MySQL Bugs: #26661: SELECT with UNION kills the daemon

Bug #26661	SELECT with UNION kills the daemon
Submitted:	27 Feb 2007 3:24	Modified:	15 Mar 2007 2:58
Reporter:	NOT_FOUND NOT_FOUND	Email Updates:
Status:	Closed	Impact on me:	None
Category:	MySQL Server: Optimizer	Severity:	S1 (Critical)
Version:	5.0.38BK, 5.1.17BK, 5.2.4BK	OS:	Linux (RHEL 4, win xp)
Assigned to:	Igor Babaev	CPU Architecture:	Any
Tags:	2013, crash, UNION

Description:
A SELECT over a subquery with a wrong UNION statement crashes the daemon.

How to repeat:
SELECT User FROM
(
	SELECT * FROM mysql.user

UNION

	SELECT * FROM mysql.user

ORDER BY unknown_column
) AS test;

just run the above. You'll get the error message 2013 Lost connection to  MySQL server during query

My first thought, in RHEL 4, was that it only was showing the wrong message but when I tried it in my win XP box it simply crashed the service.

5.0.38, 5.1.17 and 5.2.4 crashed. 4.1.23 didn't.

mysqld-nt.exe!Item_field::fix_outer_field()  + 0x7f bytes	C++
mysqld-nt.exe!Item_field::fix_fields()  + 0x148 bytes	C++
mysqld-nt.exe!join_read_always_key_or_null()  + 0x682 bytes	C++
mysqld-nt.exe!setup_order()  + 0x37 bytes	C++
mysqld-nt.exe!setup_without_group()  + 0x87 bytes	C++
mysqld-nt.exe!JOIN::prepare()  + 0x1c1 bytes	C++
mysqld-nt.exe!mysql_select()  + 0xc6 bytes	C++
mysqld-nt.exe!st_select_lex_unit::exec()  + 0x551 bytes	C++
mysqld-nt.exe!mysql_derived_filling()  + 0x46 bytes	C++
mysqld-nt.exe!mysql_handle_derived()  + 0x4d bytes	C++
mysqld-nt.exe!open_and_lock_tables()  + 0xb4 bytes	C++
mysqld-nt.exe!mysql_execute_command()  + 0x2e2 bytes	C++

5.0.38 stack

Attachment: bug26661_5.0.38_stack.txt (text/plain), 3.62 KiB.

5.1.17 stack

Attachment: bug26661_5.1.17_stack.txt (text/plain), 2.71 KiB.

5.2.4 stack

Attachment: bug26661_5.2.4_stack.txt (text/plain), 2.97 KiB.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/21240

ChangeSet@1.2432, 2007-03-06 18:45:57+02:00, gkodinov@magare.gmz +4 -0
  Bug #26661: The optimizer uses a special 
  "fake" st_select_lex as a current select
  when resolving ORDER BY and LIMIT for a
  UNION (sub)query. This temporary structure
  doesn't have Item_subselect descendant so
  it cannot resolve the fields in ORDER BY
  correctly.
  Fixed by making a dummy subquery class
  to resolve items in ORDER BY of the UNION and
  remove it right after so it doesn't interfere
  with the rest of the subquery code.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/21558

ChangeSet@1.2433, 2007-03-09 01:12:08-08:00, igor@olga.mysql.com +3 -0
  Fixed bug #26661: crash when order by clause in a union
  construct references invalid name.
  Derived tables currently cannot use outer references.
  Thus there is no outer context for them.
  The 4.1 code takes this fact into account while the 
  Item_field::fix_outer_field code of 5.0 lost the check that blocks
  any attempts to resolve names in outer context for derived tables.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/21567

ChangeSet@1.2433, 2007-03-09 01:45:32-08:00, igor@olga.mysql.com +3 -0
  Fixed bug #26661: crash when order by clause in a union
  construct references invalid name.
  Derived tables currently cannot use outer references.
  Thus there is no outer context for them.
  The 4.1 code takes this fact into account while the 
  Item_field::fix_outer_field code of 5.0 lost the check that blocks
  any attempts to resolve names in outer context for derived tables.

Pushed to 5.0.38, 5.1.17

Noted in 5.0.38, 5.1.17 changelogs.

Use of a subquery containing a UNION with an invalid ORDER BY clause
caused a server crash.