[MDEV-11999] seg fault in main.win test
Created: 2017-02-06
Updated: 2017-02-08
Resolved: 2017-02-08

Status: Closed
Project: MariaDB Server
Component/s: Prepared Statements
Affects Version/s: 10.2.4
Fix Version/s: 10.2.4

Type: Bug
Priority: Major
Reporter: Daniel Black
Assignee: Igor Babaev
Resolution: Fixed
Votes: 0
Labels: None
Environment:

x86_64 / Fedora 24
g++ (GCC) 6.3.1 20161221 (Red Hat 6.3.1-1)



Description

(cd mysql-test/ ; ./mtr --parallel=4 --force --gdb --max-test-fail=40 main.win)
Thread 6 "mysqld" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7f20300 (LWP 1890)]
0x0000555555b1ad9a in Prepared_statement::~Prepared_statement (this=0x7fffeab78008, __in_chrg=<optimized out>)
    at /home/dan/repos/mariadb-server/sql/sql_prepare.cc:3677
3677      delete cursor;
(gdb) bt
#0  0x0000555555b1ad9a in Prepared_statement::~Prepared_statement (this=0x7fffeab78008, __in_chrg=<optimized out>)
    at /home/dan/repos/mariadb-server/sql/sql_prepare.cc:3677
#1  0x0000555555b1aeea in Prepared_statement::~Prepared_statement (this=0x7fffeab78008, __in_chrg=<optimized out>)
    at /home/dan/repos/mariadb-server/sql/sql_prepare.cc:3691
#2  0x0000555555ab0c93 in delete_statement_as_hash_key (key=0x7fffeab78008) at /home/dan/repos/mariadb-server/sql/sql_class.cc:3668
#3  0x00005555564bf1d3 in my_hash_free_elements (hash=0x7fffeaa14a40) at /home/dan/repos/mariadb-server/mysys/hash.c:123
#4  0x00005555564bf2fb in my_hash_reset (hash=0x7fffeaa14a40) at /home/dan/repos/mariadb-server/mysys/hash.c:166
#5  0x0000555555ab10f1 in Statement_map::reset (this=0x7fffeaa14a40) at /home/dan/repos/mariadb-server/sql/sql_class.cc:3800
#6  0x0000555555aaa39a in THD::free_connection (this=0x7fffeaa13088) at /home/dan/repos/mariadb-server/sql/sql_class.cc:1516
#7  0x0000555555a16c82 in unlink_thd (thd=0x7fffeaa13088) at /home/dan/repos/mariadb-server/sql/mysqld.cc:2969
#8  0x0000555555a1710a in one_thread_per_connection_end (thd=0x7fffeaa13088, put_in_cache=true)
    at /home/dan/repos/mariadb-server/sql/mysqld.cc:3110
#9  0x0000555555c34c31 in do_handle_one_connection (connect=0x7ffff3c641a8) at /home/dan/repos/mariadb-server/sql/sql_connect.cc:1373
#10 0x0000555555c348d7 in handle_one_connection (arg=0x7ffff3c641a8) at /home/dan/repos/mariadb-server/sql/sql_connect.cc:1260
#11 0x000055555648f21b in pfs_spawn_thread (arg=0x7ffff3c37608) at /home/dan/repos/mariadb-server/storage/perfschema/pfs.cc:1862
#12 0x00007ffff7bc45ca in start_thread () from /lib64/libpthread.so.0
#13 0x00007ffff56370ed in clone () from /lib64/libc.so.6
(gdb) p *this
$2 = {<Statement> = {<ilink> = {_vptr.ilink = 0x555556cee830 <vtable for Prepared_statement+16>, prev = 0x0, next = 0x0}, <Query_arena> = {
      _vptr.Query_arena = 0x555556cee868 <vtable for Prepared_statement+72>, free_list = 0x7fffeaa524a0, mem_root = 0x7fffeab78380, 
      is_backup_arena = false, is_reprepared = false, state = Query_arena::STMT_EXECUTED}, id = 2, mark_used_columns = MARK_COLUMNS_READ, name = {
      str = 0x7fffeaa4f800 "stmtnt", length = 4}, lex = 0x7fffeab07020, query_string = {string = {
        str = 0x7fffeaa1c6e0 "select\n  pk, c,\n  count(*) over w1 as CNT\nfrom t1\nwindow w1 as (partition by c order by pk\n", ' ' <repeats 14 times>, "rows between 2 preceding and 2 following)", length = 146}, cs = 0x555556e9c540 <my_charset_latin1>}, base_query = {Ptr = 0x0, 
      str_length = 0, Alloced_length = 0, extra_alloc = 0, alloced = false, thread_specific = false, 
      str_charset = 0x555556df9e20 <my_charset_bin>}, db = 0x7fffeaa4f830 "test", db_length = 4, query_cache_is_applicable = 0 '\000'}, 
  thd = 0x7fffeaa13088, result = {<select_send> = {<select_result> = {<select_result_sink> = {<Sql_alloc> = {dummy_for_valgrind = false}, 
          _vptr.select_result_sink = 0x555556cee8e8 <vtable for Select_fetch_protocol_binary+16>, thd = 0x7fffeaa13088}, unit = 0x0}, 
      is_result_set_started = false}, protocol = {<Protocol> = {_vptr.Protocol = 0x555556ce8ea8 <vtable for Protocol_binary+16>, 
        packet = 0x7fffeaa13700, convert = 0x7fffeaa13720, field_pos = 0, field_types = 0x0, field_count = 0, thd = 0x7fffeaa13088}, 
      bit_fields = 0}}, param_array = 0x0, cursor = 0x555555b6050f <sub_select_postjoin_aggr(JOIN*, st_join_table*, bool)>, packet = 0x0, 
  packet_end = 0x0, iterations = 0, param_count = 0, last_errno = 0, flags = 2, select_number_after_prepare = 1, 
  last_error = '\000' <repeats 511 times>, start_param = 0 '\000', 
  set_params = 0x555555b14c94 <insert_params_with_log(Prepared_statement*, uchar*, uchar*, uchar*, String*)>, 
  set_bulk_params = 0x555555b151a7 <insert_bulk_params(Prepared_statement*, uchar**, uchar*, bool)>, 
  set_params_from_actual_params = 0x555555b1577a <insert_params_from_actual_params_with_log(Prepared_statement*, List<Item>&, String*)>, 
  main_mem_root = {free = 0x0, used = 0x7fffeabaf2c8, pre_alloc = 0x0, min_malloc = 32, block_size = 16345, block_num = 4, first_block_usage = 0, 
    error_handler = 0x555555bfebc5 <sql_alloc_error_handler()>}, m_sql_mode = 1342177280}
(gdb) p cursor
$3 = (Server_side_cursor *) 0x555555b6050f <sub_select_postjoin_aggr(JOIN*, st_join_table*, bool)>
(gdb) p *cursor
$4 = {<Query_arena> = {_vptr.Query_arena = 0xec834853e5894855, free_list = 0x758948b87d894858, mem_root = 0x8b48ac4588d089b0, 
    is_backup_arena = 69, is_reprepared = 176, state = 186496}, <Sql_alloc> = {dummy_for_valgrind = false}, result = 0xbe0d8d481f7500c8}

   0x0000555555b1ad73 <+139>:   callq  0x55555650a8ab <_db_doprnt_>
   0x0000555555b1ad78 <+144>:   mov    -0x28(%rbp),%rax
   0x0000555555b1ad7c <+148>:   mov    0x128(%rax),%rax
   0x0000555555b1ad83 <+155>:   test   %rax,%rax
   0x0000555555b1ad86 <+158>:   je     0x555555b1adad <Prepared_statement::~Prepared_statement()+197>
   0x0000555555b1ad88 <+160>:   mov    -0x28(%rbp),%rax
   0x0000555555b1ad8c <+164>:   mov    0x128(%rax),%rax
   0x0000555555b1ad93 <+171>:   mov    (%rax),%rax
   0x0000555555b1ad96 <+174>:   add    $0x10,%rax
=> 0x0000555555b1ad9a <+178>:   mov    (%rax),%rax
   0x0000555555b1ad9d <+181>:   mov    -0x28(%rbp),%rdx
   0x0000555555b1ada1 <+185>:   mov    0x128(%rdx),%rdx
   0x0000555555b1ada8 <+192>:   mov    %rdx,%rdi
   0x0000555555b1adab <+195>:   callq  *%rax
   0x0000555555b1adad <+197>:   mov    -0x28(%rbp),%rax
   0x0000555555b1adb1 <+201>:   add    $0x18,%rax
   0x0000555555b1adb5 <+205>:   mov    %rax,%rdi
   0x0000555555b1adb8 <+208>:   callq  0x555555ab0534 <Query_arena::free_items()>



Comments
Comment by Elena Stepanova [ 2017-02-06 ]

I'm not getting this particular problem, but there are certainly some.

10.2 e51b015fc35 + valgrind

perl ./mtr main.win --valgrind
==32609== Invalid write of size 8
==32609==    at 0x6F0F7E: JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool) (sql_select.cc:2782)
==32609==    by 0x6EF2A0: JOIN::make_aggr_tables_info() (sql_select.cc:2354)
==32609==    by 0x6EBFCE: JOIN::optimize_inner() (sql_select.cc:1449)
==32609==    by 0x6EAADF: JOIN::optimize() (sql_select.cc:1076)
==32609==    by 0x6F3763: mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3586)
==32609==    by 0x6E8516: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:373)
==32609==    by 0x6B3ED4: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6399)
==32609==    by 0x6A9EEC: mysql_execute_command(THD*) (sql_parse.cc:3429)
==32609==    by 0x6B78A5: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7842)
==32609==    by 0x6A59AE: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1800)
==32609==    by 0x6A43A6: do_command(THD*) (sql_parse.cc:1360)
==32609==    by 0x7F2453: do_handle_one_connection(CONNECT*) (sql_connect.cc:1354)
==32609==    by 0x7F21E0: handle_one_connection (sql_connect.cc:1260)
==32609==    by 0xB4DD9F: pfs_spawn_thread (pfs.cc:1862)
==32609==    by 0x4E3D0A3: start_thread (pthread_create.c:309)
==32609==    by 0x6EC287C: clone (clone.S:111)
==32609==  Address 0xedafaf0 is 704 bytes inside a block of size 1,152 free'd
==32609==    at 0x4C29F40: free (vg_replace_malloc.c:474)
==32609==    by 0x10DFE7E: my_free (my_malloc.c:217)
==32609==    by 0x10354CC: mi_close (mi_close.c:127)
==32609==    by 0x101E20D: ha_myisam::close() (ha_myisam.cc:875)
==32609==    by 0x9257CC: handler::ha_close() (handler.cc:2565)
==32609==    by 0x7AC30B: closefrm(TABLE*) (table.cc:3370)
==32609==    by 0x898015: intern_close_table(TABLE*) (table_cache.cc:222)
==32609==    by 0x89AA81: tdc_remove_table(THD*, enum_tdc_remove_table_type, char const*, char const*, bool) (table_cache.cc:1132)
==32609==    by 0x76AD41: mysql_rm_table_no_locks(THD*, TABLE_LIST*, bool, bool, bool, bool, bool) (sql_table.cc:2459)
==32609==    by 0x76A02A: mysql_rm_table(THD*, TABLE_LIST*, char, char) (sql_table.cc:2090)
==32609==    by 0x6ADAF6: mysql_execute_command(THD*) (sql_parse.cc:4693)
==32609==    by 0x6B78A5: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7842)
==32609==    by 0x6A59AE: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1800)
==32609==    by 0x6A43A6: do_command(THD*) (sql_parse.cc:1360)
==32609==    by 0x7F2453: do_handle_one_connection(CONNECT*) (sql_connect.cc:1354)
==32609==    by 0x7F21E0: handle_one_connection (sql_connect.cc:1260)

10.2 e51b015f + ps protocol

perl ./mtr main.win --ps
#3  <signal handler called>
#4  0x00007f2f76372a6d in JOIN::choose_tableless_subquery_plan (this=0x7f2f6a864118) at /data/src/10.2/sql/opt_subselect.cc:5739
#5  0x00007f2f762150b9 in JOIN::optimize_inner (this=0x7f2f6a864118) at /data/src/10.2/sql/sql_select.cc:2138
#6  0x00007f2f762116be in JOIN::optimize (this=0x7f2f6a864118) at /data/src/10.2/sql/sql_select.cc:1076
#7  0x00007f2f7621a1bc in mysql_select (thd=0x7f2f6a816070, tables=0x0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2416184064, result=0x7f2f6a9a8d78, unit=0x7f2f6a9a7150, select_lex=0x7f2f6a9a7880) at /data/src/10.2/sql/sql_select.cc:3586
#8  0x00007f2f7620f101 in handle_select (thd=0x7f2f6a816070, lex=0x7f2f6a9a7088, result=0x7f2f6a9a8d78, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:373
#9  0x00007f2f761db5fb in execute_sqlcom_select (thd=0x7f2f6a816070, all_tables=0x0) at /data/src/10.2/sql/sql_parse.cc:6399
#10 0x00007f2f761d1615 in mysql_execute_command (thd=0x7f2f6a816070) at /data/src/10.2/sql/sql_parse.cc:3429
#11 0x00007f2f761fc07f in Prepared_statement::execute (this=0x7f2f6a828e70, expanded_query=0x7f2f772f0bf0, open_cursor=false) at /data/src/10.2/sql/sql_prepare.cc:4639
#12 0x00007f2f761fa478 in Prepared_statement::execute_loop (this=0x7f2f6a828e70, expanded_query=0x7f2f772f0bf0, open_cursor=false, packet=0x7f2f6a85807a "", packet_end=0x7f2f6a85807a "") at /data/src/10.2/sql/sql_prepare.cc:4073
#13 0x00007f2f761f7e70 in mysqld_stmt_execute (thd=0x7f2f6a816070, packet_arg=0x7f2f6a858071 "/\001", packet_length=9) at /data/src/10.2/sql/sql_prepare.cc:3093
#14 0x00007f2f761ccd53 in dispatch_command (command=COM_STMT_EXECUTE, thd=0x7f2f6a816070, packet=0x7f2f6a858071 "/\001", packet_length=9, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1742
#15 0x00007f2f761cbacf in do_command (thd=0x7f2f6a816070) at /data/src/10.2/sql/sql_parse.cc:1360
#16 0x00007f2f7631450c in do_handle_one_connection (connect=0x7f2f72c71410) at /data/src/10.2/sql/sql_connect.cc:1354
#17 0x00007f2f76314299 in handle_one_connection (arg=0x7f2f72c71410) at /data/src/10.2/sql/sql_connect.cc:1260
#18 0x00007f2f76657d00 in pfs_spawn_thread (arg=0x7f2f72c0f9f0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#19 0x00007f2f757fb0a4 in start_thread (arg=0x7f2f772f2300) at pthread_create.c:309
#20 0x00007f2f737a887d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Comment by Igor Babaev [ 2017-02-08 ]

The fix for this bug was pushed into the 10.2 tree.

Comment by Daniel Black [ 2017-02-08 ]

Thanks Igor

Generated at Thu Feb 08 07:54:17 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.