Query in trigger causes MariaDB 5.3 to crash or throw Valgrind errors in my_strcasecmp_utf8

Bug #915222 reported by Launchpad Neb
Affects: MariaDB
Status: Fix Released
Importance: High
Assigned to: Igor Babaev

Bug Description

On various 32bit Windows systems, MariaDB 5.3.3 (not 5.2.10) crashes when a specific query within a trigger is executed. There is no entry in the Windows events log, just the following entry in MariaDB's error log. This log is from a dev PC running on Windows XP with MariaDB 5.3.3, serving as a slave. The replication master runs on 5.2.10. I will check if the same problems occur on the Linux platform as well.

120112 9:48:04 [ERROR] mysqld got exception 0xc0000005 ;
This could be because you hit a bug. [...]

Server version: 5.3.3-MariaDB-log
key_buffer_size=0
read_buffer_size=4194304
max_used_connections=0
max_threads=62
threads_connected=0
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 762338 K ²)
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x3a0b5730
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
007D1464 mysqld.exe!my_wildcmp_unicode()
0057E062 mysqld.exe!?check_duplicate_names@@YA_NAAV?$List@VItem@@@@_N@Z()
0058ECC0 mysqld.exe!?mysql_derived_prepare@@YA_NPAVTHD@@PAUst_lex@@PAUTABLE_LIST@@@Z()
0058E4EA mysqld.exe!?mysql_handle_single_derived@@YA_NPAUst_lex@@PAUTABLE_LIST@@I@Z()
004F1B0F mysqld.exe!?handle_derived@TABLE_LIST@@QAE_NPAUst_lex@@I@Z()
004A2A98 mysqld.exe!?handle_derived@st_select_lex@@QAE_NPAUst_lex@@I@Z()
0050F1E2 mysqld.exe!?prepare@JOIN@@QAEHPAPAPAVItem@@PAUTABLE_LIST@@IPAV2@IPAUst_order@@323PAVst_select_lex@@PAVst_select_lex_unit@@@Z()
005442FD mysqld.exe!?prepare@st_select_lex_unit@@QAE_NPAVTHD@@PAVselect_result@@K@Z()
00544F61 mysqld.exe!?mysql_union@@YA_NPAVTHD@@PAUst_lex@@PAVselect_result@@PAVst_select_lex_unit@@K@Z()
00517308 mysqld.exe!?handle_select@@YA_NPAVTHD@@PAUst_lex@@PAVselect_result@@K@Z()
00456DEF mysqld.exe!?mysql_execute_command@@YAHPAVTHD@@@Z()
00567C1F mysqld.exe!?exec_core@sp_instr_stmt@@UAEHPAVTHD@@PAI@Z()
00569E09 mysqld.exe!?reset_lex_and_exec_core@sp_lex_keeper@@QAEHPAVTHD@@PAI_NPAVsp_instr@@@Z()
00569F8C mysqld.exe!?execute@sp_instr_stmt@@UAEHPAVTHD@@PAI@Z()
0056B2DE mysqld.exe!?execute@sp_head@@AAE_NPAVTHD@@@Z()
0056B779 mysqld.exe!?execute_trigger@sp_head@@QAE_NPAVTHD@@PBUst_mysql_lex_string@@1PAUst_grant_info@@@Z()
0057B5EF mysqld.exe!?process_triggers@Table_triggers_list@@QAE_NPAVTHD@@W4trg_event_type@@W4trg_action_time_type@@_N@Z()
00585466 mysqld.exe!?mysql_update@@YAHPAVTHD@@PAUTABLE_LIST@@AAV?$List@VItem@@@@2PAVItem@@IPAUst_order@@_KW4enum_duplicates@@_N@Z()
00456A6C mysqld.exe!?mysql_execute_command@@YAHPAVTHD@@@Z()
0045A175 mysqld.exe!?mysql_parse@@YAXPAVTHD@@PADIPAPBD@Z()
004ECBAD mysqld.exe!?do_apply_event@Query_log_event@@QAEHPBVRelay_log_info@@PBDI@Z()
004ED204 mysqld.exe!?do_apply_event@Query_log_event@@UAEHPBVRelay_log_info@@@Z()
0041BD77 mysqld.exe!?apply_event_and_update_pos@@YAHPAVLog_event@@PAVTHD@@PAVRelay_log_info@@@Z()
00420685 mysqld.exe!?show_master_info@@YA_NPAVTHD@@PAVMaster_info@@@Z()
00422629 mysqld.exe!handle_slave_sql()
007ADFCD mysqld.exe!pthread_start()
00781A99 mysqld.exe!evsignal_add()
00781B17 mysqld.exe!evsignal_add()
7C80B713 kernel32.dll!GetModuleFileNameA()

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (4149BBD0): =REPLACE INTO `dbwv`.`kd_statistik`
    SELECT DISTINCT `b`.`vorgangsnummer` AS `vorgangsnummer`,
    MAKE_SET(`dbwv`.`kd_profitcenter`.`debitornummer`, 'r','2.r','4.r') AS `debitor`,
    `dbwv`.`kd_profitcenter`.`bezeichnung` AS `markt`,
    `dbwv`.`kd_profitcenter`.`bkz` AS `bkz`,
    `dbwv`.`kd_profitcenter`.`profitcenternummer` AS `profitcenter`,
    `dbwv`.`kd_profitcenter`.`kostenstelle` AS `kostenstelle`,
    CONCAT('#',`auftview`.`seriennummer`) AS `seriennummer`,
    name_deutsch AS `gerätetyp`,
    sonderbez_beleg AS `bemerkungen`,
    REPLACE(`b`.`einzelbetrag`,'.',',') AS `nettobetrag`,
    CONCAT('K',b.belegnummer) AS `kva-nummer`,
    (SELECT DISTINCT DATE_FORMAT(`bb`.`datum`,'%d.%m.%Y') FROM `dbwv`.`v_belege` `bb` WHERE ((`bb`.`vorgangsnummer` = `b`.`vorgangsnummer`) AND (`bb`.`belegart` = 2))) AS `kva erstellt`,
    (SELECT DISTINCT DATE_FORMAT(`bc`.`statusdatum`,'%d.%m.%Y') FROM `dbwv`.`v_belege` `bc` WHERE ((`bc`.`vorgangsnummer` = `b`.`vorgangsnummer`) AND (`bc`.`belegart` = 2))) AS `auftrag`,
    (dbwv.p_workday_diff(
    (SELECT `be`.`datum` FROM `dbwv`.`v_belege` `be` WHERE ((`be`.`vorgangsnummer` = `b`.`vorgangsnummer`) AND (`be`.`belegart` = 4))),
    (SELECT `bc`.`statusdatum` FROM `dbwv`.`v_belege` `bc` WHERE ((`bc`.`vorgangsnummer` = `b`.`vorgangsnummer`) AND (`bc`.`belegart` = 2)))
    )
    ) AS `dauer tage`,
    CONCAT('L',(SELECT DISTINCT `bd`.`belegnummer` AS `belegnummer` FROM `dbwv`.`v_belege` `bd` WHERE ((`bd`.`vorgangsnummer` = `b`.`vorgangsnummer`) AND (`bd`.`belegart` = 4))),' vom ', (SELECT DATE_FORMAT(`be`.`datum`,'%d.%m.%Y') FROM `dbwv`.`v_belege` `be` WHERE ((`be`.`vorgangsnummer` = `b`.`vorgangsnummer`) AND (`be`.`belegart` = 4)))) AS `lieferschein vom`,
    CONCAT('R',CONVERT((SELECT `be`.`belegnummer` AS `belegnummer` FROM `dbwv`.`v_belege` `be` WHERE ((`be`.`vorgangsnummer` = `b`.`vorgangsnummer`) AND (`be`.`belegart` = 5))) using utf8), ' vom ',(SELECT date_format(`bf`.`datum`, '%d.%m.%Y') FROM `dbwv`.`v_belege` `bf` WHERE ((`bf`.`vorgangsnummer` = `b`.`vorgangsnummer`) AND (`bf`.`belegart` = 5)))) AS `rechunng vom`,
    `dbwv`.`kd_profitcenter`.`firma` AS `cust`
    FROM ((`dbwv`.`v_belege` `b`
    LEFT JOIN `dbw2`.`auftview` on((`b`.`vorgangsnummer` = `auftview`.`vorgangsnr`)))
    LEFT JOIN `dbwv`.`kd_profitcenter` on((`auftview`.`kundenid` = `dbwv`.`kd_profitcenter`.`kundennummer`)))
    WHERE ((`b`.`belegart` = 2) AND (NEW.vorgangsnr = `auftview`.`vorgangsnr`) AND (uid IN (63282,63211,63212,63213)))
    UNION
    SELECT DISTINCT `b`.`vorgangsnummer` AS `vorgangsnummer`,
    MAKE_SET(`dbwv`.`kd_profitcenter`.`debitornummer`, 'r','2.r','4.r') AS `debitor`,
    `dbwv`.`kd_profitcenter`.`Bezeichnung` AS `markt`,
    `dbwv`.`kd_profitcenter`.`bkz` AS `bkz`,
    `dbwv`.`kd_profitcenter`.`profitcenternummer` AS `profitcenter`,
    `dbwv`.`kd_profitcenter`.`kostenstelle` AS `kostenstelle`,
    CONCAT('#',`auftview`.`seriennummer`) AS `seriennummer`,
    `auftview`.`name_deutsch` AS `gerätetyp`,
    sonderbez AS `bemerkungen`,
    NULL AS `nettobetrag`,
    NULL AS `kva-nummer`,
    NULL AS `kva erstellt`,
    NULL AS `auftrag`,
    NULL AS `dauer tage`,
    CONCAT('L',`belegnummer`,' vom ', DATE_FORMAT(`datum`,'%d.%m.%Y')) AS `lieferschein vom`,
    NULL AS `rechnung vom`,
    `dbwv`.`kd_profitcenter`.`Firma` AS `cust`
    FROM ((`dbw2`.`auftview`
    LEFT JOIN `dbwv`.`v_belege` `b` on((`b`.`vorgangsnummer` = `auftview`.`vorgangsnr`)))
    LEFT JOIN `dbwv`.`kd_profitcenter` on((`auftview`.`kundenid` = `dbwv`.`kd_profitcenter`.`kundennummer`)))
    WHERE ((`b`.`belegart` = 4) AND (NEW.vorgangsnr = `auftview`.`vorgangsnr`) AND (uid IN (63282,63211,63212,63213)) AND ((SELECT DISTINCT belegliste.techniknummer FROM dbwv.belegliste WHERE belegart=5 AND belegliste.techniknummer=auftview.techniknr) IS NULL))
Connection ID (thread ID): 2
Status: NOT_KILLED
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on

²) The same also occurs when the slave is set to use much less memory (e.g. 128000K).

Revision history for this message
Launchpad Neb (78luphr0rnk2nuqimstywepozxn9kl19tqh0tx66b5dki1xxsh5mkz9gl21a5rlwfnr8jn-launchpad-a811i2i3ytqlsztthjth0svbccw8inm65tmkqp9sarr553jq53in4xm1m8wn3o4rlwaer0) wrote :

MariaDB 5.3.3 crashes rather randomly on Debian 6.0 (Squeeze):
120112 11:51:35 [ERROR] mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

Server version: 5.3.3-MariaDB-rc-debug
key_buffer_size=0
read_buffer_size=262144
max_used_connections=1
max_threads=153
threads_connected=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 118730 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x92df3f8
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0xad94433c thread_stack 0x48000
/opt/mariadb/libexec/mysqld(my_print_stacktrace+0x22) [0x85c5da2]
/opt/mariadb/libexec/mysqld(handle_segfault+0x343) [0x8262b66]
[0xb778e400]
/lib/i686/cmov/libc.so.6(abort+0x182) [0xb74a0b82]
/lib/i686/cmov/libc.so.6(__assert_fail+0xf8) [0xb74968b8]
/opt/mariadb/libexec/mysqld(Item_subselect::fix_fields(THD*, Item**)+0x7c) [0x82066de]
/opt/mariadb/libexec/mysqld(sp_prepare_func_item(THD*, Item**)+0x92) [0x8457940]
/opt/mariadb/libexec/mysqld(sp_instr_jump_if_not::exec_core(THD*, unsigned int*)+0x1b) [0x845e681]
/opt/mariadb/libexec/mysqld(sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*)+0x1cc) [0x845d864]
/opt/mariadb/libexec/mysqld(sp_instr_jump_if_not::execute(THD*, unsigned int*)+0xa8) [0x845e650]
/opt/mariadb/libexec/mysqld(sp_head::execute(THD*)+0x4c6) [0x845a290]
/opt/mariadb/libexec/mysqld(sp_head::execute_trigger(THD*, st_mysql_lex_string const*, st_mysql_lex_string const*, st_grant_info*)+0x2ef) [0x845ac17]
/opt/mariadb/libexec/mysqld(Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool)+0x196) [0x846e640]
/opt/mariadb/libexec/mysqld(mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, enum_duplicates, bool)+0x1817) [0x834005f]
/opt/mariadb/libexec/mysqld(mysql_execute_command(THD*)+0x2d2d) [0x827677d]
/opt/mariadb/libexec/mysqld(mysql_parse(THD*, char*, unsigned int, char const**)+0x271) [0x827f9b2]
/opt/mariadb/libexec/mysqld(Query_log_event::do_apply_event(Relay_log_info const*, char const*, unsigned int)+0x7a7) [0x837ec3f]
/opt/mariadb/libexec/mysqld(Query_log_event::do_apply_event(Relay_log_info const*)+0x2c) [0x837e496]
/opt/mariadb/libexec/mysqld(Log_event::apply_event(Relay_log_info const*)+0x1f) [0x84302c3]
/opt/mariadb/libexec/mysqld(apply_event_and_update_pos(Log_event*, THD*, Relay_log_info*)+0x250) [0x8429d39]
/opt/mariadb/libexec/mysqld() [0x842a1df]
/opt/mariadb/libexec/mysqld(handle_slave_sql+0x9e3) [0x842c444]
/lib/i686/cmov/libpthread.so.0(+0x5955) [0xb7701955]
/lib/i686/cmov/libc.so.6(clone+0x5e) [0xb753ee7e]

Trying to get some v...


Revision history for this message
Elena Stepanova (elenst) wrote :

Hi,

For both queries, could you please upload the table structure and data to ftp://ftp.askmonty.org/?
Since there are many tables involved, it might be easier to take the schema dump.
Full error logs might be useful, too.

Thank you.

Revision history for this message
Launchpad Neb (78luphr0rnk2nuqimstywepozxn9kl19tqh0tx66b5dki1xxsh5mkz9gl21a5rlwfnr8jn-launchpad-a811i2i3ytqlsztthjth0svbccw8inm65tmkqp9sarr553jq53in4xm1m8wn3o4rlwaer0) wrote :

I uploaded schema and logs of the crashed Windows version.

The database for the Debian test is equivalent to the one used in Windows.

Revision history for this message
Elena Stepanova (elenst) wrote :

Hi,

Do you still experience the problem on 5.3.5-GA?

I had been trying to reproduce it for some time, but could not get the crash. I will try again if it still exists, but if it's gone along with other fixed bugs, there is no point.

Thank you.

Revision history for this message
nbrnhardt (nb-k) wrote :

I've uploaded the whole database (bug-915222-5.3.5-20120331) including the ZIP version of MariaDB 5.3.5 onto FTP. It's reduced to one case that triggers a trigger... if you do an update on table `vorgangsliste`, the trigger `t_statistik` is run and seems to cause the crash.

Issue a few
UPDATE vorgangsliste SET gerätestatusid=7
and wait for MySQL to do suicide.

In my tests, the first update sometimes gave me zero updates as a result, sometimes a random error message.
Sometimes the next update triggers an access violation, sometimes it seems to do something.
Only issuing multiple updates in a short row causes an access violation for sure.

(Note: In my tests, I started MariaDB from the commandline on Windows XP, SP3, using a RAM-Disk. The Access Violation occurred on Aria tables as well as on converted MyISAM tables. I used HeidiSQL to send the UPDATEs and also tested the uploaded package on my laptop. MariaDB also quits there after a few UPDATEs.)

The VC6 debugger always shows the same line of code where it happens:

007D1D24 int 3
007D1D25 int 3
007D1D26 int 3
007D1D27 int 3
007D1D28 int 3
007D1D29 int 3
007D1D2A int 3
007D1D2B int 3
007D1D2C int 3
007D1D2D int 3
007D1D2E int 3
007D1D2F int 3
007D1D30 push ebp
007D1D31 mov ebp,esp
007D1D33 sub esp,8
007D1D36 mov eax,dword ptr [ebp+8]
007D1D39 mov ecx,dword ptr [eax+40h]
007D1D3C push ebx
007D1D3D mov ebx,dword ptr [ebp+10h]
007D1D40 push esi
007D1D41 mov esi,dword ptr [ebp+0Ch]
Access Violation -> 007D1D44 mov al,byte ptr [esi]
007D1D46 push edi
007D1D47 mov dword ptr [ebp-8],ecx
007D1D4A test al,al
007D1D4C je 007D1E1F
007D1D52 cmp byte ptr [ebx],0
007D1D55 je 007D1E1F
007D1D5B cmp al,80h
007D1D5D jae 007D1D70
007D1D5F movzx eax,al
007D1D62 lea edx,[eax+eax*2]
007D1D65 movzx edi,word ptr [edx*2+91D3E2h]
007D1D6D inc esi
007D1D6E jmp 007D1DB4
007D1D70 mov edx,dword ptr [ebp+8]
007D1D73 lea eax,[esi+3]
007D1D76 push eax
007D1D77 push esi
007D1D78 lea ecx,[ebp+0Ch]
007D1D7B push ecx
007D1D7C push edx
007D1D7D call 007D1500
007D1D82 add esp,10h
007D1D85 test eax,eax
007D1D87 jle 007D1E30
007D1D8D mov edi,dword ptr [ebp+0Ch]
007D1D90 mov ecx,dword ptr [ebp-8]
007D1D93 add esi,eax
007D1D95 mov eax,edi
007D1D97 shr eax,8

Revision history for this message
Elena Stepanova (elenst) wrote :

Hi,

Thank you, now I was able to reproduce it. It seems that XP or 32-bit (or both) is important; I could not get the crash on Win 2008 64-bit or on openSUSE 32-bit.

I will try to make a test case out of it, check whether it's still reproducible on the current 5.3 (soon-to-be 5.3.6), and will pass it further for fixing.

Revision history for this message
Elena Stepanova (elenst) wrote :

Unlike crashes which I've only seen on XP, valgrind errors are persistent.
Reproducible on MariaDB 5.3 revno 3488 (stack traces below are from it), and on MariaDB 5.5 revno 3360.
Not reproducible on MySQL 5.5.

No specific optimizer_switch is required, reproducible with all OFF values.

# Simplified test case

CREATE TABLE t1 (a CHAR(1));

CREATE TABLE t2 (d INT, e CHAR(1));

INSERT INTO t2 VALUES (13,'z');

CREATE TRIGGER tr AFTER UPDATE ON t2
  FOR EACH ROW
  REPLACE INTO t3
  SELECT f, a AS alias FROM t3, v;

CREATE TABLE t3 (f INT, g CHAR(8));

CREATE VIEW v AS SELECT a, e FROM t2, t1;

UPDATE t2 SET d=7;
UPDATE t2 SET d=7;
UPDATE t2 SET d=7;
UPDATE t2 SET d=7;

# End of test case

==5080== Invalid read of size 1
==5080== at 0xC929D9: my_strcasecmp_utf8 (ctype-utf8.c:2527)
==5080== by 0x8FD2DB: check_duplicate_names(List<Item>&, bool) (sql_view.cc:138)
==5080== by 0x8F9E10: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:628)
==5080== by 0x8F9396: mysql_handle_single_derived(st_lex*, TABLE_LIST*, unsigned int) (sql_derived.cc:176)
==5080== by 0x76E8E0: TABLE_LIST::handle_derived(st_lex*, unsigned int) (table.cc:5832)
==5080== by 0x8F9423: mysql_handle_list_of_derived(st_lex*, TABLE_LIST*, unsigned int) (sql_derived.cc:208)
==5080== by 0x7B06DB: mysql_prepare_insert(THD*, TABLE_LIST*, st_table*, List<Item>&, List<Item>*, List<Item>&, List<Item>&, enum_duplicates, Item**, bool, bool, bool) (sql_insert.cc:1290)
==5080== by 0x7B50B2: mysql_insert_select_prepare(THD*) (sql_insert.cc:3008)
==5080== by 0x6F87AB: mysql_execute_command(THD*) (sql_parse.cc:3295)
==5080== by 0x91A25D: sp_instr_stmt::exec_core(THD*, unsigned int*) (sp_head.cc:2976)
==5080== by 0x919B6F: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2794)
==5080== by 0x91A01E: sp_instr_stmt::execute(THD*, unsigned int*) (sp_head.cc:2919)
==5080== by 0x9160A5: sp_head::execute(THD*) (sp_head.cc:1283)
==5080== by 0x916B91: sp_head::execute_trigger(THD*, st_mysql_lex_string const*, st_mysql_lex_string const*, st_grant_info*) (sp_head.cc:1586)
==5080== by 0x92C192: Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool) (sql_trigger.cc:2132)
==5080== by 0x7D3C97: mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, enum_duplicates, bool) (sql_update.cc:721)
==5080== Address 0xfc1e4d8 is 1,976 bytes inside a block of size 8,168 free'd
==5080== at 0x4C25F7B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5080== by 0xC3EBE3: _myfree (safemalloc.c:337)
==5080== by 0xC3DF01: free_root (my_alloc.c:372)
==5080== by 0x916121: sp_head::execute(THD*) (sp_head.cc:1300)
==5080== by 0x916B91: sp_head::execute_trigger(THD*, st_mysql_lex_string const*, st_mysql_lex_string const*, st_grant_info*) (sp_head.cc:1586)
==5080== by 0x92C192: Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool) (sql_trigger.cc:2132)
==5080== by 0x7D3C97: mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long l...

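Triage of the memcheck block above, as an added example that is not part of the bug report or of MariaDB: it parses the "Invalid read" report, classifies it as a use-after-free because the faulting address lies inside a block memcheck reports as free'd, and names the reading frame, its caller and the frame that released the block. The names DEALLOCATORS, func_name, parse_report and triage are chosen here; the frames, files and line numbers in the sample are the report's own.

```python
import re

# Sample constructed from the memcheck output quoted above, abridged to the
# frames that matter; addresses, files and line numbers are the report's own.
SAMPLE = """\
==5080== Invalid read of size 1
==5080==    at 0xC929D9: my_strcasecmp_utf8 (ctype-utf8.c:2527)
==5080==    by 0x8FD2DB: check_duplicate_names(List<Item>&, bool) (sql_view.cc:138)
==5080==    by 0x8F9E10: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:628)
==5080==    by 0x916B91: sp_head::execute_trigger(THD*, st_mysql_lex_string const*, st_mysql_lex_string const*, st_grant_info*) (sp_head.cc:1586)
==5080==  Address 0xfc1e4d8 is 1,976 bytes inside a block of size 8,168 free'd
==5080==    at 0x4C25F7B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5080==    by 0xC3EBE3: _myfree (safemalloc.c:337)
==5080==    by 0xC3DF01: free_root (my_alloc.c:372)
==5080==    by 0x916121: sp_head::execute(THD*) (sp_head.cc:1300)
"""

PID_RE = re.compile(r"^==\d+==\s?")                       # leading '==5080== '
FRAME_RE = re.compile(r"^\s*(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.+?)\s+\((.+)\)$")
ADDR_RE = re.compile(r"^\s*Address 0x[0-9a-f]+ is ([\d,]+) bytes (inside|after|before) "
                     r"a block of size ([\d,]+) (free'd|alloc'd)")
# Allocator layer seen in this report; the first frame above it is the freeing site.
DEALLOCATORS = {"free", "_myfree", "free_root"}

def func_name(frame):  # 'sp_head::execute(THD*)' -> 'sp_head::execute'
    return frame.split("(")[0]

def parse_report(text):
    """Split one memcheck error block into its access stack and its free/alloc stack."""
    report = {"kind": None, "access": [], "release": [],
              "offset": None, "position": None, "size": None, "state": None}
    stack = report["access"]
    for raw in text.splitlines():
        line = PID_RE.sub("", raw)
        if line.startswith("Invalid "):           # 'Invalid read of size 1'
            report["kind"] = line.strip()
            stack = report["access"]
            continue
        m = ADDR_RE.match(line)
        if m:                                     # frames after this describe the free
            report["offset"] = int(m.group(1).replace(",", ""))
            report["position"] = m.group(2)
            report["size"] = int(m.group(3).replace(",", ""))
            report["state"] = m.group(4)
            stack = report["release"]
            continue
        m = FRAME_RE.match(line)
        if m:
            stack.append((m.group(1), m.group(2)))  # (function, file:line or library)
    return report

def triage(text):
    """Classify the block and name the frames a developer would look at first."""
    r = parse_report(text)
    verdict = ("use-after-free" if r["state"] == "free'd" else
               "heap-buffer-overflow" if r["state"] == "alloc'd" and r["position"] != "inside"
               else "unclassified")
    access = [func_name(f) for f, _ in r["access"]]
    freed_in = next((func_name(f) for f, loc in r["release"]
                     if not loc.startswith("in ") and func_name(f) not in DEALLOCATORS), None)
    return {"verdict": verdict, "kind": r["kind"],
            "faulting_function": access[0] if access else None,
            "caller": access[1] if len(access) > 1 else None,
            "freed_in": freed_in, "offset": r["offset"], "size": r["size"]}
```

For this report the result points at the read in my_strcasecmp_utf8 from check_duplicate_names, on memory released by free_root from sp_head::execute, which matches the two stacks Valgrind printed.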

summary: - Query in trigger using Aria tables causes MariaDB 5.3.3 to crash
- (exception 0xc0000005)
+ Query in trigger using tables causes MariaDB 5.3 to crash or throw
+ Valgrind errors in my_strcasecmp_utf8
summary: - Query in trigger using tables causes MariaDB 5.3 to crash or throw
- Valgrind errors in my_strcasecmp_utf8
+ Query in trigger causes MariaDB 5.3 to crash or throw Valgrind errors
+ in my_strcasecmp_utf8
Changed in maria:
milestone: none → 5.3
importance: Undecided → High
Elena Stepanova (elenst)
Changed in maria:
assignee: nobody → Igor Babaev (igorb-seattle)
Revision history for this message
Elena Stepanova (elenst) wrote :

More notes:

1.
Adding rows to t1 and t2 does not make a difference; tried with 2 rows in each of them, still valgrind errors.
Modification of the test case (first 4 statements):
CREATE TABLE t1 (a CHAR(1));
INSERT INTO t1 VALUES ('a'),('b');
CREATE TABLE t2 (d INT, e CHAR(1));
INSERT INTO t2 VALUES (13,'z'),(14,'y');
...

2.
Merging the view manually into the query under trigger made the errors go away. Tried with the following query:
  REPLACE INTO t3
  SELECT f, a AS alias FROM t3, t2, t1;
Problem was not reproducible any longer.

3.
'AS alias' in 'SELECT f, a AS alias FROM t3, v' is left on purpose. If I run just 'SELECT f, a FROM t3, v', without 'AS alias', I'm not getting the errors.

Elena Stepanova (elenst)
tags: added: valgrind
removed: aria
Changed in maria:
status: New → Confirmed
Changed in maria:
status: Confirmed → In Progress
Revision history for this message
Oleksandr "Sanja" Byelkin (sanja-byelkin) wrote :

The problem after the fix is that Item_in_subselect::select_in_like_transformer takes the left_expr changed by find_field_in_view and creates an Item_in_optimizer with it, so we have the left_expr referenced from 2 places. One place will be rolled back while the other one is not, which leads to the crash.

The only idea is to check the list of registered changes and, if the address of the change is found in it, make the same entry for the new address... I do not like the idea...

Changed in maria:
status: In Progress → Fix Committed
Revision history for this message
Elena Stepanova (elenst) wrote :

Fixed in MariaDB 5.3.6

Changed in maria:
status: Fix Committed → Fix Released