[MDEV-7826] Server crashes in Item_subselect::enumerate_field_refs_processor Created: 2015-03-24  Updated: 2017-07-12  Resolved: 2017-07-12

Status: Closed
Project: MariaDB Server
Component/s: Data Manipulation - Subquery
Affects Version/s: 5.3.12, 5.5, 10.0, 10.1
Fix Version/s: 10.1.26, 5.5.57, 10.0.32, 10.2.8

Type: Bug Priority: Critical
Reporter: Elena Stepanova Assignee: Sergei Golubchik
Resolution: Fixed Votes: 2
Labels: verified

Issue Links:
Relates
relates to MDEV-13180 Unused left join causes server crash Closed

 Description   

Note: the query is rather weird, but it is a crash, even on release binaries...

-- MDEV-7826 reproduction: four single-column MyISAM tables, two rows each.
-- Fixed in 5.5.57 / 10.0.32 / 10.1.26 / 10.2.8 (see Fix Version/s above).
CREATE TABLE t1 (f1 INT) ENGINE=MyISAM;
INSERT INTO t1 VALUES (5),(9);
 
CREATE TABLE t2 (f2 INT) ENGINE=MyISAM;
INSERT INTO t2 VALUES (0),(6);
 
CREATE TABLE t3 (f3 INT) ENGINE=MyISAM;
INSERT INTO t3 VALUES (6),(3);
 
CREATE TABLE t4 (f4 INT) ENGINE=MyISAM;
INSERT INTO t4 VALUES (1),(0);
 
-- Crashing statement. f4 exists only in t4 (t2 has just f2), so MIN(f4) and
-- MAX(f4) inside the `FROM t2` subqueries can only be outer references to the
-- top-level `FROM t4`. The innermost `GROUP BY field7` names the alias of the
-- sibling scalar subquery in the outer select list; resolving that reference
-- is where the backtrace below ends (find_order_in_list ->
-- Item_field::fix_outer_field -> Item_ref::fix_fields -> Item_subselect::walk
-- -> Item_subselect::enumerate_field_refs_processor).
SELECT 
( SELECT MIN(f1) FROM t1 WHERE f1 IN ( SELECT MIN(f4) FROM t2 ) ) AS field7,
( SELECT COUNT(*) FROM t3 WHERE f3 IN ( SELECT MAX(f4) FROM t2 GROUP BY field7 ) )
FROM t4;

Stack trace from 5.5 commit 86f46a3da4a6d82cb510dc4c270d46cfd6a8965b

#3  <signal handler called>
#4  0x000000000087c84c in Item_subselect::enumerate_field_refs_processor (this=0x7f16bba88e50, arg=0x7f16bc3b3b50 "0I7\001") at 5.5/sql/item_subselect.cc:315
#5  0x000000000087d212 in Item_subselect::walk (this=0x7f16bba88e50, processor=&virtual table offset 688, walk_subquery=false, argument=0x7f16bc3b3b50 "0I7\001") at 5.5/sql/item_subselect.cc:631
#6  0x000000000080822b in Item_ref::fix_fields (this=0x7f16bb935b80, thd=0x7f16bc950060, reference=0x7f16bb930468) at 5.5/sql/item.cc:7034
#7  0x0000000000802eaa in Item_field::fix_outer_field (this=0x7f16bb930358, thd=0x7f16bc950060, from_field=0x7f16bc3b3cf8, reference=0x7f16bb930468) at 5.5/sql/item.cc:5005
#8  0x00000000008034cb in Item_field::fix_fields (this=0x7f16bb930358, thd=0x7f16bc950060, reference=0x7f16bb930468) at 5.5/sql/item.cc:5172
#9  0x0000000000696352 in find_order_in_list (thd=0x7f16bc950060, ref_pointer_array=0x7f16bb933d18, tables=0x7f16bb92fd68, order=0x7f16bb930458, fields=..., all_fields=..., is_group_field=true) at 5.5/sql/sql_select.cc:20559
#10 0x0000000000696576 in setup_group (thd=0x7f16bc950060, ref_pointer_array=0x7f16bb933d18, tables=0x7f16bb92fd68, fields=..., all_fields=..., order=0x7f16bb930458, hidden_group_fields=0x7f16bb935898) at 5.5/sql/sql_select.cc:20637
#11 0x00000000006a4c38 in setup_without_group (thd=0x7f16bc950060, ref_pointer_array=0x7f16bb933d18, tables=0x7f16bb92fd68, leaves=..., fields=..., all_fields=..., conds=0x7f16bb9359b0, order=0x0, group=0x7f16bb930458, hidden_group_fields=0x7f16bb935898) at 5.5/sql/sql_select.cc:587
#12 0x0000000000663da4 in JOIN::prepare (this=0x7f16bb9355a0, rref_pointer_array=0x7f16bb92f2e8, tables_init=0x7f16bb92fd68, wild_num=0, conds_init=0x0, og_num=1, order_init=0x0, skip_order_by=false, group_init=0x7f16bb930458, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f16bb92f078, unit_arg=0x7f16bb92f3d8) at 5.5/sql/sql_select.cc:727
#13 0x0000000000883bfa in subselect_single_select_engine::prepare (this=0x7f16bb930638) at 5.5/sql/item_subselect.cc:3025
#14 0x000000000087c4eb in Item_subselect::fix_fields (this=0x7f16bb930498, thd_param=0x7f16bc950060, ref=0x7f16bb935488) at 5.5/sql/item_subselect.cc:245
#15 0x0000000000882f26 in Item_in_subselect::fix_fields (this=0x7f16bb930498, thd_arg=0x7f16bc950060, ref=0x7f16bb935488) at 5.5/sql/item_subselect.cc:2708
#16 0x00000000005e4040 in setup_conds (thd=0x7f16bc950060, tables=0x7f16bb96a920, leaves=..., conds=0x7f16bb935488) at 5.5/sql/sql_base.cc:8894
#17 0x00000000006a4b3a in setup_without_group (thd=0x7f16bc950060, ref_pointer_array=0x7f16bb933bc8, tables=0x7f16bb96a920, leaves=..., fields=..., all_fields=..., conds=0x7f16bb935488, order=0x0, group=0x0, hidden_group_fields=0x7f16bb935370) at 5.5/sql/sql_select.cc:577
#18 0x0000000000663da4 in JOIN::prepare (this=0x7f16bb935078, rref_pointer_array=0x7f16bb969f98, tables_init=0x7f16bb96a920, wild_num=0, conds_init=0x7f16bb930498, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f16bb969d28, unit_arg=0x7f16bb96a088) at 5.5/sql/sql_select.cc:727
#19 0x0000000000883bfa in subselect_single_select_engine::prepare (this=0x7f16bb9307b0) at 5.5/sql/item_subselect.cc:3025
#20 0x000000000087c4eb in Item_subselect::fix_fields (this=0x7f16bb930678, thd_param=0x7f16bc950060, ref=0x7f16bb9307f8) at 5.5/sql/item_subselect.cc:245
#21 0x00000000005e2368 in setup_fields (thd=0x7f16bc950060, ref_pointer_array=0x7f16bb9325a0, fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7f16bb9323a0, allow_sum_func=true) at 5.5/sql/sql_base.cc:8169
#22 0x0000000000663cec in JOIN::prepare (this=0x7f16bb932078, rref_pointer_array=0x7f16bc953cd0, tables_init=0x7f16bb930930, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f16bc953a60, unit_arg=0x7f16bc953380) at 5.5/sql/sql_select.cc:723
#23 0x000000000066c43b in mysql_select (thd=0x7f16bc950060, rref_pointer_array=0x7f16bc953cd0, tables=0x7f16bb930930, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f16bb930fd0, unit=0x7f16bc953380, select_lex=0x7f16bc953a60) at 5.5/sql/sql_select.cc:3074
#24 0x0000000000662fbd in handle_select (thd=0x7f16bc950060, lex=0x7f16bc9532d0, result=0x7f16bb930fd0, setup_tables_done_option=0) at 5.5/sql/sql_select.cc:319
#25 0x000000000063c1fc in execute_sqlcom_select (thd=0x7f16bc950060, all_tables=0x7f16bb930930) at 5.5/sql/sql_parse.cc:4689
#26 0x00000000006353de in mysql_execute_command (thd=0x7f16bc950060) at 5.5/sql/sql_parse.cc:2234
#27 0x000000000063ece2 in mysql_parse (thd=0x7f16bc950060, rawbuf=0x7f16bba87078 "SELECT \n( SELECT MIN(f1) FROM t1 WHERE f1 IN ( SELECT MIN(f4) FROM t2 ) ) AS field7,\n( SELECT COUNT(*) FROM t3 WHERE f3 IN ( SELECT MAX(f4) FROM t2 GROUP BY field7 ) )\nFROM t4", length=175, parser_state=0x7f16bc3b5620) at 5.5/sql/sql_parse.cc:5909
#28 0x0000000000632925 in dispatch_command (command=COM_QUERY, thd=0x7f16bc950060, packet=0x7f16bca09061 "SELECT \n( SELECT MIN(f1) FROM t1 WHERE f1 IN ( SELECT MIN(f4) FROM t2 ) ) AS field7,\n( SELECT COUNT(*) FROM t3 WHERE f3 IN ( SELECT MAX(f4) FROM t2 GROUP BY field7 ) )\nFROM t4", packet_length=175) at 5.5/sql/sql_parse.cc:1079
#29 0x0000000000631ab1 in do_command (thd=0x7f16bc950060) at 5.5/sql/sql_parse.cc:793
#30 0x0000000000734122 in do_handle_one_connection (thd_arg=0x7f16bc950060) at 5.5/sql/sql_connect.cc:1266
#31 0x0000000000733be1 in handle_one_connection (arg=0x7f16bc950060) at 5.5/sql/sql_connect.cc:1181
#32 0x0000000000b6c629 in pfs_spawn_thread (arg=0x7f16bc971fc0) at 5.5/storage/perfschema/pfs.cc:1015
#33 0x00007f16c2b46b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#34 0x00007f16c0dfc70d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112



 Comments   
Comment by Sergei Petrunia [ 2015-04-20 ]

Looks like the problem is in name resolution code. Re-assigning to Sanja.

Comment by Max Bubenick [ 2015-06-01 ]

Hi, any progress on this? Will it be fixed in the next release?

Comment by Oleksandr Byelkin [ 2015-06-01 ]

Next release of what server version?

Probably 5.5, but I can't promise without looking at the bug more closely.

Comment by Max Bubenick [ 2015-06-01 ]

Sorry, for 10.0

Comment by Ceri Williams [ 2015-08-18 ]

In case it is of any help, I came across this too:

Test

-- Second reproduction, reported against MariaDB 5.5.45 (see backtrace below).
create table t1 (
id integer unsigned primary key,
fk_id integer unsigned
);
 
create table t2 (
id integer unsigned primary key,
fk_id integer unsigned
);
 
insert into t1 values(1,1),(2,2),(3,3),(4,4),(5,5);
insert into t2 values(1,2),(2,3),(3,4),(4,5),(5,1);
 
-- l1_test compares a t2 column against group_concat(distinct t1.id), an
-- aggregate over the outer grouped query, inside the subquery's WHERE;
-- l2_test then refers to the l1_test alias from a sibling subquery.
-- Percona Server 5.5.44 rejects the same statement with ER_ILLEGAL_REFERENCE
-- (1247, "reference to group function") instead of crashing.
select
  t1.id,
  (select group_concat(distinct l1.id) from t2 l1 where l1.fk_id = group_concat(distinct t1.id)) as l1_test,
  (select group_concat(distinct l2.id) from t2 l2 where l2.fk_id = l1_test) as l2_test
from t1
inner join t2 using(fk_id)
group by t1.id;

Backtrace

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7f82700 (LWP 29326)]
0x0000000000768918 in Item_subselect::enumerate_field_refs_processor(unsigned char*) ()
Missing separate debuginfos, use: debuginfo-install MariaDB-server-5.5.45-1.el7.centos.x86_64
(gdb) bt
#0  0x0000000000768918 in Item_subselect::enumerate_field_refs_processor(unsigned char*) ()
#1  0x00000000006fd31e in Item_ref::fix_fields(THD*, Item**) ()
#2  0x00000000006fda59 in Item_outer_ref::fix_fields(THD*, Item**) ()
#3  0x00000000007033ec in Item_field::fix_outer_field(THD*, Field**, Item**) ()
#4  0x0000000000703e75 in Item_field::fix_fields(THD*, Item**) ()
#5  0x00000000007398d0 in Item_func::fix_fields(THD*, Item**) ()
#6  0x0000000000560bb8 in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) ()
#7  0x00000000005ea49f in JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) [clone .part.233] ()
#8  0x000000000076b4d3 in subselect_single_select_engine::prepare() ()
#9  0x00000000007694f5 in Item_subselect::fix_fields(THD*, Item**) ()
#10 0x000000000055eeac in setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) ()
#11 0x00000000005ea3e2 in JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) [clone .part.233] ()
#12 0x00000000005f39dc in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) ()
#13 0x00000000005f3deb in handle_select(THD*, LEX*, select_result*, unsigned long) ()
#14 0x000000000059d9fe in execute_sqlcom_select(THD*, TABLE_LIST*) ()
#15 0x00000000005a9bb9 in mysql_execute_command(THD*) ()
#16 0x00000000005ad00e in mysql_parse(THD*, char*, unsigned int, Parser_state*) ()
#17 0x00000000005aef69 in dispatch_command(enum_server_command, THD*, char*, unsigned int) ()
#18 0x00000000006655bb in do_handle_one_connection(THD*) ()
#19 0x0000000000665683 in handle_one_connection ()
#20 0x00007ffff7bc6df5 in start_thread () from /lib64/libpthread.so.0
#21 0x00007ffff64441ad in clone () from /lib64/libc.so.6

Whilst testing different versions, I saw the following from Percona 5.5.44:

Error response rather than SIGSEGV

ERROR 1247 (42S22): Reference 'l1_test' not supported (reference to group function)

percona-server-5.5.44-37.3 - sql/item.cc

6520   /*
6521     Check if this is an incorrect reference in a group function or forward
6522     reference. Do not issue an error if this is:
6523       1. outer reference (will be fixed later by the fix_inner_refs function);
6524       2. an unnamed reference inside an aggregate function.
6525   */
6526   if (!((*ref)->type() == REF_ITEM &&
6527        ((Item_ref *)(*ref))->ref_type() == OUTER_REF) &&
6528       (((*ref)->with_sum_func && name &&
6529         !(current_sel->linkage != GLOBAL_OPTIONS_TYPE &&
6530           current_sel->having_fix_field)) ||
6531        !(*ref)->fixed))
6532   {
6533     my_error(ER_ILLEGAL_REFERENCE, MYF(0),
6534              name, ((*ref)->with_sum_func?
6535                     "reference to group function":
6536                     "forward reference in item list"));
6537     goto error;
6538   }

Comment by Elena Stepanova [ 2017-07-03 ]

See also MDEV-13180.

Comment by Oleksandr Byelkin [ 2017-07-12 ]

OK to push.
