Bug #1384568 “A query on empty table with BLOBs may crash server...” : Bugs : Percona Server moved to https://jira.percona.com/projects/PS

Revision history for this message

Roel Van de Paar (roel11) wrote on 2014-10-23:

#1

1867_bundle.tar.gz Edit (37.9 MiB, application/x-tar)

Revision history for this message

Roel Van de Paar (roel11) wrote on 2014-12-02:

#2

DROP DATABASE test;CREATE DATABASE test;USE test;
CREATE TABLE t1(a INT KEY,B TEXT)ENGINE=InnoDB;
explain extended select * FROM t1 x,t1 y where(x.a=2 or (x.a,x.b)in ((0,0),(5,0),(4,3))) and y.a=x.d and y.b=x.b;

Revision history for this message

Roel Van de Paar (roel11) wrote on 2014-12-02:

#3

http://bugs.mysql.com/bug.php?id=74644

tags:

added: i48128

Revision history for this message

Roel Van de Paar (roel11) wrote on 2014-12-02:

#4

Reproduces best in debug, but not a debug-only bug

summary:

- mysqld got signal 11 ; on select, may be GRANT related (single threaded)
- | handle_fatal_signal (sig=11) in __memmove_ssse3_back from String::copy
+ mysqld got signal 11 ; on EXPLAIN (single threaded) |
+ handle_fatal_signal (sig=11) in __memmove_ssse3_back from String::copy

Laurynas Biveinis (laurynas-biveinis) on 2014-12-02

summary:	- mysqld got signal 11 ; on EXPLAIN (single threaded) \| - handle_fatal_signal (sig=11) in __memmove_ssse3_back from String::copy + EXPLAIN crashes server
tags:	added: upstream

Revision history for this message

Przemek (pmalkowski) wrote on 2014-12-02: Re: EXPLAIN crashes server

#5

Download full text (5.6 KiB)

I can reproduce the crash using the test case on PS 5.6.19 and PS 5.6.21, however, when I install jemalloc, no more crashing happens. So seems that using jemalloc may be a good enough workaround for now.

[root@vagrant-centos65 ~]# rpm -qa|grep Percona-Server
Percona-Server-shared-56-5.6.21-rel70.1.el6.x86_64
Percona-Server-shared-51-5.1.73-rel14.12.624.rhel6.x86_64
Percona-Server-client-56-5.6.21-rel70.1.el6.x86_64
Percona-Server-server-56-5.6.21-rel70.1.el6.x86_64

MySQL> DROP DATABASE test;CREATE DATABASE test;USE test;CREATE TABLE t1(a INT KEY,b TEXT)ENGINE=InnoDB;explain extended select * FROM t1 x,t1 y where(x.a=2 or (x.a,x.b)in ((0,0),(5,0),(4,3))) and y.a=x.a and y.b=x.b;
Query OK, 1 row affected (0.15 sec)

Query OK, 1 row affected (0.00 sec)

Database changed
Query OK, 0 rows affected (0.35 sec)

ERROR 2013 (HY000): Lost connection to MySQL server during query

Err log:
2014-12-02 11:47:39 10633 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.6.21-70.1' socket: '/var/lib/mysql/mysql.sock' port: 3306 Percona Server (GPL), Release 70.1, Revision 698
11:51:19 UTC - mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.
Please help us make Percona Server better by reporting any
bugs at http://bugs.percona.com/

key_buffer_size=8388608
read_buffer_size=131072
max_used_connections=1
max_threads=153
thread_count=1
connection_count=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 69184 K bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x2c3dfa0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 7fcac40dfd40 thread_stack 0x40000
/usr/sbin/mysqld(my_print_stacktrace+0x2c)[0x8bdcec]
/usr/sbin/mysqld(handle_fatal_signal+0x461)[0x6512a1]
/lib64/libpthread.so.0(+0xf710)[0x7fcae304b710]
/lib64/libc.so.6(+0x89b78)[0x7fcae16feb78]
/lib64/libc.so.6(memmove+0x192)[0x7fcae16f8992]
/usr/sbin/mysqld(_ZN6String4copyERKS_+0x26)[0x716126]
/usr/sbin/mysqld(_ZN20cmp_item_sort_string11store_valueEP4Item+0x33)[0x5cdb43]
/usr/sbin/mysqld(_ZN12cmp_item_row11store_valueEP4Item+0x7c)[0x5c91ac]
/usr/sbin/mysqld(_ZN12Item_func_in18fix_length_and_decEv+0x8b4)[0x5c9c24]
/usr/sbin/mysqld(_ZN9Item_func10fix_fieldsEP3THDPP4Item+0x1f5)[0x5e6d75]
/usr/sbin/mysqld(_ZN12Item_func_in10fix_fieldsEP3THDPP4Item+0x13)[0x5bfbd3]
/usr/sbin/mysqld(_ZN9Item_cond10fix_fieldsEP3THDPP4Item+0x106)[0x5bf576]
/usr/sbin/mysqld(_ZN9Item_cond10fix_fieldsEP3THDPP4Item+0x106)[0x5bf576]
/usr/sbin/mysqld(_Z11setup_condsP3THDP10TABLE_LISTS2_PP4Item+0x10a)[0x68a63a]
/usr/sbin/mysqld(_ZN4JOIN7prepareEP10TABLE_LISTjP4ItemjP8st_orderS5_S3_P13st_select_lexP18st_select_lex_unit+0x4de)[0x6ed...

I can reproduce the crash using the test case on PS 5.6.19 and PS 5.6.21, however, when I install jemalloc, no more crashing happens. So seems that using jemalloc may be a good enough workaround for now.

[root@vagrant-centos65 ~]# rpm -qa|grep Percona-Server
Percona-Server-shared-56-5.6.21-rel70.1.el6.x86_64
Percona-Server-shared-51-5.1.73-rel14.12.624.rhel6.x86_64
Percona-Server-client-56-5.6.21-rel70.1.el6.x86_64
Percona-Server-server-56-5.6.21-rel70.1.el6.x86_64

MySQL> DROP DATABASE test;CREATE DATABASE test;USE test;CREATE TABLE t1(a INT KEY,b TEXT)ENGINE=InnoDB;explain extended select * FROM t1 x,t1 y where(x.a=2 or (x.a,x.b)in ((0,0),(5,0),(4,3))) and y.a=x.a and y.b=x.b;
Query OK, 1 row affected (0.15 sec)

Query OK, 1 row affected (0.00 sec)

Database changed
Query OK, 0 rows affected (0.35 sec)

ERROR 2013 (HY000): Lost connection to MySQL server during query

Err log:
2014-12-02 11:47:39 10633 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.6.21-70.1'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  Percona Server (GPL), Release 70.1, Revision 698
11:51:19 UTC - mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed, 
something is definitely wrong and this may fail.
Please help us make Percona Server better by reporting any
bugs at http://bugs.percona.com/

key_buffer_size=8388608
read_buffer_size=131072
max_used_connections=1
max_threads=153
thread_count=1
connection_count=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 69184 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x2c3dfa0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 7fcac40dfd40 thread_stack 0x40000
/usr/sbin/mysqld(my_print_stacktrace+0x2c)[0x8bdcec]
/usr/sbin/mysqld(handle_fatal_signal+0x461)[0x6512a1]
/lib64/libpthread.so.0(+0xf710)[0x7fcae304b710]
/lib64/libc.so.6(+0x89b78)[0x7fcae16feb78]
/lib64/libc.so.6(memmove+0x192)[0x7fcae16f8992]
/usr/sbin/mysqld(_ZN6String4copyERKS_+0x26)[0x716126]
/usr/sbin/mysqld(_ZN20cmp_item_sort_string11store_valueEP4Item+0x33)[0x5cdb43]
/usr/sbin/mysqld(_ZN12cmp_item_row11store_valueEP4Item+0x7c)[0x5c91ac]
/usr/sbin/mysqld(_ZN12Item_func_in18fix_length_and_decEv+0x8b4)[0x5c9c24]
/usr/sbin/mysqld(_ZN9Item_func10fix_fieldsEP3THDPP4Item+0x1f5)[0x5e6d75]
/usr/sbin/mysqld(_ZN12Item_func_in10fix_fieldsEP3THDPP4Item+0x13)[0x5bfbd3]
/usr/sbin/mysqld(_ZN9Item_cond10fix_fieldsEP3THDPP4Item+0x106)[0x5bf576]
/usr/sbin/mysqld(_ZN9Item_cond10fix_fieldsEP3THDPP4Item+0x106)[0x5bf576]
/usr/sbin/mysqld(_Z11setup_condsP3THDP10TABLE_LISTS2_PP4Item+0x10a)[0x68a63a]
/usr/sbin/mysqld(_ZN4JOIN7prepareEP10TABLE_LISTjP4ItemjP8st_orderS5_S3_P13st_select_lexP18st_select_lex_unit+0x4de)[0x6ed4be]
/usr/sbin/mysqld(_Z12mysql_selectP3THDP10TABLE_LISTjR4ListI4ItemEPS4_P10SQL_I_ListI8st_orderESB_S7_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x89e)[0x6f6a2e]
/usr/sbin/mysqld[0x7c572d]
/usr/sbin/mysqld(_Z24explain_query_expressionP3THDP13select_result+0x67)[0x7ca617]
/usr/sbin/mysqld[0x55ae37]
/usr/sbin/mysqld(_Z21mysql_execute_commandP3THD+0x378f)[0x6d288f]
/usr/sbin/mysqld(_Z11mysql_parseP3THDPcjP12Parser_state+0x5c8)[0x6d6168]
/usr/sbin/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcj+0xfb7)[0x6d7887]
/usr/sbin/mysqld(_Z24do_handle_one_connectionP3THD+0x162)[0x6a57f2]
/usr/sbin/mysqld(handle_one_connection+0x40)[0x6a58e0]
/usr/sbin/mysqld(pfs_spawn_thread+0x143)[0xac8523]
/lib64/libpthread.so.0(+0x79d1)[0x7fcae30439d1]
/lib64/libc.so.6(clone+0x6d)[0x7fcae175d9dd]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (7fca8c004f50): is an invalid pointer
Connection ID (thread ID): 1
Status: NOT_KILLED

[root@vagrant-centos65 ~]# yum install -y jemalloc.x86_64
[root@vagrant-centos65 ~]# /etc/init.d/mysql restart
Shutting down MySQL (Percona Server).. SUCCESS! 
Starting MySQL (Percona Server)... SUCCESS!

[root@vagrant-centos65 ~]# lsof -p `pidof mysqld`|grep jema
mysqld  10907 mysql  mem    REG                8,1   210024   6961 /usr/lib64/libjemalloc.so.1

MySQL> DROP DATABASE test;CREATE DATABASE test;USE test;CREATE TABLE t1(a INT KEY,b TEXT)ENGINE=InnoDB;explain extended select * FROM t1 x,t1 y where(x.a=2 or (x.a,x.b)in ((0,0),(5,0),(4,3))) and y.a=x.a and y.b=x.b;
Query OK, 1 row affected (0.02 sec)

Query OK, 1 row affected (0.00 sec)

Database changed
Query OK, 0 rows affected (0.44 sec)

+----+-------------+-------+--------+---------------+---------+---------+----------+------+----------+-------------+
| id | select_type | table | type   | possible_keys | key     | key_len | ref      | rows | filtered | Extra       |
+----+-------------+-------+--------+---------------+---------+---------+----------+------+----------+-------------+
|  1 | SIMPLE      | x     | ALL    | PRIMARY       | NULL    | NULL    | NULL     |    1 |   100.00 | Using where |
|  1 | SIMPLE      | y     | eq_ref | PRIMARY       | PRIMARY | 4       | test.x.a |    1 |   100.00 | Using where |
+----+-------------+-------+--------+---------------+---------+---------+----------+------+----------+-------------+
2 rows in set, 1 warning (0.00 sec)

With jemalloc, I cannot reproduce the crash even in a 100 loop of the test case.

Revision history for this message

Laurynas Biveinis (laurynas-biveinis) wrote on 2014-12-02:

#6

Using Jemalloc might trade a clear crash for a silent server memory corruption elsewhere, I wouldn't consider it as a workaround.

Revision history for this message

George Ormond Lorch III (gl-az) wrote on 2014-12-03:

#7

Download full text (3.6 KiB)

I can finally reproduce this in debug and valgrind.

I can eliminate the EXPLAIN and just use this sequence shortened from Roels test above:
DROP DATABASE IF EXISTS test; CREATE DATABASE test; USE test; CREATE TABLE t1(a INT KEY,B TEXT)ENGINE=InnoDB; select * FROM t1 x,t1 y where(x.a=2 or (x.a,x.b)in ((0,0),(5,0),(4,3))) and y.a=x.d and y.b=x.b;

Look at the last two expressions of the where:
and y.a=x.d and y.b=x.b;

"and y.a=x.d and"

There is no 'd' in the table definition, this is causing the crash. Ideally the server shouldn't crash but return an error instead.

Valgrind+vgdb is giving me this:
==26044== Conditional jump or move depends on uninitialised value(s)
==26044== at 0x65206F: Item_field::val_str(String*) (item.cc:2673)
==26044== by 0x6864DD: cmp_item_sort_string::store_value(Item*) (item_cmpfunc.h:1166)
==26044== by 0x67BEEF: cmp_item_row::store_value(Item*) (item_cmpfunc.cc:4190)
==26044== by 0x67D296: Item_func_in::fix_length_and_dec() (item_cmpfunc.cc:4590)
==26044== by 0x69FF2D: Item_func::fix_fields(THD*, Item**) (item_func.cc:231)
==26044== by 0x67C6B8: Item_func_in::fix_fields(THD*, Item**) (item_cmpfunc.cc:4362)
==26044== by 0x67E101: Item_cond::fix_fields(THD*, Item**) (item_cmpfunc.cc:4838)
==26044== by 0x67E101: Item_cond::fix_fields(THD*, Item**) (item_cmpfunc.cc:4838)
==26044== by 0x76F8E2: setup_conds(THD*, TABLE_LIST*, TABLE_LIST*, Item**) (sql_base.cc:9003)
==26044== by 0x7FE8CB: setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, TABLE_LIST*, List<Item>&, List<Item>&, Item**, st_order*, st_order*, int*, int*) (sql_resolver.cc:952)
==26044== by 0x7FC1C0: JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_select_lex*, st_select_lex_unit*) (sql_resolver.cc:177)
==26044== by 0x803D3B: mysql_prepare_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*, bool*) (sql_select.cc:1054)
==26044== Uninitialised value was created by a heap allocation
==26044== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26044== by 0xAA2918: my_malloc (my_malloc.c:38)
==26044== by 0xA9C14A: alloc_root (my_alloc.c:224)
==26044== by 0x899ED5: open_table_from_share(THD*, TABLE_SHARE*, char const*, unsigned int, unsigned int, unsigned int, TABLE*, bool) (table.cc:2168)
==26044== by 0x763CB1: open_table(THD*, TABLE_LIST*, Open_table_context*) (sql_base.cc:3205)
==26044== by 0x76635D: open_and_process_table(THD*, LEX*, TABLE_LIST*, unsigned int*, unsigned int, Prelocking_strategy*, bool, Open_table_context*) (sql_base.cc:4699)
==26044== by 0x7672C9: open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) (sql_base.cc:5213)
==26044== by 0x76843A: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5913)
==26044== by 0x7DA78F: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5589)
==26044== by 0x7D2E84: mysql_execute_command(THD*) (sql_parse.cc:2974)
==26044== by 0x7DD136: mysql_parse(THD*, char*, unsigned int, P...

I can finally reproduce this in debug and valgrind.

I can eliminate the EXPLAIN and just use this sequence shortened from Roels test above:
DROP DATABASE IF EXISTS test; CREATE DATABASE test; USE test; CREATE TABLE t1(a INT KEY,B TEXT)ENGINE=InnoDB; select * FROM t1 x,t1 y where(x.a=2 or (x.a,x.b)in ((0,0),(5,0),(4,3))) and y.a=x.d and y.b=x.b;

Look at the last two expressions of the where:
and y.a=x.d and y.b=x.b;

"and y.a=x.d and"

There is no 'd' in the table definition, this is causing the crash. Ideally the server shouldn't crash but return an error instead.

Valgrind+vgdb is giving me this:
==26044== Conditional jump or move depends on uninitialised value(s)
==26044==    at 0x65206F: Item_field::val_str(String*) (item.cc:2673)
==26044==    by 0x6864DD: cmp_item_sort_string::store_value(Item*) (item_cmpfunc.h:1166)
==26044==    by 0x67BEEF: cmp_item_row::store_value(Item*) (item_cmpfunc.cc:4190)
==26044==    by 0x67D296: Item_func_in::fix_length_and_dec() (item_cmpfunc.cc:4590)
==26044==    by 0x69FF2D: Item_func::fix_fields(THD*, Item**) (item_func.cc:231)
==26044==    by 0x67C6B8: Item_func_in::fix_fields(THD*, Item**) (item_cmpfunc.cc:4362)
==26044==    by 0x67E101: Item_cond::fix_fields(THD*, Item**) (item_cmpfunc.cc:4838)
==26044==    by 0x67E101: Item_cond::fix_fields(THD*, Item**) (item_cmpfunc.cc:4838)
==26044==    by 0x76F8E2: setup_conds(THD*, TABLE_LIST*, TABLE_LIST*, Item**) (sql_base.cc:9003)
==26044==    by 0x7FE8CB: setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, TABLE_LIST*, List<Item>&, List<Item>&, Item**, st_order*, st_order*, int*, int*) (sql_resolver.cc:952)
==26044==    by 0x7FC1C0: JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_select_lex*, st_select_lex_unit*) (sql_resolver.cc:177)
==26044==    by 0x803D3B: mysql_prepare_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*, bool*) (sql_select.cc:1054)
==26044==  Uninitialised value was created by a heap allocation
==26044==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26044==    by 0xAA2918: my_malloc (my_malloc.c:38)
==26044==    by 0xA9C14A: alloc_root (my_alloc.c:224)
==26044==    by 0x899ED5: open_table_from_share(THD*, TABLE_SHARE*, char const*, unsigned int, unsigned int, unsigned int, TABLE*, bool) (table.cc:2168)
==26044==    by 0x763CB1: open_table(THD*, TABLE_LIST*, Open_table_context*) (sql_base.cc:3205)
==26044==    by 0x76635D: open_and_process_table(THD*, LEX*, TABLE_LIST*, unsigned int*, unsigned int, Prelocking_strategy*, bool, Open_table_context*) (sql_base.cc:4699)
==26044==    by 0x7672C9: open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) (sql_base.cc:5213)
==26044==    by 0x76843A: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5913)
==26044==    by 0x7DA78F: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5589)
==26044==    by 0x7D2E84: mysql_execute_command(THD*) (sql_parse.cc:2974)
==26044==    by 0x7DD136: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:6792)
==26044==    by 0x7CF6BE: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1434)

So it seems that the space is being allocated for the field x.d but never initialized. I'm not (yet) intimately familiar with this portion of the server so still have some debugging to do to figure out how to fix it.

Shuffling the statement around or selectively removing some elements will pass and return an error in some cases or continue crashing in others.

Revision history for this message

George Ormond Lorch III (gl-az) wrote on 2014-12-03:

#8

My bad, changing the x.d to x.a and it still crashes, but still from the backtrace, memory probing and valgrind trace I can see easily that a field exists but is uninitialized/had totally bogus data within it.

Revision history for this message

George Ormond Lorch III (gl-az) wrote on 2014-12-03:

#9

Reduced further to:
DROP DATABASE IF EXISTS test; CREATE DATABASE test; USE test; CREATE TABLE t1(a INT KEY,B TEXT)ENGINE=InnoDB; select * FROM t1 x,t1 y where (x.a,x.b) in ((5,0),(4,3));

I tried with a few variations of the in set and it seems any 2 or more combinations of (x.a, x.b) will crash.

Revision history for this message

George Ormond Lorch III (gl-az) wrote on 2014-12-03:

#10

Ruling out type conversions and eliminating alias...still happens with:
DROP DATABASE IF EXISTS test; CREATE DATABASE test; USE test; CREATE TABLE t1(a INT KEY,b INT)ENGINE=InnoDB; select * FROM t1 where (t1.a,t1.b) in ((5,0),(4,3));

Revision history for this message

Przemek (pmalkowski) wrote on 2014-12-03:

#11

I am able to trigger the crash with:
DROP table t1; CREATE TABLE t1(a INT KEY,b text) ENGINE=InnoDB; select * FROM t1 where (a,b) in ((0,0),(5,0),(4,3));
but not with:
DROP table t1;CREATE TABLE t1(a INT KEY,b int)ENGINE=InnoDB; select * FROM t1 where (a,b) in ((0,0),(5,0),(4,3));

Tested on MySQL Community 5.6.21. Error log:
Thread pointer: 0x2bebb90
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 7f7cc321de50 thread_stack 0x40000
/usr/sbin/mysqld(my_print_stacktrace+0x3b)[0x8efafb]
/usr/sbin/mysqld(handle_fatal_signal+0x491)[0x6841b1]
/lib64/libpthread.so.0[0x38e500f6d0]
/lib64/libc.so.6[0x38e494daf0]
/usr/sbin/mysqld(_ZN6String4copyERKS_+0x26)[0x743566]
/usr/sbin/mysqld(_ZN20cmp_item_sort_string11store_valueEP4Item+0x33)[0x5fed03]
/usr/sbin/mysqld(_ZN12cmp_item_row11store_valueEP4Item+0x7c)[0x5fa36c]
/usr/sbin/mysqld(_ZN12Item_func_in18fix_length_and_decEv+0x8b4)[0x5fade4]
/usr/sbin/mysqld(_ZN9Item_func10fix_fieldsEP3THDPP4Item+0x21d)[0x61801d]
/usr/sbin/mysqld(_ZN12Item_func_in10fix_fieldsEP3THDPP4Item+0x13)[0x5f0b73]
/usr/sbin/mysqld(_Z11setup_condsP3THDP10TABLE_LISTS2_PP4Item+0x10a)[0x6bd1ca]
/usr/sbin/mysqld(_ZN4JOIN7prepareEP10TABLE_LISTjP4ItemjP8st_orderS5_S3_P13st_select_lexP18st_select_lex_unit+0x51b)[0x71bd6b]
/usr/sbin/mysqld(_Z12mysql_selectP3THDP10TABLE_LISTjR4ListI4ItemEPS4_P10SQL_I_ListI8st_orderESB_S7_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x89e)[0x7254fe]
/usr/sbin/mysqld(_Z13handle_selectP3THDP13select_resultm+0x175)[0x725745]
/usr/sbin/mysqld[0x58cd70]
/usr/sbin/mysqld(_Z21mysql_execute_commandP3THD+0x34a4)[0x701d14]
/usr/sbin/mysqld(_Z11mysql_parseP3THDPcjP12Parser_state+0x3a8)[0x704fb8]
/usr/sbin/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcj+0xf90)[0x7066d0]
/usr/sbin/mysqld(_Z24do_handle_one_connectionP3THD+0x152)[0x6d48c2]
/usr/sbin/mysqld(handle_one_connection+0x40)[0x6d4980]
/usr/sbin/mysqld(pfs_spawn_thread+0x143)[0xb355e3]
/lib64/libpthread.so.0[0x38e5007ee5]
/lib64/libc.so.6(clone+0x6d)[0x38e48f4b8d]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (7f7c9c006cd0): select * FROM t1 where (a,b) in ((0,0),(5,0),(4,3))
Connection ID (thread ID): 1

I am able to trigger the crash with:
DROP table t1; CREATE TABLE t1(a INT KEY,b text) ENGINE=InnoDB; select * FROM t1 where (a,b) in ((0,0),(5,0),(4,3));
but not with:
DROP table t1;CREATE TABLE t1(a INT KEY,b int)ENGINE=InnoDB; select * FROM t1 where (a,b) in ((0,0),(5,0),(4,3));

Tested on MySQL Community 5.6.21. Error log:
Thread pointer: 0x2bebb90
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 7f7cc321de50 thread_stack 0x40000
/usr/sbin/mysqld(my_print_stacktrace+0x3b)[0x8efafb]
/usr/sbin/mysqld(handle_fatal_signal+0x491)[0x6841b1]
/lib64/libpthread.so.0[0x38e500f6d0]
/lib64/libc.so.6[0x38e494daf0]
/usr/sbin/mysqld(_ZN6String4copyERKS_+0x26)[0x743566]
/usr/sbin/mysqld(_ZN20cmp_item_sort_string11store_valueEP4Item+0x33)[0x5fed03]
/usr/sbin/mysqld(_ZN12cmp_item_row11store_valueEP4Item+0x7c)[0x5fa36c]
/usr/sbin/mysqld(_ZN12Item_func_in18fix_length_and_decEv+0x8b4)[0x5fade4]
/usr/sbin/mysqld(_ZN9Item_func10fix_fieldsEP3THDPP4Item+0x21d)[0x61801d]
/usr/sbin/mysqld(_ZN12Item_func_in10fix_fieldsEP3THDPP4Item+0x13)[0x5f0b73]
/usr/sbin/mysqld(_Z11setup_condsP3THDP10TABLE_LISTS2_PP4Item+0x10a)[0x6bd1ca]
/usr/sbin/mysqld(_ZN4JOIN7prepareEP10TABLE_LISTjP4ItemjP8st_orderS5_S3_P13st_select_lexP18st_select_lex_unit+0x51b)[0x71bd6b]
/usr/sbin/mysqld(_Z12mysql_selectP3THDP10TABLE_LISTjR4ListI4ItemEPS4_P10SQL_I_ListI8st_orderESB_S7_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x89e)[0x7254fe]
/usr/sbin/mysqld(_Z13handle_selectP3THDP13select_resultm+0x175)[0x725745]
/usr/sbin/mysqld[0x58cd70]
/usr/sbin/mysqld(_Z21mysql_execute_commandP3THD+0x34a4)[0x701d14]
/usr/sbin/mysqld(_Z11mysql_parseP3THDPcjP12Parser_state+0x3a8)[0x704fb8]
/usr/sbin/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcj+0xf90)[0x7066d0]
/usr/sbin/mysqld(_Z24do_handle_one_connectionP3THD+0x152)[0x6d48c2]
/usr/sbin/mysqld(handle_one_connection+0x40)[0x6d4980]
/usr/sbin/mysqld(pfs_spawn_thread+0x143)[0xb355e3]
/lib64/libpthread.so.0[0x38e5007ee5]
/lib64/libc.so.6(clone+0x6d)[0x38e48f4b8d]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (7f7c9c006cd0): select * FROM t1 where (a,b) in ((0,0),(5,0),(4,3))
Connection ID (thread ID): 1

Revision history for this message

George Ormond Lorch III (gl-az) wrote on 2014-12-03:

#13

Clarify, not crash, gets valgrind "Conditional jump or move depends on uninitialised value(s)". Only happens on a newly created, empty table or a truncated table. If you insert then delete rows to empty, doesn't happen and doesn't happen if there are any rows in the table.

Revision history for this message

George Ormond Lorch III (gl-az) wrote on 2014-12-05:

#14

Download full text (9.8 KiB)

Leaving this here in case anyone needs to pick this up while I am out next week...

So, during the select, something seems to not be properly parsing and setting up the item values for the JOIN comparison correctly...

With this simple query and a debug build:
DROP DATABASE IF EXISTS test; CREATE DATABASE test; USE test; CREATE TABLE t1(a INT KEY,b text) ENGINE=InnoDB; select * FROM t1 where (a,b) in ((0,0),(5,0),(4,3));

The crash is happening when an attempt is made to copy a string from a bogus memory address. That address lies within an Item_field->Field_blob and is copied into a String from within Field_blob::val_str. The thing is the Field_blob is bad and I'm still trying to figure out where that is getting set up from. The call stack where the bogus address is getting set on the object that is actually where the crash is on is:
#0 0x0000000000666350 in String::set (this=0x7fffa80058a0,
    str=0x7fffa8011b9000 <error: Cannot access memory at address 0x7fffa8011b9000>, arg_length=127,
    cs=0x16b76e0 <my_charset_latin1>) at /data/percona/ST-48128/5.6/sql/sql_string.h:258
#1 0x000000000091408f in Field_blob::val_str (this=0x7fffa8011c68, val_buffer=0x7fffa8006c90, val_ptr=0x7fffa80058a0)
    at /data/percona/ST-48128/5.6/sql/field.cc:7899
#2 0x00000000006520ce in Item_field::val_str (this=0x7fffa8005890, str=0x7fffa8006c90)
    at /data/percona/ST-48128/5.6/sql/item.cc:2676
#3 0x00000000006864de in cmp_item_sort_string::store_value (this=0x7fffa8006c28, item=0x7fffa8005890)
    at /data/percona/ST-48128/5.6/sql/item_cmpfunc.h:1166
#4 0x000000000067bef0 in cmp_item_row::store_value (this=0x7fffa8006b78, item=0x7fffa80059d0)
    at /data/percona/ST-48128/5.6/sql/item_cmpfunc.cc:4190
#5 0x000000000067d297 in Item_func_in::fix_length_and_dec (this=0x7fffa80061c0)
    at /data/percona/ST-48128/5.6/sql/item_cmpfunc.cc:4590
#6 0x000000000069ff2e in Item_func::fix_fields (this=0x7fffa80061c0, thd=0x209a950, ref=0x7fffa8006708)
    at /data/percona/ST-48128/5.6/sql/item_func.cc:231
#7 0x000000000067c6b9 in Item_func_in::fix_fields (this=0x7fffa80061c0, thd=0x209a950, ref=0x7fffa8006708)
    at /data/percona/ST-48128/5.6/sql/item_cmpfunc.cc:4362
#8 0x000000000076f8e3 in setup_conds (thd=0x209a950, tables=0x7fffa8005200, leaves=0x7fffa8005200, conds=0x7fffa8006708)
    at /data/percona/ST-48128/5.6/sql/sql_base.cc:9003
#9 0x00000000007fe8cc in setup_without_group (thd=0x209a950, ref_pointer_array=..., tables=0x7fffa8005200,
    leaves=0x7fffa8005200, fields=..., all_fields=..., conds=0x7fffa8006708, order=0x0, group=0x0,
    hidden_group_field_count=0x7fffa80065ec, hidden_order_field_count=0x7ffff04086c0)
    at /data/percona/ST-48128/5.6/sql/sql_resolver.cc:952
#10 0x00000000007fc1c1 in JOIN::prepare (this=0x7fffa80063c8, tables_init=0x7fffa8005200, wild_num=1, conds_init=0x7fffa80061c0,
    og_num=0, order_init=0x0, group_init=0x0, having_init=0x0, select_lex_arg=0x209d5b0, unit_arg=0x209cf68)
    at /data/percona/ST-48128/5.6/sql/sql_resolver.cc:177
#11 0x0000000000803d3c in mysql_prepare_select (thd=0x209a950, tables=0x7fffa8005200, wild_num=1, fields=...,
    conds=0x7fffa80061c0, og_num=0, order=0x0, group=0x0, having=0x0, select_o...

Leaving this here in case anyone needs to pick this up while I am out next week...

So, during the select, something seems to not be properly parsing and setting up the item values for the JOIN comparison correctly...

With this simple query and a debug build:
DROP DATABASE IF EXISTS test; CREATE DATABASE test; USE test; CREATE TABLE t1(a INT KEY,b text) ENGINE=InnoDB; select * FROM t1 where (a,b) in ((0,0),(5,0),(4,3));

The crash is happening when an attempt is made to copy a string from a bogus memory address. That address lies within an Item_field->Field_blob and is copied into a String from within Field_blob::val_str. The thing is the Field_blob is bad and I'm still trying to figure out where that is getting set up from. The call stack where the bogus address is getting set on the object that is actually where the crash is on is:
#0  0x0000000000666350 in String::set (this=0x7fffa80058a0,
    str=0x7fffa8011b9000 <error: Cannot access memory at address 0x7fffa8011b9000>, arg_length=127,
    cs=0x16b76e0 <my_charset_latin1>) at /data/percona/ST-48128/5.6/sql/sql_string.h:258
#1  0x000000000091408f in Field_blob::val_str (this=0x7fffa8011c68, val_buffer=0x7fffa8006c90, val_ptr=0x7fffa80058a0)
    at /data/percona/ST-48128/5.6/sql/field.cc:7899
#2  0x00000000006520ce in Item_field::val_str (this=0x7fffa8005890, str=0x7fffa8006c90)
    at /data/percona/ST-48128/5.6/sql/item.cc:2676
#3  0x00000000006864de in cmp_item_sort_string::store_value (this=0x7fffa8006c28, item=0x7fffa8005890)
    at /data/percona/ST-48128/5.6/sql/item_cmpfunc.h:1166
#4  0x000000000067bef0 in cmp_item_row::store_value (this=0x7fffa8006b78, item=0x7fffa80059d0)
    at /data/percona/ST-48128/5.6/sql/item_cmpfunc.cc:4190
#5  0x000000000067d297 in Item_func_in::fix_length_and_dec (this=0x7fffa80061c0)
    at /data/percona/ST-48128/5.6/sql/item_cmpfunc.cc:4590
#6  0x000000000069ff2e in Item_func::fix_fields (this=0x7fffa80061c0, thd=0x209a950, ref=0x7fffa8006708)
    at /data/percona/ST-48128/5.6/sql/item_func.cc:231
#7  0x000000000067c6b9 in Item_func_in::fix_fields (this=0x7fffa80061c0, thd=0x209a950, ref=0x7fffa8006708)
    at /data/percona/ST-48128/5.6/sql/item_cmpfunc.cc:4362
#8  0x000000000076f8e3 in setup_conds (thd=0x209a950, tables=0x7fffa8005200, leaves=0x7fffa8005200, conds=0x7fffa8006708)
    at /data/percona/ST-48128/5.6/sql/sql_base.cc:9003
#9  0x00000000007fe8cc in setup_without_group (thd=0x209a950, ref_pointer_array=..., tables=0x7fffa8005200,
    leaves=0x7fffa8005200, fields=..., all_fields=..., conds=0x7fffa8006708, order=0x0, group=0x0,
    hidden_group_field_count=0x7fffa80065ec, hidden_order_field_count=0x7ffff04086c0)
    at /data/percona/ST-48128/5.6/sql/sql_resolver.cc:952
#10 0x00000000007fc1c1 in JOIN::prepare (this=0x7fffa80063c8, tables_init=0x7fffa8005200, wild_num=1, conds_init=0x7fffa80061c0,
    og_num=0, order_init=0x0, group_init=0x0, having_init=0x0, select_lex_arg=0x209d5b0, unit_arg=0x209cf68)
    at /data/percona/ST-48128/5.6/sql/sql_resolver.cc:177
#11 0x0000000000803d3c in mysql_prepare_select (thd=0x209a950, tables=0x7fffa8005200, wild_num=1, fields=...,
    conds=0x7fffa80061c0, og_num=0, order=0x0, group=0x0, having=0x0, select_options=2147748608, result=0x7fffa80063a0,
    unit=0x209cf68, select_lex=0x209d5b0, free_join=0x7ffff040894b) at /data/percona/ST-48128/5.6/sql/sql_select.cc:1054
#12 0x0000000000803ff7 in mysql_select (thd=0x209a950, tables=0x7fffa8005200, wild_num=1, fields=..., conds=0x7fffa80061c0,
    order=0x209d778, group=0x209d6b0, having=0x0, select_options=2147748608, result=0x7fffa80063a0, unit=0x209cf68,
    select_lex=0x209d5b0) at /data/percona/ST-48128/5.6/sql/sql_select.cc:1177
#13 0x00000000008020ae in handle_select (thd=0x209a950, result=0x7fffa80063a0, setup_tables_done_option=0)
---Type <return> to continue, or q <return> to quit---
    at /data/percona/ST-48128/5.6/sql/sql_select.cc:110
#14 0x00000000007da906 in execute_sqlcom_select (thd=0x209a950, all_tables=0x7fffa8005200)
    at /data/percona/ST-48128/5.6/sql/sql_parse.cc:5616
#15 0x00000000007d2e85 in mysql_execute_command (thd=0x209a950) at /data/percona/ST-48128/5.6/sql/sql_parse.cc:2974
#16 0x00000000007dd137 in mysql_parse (thd=0x209a950,
    rawbuf=0x7fffa8004fd0 "select * FROM t1 where (a,b) in ((0,0),(5,0),(4,3))", length=51, parser_state=0x7ffff040a1d0)
    at /data/percona/ST-48128/5.6/sql/sql_parse.cc:6792
#17 0x00000000007cf6bf in dispatch_command (command=COM_QUERY, thd=0x209a950,
    packet=0x216ffb1 "select * FROM t1 where (a,b) in ((0,0),(5,0),(4,3))", packet_length=51)
    at /data/percona/ST-48128/5.6/sql/sql_parse.cc:1434
#18 0x00000000007ce615 in do_command (thd=0x209a950) at /data/percona/ST-48128/5.6/sql/sql_parse.cc:1051
#19 0x0000000000797fbe in do_handle_one_connection (thd_arg=0x209a950) at /data/percona/ST-48128/5.6/sql/sql_connect.cc:1532
#20 0x0000000000797ad5 in handle_one_connection (arg=0x209a950) at /data/percona/ST-48128/5.6/sql/sql_connect.cc:1443
#21 0x0000000000da9f7f in pfs_spawn_thread (arg=0x2112900) at /data/percona/ST-48128/5.6/storage/perfschema/pfs.cc:1860
#22 0x00007ffff757f182 in start_thread (arg=0x7ffff040b700) at pthread_create.c:312
#23 0x00007ffff6a8bfbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

The Field_blob in frame 1 at this point looks like:
(gdb) p *this
$148 = {
  <Field_longstr> = {
    <Field_str> = {
      <Field> = {
        _vptr.Field = 0x10351b0 <vtable for Field_blob+16>,
        ptr = 0x7fffa8011bb5 "\177",
        null_ptr = 0x7fffa8011bb0 "\220\033\001\250\377\177",
        table = 0x7fffa8010dd0,
        orig_table = 0x7fffa8010dd0,
        table_name = 0x7fffa8010ea8,
        field_name = 0x7fffa805c503 "b",
        comment = {
          str = 0xfcc3f0 "",
          length = 0
        },
        key_start = {
          map = 0
        },
        part_of_key = {
          map = 0
        },
        part_of_key_not_clustered = {
          map = 0
        },
        part_of_sortkey = {
          map = 0
        },
        unireg_check = Field::BLOB_FIELD,
        field_length = 65535,
        flags = 16,
        field_index = 1,
        null_bit = 1 '\001',
        is_created_from_null_item = false
      },
      members of Field_str:
      field_charset = 0x16b76e0 <my_charset_latin1>,
      field_derivation = DERIVATION_IMPLICIT
    }, <No data fields>},
  members of Field_blob:
  packlength = 2,
  value = {
    Ptr = 0x0,
    str_length = 0,
    Alloced_length = 0,
    alloced = false,
    str_charset = 0x1561360 <my_charset_bin>
  }
}
(gdb) x/64bx ptr
0x7fffa8011bb5: 0x7f    0x00    0x00    0x90    0x1b    0x01    0xa8    0xff
0x7fffa8011bbd: 0x7f    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7fffa8011bc5: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7fffa8011bcd: 0x00    0x00    0x00    0xe8    0x1b    0x01    0xa8    0xff
0x7fffa8011bd5: 0x7f    0x00    0x00    0x68    0x1c    0x01    0xa8    0xff
0x7fffa8011bdd: 0x7f    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7fffa8011be5: 0x00    0x00    0x00    0x50    0x90    0x03    0x01    0x00
0x7fffa8011bed: 0x00    0x00    0x00    0xb1    0x1b    0x01    0xa8    0xff

So as I understand the layout here, the first 2 bytes of ptr are supposed to be the number of bytes that contain the size of the blob. In this particular debugging session, most memory addresses are 0x007fffa8nnnn...curious that the first value is 7f...

Looking further at this dump of Field_blob::ptr, it looks like Field_blob::ptr is actualy not the correct value, it would make sense if it began one byte later, leaving the size at 0 and the address of the blob data at 0x7fffa8011b90 which looks like a somewhat valid address within this session, but instead it is calculating the address to be 0x7fffa8011b9000 which is completely out of range for this process.

A dump of the owning Item from frame 2:
(gdb) p * this
$152 = {
  <Item_ident> = {
    <Item> = {
      _vptr.Item = 0xefbe70 <vtable for Item_field+16>,
      is_expensive_cache = -1 '\377',
      rsize = 0,
      str_value = {
        Ptr = 0x7fffa8011b9000 <error: Cannot access memory at address 0x7fffa8011b9000>,
        str_length = 0,
        Alloced_length = 0,
        alloced = false,
        str_charset = 0x1561360 <my_charset_bin>
      },
      item_name = {
        <Name_string> = {
          <Simple_cstring> = {
            m_str = 0x7fffa8005888 "b",
            m_length = 1
          }, <No data fields>},
        members of Item_name_string:
        m_is_autogenerated = true
      },
      orig_name = {
        <Name_string> = {
          <Simple_cstring> = {
            m_str = 0x0,
            m_length = 0
          }, <No data fields>},
        members of Item_name_string:
        m_is_autogenerated = true
      },
      next = 0x7fffa8005780,
      max_length = 65535,
      marker = 0,
      decimals = 31 '\037',
      maybe_null = 1 '\001',
      null_value = 0 '\000',
      unsigned_flag = 0 '\000',
      with_sum_func = 0 '\000',
      fixed = 1 '\001',
      collation = {
        collation = 0x16b76e0 <my_charset_latin1>,
        derivation = DERIVATION_IMPLICIT,
        repertoire = 3
      },
      cmp_context = 4294967295,
      runtime_item = false,
      with_subselect = 0 '\000',
      with_stored_program = 0 '\000',
      tables_locked_cache = false
    },
    members of Item_ident:
    orig_db_name = 0x0,
    orig_table_name = 0x0,
    orig_field_name = 0x7fffa8005888 "b",
    context = 0x209d600,
    db_name = 0x7fffa805c470 "test",
    table_name = 0x7fffa80142a0 "t1",
    field_name = 0x7fffa805c503 "b",
    alias_name_used = false,
    cached_field_index = 1,
    cached_table = 0x7fffa8005200,
    depended_from = 0x0
  },
  members of Item_field:
  field = 0x7fffa8011c68,
  result_field = 0x7fffa8011c68,
  item_equal = 0x0,
  no_const_subst = false,
  have_privileges = 0,
  any_privileges = false
}

We need to figure out where the parsing and creation of this Field_blob is coming from and see if we can spot the error there.

Revision history for this message

George Ormond Lorch III (gl-az) wrote on 2014-12-05:

#15

OK, so this bogus value of ptr is getting set from table.cc:open_table_from_share during the call to move_field_offset:

2217 /* Setup copy of fields from share, but use the right alias and record */
2218 for (i=0 ; i < share->fields; i++, field_ptr++)
2219 {
2220 Field *new_field= share->field[i]->clone(&outparam->mem_root);
2221 *field_ptr= new_field;
2222 if (new_field == NULL)
2223 goto err;
2224 new_field->init(outparam);
2225 new_field->move_field_offset((my_ptrdiff_t) (outparam->record[0] -
2226 outparam->s->default_values));
2227 }

I don't know if this is valid or not but

(my_ptrdiff_t) (outparam->record[0] - outparam->s->default_values))

is calculating to

(gdb) p (my_ptrdiff_t)(outparam->record[0] - outparam->s->default_values)
$167 = -305392

which seems like a _really_ odd value to be moving an offset within a buffer.

Revision history for this message

Sergei Glushchenko (sergei.glushchenko) wrote on 2014-12-13:

#16

Offset is OK. It is not offset within the buffer. It is offest to add to pointer for it to into another buffer after clone (memcpy) done.

The real reason for the crash is that outparam->record[0] is not initialized. It usually initialized later in JOIN::exec when records read from table or in many across the code with read_record to fill it with default values. JOIN::exec is too late for given SELECT query, because JOIN::prepare needs Field_blob::is_null which in case needs default values to be in place.

Revision history for this message

Sergei Glushchenko (sergei.glushchenko) wrote on 2014-12-13:

#17

5.1 and 5.5 are not affected. The logic behind specific SELECT is different for these versions.

Laurynas Biveinis (laurynas-biveinis) on 2014-12-15

summary:

- EXPLAIN crashes server
+ A query on empty table with BLOBs crashes server

Laurynas Biveinis (laurynas-biveinis) on 2014-12-15

summary:

- A query on empty table with BLOBs crashes server
+ A query on empty table with BLOBs may crash server

Revision history for this message

Shahriyar Rzayev (rzayev-sehriyar) wrote on 2018-01-25:

#18

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-176

	Status	Importance	Assigned to	Milestone
MySQL Server	Unknown	Unknown	mysql-bugs #74644
Percona Server moved to https://jira.percona.com/projects/PS	Fix Released	High	Sergei Glushchenko	Percona Server moved to https://jira.percona.com/projects/PS 5.6.22-71.0
5.1	Invalid	Undecided	Unassigned
5.5	Invalid	Undecided	Unassigned
5.6	Fix Released	High	Sergei Glushchenko	Percona Server moved to https://jira.percona.com/projects/PS 5.6.22-71.0

Percona Server moved to https://jira.percona.com/projects/PS

A query on empty table with BLOBs may crash server

Bug Description

Related branches

Other bug subscribers

Bug attachments

Remote bug watches