Bug #115885 MySQL 8.0.36 Crashing and Restarting Frequently
Submitted: 21 Aug 2024 17:14 Modified: 8 Apr 8:11
Reporter: Sreedhar D Email Updates:
Status: Duplicate Impact on me: None
Category:MySQL Server Severity:S3 (Non-critical)
Version:8.0.36, 8.0.41 OS:Any
Assigned to: CPU Architecture:Any

[21 Aug 2024 17:14] Sreedhar D
Description:
We are facing MySQL crashes very frequently in MySQL environments.

2024-08-20T09:40:28Z UTC - mysqld got signal 11 ;
Most likely, you have hit a bug, but this error can also be caused by malfunctioning hardware.
Thread pointer: 0x14fc94774000
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 14fc8fd6b210 thread_stack 0x40000
/rdsdbbin/mysql/bin/mysqld(my_print_stacktrace(unsigned char const*, unsigned long)+0x2e) [0x151bd7e]
/rdsdbbin/mysql/bin/mysqld(print_fatal_signal(int)+0x276) [0xc179e6]
/rdsdbbin/mysql/bin/mysqld(handle_fatal_signal+0x7c) [0xc17c7c]
/lib64/libpthread.so.0(+0x118e0) [0x15003a37d8e0]
/rdsdbbin/mysql/bin/mysqld(Item_cache::walk(bool (Item::*)(unsigned char*), enum_walk, unsigned char*)+0x7c) [0xd15efc]
/rdsdbbin/mysql/bin/mysqld() [0xa2e725]
/rdsdbbin/mysql/bin/mysqld(Item_func::walk(bool (Item::*)(unsigned char*), enum_walk, unsigned char*)+0x92) [0xd5e662]
/rdsdbbin/mysql/bin/mysqld(Item_cond::walk(bool (Item::*)(unsigned char*), enum_walk, unsigned char*)+0x75) [0xd3af05]
/rdsdbbin/mysql/bin/mysqld(Query_block::check_column_privileges(THD*)+0x119) [0xb2ab59]
/rdsdbbin/mysql/bin/mysqld(Query_block::check_privileges_for_subqueries(THD*)+0x47) [0xb2a9f7]
/rdsdbbin/mysql/bin/mysqld(Query_block::check_column_privileges(THD*)+0x2ac) [0xb2acec]
/rdsdbbin/mysql/bin/mysqld(Sql_cmd_select::check_privileges(THD*)+0xc8) [0xb43328]
/rdsdbbin/mysql/bin/mysqld(Sql_cmd_dml::execute(THD*)+0x3f8) [0xb321f8]
/rdsdbbin/mysql/bin/mysqld(mysql_execute_command(THD*, bool)+0x938) [0xaf39f8]
/rdsdbbin/mysql/bin/mysqld(sp_instr_stmt::exec_core(THD*, unsigned int*)+0x4f) [0xa3e45f]
/rdsdbbin/mysql/bin/mysqld(sp_lex_instr::reset_lex_and_exec_core(THD*, unsigned int*, bool)+0x148) [0xa561f8]
/rdsdbbin/mysql/bin/mysqld(sp_lex_instr::validate_lex_and_execute_core(THD*, unsigned int*, bool)+0x116) [0xa56606]
/rdsdbbin/mysql/bin/mysqld(sp_instr_stmt::execute(THD*, unsigned int*)+0x103) [0xa569c3]
/rdsdbbin/mysql/bin/mysqld(sp_head::execute(THD*, bool)+0x6a9) [0xa4e289]
/rdsdbbin/mysql/bin/mysqld(sp_head::execute_procedure(THD*, mem_root_deque<Item*>*)+0x8d4) [0xa4fdc4]
/rdsdbbin/mysql/bin/mysqld(Sql_cmd_call::execute_inner(THD*)+0x12b) [0xf0184b]
/rdsdbbin/mysql/bin/mysqld(Sql_cmd_dml::execute(THD*)+0x1f6) [0xb31ff6]
/rdsdbbin/mysql/bin/mysqld(mysql_execute_command(THD*, bool)+0x938) [0xaf39f8]
/rdsdbbin/mysql/bin/mysqld(dispatch_sql_command(THD*, Parser_state*)+0x587) [0xaf74f7]
/rdsdbbin/mysql/bin/mysqld(dispatch_command(THD*, COM_DATA const*, enum_server_command)+0x19df) [0xaf95ef]
/rdsdbbin/mysql/bin/mysqld(do_command(THD*)+0x1c9) [0xafa059]
/rdsdbbin/mysql/bin/mysqld() [0xc18b8f]
/rdsdbbin/mysql/bin/mysqld() [0x18cedbf]
/lib64/libpthread.so.0(+0x744b) [0x15003a37344b]
/lib64/libc.so.6(clone+0x3f) [0x150039b5852f]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (14fc05587280): SELECT rule_name AS `name`,id,service_id, (SELECT `name` FROM service_details WHERE id=service_id) AS service_name,'rule' AS `type`,'' AS flowtype FROM usm.rule_details rd WHERE   rd.id IN (SELECT rule_id FROM usm.channel_mapping scm WHERE scm.app_id= NAME_CONST('v_app_id',_latin1'a_1692004211951851' COLLATE 'latin1_swedish_ci') OR scm.service_code =  NAME_CONST('v_app_id',_latin1'a_1692004211951851' COLLATE 'latin1_swedish_ci'))   AND rd.id NOT IN (SELECT rule_id FROM flow_rule_mapping)   UNION    SELECT `Name`,id,service_id,(SELECT `name` FROM service_details WHERE id=service_id) AS service_name, 'flow' AS `type`,`Type` AS flowtype FROM usm.service_voice_workflow rd WHERE   rd.id IN (SELECT flow_id FROM usm.channel_mapping scm WHERE scm.app_id= NAME_CONST('v_app_id',_latin1'a_1692004211951851' COLLATE 'latin1_swedish_ci') OR scm.service_code =  NAME_CONST('v_app_id',_latin1'a_1692004211951851' COLLATE 'latin1_swedish_ci'))
Connection ID (thread ID): 34691621
Status: NOT_KILLED

The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.

How to repeat:
Can't replicate the issue, but the error repeats all the time.

Suggested fix:
MySQL should not restart unexpectedly.
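As an added example (not code from this bug report or from MySQL), a parser for the mysqld crash-report layout in this thread: it takes the glibc-style frames of the report above and the Windows-style `mysqld.exe!symbol()[file:line]` frames posted later, strips the signal-handler preamble, normalises the literals in the reported query, and groups reports by innermost frames plus query fingerprint, so a DBA can tell one recurring bug from unrelated crashes and hand the vendor a single pattern. The sample log and the Windows-style `Query_block::check_column_privileges` frame are constructed.

```python
import re
from collections import Counter

# Constructed sample (made-up values, trimmed to a few frames): one report in the Linux
# layout and one in the Windows layout seen in this thread, concatenated. Not a real log.
SAMPLE_LOG = """\
2024-08-20T09:40:28Z UTC - mysqld got signal 11 ;
/usr/sbin/mysqld(handle_fatal_signal+0x7c) [0xc17c7c]
/lib64/libpthread.so.0(+0x118e0) [0x15003a37d8e0]
/usr/sbin/mysqld(Item_cache::walk(bool (Item::*)(unsigned char*), enum_walk, unsigned char*)+0x7c) [0xd15efc]
/usr/sbin/mysqld() [0xa2e725]
/usr/sbin/mysqld(Query_block::check_column_privileges(THD*)+0x119) [0xb2ab59]
Query (14fc05587280): SELECT id FROM usm.rule_details rd WHERE rd.app_id= NAME_CONST('v_app_id',_latin1'a_1692004211951851' COLLATE 'latin1_swedish_ci') AND rd.version > 12
2025-04-08T08:06:34Z UTC - mysqld got exception 0xc0000005 ;
7ff642af739c    mysqld.exe!Item_cache::walk()[item.cc:9591]
7ff6429c1b2e    mysqld.exe!Query_block::check_column_privileges()[sql_select.cc:2041]
Query (281303120f0): SELECT id FROM usm.rule_details rd WHERE rd.app_id= NAME_CONST('v_app_id',_latin1'b_77' COLLATE 'latin1_swedish_ci') AND rd.version > 15
"""

HEADER = re.compile(r"^(\S+) UTC - mysqld got (signal \d+|exception 0x[0-9a-f]+)")
WIN_FRAME = re.compile(r"^[0-9a-f]+\s+\S+!([^(\[]+)")      # 'ADDR mysqld.exe!sym()[file:line]'
PREAMBLE = {"my_print_stacktrace", "print_fatal_signal", "handle_fatal_signal"}  # handler frames

def frame_symbol(line):  # glibc frame 'path(sym(args)+0xNN) [0xADDR]' or Windows frame; None if unsymbolized
    if m := WIN_FRAME.match(line):
        return m.group(1)
    if not (line.startswith("/") and line.endswith("]") and "+0x" in line):
        return None
    sym = line[line.index("(") + 1:line.rfind("+0x")]
    return sym.split("(")[0] or None                    # drop the argument list; '' for '(+0xNN)'

def fingerprint(query: str) -> str:  # normalise literals so the same statement shape compares equal
    q = re.sub(r"NAME_CONST\('(\w+)',", r"NAME_CONST(\1,", query)   # keep the routine variable name
    q = re.sub(r"\s*COLLATE\s+'[^']*'", "", q)
    q = re.sub(r"(?:_\w+)?'(?:[^'\\]|\\.)*'", "?", q)                # string literal, any charset intro
    q = re.sub(r"\b\d+\b", "?", q)
    return " ".join(q.split())

def parse_crash_reports(log_text: str) -> list:  # one dict per 'mysqld got ...' report
    events = []
    for line in log_text.splitlines():
        if m := HEADER.match(line):
            events.append({"when": m.group(1), "cause": m.group(2), "frames": [], "query": None})
        elif not events:
            continue                                    # text before the first crash header
        elif line.startswith("Query ("):
            events[-1]["query"] = line.split("): ", 1)[1]
        elif (sym := frame_symbol(line)) and sym not in PREAMBLE:
            events[-1]["frames"].append(sym)            # innermost first, handler preamble dropped
    return events

def group_crashes(log_text: str, depth: int = 3) -> Counter:
    """Count reports per (innermost frames, query fingerprint); one key recurring across
    literals and builds (Linux signal, Windows exception) is the pattern worth reporting."""
    return Counter((" < ".join(ev["frames"][:depth]), fingerprint(ev["query"]) if ev["query"] else None)
                   for ev in parse_crash_reports(log_text))
```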
[21 Aug 2024 17:36] MySQL Verification Team
Hi Mr. Sreedhar,

Thank you for your bug report.

We inspected your stacktrace and the query that was run and we discovered that your bug is 100% a duplicate of the following Security Vulnerability bug:

https://bugs.mysql.com/bug.php?id=114662

Since that Security Vulnerability bug contains a full test case and other sensitive information, it is not visible to the public.

Hence, we shall leave a comment there that your report is a duplicate of that one, so that you get informed when and where the original bug was fixed.

Duplicate.
[22 Aug 2024 5:54] Sreedhar D
Thank you for letting me know. I understand that my bug report is a duplicate of a security vulnerability (Bug #114662). Since the information is not publicly available, I appreciate you adding a comment to the original report to track the fix.

Could you provide more details about the bug and especially regarding any potential data security implications?

Request for workaround (if applicable): If possible, could you share any temporary workarounds that might be helpful until a permanent fix is released? Are there any suggestions to avoid the bug by modifying the SELECT query pattern, or could upgrading to a minor version like 8.0.37 or 8.0.38 resolve the issue?

Upgrade information (if applicable): Would upgrading to one of these versions (8.0.37 or 8.0.38) potentially address the issue?
[22 Aug 2024 9:51] MySQL Verification Team
Hi Mr. Sreedhar,

First of all, any crashing bug is a security vulnerability, by Oracle standards.

Regarding the workaround, there is none practical.

The only possible manner of avoiding it is to avoid running the same query against 2 different databases but in the same thread, sequentially.

That is the only workaround available, so far .....
[22 Aug 2024 10:08] Sreedhar D
Thank you for your reply. Would upgrading to one of these versions (8.0.37 or 8.0.38) avoid the issue? We will take appropriate action based on your answer.
[22 Aug 2024 10:13] MySQL Verification Team
Hi Mr. Sreedhar,

Since that bug is not fixed yet, upgrade would not be of any help.

You will be informed when this bug is fixed and in which release it is fixed.

That would be then a release to upgrade to.
[23 Aug 2024 7:53] Sreedhar D
Could you please review the shared SELECT statement again? The SELECT query seems to be related to a single database with a UNION operation. Are you suggesting us to avoid using UNION in the SELECT statement?
[23 Aug 2024 9:53] MySQL Verification Team
Hi Mr. D.,

We are not suggesting anything like that.

We are only quoting the only available workaround for this bug, which is the following one:

The only possible manner of avoiding it is to avoid running the same query against 2 different databases but in the same thread, sequentially.

We do not see where we mentioned any UNION here .......

Hence, we do not see how your question is related to the only workaround for the original bug.
[14 Oct 2024 9:42] MySQL Verification Team
Hi Mr. Sreedhar,

Thank you for your stored procedure and table info.

We have tried to reproduce the problem, but with no luck.

Let us inform you that this is a forum for reports with fully repeatable test cases. We tried several times to repeat your test case, but there is no problem whatsoever ...

This is not a forum for providing guidance.

If you want guidance and if you are a customer, just open an SR on our MOS page.

If you are not a customer, consider becoming one, since this is a forum for fully repeatable test cases only.

You can get info on our support offers on 

https://www.mysql.com/support/

Can't repeat.
[8 Apr 8:11] MySQL Verification Team
Same crashes on 8.0.41.

2025-04-08T08:04:58.556391Z 0 [System] [MY-010931] [Server] D:\my\mysql-commercial-8.0.41-winx64\bin\mysqld.exe: ready for connections. Version: '8.0.41-commercial'  socket: ''  port: 3306  MySQL Enterprise Server - Commercial.
2025-04-08T08:06:34Z UTC - mysqld got exception 0xc0000005 ;
Most likely, you have hit a bug, but this error can also be caused by malfunctioning hardware.
Thread pointer: 0x281303120f0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
7ff642ceb777    mysqld.exe!Item_field::add_field_to_cond_set_processor()[item.cc:897]
7ff64297e6be    mysqld.exe!Item::walk()[item.h:2465]
7ff642af739c    mysqld.exe!Item_cache::walk()[item.cc:9591]
7ff642af7255    mysqld.exe!Item_ref::walk()[item.h:5842]
...
-- 
Shane, MySQL Senior Principal Technical Support Engineer
Oracle Corporation
http://dev.mysql.com/
[8 Apr 9:24] MySQL Verification Team
I could repeat this crash on 8.0.37 and 8.0.41, but it is no longer repeatable
on 8.4.4. At least the same tests ran 10x longer before I stopped them on 8.4.4.

Suspect that something else has solved it in the 8.4 tree; it would be good to check with the original reporter whether 8.4 solves it.

-- 
Shane, MySQL Senior Principal Technical Support Engineer
Oracle Corporation
http://dev.mysql.com/
[8 Apr 10:26] MySQL Verification Team
8.0.41 valgrind output:

==14210== Thread 43 connection:
==14210== Invalid read of size 8
at : Item_cache::walk (item.cc:9592)
by : Item_ref::walk (item.h:5843)
by : Item_func::walk (item_func.cc:618)
by : Item_cond::walk (item_cmpfunc.cc:5769)
by : Query_block::check_column_privileges (sql_select.cc:2041)
by : UnknownInlinedFun (sql_select.cc:2140)
by : Query_block::check_column_privileges (sql_select.cc:2074)
by : Sql_cmd_select::check_privileges (sql_select.cc:1156)
by : Sql_cmd_dml::execute (sql_select.cc:724)
by : mysql_execute_command (sql_parse.cc:4722)
by : UnknownInlinedFun (sp_instr.cc:990)
by : sp_lex_instr::reset_lex_and_exec_core (sp_instr.cc:462)
by : sp_lex_instr::validate_lex_and_execute_core (sp_instr.cc:750)
by : sp_instr_stmt::execute (sp_instr.cc:916)
==14210==  Address 0x3abe0d60 is 48 bytes inside a block of size 27,696 free'd
at : free (vg_replace_malloc.c:538)
by : UnknownInlinedFun (my_malloc.cc:299)
by : UnknownInlinedFun (my_malloc.cc:360)
by : UnknownInlinedFun (my_malloc.cc:407)
by : UnknownInlinedFun (my_malloc.cc:469)
by : UnknownInlinedFun (my_alloc.cc:217)
by : MEM_ROOT::Clear() (my_alloc.cc:186)
by : dispatch_command (sql_parse.cc:2524)
by : do_command (sql_parse.cc:1440)
by : handle_connection (connection_handler_per_thread.cc:303)
by : pfs_spawn_thread (pfs.cc:3050)
by : start_thread (in /usr/lib64/libpthread-2.17.so)
by : clone (in /usr/lib64/libc-2.17.so)
==14210==  Block was alloc'd at
at : malloc (vg_replace_malloc.c:307)
by : UnknownInlinedFun (my_malloc.cc:280)
by : UnknownInlinedFun (my_malloc.cc:323)
by : UnknownInlinedFun (my_malloc.cc:373)
by : UnknownInlinedFun (my_malloc.cc:387)
by : MEM_ROOT::AllocBlock (my_alloc.cc:90)
by : UnknownInlinedFun (my_alloc.cc:157)
by : MEM_ROOT::AllocSlow(unsigned long) (my_alloc.cc:144)
by : UnknownInlinedFun (my_alloc.h:165)
by : UnknownInlinedFun (item.h:879)
by : PTI_simple_ident_nospvar_ident::itemize (parse_tree_items.cc:466)
by : PT_item_list::contextualize (parse_tree_helpers.h:116)
by : PT_update::make_cmd (parse_tree_nodes.cc:931)
by : UnknownInlinedFun (sql_lex.cc:4968)
by : UnknownInlinedFun (sql_class.cc:3068)
by : parse_sql (sql_parse.cc:7135)
by : dispatch_sql_command (sql_parse.cc:5268)
by : dispatch_command (sql_parse.cc:2055)
by : do_command (sql_parse.cc:1440)
by : handle_connection (connection_handler_per_thread.cc:303)
by : pfs_spawn_thread (pfs.cc:3050)
==14210==
==14210== Invalid read of size 8
at : UnknownInlinedFun (item.h:2465)
by : Item_cache::walk (item.cc:9592)
by : Item_ref::walk (item.h:5843)
by : Item_func::walk (item_func.cc:618)
by : Item_cond::walk (item_cmpfunc.cc:5769)
by : Query_block::check_column_privileges (sql_select.cc:2041)
by : UnknownInlinedFun (sql_select.cc:2140)
by : Query_block::check_column_privileges (sql_select.cc:2074)
by : Sql_cmd_select::check_privileges (sql_select.cc:1156)
by : Sql_cmd_dml::execute (sql_select.cc:724)
by : mysql_execute_command (sql_parse.cc:4722)
by : UnknownInlinedFun (sp_instr.cc:990)
by : sp_lex_instr::reset_lex_and_exec_core (sp_instr.cc:462)
by : sp_lex_instr::validate_lex_and_execute_core (sp_instr.cc:750)
by : sp_instr_stmt::execute (sp_instr.cc:916)
==14210==  Address 0x3abe0d60 is 48 bytes inside a block of size 27,696 free'd
at : free (vg_replace_malloc.c:538)
by : UnknownInlinedFun (my_malloc.cc:299)
by : UnknownInlinedFun (my_malloc.cc:360)
by : UnknownInlinedFun (my_malloc.cc:407)
by : UnknownInlinedFun (my_malloc.cc:469)
by : UnknownInlinedFun (my_alloc.cc:217)
by : MEM_ROOT::Clear() (my_alloc.cc:186)
by : dispatch_command (sql_parse.cc:2524)
by : do_command (sql_parse.cc:1440)
by : handle_connection (connection_handler_per_thread.cc:303)
by : pfs_spawn_thread (pfs.cc:3050)
by : start_thread (in /usr/lib64/libpthread-2.17.so)
by : clone (in /usr/lib64/libc-2.17.so)
==14210==  Block was alloc'd at
at : malloc (vg_replace_malloc.c:307)
by : UnknownInlinedFun (my_malloc.cc:280)
by : UnknownInlinedFun (my_malloc.cc:323)
by : UnknownInlinedFun (my_malloc.cc:373)
by : UnknownInlinedFun (my_malloc.cc:387)
by : MEM_ROOT::AllocBlock (my_alloc.cc:90)
by : UnknownInlinedFun (my_alloc.cc:157)
by : MEM_ROOT::AllocSlow(unsigned long) (my_alloc.cc:144)
by : UnknownInlinedFun (my_alloc.h:165)
by : UnknownInlinedFun (item.h:879)
by : PTI_simple_ident_nospvar_ident::itemize (parse_tree_items.cc:466)
by : PT_item_list::contextualize (parse_tree_helpers.h:116)
by : PT_update::make_cmd (parse_tree_nodes.cc:931)
by : UnknownInlinedFun (sql_lex.cc:4968)
by : UnknownInlinedFun (sql_class.cc:3068)
by : parse_sql (sql_parse.cc:7135)
by : dispatch_sql_command (sql_parse.cc:5268)
by : dispatch_command (sql_parse.cc:2055)
by : do_command (sql_parse.cc:1440)
by : handle_connection (connection_handler_per_thread.cc:303)
by : pfs_spawn_thread (pfs.cc:3050)
==14210==
==14210== Invalid read of size 8
at : UnknownInlinedFun (item.h:2466)
by : Item_cache::walk (item.cc:9592)
by : Item_ref::walk (item.h:5843)
by : Item_func::walk (item_func.cc:618)
by : Item_cond::walk (item_cmpfunc.cc:5769)
by : UnknownInlinedFun (sql_optimizer.cc:8189)
by : JOIN::estimate_rowcount() (sql_optimizer.cc:5933)
by : JOIN::make_join_plan() (sql_optimizer.cc:5372)
by : JOIN::optimize(bool) (sql_optimizer.cc:695)
by : Query_block::optimize (sql_select.cc:2001)
by : Query_expression::optimize (sql_union.cc:1007)
by : Query_block::optimize (sql_select.cc:2010)
by : Query_expression::optimize (sql_union.cc:1007)
by : Sql_cmd_dml::execute_inner (sql_select.cc:999)
==14210==  Address 0x3abe0d60 is 48 bytes inside a block of size 27,696 free'd
at : free (vg_replace_malloc.c:538)
by : UnknownInlinedFun (my_malloc.cc:299)
by : UnknownInlinedFun (my_malloc.cc:360)
by : UnknownInlinedFun (my_malloc.cc:407)
by : UnknownInlinedFun (my_malloc.cc:469)
by : UnknownInlinedFun (my_alloc.cc:217)
by : MEM_ROOT::Clear() (my_alloc.cc:186)
by : dispatch_command (sql_parse.cc:2524)
by : do_command (sql_parse.cc:1440)
by : handle_connection (connection_handler_per_thread.cc:303)
by : pfs_spawn_thread (pfs.cc:3050)
by : start_thread (in /usr/lib64/libpthread-2.17.so)
by : clone (in /usr/lib64/libc-2.17.so)
==14210==  Block was alloc'd at
at : malloc (vg_replace_malloc.c:307)
by : UnknownInlinedFun (my_malloc.cc:280)
by : UnknownInlinedFun (my_malloc.cc:323)
by : UnknownInlinedFun (my_malloc.cc:373)
by : UnknownInlinedFun (my_malloc.cc:387)
by : MEM_ROOT::AllocBlock (my_alloc.cc:90)
by : UnknownInlinedFun (my_alloc.cc:157)
by : MEM_ROOT::AllocSlow(unsigned long) (my_alloc.cc:144)
by : UnknownInlinedFun (my_alloc.h:165)
by : UnknownInlinedFun (item.h:879)
by : PTI_simple_ident_nospvar_ident::itemize (parse_tree_items.cc:466)
by : PT_item_list::contextualize (parse_tree_helpers.h:116)
by : PT_update::make_cmd (parse_tree_nodes.cc:931)
by : UnknownInlinedFun (sql_lex.cc:4968)
by : UnknownInlinedFun (sql_class.cc:3068)
by : parse_sql (sql_parse.cc:7135)
by : dispatch_sql_command (sql_parse.cc:5268)
by : dispatch_command (sql_parse.cc:2055)
by : do_command (sql_parse.cc:1440)
by : handle_connection (connection_handler_per_thread.cc:303)
by : pfs_spawn_thread (pfs.cc:3050)
==14210==
==14210== Invalid read of size 8
at : Item_cache::walk (item.cc:9592)
by : Item_ref::walk (item.h:5843)
by : Item_func::walk (item_func.cc:618)
by : Item_cond::walk (item_cmpfunc.cc:5769)
by : Query_block::check_column_privileges (sql_select.cc:2041)
by : UnknownInlinedFun (sql_select.cc:2140)
by : Query_block::check_column_privileges (sql_select.cc:2074)
by : Sql_cmd_select::check_privileges (sql_select.cc:1156)
by : Sql_cmd_dml::execute (sql_select.cc:724)
by : mysql_execute_command (sql_parse.cc:4722)
by : UnknownInlinedFun (sp_instr.cc:990)
by : sp_lex_instr::reset_lex_and_exec_core (sp_instr.cc:462)
by : sp_lex_instr::validate_lex_and_execute_core (sp_instr.cc:750)
by : sp_instr_stmt::execute (sp_instr.cc:916)
==14210==  Address 0x248 is not stack'd, malloc'd or (recently) free'd