Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.3.12, 5.5.45, 10.0.21, 10.1.6
    • Fix Version/s: 5.5.47, 10.0.23, 10.1.9
    • Component/s: OTHER
    • Labels: None
    • Environment: Debian 7.8 (kernel=3.2.0-4-amd64), 16GB RAM
      CentOS 7.1 (kernel=3.10.0-229.11.1.el7.x86_64), 8GB RAM
    • Sprint: 10.1.9-2

    Description

      I got a segmentation fault error with a query.
      The client receives the message: Error Code: 2013. Lost connection to MySQL server during query.

      Query

      insert into _tmp (id, r)
      select id,p from
      (
        select id, 
        d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d as p
        from (
          select id, if(r=r,1,2) as d
          from _tmp
        ) a
      ) b
      on duplicate key update r=p;

      Table _tmp has a structure:

      CREATE TABLE `_tmp` (
        `id` int(10) unsigned NOT NULL,
        `r` float NOT NULL,
        PRIMARY KEY (`id`)
      ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

      But if the query is simplified, the error goes away.
      For example: replace one or more '+d' with '+1',
      or replace 'r=r' with 'r=1',
      or replace 'r=p' with 'r=1'.

      The error is repeatable on MariaDB 5.5.45, 10.0.21, 10.1.6.
      There is no error on MySQL 5.5 and 5.0.

      Error log shows:

      150817  4:15:17 [ERROR] mysqld got signal 11 ;
       
      Server version: 10.1.6-MariaDB-1~wheezy-log
      key_buffer_size=134217728
      read_buffer_size=2097152
      max_used_connections=3
      max_threads=102
      thread_count=2
      It is possible that mysqld could use up to
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 759823 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x0x7f333dbde008
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f3370172e30 thread_stack 0x48000
      /usr/sbin/mysqld(my_print_stacktrace+0x2b)[0x7f3370cb658b]
      /usr/sbin/mysqld(handle_fatal_signal+0x455)[0x7f337084de05]
      /lib/x86_64-linux-gnu/libpthread.so.0(+0xf0a0)[0x7f336fe3f0a0]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x7f335602d020): is an invalid pointer
      Connection ID (thread ID): 5
      Status: NOT_KILLED

      ------------------------------------------

      Binary log mariadb-bin.000001 is in the private uploads.

        Activity

          Thanks for the report and the test case.

          Stack trace from 5.5 e40bc659335f7f8b69427ed2d215c34c045a5ed7

          #3  <signal handler called>
          #4  0x00000000013766f0 in vtable for Item_ref ()
          #5  0x000000000069761d in count_field_types (select_lex=0x7f1c96384a70, param=0x7f1c96562b98, fields=..., reset_with_sum_func=false) at 5.5/sql/sql_select.cc:20894
          #6  0x0000000000664fc7 in JOIN::prepare_stage2 (this=0x7f1c96562998) at 5.5/sql/sql_select.cc:932
          #7  0x0000000000664ecd in JOIN::prepare (this=0x7f1c96562998, rref_pointer_array=0x7f1c96384ce0, tables_init=0x7f1c965f46b0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f1c96384a70, unit_arg=0x7f1c96384390) at 5.5/sql/sql_select.cc:906
          #8  0x000000000066c831 in mysql_select (thd=0x7f1c96381060, rref_pointer_array=0x7f1c96384ce0, tables=0x7f1c965f46b0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=3489925888, result=0x7f1c96562900, unit=0x7f1c96384390, select_lex=0x7f1c96384a70) at 5.5/sql/sql_select.cc:3072
          #9  0x00000000006632f1 in handle_select (thd=0x7f1c96381060, lex=0x7f1c963842e0, result=0x7f1c96562900, setup_tables_done_option=1073741824) at 5.5/sql/sql_select.cc:319
          #10 0x0000000000637731 in mysql_execute_command (thd=0x7f1c96381060) at 5.5/sql/sql_parse.cc:3060
          #11 0x000000000063f062 in mysql_parse (thd=0x7f1c96381060, rawbuf=0x7f1c9652a078 "insert into _tmp (id, r)\nselect id,p from\n(\n  select id, \n  d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d as p\n  from (\n    select id, if(r=r,1,2) as d\n    from _tmp\n  ) a\n) b\non duplicate key"..., length=211, parser_state=0x7f1c88bb5670) at 5.5/sql/sql_parse.cc:5909
          #12 0x0000000000632ca5 in dispatch_command (command=COM_QUERY, thd=0x7f1c96381060, packet=0x7f1c964e6061 "insert into _tmp (id, r)\nselect id,p from\n(\n  select id, \n  d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d+d as p\n  from (\n    select id, if(r=r,1,2) as d\n    from _tmp\n  ) a\n) b\non duplicate key"..., packet_length=211) at 5.5/sql/sql_parse.cc:1079
          #13 0x0000000000631e31 in do_command (thd=0x7f1c96381060) at 5.5/sql/sql_parse.cc:793
          #14 0x0000000000734f49 in do_handle_one_connection (thd_arg=0x7f1c96381060) at 5.5/sql/sql_connect.cc:1269
          #15 0x0000000000734cc3 in handle_one_connection (arg=0x7f1c96381060) at 5.5/sql/sql_connect.cc:1185
          #16 0x00007f1cb134db50 in start_thread (arg=<optimized out>) at pthread_create.c:304
          #17 0x00007f1caf60395d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
          #18 0x0000000000000000 in ?? ()

          elenst Elena Stepanova added a comment
          sanja Oleksandr Byelkin added a comment - - edited

          The problem is a memory overrun: ref_pointer_array_size is 50 but all_fields has 51 elements.

          sanja Oleksandr Byelkin added a comment - - edited

          The problem is caused by Item_field::update_value_transformer, which leads to a huge Item_ref chain...


          Every transformation of field d generates a longer and longer chain of fields r.

          sanja Oleksandr Byelkin added a comment

          revision-id: 22150288580624fd22407897faaf0b93c71a22b6 (mariadb-5.5.46-3-g2215028)
          parent(s): df804208657dfae10e24d656d9228f05e57b14a5
          committer: Oleksandr Byelkin
          timestamp: 2015-11-06 16:36:41 +0100
          message:

          DEV-8632 Segmentation fault on INSERT

          View/derived fields should be taken into account when ref_pointer_array is constructed.

          DBUG_ASSERTs added to avoid memory overrun.

          —

          sanja Oleksandr Byelkin added a comment

          Looks good.

          svoj Sergey Vojtovich added a comment

          People

            sanja Oleksandr Byelkin
            QweR/hi Konstantin