Bug #11414 Crash on Windows with a simple group by query
Submitted: 17 Jun 2005 13:05 Modified: 25 Jul 2005 20:04
Reporter: Igor Babaev
Status: Closed
Category: MySQL Server: Optimizer Severity: S1 (Critical)
Version: 4.1.13 OS: Windows (Windows NT)
Assigned to: Igor Babaev CPU Architecture: Any

[17 Jun 2005 13:05] Igor Babaev
Description:
When debugging the Server 4.1.13 I found out that the following sequence of statements causes the Server to crash:

mysql> CREATE TABLE t1 (n INT);
Query OK, 0 rows affected (0.04 sec)

mysql> INSERT INTO t1 VALUES (1);
Query OK, 1 row affected (0.00 sec)

mysql> SELECT n+1 AS n FROM t1 GROUP BY n;
+------+
| n    |
+------+
|    2 |
+------+
1 row in set (0.00 sec)

mysql>

At this point I receive in MS Visual C++ "Unhandled exception in mysql-debug.exe: 0xC0000005: Access Violation". The exception arises when attempting to execute the cleanup() function call in Item::delete_self(). The Server does not respond to any subsequent query.

Note that this happens only if t1 contains only one row. In case of two rows everything looks ok (I continue after restarting the Server):

mysql> INSERT INTO t1 VALUES (2);
ERROR 2006 (HY000): MySQL server has gone
No connection. Trying to reconnect...
Connection id:    1
Current database: test

Query OK, 1 row affected (0.27 sec)

mysql> SELECT n+1 AS n FROM t1 GROUP BY n;
+------+
| n    |
+------+
|    2 |
|    3 |
+------+
2 rows in set (0.01 sec)

mysql> SELECT * FROM t1;
+------+
| n    |
+------+
|    1 |
|    2 |
+------+
2 rows in set (0.00 sec)

How to repeat:
DROP TABLE IF EXISTS t1;

CREATE TABLE t1 (n INT);

INSERT INTO t1 VALUES (1);

SELECT n+1 AS n FROM t1 GROUP BY n;

SELECT * FROM t1;
[17 Jun 2005 14:31] MySQL Verification Team
Thank you for the bug report. I was able to repeat:

/item.h
--323--

  virtual Item *neg_transformer(THD *thd) { return NULL; }
  virtual Item *safe_charset_converter(CHARSET_INFO *tocs);
  void delete_self()
  {
    cleanup();
^^^^^^^^^^^^
    delete this;
  }
};

Call stack:

>	mysqld-debug.exe!Item::delete_self()  Line 327 + 0x8	C++
 	mysqld-debug.exe!free_items(Item * item=0x02fb9768)  Line 1189 + 0x8	C++
 	mysqld-debug.exe!THD::end_statement()  Line 1526 + 0xc	C++
 	mysqld-debug.exe!mysql_parse(THD * thd=0x00f01880, char * inBuf=0x02fb8668, unsigned int length=34)  Line 4235	C++
 	mysqld-debug.exe!dispatch_command(enum_server_command command=COM_QUERY, THD * thd=0x00f01880, char * packet=0x02fb05a9, unsigned int packet_length=35)  Line 1503 + 0x1d	C++
 	mysqld-debug.exe!do_command(THD * thd=0x00f01880)  Line 1316 + 0x31	C++
 	mysqld-debug.exe!handle_one_connection(void * arg=0x00f01880)  Line 1048 + 0x9	C++
 	mysqld-debug.exe!pthread_start(void * param=0x00e1a970)  Line 63 + 0x7	C
 	mysqld-debug.exe!_threadstart(void * ptd=0x00f0fcc8)  Line 173 + 0xd	C
 	kernel32.dll!7c80b50b() 	
 	kernel32.dll!7c8399f3()
[17 Jun 2005 14:42] MySQL Verification Team
I was unable to repeat on Linux. Will test latest BK source for Windows:

mysql> SELECT n+1 AS n FROM t1 GROUP BY n;
+------+
| n    |
+------+
|    2 |
+------+
1 row in set (0.05 sec)

mysql> 
mysql> SELECT * FROM t1;
+------+
| n    |
+------+
|    1 |
+------+
1 row in set (0.00 sec)

mysql>
[28 Jun 2005 10:18] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/26479
[28 Jun 2005 17:04] Igor Babaev
This bug had already been fixed in 5.0. I downported that fix into 4.1.

ChangeSet
  1.2319 05/06/28 03:18:37 igor@rurik.mysql.com +3 -0
  group_by.result, group_by.test:
    Added a test case for bug #11414.
  sql_select.cc:
    Fixed bug #11414: crash on Windows with some simple
    GROUP BY queries.
    It happened to an allocation of an array containing
    0 Copy_field elements in setup_copy_fields.
    The bug had already been fixed in 5.0.
 
This fix will appear in 4.1.13.
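The ChangeSet above attributes the crash to allocating an array of zero Copy_field elements in setup_copy_fields. The C snippet below is an added example, not MySQL's code and not the actual fix: it sketches the defensive pattern for that situation in a small stand-alone model with hypothetical names (copy_field, copy_fields, copy_fields_setup, copy_fields_cleanup). It assumes nothing about the server's real data structures; the point it shows is that a zero-element request is a valid case to handle explicitly rather than hand to the allocator, because malloc(0) is implementation-defined and may return NULL or a unique pointer, and that cleanup must be safe on an empty or never-populated structure.

```c
/* Added example, not MySQL source: defensive handling of a zero-element
 * copy-field array. All names here are hypothetical stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-column copy descriptor. */
struct copy_field {
    const char *name;
    size_t length;
};

struct copy_fields {
    struct copy_field *items;  /* NULL whenever count == 0 */
    size_t count;
    int setup_ok;              /* 1 once setup has succeeded */
};

/* Allocate descriptors for `count` columns.
 * Zero columns is a valid, non-error outcome, so the allocator is not
 * called at all: a NULL return from malloc(0) would otherwise be
 * indistinguishable from out-of-memory, and a non-NULL return would be
 * a pointer that must never be dereferenced. Returns 0 on success, -1
 * on a genuine failure. */
int copy_fields_setup(struct copy_fields *cf, const char **names, size_t count)
{
    cf->items = NULL;
    cf->count = 0;
    cf->setup_ok = 0;

    if (count == 0) {
        cf->setup_ok = 1;          /* empty array, nothing to allocate */
        return 0;
    }
    if (count > SIZE_MAX / sizeof(struct copy_field))
        return -1;                 /* size_t overflow guard */

    cf->items = calloc(count, sizeof *cf->items);
    if (cf->items == NULL)
        return -1;                 /* real allocation failure */

    for (size_t i = 0; i < count; i++) {
        cf->items[i].name = names[i];
        cf->items[i].length = strlen(names[i]);
    }
    cf->count = count;
    cf->setup_ok = 1;
    return 0;
}

/* Cleanup is idempotent and safe on an empty or never-set-up struct:
 * free(NULL) is a no-op, and the fields are reset so a second call
 * cannot double-free. */
void copy_fields_cleanup(struct copy_fields *cf)
{
    free(cf->items);
    cf->items = NULL;
    cf->count = 0;
    cf->setup_ok = 0;
}

int main(void)
{
    struct copy_fields cf;
    const char *names[] = {"n"};   /* constructed sample column name */

    /* The zero-element case named in the ChangeSet. */
    copy_fields_setup(&cf, names, 0);
    copy_fields_cleanup(&cf);
    copy_fields_cleanup(&cf);      /* second cleanup must be harmless */

    /* An ordinary one-column case for contrast. */
    copy_fields_setup(&cf, names, 1);
    copy_fields_cleanup(&cf);
    return 0;
}
```

The two behaviours worth checking are that the zero-count path reports success without touching the allocator, and that cleanup can be called on the resulting empty structure (more than once) without freeing anything twice.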
[25 Jul 2005 20:04] Mike Hillyer
Documented in 4.1.13 changelog:

<listitem><para>Possible crash on Windows when performing GROUP BY on a calculated field. (Bug #11414)</para></listitem>