Crash with get_fanout_with_deps in maria-5.3-mwl90

Bug #780359 reported by Philip Stoev
Affects: MariaDB
Status: Fix Released
Importance: Medium
Assigned to: Sergey Petrunia
Milestone: 5.3

Bug Description

If the WHERE clause of the subquery contains two mutually exclusive conditions over the same column, mysqld crashes as follows:

#4 <signal handler called>
#5 0x0824311b in get_fanout_with_deps (join=0xae62ed30, tset=1) at item_subselect.cc:4109
#6 0x0824333a in get_post_group_estimate (join=0xae62ed30, join_op_rows=1) at item_subselect.cc:4238
#7 0x082434ff in subselect_hash_sj_engine::optimize (this=0xae6145e8, out_rows=0xae99ed08, cost=0xae99ed00) at item_subselect.cc:4299
#8 0x0823afa2 in Item_subselect::optimize (this=0xae614040, out_rows=0xae99ed08, cost=0xae99ed00) at item_subselect.cc:481
#9 0x083c7e5e in get_delayed_table_estimates (table=0xae626b50, out_rows=0xae636488, scan_time=0xae636498, startup_cost=0xae6364a8) at opt_subselect.cc:858
#10 0x08312e23 in make_join_statistics (join=0xae629ac0, tables_arg=0xae613098, conds=0xae636060, keyuse_array=0xae62ebf0) at sql_select.cc:3233
#11 0x0830b6a7 in JOIN::optimize (this=0xae629ac0) at sql_select.cc:990
#12 0x0831116f in mysql_select (thd=0xa2f4de0, rref_pointer_array=0xa2f6884, tables=0xae613098, wild_num=1, fields=..., conds=0xae614040, og_num=0,
    order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147764736, result=0xae6141d0, unit=0xa2f64e0, select_lex=0xa2f6780)
    at sql_select.cc:2693
#13 0x08309843 in handle_select (thd=0xa2f4de0, lex=0xa2f6484, result=0xae6141d0, setup_tables_done_option=0) at sql_select.cc:280
#14 0x082a6a63 in execute_sqlcom_select (thd=0xa2f4de0, all_tables=0xae613098) at sql_parse.cc:5094
#15 0x0829d8ad in mysql_execute_command (thd=0xa2f4de0) at sql_parse.cc:2239
#16 0x082a9009 in mysql_parse (thd=0xa2f4de0,
    rawbuf=0xae612eb0 "SELECT *\nFROM t1\nWHERE ( f1 ) IN (\nSELECT t2.f3\nFROM t2\nWHERE t2.f3 = 97\nAND t2.f3 = 50\nGROUP BY 1\n)", length=100,
    found_semicolon=0xae9a0228) at sql_parse.cc:6094
#17 0x0829b533 in dispatch_command (command=COM_QUERY, thd=0xa2f4de0,
    packet=0xa34f9f1 "SELECT *\nFROM t1\nWHERE ( f1 ) IN (\nSELECT t2.f3\nFROM t2\nWHERE t2.f3 = 97\nAND t2.f3 = 50\nGROUP BY 1\n)", packet_length=100)
    at sql_parse.cc:1215
#18 0x0829a991 in do_command (thd=0xa2f4de0) at sql_parse.cc:904
#19 0x08297a44 in handle_one_connection (arg=0xa2f4de0) at sql_connect.cc:1154
#20 0x00821919 in start_thread () from /lib/libpthread.so.0
#21 0x0076acce in clone () from /lib/libc.so.6

test case:

DROP TABLE IF EXISTS t1;
CREATE TABLE t1 ( f1 int ) ;
INSERT INTO t1 VALUES (2),(2);

DROP TABLE IF EXISTS t2;
CREATE TABLE t2 (f3 int) ;
INSERT INTO t2 VALUES (2),(2);

SELECT *
FROM t1
WHERE ( f1 ) IN (
        SELECT t2.f3
        FROM t2
        WHERE t2.f3 = 97
        AND t2.f3 = 50
        GROUP BY 1
);

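Added regression sketch (written for this page, not part of the bug report or of the MariaDB test suite): the reporter's tables and query, annotated with the result the server must return once the crash is fixed, plus a few constructed variants that bracket the trigger. The only certain expectation is the one the SQL semantics dictate: t2.f3 cannot equal both 97 and 50, so the subquery is empty and the outer SELECT must return an empty set. The comment on the EXPLAIN is an assumption about optimizer output, not something the report states.

```sql
-- Added example, not from the bug report. Reporter's tables, recreated.
DROP TABLE IF EXISTS t1, t2;
CREATE TABLE t1 (f1 INT);
INSERT INTO t1 VALUES (2),(2);
CREATE TABLE t2 (f3 INT);
INSERT INTO t2 VALUES (2),(2);

-- 1. The reporter's query. Expected on a fixed build: empty set, no crash.
SELECT * FROM t1
WHERE (f1) IN (SELECT t2.f3 FROM t2
               WHERE t2.f3 = 97 AND t2.f3 = 50
               GROUP BY 1);

-- 2. Same contradictory WHERE without the GROUP BY. Constructed to check
--    whether GROUP BY is needed to reach the crashing path: the backtrace
--    goes through get_post_group_estimate() before get_fanout_with_deps().
--    Expected result either way: empty set.
SELECT * FROM t1
WHERE (f1) IN (SELECT t2.f3 FROM t2
               WHERE t2.f3 = 97 AND t2.f3 = 50);

-- 3. Contradiction that does not come from two predicates on one column.
--    Expected: empty set.
SELECT * FROM t1
WHERE (f1) IN (SELECT t2.f3 FROM t2
               WHERE t2.f3 = 97 AND 1 = 0
               GROUP BY 1);

-- 4. Control: satisfiable subquery on the same materialization path.
--    Expected: two rows, both with f1 = 2.
SELECT * FROM t1
WHERE (f1) IN (SELECT t2.f3 FROM t2
               WHERE t2.f3 = 2
               GROUP BY 1);

-- 5. Plan for the reporter's query. Assumption (not stated in the report):
--    the subquery row is expected to carry "Impossible WHERE" in Extra,
--    i.e. the optimizer folds f3 = 97 AND f3 = 50 to a constant-false
--    condition before the subquery engine estimates its cost.
EXPLAIN EXTENDED
SELECT * FROM t1
WHERE (f1) IN (SELECT t2.f3 FROM t2
               WHERE t2.f3 = 97 AND t2.f3 = 50
               GROUP BY 1);
```

Run this against an affected maria-5.3-mwl90 build to reproduce (query 1 should produce the backtrace above), and against a build with the fix to confirm the results match the comments. Queries 2 to 4 only narrow down which part of the query is required; they make no claim about whether each one crashes.
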
Changed in maria:
assignee: nobody → Sergey Petrunia (sergefp)
milestone: none → 5.3
Changed in maria:
status: New → Fix Committed
importance: Undecided → Medium
Changed in maria:
status: Fix Committed → Fix Released