crash in select_describe

Bug #1006231 reported by sbester on 2012-05-30
This bug affects 2 people
Affects: MariaDB
Status: Fix Released
Importance: High
Assigned to: Timour Katchaounov
Milestone: (none shown)

Bug Description

I:\ade\build\bzr\maria-5.5>bzr revno
3418

mysqld --no-defaults --console --skip-gr --skip-na --core-file

Version: '5.5.24-MariaDB' socket: '' port: 3306 Source distribution
120530 7:41:32 [ERROR] mysqld got exception 0xc0000005 ;

mysqld.exe!select_describe()[sql_select.cc:21331]
mysqld.exe!JOIN::exec()[sql_select.cc:2319]
mysqld.exe!mysql_select()[sql_select.cc:3016]
mysqld.exe!mysql_explain_union()[sql_select.cc:21818]
mysqld.exe!select_describe()[sql_select.cc:21775]
mysqld.exe!JOIN::exec()[sql_select.cc:2319]
mysqld.exe!mysql_select()[sql_select.cc:3016]
mysqld.exe!mysql_explain_union()[sql_select.cc:21818]
mysqld.exe!select_describe()[sql_select.cc:21775]
mysqld.exe!JOIN::exec()[sql_select.cc:2319]
mysqld.exe!mysql_select()[sql_select.cc:3016]
mysqld.exe!mysql_explain_union()[sql_select.cc:21818]
mysqld.exe!execute_sqlcom_select()[sql_parse.cc:4587]
mysqld.exe!mysql_execute_command()[sql_parse.cc:2184]
mysqld.exe!mysql_parse()[sql_parse.cc:5731]
mysqld.exe!dispatch_command()[sql_parse.cc:1058]
mysqld.exe!do_command()[sql_parse.cc:794]
mysqld.exe!do_handle_one_connection()[sql_connect.cc:1253]
mysqld.exe!handle_one_connection()[sql_connect.cc:1168]
mysqld.exe!pthread_start()[my_winthread.c:60]
mysqld.exe!_callthreadstartex()[threadex.c:314]
mysqld.exe!_threadstartex()[threadex.c:292]

#How to repeat:

drop table if exists `t1`;
create table `t1`(`a1` int)engine=innodb;
insert into `t1` values (1);
explain select 1 from `t1` where 1 like
( select 1 from t1 where 1 <=>
 (select 1 from t1 group by `a1`)
);

Elena Stepanova (elenst) wrote :

Also reproducible on MariaDB 5.3 revno 3526.
Reproducible with the default optimizer_switch as well as all OFF values (except for in_to_exists which is required to run the query or, in this case, explain).
Not reproducible on MySQL trunk revno 3782, MariaDB 5.2.

Changed in maria:
importance: Undecided → High
assignee: nobody → Timour Katchaounov (timour)
milestone: none → 5.3
Timour Katchaounov (timour) wrote :

This bug is already fixed in the 5.5 branch for lp:944706, task MDEV-193.

The bug can be fixed in 5.3 by backporting the MySQL patch for
mysql bug #12330344.

Changed in maria:
status: New → In Progress
Timour Katchaounov (timour) wrote :

Correction to the previous comment. The bug is not a duplicate for lp:1001117.

Analysis:
When a subquery that needs a temp table is executed during the prepare or optimize
phase of the outer query, at the end of the subquery execution all the JOIN_TABs of
the subquery are replaced by a new JOIN_TAB that selects from the temp table.
However that temp table has no corresponding TABLE_LIST. Once EXPLAIN execution
reaches its last phase, it tries to print the names of the subquery tables through
its TABLE_LISTs, but in the case of this bug there is no such TABLE_LIST (it is NULL),
hence a crash.

This bug is not present in the 5.5 branch for lp:944706, task MDEV-193
because this patch takes care of the situation that causes the crash.

The fix in 5.3 is to block subquery evaluation inside Item_func_like::fix_fields
using the Item::is_expensive() test. When the fix is merged into 5.5 it will
interoperate correctly with the fix for lp:944706.

Changed in maria:
status: In Progress → Fix Committed
Changed in maria:
status: Fix Committed → Fix Released
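
The analysis and fix described in the comment above, as an added C++ model that is not part of the original report and not MariaDB source. The names `TableListModel`, `JoinTabModel`, `SubqueryModel`, `like_fix_fields` and `explain_table_names` are hypothetical stand-ins for the structures and functions the comment mentions.

```cpp
// Simplified model of the analysis above; every type and function here is an
// illustrative stand-in, not MariaDB source.
#include <cstdio>
#include <string>
#include <vector>

struct TableListModel { std::string alias; };
struct JoinTabModel { const TableListModel* table_list; };  // nullptr: temp table

struct SubqueryModel {
    TableListModel t1{"t1"};
    std::vector<JoinTabModel> join_tabs;
    bool needs_temp_table = true;  // e.g. the GROUP BY in the test case
    SubqueryModel() { join_tabs.push_back({&t1}); }
    // Stand-in for Item::is_expensive(): subqueries count as expensive.
    bool is_expensive() const { return true; }
    // Execution replaces every join tab with one reading the temp table,
    // which has no TABLE_LIST behind it.
    void execute() {
        if (needs_temp_table) join_tabs.assign(1, JoinTabModel{nullptr});
    }
};

// Stand-in for the prepare-phase hook of LIKE. Without the guard it evaluates
// its argument early, which is the pre-fix behaviour described for 5.3.
void like_fix_fields(SubqueryModel& arg, bool use_expensive_guard) {
    if (use_expensive_guard && arg.is_expensive()) return;  // defer evaluation
    arg.execute();
}

// Stand-in for the last EXPLAIN phase. The crashing code dereferenced
// table_list unconditionally; this model reports the NULL case instead.
bool explain_table_names(const SubqueryModel& sq, std::vector<std::string>& names) {
    for (const JoinTabModel& tab : sq.join_tabs) {
        if (tab.table_list == nullptr) return false;  // would crash here
        names.push_back(tab.table_list->alias);
    }
    return true;
}

int main() {
    SubqueryModel unguarded, guarded;
    std::vector<std::string> a, b;
    like_fix_fields(unguarded, false);
    like_fix_fields(guarded, true);
    std::printf("unguarded: %s\n", explain_table_names(unguarded, a) ? "names ok" : "NULL TABLE_LIST");
    std::printf("guarded:   %s\n", explain_table_names(guarded, b) ? "names ok" : "NULL TABLE_LIST");
    return 0;
}
```

In the model, only the combination of early evaluation and a subquery that needs a temp table leaves EXPLAIN with a NULL `table_list`; the guard removes the early evaluation rather than patching the printing code.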
Jorge Silva (silvas91) wrote :

With my optimizer switch settings and MariaDB 5.3.7:

Thread pointer: 0x02BD73F8
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
004D1D02 mysqld.exe!select_describe()[sql_select.cc:21198]
004E6FBC mysqld.exe!JOIN::exec()[sql_select.cc:2240]
004E7EE2 mysqld.exe!mysql_select()[sql_select.cc:2954]
004E80A8 mysqld.exe!mysql_explain_union()[sql_select.cc:21671]
004D32A6 mysqld.exe!select_describe()[sql_select.cc:21628]
004E6FBC mysqld.exe!JOIN::exec()[sql_select.cc:2240]
004E7EE2 mysqld.exe!mysql_select()[sql_select.cc:2954]
004E80A8 mysqld.exe!mysql_explain_union()[sql_select.cc:21671]
004D32A6 mysqld.exe!select_describe()[sql_select.cc:21628]
004E6FBC mysqld.exe!JOIN::exec()[sql_select.cc:2240]
004E7EE2 mysqld.exe!mysql_select()[sql_select.cc:2954]
004E80A8 mysqld.exe!mysql_explain_union()[sql_select.cc:21671]
00422732 mysqld.exe!execute_sqlcom_select()[sql_parse.cc:5130]
004252E1 mysqld.exe!mysql_execute_command()[sql_parse.cc:2284]
00429F35 mysqld.exe!mysql_parse()[sql_parse.cc:6156]
0042A844 mysqld.exe!dispatch_command()[sql_parse.cc:1230]
0042B40E mysqld.exe!do_command()[sql_parse.cc:927]
004536AC mysqld.exe!handle_one_connection()[sql_connect.cc:1218]
0076EBFD mysqld.exe!pthread_start()[my_winthread.c:90]
00741CB9 mysqld.exe!_callthreadstart()[thread.c:259]
00741D37 mysqld.exe!_threadstart()[thread.c:241]
75D8ED4C kernel32.dll!BaseThreadInitThunk()
777837E3 ntdll.dll!RtlInitializeExceptionChain()
777837B6 ntdll.dll!RtlInitializeExceptionChain()

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (02C2FE08): explain select 1 from `t1` where 1 like
( select 1 from t1 where 1 <=>
 (select 1 from t1 group by `a1`)
)Connection ID (thread ID): 1
Status: NOT_KILLED
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,index_condition_pushdown=on,derived_merge=off,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=off,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on
