[MDEV-22476] Crash bug in update-related functions, MDEV Created: 2020-05-05  Updated: 2020-05-12  Resolved: 2020-05-06

Status: Closed
Project: MariaDB Server
Component/s: Data Manipulation - Update
Affects Version/s: 10.5.2
Fix Version/s: N/A

Type: Bug Priority: Blocker
Reporter: Yongheng Chen Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Environment:

Ubuntu 18.04


Issue Links:
Duplicate
duplicates MDEV-22464 Server crash on UPDATE with nested su... Closed

 Description   

A crash in MDEV. Release build affected.

POC:

CREATE TABLE v0 ( v1 INT ) ;
INSERT INTO v0 ( v1 ) VALUES ( 90 ) ;
UPDATE v0 SET v1 = 46 WHERE ( SELECT v1 , v1 FROM v0 WHERE v1 = -1 ) IN ( SELECT v1 / 2147483647 , v1 / -1 FROM v0 GROUP BY ( SELECT -128 WHERE v1 = v1 OR v1 = 'x' ) HAVING v1 < 'x' ) ;
INSERT INTO v0 ( v1 ) VALUES ( -1 ) , ( 36 ) ;
SELECT MAX ( v1 ) OVER w , JSON_OBJECTAGG ( v1 ) OVER w FROM v0 WINDOW v2 AS ( PARTITION BY v1 ORDER BY v1 DESC ) ;

Stack dump:

200505 17:59:00 [ERROR] mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
 
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
 
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.
 
Server version: 10.5.3-MariaDB
key_buffer_size=134217728
read_buffer_size=131072
max_used_connections=2
max_threads=153
thread_count=3
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467821 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
 
Thread pointer: 0x62b00007e218
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f7118463840 thread_stack 0x5fc00
/usr/local/mysql/bin/mysqld[0x864c31]
innobase/lexyy.cc:2122(yy_get_next_buffer())[0x47c6b56]
sql/sql_type.h:2949(Type_handler::Item_time_typecast_fix_length_and_dec(Item_time_typecast*) const)[0x1dc0714]
??:0(__restore_rt)[0x7f7139ca9890]
sql/proxy_protocol.cc:84(parse_v1_header(char*, unsigned long, proxy_peer_info*))[0x1f0c92a]
sql/sql_error.h:726(Field_bit_as_char::store(char const*, unsigned long, charset_info_st const*))[0x21451b0]
sql/sql_string.h:631(Query_cache::send_result_to_client(THD*, char*, unsigned int))[0x103eb2c]
sql/item_cmpfunc.cc:5052(Item_cond::find_not_null_fields(unsigned long long))[0x2430758]
sql/item_cmpfunc.cc:2044(Item_func_interval::val_int())[0x23e6899]
sql/item_func.h:1056(Item_int_func::Item_int_func(THD*, Item_int_func*))[0x24297ea]
asan_interceptors.cc.o:0(__interceptor___lxstat.part.240)[0xc09f62]
sql/sql_cache.cc:782(has_no_cache_directive(char const*))[0x103d01f]
sql/item.h:5464(Item_direct_ref_to_ident::fix_fields(THD*, Item**))[0x10224b6]
sql/item.h:2462(With_sum_func_cache::With_sum_func_cache(Item const*))[0x14bba4c]
sql/sql_acl.cc:8196(check_grant_column(THD*, st_grant_info*, char const*, char const*, char const*, unsigned long, Security_context*))[0xf17731]
sql/sql_acl.cc:4146(find_user_exact(char const*, char const*))[0xee155b]
sql/sql_acl.cc:2951(unsigned long find_first_user<ACL_USER>(ACL_USER*, unsigned long, char const*))[0xed270c]
sql/sql_acl.cc:4584(replace_user_table(THD*, User_table const&, LEX_USER*, privilege_t, bool, bool, bool))[0xee38b9]
sql/sql_show.cc:6451(store_schema_proc(THD*, TABLE*, TABLE*, char const*, bool, char const*))[0x16b6012]  
sql/sql_string.h:420(Binary_string::Binary_string(char*, unsigned long))[0x16b49c1]
maria/ma_loghandler.c:4114(translog_init_with_table)[0x31b30c1]
/usr/local/mysql/bin/mysqld[0x8b014f]
nptl/pthread_create.c:463(start_thread)[0x7f7139c9e6db]
x86_64/clone.S:97(clone)[0x7f713783688f]
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x62b000085425): UPDATE v0 SET v1 = 46 WHERE ( SELECT v1 , v1 FROM v0 WHERE v1 = -1 ) IN ( SELECT v1 / 2147483647 , v1 / -1 FROM v0 GROUP BY ( SELECT -128 WHERE v1 = v1 OR v1 = 'x' ) HAVING v1 < 'x' )     
Connection ID (thread ID): 30255
Status: NOT_KILLED
 
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
 
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
Writing a core file...
Working directory at /usr/local/mysql/data
Resource Limits:
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        0                    0                    bytes
Max resident set          unlimited            unlimited            bytes
Max processes             unlimited            unlimited            processes
Max open files            1048576              1048576              files
Max locked memory         16777216             16777216             bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       1030951              1030951              signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us
Core pattern: co...
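A statement that takes the server down with SIGSEGV is a denial-of-service primitive for any account allowed to run it, so on the defensive side the useful artefact in this report is the crash stanza mysqld writes to the error log. The example below is added here and is not part of the Jira report or of MariaDB: it parses that stanza (the same format as the dump above), extracts the signal, server version, connection ID and the executing statement, and fingerprints the statement with literals stripped so repeated crashes of one bug can be grouped. The sample log is constructed from an abridged copy of the report's dump plus two invented [Note] lines around it; the frame lines are copied verbatim from the report, and the parser only records them, because the release-build trace above is mis-symbolized (an ASAN interceptor frame and functions from sql_acl.cc and proxy_protocol.cc have no place under an UPDATE), and only a debug backtrace such as the one in the comment below can be trusted for the crash site.

```python
"""Parse MariaDB/MySQL 'mysqld got signal N' crash stanzas from an error log.

Added example, not from the Jira report or from MariaDB. It handles both
the old timestamp form ('200505 17:59:00 [ERROR] ...') and the newer one
('2020-05-05 17:59:00 0 [ERROR] ...'); field names are the literal labels
mysqld prints ('Server version:', 'Query (0x...):', 'Connection ID ...').
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: abridged copy of the report's dump. The two [Note]
# lines are invented framing; the frame lines are verbatim from the report.
SAMPLE_LOG = """\
200505 17:58:50 [Note] /usr/local/mysql/bin/mysqld: ready for connections.
200505 17:59:00 [ERROR] mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.

Server version: 10.5.3-MariaDB
key_buffer_size=134217728
max_used_connections=2
Thread pointer: 0x62b00007e218
stack_bottom = 0x7f7118463840 thread_stack 0x5fc00
/usr/local/mysql/bin/mysqld[0x864c31]
sql/item.h:5464(Item_direct_ref_to_ident::fix_fields(THD*, Item**))[0x10224b6]
nptl/pthread_create.c:463(start_thread)[0x7f7139c9e6db]
x86_64/clone.S:97(clone)[0x7f713783688f]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x62b000085425): UPDATE v0 SET v1 = 46 WHERE ( SELECT v1 , v1 FROM v0 WHERE v1 = -1 ) IN ( SELECT v1 / 2147483647 , v1 / -1 FROM v0 GROUP BY ( SELECT -128 WHERE v1 = v1 OR v1 = 'x' ) HAVING v1 < 'x' )
Connection ID (thread ID): 30255
Status: NOT_KILLED
Writing a core file...
200505 17:59:01 [Note] /usr/local/mysql/bin/mysqld: Shutdown complete
"""

_TS = r"(?:\d{6}\s+\d{1,2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})(?:\s+\d+)?"
_START = re.compile(rf"^({_TS})\s+\[ERROR\]\s+mysqld got signal (\d+)")
_LOGLINE = re.compile(rf"^{_TS}\s+\[")          # any ordinary log line ends a stanza
_FRAME = re.compile(r"\[0x[0-9a-fA-F]+\]\s*$")   # backtrace lines end in [0xADDR]
_FIELDS = {
    "server_version": re.compile(r"^Server version:\s*(\S+)"),
    "connection_id": re.compile(r"^Connection ID \(thread ID\):\s*(\d+)"),
    "status": re.compile(r"^Status:\s*(\S+)"),
    "query": re.compile(r"^Query \(0x[0-9a-fA-F]+\):\s*(.*?)\s*$"),
}


@dataclass
class CrashReport:
    timestamp: str
    signal: int
    server_version: Optional[str] = None
    connection_id: Optional[int] = None
    status: Optional[str] = None
    query: Optional[str] = None
    frames: List[str] = field(default_factory=list)


def parse_crash_reports(log_text: str) -> List[CrashReport]:
    """Return one CrashReport per 'mysqld got signal' stanza in the log."""
    reports: List[CrashReport] = []
    current: Optional[CrashReport] = None
    for line in log_text.splitlines():
        m = _START.match(line)
        if m:
            current = CrashReport(timestamp=m.group(1), signal=int(m.group(2)))
            reports.append(current)
            continue
        if current is None:
            continue
        if _LOGLINE.match(line):        # the next normal log line closes the stanza
            current = None
            continue
        for name, rx in _FIELDS.items():
            fm = rx.match(line)
            if fm:
                value = fm.group(1)
                setattr(current, name, int(value) if name == "connection_id" else value)
                break
        else:
            if _FRAME.search(line):
                current.frames.append(line.strip())
    return reports


# Literal stripping for fingerprints: quoted strings, then standalone numbers
# (a digit run preceded by a word character, as in v1, is an identifier).
_STR = re.compile(r"'(?:[^'\\]|\\.)*'")
_NUM = re.compile(r"(?<![\w.])-?\d+(?:\.\d+)?\b")


def normalize_query(query: str) -> str:
    """Replace literals with '?' and collapse whitespace/case."""
    return " ".join(_NUM.sub("?", _STR.sub("?", query)).split()).upper()


def fingerprint(query: str) -> str:
    """Stable short key so the same crashing statement shape groups together."""
    return hashlib.sha256(normalize_query(query).encode()).hexdigest()[:16]


def triage(report: CrashReport) -> dict:
    """Flatten a CrashReport into the fields a ticket or SIEM event needs."""
    stmt = (report.query or "").split(None, 1)[:1]
    return {
        "timestamp": report.timestamp,
        "signal": report.signal,
        "server_version": report.server_version,
        "connection_id": report.connection_id,
        "statement_type": stmt[0].upper() if stmt else None,
        "query_fingerprint": fingerprint(report.query) if report.query else None,
        "top_frames": report.frames[:3],
    }


if __name__ == "__main__":
    for rep in parse_crash_reports(SAMPLE_LOG):
        print(triage(rep))
```

Point the script at the live error log (normally the file named by `log_error`) rather than SAMPLE_LOG; the connection ID pairs with the general log or audit plugin output to identify which account issued the statement, which is what turns a crash stanza into an incident record.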



 Comments   
Comment by Alice Sherepa [ 2020-05-06 ]

Thanks for the report!
I repeated on 10.5 - it is the same bug as MDEV-22464

10.5

#3  <signal handler called>
#4  0x00005605c9161720 in Item_ref::fix_fields (this=0x7f1b1c018be8, thd=0x7f1b1c000b18, reference=0x7f1b1c018e48) at /10.5/sql/item.cc:7772
#5  0x00005605c8cb562b in Item::fix_fields_if_needed (this=0x7f1b1c018be8, thd=0x7f1b1c000b18, ref=0x7f1b1c018e48) at /10.5/sql/item.h:976
#6  0x00005605c91b3045 in Item_func::fix_fields (this=0x7f1b1c018db0, thd=0x7f1b1c000b18, ref=0x7f1b1c067410) at /10.5/sql/item_func.cc:352
#7  0x00005605c8cb562b in Item::fix_fields_if_needed (this=0x7f1b1c018db0, thd=0x7f1b1c000b18, ref=0x7f1b1c067410) at /10.5/sql/item.h:976
#8  0x00005605c8cb5659 in Item::fix_fields_if_needed_for_scalar (this=0x7f1b1c018db0, thd=0x7f1b1c000b18, ref=0x7f1b1c067410) at /10.5/sql/item.h:980
#9  0x00005605c8d3cbb9 in Item::fix_fields_if_needed_for_bool (this=0x7f1b1c018db0, thd=0x7f1b1c000b18, ref=0x7f1b1c067410) at /10.5/sql/item.h:984
#10 0x00005605c8e1af03 in JOIN::prepare (this=0x7f1b1c067260, tables_init=0x7f1b1c016b58, conds_init=0x0, og_num=1, order_init=0x0, skip_order_by=false, group_init=0x7f1b1c018b88, having_init=0x7f1b1c018db0, proc_param_init=0x0, select_lex_arg=0x7f1b1c0160c0, unit_arg=0x7f1b1c019000) at /10.5/sql/sql_select.cc:1287
#11 0x00005605c921de5b in subselect_single_select_engine::prepare (this=0x7f1b1c019830, thd=0x7f1b1c000b18) at /10.5/sql/item_subselect.cc:3722
#12 0x00005605c9210958 in Item_subselect::fix_fields (this=0x7f1b1c065c30, thd_param=0x7f1b1c000b18, ref=0x7f1b1c066490) at /10.5/sql/item_subselect.cc:285
#13 0x00005605c921cd90 in Item_in_subselect::fix_fields (this=0x7f1b1c065c30, thd_arg=0x7f1b1c000b18, ref=0x7f1b1c066490) at /10.5/sql/item_subselect.cc:3384
#14 0x00005605c8cb562b in Item::fix_fields_if_needed (this=0x7f1b1c065c30, thd=0x7f1b1c000b18, ref=0x7f1b1c066490) at /10.5/sql/item.h:976
#15 0x00005605c8cb5659 in Item::fix_fields_if_needed_for_scalar (this=0x7f1b1c065c30, thd=0x7f1b1c000b18, ref=0x7f1b1c066490) at /10.5/sql/item.h:980
#16 0x00005605c8d3cbb9 in Item::fix_fields_if_needed_for_bool (this=0x7f1b1c065c30, thd=0x7f1b1c000b18, ref=0x7f1b1c066490) at /10.5/sql/item.h:984
#17 0x00005605c8d390df in setup_conds (thd=0x7f1b1c000b18, tables=0x7f1b1c013b68, leaves=..., conds=0x7f1b1c066490) at /10.5/sql/sql_base.cc:8275
#18 0x00005605c8e17e34 in setup_without_group (thd=0x7f1b1c000b18, ref_pointer_array=..., tables=0x7f1b1c013b68, leaves=..., fields=..., all_fields=..., conds=0x7f1b1c066490, order=0x0, group=0x0, win_specs=..., win_funcs=..., hidden_group_fields=0x7f1b1c066367, reserved=0x7f1b1c005634) at /10.5/sql/sql_select.cc:693
#19 0x00005605c8e1abc5 in JOIN::prepare (this=0x7f1b1c066080, tables_init=0x7f1b1c013b68, conds_init=0x7f1b1c065c30, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f1b1c005328, unit_arg=0x7f1b1c004b28) at /10.5/sql/sql_select.cc:1246
#20 0x00005605c8e27846 in mysql_select (thd=0x7f1b1c000b18, tables=0x7f1b1c013b68, fields=..., conds=0x7f1b1c065c30, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2200096997504, result=0x7f1b1c065fa8, unit=0x7f1b1c004b28, select_lex=0x7f1b1c005328) at /10.5/sql/sql_select.cc:4633
#21 0x00005605c8ef9c8b in mysql_multi_update (thd=0x7f1b1c000b18, table_list=0x7f1b1c013b68, fields=0x7f1b1c005478, values=0x7f1b1c0059f0, conds=0x7f1b1c065c30, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x7f1b1c004b28, select_lex=0x7f1b1c005328, result=0x7f1b2ead8ed0) at /10.5/sql/sql_update.cc:1929
#22 0x00005605c8dd5758 in mysql_execute_command (thd=0x7f1b1c000b18) at /10.5/sql/sql_parse.cc:4439
#23 0x00005605c8de165c in mysql_parse (thd=0x7f1b1c000b18, rawbuf=0x7f1b1c013950 "UPDATE v0 SET v1 = 46 WHERE ( SELECT v1 , v1 FROM v0 WHERE v1 = -1 ) IN ( SELECT v1 / 2147483647 , v1 / -1 FROM v0 GROUP BY ( SELECT -128 WHERE v1 = v1 OR v1 = 'x' ) HAVING v1 < 'x' )", length=183, parser_state=0x7f1b2ead93a0, is_com_multi=false, is_next_command=false) at /10.5/sql/sql_parse.cc:7957
#24 0x00005605c8dcd953 in dispatch_command (command=COM_QUERY, thd=0x7f1b1c000b18, packet=0x7f1b1c1b0409 "UPDATE v0 SET v1 = 46 WHERE ( SELECT v1 , v1 FROM v0 WHERE v1 = -1 ) IN ( SELECT v1 / 2147483647 , v1 / -1 FROM v0 GROUP BY ( SELECT -128 WHERE v1 = v1 OR v1 = 'x' ) HAVING v1 < 'x' ) ", packet_length=184, is_com_multi=false, is_next_command=false) at /10.5/sql/sql_parse.cc:1840
#25 0x00005605c8dcc0b9 in do_command (thd=0x7f1b1c000b18) at /10.5/sql/sql_parse.cc:1359
#26 0x00005605c8f70ce3 in do_handle_one_connection (connect=0x5605cbaff938, put_in_cache=true) at /10.5/sql/sql_connect.cc:1422
#27 0x00005605c8f709e7 in handle_one_connection (arg=0x5605cbaff938) at /10.5/sql/sql_connect.cc:1319
#28 0x00005605c93ccf86 in pfs_spawn_thread (arg=0x5605cb9fb5d8) at /10.5/storage/perfschema/pfs.cc:2201
#29 0x00007f1b3bc066ba in start_thread (arg=0x7f1b2eada700) at pthread_create.c:333
#30 0x00007f1b3ae9741d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Generated at Thu Feb 08 09:15:01 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.