| Bug #27079 | Crash while grouping empty ucs2 strings | ||
|---|---|---|---|
| Submitted: | 13 Mar 2007 12:16 | Modified: | 4 Apr 2007 5:38 |
| Reporter: | [ name withheld ] | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Charsets | Severity: | S2 (Serious) |
| Version: | 4.1.22/5.0/5.1BK | OS: | Linux (Linux) |
| Assigned to: | Alexander Barkov | CPU Architecture: | Any |
| Tags: | crash, ucs2, Unicode | ||
[13 Mar 2007 13:17]
MySQL Verification Team
Testing 4.1 source tree:
/home/miguel/dbs/4.1/libexec/mysqld: ready for connections.
Version: '4.1.23-debug' socket: '/tmp/mysql.sock' port: 3306 Source distribution
[New Thread -1309127776 (LWP 10040)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1309127776 (LWP 10040)]
my_uca_scanner_next_ucs2 (scanner=0xb1f835c4) at ctype-uca.c:6823
6823 scanner->page= (unsigned char)scanner->sbeg[0];
Current language: auto; currently c
(gdb) bt full
#0 my_uca_scanner_next_ucs2 (scanner=0xb1f835c4) at ctype-uca.c:6823
ucaw = (uint16 **) 0x86a7428
ucal = (uchar *) 0x86a7828 "\004\004\003\004\003\003\003\003"
#1 0x084af545 in my_hash_sort_uca (cs=0x866b900, scanner_handler=0x866c7ac, s=0x0, slen=0,
n1=0xb1f83654, n2=0xb1f83650) at ctype-uca.c:7171
s_res = 140949760
scanner = {wbeg = 0x868ebdc, sbeg = 0x0, send = 0xfffffffe <Address 0xfffffffe out of bounds>,
uca_length = 0x86a7828 "\004\004\003\004\003\003\003\003", uca_weight = 0x86a7428, contractions = 0x0,
implicit = {13876, 45560}, page = 0, code = 1, cs = 0xb1f83630}
#2 0x084af8aa in my_hash_sort_ucs2_uca (cs=0x866b900, s=0x0, slen=0, n1=0xb1f83654, n2=0xb1f83650)
at ctype-uca.c:8000
No locals.
[13 Mar 2007 13:38]
MySQL Verification Team
Thank you for the bug report. 5.0 and 5.1 are also affected by this bug.
[26 Mar 2007 9:56]
Alexander Barkov
A simplified test demonstrating the same problem:
mysql> CREATE TABLE `t1` (
-> `c1` text character set ucs2 collate ucs2_polish_ci NOT NULL
-> ) ENGINE=MyISAM DEFAULT CHARSET=latin2;
Query OK, 0 rows affected (0.01 sec)
mysql> insert into t1 values (''),('a');
Query OK, 2 rows affected (0.00 sec)
Records: 2 Duplicates: 0 Warnings: 0
mysql> SELECT COUNT(*), c1 FROM t1 GROUP BY c1;
ERROR 2013 (HY000): Lost connection to MySQL server during query
[27 Mar 2007 7:23]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/22978
[29 Mar 2007 7:09]
Alexander Barkov
pushed into 5.0.38
pushed into 5.1.17
[31 Mar 2007 23:53]
Bugs System
Pushed into 5.0.40
[31 Mar 2007 23:55]
Bugs System
Pushed into 5.1.18-beta
[3 Apr 2007 22:35]
Paul DuBois
Noted in 5.0.40, 5.1.18 changelogs. GROUP BY on a ucs2 column caused a server crash when there was at least one empty string in the column. Will this be fixed in 4.1.x?
[4 Apr 2007 5:38]
Paul DuBois
No fix for 4.1.x. Closing report.

Description:
MySQL 4.1.21 and 4.1.22 crash while performing a GROUP BY on a ucs2 typed column when there is at least one empty string in the column.

Backtrace (from gdb):
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1244797872 (LWP 28213)]
my_uca_scanner_next_ucs2 (scanner=0x4a320df0) at ctype-uca.c:6823
6823 scanner->page= (unsigned char)scanner->sbeg[0];
Current language: auto; currently c
(gdb) bt
#0 my_uca_scanner_next_ucs2 (scanner=0x4a320df0) at ctype-uca.c:6823
#1 0x0838538c in my_hash_sort_uca (cs=0x85089a0, scanner_handler=0x85086c0, s=0x0, slen=0, n1=0x4a320e84, n2=0x4a320e88) at ctype-uca.c:7171
#2 0x083862c6 in my_hash_sort_ucs2_uca (cs=0xffffffff, s=0xffffffff <Address 0xffffffff out of bounds>, slen=4294967295, n1=0xffffffff, n2=0xffffffff) at ctype-uca.c:8000
#3 0x083383dc in mi_unique_hash (def=0x858ba60, record=0x8554868 "\001") at mi_unique.c:115
#4 0x08335d77 in mi_write (info=0x858bbe0, record=0x8554868 "\001") at mi_write.c:89
#5 0x0817bf80 in end_unique_update (join=0x85859f8, join_tab=0x85867dc) at sql_select.cc:7105
#6 0x0817a431 in sub_select (join=0x85859f8, join_tab=0x8586698, end_of_records=false) at sql_select.cc:6221
#7 0x08179f90 in do_select (join=0x85859f8, fields=0x1, table=0x858b080, procedure=0xffffffff) at sql_select.cc:6105
#8 0x0816ecf5 in JOIN::exec (this=0x85859f8) at sql_select.cc:1258
#9 0x0816fec2 in mysql_select (thd=0x854e028, rref_pointer_array=0x854e240, tables=0x85858e0, wild_num=0, fields=@0xffffffff, conds=0x0, og_num=1, order=0x0, group=0x85859b8, having=0x0, proc_param=0x0, select_options=0, result=0x85859e8, unit=0x854e070, select_lex=0x854e150) at sql_select.cc:1716
#10 0x0816c86f in handle_select (thd=0x854e028, lex=0x854e064, result=0x85859e8) at sql_select.cc:181
#11 0x08146abc in mysql_execute_command (thd=0x854e028) at sql_parse.cc:2133
#12 0x0814c01d in mysql_parse (thd=0x854e028, inBuf=0x85856e0 "SELECT COUNT( * ) AS `xxxx` , `o_nas` FROM `test` GROUP BY `o_nas`", length=139780196) at sql_parse.cc:4374
#13 0x08145667 in dispatch_command (command=COM_QUERY, thd=0x854e028, packet=0x857d6b1 "SELECT COUNT( * ) AS `xxxx` , `o_nas` FROM `test` GROUP BY `o_nas`", packet_length=67) at sql_parse.cc:1530
#14 0x08145316 in do_command (thd=0x854e028) at sql_parse.cc:1331
#15 0x08144afb in handle_one_connection (arg=0x854e028) at sql_parse.cc:1063
#16 0x4003fb63 in start_thread () from /lib/tls/libpthread.so.0
#17 0x4024918a in clone () from /lib/tls/libc.so.6

How to repeat:
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `test`
--

DROP TABLE IF EXISTS `test`;
CREATE TABLE `test` (
  `id` int(11) NOT NULL auto_increment,
  `kod` text character set ucs2 collate ucs2_polish_ci NOT NULL,
  `email` varchar(100) character set ucs2 collate ucs2_polish_ci NOT NULL default '',
  `o_nas` text character set ucs2 collate ucs2_polish_ci NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=4 DEFAULT CHARSET=latin2;

--
-- Dumping data for table `test`
--

LOCK TABLES `test` WRITE;
/*!40000 ALTER TABLE `test` DISABLE KEYS */;
INSERT INTO `test` VALUES (1,'','',''),(2,'a','b','c');
/*!40000 ALTER TABLE `test` ENABLE KEYS */;
UNLOCK TABLES;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

SELECT COUNT( * ) AS `xxxx` , `o_nas` FROM `test` GROUP BY `o_nas`;
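The practical exposure here is a denial of service: any account that can run a GROUP BY over a ucs2 column holding an empty string can take the server down, and the 4.1 line never received the fix. The following is an editor's added example, not part of the report or of MySQL's own test suite, for finding which tables on a server could reach this code path before deciding whether to upgrade or restrict access. It assumes information_schema is available (MySQL 5.0 and later; on 4.1 the same inventory has to be done with SHOW CREATE TABLE), and it treats every ucs2 collation other than ucs2_general_ci and ucs2_bin as UCA-based, which is an assumption drawn from the backtrace (the crash is inside my_hash_sort_ucs2_uca) rather than something the report states.

```sql
-- Added example (editor's, not from the bug report or MySQL).
-- Purpose: inventory columns that can reach the my_hash_sort_ucs2_uca
-- code path shown in the backtrace, without running a GROUP BY on a
-- server that may still be affected.

-- 1. Which server line is this? The fix shipped in 5.0.40 and 5.1.18;
--    no 4.1.x release was fixed, so any 4.1 server is assumed affected.
SELECT VERSION() AS server_version;

-- 2. Every ucs2 column on the server, with its collation.
--    Assumption (from the _uca frames in the backtrace): collations other
--    than ucs2_general_ci and ucs2_bin are UCA-based and are the ones that
--    use my_hash_sort_ucs2_uca. The others are still listed so nothing is
--    silently skipped; a reviewer can decide what to do with them.
SELECT
    c.table_schema,
    c.table_name,
    c.column_name,
    c.column_type,
    c.collation_name,
    CASE
        WHEN c.collation_name IN ('ucs2_general_ci', 'ucs2_bin') THEN 'no'
        ELSE 'yes'
    END AS uca_collation,
    CASE
        WHEN c.is_nullable = 'NO' AND c.column_default = '' THEN 'empty string default'
        ELSE ''
    END AS note
FROM information_schema.columns AS c
WHERE c.character_set_name = 'ucs2'
  AND c.table_schema NOT IN ('mysql', 'information_schema')
ORDER BY c.table_schema, c.table_name, c.column_name;

-- 3. Which of those tables are MyISAM, the engine in the report's repro.
--    The crash frame mi_unique_hash is MyISAM code, reached here via the
--    temporary table GROUP BY builds, so this is informational only:
--    the base table's engine does not by itself make a GROUP BY safe.
SELECT t.table_schema, t.table_name, t.engine
FROM information_schema.tables AS t
WHERE EXISTS (
    SELECT 1
    FROM information_schema.columns AS c
    WHERE c.table_schema = t.table_schema
      AND c.table_name   = t.table_name
      AND c.character_set_name = 'ucs2'
)
ORDER BY t.table_schema, t.table_name;
```

Run the inventory as a privileged account against the production server; reproduce the crash itself only against a throwaway instance, using the simplified two-row table from the comment thread above, since a successful reproduction is a server restart.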