Bug #15096 View -> Function -> View = Crash
Submitted: 21 Nov 2005 12:24   Modified: 6 Dec 2005 21:49
Reporter: Martin Aspeli
Status: Closed
Category: MySQL Server: Views   Severity: S2 (Serious)
Version: 5.0.15/5.0.17 BK   OS: Windows (Windows XP/Linux)
Assigned to: Oleksandr Byelkin   CPU Architecture: Any

[21 Nov 2005 12:24] Martin Aspeli
Description:
Hi,

We had some rather troublesome crashes in MySQL 5.0.15, on Windows XP (rather poor hardware unfortunately, don't know if it's relevant). The crashes occurred during CREATE VIEW, and we tracked it down to a sequence with a CREATE VIEW referring to a FUNCTION which in turn referred to another VIEW.

How to repeat:
The following SQL script reliably reproduces the problem here:

DROP VIEW IF EXISTS inside;
CREATE VIEW inside AS SELECT 42 AS Meaning;

DELIMITER //
DROP FUNCTION IF EXISTS testFunc //
CREATE FUNCTION testFunc() RETURNS INTEGER
BEGIN
  DECLARE retn INTEGER;
  SELECT Meaning FROM inside INTO retn;
  RETURN retn;
END
//
DELIMITER ;

DROP VIEW IF EXISTS outside;
CREATE VIEW outside AS SELECT testFunc();

The last CREATE VIEW statement causes mysqld-nt to eat CPU for a few seconds, until it crashes.
[21 Nov 2005 12:33] MySQL Verification Team
Thank you for the bug report.

[New Thread 1099537328 (LWP 6659)]
051121 10:31:33 [Note] /home/miguel/dbs/5.0/libexec/mysqld: ready for connections.
Version: '5.0.17-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
[New Thread 1131895728 (LWP 6662)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1131895728 (LWP 6662)]
0x0833e4ab in mysql_create_view (thd=0x8e5e520, mode=VIEW_CREATE_NEW) at sql_view.cc:354
354         if (tbl->table->s->tmp_table != NO_TMP_TABLE && !tbl->view &&
(gdb) bt full
#0  0x0833e4ab in mysql_create_view (thd=0x8e5e520, mode=VIEW_CREATE_NEW) at sql_view.cc:354
        lex = (LEX *) 0x8e5e560
        view = (TABLE_LIST *) 0x8e8ad50
        sl = (SELECT_LEX *) 0x0
        res = false
        _db_func_ = 0x43774738 "ÈOwC·\006 \b"
        _db_file_ = 0x8e5e520 "¨J`\b(1}\b,1}\b¼J`\bxÁè\b@åå\b"
        _db_level_ = 0
        _db_framep_ = (char **) 0x8e92c78
        tbl = (TABLE_LIST *) 0x8e8b7f0
        link_to_local = true
        tables = (TABLE_LIST *) 0x0
        select_lex = (SELECT_LEX *) 0x8e5e798
        unit = (SELECT_LEX_UNIT *) 0x8e5e570
#1  0x082006da in mysql_execute_command (thd=0x8e5e520) at sql_parse.cc:4556
        res = false
        lex = (LEX *) 0x8e5e560
        _db_func_ = 0x43775bb0 "°[wCl©æ\b°[wC\001"
        _db_file_ = 0x0
        _db_level_ = 140171931
        _db_framep_ = (char **) 0x87d22dc
        result = 0
        select_lex = (SELECT_LEX *) 0x8e5e798
        first_table = (TABLE_LIST *) 0x8e8ad50
        all_tables = (TABLE_LIST *) 0x8e8ad50
        unit = (SELECT_LEX_UNIT *) 0x8e5e570
        __PRETTY_FUNCTION__ = "bool mysql_execute_command(THD*)"
#2  0x08201669 in mysql_parse (thd=0x8e5e520, inBuf=0x8e8ac90 "CREATE VIEW outside AS SELECT testFunc()", length=40) at sql_parse.cc:5581
        lex = (LEX *) 0x8e5e560
        _db_func_ = 0x87e1700 "è%e\b"
        _db_file_ = 0x8201f00 "\203Ä ¡\024Å~\b\205Àt/\203ì\bhïSa\bh¨\006"
        _db_level_ = 1131893528
        _db_framep_ = (char **) 0x0
        __PRETTY_FUNCTION__ = "void mysql_parse(THD*, char*, uint)"
#3  0x08201f7f in dispatch_command (command=COM_QUERY, thd=0x8e5e520, packet=0x8e82c31 "CREATE VIEW outside AS SELECT testFunc()", 
    packet_length=41) at sql_parse.cc:1709
        packet_end = 0x8e8acb8 ""
        net = (NET *) 0x8e5ed14
        _db_func_ = 0x4 <Address 0x4 out of bounds>
        _db_file_ = 0x0
        error = false
        _db_level_ = 16787816
        _db_framep_ = (char **) 0x8e5f60c
#4  0x082032e8 in do_command (thd=0x8e5e520) at sql_parse.cc:1510
        packet = 0x8e82c30 "\003CREATE VIEW outside AS SELECT testFunc()"
        old_timeout = 30
        packet_length = 41
        net = (NET *) 0x8e5ed14
        command = COM_QUERY
        _db_func_ = 0x43775378 "XTwCô6 \b åå\b\001"
        _db_file_ = 0x8e5f728 "Hfä\b"
        _db_level_ = 149186120
        _db_framep_ = (char **) 0x1010
#5  0x082036f4 in handle_one_connection (arg=0x8e5e520) at sql_parse.cc:1155
        error = 0
        net = (NET *) 0x8e5ed14
        sctx = (Security_context *) 0x8e5f4ec
        thd = (class THD *) 0x8e5e520
        launch_time = 0
        set = {__val = {0 <repeats 32 times>}}
#6  0x40181297 in start_thread () from /lib/tls/libpthread.so.0
No symbol table info available.
#7  0x402bc37e in clone () from /lib/tls/libc.so.6
No symbol table info available.
#8  0x43775bb0 in ?? ()
No symbol table info available.
(gdb)
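Frame #0 of the backtrace above faults on the condition at sql_view.cc:354, which dereferences tbl->table for every entry of the new view's table list before the `!tbl->view` part of the expression is even reached. The following is an added example written for this page, not MySQL's code and not part of the report: a small C model of that check beside a guarded form. It assumes, as the most plausible reading of the SIGSEGV, that the entry for the inner view `inside` (pulled in through testFunc()) reaches the check with no opened TABLE behind it. The struct layouts, the enum, the static sample list and the function names are stand-ins written for this example; only the member names echo the server's.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the pointer chain dereferenced at sql_view.cc:354.
 * Only the member names TABLE_LIST::table, TABLE_LIST::view,
 * TABLE_LIST::next_global, TABLE::s and TABLE_SHARE::tmp_table echo
 * MySQL 5.0; the layouts, the enum and the helpers are stand-ins. */
enum tmp_table_type { NO_TMP_TABLE = 0, TMP_TABLE = 1 };

typedef struct TABLE_SHARE { enum tmp_table_type tmp_table; } TABLE_SHARE;
typedef struct TABLE       { TABLE_SHARE *s; } TABLE;
typedef struct TABLE_LIST {
    const char *alias;
    TABLE *table;                 /* NULL until the entry is actually opened */
    int view;                     /* non-zero once the entry is resolved as a view */
    struct TABLE_LIST *next_global;
} TABLE_LIST;

/* Shape of the original check: tbl->table is dereferenced for every entry,
 * left to right, so an entry whose table was never opened faults here. */
static int refers_to_tmp_table_unguarded(const TABLE_LIST *tables)
{
    const TABLE_LIST *tbl;
    for (tbl = tables; tbl; tbl = tbl->next_global)
        if (tbl->table->s->tmp_table != NO_TMP_TABLE && !tbl->view)
            return 1;
    return 0;
}

/* Guarded form: an entry with no opened TABLE cannot be a temporary table,
 * so it is skipped instead of dereferenced. */
static int refers_to_tmp_table_guarded(const TABLE_LIST *tables)
{
    const TABLE_LIST *tbl;
    for (tbl = tables; tbl; tbl = tbl->next_global)
        if (tbl->table != NULL && tbl->table->s != NULL &&
            tbl->table->s->tmp_table != NO_TMP_TABLE && !tbl->view)
            return 1;
    return 0;
}

/* Counts list entries that have no opened TABLE behind them. */
static int count_unopened(const TABLE_LIST *tables)
{
    int n = 0;
    const TABLE_LIST *tbl;
    for (tbl = tables; tbl; tbl = tbl->next_global)
        if (tbl->table == NULL)
            n++;
    return n;
}

/* Constructed sample list mirroring the repro: "inside" (the view read by
 * testFunc()) sits in the list of CREATE VIEW outside, but in this model no
 * TABLE has been opened for it. Assumption: this is what line 354 sees. */
static TABLE_SHARE share_inside = { NO_TMP_TABLE };
static TABLE       tab_inside   = { &share_inside };
static TABLE_LIST  entry_inside_unopened = { "inside", NULL, 0, NULL };
static TABLE_LIST  entry_inside_opened   = { "inside", &tab_inside, 1, NULL };

/* Guarded result for the list as the crashing statement sees it (0: not tmp). */
int check_repro_list_guarded(void)
{
    return refers_to_tmp_table_guarded(&entry_inside_unopened);
}

/* Once the entry is opened, both forms agree (returns 1 when they do). */
int check_opened_list_both_forms_agree(void)
{
    return refers_to_tmp_table_unguarded(&entry_inside_opened) ==
           refers_to_tmp_table_guarded(&entry_inside_opened);
}

int unopened_entries_in_repro_list(void)
{
    return count_unopened(&entry_inside_unopened);
}

int main(void)
{
    printf("unopened entries: %d\n", unopened_entries_in_repro_list());
    printf("guarded check:    %d\n", check_repro_list_guarded());
    /* refers_to_tmp_table_unguarded(&entry_inside_unopened) would SIGSEGV
     * here, which is the shape of the fault in frame #0 above. */
    return 0;
}
```

Note that ordering the expression as `tbl->table->s->... && !tbl->view` does not help for an unopened entry: the left operand is evaluated first, so the `!tbl->view` test never gets a chance to short-circuit the dereference. The guarded form puts the NULL checks first for exactly that reason.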
[22 Nov 2005 8:19] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/32518
[30 Nov 2005 14:07] Konstantin Osipov
Approved by email.
[1 Dec 2005 10:16] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/32898
[3 Dec 2005 17:53] Oleksandr Byelkin
Thank you for bug report!
Fix for this bug is pushed to 5.0.17 and 5.1.4.
[6 Dec 2005 21:49] Paul DuBois
Noted in 5.0.17, 5.1.4 changelogs.