[MDEV-15161] Server crashes in get_addon_fields upon using combination of functions Created: 2018-02-01  Updated: 2023-08-24  Resolved: 2023-08-24

Status: Closed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 5.5, 10.0, 10.1, 10.2, 10.3
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Vicențiu Ciorbaru
Resolution: Won't Fix Votes: 0
Labels: None


 Description   

Note: the test case below no longer crashes on current trees; see the comments instead.

# Original repro from the report. Per the note above it no longer crashes;
# the stack below shows where it used to fail.
--source include/have_innodb.inc
 
CREATE TABLE t1 (i INT) ENGINE=InnoDB;
# DISTINCT plus ORDER BY on the same expression: the ORDER BY went through
# create_sort_index -> filesort -> get_addon_fields (frames #4-#7 below).
# NOTE(review): in the 10.2 frame sortlength=1025 exceeds
# max_length_for_sort_data=1024, which may be what selects the addon-field
# path here — confirm against filesort.cc before relying on it.
SELECT DISTINCT INSERT( ExtractValue( NULL, '/bar' ), UUID_SHORT(), 1, 'foo' ) FROM t1 ORDER BY 1;
 
# Cleanup
DROP TABLE t1;

10.2 b56f9fbe2f6a83

#3  <signal handler called>
#4  0x0000563d79bf6529 in get_addon_fields (max_length_for_sort_data=1024, ptabfield=0x7f40f8151638, sortlength=1025, addon_buf=0x7f413855c918) at /data/src/10.2/sql/filesort.cc:2031
#5  0x0000563d79bf117c in Sort_param::init_for_filesort (this=0x7f413855c8d0, sortlen=1025, table=0x7f40f81505c8, max_length_for_sort_data=1024, maxrows=18446744073709551615, sort_positions=false) at /data/src/10.2/sql/filesort.cc:93
#6  0x0000563d79bf1555 in filesort (thd=0x7f40f8000b00, table=0x7f40f81505c8, filesort=0x7f40f8015a08, tracker=0x7f40f8015cf8, join=0x7f40f80134d0, first_table_bit=1) at /data/src/10.2/sql/filesort.cc:196
#7  0x0000563d799fe3da in create_sort_index (thd=0x7f40f8000b00, join=0x7f40f80134d0, tab=0x7f40f8014c30, fsort=0x7f40f8015a08) at /data/src/10.2/sql/sql_select.cc:21790
#8  0x0000563d799f8e67 in st_join_table::sort_table (this=0x7f40f8014c30) at /data/src/10.2/sql/sql_select.cc:19625
#9  0x0000563d799f8ab5 in join_init_read_record (tab=0x7f40f8014c30) at /data/src/10.2/sql/sql_select.cc:19566
#10 0x0000563d79a0b3de in AGGR_OP::end_send (this=0x7f40f80158c0) at /data/src/10.2/sql/sql_select.cc:26553
#11 0x0000563d799f65b0 in sub_select_postjoin_aggr (join=0x7f40f80134d0, join_tab=0x7f40f8014c30, end_of_records=true) at /data/src/10.2/sql/sql_select.cc:18379
#12 0x0000563d799f68d6 in sub_select (join=0x7f40f80134d0, join_tab=0x7f40f8014880, end_of_records=true) at /data/src/10.2/sql/sql_select.cc:18615
#13 0x0000563d799f60ec in do_select (join=0x7f40f80134d0, procedure=0x0) at /data/src/10.2/sql/sql_select.cc:18210
#14 0x0000563d799d079d in JOIN::exec_inner (this=0x7f40f80134d0) at /data/src/10.2/sql/sql_select.cc:3540
#15 0x0000563d799cfc4c in JOIN::exec (this=0x7f40f80134d0) at /data/src/10.2/sql/sql_select.cc:3335
#16 0x0000563d799d0e15 in mysql_select (thd=0x7f40f8000b00, tables=0x7f40f8012ce0, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x7f40f80133a0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748609, result=0x7f40f80134b0, unit=0x7f40f80046a0, select_lex=0x7f40f8004dd8) at /data/src/10.2/sql/sql_select.cc:3735
#17 0x0000563d799c558a in handle_select (thd=0x7f40f8000b00, lex=0x7f40f80045d8, result=0x7f40f80134b0, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:373
#18 0x0000563d7999139f in execute_sqlcom_select (thd=0x7f40f8000b00, all_tables=0x7f40f8012ce0) at /data/src/10.2/sql/sql_parse.cc:6456
#19 0x0000563d79987426 in mysql_execute_command (thd=0x7f40f8000b00) at /data/src/10.2/sql/sql_parse.cc:3467
#20 0x0000563d79994d5d in mysql_parse (thd=0x7f40f8000b00, rawbuf=0x7f40f80124e8 "SELECT DISTINCT INSERT( ExtractValue( NULL, '/bar' ), UUID_SHORT(), 1, 'foo' ) FROM t1 ORDER BY 1", length=97, parser_state=0x7f413855e200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7898
#21 0x0000563d79982cf7 in dispatch_command (command=COM_QUERY, thd=0x7f40f8000b00, packet=0x7f40f808d0e1 "", packet_length=97, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1806
#22 0x0000563d7998165a in do_command (thd=0x7f40f8000b00) at /data/src/10.2/sql/sql_parse.cc:1360
#23 0x0000563d79acf8c4 in do_handle_one_connection (connect=0x563d7c20beb0) at /data/src/10.2/sql/sql_connect.cc:1335
#24 0x0000563d79acf651 in handle_one_connection (arg=0x563d7c20beb0) at /data/src/10.2/sql/sql_connect.cc:1241
#25 0x0000563d79eeee10 in pfs_spawn_thread (arg=0x563d7c16f800) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#26 0x00007f4148e07494 in start_thread (arg=0x7f413855f700) at pthread_create.c:333
#27 0x00007f41471ed93f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Also reproducible on 10.3. Couldn't reproduce on 10.1.



 Comments   
Comment by Alice Sherepa [ 2018-03-15 ]

The same is reproducible on 5.5–10.3 with

./mtr main.subselect_innodb  --mysqld=--big-tables=1

CURRENT_TEST: main.subselect_innodb
mysqltest: At line 435: query 'select distinct (select 1 from `t2` where `a`) `d2` from `t1`' failed: 2013: Lost connection to MySQL server during query
 
The result from queries just before the failure was:
< snip >
explain
select 1 from t1 where 1 like (select 1 from t1 where 1 <=> (select 1 from t1 group by a1));
id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
1	PRIMARY	t1	ALL	NULL	NULL	NULL	NULL	1	
2	SUBQUERY	t1	ALL	NULL	NULL	NULL	NULL	1	
3	SUBQUERY	t1	ALL	NULL	NULL	NULL	NULL	1	Using temporary; Using filesort
select 1 from t1 where 1 like (select 1 from t1 where 1 <=> (select 1 from t1 group by a1));
1
1
drop table t1;
#
# MDEV-3988 crash in create_tmp_table
#
drop table if exists `t1`,`t2`;
Warnings:
Note	1051	Unknown table 'test.t1'
Note	1051	Unknown table 'test.t2'
create table `t1`(`a` char(1) character set utf8)engine=innodb;
create table `t2`(`b` char(1) character set utf8)engine=memory;
select distinct (select 1 from `t2` where `a`) `d2` from `t1`;

on 5.5

Thread 1 (Thread 0x7ff3c029c700 (LWP 2317)):
#0  __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:62
#1  0x0000000000d1c187 in my_write_core (sig=11) at /home/alice/git/5.5/mysys/stacktrace.c:457
#2  0x00000000007dce74 in handle_fatal_signal (sig=11) at /home/alice/git/5.5/sql/signal_handler.cc:262
#3  <signal handler called>
#4  0x00000000007dc257 in get_addon_fields (thd=0x7ff3b8f67000, ptabfield=0x7ff3afce4d20, sortlength=9, plength=0x7ff3c029a08c) at /home/alice/git/5.5/sql/filesort.cc:1753
#5  0x00000000007d7804 in filesort (thd=0x7ff3b8f67000, table=0x7ff3afce4018, sortorder=0x7ff3afc141b8, s_length=1, select=0x0, max_rows=18446744073709551615, sort_positions=false, examined_rows=0x7ff3c029a490) at /home/alice/git/5.5/sql/filesort.cc:157
#6  0x0000000000678136 in create_sort_index (thd=0x7ff3b8f67000, join=0x7ff3afc4f018, order=0x7ff3afc14278, filesort_limit=18446744073709551615, select_limit=18446744073709551615, is_order_by=false) at /home/alice/git/5.5/sql/sql_select.cc:20049
#7  0x000000000064bf15 in JOIN::exec (this=0x7ff3afc4f018) at /home/alice/git/5.5/sql/sql_select.cc:2861
#8  0x000000000064ca3b in mysql_select (thd=0x7ff3b8f67000, rref_pointer_array=0x7ff3b8f6ad28, tables=0x7ff3afc4fc18, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748609, result=0x7ff3afc44218, unit=0x7ff3b8f6a328, select_lex=0x7ff3b8f6aa28) at /home/alice/git/5.5/sql/sql_select.cc:3118
#9  0x00000000006429fd in handle_select (thd=0x7ff3b8f67000, lex=0x7ff3b8f6a278, result=0x7ff3afc44218, setup_tables_done_option=0) at /home/alice/git/5.5/sql/sql_select.cc:323
#10 0x00000000006190fa in execute_sqlcom_select (thd=0x7ff3b8f67000, all_tables=0x7ff3afc4fc18) at /home/alice/git/5.5/sql/sql_parse.cc:4678
#11 0x0000000000611bb4 in mysql_execute_command (thd=0x7ff3b8f67000) at /home/alice/git/5.5/sql/sql_parse.cc:2224
#12 0x000000000061c032 in mysql_parse (thd=0x7ff3b8f67000, rawbuf=0x7ff3afcf86d8 "select distinct (select 1 from `t2` where `a`) `d2` from `t1`", length=61, parser_state=0x7ff3c029b660) at /home/alice/git/5.5/sql/sql_parse.cc:5923
#13 0x000000000060ef22 in dispatch_command (command=COM_QUERY, thd=0x7ff3b8f67000, packet=0x7ff3b7d33001 "select distinct (select 1 from `t2` where `a`) `d2` from `t1`", packet_length=61) at /home/alice/git/5.5/sql/sql_parse.cc:1066
#14 0x000000000060e093 in do_command (thd=0x7ff3b8f67000) at /home/alice/git/5.5/sql/sql_parse.cc:793
#15 0x0000000000723fbb in do_handle_one_connection (thd_arg=0x7ff3b8f67000) at /home/alice/git/5.5/sql/sql_connect.cc:1268
#16 0x0000000000723d24 in handle_one_connection (arg=0x7ff3b8f67000) at /home/alice/git/5.5/sql/sql_connect.cc:1184
#17 0x0000000000998603 in pfs_spawn_thread (arg=0x7ff3b8fd6430) at /home/alice/git/5.5/storage/perfschema/pfs.cc:1015
#18 0x00007ff3bf4496ba in start_thread (arg=0x7ff3c029c700) at pthread_create.c:333
#19 0x00007ff3beaf441d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

10.2

Thread 1 (Thread 0x7ffa3406c700 (LWP 32515)):
#0  __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:62
#1  0x000056066c433bea in my_write_core (sig=11) at /home/alice/git/10.2/mysys/stacktrace.c:477
#2  0x000056066bcc645f in handle_fatal_signal (sig=11) at /home/alice/git/10.2/sql/signal_handler.cc:305
#3  <signal handler called>
#4  0x000056066bcc4e14 in get_addon_fields (max_length_for_sort_data=1024, ptabfield=0x7ff9e812b220, sortlength=9, addon_buf=0x7ffa340698d8) at /home/alice/git/10.2/sql/filesort.cc:2031
#5  0x000056066bcbf9b8 in Sort_param::init_for_filesort (this=0x7ffa34069890, sortlen=9, table=0x7ff9e812a1b0, max_length_for_sort_data=1024, maxrows=18446744073709551615, sort_positions=false) at /home/alice/git/10.2/sql/filesort.cc:92
#6  0x000056066bcbfd92 in filesort (thd=0x7ff9e8000a98, table=0x7ff9e812a1b0, filesort=0x7ff9e8106e90, tracker=0x7ff9e81070f8, join=0x7ff9e810dbb0, first_table_bit=1) at /home/alice/git/10.2/sql/filesort.cc:196
#7  0x000056066bacc5b1 in create_sort_index (thd=0x7ff9e8000a98, join=0x7ff9e810dbb0, tab=0x7ff9e8060160, fsort=0x7ff9e8106e90) at /home/alice/git/10.2/sql/sql_select.cc:21817
#8  0x000056066bac6fb6 in st_join_table::sort_table (this=0x7ff9e8060160) at /home/alice/git/10.2/sql/sql_select.cc:19652
#9  0x000056066bac6c00 in join_init_read_record (tab=0x7ff9e8060160) at /home/alice/git/10.2/sql/sql_select.cc:19593
#10 0x000056066bad9616 in AGGR_OP::end_send (this=0x7ff9e80740f0) at /home/alice/git/10.2/sql/sql_select.cc:26594
#11 0x000056066bac46d6 in sub_select_postjoin_aggr (join=0x7ff9e810dbb0, join_tab=0x7ff9e8060160, end_of_records=true) at /home/alice/git/10.2/sql/sql_select.cc:18406
#12 0x000056066bac49fa in sub_select (join=0x7ff9e810dbb0, join_tab=0x7ff9e805fdb0, end_of_records=true) at /home/alice/git/10.2/sql/sql_select.cc:18642
#13 0x000056066bac420b in do_select (join=0x7ff9e810dbb0, procedure=0x0) at /home/alice/git/10.2/sql/sql_select.cc:18237
#14 0x000056066ba9ec23 in JOIN::exec_inner (this=0x7ff9e810dbb0) at /home/alice/git/10.2/sql/sql_select.cc:3566
#15 0x000056066ba9e0c4 in JOIN::exec (this=0x7ff9e810dbb0) at /home/alice/git/10.2/sql/sql_select.cc:3361
#16 0x000056066ba9f294 in mysql_select (thd=0x7ff9e8000a98, tables=0x7ff9e811fba0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748609, result=0x7ff9e8110260, unit=0x7ff9e8004640, select_lex=0x7ff9e8004d98) at /home/alice/git/10.2/sql/sql_select.cc:3761
#17 0x000056066ba93875 in handle_select (thd=0x7ff9e8000a98, lex=0x7ff9e8004578, result=0x7ff9e8110260, setup_tables_done_option=0) at /home/alice/git/10.2/sql/sql_select.cc:376
#18 0x000056066ba5f7f4 in execute_sqlcom_select (thd=0x7ff9e8000a98, all_tables=0x7ff9e811fba0) at /home/alice/git/10.2/sql/sql_parse.cc:6456
#19 0x000056066ba55572 in mysql_execute_command (thd=0x7ff9e8000a98) at /home/alice/git/10.2/sql/sql_parse.cc:3467
#20 0x000056066ba631e0 in mysql_parse (thd=0x7ff9e8000a98, rawbuf=0x7ff9e805e2a0 "select distinct (select 1 from `t2` where `a`) `d2` from `t1`", length=61, parser_state=0x7ffa3406b1f0, is_com_multi=false, is_next_command=false) at /home/alice/git/10.2/sql/sql_parse.cc:7902
#21 0x000056066ba50e0f in dispatch_command (command=COM_QUERY, thd=0x7ff9e8000a98, packet=0x7ff9e8007fe9 "", packet_length=61, is_com_multi=false, is_next_command=false) at /home/alice/git/10.2/sql/sql_parse.cc:1806
#22 0x000056066ba4f76b in do_command (thd=0x7ff9e8000a98) at /home/alice/git/10.2/sql/sql_parse.cc:1360
#23 0x000056066bb9dee9 in do_handle_one_connection (connect=0x56066eb80408) at /home/alice/git/10.2/sql/sql_connect.cc:1335
#24 0x000056066bb9dc69 in handle_one_connection (arg=0x56066eb80408) at /home/alice/git/10.2/sql/sql_connect.cc:1241
#25 0x000056066befb8ce in pfs_spawn_thread (arg=0x56066eb05ed8) at /home/alice/git/10.2/storage/perfschema/pfs.cc:1862
#26 0x00007ffa3a5dc6ba in start_thread (arg=0x7ffa3406c700) at pthread_create.c:333
#27 0x00007ffa39a7141d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Comment by Alice Sherepa [ 2019-03-25 ]

Still reproducible on 5.5–10.3, but the test passes on 10.4 (run with big-tables=1):

# Fixture presumably excerpted from main.subselect_innodb (the test named in the
# 2018-03-15 comment, run with --big-tables=1); kept verbatim as the repro.
# BINARY on the VARCHAR columns gives them a binary (case-sensitive) collation.
CREATE TABLE t1
(
FOLDERID VARCHAR(32)BINARY NOT NULL
, FOLDERNAME VARCHAR(255)BINARY NOT NULL
, CREATOR VARCHAR(255)BINARY
, CREATED TIMESTAMP NOT NULL
, DESCRIPTION VARCHAR(255)BINARY
, FOLDERTYPE INTEGER NOT NULL
, MODIFIED TIMESTAMP
, MODIFIER VARCHAR(255)BINARY
, FOLDERSIZE INTEGER NOT NULL
, PARENTID VARCHAR(32)BINARY
, REPID VARCHAR(32)BINARY
, ORIGINATOR INTEGER
 
, PRIMARY KEY ( FOLDERID )
) ENGINE=InnoDB;
# FFOLDERID_IDX duplicates the PRIMARY KEY on FOLDERID; redundant, but part of
# the original fixture.
CREATE INDEX FFOLDERID_IDX ON t1 (FOLDERID);
CREATE INDEX CMFLDRPARNT_IDX ON t1 (PARENTID);
# Positional INSERTs with double-quoted string literals: column order must match
# the CREATE TABLE above, and the session must not run with ANSI_QUOTES.
INSERT INTO t1 VALUES("0c9aab05b15048c59bc35c8461507deb", "System", "System", "2003-06-05 16:30:00", "The system content repository folder.", "3", "2003-06-05 16:30:00", "System", "0", NULL, "9c9aab05b15048c59bc35c8461507deb", "1");
INSERT INTO t1 VALUES("2f6161e879db43c1a5b82c21ddc49089", "Default", "System", "2003-06-09 10:52:02", "The default content repository folder.", "3", "2003-06-05 16:30:00", "System", "0", NULL, "03eea05112b845949f3fd03278b5fe43", "1");
INSERT INTO t1 VALUES("c373e9f5ad0791724315444553544200", "AddDocumentTest", "admin", "2003-06-09 10:51:25", "Movie Reviews", "0", "2003-06-09 10:51:25", "admin", "0", "2f6161e879db43c1a5b82c21ddc49089", "03eea05112b845949f3fd03278b5fe43", NULL);
# No row has FOLDERNAME = 'Level1', so the subquery is empty and the IN
# predicate evaluates to 0 (not NULL).
SELECT 'c373e9f5ad0791a0dab5444553544200' IN(SELECT t1.FOLDERID FROM t1 WHERE t1.PARENTID='2f6161e879db43c1a5b82c21ddc49089' AND t1.FOLDERNAME = 'Level1');
drop table t1;
 
#
# UNION unlocking test
#
# Three single-column InnoDB tables; t3 is the outer table, t1 and t2 feed the
# UNION inside the IN subquery.
create table t1 (a int) engine=innodb;
create table t2 (a int) engine=innodb;
create table t3 (a int) engine=innodb;
insert into t1 values (1),(2),(3),(4);
insert into t2 values (10),(20),(30),(40);
insert into t3 values (1),(2),(10),(50);
# The UNION yields {1,2,3} from t1 and {10,20,30} from t2 (the `select *` in
# the second branch resolves to t2.a); intersecting with t3 gives rows
# 1, 2 and 10 in unspecified order — 50 matches neither branch.
select a from t3 where t3.a in (select a from t1 where a <= 3 union select * from t2 where a <= 30);
drop table t1,t2,t3;

10.3 f03f4da66373161d604b8ecf3

==15951==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x564a6fa341b6 bp 0x7ff29496a240 sp 0x7ff29496a110 T29)
    #0 0x564a6fa341b5 in get_addon_fields /10.3/sql/filesort.cc:2006
    #1 0x564a6fa281f7 in Sort_param::init_for_filesort(unsigned int, TABLE*, unsigned long, unsigned long long, bool) /10.3/sql/filesort.cc:83
    #2 0x564a6fa28bb1 in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /10.3/sql/filesort.cc:190
    #3 0x564a6f4805a6 in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /10.3/sql/sql_select.cc:22559
    #4 0x564a6f47148a in st_join_table::sort_table() /10.3/sql/sql_select.cc:20371
    #5 0x564a6f4709cf in join_init_read_record(st_join_table*) /10.3/sql/sql_select.cc:20312
    #6 0x564a6f4a2a40 in AGGR_OP::end_send() /10.3/sql/sql_select.cc:27411
    #7 0x564a6f469b7e in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /10.3/sql/sql_select.cc:19112
    #8 0x564a6f46a2da in sub_select(JOIN*, st_join_table*, bool) /10.3/sql/sql_select.cc:19347
    #9 0x564a6f468f4e in do_select /10.3/sql/sql_select.cc:18938
    #10 0x564a6f407e0c in JOIN::exec_inner() /10.3/sql/sql_select.cc:4040
    #11 0x564a6f405ab1 in JOIN::exec() /10.3/sql/sql_select.cc:3834
    #12 0x564a6f408f23 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.3/sql/sql_select.cc:4239
    #13 0x564a6f3e42c8 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.3/sql/sql_select.cc:385
    #14 0x564a6f36b009 in execute_sqlcom_select /10.3/sql/sql_parse.cc:6546
    #15 0x564a6f359b62 in mysql_execute_command(THD*) /10.3/sql/sql_parse.cc:3819
    #16 0x564a6f373989 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.3/sql/sql_parse.cc:8089
    #17 0x564a6f34e4aa in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.3/sql/sql_parse.cc:1857
    #18 0x564a6f34b610 in do_command(THD*) /10.3/sql/sql_parse.cc:1403
    #19 0x564a6f6a03fd in do_handle_one_connection(CONNECT*) /10.3/sql/sql_connect.cc:1402
    #20 0x564a6f69fdda in handle_one_connection /10.3/sql/sql_connect.cc:1308
    #21 0x564a709cdf74 in pfs_spawn_thread /10.3/storage/perfschema/pfs.cc:1862
    #22 0x7ff2a9e4f6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #23 0x7ff2a92e441c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

Comment by Elena Stepanova [ 2023-08-24 ]

10.3 is EOL.
