Crash in check_and_do_in_subquery_rewrites() with correlated subquery in select list
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MariaDB | Fix Released | High | Timour Katchaounov |
Bug Description
The second execution of the following query as a stored procedure crashes:
```sql
SELECT (
  SELECT t1.a
  FROM t1
  WHERE t1.b = t3.b
    AND t1.b IN ( SELECT a FROM t2 )
)
FROM t3
GROUP BY 1;
```
backtrace:
```
#3 <signal handler called>
#4 0x000000000080af35 in check_and_
#5 0x000000000074f35f in JOIN::prepare (this=0x1104d640, rref_pointer_
order_init=0x0, group_init=0x0, having_init=0x0, proc_param_
#6 0x0000000000633431 in subselect_
#7 0x00000000006383b5 in Item_subselect:
#8 0x000000000063898d in Item_in_
#9 0x00000000005f13cb in Item_in_
#10 0x00000000005eee03 in Item_cond:
#11 0x00000000006f9c68 in setup_conds (thd=0x10f2d108, tables=0x10ff1f08, leaves=..., conds=0x1104d4e0) at sql_base.cc:8333
#12 0x00000000007597b9 in setup_without_group (thd=0x10f2d108, ref_pointer_
conds=
#13 0x000000000074f061 in JOIN::prepare (this=0x11047420, rref_pointer_
og_num=0, order_init=0x0, group_init=0x0, having_init=0x0, proc_param_
#14 0x0000000000633431 in subselect_
#15 0x00000000006383b5 in Item_subselect:
#16 0x00000000006fdac3 in setup_fields (thd=0x10f2d108, ref_pointer_
sum_
#17 0x000000000074efa6 in JOIN::prepare (this=0x11041200, rref_pointer_
order_init=0x0, group_init=
#18 0x0000000000750088 in mysql_select (thd=0x10f2d108, rref_pointer_
order=0x0, group=0x10ff3ba0, having=0x0, proc_param=0x0, select_
at sql_select.cc:2869
#19 0x0000000000756564 in handle_select (thd=0x10f2d108, lex=0x10ff0458, result=0x1103f4b0, setup_tables_
#20 0x00000000006a312e in execute_
#21 0x00000000006a4e0c in mysql_execute_
#22 0x00000000008bbb8f in sp_instr_
#23 0x00000000008bc57f in sp_lex_
at sp_head.cc:2765
#24 0x00000000008bcd1e in sp_instr_
#25 0x00000000008bedc3 in sp_head::execute (this=0x10fefd80, thd=0x10f2d108) at sp_head.cc:1270
#26 0x00000000008bfb53 in sp_head:
#27 0x00000000006ab9ea in mysql_execute_
#28 0x00000000006adba5 in mysql_parse (thd=0x10f2d108, rawbuf=0x10fb2d40 "CALL sp1()", length=10, found_semicolon
#29 0x00000000006aea3d in dispatch_command (command=COM_QUERY, thd=0x10f2d108, packet=0x10fa99c9 "CALL sp1()", packet_length=10) at sql_parse.cc:1208
#30 0x00000000006b004b in do_command (thd=0x10f2d108) at sql_parse.cc:906
#31 0x000000000069a9eb in handle_
#32 0x00000033b600673d in start_thread () from /lib64/
#33 0x00000033b58d40cd in clone () from /lib64/libc.so.6
```
explain:

id | select_type | table | type | possible_keys | key | key_len | ref | rows | Extra
---|---|---|---|---|---|---|---|---|---
1 | PRIMARY | t3 | system | NULL | NULL | NULL | NULL | 1 |
2 | DEPENDENT SUBQUERY | t1 | ALL | NULL | NULL | NULL | NULL | 2 | Using where
3 | DEPENDENT SUBQUERY | t2 | ALL | NULL | NULL | NULL | NULL | 2 | Using where
Does not appear to require any particular optimizer switches. Full optimizer_switch:
index_merge=
test case:
```sql
CREATE TABLE t1 (a int, b int);
INSERT INTO t1 VALUES (10,1),(11,7);
CREATE TABLE t2 (a int);
INSERT INTO t2 VALUES (2),(3);
CREATE TABLE t3 (a int, b int);
INSERT INTO t3 VALUES (1,1);
CREATE PROCEDURE sp1 () LANGUAGE SQL
SELECT (
  SELECT t1.a
  FROM t1
  WHERE t1.b = t3.b
    AND t1.b IN ( SELECT a FROM t2 )
)
FROM t3
GROUP BY 1;
CALL sp1();
CALL sp1();
```
Seems to require that t3 contains exactly 1 row. Reproducible in maria-5.3. Not reproducible on maria-5.2, mysql-5.5.
Changed in | Field | Change
---|---|---
maria | milestone | none → 5.3
maria | assignee | nobody → Timour Katchaounov (timour)
maria | status | Confirmed → In Progress
maria | status | In Progress → Fix Released
Unlike other similar bugs, in this case it is essential to execute the query inside a stored procedure. The crash is not reproducible inside a prepared statement.