[MDEV-9719] Query with window function crashes with --ps-protocol Created: 2016-03-13  Updated: 2016-04-14  Resolved: 2016-03-17

Status: Closed
Project: MariaDB Server
Component/s: Optimizer - Window functions
Fix Version/s: N/A

Type: Task Priority: Major
Reporter: Sergei Petrunia Assignee: Igor Babaev
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
PartOf
is part of MDEV-6115 window functions as in the SQL standard Closed

 Description   

As seen in the buildbot e.g. here: http://buildbot.askmonty.org/buildbot/builders/kvm-fulltest/builds/5609

create table t1(a int, b int, x char(32));
insert into t1 values (2, 10, 'xx');
insert into t1 values (2, 10, 'zz');
insert into t1 values (2, 20, 'yy');
insert into t1 values (3, 10, 'xxx');
insert into t1 values (3, 20, 'vvv');
 
prepare s from 'select a, row_number() over (partition by a order by b) from t1';
execute s;

The last statement crashes here:

  Program received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0x7ffff4302700 (LWP 20042)]
  0x0000555555c1f752 in setup_windows (thd=0x55555aafeaf0, ref_pointer_array=..., tables=0x7fff5400e3a0, fields=..., all_fields=..., win_specs=...) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_window.cc:97
(gdb) wher
  #0  0x0000555555c1f752 in setup_windows (thd=0x55555aafeaf0, ref_pointer_array=..., tables=0x7fff5400e3a0, fields=..., all_fields=..., win_specs=...) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_window.cc:97
  #1  0x0000555555ab5311 in setup_without_group (thd=0x55555aafeaf0, ref_pointer_array=..., tables=0x7fff5400e3a0, leaves=..., fields=..., all_fields=..., conds=0x7fff54005848, order=0x0, group=0x0, win_specs=..., hidden_group_fields=0x7fff54005727, reserved=0x7fff5400d1f4) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_select.cc:659
  #2  0x0000555555ab5a3d in JOIN::prepare (this=0x7fff54005448, tables_init=0x7fff5400e3a0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fff5400cf58, unit_arg=0x7fff5400c868) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_select.cc:802
  #3  0x0000555555abe280 in mysql_select (thd=0x55555aafeaf0, tables=0x7fff5400e3a0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2416184064, result=0x7fff5400e998, unit=0x7fff5400c868, select_lex=0x7fff5400cf58) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_select.cc:3415
  #4  0x0000555555ab4827 in handle_select (thd=0x55555aafeaf0, lex=0x7fff5400c7a0, result=0x7fff5400e998, setup_tables_done_option=0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_select.cc:376
  #5  0x0000555555a850ba in execute_sqlcom_select (thd=0x55555aafeaf0, all_tables=0x7fff5400e3a0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:5902
  #6  0x0000555555a7af80 in mysql_execute_command (thd=0x55555aafeaf0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:2961
  #7  0x0000555555aa270a in Prepared_statement::execute (this=0x7fff5400c380, expanded_query=0x7ffff4300560, open_cursor=false) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:4009
  #8  0x0000555555aa15ee in Prepared_statement::execute_loop (this=0x7fff5400c380, expanded_query=0x7ffff4300560, open_cursor=false, packet=0x0, packet_end=0x0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:3641
  #9  0x0000555555a9f721 in mysql_sql_stmt_execute (thd=0x55555aafeaf0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:2773
  #10 0x0000555555a7afb1 in mysql_execute_command (thd=0x55555aafeaf0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:2972
  #11 0x0000555555a88722 in mysql_parse (thd=0x55555aafeaf0, rawbuf=0x7fff54005258 "execute s", length=9, parser_state=0x7ffff4301100) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:7302

And it crashes because

(gdb) print win_spec
  $83 = (Window_spec *) 0x8f8f8f8f8f8f8f8f



 Comments   
Comment by Sergei Petrunia [ 2016-03-13 ]

cvicentiu, igor, FYI.

Comment by Sergei Petrunia [ 2016-03-13 ]

The crash looks like the window definition was not allocated on the statement mem_root.
Initially it is allocated in the parser, which uses the correct mem_root.

But then, setup_windows() modifies window spec list here:

(gdb) where
  #0  __memset_sse2 () at ../sysdeps/x86_64/multiarch/../memset.S:340
  #1  0x00005555559bb051 in Sql_alloc::operator delete (ptr=0x7fff5c00eac0, size=16) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_list.h:45
  #2  0x0000555555a63117 in base_list::remove (this=0x7ffff42ffe30, prev=0x7ffff42ffe30) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_list.h:248
  #3  0x0000555555a6316a in base_list_iterator::remove (this=0x7ffff42ffd50) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_list.h:488
  #4  0x0000555555c2244c in List_iterator<Window_spec>::remove (this=0x7ffff42ffd50) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_list.h:556
  #5  0x0000555555c1f777 in setup_windows (thd=0x55555aafeaf0, ref_pointer_array=..., tables=0x7fff5c00ec00, fields=..., all_fields=..., win_specs=...) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_window.cc:99
  #6  0x0000555555ab5311 in setup_without_group (thd=0x55555aafeaf0, ref_pointer_array=..., tables=0x7fff5c00ec00, leaves=..., fields=..., all_fields=..., conds=0x7fff5c0057b8, order=0x0, group=0x0, win_specs=..., hidden_group_fields=0x7fff5c005697, reserved=0x7fff5c00da54) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_select.cc:659
  #7  0x0000555555ab5a3d in JOIN::prepare (this=0x7fff5c0053b8, tables_init=0x7fff5c00ec00, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fff5c00d7b8, unit_arg=0x7fff5c00d0c8) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_select.cc:802
  #8  0x0000555555b4cd25 in st_select_lex_unit::prepare (this=0x7fff5c00d0c8, thd_arg=0x55555aafeaf0, sel_result=0x0, additional_options=0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_union.cc:453
  #9  0x0000555555a9d19c in mysql_test_select (stmt=0x7fff5c00cbe0, tables=0x7fff5c00ec00) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:1528
  #10 0x0000555555a9e362 in check_prepared_statement (stmt=0x7fff5c00cbe0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:2128
  #11 0x0000555555aa1015 in Prepared_statement::prepare (this=0x7fff5c00cbe0, packet=0x7fff5c005378 "select a, row_number() over (partition by a order by b) from t1", packet_len=63) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:3433
  #12 0x0000555555a9eccd in mysql_sql_stmt_prepare (thd=0x55555aafeaf0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_prepare.cc:2492
  #13 0x0000555555a7af9d in mysql_execute_command (thd=0x55555aafeaf0) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:2967
  #14 0x0000555555a88722 in mysql_parse (thd=0x55555aafeaf0, rawbuf=0x7fff5c005258 "prepare s from 'select a, row_number() over (partition by a order by b) from t1'", length=80, parser_state=0x7ffff4301100) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:7302
  #15 0x0000555555a77162 in dispatch_command (command=COM_QUERY, thd=0x55555aafeaf0, packet=0x55555ab05551 "prepare s from 'select a, row_number() over (partition by a order by b) from t1'", packet_length=80) at /home/psergey/dev-git/10.2-window-funcs-r10/sql/sql_parse.cc:1487

This is here:

  while ((win_spec= it++) && i++ < elems)
  {
    if (win_spec->name() == NULL)
    {
      it.remove();
      win_specs.push_back(win_spec);

It looks like the push_back call uses an incorrect MEM_ROOT. Instead of the statement-lifetime MEM_ROOT, it uses thd->mem_root, which is the mem_root that will be freed once the PREPARE command finishes.
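
The lifetime mismatch described in the comment above, modeled as an added C++ illustration. This is not MariaDB source: Arena, Spec_list, Window_spec_model and prepare_then_execute are hypothetical stand-ins for MEM_ROOT, List<Window_spec>, Window_spec and the PREPARE/EXECUTE path. A list node carved from the per-command root is overwritten with the 0x8f fill byte (the pattern visible in the gdb output above) when that root is freed, so the EXECUTE phase reads a trashed spec pointer; the same node carved from the statement-lifetime root survives.

```cpp
// Added illustration, not MariaDB code: a toy bump allocator standing in for
// MEM_ROOT, and a list node placed on the wrong root during PREPARE.
#include <cstddef>
#include <cstring>
#include <vector>

// Stand-in for MEM_ROOT. free_all() plays the role of free_root(): the region
// is filled with 0x8f so that any later read of it is recognisable as garbage.
struct Arena {
  std::vector<std::max_align_t> buf;   // max_align_t units keep carved objects aligned
  size_t used = 0;
  explicit Arena(size_t bytes)
      : buf((bytes + sizeof(std::max_align_t) - 1) / sizeof(std::max_align_t)) {}
  void *alloc(size_t n) {
    const size_t align = alignof(std::max_align_t);
    const size_t start = (used + align - 1) / align * align;
    if (start + n > buf.size() * sizeof(std::max_align_t)) return nullptr;
    used = start + n;
    return reinterpret_cast<unsigned char *>(buf.data()) + start;
  }
  void free_all() {
    std::memset(buf.data(), 0x8f, buf.size() * sizeof(std::max_align_t));
    used = 0;
  }
};

struct Window_spec_model { const char *name; };      // nullptr means an unnamed window

struct List_node { Window_spec_model *spec; List_node *next; };

// Singly linked list whose nodes live in whichever arena push_back() is handed;
// this mirrors the way List::push_back allocates its node on the current mem_root.
struct Spec_list {
  List_node *head = nullptr, *tail = nullptr;
  bool push_back(Arena &root, Window_spec_model *s) {
    List_node *n = static_cast<List_node *>(root.alloc(sizeof(List_node)));
    if (!n) return false;
    n->spec = s;
    n->next = nullptr;
    if (tail) tail->next = n; else head = n;
    tail = n;
    return true;
  }
};

// True when every byte of the node's spec pointer is the 0x8f trash byte,
// i.e. the node was carved from an arena that has since been freed.
bool node_points_into_trash(const List_node *n) {
  unsigned char raw[sizeof(void *)];
  std::memcpy(raw, &n->spec, sizeof raw);
  for (unsigned char b : raw)
    if (b != 0x8f) return false;
  return true;
}

// Models PREPARE followed by EXECUTE. stmt_root outlives the PREPARE command;
// exec_root is thd->mem_root while PREPARE runs and is freed when it finishes.
// Returns true when EXECUTE still sees the spec it expects.
bool prepare_then_execute(bool allocate_node_on_stmt_root) {
  Arena stmt_root(1024), exec_root(1024);
  Arena *thd_mem_root = &exec_root;

  // The parser allocates the window spec itself on the statement root (correct).
  auto *spec = static_cast<Window_spec_model *>(stmt_root.alloc(sizeof(Window_spec_model)));
  spec->name = nullptr;

  // setup_windows(): the unnamed spec is moved into win_specs. The defect is
  // taking the node from thd->mem_root instead of the statement root.
  Spec_list win_specs;
  Arena &node_root = allocate_node_on_stmt_root ? stmt_root : *thd_mem_root;
  win_specs.push_back(node_root, spec);

  exec_root.free_all();   // PREPARE command finished: thd->mem_root is released

  // EXECUTE walks win_specs. Reading the node is safe here only because the toy
  // arena keeps its buffer; in the server the dereference of the trashed
  // pointer is the SIGSEGV in setup_windows().
  return !node_points_into_trash(win_specs.head) && win_specs.head->spec == spec;
}
```

prepare_then_execute(false) reproduces the report (the node's spec pointer reads back as all 0x8f bytes); prepare_then_execute(true) is the allocation the comment calls for, with the node on the statement-lifetime root.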

Comment by Sergei Petrunia [ 2016-03-17 ]

This one is fixed but now there is MDEV-9754.
