Bug #28763 UNION involving GEOMETRY fields crashes server
Submitted: 30 May 2007 5:09
Modified: 14 Jun 2007 19:47
Reporter: David Nugent
Status: Closed
Category: MySQL Server: Data Types
Severity: S1 (Critical)
Version: 5.0.41-log and 5.1.18-beta
OS: Any (Linux, FreeBSD 6.2-STABLE)
Assigned to: Evgeny Potemkin
CPU Architecture: Any
Tags: regression

[30 May 2007 5:09] David Nugent
Description:
A (SELECT..) UNION (SELECT..) involving a GEOMETRY column causes the server to crash on signal 11.

How to repeat:
mysql> create table x ( a int not null primary key, b geometry );
Query OK, 0 rows affected (0.00 sec)

mysql> create table y ( a int not null primary key, b geometry );
Query OK, 0 rows affected (0.00 sec)

mysql> (select a, b from x) union (select a, b from y);
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    4
Current database: test

ERROR 2013 (HY000): Lost connection to MySQL server during query

Error log:
070530 14:54:42 - mysqld got signal 11;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
.. etc

Suggested fix:
Downgrade to a previous release?

This was discovered after upgrading from 5.0.37 in order to work around problems caused by the ON DUPLICATE KEY UPDATE bug detailed in http://bugs.mysql.com/bug.php?id=27210. I guess we need to look for a previous MySQL release which does not exhibit either problem.
[30 May 2007 8:26] Sveta Smirnova
Thank you for the report.

Verified as described. Version 4.1 is not affected.
[30 May 2007 16:29] MySQL Verification Team
Stack from 5.1.20BK on Windows:

mysqld.exe!Item::tmp_table_field_from_field_type
mysqld.exe!Item_type_holder::make_field_by_type
mysqld.exe!create_tmp_field
mysqld.exe!create_tmp_table
mysqld.exe!select_union::create_result_table
mysqld.exe!st_select_lex_unit::prepare
mysqld.exe!mysql_union
mysqld.exe!handle_select
mysqld.exe!execute_sqlcom_select
mysqld.exe!mysql_execute_command
mysqld.exe!mysql_parse
mysqld.exe!dispatch_command
mysqld.exe!do_command
mysqld.exe!handle_one_connection
mysqld.exe!pthread_start
mysqld.exe!_callthreadstart
mysqld.exe!_threadstart
[7 Jun 2007 19:09] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/28356

ChangeSet@1.2519, 2007-06-07 22:41:58+04:00, evgen@moonbone.local +5 -0
  Bug#28763: Selecting geometry fields in UNION caused server crash.
  
  This bug was introduced by the fix for the bug#27300. In this fix a section
  of code was added to the Item::tmp_table_field_from_field_type method.
  This section was supposed to create Field_geom fields for the Item_geometry_func
  class and its descendants. In order to get the geometry type of the current
  item it cast "this" to the Item_geometry_func* type. But the
  Item::tmp_table_field_from_field_type method is also used for creation of
  fields for UNION and in this case this method is called for an object of the
  Item_type_holder class and the cast to the Item_geometry_func* type causes 
  a server crash.
  
  Now the Item::tmp_table_field_from_field_type method correctly works when it's
  called for both the Item_type_holder and the Item_geometry_func classes.
  The new geometry_type variable is added to the Item_type_holder class.
  The new method called get_geometry_type is added to the Item_field
  and the Field classes. It returns geometry type from the field for the
  Item_field and the Field_geom classes and fails an assert for other Field
  descendants.
[8 Jun 2007 4:14] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/28366

ChangeSet@1.2519, 2007-06-08 00:33:03+04:00, evgen@moonbone.local +5 -0
  Bug#28763: Selecting geometry fields in UNION caused server crash.
  
  This bug was introduced by the fix for the bug#27300. In this fix a section
  of code was added to the Item::tmp_table_field_from_field_type method.
  This section was intended to create Field_geom fields for the Item_geometry_func
  class and its descendants. In order to get the geometry type of the current
  item it cast "this" to the Item_geometry_func* type. But the
  Item::tmp_table_field_from_field_type method is also used for creation of
  fields for UNION and in this case this method is called for an object of the
  Item_type_holder class and the cast to the Item_geometry_func* type causes 
  a server crash.
  
  Now the Item::tmp_table_field_from_field_type method correctly works when it's
  called for both the Item_type_holder and the Item_geometry_func classes.
  The new geometry_type variable is added to the Item_type_holder class.
  The new method called get_geometry_type is added to the Item_field
  and the Field classes. It returns geometry type from the field for the
  Item_field and the Field_geom classes and fails an assert for other Field
  descendants.
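
The defect and fix described in the two commit messages above, as an added C++ example that is not MySQL's code. It is a simplified model: `make_field_unchecked` and `make_field` are hypothetical stand-ins for the before and after behaviour of Item::tmp_table_field_from_field_type, `is_geometry_func` is a hypothetical helper, and all class members are assumptions.

```cpp
// Simplified model of the classes named in the commit message. Not MySQL
// source: members and signatures here are assumptions for illustration.
#include <memory>
enum class FieldType { INTEGER, GEOMETRY };
enum class GeomType { GEOMETRY, POINT, POLYGON };
struct Field_geom { GeomType geom_type; };  // temp-table geometry column

struct Item {
    virtual ~Item() = default;
    virtual FieldType field_type() const = 0;
    // "After": each class reports its own geometry type (virtual dispatch).
    virtual GeomType get_geometry_type() const { return GeomType::GEOMETRY; }
    std::unique_ptr<Field_geom> make_field_unchecked() const;  // "before"
    std::unique_ptr<Field_geom> make_field() const;            // "after"
};
struct Item_geometry_func : Item {
    GeomType type;
    explicit Item_geometry_func(GeomType t) : type(t) {}
    FieldType field_type() const override { return FieldType::GEOMETRY; }
    GeomType get_geometry_type() const override { return type; }
};
struct Item_type_holder : Item {  // stands in for a UNION result column
    FieldType held;
    GeomType geometry_type;       // the member the fix describes adding
    Item_type_holder(FieldType f, GeomType g) : held(f), geometry_type(g) {}
    FieldType field_type() const override { return held; }
    GeomType get_geometry_type() const override { return geometry_type; }
};

// "Before": treats every GEOMETRY item as an Item_geometry_func. On an
// Item_type_holder this cast is undefined behaviour; never call it on one.
std::unique_ptr<Field_geom> Item::make_field_unchecked() const {
    if (field_type() != FieldType::GEOMETRY) return nullptr;
    auto *g = static_cast<const Item_geometry_func *>(this);
    return std::unique_ptr<Field_geom>(new Field_geom{g->type});
}
// "After": no downcast, so both item classes are handled.
std::unique_ptr<Field_geom> Item::make_field() const {
    if (field_type() != FieldType::GEOMETRY) return nullptr;
    return std::unique_ptr<Field_geom>(new Field_geom{get_geometry_type()});
}
// A checked cast exposes the mismatch that the unchecked cast hid.
bool is_geometry_func(const Item &i) {
    return dynamic_cast<const Item_geometry_func *>(&i) != nullptr;
}

int main() {
    Item_type_holder col(FieldType::GEOMETRY, GeomType::POINT);
    return (!is_geometry_func(col) && col.make_field()->geom_type == GeomType::POINT) ? 0 : 1;
}
```

The unchecked variant is only well defined for an Item_geometry_func; building with `-fsanitize=undefined` (which includes the vptr check in GCC and Clang) is one way to catch a downcast of this kind on polymorphic types during testing.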
[14 Jun 2007 19:01] Bugs System
Pushed into 5.0.44
[14 Jun 2007 19:01] Bugs System
Pushed into 5.1.20-beta
[14 Jun 2007 19:47] Paul DuBois
Noted in 5.0.44, 5.1.20 changelogs.