Bug #20005 Crash while creating temp table
Submitted: 22 May 2006 17:39 Modified: 26 Sep 2006 13:27
Reporter: Matthias Urlichs Email Updates:
Status: No Feedback Impact on me:
None 
Category:MySQL Server Severity:S2 (Serious)
Version:4.1.20, 4.1.11 OS:Linux (Debian Sarge)
Assigned to: CPU Architecture:Any

[22 May 2006 17:39] Matthias Urlichs 
Description:
A "select... from (select foo UNION select bar)" statement can crash the server when creating a temporary table.

Stack dump:
0x81893bf handle_segfault + 703
0x81cd517 create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long, unsigned long, char*) + 2839
0x825a8cc mysql_derived(THD*, st_lex*, st_select_lex_unit*, st_table_list*) + 252
0x825a7bd mysql_handle_derived(st_lex*) + 141
0x81bd1d6 open_and_lock_tables(THD*, st_table_list*) + 102
0x819d6be mysql_execute_command(THD*) + 846
0x81a2dac mysql_parse(THD*, char*, unsigned int) + 204
0x819c165 dispatch_command(enum_server_command, THD*, char*, unsigned int) + 981
0x819bd46 do_command(THD*) + 134
0x819b4a8 handle_one_connection + 856

gdb disassembly before that statement:

0x081cd4db <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2779>:     mov    (%edi),%esi
0x081cd4dd <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2781>:     xor    %edx,%edx
0x081cd4df <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2783>:     mov    (%esi),%ebx
0x081cd4e1 <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2785>:     mov    %edx,0x8(%esp)
0x081cd4e5 <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2789>:     mov    %eax,0x4(%esp)
0x081cd4e9 <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2793>:     mov    (%edi),%esi
0x081cd4eb <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2795>:     mov    %esi,(%esp)
0x081cd4ee <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2798>:     call   *0x18(%ebx)
0x081cd4f1 <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2801>:     xor    %ecx,%ecx
0x081cd4f3 <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2803>:     mov    %ecx,0x100(%edi)
0x081cd4f9 <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2809>:     mov    0xffffefb8(%ebp),%edi
0x081cd4ff <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2815>:     mov    0x8(%edi),%ecx
0x081cd502 <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2818>:     mov    0x8(%ebp),%eax
0x081cd505 <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2821>:     movl   $0x0,(%ecx)
0x081cd50b <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2827>:     mov    %edi,0x4(%esp)
0x081cd50f <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2831>:     mov    %eax,(%esp)
0x081cd512 <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2834>:     call   0x81ce140 <_Z14free_tmp_tableP3THDP8st_table>
0x081cd517 <_Z16create_tmp_tableP3THDP15TMP_TABLE_PARAMR4ListI4ItemEP8st_orderbbmmPc+2839>:     mov    0xffffef64(%ebp),%edi

... which probably says that the crash happens inside free_tmp_table(), but unfortunately the crash address in that procedure is not captured by the backtrace.

How to repeat:
Unfortunately, the crash seems to happen only on the client's production server; so far, we'vfe been unable to reproduce it on a test system.

Table:
CREATE TABLE `templatedata` (
  `id` varchar(255) NOT NULL default '',
  `activefrom` bigint(20) NOT NULL default '0',
  `activefromts` datetime NOT NULL default '0000-00-00 00:00:00',
  `activeto` datetime default NULL,
  `family` varchar(100) default NULL,
  `campaign` varchar(100) default NULL,
  `doctype` varchar(100) default NULL,
  `creationdate` date default NULL,
  `author` varchar(20) default NULL,
  `validfrom` date default NULL,
  `validto` date default NULL,
  `colors` int(11) default NULL,
  `mindealers` int(11) default NULL,
  `maxdealers` int(11) default NULL,
  `columns` int(11) default NULL,
  `mvreleaseuser` varchar(50) default NULL,
  `mvreleasedate` date default NULL,
  `releaseuser` varchar(50) default NULL,
  `releasedate` date default NULL,
  `withdrawnuser` varchar(50) default NULL,
  `withdrawndate` date default NULL,
  `shortdescription` text,
  `longdescription` text,
  `language` varchar(10) default NULL,
  `category` varchar(20) default NULL,
  `anzeigentyp` varchar(10) default NULL,
  `art` varchar(100) default NULL,
  `width` decimal(10,2) default NULL,
  `spotcolor` varchar(100) default NULL,
  `xmltempl` longtext,
  `isexpired` tinyint(1) default NULL,
  `height` decimal(10,2) default NULL,
  `format` varchar(64) default NULL,
  `dotgain` varchar(16) default NULL,
  `anzeigencode` varchar(64) default NULL,
  `modifiedby` varchar(50) default NULL,
  `modifiedwith` varchar(50) default NULL,
  `ourordernumber` varchar(16) default NULL,
  `initiatorid` varchar(64) default NULL,
  PRIMARY KEY  (`id`,`activefrom`),
  KEY `index_templatedata_1a` (`activeto`,`id`),
  KEY `index_templatedata_4a` (`activeto`,`withdrawndate`,`releasedate`,`mvreleasedate`,`validfrom`,`validto`,`id`),
  KEY `index_templatedata_5a` (`campaign`,`activeto`,`id`(238)),
  KEY `index_templatedata_2a` (`activeto`,`campaign`,`id`(238)),
  KEY `index_templatedata_6a` (`activeto`,`category`,`id`),
  KEY `index_templatedata_6b` (`category`,`activeto`,`id`),
  KEY `index_templatedata_7a` (`activeto`,`ourordernumber`,`id`),
  KEY `index_templatedata_7b` (`ourordernumber`,`activeto`,`id`),
  KEY `index_templatedata_3a` (`activeto`,`family`,`id`(200))
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

Query that triggers the problem: <attachment, it's longer than 8k>
[22 May 2006 17:41] Matthias Urlichs 
SQL statement triggering the bug

Attachment: sql (application/octet-stream, text), 9.81 KiB.
[22 May 2006 17:59] MySQL Verification Team 
Thank you for the bug report. I was unable to repeat testing against
the 4.1.19 source server. Anyway you are reporting a version which
is very older, could you please test against the newest release 4.1.XX
server?

Thanks in advance.
[22 Jun 2006 23:00] Bugs System 
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[16 Aug 2006 19:25] Sveta Smirnova 
Bug #21458 duplicates this one
[16 Aug 2006 19:39] Lukas Jelinek 
The bug I reported #21458 (and which was found as a duplicate of this) occurred on the version 4.1.20. Please look there for more information.
[16 Aug 2006 20:11] Sveta Smirnova 
Lukas, thank you for the feedback.

Please, accurate indicate your platform, version of package you use and indicate if you use NPTL threads.
[16 Aug 2006 20:43] Lukas Jelinek 
Platform (uname -a): Linux localhost 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005 i686 athlon i386 GNU/Linux
Package: mysql-server-4.1.20-1.FC4.1
NPTL: yes
[26 Aug 2006 13:27] Valeriy Kravchuk 
Please, try to repeat with a newer version, 4.1.21, and inform about the results.
[26 Sep 2006 23:00] Bugs System 
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[27 Sep 2006 18:49] Lukas Jelinek 
After I had upgraded to 4.1.21 (RPM package MySQL-server-4.1.21-0.glibc23) the server has been working with no error occurred (and is still working OK). But I think that there is only low probability the error occurs again because the server processes hundreds of similar queries a day. And the original problem (as I reported) came after many weeks of trouble-free operation.