MariaDB Server / MDEV-5356

Server crashes in Item_equal::contains on 2nd execution of a PS

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.34, 10.0.6
    • Fix Version/s: 5.5.35, 10.0.8, 5.3.13
    • Component/s: None
    • Labels: None

      Description

      Courtesy of naox

      The stack traces are from 5.3 revno 3727.
      The problem appeared in the 5.3 tree with the following revision:

      revno: 3660
      revision-id: sanja@askmonty.org-20130606203340-2je46s13kqicdr74
      message:
        MDEV-4593: p_s: crash in simplify_joins with delete using subselect from view
        
        mysql_derived_merge_for_insert() should not be called for views or derived tables which are not put (directly or via other views) in main SELECT_LEX "join list".

      The two test cases below are very similar, but the stack traces are a bit different. I don't want to take any chances on a partial fix, so I'll file both. Please make sure that the patch fixes both cases.

      Variation 1

      #3  <signal handler called>
      #4  0x00000000005fee9a in Item_equal::contains (this=0x28bfcb0, field=0x0) at item_cmpfunc.cc:5605
      #5  0x00000000005ac5e1 in Item_field::find_item_equal (this=0x2872d60, cond_equal=0x28befa0) at item.cc:4959
      #6  0x00000000005ac8a2 in Item_field::equal_fields_propagator (this=0x2872d60, arg=0x28befa0 "\210ȉ\002\217\217\217\217") at item.cc:5070
      #7  0x00000000005bc102 in Item::compile (this=0x2872d60, analyzer=&virtual Item::subst_argument_checker(unsigned char**), arg_p=0x7f30267a1500, transformer=&virtual Item::equal_fields_propagator(unsigned char*), arg_t=0x28befa0 "\210ȉ\002\217\217\217\217") at item.h:1034
      #8  0x00000000005d32ce in Item_func::compile (this=0x28c12f0, analyzer=&virtual table offset 760, arg_p=0x7f30267a15c8, transformer=&virtual table offset 776, arg_t=0x28befa0 "\210ȉ\002\217\217\217\217") at item_func.cc:396
      #9  0x0000000000744eb2 in build_equal_items_for_cond (thd=0x27b1bc8, cond=0x28c12f0, inherited=0x28befa0) at sql_select.cc:11595
      #10 0x0000000000744a14 in build_equal_items_for_cond (thd=0x27b1bc8, cond=0x28beeb8, inherited=0x28befa0) at sql_select.cc:11511
      #11 0x0000000000744f74 in build_equal_items (join=0x28c1f80, cond=0x28beeb8, inherited=0x0, join_list=0x2871da8, ignore_on_conds=false, cond_equal_ref=0x28c2398) at sql_select.cc:11681
      #12 0x000000000074839b in optimize_cond (join=0x28c1f80, conds=0x28beeb8, join_list=0x2871da8, ignore_on_conds=false, cond_value=0x28c2270, cond_equal=0x28c2398) at sql_select.cc:13227
      #13 0x00000000007282ee in JOIN::optimize (this=0x28c1f80) at sql_select.cc:1028
      #14 0x00000000008b329a in mysql_derived_optimize (thd=0x27b1bc8, lex=0x286f3c8, derived=0x28733d0) at sql_derived.cc:779
      #15 0x00000000008b22c4 in mysql_handle_single_derived (lex=0x286f3c8, derived=0x28733d0, phases=4) at sql_derived.cc:185
      #16 0x000000000072470b in TABLE_LIST::handle_derived (this=0x28733d0, lex=0x286f3c8, phases=4) at table.cc:5926
      #17 0x000000000058971e in st_select_lex::handle_derived (this=0x2870918, lex=0x286f3c8, phases=4) at sql_lex.cc:3207
      #18 0x00000000007246ce in TABLE_LIST::handle_derived (this=0x2874098, lex=0x286f3c8, phases=4) at table.cc:5924
      #19 0x000000000058971e in st_select_lex::handle_derived (this=0x286f970, lex=0x286f3c8, phases=4) at sql_lex.cc:3207
      #20 0x0000000000727d54 in JOIN::optimize (this=0x28bf110) at sql_select.cc:932
      #21 0x000000000072f4b7 in mysql_select (thd=0x27b1bc8, rref_pointer_array=0x286fbc8, tables=0x2870500, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=1342177408, result=0x28bf048, unit=0x286f468, select_lex=0x286f970) at sql_select.cc:2995
      #22 0x000000000078dfe6 in mysql_multi_update (thd=0x27b1bc8, table_list=0x2870500, fields=0x286fa80, values=0x286fef8, conds=0x0, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x286f468, select_lex=0x286f970) at sql_update.cc:1295
      #23 0x00000000006ae5e9 in mysql_execute_command (thd=0x27b1bc8) at sql_parse.cc:3200
      #24 0x00000000008d2e04 in sp_instr_stmt::exec_core (this=0x28746f8, thd=0x27b1bc8, nextp=0x7f30267a2b78) at sp_head.cc:2976
      #25 0x00000000008d2719 in sp_lex_keeper::reset_lex_and_exec_core (this=0x2874738, thd=0x27b1bc8, nextp=0x7f30267a2b78, open_tables=false, instr=0x28746f8) at sp_head.cc:2794
      #26 0x00000000008d2bc6 in sp_instr_stmt::execute (this=0x28746f8, thd=0x27b1bc8, nextp=0x7f30267a2b78) at sp_head.cc:2919
      #27 0x00000000008ced08 in sp_head::execute (this=0x286ed20, thd=0x27b1bc8) at sp_head.cc:1283
      #28 0x00000000008d0911 in sp_head::execute_procedure (this=0x286ed20, thd=0x27b1bc8, args=0x27b4be8) at sp_head.cc:2015
      #29 0x00000000006b28a4 in mysql_execute_command (thd=0x27b1bc8) at sql_parse.cc:4500
      #30 0x00000000006b760f in mysql_parse (thd=0x27b1bc8, rawbuf=0x2835900 "CALL pr()", length=9, found_semicolon=0x7f30267a3cb8) at sql_parse.cc:6173
      #31 0x00000000006a9624 in dispatch_command (command=COM_QUERY, thd=0x27b1bc8, packet=0x282c499 "CALL pr()", packet_length=9) at sql_parse.cc:1243
      #32 0x00000000006a8910 in do_command (thd=0x27b1bc8) at sql_parse.cc:923
      #33 0x00000000006a5799 in handle_one_connection (arg=0x27b1bc8) at sql_connect.cc:1231
      #34 0x00007f302ff92b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
      #35 0x00007f302f335a7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

      Test case:

      CREATE TABLE t1 (a INT, b INT);
      INSERT INTO t1 VALUES (1,2),(3,4);
       
      CREATE TABLE t2 (c INT);
      INSERT INTO t2 VALUES (5),(6);
       
      CREATE TABLE t3 (d INT);
      INSERT INTO t3 VALUES (7),(8);
       
      CREATE PROCEDURE pr()
        UPDATE t3,
          (SELECT c FROM
            (SELECT 1 FROM t1 WHERE a=72 AND b) sq, 
            t2
          ) sq2
        SET d=sq2.c;
       
      CALL pr();
      CALL pr();

      Variation 2

      #3  <signal handler called>
      #4  0x00000000005bcbe9 in Item_field::result_type (this=0x22eed70) at item.h:1850
      #5  0x00000000007441c2 in check_simple_equality (left_item=0x22eed70, right_item=0x233d2f0, item=0x233d380, cond_equal=0x7f093b763700) at sql_select.cc:11213
      #6  0x0000000000744718 in check_equality (thd=0x222dbc8, item=0x233d380, cond_equal=0x7f093b763700, eq_list=0x7f093b763750) at sql_select.cc:11374
      #7  0x000000000074481b in build_equal_items_for_cond (thd=0x222dbc8, cond=0x233aec0, inherited=0x0) at sql_select.cc:11476
      #8  0x0000000000744f74 in build_equal_items (join=0x233e070, cond=0x233aec0, inherited=0x0, join_list=0x22eddb8, ignore_on_conds=false, cond_equal_ref=0x233e488) at sql_select.cc:11681
      #9  0x000000000074839b in optimize_cond (join=0x233e070, conds=0x233aec0, join_list=0x22eddb8, ignore_on_conds=false, cond_value=0x233e360, cond_equal=0x233e488) at sql_select.cc:13227
      #10 0x00000000007282ee in JOIN::optimize (this=0x233e070) at sql_select.cc:1028
      #11 0x00000000008b329a in mysql_derived_optimize (thd=0x222dbc8, lex=0x22eb3e8, derived=0x22ef458) at sql_derived.cc:779
      #12 0x00000000008b22c4 in mysql_handle_single_derived (lex=0x22eb3e8, derived=0x22ef458, phases=4) at sql_derived.cc:185
      #13 0x000000000072470b in TABLE_LIST::handle_derived (this=0x22ef458, lex=0x22eb3e8, phases=4) at table.cc:5926
      #14 0x000000000058971e in st_select_lex::handle_derived (this=0x22ec938, lex=0x22eb3e8, phases=4) at sql_lex.cc:3207
      #15 0x00000000007246ce in TABLE_LIST::handle_derived (this=0x22f0168, lex=0x22eb3e8, phases=4) at table.cc:5924
      #16 0x000000000058971e in st_select_lex::handle_derived (this=0x22eb990, lex=0x22eb3e8, phases=4) at sql_lex.cc:3207
      #17 0x0000000000727d54 in JOIN::optimize (this=0x233b118) at sql_select.cc:932
      #18 0x000000000072f4b7 in mysql_select (thd=0x222dbc8, rref_pointer_array=0x22ebbe8, tables=0x22ec520, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=1342177408, result=0x233b050, unit=0x22eb488, select_lex=0x22eb990) at sql_select.cc:2995
      #19 0x000000000078dfe6 in mysql_multi_update (thd=0x222dbc8, table_list=0x22ec520, fields=0x22ebaa0, values=0x22ebf18, conds=0x0, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x22eb488, select_lex=0x22eb990) at sql_update.cc:1295
      #20 0x00000000006ae5e9 in mysql_execute_command (thd=0x222dbc8) at sql_parse.cc:3200
      #21 0x00000000008d2e04 in sp_instr_stmt::exec_core (this=0x22f07c8, thd=0x222dbc8, nextp=0x7f093b764b78) at sp_head.cc:2976
      #22 0x00000000008d2719 in sp_lex_keeper::reset_lex_and_exec_core (this=0x22f0808, thd=0x222dbc8, nextp=0x7f093b764b78, open_tables=false, instr=0x22f07c8) at sp_head.cc:2794
      #23 0x00000000008d2bc6 in sp_instr_stmt::execute (this=0x22f07c8, thd=0x222dbc8, nextp=0x7f093b764b78) at sp_head.cc:2919
      #24 0x00000000008ced08 in sp_head::execute (this=0x22ead30, thd=0x222dbc8) at sp_head.cc:1283
      #25 0x00000000008d0911 in sp_head::execute_procedure (this=0x22ead30, thd=0x222dbc8, args=0x2230be8) at sp_head.cc:2015
      #26 0x00000000006b28a4 in mysql_execute_command (thd=0x222dbc8) at sql_parse.cc:4500
      #27 0x00000000006b760f in mysql_parse (thd=0x222dbc8, rawbuf=0x22b1900 "CALL pr()", length=9, found_semicolon=0x7f093b765cb8) at sql_parse.cc:6173
      #28 0x00000000006a9624 in dispatch_command (command=COM_QUERY, thd=0x222dbc8, packet=0x22a8499 "CALL pr()", packet_length=9) at sql_parse.cc:1243
      #29 0x00000000006a8910 in do_command (thd=0x222dbc8) at sql_parse.cc:923
      #30 0x00000000006a5799 in handle_one_connection (arg=0x222dbc8) at sql_connect.cc:1231
      #31 0x00007f0944f54b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
      #32 0x00007f09442f7a7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

      Test case:

      CREATE TABLE t1 (a INT, b INT);
      INSERT INTO t1 VALUES (1,2),(3,4);
       
      CREATE TABLE t2 (c INT);
      INSERT INTO t2 VALUES (5),(6);
       
      CREATE TABLE t3 (d INT);
      INSERT INTO t3 VALUES (7),(8);
       
      CREATE PROCEDURE pr()
        UPDATE t3,
          (SELECT c FROM
            (SELECT 1 FROM t1 WHERE a=72 AND NOT b) sq, 
            t2
          ) sq2
        SET d=sq2.c;
       
      CALL pr();
      CALL pr();
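The reporter's point above is that the two backtraces differ near the faulting frame but share the same outer path through the derived-table optimizer. The following Python script is an added example, not part of this ticket and not MariaDB code: it parses gdb backtrace lines in the format shown above (the sample input is a constructed subset of the frames from Variation 1 and Variation 2), reports the faulting frame and any null-pointer arguments it carries (`field=0x0` in Variation 1), builds a short crash signature of the kind used to deduplicate crash reports, and computes the call path the two crashes have in common. The choice of frames, the signature depth of 3 and the function names `parse_backtrace`, `faulting_frame`, `crash_signature` and `shared_tail` are my own, not anything from the ticket.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: selected frames copied verbatim from the two backtraces
# in this ticket; frames between the ones shown were dropped to keep the sample short.
VARIATION_1 = """\
#3  <signal handler called>
#4  0x00000000005fee9a in Item_equal::contains (this=0x28bfcb0, field=0x0) at item_cmpfunc.cc:5605
#5  0x00000000005ac5e1 in Item_field::find_item_equal (this=0x2872d60, cond_equal=0x28befa0) at item.cc:4959
#10 0x0000000000744a14 in build_equal_items_for_cond (thd=0x27b1bc8, cond=0x28beeb8, inherited=0x28befa0) at sql_select.cc:11511
#11 0x0000000000744f74 in build_equal_items (join=0x28c1f80, cond=0x28beeb8, inherited=0x0, join_list=0x2871da8, ignore_on_conds=false, cond_equal_ref=0x28c2398) at sql_select.cc:11681
#13 0x00000000007282ee in JOIN::optimize (this=0x28c1f80) at sql_select.cc:1028
#14 0x00000000008b329a in mysql_derived_optimize (thd=0x27b1bc8, lex=0x286f3c8, derived=0x28733d0) at sql_derived.cc:779
"""

VARIATION_2 = """\
#3  <signal handler called>
#4  0x00000000005bcbe9 in Item_field::result_type (this=0x22eed70) at item.h:1850
#5  0x00000000007441c2 in check_simple_equality (left_item=0x22eed70, right_item=0x233d2f0, item=0x233d380, cond_equal=0x7f093b763700) at sql_select.cc:11213
#7  0x000000000074481b in build_equal_items_for_cond (thd=0x222dbc8, cond=0x233aec0, inherited=0x0) at sql_select.cc:11476
#8  0x0000000000744f74 in build_equal_items (join=0x233e070, cond=0x233aec0, inherited=0x0, join_list=0x22eddb8, ignore_on_conds=false, cond_equal_ref=0x233e488) at sql_select.cc:11681
#10 0x00000000007282ee in JOIN::optimize (this=0x233e070) at sql_select.cc:1028
#11 0x00000000008b329a in mysql_derived_optimize (thd=0x222dbc8, lex=0x22eb3e8, derived=0x22ef458) at sql_derived.cc:779
"""

SIGNAL_RE = re.compile(r"^#(?P<n>\d+)\s+<signal handler called>\s*$")
FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>.+?) \((?P<args>.*)\)(?: at (?P<loc>\S+))?\s*$"
)
ARG_RE = re.compile(r"(\w+)=([^,]+)")


@dataclass
class Frame:
    number: int
    function: str                    # "<signal handler called>" for the signal frame
    args: Dict[str, str] = field(default_factory=dict)
    location: Optional[str] = None   # "file:line" when gdb had debug info

    @property
    def is_signal(self) -> bool:
        return self.function == "<signal handler called>"

    @property
    def null_args(self) -> List[str]:
        """Names of arguments gdb printed as a null pointer."""
        return [name for name, value in self.args.items() if value == "0x0"]


def parse_backtrace(text: str) -> List[Frame]:
    """Parse gdb 'bt' output into Frames, innermost first (the order gdb prints)."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SIGNAL_RE.match(line)
        if m:
            frames.append(Frame(int(m["n"]), "<signal handler called>"))
            continue
        m = FRAME_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised backtrace line: {line}")
        args = {name: value.strip() for name, value in ARG_RE.findall(m["args"])}
        frames.append(Frame(int(m["n"]), m["func"], args, m["loc"]))
    return frames


def faulting_frame(frames: List[Frame]) -> Frame:
    """The first real frame after the signal handler: the one that raised the fault."""
    return next(f for f in frames if not f.is_signal)


def crash_signature(frames: List[Frame], depth: int = 3) -> str:
    """Innermost `depth` function names, the usual key for deduplicating crash reports."""
    names = [f.function for f in frames if not f.is_signal]
    return " <- ".join(names[:depth])


def shared_tail(a: List[Frame], b: List[Frame]) -> List[str]:
    """Call path both traces have in common, from the innermost shared frame outwards."""
    fa = [f.function for f in a if not f.is_signal]
    fb = [f.function for f in b if not f.is_signal]
    common = []
    for x, y in zip(reversed(fa), reversed(fb)):
        if x != y:
            break
        common.append(x)
    return list(reversed(common))


if __name__ == "__main__":
    for label, text in (("Variation 1", VARIATION_1), ("Variation 2", VARIATION_2)):
        frames = parse_backtrace(text)
        fault = faulting_frame(frames)
        print(f"{label}: faults in {fault.function} at {fault.location}; null args: {fault.null_args}")
        print(f"  signature: {crash_signature(frames)}")
    print("shared path:", " <- ".join(shared_tail(parse_backtrace(VARIATION_1), parse_backtrace(VARIATION_2))))
```

Run directly, it prints both signatures and the shared path. Two reports with the same signature are duplicate candidates; these two are not, which is exactly why the reporter filed both. Only the faulting frame is inspected for null arguments: `inherited=0x0` in the outer `build_equal_items` frames is a normal top-level call and would be a false positive if every frame were checked.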

    People

    • Assignee: sanja (Oleksandr Byelkin)
    • Reporter: elenst (Elena Stepanova)
    • Votes: 0
    • Watchers: 5
