[#MDEV-3694] LP:623285 - Crash in quick_range_seq_next() in maria-5.3-dsmrr-cpk with join_cache

[MDEV-3694] LP:623285 - Crash in quick_range_seq_next() in maria-5.3-dsmrr-cpk with join_cache_level = {8,1} Created: 2010-08-24 Updated: 2015-02-02 Resolved: 2012-10-04
Status:	Closed
Project:	MariaDB Server
Component/s:	None
Affects Version/s:	None
Fix Version/s:	None

Type:

Bug

Priority:

Major

Reporter:

Philip Stoev (Inactive)

Assignee:

Sergei Petrunia

Resolution:

Fixed

Votes:

Labels:

Launchpad

Attachments:

LPexportBug623285.xml

Description

The following query:

SELECT table2 .`col_datetime_key`
FROM C JOIN ( CC table2 JOIN C table3 ON table3 .`col_varchar_key` < table2 .`col_varchar_key` ) ON table3 .`col_varchar_nokey` ;

causes the following crash:

#3 0x0828048a in handle_segfault (sig=11) at mysqld.cc:2706
#4 <signal handler called>
#5 0x0839ca86 in quick_range_seq_next (rseq=0x0, range=0xb5d9a704) at opt_range_mrr.cc:322
#6 0x084983d4 in handler::multi_range_read_next (this=0xb5d9a660, range_info=0xb60d1af8) at multi_range_read.cc:266
#7 0x08499f91 in DsMrr_impl::dsmrr_next (this=0xb5d9a9e0, range_info=0xb60d1af8) at multi_range_read.cc:1094
#8 0x0855ae7e in ha_maria::multi_range_read_next (this=0xb5d9a660, range_info=0xb60d1af8) at ha_maria.cc:3514
#9 0x083adcab in QUICK_RANGE_SELECT::get_next (this=0xb5e73790) at opt_range.cc:8403
#10 0x083c1f46 in rr_quick (info=0xb5e4e0f4) at records.cc:322
#11 0x083211e3 in join_init_read_record (tab=0xb5e4e0b0) at sql_select.cc:13870
#12 0x08321006 in join_init_quick_read_record (tab=0xb5e4e0b0) at sql_select.cc:13835
#13 0x0831f6c6 in sub_select (join=0xb5d9fcb8, join_tab=0xb5e4e0b0, end_of_records=false) at sql_select.cc:13083
#14 0x082d9aa4 in JOIN_CACHE::generate_full_extensions (this=0xb5e4e868, rec_ptr=0xb5e4e8f0 "") at sql_join_cache.cc:1944
#15 0x082d9883 in JOIN_CACHE_BNL::join_matching_records (this=0xb5e4e868, skip_last=false) at sql_join_cache.cc:1836
#16 0x082d9352 in JOIN_CACHE::join_records (this=0xb5e4e868, skip_last=false) at sql_join_cache.cc:1639
#17 0x0831f382 in sub_select_cache (join=0xb5d9fcb8, join_tab=0xb5e4def0, end_of_records=true) at sql_select.cc:12878
#18 0x0831f59b in sub_select (join=0xb5d9fcb8, join_tab=0xb5e4dd30, end_of_records=true) at sql_select.cc:13040
#19 0x0831eb55 in do_select (join=0xb5d9fcb8, fields=0xad29a04, table=0x0, procedure=0x0) at sql_select.cc:12636
#20 0x08304ed7 in JOIN::exec (this=0xb5d9fcb8) at sql_select.cc:2355
#21 0x0830560d in mysql_select (thd=0xad27ff0, rref_pointer_array=0xad29a88, tables=0xb5d98df0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0,
group=0x0, having=0x0, proc_param=0x0, select_options=2147764736, result=0xb5d9fc88, unit=0xad296cc, select_lex=0xad2996c) at sql_select.cc:2556
#22 0x082fdbff in handle_select (thd=0xad27ff0, lex=0xad29670, result=0xb5d9fc88, setup_tables_done_option=0) at sql_select.cc:276
#23 0x0829c1a4 in execute_sqlcom_select (thd=0xad27ff0, all_tables=0xb5d98df0) at sql_parse.cc:5081
#24 0x08292b7c in mysql_execute_command (thd=0xad27ff0) at sql_parse.cc:2265
#25 0x0829e365 in mysql_parse (thd=0xad27ff0,
inBuf=0xb5e3b320 "SELECT table2 .`col_datetime_key`\nFROM C JOIN ( CC table2 JOIN C table3 ON table3 .`col_varchar_key` < table2 .`col_varchar_key` ) ON table3 .`col_varchar_nokey`", length=167, found_semicolon=0xb60d3230) at sql_parse.cc:6027
#26 0x08290632 in dispatch_command (command=COM_QUERY, thd=0xad27ff0, packet=0xad2a011 "", packet_length=170) at sql_parse.cc:1184
#27 0x0828fb20 in do_command (thd=0xad27ff0) at sql_parse.cc:890
#28 0x0828cb58 in handle_one_connection (arg=0xad27ff0) at sql_connect.cc:1153
#29 0x00a08919 in start_thread () from /lib/libpthread.so.0
#30 0x00951e5e in clone () from /lib/libc.so.6

bzr version-info:

revision-id: <email address hidden>
date: 2010-08-19 19:52:58 +0200
build-date: 2010-08-24 13:17:50 +0300
revno: 2821
branch-nick: maria-5.3-dsmrr-cpk

maria-5.3 is not affected.

Comments

Comment by Philip Stoev (Inactive) [ 2010-08-24 ]

Re: Crash in quick_range_seq_next() in maria-5.3-dsmrr-cpk with join_cache_level = 8
Test case:

SET SESSION join_cache_level = 8;
CREATE TABLE `CC` (
`col_int_key` int(11) DEFAULT NULL,
`col_datetime_key` datetime DEFAULT NULL,
`col_varchar_key` varchar(1) DEFAULT NULL,
`col_varchar_nokey` varchar(1) DEFAULT NULL,
KEY `col_varchar_key` (`col_varchar_key`,`col_int_key`)
) ENGINE=MARIA DEFAULT CHARSET=latin1 PAGE_CHECKSUM=1;
INSERT INTO `CC` VALUES (6,'2005-10-07 00:00:00','e','e');
INSERT INTO `CC` VALUES (51,'2000-07-15 05:00:34','f','f');
CREATE TABLE `C` (
`col_int_key` int(11) DEFAULT NULL,
`col_datetime_key` datetime DEFAULT NULL,
`col_varchar_key` varchar(1) DEFAULT NULL,
`col_varchar_nokey` varchar(1) DEFAULT NULL,
KEY `col_varchar_key` (`col_varchar_key`,`col_int_key`)
) ENGINE=MARIA DEFAULT CHARSET=latin1 PAGE_CHECKSUM=1;
INSERT INTO `C` VALUES (2,'2004-10-11 18:13:16','w','w');
INSERT INTO `C` VALUES (2,'1900-01-01 00:00:00','d','d');
SELECT table2 .`col_datetime_key`
FROM C JOIN ( CC table2 JOIN C table3 ON table3 .`col_varchar_key` < table2 .`col_varchar_key` ) ON table3 .`col_varchar_nokey` ;

Comment by Philip Stoev (Inactive) [ 2010-09-06 ]

Re: Crash in quick_range_seq_next() in maria-5.3-dsmrr-cpk with join_cache_level = 8
Also happens with the default value of join_cache_level=1 . Test case

CREATE TABLE `CC` (
`pk` int(11) NOT NULL AUTO_INCREMENT,
`col_int_key` int(11) DEFAULT NULL,
`col_varchar_key` varchar(1) DEFAULT NULL,
`col_varchar_nokey` varchar(1) DEFAULT NULL,
PRIMARY KEY (`pk`),
KEY `col_int_key` (`col_int_key`),
KEY `col_varchar_key` (`col_varchar_key`,`col_int_key`)
) ENGINE=MARIA AUTO_INCREMENT=30 DEFAULT CHARSET=latin1 CHECKSUM=1 PAGE_CHECKSUM=1;
INSERT INTO `CC` VALUES (10,8,'v','v');
INSERT INTO `CC` VALUES (11,9,'r','r');
INSERT INTO `CC` VALUES (12,9,'a','a');
INSERT INTO `CC` VALUES (13,186,'m','m');
INSERT INTO `CC` VALUES (14,NULL,'y','y');
INSERT INTO `CC` VALUES (15,2,'j','j');
INSERT INTO `CC` VALUES (16,3,'d','d');
INSERT INTO `CC` VALUES (17,0,'z','z');
INSERT INTO `CC` VALUES (18,133,'e','e');
INSERT INTO `CC` VALUES (19,1,'h','h');
INSERT INTO `CC` VALUES (20,8,'b','b');
INSERT INTO `CC` VALUES (21,5,'s','s');
INSERT INTO `CC` VALUES (22,5,'e','e');
INSERT INTO `CC` VALUES (23,8,'j','j');
INSERT INTO `CC` VALUES (24,6,'e','e');
INSERT INTO `CC` VALUES (25,51,'f','f');
INSERT INTO `CC` VALUES (26,4,'v','v');
INSERT INTO `CC` VALUES (27,7,'x','x');
INSERT INTO `CC` VALUES (28,6,'m','m');
INSERT INTO `CC` VALUES (29,4,'c','c');
CREATE TABLE `C` (
`pk` int(11) NOT NULL AUTO_INCREMENT,
`col_int_key` int(11) DEFAULT NULL,
`col_varchar_key` varchar(1) DEFAULT NULL,
`col_varchar_nokey` varchar(1) DEFAULT NULL,
PRIMARY KEY (`pk`),
KEY `col_int_key` (`col_int_key`),
KEY `col_varchar_key` (`col_varchar_key`,`col_int_key`)
) ENGINE=MARIA AUTO_INCREMENT=21 DEFAULT CHARSET=latin1 CHECKSUM=1 PAGE_CHECKSUM=1;
INSERT INTO `C` VALUES (1,2,'w','w');
INSERT INTO `C` VALUES (2,9,'m','m');
INSERT INTO `C` VALUES (3,3,'m','m');
INSERT INTO `C` VALUES (4,9,'k','k');
INSERT INTO `C` VALUES (5,NULL,'r','r');
INSERT INTO `C` VALUES (6,9,'t','t');
INSERT INTO `C` VALUES (7,3,'j','j');
INSERT INTO `C` VALUES (8,8,'u','u');
INSERT INTO `C` VALUES (9,8,'h','h');
INSERT INTO `C` VALUES (10,53,'o','o');
INSERT INTO `C` VALUES (11,0,NULL,NULL);
INSERT INTO `C` VALUES (12,5,'k','k');
INSERT INTO `C` VALUES (13,166,'e','e');
INSERT INTO `C` VALUES (14,3,'n','n');
INSERT INTO `C` VALUES (15,0,'t','t');
INSERT INTO `C` VALUES (16,1,'c','c');
INSERT INTO `C` VALUES (17,9,'m','m');
INSERT INTO `C` VALUES (18,5,'y','y');
INSERT INTO `C` VALUES (19,6,'f','f');
INSERT INTO `C` VALUES (20,2,'d','d');

SELECT `col_varchar_nokey`
FROM CC table1
WHERE EXISTS (
SELECT `pk`
FROM C
WHERE `col_varchar_nokey` > table1 .`col_varchar_key` AND `pk` >= 1 ) ;

Comment by Philip Stoev (Inactive) [ 2010-09-08 ]

Re: Crash in quick_range_seq_next() in maria-5.3-dsmrr-cpk with join_cache_level =

{8,1}

Here is another backtrace that is produced by this test case

#4 <signal handler called>
#5 0x0864d61a in handler::read_range_next (this=0x99fc9a80) at handler.cc:4309
#6 0x087f6b60 in handler::multi_range_read_next (this=0x99fc9a80, range_info=0x9a0dc818) at multi_range_read.cc:248
#7 0x087fa947 in DsMrr_impl::dsmrr_next (this=0x99fc9dfc, range_info=0x9a0dc818) at multi_range_read.cc:1094
#8 0x08957438 in ha_maria::multi_range_read_next (this=0x99fc9a80, range_info=0x9a0dc818) at ha_maria.cc:3514
#9 0x0860aa63 in QUICK_RANGE_SELECT::get_next (this=0x99d92e50) at opt_range.cc:8403
#10 0x08632575 in rr_quick (info=0x99fde89c) at records.cc:322
#11 0x084e23fe in sub_select (join=0x99d26ec8, join_tab=0x99fde858, end_of_records=false) at sql_select.cc:13107
#12 0x084e089e in do_select (join=0x99d26ec8, fields=0x99feeb1c, table=0x0, procedure=0x0) at sql_select.cc:12634
#13 0x084af04e in JOIN::exec (this=0x99d26ec8) at sql_select.cc:2355
#14 0x082f231f in subselect_single_select_engine::exec (this=0x99fef6e8) at item_subselect.cc:2716
#15 0x082e5b67 in Item_subselect::exec (this=0x99fef628) at item_subselect.cc:481
#16 0x082e9474 in Item_exists_subselect::val_int (this=0x99fef628) at item_subselect.cc:1106
#17 0x08205dc7 in Item::val_int_result (this=0x99fef628) at item.h:779
#18 0x081fce5b in Item_cache_int::cache_value (this=0x99fc1fe8) at item.cc:7720
#19 0x0820f8c2 in Item_cache_wrapper::cache (this=0x99fc1f88) at item.cc:6725
#20 0x081f709f in Item_cache_wrapper::val_int (this=0x99fc1f88) at item.cc:6779
#21 0x084e2b42 in evaluate_join_record (join=0x99d22058, join_tab=0x99fc0be0, error=0) at sql_select.cc:13182
#22 0x084e2590 in sub_select (join=0x99d22058, join_tab=0x99fc0be0, end_of_records=false) at sql_select.cc:13127
#23 0x084e089e in do_select (join=0x99d22058, fields=0x0, table=0x99fe7170, procedure=0x0) at sql_select.cc:12634
#24 0x084abced in JOIN::exec (this=0x99d22058) at sql_select.cc:1933
#25 0x084aff87 in mysql_select (thd=0xc053758, rref_pointer_array=0xc0551cc, tables=0xb6b676b8, wild_num=0, fields=..., conds=0x99fef9c8, og_num=2,
order=0x99fefd08, group=0x0, having=0x0, proc_param=0x0, select_options=2147797506, result=0x99fefe78, unit=0xc054e30, select_lex=0xc0550c8)
at sql_select.cc:2556
#26 0x084a1141 in handle_select (thd=0xc053758, lex=0xc054dd4, result=0x99fefe78, setup_tables_done_option=0) at sql_select.cc:276
#27 0x083ccf82 in execute_sqlcom_select (thd=0xc053758, all_tables=0xb6b676b8) at sql_parse.cc:5081
#28 0x083ba20b in mysql_execute_command (thd=0xc053758) at sql_parse.cc:2265
#29 0x083d167c in mysql_parse (thd=0xc053758,
inBuf=0xb6b66c08 "/* GenTest::Transform::StraightJoin */ SELECT STRAIGHT_JOIN table1 . `col_varchar_key` AS field1 , table1 . `col_varchar_nokey` AS field2 FROM ( CC AS table1 INNER JOIN ( ( C AS table2 STRAIGHT_J"..., length=748, found_semicolon=0x9a0de230) at sql_parse.cc:6027
#30 0x083b53f7 in dispatch_command (command=COM_QUERY, thd=0xc053758,
packet=0xc07a3c9 "/* GenTest::Transform::StraightJoin */ SELECT STRAIGHT_JOIN table1 . `col_varchar_key` AS field1 , table1 . `col_varchar_nokey` AS field2 FROM ( CC AS table1 INNER JOIN ( ( C AS table2 STRAIGHT_J"..., packet_length=748) at sql_parse.cc:1184
#31 0x083b3bbc in do_command (thd=0xc053758) at sql_parse.cc:890
#32 0x083ad49c in handle_one_connection (arg=0xc053758) at sql_connect.cc:1153
#33 0x00bea919 in start_thread () from /lib/libpthread.so.0
#34 0x00b2ccbe in clone () from /lib/libc.so.6

valgrind warnings:

==2844== Thread 4:
==2844== Conditional jump or move depends on uninitialised value(s)
==2844== at 0x8498418: handler::multi_range_read_next(char**) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x849A33A: DsMrr_impl::dsmrr_next(char**) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x855B281: ha_maria::multi_range_read_next(char**) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x83ADE0A: QUICK_RANGE_SELECT::get_next() (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x83C20A5: ??? (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x8321342: join_init_read_record(st_join_table*) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x831F825: sub_select(JOIN*, st_join_table*, bool) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x831EC7E: ??? (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x8305036: JOIN::exec() (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x82365D7: subselect_single_select_engine::exec() (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x8230CFC: Item_subselect::exec() (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x823249A: Item_exists_subselect::val_int() (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x831FC07: ??? (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x831F9C6: sub_select(JOIN*, st_join_table*, bool) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x831EC7E: ??? (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x8305036: JOIN::exec() (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844==
==2844== Use of uninitialised value of size 4
==2844== at 0x839CBE6: quick_range_seq_next(void*, st_key_multi_range*) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x8498533: handler::multi_range_read_next(char**) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x849A33A: DsMrr_impl::dsmrr_next(char**) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x855B281: ha_maria::multi_range_read_next(char**) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x83ADE0A: QUICK_RANGE_SELECT::get_next() (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x83C20A5: ??? (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x8321342: join_init_read_record(st_join_table*) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x831F825: sub_select(JOIN*, st_join_table*, bool) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x831EC7E: ??? (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x8305036: JOIN::exec() (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x82365D7: subselect_single_select_engine::exec() (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x8230CFC: Item_subselect::exec() (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x823249A: Item_exists_subselect::val_int() (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x831FC07: ??? (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x831F9C6: sub_select(JOIN*, st_join_table*, bool) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x831EC7E: ??? (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844==
==2844== Invalid read of size 4
==2844== at 0x839CBE6: quick_range_seq_next(void*, st_key_multi_range*) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x8498533: handler::multi_range_read_next(char**) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x849A33A: DsMrr_impl::dsmrr_next(char**) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x855B281: ha_maria::multi_range_read_next(char**) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x83ADE0A: QUICK_RANGE_SELECT::get_next() (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x83C20A5: ??? (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x8321342: join_init_read_record(st_join_table*) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x831F825: sub_select(JOIN*, st_join_table*, bool) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x831EC7E: ??? (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x8305036: JOIN::exec() (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x82365D7: subselect_single_select_engine::exec() (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x8230CFC: Item_subselect::exec() (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x823249A: Item_exists_subselect::val_int() (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x831FC07: ??? (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x831F9C6: sub_select(JOIN*, st_join_table*, bool) (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== by 0x831EC7E: ??? (in /home/philips/bzr/maria-5.3-dsmrr-cpk/sql/mysqld)
==2844== Address 0x4 is not stack'd, malloc'd or (recently) free'd
==2844==

Comment by Sergei Petrunia [ 2010-09-13 ]

Re: Crash in quick_range_seq_next() in maria-5.3-dsmrr-cpk with join_cache_level =

{8,1}

Fixed in 5.3-dsmrr-cpk tree

Comment by Rasmus Johansson (Inactive) [ 2011-12-13 ]

Launchpad bug id: 623285

Generated at Thu Feb 08 06:50:31 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.

[MDEV-3694] LP:623285 - Crash in quick_range_seq_next() in maria-5.3-dsmrr-cpk with join_cache_level = {8,1} Created: 2010-08-24 Updated: 2015-02-02 Resolved: 2012-10-04