[MDEV-31178] Server crash on second execution of prepare statement with in_predicate_conversion_threshold=1 (or =2) Created: 2023-05-03  Updated: 2024-01-05

Status: Confirmed
Project: MariaDB Server
Component/s: Prepared Statements
Affects Version/s: 10.11.1, 10.3.38, 10.4.28, 10.5.19, 10.6.12, 10.8.7, 10.9.5, 10.10.3
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2, 11.3, 11.4

Type: Bug Priority: Critical
Reporter: Lena Startseva Assignee: Igor Babaev
Resolution: Unresolved Votes: 0
Labels: regression

Issue Links:
Relates
relates to MDEV-23182 Server crashes in Item::fix_fields_if... Closed
relates to MDEV-31003 Second execution for ps-protocol Stalled

 Description   

The server crashes on the second execution of a prepared statement with in_predicate_conversion_threshold=1 or in_predicate_conversion_threshold=2.

Test:

SET @@in_predicate_conversion_threshold=1;
 
CREATE TABLE t1 (a BIGINT);
INSERT INTO t1 VALUES (1), (2), (3);
 
prepare stmt1 from "SELECT * FROM t1 WHERE a IN ('1','5','3')";
 
execute stmt1;
execute stmt1;
 
deallocate prepare stmt1;
drop table t1;
 
SET @@in_predicate_conversion_threshold= default;

Stacktrace:

Thread pointer: 0x7f759c000da0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f75ad224c70 thread_stack 0x49000
mysys/stacktrace.c:174(my_print_stacktrace)[0x5620feb1c68a]
sql/signal_handler.cc:238(handle_fatal_signal)[0x5620fe1a9120]
libc_sigaction.c:0(__restore_rt)[0x7f75b3042520]
sql/item.h:966(Item::fix_fields_if_needed(THD*, Item**))[0x5620fdd27021]
sql/item.h:970(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x5620fdd27095]
sql/sql_tvc.cc:62(fix_fields_for_tvc(THD*, List_iterator_fast<List<Item> >&))[0x5620fe0c2146]
sql/sql_tvc.cc:238(table_value_constr::prepare(THD*, st_select_lex*, select_result*, st_select_lex_unit*))[0x5620fe0c288f]
sql/sql_union.cc:1086(st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long))[0x5620fdf68dac]
sql/sql_derived.cc:821(mysql_derived_prepare(THD*, LEX*, TABLE_LIST*))[0x5620fddf1355]
sql/sql_derived.cc:200(mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int))[0x5620fddefa1d]
sql/table.cc:9099(TABLE_LIST::handle_derived(LEX*, unsigned int))[0x5620fdf9eef4]
sql/sql_lex.h:4391(LEX::handle_list_of_derived(TABLE_LIST*, unsigned int))[0x5620fde0c26f]
sql/sql_lex.cc:4310(st_select_lex::handle_derived(LEX*, unsigned int))[0x5620fde18f96]
sql/sql_select.cc:1222(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x5620fde990ef]
sql/sql_select.cc:4774(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x5620fdea6a7f]
sql/sql_select.cc:442(handle_select(THD*, LEX*, select_result*, unsigned long))[0x5620fde95c99]
sql/sql_parse.cc:6463(execute_sqlcom_select(THD*, TABLE_LIST*))[0x5620fde57d7c]
sql/sql_parse.cc:3966(mysql_execute_command(THD*))[0x5620fde4e2d4]
sql/sql_prepare.cc:5024(Prepared_statement::execute(String*, bool))[0x5620fde7ead5]
sql/sql_prepare.cc:4493(Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*))[0x5620fde7cd64]
sql/sql_prepare.cc:3578(mysql_sql_stmt_execute(THD*))[0x5620fde7a516]
sql/sql_parse.cc:3983(mysql_execute_command(THD*))[0x5620fde4e319]
sql/sql_parse.cc:7998(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5620fde5bf13]
sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5620fde47b41]
sql/sql_parse.cc:1378(do_command(THD*))[0x5620fde4638d]
sql/sql_connect.cc:1420(do_handle_one_connection(CONNECT*))[0x5620fdfe8fc0]
sql/sql_connect.cc:1325(handle_one_connection)[0x5620fdfe8d1c]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x5620fe57350d]
nptl/pthread_create.c:442(start_thread)[0x7f75b3094b43]
x86_64/clone3.S:83(__clone3)[0x7f75b3126a00]



 Comments   
Comment by Elena Stepanova [ 2023-05-03 ]

The failure apparently started happening after this commit in 10.3.38

commit 37a316c01d778a62a056d5d20110ef18bb55975e
Author: Dmitry Shulga
Date:   Fri Dec 9 21:10:25 2022 +0700
 
    MDEV-29988: Major performance regression with 10.6.11

So it's a reasonably fresh regression.

Comment by Roel Van de Paar [ 2023-05-05 ]

Stacks across versions look slightly different:

SIGSEGV|Item::fix_fields_if_needed_for_scalar|fix_fields_for_tvc|table_value_constr::prepare|st_select_lex_unit::prepare
SIGSEGV|Item::fix_fields_if_needed|Item::fix_fields_if_needed_for_scalar|fix_fields_for_tvc|table_value_constr::prepare
SIGSEGV|Item::fix_fields_if_needed|Item::fix_fields_if_needed|Item::fix_fields_if_needed_for_scalar|fix_fields_for_tvc
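
Added example, not part of the original issue or of MariaDB's own tooling: one way to reduce a mysqld backtrace like the one in the description to a signature in the form shown in the comment above, so the same crash can be bucketed across versions. The SIGSEGV default, the four-frame depth and the names `frame_names` and `crash_signature` are assumptions; the quoted backtrace excerpt does not include the signal line.

```python
import re

# One frame as printed in the backtrace: file:line(symbol)[0xaddress]
FRAME_RE = re.compile(
    r"^(?P<src>\S+?):(?P<line>\d+)\((?P<sym>.+)\)\[0x[0-9a-fA-F]+\]$")

# Frames that belong to crash reporting, not to the fault (names taken from the page).
HANDLER_FRAMES = {"my_print_stacktrace", "handle_fatal_signal", "__restore_rt"}

# Top of the backtrace from the description, copied here so the block runs offline.
SAMPLE_TRACE = """\
Thread pointer: 0x7f759c000da0
stack_bottom = 0x7f75ad224c70 thread_stack 0x49000
mysys/stacktrace.c:174(my_print_stacktrace)[0x5620feb1c68a]
sql/signal_handler.cc:238(handle_fatal_signal)[0x5620fe1a9120]
libc_sigaction.c:0(__restore_rt)[0x7f75b3042520]
sql/item.h:966(Item::fix_fields_if_needed(THD*, Item**))[0x5620fdd27021]
sql/item.h:970(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x5620fdd27095]
sql/sql_tvc.cc:62(fix_fields_for_tvc(THD*, List_iterator_fast<List<Item> >&))[0x5620fe0c2146]
sql/sql_tvc.cc:238(table_value_constr::prepare(THD*, st_select_lex*, select_result*, st_select_lex_unit*))[0x5620fe0c288f]
sql/sql_union.cc:1086(st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long))[0x5620fdf68dac]
"""

def frame_names(trace: str) -> list[str]:
    """Return function names, innermost first, skipping lines that are not frames."""
    names = []
    for raw in trace.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            # Drop the argument list so signature changes between versions
            # do not split one crash into several buckets.
            names.append(m.group("sym").split("(", 1)[0])
    return names

def crash_signature(trace: str, signal: str = "SIGSEGV", depth: int = 4) -> str:
    """Signal name (assumed, see lead-in) plus the first `depth` faulting frames."""
    names = frame_names(trace)
    # Start after the last handler frame; a trace without one starts at frame 0.
    start = max((i + 1 for i, n in enumerate(names) if n in HANDLER_FRAMES),
                default=0)
    return "|".join([signal, *names[start:start + depth]])

if __name__ == "__main__":
    print(crash_signature(SAMPLE_TRACE))
```

Run against the description's backtrace, this yields the second of the three signatures listed in the comment.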
