      Description

      Note: once again, the test case is fragile, so there is no certainty in which version the problem appeared or whether it exists in 10.0 (it doesn't crash on my builds of 10.0).
      Please also see MDEV-7590, MDEV-7581.

      Stack trace from 5.5 rev fdd6c111c254c5044cd9b6c2f7e4d0c74f427a79
      #3  <signal handler called>
      #4  0x0000000000603109 in Item::delete_self (this=0x7ff52720c7d8) at 5.5/sql/item.h:1434
      #5  0x00000000005fd3cd in Query_arena::free_items (this=0x7ff52af49078) at 5.5/sql/sql_class.cc:3160
      #6  0x00000000005f8d6c in THD::cleanup_after_query (this=0x7ff52af49060) at 5.5/sql/sql_class.cc:1883
      #7  0x000000000063b317 in mysql_parse (thd=0x7ff52af49060, rawbuf=0x7ff527288078 "SELECT * FROM (INFORMATION_SCHEMA.`STATISTICS` AS table1 LEFT OUTER JOIN mysql.`time_zone` AS table2 ON ( table2.`Time_zone_id` = table1.`PACKED` ) ) WHERE NOT ( ( ( ( ( ( ( ( ( ( ( (NOT (NOT ( table2"..., length=930, parser_state=0x7ff527bb5620) at 5.5/sql/sql_parse.cc:5926
      #8  0x000000000062ee51 in dispatch_command (command=COM_QUERY, thd=0x7ff52af49060, packet=0x7ff5281e8061 "", packet_length=930) at 5.5/sql/sql_parse.cc:1079
      #9  0x000000000062dfdd in do_command (thd=0x7ff52af49060) at 5.5/sql/sql_parse.cc:793
      #10 0x000000000073072a in do_handle_one_connection (thd_arg=0x7ff52af49060) at 5.5/sql/sql_connect.cc:1266
      #11 0x00000000007301e9 in handle_one_connection (arg=0x7ff52af49060) at 5.5/sql/sql_connect.cc:1181
      #12 0x0000000000b66b61 in pfs_spawn_thread (arg=0x7ff5281518e0) at 5.5/storage/perfschema/pfs.cc:1015
      #13 0x00007ff52dea0b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
      #14 0x00007ff52c7ae70d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
      
      Test case
      SET sql_mode=ONLY_FULL_GROUP_BY;
      
      CREATE TABLE C (
        pk INTEGER AUTO_INCREMENT,
        col_int_nokey INTEGER,
        col_int_key INTEGER,
        col_date_key DATE,
        col_date_nokey DATE,
        col_time_key TIME,
        col_time_nokey TIME,
        col_datetime_key DATETIME,
        col_datetime_nokey DATETIME,
        col_varchar_key VARCHAR(1),
        col_varchar_nokey VARCHAR(1),
        PRIMARY KEY (pk)
      ) ENGINE=MyISAM;
      CREATE VIEW view_C AS SELECT * FROM C;
      CREATE TABLE E (
        pk INTEGER AUTO_INCREMENT,
        col_int_key INTEGER,
        col_varchar_key VARCHAR(1),
        PRIMARY KEY (pk)
      ) ENGINE=MyISAM;
      CREATE TABLE BB (
        pk INTEGER AUTO_INCREMENT,
        col_int_key INTEGER,
        col_varchar_key VARCHAR(1),
        PRIMARY KEY (pk)
      ) ENGINE=MyISAM;
      CREATE TABLE CC (
        pk INTEGER AUTO_INCREMENT,
        col_int_nokey INTEGER,
        col_int_key INTEGER,
        col_date_key DATE,
        col_date_nokey DATE,
        col_time_key TIME,
        col_time_nokey TIME,
        col_datetime_key DATETIME,
        col_datetime_nokey DATETIME,
        col_varchar_key VARCHAR(1),
        col_varchar_nokey VARCHAR(1),
        PRIMARY KEY (pk)
      ) ENGINE=MyISAM;
      
      CREATE TRIGGER tr1 BEFORE INSERT ON BB FOR EACH ROW INSERT INTO CC SELECT * FROM view_C LIMIT 0 ; 
      INSERT INTO BB () VALUES ();
      CREATE TRIGGER tr2 BEFORE INSERT ON E FOR EACH ROW INSERT INTO view_C SELECT * FROM CC LIMIT 0 ; 
      INSERT INTO E () VALUES ();
      --send
      	SELECT * FROM (INFORMATION_SCHEMA.`STATISTICS` AS table1 LEFT OUTER JOIN mysql.`time_zone` AS table2 ON ( table2.`Time_zone_id` = table1.`PACKED` ) ) WHERE NOT ( ( ( ( ( ( ( ( ( ( ( (NOT (NOT ( table2.`Time_zone_id` IN ( 6, 1, 4 ) AND table1.`NULLABLE` LIKE 'wait/synch/mutex/%') OR table1.`SUB_PART` > table1.`INDEX_SCHEMA`) AND table1.`TABLE_SCHEMA` <= 'm') OR table2.`Time_zone_id` = table1.`NULLABLE`) OR table1.`TABLE_SCHEMA` <> table2.`Use_leap_seconds`) AND table1.`INDEX_TYPE` IN ( 2, 1, 9 )) OR table1.`TABLE_NAME` IN ( 3, 5, 9 )) OR table1.`COLUMN_NAME` < '2008-07-11 08:47:37.057066') OR table2.`Time_zone_id` >= 8) AND table2.`Time_zone_id` < table2.`Use_leap_seconds`) OR table1.`TABLE_SCHEMA` IN ( 3, 2, 5 )) OR table2.`Time_zone_id` IN ( 7, 8, 7 )) AND table2.`Use_leap_seconds` LIKE 'wait/synch%') OR table1.`INDEX_SCHEMA` < 'uh') OR table2.`Use_leap_seconds` LIKE 'wait/synch/cond%' ORDER BY table1.`INDEX_SCHEMA`;
      
      --connect (con1,localhost,root,,test)
      INSERT INTO BB () VALUES ();
      
      --connection default
      --reap
      

            Activity

            elenst Elena Stepanova added a comment -

            Also observed on 10.0, during a stress test. Added the Affects Version/s value.

            elenst Elena Stepanova added a comment -

            On Wheezy, I couldn't get valgrind warnings. However, on CentOS 6, on a non-debug build, I did, maybe it's relevant:

            ==17667== Thread 4:
            ==17667== Invalid write of size 8
            ==17667==    at 0x5C1542: base_list::push_back(void*) (sql_list.h:206)
            ==17667==    by 0x6AD834: Item_field::fix_fields(THD*, Item**) (sql_list.h:512)
            ==17667==    by 0x53868F: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:8166)
            ==17667==    by 0x5A7A8E: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:719)
            ==17667==    by 0x5EFB3C: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:344)
            ==17667==    by 0x55A7CE: mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) (sql_derived.cc:654)
            ==17667==    by 0x55B2C2: mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) (sql_derived.cc:192)
            ==17667==    by 0x55B1A6: mysql_handle_list_of_derived(LEX*, TABLE_LIST*, unsigned int) (sql_derived.cc:222)
            ==17667==    by 0x56190D: mysql_prepare_insert(THD*, TABLE_LIST*, TABLE*, List<Item>&, List<Item>*, List<Item>&, List<Item>&, enum_duplicates, Item**, bool, bool, bool) (sql_insert.cc:1407)
            ==17667==    by 0x561E6E: mysql_insert_select_prepare(THD*) (sql_insert.cc:3280)
            ==17667==    by 0x57BAF4: mysql_execute_command(THD*) (sql_parse.cc:3050)
            ==17667==    by 0x77A9BB: sp_instr_stmt::exec_core(THD*, unsigned int*) (sp_head.cc:3222)
            ==17667==    by 0x77AB62: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:3000)
            ==17667==    by 0x77F9D4: sp_instr_stmt::execute(THD*, unsigned int*) (sp_head.cc:3146)
            ==17667==    by 0x77DA63: sp_head::execute(THD*, bool) (sp_head.cc:1433)
            ==17667==    by 0x77DDF2: sp_head::execute_trigger(THD*, st_mysql_lex_string const*, st_mysql_lex_string const*, st_grant_info*) (sp_head.cc:1738)
            ==17667==  Address 0x89f3fc8 is 1,912 bytes inside a block of size 8,152 free'd
            ==17667==    at 0x4A06430: free (vg_replace_malloc.c:446)
            ==17667==    by 0x9C6110: free_root (my_alloc.c:372)
            ==17667==    by 0x77DA99: sp_head::execute(THD*, bool) (sp_head.cc:1450)
            ==17667==    by 0x77DDF2: sp_head::execute_trigger(THD*, st_mysql_lex_string const*, st_mysql_lex_string const*, st_grant_info*) (sp_head.cc:1738)
            ==17667==    by 0x5E8CAE: Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool) (sql_trigger.cc:2156)
            ==17667==    by 0x538254: fill_record_n_invoke_before_triggers(THD*, List<Item>&, List<Item>&, bool, Table_triggers_list*, trg_event_type) (sql_base.cc:9066)
            ==17667==    by 0x565B85: mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) (sql_insert.cc:907)
            ==17667==    by 0x578267: mysql_execute_command(THD*) (sql_parse.cc:2973)
            ==17667==    by 0x57CFFB: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:5799)
            ==17667==    by 0x57E577: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1079)
            ==17667==    by 0x6236C3: do_handle_one_connection(THD*) (sql_connect.cc:1266)
            ==17667==    by 0x623759: handle_one_connection (sql_connect.cc:1181)
            ==17667==    by 0x8EFD05: pfs_spawn_thread (pfs.cc:1015)
            ==17667==    by 0x3D7AE079D0: start_thread (in /lib64/libpthread-2.12.so)
            ==17667==    by 0x3D7AAE89DC: clone (in /lib64/libc-2.12.so)
            ==17667== Invalid read of size 8
            ==17667==    at 0x5C1552: base_list::push_back(void*) (sql_list.h:208)
            ==17667==    by 0x6AD834: Item_field::fix_fields(THD*, Item**) (sql_list.h:512)
            ==17667==    by 0x53868F: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:8166)
            ==17667==    by 0x5A7A8E: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:719)
            ==17667==    by 0x5EFB3C: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:344)
            ==17667==    by 0x55A7CE: mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) (sql_derived.cc:654)
            ==17667==    by 0x55B2C2: mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) (sql_derived.cc:192)
            ==17667==    by 0x55B1A6: mysql_handle_list_of_derived(LEX*, TABLE_LIST*, unsigned int) (sql_derived.cc:222)
            ==17667==    by 0x56190D: mysql_prepare_insert(THD*, TABLE_LIST*, TABLE*, List<Item>&, List<Item>*, List<Item>&, List<Item>&, enum_duplicates, Item**, bool, bool, bool) (sql_insert.cc:1407)
            ==17667==    by 0x561E6E: mysql_insert_select_prepare(THD*) (sql_insert.cc:3280)
            ==17667==    by 0x57BAF4: mysql_execute_command(THD*) (sql_parse.cc:3050)
            ==17667==    by 0x77A9BB: sp_instr_stmt::exec_core(THD*, unsigned int*) (sp_head.cc:3222)
            ==17667==    by 0x77AB62: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:3000)
            ==17667==    by 0x77F9D4: sp_instr_stmt::execute(THD*, unsigned int*) (sp_head.cc:3146)
            ==17667==    by 0x77DA63: sp_head::execute(THD*, bool) (sp_head.cc:1433)
            ==17667==    by 0x77DDF2: sp_head::execute_trigger(THD*, st_mysql_lex_string const*, st_mysql_lex_string const*, st_grant_info*) (sp_head.cc:1738)
            ==17667==  Address 0x89f3fc8 is 1,912 bytes inside a block of size 8,152 free'd
            ==17667==    at 0x4A06430: free (vg_replace_malloc.c:446)
            ==17667==    by 0x9C6110: free_root (my_alloc.c:372)
            ==17667==    by 0x77DA99: sp_head::execute(THD*, bool) (sp_head.cc:1450)
            ==17667==    by 0x77DDF2: sp_head::execute_trigger(THD*, st_mysql_lex_string const*, st_mysql_lex_string const*, st_grant_info*) (sp_head.cc:1738)
            ==17667==    by 0x5E8CAE: Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool) (sql_trigger.cc:2156)
            ==17667==    by 0x538254: fill_record_n_invoke_before_triggers(THD*, List<Item>&, List<Item>&, bool, Table_triggers_list*, trg_event_type) (sql_base.cc:9066)
            ==17667==    by 0x565B85: mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) (sql_insert.cc:907)
            ==17667==    by 0x578267: mysql_execute_command(THD*) (sql_parse.cc:2973)
            ==17667==    by 0x57CFFB: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:5799)
            ==17667==    by 0x57E577: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1079)
            ==17667==    by 0x6236C3: do_handle_one_connection(THD*) (sql_connect.cc:1266)
            ==17667==    by 0x623759: handle_one_connection (sql_connect.cc:1181)
            ==17667==    by 0x8EFD05: pfs_spawn_thread (pfs.cc:1015)
            ==17667==    by 0x3D7AE079D0: start_thread (in /lib64/libpthread-2.12.so)
            ==17667==    by 0x3D7AAE89DC: clone (in /lib64/libc-2.12.so)
            
            elenst Elena Stepanova added a comment - - edited

            The test case below reliably causes for me on 3 different machines a similar crash, but in a stored procedure:

            
            --source include/have_innodb.inc
            
            SET sql_mode=ONLY_FULL_GROUP_BY;
            
            CREATE TABLE t1 (
              pk INT, 
              f0 INT, f1 INT, f2 INT, f3 INT, f4 INT, 
              f5 INT, f6 INT, f7 INT, f8 INT, f9 INT, 
              PRIMARY KEY (pk)
            );
            CREATE VIEW view_t1 AS SELECT * FROM t1;
            CREATE PROCEDURE sp() 
              SELECT * FROM (
                INFORMATION_SCHEMA.`INNODB_BUFFER_PAGE_LRU` AS table1 
                  LEFT JOIN test.view_t1 AS table2 
                  ON ( table2.`f6` = table1.`FREE_PAGE_CLOCK` ) 
              ) 
              ORDER BY table1.`NUMBER_RECORDS`, table1.`IS_HASHED` 
              LIMIT 0
            ;
            CALL sp;
            CALL sp;
            
            5.5 commit fdd6c111
            #3  <signal handler called>
            #4  0x00007fa6cea35fa0 in ?? ()
            #5  0x000000000060310b in Item::delete_self (this=0x7fa6cea345a8) at 5.5/sql/item.h:1434
            #6  0x00000000005fd3cd in Query_arena::free_items (this=0x7fa6d694e078) at 5.5/sql/sql_class.cc:3160
            #7  0x00000000005f8d6c in THD::cleanup_after_query (this=0x7fa6d694e060) at 5.5/sql/sql_class.cc:1883
            #8  0x0000000000910920 in sp_head::execute (this=0x7fa6ce98e078, thd=0x7fa6d694e060, merge_da_on_success=true) at 5.5/sql/sp_head.cc:1449
            #9  0x0000000000912610 in sp_head::execute_procedure (this=0x7fa6ce98e078, thd=0x7fa6d694e060, args=0x7fa6d6952000) at 5.5/sql/sp_head.cc:2199
            #10 0x0000000000636c41 in mysql_execute_command (thd=0x7fa6d694e060) at 5.5/sql/sql_parse.cc:4123
            #11 0x000000000063b20e in mysql_parse (thd=0x7fa6d694e060, rawbuf=0x7fa6ce951078 "CALL sp", length=7, parser_state=0x7fa6dec75620) at 5.5/sql/sql_parse.cc:5909
            #12 0x000000000062ee51 in dispatch_command (command=COM_QUERY, thd=0x7fa6d694e060, packet=0x7fa6d6a74061 "", packet_length=7) at 5.5/sql/sql_parse.cc:1079
            #13 0x000000000062dfdd in do_command (thd=0x7fa6d694e060) at 5.5/sql/sql_parse.cc:793
            #14 0x000000000073072a in do_handle_one_connection (thd_arg=0x7fa6d694e060) at 5.5/sql/sql_connect.cc:1266
            #15 0x00000000007301e9 in handle_one_connection (arg=0x7fa6d694e060) at 5.5/sql/sql_connect.cc:1181
            #16 0x0000000000b66b61 in pfs_spawn_thread (arg=0x7fa6d69ca480) at 5.5/storage/perfschema/pfs.cc:1015
            #17 0x00007fa6de8adb50 in start_thread (arg=<optimized out>) at pthread_create.c:304
            #18 0x00007fa6dd1bb70d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
            #19 0x0000000000000000 in ?? ()
            
            jplindst Jan Lindström added a comment -

            I could not repeat using 10.0 with revision 4616 using the above test cases.

            elenst Elena Stepanova added a comment - - edited

            I've set it up on perro, current 5.5 from git (the last test from the comment)

            # login as usual
            cd ~/git/5.5-mdev7594/mysql-test
            perl ./mtr mdev7594
            
            monty Michael Widenius added a comment -

            I was able to repeat and fix this test case.
            The issue was that select_lex->non_agg_fields() was not properly reset for re-execution.
            Fixed by moving this to the JOIN structure that is properly reset for each execution.

            monty Michael Widenius added a comment -

            The problem was that select_lex->non_agg_fields was not properly reset for re-execution and this caused an overwrite of a random memory position.
            The fix was to move non_agg_fields from select_lex to JOIN, which is properly reset.

            Fix pushed into the 5.5 tree.
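
The lifetime mismatch described in the comment above, as an added example that is not MariaDB code and not part of the original thread: a list kept on a long-lived statement object still points at a node from the previous execution's freed memory when the statement is run again (the `CALL sp; CALL sp;` pattern). `Arena`, `Node`, `FieldList` and the generation check are assumptions made for the model; `SelectLex` and `Join` only borrow their names from the comment, and slots are never reused so the stale pointer can be inspected without undefined behaviour.

```cpp
#include <cstdio>
#include <deque>

struct Node { int value; Node* next; unsigned gen; };

// Per-execution allocator (model). reset() stands in for releasing the
// statement's memory at the end of one execution.
struct Arena {
    std::deque<Node> pool;          // deque keeps element addresses stable
    unsigned generation = 1;
    Node* alloc(int v) {
        pool.push_back(Node{v, nullptr, generation});
        return &pool.back();
    }
    bool is_live(const Node* n) const { return n->gen == generation; }
    void reset() { ++generation; }  // everything allocated so far is now "freed"
};

// Singly linked list that remembers its last node, so push_back writes
// through that remembered pointer.
struct FieldList {
    Node* head = nullptr;
    Node* tail = nullptr;
    int stale_writes = 0;           // writes that would land in freed memory
    void push_back(Arena& a, int v) {
        Node* n = a.alloc(v);
        if (tail && !a.is_live(tail))
            ++stale_writes;         // in a real server: invalid write, heap corruption
        if (tail) tail->next = n; else head = n;
        tail = n;
    }
};

// Long-lived parsed statement, reused by every execution of the procedure.
struct SelectLex { FieldList non_agg_fields; };

// Per-execution state, rebuilt from scratch for each run.
struct Join { FieldList non_agg_fields; };

// Before the fix (model): the list lives on the reused statement object and
// is not reset, so it outlives the nodes it points to.
int run_list_on_select_lex(int executions, int fields) {
    Arena arena;
    SelectLex lex;
    for (int e = 0; e < executions; ++e) {
        for (int f = 0; f < fields; ++f)
            lex.non_agg_fields.push_back(arena, f);
        arena.reset();
    }
    return lex.non_agg_fields.stale_writes;
}

// After the fix (model): the list lives on the per-execution object, so its
// lifetime matches the lifetime of the nodes.
int run_list_on_join(int executions, int fields) {
    Arena arena;
    int stale = 0;
    for (int e = 0; e < executions; ++e) {
        Join join;
        for (int f = 0; f < fields; ++f)
            join.non_agg_fields.push_back(arena, f);
        stale += join.non_agg_fields.stale_writes;
        arena.reset();
    }
    return stale;
}

int main() {
    std::printf("list on statement object, 2 runs: %d stale write(s)\n",
                run_list_on_select_lex(2, 3));
    std::printf("list on per-execution object, 2 runs: %d stale write(s)\n",
                run_list_on_join(2, 3));
    return 0;
}
```
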


              People

              • Assignee: monty Michael Widenius
              • Reporter: elenst Elena Stepanova
              • Votes: 0
              • Watchers: 3

              Time Tracking

              • Original Estimate: Not Specified
              • Remaining Estimate: 0 minutes
              • Time Spent: 6 hours