Bug #31075 crash in get_func_mm_tree
Submitted: 18 Sep 2007 5:28    Modified: 1 Nov 2007 3:06
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Optimizer    Severity: S2 (Serious)
Version: 5.1.23BK    OS: Any
Assigned to: Gleb Shchepa    CPU Architecture: Any

[18 Sep 2007 5:28] Shane Bester
Description:
Stack range sanity check OK, backtrace follows:
0x820111b handle_segfault + 541
0x82dc4a8 get_func_mm_tree(RANGE_OPT_PARAM*, Item_func*, Field*, Item*, Item_result, bool) + 442
0x82dc9d9 get_full_func_mm_tree(RANGE_OPT_PARAM*, Item_func*, Item_field*, Item*, bool) + 319
0x82dd2b1 get_mm_tree(RANGE_OPT_PARAM*, Item*) + 2017
0x82d78d6 SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool) + 1844
0x826199e get_quick_record_count(THD*, SQL_SELECT*, st_table*, Bitmap<64u> const*, unsigned long long) + 158
0x8262e6f make_join_statistics(JOIN*, TABLE_LIST*, Item*, st_dynamic_array*) + 5135
0x825d9af JOIN::optimize() + 1889
0x82617c9 _Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select + 553
0x825c33d handle_select(THD*, st_lex*, select_result*, unsigned long) + 365
0x8215af4 execute_sqlcom_select(THD*, TABLE_LIST*) + 772
0x820e7d5 mysql_execute_command(THD*) + 1701
0x8217550 mysql_parse(THD*, char const*, unsigned int, char const**) + 372
0x820cc00 dispatch_command(enum_server_command, THD*, char*, unsigned int) + 2354
0x820c2c2 do_command(THD*) + 600
0x820acbd handle_one_connection + 255
0x40038aa7 _end + 931807543
0x4017ec2e _end + 933143230

How to repeat:
.

Suggested fix:
.
[18 Sep 2007 10:12] MySQL Verification Team
testcase
--------------

drop table if exists t1;
create table `t1` (`col000` time, key(`col000`), `col001` tinyblob, key(`col001`(1))) engine=myisam;
insert into t1 values (),(),(),(),(),(),(),(),(),();
select interval(col001,col000,col000,col001,col001,col000) from t1 where col000 not in (col000,col001,col001,col000,col000) group by convert(col000 using hp8);
[18 Sep 2007 10:15] MySQL Verification Team
Sometimes the testcase will cause a hang. Sometimes nothing, but memory is silently overridden/corrupted in this case. Recommend running under valgrind or a debug server to test.
[18 Sep 2007 10:15] Domas Mituzas
Same crash on Mac:

5056          if (func->array->result_type() != ROW_RESULT)
(gdb) bt
#0  0x0019c40b in get_func_mm_tree (param=0xb04c8338, cond_func=0x50930e8, field=0x5090f50, value=0x0, cmp_type=INT_RESULT, inv=1) at opt_range.cc:5056
#1  0x0019c8fb in get_full_func_mm_tree (param=0xb04c8338, cond_func=0x50930e8, field_item=0x5092d20, value=0x0, inv=true) at opt_range.cc:5312
#2  0x0019cf3a in get_mm_tree (param=0xb04c8338, cond=0x50930e8) at opt_range.cc:5459
#3  0x0019e37a in SQL_SELECT::test_quick_select (this=0x5093898, thd=0x5082400, keys_to_use={map = 1}, prev_tables=0, limit=18446744073709551615, force_quick_range=false) at opt_range.cc:2252
#4  0x0012442f in make_join_statistics (join=0x50fd010, tables=0x0, conds=0x50930e8, keyuse_array=0x50fe114) at sql_select.cc:2356
#5  0x00128482 in JOIN::optimize (this=0x50fd010) at sql_select.cc:933
#6  0x00134152 in mysql_select (thd=0x5082400, rref_pointer_array=0x5083568, tables=0x5092b38, wild_num=0, fields=@0x5083504, conds=0x50930e8, og_num=1, order=0x0, group=0x50932c8, having=0x0, proc_param=0x0, select_options=2147764736, result=0x5093358, unit=0x5083208, select_lex=0x5083470) at sql_select.cc:2299
#7  0x00134749 in handle_select (thd=0x5082400, lex=0x50831ac, result=0x5093358, setup_tables_done_option=0) at sql_select.cc:263
#8  0x000ba304 in execute_sqlcom_select (thd=0x5082400, all_tables=0x5092b38) at sql_parse.cc:4549
#9  0x000bce9b in mysql_execute_command (thd=0x5082400) at sql_parse.cc:1886
#10 0x000c48ea in mysql_parse (thd=0x5082400, inBuf=0x5092410 "select interval(col001,col000,col000,col001,col001,col000) from t1 where col000 not in\n(col000,col001,col001,col000,col000) group by convert(col000 using hp8)", length=158, found_semicolon=0xb04cbe3c) at sql_parse.cc:5462
#11 0x000c5736 in dispatch_command (command=COM_QUERY, thd=0x5082400, packet=0x3f49001 "select interval(col001,col000,col000,col001,col001,col000) from t1 where col000 not in\n(col000,col001,col001,col000,col000) group by convert(col000 using hp8)", packet_length=159) at sql_parse.cc:958
#12 0x000c688a in do_command (thd=0x5082400) at sql_parse.cc:717
#13 0x000b56d2 in handle_one_connection (arg=0x5082400) at sql_connect.cc:1099
#14 0x90024227 in _pthread_body ()
[18 Sep 2007 10:17] Domas Mituzas
stripped the header of previous paste:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
[Switching to process 5813 thread 0x3103]
0x0019c40b in get_func_mm_tree (param=0xb04c8338, cond_func=0x50930e8, field=0x5090f50, value=0x0, cmp_type=INT_RESULT, inv=1) at opt_range.cc:5056
5056          if (func->array->result_type() != ROW_RESULT)
[18 Sep 2007 10:35] Valeriy Kravchuk
Same crash on 5.1.23-BK on Linux, even without -debug:

openxs@linux:~/dbs/5.1> bin/mysql -uroot test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.1.23-beta Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create table t01 (c1 time, key(c1), c2 tinyblob, key(c2(1))) engine=MyISAM;
Query OK, 0 rows affected (0.04 sec)

mysql> insert into t01 values (), (), (), (), (), (), (), (), (), ();
Query OK, 10 rows affected (0.01 sec)
Records: 10  Duplicates: 0  Warnings: 0

mysql> select interval(c2,c1,c1,c2,c2,c1) from t01 where c1 not in (c1, c2, c2, c1, c1) group by convert(c1 using hp8);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> 070913 15:00:59 mysqld_safe Number of processes running now: 0
070913 15:01:00 mysqld_safe mysqld restarted

mysql> exit
Bye
openxs@linux:~/dbs/5.1> vi var/linux.err
openxs@linux:~/dbs/5.1> vi 31075.stack
openxs@linux:~/dbs/5.1> nm -n libexec/mysqld > /tmp/mysqld51.sym
openxs@linux:~/dbs/5.1> bin/resolve_stack_dump -s /tmp/mysqld51.sym -n 31075.stack
0x8214dbb handle_segfault + 683
0x82ed239 _Z16get_func_mm_treeP15RANGE_OPT_PARAMP9Item_funcP5FieldP4Item11Item_resultb + 153
0x82ed86e _Z21get_full_func_mm_treeP15RANGE_OPT_PARAMP9Item_funcP10Item_fieldP4Itemb + 494
0x82edc54 _Z11get_mm_treeP15RANGE_OPT_PARAMP4Item + 980
0x82f0137 _ZN10SQL_SELECT17test_quick_selectEP3THD6BitmapILj64EEymb + 2311
[22 Sep 2007 21:13] MySQL Verification Team
So far I've only seen this particular crash with "not in (..)" clauses in the query.
[23 Sep 2007 21:49] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/34500

ChangeSet@1.2562, 2007-09-23 22:51:25+02:00, gshchepa@devsrv-b.mysql.com +3 -0
  Fixed bug #31075.
  The `SELECT col FROM t WHERE col NOT IN (col, ...) GROUP BY col'
  crashed in the range optimizer.
  
  The get_func_mm_tree function has been modified to check the
  Item_func_in::array field for the NULL value before using that
  value.
[23 Sep 2007 23:00] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/34501

ChangeSet@1.2562, 2007-09-24 00:02:39+02:00, gshchepa@devsrv-b.mysql.com +3 -0
  Fixed bug #31075.
  The `SELECT col FROM t WHERE col NOT IN (col, ...) GROUP BY col'
  crashed in the range optimizer.
  
  The get_func_mm_tree function has been modified to check the
  Item_func_in::array field for the NULL value before using that
  value.
[26 Sep 2007 11:43] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/34556

ChangeSet@1.2562, 2007-09-26 12:45:08+02:00, gshchepa@devsrv-b.mysql.com +3 -0
  Fixed bug #31075.
  The `SELECT col FROM t WHERE col NOT IN (col, ...) GROUP BY col'
  crashed in the range optimizer.
  
  The get_func_mm_tree function has been modified to check the
  Item_func_in::array field for the NULL value before using that
  value.
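The changeset notes above describe the fix only in one sentence. The following C++ model, written for this page and not taken from the MySQL source, shows the shape of the defect and of the guard: the names get_func_mm_tree, Item_func_in, array, result_type and ROW_RESULT come from the backtrace and the commit message; the Item, in_vector and SEL_TREE structs, the rule that `array` is only built when every list element is a constant, and the behaviour of returning "no range tree" for a non-constant list are assumptions of the model, not MySQL's actual implementation.

```cpp
// Constructed model of the NOT IN crash from bug #31075 (not MySQL's code).
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

enum Item_result { INT_RESULT, ROW_RESULT };   // names from the page; numeric values assumed

// Stand-in for an expression node: a constant or a column reference.
struct Item {
    bool is_const;
    long long value;       // meaningful only when is_const
    std::string column;    // meaningful only when !is_const
};
Item item_const(long long v) { return Item{true, v, ""}; }
Item item_col(const std::string &name) { return Item{false, 0, name}; }

// Stand-in for the sorted constant array an IN list is compiled into.
struct in_vector {
    std::vector<long long> values;
    Item_result result_type() const { return INT_RESULT; }
};

// Stand-in for Item_func_in. Model assumption: `array` is materialised only
// when every list element is a constant; with column operands, as in the
// page's test case (col000 NOT IN (col000, col001, ...)), it stays NULL.
struct Item_func_in {
    std::vector<Item> args;            // args[0] is the left-hand side
    in_vector *array = nullptr;
    std::unique_ptr<in_vector> owned;

    explicit Item_func_in(std::vector<Item> a) : args(std::move(a)) {
        bool all_const = args.size() > 1;
        for (std::size_t i = 1; i < args.size(); ++i)
            if (!args[i].is_const) { all_const = false; break; }
        if (all_const) {
            owned.reset(new in_vector);
            for (std::size_t i = 1; i < args.size(); ++i)
                owned->values.push_back(args[i].value);
            std::sort(owned->values.begin(), owned->values.end());
            array = owned.get();
        }
    }
};

// Simplified "range tree": the constants the optimizer could look up by index.
struct SEL_TREE {
    bool negated = false;
    std::vector<long long> keys;
};

// The faulty shape from opt_range.cc:5056 on the page: func->array is used
// without a NULL check. Only called with a constant list here; with a NULL
// array this is exactly the null dereference in the backtrace.
bool buggy_uses_array(const Item_func_in *func) {
    return func->array->result_type() != ROW_RESULT;
}

// Guarded version following the commit message: test the array pointer first.
// Returns false (no range tree; the optimizer falls back to scanning) when the
// IN list was never compiled to a constant array.
bool get_func_mm_tree(const Item_func_in *func, bool inv, SEL_TREE *out) {
    if (func->array == nullptr)                      // the check the patch adds
        return false;
    if (func->array->result_type() == ROW_RESULT)    // row comparisons get no tree in this model
        return false;
    out->negated = inv;                              // NOT IN keeps the same constants, flagged
    out->keys = func->array->values;
    return true;
}

int main() {
    SEL_TREE tree;
    Item_func_in const_list({item_col("c1"), item_const(5), item_const(1)});  // c1 IN (5, 1)
    std::cout << "constant list -> tree: " << get_func_mm_tree(&const_list, false, &tree) << '\n';
    Item_func_in col_list({item_col("c1"), item_col("c1"), item_col("c2")});  // c1 NOT IN (c1, c2)
    std::cout << "column list   -> tree: " << get_func_mm_tree(&col_list, true, &tree) << '\n';
    return 0;
}
```

The second query shape is the one from the test case: because the list contains columns, `array` is never built, and the guarded function reports that no range condition can be derived instead of dereferencing NULL. Running the unguarded form on that input would reproduce the crash class, so the model only calls it on the constant list.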
[29 Oct 2007 8:46] Bugs System
Pushed into 5.1.23-beta
[29 Oct 2007 8:50] Bugs System
Pushed into 6.0.4-alpha
[1 Nov 2007 3:06] Paul DuBois
Noted in 5.1.23, 6.0.4 changelogs.

Expressions of the form WHERE col NOT IN (col, ...), where the same
column was named both times, could cause a server crash in the
optimizer.