Bug #24261 crash when WHERE contains NOT IN ('<negative value>') for unsigned column type
Submitted: 13 Nov 2006 14:04 Modified: 1 Feb 2007 7:00
Reporter: d di (Basic Quality Contributor)
Status: Closed
Category: MySQL Server    Severity: S1 (Critical)
Version: 5.0.27, 5.0BK    OS: Any (*)
Assigned to: Alexey Kopytov
Tags: 00481E82, 5.0.27, access violation, av, c0000005, crash, gpf

[13 Nov 2006 14:04] d di
Description:
Upgraded a server to MySQL 5.0.27.

The upgraded mysqld-nt.exe does basically work, but crashes every ~ 10 minutes.

There's nothing in the MySQL error log except for the "server starting" message.  The server does accept queries, so it should have had time enough to set up its exception handling.  Either there's no SEH exception handler in MySQL, or it's failing in this particular instance.

Either way, the exception reaches the operating system, which logs the following in the NT event log:

Event Type:	Information
Event Source:	DrWatson
Event ID:	4097
Date:		13-11-2006
Time:		13:17:00

Description:
        The application, , generated an application error
        The error occurred on 11/13/2006 @ 13:17:00.671
        The exception generated was c0000005 at address 00481E82 (<nosymbols>)

Application exception occurred:
        App:  (pid=4480)
        When: 11/13/2006 @ 13:17:00.671
        Exception number: c0000005 (access violation)

System Information:
        Number of Processors: 1
        Processor Type: x86 Family 15 Model 1 Stepping 2
        Windows 2000 Version: 5.0
        Current Build: 2195
        Service Pack: 4
        Current Type: Uniprocessor Free

State Dump for Thread Id 0xc08:

eax=00000000 ebx=0997ce48 ecx=00000000 edx=00000005 esi=01112bc0 edi=0112b298
eip=00481e82 esp=0997cd68 ebp=0112b020 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000202

function: <nosymbols>
        00481e77 cc               int     3
        00481e78 cc               int     3
        00481e79 cc               int     3
        00481e7a cc               int     3
        00481e7b cc               int     3
        00481e7c cc               int     3
        00481e7d cc               int     3
        00481e7e cc               int     3
        00481e7f cc               int     3
        00481e80 8bc1             mov     eax,ecx
FAULT ->00481e82 8b501c           mov     edx,[eax+0x1c]         ds:00ad9ee6=????????
        00481e85 85d2             test    edx,edx
        00481e87 7503             jnz     0048518c
        00481e89 33c0             xor     eax,eax
        00481e8b c3               ret
        00481e8c 81fad4a78400     cmp     edx,0x84a7d4
        00481e92 740d             jz      0048a9a1
        00481e94 8bc2             mov     eax,edx
        00481e96 8b501c           mov     edx,[eax+0x1c]         ds:00ad9ee6=????????
        00481e99 81fad4a78400     cmp     edx,0x84a7d4
        00481e9f 75f3             jnz     0048e294
        00481ea1 c3               ret

Stack Back Trace:

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0112B020 00000000 00000000 00000000 00000000 00000000 !<nosymbols> 

How to repeat:
Travel to Denmark,
sit down next to this server,
issue "NET START MySQL",
drink a cup of coffee.

Suggested fix:
Not sure what the actual problem is.
[13 Nov 2006 15:35] Shane Bester
Hi David, according to .map file, this function in opt_range.cpp crashed because next_arg was NULL.

SEL_ARG *SEL_ARG::last()
{
  SEL_ARG *next_arg=this;
  if (!next_arg->right)
    return 0;					// MAYBE_KEY
  while (next_arg->right != &null_element)
    next_arg=next_arg->right;
  return next_arg;
}

So, it could be a single query causing a crash.  Would you enable the general query log (add "log=general_query.log" to my.ini) for those 10 mins and catch the offending query?
[13 Nov 2006 17:08] Shane Bester
Thanks, please upload output of:

show create table `log`;
show table status like 'log';
check table `log`;
[13 Nov 2006 18:12] Shane Bester
I have repeated a crash, but used 5.0.26 on linux.  Assigning to myself to make proper standalone testcase.

0x817adf8 handle_segfault + 356
0x82156b1 _Z16get_func_mm_treeP13st_qsel_paramP9Item_funcP5FieldP4Item11Item_resultb + 617
0x82138d9 _Z21get_full_func_mm_treeP13st_qsel_paramP9Item_funcP10Item_fieldP4Itemb + 389
0x8211d82 _Z11get_mm_treeP13st_qsel_paramP4Item + 658
0x820bc3b _ZN10SQL_SELECT17test_quick_selectEP3THD6BitmapILj64EEyyb + 1283
0x81e6e37 _Z12mysql_deleteP3THDP13st_table_listP4ItemP11st_sql_listyyb + 1319
0x8190919 _Z21mysql_execute_commandP3THD + 4465
0x8196a02 _Z11mysql_parseP3THDPcj + 306
0x818e2a6 _Z16dispatch_command19enum_server_commandP3THDPcj + 1182
0x818ddcd _Z10do_commandP3THD + 129
0x818d4c4 handle_one_connection + 620
0x40041aa7 _end + 933731511
0x40176c2e _end + 934997566
[13 Nov 2006 18:29] Shane Bester
--------------
testcase:
--------------

drop table if exists `t1`;
create table `t1` (`c1` tinyint(3) unsigned,KEY  (`c1`)) ENGINE=MyISAM;
DELETE FROM `t1` WHERE NOT (c1 IN ('-1', '0'));
[13 Nov 2006 18:36] Shane Bester
debug info from 5.0.27_debug

Attachment: 5.0.27_debug.txt (plain/text, text), 2.89 KiB.

[13 Nov 2006 18:53] Shane Bester
crashes:       DELETE FROM `t1` WHERE NOT (c1 IN ('-1', '0'));
doesn't crash: DELETE FROM `t1` WHERE NOT (c1 IN (-1, 0));

so it appears to be single quotes causing a problem.
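The 15:35 comment above suggests enabling the general query log to catch the offending statement, and the 18:53 comment narrows the trigger to a quoted negative literal inside NOT IN on an unsigned column. The script below is an added example, not part of this bug report and not MySQL code: it scans general query log text for exactly that pattern so an operator running an affected version can find such statements (for example before deciding whether to upgrade). The log lines are constructed for the example, the line layout assumed is the classic 5.0 general-log format (optional "YYMMDD HH:MM:SS" timestamp, thread id, command, argument), and the function and pattern names are the example's own.

```python
import re

# Constructed sample of MySQL 5.0-style general query log lines (not from the bug page).
# Lines that continue an earlier timestamp carry only leading whitespace.
SAMPLE_LOG = """\
061113 13:16:58\t      5 Connect     root@localhost on test
\t\t      5 Query       select count(*) from `t1`
\t\t      5 Query       DELETE FROM `t1` WHERE NOT (c1 IN ('-1', '0'))
\t\t      6 Query       DELETE FROM `t1` WHERE NOT (c1 IN (-1, 0))
\t\t      6 Query       SELECT * FROM `t1` WHERE c1 NOT IN ('-5')
\t\t      6 Query       SELECT * FROM `t1` WHERE c1 IN ('-5')
\t\t      5 Quit
"""

# One log line: optional timestamp, whitespace, thread id, command word, argument text.
LINE_RE = re.compile(r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+(\w+)\s*(.*)$")

# Two spellings of the same predicate:  "col NOT IN (...)"  and  "NOT (col IN (...))".
# Group 1 or group 2 captures the value list between the parentheses.
NOT_IN_RE = re.compile(
    r"(?:\bNOT\s+IN\s*\(([^)]*)\))"
    r"|(?:\bNOT\s*\(\s*[`\w.]+\s+IN\s*\(([^)]*)\)\s*\))",
    re.IGNORECASE,
)

# A negative number written as a quoted string literal, e.g. '-1' (not the bare -1).
QUOTED_NEG_RE = re.compile(r"'\s*-\s*\d+(?:\.\d+)?\s*'")


def parse_general_log(text):
    """Return a list of (thread_id, command, argument) tuples, one per log line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unrecognised line
        entries.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return entries


def has_quoted_negative_not_in(query):
    """True if any NOT IN value list in the query contains a quoted negative literal."""
    for m in NOT_IN_RE.finditer(query):
        values = m.group(1) or m.group(2) or ""
        if QUOTED_NEG_RE.search(values):
            return True
    return False


def find_risky_queries(text):
    """Return (thread_id, query) for every Query entry matching the crash pattern."""
    return [
        (tid, arg)
        for tid, cmd, arg in parse_general_log(text)
        if cmd.lower() == "query" and has_quoted_negative_not_in(arg)
    ]


if __name__ == "__main__":
    for tid, query in find_risky_queries(SAMPLE_LOG):
        print(f"thread {tid}: {query}")
```

Only the two statements that combine NOT IN with a quoted negative literal are reported; the numeric form NOT IN (-1, 0), which the 18:53 comment says does not crash, and the plain IN ('-5') are left alone. The check is deliberately textual, so it does not know which columns are unsigned; it flags candidates for a human to compare against the table definition.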
[13 Nov 2006 18:54] Timothy Smith
Perhaps bug #19618 was not completely fixed.
[27 Nov 2006 16:13] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/15858

ChangeSet@1.2334, 2006-11-27 19:12:10+03:00, kaa@polly.local +3 -0
  Fix for bug #24261 "crash when WHERE contains NOT IN ('<negative value>') for unsigned column type"
  
  When calculating a SEL_TREE for the "c_{i-1} < X < c_i" interval, check if the tree returned for the "-inf < X < c_0" interval is NULL
[31 Jan 2007 19:17] Chad MILLER
Available in 5.0.36, 5.1.15-beta.
[1 Feb 2007 1:09] Jon Stephens
Successfully resisted urge to document as "Travelling to Denmark, issuing NET START MYSQL, and drinking a cup of coffee caused the server to crash". :)
[1 Feb 2007 1:10] Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html

Documented bugfix in 5.0.36 and 5.1.15 changelogs.