Bug #31155 gis types in union'd select cause crash
Submitted: 23 Sep 2007 13:05
Modified: 30 Oct 2007 23:53
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Data Types
Severity: S2 (Serious)
Version: 5.0.48, 5.1.23-debug
OS: Any
Assigned to: Alexey Botchkov
CPU Architecture: Any
Tags: crash, gis, UNION

[23 Sep 2007 13:05] Shane Bester
Description:
Version: '5.1.23-beta-debug'  socket: '/tmp/mysql.sock'  port: 3306  yes
070923 14:41:24 - mysqld got signal 11;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8388572
read_buffer_size=131072
max_used_connections=1
max_threads=151
threads_connected=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 337620 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0x87bc4a0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
Cannot determine thread, fp=0x40ca8e4c, backtrace may not be correct.
Stack range sanity check OK, backtrace follows:
0x820111b handle_segfault + 541
0x8154072 Item_field::set_field(Field*) + 38
0x8153c5e Item_field::Item_field(Field*) + 106
0x816e044 Item_sum::result_item(Field*) + 36
0x815f58a Item_type_holder::Item_type_holder(THD*, Item*) + 296
0x8354f9e st_select_lex_unit::prepare(THD*, select_result*, unsigned long) + 1248
0x83546c6 mysql_union(THD*, st_lex*, select_result*, st_select_lex_unit*, unsigned long) + 102
0x825c27a handle_select(THD*, st_lex*, select_result*, unsigned long) + 170
0x8215af4 execute_sqlcom_select(THD*, TABLE_LIST*) + 772
0x820e7d5 mysql_execute_command(THD*) + 1701
0x8217550 mysql_parse(THD*, char const*, unsigned int, char const**) + 372
0x820cc00 dispatch_command(enum_server_command, THD*, char*, unsigned int) + 2354
0x820c2c2 do_command(THD*) + 600
0x820acbd handle_one_connection + 255
0x40038aa7 _end + 931807543
0x4017ec2e _end + 933143230
New value of fp=(nil) failed sanity check, terminating stack trace!
Please read http://dev.mysql.com/doc/refman/5.1/en/resolve-stack-dump.html
and follow instructions on how to resolve the stack trace.
Resolved stack trace is much more helpful in diagnosing the
problem, so please do resolve it
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0x87ec230 = select min(`col002`) from t1 union select `col002` from t1
thd->thread_id=1

How to repeat:
drop table if exists t1;
create table `t1` (`col002` point)engine=myisam;
insert into t1 values (),(),();
select min(`col002`) from t1 union select `col002` from t1;

Suggested fix:
This might be related to bug #31144 "crash when subquery within order by/group by clause returns spatial datatype". If it's a duplicate, sorry.

Spatial datatypes need a serious code review it seems.
[4 Oct 2007 8:08] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/34871

ChangeSet@1.2544, 2007-10-04 12:01:28+05:00, holyfoot@mysql.com +4 -0
  Bug #31155 gis types in union'd select cause crash.
  
  We use the get_geometry_type() call to decide the exact type
  of a geometry field to be created (POINT, POLYGON, etc.),
  though this function was only implemented for a few items.
  In the bug's case we need to call this function for the
  Item_sum instance, where it was not implemented, which is
  the reason for the crash.
  Fixed by implementing virtual Item::get_geometry_type(),
  so it can be called for any Item.
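
The pattern the changeset describes, shown as an added C++ example that is not taken from the MySQL patch: asking only known subclasses for the geometry type versus a virtual call on the base class. FieldItem, MinItem, type_by_downcast and type_by_virtual are hypothetical names, and having the aggregate forward to its argument is an assumption of this example.

```cpp
// Added illustration. All class and function names here are hypothetical
// stand-ins, not MySQL source.
#include <cstdio>

enum GeomType { GEOM_GEOMETRY, GEOM_POINT, GEOM_POLYGON };

struct Item {
    virtual ~Item() {}
    // Fix shape: every item can be asked; the default is the generic type.
    virtual GeomType get_geometry_type() const { return GEOM_GEOMETRY; }
};

struct FieldItem : Item {   // stands in for a column reference
    GeomType type;
    explicit FieldItem(GeomType t) : type(t) {}
    GeomType get_geometry_type() const override { return type; }
};

struct MinItem : Item {     // stands in for an aggregate such as MIN(col)
    const Item *arg;
    explicit MinItem(const Item *a) : arg(a) {}
    // Assumption of this example: the aggregate reports its argument's type.
    GeomType get_geometry_type() const override { return arg->get_geometry_type(); }
};

// Pre-fix shape: the caller can only ask the subclasses it knows about.
// A checked cast is used so the unhandled case is reported, not dereferenced.
bool type_by_downcast(const Item *it, GeomType *out) {
    if (const FieldItem *f = dynamic_cast<const FieldItem *>(it)) {
        *out = f->type;
        return true;
    }
    return false;           // aggregate or other item: no answer available
}

// Post-fix shape: one virtual call that is valid for any Item.
GeomType type_by_virtual(const Item *it) { return it->get_geometry_type(); }

int main() {
    FieldItem col(GEOM_POINT);   // constructed sample: a POINT column
    MinItem agg(&col);           // MIN(col), the first SELECT of the UNION
    GeomType t = GEOM_GEOMETRY;
    std::printf("downcast handles column:    %d\n", type_by_downcast(&col, &t));
    std::printf("downcast handles aggregate: %d\n", type_by_downcast(&agg, &t));
    std::printf("virtual on aggregate is POINT: %d\n", type_by_virtual(&agg) == GEOM_POINT);
    return 0;
}
```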
[4 Oct 2007 10:47] Alexander Barkov
The patch http://lists.mysql.com/commits/34871 is ok to push.
[29 Oct 2007 8:43] Bugs System
Pushed into 5.0.52
[29 Oct 2007 8:47] Bugs System
Pushed into 5.1.23-beta
[29 Oct 2007 8:51] Bugs System
Pushed into 6.0.4-alpha
[30 Oct 2007 23:53] Paul DuBois
Noted in 5.0.52, 5.1.23, 6.0.4 changelogs.

Selecting spatial types in a UNION could cause a server crash.
[20 Nov 2007 13:09] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38130

ChangeSet@1.2573, 2007-11-20 17:04:24+04:00, holyfoot@mysql.com +2 -0
  test case added for the bug #31155
[14 Dec 2007 8:15] Bugs System
Pushed into 5.0.54
[14 Dec 2007 8:19] Bugs System
Pushed into 5.1.23-rc
[14 Dec 2007 8:22] Bugs System
Pushed into 6.0.5-alpha