Crash / segfault in drizzled::optimizer::SqlSelect::cleanup (this=0x3f1) at drizzled/optimizer/range.cc:388

Bug #628419 reported by Patrick Crews
This bug affects 1 person

Affects      Status        Importance  Assigned to       Milestone
Drizzle      Fix Released  High        Andrew Hutchings
  7.0        Fix Released  High        Andrew Hutchings

Bug Description

Crashing bug on this query:
SELECT X . `col_int_key` FROM `c` AS X LEFT JOIN `a` AS Y USING ( `col_enum_key` ) WHERE X . `col_enum_key` = ( SELECT `col_int_not_null_key` FROM `aa` WHERE `pk` = 5 ) LIMIT 8

Backtrace:

Program terminated with signal 11, Segmentation fault.
#0 0x0000000000733bbe in drizzled::optimizer::SqlSelect::cleanup (this=0x3f1) at drizzled/optimizer/range.cc:388
388 delete quick;
(gdb) backtrace
#0 0x0000000000733bbe in drizzled::optimizer::SqlSelect::cleanup (this=0x3f1) at drizzled/optimizer/range.cc:388
#1 0x0000000000733cb7 in ~SqlSelect (this=0x3f1, __in_chrg=<value optimized out>) at drizzled/optimizer/range.cc:402
#2 0x00000000007c118c in drizzled::JoinTable::cleanup (this=0x2a39568) at drizzled/sql_select.cc:1460
#3 0x00000000006f3e9b in drizzled::Join::cleanup (this=0x29d8b48, full=true) at drizzled/join.cc:1915
#4 0x00000000006f39f4 in drizzled::Join::destroy (this=0x29d8b48) at drizzled/join.cc:1736
#5 0x00000000007dde3b in drizzled::Select_Lex::cleanup (this=0x2963e38) at drizzled/sql_union.cc:711
#6 0x00000000007be835 in drizzled::mysql_select (session=0x29631c0, rref_pointer_array=0x2963ff0, tables=0x2918020, wild_num=0, fields=..., conds=0x29190e8, og_num=0,
    order=0x0, group=0x0, having=0x0, select_options=2147500032, result=0x29d8b28, unit=0x2963c38, select_lex=0x2963e38) at drizzled/sql_select.cc:439
#7 0x00000000007be071 in drizzled::handle_select (session=0x29631c0, lex=0x2963c18, result=0x29d8b28, setup_tables_done_option=0) at drizzled/sql_select.cc:146
#8 0x00000000007ba67b in drizzled::execute_sqlcom_select (session=0x29631c0, all_tables=0x2918020) at drizzled/sql_parse.cc:544
#9 0x0000000000813ebb in drizzled::statement::Select::execute (this=0x2921f30) at drizzled/statement/select.cc:32
#10 0x00000000007ba206 in mysql_execute_command (session=0x29631c0) at drizzled/sql_parse.cc:479
#11 0x00000000007bafc8 in drizzled::mysql_parse (session=0x29631c0,
    inBuf=0x28fc548 "SELECT X . `col_int_key` FROM `c` AS X LEFT JOIN `a` AS Y USING ( `col_enum_key` ) WHERE X . `col_enum_key` = ( SELECT `col_int_not_null_key` FROM `aa` WHERE `pk` = 5 ) LIMIT 8", length=176) at drizzled/sql_parse.cc:750
#12 0x00000000007b9b5a in drizzled::dispatch_command (command=drizzled::COM_QUERY, session=0x29631c0,
    packet=0x2956a01 "SELECT X . `col_int_key` FROM `c` AS X LEFT JOIN `a` AS Y USING ( `col_enum_key` ) WHERE X . `col_enum_key` = ( SELECT `col_int_not_null_key` FROM `aa` WHERE `pk` = 5 ) LIMIT 8", packet_length=176) at drizzled/sql_parse.cc:224
#13 0x000000000077d2e3 in drizzled::Session::executeStatement (this=0x29631c0) at drizzled/session.cc:666
#14 0x000000000077cb8f in drizzled::Session::run (this=0x29631c0) at drizzled/session.cc:522
#15 0x00007f80559c3b54 in MultiThreadScheduler::runSession (this=0x28dfdd0, session=0x29631c0) at ./plugin/multi_thread/multi_thread.h:67
#16 0x00007f80559c19e2 in session_thread (arg=0x29631c0) at plugin/multi_thread/multi_thread.cc:52
#17 0x00007f80596d19ca in start_thread (arg=<value optimized out>) at pthread_create.c:300
#18 0x00007f805942e6fd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#19 0x0000000000000000 in ?? ()

Patrick Crews (patrick-crews) wrote :

Strangely enough, this crashes every time with the randgen, but is not working when I try to produce a test case for the test-suite.
The same query and data produces this error (rather than full-on crash):

drizzletest: At line 135: query 'SELECT X . `col_int_key` FROM `c` AS X LEFT JOIN `a` AS Y USING ( `col_enum_key` ) WHERE X . `col_enum_key` = ( SELECT `col_int_not_null_key` FROM `aa` WHERE `pk` = 5 ) LIMIT 8 ' failed: 1691: Received an invalid enum value '1963982848'.

Patrick Crews (patrick-crews) wrote :

randgen command line:
./gentest.pl --dsn=dbi:drizzle:host=localhost:port=9306:user=root:password=:database=test --threads=1 --engine=Innodb --gendata=conf/drizzle/drizzle.zz --grammar=conf/engines/engine_stress.yy --debug --queries=100000 --threads=1

You can also put the offending query into a randgen grammar by itself and it will crash immediately (leave other values the same).

test-suite test case:

--disable_warnings
DROP TABLE IF EXISTS `a`;
DROP TABLE IF EXISTS `c`;
DROP TABLE IF EXISTS `aa`;
--enable_warnings

CREATE TABLE `a` (
  `col_bigint` bigint DEFAULT NULL,
  `col_enum_not_null` enum('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') NOT NULL,
  `col_enum_not_null_key` enum('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') NOT NULL,
  `col_int_key` int DEFAULT NULL,
  `col_bigint_not_null` bigint NOT NULL,
  `col_enum` enum('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') DEFAULT NULL,
  `col_text_not_null` text NOT NULL,
  `col_char_10_key` varchar(10) DEFAULT NULL,
  `col_int` int DEFAULT NULL,
  `col_char_1024` varchar(1024) DEFAULT NULL,
  `col_char_10_not_null_key` varchar(10) NOT NULL,
  `pk` int NOT NULL AUTO_INCREMENT,
  `col_enum_key` enum('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') DEFAULT NULL,
  `col_char_1024_not_null_key` varchar(1024) NOT NULL,
  `col_char_10` varchar(10) DEFAULT NULL,
  `col_char_1024_key` varchar(1024) DEFAULT NULL,
  `col_text` text,
  `col_text_not_null_key` text NOT NULL,
  `col_bigint_not_null_key` bigint NOT NULL,
  `col_char_1024_not_null` varchar(1024) NOT NULL,
  `col_int_not_null` int NOT NULL,
  `col_int_not_null_key` int NOT NULL,
  `col_char_10_not_null` varchar(10) NOT NULL,
  `col_text_key` text,
  `col_bigint_key` bigint DEFAULT NULL,
  PRIMARY KEY (`pk`),
  KEY `col_enum_not_null_key` (`col_enum_not_null_key`),
  KEY `col_int_key` (`col_int_key`),
  KEY `col_char_10_key` (`col_char_10_key`),
  KEY `col_char_10_not_null_key` (`col_char_10_not_null_key`),
  KEY `col_enum_key` (`col_enum_key`),
  KEY `col_char_1024_not_null_key` (`col_char_1024_not_null_key`(255)),
  KEY `col_char_1024_key` (`col_char_1024_key`(255)),
  KEY `col_text_not_null_key` (`col_text_not_null_key`(255)),
  KEY `col_bigint_not_null_key` (`col_bigint_not_null_key`),
  KEY `col_int_not_null_key` (`col_int_not_null_key`),
  KEY `col_text_key` (`col_text_key`(255)),
  KEY `col_bigint_key` (`col_bigint_key`)
) ENGINE=InnoDB COLLATE = utf8_general_ci;

ALTER TABLE `a` DISABLE KEYS;
ALTER TABLE `a` ENABLE KEYS;

CREATE TABLE `c` (
  `pk` int NOT NULL AUTO_INCREMENT,
  `col_int_key` int DEFAULT NULL,
  `col_text_not_null_key` text NOT NULL,
  `col_bigint_key` bigint DEFAULT NULL,
  `col_char_10_not_null` varchar(10) NOT NULL,
  `col_text_key` text,
  `col_char_10_not_null_key` varchar(10) NOT NULL,
  `col_enum` enum('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') DEFAULT NULL,
  `col_text_not_null` text NOT NULL,
  `col_enum_key` enum('a...


Changed in drizzle:
status: New → Confirmed
Patrick Crews (patrick-crews) wrote :

It might be possible that this is due to an issue with dbd-drizzle.

Similar backtrace was seen for a different crash.

This doesn't explain the lack of dbd-drizzle crash output, but it would account for why test-run.pl is able to handle this query but the randgen fails (possibly the error code isn't handled correctly?).

Andrew Hutchings (linuxjedi) wrote :

Most likely cause is that session->is_error() has not been cleared from the previous query. Then an unused join condition is cleared in mysql_select, causing a segfault.

If I'm right, we need to find what dbd-drizzle does differently so that errors are not cleared, and make sure the 'quick' pointer is handled nicely. I see another (unlikely) case where a segfault with this variable can happen too.

Changed in drizzle:
assignee: nobody → Andrew Hutchings (linuxjedi)
importance: Undecided → High
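The mechanism suspected in the comment above (a stale session error makes planning bail out, then the normal cleanup chain JoinTable::cleanup -> ~SqlSelect -> SqlSelect::cleanup runs `delete quick` on an object that was never populated, hence `this=0x3f1`) is the classic "cleanup on uninitialised owner" bug. The block below is an added illustration written for this page, not Drizzle code: the names JoinTable, SqlSelect, quick and Session::is_error() mirror the frames in the backtrace, but every body is a hypothetical stand-in. It shows the hardened shape, where owning pointers start null, cleanup is idempotent, and the per-statement error flag gates planning, so the same early-error path that crashed the server is harmless.

```cpp
// Added illustration; not Drizzle code. Names mirror the backtrace frames but
// the bodies are hypothetical stand-ins written for this example.
#include <cstdio>
#include <memory>

namespace example {

// Stand-in for the range-scan object that SqlSelect::quick owns.
struct QuickSelect {
    int rows = 0;
};

// Stand-in for drizzled::optimizer::SqlSelect. Owning the scan through
// unique_ptr means a never-populated object holds nullptr, so cleanup() is a
// no-op instead of a `delete` of whatever bytes happened to be in the slot.
struct SqlSelect {
    std::unique_ptr<QuickSelect> quick;
    int cleanup_calls = 0;
    void cleanup() {
        quick.reset();      // frees if set; harmless when already null
        ++cleanup_calls;
    }
    ~SqlSelect() { cleanup(); }
};

// Stand-in for drizzled::JoinTable. In the crash, `select` held 0x3f1: a
// pointer that was never assigned before Join::cleanup() walked the tables.
struct JoinTable {
    std::unique_ptr<SqlSelect> select;   // starts null, never garbage
    void cleanup() { select.reset(); }
    ~JoinTable() { cleanup(); }
};

// Stand-in for Session: a sticky error flag that must be reset per statement.
struct Session {
    bool error = false;
    bool is_error() const { return error; }
    void clear_error() { error = false; }
};

// Planning step. Bails out early when the session is already in an error
// state, which is the situation suspected in the bug: a stale error from the
// previous statement means the optimizer never populates `select`.
bool plan_join(Session &s, JoinTable &jt, bool subquery_fails) {
    if (s.is_error()) return false;                      // stale error: nothing built
    if (subquery_fails) { s.error = true; return false; } // this statement's own error
    jt.select.reset(new SqlSelect);
    jt.select->quick.reset(new QuickSelect);
    return true;
}

struct Outcome {
    bool planned;        // did the optimizer build the select?
    bool error_after;    // is the session still flagged after the statement?
};

// Execute one statement: plan, then run the same cleanup chain the backtrace
// shows. Cleanup is reached on both the success and the error path, so it
// must be safe on an object that planning never touched.
Outcome run_statement(Session &s, bool subquery_fails) {
    JoinTable jt;
    bool planned = plan_join(s, jt, subquery_fails);
    if (jt.select) jt.select->cleanup();   // explicit cleanup, as JoinTable::cleanup does
    jt.cleanup();                          // destructor path: second cleanup must be harmless
    return Outcome{planned, s.is_error()};
}

// Calling cleanup() twice on a populated SqlSelect must not double-free.
int cleanup_twice() {
    SqlSelect sel;
    sel.quick.reset(new QuickSelect);
    sel.cleanup();
    sel.cleanup();
    return sel.cleanup_calls;   // 2 calls, one free
}

} // namespace example

int main() {
    using namespace example;
    Session s;
    Outcome a = run_statement(s, true);   // subquery raises an error
    Outcome b = run_statement(s, false);  // error never cleared: planning skipped, no crash
    s.clear_error();                      // what dispatch should do before each statement
    Outcome c = run_statement(s, false);
    std::printf("planned: %d %d %d; error after: %d %d %d; cleanup_twice: %d\n",
                a.planned, b.planned, c.planned,
                a.error_after, b.error_after, c.error_after, cleanup_twice());
    return 0;
}
```

The second statement in main is the interesting one: with the error flag still set from the first statement, planning is skipped, yet the cleanup chain runs over a JoinTable whose owning pointers are known-null rather than uninitialised, so there is nothing to dereference. Clearing the flag per statement restores normal planning; both fixes (initialised owners and per-statement error reset) are needed, since either alone leaves one of the two paths exposed.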