Bug #32103 optimizer crash when join on int and mediumint with variable in where clause.
Submitted: 5 Nov 2007 11:28    Modified: 19 Nov 2007 4:36
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Optimizer    Severity: S1 (Critical)
Version: 4.1.22, 5.0.50, 5.1.23    OS: Any
Assigned to: Alexey Kopytov    CPU Architecture: Any
Tags: crash

[5 Nov 2007 11:28] Shane Bester
Description:
mysqld.exe!my_strtoll10
mysqld.exe!Item_int::Item_int
mysqld.exe!Item_uint::Item_uint
mysqld.exe!Item_uint::clone_item
mysqld.exe!change_cond_ref_to_const
mysqld.exe!change_cond_ref_to_const
mysqld.exe!propagate_cond_constants
mysqld.exe!propagate_cond_constants
mysqld.exe!optimize_cond
mysqld.exe!JOIN::optimize
mysqld.exe!mysql_select
mysqld.exe!handle_select
mysqld.exe!execute_sqlcom_select
mysqld.exe!mysql_execute_command
mysqld.exe!mysql_parse
mysqld.exe!dispatch_command
mysqld.exe!do_command
mysqld.exe!handle_one_connection
mysqld.exe!pthread_start
mysqld.exe!_callthreadstart
mysqld.exe!_threadstart
kernel32.dll!BaseThreadStart

How to repeat:
drop table if exists `t1`;
drop table if exists `t2`;
create table `t1` (`col000` mediumint)engine=myisam;
create table `t2` (`col000` int)engine=myisam;
select * from `t1` join `t2` on `t1`.`col000`=`t2`.`col000` where (`t1`.`col000` <=> @@global.query_cache_min_res_unit);
[5 Nov 2007 11:46] MySQL Verification Team
Any numeric global variable appears to cause a crash.
[7 Nov 2007 15:45] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/37267

ChangeSet@1.2686, 2007-11-07 18:45:04+03:00, kaa@polly.(none) +3 -0
  Fix for bug #32103: optimizer crash when join on int and mediumint with
  variable in where clause.
  
  Problem: the new_item() method of Item_uint used an incorrect
  constructor. "new Item_uint(name, max_length)" calls
  Item_uint::Item_uint(const char *str_arg, uint length) which assumes the
  first argument to be the string representation of the value, not the
  item's name. This could result in either a server crash or incorrect
  results depending on usage scenarios.
  
  Fixed by using the correct constructor in new_item():
  Item_uint::Item_uint(const char *str_arg, longlong i, uint length).
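The constructor mix-up described in the commit message, shown as an added illustration that is not MySQL's Item_uint: the struct below is a stand-in that only mirrors the two constructor signatures quoted above. The class, field and function names (UIntItem, clone_buggy, clone_fixed, propagated_value, parse_failed), the assumption that item names are string literals, and the sample values (4096 for the variable, a null name for an unnamed item) are all assumptions made for the example.

```cpp
#include <cstdio>
#include <cstdlib>

// Added illustration, not MySQL's code: a stripped-down stand-in for the two
// Item_uint constructors named in the commit message. Names are assumed to be
// string literals (static lifetime), so a raw pointer is safe here.
struct UIntItem {
    const char *name;            // display name, may be null for unnamed items
    unsigned long long value;    // the constant's numeric value
    unsigned max_length;         // display width, mirrors Item::max_length
    bool parse_failed;           // true when overload A could not parse its text

    // Overload A, modelled on Item_uint(const char *str_arg, uint length):
    // str_arg is the DIGITS of the literal, and the value is parsed from it.
    UIntItem(const char *str_arg, unsigned len)
        : name(str_arg), value(0), max_length(len), parse_failed(false) {
        // In the server this text goes straight to my_strtoll10 (the top
        // frame of the reported stack); a null pointer there is the crash,
        // so this stand-in records it instead of dereferencing it.
        if (str_arg == nullptr) { parse_failed = true; return; }
        char *end = nullptr;
        value = std::strtoull(str_arg, &end, 10);
        if (end == str_arg || *end != '\0') parse_failed = true;
    }

    // Overload B, modelled on Item_uint(const char *str_arg, longlong i,
    // uint length): the value is supplied explicitly and str_arg is only the
    // item's name.
    UIntItem(const char *name_arg, unsigned long long i, unsigned len)
        : name(name_arg), value(i), max_length(len), parse_failed(false) {}

    // The defect: new_item() passed (name, max_length), which resolves to
    // overload A, so the NAME is parsed as if it were the digits.
    UIntItem clone_buggy() const { return UIntItem(name, max_length); }

    // The fix: pass (name, value, max_length) so overload B is chosen and the
    // value survives the clone untouched.
    UIntItem clone_fixed() const { return UIntItem(name, value, max_length); }
};

// Models what constant propagation does for "t1.col000 <=> <const>": the
// column reference is replaced by a clone of the constant item. Returns the
// value the rewritten condition would actually compare against.
unsigned long long propagated_value(const UIntItem &constant, bool use_fix) {
    UIntItem replacement = use_fix ? constant.clone_fixed()
                                   : constant.clone_buggy();
    return replacement.value;
}

int main() {
    // Constructed inputs. A system-variable item carries the variable's name
    // and its value; a plain integer literal's name is its own digits.
    UIntItem sysvar("@@global.query_cache_min_res_unit", 4096ULL, 21);
    UIntItem literal("4096", 4096ULL, 4);
    UIntItem unnamed(nullptr, 7ULL, 1);

    std::printf("sysvar  buggy=%llu fixed=%llu\n",
                propagated_value(sysvar, false), propagated_value(sysvar, true));
    std::printf("literal buggy=%llu fixed=%llu\n",
                propagated_value(literal, false), propagated_value(literal, true));
    std::printf("unnamed buggy parse_failed=%d (null text reaches the parser)\n",
                unnamed.clone_buggy().parse_failed ? 1 : 0);
    return 0;
}
```

Running this shows why the symptom depended on the usage scenario: for an integer literal the name and the digits coincide, so the wrong overload happens to reproduce the right value, while for a system variable the name parses to 0 (wrong results) and for an unnamed item the parser is handed a null pointer (the crash in my_strtoll10). The fixed clone path yields the original value in every case.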
[16 Nov 2007 9:28] Bugs System
Pushed into 4.1.24
[16 Nov 2007 9:30] Bugs System
Pushed into 5.0.52
[16 Nov 2007 9:32] Bugs System
Pushed into 5.1.23-rc
[16 Nov 2007 9:34] Bugs System
Pushed into 6.0.4-alpha
[19 Nov 2007 4:36] Paul DuBois
Noted in 4.1.24, 5.0.52, 5.1.23, 6.0.4 changelogs.

The server crashed on optimizations involving a join of INT
and MEDIUMINT columns and a system variable in the WHERE
clause.