Description:
I got server crashes on my system (Linux, 32-bit, gcc 4.1, compile-pentium-debug-max build) when trying the following testcase from bug #27643 on a recent 5.0 BK clone:

mysql> CREATE TABLE test_table_is_full( test_col1 varchar(32) character set utf8 collate utf8_bin NOT NULL, test_col2 varchar(32) character set utf8 collate utf8_bin NOT NULL ) ENGINE=MyISAM DEFAULT CHARSET=utf8;

mysql> INSERT INTO test_table_is_full values ('AAAAAAAAAA','AAAAAAAAAA'), ('AAAAAAAAAB ','AAAAAAAAAB '), ('AAAAAAAAAB','AAAAAAAAAB'), ('AAAAAAAAAC','AAAAAAAAAC'), ('AAAAAAAAAD','AAAAAAAAAD'), ('AAAAAAAAAE','AAAAAAAAAE'), ('AAAAAAAAAF','AAAAAAAAAF'), ('AAAAAAAAAG','AAAAAAAAAG'), ('AAAAAAAAAH','AAAAAAAAAH'), ('AAAAAAAAAI','AAAAAAAAAI'), ('AAAAAAAAAJ','AAAAAAAAAJ'), ('AAAAAAAAAK','AAAAAAAAAK'); 

mysql> set tmp_table_size=1024; SELECT MAX( test_col1 ) FROM test_table_is_full GROUP BY test_col1,test_col2;

Query OK, 0 rows affected (0.05 sec)

ERROR 2013 (HY000): Lost connection to MySQL server during query

Backtrace:

(gdb) bt
#0  0x085b5e83 in free_root (root=0xb516c0c8, MyFlags=0) at my_alloc.c:355
#1  0x082b2a81 in free_tmp_table (thd=0x8d92ca8, entry=0x8dc7e90) at sql_select.cc:10025
#2  0x082b8497 in JOIN::destroy (this=0x8dcc5e8) at sql_select.cc:2084
#3  0x083cd155 in st_select_lex::cleanup (this=0x8d93c40) at sql_union.cc:736
#4  0x082c9a22 in mysql_select (thd=0x8d92ca8, rref_pointer_array=0x8d93d64, tables=0x8dcc1d0, wild_num=0, fields=@0x8d93cd4, conds=0x0, og_num=2,
    order=0x0, group=0x8dcc450, having=0x0, proc_param=0x0, select_options=2156153344, result=0x8dcc5d8, unit=0x8d93a08, select_lex=0x8d93c40)
    at sql_select.cc:2233
#5  0x082cdf1c in handle_select (thd=0x8d92ca8, lex=0x8d939a4, result=0x8dcc5d8, setup_tables_done_option=0) at sql_select.cc:255
#6  0x082627bd in mysql_execute_command (thd=0x8d92ca8) at sql_parse.cc:2651
#7  0x0826b2f3 in mysql_parse (thd=0x8d92ca8, inBuf=0x8dcbeb8 "SELECT MAX( test_col1 ) FROM test_table_is_full GROUP BY test_col1,test_col2",
    length=76) at sql_parse.cc:6018
#8  0x0826dc3c in dispatch_command (command=COM_QUERY, thd=0x8d92ca8,
    packet=0x8dc3e59 "SELECT MAX( test_col1 ) FROM test_table_is_full GROUP BY test_col1,test_col2", packet_length=77) at sql_parse.cc:1802
#9  0x0826f42b in do_command (thd=0x8d92ca8) at sql_parse.cc:1581
#10 0x08270734 in handle_one_connection (arg=0x8d92ca8) at sql_parse.cc:1193
#11 0xb7f5c31b in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#12 0xb7e7957e in clone () from /lib/tls/i686/cmov/libc.so.6

Note that the crash does not happen when a fix for bug #27643 is applied. However, since bug #27643 is not about crash, and I suspect that the fix for it just hides the crash problem, I'm reporting this separately.

How to repeat:
CREATE TABLE test_table_is_full( test_col1 varchar(32) character set utf8 collate utf8_bin NOT NULL, test_col2 varchar(32) character set utf8 collate utf8_bin NOT NULL ) ENGINE=MyISAM DEFAULT CHARSET=utf8;

INSERT INTO test_table_is_full values ('AAAAAAAAAA','AAAAAAAAAA'), ('AAAAAAAAAB ','AAAAAAAAAB '), ('AAAAAAAAAB','AAAAAAAAAB'), ('AAAAAAAAAC','AAAAAAAAAC'), ('AAAAAAAAAD','AAAAAAAAAD'), ('AAAAAAAAAE','AAAAAAAAAE'), ('AAAAAAAAAF','AAAAAAAAAF'), ('AAAAAAAAAG','AAAAAAAAAG'), ('AAAAAAAAAH','AAAAAAAAAH'), ('AAAAAAAAAI','AAAAAAAAAI'), ('AAAAAAAAAJ','AAAAAAAAAJ'), ('AAAAAAAAAK','AAAAAAAAAK');

set tmp_table_size=1024; SELECT MAX( test_col1 ) FROM test_table_is_full GROUP BY test_col1,test_col2;

Suggested fix:
The reason for crash has to be investigated.

Verified on debug build using this testcase:

set session tmp_table_size=1024;
set session max_heap_table_size=16384;
drop table if exists test_table_is_full;
CREATE TABLE test_table_is_full(
test_col1 varchar(32) character set utf8 collate utf8_bin NOT NULL,
test_col2 varchar(32) character set utf8 collate utf8_bin NOT NULL )
ENGINE=MyISAM DEFAULT CHARSET=utf8;

INSERT INTO test_table_is_full values
('AAAAAAAAAA','AAAAAAAAAA'),
('AAAAAAAAAB ','AAAAAAAAAB '),
('AAAAAAAAAB','AAAAAAAAAB'),
('AAAAAAAAAC','AAAAAAAAAC'),
('AAAAAAAAAD','AAAAAAAAAD'),
('AAAAAAAAAE','AAAAAAAAAE'),
('AAAAAAAAAF','AAAAAAAAAF'),
('AAAAAAAAAG','AAAAAAAAAG'),
('AAAAAAAAAH','AAAAAAAAAH'),
('AAAAAAAAAI','AAAAAAAAAI'),
('AAAAAAAAAJ','AAAAAAAAAJ'),
('AAAAAAAAAK','AAAAAAAAAK');

SELECT MAX( test_col1 ) FROM test_table_is_full GROUP BY test_col1,test_col2,null;

On windows 5.0.42BK and 5.1.19BK, debug build crashed.

5.1.19 release build corrupted memory, and caused a 100% cpu hang. After KILLing
the hung thread, and reconnecting, the server then crashed due to the memory being corrupted.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/28263

ChangeSet@1.2518, 2007-06-07 00:53:34-07:00, igor@olga.mysql.com +3 -0
  Fixed bug #28449: a crash may happen at some rare conditions when
  a temporary table has grown out of heap memory reserved for it and 
  the remaining disk space is not big enough to store the table as
  a MyISAM table.
  
  The crash happens because the function create_myisam_from_heap
  does not handle safely the mem_root structure associated 
  with the converted table in the case when an error has occurred.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/28265

ChangeSet@1.2518, 2007-06-07 00:59:08-07:00, igor@olga.mysql.com +4 -0
  Fixed bug #28449: a crash may happen at some rare conditions when
  a temporary table has grown out of heap memory reserved for it and 
  the remaining disk space is not big enough to store the table as
  a MyISAM table.
  
  The crash happens because the function create_myisam_from_heap
  does not handle safely the mem_root structure associated 
  with the converted table in the case when an error has occurred.

Pushed into 5.0.44

Pushed into 5.1.20-beta

Noted in 5.0.44, 5.1.20 changelogs.