[MDEV-6868] MariaDB server crash ( select with union and order by with subquery ) Created: 2014-10-14  Updated: 2014-11-15  Resolved: 2014-11-15

Status: Closed
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 5.5.40, 10.0.14, 5.3.13
Fix Version/s: 5.5.41, 10.0.15

Type: Bug Priority: Critical
Reporter: m.rygiel Assignee: Oleksandr Byelkin
Resolution: Fixed Votes: 0
Labels: crash
Environment:

CentOS 6
Fresh installation of MariaDB


 Description   

When execute this queries server will crash:
------------

CREATE TABLE sample ( id INTEGER, sample_name1 VARCHAR(100), sample_name2 VARCHAR(100), PRIMARY KEY(id) );
 
					
INSERT INTO sample ( id, sample_name1, sample_name2 ) VALUES ( 1, 'aaaa', 'bbbb' ), ( 2, 'cccc', 'dddd' );
 
										
(
 
	SELECT sample_name1 AS testname FROM sample
 
)
 
UNION
 
(
 
	SELECT sample_name2 AS testname FROM sample C ORDER BY (SELECT T.sample_name1 FROM sample T WHERE T.id = C.id)
 
)

------------
Crash messages:

141014  9:47:29 [ERROR] mysqld got signal 11 ;
 
This could be because you hit a bug. It is also possible that this binary
 
or one of the libraries it was linked against is corrupt, improperly built,
 
or misconfigured. This error can also be caused by malfunctioning hardware.
 
 
 
To report this bug, see http://kb.askmonty.org/en/reporting-bugs
 
 
 
We will try our best to scrape up some info that will hopefully help
 
diagnose the problem, but since we have already crashed,
 
something is definitely wrong and this may fail.
 
 
 
Server version: 10.0.14-MariaDB-log
 
key_buffer_size=268435456
 
read_buffer_size=131072
 
max_used_connections=1
 
max_threads=102
 
thread_count=2
 
It is possible that mysqld could use up to
 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 486186 K  bytes of memory
 
Hope that's ok; if not, decrease some variables in the equation.
 
 
 
Thread pointer: 0x0x7f6ea8bf5008
 
Attempting backtrace. You can use the following information to find out
 
where mysqld died. If you see no messages after this, something went
 
terribly wrong...
 
stack_bottom = 0x7f6e98d3ad30 thread_stack 0x40000
 
/usr/sbin/mysqld(my_print_stacktrace+0x2b)[0xb6b85b]
 
/usr/sbin/mysqld(handle_fatal_signal+0x398)[0x723f08]
 
/lib64/libpthread.so.0(+0xf710)[0x7f6f0b486710]
 
/usr/sbin/mysqld(_ZN10Item_field15fix_outer_fieldEP3THDPP5FieldPP4Item+0xce)[0x7440be]
 
/usr/sbin/mysqld(_ZN10Item_field10fix_fieldsEP3THDPP4Item+0x555)[0x744dd5]
 
/usr/sbin/mysqld(_ZN9Item_func10fix_fieldsEP3THDPP4Item+0x198)[0x772ac8]
 
/usr/sbin/mysqld(_Z11setup_condsP3THDP10TABLE_LISTR4ListIS1_EPP4Item+0x19c)[0x592f0c]
 
/usr/sbin/mysqld[0x6125c2]
 
/usr/sbin/mysqld(_ZN30subselect_single_select_engine7prepareEv+0x125)[0x7a0635]
 
/usr/sbin/mysqld(_ZN14Item_subselect10fix_fieldsEP3THDPP4Item+0xe5)[0x79de55]
 
/usr/sbin/mysqld[0x5f5290]
 
/usr/sbin/mysqld[0x612fc4]
 
/usr/sbin/mysqld(_ZN18st_select_lex_unit7prepareEP3THDP13select_resultm+0x32d)[0x65fcad]
 
/usr/sbin/mysqld(_Z11mysql_unionP3THDP3LEXP13select_resultP18st_select_lex_unitm+0x1f)[0x66056f]
 
/usr/sbin/mysqld(_Z13handle_selectP3THDP3LEXP13select_resultm+0x85)[0x623145]
 
/usr/sbin/mysqld[0x5cac06]
 
/usr/sbin/mysqld(_Z21mysql_execute_commandP3THD+0x4c97)[0x5d58d7]
 
/usr/sbin/mysqld[0x5d7402]
 
/usr/sbin/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcj+0x1b20)[0x5d95c0]
 
/usr/sbin/mysqld(_Z24do_handle_one_connectionP3THD+0x453)[0x6946a3]
 
/usr/sbin/mysqld(handle_one_connection+0x42)[0x694772]
 
/lib64/libpthread.so.0(+0x79d1)[0x7f6f0b47e9d1]
 
/lib64/libc.so.6(clone+0x6d)[0x7f6f09b9cb6d]
 
 
 
Trying to get some variables.
 
Some pointers may be invalid and cause the dump to abort.
 
Query (0x7f6e98843020): is an invalid pointer
 
Connection ID (thread ID): 4
 
Status: NOT_KILLED
 
 
 
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_
 
keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,sem
 
ijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on,extended_keys=on,exists_to_in=on
 
 
 
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
 
information that should help you find out what is causing the crash.
 
141014 09:47:29 mysqld_safe Number of processes running now: 0
 
141014 09:47:29 mysqld_safe mysqld restarted

------

Same queries run without problem on clean MySQL 5.6.16 installation.
I also tried to disable optimization switches like this:

SET optimizer_switch='derived_merge=off';
 
SET optimizer_switch='derived_with_keys=off';
 
SET optimizer_switch='engine_condition_pushdown=off';
 
SET optimizer_switch='exists_to_in=off';
 
SET optimizer_switch='extended_keys=off';
 
SET optimizer_switch='firstmatch=off';
 
SET optimizer_switch='index_condition_pushdown=off';
 
SET optimizer_switch='index_merge=off';
 
SET optimizer_switch='index_merge_intersection=off';
 
SET optimizer_switch='index_merge_sort_intersection=off';
 
SET optimizer_switch='index_merge_sort_union=off';
 
SET optimizer_switch='index_merge_union=off';
 
SET optimizer_switch='in_to_exists=off'; ###################
 
SET optimizer_switch='join_cache_bka=off';
 
SET optimizer_switch='join_cache_hashed=off';
 
SET optimizer_switch='join_cache_incremental=off';
 
SET optimizer_switch='loosescan=off';
 
SET optimizer_switch='mrr=off';
 
SET optimizer_switch='mrr_cost_based=off';
 
SET optimizer_switch='mrr_sort_keys=off';
 
SET optimizer_switch='materialization=on';
 
SET optimizer_switch='subquery_cache=off';
 
SET optimizer_switch='semijoin=off';
 
SET optimizer_switch='semijoin_with_cache=off';
 
SET optimizer_switch='firstmatch=off';
 
SET optimizer_switch='partial_match_rowid_merge=off';
 
SET optimizer_switch='partial_match_table_scan=off';
 
SET optimizer_switch='outer_join_with_cache=off';##
 
SET optimizer_switch='optimize_join_buffer_size=off';##
 
SET optimizer_switch='table_elimination=off';

but not change after this, still crashing...

 Comments   
Comment by Elena Stepanova [ 2014-10-14 ]

Thank you for the report and the test case.

----------------------

Debug tack trace from 5.5 revno 4323

 
#3  <signal handler called>
 
#4  0x00000000007fcdac in Item_field::fix_outer_field (this=0x7f7900e88df8, thd=0x7f7904b49060, from_field=0x7f79017b3e58, reference=0x7f7900e88f90) at 5.5/sql/item.cc:4817
 
#5  0x00000000007fddbf in Item_field::fix_fields (this=0x7f7900e88df8, thd=0x7f7904b49060, reference=0x7f7900e88f90) at 5.5/sql/item.cc:5172
 
#6  0x000000000083cfc4 in Item_func::fix_fields (this=0x7f7900e88ef8, thd=0x7f7904b49060, ref=0x7f7900d8b490) at 5.5/sql/item_func.cc:204
 
#7  0x00000000005e0340 in setup_conds (thd=0x7f7904b49060, tables=0x7f7900d69750, leaves=..., conds=0x7f7900d8b490) at 5.5/sql/sql_base.cc:8892
 
#8  0x00000000006a07e8 in setup_without_group (thd=0x7f7904b49060, ref_pointer_array=0x7f7900d6ad38, tables=0x7f7900d69750, leaves=..., fields=..., all_fields=..., conds=0x7f7900d8b490, order=0x0, group=0x0, hidden_group_fields=0x7f7900d8b378) at 5.5/sql/sql_select.cc:577
 
#9  0x000000000065fc14 in JOIN::prepare (this=0x7f7900d8b078, rref_pointer_array=0x7f7900e88a50, tables_init=0x7f7900d69750, wild_num=0, conds_init=0x7f7900e88ef8, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f7900e887e0, unit_arg=0x7f7900d69078) at 5.5/sql/sql_select.cc:727
 
#10 0x000000000087d5be in subselect_single_select_engine::prepare (this=0x7f7900d69e50) at 5.5/sql/item_subselect.cc:3025
 
#11 0x0000000000875eaf in Item_subselect::fix_fields (this=0x7f7900d69d18, thd_param=0x7f7904b49060, ref=0x7f7900d69ea0) at 5.5/sql/item_subselect.cc:245
 
#12 0x0000000000692000 in find_order_in_list (thd=0x7f7904b49060, ref_pointer_array=0x7f7900d6ac38, tables=0x7f7900e88200, order=0x7f7900d69e90, fields=..., all_fields=..., is_group_field=false) at 5.5/sql/sql_select.cc:20520
 
#13 0x000000000069211b in setup_order (thd=0x7f7904b49060, ref_pointer_array=0x7f7900d6ac38, tables=0x7f7900e88200, fields=..., all_fields=..., order=0x7f7900d69e90) at 5.5/sql/sql_select.cc:20546
 
#14 0x000000000065fd22 in JOIN::prepare (this=0x7f7900d6a6f8, rref_pointer_array=0x7f7900e87c08, tables_init=0x7f7900e88200, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=true, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f7900e87998, unit_arg=0x7f7904b4c380) at 5.5/sql/sql_select.cc:736
 
#15 0x00000000006e064b in st_select_lex_unit::prepare (this=0x7f7904b4c380, thd_arg=0x7f7904b49060, sel_result=0x7f7900d69f78, additional_options=268435456) at 5.5/sql/sql_union.cc:344
 
#16 0x00000000006df8a6 in mysql_union (thd=0x7f7904b49060, lex=0x7f7904b4c2d0, result=0x7f7900d69f78, unit=0x7f7904b4c380, setup_tables_done_option=0) at 5.5/sql/sql_union.cc:37
 
#17 0x000000000065ed4c in handle_select (thd=0x7f7904b49060, lex=0x7f7904b4c2d0, result=0x7f7900d69f78, setup_tables_done_option=0) at 5.5/sql/sql_select.cc:297
 
#18 0x00000000006383df in execute_sqlcom_select (thd=0x7f7904b49060, all_tables=0x7f7900e873b8) at 5.5/sql/sql_parse.cc:4688
 
#19 0x00000000006315c1 in mysql_execute_command (thd=0x7f7904b49060) at 5.5/sql/sql_parse.cc:2233
 
#20 0x000000000063aaee in mysql_parse (thd=0x7f7904b49060, rawbuf=0x7f7900e87078 "(\nSELECT sample_name1 AS testname FROM sample\n)\nUNION\n(\nSELECT sample_name2 AS testname FROM sample C ORDER BY (SELECT T.sample_name1 FROM sample T WHERE T.id = C.id)\n)", length=168, parser_state=0x7f79017b5630) at 5.5/sql/sql_parse.cc:5799
 
#21 0x000000000062eb39 in dispatch_command (command=COM_QUERY, thd=0x7f7904b49060, packet=0x7f7901de8061 "(\nSELECT sample_name1 AS testname FROM sample\n)\nUNION\n(\nSELECT sample_name2 AS testname FROM sample C ORDER BY (SELECT T.sample_name1 FROM sample T WHERE T.id = C.id)\n)", packet_length=168) at 5.5/sql/sql_parse.cc:1079
 
#22 0x000000000062dcc5 in do_command (thd=0x7f7904b49060) at 5.5/sql/sql_parse.cc:793
 
#23 0x000000000072fd42 in do_handle_one_connection (thd_arg=0x7f7904b49060) at 5.5/sql/sql_connect.cc:1266
 
#24 0x000000000072f801 in handle_one_connection (arg=0x7f7904b49060) at 5.5/sql/sql_connect.cc:1181
 
#25 0x0000000000b652fd in pfs_spawn_thread (arg=0x7f7901d518e0) at 5.5/storage/perfschema/pfs.cc:1015
 
#26 0x00007f79079dab50 in start_thread (arg=<optimized out>) at pthread_create.c:304
 
#27 0x00007f79062e920d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

Comment by Oleksandr Byelkin [ 2014-10-14 ]

It trys to find upper item where it is absend....

Comment by m.rygiel [ 2014-10-14 ]

Ok, but... server crash? It's not very fortunate

Comment by Elena Stepanova [ 2014-10-14 ]

m.rygiel,

Don't take it as if somebody is trying to make excuses, developers just take notes with intermediate findings for themselves or for colleagues.
It is a real bug and will be fixed. Once again, thanks for providing such a good test case.

Comment by Oleksandr Byelkin [ 2014-11-04 ]

eliminate_subselect_processor makes that inconsistance which lead to the crash.

Comment by Oleksandr Byelkin [ 2014-11-04 ]

ORDER BY could be skipped here, so the code trys to remove it but check of the code called after its disconnecting.

Comment by Oleksandr Byelkin [ 2014-11-04 ]

Commited for review

Comment by Sergei Petrunia [ 2014-11-15 ]

Ok to push.

Generated at Thu Feb 08 07:15:11 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.