Bug #20076 Crash if grouping a ucs2 column
Submitted: 25 May 2006 19:19 Modified: 6 Jul 2006 22:25
Reporter: Peter Gulutzan Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Charsets Severity:S1 (Critical)
Version:5.0.23-debug/4.1BK/5.0BK/5.1BK OS:Linux (SUSE 10.0)
Assigned to: Igor Babaev CPU Architecture:Any

[25 May 2006 19:19] Peter Gulutzan 
Description:
I create a table with character set = ucs2 and collation = ucs2_unicode_ci.
I insert 2 rows.
I select, using "group by", trying to collate with collation = ucs2_bin..
Crash.

How to repeat:
mysql> create table tj (s1 char(5) character set ucs2 collate ucs2_unicode_ci);
Query OK, 0 rows affected (0.01 sec)

mysql> insert into tj values ('ZZZZZ'),('ZZZZZ');
Query OK, 2 rows affected (0.00 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql> select min(s1) from tj group by s1 collate ucs2_bin;
ERROR 2013 (HY000): Lost connection to MySQL server during query
[25 May 2006 22:15] MySQL Verification Team 
Thank you for the bug report.

miguel@hegel:~/dbs/5.0> bin/mysqladmin -uroot create db1
miguel@hegel:~/dbs/5.0> bin/mysql -uroot db1
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.23-debug

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create table tj (s1 char(5) character set ucs2 collate ucs2_unicode_ci);
Query OK, 0 rows affected (0.00 sec)

mysql> insert into tj values ('ZZZZZ'),('ZZZZZ');
Query OK, 2 rows affected (0.00 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql> select min(s1) from tj group by s1 collate ucs2_bin;
ERROR 2013 (HY000): Lost connection to MySQL server during query

060525 19:11:28 [Note] /home/miguel/dbs/5.0/libexec/mysqld: ready for connections.
Version: '5.0.23-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
[New Thread 1131862960 (LWP 2636)]
[Thread 1131862960 (zombie) exited]
[New Thread 1131862960 (LWP 2638)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1131862960 (LWP 2638)]
0x081e51a1 in String::strip_sp (this=0x8e91388) at sql_string.cc:409
409        while (str_length && my_isspace(str_charset,Ptr[str_length-1]))
(gdb) bt full
#0  0x081e51a1 in String::strip_sp (this=0x8e91388) at sql_string.cc:409
No locals.
#1  0x0816e3cb in Item_sum_hybrid::min_max_update_str_field (this=0x8e91438) at item_sum.cc:2105
        res_str = (String *) 0x8e91388
#2  0x0816e4d5 in Item_sum_hybrid::update_field (this=0x8e91438) at item_sum.cc:2084
No locals.
<cut>

--------------------------------------------------------------------------------
miguel@hegel:~/dbs/4.1> bin/mysql -uroot test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.19-debug

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create table tj (s1 char(5) character set ucs2 collate ucs2_unicode_ci);
Query OK, 0 rows affected (0.11 sec)

mysql> insert into tj values ('ZZZZZ'),('ZZZZZ');
Query OK, 2 rows affected (0.00 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql> select min(s1) from tj group by s1 collate ucs2_bin;
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> 

-----------------------------------------------------------------------------------
miguel@hegel:~/dbs/5.1> bin/mysql -uroot test
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.1.12-beta-debug

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>  create table tj (s1 char(5) character set ucs2 collate ucs2_unicode_ci);
Query OK, 0 rows affected (0.05 sec)

mysql> insert into tj values ('ZZZZZ'),('ZZZZZ');
Query OK, 2 rows affected (0.01 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql> select min(s1) from tj group by s1 collate ucs2_bin;
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
[22 Jun 2006 22:50] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/8110
[5 Jul 2006 18:10] Evgeny Potemkin 
Server crashed in some cases when a query required a MIN/MAX
aggregation for a 'ucs2' field. 
In these cases  the aggregation caused calls of the function
update_tmptable_sum_func that indirectly invoked 
the method Item_sum_hybrid::min_max_update_str_field() 
containing a call to strip_sp for a ucs2 character set.
The latter led directly to the crash as it used my_isspace
undefined for the ucs2 character set.
Actually the call of strip_sp is not needed at all in this
situation and has been removed by the fix.

Fixed in 4.1.21, 5.0.24, 5.1.12
[6 Jul 2006 22:25] Paul DuBois 
Noted in 4.1.21, 5.0.24, 5.1.12 changelogs.

Use of MIN() or MAX() with GROUP BY on a ucs2 column could cause a 
server crash.
[13 Jul 2006 3:36] Paul DuBois 
5.0.x fix went to 5.0.25 instead.