[MDEV-5382] Crash with complex multi-subquery query + derived_merge=ON - JIRA

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 5.3.12, 5.5.34, 10.0.6
Fix Version/s: 5.5.35, 10.0.7, 5.3.13
Component/s: None
Labels:
None

Description

(Thanks to shad0w1e on Freenode #mysql for finding this bug. I reduced it to a minimal test case and figured out the affected versions.)

The following will crash MariaDB. MySQL is not similarly affected:

DROP TABLE IF EXISTS `t1`;
CREATE TABLE `t1` (
  `a` INT DEFAULT NULL
);

DROP TABLE IF EXISTS `t2`;
CREATE TABLE `t2` (
  `b` INT DEFAULT NULL
);

# No crash:
SET SESSION optimizer_switch='derived_merge=OFF';

SELECT c1
FROM (
  SELECT (
    SELECT 1
    FROM t1
    WHERE t1.a <= t2.b
    UNION ALL
    SELECT 1
    FROM t1
    WHERE t1.a <= t2.b
    ORDER BY a DESC
  ) AS c1
  FROM t2
) t3;

# Crash:
SET SESSION optimizer_switch='derived_merge=ON';

SELECT c1
FROM (
  SELECT (
    SELECT 1
    FROM t1
    WHERE t1.a <= t2.b
    UNION ALL
    SELECT 1
    FROM t1
    WHERE t1.a <= t2.b
    ORDER BY a DESC
  ) AS c1
  FROM t2
) t3;

Gliffy Diagrams

Attachments

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Elena Stepanova added a comment - 2013-12-04 10:13

Thanks for reporting this.
Also reproducible on 5.3:

#3 <signal handler called>
#4 0x00000000005a1857 in Item_field::register_field_in_read_map (this=0x3630ce0, arg=0x0) at item.cc:933
#5 0x00000000005bc090 in Item::walk (this=0x3630ce0, processor=&virtual Item::register_field_in_read_map(unsigned char*), walk_subquery=true, arg=0x0) at item.h:1009
#6 0x0000000000634793 in Item_subselect::walk (this=0x3630e20, processor=&virtual table offset 640, walk_subquery=true, argument=0x0) at item_subselect.cc:556
#7 0x000000000070bb3e in find_field_in_table_ref (thd=0x3585bc8, table_list=0x36318b0, name=0x3609a98 "c1", length=2, item_name=0x3609a98 "c1", db_name=0x0, table_name=0x0, ref=0x3609ba8, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x3609b5c, register_tree_change=true, actual_table=0x7fad48977398) at sql_base.cc:6432
#8 0x000000000070c298 in find_field_in_tables (thd=0x3585bc8, item=0x3609aa0, first_table=0x36318b0, last_table=0x0, ref=0x3609ba8, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at sql_base.cc:6664
#9 0x00000000005abb25 in Item_field::fix_fields (this=0x3609aa0, thd=0x3585bc8, reference=0x3609ba8) at item.cc:4702
#10 0x000000000070eb85 in setup_fields (thd=0x3585bc8, ref_pointer_array=0x3633a30, fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x36320e8, allow_sum_func=true) at sql_base.cc:7858
#11 0x0000000000726c0c in JOIN::prepare (this=0x3631de8, rref_pointer_array=0x35888b8, tables_init=0x36318b0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x3588660, unit_arg=0x3588158) at sql_select.cc:666
#12 0x000000000072f56b in mysql_select (thd=0x3585bc8, rref_pointer_array=0x35888b8, tables=0x36318b0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147764736, result=0x3631dc8, unit=0x3588158, select_lex=0x3588660) at sql_select.cc:2989
#13 0x0000000000726081 in handle_select (thd=0x3585bc8, lex=0x35880b8, result=0x3631dc8, setup_tables_done_option=0) at sql_select.cc:288
#14 0x00000000006b4d7c in execute_sqlcom_select (thd=0x3585bc8, all_tables=0x36318b0) at sql_parse.cc:5172
#15 0x00000000006abf18 in mysql_execute_command (thd=0x3585bc8) at sql_parse.cc:2305
#16 0x00000000006b76e3 in mysql_parse (thd=0x3585bc8, rawbuf=0x3609900 "SELECT c1\nFROM (\nSELECT (\nSELECT 1\nFROM t1\nWHERE t1.a <= t2.b\nUNION ALL\nSELECT 1\nFROM t1\nWHERE t1.a <= t2.b\nORDER BY a DESC\n) AS c1\nFROM t2\n) t3", length=144, found_semicolon=0x7fad48978cb8) at sql_parse.cc:6173
#17 0x00000000006a96f8 in dispatch_command (command=COM_QUERY, thd=0x3585bc8, packet=0x3600499 "SELECT c1\nFROM (\nSELECT (\nSELECT 1\nFROM t1\nWHERE t1.a <= t2.b\nUNION ALL\nSELECT 1\nFROM t1\nWHERE t1.a <= t2.b\nORDER BY a DESC\n) AS c1\nFROM t2\n) t3", packet_length=144) at sql_parse.cc:1243
#18 0x00000000006a89e4 in do_command (thd=0x3585bc8) at sql_parse.cc:923
#19 0x00000000006a586d in handle_one_connection (arg=0x3585bc8) at sql_connect.cc:1231
#20 0x00007fad52167b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#21 0x00007fad5150aa7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

Show

Elena Stepanova added a comment - 2013-12-04 10:13 Thanks for reporting this. Also reproducible on 5.3: #3 <signal handler called> #4 0x00000000005a1857 in Item_field::register_field_in_read_map (this=0x3630ce0, arg=0x0) at item.cc:933 #5 0x00000000005bc090 in Item::walk (this=0x3630ce0, processor=&virtual Item::register_field_in_read_map(unsigned char*), walk_subquery=true, arg=0x0) at item.h:1009 #6 0x0000000000634793 in Item_subselect::walk (this=0x3630e20, processor=&virtual table offset 640, walk_subquery=true, argument=0x0) at item_subselect.cc:556 #7 0x000000000070bb3e in find_field_in_table_ref (thd=0x3585bc8, table_list=0x36318b0, name=0x3609a98 "c1", length=2, item_name=0x3609a98 "c1", db_name=0x0, table_name=0x0, ref=0x3609ba8, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x3609b5c, register_tree_change=true, actual_table=0x7fad48977398) at sql_base.cc:6432 #8 0x000000000070c298 in find_field_in_tables (thd=0x3585bc8, item=0x3609aa0, first_table=0x36318b0, last_table=0x0, ref=0x3609ba8, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at sql_base.cc:6664 #9 0x00000000005abb25 in Item_field::fix_fields (this=0x3609aa0, thd=0x3585bc8, reference=0x3609ba8) at item.cc:4702 #10 0x000000000070eb85 in setup_fields (thd=0x3585bc8, ref_pointer_array=0x3633a30, fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x36320e8, allow_sum_func=true) at sql_base.cc:7858 #11 0x0000000000726c0c in JOIN::prepare (this=0x3631de8, rref_pointer_array=0x35888b8, tables_init=0x36318b0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x3588660, unit_arg=0x3588158) at sql_select.cc:666 #12 0x000000000072f56b in mysql_select (thd=0x3585bc8, rref_pointer_array=0x35888b8, tables=0x36318b0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147764736, result=0x3631dc8, unit=0x3588158, select_lex=0x3588660) at sql_select.cc:2989 #13 0x0000000000726081 in handle_select (thd=0x3585bc8, lex=0x35880b8, result=0x3631dc8, setup_tables_done_option=0) at sql_select.cc:288 #14 0x00000000006b4d7c in execute_sqlcom_select (thd=0x3585bc8, all_tables=0x36318b0) at sql_parse.cc:5172 #15 0x00000000006abf18 in mysql_execute_command (thd=0x3585bc8) at sql_parse.cc:2305 #16 0x00000000006b76e3 in mysql_parse (thd=0x3585bc8, rawbuf=0x3609900 "SELECT c1\nFROM (\nSELECT (\nSELECT 1\nFROM t1\nWHERE t1.a <= t2.b\nUNION ALL\nSELECT 1\nFROM t1\nWHERE t1.a <= t2.b\nORDER BY a DESC\n) AS c1\nFROM t2\n) t3", length=144, found_semicolon=0x7fad48978cb8) at sql_parse.cc:6173 #17 0x00000000006a96f8 in dispatch_command (command=COM_QUERY, thd=0x3585bc8, packet=0x3600499 "SELECT c1\nFROM (\nSELECT (\nSELECT 1\nFROM t1\nWHERE t1.a <= t2.b\nUNION ALL\nSELECT 1\nFROM t1\nWHERE t1.a <= t2.b\nORDER BY a DESC\n) AS c1\nFROM t2\n) t3", packet_length=144) at sql_parse.cc:1243 #18 0x00000000006a89e4 in do_command (thd=0x3585bc8) at sql_parse.cc:923 #19 0x00000000006a586d in handle_one_connection (arg=0x3585bc8) at sql_connect.cc:1231 #20 0x00007fad52167b50 in start_thread (arg=<optimized out>) at pthread_create.c:304 #21 0x00007fad5150aa7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

Hide

Permalink

Igor Babaev added a comment - 2013-12-04 21:00

I've started working on this bug.

Show

Igor Babaev added a comment - 2013-12-04 21:00 I've started working on this bug.

Hide

Permalink

Igor Babaev added a comment - 2013-12-05 22:42

The fix for this bug was pushed into the 5.3 tree.

Show

Igor Babaev added a comment - 2013-12-05 22:42 The fix for this bug was pushed into the 5.3 tree.

Hide

Permalink

Daniel Bartholomew added a comment - 2014-01-29 19:32

http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.567.178

Show

Daniel Bartholomew added a comment - 2014-01-29 19:32 http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.567.178

Hide

Permalink

Daniel Bartholomew added a comment - 2014-01-29 19:33

http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.567.177

http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.582.1

Show

Daniel Bartholomew added a comment - 2014-01-29 19:33 http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.567.177 http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.582.1

Crash with complex multi-subquery query + derived_merge=ON

Details

Description

Gliffy Diagrams

Attachments

Activity

People

Dates

Agile