Bug #34747 crash in debug assertion check after derived table
Submitted: 21 Feb 2008 20:12 Modified: 10 Apr 2008 13:48
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category:MySQL Server: General Severity:S2 (Serious)
Version:5.0.56-debug, 5.1.23-debug OS:Any
Assigned to: Georgi Kodinov CPU Architecture:Any
Tags: group_concat

[21 Feb 2008 20:12] Shane Bester
Description:
See the how-to-repeat section.

mysqld.exe!end_io_cache
mysqld.exe!close_cached_file
mysqld.exe!Unique::~Unique
mysqld.exe!Unique::`scalar deleting destructor'
mysqld.exe!Item_func_group_concat::cleanup
mysqld.exe!Item::delete_self
mysqld.exe!Query_arena::free_items
mysqld.exe!THD::cleanup_after_query
mysqld.exe!mysql_parse
mysqld.exe!dispatch_command
mysqld.exe!do_command
mysqld.exe!handle_one_connection
mysqld.exe!pthread_start
mysqld.exe!_callthreadstart
mysqld.exe!_threadstart
kernel32.dll!FlsSetValue

The crash is caused by the assertion accessing wrong pointers:

DBUG_ASSERT(!info->share || !info->share->total_threads);

info->share is an invalid pointer, 0x8f8f8f8f or something similar.

How to repeat:
Build a debug binary. Run this:

drop table if exists `t1`;
create table `t1`(`a` int) engine=myisam;
insert into `t1` values (),();
select `s1`.`d1` from
(
 select 
  `t1`.`a` as `d1`,
  group_concat(distinct `t1`.`a`) as `d2`
 from
  t1 as `t1`,
  t1 as `t2`
 group by 1
) as `s1`;

The query might return, but the server may have crashed afterwards.
Run under valgrind if in doubt.
[21 Feb 2008 20:29] MySQL Verification Team
Thank you for the bug report.

>	mysqld-debug.exe!end_io_cache(st_io_cache * info=0x01749cd8)  Line 1812 + 0xf	C
 	mysqld-debug.exe!close_cached_file(st_io_cache * cache=0x01749cd8)  Line 105 + 0x9	C
 	mysqld-debug.exe!Unique::~Unique()  Line 316 + 0xc	C++
 	mysqld-debug.exe!Unique::`scalar deleting destructor'()  + 0x16	C++
 	mysqld-debug.exe!Item_func_group_concat::cleanup()  Line 3154 + 0x31	C++
 	mysqld-debug.exe!Item::delete_self()  Line 981 + 0xd	C++
 	mysqld-debug.exe!Query_arena::free_items()  Line 2201	C++
 	mysqld-debug.exe!THD::cleanup_after_query()  Line 1077	C++
 	mysqld-debug.exe!mysql_parse(THD * thd=0x016fb340, const char * inBuf=0x0174bda0, unsigned int length=149, const char * * found_semicolon=0x0381fd00)  Line 5643	C++
 	mysqld-debug.exe!dispatch_command(enum_server_command command=COM_QUERY, THD * thd=0x016fb340, char * packet=0x01743cf1, unsigned int packet_length=149)  Line 1121 + 0x1e	C++
 	mysqld-debug.exe!do_command(THD * thd=0x016fb340)  Line 781 + 0x1b	C++
 	mysqld-debug.exe!handle_one_connection(void * arg=0x016fb340)  Line 1120 + 0x9	C++
 	mysqld-debug.exe!pthread_start(void * param=0x016fefe0)  Line 85 + 0x9	C
 	mysqld-debug.exe!_threadstart(void * ptd=0x016fcc88)  Line 196 + 0xd	C
 	kernel32.dll!7c80b683()
[28 Feb 2008 11:32] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/43135

ChangeSet@1.2589, 2008-02-28 13:31:19+02:00, gkodinov@magare.gmz +3 -0
  Bug #34747: crash in debug assertion check after derived table
  
  Was a double-free of the Unique member of Item_func_group_concat.
  This was not causing a crash because the Unique is a descendant of
  Sql_alloc.
  Fixed to free the Unique only if it was allocated for the instance 
  of Item_func_group_concat it was referenced from
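The commit message above describes a double free of a helper object shared between an aggregate item and its copy, made silent by arena allocation. The following is an added illustration of that bug class and of the ownership-flag fix; it is not MySQL source code. The type and member names (UniqueLike, GroupConcatItem, cleanup_buggy, cleanup_fixed, the `original` back-pointer) are hypothetical stand-ins for the real Unique and Item_func_group_concat, and the resource being released is modelled by a counter rather than an IO_CACHE.

```cpp
#include <cstddef>

// Added illustration, not MySQL code. Names below are hypothetical stand-ins.

struct Stats {
    int closes = 0;     // how many times the shared helper was released
};

// Stand-in for Unique: holds a resource (in MySQL, an IO_CACHE temp file) that
// must be released exactly once. Memory comes from an arena (like Sql_alloc on a
// MEM_ROOT), so a duplicate release does not fault inside the allocator; it only
// re-runs the teardown on stale state, which is what the DBUG_ASSERT in
// end_io_cache caught in the debug build.
struct UniqueLike {
    Stats* stats;
    bool released = false;
    void release() {
        ++stats->closes;   // in MySQL: close_cached_file(&file) running a second time
        released = true;
    }
};

// Stand-in for Item_func_group_concat. The copy constructor used when the
// optimizer materialises a derived table shares the helper pointer with the
// original item instead of allocating a fresh one.
struct GroupConcatItem {
    UniqueLike* unique_filter;
    const GroupConcatItem* original;   // null for the item that allocated the helper

    explicit GroupConcatItem(UniqueLike* u) : unique_filter(u), original(nullptr) {}
    GroupConcatItem(const GroupConcatItem& src)
        : unique_filter(src.unique_filter), original(&src) {}

    // Buggy cleanup: every item frees the helper, so the copy frees it again.
    // Nulling our own pointer does not help; the other item still holds it.
    void cleanup_buggy() {
        if (unique_filter) {
            unique_filter->release();
            unique_filter = nullptr;
        }
    }

    // Fixed cleanup: only the item that allocated the helper frees it.
    void cleanup_fixed() {
        if (!original && unique_filter) {
            unique_filter->release();
            unique_filter = nullptr;
        }
    }
};

// Simulates query teardown (Query_arena::free_items walking every item):
// cleanup runs on both the copy and the original.
int closes_with_buggy_cleanup() {
    Stats st;
    UniqueLike u{&st};
    GroupConcatItem item(&u);
    GroupConcatItem copy(item);
    copy.cleanup_buggy();
    item.cleanup_buggy();
    return st.closes;   // 2: the helper was released twice
}

int closes_with_fixed_cleanup() {
    Stats st;
    UniqueLike u{&st};
    GroupConcatItem item(&u);
    GroupConcatItem copy(item);
    copy.cleanup_fixed();
    item.cleanup_fixed();
    return st.closes;   // 1: only the owner released it
}
```

The point to carry over when reviewing similar code: a copy constructor that shallow-copies a raw owning pointer must also record who owns it, or the destructor/cleanup path will run twice. Arena allocators hide the second free from malloc-level checkers, so a debug assertion or valgrind on the resource being torn down (here the cached file) is often the only thing that flags it.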
[13 Mar 2008 19:27] Bugs System
Pushed into 6.0.5-alpha
[13 Mar 2008 19:34] Bugs System
Pushed into 5.1.24-rc
[13 Mar 2008 19:42] Bugs System
Pushed into 5.0.60
[2 Apr 2008 20:14] Jon Stephens
Pushed into 5.1.23-ndb-6.3.11.
[10 Apr 2008 13:48] Paul DuBois
Noted in 5.0.60, 5.1.24, 5.1.24-ndb-6.3.13, 6.0.5 changelogs.

A memory-handling error associated with use of GROUP_CONCAT() in
subqueries could result in a server crash.