[MDEV-9208] Function->Function->View = Mysqld segfault (Server crashes in Dependency_marker::visit_field on 2nd execution with merged subquery) Created: 2015-11-30  Updated: 2020-08-25  Resolved: 2017-10-13

Status: Closed
Project: MariaDB Server
Component/s: Optimizer, Prepared Statements, Views
Affects Version/s: 5.5, 10.0, 10.1
Fix Version/s: 5.5.58, 10.0.33, 10.1.29, 10.2.10

Type: Bug Priority: Major
Reporter: Leonardo Backes Assignee: Oleksandr Byelkin
Resolution: Fixed Votes: 2
Labels: None
Environment:

Archlinux 64bits, pacman's package;
Windows Server 2003 SP2 64Bits, official .msi installer 64bits.


Attachments: crash_log.txt, crash_sql.txt, server_config.txt (text files)
Sprint: 5.5.58

 Description   

MariaDB crashes silently due to a segfault; test case, backtrace and config file attached.

server_config.txt = my.cnf;
crash_sql.txt = test case, just need to be piped into mysql command line utility;
crash_log.txt = output with mysqld --verbose; without it mysqld dies without a single line.

For some strange reason, if the last 2 selects are executed after restarting only the server (but allowing the client to reconnect instead of exiting and entering again) the crash won't happen.



 Comments   
Comment by Elena Stepanova [ 2015-11-30 ]

Thanks for the report.

Simplified test case (sanja, please also check the original attached test case after fixing!):

CREATE TABLE t1 (i1 INT);
INSERT INTO t1 VALUES (1),(2);
 
CREATE TABLE t2 (i2 INT);
INSERT INTO t2 VALUES (1),(2);
 
-- the derived table sq is merged into the outer select; the scalar
-- subquery (select f1) refers to an alias of its own enclosing select
PREPARE stmt FROM "
  select 1 from (
    select 
      if (i1<0, 0, 0) as f1,
      (select f1) as f2
    from t1, t2 
  ) sq
";
 
EXECUTE stmt;   -- first execution succeeds
EXECUTE stmt;   -- second execution crashes in Dependency_marker::visit_field

Reproducible either with derived_merge, or with merge views.
Reproducible both with InnoDB and MyISAM.
Reproducible with PS, SP, functions.
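
The same shape routed through a merged view and nested stored functions, matching the "Function->Function->View" form in the ticket title. This is an added example constructed from the simplified test case above, not the attached crash_sql.txt; the object names v_merged, f_inner and f_outer, and the claim that this exact variant crashes on an unpatched build, are assumptions based on the comment that the bug reproduces with merge views, SP and functions.

```sql
-- Added example (not from the Jira report): merged VIEW + stored FUNCTION variant.
-- Object names are assumed; the tables match the simplified test case.
CREATE TABLE t1 (i1 INT);
INSERT INTO t1 VALUES (1),(2);
CREATE TABLE t2 (i2 INT);
INSERT INTO t2 VALUES (1),(2);

-- ALGORITHM=MERGE makes the view body a merged derived table at the point of use,
-- which is the code path in the stack trace (mysql_derived_prepare -> JOIN::prepare
-- -> Item_field::fix_outer_field -> Item_ref::fix_fields).
CREATE ALGORITHM=MERGE VIEW v_merged AS
  SELECT
    IF(i1 < 0, 0, 0) AS f1,
    (SELECT f1)      AS f2    -- scalar subquery referring to an alias of the enclosing select
  FROM t1, t2;

DELIMITER //
CREATE FUNCTION f_inner() RETURNS INT DETERMINISTIC READS SQL DATA
BEGIN
  DECLARE c INT;
  SELECT COUNT(*) INTO c FROM v_merged;
  RETURN c;
END //
CREATE FUNCTION f_outer() RETURNS INT DETERMINISTIC READS SQL DATA
BEGIN
  RETURN f_inner();           -- Function -> Function -> View
END //
DELIMITER ;

-- Stored routine bodies are prepared once and re-executed on each call, like a
-- prepared statement; the second execution is the one that walks the
-- leaf_tables list freed by the first (see Oleksandr Byelkin's 2016-12-19 comment).
SELECT f_outer();   -- expected 4 (2 x 2 rows)
SELECT f_outer();   -- crashes on affected builds; returns 4 again on a fixed build

-- Triage: fixed in 5.5.58, 10.0.33, 10.1.29, 10.2.10 (Fix Version/s above).
SELECT VERSION();
```

The 2015-11-30 comment says the crash needs the merged-derived path (derived_merge for derived tables, a MERGE-algorithm view here), so declaring the view ALGORITHM=TEMPTABLE, or running with `SET SESSION optimizer_switch='derived_merge=off'` for the prepared-statement form, is a plausible stopgap; that inference is mine, and upgrading to a fixed version is the actual remedy.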

Comment by Elena Stepanova [ 2016-06-02 ]

Stack trace (to make it more searchable):

Stack trace from 10.1 commit 016790403a4bb6182094870870ce1a1c3e2756dc

#3  <signal handler called>
#4  0x000055953de75229 in Dependency_marker::visit_field (this=0x7f91b98d9750, item=0x7f91adcb0e20) at /src/10.1/sql/item.cc:6707
#5  0x000055953de5bece in Item_field::enumerate_field_refs_processor (this=0x7f91adcb0e20, arg=0x7f91b98d9750 "\020\006\305>\225U") at /src/10.1/sql/item.cc:2388
#6  0x000055953db56709 in Item::walk (this=0x7f91adcb0e20, processor=&virtual table offset 768, walk_subquery=false, arg=0x7f91b98d9750 "\020\006\305>\225U") at /src/10.1/sql/item.h:1367
#7  0x000055953db548f9 in Item_args::walk_args (this=0x7f91adcb1020, processor=&virtual table offset 768, walk_subquery=false, arg=0x7f91b98d9750 "\020\006\305>\225U") at /src/10.1/sql/item.h:3544
#8  0x000055953db54b43 in Item_func_or_sum::walk (this=0x7f91adcb0fa0, processor=&virtual table offset 768, walk_subquery=false, arg=0x7f91b98d9750 "\020\006\305>\225U") at /src/10.1/sql/item.h:3807
#9  0x000055953db548f9 in Item_args::walk_args (this=0x7f91adcb12a0, processor=&virtual table offset 768, walk_subquery=false, arg=0x7f91b98d9750 "\020\006\305>\225U") at /src/10.1/sql/item.h:3544
#10 0x000055953db54b43 in Item_func_or_sum::walk (this=0x7f91adcb1220, processor=&virtual table offset 768, walk_subquery=false, arg=0x7f91b98d9750 "\020\006\305>\225U") at /src/10.1/sql/item.h:3807
#11 0x000055953de6846e in Item_ref::fix_fields (this=0x7f91adc53830, thd=0x7f91b33c98f0, reference=0x7f91adcb1e88) at /src/10.1/sql/item.cc:7002
#12 0x000055953de72cc1 in Item_direct_ref::fix_fields (this=0x7f91adc53830, thd=0x7f91b33c98f0, it=0x7f91adcb1e88) at /src/10.1/sql/item.h:4046
#13 0x000055953de62b9a in Item_field::fix_outer_field (this=0x7f91adcb1d90, thd=0x7f91b33c98f0, from_field=0x7f91b98d98e0, reference=0x7f91adcb1e88) at /src/10.1/sql/item.cc:4884
#14 0x000055953de631b6 in Item_field::fix_fields (this=0x7f91adcb1d90, thd=0x7f91b33c98f0, reference=0x7f91adcb1e88) at /src/10.1/sql/item.cc:5054
#15 0x000055953dbaa97b in setup_fields (thd=0x7f91b33c98f0, ref_pointer_array=0x7f91adcb3b50, fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7f91adc53620, allow_sum_func=true) at /src/10.1/sql/sql_base.cc:7901
#16 0x000055953dc4260c in JOIN::prepare (this=0x7f91adc532c0, rref_pointer_array=0x7f91adcb15a0, tables_init=0x0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f91adcb1328, unit_arg=0x7f91adcb1688) at /src/10.1/sql/sql_select.cc:795
#17 0x000055953deefbba in subselect_single_select_engine::prepare (this=0x7f91adcb1fc8) at /src/10.1/sql/item_subselect.cc:3553
#18 0x000055953dee5c66 in Item_subselect::fix_fields (this=0x7f91adcb1e90, thd_param=0x7f91b33c98f0, ref=0x7f91adcb2018) at /src/10.1/sql/item_subselect.cc:259
#19 0x000055953dbaa97b in setup_fields (thd=0x7f91b33c98f0, ref_pointer_array=0x7f91adcb3970, fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7f91adc53090, allow_sum_func=true) at /src/10.1/sql/sql_base.cc:7901
#20 0x000055953dc4260c in JOIN::prepare (this=0x7f91adc52d30, rref_pointer_array=0x7f91adcb0630, tables_init=0x7f91adcb2060, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f91adcb03b8, unit_arg=0x7f91adcb0718) at /src/10.1/sql/sql_select.cc:795
#21 0x000055953dcdce4c in st_select_lex_unit::prepare (this=0x7f91adcb0718, thd_arg=0x7f91b33c98f0, sel_result=0x7f91adc52c38, additional_options=0) at /src/10.1/sql/sql_union.cc:454
#22 0x000055953dbdcd22 in mysql_derived_prepare (thd=0x7f91b33c98f0, lex=0x7f91adcae710, derived=0x7f91adcb3350) at /src/10.1/sql/sql_derived.cc:671
#23 0x000055953dbdc0bd in mysql_handle_single_derived (lex=0x7f91adcae710, derived=0x7f91adcb3350, phases=2) at /src/10.1/sql/sql_derived.cc:195
#24 0x000055953dd00896 in TABLE_LIST::handle_derived (this=0x7f91adcb3350, lex=0x7f91adcae710, phases=2) at /src/10.1/sql/table.cc:7128
#25 0x000055953dbfa284 in st_select_lex::handle_derived (this=0x7f91adcaeed8, lex=0x7f91adcae710, phases=2) at /src/10.1/sql/sql_lex.cc:3820
#26 0x000055953dc42228 in JOIN::prepare (this=0x7f91adc526c8, rref_pointer_array=0x7f91adcaf150, tables_init=0x7f91adcb3350, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f91adcaeed8, unit_arg=0x7f91adcae7d8) at /src/10.1/sql/sql_select.cc:711
#27 0x000055953dc4bd66 in mysql_select (thd=0x7f91b33c98f0, rref_pointer_array=0x7f91adcaf150, tables=0x7f91adcb3350, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2416184064, result=0x7f91adcb3950, unit=0x7f91adcae7d8, select_lex=0x7f91adcaeed8) at /src/10.1/sql/sql_select.cc:3429
#28 0x000055953dc418bd in handle_select (thd=0x7f91b33c98f0, lex=0x7f91adcae710, result=0x7f91adcb3950, setup_tables_done_option=0) at /src/10.1/sql/sql_select.cc:384
#29 0x000055953dc11b0c in execute_sqlcom_select (thd=0x7f91b33c98f0, all_tables=0x7f91adcb3350) at /src/10.1/sql/sql_parse.cc:5894
#30 0x000055953dc079f6 in mysql_execute_command (thd=0x7f91b33c98f0) at /src/10.1/sql/sql_parse.cc:2960
#31 0x000055953dc2f6cb in Prepared_statement::execute (this=0x7f91adc9c070, expanded_query=0x7f91b98db990, open_cursor=false) at /src/10.1/sql/sql_prepare.cc:4269
#32 0x000055953dc2e566 in Prepared_statement::execute_loop (this=0x7f91adc9c070, expanded_query=0x7f91b98db990, open_cursor=false, packet=0x0, packet_end=0x0) at /src/10.1/sql/sql_prepare.cc:3901
#33 0x000055953dc2c61a in mysql_sql_stmt_execute (thd=0x7f91b33c98f0) at /src/10.1/sql/sql_prepare.cc:3033
#34 0x000055953dc07a27 in mysql_execute_command (thd=0x7f91b33c98f0) at /src/10.1/sql/sql_parse.cc:2971
#35 0x000055953dc15224 in mysql_parse (thd=0x7f91b33c98f0, rawbuf=0x7f91adc52488 "execute stmt", length=12, parser_state=0x7f91b98dc5e0) at /src/10.1/sql/sql_parse.cc:7314
#36 0x000055953dc03c5d in dispatch_command (command=COM_QUERY, thd=0x7f91b33c98f0, packet=0x7f91b25c97f1 "execute stmt", packet_length=12) at /src/10.1/sql/sql_parse.cc:1486
#37 0x000055953dc0298f in do_command (thd=0x7f91b33c98f0) at /src/10.1/sql/sql_parse.cc:1107
#38 0x000055953dd38923 in do_handle_one_connection (thd_arg=0x7f91b33c98f0) at /src/10.1/sql/sql_connect.cc:1350
#39 0x000055953dd38687 in handle_one_connection (arg=0x7f91b33c98f0) at /src/10.1/sql/sql_connect.cc:1262
#40 0x000055953e442c1c in pfs_spawn_thread (arg=0x7f91b1fb0bf0) at /src/10.1/storage/perfschema/pfs.cc:1860
#41 0x00007f91b95570a4 in start_thread () from /lib64/libpthread.so.0
#42 0x00007f91b76c504d in clone () from /lib64/libc.so.6

Comment by Richard Stracke [ 2016-12-14 ]

Perhaps this issue is related to the not-backported bug BUG#19897405 CRASH WHILE ACCESSING VIEWS IN STORED ROUTINE AND TABLES ARE FLUSHED

Analysis
--------
The server crashes while accessing view columns in the
stored procedure after DDL/FLUSH TABLE operation
is performed on the tables used by the SQL statements
in the stored procedure.

https://github.com/mysql/mysql-server/commit/7b6899bc7dcc8fc859c1a0c68023bb3dbe6c62d0

Comment by Oleksandr Byelkin [ 2016-12-19 ]

The problem is in the sel->leaf_tables list, created (in setup_tables) and freed in the previous run.

Comment by Oleksandr Byelkin [ 2016-12-19 ]

It is the call to prepare derived tables which triggers all derived tables to prepare, but the top-most select (which triggers this) does not have its tables prepared. Actually I doubt that such an operation should step over the derived border (there is no sense in it, because it cannot resolve fields there).

Comment by Oleksandr Byelkin [ 2016-12-19 ]

revision-id: e9e9c94de48442bbe34b0eb5a368df3e025fc6ef (mariadb-5.5.53-34-ge9e9c94de48)
parent(s): f23b41b9b8a30e0e54a1ec7a8923057b0e57e0f5
committer: Oleksandr Byelkin
timestamp: 2016-12-19 22:03:28 +0100
message:

MDEV-9208: Function->Function->View = Mysqld segfault (Server crashes in Dependency_marker::visit_field on 2nd execution with merged subquery)

Prevent crossing name resolution border in finding item tables.

Generated at Thu Feb 08 07:32:57 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.