Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-5686

Server crashes in in base_list_iterator::next_fast with AND/OR and impossible condition inside IN SQ

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • 5.5.35, 10.0.8, 5.3.13
    • 5.5.37, 10.0.10, 5.3.13
    • None
    • None

    Description

      CREATE TABLE t1 (a INT, b INT, c VARCHAR(3)) ENGINE=MyISAM;
      		 
      INSERT INTO t1 VALUES (1,1,'CAN'),(2,2,'AUS');
      		 
       
      		 
      CREATE TABLE t2 (f INT) ENGINE=MyISAM;
      		 
      INSERT INTO t2 VALUES (3);
      		 
       
      		 
      SELECT * FROM t2 WHERE f NOT IN ( 
        SELECT b FROM t1 WHERE 0 OR ( c IN ('USA') OR c NOT IN ('USA') ) AND a = b 
      );

      Note: If the crash is not reproducible, run with valgrind.

      #3  <signal handler called>
      		 
      #4  0x000000000058a8bd in base_list_iterator::next_fast (this=0x7f06c9076f50) at sql_list.h:449
      		 
      #5  0x000000000058cab5 in List_iterator_fast<Item>::operator++ (this=0x7f06c9076f50) at sql_list.h:561
      		 
      #6  0x0000000000602d7c in Item_equal_iterator<List_iterator_fast, Item>::operator++ (this=0x7f06c9076f50) at item_cmpfunc.h:1824
      		 
      #7  0x00000000005fe7a7 in Item_equal::contains (this=0x29c4370, field=0x29b5a90) at item_cmpfunc.cc:5603
      		 
      #8  0x00000000005abe9f in Item_field::find_item_equal (this=0x298ded8, cond_equal=0x29bf8e8) at item.cc:4970
      		 
      #9  0x0000000000745053 in eliminate_item_equal (cond=0x0, upper_levels=0x29bf8e8, item_equal=0x29c2198) at sql_select.cc:11945
      		 
      #10 0x00000000007459b2 in substitute_for_best_equal_field (context_tab=0x1, cond=0x29c2198, cond_equal=0x29bf8e8, table_join_idx=0x29c2718) at sql_select.cc:12236
      		 
      #11 0x0000000000745699 in substitute_for_best_equal_field (context_tab=0x1, cond=0x298e510, cond_equal=0x29c4758, table_join_idx=0x29c2718) at sql_select.cc:12163
      		 
      #12 0x0000000000745699 in substitute_for_best_equal_field (context_tab=0x1, cond=0x29c4670, cond_equal=0x29c4758, table_join_idx=0x29c2718) at sql_select.cc:12163
      		 
      #13 0x0000000000728878 in JOIN::optimize (this=0x29c04a0) at sql_select.cc:1253
      		 
      #14 0x0000000000588e9b in st_select_lex::optimize_unflattened_subqueries (this=0x290b620) at sql_lex.cc:3166
      		 
      #15 0x00000000008182bb in JOIN::optimize_unflattened_subqueries (this=0x29bfd08) at opt_subselect.cc:4903
      		 
      #16 0x0000000000729b71 in JOIN::optimize (this=0x29bfd08) at sql_select.cc:1575
      		 
      #17 0x000000000072ec11 in mysql_select (thd=0x2908b88, rref_pointer_array=0x290b878, tables=0x298cb60, wild_num=1, fields=..., conds=0x29bfbb8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147764736, result=0x298e8a0, unit=0x290b118, select_lex=0x290b620) at sql_select.cc:2993
      		 
      #18 0x000000000072570d in handle_select (thd=0x2908b88, lex=0x290b078, result=0x298e8a0, setup_tables_done_option=0) at sql_select.cc:288
      		 
      #19 0x00000000006b4444 in execute_sqlcom_select (thd=0x2908b88, all_tables=0x298cb60) at sql_parse.cc:5172
      		 
      #20 0x00000000006ab5e0 in mysql_execute_command (thd=0x2908b88) at sql_parse.cc:2305
      		 
      #21 0x00000000006b6dab in mysql_parse (thd=0x2908b88, rawbuf=0x298c8c0 "SELECT * FROM t2 WHERE f NOT IN ( \nSELECT b FROM t1 WHERE 0 OR ( c IN ('USA') OR c NOT IN ('USA') ) AND a = b \n)", length=112, found_semicolon=0x7f06c9078cb8) at sql_parse.cc:6173
      		 
      #22 0x00000000006a8dc0 in dispatch_command (command=COM_QUERY, thd=0x2908b88, packet=0x2983459 "SELECT * FROM t2 WHERE f NOT IN ( \nSELECT b FROM t1 WHERE 0 OR ( c IN ('USA') OR c NOT IN ('USA') ) AND a = b \n)", packet_length=112) at sql_parse.cc:1243
      		 
      #23 0x00000000006a80ac in do_command (thd=0x2908b88) at sql_parse.cc:923
      		 
      #24 0x00000000006a4f3d in handle_one_connection (arg=0x2908b88) at sql_connect.cc:1231
      		 
      #25 0x00007f06d2867b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
      		 
      #26 0x00007f06d1c0aa7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

      Stack trace from:

      revision-id: psergey@askmonty.org-20140214212653-cjbm9hqh0gpxapba
      		 
      revno: 3758
      		 
      branch-nick: 5.3
      		 
      BUILD/compile-pentium-debug-max-no-ndb

      The problem started appearing on 5.3 tree with the following revision:

      revno: 3627
      		 
      revision-id: igor@askmonty.org-20130222011312-0n7i0ki83efkz17e
      		 
      parent: igor@askmonty.org-20130221032202-ed2p8w1a984bxa2p
      		 
      committer: Igor Babaev <igor@askmonty.org>
      		 
      branch nick: maria-5.3-mdev4172
      		 
      timestamp: Thu 2013-02-21 17:13:12 -0800
      		 
      message:
      		 
        Fixed bug mdev-4172.
      		 
        This bug in the legacy code could manifest itself in queries with
      		 
        semi-join materialized subqueries.
      		 
        ...

      Attachments

        Activity

          igor Igor Babaev (Inactive) added a comment -

          The fix for this bug was pushed into the 5.3 tree.

          igor Igor Babaev (Inactive) added a comment - The fix for this bug was pushed into the 5.3 tree.

          People

            igor Igor Babaev (Inactive)
            elenst Elena Stepanova
            Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.