Bug #36737 having + full text operator crashes mysql
Submitted: 15 May 2008 15:03 Modified: 15 Mar 2009 3:02
Reporter: Aleksey Idemenev
Status: Closed
Category:MySQL Server: FULLTEXT search Severity:S2 (Serious)
Version:5.0.45, 5.0.60, 5.1.24, 4.1, 6.0 BK OS:Any
Assigned to: Sergey Vojtovich CPU Architecture:Any

[15 May 2008 15:03] Aleksey Idemenev
Description:
Tested on 5.0.45 and 5.1.24
Server crashes when using MATCH() AGAINST() in a HAVING clause on a GROUP_CONCAT()-concatenated field

How to repeat:
CREATE TABLE `kw_names` (
  `id` MEDIUMINT(9) UNSIGNED NOT NULL AUTO_INCREMENT,
  `name` VARCHAR(100) COLLATE utf8_general_ci NOT NULL DEFAULT '',
  PRIMARY KEY (`id`),
  UNIQUE KEY `name_unique` (`name`),
  FULLTEXT KEY `ft_name` (`name`)
) ENGINE=MyISAM AUTO_INCREMENT=1952 CHARACTER SET 'utf8' COLLATE 'utf8_general_ci';

SELECT GROUP_CONCAT(DISTINCT kn.name SEPARATOR " ") AS st
FROM kw_names AS kn
WHERE MATCH (kn.name) AGAINST ("festival" IN BOOLEAN MODE)
GROUP BY kn.id
HAVING MATCH(st) AGAINST('festival' IN BOOLEAN MODE);
[15 May 2008 16:38] Valeriy Kravchuk
Thank you for a bug report. Verified just as described with 5.1.24 on Windows XP. Stack trace is:

 	mysqld.exe!Item_func_match::fix_fields(THD * thd=0x05619308, Item * * ref=0x05633e48)  Line 4984	C++
 	mysqld.exe!JOIN::prepare(Item * * * rref_pointer_array=0x0561a6dc, TABLE_LIST * tables_init=0x056326e0, unsigned int wild_num=0, Item * conds_init=0x056329f8, unsigned int og_num=1, st_order * order_init=0x00000000, st_order * group_init=0x05632b70, Item * having_init=0x05632cb8, st_order * proc_param_init=0x00000000, st_select_lex * select_lex_arg=0x0561a5e0, st_select_lex_unit * unit_arg=0x0561a368)  Line 505 + 0x17 bytes	C++
 	mysqld.exe!mysql_select(THD * thd=0x05619308, Item * * * rref_pointer_array=0x0561a6dc, TABLE_LIST * tables=0x056326e0, unsigned int wild_num=0, List<Item> & fields={...}, Item * conds=0x056329f8, unsigned int og_num=1, st_order * order=0x00000000, st_order * group=0x05632b70, Item * having=0x05632cb8, st_order * proc_param=0x00000000, unsigned __int64 select_options=2147764736, select_result * result=0x05632df0, st_select_lex_unit * unit=0x0561a368, st_select_lex * select_lex=0x0561a5e0)  Line 2336 + 0x49 bytes	C++
 	mysqld.exe!handle_select(THD * thd=0x05619308, st_lex * lex=0x0561a308, select_result * result=0x05632df0, unsigned long setup_tables_done_option=0)  Line 269 + 0x79 bytes	C++
 	mysqld.exe!execute_sqlcom_select(THD * thd=0x00000000, TABLE_LIST * all_tables=0x056326e0)  Line 4752 + 0xa bytes	C++
 	mysqld.exe!mysql_execute_command(THD * thd=0x05619308)  Line 2052 + 0xc bytes	C++
 	mysqld.exe!mysql_parse(THD * thd=0x05619308, const char * inBuf=0x05632180, unsigned int length=204, const char * * found_semicolon=0x04b1f9e8)  Line 5634	C++
 	mysqld.exe!dispatch_command(enum_server_command command=COM_QUERY, THD * thd=0x05619308, char * packet=0x05814de1, unsigned int packet_length=204)  Line 1123	C++
 	mysqld.exe!do_command(THD * thd=0x00000003)  Line 781 + 0xf bytes	C++
 	mysqld.exe!handle_one_connection(void * arg=0x05619308)  Line 1115 + 0x6 bytes	C++
 	mysqld.exe!pthread_start(void * param=0x02351e50)  Line 85 + 0x3 bytes	C
>	mysqld.exe!_threadstart(void * ptd=0x02344f70)  Line 196 + 0x6 bytes	C
 	kernel32.dll!7c80b683() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]
[15 May 2008 16:40] Valeriy Kravchuk
5.0.60 also crashes.
[15 May 2008 17:27] Sveta Smirnova
Bug #36738 was marked as duplicate of this one.
[7 Aug 2008 10:25] Sergey Vojtovich
Simplified test case:
CREATE TABLE t1(a TEXT);
SELECT GROUP_CONCAT(a) AS st FROM t1 HAVING MATCH(st) AGAINST('test' IN BOOLEAN MODE);

IIRC MATCH() accepts _column_ list as arguments. In our case it gets result from GROUP_CONCAT() function. This statement should be considered as invalid.

It will be a one line fix to resolve this issue, thus R2/E2.
[29 Jan 2009 9:49] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/64428

2754 Sergey Vojtovich	2009-01-29
      BUG#36737 - having + full text operator crashes mysql
      
      MATCH() function accepts column list as an argument. It was possible to override
      this requirement with aliased non-column select expression. Which results in
      server crash.
      
      With this fix aliased non-column select expressions are not accepted by MATCH()
      function, returning an error.
[12 Feb 2009 10:51] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/66018

2742 Sergey Vojtovich	2009-02-12
      BUG#36737 - having + full text operator crashes mysql
            
      MATCH() function accepts column list as an argument. It was possible to override
      this requirement with aliased non-column select expression. Which results in
      server crash.
      
      With this fix aliased non-column select expressions are not accepted by MATCH()
      function, returning an error.
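The rule stated in Sergey Vojtovich's analysis and in the commit message above (MATCH() takes columns, and an alias bound to a non-column select expression must be rejected) can also be applied on the client side, as an added example that is not part of the bug report or of MySQL's own code: a small lint over SQL text that flags exactly the shape of query that crashed servers before 5.0.79/5.1.33/6.0.10, usable on application-generated SQL or a query log. It assumes aliases use the AS keyword, that the select list ends at the first FROM, and that an alias which merely renames a column is harmless.

```python
import re

# Added example (not from the bug report or MySQL): flag MATCH() arguments that are
# select-list aliases of non-column expressions, the shape that crashed unpatched
# servers. Assumes 'expr AS alias' syntax and a select list ending at the first FROM.
SELECT_LIST_RE = re.compile(r'\bSELECT\b(.*?)(?:\bFROM\b|$)', re.IGNORECASE | re.DOTALL)
ALIAS_RE = re.compile(r'(\S.*?)\s+AS\s+`?(\w+)`?', re.IGNORECASE | re.DOTALL)
MATCH_RE = re.compile(r'\bMATCH\s*\(([^)]*)\)', re.IGNORECASE)
COLUMN_RE = re.compile(r'^`?\w+`?(?:\.`?\w+`?)?$')  # plain, optionally qualified, column ref

def split_top_level(text):
    """Split on commas that are not nested inside parentheses."""
    parts, cur, depth = [], [], 0
    for ch in text:
        depth += (ch == '(') - (ch == ')')
        if ch == ',' and depth == 0:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    return parts + [''.join(cur)]

def aliased_expressions(sql):
    """Map each select-list alias (lower-cased) to the expression it names."""
    m = SELECT_LIST_RE.search(sql)
    out = {}
    for item in split_top_level(m.group(1) if m else ''):
        a = ALIAS_RE.search(item.strip())
        if a:
            out[a.group(2).lower()] = a.group(1).strip()
    return out

def bad_match_arguments(sql):
    """Return (alias, expression) for every MATCH() argument that is an alias of a
    non-column expression; an alias that just renames a column is assumed harmless."""
    aliases = aliased_expressions(sql)
    bad = []
    for m in MATCH_RE.finditer(sql):
        for arg in m.group(1).split(','):
            name = arg.strip().strip('`').lower()
            expr = aliases.get(name)
            if expr is not None and not COLUMN_RE.match(expr):
                bad.append((name, expr))
    return bad

# Constructed samples: the reporter's crashing query and a rewrite that only ever
# hands MATCH() a real column.
CRASHING = ('SELECT GROUP_CONCAT(DISTINCT kn.name SEPARATOR " ") AS st FROM kw_names AS kn '
            'WHERE MATCH (kn.name) AGAINST ("festival" IN BOOLEAN MODE) GROUP BY kn.id '
            "HAVING MATCH(st) AGAINST('festival' IN BOOLEAN MODE)")
SAFE = ("SELECT kn.name AS n, MATCH(kn.name) AGAINST('festival') AS score "
        "FROM kw_names AS kn WHERE MATCH(kn.name) AGAINST('festival' IN BOOLEAN MODE)")
```

`bad_match_arguments(CRASHING)` reports the `st` alias with its GROUP_CONCAT() expression, while `SAFE` yields nothing.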
[19 Feb 2009 13:03] Bugs System
Pushed into 6.0.10-alpha (revid:sergey.glukhov@sun.com-20090218125737-5y5b2xo3duo1wlvo) (version source revid:azundris@mysql.com-20090213182753-tsqikd41gkwowrqq) (merge vers: 6.0.10-alpha) (pib:6)
[5 Mar 2009 1:49] Paul DuBois
Noted in 6.0.10 changelog.

An argument to the MATCH() function that was an alias for an
expression other than a column name caused a server crash.

Setting report to NDI pending push into 5.0.x/5.1.x.
[9 Mar 2009 14:12] Bugs System
Pushed into 5.0.79 (revid:joro@sun.com-20090309135922-a0di9ebkxoj4d4wv) (version source revid:matthias.leich@sun.com-20090213125529-oznlhyq5c50ej39f) (merge vers: 5.0.79) (pib:6)
[9 Mar 2009 14:49] Paul DuBois
Noted in 5.0.79 changelog.

Setting report to NDI pending push into 5.1.x.
[13 Mar 2009 19:05] Bugs System
Pushed into 5.1.33 (revid:joro@sun.com-20090313111355-7bsi1hgkvrg8pdds) (version source revid:vvaintroub@mysql.com-20090218093153-sjzxf01i4ezte0xp) (merge vers: 5.1.33) (pib:6)
[15 Mar 2009 3:02] Paul DuBois
Noted in 5.1.33 changelog.
[9 May 2009 16:44] Bugs System
Pushed into 5.1.34-ndb-6.2.18 (revid:jonas@mysql.com-20090508185236-p9b3as7qyauybefl) (version source revid:jonas@mysql.com-20090508100057-30ote4xggi4nq14v) (merge vers: 5.1.33-ndb-6.2.18) (pib:6)
[9 May 2009 17:41] Bugs System
Pushed into 5.1.34-ndb-6.3.25 (revid:jonas@mysql.com-20090509063138-1u3q3v09wnn2txyt) (version source revid:jonas@mysql.com-20090508175813-s6yele2z3oh6o99z) (merge vers: 5.1.33-ndb-6.3.25) (pib:6)
[9 May 2009 18:38] Bugs System
Pushed into 5.1.34-ndb-7.0.6 (revid:jonas@mysql.com-20090509154927-im9a7g846c6u1hzc) (version source revid:jonas@mysql.com-20090509073226-09bljakh9eppogec) (merge vers: 5.1.33-ndb-7.0.6) (pib:6)