Crash in subselect_union_engine::no_rows with double UNION and join_cache_level=3,8

Bug #887458 reported by Philip Stoev
This bug affects 1 person
Affects: MariaDB
Status: Fix Released
Importance: Critical
Assigned to: Oleksandr "Sanja" Byelkin

Bug Description

This query:

SELECT *
FROM t1, t2
WHERE t2.b IN (
        SELECT 'm' UNION
        SELECT 'm'
) OR t1.b <> SOME (
        SELECT 'v' UNION
        SELECT 't'
);

crashes as follows:

#4 <signal handler called>
#5 0x0824c373 in subselect_union_engine::no_rows (this=0xae514c20) at item_subselect.cc:2703
#6 0x0820ec2e in Item_in_optimizer::val_int (this=0xae52ba18) at item_cmpfunc.cc:1701
#7 0x081e2706 in Item::val_int_result (this=0xae52ba18) at item.h:839
#8 0x081dd848 in Item_cache_int::cache_value (this=0xae565b38) at item.cc:8209
#9 0x081e67d2 in Item_cache_wrapper::cache (this=0xae565ac0) at item.cc:7056
#10 0x081dac96 in Item_cache_wrapper::val_int (this=0xae565ac0) at item.cc:7110
#11 0x0820bab4 in Item_func_nop_all::val_int (this=0xae514c40) at item_cmpfunc.cc:401
#12 0x081ca95c in Item::val_bool (this=0xae514c40) at item.cc:197
#13 0x082170b6 in Item_cond_or::val_int (this=0xae52cae0) at item_cmpfunc.cc:4514
#14 0x082f6b52 in SQL_SELECT::skip_record (this=0xae52cb90, thd=0x9edb6e0) at opt_range.h:922
#15 0x082f7749 in JOIN_CACHE::check_match (this=0xae52ce08, rec_ptr=0xae5452d8 "\377\377\002") at sql_join_cache.cc:2422
#16 0x082f3c10 in JOIN_CACHE::generate_full_extensions (this=0xae52ce08, rec_ptr=0xae5452d8 "\377\377\002") at sql_join_cache.cc:2365
#17 0x082f3a19 in JOIN_CACHE::join_matching_records (this=0xae52ce08, skip_last=false) at sql_join_cache.cc:2265
#18 0x082f34d9 in JOIN_CACHE::join_records (this=0xae52ce08, skip_last=false) at sql_join_cache.cc:2062
#19 0x0833dca5 in sub_select_cache (join=0xae526020, join_tab=0xae52c668, end_of_records=true) at sql_select.cc:14913
#20 0x0833debd in sub_select (join=0xae526020, join_tab=0xae52c468, end_of_records=true) at sql_select.cc:15075
#21 0x0833d9ac in do_select (join=0xae526020, fields=0x9edd1b4, table=0x0, procedure=0x0) at sql_select.cc:14797
#22 0x08322206 in JOIN::exec (this=0xae526020) at sql_select.cc:2679
#23 0x08322a32 in mysql_select (thd=0x9edb6e0, rref_pointer_array=0x9edd25c, tables=0xae5130c0, wild_num=1, fields=..., conds=0xae514cd0, og_num=0,
    order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147764736, result=0xae514df0, unit=0x9edce40, select_lex=0x9edd120)
    at sql_select.cc:2900
#24 0x0831a92f in handle_select (thd=0x9edb6e0, lex=0x9edcde4, result=0xae514df0, setup_tables_done_option=0) at sql_select.cc:283
#25 0x082b5050 in execute_sqlcom_select (thd=0x9edb6e0, all_tables=0xae5130c0) at sql_parse.cc:5112
#26 0x082abe0d in mysql_execute_command (thd=0x9edb6e0) at sql_parse.cc:2250
#27 0x082b7691 in mysql_parse (thd=0x9edb6e0,
    rawbuf=0xae512ec0 "SELECT *\nFROM t1, t2\nWHERE t2.b IN (\nSELECT 'm' UNION\nSELECT 'm'\n) OR t1.b <> SOME (\nSELECT 'v' UNION\nSELECT 't'\n)",
    length=114, found_semicolon=0xae883228) at sql_parse.cc:6113
#28 0x082a9a5c in dispatch_command (command=COM_QUERY, thd=0x9edb6e0, packet=0x9f34571 "", packet_length=114) at sql_parse.cc:1221
#29 0x082a8eb7 in do_command (thd=0x9edb6e0) at sql_parse.cc:916
#30 0x082a5e9b in handle_one_connection (arg=0x9edb6e0) at sql_connect.cc:1191
#31 0x00821919 in start_thread () from /lib/libpthread.so.0
#32 0x0076acce in clone () from /lib/libc.so.6

minimal switch: join_cache_level=3
full switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,index_condition_pushdown=off,derived_merge=off,derived_with_keys=off,firstmatch=on,loosescan=on,materialization=off,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=off,semijoin_with_cache=off,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on

explain:

id    select_type         table       type  possible_keys  key   key_len  ref   rows  Extra
1     PRIMARY             t1          ALL   NULL           NULL  NULL     NULL  2
1     PRIMARY             t2          ALL   NULL           NULL  NULL     NULL  2     Using where; Using join buffer (flat, BNL join)
4     DEPENDENT SUBQUERY  NULL        NULL  NULL           NULL  NULL     NULL  NULL  No tables used
5     DEPENDENT UNION     NULL        NULL  NULL           NULL  NULL     NULL  NULL  No tables used
NULL  UNION RESULT        <union4,5>  ALL   NULL           NULL  NULL     NULL  NULL
2     DEPENDENT SUBQUERY  NULL        NULL  NULL           NULL  NULL     NULL  NULL  No tables used
3     DEPENDENT UNION     NULL        NULL  NULL           NULL  NULL     NULL  NULL  No tables used
NULL  UNION RESULT        <union2,3>  ALL   NULL           NULL  NULL     NULL  NULL

 bzr version-info
revision-id: <email address hidden>
date: 2011-11-07 16:39:02 +0400
build-date: 2011-11-08 10:15:29 +0200
revno: 3273
branch-nick: maria-5.3

test case:

CREATE TABLE t2 ( a int, b varchar(1)) ;
INSERT IGNORE INTO t2 VALUES (8,'y'),(8,'y');

CREATE TABLE t1 ( b varchar(1)) ;
INSERT IGNORE INTO t1 VALUES (NULL),(NULL);

SET SESSION join_cache_level=3;

SELECT *
FROM t1, t2
WHERE t2.b IN (
        SELECT 'm' UNION
        SELECT 'm'
) OR t1.b <> SOME (
        SELECT 'v' UNION
        SELECT 't'
);

see also bug https://bugs.launchpad.net/maria/+bug/885162

Changed in maria:
milestone: none → 5.3
assignee: nobody → Timour Katchaounov (timour)
Changed in maria:
importance: Undecided → Critical
status: New → Confirmed
description: updated
Changed in maria:
assignee: Timour Katchaounov (timour) → Oleksandr "Sanja" Byelkin (sanja-byelkin)
Oleksandr "Sanja" Byelkin (sanja-byelkin) wrote :

The same fix as for LP BUG#859375

Changed in maria:
status: Confirmed → Fix Released