[MDEV-7821] Server crashes in Item_func_group_concat::fix_fields on 2nd execution of PS - JIRA

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 5.1.67, 5.2.14, 5.3.12, 10.1, 10.0, 5.5
Fix Version/s: 10.0.21, 10.1.7, 5.5.45
Component/s: Data Manipulation - Subquery, Prepared Statements
Labels:
- upstream

Sprint:
5.5.45

Description

Stack trace from 5.5 commit 86f46a3da4a6d82cb510dc4c270d46cfd6a8965b

#3  <signal handler called>
#4  0x0000000000896832 in Item_func_group_concat::fix_fields (this=0x7fac14d3cd28, thd=0x7fac20226060, ref=0x7fac14d3afa8) at 5.5/sql/item_sum.cc:3415
#5  0x00000000005e2368 in setup_fields (thd=0x7fac20226060, ref_pointer_array=0x7fac14d3f0b8, fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7fac14d515c0, allow_sum_func=true) at 5.5/sql/sql_base.cc:8169
#6  0x0000000000663cec in JOIN::prepare (this=0x7fac14d51298, rref_pointer_array=0x7fac14d39a80, tables_init=0x7fac14d3d338, wild_num=0, conds_init=0x0, og_num=1, order_init=0x0, skip_order_by=false, group_init=0x7fac14d3f078, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fac14d39810, unit_arg=0x7fac14d39130) at 5.5/sql/sql_select.cc:723
#7  0x000000000066c43b in mysql_select (thd=0x7fac20226060, rref_pointer_array=0x7fac14d39a80, tables=0x7fac14d3d338, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7fac14d3f078, having=0x0, proc_param=0x0, select_options=2416184064, result=0x7fac14d3e018, unit=0x7fac14d39130, select_lex=0x7fac14d39810) at 5.5/sql/sql_select.cc:3074
#8  0x0000000000662fbd in handle_select (thd=0x7fac20226060, lex=0x7fac14d39080, result=0x7fac14d3e018, setup_tables_done_option=0) at 5.5/sql/sql_select.cc:319
#9  0x000000000063c1fc in execute_sqlcom_select (thd=0x7fac20226060, all_tables=0x7fac14d3d338) at 5.5/sql/sql_parse.cc:4689
#10 0x00000000006353de in mysql_execute_command (thd=0x7fac20226060) at 5.5/sql/sql_parse.cc:2234
#11 0x0000000000656655 in Prepared_statement::execute (this=0x7fac14ddf460, expanded_query=0x7fac27393c90, open_cursor=false) at 5.5/sql/sql_prepare.cc:3928
#12 0x000000000065576c in Prepared_statement::execute_loop (this=0x7fac14ddf460, expanded_query=0x7fac27393c90, open_cursor=false, packet=0x0, packet_end=0x0) at 5.5/sql/sql_prepare.cc:3587
#13 0x0000000000653890 in mysql_sql_stmt_execute (thd=0x7fac20226060) at 5.5/sql/sql_prepare.cc:2737
#14 0x000000000063540c in mysql_execute_command (thd=0x7fac20226060) at 5.5/sql/sql_parse.cc:2244
#15 0x000000000063ece2 in mysql_parse (thd=0x7fac20226060, rawbuf=0x7fac14d51078 "EXECUTE stmt", length=12, parser_state=0x7fac27394620) at 5.5/sql/sql_parse.cc:5909
#16 0x0000000000632925 in dispatch_command (command=COM_QUERY, thd=0x7fac20226060, packet=0x7fac16cb5061 "EXECUTE stmt", packet_length=12) at 5.5/sql/sql_parse.cc:1079
#17 0x0000000000631ab1 in do_command (thd=0x7fac20226060) at 5.5/sql/sql_parse.cc:793
#18 0x0000000000734122 in do_handle_one_connection (thd_arg=0x7fac20226060) at 5.5/sql/sql_connect.cc:1266
#19 0x0000000000733be1 in handle_one_connection (arg=0x7fac20226060) at 5.5/sql/sql_connect.cc:1181
#20 0x0000000000b6c629 in pfs_spawn_thread (arg=0x7fac2022ea20) at 5.5/storage/perfschema/pfs.cc:1015
#21 0x00007fac26fcdb50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#22 0x00007fac2528370d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

Test case

CREATE TABLE t1 (f1 INT);
INSERT INTO t1 VALUES (2),(3);

CREATE TABLE t2 (f2 INT);
INSERT INTO t2 VALUES (1),(8);

PREPARE stmt FROM "
SELECT GROUP_CONCAT( t2a.f2 ORDER BY 1, ( t2a.f2 IN ( SELECT f1 FROM t1 ) ) ), t2a.f2 
FROM t2 AS t2a, t2 AS t2b 
GROUP BY t2a.f2
";

EXECUTE stmt;
EXECUTE stmt;

Gliffy Diagrams

Attachments

Issue Links

links to

Bug #76458 - Server crashes in Item_func_group_concat::fix_fields on 2nd execution of PS

Github revision

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Elena Stepanova added a comment - 2015-03-23 14:32

It's an upstream bug (http://bugs.mysql.com/bug.php?id=76458), which is why it stays unassigned for now; we can either wait to see whether it gets fixed in MySQL 5.5, or somebody can just pick it up and fix directly in MariaDB.

Show

Elena Stepanova added a comment - 2015-03-23 14:32 It's an upstream bug ( http://bugs.mysql.com/bug.php?id=76458 ), which is why it stays unassigned for now; we can either wait to see whether it gets fixed in MySQL 5.5, or somebody can just pick it up and fix directly in MariaDB.

Hide

Permalink

Sergey Vojtovich added a comment - 2015-07-30 10:41

Not fixed in mysql-5.5.45 and mysql-5.6.26.

Show

Sergey Vojtovich added a comment - 2015-07-30 10:41 Not fixed in mysql-5.5.45 and mysql-5.6.26.

Hide

Permalink

Sergey Vojtovich added a comment - 2015-07-30 14:49

Somewhat simpler test:

CREATE TABLE t1(a INT);
INSERT INTO t1 VALUES(1),(2);
PREPARE stmt FROM "SELECT GROUP_CONCAT(t1a.a ORDER BY 1, t1a.a=0) FROM t1 AS t1a, t1 AS t1b GROUP BY t1a.a";
EXECUTE stmt;
EXECUTE stmt;

Show

Sergey Vojtovich added a comment - 2015-07-30 14:49 Somewhat simpler test: CREATE TABLE t1(a INT); INSERT INTO t1 VALUES(1),(2); PREPARE stmt FROM "SELECT GROUP_CONCAT(t1a.a ORDER BY 1, t1a.a=0) FROM t1 AS t1a, t1 AS t1b GROUP BY t1a.a"; EXECUTE stmt; EXECUTE stmt;

Hide

Permalink

Sergey Vojtovich added a comment - 2015-07-30 18:03

Sergei Golubchik, please review fix for this bug. Note that I'm not completely sure about fix correctness, it's mostly expansion of revision mentioned in the commit message.

Show

Sergey Vojtovich added a comment - 2015-07-30 18:03 Sergei Golubchik , please review fix for this bug. Note that I'm not completely sure about fix correctness, it's mostly expansion of revision mentioned in the commit message.

People

Assignee:

Sergey Vojtovich

Reporter:

Elena Stepanova

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

2015-03-23 14:30

Updated:

2015-07-31 23:11

Resolved:

2015-07-31 12:07

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1h 30m

Agile

Completed Sprint:

5.5.45 ended 2015-08-05
View on Board