Bug #36337 Crash in SELECT ... ORDER BY .. DESC LIMIT 1
Submitted: 25 Apr 2008 9:44 Modified: 13 Jun 2008 15:21
Reporter: Jan Kneschke Email Updates:
Status: No Feedback Impact on me:
None 
Category:MySQL Server Severity:S3 (Non-critical)
Version:5.1.24,6.0.4,5.0.51a OS:Linux (x86_64)
Assigned to: CPU Architecture:Any

[25 Apr 2008 9:44] Jan Kneschke 
Description:
Using 5.1.24 from dev.mysql.com (Linux x86_64, generic RPMs) MySQL 5.1.24 crashes in executing 

  SELECT value, end_time FROM dc_string WHERE instance_attribute_id=101 ORDER BY end_time DESC LIMIT 1

How to repeat:
I can't reproduce it by hand on the console, it crashes only when the query is run as part of the application.

/usr/sbin/mysqld[0x6b0e54]
/usr/sbin/mysqld(print_stacktrace+0x9)[0x6b0e99]
/usr/sbin/mysqld(handle_segfault+0x1f8)[0x5aa6d8]
/lib64/libpthread.so.0[0x2aca0736bfb0]
/usr/sbin/mysqld(_ZN18QUICK_RANGE_SELECTD0Ev+0x4d)[0x654c5d]
/usr/sbin/mysqld(_ZN17QUICK_SELECT_DESCC1EP18QUICK_RANGE_SELECTj+0x197)[0x65fff7]
/usr/sbin/mysqld[0x60a090]
/usr/sbin/mysqld[0x60a9f5]
/usr/sbin/mysqld(_ZN4JOIN4execEv+0x7a6)[0x5f6686]
/usr/sbin/mysqld(_Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x157)[0x5f76e7]
/usr/sbin/mysqld(_Z13handle_selectP3THDP6st_lexP13select_resultm+0x15f)[0x5f349f]
/usr/sbin/mysqld[0x5b9469]
/usr/sbin/mysqld(_Z21mysql_execute_commandP3THD+0x400b)[0x5b903b]
/usr/sbin/mysqld(_Z11mysql_parseP3THDPKcjPS2_+0x141)[0x5ba9b1]
/usr/sbin/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcj+0x3cd)[0x5b3c2d]
/usr/sbin/mysqld(_Z10do_commandP3THD+0xb8)[0x5b3718]
/usr/sbin/mysqld(handle_one_connection+0x10f)[0x5b26cf]
/lib64/libpthread.so.0[0x2aca07364020]
/lib64/libc.so.6(clone+0x6d)[0x2aca07ee628d]
080425 11:25:29 - mysqld got signal 11 ;

...

key_buffer_size=16777216
read_buffer_size=262144
max_used_connections=40
max_threads=151
threads_connected=40
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 133869 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0x1895220
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0x189c650 = SELECT value, end_time FROM dc_string WHERE instance_attribute_id=101 ORDER BY end_time DESC LIMIT 1
thd->thread_id=43
thd->killed=NOT_KILLED

valgrind says:

==26538== Thread 48:
==26538== Conditional jump or move depends on uninitialised value(s)
==26538==    at 0x65FF0B: QUICK_SELECT_DESC::QUICK_SELECT_DESC(QUICK_RANGE_SELECT*, unsigned) (opt_range.cc:8568)
==26538==    by 0x60A08F: test_if_skip_sort_order(st_join_table*, st_order*, unsigned long long, bool, Bitmap<64>*) (sql_select.cc:13206)
==26538==    by 0x60A9F4: create_sort_index(THD*, JOIN*, st_order*, unsigned long long, unsigned long long, bool) (sql_select.cc:13290)
==26538==    by 0x5F6685: JOIN::exec() (sql_select.cc:2121)
==26538==    by 0x5F76E6: mysql_select(THD*, Item***, TABLE_LIST*, unsigned, List<Item>&, Item*, unsigned, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2356)
==26538==    by 0x5F349E: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:257)
==26538==    by 0x5B9468: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:4752)
==26538==    by 0x5B903A: mysql_execute_command(THD*) (sql_parse.cc:2052)
==26538==    by 0x5BA9B0: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5630)
==26538==    by 0x5B3C2C: dispatch_command(enum_server_command, THD*, char*, unsigned) (sql_parse.cc:1121)
==26538==    by 0x5B3717: do_command(THD*) (sql_parse.cc:781)
==26538==    by 0x5B26CE: handle_one_connection (sql_connect.cc:1115)
==26538==
==26538== Use of uninitialised value of size 8
==26538==    at 0x654C5D: QUICK_RANGE_SELECT::~QUICK_RANGE_SELECT() (table.h:665)
==26538==    by 0x65FFF6: QUICK_SELECT_DESC::QUICK_SELECT_DESC(QUICK_RANGE_SELECT*, unsigned) (opt_range.cc:8580)
==26538==    by 0x60A08F: test_if_skip_sort_order(st_join_table*, st_order*, unsigned long long, bool, Bitmap<64>*) (sql_select.cc:13206)
==26538==    by 0x60A9F4: create_sort_index(THD*, JOIN*, st_order*, unsigned long long, unsigned long long, bool) (sql_select.cc:13290)
==26538==    by 0x5F6685: JOIN::exec() (sql_select.cc:2121)
==26538==    by 0x5F76E6: mysql_select(THD*, Item***, TABLE_LIST*, unsigned, List<Item>&, Item*, unsigned, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2356)
==26538==    by 0x5F349E: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:257)
==26538==    by 0x5B9468: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:4752)
==26538==    by 0x5B903A: mysql_execute_command(THD*) (sql_parse.cc:2052)
==26538==    by 0x5BA9B0: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5630)
==26538==    by 0x5B3C2C: dispatch_command(enum_server_command, THD*, char*, unsigned) (sql_parse.cc:1121)
==26538==    by 0x5B3717: do_command(THD*) (sql_parse.cc:781)
==26538==
==26538== Invalid read of size 8
==26538==    at 0x654C5D: QUICK_RANGE_SELECT::~QUICK_RANGE_SELECT() (table.h:665)
==26538==    by 0x65FFF6: QUICK_SELECT_DESC::QUICK_SELECT_DESC(QUICK_RANGE_SELECT*, unsigned) (opt_range.cc:8580)
==26538==    by 0x60A08F: test_if_skip_sort_order(st_join_table*, st_order*, unsigned long long, bool, Bitmap<64>*) (sql_select.cc:13206)
==26538==    by 0x60A9F4: create_sort_index(THD*, JOIN*, st_order*, unsigned long long, unsigned long long, bool) (sql_select.cc:13290)
==26538==    by 0x5F6685: JOIN::exec() (sql_select.cc:2121)
==26538==    by 0x5F76E6: mysql_select(THD*, Item***, TABLE_LIST*, unsigned, List<Item>&, Item*, unsigned, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2356)
==26538==    by 0x5F349E: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:257)
==26538==    by 0x5B9468: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:4752)
==26538==    by 0x5B903A: mysql_execute_command(THD*) (sql_parse.cc:2052)
==26538==    by 0x5BA9B0: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5630)
==26538==    by 0x5B3C2C: dispatch_command(enum_server_command, THD*, char*, unsigned) (sql_parse.cc:1121)
==26538==    by 0x5B3717: do_command(THD*) (sql_parse.cc:781)
==26538==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
[25 Apr 2008 10:07] Valeriy Kravchuk 
Thank you for a problem report. Please, send the results of SHOW CREATE TABLE and SHOW TABLE STATUS results for that dc_string table. 

Send also the results of:

EXPLAIN SELECT value, end_time FROM dc_string WHERE instance_attribute_id=101 ORDER BY end_time DESC LIMIT 1;
[25 Apr 2008 10:26] Jan Kneschke 
*************************** 1. row ***************************
       Table: dc_string
Create Table: CREATE TABLE `dc_string` (
  `instance_attribute_id` int(11) NOT NULL,
  `end_time` bigint(20) NOT NULL,
  `value` varchar(10000) DEFAULT NULL,
  `begin_time` bigint(20) NOT NULL,
  PRIMARY KEY (`instance_attribute_id`,`end_time`),
  KEY `FK831513D1430A28F` (`instance_attribute_id`),
  CONSTRAINT `FK831513D1430A28F` FOREIGN KEY (`instance_attribute_id`) REFERENCES `inventory_instance_attributes` (`instance_attribute_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8

> SHOW TABLE STATUS LIKE "dc_string"\G
*************************** 1. row ***************************
           Name: dc_string
         Engine: InnoDB
        Version: 10
     Row_format: Compact
           Rows: 32
 Avg_row_length: 512
    Data_length: 16384
Max_data_length: 0
   Index_length: 16384
      Data_free: 119808
 Auto_increment: NULL
    Create_time: 2008-04-25 11:05:59
    Update_time: NULL
     Check_time: NULL
      Collation: utf8_general_ci
       Checksum: NULL
 Create_options:
        Comment:

+----+-------------+-----------+------+---------------------------+---------+---------+-------+------+-------------+
| id | select_type | table     | type | possible_keys             | key     | key_len | ref   | rows | Extra       |
+----+-------------+-----------+------+---------------------------+---------+---------+-------+------+-------------+
|  1 | SIMPLE      | dc_string | ref  | PRIMARY,FK831513D1430A28F | PRIMARY | 4       | const |    4 | Using where |
+----+-------------+-----------+------+---------------------------+---------+---------+-------+------+-------------+
[25 Apr 2008 14:05] Jan Kneschke 
I could reproduce the problem also in 6.0.4 and 5.0.51a and it hits always the same query:

thd->query at 0x25178f0 = SELECT value, end_time FROM dc_string WHERE instance_attribute_id=105 ORDER BY end_time DESC LIMIT 1

This is valgrind for 5.0.51a:

==6425== Thread 32:
==6425== Conditional jump or move depends on uninitialised value(s)
==6425==    at 0x611408: QUICK_SELECT_DESC::QUICK_SELECT_DESC(QUICK_RANGE_SELECT*, unsigned) (in /usr/sbin/mysqld)
==6425==    by 0x5C8EE4: (within /usr/sbin/mysqld)
==6425==    by 0x5C9137: (within /usr/sbin/mysqld)
==6425==    by 0x5B68FA: JOIN::exec() (in /usr/sbin/mysqld)
==6425==    by 0x5B73FD: mysql_select(THD*, Item***, TABLE_LIST*, unsigned, List<Item>&, Item*, unsigned, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (in /usr/sbin/mysqld)
==6425==    by 0x5B31DD: handle_select(THD*, st_lex*, select_result*, unsigned long) (in /usr/sbin/mysqld)
==6425==    by 0x585C82: mysql_execute_command(THD*) (in /usr/sbin/mysqld)
==6425==    by 0x58B74B: mysql_parse(THD*, char const*, unsigned, char const**) (in /usr/sbin/mysqld)
==6425==    by 0x5845BE: dispatch_command(enum_server_command, THD*, char*, unsigned) (in /usr/sbin/mysqld)
==6425==
==6425== Conditional jump or move depends on uninitialised value(s)
==6425==    at 0x6076D3: QUICK_RANGE_SELECT::~QUICK_RANGE_SELECT() (in /usr/sbin/mysqld)
==6425==    by 0x6114F3: QUICK_SELECT_DESC::QUICK_SELECT_DESC(QUICK_RANGE_SELECT*, unsigned) (in /usr/sbin/mysqld)
...
==6425== Conditional jump or move depends on uninitialised value(s)
==6425==    at 0x7FDA07: my_no_flags_free (in /usr/sbin/mysqld)
==6425==    by 0x60770B: QUICK_RANGE_SELECT::~QUICK_RANGE_SELECT() (in /usr/sbin/mysqld)
==6425==    by 0x6114F3: QUICK_SELECT_DESC::QUICK_SELECT_DESC(QUICK_RANGE_SELECT*, unsigned) (in /usr/sbin/mysqld)
...
==6425== Conditional jump or move depends on uninitialised value(s)
==6425==    at 0x4C218CE: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==6425==    by 0x7FDA0D: my_no_flags_free (in /usr/sbin/mysqld)
==6425==    by 0x60770B: QUICK_RANGE_SELECT::~QUICK_RANGE_SELECT() (in /usr/sbin/mysqld)
...
==6425== Conditional jump or move depends on uninitialised value(s)
==6425==    at 0x6076DC: QUICK_RANGE_SELECT::~QUICK_RANGE_SELECT() (in /usr/sbin/mysqld)
==6425==    by 0x6114F3: QUICK_SELECT_DESC::QUICK_SELECT_DESC(QUICK_RANGE_SELECT*, unsigned) (in /usr/sbin/mysqld)
...
==6425== Invalid free() / delete / delete[]
==6425==    at 0x4C2191B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==6425==    by 0x7FDA0D: my_no_flags_free (in /usr/sbin/mysqld)
==6425==    by 0x60770B: QUICK_RANGE_SELECT::~QUICK_RANGE_SELECT() (in /usr/sbin/mysqld)
==6425==    by 0x6114F3: QUICK_SELECT_DESC::QUICK_SELECT_DESC(QUICK_RANGE_SELECT*, unsigned) (in /usr/sbin/mysqld)
...
==6425==  Address 0x16A385F8 is 7,968 bytes inside a block of size 8,040 free'd
==6425==    at 0x4C2191B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==6425==    by 0x7FDA0D: my_no_flags_free (in /usr/sbin/mysqld)
==6425==    by 0x7FE4B3: free_root (in /usr/sbin/mysqld)
==6425==    by 0x5A810A: open_tables(THD*, TABLE_LIST**, unsigned*, unsigned) (in /usr/sbin/mysqld)
==6425==    by 0x5A8583: open_and_lock_tables(THD*, TABLE_LIST*) (in /usr/sbin/mysqld)
==6425==    by 0x585C3E: mysql_execute_command(THD*) (in /usr/sbin/mysqld)
==6425==    by 0x58B74B: mysql_parse(THD*, char const*, unsigned, char const**) (in /usr/sbin/mysqld)
==6425==    by 0x5845BE: dispatch_command(enum_server_command, THD*, char*, unsigned) (in /usr/sbin/mysqld)
...
==6425== Conditional jump or move depends on uninitialised value(s)
==6425==    at 0x6076DC: QUICK_RANGE_SELECT::~QUICK_RANGE_SELECT() (in /usr/sbin/mysqld)
==6425==    by 0x6114F3: QUICK_SELECT_DESC::QUICK_SELECT_DESC(QUICK_RANGE_SELECT*, unsigned) (in /usr/sbin/mysqld)
...
==6425== Conditional jump or move depends on uninitialised value(s)
==6425==    at 0x5C8EF5: (within /usr/sbin/mysqld)
==6425==    by 0x5C9137: (within /usr/sbin/mysqld)
...
==6425== Use of uninitialised value of size 8
==6425==    at 0x610BCB: QUICK_RANGE_SELECT::reset() (in /usr/sbin/mysqld)
==6425==    by 0x5C7145: (within /usr/sbin/mysqld)
==6425==    by 0x5C6112: sub_select(JOIN*, st_join_table*, bool) (in /usr/sbin/mysqld)
...
==6425==
==6425== Invalid read of size 4
==6425==    at 0x610BCB: QUICK_RANGE_SELECT::reset() (in /usr/sbin/mysqld)
==6425==    by 0x5C7145: (within /usr/sbin/mysqld)
==6425==    by 0x5C6112: sub_select(JOIN*, st_join_table*, bool) (in /usr/sbin/mysqld)
....
==6425==  Address 0x31000180 is not stack'd, malloc'd or (recently) free'd
[13 May 2008 15:21] Valeriy Kravchuk 
Can you upload a dump of that dc_string table? I can not repeat with behaviour described with dummy data. Is it ever repeatable from mysql command line client? 

If it is repeatable only from application, can you, please, try to run server with general query log enabled and send the log?
[13 Jun 2008 23:00] Bugs System 
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".