[MDEV-9719] Query with window function crashes with --ps-protocol - Jira

Details

Type: Task
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Fix Version/s: N/A
Component/s: Optimizer - Window functions
Labels:
None

Description

As seen in the buildbot e.g. here: http://buildbot.askmonty.org/buildbot/builders/kvm-fulltest/builds/5609

create table t1(a int, b int, x char(32));

insert into t1 values (2, 10, 'xx');

insert into t1 values (2, 10, 'zz');

insert into t1 values (2, 20, 'yy');

insert into t1 values (3, 10, 'xxx');

insert into t1 values (3, 20, 'vvv');

prepare s from 'select a, row_number() over (partition by a order by b) from t1';

execute s;

The last statement crashes here:

  Program received signal SIGSEGV, Segmentation fault.

  [Switching to Thread 0x7ffff4302700 (LWP 20042)]

  0x0000555555c1f752 in setup_windows (thd=0x55555aafeaf0, ref_pointer_array=..., tables=0x7fff5400e3a0, fields=..., all_fields=..., win_specs=...) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_window.cc:97

(gdb) wher

  #0  0x0000555555c1f752 in setup_windows (thd=0x55555aafeaf0, ref_pointer_array=..., tables=0x7fff5400e3a0, fields=..., all_fields=..., win_specs=...) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_window.cc:97

  #1  0x0000555555ab5311 in setup_without_group (thd=0x55555aafeaf0, ref_pointer_array=..., tables=0x7fff5400e3a0, leaves=..., fields=..., all_fields=..., conds=0x7fff54005848, order=0x0, group=0x0, win_specs=..., hidden_group_fields=0x7fff54005727, reserved=0x7fff5400d1f4) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_select.cc:659

  #2  0x0000555555ab5a3d in JOIN::prepare (this=0x7fff54005448, tables_init=0x7fff5400e3a0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fff5400cf58, unit_arg=0x7fff5400c868) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_select.cc:802

  #3  0x0000555555abe280 in mysql_select (thd=0x55555aafeaf0, tables=0x7fff5400e3a0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2416184064, result=0x7fff5400e998, unit=0x7fff5400c868, select_lex=0x7fff5400cf58) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_select.cc:3415

  #4  0x0000555555ab4827 in handle_select (thd=0x55555aafeaf0, lex=0x7fff5400c7a0, result=0x7fff5400e998, setup_tables_done_option=0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_select.cc:376

  #5  0x0000555555a850ba in execute_sqlcom_select (thd=0x55555aafeaf0, all_tables=0x7fff5400e3a0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:5902

  #6  0x0000555555a7af80 in mysql_execute_command (thd=0x55555aafeaf0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:2961

  #7  0x0000555555aa270a in Prepared_statement::execute (this=0x7fff5400c380, expanded_query=0x7ffff4300560, open_cursor=false) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:4009

  #8  0x0000555555aa15ee in Prepared_statement::execute_loop (this=0x7fff5400c380, expanded_query=0x7ffff4300560, open_cursor=false, packet=0x0, packet_end=0x0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:3641

  #9  0x0000555555a9f721 in mysql_sql_stmt_execute (thd=0x55555aafeaf0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:2773

  #10 0x0000555555a7afb1 in mysql_execute_command (thd=0x55555aafeaf0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:2972

  #11 0x0000555555a88722 in mysql_parse (thd=0x55555aafeaf0, rawbuf=0x7fff54005258 "execute s", length=9, parser_state=0x7ffff4301100) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:7302

And it crashes because

(gdb) print win_spec

  $83 = (Window_spec *) 0x8f8f8f8f8f8f8f8f

Attachments

Issue Links

is part of

MDEV-6115 window functions as in the SQL standard

Closed

Activity

Ascending order - Click to sort in descending order

Sergei Petrunia added a comment - 2016-03-13 09:27

cvicentiu, igor, FYI.

Sergei Petrunia added a comment - 2016-03-13 09:27 cvicentiu , igor , FYI.

Sergei Petrunia added a comment - 2016-03-13 09:33 - edited

The crash looks like window definition was not allocated on the statement mem_root.
Initially it is allocated in the parser. it uses correct mem_root.

But then, setup_windows() modifies window spec list here:

(gdb) where

  #0  __memset_sse2 () at ../sysdeps/x86_64/multiarch/../memset.S:340

  #1  0x00005555559bb051 in Sql_alloc::operator delete (ptr=0x7fff5c00eac0, size=16) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_list.h:45

  #2  0x0000555555a63117 in base_list::remove (this=0x7ffff42ffe30, prev=0x7ffff42ffe30) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_list.h:248

  #3  0x0000555555a6316a in base_list_iterator::remove (this=0x7ffff42ffd50) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_list.h:488

  #4  0x0000555555c2244c in List_iterator<Window_spec>::remove (this=0x7ffff42ffd50) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_list.h:556

  #5  0x0000555555c1f777 in setup_windows (thd=0x55555aafeaf0, ref_pointer_array=..., tables=0x7fff5c00ec00, fields=..., all_fields=..., win_specs=...) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_window.cc:99

  #6  0x0000555555ab5311 in setup_without_group (thd=0x55555aafeaf0, ref_pointer_array=..., tables=0x7fff5c00ec00, leaves=..., fields=..., all_fields=..., conds=0x7fff5c0057b8, order=0x0, group=0x0, win_specs=..., hidden_group_fields=0x7fff5c005697, reserved=0x7fff5c00da54) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_select.cc:659

  #7  0x0000555555ab5a3d in JOIN::prepare (this=0x7fff5c0053b8, tables_init=0x7fff5c00ec00, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fff5c00d7b8, unit_arg=0x7fff5c00d0c8) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_select.cc:802

  #8  0x0000555555b4cd25 in st_select_lex_unit::prepare (this=0x7fff5c00d0c8, thd_arg=0x55555aafeaf0, sel_result=0x0, additional_options=0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_union.cc:453

  #9  0x0000555555a9d19c in mysql_test_select (stmt=0x7fff5c00cbe0, tables=0x7fff5c00ec00) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:1528

  #10 0x0000555555a9e362 in check_prepared_statement (stmt=0x7fff5c00cbe0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:2128

  #11 0x0000555555aa1015 in Prepared_statement::prepare (this=0x7fff5c00cbe0, packet=0x7fff5c005378 "select a, row_number() over (partition by a order by b) from t1", packet_len=63) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:3433

  #12 0x0000555555a9eccd in mysql_sql_stmt_prepare (thd=0x55555aafeaf0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:2492

  #13 0x0000555555a7af9d in mysql_execute_command (thd=0x55555aafeaf0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:2967

  #14 0x0000555555a88722 in mysql_parse (thd=0x55555aafeaf0, rawbuf=0x7fff5c005258 "prepare s from 'select a, row_number() over (partition by a order by b) from t1'", length=80, parser_state=0x7ffff4301100) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:7302

  #15 0x0000555555a77162 in dispatch_command (command=COM_QUERY, thd=0x55555aafeaf0, packet=0x55555ab05551 "prepare s from 'select a, row_number() over (partition by a order by b) from t1'", packet_length=80) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:1487

This is here:

  while ((win_spec= it++) && i++ < elems)

    if (win_spec->name() == NULL)

      it.remove();

      win_specs.push_back(win_spec);

It looks like push_back call uses incorrect MEM_ROOT. Instead of statement-lifetime MEM_ROOT, it uses thd->mem_root, which is the mem_root that will be freed once PREPARE command finishes.

Sergei Petrunia added a comment - 2016-03-13 09:33 - edited The crash looks like window definition was not allocated on the statement mem_root. Initially it is allocated in the parser. it uses correct mem_root. But then, setup_windows() modifies window spec list here: (gdb) where #0 __memset_sse2 () at ../sysdeps/x86_64/multiarch/../memset.S:340 #1 0x00005555559bb051 in Sql_alloc::operator delete (ptr=0x7fff5c00eac0, size=16) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_list.h:45 #2 0x0000555555a63117 in base_list::remove (this=0x7ffff42ffe30, prev=0x7ffff42ffe30) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_list.h:248 #3 0x0000555555a6316a in base_list_iterator::remove (this=0x7ffff42ffd50) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_list.h:488 #4 0x0000555555c2244c in List_iterator<Window_spec>::remove (this=0x7ffff42ffd50) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_list.h:556 #5 0x0000555555c1f777 in setup_windows (thd=0x55555aafeaf0, ref_pointer_array=..., tables=0x7fff5c00ec00, fields=..., all_fields=..., win_specs=...) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_window.cc:99 #6 0x0000555555ab5311 in setup_without_group (thd=0x55555aafeaf0, ref_pointer_array=..., tables=0x7fff5c00ec00, leaves=..., fields=..., all_fields=..., conds=0x7fff5c0057b8, order=0x0, group=0x0, win_specs=..., hidden_group_fields=0x7fff5c005697, reserved=0x7fff5c00da54) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_select.cc:659 #7 0x0000555555ab5a3d in JOIN::prepare (this=0x7fff5c0053b8, tables_init=0x7fff5c00ec00, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fff5c00d7b8, unit_arg=0x7fff5c00d0c8) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_select.cc:802 #8 0x0000555555b4cd25 in st_select_lex_unit::prepare (this=0x7fff5c00d0c8, thd_arg=0x55555aafeaf0, sel_result=0x0, additional_options=0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_union.cc:453 #9 0x0000555555a9d19c in mysql_test_select (stmt=0x7fff5c00cbe0, tables=0x7fff5c00ec00) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:1528 #10 0x0000555555a9e362 in check_prepared_statement (stmt=0x7fff5c00cbe0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:2128 #11 0x0000555555aa1015 in Prepared_statement::prepare (this=0x7fff5c00cbe0, packet=0x7fff5c005378 "select a, row_number() over (partition by a order by b) from t1", packet_len=63) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:3433 #12 0x0000555555a9eccd in mysql_sql_stmt_prepare (thd=0x55555aafeaf0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:2492 #13 0x0000555555a7af9d in mysql_execute_command (thd=0x55555aafeaf0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:2967 #14 0x0000555555a88722 in mysql_parse (thd=0x55555aafeaf0, rawbuf=0x7fff5c005258 "prepare s from 'select a, row_number() over (partition by a order by b) from t1'", length=80, parser_state=0x7ffff4301100) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:7302 #15 0x0000555555a77162 in dispatch_command (command=COM_QUERY, thd=0x55555aafeaf0, packet=0x55555ab05551 "prepare s from 'select a, row_number() over (partition by a order by b) from t1'", packet_length=80) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:1487 This is here: while ((win_spec= it++) && i++ < elems) { if (win_spec->name() == NULL) { it.remove(); win_specs.push_back(win_spec); It looks like push_back call uses incorrect MEM_ROOT. Instead of statement-lifetime MEM_ROOT, it uses thd->mem_root, which is the mem_root that will be freed once PREPARE command finishes.

Sergei Petrunia added a comment - 2016-03-17 16:00

This one is fixed but now there is ~~MDEV-9754~~.

Sergei Petrunia added a comment - 2016-03-17 16:00 This one is fixed but now there is MDEV-9754 .

MariaDB Server

Query with window function crashes with --ps-protocol

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration