[MDEV-32082] Server crash in find_field_in_table Created: 2023-09-04  Updated: 2023-11-13  Resolved: 2023-11-10

Status: Closed
Project: MariaDB Server
Component/s: Server, Versioned Tables
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 10.11.5
Fix Version/s: 10.4.33, 10.5.24, 10.6.17, 10.11.7, 11.0.5, 11.1.4, 11.2.3, 11.3.2, 11.4.1

Type: Bug Priority: Major
Reporter: jiaqi Assignee: Aleksey Midenkov
Resolution: Fixed Votes: 0
Labels: pushing

Issue Links:
Relates
relates to MDEV-16094 Crash when using AS OF with a stored ... Closed

Description

How to trigger

CREATE TABLE t0 ( c0 MIDDLEINT UNIQUE AUTO_INCREMENT PRIMARY KEY ) WITH SYSTEM VERSIONING ;
SELECT ( SELECT ca3 FROM ( SELECT ra2 . ca4 ca3 FROM t0 ra3 ) FOR SYSTEM_TIME AS OF NOW ra4 ) AS ca2 FROM ( SELECT ra1 . c0 ca4 FROM t0 ra1 ORDER BY ra1 . c0 LIMIT 1 ) AS ra2 ;

Server error log

Server version: 10.11.5-MariaDB source revision: 7875294b6b74b53dd3aaa723e6cc103d2bb47b2c
key_buffer_size=134217728
read_buffer_size=131072
max_used_connections=2
max_threads=153
thread_count=22
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 468037 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
 
Thread pointer: 0x7fe7940225e8
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7fe7b00cedb0 thread_stack 0x49000
mysys/stacktrace.c:215(my_print_stacktrace)[0x55f205038be8]
sql/signal_handler.cc:241(handle_fatal_signal)[0x55f2048a5623]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x12980)[0x7fe7c811d980]
sql/sql_base.cc:6308(find_field_in_table(THD*, TABLE*, char const*, unsigned long, bool, unsigned short*))[0x55f2044615d7]
sql/sql_base.cc:6473(find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned long, char const*, char const*, char const*, List<TABLE_LIST>*, Item**, bool, bool, unsigned short*, bool, TABLE_LIST**))[0x55f2044620f3]
sql/sql_base.cc:6790(find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, List<TABLE_LIST>*, Item**, find_item_error_report_type, bool, bool))[0x55f2044632f7]
sql/item.cc:6020(Item_field::fix_fields(THD*, Item**))[0x55f2048d6bfe]
sql/item.h:1147(Vers_history_point::check_unit(THD*))[0x55f2046886b3]
sql/table.cc:10355(vers_select_conds_t::check_units(THD*))[0x55f2046885f6]
sql/sql_select.cc:1268(st_select_lex::vers_setup_conds(THD*, TABLE_LIST*))[0x55f204566253]
sql/sql_select.cc:1415(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55f204566a15]
sql/sql_union.cc:1105(st_select_lex_unit::prepare_join(THD*, st_select_lex*, select_result*, unsigned long long, bool))[0x55f204644dd7]
sql/sql_union.cc:1498(st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long long))[0x55f20463ea14]
sql/sql_derived.cc:840(mysql_derived_prepare(THD*, LEX*, TABLE_LIST*))[0x55f2044a6c38]
sql/sql_derived.cc:200(mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int))[0x55f2044a984e]
sql/table.cc:9523(TABLE_LIST::handle_derived(LEX*, unsigned int))[0x55f2046844cf]
sql/sql_lex.h:4500(LEX::handle_list_of_derived(TABLE_LIST*, unsigned int))[0x55f2044a5fd1]
sql/sql_select.cc:1397(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55f20456693f]
sql/item_subselect.cc:3888(subselect_single_select_engine::prepare(THD*))[0x55f2049e138e]
sql/item_subselect.cc:295(Item_subselect::fix_fields(THD*, Item**))[0x55f2049d37cd]
sql/item.h:1147(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55f2043e18f0]
sql/sql_base.cc:8014(setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool))[0x55f204465a3f]
sql/sql_select.cc:1484(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55f204566f8e]
sql/sql_select.cc:5087(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55f2045630c3]
sql/sql_select.cc:586(handle_select(THD*, LEX*, select_result*, unsigned long long))[0x55f204562e69]
sql/sql_parse.cc:4728(mysql_execute_command(THD*, bool))[0x55f204512e43]
sql/sql_parse.cc:8051(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55f204502e17]
sql/sql_parse.cc:1896(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55f2044ffe0f]
sql/sql_parse.cc:1407(do_command(THD*, bool))[0x55f2045033fe]
sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x55f2046ca783]
sql/sql_connect.cc:1322(handle_one_connection)[0x55f2046ca407]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55f204ba7d23]
nptl/pthread_create.c:463(start_thread)[0x7fe7c81126db]
x86_64/clone.S:97(clone)[0x7fe7c761261f]
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x7fe794029060): REPLACE INTO t0 SELECT ( SELECT MIN( ra4 . ca3 ) ca1 FROM ( SELECT ra2 . ca4 ca3 FROM t0 ra3 ) FOR SYSTEM_TIME AS OF NOW ra4 ) AS ca2 FROM ( SELECT ra1 . c0 ca4 FROM t0 ra1 ORDER BY ra1 . c0 LIMIT 1 ) AS ra2
 
Connection ID (thread ID): 44288
Status: NOT_KILLED
 
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off,hash_join_cardinality=off

Comments
Comment by Alice Sherepa [ 2023-09-04 ]

Thank you for the report!
I repeated on 10.4-11.3:

CREATE TABLE t1 ( i int) WITH SYSTEM VERSIONING ;
SELECT * FROM (SELECT 1 FROM t1) FOR system_time AS OF now ca4;

Version: '10.4.32-MariaDB-debug-log' : 
mysqld: /10.4/src/sql/sql_base.cc:6202: Field* find_field_in_table_ref(THD*, TABLE_LIST*, const char*, size_t, const char*, const char*, const char*, Item**, bool, bool, uint*, bool, TABLE_LIST**): Assertion `table_list->table' failed.
230904 11:18:40 [ERROR] mysqld got signal 6 ;
 
Server version: 10.4.32-MariaDB-debug-log source revision: 02878f128e12448f995efd2551be65dc13c458a5
 
sql/signal_handler.cc:238(handle_fatal_signal)[0x555bd1884225]
sigaction.c:0(__restore_rt)[0x7f3844bbc420]
sql/sql_base.cc:6203(find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned long, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**))[0x555bd0f46b1f]
sql/sql_base.cc:6506(find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool))[0x555bd0f48668]
sql/item.cc:5904(Item_field::fix_fields(THD*, Item**))[0x555bd1906d48]
sql/item.h:966(Item::fix_fields_if_needed(THD*, Item**))[0x555bd0e2656d]
sql/table.cc:9975(Vers_history_point::resolve_unit(THD*))[0x555bd1421188]
sql/table.cc:9944(vers_select_conds_t::resolve_units(THD*))[0x555bd1420f15]
sql/sql_select.cc:1124(st_select_lex::vers_setup_conds(THD*, TABLE_LIST*))[0x555bd11773f3]
sql/sql_select.cc:1269(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x555bd1178a94]
sql/sql_union.cc:662(st_select_lex_unit::prepare_join(THD*, st_select_lex*, select_result*, unsigned long, bool))[0x555bd138931c]
sql/sql_union.cc:1009(st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long))[0x555bd138cabb]
sql/sql_derived.cc:824(mysql_derived_prepare(THD*, LEX*, TABLE_LIST*))[0x555bd0ff0e9d]
sql/sql_derived.cc:200(mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int))[0x555bd0fed26e]
sql/table.cc:9097(TABLE_LIST::handle_derived(LEX*, unsigned int))[0x555bd1419211]
sql/sql_lex.h:4388(LEX::handle_list_of_derived(TABLE_LIST*, unsigned int))[0x555bd1035508]
sql/sql_lex.cc:4310(st_select_lex::handle_derived(LEX*, unsigned int))[0x555bd105755b]
sql/sql_select.cc:1251(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x555bd1178686]
sql/sql_select.cc:4789(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x555bd119f229]
sql/sql_select.cc:442(handle_select(THD*, LEX*, select_result*, unsigned long))[0x555bd1170258]
sql/sql_parse.cc:6473(execute_sqlcom_select(THD*, TABLE_LIST*))[0x555bd10dc062]
sql/sql_parse.cc:3976(mysql_execute_command(THD*))[0x555bd10c97d9]
sql/sql_parse.cc:8010(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x555bd10e553d]
sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x555bd10bb99f]
sql/sql_parse.cc:1378(do_command(THD*))[0x555bd10b84ca]
sql/sql_connect.cc:1420(do_handle_one_connection(CONNECT*))[0x555bd14c5dcf]
sql/sql_connect.cc:1325(handle_one_connection)[0x555bd14c5673]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x555bd216ee00]
nptl/pthread_create.c:478(start_thread)[0x7f3844bb0609]
 
Query (0x62b0000a1290): SELECT * FROM (SELECT 1 FROM t1) FOR system_time AS OF now ca4

230904 11:22:10 [ERROR] mysqld got signal 11 ;
 
Server version: 10.4.31-MariaDB source revision: 2aea9387497cecb5668ef605b8f80886f9de812c
 
sql/signal_handler.cc:238(handle_fatal_signal)[0x555de2afd627]
sigaction.c:0(__restore_rt)[0x7f44b2709420]
sql/sql_base.cc:6042(find_field_in_table(THD*, TABLE*, char const*, unsigned long, bool, unsigned int*))[0x555de28a38cd]
sql/sql_base.cc:6203(find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned long, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**))[0x555de28a41df]
sql/sql_base.cc:6515(find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool))[0x555de28a45c9]
sql/item.cc:5904(Item_field::fix_fields(THD*, Item**))[0x555de2b28a07]
sql/table.cc:9975(Vers_history_point::resolve_unit(THD*))[0x555de29c6591]
sql/table.cc:9944(vers_select_conds_t::resolve_units(THD*))[0x555de29c65c6]
sql/sql_select.cc:1124(st_select_lex::vers_setup_conds(THD*, TABLE_LIST*))[0x555de292f431]
sql/sql_select.cc:1269(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x555de294bc6f]
sql/sql_union.cc:675(st_select_lex_unit::prepare_join(THD*, st_select_lex*, select_result*, unsigned long, bool))[0x555de29a8cc2]
sql/sql_union.cc:1009(st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long))[0x555de29acc50]
sql/sql_derived.cc:824(mysql_derived_prepare(THD*, LEX*, TABLE_LIST*))[0x555de28c731a]
sql/sql_derived.cc:200(mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int))[0x555de28c617d]
sql/sql_lex.h:4388(LEX::handle_list_of_derived(TABLE_LIST*, unsigned int))[0x555de28df3c7]
sql/sql_select.cc:1251(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x555de294bc0b]
sql/sql_select.cc:4789(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x555de2962220]
sql/sql_select.cc:454(handle_select(THD*, LEX*, select_result*, unsigned long))[0x555de2962577]
sql/sql_parse.cc:6474(execute_sqlcom_select(THD*, TABLE_LIST*))[0x555de27e5fa3]
sql/sql_parse.cc:3976(mysql_execute_command(THD*))[0x555de290545b]
sql/sql_parse.cc:8010(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x555de2909e72]
sql/sql_parse.cc:1919(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x555de290cac2]
sql/sql_parse.cc:1379(do_command(THD*))[0x555de290dbe2]
sql/sql_connect.cc:1420(do_handle_one_connection(CONNECT*))[0x555de29f2602]
sql/sql_connect.cc:1326(handle_one_connection)[0x555de29f26ed]
 
Query (0x7f4444010300): SELECT * FROM (SELECT 1 FROM t1) FOR system_time AS OF now ca4

Comment by Aleksey Midenkov [ 2023-09-13 ]

Caused by 46be31982a4 which does fix_fields_if_needed() in Vers_history_point::resolve_unit() and this is done under mysql_derived_prepare() when derived is not yet prepared (no table_list->table). Here NOW is treated as field name.
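A crash-log triage helper, added here as an illustration and not part of the ticket or of the MariaDB code base: it parses the backtrace frame format shown in the traces above, looks for the three frames common to all of them (field resolution of the history point running under mysql_derived_prepare), and compares the reported server version against the Fix Version/s list, so an operator can tell whether an error log matches this bug on an unpatched build. The regexes, function names and FIXED_IN table are mine; the sample log is constructed from lines copied off this page.

```python
import re
# A MariaDB backtrace frame is <file>:<line>(<function>)[<address>]
FRAME_RE = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+)\((?P<func>.*)\)\[0x[0-9a-f]+\]$")
QUERY_RE = re.compile(r"^Query \(0x[0-9a-f]+\): (?P<sql>.*)$")
VERSION_RE = re.compile(r"Server version: (?P<ver>\d+\.\d+\.\d+)")
# Frames present in every trace on this ticket: history-point field
# resolution running inside derived-table preparation.
SIGNATURE = ("find_field_in_table", "Vers_history_point", "mysql_derived_prepare")
# First patch release of each series that carries the fix (ticket header).
FIXED_IN = {(10, 4): 33, (10, 5): 24, (10, 6): 17, (10, 11): 7, (11, 0): 5,
            (11, 1): 4, (11, 2): 3, (11, 3): 2, (11, 4): 1}

# Constructed sample log: lines copied from the traces attached to this ticket.
SAMPLE_LOG = [
    "Server version: 10.11.5-MariaDB source revision: 7875294b6b74b53dd3aaa723e6cc103d2bb47b2c",
    "sql/sql_base.cc:6308(find_field_in_table(THD*, TABLE*, char const*, unsigned long, bool, unsigned short*))[0x55f2044615d7]",
    "sql/item.h:1147(Vers_history_point::check_unit(THD*))[0x55f2046886b3]",
    "sql/sql_derived.cc:840(mysql_derived_prepare(THD*, LEX*, TABLE_LIST*))[0x55f2044a6c38]",
    "Query (0x62b0000a1290): SELECT * FROM (SELECT 1 FROM t1) FOR system_time AS OF now ca4",
]

def parse_frames(lines):
    """Return (file, line, function) for each backtrace frame in the log."""
    out = []
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if m:
            out.append((m["file"], int(m["line"]), m["func"]))
    return out

def first_match(regex, lines, group):
    for line in lines:
        m = regex.search(line)
        if m:
            return m[group]
    return None

def is_fixed(version):
    """True if an x.y.z MariaDB version includes the MDEV-32082 fix."""
    major, minor, patch = (int(p) for p in version.split("."))
    fix = FIXED_IN.get((major, minor))
    return fix is not None and patch >= fix

def matches_mdev_32082(lines):
    """Signature frames + a FOR SYSTEM_TIME query on a build without the fix."""
    funcs = " ".join(f[2] for f in parse_frames(lines))
    sql = (first_match(QUERY_RE, lines, "sql") or "").upper()
    ver = first_match(VERSION_RE, lines, "ver")
    return (all(s in funcs for s in SIGNATURE) and "SYSTEM_TIME" in sql
            and (ver is None or not is_fixed(ver)))
```

Feed it the lines of an error log between "Attempting backtrace" and "Optimizer switch"; a match on a build below the fix version is the cue to upgrade rather than to chase the query.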

Comment by Aleksey Midenkov [ 2023-09-13 ]

Please review bb-10.4-midenok

Comment by Nikita Malyavin [ 2023-09-13 ]

LGTM

Generated at Thu Feb 08 10:28:41 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.