Crash/segfault during enum/int comparison in drizzled::optimizer::SqlSelect::cleanup (this=0x21c6940) at drizzled/optimizer/range.cc:390

Bug #639716 reported by Patrick Crews
Affects   Status        Importance  Assigned to       Milestone
Drizzle   Fix Released  Critical    Andrew Hutchings
7.0       Fix Released  Critical    Andrew Hutchings

Bug Description

Crash / segfault when comparing a character-containing enum to an integer:
SELECT X . `col_int_key` FROM `c` AS X LEFT JOIN `a` AS Y USING ( `col_enum_key` ) WHERE X . `col_enum_key` = ( SELECT `col_int_not_null_key` FROM `aa` WHERE `pk` = 5 ) LIMIT 8;

This only occurs when the WHERE clause is comparing enum to int. Altering the WHERE clause to enum-enum or int-int works fine.

It should be noted that col_enum_key contains character values, which could be contributing to the crash.

Backtrace:
Program terminated with signal 11, Segmentation fault.
#0 0x00000000007459b9 in drizzled::optimizer::SqlSelect::cleanup (this=0x21c6940) at drizzled/optimizer/range.cc:390
390 delete quick;
(gdb) backtrace
#0 0x00000000007459b9 in drizzled::optimizer::SqlSelect::cleanup (this=0x21c6940) at drizzled/optimizer/range.cc:390
#1 0x0000000000745a8f in ~SqlSelect (this=0x21c6940, __in_chrg=<value optimized out>) at drizzled/optimizer/range.cc:406
#2 0x00000000007d3740 in drizzled::JoinTable::cleanup (this=0x22624a0) at drizzled/sql_select.cc:1460
#3 0x0000000000706047 in drizzled::Join::cleanup (this=0x21d7fa8, full=true) at drizzled/join.cc:1915
#4 0x0000000000705ba0 in drizzled::Join::destroy (this=0x21d7fa8) at drizzled/join.cc:1736
#5 0x00000000007ef70f in drizzled::Select_Lex::cleanup (this=0x7f0ba8017528) at drizzled/sql_union.cc:711
#6 0x00000000007d0de9 in drizzled::mysql_select (session=0x7f0ba80168b0, rref_pointer_array=0x7f0ba80176e0,
    tables=0x21a2a60, wild_num=0, fields=..., conds=0x21a3b28, og_num=0, order=0x0, group=0x0, having=0x0,
    select_options=2147500032, result=0x21a3d48, unit=0x7f0ba8017328, select_lex=0x7f0ba8017528)
    at drizzled/sql_select.cc:439
#7 0x00000000007d0625 in drizzled::handle_select (session=0x7f0ba80168b0, lex=0x7f0ba8017308, result=0x21a3d48,
    setup_tables_done_option=0) at drizzled/sql_select.cc:146
#8 0x00000000007ccc2f in drizzled::execute_sqlcom_select (session=0x7f0ba80168b0, all_tables=0x21a2a60)
    at drizzled/sql_parse.cc:544
#9 0x00000000008258b3 in drizzled::statement::Select::execute (this=0x2240600) at drizzled/statement/select.cc:32
#10 0x00000000007cc7ba in mysql_execute_command (session=0x7f0ba80168b0) at drizzled/sql_parse.cc:479
#11 0x00000000007cd57c in drizzled::mysql_parse (session=0x7f0ba80168b0,
    inBuf=0x218cb38 "SELECT X . `col_int_key` FROM `c` AS X LEFT JOIN `a` AS Y USING ( `col_enum_key` ) WHERE X . `col_enum_key` = ( SELECT `col_int_not_null_key` FROM `aa` WHERE `pk` = 5 ) LIMIT 8", length=176) at drizzled/sql_parse.cc:750
#12 0x00000000007cc10e in drizzled::dispatch_command (command=drizzled::COM_QUERY, session=0x7f0ba80168b0,
    packet=0x7f0ba80018b1 "SELECT X . `col_int_key` FROM `c` AS X LEFT JOIN `a` AS Y USING ( `col_enum_key` ) WHERE X . `col_enum_key` = ( SELECT `col_int_not_null_key` FROM `aa` WHERE `pk` = 5 ) LIMIT 8", packet_length=176)
    at drizzled/sql_parse.cc:224
#13 0x000000000078ef41 in drizzled::Session::executeStatement (this=0x7f0ba80168b0) at drizzled/session.cc:667
#14 0x000000000078e7db in drizzled::Session::run (this=0x7f0ba80168b0) at drizzled/session.cc:522
#15 0x00007f0bbf916b54 in MultiThreadScheduler::runSession (this=0x2146220, session=0x7f0ba80168b0)
    at ./plugin/multi_thread/multi_thread.h:67
#16 0x00007f0bbf9149e2 in session_thread (arg=0x7f0ba80168b0) at plugin/multi_thread/multi_thread.cc:52
#17 0x00007f0bc35f69ca in start_thread (arg=<value optimized out>) at pthread_create.c:300
#18 0x00007f0bc33536fd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#19 0x0000000000000000 in ?? ()

Patrick Crews (patrick-crews) wrote :

This crash only occurs if the server has the transaction log enabled (--transaction-log.enable).

Otherwise, things work as expected.

Patrick Crews (patrick-crews) wrote :

CORRECTION: Not tied to the transaction log!
I had missed copying the keys when creating the test-case.

However, running the test-case below via test-run or the drizzle client results in:
ERROR 1691 (HY000): Received an invalid enum value '1963982848'.

Perhaps this is tied to dbd-drizzle or the randgen itself. Will investigate a bit further / assign myself.

Test case.
--disable_warnings
DROP TABLE IF EXISTS `a`;
DROP TABLE IF EXISTS `aa`;
DROP TABLE IF EXISTS `c`;
--enable_warnings

CREATE TABLE `a` (
  `pk` INT NOT NULL DEFAULT '0',
  `col_enum_key` ENUM('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') DEFAULT NULL,
  PRIMARY KEY (`pk`),
  KEY `col_enum_key` (`col_enum_key`)
) ENGINE=InnoDB COLLATE = utf8_general_ci;

CREATE TABLE `aa` (
  `pk` INT NOT NULL DEFAULT '0',
  `col_int_not_null_key` INT NOT NULL,
  PRIMARY KEY (`pk`),
  KEY `col_int_not_null_key` (`col_int_not_null_key`)
) ENGINE=InnoDB COLLATE = utf8_general_ci;

INSERT INTO `aa` VALUES (1,-523436032),(2,1),(3,621543424),(4,880148480),(5,1963982848),(6,8),(7,1445462016),(8,0),(9,-747241472),(10,6);

CREATE TABLE `c` (
  `pk` INT NOT NULL DEFAULT '0',
  `col_int_key` INT DEFAULT NULL,
  `col_enum_key` ENUM('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') DEFAULT NULL,
  PRIMARY KEY (`pk`),
  KEY `col_int_key` (`col_int_key`),
  KEY `col_enum_key` (`col_enum_key`)
) ENGINE=InnoDB COLLATE = utf8_general_ci;

INSERT INTO `c` VALUES (1,NULL,'h');

SELECT X . `col_int_key` FROM `c` AS X LEFT JOIN `a` AS Y USING ( `col_enum_key` ) WHERE X . `col_enum_key` = ( SELECT `col_int_not_null_key` FROM `aa` WHERE `pk` = 5 ) LIMIT 8 ;

DROP TABLE `a`,`aa`,`c`;

Changed in drizzle:
assignee: nobody → Patrick Crews (patrick-crews)
Andrew Hutchings (linuxjedi) wrote :

Invalid enum seen before: bug#628419

Patrick Crews (patrick-crews) wrote :

Hmmm. For whatever reason, this appears to be the same as:
https://bugs.launchpad.net/drizzle/+bug/628419

Need to dig into this on the randgen / dbd-drizzle side to see what is going on here.

Changed in drizzle:
assignee: Patrick Crews (patrick-crews) → Andrew Hutchings (linuxjedi)
Changed in drizzle:
assignee: Andrew Hutchings (linuxjedi) → nobody
assignee: nobody → Padraig O'Sullivan (posulliv)
Changed in drizzle:
assignee: Padraig O'Sullivan (posulliv) → Andrew Hutchings (linuxjedi)
Andrew Hutchings (linuxjedi) wrote :

This is a duplicate of bug#628419; my original fix doesn't work properly :(

Andrew Hutchings (linuxjedi) wrote :

I can generate several different stacks from this, but the common denominator is drizzled::Join::cleanup at drizzled/join.cc:1900

My only guess is this is cleaning up join table objects that are not fully initialized.

Andrew Hutchings (linuxjedi) wrote :

Valgrind report gives a better detail of the problem:

==26992== Thread 17:
==26992== Conditional jump or move depends on uninitialised value(s)
==26992== at 0x8DE166: drizzled::JoinTable::cleanup() (sql_select.cc:1217)
==26992== by 0x8218AF: drizzled::Join::cleanup(bool) (join.cc:1902)
==26992== by 0x8213D5: drizzled::Join::destroy() (join.cc:1721)
==26992== by 0x8F9328: drizzled::Select_Lex::cleanup() (sql_union.cc:711)
==26992== by 0x8DC2B1: drizzled::mysql_select(drizzled::Session*, drizzled::Item***, drizzled::TableList*, unsigned int, drizzled::List<drizzled::Item>&, drizzled::Item*, unsigned int, drizzled::Order*, drizzled::Order*, drizzled::Item*, unsigned long, drizzled::select_result*, drizzled::Select_Lex_Unit*, drizzled::Select_Lex*) (sql_select.cc:442)
==26992== by 0x8DBB4C: drizzled::handle_select(drizzled::Session*, drizzled::LEX*, drizzled::select_result*, unsigned long) (sql_select.cc:149)
==26992== by 0x8D82D6: drizzled::execute_sqlcom_select(drizzled::Session*, drizzled::TableList*) (sql_parse.cc:544)
==26992== by 0x931192: drizzled::statement::Select::execute() (select.cc:32)
==26992== by 0x8D7F74: drizzled::mysql_execute_command(drizzled::Session*) (sql_parse.cc:479)
==26992== by 0x8D8BBC: drizzled::mysql_parse(drizzled::Session*, char const*, unsigned int) (sql_parse.cc:751)
==26992== by 0x8D7863: drizzled::dispatch_command(drizzled::enum_server_command, drizzled::Session*, char*, unsigned int) (sql_parse.cc:227)
==26992== by 0x8A76C7: drizzled::Session::executeStatement() (session.cc:710)
==26992==
==26992== Conditional jump or move depends on uninitialised value(s)
==26992== at 0x8DE194: drizzled::JoinTable::cleanup() (sql_select.cc:1219)
==26992== by 0x8218AF: drizzled::Join::cleanup(bool) (join.cc:1902)
==26992== by 0x8213D5: drizzled::Join::destroy() (join.cc:1721)
==26992== by 0x8F9328: drizzled::Select_Lex::cleanup() (sql_union.cc:711)
==26992== by 0x8DC2B1: drizzled::mysql_select(drizzled::Session*, drizzled::Item***, drizzled::TableList*, unsigned int, drizzled::List<drizzled::Item>&, drizzled::Item*, unsigned int, drizzled::Order*, drizzled::Order*, drizzled::Item*, unsigned long, drizzled::select_result*, drizzled::Select_Lex_Unit*, drizzled::Select_Lex*) (sql_select.cc:442)
==26992== by 0x8DBB4C: drizzled::handle_select(drizzled::Session*, drizzled::LEX*, drizzled::select_result*, unsigned long) (sql_select.cc:149)
==26992== by 0x8D82D6: drizzled::execute_sqlcom_select(drizzled::Session*, drizzled::TableList*) (sql_parse.cc:544)
==26992== by 0x931192: drizzled::statement::Select::execute() (select.cc:32)
==26992== by 0x8D7F74: drizzled::mysql_execute_command(drizzled::Session*) (sql_parse.cc:479)
==26992== by 0x8D8BBC: drizzled::mysql_parse(drizzled::Session*, char const*, unsigned int) (sql_parse.cc:751)
==26992== by 0x8D7863: drizzled::dispatch_command(drizzled::enum_server_command, drizzled::Session*, char*, unsigned int) (sql_parse.cc:227)
==26992== by 0x8A76C7: drizzled::Session::executeStatement() (session.cc:710)
==26992==
==26992== Conditional jump or move depends on uninitialised value(s)
==26992== at 0x8DE1C3: drizzled::Joi...

Andrew Hutchings (linuxjedi) wrote :

(sorry, the offsets in that are slightly wrong as I have done some hacks to try and figure things out)

Andrew Hutchings (linuxjedi) wrote :

Something else appears to have fixed this in the last couple of weeks, but I added regression suite tests anyway.

Andrew Hutchings (linuxjedi) wrote :

Doesn't crash for me, but does on the build bots :(

Andrew Hutchings (linuxjedi) wrote :

The bug is due to uninitialized classes used in the join optimizer. It can be hit in many other ways too.

Andrew Hutchings (linuxjedi) wrote :

The fix has a lot of valgrind problems; need to rethink allocation and initialization.
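As an added illustration, not Drizzle's own code, of the defect class behind this report (a cleanup routine running `delete quick` on an object whose pointer members were never initialised, which is what Valgrind flags above): the buggy shape beside its hardened form. The `Quick` type, the arena buffer and the idea that the object is carved out of a memory-root arena without its constructor running are assumptions made for the example; the page itself only says the classes are uninitialized.

```cpp
// Added example, not Drizzle's code: the shape of the bug in this report.
// SqlSelect::cleanup() runs `delete quick`; modelled here (an assumption) as
// an object carved out of an arena without its constructor ever running.
#include <cstddef>
#include <cstring>
#include <new>

struct Quick {              // hypothetical stand-in for what `quick` points at
    static int live;        // live-instance counter, to observe deletes
    Quick()  { ++live; }
    ~Quick() { --live; }
};
int Quick::live = 0;

struct SqlSelectBuggy {     // buggy shape: pointer member with no initializer
    Quick *quick;           // stale arena bytes if the ctor never ran
    void cleanup() { delete quick; quick = NULL; }   // UB on a stale pointer
};
struct SqlSelectSafe {      // hardened shape: pointer members initialised
    Quick *quick;
    SqlSelectSafe() : quick(NULL) {}
    void cleanup() { delete quick; quick = NULL; }   // delete NULL is a no-op
};

// Constructed stand-in for a memory-root arena that is reused without zeroing.
alignas(SqlSelectSafe) static unsigned char arena[sizeof(SqlSelectSafe)];

// Buggy shape carved from the arena with no constructor: `quick` is stale 0xAB
// bytes (Valgrind's "depends on uninitialised value(s)"); cleanup() would crash.
bool buggy_object_sees_stale_pointer() {
    std::memset(arena, 0xAB, sizeof(arena));
    unsigned char bytes[sizeof(Quick *)];
    std::memcpy(bytes, arena + offsetof(SqlSelectBuggy, quick), sizeof(bytes));
    for (std::size_t i = 0; i < sizeof(bytes); ++i)
        if (bytes[i] != 0xAB) return false;
    return true;
}

// Hardened shape placed in the same dirty arena via placement new: the ctor
// overwrites the stale bytes, so cleanup() is safe on a fresh object and frees
// an owned Quick exactly once even when called repeatedly.
bool safe_cleanup_is_idempotent() {
    std::memset(arena, 0xAB, sizeof(arena));
    SqlSelectSafe *s = new (arena) SqlSelectSafe();
    s->cleanup();                      // quick == NULL: harmless
    s->quick = new Quick();
    s->cleanup();                      // frees it
    s->cleanup();                      // second call: no double free
    return s->quick == NULL && Quick::live == 0;
}
```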
