| Bug #32403 | query causes a crash due to stack and memory corruptions | ||
|---|---|---|---|
| Submitted: | 15 Nov 2007 9:26 | Modified: | 14 Jan 21:23 |
| Reporter: | Shane Bester | ||
| Status: | Closed | ||
| Category: | Server: Optimizer | Severity: | S1 (Critical) |
| Version: | 5.0.50 | OS: | Any |
| Assigned to: | Gleb Shchepa | Target Version: | |
| Tags: | bfsm_2007_12_06 | ||
[15 Nov 2007 9:26]
Shane Bester
[22 Nov 2007 22:31]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
  http://lists.mysql.com/commits/38313
  ChangeSet@1.2571, 2007-11-23 01:38:38+04:00, gshchepa@gleb.loc +1 -0
  Fixed bug #32403: query causes a crash due to stack and memory corruptions.
  Various pointer fields of the SEL_ARG structure were not initialized in several constructors; sometimes that led to memory corruptions and server crashes.
[27 Nov 2007 15:51]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
  http://lists.mysql.com/commits/38630
  ChangeSet@1.2571, 2007-11-27 19:01:38+04:00, gshchepa@gleb.loc +1 -0
  Fixed bug #32403: query causes a crash due to stack and memory corruptions.
  The right pointer field of the SEL_ARG structure was not initialized in the constructor and sometimes that led to server crashes.
[27 Nov 2007 16:11]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
  http://lists.mysql.com/commits/38632
  ChangeSet@1.2571, 2007-11-27 19:14:48+04:00, gshchepa@gleb.loc +1 -0
  Fixed bug #32403: query causes a crash due to stack and memory corruptions.
  The right pointer field of the SEL_ARG structure was not initialized in the constructor and sometimes that led to server crashes.
  There is no testcase because the bug occurs only when uninitialized memory has particular values, which can't be re-created in the test suite.
[14 Dec 2007 9:14]
Bugs System
Pushed into 5.0.54
[14 Dec 2007 9:17]
Bugs System
Pushed into 5.1.23-rc
[14 Dec 2007 9:20]
Bugs System
Pushed into 6.0.5-alpha
[14 Jan 21:23]
Jon Stephens
Documented in the 5.0.54, 5.1.23, and 6.0.5 changelogs as follows:
Repeated execution of a query containing a CASE expression and numerous AND and OR relations could crash the server. The root cause of the issue was determined to be that the internal SEL_ARG structure was not properly initialized when created.
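The failure mode named in the commit messages above (a pointer field left unset at construction, harmful only for certain leftover memory values) can be modelled with fully defined behaviour. This is an added example, not MySQL's code: `Node`, `Pool`, `POISON` and the `make_node_*` helpers are hypothetical, and init functions over a recycling pool stand in for constructors over reused memory. Poisoning on allocation is the debug check that makes the value-dependent fault deterministic.

```cpp
// Hypothetical stand-in for a range-tree node; not MySQL's SEL_ARG definition.
struct Node { int lo, hi; Node *left, *right; };
static Node poison_marker;                      // its address marks "never written"
static Node *const POISON = &poison_marker;

// Recycling pool (assumed allocator): a released slot comes back with its old contents.
struct Pool {
    Node slots[4] = {};
    bool used[4] = {};
    bool poison_on_alloc = false;               // debug mode
    Node *alloc() {
        for (int i = 0; i < 4; ++i) {
            if (used[i]) continue;
            used[i] = true;
            if (poison_on_alloc) slots[i].left = slots[i].right = POISON;
            return &slots[i];
        }
        return nullptr;                         // pool exhausted
    }
    void release(Node *n) { used[n - slots] = false; }
};
// "Before": sets left but never writes right.
Node *make_node_buggy(Pool &p, int lo, int hi) {
    Node *n = p.alloc();
    if (n) { n->lo = lo; n->hi = hi; n->left = nullptr; }
    return n;
}
// "After": every pointer field gets a defined value.
Node *make_node_fixed(Pool &p, int lo, int hi) {
    Node *n = p.alloc();
    if (n) { n->lo = lo; n->hi = hi; n->left = n->right = nullptr; }
    return n;
}
// Debug check: a pointer field still equal to POISON was never initialized.
bool fully_initialized(const Node *n) { return n->left != POISON && n->right != POISON; }

// True when a recycled slot still carries the previous occupant's right pointer.
bool stale_pointer_survives(bool use_fixed) {
    Pool p;
    Node *child = make_node_fixed(p, 0, 1), *old = make_node_fixed(p, 2, 3);
    old->right = child;
    p.release(old);
    Node *fresh = use_fixed ? make_node_fixed(p, 4, 5) : make_node_buggy(p, 4, 5);
    return fresh->right == child;
}
// True when poisoning flags the node on first use, with no stale data needed.
bool poison_flags(bool use_fixed) {
    Pool p; p.poison_on_alloc = true;
    Node *n = use_fixed ? make_node_fixed(p, 0, 1) : make_node_buggy(p, 0, 1);
    return !fully_initialized(n);
}
int main() { return stale_pointer_survives(false) && poison_flags(false) ? 0 : 1; }
```

On a fresh, zeroed pool the buggy initializer happens to leave `right` null, which is why a fault of this kind can pass an ordinary test run.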
