[MDEV-13354] Server crashes in find_field_in_tables upon PS with window function and subquery Created: 2017-07-19  Updated: 2018-05-24  Resolved: 2017-11-23

Status: Closed
Project: MariaDB Server
Component/s: Optimizer - Window functions, Prepared Statements
Affects Version/s: 10.2
Fix Version/s: 10.2.9

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Vicențiu Ciorbaru
Resolution: Fixed Votes: 0
Labels: None


Description

CREATE TABLE t1 (i INT);
INSERT INTO t1 VALUES (1),(2);
PREPARE stmt FROM "SELECT i, Row_number() OVER (PARTITION BY i ORDER BY i) FROM (SELECT * FROM t1) sq";
EXECUTE stmt;

10.2 bc75c57cfc18be64f167d91c431076f581b0382b

#3  <signal handler called>
#4  0x00007f887873a8ca in find_field_in_tables (thd=0x7f8860000b00, item=0x7f8860170bb8, first_table=0x7f88601700c0, last_table=0x0, ref=0x7f8870398ab8, report_error=IGNORE_ERRORS, check_privileges=false, register_tree_change=false) at /data/src/10.2/sql/sql_base.cc:5815
#5  0x00007f887881c406 in find_order_in_list (thd=0x7f8860000b00, ref_pointer_array=..., tables=0x7f88601700c0, order=0x7f886016ebc0, fields=..., all_fields=..., is_group_field=false, from_window_spec=true) at /data/src/10.2/sql/sql_select.cc:22191
#6  0x00007f887881c7f6 in setup_order (thd=0x7f8860000b00, ref_pointer_array=..., tables=0x7f88601700c0, fields=..., all_fields=..., order=0x7f886016ebc0, from_window_spec=true) at /data/src/10.2/sql/sql_select.cc:22303
#7  0x00007f88789645c9 in setup_windows (thd=0x7f8860000b00, ref_pointer_array=..., tables=0x7f88601700c0, fields=..., all_fields=..., win_specs=..., win_funcs=...) at /data/src/10.2/sql/sql_window.cc:212
#8  0x00007f88787e30e5 in setup_without_group (thd=0x7f8860000b00, ref_pointer_array=..., tables=0x7f88601700c0, leaves=..., fields=..., all_fields=..., conds=0x7f8860012998, order=0x0, group=0x0, win_specs=..., win_funcs=..., hidden_group_fields=0x7f8860012877, reserved=0x7f886016daec) at /data/src/10.2/sql/sql_select.cc:662
#9  0x00007f88787e392a in JOIN::prepare (this=0x7f8860012590, tables_init=0x7f88601700c0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f886016d840, unit_arg=0x7f886016d108) at /data/src/10.2/sql/sql_select.cc:817
#10 0x00007f88787edae9 in mysql_select (thd=0x7f8860000b00, tables=0x7f88601700c0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2416184064, result=0x7f88601706e0, unit=0x7f886016d108, select_lex=0x7f886016d840) at /data/src/10.2/sql/sql_select.cc:3650
#11 0x00007f88787e24ea in handle_select (thd=0x7f8860000b00, lex=0x7f886016d040, result=0x7f88601706e0, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:373
#12 0x00007f88787ae3c8 in execute_sqlcom_select (thd=0x7f8860000b00, all_tables=0x7f88601700c0) at /data/src/10.2/sql/sql_parse.cc:6443
#13 0x00007f88787a4407 in mysql_execute_command (thd=0x7f8860000b00) at /data/src/10.2/sql/sql_parse.cc:3458
#14 0x00007f88787cf339 in Prepared_statement::execute (this=0x7f88601112e0, expanded_query=0x7f887039a5a0, open_cursor=false) at /data/src/10.2/sql/sql_prepare.cc:4735
#15 0x00007f88787cd69e in Prepared_statement::execute_loop (this=0x7f88601112e0, expanded_query=0x7f887039a5a0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.2/sql/sql_prepare.cc:4164
#16 0x00007f88787cb38e in mysql_sql_stmt_execute (thd=0x7f8860000b00) at /data/src/10.2/sql/sql_prepare.cc:3271
#17 0x00007f88787a444c in mysql_execute_command (thd=0x7f8860000b00) at /data/src/10.2/sql/sql_parse.cc:3474
#18 0x00007f88787b1d88 in mysql_parse (thd=0x7f8860000b00, rawbuf=0x7f8860012378 "EXECUTE stmt", length=12, parser_state=0x7f887039b200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7879
#19 0x00007f887879fe34 in dispatch_command (command=COM_QUERY, thd=0x7f8860000b00, packet=0x7f8860168011 "EXECUTE stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1817
#20 0x00007f887879e775 in do_command (thd=0x7f8860000b00) at /data/src/10.2/sql/sql_parse.cc:1362
#21 0x00007f88788ea4e7 in do_handle_one_connection (connect=0x7f887c2f3760) at /data/src/10.2/sql/sql_connect.cc:1354
#22 0x00007f88788ea274 in handle_one_connection (arg=0x7f887c2f3760) at /data/src/10.2/sql/sql_connect.cc:1260
#23 0x00007f8878c31922 in pfs_spawn_thread (arg=0x7f887c395f40) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#24 0x00007f8877dc1064 in start_thread (arg=0x7f887039c700) at pthread_create.c:309
#25 0x00007f8875fa662d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111



Comments
Comment by Vicențiu Ciorbaru [ 2017-09-18 ]

This bug was made apparent by MDEV-11935.

However, the problem lies in a different spot. We seem to be creating Item_direct_view_ref's incorrectly if we are creating such an item for a derived table instead of a view.

The problem lies in the TABLE_LIST::view member being NULL in such a case. sanja, can you please review the following patch, which eliminates the problem?

diff --git a/sql/table.cc b/sql/table.cc
index 450e116080a..8067066b0a9 100644
--- a/sql/table.cc
+++ b/sql/table.cc
@@ -5765,9 +5765,10 @@ Item *create_view_field(THD *thd, TABLE_LIST *view, Item **field_ref,
   {
     DBUG_RETURN(field);
   }
+  Name_resolution_context *context= view->view ? &view->view->select_lex.context :
+                                    &thd->lex->select_lex.context;
   Item *item= (new (thd->mem_root)
-               Item_direct_view_ref(thd, &view->view->select_lex.context,
-                                    field_ref, view->alias,
+               Item_direct_view_ref(thd, context, field_ref, view->alias,
                                     name, view));
   /*
     Force creation of nullable item for the result tmp table for outer joined
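Review bot: the fallback branch of the new `context` initialisation, `&thd->lex->select_lex.context`, resolves names against the top-level SELECT of the current LEX whenever `view->view` is NULL, yet a derived table can sit inside a nested subquery whose fields belong to an inner unit rather than the outermost one; please add a comment above these two lines stating that `view->view` is NULL for derived tables and why the outermost select_lex context is the correct choice there (or which other context would be more precise if it is not), so the next reader does not have to reconstruct the reasoning from this ticket. The ternary split across two lines with continuation indentation is also hard to scan; assigning the two branches in an `if`/`else` would read more clearly.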

Comment by Vicențiu Ciorbaru [ 2017-09-18 ]

Also, if you set DBUG_ASSERT(view->view); instead of the context variable from the above diff, you'll notice that most test cases with prepared statements fail. In all these cases we are dereferencing a null pointer.
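The following regression check is an added example, not part of the ticket or of the MariaDB test suite. It exercises both branches of the patched context selection: the reported derived-table case, where TABLE_LIST::view is NULL, and a real view as a control, where view->view is set. It assumes a 10.2 server with window-function support; the table and view names are constructed for the example.

```sql
-- Added regression check for MDEV-13354 (constructed example; not from the ticket).
CREATE TABLE t1 (i INT);
INSERT INTO t1 VALUES (1),(2);

-- Case 1: the reported crash. The derived table sq has no TABLE_LIST::view,
-- so create_view_field must not dereference view->view for its context.
PREPARE stmt FROM "SELECT i, ROW_NUMBER() OVER (PARTITION BY i ORDER BY i) FROM (SELECT * FROM t1) sq";
EXECUTE stmt;
-- A second EXECUTE checks that the prepared statement stays reusable.
EXECUTE stmt;
DEALLOCATE PREPARE stmt;

-- Case 2: the same query over a real view, where view->view is set and the
-- pre-patch context selection already applied; serves as a control.
CREATE VIEW v1 AS SELECT * FROM t1;
PREPARE stmt FROM "SELECT i, ROW_NUMBER() OVER (PARTITION BY i ORDER BY i) FROM v1";
EXECUTE stmt;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;

-- Case 3: direct (non-prepared) execution of the reported query, as a second control.
SELECT i, ROW_NUMBER() OVER (PARTITION BY i ORDER BY i) FROM (SELECT * FROM t1) sq;

DROP VIEW v1;
DROP TABLE t1;
```

All three cases must return the same two rows on a fixed server; on an unfixed 10.2 build the first EXECUTE in case 1 is the statement that triggers the find_field_in_tables crash shown in the description.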

Comment by Vicențiu Ciorbaru [ 2017-09-18 ]

Full patch:
http://lists.askmonty.org/pipermail/commits/2017-September/011482.html

Comment by Oleksandr Byelkin [ 2017-09-26 ]

OK to push! Thank you!

Generated at Thu Feb 08 08:04:57 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.