Bug #52177 crash with explain, row comparison, join, text field
Submitted: 18 Mar 2010 11:52 Modified: 20 Jun 2010 17:53
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Optimizer Severity: S1 (Critical)
Version: 5.0.90, 5.1.37, 5.1.45, 5.6.99-m4 OS: Any
Assigned to: Sergei Glukhov CPU Architecture: Any
Tags: crash, explain, row
Triage: Triaged: D1 (Critical)

[18 Mar 2010 11:52] Shane Bester
Description:
Version: '5.6.99-m4-debug'  socket: ''  port: 3306  Source distribution
100318 13:49:56 - mysqld got exception 0xc0000005 ;

mysqld.exe!my_strnncollsp_simple()[ctype-simple.c:188]
mysqld.exe!sortcmp()[sql_string.cc:659]
mysqld.exe!Arg_comparator::compare_e_string()[item_cmpfunc.cc:1330]
mysqld.exe!Arg_comparator::compare()[item_cmpfunc.h:84]
mysqld.exe!Arg_comparator::compare_e_row()[item_cmpfunc.cc:1626]
mysqld.exe!Arg_comparator::compare()[item_cmpfunc.h:84]
mysqld.exe!Item_func_equal::val_int()[item_cmpfunc.cc:1875]
mysqld.exe!Item::val_bool()[item.cc:184]
mysqld.exe!Item_cond_and::val_int()[item_cmpfunc.cc:4389]
mysqld.exe!make_join_select()[sql_select.cc:6304]
mysqld.exe!JOIN::optimize()[sql_select.cc:1122]
mysqld.exe!mysql_select()[sql_select.cc:2492]
mysqld.exe!mysql_explain_union()[sql_select.cc:16911]
mysqld.exe!execute_sqlcom_select()[sql_parse.cc:4681]
mysqld.exe!mysql_execute_command()[sql_parse.cc:2191]
mysqld.exe!mysql_parse()[sql_parse.cc:5735]
mysqld.exe!dispatch_command()[sql_parse.cc:1024]
mysqld.exe!do_command()[sql_parse.cc:710]
mysqld.exe!do_handle_one_connection()[sql_connect.cc:1174]
mysqld.exe!handle_one_connection()[sql_connect.cc:1113]
mysqld.exe!pthread_start()[my_winthread.c:61]
mysqld.exe!_callthreadstartex()[threadex.c:348]
mysqld.exe!_threadstartex()[threadex.c:331]
kernel32.dll!FlsSetValue()

Crashes even with the fix for bug #51494 applied.

How to repeat:
#run mysqld under valgrind if no crash happens:

drop table if exists `t1`;
create table `t1` (`a` tinyint,`b` text charset latin1, key (`a`)) engine=myisam;
insert into `t1` values (0,''),(0,'');
flush tables;
explain select 1 from `t1` left join `t1` `a` on 1
where row(`t1`.`a`,1111.11)= row(1111.11,1111.11)and
row(`t1`.`b`,1111.11)<=> row('','');
[18 Mar 2010 11:56] Shane Bester
full outputs from valgrind

Attachment: bug52177_5.6.99-m4-valgrind-output.txt (text/plain), 26.04 KiB.

[18 Mar 2010 12:05] Valeriy Kravchuk
Valgrind errors are easily repeatable:

...
==6919== Conditional jump or move depends on uninitialised value(s)
==6919==    at 0x828BCC8: Field_blob::val_str(String*, String*) (field.cc:7517)
==6919==    by 0x81F361E: Item_field::val_str(String*) (item.cc:2078)
==6919==    by 0x8238987: Arg_comparator::compare_e_string() (item_cmpfunc.cc:1326)
==6919==    by 0x8216A0E: Arg_comparator::compare() (item_cmpfunc.h:84)
==6919==    by 0x8233278: Arg_comparator::compare_e_row() (item_cmpfunc.cc:1626)
==6919==    by 0x8216A0E: Arg_comparator::compare() (item_cmpfunc.h:84)
==6919==    by 0x8236E2A: Item_func_equal::val_int() (item_cmpfunc.cc:1875)
==6919==    by 0x81F3F81: Item::val_bool() (item.cc:184)
==6919==    by 0x8235B90: Item_cond_and::val_int() (item_cmpfunc.cc:4389)
==6919==    by 0x835FA41: make_join_select(JOIN*, SQL_SELECT*, Item*) (sql_select.cc:6293)
==6919==    by 0x836C959: JOIN::optimize() (sql_select.cc:1122)
==6919==    by 0x836FC5E: mysql_select(THD*, Item***, TABLE_LIST*, unsigned, List<Item>&, Item*, unsigned, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2492)
==6919==    by 0x8370179: mysql_explain_union(THD*, st_select_lex_unit*, select_result*) (sql_select.cc:16900)
==6919==    by 0x82D8B36: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:4658)
==6919==    by 0x82DAA80: mysql_execute_command(THD*) (sql_parse.cc:2168)
==6919==    by 0x82E2CD0: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5712)
==6919==    by 0x82E3845: dispatch_command(enum_server_command, THD*, char*, unsigned) (sql_parse.cc:1024)
==6919==    by 0x82E4DA4: do_command(THD*) (sql_parse.cc:710)
==6919==    by 0x82D2000: do_handle_one_connection(THD*) (sql_connect.cc:1174)
==6919==    by 0x82D20BE: handle_one_connection (sql_connect.cc:1113)
==6919==    by 0x40384FA: start_thread (in /lib/tls/i686/cmov/libpthread-2.7.so)
==6919==    by 0x4195E5D: clone (in /lib/tls/i686/cmov/libc-2.7.so)
[18 Mar 2010 18:10] Valeriy Kravchuk
This is not a recent regression, as 5.1.37 also crashes (on Mac in this case):

77-52-28-202:5.1 openxs$ bin/mysql -uroot test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.1.37 MySQL Community Server (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> drop table if exists `t1`;
Query OK, 0 rows affected (0.02 sec)

mysql> create table `t1` (`a` tinyint,`b` text charset latin1, key (`a`)) engine=myisam;
Query OK, 0 rows affected (0.21 sec)

mysql> insert into `t1` values (0,''),(0,'');
Query OK, 2 rows affected (0.00 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql> flush tables;
Query OK, 0 rows affected (0.00 sec)

mysql> explain select 1 from `t1` left join `t1` `a` on 1
    -> where row(`t1`.`a`,1111.11)= row(1111.11,1111.11)and
    -> row(`t1`.`b`,1111.11)<=> row('','');
ERROR 2013 (HY000): Lost connection to MySQL server during query
[22 Mar 2010 13:44] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/104001

3412 Sergey Glukhov	2010-03-22
      Bug#52177 crash with explain, row comparison, join, text field
      The crash is the result of an attempt made by JOIN::optimize to evaluate
      the WHERE condition when no records have been actually read.
      The fix is to remove erroneous 'outer_join' variable check.
     @ mysql-test/r/join.result
        test result
     @ mysql-test/t/join.test
        test case
     @ sql/sql_select.cc
        removed erroneous 'outer_join' variable check.
[30 Mar 2010 7:22] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/104594

2854 Sergey Glukhov	2010-03-26
      Bug#52177 crash with explain, row comparison, join, text field
      The crash is the result of an attempt made by JOIN::optimize to evaluate
      the WHERE condition when no records have been actually read.
      The fix is to remove erroneous 'outer_join' variable check.
     @ mysql-test/r/join.result
        test result
     @ mysql-test/t/join.test
        test case
     @ sql/sql_select.cc
        removed erroneous 'outer_join' variable check.
[30 Mar 2010 7:45] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/104596

2854 Sergey Glukhov	2010-03-26
      Bug#52177 crash with explain, row comparison, join, text field
      The crash is the result of an attempt made by JOIN::optimize to evaluate
      the WHERE condition when no records have been actually read.
      The fix is to remove erroneous 'outer_join' variable check.
     @ mysql-test/r/join.result
        test result
     @ mysql-test/t/join.test
        test case
     @ sql/sql_select.cc
        removed erroneous 'outer_join' variable check.
[6 Apr 2010 7:53] Bugs System
Pushed into 5.0.91 (revid:joro@sun.com-20100406075152-flz4btqirl9hly31) (version source revid:sergey.glukhov@sun.com-20100326074424-vdr03i38fv28dktk) (merge vers: 5.0.91) (pib:16)
[6 Apr 2010 8:01] Bugs System
Pushed into 5.1.46 (revid:sergey.glukhov@sun.com-20100405111026-7kz1p8qlzglqgfmu) (version source revid:sergey.glukhov@sun.com-20100326074618-e23uktaya427f2tg) (merge vers: 5.1.46) (pib:16)
[15 Apr 2010 23:14] Paul Dubois
Noted in 5.0.91, 5.1.46 changelogs.

The optimizer could attempt to evaluate the WHERE clause before any
rows had been read, resulting in a server crash.

Setting report to Need Merge pending push to Celosia.
[28 May 2010 5:52] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100524190136-egaq7e8zgkwb9aqi) (version source revid:alik@sun.com-20100422150750-vp0n37kp9ywq5ghf) (pib:16)
[28 May 2010 6:21] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100524190941-nuudpx60if25wsvx) (version source revid:alik@sun.com-20100422150658-fkhgnwwkyugtxrmu) (merge vers: 6.0.14-alpha) (pib:16)
[28 May 2010 6:49] Bugs System
Pushed into 5.5.5-m3 (revid:alik@sun.com-20100524185725-c8k5q7v60i5nix3t) (version source revid:alexey.kopytov@sun.com-20100403173551-52r97erqowlqwkon) (merge vers: 5.5.4-m3) (pib:16)
[30 May 2010 0:27] Paul Dubois
Noted in 5.5.5, 6.0.14 changelogs.
[17 Jun 2010 11:52] Bugs System
Pushed into 5.1.47-ndb-7.0.16 (revid:martin.skold@mysql.com-20100617114014-bva0dy24yyd67697) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[17 Jun 2010 12:30] Bugs System
Pushed into 5.1.47-ndb-6.2.19 (revid:martin.skold@mysql.com-20100617115448-idrbic6gbki37h1c) (version source revid:martin.skold@mysql.com-20100609211156-tsac5qhw951miwtt) (merge vers: 5.1.46-ndb-6.2.19) (pib:16)
[17 Jun 2010 13:18] Bugs System
Pushed into 5.1.47-ndb-6.3.35 (revid:martin.skold@mysql.com-20100617114611-61aqbb52j752y116) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)