Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-5012

Server crashes in Item_ref::real_item on EXPLAIN with select subqueries or views, constant table, derived_merge+derived_with_keys

        Details

        • Type: Bug
        • Status: Closed
        • Priority: Major
        • Resolution: Fixed
        • Affects Version/s: None
        • Fix Version/s: 5.5.33
        • Component/s: None
        • Labels:
          None

          Description

          Program terminated with signal 11, Segmentation fault.
#0  0x00000000005c1d10 in Item_ref::real_item (this=0x0) at 5.5/sql/item.h:2979
2979      Item *real_item()
#0  0x00000000005c1d10 in Item_ref::real_item (this=0x0) at 5.5/sql/item.h:2979
#1  0x00000000005c1d51 in Item_ref::real_item (this=0x7fb4f8025b80) at 5.5/sql/item.h:2981
...
...
#8846 0x00000000005c1d51 in Item_ref::real_item (this=0x7fb4f8025b80) at 5.5/sql/item.h:2981
#8847 0x00000000005c1d51 in Item_ref::real_item (this=0x7fb4f8025b80) at 5.5/sql/item.h:2981
#8848 0x00000000007ef0db in Item_direct_view_ref::replace_equal_field (this=0x7fb4f8025b80, arg=0x7fb5009972b0 " \254\002\370\264\177") at 5.5/sql/item.cc:8040
#8849 0x00000000007ec17c in Item_ref::transform (this=0x7fb4f8025b80, transformer=&virtual Item::replace_equal_field(unsigned char*), arg=0x7fb5009972b0 " \254\002\370\264\177") at 5.5/sql/item.cc:6995
#8850 0x000000000065ef26 in substitute_for_best_equal_field (context_tab=0x7fb4f802cbf0, cond=0x7fb4f8025b80, cond_equal=0x7fb4f8023a28, table_join_idx=0x7fb4f802be58) at 5.5/sql/sql_select.cc:12487
#8851 0x0000000000642844 in JOIN::optimize (this=0x7fb4f8024338) at 5.5/sql/sql_select.cc:1353
#8852 0x0000000000648949 in mysql_select (thd=0x2801f70, rref_pointer_array=0x2805bc8, tables=0x7fb4f8020198, wild_num=1, fields=..., conds=0x7fb4f8023938, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748612, result=0x7fb4f8023b10, unit=0x2805288, select_lex=0x2805960) at 5.5/sql/sql_select.cc:3055
#8853 0x0000000000678d0a in mysql_explain_union (thd=0x2801f70, unit=0x2805288, result=0x7fb4f8023b10) at 5.5/sql/sql_select.cc:22664
#8854 0x0000000000617c62 in execute_sqlcom_select (thd=0x2801f70, all_tables=0x7fb4f8020198) at 5.5/sql/sql_parse.cc:4622
#8855 0x0000000000610895 in mysql_execute_command (thd=0x2801f70) at 5.5/sql/sql_parse.cc:2205
#8856 0x000000000061a6e6 in mysql_parse (thd=0x2801f70, rawbuf=0x7fb4f80074c8 "EXPLAIN SELECT * FROM ( SELECT * FROM t1 ) AS table1, ( SELECT DISTINCT * FROM t2 ) AS table2 \nWHERE b = a AND a <> ANY ( SELECT 9 )", length=132, parser_state=0x7fb500998500) at 5.5/sql/sql_parse.cc:5769
#8857 0x000000000060dd5f in dispatch_command (command=COM_QUERY, thd=0x2801f70, packet=0x2873151 "", packet_length=132) at 5.5/sql/sql_parse.cc:1071
#8858 0x000000000060cf6f in do_command (thd=0x2801f70) at 5.5/sql/sql_parse.cc:794
#8859 0x0000000000714cb1 in do_handle_one_connection (thd_arg=0x2801f70) at 5.5/sql/sql_connect.cc:1266
#8860 0x0000000000714698 in handle_one_connection (arg=0x2801f70) at 5.5/sql/sql_connect.cc:1181
#8861 0x0000000000964564 in pfs_spawn_thread (arg=0x2847620) at 5.5/storage/perfschema/pfs.cc:1015
#8862 0x00007fb504884e9a in start_thread (arg=0x7fb500999700) at pthread_create.c:308
#8863 0x00007fb503b78cbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

          bzr version-info
revision-id: sergii@pisem.net-20130910090414-fr6p4sqb1cm3uimh
date: 2013-09-10 11:04:14 +0200
build-date: 2013-09-13 03:33:05 +0400
revno: 3887
branch-nick: 5.5

          Started happening from revno 3880 (mysql-5.5.33 merge). Does not crash on mysql-5.5.

          Test case:

          SET optimizer_switch = 'derived_merge=on,derived_with_keys=on,in_to_exists=on';

CREATE TABLE t1 (a INT) ENGINE=MyISAM;
INSERT INTO t1 VALUES (8);

CREATE TABLE t2 (b INT) ENGINE=MyISAM;
INSERT INTO t2 VALUES (1),(7);

EXPLAIN SELECT * FROM ( SELECT * FROM t1 ) AS table1, ( SELECT DISTINCT * FROM t2 ) AS table2 
WHERE b = a AND a <> ANY ( SELECT 9 );

          Also crashes with views instead of select subqueries (merge view for table1 and any view for table2).

            Gliffy Diagrams

              Attachments

                Activity

                Hide
                Permalink
                timour Timour Katchaounov added a comment -

                The cause for the crash is a stack overflow because of infinite recursion in Item_ref::real_item.
                The reason is an Item_direct_view_ref view object whose 'ref' member points to itself.

                I put debug_assert in few places to check for this situation, and apparently the problem is in
                substitute_for_best_equal_field who creates this recursion. Still analyzing where exactly.

                Show
                timour Timour Katchaounov added a comment - The cause for the crash is a stack overflow because of infinite recursion in Item_ref::real_item. The reason is an Item_direct_view_ref view object whose 'ref' member points to itself. I put debug_assert in few places to check for this situation, and apparently the problem is in substitute_for_best_equal_field who creates this recursion. Still analyzing where exactly.

                  People

                  • Assignee:
                    serg Sergei Golubchik
                    Reporter:
                    elenst Elena Stepanova
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    4 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved: