[MDEV-7826] Server crashes in Item_subselect::enumerate_field_refs_processor - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 5.3.12, 5.5(EOL), 10.0(EOL), 10.1(EOL)
Fix Version/s: 10.1.26, 5.5.57, 10.0.32, 10.2.8
Component/s: Data Manipulation - Subquery
Labels:
- verified

Description

Note: the query is rather weird, but it is a crash, even on release binaries...

CREATE TABLE t1 (f1 INT) ENGINE=MyISAM;

INSERT INTO t1 VALUES (5),(9);

CREATE TABLE t2 (f2 INT) ENGINE=MyISAM;

INSERT INTO t2 VALUES (0),(6);

CREATE TABLE t3 (f3 INT) ENGINE=MyISAM;

INSERT INTO t3 VALUES (6),(3);

CREATE TABLE t4 (f4 INT) ENGINE=MyISAM;

INSERT INTO t4 VALUES (1),(0);

SELECT

( SELECT MIN(f1) FROM t1 WHERE f1 IN ( SELECT MIN(f4) FROM t2 ) ) AS field7,

( SELECT COUNT(*) FROM t3 WHERE f3 IN ( SELECT MAX(f4) FROM t2 GROUP BY field7 ) )

FROM t4;

Stack trace from 5.5 commit 86f46a3da4a6d82cb510dc4c270d46cfd6a8965b
#3 <signal handler called>
#4 0x000000000087c84c in Item_subselect::enumerate_field_refs_processor (this=0x7f16bba88e50, arg=0x7f16bc3b3b50 "0I7\001") at 5.5/sql/item_subselect.cc:315
#5 0x000000000087d212 in Item_subselect::walk (this=0x7f16bba88e50, processor=&virtual table offset 688, walk_subquery=false, argument=0x7f16bc3b3b50 "0I7\001") at 5.5/sql/item_subselect.cc:631
#6 0x000000000080822b in Item_ref::fix_fields (this=0x7f16bb935b80, thd=0x7f16bc950060, reference=0x7f16bb930468) at 5.5/sql/item.cc:7034
#7 0x0000000000802eaa in Item_field::fix_outer_field (this=0x7f16bb930358, thd=0x7f16bc950060, from_field=0x7f16bc3b3cf8, reference=0x7f16bb930468) at 5.5/sql/item.cc:5005
#8 0x00000000008034cb in Item_field::fix_fields (this=0x7f16bb930358, thd=0x7f16bc950060, reference=0x7f16bb930468) at 5.5/sql/item.cc:5172
#9 0x0000000000696352 in find_order_in_list (thd=0x7f16bc950060, ref_pointer_array=0x7f16bb933d18, tables=0x7f16bb92fd68, order=0x7f16bb930458, fields=..., all_fields=..., is_group_field=true) at 5.5/sql/sql_select.cc:20559
#10 0x0000000000696576 in setup_group (thd=0x7f16bc950060, ref_pointer_array=0x7f16bb933d18, tables=0x7f16bb92fd68, fields=..., all_fields=..., order=0x7f16bb930458, hidden_group_fields=0x7f16bb935898) at 5.5/sql/sql_select.cc:20637
#11 0x00000000006a4c38 in setup_without_group (thd=0x7f16bc950060, ref_pointer_array=0x7f16bb933d18, tables=0x7f16bb92fd68, leaves=..., fields=..., all_fields=..., conds=0x7f16bb9359b0, order=0x0, group=0x7f16bb930458, hidden_group_fields=0x7f16bb935898) at 5.5/sql/sql_select.cc:587
#12 0x0000000000663da4 in JOIN::prepare (this=0x7f16bb9355a0, rref_pointer_array=0x7f16bb92f2e8, tables_init=0x7f16bb92fd68, wild_num=0, conds_init=0x0, og_num=1, order_init=0x0, skip_order_by=false, group_init=0x7f16bb930458, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f16bb92f078, unit_arg=0x7f16bb92f3d8) at 5.5/sql/sql_select.cc:727
#13 0x0000000000883bfa in subselect_single_select_engine::prepare (this=0x7f16bb930638) at 5.5/sql/item_subselect.cc:3025
#14 0x000000000087c4eb in Item_subselect::fix_fields (this=0x7f16bb930498, thd_param=0x7f16bc950060, ref=0x7f16bb935488) at 5.5/sql/item_subselect.cc:245
#15 0x0000000000882f26 in Item_in_subselect::fix_fields (this=0x7f16bb930498, thd_arg=0x7f16bc950060, ref=0x7f16bb935488) at 5.5/sql/item_subselect.cc:2708
#16 0x00000000005e4040 in setup_conds (thd=0x7f16bc950060, tables=0x7f16bb96a920, leaves=..., conds=0x7f16bb935488) at 5.5/sql/sql_base.cc:8894
#17 0x00000000006a4b3a in setup_without_group (thd=0x7f16bc950060, ref_pointer_array=0x7f16bb933bc8, tables=0x7f16bb96a920, leaves=..., fields=..., all_fields=..., conds=0x7f16bb935488, order=0x0, group=0x0, hidden_group_fields=0x7f16bb935370) at 5.5/sql/sql_select.cc:577
#18 0x0000000000663da4 in JOIN::prepare (this=0x7f16bb935078, rref_pointer_array=0x7f16bb969f98, tables_init=0x7f16bb96a920, wild_num=0, conds_init=0x7f16bb930498, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f16bb969d28, unit_arg=0x7f16bb96a088) at 5.5/sql/sql_select.cc:727
#19 0x0000000000883bfa in subselect_single_select_engine::prepare (this=0x7f16bb9307b0) at 5.5/sql/item_subselect.cc:3025
#20 0x000000000087c4eb in Item_subselect::fix_fields (this=0x7f16bb930678, thd_param=0x7f16bc950060, ref=0x7f16bb9307f8) at 5.5/sql/item_subselect.cc:245
#21 0x00000000005e2368 in setup_fields (thd=0x7f16bc950060, ref_pointer_array=0x7f16bb9325a0, fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7f16bb9323a0, allow_sum_func=true) at 5.5/sql/sql_base.cc:8169
#22 0x0000000000663cec in JOIN::prepare (this=0x7f16bb932078, rref_pointer_array=0x7f16bc953cd0, tables_init=0x7f16bb930930, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f16bc953a60, unit_arg=0x7f16bc953380) at 5.5/sql/sql_select.cc:723
#23 0x000000000066c43b in mysql_select (thd=0x7f16bc950060, rref_pointer_array=0x7f16bc953cd0, tables=0x7f16bb930930, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f16bb930fd0, unit=0x7f16bc953380, select_lex=0x7f16bc953a60) at 5.5/sql/sql_select.cc:3074
#24 0x0000000000662fbd in handle_select (thd=0x7f16bc950060, lex=0x7f16bc9532d0, result=0x7f16bb930fd0, setup_tables_done_option=0) at 5.5/sql/sql_select.cc:319
#25 0x000000000063c1fc in execute_sqlcom_select (thd=0x7f16bc950060, all_tables=0x7f16bb930930) at 5.5/sql/sql_parse.cc:4689
#26 0x00000000006353de in mysql_execute_command (thd=0x7f16bc950060) at 5.5/sql/sql_parse.cc:2234
#27 0x000000000063ece2 in mysql_parse (thd=0x7f16bc950060, rawbuf=0x7f16bba87078 "SELECT \n( SELECT MIN(f1) FROM t1 WHERE f1 IN ( SELECT MIN(f4) FROM t2 ) ) AS field7,\n( SELECT COUNT(*) FROM t3 WHERE f3 IN ( SELECT MAX(f4) FROM t2 GROUP BY field7 ) )\nFROM t4", length=175, parser_state=0x7f16bc3b5620) at 5.5/sql/sql_parse.cc:5909
#28 0x0000000000632925 in dispatch_command (command=COM_QUERY, thd=0x7f16bc950060, packet=0x7f16bca09061 "SELECT \n( SELECT MIN(f1) FROM t1 WHERE f1 IN ( SELECT MIN(f4) FROM t2 ) ) AS field7,\n( SELECT COUNT(*) FROM t3 WHERE f3 IN ( SELECT MAX(f4) FROM t2 GROUP BY field7 ) )\nFROM t4", packet_length=175) at 5.5/sql/sql_parse.cc:1079
#29 0x0000000000631ab1 in do_command (thd=0x7f16bc950060) at 5.5/sql/sql_parse.cc:793
#30 0x0000000000734122 in do_handle_one_connection (thd_arg=0x7f16bc950060) at 5.5/sql/sql_connect.cc:1266
#31 0x0000000000733be1 in handle_one_connection (arg=0x7f16bc950060) at 5.5/sql/sql_connect.cc:1181
#32 0x0000000000b6c629 in pfs_spawn_thread (arg=0x7f16bc971fc0) at 5.5/storage/perfschema/pfs.cc:1015
#33 0x00007f16c2b46b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#34 0x00007f16c0dfc70d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

Attachments

Issue Links

relates to

MDEV-13180 Unused left join causes server crash

Closed

Activity

Ascending order - Click to sort in descending order

Sergei Petrunia added a comment - 2015-04-20 09:35

Looks like the problem is in name resolution code. Re-assigning to Sanja.

Sergei Petrunia added a comment - 2015-04-20 09:35 Looks like the problem is in name resolution code. Re-assigning to Sanja.

Max Bubenick added a comment - 2015-06-01 15:26

Hi, any progress on this? will be fixed for the next release?

Max Bubenick added a comment - 2015-06-01 15:26 Hi, any progress on this? will be fixed for the next release?

Oleksandr Byelkin added a comment - 2015-06-01 15:49

Next release of what server version?

Probably 5.5, but I can't promise without looking on the bug more close.

Oleksandr Byelkin added a comment - 2015-06-01 15:49 Next release of what server version? Probably 5.5, but I can't promise without looking on the bug more close.

Max Bubenick added a comment - 2015-06-01 20:17

Sorry, for 10.0

Max Bubenick added a comment - 2015-06-01 20:17 Sorry, for 10.0

Ceri Williams added a comment - 2015-08-18 20:50

In case it is of any help, I came across this too:

Test
create table t1 (
id integer unsigned primary key,
fk_id integer unsigned
);

create table t2 (
id integer unsigned primary key,
fk_id integer unsigned
);

insert into t1 values(1,1),(2,2),(3,3),(4,4),(5,5);
insert into t2 values(1,2),(2,3),(3,4),(4,5),(5,1);

select
t1.id,
(select group_concat(distinct l1.id) from t2 l1 where l1.fk_id = group_concat(distinct t1.id)) as l1_test,
(select group_concat(distinct l2.id) from t2 l2 where l2.fk_id = l1_test) as l2_test
from t1
inner join t2 using(fk_id)
group by t1.id;

Backtrace
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7f82700 (LWP 29326)]
0x0000000000768918 in Item_subselect::enumerate_field_refs_processor(unsigned char*) ()
Missing separate debuginfos, use: debuginfo-install MariaDB-server-5.5.45-1.el7.centos.x86_64
(gdb) bt
#0 0x0000000000768918 in Item_subselect::enumerate_field_refs_processor(unsigned char*) ()
#1 0x00000000006fd31e in Item_ref::fix_fields(THD, Item*) ()
#2 0x00000000006fda59 in Item_outer_ref::fix_fields(THD, Item*) ()
#3 0x00000000007033ec in Item_field::fix_outer_field(THD, Field, Item*) ()
#4 0x0000000000703e75 in Item_field::fix_fields(THD, Item*) ()
#5 0x00000000007398d0 in Item_func::fix_fields(THD, Item*) ()
#6 0x0000000000560bb8 in setup_conds(THD, TABLE_LIST, List<TABLE_LIST>&, Item**) ()
#7 0x00000000005ea49f in JOIN::prepare(Item**, TABLE_LIST, unsigned int, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit*) [clone .part.233] ()
#8 0x000000000076b4d3 in subselect_single_select_engine::prepare() ()
#9 0x00000000007694f5 in Item_subselect::fix_fields(THD, Item*) ()
#10 0x000000000055eeac in setup_fields(THD, Item, List<Item>&, enum_mark_columns, List<Item>, bool) ()
#11 0x00000000005ea3e2 in JOIN::prepare(Item**, TABLE_LIST, unsigned int, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit*) [clone .part.233] ()
#12 0x00000000005f39dc in mysql_select(THD, Item*, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) ()
#13 0x00000000005f3deb in handle_select(THD, LEX, select_result*, unsigned long) ()
#14 0x000000000059d9fe in execute_sqlcom_select(THD, TABLE_LIST) ()
#15 0x00000000005a9bb9 in mysql_execute_command(THD*) ()
#16 0x00000000005ad00e in mysql_parse(THD, char, unsigned int, Parser_state*) ()
#17 0x00000000005aef69 in dispatch_command(enum_server_command, THD, char, unsigned int) ()
#18 0x00000000006655bb in do_handle_one_connection(THD*) ()
#19 0x0000000000665683 in handle_one_connection ()
#20 0x00007ffff7bc6df5 in start_thread () from /lib64/libpthread.so.0
#21 0x00007ffff64441ad in clone () from /lib64/libc.so.6

Whilst testing different versions, I saw the following from Percona 5.5.44:

Error response rather than SIGSEGV
ERROR 1247 (42S22): Reference 'l1_test' not supported (reference to group function)

percona-server-5.5.44-37.3 - sql/item.cc
6520 /*
6521 Check if this is an incorrect reference in a group function or forward
6522 reference. Do not issue an error if this is:
6523 1. outer reference (will be fixed later by the fix_inner_refs function);
6524 2. an unnamed reference inside an aggregate function.
6525 */
6526 if (!((*ref)->type() == REF_ITEM &&
6527 ((Item_ref )(ref))->ref_type() == OUTER_REF) &&
6528 (((*ref)->with_sum_func && name &&
6529 !(current_sel->linkage != GLOBAL_OPTIONS_TYPE &&
6530 current_sel->having_fix_field)) \|\|
6531 !(*ref)->fixed))
6532 {
6533 my_error(ER_ILLEGAL_REFERENCE, MYF(0),
6534 name, ((*ref)->with_sum_func?
6535 "reference to group function":
6536 "forward reference in item list"));
6537 goto error;
6538 }

Ceri Williams added a comment - 2015-08-18 20:50 In case it is of any help, I came across this too: Test create table t1 ( id integer unsigned primary key, fk_id integer unsigned ); create table t2 ( id integer unsigned primary key, fk_id integer unsigned ); insert into t1 values(1,1),(2,2),(3,3),(4,4),(5,5); insert into t2 values(1,2),(2,3),(3,4),(4,5),(5,1); select t1.id, (select group_concat(distinct l1.id) from t2 l1 where l1.fk_id = group_concat(distinct t1.id)) as l1_test, (select group_concat(distinct l2.id) from t2 l2 where l2.fk_id = l1_test) as l2_test from t1 inner join t2 using(fk_id) group by t1.id; Backtrace Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7ffff7f82700 (LWP 29326)] 0x0000000000768918 in Item_subselect::enumerate_field_refs_processor(unsigned char*) () Missing separate debuginfos, use: debuginfo-install MariaDB-server-5.5.45-1.el7.centos.x86_64 (gdb) bt #0 0x0000000000768918 in Item_subselect::enumerate_field_refs_processor(unsigned char*) () #1 0x00000000006fd31e in Item_ref::fix_fields(THD*, Item**) () #2 0x00000000006fda59 in Item_outer_ref::fix_fields(THD*, Item**) () #3 0x00000000007033ec in Item_field::fix_outer_field(THD*, Field**, Item**) () #4 0x0000000000703e75 in Item_field::fix_fields(THD*, Item**) () #5 0x00000000007398d0 in Item_func::fix_fields(THD*, Item**) () #6 0x0000000000560bb8 in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) () #7 0x00000000005ea49f in JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) [clone .part.233] () #8 0x000000000076b4d3 in subselect_single_select_engine::prepare() () #9 0x00000000007694f5 in Item_subselect::fix_fields(THD*, Item**) () #10 0x000000000055eeac in setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) () #11 0x00000000005ea3e2 in JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) [clone .part.233] () #12 0x00000000005f39dc in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) () #13 0x00000000005f3deb in handle_select(THD*, LEX*, select_result*, unsigned long) () #14 0x000000000059d9fe in execute_sqlcom_select(THD*, TABLE_LIST*) () #15 0x00000000005a9bb9 in mysql_execute_command(THD*) () #16 0x00000000005ad00e in mysql_parse(THD*, char*, unsigned int, Parser_state*) () #17 0x00000000005aef69 in dispatch_command(enum_server_command, THD*, char*, unsigned int) () #18 0x00000000006655bb in do_handle_one_connection(THD*) () #19 0x0000000000665683 in handle_one_connection () #20 0x00007ffff7bc6df5 in start_thread () from /lib64/libpthread.so.0 #21 0x00007ffff64441ad in clone () from /lib64/libc.so.6 Whilst testing different versions, I saw the following from Percona 5.5.44: Error response rather than SIGSEGV ERROR 1247 (42S22): Reference 'l1_test' not supported (reference to group function) percona-server-5.5.44-37.3 - sql/item.cc 6520 /* 6521 Check if this is an incorrect reference in a group function or forward 6522 reference. Do not issue an error if this is: 6523 1. outer reference (will be fixed later by the fix_inner_refs function); 6524 2. an unnamed reference inside an aggregate function. 6525 */ 6526 if (!((*ref)->type() == REF_ITEM && 6527 ((Item_ref *)(*ref))->ref_type() == OUTER_REF) && 6528 (((*ref)->with_sum_func && name && 6529 !(current_sel->linkage != GLOBAL_OPTIONS_TYPE && 6530 current_sel->having_fix_field)) || 6531 !(*ref)->fixed)) 6532 { 6533 my_error(ER_ILLEGAL_REFERENCE, MYF(0), 6534 name, ((*ref)->with_sum_func? 6535 "reference to group function": 6536 "forward reference in item list")); 6537 goto error; 6538 }

Elena Stepanova added a comment - 2017-07-03 13:27

People

Assignee:: Sergei Golubchik

Reporter:: Elena Stepanova

Votes:: 2 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2015-03-24 17:53

Updated:: 2017-07-12 16:56

Resolved:: 2017-07-12 16:56

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server