| Bug #26830 | subquery, group by .. with rollup crashes server | ||
|---|---|---|---|
| Submitted: | 4 Mar 2007 6:43 | Modified: | 15 Mar 2007 4:00 |
| Reporter: | Shane Bester | ||
| Status: | Closed | ||
| Category: | Server: General | Severity: | S1 (Critical) |
| Version: | 5.0.38BK, 5.1.17BK | OS: | Any (*) |
| Assigned to: | Bugs System | Target Version: | |
| Tags: | with rollup, subquery, crash | ||
[4 Mar 2007 6:51]
Shane Bester
stack from 5.0.38BK on linux
Attachment: linux.stack.txt (text/plain), 3.64 KiB.
[4 Mar 2007 7:37]
Shane Bester
5.1.17BK stack
Attachment: linux.stack.5.1.17.txt (text/plain), 2.14 KiB.
[4 Mar 2007 9:01]
Valeriy Kravchuk
Thank you for a bug report. Verified just as described. 5.0.38-BK non-debug does not crash, while 5.1.17-BK crashed even without --with-debug on Linux:

```
openxs@suse:~/dbs/5.1> bin/mysql -uroot test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.1.17-beta Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> drop table if exists `t1`;
Query OK, 0 rows affected (0.01 sec)

mysql> create table `t1` (`a` int,key (`a`)) engine=innodb;
Query OK, 0 rows affected (0.01 sec)

mysql> select 1 from ( select sum(`a`) from `t1` group by `a` with rollup) as `a`;
Empty set (0.00 sec)

mysql>
Number of processes running now: 0
070304 06:51:08 mysqld restarted
```

Resolved stack trace:

```
openxs@suse:~/dbs/5.1> bin/resolve_stack_dump -s /tmp/mysqld51.sym -n 26830.stack
0x82087bd handle_segfault + 605
(nil)
0x821dd9c _Z11mysql_parseP3THDPcj + 540
0x821ecb2 _Z16dispatch_command19enum_server_commandP3THDPcj + 3682
0x821f6e6 _Z10do_commandP3THD + 150
0x820dd03 handle_one_connection + 387
0x40047aa7 _end + 931979059
0x4023ec2e _end + 934039738
```
[10 Mar 2007 10:47]
Igor Babaev
The bug can be demonstrated on a MyISAM table as well:

```
mysql> CREATE TABLE t1 (a int, KEY (a));
Query OK, 0 rows affected (0.45 sec)

mysql> INSERT INTO t1 VALUES (3), (1), (4), (1), (3), (1), (1);
Query OK, 7 rows affected (0.00 sec)
Records: 7 Duplicates: 0 Warnings: 0

mysql> SELECT * FROM (SELECT a, SUM(a) FROM t1 GROUP BY a WITH ROLLUP) as t;
ERROR 2013 (HY000): Lost connection to MySQL server during query
```

On the server side we have:

```
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1291916384 (LWP 2823)]
0x08277a10 in setup_sum_funcs (thd=0x8d32ae0, func_ptr=0x8d4e458) at sql_select.cc:14204
/home/igor/dev-opt/mysql-5.0-opt-bug26830/sql/sql_select.cc:14204:460327:beg:0x8277a10
```

The segfault happens in the following function:

```
static bool setup_sum_funcs(THD *thd, Item_sum **func_ptr)
{
  Item_sum *func;
  DBUG_ENTER("setup_sum_funcs");
  while ((func= *(func_ptr++)))   // <- Segfault
  {
    if (func->setup(thd))
      DBUG_RETURN(TRUE);
  }
  DBUG_RETURN(FALSE);
}
```
[10 Mar 2007 12:03]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/21673

ChangeSet@1.2472, 2007-03-10 02:47:47-08:00, igor@olga.mysql.com +3 -0

Fixed bug #26830: a crash for the query with a subselect containing ROLLUP. Crash happened because the function get_best_group_min_max detected joins with ROLLUP incorrectly.
[12 Mar 2007 6:05]
Igor Babaev
Pushed to 5.0.38, 5.1.17
[15 Mar 2007 4:00]
Paul DuBois
Noted in 5.0.38, 5.1.17 changelogs. Use of a subquery containing GROUP BY and WITH ROLLUP caused a server crash.

Description:

When a query has a subquery containing a group by with rollup, and an index in the column grouped by, the server can crash. The testcase crashes my Windows + Linux mysqld server when built as debug binary. (-g -01 --with-debug=full)

```
mysqld-debug.exe!setup_sum_funcs(THD * thd=0x028802a8, Item_sum * * func_ptr=0x028acfb0) Line 14122 + 0xc bytes C++
mysqld-debug.exe!JOIN::exec() Line 1777 + 0x31 bytes C++
mysqld-debug.exe!mysql_select(THD * thd=0x028802a8, Item * * * rref_pointer_array=0x028a6b58, st_table_list * tables=0x028a70a8, unsigned int wild_num=0, List<Item> & fields={...}, Item * conds=0x00000000, unsigned int og_num=1, st_order * order=0x00000000, st_order * group=0x028a7350, Item * having=0x00000000, st_order * proc_param=0x00000000, unsigned __int64 select_options=2424588800, select_result * result=0x028a77e8, st_select_lex_unit * unit=0x028a6be0, st_select_lex * select_lex=0x028a6a30) Line 2081 C++
mysqld-debug.exe!mysql_derived_filling(THD * thd=0x028802a8, st_lex * lex=0x028802e8, st_table_list * orig_table_list=0x028a75c0) Line 266 + 0x94 bytes C++
mysqld-debug.exe!mysql_handle_derived(st_lex * lex=0x028802e8, int (THD *, st_lex *, st_table_list *)* processor=0x0054d880) Line 56 + 0x15 bytes C++
mysqld-debug.exe!open_and_lock_tables(THD * thd=0x028802a8, st_table_list * tables=0x028a75c0) Line 2471 + 0x3b bytes C++
mysqld-debug.exe!mysql_execute_command(THD * thd=0x028802a8) Line 2594 + 0xd bytes C++
mysqld-debug.exe!mysql_parse(THD * thd=0x028802a8, char * inBuf=0x028a6718, unsigned int length=74) Line 5909 + 0x9 bytes C++
mysqld-debug.exe!dispatch_command(enum_server_command command=COM_QUERY, THD * thd=0x028802a8, char * packet=0x0289e619, unsigned int packet_length=75) Line 1786 + 0x1d bytes C++
mysqld-debug.exe!do_command(THD * thd=0x028802a8) Line 1568 + 0x31 bytes C++
mysqld-debug.exe!handle_one_connection(void * arg=0x028802a8) Line 1194 + 0x9 bytes C++
mysqld-debug.exe!pthread_start(void * param=0x028751a0) Line 62 + 0x7 bytes C
mysqld-debug.exe!_callthreadstart() Line 293 + 0xf bytes C
mysqld-debug.exe!_threadstart(void * ptd=0x0286c450) Line 277 C
```

Release binary might also crash, but that can be more compiler and OS dependent.

How to repeat:

```
drop table if exists `t1`;
create table `t1` (`a` int,key (`a`)) engine=innodb;
select 1 from ( select sum(`a`) from `t1` group by `a` with rollup) as `a`;
```