Bug #42744 crash in JOIN_CACHE::write_record_data, Field::is_null
Submitted: 10 Feb 2009 23:02 Modified: 16 Nov 2010 3:54
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Optimizer Severity: S1 (Critical)
Version: 6.0.10-debug OS: Windows
Assigned to: Igor Babaev CPU Architecture: Any

[10 Feb 2009 23:02] Shane Bester
Description:
mysqld.exe!Field::is_null()[field.h:263]
mysqld.exe!JOIN_CACHE::write_record_data()[sql_join_cache.cc:966]
mysqld.exe!JOIN_CACHE::put_record()[sql_join_cache.cc:1186]
mysqld.exe!sub_select_cache()[sql_select.cc:16042]
mysqld.exe!JOIN_CACHE::generate_full_extensions()[sql_join_cache.cc:1877]
mysqld.exe!JOIN_CACHE_BNL::join_matching_records()[sql_join_cache.cc:1770]
mysqld.exe!JOIN_CACHE::join_records()[sql_join_cache.cc:1591]
mysqld.exe!sub_select_cache()[sql_select.cc:16029]
mysqld.exe!sub_select()[sql_select.cc:16187]
mysqld.exe!do_select()[sql_select.cc:15792]
mysqld.exe!JOIN::exec()[sql_select.cc:2877]
mysqld.exe!mysql_select()[sql_select.cc:3060]
mysqld.exe!handle_select()[sql_select.cc:315]
mysqld.exe!execute_sqlcom_select()[sql_parse.cc:4756]
mysqld.exe!mysql_execute_command()[sql_parse.cc:2063]
mysqld.exe!mysql_parse()[sql_parse.cc:5751]
mysqld.exe!dispatch_command()[sql_parse.cc:1009]
mysqld.exe!do_command()[sql_parse.cc:691]
mysqld.exe!handle_one_connection()[sql_connect.cc:1146]
mysqld.exe!pthread_start()[my_winthread.c:61]
mysqld.exe!_callthreadstartex()[threadex.c:348]
mysqld.exe!_threadstartex()[threadex.c:331]

How to repeat:
drop table if exists `a`,`b`;
create table `a` (`c3` mediumtext) engine=innodb;
create table `b` (`a` int primary key,`c1` tinyblob) engine=innodb;
insert into `a` values (null);
insert into `a` values (null);
insert into `b` values (1,null);

select `b`.`c1` from `a`,`b`
where  `c3` in (select 1 from `b`) ;
[10 Feb 2009 23:27] MySQL Verification Team
Verified as described.
[12 Feb 2009 1:53] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/65978

2693 Igor Babaev	2009-02-11
      Fixed bug #42744.
      When processing a query the function calc_used_field_length was called
      only once for each joined table tab. The function sets some field counters
      in the JOIN_TAB structure for tab and their values depend on the value of
      tab->read_set. The value of tab->read_set may change between the first call
      of calc_used_field_length and the last call of this function in 
      JOIN_CACHE::calc_record_fields. Yet the method did not recalculate the
      value of the counters. As a result the function could allocate less memory
      than was needed for the descriptors of fields stored in join caches.
      In some situations it could lead to memory corruption and crashes.
[12 Feb 2009 18:22] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/66080

2695 Igor Babaev	2009-02-12
      Fixed bug #42744.
      When processing a query the function calc_used_field_length was called
      only once for each joined table tab. The function sets some field counters
      in the JOIN_TAB structure for tab and their values depend on the value of
      tab->read_set. The value of tab->read_set may change between the first call
      of calc_used_field_length and the last call of this function in 
      JOIN_CACHE::calc_record_fields. Yet the method did not recalculate the
      value of the counters. As a result the function could allocate less memory
      than was needed for the descriptors of fields stored in join caches.
      In some situations it could lead to memory corruption and crashes.
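The commit message describes a classic stale-size bug: a field count is cached from tab->read_set, the read set is widened by a later optimizer phase, and the join cache then writes one descriptor per field into a buffer sized from the old count. The C program below is an added illustration of that pattern and its fix; it is not MySQL source. The names join_tab_t, calc_used_fields, alloc_count_stale, alloc_count_fresh and write_field_descriptors are hypothetical stand-ins for calc_used_field_length and JOIN_CACHE::calc_record_fields, and the sample read set is constructed. Instead of actually overrunning the heap, write_field_descriptors counts the descriptors that would have been written past the end, so the two sizing strategies can be compared safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_FIELDS 16

/* Hypothetical model of a joined table (stand-in for JOIN_TAB): which
   columns the join reads, plus the counter cached from that set. */
typedef struct {
    bool read_set[MAX_FIELDS];
    size_t used_fields;   /* cached by calc_used_fields(); can go stale */
} join_tab_t;

/* Descriptor stored in the join cache for each used field. */
typedef struct {
    int field_index;
    size_t length;        /* not modeled here, left at 0 */
} field_desc_t;

/* Stand-in for calc_used_field_length: count the fields in the current
   read set and cache the result on the table. */
size_t calc_used_fields(join_tab_t *tab) {
    size_t n = 0;
    for (int i = 0; i < MAX_FIELDS; i++)
        if (tab->read_set[i]) n++;
    tab->used_fields = n;
    return n;
}

/* Buggy sizing: trust the counter cached at the first call. */
size_t alloc_count_stale(const join_tab_t *tab) {
    return tab->used_fields;
}

/* Fixed sizing: recompute from read_set at the point of allocation. */
size_t alloc_count_fresh(join_tab_t *tab) {
    return calc_used_fields(tab);
}

/* Write one descriptor per field in read_set into descs[0..capacity).
   Returns how many descriptors did NOT fit, i.e. the number of writes an
   unguarded loop would have made past the end of the allocation. */
size_t write_field_descriptors(const join_tab_t *tab, field_desc_t *descs,
                               size_t capacity) {
    size_t written = 0, overflow = 0;
    for (int i = 0; i < MAX_FIELDS; i++) {
        if (!tab->read_set[i]) continue;
        if (written < capacity) {
            descs[written].field_index = i;
            descs[written].length = 0;
            written++;
        } else {
            overflow++;
        }
    }
    return overflow;
}

/* Constructed scenario: the count is cached while two columns are read,
   then a later phase adds three more columns before the cache is built. */
static void build_scenario(join_tab_t *tab) {
    for (int i = 0; i < MAX_FIELDS; i++) tab->read_set[i] = false;
    tab->used_fields = 0;
    tab->read_set[0] = tab->read_set[3] = true;
    calc_used_fields(tab);                                      /* caches 2 */
    tab->read_set[1] = tab->read_set[5] = tab->read_set[7] = true; /* now 5 */
}

static size_t run_with(size_t capacity, const join_tab_t *tab) {
    field_desc_t *descs = calloc(capacity ? capacity : 1, sizeof *descs);
    if (!descs) return (size_t)-1;
    size_t overflow = write_field_descriptors(tab, descs, capacity);
    free(descs);
    return overflow;
}

size_t overflow_with_stale_count(void) {
    join_tab_t tab;
    build_scenario(&tab);
    return run_with(alloc_count_stale(&tab), &tab);   /* 3 descriptors too few */
}

size_t overflow_with_fresh_count(void) {
    join_tab_t tab;
    build_scenario(&tab);
    return run_with(alloc_count_fresh(&tab), &tab);   /* 0: sized correctly */
}

int main(void) {
    printf("stale count: %zu descriptors past the end\n", overflow_with_stale_count());
    printf("fresh count: %zu descriptors past the end\n", overflow_with_fresh_count());
    return 0;
}
```

The fix in the real patch follows the second strategy: recompute the counters whenever the read set may have changed, so the allocation and the write loop agree on the same field set. The general check to carry into a review is that any buffer whose size is derived from mutable state must either be sized at the last point that state can change or be guarded by a bound in the write loop.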
[16 Feb 2009 18:08] Bugs System
Pushed into 6.0.10-alpha (revid:alik@sun.com-20090216180446-dl1xovi02kbd2fgn) (version source revid:igor@mysql.com-20090212182705-z6mk4dvgdby69bkh) (merge vers: 6.0.10-alpha) (pib:6)
[27 Feb 2009 20:42] Paul DuBois
Noted in 6.0.10 changelog.

The optimizer could underestimate the memory required for column
descriptors during join processing and cause memory corruption or a
server crash.
[16 Aug 2010 6:33] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100816062819-bluwgdq8q4xysmlg) (version source revid:alik@sun.com-20100816062612-enatdwnv809iw3s9) (pib:20)
[13 Nov 2010 16:24] Bugs System
Pushed into mysql-trunk 5.6.99-m5 (revid:alexander.nozdrin@oracle.com-20101113155825-czmva9kg4n31anmu) (version source revid:vasil.dimov@oracle.com-20100629074804-359l9m9gniauxr94) (merge vers: 5.6.99-m4) (pib:21)
[16 Nov 2010 3:54] Paul DuBois
Noted in 5.6.1 changelog.