[MDEV-398] Segv related to spatial queries Created: 2012-07-16  Updated: 2012-07-18  Resolved: 2012-07-18

Status: Closed
Project: MariaDB Server
Component/s: None
Affects Version/s: 5.5.25, 5.3.7
Fix Version/s: 5.5.27, 5.3.8

Type: Bug Priority: Major
Reporter: Colin Guthrie Assignee: Sergei Petrunia
Resolution: Fixed Votes: 0
Labels: None
Environment:

Running under Mageia RPM packages on x86_64 system (note I tested on 5.5.23, but others have confirmed the issue on newer builds).


Attachments: File crash_memcpy_ssse3.sql.xz     File mdev-398.sql    

Description

Certain datasets and queries result in a crash (segv) of the mysqld daemon.

I will attach a dataset that can be used to reproduce the issue.

The following query can then be run on the data to reproduce the crash:

SELECT COUNT(*) FROM points INNER JOIN entries USING(entry_id) WHERE point_valid AND element_id=2 AND Contains(PolyFromText('POLYGON((-0.32274092990144 52.153573199526,0.76983859527361 51.180702899733,-1.2134199194054 50.962667621632,-0.32274092990144 52.153573199526))'),point);

The following backtrace was generated (in 5.5.23):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f42f3621700 (LWP 22847)]
0x00007f42f182d7a0 in __memcpy_ssse3 () from /lib64/libc.so.6
(gdb) bt
#0  0x00007f42f182d7a0 in __memcpy_ssse3 () from /lib64/libc.so.6
#1  0x00000000006c9bf1 in Field_blob::get_key_image (this=<optimized out>, buff=0x7f429831e080 " ", length=32, type_arg=<optimized out>) at /usr/include/bits/string3.h:52
#2  0x000000000079df71 in key_copy (to_key=0x7f429831e080 " ", from_record=0x7f429827a3e8 "\251\004'34\222\262?\251\004'34\222\262?j\036\035<\001\vJ@j\036\035<\001\vJ@J\001", 
    key_info=<optimized out>, key_length=32, with_zerofill=false) at /usr/src/debug/mariadb-5.5.23/sql/key.cc:146
#3  0x00000000007e2d4d in QUICK_ROR_INTERSECT_SELECT::get_next (this=0x7f4298313b40) at /usr/src/debug/mariadb-5.5.23/sql/opt_range.cc:10738
#4  0x00000000007eadd6 in rr_quick (info=0x7f42983187b8) at /usr/src/debug/mariadb-5.5.23/sql/records.cc:339
#5  0x00000000005d6dd9 in sub_select (join=0x7f42982ede88, join_tab=0x7f4298318708, end_of_records=<optimized out>) at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:15946
#6  0x00000000005df1cf in do_select (join=0x7f42982ede88, fields=0x0, table=0x7f4298314148, procedure=0x0) at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:15619
#7  0x00000000005ef9f2 in JOIN::exec (this=0x7f42982ede88) at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:2357
#8  0x00000000005f1472 in mysql_select (thd=0x42ee100, rref_pointer_array=<optimized out>, tables=<optimized out>, wild_num=1, fields=<optimized out>, conds=<optimized out>, og_num=3, 
    order=0x7f42982de038, group=0x7f42982ddd88, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f42982de158, unit=0x42f02d8, select_lex=0x42f09b0)
    at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:3003
#9  0x00000000005f57c4 in handle_select (thd=0x42ee100, lex=0x42f0228, result=0x7f42982de158, setup_tables_done_option=0) at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:310
#10 0x00000000005a3754 in execute_sqlcom_select (thd=0x42ee100, all_tables=0x7f42982c25c0) at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:4616
#11 0x00000000005abb16 in mysql_execute_command (thd=0x42ee100) at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:2184
#12 0x00000000005b0e16 in mysql_parse (parser_state=0x7f42f36209c0, thd=0x42ee100, rawbuf=<optimized out>, length=<optimized out>)
    at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:5731
#13 mysql_parse (thd=0x42ee100, rawbuf=<optimized out>, length=<optimized out>, parser_state=0x7f42f36209c0) at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:5656
#14 0x00000000005b2363 in dispatch_command (command=COM_QUERY, thd=0x42ee100, 
    packet=0x42f1ab1 "SELECT suppliers.*, members.name, loc_tn6.tree_node_id AS loc_tree_node_id,  (ACOS(\n    SIN(RADIANS(Y(egep.point))) * SIN(RADIANS(51.428643469796))\n    + COS(RADIANS(Y(egep.point))) * COS(RADIANS(51.4"..., packet_length=4083288744) at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:1055
#15 0x000000000065e9b7 in do_handle_one_connection (thd_arg=<optimized out>) at /usr/src/debug/mariadb-5.5.23/sql/sql_connect.cc:1253
#16 0x000000000065eac0 in handle_one_connection (arg=0x42ee100) at /usr/src/debug/mariadb-5.5.23/sql/sql_connect.cc:1168
#17 0x00007f42f2cc8b99 in start_thread () from /lib64/libpthread.so.0
#18 0x00007f42f17e50cd in clone () from /lib64/libc.so.6
#19 0x0000000000000000 in ?? ()
(gdb) bt full
#0  0x00007f42f182d7a0 in __memcpy_ssse3 () from /lib64/libc.so.6
No symbol table info available.
#1  0x00000000006c9bf1 in Field_blob::get_key_image (this=<optimized out>, buff=0x7f429831e080 " ", length=32, type_arg=<optimized out>) at /usr/include/bits/string3.h:52
        def_temp = 32
        blob_length = 32
        blob = 0x3c1d1e6a3fb29234 <Address 0x3c1d1e6a3fb29234 out of bounds>
        local_char_length = <optimized out>
#2  0x000000000079df71 in key_copy (to_key=0x7f429831e080 " ", from_record=0x7f429827a3e8 "\251\004'34\222\262?\251\004'34\222\262?j\036\035<\001\vJ@j\036\035<\001\vJ@J\001", 
    key_info=<optimized out>, key_length=32, with_zerofill=false) at /usr/src/debug/mariadb-5.5.23/sql/key.cc:146
        bytes = <optimized out>
        length = 32
        key_part = 0x7f42982847c0
#3  0x00000000007e2d4d in QUICK_ROR_INTERSECT_SELECT::get_next (this=0x7f4298313b40) at /usr/src/debug/mariadb-5.5.23/sql/opt_range.cc:10738
        quick = 0x7f42982cf200
        last_rowid_count = <optimized out>
        quick_it = {<base_list_iterator> = {list = 0x7f4298313b80, el = 0x7f429831b5b8, prev = <optimized out>, current = <optimized out>}, <No data fields>}
        qr = <optimized out>
        error = 0
        cmp = <optimized out>
#4  0x00000000007eadd6 in rr_quick (info=0x7f42983187b8) at /usr/src/debug/mariadb-5.5.23/sql/records.cc:339
        tmp = <optimized out>
#5  0x00000000005d6dd9 in sub_select (join=0x7f42982ede88, join_tab=0x7f4298318708, end_of_records=<optimized out>) at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:15946
        error = <optimized out>
        rc = <optimized out>
        info = 0x7f42983187b8
        skip_over = <optimized out>
#6  0x00000000005df1cf in do_select (join=0x7f42982ede88, fields=0x0, table=0x7f4298314148, procedure=0x0) at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:15619
        rc = 0
        error = NESTED_LOOP_OK
        join_tab = 0x7f4298318708
        end_select = 0x5e46c0 <end_write(JOIN*, JOIN_TAB*, bool)>
#7  0x00000000005ef9f2 in JOIN::exec (this=0x7f42982ede88) at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:2357
        save_proc = 0x0
        columns_list = <optimized out>
        __FUNCTION__ = "exec"
        curr_join = 0x7f42982ede88
        tmp_error = <optimized out>
        curr_all_fields = 0x7f42982ee178
        curr_fields_list = 0x42f0ac0
        curr_tmp_table = 0x7f4298314148
#8  0x00000000005f1472 in mysql_select (thd=0x42ee100, rref_pointer_array=<optimized out>, tables=<optimized out>, wild_num=1, fields=<optimized out>, conds=<optimized out>, og_num=3, 
    order=0x7f42982de038, group=0x7f42982ddd88, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f42982de158, unit=0x42f02d8, select_lex=0x42f09b0)
    at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:3003
        err = <optimized out>
        free_join = true
        join = 0x7f42982ede88
        __FUNCTION__ = "mysql_select"
#9  0x00000000005f57c4 in handle_select (thd=0x42ee100, lex=0x42f0228, result=0x7f42982de158, setup_tables_done_option=0) at /usr/src/debug/mariadb-5.5.23/sql/sql_select.cc:310
        unit = 0x42f02d8
        res = <optimized out>
        select_lex = 0x42f09b0
#10 0x00000000005a3754 in execute_sqlcom_select (thd=0x42ee100, all_tables=0x7f42982c25c0) at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:4616
        lex = 0x42f0228
        result = 0x7f42982de158
        res = <optimized out>
#11 0x00000000005abb16 in mysql_execute_command (thd=0x42ee100) at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:2184
        privileges_requested = <optimized out>
        up_result = 0
        lex = 0x42f0228
        select_lex = 0x42f09b0
        first_table = 0x7f42982c25c0
        unit = 0x42f02d8
        __FUNCTION__ = "mysql_execute_command"
        res = <optimized out>
        all_tables = 0x7f42982c25c0
        have_table_map_for_update = false
#12 0x00000000005b0e16 in mysql_parse (parser_state=0x7f42f36209c0, thd=0x42ee100, rawbuf=<optimized out>, length=<optimized out>)
    at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:5731
        found_semicolon = <optimized out>
        lex = 0x42f0228
        err = <optimized out>
        error = <optimized out>
#13 mysql_parse (thd=0x42ee100, rawbuf=<optimized out>, length=<optimized out>, parser_state=0x7f42f36209c0) at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:5656
No locals.
#14 0x00000000005b2363 in dispatch_command (command=COM_QUERY, thd=0x42ee100, 
    packet=0x42f1ab1 "SELECT suppliers.*, members.name, loc_tn6.tree_node_id AS loc_tree_node_id,  (ACOS(\n    SIN(RADIANS(Y(egep.point))) * SIN(RADIANS(51.428643469796))\n    + COS(RADIANS(Y(egep.point))) * COS(RADIANS(51.4"..., packet_length=4083288744) at /usr/src/debug/mariadb-5.5.23/sql/sql_parse.cc:1055
        packet_end = <optimized out>
        parser_state = {m_lip = {m_thd = 0x42ee100, yylineno = 7, yytoklen = 1, yylval = 0x7f42f361f470, lookahead_token = -1, lookahead_yylval = 0x0, m_ptr = 0x7f4298005796 "\r", 
            m_tok_start = 0x7f4298005796 "\r", m_tok_end = 0x7f4298005796 "\r", m_end_of_query = 0x7f4298005795 "", m_tok_start_prev = 0x7f4298005795 "", 
            m_buf = 0x7f4298004c98 "SELECT suppliers.*, members.name, loc_tn6.tree_node_id AS loc_tree_node_id,  (ACOS(\n    SIN(RADIANS(Y(egep.point))) * SIN(RADIANS(51.428643469796))\n    + COS(RADIANS(Y(egep.point))) * COS(RADIANS(51.4"..., m_buf_length = 2813, m_echo = true, m_echo_saved = false, 
            m_cpp_buf = 0x7f4298005800 "SELECT suppliers.*, members.name, loc_tn6.tree_node_id AS loc_tree_node_id,  (ACOS(\n    SIN(RADIANS(Y(egep.point))) * SIN(RADIANS(51.428643469796))\n    + COS(RADIANS(Y(egep.point))) * COS(RADIANS(51.4"..., m_cpp_ptr = 0x7f42980062fd "", m_cpp_tok_start = 0x7f42980062fd "", m_cpp_tok_start_prev = 0x7f42980062fd "", 
            m_cpp_tok_end = 0x7f42980062fd "", m_body_utf8 = 0x0, m_body_utf8_ptr = 0x42ee100 "p\377\021\001", m_cpp_utf8_processed_ptr = 0x0, next_state = MY_LEX_END, 
            found_semicolon = 0x0, tok_bitmap = 127 '\177', ignore_space = false, stmt_prepare_mode = false, multi_statements = true, in_comment = NO_COMMENT, 
            in_comment_saved = 3112726272, m_cpp_text_start = 0x7f42980062fc "5", m_cpp_text_end = 0x7f42980062fd "", m_underscore_cs = 0x0}, m_yacc = {yacc_yyss = 0x0, 
            yacc_yyvs = 0x0, m_set_signal_info = {m_item = {0x0 <repeats 12 times>}}, m_lock_type = TL_READ_DEFAULT, m_mdl_type = MDL_SHARED_READ}}
        net = 0x7f42f3620aa8
        error = false
        __FUNCTION__ = "dispatch_command"
#15 0x000000000065e9b7 in do_handle_one_connection (thd_arg=<optimized out>) at /usr/src/debug/mariadb-5.5.23/sql/sql_connect.cc:1253
        create_user = true
        thd = 0x42ee100
#16 0x000000000065eac0 in handle_one_connection (arg=0x42ee100) at /usr/src/debug/mariadb-5.5.23/sql/sql_connect.cc:1168
        thd = 0x42ee100
#17 0x00007f42f2cc8b99 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#18 0x00007f42f17e50cd in clone () from /lib64/libc.so.6
No symbol table info available.
#19 0x0000000000000000 in ?? ()
No symbol table info available.



Comments
Comment by Colin Guthrie [ 2012-07-16 ]

Note that tweaking the data set slightly can avoid the crash so the order of the data seems important.

e.g. running

UPDATE points SET element_id=3 WHERE element_id=1;

is enough to make things work properly.

Comment by Elena Stepanova [ 2012-07-16 ]

Attached mdev-398.sql – somewhat reduced data in text format (can be used in MTR or in the client). Reducing it further changes the execution plan (no index_merge anymore), so the problem does not show up.

A shorter query which also reproduces the problem:

SELECT COUNT(*) FROM points WHERE element_id=2
AND Contains(PolyFromText('POLYGON((-0.32274092990144 52.153573199526,0.76983859527361 51.180702899733,-1.2134199194054 50.962667621632,-0.32274092990144 52.153573199526))'),point);

COUNT is not important here, SELECT * or even SELECT 1 works too – count just makes the output neater if the query didn't crash.

Minimal optimizer_switch: index_merge=on,index_merge_intersection=on

EXPLAIN:

id  select_type  table   type         possible_keys  key            key_len  ref   rows  filtered  Extra
1   SIMPLE       points  index_merge  idx_eli,idx_p  idx_p,idx_eli  34,4     NULL  4     75.00     Using intersect(idx_p,idx_eli); Using where; Using index
Warnings:
Note 1003 select count(0) AS `COUNT` from `test`.`points` where ((`test`.`points`.`element_id` = 2) and st_contains(st_geometryfromtext('POLYGON((-0.32274092990144 52.153573199526,0.76983859527361 51.180702899733,-1.2134199194054 50.962667621632,-0.32274092990144 52.153573199526))'),`test`.`points`.`point`))

Reproducible on current maria/5.3 revno 3551 and maria/5.5 revno 3466.
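The script below is an added example, not part of the report, its attachments or the MariaDB test suite. The page shows only the query and the EXPLAIN output (idx_p with key_len 34, idx_eli with key_len 4), so the table definition is an assumed reconstruction and the rows are constructed so the statements run; whether the optimizer actually picks the index_merge intersection plan depends on the data, as the comment above notes, so the crash itself is only expected with the attached dataset on an affected build. What the script does show is the check a practitioner wants on a server that cannot be upgraded to 5.3.8/5.5.27 yet: since a plain SELECT from any account with read access on such a table takes down mysqld, the workaround is to switch off index_merge_intersection (the minimal optimizer_switch named above) and confirm with EXPLAIN that "Using intersect" no longer appears.

```sql
-- Added example for MDEV-398; not the report's own attachments.
-- ASSUMED schema: reconstructed from the query and the EXPLAIN on the page
-- (SPATIAL key idx_p on point, secondary key idx_eli on element_id).
-- MyISAM is used because it was the only engine with SPATIAL indexes in
-- MariaDB 5.3/5.5.
CREATE DATABASE IF NOT EXISTS mdev398;
USE mdev398;

DROP TABLE IF EXISTS points;
CREATE TABLE points (
  entry_id    INT UNSIGNED NOT NULL,
  element_id  INT UNSIGNED NOT NULL,
  point_valid TINYINT(1)   NOT NULL DEFAULT 1,
  point       POINT        NOT NULL,          -- SPATIAL keys require NOT NULL
  KEY idx_eli (element_id),
  SPATIAL KEY idx_p (point)
) ENGINE=MyISAM;

-- Constructed sample rows (not the attached dataset): some inside the
-- polygon from the report, some outside, with mixed element_id values.
INSERT INTO points (entry_id, element_id, point) VALUES
  (1, 2, GeomFromText('POINT(-0.2 51.5)')),
  (2, 2, GeomFromText('POINT(0.1 51.7)')),
  (3, 1, GeomFromText('POINT(-0.5 51.3)')),
  (4, 2, GeomFromText('POINT(2.0 50.0)')),
  (5, 3, GeomFromText('POINT(-1.0 51.0)'));

-- Step 0: know what you are running. The fix is in 5.3.8 / 5.5.27.
SELECT VERSION();
SELECT @@session.optimizer_switch;

-- Step 1: the plan the report shows as crashing. With both switches on,
-- look for "Using intersect(idx_p,idx_eli)" in the Extra column. On this
-- tiny constructed table the optimizer may choose a plain ref or range scan
-- instead; the comment above notes that shrinking the data changes the plan.
SET SESSION optimizer_switch = 'index_merge=on,index_merge_intersection=on';
EXPLAIN
SELECT COUNT(*) FROM points
WHERE element_id = 2
  AND Contains(PolyFromText('POLYGON((-0.32274092990144 52.153573199526,0.76983859527361 51.180702899733,-1.2134199194054 50.962667621632,-0.32274092990144 52.153573199526))'), point);

-- Step 2: workaround on an unfixed server. Turning off
-- index_merge_intersection stops the optimizer from combining the SPATIAL
-- index with idx_eli, so QUICK_ROR_INTERSECT_SELECT (frame #3 in the
-- backtrace) is never used. Re-run EXPLAIN and confirm "Using intersect"
-- is gone; the query is then answered from one index plus the WHERE filter.
SET SESSION optimizer_switch = 'index_merge_intersection=off';
EXPLAIN
SELECT COUNT(*) FROM points
WHERE element_id = 2
  AND Contains(PolyFromText('POLYGON((-0.32274092990144 52.153573199526,0.76983859527361 51.180702899733,-1.2134199194054 50.962667621632,-0.32274092990144 52.153573199526))'), point);

-- Step 3: only once the plan no longer intersects the two indexes, run the
-- query itself.
SELECT COUNT(*) FROM points
WHERE element_id = 2
  AND Contains(PolyFromText('POLYGON((-0.32274092990144 52.153573199526,0.76983859527361 51.180702899733,-1.2134199194054 50.962667621632,-0.32274092990144 52.153573199526))'), point);

-- Server-wide until the next restart; put optimizer_switch=index_merge_intersection=off
-- under [mysqld] in my.cnf to make it survive a restart.
-- SET GLOBAL optimizer_switch = 'index_merge_intersection=off';
```

The session-level SET only protects the connection that issued it; a workaround that matters has to be applied with SET GLOBAL (affecting new connections) and in my.cnf, and removed again after upgrading so the intersection optimization comes back for the workloads that benefit from it.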

Comment by Sergei Petrunia [ 2012-07-17 ]

It seems, index_merge/intersect (or a recent update of it?) is unable to work on GIS indexes. I'll need to discuss GIS indexes with Holyfoot: are GIS scans ROR-scans, do they meaningfully support index_only (ha_myisam::index_flags() code looks like they do, however, I am unable to construct an example where GIS range scan would use "Using index")

Comment by Sergei Petrunia [ 2012-07-18 ]

Fix pushed into 5.3 tree

Comment by Colin Guthrie [ 2012-07-18 ]

That's awesome, thanks Sergei (and Holyfoot and Elena too!). Such a quick response for both triaging and fixing. So much better than previous experiences in the "old" days
