MDEV-9208

Function->Function->View = Mysqld segfault (Server crashes in Dependency_marker::visit_field on 2nd execution with merged subquery)

Details

    • 5.5.58

    Description

      MariaDB crashes silently due to a segfault; test case, backtrace and config file attached.

      server_config.txt = my.cnf;
      crash_sql.txt = test case, it just needs to be piped into the mysql command line utility;
      crash_log.txt = output with mysqld --verbose; without it mysqld dies without a single line.

      For some strange reason, if the last 2 selects are executed after restarting only the server (but allowing the client to reconnect instead of exiting and entering again), the crash won't happen.

      Attachments

        1. crash_log.txt (7 kB, Leonardo Backes)
        2. crash_sql.txt (5 kB, Leonardo Backes)
        3. server_config.txt (0.3 kB, Leonardo Backes)

        Activity

          Thanks for the report.

          Simplified test case (sanja, please also check the original attached test case after fixing!):

          CREATE TABLE t1 (i1 INT);
          insert into t1 values(1),(2);
           
          CREATE TABLE t2 (i2 INT);
          insert into t2 values(1),(2);
           
          prepare stmt from "
            select 1 from (
              select 
                if (i1<0, 0, 0) as f1,
                (select f1) as f2
              from t1, t2 
            ) sq
          ";
           
          execute stmt;
          execute stmt;

          Reproducible either with derived_merge, or with merge views.
          Reproducible both with InnoDB and MyISAM.
          Reproducible with PS, SP, functions.

          elenst Elena Stepanova added a comment

          Stack trace (to make it more searchable):

          Stack trace from 10.1 commit 016790403a4bb6182094870870ce1a1c3e2756dc

          #3  <signal handler called>
          #4  0x000055953de75229 in Dependency_marker::visit_field (this=0x7f91b98d9750, item=0x7f91adcb0e20) at /src/10.1/sql/item.cc:6707
          #5  0x000055953de5bece in Item_field::enumerate_field_refs_processor (this=0x7f91adcb0e20, arg=0x7f91b98d9750 "\020\006\305>\225U") at /src/10.1/sql/item.cc:2388
          #6  0x000055953db56709 in Item::walk (this=0x7f91adcb0e20, processor=&virtual table offset 768, walk_subquery=false, arg=0x7f91b98d9750 "\020\006\305>\225U") at /src/10.1/sql/item.h:1367
          #7  0x000055953db548f9 in Item_args::walk_args (this=0x7f91adcb1020, processor=&virtual table offset 768, walk_subquery=false, arg=0x7f91b98d9750 "\020\006\305>\225U") at /src/10.1/sql/item.h:3544
          #8  0x000055953db54b43 in Item_func_or_sum::walk (this=0x7f91adcb0fa0, processor=&virtual table offset 768, walk_subquery=false, arg=0x7f91b98d9750 "\020\006\305>\225U") at /src/10.1/sql/item.h:3807
          #9  0x000055953db548f9 in Item_args::walk_args (this=0x7f91adcb12a0, processor=&virtual table offset 768, walk_subquery=false, arg=0x7f91b98d9750 "\020\006\305>\225U") at /src/10.1/sql/item.h:3544
          #10 0x000055953db54b43 in Item_func_or_sum::walk (this=0x7f91adcb1220, processor=&virtual table offset 768, walk_subquery=false, arg=0x7f91b98d9750 "\020\006\305>\225U") at /src/10.1/sql/item.h:3807
          #11 0x000055953de6846e in Item_ref::fix_fields (this=0x7f91adc53830, thd=0x7f91b33c98f0, reference=0x7f91adcb1e88) at /src/10.1/sql/item.cc:7002
          #12 0x000055953de72cc1 in Item_direct_ref::fix_fields (this=0x7f91adc53830, thd=0x7f91b33c98f0, it=0x7f91adcb1e88) at /src/10.1/sql/item.h:4046
          #13 0x000055953de62b9a in Item_field::fix_outer_field (this=0x7f91adcb1d90, thd=0x7f91b33c98f0, from_field=0x7f91b98d98e0, reference=0x7f91adcb1e88) at /src/10.1/sql/item.cc:4884
          #14 0x000055953de631b6 in Item_field::fix_fields (this=0x7f91adcb1d90, thd=0x7f91b33c98f0, reference=0x7f91adcb1e88) at /src/10.1/sql/item.cc:5054
          #15 0x000055953dbaa97b in setup_fields (thd=0x7f91b33c98f0, ref_pointer_array=0x7f91adcb3b50, fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7f91adc53620, allow_sum_func=true) at /src/10.1/sql/sql_base.cc:7901
          #16 0x000055953dc4260c in JOIN::prepare (this=0x7f91adc532c0, rref_pointer_array=0x7f91adcb15a0, tables_init=0x0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f91adcb1328, unit_arg=0x7f91adcb1688) at /src/10.1/sql/sql_select.cc:795
          #17 0x000055953deefbba in subselect_single_select_engine::prepare (this=0x7f91adcb1fc8) at /src/10.1/sql/item_subselect.cc:3553
          #18 0x000055953dee5c66 in Item_subselect::fix_fields (this=0x7f91adcb1e90, thd_param=0x7f91b33c98f0, ref=0x7f91adcb2018) at /src/10.1/sql/item_subselect.cc:259
          #19 0x000055953dbaa97b in setup_fields (thd=0x7f91b33c98f0, ref_pointer_array=0x7f91adcb3970, fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7f91adc53090, allow_sum_func=true) at /src/10.1/sql/sql_base.cc:7901
          #20 0x000055953dc4260c in JOIN::prepare (this=0x7f91adc52d30, rref_pointer_array=0x7f91adcb0630, tables_init=0x7f91adcb2060, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f91adcb03b8, unit_arg=0x7f91adcb0718) at /src/10.1/sql/sql_select.cc:795
          #21 0x000055953dcdce4c in st_select_lex_unit::prepare (this=0x7f91adcb0718, thd_arg=0x7f91b33c98f0, sel_result=0x7f91adc52c38, additional_options=0) at /src/10.1/sql/sql_union.cc:454
          #22 0x000055953dbdcd22 in mysql_derived_prepare (thd=0x7f91b33c98f0, lex=0x7f91adcae710, derived=0x7f91adcb3350) at /src/10.1/sql/sql_derived.cc:671
          #23 0x000055953dbdc0bd in mysql_handle_single_derived (lex=0x7f91adcae710, derived=0x7f91adcb3350, phases=2) at /src/10.1/sql/sql_derived.cc:195
          #24 0x000055953dd00896 in TABLE_LIST::handle_derived (this=0x7f91adcb3350, lex=0x7f91adcae710, phases=2) at /src/10.1/sql/table.cc:7128
          #25 0x000055953dbfa284 in st_select_lex::handle_derived (this=0x7f91adcaeed8, lex=0x7f91adcae710, phases=2) at /src/10.1/sql/sql_lex.cc:3820
          #26 0x000055953dc42228 in JOIN::prepare (this=0x7f91adc526c8, rref_pointer_array=0x7f91adcaf150, tables_init=0x7f91adcb3350, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f91adcaeed8, unit_arg=0x7f91adcae7d8) at /src/10.1/sql/sql_select.cc:711
          #27 0x000055953dc4bd66 in mysql_select (thd=0x7f91b33c98f0, rref_pointer_array=0x7f91adcaf150, tables=0x7f91adcb3350, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2416184064, result=0x7f91adcb3950, unit=0x7f91adcae7d8, select_lex=0x7f91adcaeed8) at /src/10.1/sql/sql_select.cc:3429
          #28 0x000055953dc418bd in handle_select (thd=0x7f91b33c98f0, lex=0x7f91adcae710, result=0x7f91adcb3950, setup_tables_done_option=0) at /src/10.1/sql/sql_select.cc:384
          #29 0x000055953dc11b0c in execute_sqlcom_select (thd=0x7f91b33c98f0, all_tables=0x7f91adcb3350) at /src/10.1/sql/sql_parse.cc:5894
          #30 0x000055953dc079f6 in mysql_execute_command (thd=0x7f91b33c98f0) at /src/10.1/sql/sql_parse.cc:2960
          #31 0x000055953dc2f6cb in Prepared_statement::execute (this=0x7f91adc9c070, expanded_query=0x7f91b98db990, open_cursor=false) at /src/10.1/sql/sql_prepare.cc:4269
          #32 0x000055953dc2e566 in Prepared_statement::execute_loop (this=0x7f91adc9c070, expanded_query=0x7f91b98db990, open_cursor=false, packet=0x0, packet_end=0x0) at /src/10.1/sql/sql_prepare.cc:3901
          #33 0x000055953dc2c61a in mysql_sql_stmt_execute (thd=0x7f91b33c98f0) at /src/10.1/sql/sql_prepare.cc:3033
          #34 0x000055953dc07a27 in mysql_execute_command (thd=0x7f91b33c98f0) at /src/10.1/sql/sql_parse.cc:2971
          #35 0x000055953dc15224 in mysql_parse (thd=0x7f91b33c98f0, rawbuf=0x7f91adc52488 "execute stmt", length=12, parser_state=0x7f91b98dc5e0) at /src/10.1/sql/sql_parse.cc:7314
          #36 0x000055953dc03c5d in dispatch_command (command=COM_QUERY, thd=0x7f91b33c98f0, packet=0x7f91b25c97f1 "execute stmt", packet_length=12) at /src/10.1/sql/sql_parse.cc:1486
          #37 0x000055953dc0298f in do_command (thd=0x7f91b33c98f0) at /src/10.1/sql/sql_parse.cc:1107
          #38 0x000055953dd38923 in do_handle_one_connection (thd_arg=0x7f91b33c98f0) at /src/10.1/sql/sql_connect.cc:1350
          #39 0x000055953dd38687 in handle_one_connection (arg=0x7f91b33c98f0) at /src/10.1/sql/sql_connect.cc:1262
          #40 0x000055953e442c1c in pfs_spawn_thread (arg=0x7f91b1fb0bf0) at /src/10.1/storage/perfschema/pfs.cc:1860
          #41 0x00007f91b95570a4 in start_thread () from /lib64/libpthread.so.0
          #42 0x00007f91b76c504d in clone () from /lib64/libc.so.6
          

          elenst Elena Stepanova added a comment
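Elena posted the trace so that the crash can be found by searching for its frames. As an added example (not part of this issue, and not MariaDB's own tooling), the Python below parses a gdb backtrace of exactly this shape into a compact signature for deduplicating and searching crash reports: the innermost server frames, the crash site, and the statement text gdb printed in the mysql_parse frame. The sample frames embedded in it are copied from the trace above with intermediate frames left out; the Frame type, the regular expressions and the function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a handful of frames copied from the gdb backtrace posted above
# for MDEV-9208; intermediate frames were left out for brevity. Raw string, so the
# octal escapes gdb printed inside the arg strings stay as literal backslashes.
SAMPLE_TRACE = r"""
#3  <signal handler called>
#4  0x000055953de75229 in Dependency_marker::visit_field (this=0x7f91b98d9750, item=0x7f91adcb0e20) at /src/10.1/sql/item.cc:6707
#5  0x000055953de5bece in Item_field::enumerate_field_refs_processor (this=0x7f91adcb0e20, arg=0x7f91b98d9750 "\020\006\305>\225U") at /src/10.1/sql/item.cc:2388
#6  0x000055953db56709 in Item::walk (this=0x7f91adcb0e20, processor=&virtual table offset 768, walk_subquery=false, arg=0x7f91b98d9750 "\020\006\305>\225U") at /src/10.1/sql/item.h:1367
#11 0x000055953de6846e in Item_ref::fix_fields (this=0x7f91adc53830, thd=0x7f91b33c98f0, reference=0x7f91adcb1e88) at /src/10.1/sql/item.cc:7002
#35 0x000055953dc15224 in mysql_parse (thd=0x7f91b33c98f0, rawbuf=0x7f91adc52488 "execute stmt", length=12, parser_state=0x7f91b98dc5e0) at /src/10.1/sql/sql_parse.cc:7314
#41 0x00007f91b95570a4 in start_thread () from /lib64/libpthread.so.0
#42 0x00007f91b76c504d in clone () from /lib64/libc.so.6
"""

# gdb marker frames such as "#3  <signal handler called>" carry no function.
MARKER_RE = re.compile(r'^#(?P<num>\d+)\s+(?P<note><[^>]*>)\s*$')

# Ordinary frame: "#N  0xADDR in func (args) at file:line" or "... from libname".
# The args group is greedy, so the closing paren it stops at is the last one on the line.
FRAME_RE = re.compile(
    r'^#(?P<num>\d+)\s+'
    r'(?:(?P<addr>0x[0-9a-fA-F]+)\s+in\s+)?'
    r'(?P<func>[^\s(]+)\s*'
    r'\((?P<args>.*)\)'
    r'(?:\s+at\s+(?P<file>\S+):(?P<line>\d+)|\s+from\s+(?P<lib>\S+))?\s*$'
)

# The SQL text gdb prints next to the rawbuf/packet pointer in the parser frames.
STMT_RE = re.compile(r'\b(?:rawbuf|packet)=0x[0-9a-fA-F]+ "((?:[^"\\]|\\.)*)"')


@dataclass
class Frame:
    num: int
    func: Optional[str]          # None for gdb marker frames
    args: str = ""
    file: Optional[str] = None
    line: Optional[int] = None
    lib: Optional[str] = None    # set for frames resolved only to a shared library
    note: Optional[str] = None   # marker text, e.g. "<signal handler called>"


def parse_backtrace(text: str) -> List[Frame]:
    """Parse gdb 'bt' output; lines that do not start with '#' (prose, wrapped
    copies) are ignored, which is what a pasted Jira comment needs."""
    frames: List[Frame] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("#"):
            continue
        m = MARKER_RE.match(line)
        if m:
            frames.append(Frame(num=int(m.group("num")), func=None, note=m.group("note")))
            continue
        m = FRAME_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised frame line: {line}")
        frames.append(Frame(
            num=int(m.group("num")),
            func=m.group("func"),
            args=m.group("args"),
            file=m.group("file"),
            line=int(m.group("line")) if m.group("line") else None,
            lib=m.group("lib"),
        ))
    return frames


def crash_signature(frames: List[Frame], depth: int = 5) -> str:
    """Innermost `depth` server-side function names, outward; marker frames and
    frames resolved only to libc/libpthread are skipped so they do not dominate."""
    names = [f.func for f in frames if f.func is not None and f.lib is None]
    return " <- ".join(names[:depth])


def crash_site(frames: List[Frame]) -> Optional[Tuple[str, int]]:
    """Source file and line of the innermost frame that has debug info."""
    for f in frames:
        if f.file is not None and f.line is not None:
            return f.file, f.line
    return None


def crashing_statement(frames: List[Frame]) -> Optional[str]:
    """Statement text gdb printed in the mysql_parse / dispatch_command frame."""
    for f in frames:
        if f.func in ("mysql_parse", "dispatch_command"):
            m = STMT_RE.search(f.args)
            if m:
                return m.group(1)
    return None


if __name__ == "__main__":
    frames = parse_backtrace(SAMPLE_TRACE)
    print("signature :", crash_signature(frames))
    print("site      :", crash_site(frames))
    print("statement :", crashing_statement(frames))
```

Run on the sample, the signature is the five server frames from Dependency_marker::visit_field out to mysql_parse, the site is item.cc:6707, and the statement is the second "execute stmt" from the test case, which is the information worth keying a crash database on; the hex addresses are deliberately dropped because they differ on every run.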

          Perhaps this issue is related to the not backported bug BUG#19897405 CRASH WHILE ACCESSING VIEWS IN STORED ROUTINE AND TABLES ARE FLUSHED

          Analysis
          --------
          The server crashes while accessing view columns in the
          stored procedure after DDL/FLUSH TABLE operation
          is performed on the tables used by the SQL statements
          in the stored procedure.

          https://github.com/mysql/mysql-server/commit/7b6899bc7dcc8fc859c1a0c68023bb3dbe6c62d0

          Richard Richard Stracke added a comment

          The problem is in the sel->leaf_tables list, created (setup_tables) and freed in the previous run.

          sanja Oleksandr Byelkin added a comment

          It is a call of prepare derived which triggers all derived tables to prepare, but the topmost select (which triggers this) has not had its tables prepared. Actually, I doubt that such an operation should step over the derived border (there is no sense in it because it cannot resolve fields there).

          sanja Oleksandr Byelkin added a comment

          revision-id: e9e9c94de48442bbe34b0eb5a368df3e025fc6ef (mariadb-5.5.53-34-ge9e9c94de48)
          parent(s): f23b41b9b8a30e0e54a1ec7a8923057b0e57e0f5
          committer: Oleksandr Byelkin
          timestamp: 2016-12-19 22:03:28 +0100
          message:

          MDEV-9208: Function->Function->View = Mysqld segfault (Server crashes in Dependency_marker::visit_field on 2nd execution with merged subquery)

          Prevent crossing name resolution border in finding item tables.


          sanja Oleksandr Byelkin added a comment

          People

            sanja Oleksandr Byelkin
            leobackes Leonardo Backes