Bug #15538 Bad SQL causes server crash
Submitted: 6 Dec 2005 19:56    Modified: 24 Jan 2006 21:51
Reporter: Christopher Brooks
Status: Closed
Category: MySQL Server    Severity: S1 (Critical)
Version: 5.0.16-nt/5.0.17 BK    OS: Windows (Windows 2003/Linux)
Assigned to: Evgeny Potemkin    CPU Architecture: Any

[6 Dec 2005 19:56] Christopher Brooks
Description:
In migrating from MySQL 4 to MySQL 5 we have encountered some stability problems.  For instance, the query given (entered through Query Browser) in MySQL 4.1.x gives the error:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LEFT JOIN summary_category_structure scs  ON scs.parentid = lc.childcategoryid
' at line 22"

In MySQL 5 the server process dies, the event viewer says:

Faulting application mysqld-nt.exe, version 0.0.0.0, faulting module mysqld-nt.exe, version 0.0.0.0, fault address 0x001168b2.

Followed by:

The application, C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe, generated an application error The error occurred on 12/06/2005 @ 13:51:57.125 The exception generated was c0000005 at address 005168B2 (mysqld_nt)

How to repeat:
See private comment for example query/data structure.
[7 Dec 2005 1:44] MySQL Verification Team
Thank you for the bug report.

051206 23:39:28 [Note] /home/miguel/dbs/5.0/libexec/mysqld: ready for connections.
Version: '5.0.17-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
[New Thread 1131862960 (LWP 5702)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1131862960 (LWP 5702)]
0x0823260d in st_table_list::is_leaf_for_name_resolution (this=0x0) at table.cc:2257
2257              !nested_join);
(gdb) bt full
#0  0x0823260d in st_table_list::is_leaf_for_name_resolution (this=0x0) at table.cc:2257
No locals.
#1  0x0823265f in st_table_list::first_leaf_for_name_resolution (this=0x0) at table.cc:2290
        cur_table_ref = (TABLE_LIST *) 0x0
        cur_nested_join = (NESTED_JOIN *) 0x861803a
        __PRETTY_FUNCTION__ = "TABLE_LIST* st_table_list::first_leaf_for_name_resolution()"
#2  0x081f990b in make_join_on_context (thd=0x8e555d0, left_op=0x0, right_op=0x8e9bb90) at sql_parse.cc:6617
        on_context = (Name_resolution_context *) 0x8e9bd30
#3  0x08213c73 in yyparse (yythd=0x8e555d0) at sql_yacc.yy:5229
        on_context = (Name_resolution_context *) 0x8e99820
        yystate = 3128
        yytoken = 337

<cut>

#7  0x082046b6 in handle_one_connection (arg=0x8e555d0) at sql_parse.cc:1155
        error = 0
        net = (NET *) 0x8e55dc0
        sctx = (Security_context *) 0x8e565a4
        thd = (class THD *) 0x8e555d0
        launch_time = 0
        set = {__val = {0 <repeats 32 times>}}
#8  0x40179297 in start_thread () from /lib/tls/libpthread.so.0
No symbol table info available.
#9  0x402b437e in clone () from /lib/tls/libc.so.6
[16 Dec 2005 21:14] Evgeny Potemkin
Bug can be reproduced by simpler query:
select * from (select * left join t1 on f1=f2) a;
[21 Dec 2005 20:31] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/338
[22 Dec 2005 11:02] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/359
[11 Jan 2006 20:38] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/937
[13 Jan 2006 13:29] Evgeny Potemkin
Absence of table in left part of LEFT/RIGHT join wasn't checked before
name resolution, which resulted in NULL dereferencing and server crash.

Fixed in 5.0.19, cset 1.1982.2.1
[16 Jan 2006 16:13] Evgeny Potemkin
Fixed in 5.1.6
[24 Jan 2006 21:51] Jon Stephens
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

Documented bugfix in 5.0.19 and 5.1.6 changelogs. Closed.
[31 Dec 2012 8:14] MySQL Verification Team
For the record/archives: this still crashes 5.0.96:

select * from ({xa select * from dual left outer join a on a on})a;

mysqld.exe!TABLE_LIST::is_leaf_for_name_resolution()[table.cc:2332]
mysqld.exe!TABLE_LIST::first_leaf_for_name_resolution()[table.cc:2367]
mysqld.exe!push_new_name_resolution_context()[sql_parse.cc:7254]
mysqld.exe!MYSQLparse()[sql_yacc.yy:6756]
mysqld.exe!mysql_parse()[sql_parse.cc:6460]
mysqld.exe!dispatch_command()[sql_parse.cc:1991]
mysqld.exe!do_command()[sql_parse.cc:1661]
mysqld.exe!handle_one_connection()[sql_parse.cc:1242]
mysqld.exe!pthread_start()[my_winthread.c:85]
mysqld.exe!_callthreadstart()[thread.c:293]
mysqld.exe!_threadstart()[thread.c:275]
kernel32.dll!BaseThreadInitThunk()
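The two crashing queries in this report (Evgeny Potemkin's simplified form in the 16 Dec 2005 comment and the variant in the 31 Dec 2012 comment) share the shape Evgeny describes in his 13 Jan 2006 comment: a LEFT/RIGHT JOIN whose left operand is absent. The Python below is an added example, not MySQL code and not the patch from this report. It is a tokenizer-based linter that flags that shape in SQL text before the statement reaches a server that still crashes on it; the function names (`unanchored_outer_joins`, `is_safe`) are mine. Treating DUAL as an absent left operand is my assumption about why the 2012 variant reaches the same code path; the page only shows that it crashes. The sample queries in the comments are the ones from this page plus constructed negative cases. It is a heuristic, not a SQL parser: it recognises the two shapes shown here and is not a general syntax check.

```python
"""Lint SQL text for LEFT/RIGHT JOINs that have no left operand.

Added example for MySQL bug #15538, not MySQL code. Flags an outer JOIN
that appears before any FROM clause at the same nesting level, or whose
only preceding table reference is DUAL (the DUAL rule is an assumption
about the 2012 variant, see the lead-in).
"""
import re
from typing import List, Tuple

TOKEN_RE = re.compile(
    r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<str>'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")
  | (?P<ident>`[^`]*`|[A-Za-z_][A-Za-z0-9_]*)
  | (?P<punct>[(){}.,;=<>!*+\-/%])
  | (?P<other>.)
    """,
    re.VERBOSE | re.DOTALL,
)

# Words that may follow FROM or JOIN without being a table reference.
NOT_A_TABLE = {
    "SELECT", "LEFT", "RIGHT", "INNER", "CROSS", "NATURAL", "STRAIGHT_JOIN",
    "JOIN", "ON", "USING", "WHERE", "AS", "OUTER",
    "DUAL",  # assumption: a placeholder, not a real left operand
}
# Keywords that end the table-reference part of a FROM clause.
ENDS_FROM = {"ON", "USING", "WHERE", "GROUP", "HAVING", "ORDER", "LIMIT", "UNION"}


class _Frame:
    """Per-nesting-level state: one frame per ( ... ) or { ... } block."""
    def __init__(self) -> None:
        self.from_seen = False      # a FROM was seen at this level
        self.tables = 0             # table refs counted since that FROM
        self.expect_table = False   # next identifier would be a table ref


def tokenize(sql: str) -> List[Tuple[str, str]]:
    """Split SQL into (kind, text) tokens, dropping whitespace and comments."""
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(sql)
            if m.lastgroup not in ("ws", "comment")]


def unanchored_outer_joins(sql: str) -> List[Tuple[int, str]]:
    """Return (token_index, 'LEFT'|'RIGHT') for every outer JOIN whose
    left side holds no table reference at the same nesting level."""
    findings: List[Tuple[int, str]] = []
    stack = [_Frame()]
    pending = None  # LEFT/RIGHT seen, JOIN not yet seen
    for i, (kind, text) in enumerate(tokenize(sql)):
        frame = stack[-1]
        if kind != "ident":
            pending = None
            if kind == "punct":
                if text in "({":
                    stack.append(_Frame())
                elif text in ")}" and len(stack) > 1:
                    stack.pop()
                    parent = stack[-1]
                    if parent.expect_table:   # derived table counts as a ref
                        parent.tables += 1
                elif text == ",":
                    frame.expect_table = frame.from_seen
            continue
        word = text.upper()
        if word == "JOIN":
            if pending and (not frame.from_seen or frame.tables == 0):
                findings.append((i, pending))
            pending = None
            frame.expect_table = True          # right operand follows
        elif word in ("LEFT", "RIGHT"):
            pending = word
        elif word == "OUTER":
            pass                               # LEFT OUTER JOIN / RIGHT OUTER JOIN
        else:
            pending = None
            if word == "FROM":
                frame.from_seen, frame.tables, frame.expect_table = True, 0, True
            elif word in ENDS_FROM:
                frame.expect_table = False
            elif frame.expect_table and word not in NOT_A_TABLE:
                frame.tables += 1


    return findings


def is_safe(sql: str) -> bool:
    """True when the statement contains no unanchored outer JOIN."""
    return not unanchored_outer_joins(sql)


if __name__ == "__main__":
    # Constructed driver: the two queries from this report, then a normal join.
    for q in ("select * from (select * left join t1 on f1=f2) a;",
              "select * from ({xa select * from dual left outer join a on a on})a;",
              "select * from t1 left join t2 on t1.id = t2.id"):
        print(is_safe(q), unanchored_outer_joins(q), q)
```

Run it against a query log or put it in front of a connection pool that still talks to an affected 5.0 server; a hit means the statement should be rejected rather than forwarded. The frame stack is what keeps a legitimate outer join in an enclosing query from masking a missing left operand inside a derived table, which is exactly where both queries on this page hide it.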