[MDEV-277] CHEAP SQ: Server crashes in st_join_table::get_examined_rows with semijoin+materialization, IN and = subqueries Created: 2012-05-17  Updated: 2012-05-18  Resolved: 2012-05-17

Status: Closed
Project: MariaDB Server
Component/s: None
Affects Version/s: None
Fix Version/s: 5.5.25

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Timour Katchaounov (Inactive)
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-193 LP:944706 - Query with impossible or ... Closed

 Description    

#3  <signal handler called>
 
#4  0x000000000067366f in st_join_table::get_examined_rows (this=0x1f81798)
 
    at /home/elenst/5.5-timour/sql/sql_select.cc:10260
 
#5  0x000000000066ad65 in JOIN::get_examined_rows (this=0x1f7dd30)
 
    at /home/elenst/5.5-timour/sql/sql_select.cc:6630
 
#6  0x0000000000867ee1 in Item_subselect::is_expensive (this=0x1f79bd0)
 
    at /home/elenst/5.5-timour/sql/item_subselect.cc:560
 
#7  0x000000000067566c in check_simple_equality (left_item=0x1f588a8, 
    right_item=0x1f79bd0, item=0x1f79d48, cond_equal=0x7f9bf69b0560)
 
    at /home/elenst/5.5-timour/sql/sql_select.cc:11247
 
#8  0x0000000000675d78 in check_equality (thd=0x1e66ac0, item=0x1f79d48, 
    cond_equal=0x7f9bf69b0560, eq_list=0x7f9bf69b05e0)
 
    at /home/elenst/5.5-timour/sql/sql_select.cc:11428
 
#9  0x00000000006761c8 in build_equal_items_for_cond (thd=0x1e66ac0, cond=0x1f79d48, 
    inherited=0x0) at /home/elenst/5.5-timour/sql/sql_select.cc:11594
 
#10 0x00000000006765cc in build_equal_items (thd=0x1e66ac0, cond=0x1f79d48, 
    inherited=0x0, join_list=0x1e69688, cond_equal_ref=0x1f7a390)
 
    at /home/elenst/5.5-timour/sql/sql_select.cc:11726
 
#11 0x00000000006797c3 in optimize_cond (join=0x1f79f88, conds=0x1f79d48, 
    join_list=0x1e69688, cond_value=0x1f7a270, cond_equal=0x1f7a390)
 
    at /home/elenst/5.5-timour/sql/sql_select.cc:13195
 
#12 0x000000000065ab36 in JOIN::optimize (this=0x1f79f88)
 
    at /home/elenst/5.5-timour/sql/sql_select.cc:1060
 
#13 0x0000000000661a94 in mysql_select (thd=0x1e66ac0, rref_pointer_array=0x1e69770, 
    tables=0x1f582c0, wild_num=1, fields=..., conds=0x1f79d48, og_num=0, order=0x0, 
    group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x1f79f68, 
    unit=0x1e68e40, select_lex=0x1e69518)
 
    at /home/elenst/5.5-timour/sql/sql_select.cc:3004
 
#14 0x0000000000658902 in handle_select (thd=0x1e66ac0, lex=0x1e68d90, result=0x1f79f68, 
    setup_tables_done_option=0) at /home/elenst/5.5-timour/sql/sql_select.cc:310
 
#15 0x0000000000632258 in execute_sqlcom_select (thd=0x1e66ac0, all_tables=0x1f582c0)
 
    at /home/elenst/5.5-timour/sql/sql_parse.cc:4616
 
#16 0x000000000062b2bb in mysql_execute_command (thd=0x1e66ac0)
 
    at /home/elenst/5.5-timour/sql/sql_parse.cc:2184
 
#17 0x0000000000634a7b in mysql_parse (thd=0x1e66ac0, 
    rawbuf=0x1f58048 "SELECT * FROM A \nWHERE a1 = ( \nSELECT COUNT(*) FROM A \nWHERE a1 IN ( SELECT a1 FROM A, B )\n)", length=92, parser_state=0x7f9bf69b1600)
 
    at /home/elenst/5.5-timour/sql/sql_parse.cc:5731
 
#18 0x0000000000628929 in dispatch_command (command=COM_QUERY, thd=0x1e66ac0, 
    packet=0x1fe7cc1 "SELECT * FROM A \nWHERE a1 = ( \nSELECT COUNT(*) FROM A \nWHERE a1 IN ( SELECT a1 FROM A, B )\n)", packet_length=92)
 
    at /home/elenst/5.5-timour/sql/sql_parse.cc:1055
 
#19 0x0000000000627bfc in do_command (thd=0x1e66ac0)
 
    at /home/elenst/5.5-timour/sql/sql_parse.cc:794
 
#20 0x0000000000723eed in do_handle_one_connection (thd_arg=0x1e66ac0)
 
    at /home/elenst/5.5-timour/sql/sql_connect.cc:1253
 
#21 0x00000000007239b0 in handle_one_connection (arg=0x1e66ac0)
 
    at /home/elenst/5.5-timour/sql/sql_connect.cc:1168

bzr version-info

revision-id: timour@askmonty.org-20120517104605-5s2rh8r8840gvgs4
 
date: 2012-05-17 13:46:05 +0300
 
revno: 3403

EXPLAIN also crashes.

Test case:

SET optimizer_switch = 'materialization=on,semijoin=on';
 
 
 
CREATE TABLE A (a1 INT);
 
INSERT INTO A VALUES (4),(6);
 
CREATE TABLE B (b1 INT);
 
INSERT INTO B VALUES (1),(7);
 
 
 
SELECT * FROM A
 
WHERE a1 = ( 
  SELECT COUNT(*) FROM A 
  WHERE a1 IN ( SELECT a1 FROM A, B )
 
);



 Comments   
Comment by Timour Katchaounov (Inactive) [ 2012-05-17 ]

The cause for this bug is that the method JOIN::get_examined_rows iterates over all JOIN_TABs of the join assuming they are just a sequence.
In the query above, the innermost subquery is merged into its parent query. When we call JOIN::get_examined_rows for the second-level subquery, the iteration that assumes sequential order of join tabs goes outside the join_tab array and calls the method JOIN_TAB::get_examined_rows on uninitialized memory.

The fix is to properly take into account the fact that a subquery itself may have changed its structure due to semi-join flattening of inner subqueries.

I will need Sergey Petrunia for this.

Comment by Timour Katchaounov (Inactive) [ 2012-05-17 ]

Fix pushed to lp:~maria-captains/maria/5.5-timour

Generated at Thu Feb 08 06:27:33 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.