Bug #12651 Crash on a PS including a subquery which is a select from a simple view
Submitted: 18 Aug 2005 16:49
Modified: 9 Sep 2005 18:44
Reporter: Andrey Hristov
Status: Closed
Category: MySQL Server
Severity: S1 (Critical)
Version: 5.0.12-200508181000
OS: Linux (Linux/Windows)
Assigned to: Konstantin Osipov
CPU Architecture: Any

[18 Aug 2005 16:49] Andrey Hristov
Description:
Test case attached - could not be made more minimal I think.
Crash with the following backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0806b82f in Item_func::fix_fields (this=0x8c4ffd0, thd=0x8c32f00, ref=0x8c4889c) at item_func.cc:164
164             if (item->check_cols(allowed_arg_cols))
(gdb) bt
#0  0x0806b82f in Item_func::fix_fields (this=0x8c4ffd0, thd=0x8c32f00, ref=0x8c4889c) at item_func.cc:164
#1  0x08083d6d in Item_cond::fix_fields (this=0x8c48810, thd=0x8c32f00, ref=0x8c4a520) at item_cmpfunc.cc:2390
#2  0x0811c5a0 in setup_conds (thd=0x8c32f00, tables=0x8c4efb0, leaves=0x8c4fbd8, conds=0x8c4a520) at sql_base.cc:4518
#3  0x08123824 in JOIN::prepare (this=0x8c49788, rref_pointer_array=0x8c4ec90, tables_init=0x0, wild_num=0, conds_init=0x0, og_num=0,
    order_init=0x0, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x8c4eb78, unit_arg=0x8c4ecc8)
    at sql_select.cc:283
#4  0x080ac9b4 in subselect_single_select_engine::prepare (this=0x8c4f1c8) at item_subselect.cc:1453
#5  0x080a8af8 in Item_subselect::fix_fields (this=0x8c4f130, thd_param=0x8c32f00, ref=0x8c4fe24) at item_subselect.cc:144
#6  0x0807ed74 in Item_in_optimizer::fix_fields (this=0x8c4fdd8, thd=0x8c32f00, ref=0x0) at item_cmpfunc.cc:691
#7  0x0806b807 in Item_func::fix_fields (this=0x8c4f1e8, thd=0x8c32f00, ref=0x8c49690) at item_func.cc:158
#8  0x0811c5a0 in setup_conds (thd=0x8c32f00, tables=0x8c4e960, leaves=0x8c4e960, conds=0x8c49690) at sql_base.cc:4518
#9  0x08123824 in JOIN::prepare (this=0x8c488f8, rref_pointer_array=0x8c3b784, tables_init=0x0, wild_num=0, conds_init=0x0, og_num=0,
    order_init=0x0, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x8c3b66c, unit_arg=0x8c3b478)
    at sql_select.cc:283
#10 0x08128150 in mysql_select (thd=0x8c32f00, rref_pointer_array=0x8c3b784, tables=0x8c4e960, wild_num=0, fields=@0x0, conds=0x8c4f1e8,
    og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2424588800, result=0x8c4f288, unit=0x8c3b478,
    select_lex=0x8c3b66c) at sql_select.cc:2071
#11 0x081234b3 in handle_select (thd=0x8c32f00, lex=0x8c3b468, result=0x8c4f288, setup_tables_done_option=0) at sql_select.cc:238
#12 0x080ec21a in mysql_execute_command (thd=0x8c32f00) at sql_parse.cc:2429
#13 0x0814ca6e in mysql_stmt_execute (thd=0x8c32f00, packet=0x8c353da "", packet_length=0) at sql_prepare.cc:2080
#14 0x080ea42e in dispatch_command (command=COM_STMT_EXECUTE, thd=0x8c32f00, packet=0x8c353d1 "\001", packet_length=10)
    at sql_parse.cc:1624
#15 0x080e9e19 in do_command (thd=0x8c32f00) at sql_parse.cc:1458
#16 0x080e8f72 in handle_one_connection (arg=0x0) at sql_parse.cc:1111
#17 0x080d8b24 in create_new_thread (thd=0x8c32f00) at mysqld.cc:3654
#18 0x080d91eb in handle_connections_sockets (arg=0x0) at mysqld.cc:3926
#19 0x080d85a7 in main (argc=0, argv=0xbffff0f4) at mysqld.cc:3325

How to repeat:
Use the attached C program.
[18 Aug 2005 16:51] Andrey Hristov
repro case

Attachment: bug12651.c (text/x-csrc), 1.22 KiB.

[18 Aug 2005 16:53] Andrey Hristov
After narrowing down the test case the crash moved to line 164, before that it was crashing on line 158. Hopefully when this one is fixed it won't crash on line 158 too.
[18 Aug 2005 18:25] MySQL Verification Team
Windows call stack below:

>	mysqld-debug.exe!Item_func::fix_fields(THD * thd=0x0100a040, Item * * ref=0x030cefc4)  Line 164 + 0x18	C++
 	mysqld-debug.exe!Item_cond::fix_fields(THD * thd=0x0100a040, Item * * ref=0x030d0c64)  Line 2390 + 0x23	C++
 	mysqld-debug.exe!setup_conds(THD * thd=0x0100a040, st_table_list * tables=0x030d61e0, st_table_list * leaves=0x030d6e80, Item * * conds=0x030d0c64)  Line 3666 + 0x24	C++
 	mysqld-debug.exe!setup_without_group(THD * thd=0x0100a040, Item * * ref_pointer_array=0x030d7060, st_table_list * tables=0x030d61e0, st_table_list * leaves=0x030d6e80, List<Item> & fields={...}, List<Item> & all_fields={...}, Item * * conds=0x030d0c64, st_order * order=0x00000000, st_order * group=0x00000000, int * hidden_group_fields=0x030d0bdc)  Line 283 + 0x15	C++
 	mysqld-debug.exe!JOIN::prepare(Item * * * rref_pointer_array=0x030d5e94, st_table_list * tables_init=0x030d61e0, unsigned int wild_num=0, Item * conds_init=0x030cef38, unsigned int og_num=0, st_order * order_init=0x00000000, st_order * group_init=0x00000000, Item * having_init=0x030d7338, st_order * proc_param_init=0x00000000, st_select_lex * select_lex_arg=0x030d5d70, st_select_lex_unit * unit_arg=0x030d5ee0)  Line 351 + 0x15b	C++
 	mysqld-debug.exe!subselect_single_select_engine::prepare()  Line 1352 + 0x91	C++
 	mysqld-debug.exe!Item_subselect::fix_fields(THD * thd_param=0x0100a040, Item * * ref=0x030d70d4)  Line 144 + 0x13	C++
 	mysqld-debug.exe!Item_in_optimizer::fix_fields(THD * thd=0x0100a040, Item * * ref=0x030d6490)  Line 691 + 0x38	C++
 	mysqld-debug.exe!Item_func::fix_fields(THD * thd=0x0100a040, Item * * ref=0x030cfdc4)  Line 158 + 0x24	C++
 	mysqld-debug.exe!setup_conds(THD * thd=0x0100a040, st_table_list * tables=0x030d5b50, st_table_list * leaves=0x030d5b50, Item * * conds=0x030cfdc4)  Line 3666 + 0x24	C++
 	mysqld-debug.exe!setup_without_group(THD * thd=0x0100a040, Item * * ref_pointer_array=0x030d7030, st_table_list * tables=0x030d5b50, st_table_list * leaves=0x030d5b50, List<Item> & fields={...}, List<Item> & all_fields={...}, Item * * conds=0x030cfdc4, st_order * order=0x00000000, st_order * group=0x00000000, int * hidden_group_fields=0x030cfd3c)  Line 283 + 0x15	C++
 	mysqld-debug.exe!JOIN::prepare(Item * * * rref_pointer_array=0x030d5354, st_table_list * tables_init=0x030d5b50, unsigned int wild_num=0, Item * conds_init=0x030d6448, unsigned int og_num=0, st_order * order_init=0x00000000, st_order * group_init=0x00000000, Item * having_init=0x00000000, st_order * proc_param_init=0x00000000, st_select_lex * select_lex_arg=0x030d5230, st_select_lex_unit * unit_arg=0x030d5020)  Line 351 + 0x15b	C++
 	mysqld-debug.exe!mysql_select(THD * thd=0x0100a040, Item * * * rref_pointer_array=0x030d5354, st_table_list * tables=0x030d5b50, unsigned int wild_num=0, List<Item> & fields={...}, Item * conds=0x030d6448, unsigned int og_num=0, st_order * order=0x00000000, st_order * group=0x00000000, Item * having=0x00000000, st_order * proc_param=0x00000000, unsigned long select_options=2424588800, select_result * result=0x030d64e8, st_select_lex_unit * unit=0x030d5020, st_select_lex * select_lex=0x030d5230)  Line 2064 + 0x34	C++
 	mysqld-debug.exe!handle_select(THD * thd=0x0100a040, st_lex * lex=0x030d5008, select_result * result=0x030d64e8, unsigned long setup_tables_done_option=0)  Line 250 + 0x8c	C++
 	mysqld-debug.exe!mysql_execute_command(THD * thd=0x0100a040)  Line 2414 + 0x13	C++
 	mysqld-debug.exe!mysql_stmt_execute(THD * thd=0x0100a040, char * packet=0x030c6e82, unsigned int packet_length=10)  Line 2061 + 0x9	C++
 	mysqld-debug.exe!dispatch_command(enum_server_command command=COM_STMT_EXECUTE, THD * thd=0x0100a040, char * packet=0x030c6e79, unsigned int packet_length=10)  Line 1622 + 0x11	C++
 	mysqld-debug.exe!do_command(THD * thd=0x0100a040)  Line 1460 + 0x31	C++
 	mysqld-debug.exe!handle_one_connection(void * arg=0x0100a040)  Line 1113 + 0x9	C++
 	mysqld-debug.exe!pthread_start(void * param=0x00f1d7f8)  Line 63 + 0x7	C
 	mysqld-debug.exe!_threadstart(void * ptd=0x030b8af8)  Line 173 + 0xd	C
 	kernel32.dll!7c80b50b() 	
 	kernel32.dll!7c8399f3()
[19 Aug 2005 10:32] Andrey Hristov
Crashes also from the mysql cmd client (see the table definitions in the attached C program):
mysql> use xl_issue2;
Database changed
mysql> prepare some_ps from 'SELECT 1 FROM XL_T1 WHERE LIC_TYPE NOT IN (SELECT USERTYP FROM XL_V1)';
Query OK, 0 rows affected (0.01 sec)
Statement prepared

mysql> execute some_ps;

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1123793840 (LWP 5749)]
0x08166f3a in Item_func::fix_fields (this=0x8e71fa8, thd=0x8e54e90, ref=0x8e6a8c4) at item_func.cc:158
158           if ((!(*arg)->fixed && (*arg)->fix_fields(thd, arg)))
(gdb) bt
#0  0x08166f3a in Item_func::fix_fields (this=0x8e71fa8, thd=0x8e54e90, ref=0x8e6a8c4) at item_func.cc:158
#1  0x08181808 in Item_cond::fix_fields (this=0x8e6a838, thd=0x8e54e90, ref=0x8e6c5c0) at item_cmpfunc.cc:2390
#2  0x08222442 in setup_conds (thd=0x8e54e90, tables=0x8e70f88, leaves=0x8e71bb0, conds=0x8e6c5c0) at sql_base.cc:4553
#3  0x0824e72b in setup_without_group (thd=0x8e54e90, ref_pointer_array=0x8e71d88, tables=0x8e70f88, leaves=0x8e71bb0,
    fields=@0x8e70bd0, all_fields=@0x8e6c558, conds=0x8e6c5c0, order=0x0, group=0x0, hidden_group_fields=0x8e6c53e) at sql_select.cc:283
#4  0x0822af70 in JOIN::prepare (this=0x8e6b828, rref_pointer_array=0x8e70c68, tables_init=0x8e70f88, wild_num=0, conds_init=0x8e6a838,
    og_num=0, order_init=0x0, group_init=0x0, having_init=0x8e72060, proc_param_init=0x0, select_lex_arg=0x8e70b50, unit_arg=0x8e70ca0)
    at sql_select.cc:340
#5  0x081a6d7e in subselect_single_select_engine::prepare (this=0x8e711a0) at item_subselect.cc:1453
#6  0x081a3217 in Item_subselect::fix_fields (this=0x8e71108, thd_param=0x8e54e90, ref=0x8e71dfc) at item_subselect.cc:144
#7  0x0817b21a in Item_in_optimizer::fix_fields (this=0x8e71db0, thd=0x8e54e90, ref=0x8e71208) at item_cmpfunc.cc:691
#8  0x08166f3e in Item_func::fix_fields (this=0x8e711c0, thd=0x8e54e90, ref=0x8e6b730) at item_func.cc:158
#9  0x08222442 in setup_conds (thd=0x8e54e90, tables=0x8e70938, leaves=0x8e70938, conds=0x8e6b730) at sql_base.cc:4553
#10 0x0824e72b in setup_without_group (thd=0x8e54e90, ref_pointer_array=0x8e71d58, tables=0x8e70938, leaves=0x8e70938,
    fields=@0x8e6135c, all_fields=@0x8e6b6c8, conds=0x8e6b730, order=0x0, group=0x0, hidden_group_fields=0x8e6b6ae) at sql_select.cc:283
#11 0x0822af70 in JOIN::prepare (this=0x8e6a998, rref_pointer_array=0x8e613f4, tables_init=0x8e70938, wild_num=0, conds_init=0x8e711c0,
    og_num=0, order_init=0x0, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x8e612dc, unit_arg=0x8e610e8)
    at sql_select.cc:340
#12 0x0823098c in mysql_select (thd=0x8e54e90, rref_pointer_array=0x8e613f4, tables=0x8e70938, wild_num=0, fields=@0x8e6135c,
    conds=0x8e711c0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2424588800, result=0x8e71260,
    unit=0x8e610e8, select_lex=0x8e612dc) at sql_select.cc:2071
#13 0x0822aba9 in handle_select (thd=0x8e54e90, lex=0x8e610d8, result=0x8e71260, setup_tables_done_option=0) at sql_select.cc:238
#14 0x081f023c in mysql_execute_command (thd=0x8e54e90) at sql_parse.cc:2429
#15 0x0825ae1a in execute_stmt (thd=0x8e54e90, stmt=0x8e61098, expanded_query=0x42fbaa70) at sql_prepare.cc:2209
#16 0x0825ac47 in mysql_sql_stmt_execute (thd=0x8e54e90, stmt_name=0x8e55524) at sql_prepare.cc:2166
#17 0x081f0672 in mysql_execute_command (thd=0x8e54e90) at sql_parse.cc:2519
#18 0x081f8d05 in mysql_parse (thd=0x8e54e90, inBuf=0x8e6a7e0 "execute some_ps", length=15) at sql_parse.cc:5439
#19 0x081ee2f5 in dispatch_command (command=COM_QUERY, thd=0x8e54e90, packet=0x8e575f1 "execute some_ps", packet_length=16)
    at sql_parse.cc:1659
#20 0x081edac2 in do_command (thd=0x8e54e90) at sql_parse.cc:1458
#21 0x081ecba2 in handle_one_connection (arg=0x8e54e90) at sql_parse.cc:1111
#22 0x4017aaa7 in start_thread () from /lib/tls/libpthread.so.0
#23 0x402abc2e in clone () from /lib/tls/libc.so.6
[29 Aug 2005 22:06] Andrey Hristov
Another query that also crashes the server. In this case a dump shows that the VMT pointer is 0x0. In the previous case it is 0x1 and rsize is != 0. Looks like memory corruption. With the second query it looks like newly allocated memory. The object is allocated on a memory arena which is cleaned later?

prepare s5 from 'SELECT 1 FROM XL_T1 WHERE LIC_TYPE IN (SELECT USERTYP FROM XL_V1);';
[29 Aug 2005 22:11] Andrey Hristov
A bit more info:

Breakpoint 1, Item_func::fix_fields (this=0x8c52010, thd=0x8c34f90, ref=0x8c4c5f0) at item_func.cc:164
(gdb) print item
$46 = (class Item *) 0x8c4c610
(gdb) print *item
$47 = {_vptr.Item = 0x0, rsize = 0, str_value = {Ptr = 0x0, str_length = 0, Alloced_length = 2779096485, alloced = false, str_charset = 0x0}, name = 0xa5a50000 <Address 0xa5a50000 out of bounds>, orig_name = 0xa5a5a5a5 <Address 0xa5a5a5a5 out of bounds>, next = 0xa5a5a5a5, max_length = 2779096485, name_length = 2779096485, marker = 165 '

(gdb) print this->functype()
$48 = EQ_FUNC
(gdb) print item->fixed
$49 = -91 '
--- this one is 0xA5 (allocated memory)
[8 Sep 2005 19:31] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/29523
[9 Sep 2005 18:44] Paul DuBois
Noted in 5.0.13 changelog.