Crash on a simple select that uses a temptable view

Bug #1001117 reported by Igor Babaev on 2012-05-18
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
Timour Katchaounov

Bug Description

The following test case causes a crash of the server in MariaDB 5.5:

SELECT 1 FROM t1 AS t1_0 JOIN t1 ON t1_0.a LIKE (SELECT 1 FROM t1);

(see also bug #12330344 from mysql code line)

Igor Babaev (igorb-seattle) wrote :

I failed to reproduce the crash on MariaDB 5.2/5.3.

Changed in maria:
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → Oleksandr "Sanja" Byelkin (sanja-byelkin)
milestone: none → 5.5
Changed in maria:
assignee: Oleksandr "Sanja" Byelkin (sanja-byelkin) → Sergey Petrunia (sergefp)
Sergey Petrunia (sergefp) wrote :

The bug shows two problems:

1. [As mentioned in the original bug] Subquery is evaluated while thd->mem_root is pointing to range optimizer's temporary MEM_ROOT

2. Subquery is evaluated by the optimizer. We've had a goal of this not happening, apparently there are still cases where it does happen.

Sergey Petrunia (sergefp) wrote :

Results of discussion with Timour:

1. Backport the original fix.
2. Also, make this: let Item_func_like::select_optimize() evaluate its right argument only if it's constant AND not expensive.

Sergey Petrunia (sergefp) wrote :

The fix has interesting interplay with fix for BUG#944706, will need to discuss with Timour again.

Changed in maria:
status: Confirmed → In Progress
Elena Stepanova (elenst) on 2012-05-20
tags: added: crash optimizer partition view
Sergey Petrunia (sergefp) wrote :

As discussed, re-assigning to Timour, because testscase also shows problem with his fix for constant subqueries.

Changed in maria:
assignee: Sergey Petrunia (sergefp) → Timour Katchaounov (timour)
Timour Katchaounov (timour) wrote :

The fix for bug lp:944706 (MDEV-193) makes the fix by MySQL unnecessary.
The reason is that the patch for lp:944706 pre-optimizes all constant
subqueries. Therefore, the subquery in test case is optimized in the
thread MEM_ROOT, and all its related data structures are there. Thus
deleting works fine. Item_func_like::select_optimize only executes the
subquery, which is fine too.

Unlike MariaDB, MySQL still has lazy optimization. As a result, when
Item_func_like::select_optimize executes the subquery, it also optimizes
the subquery just before execution. Naturally, this happens in the wrong
MEM_ROOT which is deleted after we exit the range optimizer. When the
recursive JOIN cleanup tries to delete optimizer-related class members
of the subquery, this memory is already gone, hence we get a crash.

So with respect to this specific bug, there is nothing to fix.
I will add an is_expensive() guard + the test case to the tree with the lp:944706 fix.
I will not add MySQL's patch, as it is not needed.

Changed in maria:
status: In Progress → Fix Committed
Changed in maria:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers