: mysql_execute_command(THD*) (sql_parse.cc:2184)
==25865== by 0x59DB40: Prepared_statement::execute(String*, bool) (sql_prepare.cc:3886)
==25865== by 0x59DBEB: Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) (sql_prepare.cc:3545)
==25865== by 0x59DDB2: mysql_sql_stmt_execute(THD*) (sql_prepare.cc:2711)
==25865== by 0x58B395: mysql_execute_command(THD*) (sql_parse.cc:2194)
==25865== by 0x590150: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:5731)
==25865== by 0x591583: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1055)
==25865== Address 0x15a26a70 is 7,792 bytes inside a block of size 8,152 free'd
==25865== at 0x4C282E0: free (vg_replace_malloc.c:366)
==25865== by 0x9E347F: free_root (my_alloc.c:366)
==25865== by 0x590511: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1450)
==25865== by 0x630172: do_handle_one_connection(THD*) (sql_connect.cc:1253)
==25865== by 0x6301FB: handle_one_connection (sql_connect.cc:1168)
==25865== by 0x9710F7: pfs_spawn_thread (pfs.cc:1015)
==25865== by 0x5895EFB: start_thread (pthread_create.c:304)
==25865== by 0x611AF4C: clone (clone.S:112)
==25865== Invalid read of size 8
==25865== at 0x5A822A: find_order_in_list(THD*, Item**, TABLE_LIST*, st_order*, List<Item>&, List<Item>&, bool) (sql_select.cc:19256)
==25865== by 0x5BE066: setup_order(THD*, Item**, TABLE_LIST*, List<Item>&, List<Item>&, st_order*) (sql_select.cc:19394)
==25865== by 0x7220C9: Item_func_group_concat::setup(THD*) (item_sum.cc:3407)
==25865== by 0x5C2FD0: JOIN::init_execution() (item_sum.h:512)
==25865== by 0x5CA33C: JOIN::exec() (sql_select.cc:2317)
==25865== by 0x5CBDD3: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3003)
==25865== by 0x5D01AC: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:310)
==25865== by 0x5836B8: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:4616)
==25865== by 0x58BBA0: mysql_execute_command(THD*) (sql_parse.cc:2184)
==25865== by 0x59DB40: Prepared_statement::execute(String*, bool) (sql_prepare.cc:3886)
==25865== by 0x59DBEB: Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) (sql_prepare.cc:3545)
==25865== by 0x59DDB2: mysql_sql_stmt_execute(THD*) (sql_prepare.cc:2711)
==25865== by 0x58B395: mysql_execute_command(THD*) (sql_parse.cc:2194)
==25865== by 0x590150: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:5731)
==25865== by 0x591583: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1055)
==25865== by 0x630172: do_handle_one_connection(THD*) (sql_connect.cc:1253)
==25865== Address 0x1124e2e0 is 6,528 bytes inside a block of size 8,152 free'd
==25865== at 0x4C282E0: free (vg_replace_malloc.c:366)
==25865== by 0x9E34A7: free_root (my_alloc.c:372)
==25865== by 0x590511: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1450)
==25865== by 0x630172: do_handle_one_connection(THD*) (sql_connect.cc:1253)
==25865== by 0x6301FB: handle_one_connection (sql_connect.cc:1168)
==25865== by 0x9710F7: pfs_spawn_thread (pfs.cc:1015)
==25865== by 0x5895EFB: start_thread (pthread_create.c:304)
==25865== by 0x611AF4C: clone (clone.S:112)
Crash:
#2 <signal handler called>
#3 0x0000000000000000 in ?? ()
#4 0x00000000005a8239 in find_order_in_list (thd=0x3a71380, ref_pointer_array=0x3b18318, tables=0x3b18478, order=0x3b17e68, fields=..., all_fields=..., is_group_field=false) at sql/sql_select.cc:19267
#5 0x00000000005be067 in setup_order (thd=0x3a71380, ref_pointer_array=0x3b18318, tables=0x3b18478, fields=..., all_fields=..., order=0x3b17e68) at sql/sql_select.cc:19394
#6 0x00000000007220ca in Item_func_group_concat::setup (this=0x3b17ee0, thd=0x3a71380) at sql/item_sum.cc:3407
#7 0x00000000005c2fd1 in aggregator_setup (thd=0x3a71380, this=<optimized out>) at sql/item_sum.h:512
#8 setup_sum_funcs (func_ptr=0x3b02bc0, thd=0x3a71380) at sql/sql_select.cc:20401
#9 JOIN::init_execution (this=0x3b025c0) at sql/sql_select.cc:1821
#10 0x00000000005ca33d in JOIN::exec (this=0x3b025c0) at sql/sql_select.cc:2317
#11 0x00000000005cbdd4 in mysql_select (thd=0x3a71380, rref_pointer_array=<optimized out>, tables=<optimized out>, wild_num=0, fields=<optimized out>, conds=<optimized out>, og_num=1, order=0x0, group=0x3b197e0, having=0x0, proc_param=0x0, select_options=2416184065, result=0x3b19820, unit=0x3b16510, select_lex=0x3b16be8) at sql/sql_select.cc:3003
#12 0x00000000005d01ad in handle_select (thd=0x3a71380, lex=0x3b16460, result=0x3b19820, setup_tables_done_option=0) at sql/sql_select.cc:310
#13 0x00000000005836b9 in execute_sqlcom_select (thd=0x3a71380, all_tables=0x3b18478) at sql/sql_parse.cc:4616
#14 0x000000000058bba1 in mysql_execute_command (thd=0x3a71380) at sql/sql_parse.cc:2184
#15 0x000000000059db41 in Prepared_statement::execute (this=0x3b0b340, expanded_query=<optimized out>, open_cursor=false) at sql/sql_prepare.cc:3886
#16 0x000000000059dbec in Prepared_statement::execute_loop (this=0x3b0b340, expanded_query=0x7f7c42cd1ca0, open_cursor=false, packet=0x0, packet_end=0x0) at sql/sql_prepare.cc:3545
#17 0x000000000059ddb3 in mysql_sql_stmt_execute (thd=<optimized out>) at sql/sql_prepare.cc:2711
#18 0x000000000058b396 in mysql_execute_command (thd=0x3a71380) at sql/sql_parse.cc:2194
#19 0x0000000000590151 in mysql_parse (parser_state=0x7f7c42cd3450, thd=0x3a71380, rawbuf=<optimized out>, length=<optimized out>) at sql/sql_parse.cc:5731
#20 mysql_parse (thd=0x3a71380, rawbuf=<optimized out>, length=12, parser_state=0x7f7c42cd3450) at sql/sql_parse.cc:5656
#21 0x0000000000591584 in dispatch_command (command=COM_QUERY, thd=0x3a71380, packet=<optimized out>, packet_length=1120744760) at sql/sql_parse.cc:1055
#22 0x0000000000630173 in do_handle_one_connection (thd_arg=<optimized out>) at sql/sql_connect.cc:1253
#23 0x00000000006301fc in handle_one_connection (arg=0x3a71380) at sql/sql_connect.cc:1168
#24 0x00000000009710f8 in pfs_spawn_thread (arg=0x3b3edd0) at storage/perfschema/pfs.cc:1015
#25 0x00007f7c549aaefc in start_thread (arg=0x7f7c42cd4700) at pthread_create.c:304
#26 0x00007f7c54159f4d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#27 0x0000000000000000 in ?? ()
Item_func_group_concat::add
-- Repro for the invalid read / crash in Item_func_group_concat::add.
-- Plain SQL is enough here: no prepared statement or stored procedure is needed.
CREATE TABLE t1 ( b VARCHAR(8) NOT NULL, a INT NOT NULL ) ENGINE=MyISAM; |
INSERT INTO t1 (a,b) VALUES (1,'c'),(2,'v'); |
|
-- t2.c is a nullable VARCHAR and is the leading column of the (c, d) key; the join below is on c = b.
CREATE TABLE t2 ( c VARCHAR(8), d INT, KEY (c, d) ) ENGINE=MyISAM; |
INSERT INTO t2 VALUES ('v',6),('c',4),('v',3); |
|
-- GROUP_CONCAT with its own ORDER BY over a join, grouped WITH ROLLUP. The valgrind trace shows
-- Field_varstring::cmp_max reading an address that is "not stack'd, malloc'd or (recently) free'd",
-- reached from group_concat_key_cmp_with_order while add() inserts into its ORDER BY tree; the crash
-- frame has both compared pointers out of bounds and max_len=4294967295 (an unsigned -1), i.e. a
-- wild-pointer / out-of-bounds read rather than a simple off-by-one.
SELECT b, GROUP_CONCAT( a, b ORDER BY a, b ) |
FROM t1 JOIN t2 ON c = b |
GROUP BY b WITH ROLLUP; |
Valgrind errors:
==26277== Invalid read of size 1
==26277== at 0x684600: Field_varstring::cmp_max(unsigned char const*, unsigned char const*, unsigned int) (field.cc:6685)
==26277== by 0x71E6C0: group_concat_key_cmp_with_order (item_sum.cc:2964)
==26277== by 0x9F3D8C: tree_insert (tree.c:209)
==26277== by 0x722EC2: Item_func_group_concat::add() (item_sum.cc:3283)
==26277== by 0x5C38F1: end_send_group(JOIN*, st_join_table*, bool) (item_sum.h:524)
==26277== by 0x5AD166: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:16168)
==26277== by 0x5B2A48: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:15988)
==26277== by 0x5AD166: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:16168)
==26277== by 0x5B2A48: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:15988)
==26277== by 0x5BA68D: do_select(JOIN*, List<Item>*, TABLE*, Procedure*) (sql_select.cc:15619)
==26277== by 0x5CA156: JOIN::exec() (sql_select.cc:2783)
==26277== by 0x5CBDD3: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3003)
==26277== by 0x5D01AC: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:310)
==26277== by 0x5836B8: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:4616)
==26277== by 0x58BBA0: mysql_execute_command(THD*) (sql_parse.cc:2184)
==26277== by 0x590150: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:5731)
==26277== Address 0x111724967 is not stack'd, malloc'd or (recently) free'd
Crash:
#2 <signal handler called>
#3 Field_varstring::cmp_max (this=0x2c49060, a_ptr=0x102c62a57 <Address 0x102c62a57 out of bounds>, b_ptr=0x102c5db48 <Address 0x102c5db48 out of bounds>, max_len=4294967295) at sql/field.cc:6685
#4 0x000000000071e6c1 in group_concat_key_cmp_with_order (arg=<optimized out>, key1=0x2c62a58, key2=0x2c5db49) at sql/item_sum.cc:2964
#5 0x00000000009f3d8d in tree_insert (tree=0x2c59cd0, key=0x2c5db49, key_size=0, custom_arg=0x2c59b80) at mysys/tree.c:209
#6 0x0000000000722ec3 in add (this=<optimized out>) at sql/item_sum.cc:3283
#7 Item_func_group_concat::add (this=0x2c59b80) at sql/item_sum.cc:3248
#8 0x00000000005c38f2 in aggregator_add (this=<optimized out>) at sql/item_sum.h:524
#9 update_sum_func (func_ptr=0x2c46320) at sql/sql_select.cc:20478
#10 end_send_group (join=0x2c4dc58, join_tab=<optimized out>, end_of_records=false) at sql/sql_select.cc:17189
#11 0x00000000005ad167 in evaluate_join_record (join=0x2c4dc58, join_tab=0x2c58dd8, error=<optimized out>) at sql/sql_select.cc:16168
#12 0x00000000005b2a49 in sub_select (join=0x2c4dc58, join_tab=0x2c58dd8, end_of_records=<optimized out>) at sql/sql_select.cc:15988
#13 0x00000000005ad167 in evaluate_join_record (join=0x2c4dc58, join_tab=0x2c58ab8, error=<optimized out>) at sql/sql_select.cc:16168
#14 0x00000000005b2a49 in sub_select (join=0x2c4dc58, join_tab=0x2c58ab8, end_of_records=<optimized out>) at sql/sql_select.cc:15988
#15 0x00000000005ba68e in do_select (join=0x2c4dc58, fields=0x2c4dfd8, table=0x0, procedure=0x0) at sql/sql_select.cc:15619
#16 0x00000000005ca157 in JOIN::exec (this=0x2c4dc58) at sql/sql_select.cc:2783
#17 0x00000000005cbdd4 in mysql_select (thd=0x2bb24e0, rref_pointer_array=<optimized out>, tables=<optimized out>, wild_num=0, fields=<optimized out>, conds=<optimized out>, og_num=1, order=0x0, group=0x2c46110, having=0x0, proc_param=0x0, select_options=2147748608, result=0x2c461f0, unit=0x2bb46b8, select_lex=0x2bb4d90) at sql/sql_select.cc:3003
#18 0x00000000005d01ad in handle_select (thd=0x2bb24e0, lex=0x2bb4608, result=0x2c461f0, setup_tables_done_option=0) at sql/sql_select.cc:310
#19 0x00000000005836b9 in execute_sqlcom_select (thd=0x2bb24e0, all_tables=0x2c45008) at sql/sql_parse.cc:4616
#20 0x000000000058bba1 in mysql_execute_command (thd=0x2bb24e0) at sql/sql_parse.cc:2184
#21 0x0000000000590151 in mysql_parse (parser_state=0x7f852dea8450, thd=0x2bb24e0, rawbuf=<optimized out>, length=<optimized out>) at sql/sql_parse.cc:5731
#22 mysql_parse (thd=0x2bb24e0, rawbuf=<optimized out>, length=92, parser_state=0x7f852dea8450) at sql/sql_parse.cc:5656
#23 0x0000000000591584 in dispatch_command (command=COM_QUERY, thd=0x2bb24e0, packet=<optimized out>, packet_length=770344248) at sql/sql_parse.cc:1055
#24 0x0000000000630173 in do_handle_one_connection (thd_arg=<optimized out>) at sql/sql_connect.cc:1253
#25 0x00000000006301fc in handle_one_connection (arg=0x2bb24e0) at sql/sql_connect.cc:1168
#26 0x00000000009710f8 in pfs_spawn_thread (arg=0x2ca6b80) at storage/perfschema/pfs.cc:1015
#27 0x00007f85390caefc in start_thread (arg=0x7f852dea9700) at pthread_create.c:304
#28 0x00007f8538879f4d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#29 0x0000000000000000 in ?? ()