[MDEV-10899] Server crash when using subquery inside Recursive CTE Created: 2016-09-26  Updated: 2016-11-12  Resolved: 2016-09-26

Status: Closed
Project: MariaDB Server
Component/s: Optimizer - CTE
Affects Version/s: 10.2.2
Fix Version/s: 10.2.3

Type: Bug Priority: Major
Reporter: Piotr Klimczak Assignee: Igor Babaev
Resolution: Fixed Votes: 0
Labels: None
Environment:

Mac OS X 10.11

Issue Links:
Relates
relates to MDEV-9864 Implement recursive common table expr... Closed

 Description   

First of all huge thanks for bringing new cool features to MariaDB.
Really great work!

Now, the problem:
Recursive CTE with subquery in FROM crashes server.
In turn having subquery in SELECT works fine.

Example, when executing:

create table t1 (a int);
 
insert into t1 values
 
  (0), (1), (2), (3), (4);
 
create table t2 (a int);
 
insert into t2 values
 
  (1), (2), (3), (4), (5);
 
 
 
with recursive
 
t1 as
 
(
 
select x.a from (select a from t2 where t2.a=3) x
 
union
 
select t2.a from t1,t2 where t1.a+1=t2.a
 
)
 
select * from t1;

Server crashes with:

160926 13:49:43 [ERROR] mysqld got signal 11 ;
 
This could be because you hit a bug. It is also possible that this binary
 
or one of the libraries it was linked against is corrupt, improperly built,
 
or misconfigured. This error can also be caused by malfunctioning hardware.
 
 
 
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
 
 
 
We will try our best to scrape up some info that will hopefully help
 
diagnose the problem, but since we have already crashed, 
something is definitely wrong and this may fail.
 
 
 
Server version: 10.2.2-MariaDB
 
key_buffer_size=134217728
 
read_buffer_size=131072
 
max_used_connections=1
 
max_threads=153
 
thread_count=2
 
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467194 K  bytes of memory
 
Hope that's ok; if not, decrease some variables in the equation.
 
 
 
Thread pointer: 0x0x143c0eec8
 
Attempting backtrace. You can use the following information to find out
 
where mysqld died. If you see no messages after this, something went
 
terribly wrong...
 
stack_bottom = 0x700000ed4e60 thread_stack 0x48c00
 
0   mysqld                              0x0000000108a91c1c my_print_stacktrace + 60
 
0   mysqld                              0x0000000108352073 handle_fatal_signal + 643
 
0   libsystem_platform.dylib            0x00007fff93f6152a _sigtramp + 26
 
0   mysqld                              0x0000000108eaddc9 _ZZN15Query_log_event11dummy_eventEP6Stringm24enum_binlog_checksum_algE8var_name + 79740
 
0   mysqld                              0x00000001086b7967 _ZN12With_element28check_unrestricted_recursiveEP13st_select_lexRyS2_ + 167
 
0   mysqld                              0x00000001086b7832 _ZN13st_select_lex28check_unrestricted_recursiveEb + 82
 
0   mysqld                              0x000000010857844b _ZN4JOIN7prepareEP10TABLE_LISTjP4ItemjP8st_orderbS5_S3_S5_P13st_select_lexP18st_select_lex_unit + 2571
 
0   mysqld                              0x00000001085ec241 _ZN18st_select_lex_unit7prepareEP3THDP13select_resultm + 1873
 
0   mysqld                              0x000000010851249c _Z21mysql_derived_prepareP3THDP3LEXP10TABLE_LIST + 572
 
0   mysqld                              0x0000000108513761 _Z27mysql_handle_single_derivedP3LEXP10TABLE_LISTj + 193
 
0   mysqld                              0x000000010860669f _ZN10TABLE_LIST14handle_derivedEP3LEXj + 127
 
0   mysqld                              0x000000010852f52f _ZN13st_select_lex14handle_derivedEP3LEXj + 63
 
0   mysqld                              0x0000000108606687 _ZN10TABLE_LIST14handle_derivedEP3LEXj + 103
 
0   mysqld                              0x000000010852f52f _ZN13st_select_lex14handle_derivedEP3LEXj + 63
 
0   mysqld                              0x0000000108577aff _ZN4JOIN7prepareEP10TABLE_LISTjP4ItemjP8st_orderbS5_S3_S5_P13st_select_lexP18st_select_lex_unit + 191
 
0   mysqld                              0x000000010857750d _Z12mysql_selectP3THDP10TABLE_LISTjR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex + 413
 
0   mysqld                              0x00000001085771f8 _Z13handle_selectP3THDP3LEXP13select_resultm + 296
 
0   mysqld                              0x0000000108547766 _ZL21execute_sqlcom_selectP3THDP10TABLE_LIST + 886
 
0   mysqld                              0x0000000108542c15 _Z21mysql_execute_commandP3THD + 17221
 
0   mysqld                              0x000000010853d2ed _Z11mysql_parseP3THDPcjP12Parser_statebb + 877
 
0   mysqld                              0x000000010853b0ba _Z16dispatch_command19enum_server_commandP3THDPcjbb + 7978
 
0   mysqld                              0x000000010853c27d _Z10do_commandP3THD + 1021
 
0   mysqld                              0x000000010863bdd0 _Z24do_handle_one_connectionP7CONNECT + 800
 
0   mysqld                              0x000000010863ba98 handle_one_connection + 56
 
0   libsystem_pthread.dylib             0x00007fff8657d99d _pthread_body + 131
 
0   libsystem_pthread.dylib             0x00007fff8657d91a _pthread_body + 0
 
0   libsystem_pthread.dylib             0x00007fff8657b351 thread_start + 13
 
 
 
Trying to get some variables.
 
Some pointers may be invalid and cause the dump to abort.
 
Query (0x143c37520): with recursive
 
t1 as
 
(
 
select x.a from (select a from t2 where t2.a=3) x
 
union
 
select t2.a from t1,t2 where t1.a+1=t2.a
 
)
 
select * from t1
 
 
 
Connection ID (thread ID): 2
 
Status: NOT_KILLED
 
 
 
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on
 
 
 
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
 
information that should help you find out what is causing the crash.
 
160926 13:49:43 mysqld_safe mysqld restarted
 
2016-09-26 13:49:43 140735157006336 [Note] /usr/local/mysql/bin/mysqld (mysqld 10.2.2-MariaDB) starting as process 52482 ...
 
2016-09-26 13:49:43 140735157006336 [Warning] Setting lower_case_table_names=2 because file system for /usr/local/mysql/data/ is case insensitive
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Uses event mutexes
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Compressed tables use zlib 1.2.5
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Number of pools: 1
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Using SSE crc32 instructions
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Completed initialization of buffer pool
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Tablespace ID 0 name innodb_system:Default tablespace encryption mode scheme unencrypted
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Highest supported file format is Barracuda.
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Log scan progressed past the checkpoint lsn 903178441
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Doing recovery: scanned up to log sequence number 903178450
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Doing recovery: scanned up to log sequence number 903178450
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Database was not shutdown normally!
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Starting crash recovery.
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Removed temporary tablespace data file: "ibtmp1"
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Creating shared tablespace for temporary tables
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Tablespace ID 1351 name innodb_temporary:Default tablespace encryption mode scheme unencrypted
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: 96 redo rollback segment(s) found. 96 redo rollback segment(s) are active.
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: 32 non-redo rollback segment(s) are active.
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: Waiting for purge to start
 
2016-09-26 13:49:43 140735157006336 [Note] InnoDB: 5.7.14 started; log sequence number 903178450
 
2016-09-26 13:49:43 123145313570816 [Note] InnoDB: Loading buffer pool(s) from /usr/local/mysql/data/ib_buffer_pool
 
2016-09-26 13:49:43 123145313570816 [Note] InnoDB: Buffer pool(s) load completed at 160926 13:49:43
 
2016-09-26 13:49:43 140735157006336 [Note] Plugin 'FEEDBACK' is disabled.
 
2016-09-26 13:49:43 140735157006336 [Note] Recovering after a crash using tc.log
 
2016-09-26 13:49:43 140735157006336 [Note] Starting crash recovery...
 
2016-09-26 13:49:43 140735157006336 [Note] Crash recovery finished.
 
2016-09-26 13:49:43 140735157006336 [Note] Server socket created on IP: '::'.
 
2016-09-26 13:49:43 140735157006336 [Note] /usr/local/mysql/bin/mysqld: ready for connections.
 
Version: '10.2.2-MariaDB'  socket: '/tmp/mysql.sock'  port: 3306  MariaDB Server



 Comments   
Comment by Elena Stepanova [ 2016-09-26 ]

Thanks for the report and test case.

stack trace from 10.2 1f1990a161

 
#3  <signal handler called>
 
#4  0x00007fe6eeb2e277 in With_element::check_unrestricted_recursive (this=0x7fe6e34684f0, sel=0x7fe6e3464ec8, unrestricted=@0x7fe6efa78548: 0, encountered=@0x7fe6efa78550: 0) at /data/src/10.2/sql/sql_cte.cc:1144
 
#5  0x00007fe6eeb2e17a in With_element::check_unrestricted_recursive (this=0x7fe6e34684f0, sel=0x7fe6e34642a8, unrestricted=@0x7fe6efa78548: 0, encountered=@0x7fe6efa78550: 0) at /data/src/10.2/sql/sql_cte.cc:1130
 
#6  0x00007fe6eeb2df73 in st_select_lex::check_unrestricted_recursive (this=0x7fe6e34642a8, only_standards_compliant=true) at /data/src/10.2/sql/sql_cte.cc:1061
 
#7  0x00007fe6ee9aa08c in JOIN::prepare (this=0x7fe6e3518088, tables_init=0x7fe6e3466488, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=true, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fe6e34642a8, unit_arg=0x7fe6e3464678) at /data/src/10.2/sql/sql_select.cc:861
 
#8  0x00007fe6eea4bd05 in st_select_lex_unit::prepare (this=0x7fe6e3464678, thd_arg=0x7fe6e3416070, sel_result=0x7fe6e3469b28, additional_options=0) at /data/src/10.2/sql/sql_union.cc:565
 
#9  0x00007fe6ee93d938 in mysql_derived_prepare (thd=0x7fe6e3416070, lex=0x7fe6e3419a68, derived=0x7fe6e3467390) at /data/src/10.2/sql/sql_derived.cc:722
 
#10 0x00007fe6ee93c9ca in mysql_handle_single_derived (lex=0x7fe6e3419a68, derived=0x7fe6e3467390, phases=2) at /data/src/10.2/sql/sql_derived.cc:197
 
#11 0x00007fe6eea72f59 in TABLE_LIST::handle_derived (this=0x7fe6e3467390, lex=0x7fe6e3419a68, phases=2) at /data/src/10.2/sql/table.cc:7608
 
#12 0x00007fe6ee95cc2e in st_select_lex::handle_derived (this=0x7fe6e3466aa0, lex=0x7fe6e3419a68, phases=2) at /data/src/10.2/sql/sql_lex.cc:3861
 
#13 0x00007fe6eea72f1a in TABLE_LIST::handle_derived (this=0x7fe6e3468748, lex=0x7fe6e3419a68, phases=2) at /data/src/10.2/sql/table.cc:7605
 
#14 0x00007fe6ee95cc2e in st_select_lex::handle_derived (this=0x7fe6e341a268, lex=0x7fe6e3419a68, phases=2) at /data/src/10.2/sql/sql_lex.cc:3861
 
#15 0x00007fe6ee9a9646 in JOIN::prepare (this=0x7fe6e3468e70, tables_init=0x7fe6e3468748, wild_num=1, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fe6e341a268, unit_arg=0x7fe6e3419b30) at /data/src/10.2/sql/sql_select.cc:712
 
#16 0x00007fe6ee9b3665 in mysql_select (thd=0x7fe6e3416070, tables=0x7fe6e3468748, wild_num=1, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fe6e3468e50, unit=0x7fe6e3419b30, select_lex=0x7fe6e341a268) at /data/src/10.2/sql/sql_select.cc:3547
 
#17 0x00007fe6ee9a8837 in handle_select (thd=0x7fe6e3416070, lex=0x7fe6e3419a68, result=0x7fe6e3468e50, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:373
 
#18 0x00007fe6ee9763cd in execute_sqlcom_select (thd=0x7fe6e3416070, all_tables=0x7fe6e3468748) at /data/src/10.2/sql/sql_parse.cc:6347
 
#19 0x00007fe6ee96bebb in mysql_execute_command (thd=0x7fe6e3416070) at /data/src/10.2/sql/sql_parse.cc:3376
 
#20 0x00007fe6ee979d8c in mysql_parse (thd=0x7fe6e3416070, rawbuf=0x7fe6e3464088 "with recursive\nt1 as\n(\nselect x.a from (select a from t2 where t2.a=3) x\nunion\nselect t2.a from t1,t2 where t1.a+1=t2.a\n)\nselect * from t1", length=138, parser_state=0x7fe6efa79dd0, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7790
 
#21 0x00007fe6ee967b0f in dispatch_command (command=COM_QUERY, thd=0x7fe6e3416070, packet=0x7fe6e3458071 "with recursive\nt1 as\n(\nselect x.a from (select a from t2 where t2.a=3) x\nunion\nselect t2.a from t1,t2 where t1.a+1=t2.a\n)\nselect * from t1", packet_length=138, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1805
 
#22 0x00007fe6ee9664e9 in do_command (thd=0x7fe6e3416070) at /data/src/10.2/sql/sql_parse.cc:1365
 
#23 0x00007fe6eeaabdc8 in do_handle_one_connection (connect=0x7fe6eb86d410) at /data/src/10.2/sql/sql_connect.cc:1354
 
#24 0x00007fe6eeaabb55 in handle_one_connection (arg=0x7fe6eb86d410) at /data/src/10.2/sql/sql_connect.cc:1260
 
#25 0x00007fe6eedd7780 in pfs_spawn_thread (arg=0x7fe6eb8519f0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
 
#26 0x00007fe6edfd50a4 in start_thread (arg=0x7fe6efa7b300) at pthread_create.c:309
 
#27 0x00007fe6ec18d87d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Comment by Igor Babaev [ 2016-09-26 ]

The fix for this bug was pushed into the 10.2 tree.
The number of the bug in the patch was erroneously set as mdev-10889.

Generated at Thu Feb 08 07:45:47 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.