[MDEV-17738] Server crashes in Item::delete_self on closing connection after unsuccessful PS Created: 2018-11-16  Updated: 2018-12-21  Resolved: 2018-12-21

Status: Closed
Project: MariaDB Server
Component/s: Prepared Statements
Affects Version/s: 10.2
Fix Version/s: 10.2.20

Type: Bug Priority: Critical
Reporter: Elena Stepanova Assignee: Alexander Barkov
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Duplicate
is duplicated by MDEV-17741 Assertion `thd->Item_change_list::is_... Closed
Relates
relates to MDEV-15802 [Draft] Server crashes in Item::delet... Open
relates to MDEV-17344 [Draft] Server crashes in Prepared_st... Open
relates to MDEV-17741 Assertion `thd->Item_change_list::is_... Closed

Description

Please also see MDEV-17741; it is likely to have the same or a closely related root cause. If so, please make sure both are fixed at the same time.

SET SQL_MODE='STRICT_ALL_TABLES';
PREPARE stmt FROM "CREATE TABLE ps AS SELECT 1 FROM DUAL WHERE 'foo' && 0";
--error ER_TRUNCATED_WRONG_VALUE
EXECUTE stmt;
 
--source include/restart_mysqld.inc
 
# Cleanup
SELECT 'All done';

10.2 7e75643778

#3  <signal handler called>
#4  0x000055d3b8bef52b in Item::delete_self (this=0x7f2c9415e8d0) at /data/src/10.2/sql/item.h:1848
#5  0x000055d3b8be64ac in Query_arena::free_items (this=0x7f2c94006618) at /data/src/10.2/sql/sql_class.cc:3467
#6  0x000055d3b8c5377f in Prepared_statement::~Prepared_statement (this=0x7f2c94006600, __in_chrg=<optimized out>) at /data/src/10.2/sql/sql_prepare.cc:3827
#7  0x000055d3b8c5390e in Prepared_statement::~Prepared_statement (this=0x7f2c94006600, __in_chrg=<optimized out>) at /data/src/10.2/sql/sql_prepare.cc:3836
#8  0x000055d3b8be6b9d in delete_statement_as_hash_key (key=0x7f2c94006600) at /data/src/10.2/sql/sql_class.cc:3608
#9  0x000055d3b95d663b in my_hash_free_elements (hash=0x7f2c94002598) at /data/src/10.2/mysys/hash.c:129
#10 0x000055d3b95d6755 in my_hash_reset (hash=0x7f2c94002598) at /data/src/10.2/mysys/hash.c:171
#11 0x000055d3b8be6fe9 in Statement_map::reset (this=0x7f2c94002598) at /data/src/10.2/sql/sql_class.cc:3740
#12 0x000055d3b8bdfd65 in THD::free_connection (this=0x7f2c94000b00) at /data/src/10.2/sql/sql_class.cc:1442
#13 0x000055d3b8b48017 in unlink_thd (thd=0x7f2c94000b00) at /data/src/10.2/sql/mysqld.cc:2922
#14 0x000055d3b8b48494 in one_thread_per_connection_end (thd=0x7f2c94000b00, put_in_cache=true) at /data/src/10.2/sql/mysqld.cc:3063
#15 0x000055d3b8d77236 in do_handle_one_connection (connect=0x55d3bbca6930) at /data/src/10.2/sql/sql_connect.cc:1354
#16 0x000055d3b8d76eda in handle_one_connection (arg=0x55d3bbca6930) at /data/src/10.2/sql/sql_connect.cc:1241
#17 0x000055d3b919a53c in pfs_spawn_thread (arg=0x55d3bbc0a0b0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#18 0x00007f2cacc67494 in start_thread (arg=0x7f2ca5265700) at pthread_create.c:333
#19 0x00007f2cab04593f in clone () from /lib/x86_64-linux-gnu/libc.so.6

If I replace server restart with DEALLOCATE, other strange things happen:

SET SQL_MODE='STRICT_ALL_TABLES';
PREPARE stmt FROM "CREATE TABLE ps AS SELECT 1 FROM DUAL WHERE 'foo' && 0";
--error ER_TRUNCATED_WRONG_VALUE
EXECUTE stmt;
 
DEALLOCATE PREPARE stmt;
 
# Cleanup
SELECT 'All done';

PREPARE stmt FROM "CREATE TABLE ps AS SELECT 1 FROM DUAL WHERE 'foo' && 0";
Warnings:
Warning	1292	Truncated incorrect INTEGER value: 'foo'
EXECUTE stmt;
ERROR 22007: Truncated incorrect INTEGER value: 'foo'
DEALLOCATE PREPARE stmt;
bug.t4a                                  [ fail ]
        Test ended at 2018-11-16 14:26:37
 
CURRENT_TEST: bug.t4a
mysqltest: At line 6: query 'DEALLOCATE PREPARE stmt' failed: 1243: Unknown prepared statement handler (stmt) given to DEALLOCATE PREPARE

So, the statement gets prepared (albeit with a warning), an attempt is made to execute it (albeit with an error), but by DEALLOCATE it seems to have disappeared.

Same test case with ASAN:

10.2 861038f2e8

==11339==ERROR: AddressSanitizer: use-after-poison on address 0x62b00002c250 at pc 0x55719e64f8be bp 0x7f7ea3e09980 sp 0x7f7ea3e09978
READ of size 8 at 0x62b00002c250 thread T5
    #0 0x55719e64f8bd in Query_arena::free_items() /data/src/10.2/sql/sql_class.cc:3464
    #1 0x55719e7531f1 in Prepared_statement::~Prepared_statement() /data/src/10.2/sql/sql_prepare.cc:3839
    #2 0x55719e753671 in Prepared_statement::~Prepared_statement() /data/src/10.2/sql/sql_prepare.cc:3848
    #3 0x55719e650db2 in delete_statement_as_hash_key /data/src/10.2/sql/sql_class.cc:3608
    #4 0x55719fcdefcd in my_hash_free_elements /data/src/10.2/mysys/hash.c:129
    #5 0x55719fcdf2a7 in my_hash_reset /data/src/10.2/mysys/hash.c:171
    #6 0x55719e6515e7 in Statement_map::reset() /data/src/10.2/sql/sql_class.cc:3740
    #7 0x55719e63ef6f in THD::free_connection() /data/src/10.2/sql/sql_class.cc:1442
    #8 0x55719e4ef6ce in unlink_thd(THD*) /data/src/10.2/sql/mysqld.cc:2922
    #9 0x55719e4effa2 in one_thread_per_connection_end(THD*, bool) /data/src/10.2/sql/mysqld.cc:3063
    #10 0x55719ea2d6fa in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1354
    #11 0x55719ea2ceed in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #12 0x55719f447a63 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
    #13 0x7f7eb0070493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #14 0x7f7eae67193e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x62b00002c250 is located 8272 bytes inside of 24716-byte region [0x62b00002a200,0x62b00003028c)
allocated by thread T5 here:
    #0 0x7f7eb02da73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x55719fd6ac4b in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #2 0x55719fd39ea2 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #3 0x55719fd19c9a in init_alloc_root /data/src/10.2/mysys/my_alloc.c:78
    #4 0x55719e9aac24 in init_sql_alloc(st_mem_root*, unsigned int, unsigned int, unsigned long) /data/src/10.2/sql/thr_malloc.cc:64
    #5 0x55719e7529e9 in Prepared_statement::Prepared_statement(THD*) /data/src/10.2/sql/sql_prepare.cc:3768
    #6 0x55719e74d8a4 in mysql_sql_stmt_prepare(THD*) /data/src/10.2/sql/sql_prepare.cc:2805
    #7 0x55719e6f49a3 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3496
    #8 0x55719e710977 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8013
    #9 0x55719e6eb361 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1824
    #10 0x55719e6e8405 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1378
    #11 0x55719ea2d4d8 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #12 0x55719ea2ceed in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #13 0x55719f447a63 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
    #14 0x7f7eb0070493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
Thread T5 created by T0 here:
    #0 0x7f7eb02a9bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x55719f44802b in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
    #2 0x55719e4e537e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
    #3 0x55719e4fa31b in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6466
    #4 0x55719e4faa20 in create_new_thread /data/src/10.2/sql/mysqld.cc:6536
    #5 0x55719e4fba37 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6811
    #6 0x55719e4f9870 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6085
    #7 0x55719e4e371f in main /data/src/10.2/sql/main.cc:25
    #8 0x7f7eae5a92b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.2/sql/sql_class.cc:3464 Query_arena::free_items()
Shadow bytes around the buggy address:
  0x0c567fffd7f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd800: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd810: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd820: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd830: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c567fffd840: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7
  0x0c567fffd850: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd860: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd870: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd880: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd890: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==11339==ABORTING

For some reason, the crash is only reproducible on 10.2.
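For triaging reports like the ASAN output above, here is an added helper script (not part of the original report and not MariaDB's own code) that parses the key fields of an AddressSanitizer report into a structured record and cross-checks them: it extracts the error kind, the faulting access, the first in-tree frame of the access stack and of the allocation stack, and verifies that the reported offset inside the region agrees with the faulting address. The input is a constructed excerpt of the report above; the `/data/src/` source root and the choice to skip `mysys/` frames as allocator plumbing are assumptions made for this example.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the ASAN report in the bug description above (access stack trimmed).
SAMPLE_REPORT = """\
==11339==ERROR: AddressSanitizer: use-after-poison on address 0x62b00002c250 at pc 0x55719e64f8be bp 0x7f7ea3e09980 sp 0x7f7ea3e09978
READ of size 8 at 0x62b00002c250 thread T5
    #0 0x55719e64f8bd in Query_arena::free_items() /data/src/10.2/sql/sql_class.cc:3464
    #1 0x55719e7531f1 in Prepared_statement::~Prepared_statement() /data/src/10.2/sql/sql_prepare.cc:3839
    #2 0x55719e650db2 in delete_statement_as_hash_key /data/src/10.2/sql/sql_class.cc:3608

0x62b00002c250 is located 8272 bytes inside of 24716-byte region [0x62b00002a200,0x62b00003028c)
allocated by thread T5 here:
    #0 0x7f7eb02da73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x55719fd6ac4b in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #2 0x55719fd39ea2 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #3 0x55719fd19c9a in init_alloc_root /data/src/10.2/mysys/my_alloc.c:78
    #4 0x55719e9aac24 in init_sql_alloc(st_mem_root*, unsigned int, unsigned int, unsigned long) /data/src/10.2/sql/thr_malloc.cc:64
    #5 0x55719e7529e9 in Prepared_statement::Prepared_statement(THD*) /data/src/10.2/sql/sql_prepare.cc:3768

Thread T5 created by T0 here:
    #0 0x7f7eb02a9bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
==11339==ABORTING
"""

_HEADER = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
_FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (\S+)$")  # function may contain spaces
_REGION = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes inside of (\d+)-byte region "
                     r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

Frame = namedtuple("Frame", "index function location")  # location: "file:line" or "(module+off)"

@dataclass
class AsanReport:
    error_kind: str
    address: int
    access: Optional[str] = None          # READ / WRITE
    size: Optional[int] = None
    region_start: Optional[int] = None
    region_size: Optional[int] = None
    offset_in_region: Optional[int] = None
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

def parse_asan_report(text: str) -> AsanReport:
    """Parse one ASAN report; frame lines go to the stack of the section being read."""
    report, target = None, []
    for line in (raw.rstrip() for raw in text.splitlines()):
        if m := _HEADER.match(line):
            report = AsanReport(error_kind=m.group(1), address=int(m.group(2), 16))
            target = report.access_stack
        elif report is None:
            continue  # ignore anything before the error header
        elif m := _ACCESS.match(line):
            report.access, report.size = m.group(1), int(m.group(2))
        elif m := _FRAME.match(line):
            target.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
        elif m := _REGION.match(line):
            report.offset_in_region, report.region_size = int(m.group(1)), int(m.group(2))
            report.region_start = int(m.group(3), 16)
        elif line.startswith("allocated by thread"):
            target = report.alloc_stack
        elif line.startswith("Thread ") and line.endswith("here:"):
            target = []  # thread-creation stack: parsed into a throwaway list
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report

def first_project_frame(frames, source_root, skip_dirs=("mysys/",)) -> Optional[Frame]:
    """First frame inside the source tree, skipping allocator plumbing directories
    (treating mysys/ as plumbing is an assumption made for this example)."""
    for f in frames:
        if f.location.startswith(source_root) and not any(d in f.location for d in skip_dirs):
            return f
    return None

def triage(report: AsanReport, source_root: str = "/data/src/") -> dict:
    """Reduce the report to the fields a triager looks at first, with a consistency check."""
    fault = first_project_frame(report.access_stack, source_root)
    owner = first_project_frame(report.alloc_stack, source_root)
    # Offset, region start and faulting address must agree and the access must fit in the region.
    consistent = (report.region_start is not None and report.size is not None
                  and report.region_start + report.offset_in_region == report.address
                  and report.offset_in_region + report.size <= report.region_size)
    return {
        "kind": report.error_kind,
        "access": f"{report.access} of {report.size} bytes",
        "faulting_frame": f"{fault.function} at {fault.location}" if fault else None,
        "allocating_frame": f"{owner.function} at {owner.location}" if owner else None,
        "report_consistent": consistent,
    }

if __name__ == "__main__":
    print(triage(parse_asan_report(SAMPLE_REPORT)))
```

On the excerpt above this yields `Query_arena::free_items()` as the faulting frame and `init_sql_alloc(...)` in `thr_malloc.cc` as the first in-tree owner of the poisoned region, which is the pairing (arena freed twice or after its MEM_ROOT was already trashed) a triager wants in front of them before opening the debugger.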



Comments
Comment by Elena Stepanova [ 2018-11-17 ]

Other variations:

SET SQL_MODE= 'STRICT_ALL_TABLES';
 
CREATE TABLE t1 (a INT); 
PREPARE stmt FROM "CREATE TABLE tmp AS SELECT * FROM t1 WHERE 'foo' && 0";
--error ER_TRUNCATED_WRONG_VALUE
EXECUTE stmt;
SELECT a FROM t1 GROUP BY a;
SELECT * FROM t1;

10.2 f74649b522fd ASAN

==24408==ERROR: AddressSanitizer: use-after-poison on address 0x62b00002d5f8 at pc 0x55e11da7ed93 bp 0x7f64c0e160c0 sp 0x7f64c0e160b8
READ of size 8 at 0x62b00002d5f8 thread T5
    #0 0x55e11da7ed92 in Mem_root_array<st_order*, true>::size() const /data/src/10.2/sql/mem_root_array.h:228
    #1 0x55e11da7ebf9 in Mem_root_array<st_order*, true>::empty() const /data/src/10.2/sql/mem_root_array.h:227
    #2 0x55e11da7e415 in Mem_root_array<st_order*, true>::clear() (/data/bld/10.2-asan/bin/mysqld+0xc71415)
    #3 0x55e11da60f85 in lex_start(THD*) /data/src/10.2/sql/sql_lex.cc:700
    #4 0x55e11daaf41c in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7952
    #5 0x55e11da8a3ed in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1824
    #6 0x55e11da87491 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1378
    #7 0x55e11ddcc21e in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #8 0x55e11ddcbc33 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #9 0x55e11e7e6797 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
    #10 0x7f64cd07e493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #11 0x7f64cb67f93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x62b00002d5f8 is located 13304 bytes inside of 24716-byte region [0x62b00002a200,0x62b00003028c)
allocated by thread T5 here:
    #0 0x7f64cd2e873f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x55e11f10971b in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #2 0x55e11f0d8972 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #3 0x55e11f0b876a in init_alloc_root /data/src/10.2/mysys/my_alloc.c:78
    #4 0x55e11dd4996a in init_sql_alloc(st_mem_root*, unsigned int, unsigned int, unsigned long) /data/src/10.2/sql/thr_malloc.cc:64
    #5 0x55e11daf17fb in Prepared_statement::Prepared_statement(THD*) /data/src/10.2/sql/sql_prepare.cc:3756
    #6 0x55e11daec8e0 in mysql_sql_stmt_prepare(THD*) /data/src/10.2/sql/sql_prepare.cc:2805
    #7 0x55e11da939de in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3495
    #8 0x55e11daaf9b3 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8012
    #9 0x55e11da8a3ed in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1824
    #10 0x55e11da87491 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1378
    #11 0x55e11ddcc21e in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #12 0x55e11ddcbc33 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #13 0x55e11e7e6797 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
    #14 0x7f64cd07e493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
Thread T5 created by T0 here:
    #0 0x7f64cd2b7bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x55e11e7e6d5f in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
    #2 0x55e11d88440e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
    #3 0x55e11d8993a6 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6466
    #4 0x55e11d899aab in create_new_thread /data/src/10.2/sql/mysqld.cc:6536
    #5 0x55e11d89aac2 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6811
    #6 0x55e11d8988fb in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6085
    #7 0x55e11d8827af in main /data/src/10.2/sql/main.cc:25
    #8 0x7f64cb5b72b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.2/sql/mem_root_array.h:228 Mem_root_array<st_order*, true>::size() const
Shadow bytes around the buggy address:
  0x0c567fffda60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffda70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffda80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffda90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffdaa0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c567fffdab0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]
  0x0c567fffdac0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffdad0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffdae0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffdaf0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffdb00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==24408==ABORTING
----------SERVER LOG END-------------

With a slightly more complicated test case, on a non-ASAN build:

#3  <signal handler called>
#4  0x000055ac8008b7bb in Mem_root_array<st_order*, true>::push_back (this=0x7f1af046ab38, element=@0x7f1b3dceae60: 0x7f1af046be60) at /data/src/10.2/sql/mem_root_array.h:169
#5  0x000055ac80085c11 in st_select_lex::fix_prepare_information (this=0x7f1af0004e18, thd=0x7f1af0000b00, conds=0x7f1af046c398, having_conds=0x7f1af046c140) at /data/src/10.2/sql/sql_lex.cc:3677
#6  0x000055ac800d617b in JOIN::prepare (this=0x7f1af046bf90, tables_init=0x7f1af046b0d0, wild_num=0, conds_init=0x7f1af046ba10, og_num=1, order_init=0x0, skip_order_by=false, group_init=0x7f1af046be60, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f1af0004e18, unit_arg=0x7f1af00046e0) at /data/src/10.2/sql/sql_select.cc:906
#7  0x000055ac800e031d in mysql_select (thd=0x7f1af0000b00, tables=0x7f1af046b0d0, wild_num=0, fields=..., conds=0x7f1af046ba10, og_num=1, order=0x0, group=0x7f1af046be60, having=0x0, proc_param=0x0, select_options=2147748609, result=0x7f1af046bf70, unit=0x7f1af00046e0, select_lex=0x7f1af0004e18) at /data/src/10.2/sql/sql_select.cc:3794
#8  0x000055ac800d4607 in handle_select (thd=0x7f1af0000b00, lex=0x7f1af0004618, result=0x7f1af046bf70, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:376
#9  0x000055ac8009fc6b in execute_sqlcom_select (thd=0x7f1af0000b00, all_tables=0x7f1af046b0d0) at /data/src/10.2/sql/sql_parse.cc:6478
#10 0x000055ac80095beb in mysql_execute_command (thd=0x7f1af0000b00) at /data/src/10.2/sql/sql_parse.cc:3484
#11 0x000055ac800a3b45 in mysql_parse (thd=0x7f1af0000b00, rawbuf=0x7f1af04677e8 "SELECT DISTINCT BIT_LENGTH( ( BINARY ( CEIL( ( CASE ( ExtractValue( -5473843872092127232, '/ba/b/dc/b/e/eceabbeb/dcbead/edad/ddceeddecbecbdccda/b/ccdc/aac/dbcdaeecbec/eaeecaa/eb/b/beceb/cd/dda/aabdcaa"..., length=843, parser_state=0x7f1b3dcec250, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:8012
#12 0x000055ac8009148f in dispatch_command (command=COM_QUERY, thd=0x7f1af0000b00, packet=0x7f1af00088a1 "SELECT DISTINCT BIT_LENGTH( ( BINARY ( CEIL( ( CASE ( ExtractValue( -5473843872092127232, '/ba/b/dc/b/e/eceabbeb/dcbead/edad/ddceeddecbecbdccda/b/ccdc/aac/dbcdaeecbec/eaeecaa/eb/b/beceb/cd/dda/aabdcaa"..., packet_length=845, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1824
#13 0x000055ac8008fdf2 in do_command (thd=0x7f1af0000b00) at /data/src/10.2/sql/sql_parse.cc:1378
#14 0x000055ac801e234d in do_handle_one_connection (connect=0x55ac8325c9a0) at /data/src/10.2/sql/sql_connect.cc:1335
#15 0x000055ac801e20da in handle_one_connection (arg=0x55ac8325c9a0) at /data/src/10.2/sql/sql_connect.cc:1241
#16 0x00007f1b56e82494 in start_thread (arg=0x7f1b3dced700) at pthread_create.c:333
#17 0x00007f1b5548393f in clone () from /lib/x86_64-linux-gnu/libc.so.6

See also MDEV-17741 which is probably the same problem.

Comment by Elena Stepanova [ 2018-11-18 ]

More variations:

SET SQL_MODE= 'STRICT_ALL_TABLES';
 
CREATE TABLE t1 (a INT); 
PREPARE stmt FROM "CREATE TABLE tmp AS SELECT * FROM t1 WHERE 'foo' && 0";
--error ER_TRUNCATED_WRONG_VALUE
EXECUTE stmt;
SELECT a FROM t1 GROUP BY a;
 
INSERT t1 SELECT * FROM ( SELECT * FROM t1 ) sq;

10.2 f74649b52

#3  <signal handler called>
#4  0x0000558d5ec574f8 in base_list_iterator::next (this=0x7f2d966850c0) at /data/src/10.2/sql/sql_list.h:456
#5  0x0000558d5ec73aaf in List_iterator<Item>::operator++ (this=0x7f2d966850c0) at /data/src/10.2/sql/sql_list.h:567
#6  0x0000558d5ede4cb4 in TABLE_LIST::change_refs_to_fields (this=0x7f2d8415e930) at /data/src/10.2/sql/table.cc:8218
#7  0x0000558d5ec5e5eb in find_dup_table (thd=0x7f2d84000b00, table=0x7f2d8415cf40, table_list=0x7f2d8415e2c8, check_flag=0) at /data/src/10.2/sql/sql_base.cc:1086
#8  0x0000558d5ec5e70f in unique_table (thd=0x7f2d84000b00, table=0x7f2d8415cf40, table_list=0x7f2d8415e2c8, check_flag=0) at /data/src/10.2/sql/sql_base.cc:1131
#9  0x0000558d5ecb487b in select_insert::prepare (this=0x7f2d8415f850, values=..., u=0x7f2d840046e0) at /data/src/10.2/sql/sql_insert.cc:3621
#10 0x0000558d5ed13bd1 in JOIN::prepare (this=0x7f2d8415f8f8, tables_init=0x7f2d8415e930, wild_num=1, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f2d84004e18, unit_arg=0x7f2d840046e0) at /data/src/10.2/sql/sql_select.cc:1051
#11 0x0000558d5ed1d31d in mysql_select (thd=0x7f2d84000b00, tables=0x7f2d8415e930, wild_num=1, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=3489925888, result=0x7f2d8415f850, unit=0x7f2d840046e0, select_lex=0x7f2d84004e18) at /data/src/10.2/sql/sql_select.cc:3794
#12 0x0000558d5ed11607 in handle_select (thd=0x7f2d84000b00, lex=0x7f2d84004618, result=0x7f2d8415f850, setup_tables_done_option=1073741824) at /data/src/10.2/sql/sql_select.cc:376
#13 0x0000558d5ecd5d41 in mysql_execute_command (thd=0x7f2d84000b00) at /data/src/10.2/sql/sql_parse.cc:4542
#14 0x0000558d5ece0b45 in mysql_parse (thd=0x7f2d84000b00, rawbuf=0x7f2d8415ce38 "INSERT t1 SELECT * FROM ( SELECT * FROM t1 ) sq", length=47, parser_state=0x7f2d96686200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:8012
#15 0x0000558d5ecce48f in dispatch_command (command=COM_QUERY, thd=0x7f2d84000b00, packet=0x7f2d8408c4f1 "INSERT t1 SELECT * FROM ( SELECT * FROM t1 ) sq", packet_length=47, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1824
#16 0x0000558d5ecccdf2 in do_command (thd=0x7f2d84000b00) at /data/src/10.2/sql/sql_parse.cc:1378
#17 0x0000558d5ee1f34d in do_handle_one_connection (connect=0x558d615e0930) at /data/src/10.2/sql/sql_connect.cc:1335
#18 0x0000558d5ee1f0da in handle_one_connection (arg=0x558d615e0930) at /data/src/10.2/sql/sql_connect.cc:1241
#19 0x0000558d5f244cea in pfs_spawn_thread (arg=0x558d615440b0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#20 0x00007f2d9de66494 in start_thread (arg=0x7f2d96687700) at pthread_create.c:333
#21 0x00007f2d9c46793f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Comment by Elena Stepanova [ 2018-12-09 ]

Yet another variation; it happens intermittently, together with the one in Mem_root_array, on a somewhat similar test case with SELECT ... ROLLUP ... HAVING after an unsuccessful CREATE TABLE in PS.

10.2 53440e2dda

#3  <signal handler called>
#4  0x000055870faf39cc in change_group_ref (thd=0x7f1630000b00, expr=0x7f1630045f80, group_list=0x7f1630047cb0, changed=0x7f1694c4bd7f) at /data/src/10.2/sql/sql_select.cc:23875
#5  0x000055870faf3b25 in change_group_ref (thd=0x7f1630000b00, expr=0x7f1630046370, group_list=0x7f1630047cb0, changed=0x7f1694c4bdee) at /data/src/10.2/sql/sql_select.cc:23893
#6  0x000055870faf3f7b in JOIN::rollup_init (this=0x7f1630048a08) at /data/src/10.2/sql/sql_select.cc:23978
#7  0x000055870fab7b5e in JOIN::prepare_stage2 (this=0x7f1630048a08) at /data/src/10.2/sql/sql_select.cc:1098
#8  0x000055870fab79ba in JOIN::prepare (this=0x7f1630048a08, tables_init=0x7f1630046560, wild_num=0, conds_init=0x7f1630047110, og_num=2, order_init=0x0, skip_order_by=false, group_init=0x7f1630047cb0, having_init=0x7f1630048860, proc_param_init=0x0, select_lex_arg=0x7f1630004e18, unit_arg=0x7f16300046e0) at /data/src/10.2/sql/sql_select.cc:1055
#9  0x000055870fac10cf in mysql_select (thd=0x7f1630000b00, tables=0x7f1630046560, wild_num=0, fields=..., conds=0x7f1630047110, og_num=2, order=0x0, group=0x7f1630047cb0, having=0x7f1630048860, proc_param=0x0, select_options=551903562497, result=0x7f16300489e8, unit=0x7f16300046e0, select_lex=0x7f1630004e18) at /data/src/10.2/sql/sql_select.cc:3794
#10 0x000055870fab53b9 in handle_select (thd=0x7f1630000b00, lex=0x7f1630004618, result=0x7f16300489e8, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:376
#11 0x000055870fa8084a in execute_sqlcom_select (thd=0x7f1630000b00, all_tables=0x7f1630046560) at /data/src/10.2/sql/sql_parse.cc:6479
#12 0x000055870fa767ca in mysql_execute_command (thd=0x7f1630000b00) at /data/src/10.2/sql/sql_parse.cc:3485
#13 0x000055870fa84725 in mysql_parse (thd=0x7f1630000b00, rawbuf=0x7f16300438f8 "SELECT DISTINCT SUM( WEEKOFYEAR( 6835619809418280960 ) ) AS field1, CURRENT_USER AS field2, SUM( `col_int_nokey` * `col_int_nokey` ) AS field3, CASE `col_datetime_nokey` WHEN `col_int_nokey` THEN `col"..., length=1624, parser_state=0x7f1694c4d250, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:8013
#14 0x000055870fa7205d in dispatch_command (command=COM_QUERY, thd=0x7f1630000b00, packet=0x7f16300088a1 "SELECT DISTINCT SUM( WEEKOFYEAR( 6835619809418280960 ) ) AS field1, CURRENT_USER AS field2, SUM( `col_int_nokey` * `col_int_nokey` ) AS field3, CASE `col_datetime_nokey` WHEN `col_int_nokey` THEN `col"..., packet_length=1624, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1824
#15 0x000055870fa709c0 in do_command (thd=0x7f1630000b00) at /data/src/10.2/sql/sql_parse.cc:1378
#16 0x000055870fbc3131 in do_handle_one_connection (connect=0x55871253cc50) at /data/src/10.2/sql/sql_connect.cc:1335
#17 0x000055870fbc2ebe in handle_one_connection (arg=0x55871253cc50) at /data/src/10.2/sql/sql_connect.cc:1241
#18 0x00007f1699a94494 in start_thread (arg=0x7f1694c4e700) at pthread_create.c:333
#19 0x00007f169809593f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Generated at Thu Feb 08 08:38:44 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.