Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-5686

Server crashes in in base_list_iterator::next_fast with AND/OR and impossible condition inside IN SQ

        Details

        • Type: Bug
        • Status: Closed
        • Priority: Major
        • Resolution: Fixed
        • Affects Version/s: 5.5.35, 10.0.8, 5.3.13
        • Fix Version/s: 5.5.37, 10.0.10, 5.3.13
        • Component/s: None
        • Labels:
          None

          Description

          CREATE TABLE t1 (a INT, b INT, c VARCHAR(3)) ENGINE=MyISAM;
INSERT INTO t1 VALUES (1,1,'CAN'),(2,2,'AUS');

CREATE TABLE t2 (f INT) ENGINE=MyISAM;
INSERT INTO t2 VALUES (3);

SELECT * FROM t2 WHERE f NOT IN ( 
  SELECT b FROM t1 WHERE 0 OR ( c IN ('USA') OR c NOT IN ('USA') ) AND a = b 
);

          Note: If the crash is not reproducible, run with valgrind.

          #3  <signal handler called>
#4  0x000000000058a8bd in base_list_iterator::next_fast (this=0x7f06c9076f50) at sql_list.h:449
#5  0x000000000058cab5 in List_iterator_fast<Item>::operator++ (this=0x7f06c9076f50) at sql_list.h:561
#6  0x0000000000602d7c in Item_equal_iterator<List_iterator_fast, Item>::operator++ (this=0x7f06c9076f50) at item_cmpfunc.h:1824
#7  0x00000000005fe7a7 in Item_equal::contains (this=0x29c4370, field=0x29b5a90) at item_cmpfunc.cc:5603
#8  0x00000000005abe9f in Item_field::find_item_equal (this=0x298ded8, cond_equal=0x29bf8e8) at item.cc:4970
#9  0x0000000000745053 in eliminate_item_equal (cond=0x0, upper_levels=0x29bf8e8, item_equal=0x29c2198) at sql_select.cc:11945
#10 0x00000000007459b2 in substitute_for_best_equal_field (context_tab=0x1, cond=0x29c2198, cond_equal=0x29bf8e8, table_join_idx=0x29c2718) at sql_select.cc:12236
#11 0x0000000000745699 in substitute_for_best_equal_field (context_tab=0x1, cond=0x298e510, cond_equal=0x29c4758, table_join_idx=0x29c2718) at sql_select.cc:12163
#12 0x0000000000745699 in substitute_for_best_equal_field (context_tab=0x1, cond=0x29c4670, cond_equal=0x29c4758, table_join_idx=0x29c2718) at sql_select.cc:12163
#13 0x0000000000728878 in JOIN::optimize (this=0x29c04a0) at sql_select.cc:1253
#14 0x0000000000588e9b in st_select_lex::optimize_unflattened_subqueries (this=0x290b620) at sql_lex.cc:3166
#15 0x00000000008182bb in JOIN::optimize_unflattened_subqueries (this=0x29bfd08) at opt_subselect.cc:4903
#16 0x0000000000729b71 in JOIN::optimize (this=0x29bfd08) at sql_select.cc:1575
#17 0x000000000072ec11 in mysql_select (thd=0x2908b88, rref_pointer_array=0x290b878, tables=0x298cb60, wild_num=1, fields=..., conds=0x29bfbb8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147764736, result=0x298e8a0, unit=0x290b118, select_lex=0x290b620) at sql_select.cc:2993
#18 0x000000000072570d in handle_select (thd=0x2908b88, lex=0x290b078, result=0x298e8a0, setup_tables_done_option=0) at sql_select.cc:288
#19 0x00000000006b4444 in execute_sqlcom_select (thd=0x2908b88, all_tables=0x298cb60) at sql_parse.cc:5172
#20 0x00000000006ab5e0 in mysql_execute_command (thd=0x2908b88) at sql_parse.cc:2305
#21 0x00000000006b6dab in mysql_parse (thd=0x2908b88, rawbuf=0x298c8c0 "SELECT * FROM t2 WHERE f NOT IN ( \nSELECT b FROM t1 WHERE 0 OR ( c IN ('USA') OR c NOT IN ('USA') ) AND a = b \n)", length=112, found_semicolon=0x7f06c9078cb8) at sql_parse.cc:6173
#22 0x00000000006a8dc0 in dispatch_command (command=COM_QUERY, thd=0x2908b88, packet=0x2983459 "SELECT * FROM t2 WHERE f NOT IN ( \nSELECT b FROM t1 WHERE 0 OR ( c IN ('USA') OR c NOT IN ('USA') ) AND a = b \n)", packet_length=112) at sql_parse.cc:1243
#23 0x00000000006a80ac in do_command (thd=0x2908b88) at sql_parse.cc:923
#24 0x00000000006a4f3d in handle_one_connection (arg=0x2908b88) at sql_connect.cc:1231
#25 0x00007f06d2867b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#26 0x00007f06d1c0aa7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

          Stack trace from:

          revision-id: psergey@askmonty.org-20140214212653-cjbm9hqh0gpxapba
revno: 3758
branch-nick: 5.3
BUILD/compile-pentium-debug-max-no-ndb

          The problem started appearing on 5.3 tree with the following revision:

          revno: 3627
revision-id: igor@askmonty.org-20130222011312-0n7i0ki83efkz17e
parent: igor@askmonty.org-20130221032202-ed2p8w1a984bxa2p
committer: Igor Babaev <igor@askmonty.org>
branch nick: maria-5.3-mdev4172
timestamp: Thu 2013-02-21 17:13:12 -0800
message:
  Fixed bug mdev-4172.
  This bug in the legacy code could manifest itself in queries with
  semi-join materialized subqueries.
  ...

            Gliffy Diagrams

              Attachments

                Activity

                Hide
                Permalink
                igor Igor Babaev added a comment -

                The fix for this bug was pushed into the 5.3 tree.

                Show
                igor Igor Babaev added a comment - The fix for this bug was pushed into the 5.3 tree.

                  People

                  • Assignee:
                    igor Igor Babaev
                    Reporter:
                    elenst Elena Stepanova
                  • Votes:
                    1 Vote for this issue
                    Watchers:
                    2 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved: