Crash in reinit_stmt_before_use() on subquery in the SELECT list

Bug #611691 reported by Philip Stoev
Affects Status Importance Assigned to Milestone
MariaDB
Invalid
Undecided
Unassigned

Bug Description

In MariaDB 5.2 and 5.3, the following query:

-- Reproducer.  A scalar (single-row) subquery sits in the SELECT list and is
-- correlated with the outer table only through `table1`.`col_int_nokey` used
-- as a bare boolean predicate (true for every non-zero, non-NULL value), so
-- nothing restricts the subquery on C to one row.  The outer query groups by
-- the column alias `field12`.  The crash is triggered when this text is run
-- through SQL-level PREPARE/EXECUTE (the backtrace shows "EXECUTE st1").
-- NOTE(review): the definition of table C is not part of the visible report.
SELECT (
SELECT `pk`
FROM C
WHERE table1 .`col_int_nokey` ) , `col_varchar_key` field12
FROM D table1
GROUP BY field12

crashes the server (SIGSEGV in the connection thread executing `EXECUTE st1`, see the backtrace below) when run as a prepared statement. Since the crash is reached from an ordinary client query, any client permitted to run it can bring the server down, so this is a denial-of-service defect rather than just a wrong result.

MariaDB backtrace:

#3 0x0826c388 in handle_segfault (sig=11) at mysqld.cc:2693
#4 <signal handler called>
#5 0x0832375f in reinit_stmt_before_use (thd=0xaa4b528, lex=0xb5d5c3f8) at sql_prepare.cc:2335
#6 0x08325eef in Prepared_statement::execute (this=0xb5d4d6f0, expanded_query=0xb60d2430, open_cursor=false) at sql_prepare.cc:3570
#7 0x0832547e in Prepared_statement::execute_loop (this=0xb5d4d6f0, expanded_query=0xb60d2430, open_cursor=false, packet=0x0, packet_end=0x0)
    at sql_prepare.cc:3262
#8 0x08323e6a in mysql_sql_stmt_execute (thd=0xaa4b528) at sql_prepare.cc:2532
#9 0x0827ea56 in mysql_execute_command (thd=0xaa4b528) at sql_parse.cc:2273
#10 0x0828a204 in mysql_parse (thd=0xaa4b528, inBuf=0xb5d2d930 "EXECUTE st1", length=11, found_semicolon=0xb60d3230) at sql_parse.cc:6024
#11 0x0827c45e in dispatch_command (command=COM_QUERY, thd=0xaa4b528, packet=0xaa63879 "EXECUTE st1", packet_length=11) at sql_parse.cc:1183
#12 0x0827b904 in do_command (thd=0xaa4b528) at sql_parse.cc:890
#13 0x08278a64 in handle_one_connection (arg=0xaa4b528) at sql_connect.cc:1153
#14 0x00a08919 in start_thread () from /lib/libpthread.so.0
#15 0x00951e5e in clone () from /lib/libc.so.6

explain:

id select_type table type possible_keys key key_len ref rows Extra
1 PRIMARY table1 ALL NULL NULL NULL NULL 100 Using temporary; Using filesort
2 DEPENDENT SUBQUERY C index NULL PRIMARY 4 NULL 20 Using where; Using index

In MySQL 5.5.5-m3 the same query also crashes, but at a different point — in simplify_joins() while optimizing the subquery during execution, rather than in reinit_stmt_before_use():

#3 0x0811b321 in handle_segfault (sig=11) at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/mysqld.cc:2791
#4 <signal handler called>
#5 0x081c9e37 in simplify_joins (join=0xad216920, join_list=0xad2155ac, conds=0xad205cf8, top=true)
    at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_select.cc:8901
#6 0x081d1908 in JOIN::optimize (this=0xad216920) at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_select.cc:892
#7 0x0831bb72 in subselect_single_select_engine::exec (this=0xad216080)
    at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/item_subselect.cc:1912
#8 0x0831a4a3 in Item_subselect::exec (this=0xad215fe8) at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/item_subselect.cc:288
#9 0x0831a765 in Item_singlerow_subselect::val_int (this=0xad215fe8)
    at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/item_subselect.cc:598
#10 0x082b3585 in Item_copy_int::copy (this=0xad205fd0) at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/item.cc:3657
#11 0x081b9a43 in copy_fields (param=0xad20566c) at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_select.cc:15637
#12 0x081c133a in end_send (join=0xad204610, join_tab=0xad205d94, end_of_records=false)
    at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_select.cc:12495
#13 0x081bb982 in evaluate_join_record (join=0xad204610, join_tab=0xad205c00, error=0)
    at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_select.cc:11707
#14 0x081bfddc in sub_select (join=0xad204610, join_tab=0xad205c00, end_of_records=false)
    at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_select.cc:11582
#15 0x081c563c in do_select (join=0xad204610, fields=0xad205774, table=0x0, procedure=0x0)
    at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_select.cc:11334
#16 0x081da351 in JOIN::exec (this=0xad204610) at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_select.cc:2354
#17 0x081d5ce1 in mysql_select (thd=0xa968b08, rref_pointer_array=0xad214e94, tables=0xad216268, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0,
    group=0xad2166a8, having=0x0, proc_param=0x0, select_options=2416184064, result=0xad2166d8, unit=0xad214970, select_lex=0xad214d9c)
    at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_select.cc:2549
#18 0x081dc23a in handle_select (thd=0xa968b08, lex=0xad214910, result=0xad2166d8, setup_tables_done_option=0)
    at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_select.cc:290
#19 0x08193b3d in execute_sqlcom_select (thd=0xa968b08, all_tables=0xad216268)
    at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_parse.cc:4882
#20 0x0819979f in mysql_execute_command (thd=0xa968b08) at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_parse.cc:2329
#21 0x081acc63 in Prepared_statement::execute (this=0xad209b90, expanded_query=0xaff869ac, open_cursor=false)
    at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_prepare.cc:3769
#22 0x081afc8b in Prepared_statement::execute_loop (this=0xad209b90, expanded_query=0xaff869ac, open_cursor=false, packet=0x0, packet_end=0x0)
    at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_prepare.cc:3416
#23 0x081b0057 in mysql_sql_stmt_execute (thd=0xa968b08) at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_prepare.cc:2596
#24 0x0819a32a in mysql_execute_command (thd=0xa968b08) at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_parse.cc:2339
#25 0x0819eebd in mysql_parse (thd=0xa968b08, inBuf=0xad204488 "EXECUTE st1", length=11, parser_state=0xaff88164)
    at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_parse.cc:5911
#26 0x081a0eaf in dispatch_command (command=COM_QUERY, thd=0xa968b08, packet=0xa9f45d1 "", packet_length=11)
    at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_parse.cc:1135
#27 0x081a13ef in do_command (thd=0xa968b08) at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_parse.cc:807
#28 0x082420e9 in do_handle_one_connection (thd_arg=0xa968b08) at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_connect.cc:1196
#29 0x0824247f in handle_one_connection (arg=0xa968b08) at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/sql/sql_connect.cc:1135
#30 0x08558e62 in pfs_spawn_thread (arg=0xa96bf70) at /export/home/pb2/build/sb_0-2019843-1278441673.38/mysql-5.5.5-m3/storage/perfschema/pfs.cc:1015
#31 0x00a08919 in start_thread () from /lib/libpthread.so.0
#32 0x00951e5e in clone () from /lib/libc.so.6

Philip Stoev (pstoev-askmonty) wrote :

-- Fixture for table D, the outer table of the reproducer (aliased `table1`
-- in the crashing query).  The subquery's table C is not included in the
-- visible part of the report.
CREATE TABLE `D` (
    `pk`              INT(11)    NOT NULL AUTO_INCREMENT,
    `col_int_nokey`   INT(11)    DEFAULT NULL,
    `col_int_key`     INT(11)    DEFAULT NULL,
    `col_varchar_key` VARCHAR(1) DEFAULT NULL,
    PRIMARY KEY (`pk`),
    KEY `col_int_key` (`col_int_key`),
    KEY `col_varchar_key` (`col_varchar_key`, `col_int_key`)
) ENGINE=MyISAM AUTO_INCREMENT=101 DEFAULT CHARSET=latin1;

-- The same 74 rows as the original one-row-per-statement dump, loaded in a
-- single statement with an explicit column list so the fixture does not
-- silently depend on column order.  Values are
-- (pk, col_int_nokey, col_int_key, col_varchar_key).
INSERT INTO `D` (`pk`, `col_int_nokey`, `col_int_key`, `col_varchar_key`) VALUES
    (1, 6, NULL, 'r'),
    (2, 8, 0, 'c'),
    (3, 6, 0, 'o'),
    (4, 6, 7, 'c'),
    (5, 3, 8, 'd'),
    (6, 9, 4, 'v'),
    (7, 2, 6, 'm'),
    (8, 1, 5, 'j'),
    (9, 8, NULL, 'f'),
    (10, 0, NULL, 'n'),
    (11, 9, 8, 'z'),
    (12, 8, 8, 'h'),
    (13, NULL, 8, 'q'),
    (14, 0, 1, 'w'),
    (15, 5, 1, 'z'),
    (16, 1, 5, 'j'),
    (17, 1, 2, 'a'),
    (18, 6, 7, 'm'),
    (19, 6, 6, 'n'),
    (20, 1, 4, 'e'),
    (21, 8, 7, 'u'),
    (22, 1, 0, 's'),
    (23, 0, 9, 'u'),
    (24, 4, 3, 'r'),
    (25, 9, 5, 'g'),
    (26, 8, 1, 'o'),
    (27, 5, 1, 'w'),
    (28, 9, 5, 'b'),
    (29, 5, 9, NULL),
    (30, NULL, 2, 'y'),
    (31, NULL, 5, 'y'),
    (32, 105, 248, 'u'),
    (33, 0, 0, 'p'),
    (34, 3, 8, 's'),
    (35, 1, 1, 'e'),
    (36, 75, 255, 'd'),
    (37, 9, 9, 'd'),
    (38, 7, 9, 'c'),
    (39, NULL, 3, 'b'),
    (40, NULL, 9, 't'),
    (41, 4, 6, NULL),
    (42, 0, 4, 'y'),
    (43, 204, 60, 'c'),
    (44, 0, 7, 'd'),
    (45, 9, 1, 'x'),
    (46, 8, 6, 'p'),
    (47, 7, 4, 'e'),
    (48, 8, NULL, 'g'),
    (49, NULL, 8, 'x'),
    (50, 6, 0, 's'),
    (51, 5, 8, 'e'),
    (52, 2, 151, 'l'),
    (53, 3, 7, 'p'),
    (54, 7, 6, 'h'),
    (55, NULL, NULL, 'm'),
    (56, 145, 23, 'n'),
    (57, 0, 2, 'v'),
    (58, 1, 4, 'b'),
    (59, 7, NULL, 'x'),
    (60, 3, NULL, 'r'),
    (61, NULL, 77, 't'),
    (62, 2, NULL, 'w'),
    (63, 2, NULL, 'w'),
    (64, 2, 7, 'k'),
    (65, 8, 1, 'a'),
    (66, 6, 9, 't'),
    (67, 1, 6, 'z'),
    (68, NULL, 2, 'e'),
    (69, 1, 3, 'q'),
    (70, 0, 0, 'e'),
    (71, 4, NULL, 'v'),
    (72, 1, 6, 'd'),
    (73, 1, 3, 'u'),
    (74, 27, 195, 'o');
INSERT INTO `D` VALUES (75,4,5,'b')...


Changed in maria:
milestone: none → 5.2
Philip Stoev (pstoev-askmonty) wrote :

No longer crashes in either version. Instead the statement fails with the error "Subquery returns more than 1 row", which is the correct outcome for this data set: the scalar subquery in the SELECT list is filtered only by `table1`.`col_int_nokey` used as a boolean, so nothing limits it to a single row of C (EXPLAIN estimates 20 rows).

Changed in maria:
status: New → Invalid