Bug #24261 | crash when WHERE contains NOT IN ('<negative value>') for unsigned column type | ||
---|---|---|---|
Submitted: | 13 Nov 2006 14:04 | Modified: | 1 Feb 2007 7:00 |
Reporter: | d di (Basic Quality Contributor) | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server | Severity: | S1 (Critical) |
Version: | 5.0.27,5.0BK | OS: | Any (*) |
Assigned to: | Alexey Kopytov | CPU Architecture: | Any |
Tags: | 00481E82, 5.0.27, access violation, av, c0000005, crash, gpf |
[13 Nov 2006 14:04]
d di
[13 Nov 2006 15:35]
MySQL Verification Team
Hi David, according to .map file, this function in opt_range.cpp crashed because next_arg was NULL.

```cpp
SEL_ARG *SEL_ARG::last()
{
  SEL_ARG *next_arg=this;
  if (!next_arg->right)
    return 0;                                   // MAYBE_KEY
  while (next_arg->right != &null_element)
    next_arg=next_arg->right;
  return next_arg;
}
```

So, it could be a single query causing a crash. Would you enable general query log (add "log=general_query.log" to my.ini) for those 10 mins and catch the offending query?
[13 Nov 2006 17:08]
MySQL Verification Team
Thanks, please upload output of:

```sql
show create table `log`;
show table status like 'log';
check table `log`;
```
[13 Nov 2006 18:12]
MySQL Verification Team
I have repeated a crash, but used 5.0.26 on linux. Assigning to myself to make proper standalone testcase.

```
0x817adf8 handle_segfault + 356
0x82156b1 _Z16get_func_mm_treeP13st_qsel_paramP9Item_funcP5FieldP4Item11Item_resultb + 617
0x82138d9 _Z21get_full_func_mm_treeP13st_qsel_paramP9Item_funcP10Item_fieldP4Itemb + 389
0x8211d82 _Z11get_mm_treeP13st_qsel_paramP4Item + 658
0x820bc3b _ZN10SQL_SELECT17test_quick_selectEP3THD6BitmapILj64EEyyb + 1283
0x81e6e37 _Z12mysql_deleteP3THDP13st_table_listP4ItemP11st_sql_listyyb + 1319
0x8190919 _Z21mysql_execute_commandP3THD + 4465
0x8196a02 _Z11mysql_parseP3THDPcj + 306
0x818e2a6 _Z16dispatch_command19enum_server_commandP3THDPcj + 1182
0x818ddcd _Z10do_commandP3THD + 129
0x818d4c4 handle_one_connection + 620
0x40041aa7 _end + 933731511
0x40176c2e _end + 934997566
```
[13 Nov 2006 18:29]
MySQL Verification Team
--------------
testcase:
--------------

```sql
drop table if exists `t1`;
create table `t1` (`c1` tinyint(3) unsigned,KEY (`c1`)) ENGINE=MyISAM;
DELETE FROM `t1` WHERE NOT (c1 IN ('-1', '0'));
```
[13 Nov 2006 18:36]
MySQL Verification Team
debug info from 5.0.27_debug
Attachment: 5.0.27_debug.txt (plain/text, text), 2.89 KiB.
[13 Nov 2006 18:53]
MySQL Verification Team
crashes:

```sql
DELETE FROM `t1` WHERE NOT (c1 IN ('-1', '0'));
```

doesn't crash:

```sql
DELETE FROM `t1` WHERE NOT (c1 IN (-1, 0));
```

so it appears to be single quotes causing a problem.
[13 Nov 2006 18:54]
Timothy Smith
Perhaps bug #19618 was not completely fixed.
[27 Nov 2006 16:13]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/15858

ChangeSet@1.2334, 2006-11-27 19:12:10+03:00, kaa@polly.local +3 -0

Fix for bug #24261 "crash when WHERE contains NOT IN ('<negative value>') for unsigned column type"

When calculating a SEL_TREE for the "c_{i-1} < X < c_i" interval, check if the tree returned for the "-inf < X < c_0" interval is NULL
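
The check described in the commit message above, as an added example that is not MySQL source and not part of the original report: a simplified model of building the NOT IN ranges where the first "-inf < X < c_0" range can come back NULL. `SelArg`, `make_range` and `not_in_ranges` are hypothetical names, and returning NULL for a negative bound on an unsigned column is an assumption of the model.

```cpp
#include <climits>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

struct SelArg {                        // one key range; ranges chain via `right`
    long lo, hi;
    std::unique_ptr<SelArg> right;
    SelArg *last() {                   // modelled on the SEL_ARG::last() walk
        SelArg *a = this;
        while (a->right) a = a->right.get();
        return a;
    }
};

// Assumption: the builder yields no tree (NULL) when the upper bound cannot be
// stored in the column, e.g. '-1' compared against an unsigned column.
std::unique_ptr<SelArg> make_range(long lo, long hi, bool col_unsigned) {
    if (col_unsigned && hi < 0) return nullptr;
    return std::unique_ptr<SelArg>(new SelArg{lo, hi, nullptr});
}

// Ranges for "X NOT IN (c[0], ..., c[n-1])" with c sorted ascending:
// (-inf, c0), (c0, c1), ..., (c[n-1], +inf). Returns the number of ranges,
// or -1 meaning "no range tree, the caller must not use range access".
int not_in_ranges(const std::vector<long> &c, bool col_unsigned) {
    if (c.empty()) return -1;
    std::unique_ptr<SelArg> tree = make_range(LONG_MIN, c[0], col_unsigned);
    // The NULL check the fix describes: without it, tree->last() in the loop
    // below is called on a NULL pointer and the process crashes.
    if (!tree) return -1;
    for (std::size_t i = 1; i <= c.size(); i++) {
        SelArg *tail = tree->last();
        long hi = (i < c.size()) ? c[i] : LONG_MAX;
        tail->right = make_range(tail->hi, hi, col_unsigned);
        if (!tail->right) return -1;   // same guard for every later range
    }
    int n = 0;
    for (SelArg *a = tree.get(); a; a = a->right.get()) n++;
    return n;
}

int main() {
    // Constructed inputs mirroring the testcase: NOT IN ('-1', '0').
    std::printf("unsigned: %d\n", not_in_ranges({-1, 0}, true));
    std::printf("signed:   %d\n", not_in_ranges({-1, 0}, false));
    return 0;
}
```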
[31 Jan 2007 19:17]
Chad MILLER
Available in 5.0.36, 5.1.15-beta.
[1 Feb 2007 1:09]
Jon Stephens
Successfully resisted urge to document as "Travelling to Denmark, issuing NET START MYSQL, and drinking a cup of coffee caused the server to crash". :)
[1 Feb 2007 1:10]
Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release. If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at http://dev.mysql.com/doc/en/installing-source.html Documented bugfix in 5.0.36 and 5.1.15 changelogs.