[MDEV-5382] Crash with complex multi-subquery query + derived_merge=ON - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 5.3.12, 5.5.34, 10.0.6
Fix Version/s: 5.5.35, 10.0.7, 5.3.13
Component/s: None
Labels:
None

Description

(Thanks to shad0w1e on Freenode #mysql for finding this bug. I reduced it to a minimal test case and figured out the affected versions.)

The following will crash MariaDB. MySQL is not similarly affected:

DROP TABLE IF EXISTS `t1`;

CREATE TABLE `t1` (

  `a` INT DEFAULT NULL

);

DROP TABLE IF EXISTS `t2`;

CREATE TABLE `t2` (

  `b` INT DEFAULT NULL

);

# No crash:

SET SESSION optimizer_switch='derived_merge=OFF';

SELECT c1

FROM (

  SELECT (

    SELECT 1

    FROM t1

    WHERE t1.a <= t2.b

    UNION ALL

    SELECT 1

    FROM t1

    WHERE t1.a <= t2.b

    ORDER BY a DESC

  ) AS c1

  FROM t2

) t3;

# Crash:

SET SESSION optimizer_switch='derived_merge=ON';

SELECT c1

FROM (

  SELECT (

    SELECT 1

    FROM t1

    WHERE t1.a <= t2.b

    UNION ALL

    SELECT 1

    FROM t1

    WHERE t1.a <= t2.b

    ORDER BY a DESC

  ) AS c1

  FROM t2

) t3;

Attachments

Activity

Ascending order - Click to sort in descending order

Elena Stepanova added a comment - 2013-12-04 10:13

Thanks for reporting this.
Also reproducible on 5.3:

#3 <signal handler called>
#4 0x00000000005a1857 in Item_field::register_field_in_read_map (this=0x3630ce0, arg=0x0) at item.cc:933
#5 0x00000000005bc090 in Item::walk (this=0x3630ce0, processor=&virtual Item::register_field_in_read_map(unsigned char*), walk_subquery=true, arg=0x0) at item.h:1009
#6 0x0000000000634793 in Item_subselect::walk (this=0x3630e20, processor=&virtual table offset 640, walk_subquery=true, argument=0x0) at item_subselect.cc:556
#7 0x000000000070bb3e in find_field_in_table_ref (thd=0x3585bc8, table_list=0x36318b0, name=0x3609a98 "c1", length=2, item_name=0x3609a98 "c1", db_name=0x0, table_name=0x0, ref=0x3609ba8, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x3609b5c, register_tree_change=true, actual_table=0x7fad48977398) at sql_base.cc:6432
#8 0x000000000070c298 in find_field_in_tables (thd=0x3585bc8, item=0x3609aa0, first_table=0x36318b0, last_table=0x0, ref=0x3609ba8, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at sql_base.cc:6664
#9 0x00000000005abb25 in Item_field::fix_fields (this=0x3609aa0, thd=0x3585bc8, reference=0x3609ba8) at item.cc:4702
#10 0x000000000070eb85 in setup_fields (thd=0x3585bc8, ref_pointer_array=0x3633a30, fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x36320e8, allow_sum_func=true) at sql_base.cc:7858
#11 0x0000000000726c0c in JOIN::prepare (this=0x3631de8, rref_pointer_array=0x35888b8, tables_init=0x36318b0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x3588660, unit_arg=0x3588158) at sql_select.cc:666
#12 0x000000000072f56b in mysql_select (thd=0x3585bc8, rref_pointer_array=0x35888b8, tables=0x36318b0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147764736, result=0x3631dc8, unit=0x3588158, select_lex=0x3588660) at sql_select.cc:2989
#13 0x0000000000726081 in handle_select (thd=0x3585bc8, lex=0x35880b8, result=0x3631dc8, setup_tables_done_option=0) at sql_select.cc:288
#14 0x00000000006b4d7c in execute_sqlcom_select (thd=0x3585bc8, all_tables=0x36318b0) at sql_parse.cc:5172
#15 0x00000000006abf18 in mysql_execute_command (thd=0x3585bc8) at sql_parse.cc:2305
#16 0x00000000006b76e3 in mysql_parse (thd=0x3585bc8, rawbuf=0x3609900 "SELECT c1\nFROM (\nSELECT (\nSELECT 1\nFROM t1\nWHERE t1.a <= t2.b\nUNION ALL\nSELECT 1\nFROM t1\nWHERE t1.a <= t2.b\nORDER BY a DESC\n) AS c1\nFROM t2\n) t3", length=144, found_semicolon=0x7fad48978cb8) at sql_parse.cc:6173
#17 0x00000000006a96f8 in dispatch_command (command=COM_QUERY, thd=0x3585bc8, packet=0x3600499 "SELECT c1\nFROM (\nSELECT (\nSELECT 1\nFROM t1\nWHERE t1.a <= t2.b\nUNION ALL\nSELECT 1\nFROM t1\nWHERE t1.a <= t2.b\nORDER BY a DESC\n) AS c1\nFROM t2\n) t3", packet_length=144) at sql_parse.cc:1243
#18 0x00000000006a89e4 in do_command (thd=0x3585bc8) at sql_parse.cc:923
#19 0x00000000006a586d in handle_one_connection (arg=0x3585bc8) at sql_connect.cc:1231
#20 0x00007fad52167b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#21 0x00007fad5150aa7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

Elena Stepanova added a comment - 2013-12-04 10:13 Thanks for reporting this. Also reproducible on 5.3: #3 <signal handler called> #4 0x00000000005a1857 in Item_field::register_field_in_read_map (this=0x3630ce0, arg=0x0) at item.cc:933 #5 0x00000000005bc090 in Item::walk (this=0x3630ce0, processor=&virtual Item::register_field_in_read_map(unsigned char*), walk_subquery=true, arg=0x0) at item.h:1009 #6 0x0000000000634793 in Item_subselect::walk (this=0x3630e20, processor=&virtual table offset 640, walk_subquery=true, argument=0x0) at item_subselect.cc:556 #7 0x000000000070bb3e in find_field_in_table_ref (thd=0x3585bc8, table_list=0x36318b0, name=0x3609a98 "c1", length=2, item_name=0x3609a98 "c1", db_name=0x0, table_name=0x0, ref=0x3609ba8, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x3609b5c, register_tree_change=true, actual_table=0x7fad48977398) at sql_base.cc:6432 #8 0x000000000070c298 in find_field_in_tables (thd=0x3585bc8, item=0x3609aa0, first_table=0x36318b0, last_table=0x0, ref=0x3609ba8, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at sql_base.cc:6664 #9 0x00000000005abb25 in Item_field::fix_fields (this=0x3609aa0, thd=0x3585bc8, reference=0x3609ba8) at item.cc:4702 #10 0x000000000070eb85 in setup_fields (thd=0x3585bc8, ref_pointer_array=0x3633a30, fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x36320e8, allow_sum_func=true) at sql_base.cc:7858 #11 0x0000000000726c0c in JOIN::prepare (this=0x3631de8, rref_pointer_array=0x35888b8, tables_init=0x36318b0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x3588660, unit_arg=0x3588158) at sql_select.cc:666 #12 0x000000000072f56b in mysql_select (thd=0x3585bc8, rref_pointer_array=0x35888b8, tables=0x36318b0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147764736, result=0x3631dc8, unit=0x3588158, select_lex=0x3588660) at sql_select.cc:2989 #13 0x0000000000726081 in handle_select (thd=0x3585bc8, lex=0x35880b8, result=0x3631dc8, setup_tables_done_option=0) at sql_select.cc:288 #14 0x00000000006b4d7c in execute_sqlcom_select (thd=0x3585bc8, all_tables=0x36318b0) at sql_parse.cc:5172 #15 0x00000000006abf18 in mysql_execute_command (thd=0x3585bc8) at sql_parse.cc:2305 #16 0x00000000006b76e3 in mysql_parse (thd=0x3585bc8, rawbuf=0x3609900 "SELECT c1\nFROM (\nSELECT (\nSELECT 1\nFROM t1\nWHERE t1.a <= t2.b\nUNION ALL\nSELECT 1\nFROM t1\nWHERE t1.a <= t2.b\nORDER BY a DESC\n) AS c1\nFROM t2\n) t3", length=144, found_semicolon=0x7fad48978cb8) at sql_parse.cc:6173 #17 0x00000000006a96f8 in dispatch_command (command=COM_QUERY, thd=0x3585bc8, packet=0x3600499 "SELECT c1\nFROM (\nSELECT (\nSELECT 1\nFROM t1\nWHERE t1.a <= t2.b\nUNION ALL\nSELECT 1\nFROM t1\nWHERE t1.a <= t2.b\nORDER BY a DESC\n) AS c1\nFROM t2\n) t3", packet_length=144) at sql_parse.cc:1243 #18 0x00000000006a89e4 in do_command (thd=0x3585bc8) at sql_parse.cc:923 #19 0x00000000006a586d in handle_one_connection (arg=0x3585bc8) at sql_connect.cc:1231 #20 0x00007fad52167b50 in start_thread (arg=<optimized out>) at pthread_create.c:304 #21 0x00007fad5150aa7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

Igor Babaev (Inactive) added a comment - 2013-12-04 21:00

I've started working on this bug.

Igor Babaev (Inactive) added a comment - 2013-12-04 21:00 I've started working on this bug.

Igor Babaev (Inactive) added a comment - 2013-12-05 22:42

The fix for this bug was pushed into the 5.3 tree.

Igor Babaev (Inactive) added a comment - 2013-12-05 22:42 The fix for this bug was pushed into the 5.3 tree.

Daniel Bartholomew added a comment - 2014-01-29 19:32

http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.567.178

Daniel Bartholomew added a comment - 2014-01-29 19:32 http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.567.178

Daniel Bartholomew added a comment - 2014-01-29 19:33

http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.567.177

http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.582.1

Daniel Bartholomew added a comment - 2014-01-29 19:33 http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.567.177 http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.582.1

People

Assignee:: Igor Babaev (Inactive)

Reporter:: Jeremy Cole

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2013-12-04 02:10

Updated:: 2014-01-29 19:33

Resolved:: 2013-12-05 22:42

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server