Details

    Description

      Note: once again, the test case is fragile, so there is no certainty in which version the problem appeared or whether it exists in 10.0 (it doesn't crash on my builds of 10.0).
      Please also see MDEV-7590, MDEV-7581.

      Stack trace from 5.5 rev fdd6c111c254c5044cd9b6c2f7e4d0c74f427a79

      #3  <signal handler called>
      #4  0x0000000000603109 in Item::delete_self (this=0x7ff52720c7d8) at 5.5/sql/item.h:1434
      #5  0x00000000005fd3cd in Query_arena::free_items (this=0x7ff52af49078) at 5.5/sql/sql_class.cc:3160
      #6  0x00000000005f8d6c in THD::cleanup_after_query (this=0x7ff52af49060) at 5.5/sql/sql_class.cc:1883
      #7  0x000000000063b317 in mysql_parse (thd=0x7ff52af49060, rawbuf=0x7ff527288078 "SELECT * FROM (INFORMATION_SCHEMA.`STATISTICS` AS table1 LEFT OUTER JOIN mysql.`time_zone` AS table2 ON ( table2.`Time_zone_id` = table1.`PACKED` ) ) WHERE NOT ( ( ( ( ( ( ( ( ( ( ( (NOT (NOT ( table2"..., length=930, parser_state=0x7ff527bb5620) at 5.5/sql/sql_parse.cc:5926
      #8  0x000000000062ee51 in dispatch_command (command=COM_QUERY, thd=0x7ff52af49060, packet=0x7ff5281e8061 "", packet_length=930) at 5.5/sql/sql_parse.cc:1079
      #9  0x000000000062dfdd in do_command (thd=0x7ff52af49060) at 5.5/sql/sql_parse.cc:793
      #10 0x000000000073072a in do_handle_one_connection (thd_arg=0x7ff52af49060) at 5.5/sql/sql_connect.cc:1266
      #11 0x00000000007301e9 in handle_one_connection (arg=0x7ff52af49060) at 5.5/sql/sql_connect.cc:1181
      #12 0x0000000000b66b61 in pfs_spawn_thread (arg=0x7ff5281518e0) at 5.5/storage/perfschema/pfs.cc:1015
      #13 0x00007ff52dea0b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
      #14 0x00007ff52c7ae70d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

      Test case

      SET sql_mode=ONLY_FULL_GROUP_BY;
       
      CREATE TABLE C (
        pk INTEGER AUTO_INCREMENT,
        col_int_nokey INTEGER,
        col_int_key INTEGER,
        col_date_key DATE,
        col_date_nokey DATE,
        col_time_key TIME,
        col_time_nokey TIME,
        col_datetime_key DATETIME,
        col_datetime_nokey DATETIME,
        col_varchar_key VARCHAR(1),
        col_varchar_nokey VARCHAR(1),
        PRIMARY KEY (pk)
      ) ENGINE=MyISAM;
      CREATE VIEW view_C AS SELECT * FROM C;
      CREATE TABLE E (
        pk INTEGER AUTO_INCREMENT,
        col_int_key INTEGER,
        col_varchar_key VARCHAR(1),
        PRIMARY KEY (pk)
      ) ENGINE=MyISAM;
      CREATE TABLE BB (
        pk INTEGER AUTO_INCREMENT,
        col_int_key INTEGER,
        col_varchar_key VARCHAR(1),
        PRIMARY KEY (pk)
      ) ENGINE=MyISAM;
      CREATE TABLE CC (
        pk INTEGER AUTO_INCREMENT,
        col_int_nokey INTEGER,
        col_int_key INTEGER,
        col_date_key DATE,
        col_date_nokey DATE,
        col_time_key TIME,
        col_time_nokey TIME,
        col_datetime_key DATETIME,
        col_datetime_nokey DATETIME,
        col_varchar_key VARCHAR(1),
        col_varchar_nokey VARCHAR(1),
        PRIMARY KEY (pk)
      ) ENGINE=MyISAM;
       
      CREATE TRIGGER tr1 BEFORE INSERT ON BB FOR EACH ROW INSERT INTO CC SELECT * FROM view_C LIMIT 0 ; 
      INSERT INTO BB () VALUES ();
      CREATE TRIGGER tr2 BEFORE INSERT ON E FOR EACH ROW INSERT INTO view_C SELECT * FROM CC LIMIT 0 ; 
      INSERT INTO E () VALUES ();
      --send
      	SELECT * FROM (INFORMATION_SCHEMA.`STATISTICS` AS table1 LEFT OUTER JOIN mysql.`time_zone` AS table2 ON ( table2.`Time_zone_id` = table1.`PACKED` ) ) WHERE NOT ( ( ( ( ( ( ( ( ( ( ( (NOT (NOT ( table2.`Time_zone_id` IN ( 6, 1, 4 ) AND table1.`NULLABLE` LIKE 'wait/synch/mutex/%') OR table1.`SUB_PART` > table1.`INDEX_SCHEMA`) AND table1.`TABLE_SCHEMA` <= 'm') OR table2.`Time_zone_id` = table1.`NULLABLE`) OR table1.`TABLE_SCHEMA` <> table2.`Use_leap_seconds`) AND table1.`INDEX_TYPE` IN ( 2, 1, 9 )) OR table1.`TABLE_NAME` IN ( 3, 5, 9 )) OR table1.`COLUMN_NAME` < '2008-07-11 08:47:37.057066') OR table2.`Time_zone_id` >= 8) AND table2.`Time_zone_id` < table2.`Use_leap_seconds`) OR table1.`TABLE_SCHEMA` IN ( 3, 2, 5 )) OR table2.`Time_zone_id` IN ( 7, 8, 7 )) AND table2.`Use_leap_seconds` LIKE 'wait/synch%') OR table1.`INDEX_SCHEMA` < 'uh') OR table2.`Use_leap_seconds` LIKE 'wait/synch/cond%' ORDER BY table1.`INDEX_SCHEMA`;
       
      --connect (con1,localhost,root,,test)
      INSERT INTO BB () VALUES ();
       
      --connection default
      --reap

        Activity

          elenst Elena Stepanova added a comment - Also observed on 10.0, during a stress test. Added the Affects Version/s value.

          On Wheezy, I couldn't get valgrind warnings. However, on CentOS 6, on a non-debug build, I did, maybe it's relevant:

          ==17667== Thread 4:
          ==17667== Invalid write of size 8
          ==17667==    at 0x5C1542: base_list::push_back(void*) (sql_list.h:206)
          ==17667==    by 0x6AD834: Item_field::fix_fields(THD*, Item**) (sql_list.h:512)
          ==17667==    by 0x53868F: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:8166)
          ==17667==    by 0x5A7A8E: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:719)
          ==17667==    by 0x5EFB3C: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:344)
          ==17667==    by 0x55A7CE: mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) (sql_derived.cc:654)
          ==17667==    by 0x55B2C2: mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) (sql_derived.cc:192)
          ==17667==    by 0x55B1A6: mysql_handle_list_of_derived(LEX*, TABLE_LIST*, unsigned int) (sql_derived.cc:222)
          ==17667==    by 0x56190D: mysql_prepare_insert(THD*, TABLE_LIST*, TABLE*, List<Item>&, List<Item>*, List<Item>&, List<Item>&, enum_duplicates, Item**, bool, bool, bool) (sql_insert.cc:1407)
          ==17667==    by 0x561E6E: mysql_insert_select_prepare(THD*) (sql_insert.cc:3280)
          ==17667==    by 0x57BAF4: mysql_execute_command(THD*) (sql_parse.cc:3050)
          ==17667==    by 0x77A9BB: sp_instr_stmt::exec_core(THD*, unsigned int*) (sp_head.cc:3222)
          ==17667==    by 0x77AB62: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:3000)
          ==17667==    by 0x77F9D4: sp_instr_stmt::execute(THD*, unsigned int*) (sp_head.cc:3146)
          ==17667==    by 0x77DA63: sp_head::execute(THD*, bool) (sp_head.cc:1433)
          ==17667==    by 0x77DDF2: sp_head::execute_trigger(THD*, st_mysql_lex_string const*, st_mysql_lex_string const*, st_grant_info*) (sp_head.cc:1738)
          ==17667==  Address 0x89f3fc8 is 1,912 bytes inside a block of size 8,152 free'd
          ==17667==    at 0x4A06430: free (vg_replace_malloc.c:446)
          ==17667==    by 0x9C6110: free_root (my_alloc.c:372)
          ==17667==    by 0x77DA99: sp_head::execute(THD*, bool) (sp_head.cc:1450)
          ==17667==    by 0x77DDF2: sp_head::execute_trigger(THD*, st_mysql_lex_string const*, st_mysql_lex_string const*, st_grant_info*) (sp_head.cc:1738)
          ==17667==    by 0x5E8CAE: Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool) (sql_trigger.cc:2156)
          ==17667==    by 0x538254: fill_record_n_invoke_before_triggers(THD*, List<Item>&, List<Item>&, bool, Table_triggers_list*, trg_event_type) (sql_base.cc:9066)
          ==17667==    by 0x565B85: mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) (sql_insert.cc:907)
          ==17667==    by 0x578267: mysql_execute_command(THD*) (sql_parse.cc:2973)
          ==17667==    by 0x57CFFB: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:5799)
          ==17667==    by 0x57E577: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1079)
          ==17667==    by 0x6236C3: do_handle_one_connection(THD*) (sql_connect.cc:1266)
          ==17667==    by 0x623759: handle_one_connection (sql_connect.cc:1181)
          ==17667==    by 0x8EFD05: pfs_spawn_thread (pfs.cc:1015)
          ==17667==    by 0x3D7AE079D0: start_thread (in /lib64/libpthread-2.12.so)
          ==17667==    by 0x3D7AAE89DC: clone (in /lib64/libc-2.12.so)
          ==17667== Invalid read of size 8
          ==17667==    at 0x5C1552: base_list::push_back(void*) (sql_list.h:208)
          ==17667==    by 0x6AD834: Item_field::fix_fields(THD*, Item**) (sql_list.h:512)
          ==17667==    by 0x53868F: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:8166)
          ==17667==    by 0x5A7A8E: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:719)
          ==17667==    by 0x5EFB3C: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:344)
          ==17667==    by 0x55A7CE: mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) (sql_derived.cc:654)
          ==17667==    by 0x55B2C2: mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) (sql_derived.cc:192)
          ==17667==    by 0x55B1A6: mysql_handle_list_of_derived(LEX*, TABLE_LIST*, unsigned int) (sql_derived.cc:222)
          ==17667==    by 0x56190D: mysql_prepare_insert(THD*, TABLE_LIST*, TABLE*, List<Item>&, List<Item>*, List<Item>&, List<Item>&, enum_duplicates, Item**, bool, bool, bool) (sql_insert.cc:1407)
          ==17667==    by 0x561E6E: mysql_insert_select_prepare(THD*) (sql_insert.cc:3280)
          ==17667==    by 0x57BAF4: mysql_execute_command(THD*) (sql_parse.cc:3050)
          ==17667==    by 0x77A9BB: sp_instr_stmt::exec_core(THD*, unsigned int*) (sp_head.cc:3222)
          ==17667==    by 0x77AB62: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:3000)
          ==17667==    by 0x77F9D4: sp_instr_stmt::execute(THD*, unsigned int*) (sp_head.cc:3146)
          ==17667==    by 0x77DA63: sp_head::execute(THD*, bool) (sp_head.cc:1433)
          ==17667==    by 0x77DDF2: sp_head::execute_trigger(THD*, st_mysql_lex_string const*, st_mysql_lex_string const*, st_grant_info*) (sp_head.cc:1738)
          ==17667==  Address 0x89f3fc8 is 1,912 bytes inside a block of size 8,152 free'd
          ==17667==    at 0x4A06430: free (vg_replace_malloc.c:446)
          ==17667==    by 0x9C6110: free_root (my_alloc.c:372)
          ==17667==    by 0x77DA99: sp_head::execute(THD*, bool) (sp_head.cc:1450)
          ==17667==    by 0x77DDF2: sp_head::execute_trigger(THD*, st_mysql_lex_string const*, st_mysql_lex_string const*, st_grant_info*) (sp_head.cc:1738)
          ==17667==    by 0x5E8CAE: Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool) (sql_trigger.cc:2156)
          ==17667==    by 0x538254: fill_record_n_invoke_before_triggers(THD*, List<Item>&, List<Item>&, bool, Table_triggers_list*, trg_event_type) (sql_base.cc:9066)
          ==17667==    by 0x565B85: mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) (sql_insert.cc:907)
          ==17667==    by 0x578267: mysql_execute_command(THD*) (sql_parse.cc:2973)
          ==17667==    by 0x57CFFB: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:5799)
          ==17667==    by 0x57E577: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1079)
          ==17667==    by 0x6236C3: do_handle_one_connection(THD*) (sql_connect.cc:1266)
          ==17667==    by 0x623759: handle_one_connection (sql_connect.cc:1181)
          ==17667==    by 0x8EFD05: pfs_spawn_thread (pfs.cc:1015)
          ==17667==    by 0x3D7AE079D0: start_thread (in /lib64/libpthread-2.12.so)
          ==17667==    by 0x3D7AAE89DC: clone (in /lib64/libc-2.12.so)

          elenst Elena Stepanova added a comment (valgrind report above)

          elenst Elena Stepanova added a comment - - edited

          The test case below reliably causes for me on 3 different machines a similar crash, but in a stored procedure:

          --source include/have_innodb.inc
           
          SET sql_mode=ONLY_FULL_GROUP_BY;
           
          CREATE TABLE t1 (
            pk INT, 
            f0 INT, f1 INT, f2 INT, f3 INT, f4 INT, 
            f5 INT, f6 INT, f7 INT, f8 INT, f9 INT, 
            PRIMARY KEY (pk)
          );
          CREATE VIEW view_t1 AS SELECT * FROM t1;
          CREATE PROCEDURE sp() 
            SELECT * FROM (
              INFORMATION_SCHEMA.`INNODB_BUFFER_PAGE_LRU` AS table1 
                LEFT JOIN test.view_t1 AS table2 
                ON ( table2.`f6` = table1.`FREE_PAGE_CLOCK` ) 
            ) 
            ORDER BY table1.`NUMBER_RECORDS`, table1.`IS_HASHED` 
            LIMIT 0
          ;
          CALL sp;
          CALL sp;

          5.5 commit fdd6c111

          #3  <signal handler called>
          #4  0x00007fa6cea35fa0 in ?? ()
          #5  0x000000000060310b in Item::delete_self (this=0x7fa6cea345a8) at 5.5/sql/item.h:1434
          #6  0x00000000005fd3cd in Query_arena::free_items (this=0x7fa6d694e078) at 5.5/sql/sql_class.cc:3160
          #7  0x00000000005f8d6c in THD::cleanup_after_query (this=0x7fa6d694e060) at 5.5/sql/sql_class.cc:1883
          #8  0x0000000000910920 in sp_head::execute (this=0x7fa6ce98e078, thd=0x7fa6d694e060, merge_da_on_success=true) at 5.5/sql/sp_head.cc:1449
          #9  0x0000000000912610 in sp_head::execute_procedure (this=0x7fa6ce98e078, thd=0x7fa6d694e060, args=0x7fa6d6952000) at 5.5/sql/sp_head.cc:2199
          #10 0x0000000000636c41 in mysql_execute_command (thd=0x7fa6d694e060) at 5.5/sql/sql_parse.cc:4123
          #11 0x000000000063b20e in mysql_parse (thd=0x7fa6d694e060, rawbuf=0x7fa6ce951078 "CALL sp", length=7, parser_state=0x7fa6dec75620) at 5.5/sql/sql_parse.cc:5909
          #12 0x000000000062ee51 in dispatch_command (command=COM_QUERY, thd=0x7fa6d694e060, packet=0x7fa6d6a74061 "", packet_length=7) at 5.5/sql/sql_parse.cc:1079
          #13 0x000000000062dfdd in do_command (thd=0x7fa6d694e060) at 5.5/sql/sql_parse.cc:793
          #14 0x000000000073072a in do_handle_one_connection (thd_arg=0x7fa6d694e060) at 5.5/sql/sql_connect.cc:1266
          #15 0x00000000007301e9 in handle_one_connection (arg=0x7fa6d694e060) at 5.5/sql/sql_connect.cc:1181
          #16 0x0000000000b66b61 in pfs_spawn_thread (arg=0x7fa6d69ca480) at 5.5/storage/perfschema/pfs.cc:1015
          #17 0x00007fa6de8adb50 in start_thread (arg=<optimized out>) at pthread_create.c:304
          #18 0x00007fa6dd1bb70d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
          #19 0x0000000000000000 in ?? ()


          jplindst Jan Lindström (Inactive) added a comment - I could not repeat using 10.0 with revision 4616 using above test cases.
          elenst Elena Stepanova added a comment - - edited

          I've set it up on perro, current 5.5 from git (the last test from the comment)

          # login as usual
          cd ~/git/5.5-mdev7594/mysql-test
          perl ./mtr mdev7594


          monty Michael Widenius added a comment - I was able to repeat and fix this test case. The issue was that select_lex->non_agg_fields() was not properly reset for re-execution. Fixed by moving this to the JOIN structure that is properly reset for each execution.

          monty Michael Widenius added a comment - The problem was that select_lex->non_agg_fields was not properly reset for re-execution and this caused an overwrite of a random memory position. The fix was to move non_agg_fields from select_lex to JOIN, which is properly reset. Fix pushed into the 5.5 tree.
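
The failure mode described in the last comment, as an added C++ model that is not MariaDB source or the committed fix: a list owned by a structure that outlives one execution keeps its tail pointer into arena memory released after that execution, so the next execution's push_back writes through it. `Arena`, `List`, `run_buggy` and `run_fixed` are hypothetical names, and released nodes are poisoned rather than freed so the stale write can be counted without undefined behaviour.

```cpp
// Added illustration; a simplified model, not MariaDB source code.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

struct Node { void *info; Node *next; bool live; };

// Stand-in for a per-execution memory root. release() plays the role of
// free_root(): nodes are marked dead (poisoned) instead of being returned to
// the heap, so a later access through a stale pointer is detectable and safe.
class Arena {
  std::vector<std::unique_ptr<Node>> nodes_;
public:
  Node *alloc(void *info) {
    nodes_.push_back(std::unique_ptr<Node>(new Node{info, nullptr, true}));
    return nodes_.back().get();
  }
  void release() { for (auto &n : nodes_) n->live = false; }
};

// Same shape as an intrusive list push_back: link the new node through the
// current tail. If the tail was allocated by an already released execution,
// that link is the "invalid write" a memory checker reports.
struct List {
  Node *first = nullptr;
  Node *tail = nullptr;
  std::size_t stale_writes = 0;
  void push_back(void *info, Arena &arena) {
    Node *n = arena.alloc(info);
    if (tail == nullptr) {
      first = n;
    } else {
      if (!tail->live) ++stale_writes;  // write into released memory
      tail->next = n;
    }
    tail = n;
  }
};

struct SelectLex { List non_agg_fields; };  // lives as long as the parsed statement
struct Join      { List non_agg_fields; };  // rebuilt for every execution

// Before the fix: the list sits in the long-lived structure and is never reset.
std::size_t run_buggy(int executions, int fields) {
  Arena arena;
  SelectLex select_lex;
  int field = 0;
  for (int e = 0; e < executions; ++e) {
    for (int f = 0; f < fields; ++f)
      select_lex.non_agg_fields.push_back(&field, arena);
    arena.release();  // end of this execution: its memory is gone
  }
  return select_lex.non_agg_fields.stale_writes;
}

// After the fix: the list belongs to the per-execution structure, so each
// execution starts from an empty list and never sees an old tail pointer.
std::size_t run_fixed(int executions, int fields) {
  Arena arena;
  int field = 0;
  std::size_t total = 0;
  for (int e = 0; e < executions; ++e) {
    Join join;
    for (int f = 0; f < fields; ++f)
      join.non_agg_fields.push_back(&field, arena);
    total += join.non_agg_fields.stale_writes;
    arena.release();
  }
  return total;
}

int main() {
  std::printf("buggy: %zu stale writes, fixed: %zu stale writes\n",
              run_buggy(2, 3), run_fixed(2, 3));
  return 0;
}
```

The first execution is always clean, which matches the second `CALL sp;` being the one that crashes in the stored-procedure test case.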

          People

            monty Michael Widenius
            elenst Elena Stepanova