[MDEV-2141] LP:602278 - RQG: crash in String::free on EXPLAIN SELECT + subquery Created: 2010-07-06  Updated: 2015-02-02  Resolved: 2012-10-04

Status: Closed
Project: MariaDB Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Trivial
Reporter: Philip Stoev (Inactive) Assignee: Timour Katchaounov (Inactive)
Resolution: Not a Bug Votes: 0
Labels: Launchpad

Attachments: XML File LPexportBug602278.xml

Description

When executing the query below against the maria-5.3-subqueries tree, the server crashes as follows:

#3 0x0821f8b4 in handle_segfault (sig=11) at mysqld.cc:2683
#4 <signal handler called>
#5 0x0815b8cb in String::free (this=0x1622d9d8) at sql_string.h:203
#6 0x0815b8bf in String::~String (this=0x1622d9d8, __in_chrg=<value optimized out>) at sql_string.h:102
#7 0x0817ea94 in Copy_field::~Copy_field (this=0x1622d9ac, __in_chrg=<value optimized out>) at field.h:2228
#8 0x081805da in TMP_TABLE_PARAM::cleanup (this=0xb5c37eec) at sql_class.h:2806
#9 0x082b02a0 in JOIN::cleanup (this=0xb5c33258, full=true) at sql_select.cc:7919
#10 0x082a13eb in JOIN::destroy (this=0xb5c33258) at sql_select.cc:2237
#11 0x082a13c4 in JOIN::destroy (this=0xb5c2d378) at sql_select.cc:2233
#12 0x083cde13 in st_select_lex::cleanup (this=0xb5efad98) at sql_union.cc:831
#13 0x083cda43 in st_select_lex_unit::cleanup (this=0xb5efaf30) at sql_union.cc:697
#14 0x083cde68 in st_select_lex::cleanup (this=0x93a4fa8) at sql_union.cc:838
#15 0x083cda43 in st_select_lex_unit::cleanup (this=0x93a4d20) at sql_union.cc:697
#16 0x0823cbb5 in mysql_parse (thd=0x93a37c8,
inBuf=0xb5e4bf00 "EXPLAIN\nSELECT table1 .`col_varchar_key`\nFROM (\nSELECT *\nFROM CC ) table1 STRAIGHT_JOIN ( B table2 JOIN CC table3 ON table2 .`col_int_nokey` ) ON table2 .`col_int_nokey`\nWHERE table1 .`col_varch"..., length=362, found_semicolon=0xb61d3228) at sql_parse.cc:6096
#17 0x0822ee15 in dispatch_command (command=COM_QUERY, thd=0x93a37c8, packet=0x9469971 "", packet_length=365) at sql_parse.cc:1253
#18 0x0822e053 in do_command (thd=0x93a37c8) at sql_parse.cc:891
#19 0x0822c4a6 in handle_one_connection (arg=0x93a37c8) at sql_connect.cc:1599
#20 0x00a08919 in start_thread () from /lib/libpthread.so.0
#21 0x00951e5e in clone () from /lib/libc.so.6

bzr version-info:

revision-id: tsk@zen-20100601221000-puyh3el4utyselh9
date: 2010-06-02 01:10:00 +0300
build-date: 2010-07-06 07:12:46 -0700
revno: 2794
branch-nick: maria-5.3-subqueries

maria-5.3 is not affected, but Timour reports that the 5.3-subqueries tree does contain extra patches.
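A backtrace like the one above is what an RQG run produces by the dozen, and the first triage step is to bucket crashes by stack signature and pull the offending statement back out of the `inBuf` argument that gdb printed for `mysql_parse()`. The script below is an added example written for this page; it is not part of MDEV-2141, RQG or the MariaDB source tree. It parses gdb `bt` frames in the layout shown in the description (an abridged copy of that trace is embedded as the sample input), skips the `handle_segfault` and `<signal handler called>` frames so the signature starts at the code that faulted, and recovers the SQL text, noting when gdb's `"...` suffix shows the statement was truncated. The frame-skipping rule and the three-frame signature depth are this example's own choices, not an RQG convention.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One gdb frame, e.g. "#5 0x0815b8cb in String::free (this=...) at sql_string.h:203"
# or "#20 0x00a08919 in start_thread () from /lib/libpthread.so.0".
FRAME_RE = re.compile(
    r"^#(?P<no>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[^(\s]+)\s*\((?P<args>.*)\)"
    r"(?:\s+at\s+(?P<file>\S+):(?P<line>\d+)|\s+from\s+(?P<lib>\S+))?\s*$"
)
SIGNAL_RE = re.compile(r"^#(?P<no>\d+)\s+<signal handler called>\s*$")
# mysql_parse()'s inBuf argument as gdb prints it; a `"...` after the closing
# quote means gdb hit its print-elements limit and truncated the statement.
INBUF_RE = re.compile(r'inBuf=0x[0-9a-fA-F]+\s+"((?:[^"\\]|\\.)*)"(\.\.\.)?')
SIGNAL_MARK = "<signal handler called>"


@dataclass
class Frame:
    no: int
    func: str
    args: str = ""
    file: Optional[str] = None
    line: Optional[int] = None
    lib: Optional[str] = None

    @property
    def location(self) -> str:
        return f"{self.file}:{self.line}" if self.file else (self.lib or "?")


def parse_backtrace(text: str) -> List[Frame]:
    """Parse gdb 'bt' output; a line not starting with '#' continues the
    previous frame (gdb wraps long argument lists, as with inBuf here)."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    frames: List[Frame] = []
    for rec in records:
        m = SIGNAL_RE.match(rec)
        if m:
            frames.append(Frame(int(m.group("no")), SIGNAL_MARK))
            continue
        m = FRAME_RE.match(rec)
        if m is None:
            continue  # skip lines we cannot parse rather than abort triage
        frames.append(Frame(no=int(m.group("no")), func=m.group("func"),
                            args=m.group("args"), file=m.group("file"),
                            line=int(m.group("line")) if m.group("line") else None,
                            lib=m.group("lib")))
    return frames


def crash_frames(frames: List[Frame]) -> List[Frame]:
    """Frames of the code that faulted: everything after the kernel trampoline,
    which also drops mysqld's handle_segfault frame (assumed layout)."""
    for i, f in enumerate(frames):
        if f.func == SIGNAL_MARK:
            return frames[i + 1:]
    return frames  # no trampoline seen (e.g. an abort()): use the whole trace


def crash_signature(frames: List[Frame], depth: int = 3) -> str:
    """Bucket key from function names only, so the same crash seen on builds
    with different addresses and line numbers lands in one bucket."""
    return "|".join(f.func for f in crash_frames(frames)[:depth])


def extract_query(frames: List[Frame]) -> Tuple[Optional[str], bool]:
    """Return (statement, truncated) recovered from mysql_parse's inBuf."""
    for f in frames:
        if f.func == "mysql_parse":
            m = INBUF_RE.search(f.args)
            if m:
                sql = m.group(1).replace('\\"', '"').replace("\\n", "\n").replace("\\t", "\t")
                return sql, m.group(2) is not None
    return None, False


# Abridged copy of the backtrace from this report's description.
REPORT_BACKTRACE = r'''
#3 0x0821f8b4 in handle_segfault (sig=11) at mysqld.cc:2683
#4 <signal handler called>
#5 0x0815b8cb in String::free (this=0x1622d9d8) at sql_string.h:203
#6 0x0815b8bf in String::~String (this=0x1622d9d8, __in_chrg=<value optimized out>) at sql_string.h:102
#7 0x0817ea94 in Copy_field::~Copy_field (this=0x1622d9ac, __in_chrg=<value optimized out>) at field.h:2228
#8 0x081805da in TMP_TABLE_PARAM::cleanup (this=0xb5c37eec) at sql_class.h:2806
#16 0x0823cbb5 in mysql_parse (thd=0x93a37c8,
inBuf=0xb5e4bf00 "EXPLAIN\nSELECT table1 .`col_varchar_key`\nFROM (\nSELECT *\nFROM CC ) table1 STRAIGHT_JOIN ( B table2 JOIN CC table3 ON table2 .`col_int_nokey` ) ON table2 .`col_int_nokey`\nWHERE table1 .`col_varch"..., length=362, found_semicolon=0xb61d3228) at sql_parse.cc:6096
#20 0x00a08919 in start_thread () from /lib/libpthread.so.0
'''

if __name__ == "__main__":
    frames = parse_backtrace(REPORT_BACKTRACE)
    print("signature:", crash_signature(frames), "at", crash_frames(frames)[0].location)
    sql, truncated = extract_query(frames)
    print("statement%s:\n%s" % (" (truncated by gdb)" if truncated else "", sql))
```

For this report the signature comes out as `String::free|String::~String|Copy_field::~Copy_field`, faulting at `sql_string.h:203`, and the recovered statement is flagged as truncated, which is exactly the situation the reporter dealt with by attaching the full test case separately. Raise gdb's `print elements` limit before capturing traces if the statement must be reproducible from the backtrace alone.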



Comments
Comment by Philip Stoev (Inactive) [ 2010-07-06 ]

Re: RQG: crash in String::free on EXPLAIN SELECT + subquery
Test case:

--disable_warnings
DROP TABLE /*! IF EXISTS */ CC;
DROP TABLE /*! IF EXISTS */ B;
--enable_warnings

CREATE TABLE `CC` (
`pk` int(11) NOT NULL AUTO_INCREMENT,
`col_int_nokey` int(11) DEFAULT NULL,
`col_int_key` int(11) DEFAULT NULL,
`col_varchar_key` varchar(1) DEFAULT NULL,
`col_varchar_nokey` varchar(1) DEFAULT NULL,
PRIMARY KEY (`pk`),
KEY `col_int_key` (`col_int_key`),
KEY `col_varchar_key` (`col_varchar_key`,`col_int_key`)
) ENGINE=MyISAM AUTO_INCREMENT=30 DEFAULT CHARSET=latin1;
INSERT INTO `CC` VALUES (10,7,8,'v','v');
INSERT INTO `CC` VALUES (11,1,9,'r','r');
INSERT INTO `CC` VALUES (12,5,9,'a','a');
INSERT INTO `CC` VALUES (13,3,186,'m','m');
INSERT INTO `CC` VALUES (14,6,NULL,'y','y');
INSERT INTO `CC` VALUES (15,92,2,'j','j');
INSERT INTO `CC` VALUES (16,7,3,'d','d');
INSERT INTO `CC` VALUES (17,NULL,0,'z','z');
INSERT INTO `CC` VALUES (18,3,133,'e','e');
INSERT INTO `CC` VALUES (19,5,1,'h','h');
INSERT INTO `CC` VALUES (20,1,8,'b','b');
INSERT INTO `CC` VALUES (21,2,5,'s','s');
INSERT INTO `CC` VALUES (22,NULL,5,'e','e');
INSERT INTO `CC` VALUES (23,1,8,'j','j');
INSERT INTO `CC` VALUES (24,0,6,'e','e');
INSERT INTO `CC` VALUES (25,210,51,'f','f');
INSERT INTO `CC` VALUES (26,8,4,'v','v');
INSERT INTO `CC` VALUES (27,7,7,'x','x');
INSERT INTO `CC` VALUES (28,5,6,'m','m');
INSERT INTO `CC` VALUES (29,NULL,4,'c','c');
CREATE TABLE `B` (
`pk` int(11) NOT NULL AUTO_INCREMENT,
`col_int_nokey` int(11) DEFAULT NULL,
`col_int_key` int(11) DEFAULT NULL,
`col_varchar_key` varchar(1) DEFAULT NULL,
`col_varchar_nokey` varchar(1) DEFAULT NULL,
PRIMARY KEY (`pk`),
KEY `col_int_key` (`col_int_key`),
KEY `col_varchar_key` (`col_varchar_key`,`col_int_key`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
INSERT INTO `B` VALUES (1,1,7,'f','f');

EXPLAIN
SELECT table1 .`col_varchar_key`
FROM (
SELECT *
FROM CC ) table1 STRAIGHT_JOIN ( B table2 JOIN CC table3 ON table2 .`col_int_nokey` ) ON table2 .`col_int_nokey`
WHERE table1 .`col_varchar_key` IN (
SELECT DISTINCT SUBQUERY3_t2 .`col_varchar_key`
FROM CC SUBQUERY3_t1 JOIN B SUBQUERY3_t2 ON SUBQUERY3_t1 .`col_varchar_nokey` ) OR table3 .`pk` ;

Comment by Timour Katchaounov (Inactive) [ 2011-03-09 ]

The bug is no longer reproducible in the latest 5.3 tree:
revno: 2934
committer: timour@askmonty.org
branch nick: 5.3
timestamp: Tue 2011-03-08 23:23:44 +0200

Comment by Timour Katchaounov (Inactive) [ 2011-03-09 ]

Not reproducible in 5.3-mwl89 with any combination of subquery
optimizer switches.

Since it is not recorded what optimizer switches triggered the
crash, and it is not reproducible any more, I will not add the
test case to the regression suite.

Comment by Rasmus Johansson (Inactive) [ 2011-03-09 ]

Launchpad bug id: 602278

Generated at Thu Feb 08 06:39:52 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.