Server crashes in Item_field::fix_after_pullout on INSERT .. SELECT with derived_merge+semijoin, FROM subquery and IN subquery
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| MariaDB | Fix Released | Critical | Sergey Petrunia | |
Bug Description
```
#4 <signal handler called>
#5 0x082005f4 in Item_field:
    at item.cc:2443
#6 0x0820c2fe in Item_ref:
    at item.cc:7376
#7 0x08225b78 in Item_func:
    at item_func.cc:257
#8 0x084200cf in convert_subq_to_sj (parent_
#9 0x0841f176 in convert_
#10 0x08352904 in JOIN::optimize (this=0x9479568) at sql_select.cc:937
#11 0x0835927c in mysql_select (thd=0x93efae0, rref_pointer_
    fields=..., conds=0x9460868, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0,
    select_
#12 0x08350f7f in handle_select (thd=0x93efae0, lex=0x93f1204, result=0x9460bc0,
    setup_
#13 0x082e623f in mysql_execute_
#14 0x082ee6c0 in mysql_parse (thd=0x93efae0,
    rawbuf=
#15 0x082e10a1 in dispatch_command (command=COM_QUERY, thd=0x93efae0,
    packet=
#16 0x082e054b in do_command (thd=0x93efae0) at sql_parse.cc:923
#17 0x082dd4d1 in handle_
#18 0xb76a0b25 in start_thread () from /lib/libpthread
```
bzr version-info
revision-id: <email address hidden>
date: 2012-03-05 22:33:46 -0800
build-date: 2012-03-12 02:05:03 +0400
revno: 3455
Also reproducible on MariaDB 5.5 (revno 3316).
No crash on mysql-trunk (revno 3706).
Could not reproduce with a view instead of a FROM subquery.
No crash with SELECT without INSERT.
EXPLAIN for SELECT with default optimizer switch (INSERT .. SELECT crashes):
| id | select_type | table | type | possible_keys | key | key_len | ref | rows | filtered | Extra |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | PRIMARY | t1 | ALL | NULL | NULL | NULL | NULL | 2 | 100.00 | |
| 1 | PRIMARY | `<subquery3>` | eq_ref | distinct_key | distinct_key | 4 | func | 1 | 100.00 | |
| 3 | MATERIALIZED | t2 | ALL | NULL | NULL | NULL | NULL | 2 | 100.00 | |
Warnings:
Note 1003 select `test`.`t1`.`a` AS `a` from `test`.`t1` semi join (`test`.`t2`) where 1
EXPLAIN for SELECT with minimal optimizer switch, derived_
| id | select_type | table | type | possible_keys | key | key_len | ref | rows | filtered | Extra |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | PRIMARY | t1 | ALL | NULL | NULL | NULL | NULL | 2 | 100.00 | |
| 1 | PRIMARY | t2 | ALL | NULL | NULL | NULL | NULL | 2 | 100.00 | Using where; Start temporary; End temporary |
Warnings:
Note 1003 select `test`.`t1`.`a` AS `a` from `test`.`t1` semi join (`test`.`t2`) where (`test`.`t2`.`b` = `test`.`t1`.`a`)
Minimal optimizer_switch: derived_
Full optimizer_switch (default): index_merge=
Test case:
```sql
CREATE TABLE t1 ( a INT );
INSERT INTO t1 VALUES (1),(2);
CREATE TABLE t2 ( b INT );
INSERT INTO t2 VALUES (3),(4);
-- FROM subquery (merged by derived_merge) combined with an IN subquery (converted to a semijoin);
-- the same SELECT without the INSERT does not crash
INSERT INTO t1
SELECT * FROM ( SELECT * FROM t1 ) AS alias
WHERE a IN ( SELECT b FROM t2 );
# End of test case
```
Changed in maria:
- importance: Undecided → Critical
- status: New → Confirmed
- assignee: Oleksandr "Sanja" Byelkin (sanja-byelkin) → Sergey Petrunia (sergefp)

Changed in maria:
- status: Confirmed → In Progress

Changed in maria:
- status: In Progress → Fix Committed

Changed in maria:
- status: Fix Committed → Fix Released
The problem is that Item_field->context==NULL. I was not aware that this was possible when coding Item_field::fix_after_pullout().
If I track down how such Item_field was created, I can see that such field objects are created only when running INSERT ... SELECT:
```
#0 Item_field::Item_field (...) at item.cc:2050
#1 0x08347d42 in TABLE_LIST::change_refs_to_fields (...) at table.cc:6066
#2 0x0833b007 in unique_table (...) at sql_base.cc:1740
#3 0x08398598 in select_insert::prepare (...) at sql_insert.cc:3173
#4 0x08385d2b in JOIN::prepare (...) at sql_select.cc:834
#5 0x08386125 in mysql_select (...) at sql_select.cc:2930
```
select_insert::prepare is special; select_send::prepare and other select_result objects do not perform such actions.
The fix seems to be easy: we won't need to call fix_fields() for such items (they are created fixed), or do another name resolution, so we can just ignore the absent "context".