Bug #117995 Contribution by Tencent: explain analyze format=json causes crash
Submitted: 16 Apr 9:01 Modified: 19 May 23:45
Reporter: Peiyuan Liu (OCA) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Optimizer Severity:S6 (Debug Builds)
Version:trunk, 9.3.0, 8.4.5 OS:Any
Assigned to: CPU Architecture:Any
Tags: Contribution

[16 Apr 9:01] Peiyuan Liu 
Description:
## test SQL
use test;
set explain_json_format_version = 1;
explain analyze format=json select * from ( select 1) b;

## error log
2025-04-16T08:53:45.766320Z 0 [System] [MY-010229] [Server] Starting XA crash recovery...
2025-04-16T08:53:45.774185Z 0 [System] [MY-010232] [Server] XA crash recovery finished.
2025-04-16T08:53:45.943347Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2025-04-16T08:53:45.943398Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2025-04-16T08:53:46.193282Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /tmp/mysqlx.sock
2025-04-16T08:53:46.193433Z 0 [System] [MY-010931] [Server] /data/home/peryliu/Projects/mysql-server/build/runtime_output_directory/mysqld: ready for connections. Version: '9.2.0-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution.
mysqld: /data/home/peryliu/Projects/mysql-server/sql/opt_explain.cc:2100: bool explain_query_specification(THD*, const THD*, Query_term*, enum_parsing_context): Assertion `ret || !explain_thd->is_error()' failed.
2025-04-16T08:54:43Z UTC - mysqld got signal 6 ;
Most likely, you have hit a bug, but this error can also be caused by malfunctioning hardware.
BuildID[sha1]=07bf9d0463045e9155c46bdc7004760e591c14a2
Thread pointer: 0x7fea60001040
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 7feb38266a50 thread_stack 0x100000
 #0 0x390a21c print_fatal_signal at /data/home/peryliu/Projects/mysql-server/sql/signal_handler.cc:319
 #1 0x390a457 _Z19handle_fatal_signaliP9siginfo_tPv at /data/home/peryliu/Projects/mysql-server/sql/signal_handler.cc:399
 #2 0x7feb6327f98f <unknown>
 #3 0x7feb6173152f <unknown>
 #4 0x7feb61704e64 <unknown>
 #5 0x7feb61704d38 <unknown>
 #6 0x7feb61729e85 <unknown>
 #7 0x3d64c90 _Z27explain_query_specificationP3THDPKS_P10Query_term20enum_parsing_context at /data/home/peryliu/Projects/mysql-server/sql/opt_explain.cc:2100
 #8 0x3d65be4 mysql_explain_query_expression at /data/home/peryliu/Projects/mysql-server/sql/opt_explain.cc:2392
 #9 0x3d5e7d6 explain_subqueries at /data/home/peryliu/Projects/mysql-server/sql/opt_explain.cc:692
 #10 0x3d5ed34 send at /data/home/peryliu/Projects/mysql-server/sql/opt_explain.cc:770
 #11 0x3d64bc9 _Z27explain_query_specificationP3THDPKS_P10Query_term20enum_parsing_context at /data/home/peryliu/Projects/mysql-server/sql/opt_explain.cc:2088
 #12 0x3d65be4 mysql_explain_query_expression at /data/home/peryliu/Projects/mysql-server/sql/opt_explain.cc:2392
 #13 0x3d659cc _Z13explain_queryP3THDPKS_P16Query_expression at /data/home/peryliu/Projects/mysql-server/sql/opt_explain.cc:2356
 #14 0x3737db3 _ZN11Sql_cmd_dml13execute_innerEP3THD at /data/home/peryliu/Projects/mysql-server/sql/sql_select.cc:1126
 #15 0x3736cfa _ZN11Sql_cmd_dml7executeEP3THD at /data/home/peryliu/Projects/mysql-server/sql/sql_select.cc:790
 #16 0x36b244b _Z21mysql_execute_commandP3THDb at /data/home/peryliu/Projects/mysql-server/sql/sql_parse.cc:4742
 #17 0x36b46e4 _Z20dispatch_sql_commandP3THDP12Parser_stateb at /data/home/peryliu/Projects/mysql-server/sql/sql_parse.cc:5404
 #18 0x36aaab7 _Z16dispatch_commandP3THDPK8COM_DATA19enum_server_command at /data/home/peryliu/Projects/mysql-server/sql/sql_parse.cc:2136
 #19 0x36a8ac9 _Z10do_commandP3THD at /data/home/peryliu/Projects/mysql-server/sql/sql_parse.cc:1480
 #20 0x38f2eac handle_connection at /data/home/peryliu/Projects/mysql-server/sql/conn_handler/connection_handler_per_thread.cc:304
 #21 0x5995d99 pfs_spawn_thread at /data/home/peryliu/Projects/mysql-server/storage/perfschema/pfs.cc:3067
 #22 0x7feb632751c9 <unknown>
 #23 0x7feb6171c8d2 <unknown>
 #24 0xffffffffffffffff <unknown>

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (7fea6011c0c0): explain analyze format=json select * from ( select 1) b
Connection ID (thread ID): 9
Status: NOT_KILLED

The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.

How to repeat:
## test SQL
use test;
set explain_json_format_version = 1;
explain analyze format=json select * from ( select 1) b;
[16 Apr 9:19] MySQL Verification Team 
Hello Peiyuan Liu,

Thank you for the report and test case.
Verified as described.

regards,
Umesh
[16 Apr 9:20] MySQL Verification Team 
-- 9.3.0 debug build

[umshastr@bug117958:/bv/mybugs/mysql-9.3.0/mysql-test]$ ./mtr --nocheck-testcases bug117995 --debug-server
Logging: ./mtr  --nocheck-testcases bug117995 --debug-server
MySQL Version 9.3.0
Checking supported features
 - Binaries are debug compiled
Using 'all' suites
Collecting tests
Checking leftover processes
Removing old var directory
Creating var directory '/bv/mybugs/mysql-9.3.0/mysql-test/var'
Installing system database
Using parallel: 1
ports_per_thread:30

==============================================================================
                  TEST NAME                       RESULT  TIME (ms) COMMENT
------------------------------------------------------------------------------
use test;
set explain_json_format_version = 1;
explain analyze format=json select * from ( select 1) b;
[ 50%] main.bug117995                            [ fail ]
        Test ended at 2025-04-16 11:18:52

CURRENT_TEST: main.bug117995
mysqltest: At line 3: Query failed.
Query: 'explain analyze format=json select * from ( select 1) b'
Returned error: 2013 (HY000): Lost connection to MySQL server during query

-bt

#0  0x00007f9635e7356c in __pthread_kill_implementation () from /lib64/libc.so.6
#1  0x00000000042eb4e5 in my_write_core (sig=sig@entry=6) at ../../mysql-9.3.0/mysys/stacktrace.cc:342
#2  0x00000000035123bc in handle_fatal_signal (sig=6, info=0x7f962420a5b0, ucontext=0x7f962420a480) at ../../mysql-9.3.0/sql/signal_handler.cc:411
#3  <signal handler called>
#4  0x00007f9635e7356c in __pthread_kill_implementation () from /lib64/libc.so.6
#5  0x00007f9635e26686 in raise () from /lib64/libc.so.6
#6  0x00007f9635e10833 in abort () from /lib64/libc.so.6
#7  0x00007f9635e1075b in __assert_fail_base.cold () from /lib64/libc.so.6
#8  0x00007f9635e1f3c6 in __assert_fail () from /lib64/libc.so.6
#9  0x00000000037f7c2d in explain_query_specification (explain_thd=explain_thd@entry=0x7f9568001040, query_thd=query_thd@entry=0x7f9568001040, query_term=<optimized out>, ctx=ctx@entry=CTX_JOIN) at ../../mysql-9.3.0/sql/opt_explain.cc:2100
#10 0x00000000037f7cef in mysql_explain_query_expression (explain_thd=0x7f9568001040, query_thd=0x7f9568001040, unit=unit@entry=0x7f956800d9c0) at ../../mysql-9.3.0/sql/opt_explain.cc:2392
#11 0x00000000037f7466 in (anonymous namespace)::Explain::explain_subqueries (this=this@entry=0x7f962420afe0) at ../../mysql-9.3.0/sql/opt_explain.cc:692
#12 0x00000000037f771c in (anonymous namespace)::Explain::send (this=this@entry=0x7f962420afe0) at ../../mysql-9.3.0/sql/opt_explain.cc:770
#13 0x00000000037f7b9c in explain_query_specification (explain_thd=explain_thd@entry=0x7f9568001040, query_thd=query_thd@entry=0x7f9568001040, query_term=0x7f956800bce0, ctx=ctx@entry=CTX_JOIN) at ../../mysql-9.3.0/sql/opt_explain.cc:2088
#14 0x00000000037f7cef in mysql_explain_query_expression (explain_thd=explain_thd@entry=0x7f9568001040, query_thd=query_thd@entry=0x7f9568001040, unit=unit@entry=0x7f956800bc20) at ../../mysql-9.3.0/sql/opt_explain.cc:2392
#15 0x00000000037fb436 in explain_query (explain_thd=explain_thd@entry=0x7f9568001040, query_thd=query_thd@entry=0x7f9568001040, unit=unit@entry=0x7f956800bc20) at ../../mysql-9.3.0/sql/opt_explain.cc:2356
#16 0x00000000033d911c in Sql_cmd_dml::execute_inner (this=<optimized out>, thd=0x7f9568001040) at ../../mysql-9.3.0/sql/sql_select.cc:1140
#17 0x00000000033d982b in Sql_cmd_dml::execute (this=0x7f9568020220, thd=0x7f9568001040) at ../../mysql-9.3.0/sql/sql_select.cc:791
#18 0x00000000033766a3 in mysql_execute_command (thd=thd@entry=0x7f9568001040, first_level=first_level@entry=true) at ../../mysql-9.3.0/sql/sql_parse.cc:4757
#19 0x0000000003377cad in dispatch_sql_command (thd=0x7f9568001040, parser_state=parser_state@entry=0x7f962420cb10, is_retry=is_retry@entry=false) at ../../mysql-9.3.0/sql/sql_parse.cc:5431
#20 0x00000000033792df in dispatch_command (thd=<optimized out>, thd@entry=0x7f9568001040, com_data=com_data@entry=0x7f962420d9e0, command=COM_QUERY) at ../../mysql-9.3.0/sql/sql_parse.cc:2147
#21 0x000000000337aa8c in do_command (thd=thd@entry=0x7f9568001040) at ../../mysql-9.3.0/sql/sql_parse.cc:1490
#22 0x00000000035023ac in handle_connection (arg=arg@entry=0xbee15c0) at ../../mysql-9.3.0/sql/conn_handler/connection_handler_per_thread.cc:304
#23 0x0000000004b1eb9e in pfs_spawn_thread (arg=0xc0b1600) at ../../../mysql-9.3.0/storage/perfschema/pfs.cc:3067
#24 0x00007f9635e717f2 in start_thread () from /lib64/libc.so.6
#25 0x00007f9635ef6880 in clone3 () from /lib64/libc.so.6
[16 Apr 9:23] MySQL Verification Team 
-- 8.4.5 debug build affected as well

[umshastr@bug117958:/bv/mybugs/mysql-8.4.5/mysql-test]$ ./mtr --nocheck-testcases bug117995 --debug-server
Logging: ./mtr  --nocheck-testcases bug117995 --debug-server
MySQL Version 8.4.5
Checking supported features
 - Binaries are debug compiled
Using 'all' suites
Collecting tests
Removing old var directory
Creating var directory '/bv/mybugs/mysql-8.4.5/mysql-test/var'
Installing system database
Using parallel: 1

==============================================================================
                  TEST NAME                       RESULT  TIME (ms) COMMENT
------------------------------------------------------------------------------
use test;
set explain_json_format_version = 1;
explain analyze format=json select * from ( select 1) b;
[ 50%] main.bug117995                            [ fail ]
        Test ended at 2025-04-16 11:22:11

CURRENT_TEST: main.bug117995
mysqltest: At line 3: Query 'explain analyze format=json select * from ( select 1) b' failed.
ERROR 2013 (HY000): Lost connection to MySQL server during query
[16 Apr 13:25] Peiyuan Liu 
suggested fix: return immediately after calling my_error in `if (lex->is_explain_analyze)` branch.

```
diff --git a/sql/opt_explain.cc b/sql/opt_explain.cc
index 37106df21a2..e0fb6fda413 100644
--- a/sql/opt_explain.cc
+++ b/sql/opt_explain.cc
@@ -2294,6 +2294,7 @@ bool explain_query(THD *explain_thd, const THD *query_thd,
       my_error(ER_NOT_SUPPORTED_YET, MYF(0),
                "EXPLAIN ANALYZE with TRADITIONAL format");
     }
+    return true;
   }
 
   // Non-iterator-based formats are not supported with the hypergraph
```
[17 Apr 8:07] MySQL Verification Team 
Hello Peiyuan Liu,

I'll follow up with the community team and let you know if anything further needed. Thank you.

regards,
Umesh
[25 Apr 7:49] Peiyuan Liu 
bugfix: explain analyze format=jsonv1 causes crash

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: 0001-bugfix-explain-analyze-format-jsonv1-crash.patch (application/octet-stream, text), 716 bytes.
[25 Apr 8:09] MySQL Verification Team 
Thank you, for your Contribution.

regards,
Umesh
[19 May 23:45] Jon Stephens 
Documented fix as follows in the MySQL 9.4.0 changelog:

    EXPLAIN ANALYZE FORMAT=JSON did not handle queries with
    subqueries correctly when explain_json_format_version was equal
    to 1.

    Our thanks to Peiyuan Liu and the Tencent team for the
    contribution.

Closed.