[MDEV-28881] Server crashes in Dep_analysis_context::create_table_value/check_func_dependency Created: 2022-06-17  Updated: 2022-07-26  Resolved: 2022-07-20

Status: Closed
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 10.10
Fix Version/s: 10.10.0

Type: Bug Priority: Major
Reporter: Alice Sherepa Assignee: Oleg Smirnov
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Duplicate
is duplicated by MDEV-28875 [draft] LeakSanitizer: detected memor... Closed
Problem/Incident
is caused by MDEV-26278 Table elimination does not work acros... Closed

 Description    

CREATE TABLE t1 (a1 int, a2 int);
 
INSERT INTO t1 VALUES (0,276),(5,277),(NULL,278);
 
 
 
CREATE TABLE t2 ( a1 int, a2 int, KEY a2 (a2)) ;
 
INSERT INTO t2 VALUES (11,NULL),(185,0);
 
 
 
SELECT t1.*
 
FROM t1
 
LEFT JOIN
 
 (SELECT * FROM
 
   (SELECT t2.a1 AS a1, min(t2.a2) AS a2
 
    FROM t2
 
    WHERE t2.a2 <> NULL
 
    GROUP BY t2.a1) dt)dt2 ON dt2.a2 = t1.a2;

preview-10.10-optimizer f332260c9872a428f68e0461329bb5fa29461592

 
220620 11:06:20 [ERROR] mysqld got signal 11 ;
 
 
 
Server version: 10.10.0-MariaDB-debug-log
 
 
 
sql/signal_handler.cc:226(handle_fatal_signal)[0x560a57115df1]
 
sigaction.c:0(__restore_rt)[0x7fd562edf420]
 
sql/opt_table_elimination.cc:1743(Dep_analysis_context::create_unique_pseudo_key_if_needed(TABLE_LIST*, Dep_value_table*))[0x560a56e0e6ab]
 
sql/opt_table_elimination.cc:1687(Dep_analysis_context::create_table_value(TABLE_LIST*))[0x560a56e0e2bc]
 
sql/opt_table_elimination.cc:939(check_func_dependency(JOIN*, unsigned long long, List_iterator<TABLE_LIST>*, TABLE_LIST*, Item*))[0x560a56e0a09f]
 
sql/opt_table_elimination.cc:873(eliminate_tables_for_list(JOIN*, List<TABLE_LIST>*, unsigned long long, Item*, unsigned long long, Json_writer_array*))[0x560a56e09a50]
 
sql/opt_table_elimination.cc:832(eliminate_tables_for_list(JOIN*, List<TABLE_LIST>*, unsigned long long, Item*, unsigned long long, Json_writer_array*))[0x560a56e0959d]
 
sql/opt_table_elimination.cc:772(eliminate_tables(JOIN*))[0x560a56e090c4]
 
sql/sql_select.cc:5483(make_join_statistics(JOIN*, List<TABLE_LIST>&, st_dynamic_array*))[0x560a5695575f]
 
sql/sql_select.cc:2511(JOIN::optimize_inner())[0x560a569374a1]
 
sql/sql_select.cc:1850(JOIN::optimize())[0x560a569303c6]
 
sql/sql_select.cc:5038(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x560a56951b7c]
 
sql/sql_select.cc:583(handle_select(THD*, LEX*, select_result*, unsigned long))[0x560a56921f9f]
 
sql/sql_parse.cc:6260(execute_sqlcom_select(THD*, TABLE_LIST*))[0x560a56846cff]
 
sql/sql_parse.cc:3944(mysql_execute_command(THD*, bool))[0x560a56835734]
 
sql/sql_parse.cc:8036(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x560a56851fdf]
 
sql/sql_parse.cc:1896(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x560a56827fc4]
 
sql/sql_parse.cc:1407(do_command(THD*, bool))[0x560a56824d45]
 
sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x560a56cda39a]
 
sql/sql_connect.cc:1314(handle_one_connection)[0x560a56cd9c26]
 
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x560a579bfbd2]
 
nptl/pthread_create.c:478(start_thread)[0x7fd562ed3609]
 
 
 
Query (0x6290001092a8): SELECT t1.*
 
FROM t1
 
LEFT JOIN
 
(SELECT * FROM
 
(SELECT t2.a1 AS a1, min(t2.a2) AS a2
 
FROM t2
 
WHERE t2.a2 <> NULL
 
GROUP BY t2.a1) dt)dt2 ON dt2.a2 = t1.a2

if there is no index on a2:

 
 
CREATE TABLE t1 (a1 int, a2 int);
 
INSERT INTO t1 VALUES (0,276),(5,277),(NULL,278);
 
 
 
CREATE TABLE t2 ( a1 int, a2 int) ;
 
INSERT INTO t2 VALUES (11,NULL),(185,0);
 
 
 
SELECT t1.*
 
FROM t1
 
LEFT JOIN
 
 (SELECT * FROM
 
   (SELECT t2.a1 AS a1, min(t2.a2) AS a2
 
    FROM t2
 
    WHERE t2.a2 <> NULL
 
    GROUP BY t2.a1) dt)dt2 ON dt2.a2 = t1.a2;

preview-10.10-optimizer f332260c9872a428f68e0461329bb5fa29461592

 
=================================================================
 
==860941==ERROR: LeakSanitizer: detected memory leaks
 
 
 
Direct leak of 40 byte(s) in 1 object(s) allocated from:
 
    #0 0x7f5b336d5587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
 
    #1 0x562a4c0bdc44 in __gnu_cxx::new_allocator<std::_Rb_tree_node<unsigned short> >::allocate(unsigned long, void const*) (/10.10/bld/sql/mariadbd+0x21dec44)
 
    #2 0x562a4c0bdb43 in std::allocator_traits<std::allocator<std::_Rb_tree_node<unsigned short> > >::allocate(std::allocator<std::_Rb_tree_node<unsigned short> >&, unsigned long) (/10.10/bld/sql/mariadbd+0x21deb43)
 
    #3 0x562a4c0bda24 in std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> >::_M_get_node() (/10.10/bld/sql/mariadbd+0x21dea24)
 
    #4 0x562a4c0bdac7 in std::_Rb_tree_node<unsigned short>* std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> >::_M_create_node<unsigned short const&>(unsigned short const&) (/10.10/bld/sql/mariadbd+0x21deac7)
 
    #5 0x562a4c0bd97b in std::_Rb_tree_node<unsigned short>* std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> >::_Alloc_node::operator()<unsigned short const&>(unsigned short const&) const (/10.10/bld/sql/mariadbd+0x21de97b)
 
    #6 0x562a4c0bd729 in std::_Rb_tree_node<unsigned short>* std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> >::_M_clone_node<std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> >::_Alloc_node>(std::_Rb_tree_node<unsigned short> const*, std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> >::_Alloc_node&) (/10.10/bld/sql/mariadbd+0x21de729)
 
    #7 0x562a4c0bcec3 in std::_Rb_tree_node<unsigned short>* std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> >::_M_copy<std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> >::_Alloc_node>(std::_Rb_tree_node<unsigned short> const*, std::_Rb_tree_node_base*, std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> >::_Alloc_node&) (/10.10/bld/sql/mariadbd+0x21ddec3)
 
    #8 0x562a4c0bbdfc in std::_Rb_tree_node<unsigned short>* std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> >::_M_copy<std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> >::_Alloc_node>(std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> > const&, std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> >::_Alloc_node&) (/10.10/bld/sql/mariadbd+0x21dcdfc)
 
    #9 0x562a4c0bb1c0 in std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> >::_M_copy(std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> > const&) /usr/include/c++/9/bits/stl_tree.h:917
 
    #10 0x562a4c0ba67b in std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> >::_Rb_tree(std::_Rb_tree<unsigned short, unsigned short, std::_Identity<unsigned short>, std::less<unsigned short>, std::allocator<unsigned short> > const&) /usr/include/c++/9/bits/stl_tree.h:955
 
    #11 0x562a4c0b9a90 in std::set<unsigned short, std::less<unsigned short>, std::allocator<unsigned short> >::set(std::set<unsigned short, std::less<unsigned short>, std::allocator<unsigned short> > const&) /usr/include/c++/9/bits/stl_set.h:223
 
    #12 0x562a4c0b9b53 in Dep_module_pseudo_key::Dep_module_pseudo_key(Dep_value_table*, std::set<unsigned short, std::less<unsigned short>, std::allocator<unsigned short> >&&) /10.10/src/sql/opt_table_elimination.cc:477
 
    #13 0x562a4c0b67ce in Dep_analysis_context::create_unique_pseudo_key_if_needed(TABLE_LIST*, Dep_value_table*) /10.10/src/sql/opt_table_elimination.cc:1763
 
    #14 0x562a4c0b62bb in Dep_analysis_context::create_table_value(TABLE_LIST*) /10.10/src/sql/opt_table_elimination.cc:1686
 
    #15 0x562a4c0b209e in check_func_dependency /10.10/src/sql/opt_table_elimination.cc:939
 
    #16 0x562a4c0b1a4f in eliminate_tables_for_list /10.10/src/sql/opt_table_elimination.cc:872
 
    #17 0x562a4c0b159c in eliminate_tables_for_list /10.10/src/sql/opt_table_elimination.cc:832
 
    #18 0x562a4c0b10c3 in eliminate_tables(JOIN*) /10.10/src/sql/opt_table_elimination.cc:769
 
    #19 0x562a4bbfd75e in make_join_statistics /10.10/src/sql/sql_select.cc:5482
 
    #20 0x562a4bbdf4a0 in JOIN::optimize_inner() /10.10/src/sql/sql_select.cc:2511
 
    #21 0x562a4bbd83c5 in JOIN::optimize() /10.10/src/sql/sql_select.cc:1850
 
    #22 0x562a4bbf9b7b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.10/src/sql/sql_select.cc:5038
 
    #23 0x562a4bbc9f9e in handle_select(THD*, LEX*, select_result*, unsigned long) /10.10/src/sql/sql_select.cc:583
 
    #24 0x562a4baeecfe in execute_sqlcom_select /10.10/src/sql/sql_parse.cc:6260
 
    #25 0x562a4badd733 in mysql_execute_command(THD*, bool) /10.10/src/sql/sql_parse.cc:3944
 
    #26 0x562a4baf9fde in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/src/sql/sql_parse.cc:8036
 
    #27 0x562a4bacffc3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/src/sql/sql_parse.cc:1894
 
    #28 0x562a4baccd44 in do_command(THD*, bool) /10.10/src/sql/sql_parse.cc:1407
 
    #29 0x562a4bf82399 in do_handle_one_connection(CONNECT*, bool) /10.10/src/sql/sql_connect.cc:1418



 Comments   
Comment by Oleg Smirnov [ 2022-06-21 ]

alice, can you please test branch bb-10.10-MDEV-28881? I believe I've fixed both the crash and the memory leak (at least my ASAN doesn't complain), but I don't know which LeakSanitizer you're using, maybe it still detects a leak.

Comment by Alice Sherepa [ 2022-06-21 ]

oleg.smirnov I've checked on that branch, no memory leak now.

Comment by Oleg Smirnov [ 2022-06-21 ]

Thank you, alice! Passing for review then

Comment by Sergei Petrunia [ 2022-07-05 ]

Review input: https://lists.launchpad.net/maria-developers/msg13173.html

Comment by Oleg Smirnov [ 2022-07-08 ]

Review comments are fixed

Comment by Sergei Petrunia [ 2022-07-12 ] 

-  if (first_select && first_select->group_list.elements > 0)
 
+  if (first_select && first_select->join &&
 
+      first_select->group_list.elements > 0)

oleg.smirnov, for the first_select->join please add a comment saying
that first_select->join is NULL for degenerate derived tables
which are known to have just one row and so were already materialized
by the optimizer.

The second patch is ok.

Ok to push both patches after this is addressed.

Comment by Oleg Smirnov [ 2022-07-20 ]

Pushed to preview-10.10-optimizer.

Generated at Thu Feb 08 10:04:11 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.