Bug #25172 Server crash with GROUP and LIMIT
Submitted: 19 Dec 2006 11:28 Modified: 1 Feb 2007 1:51
Reporter: Christian Hammers (Silver Quality Contributor) (OCA) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S2 (Serious)
Version:5.0.30 Enterprise OS:Linux (Debian GNU/Linux etch)
Assigned to: Evgeny Potemkin

[19 Dec 2006 11:28] Christian Hammers
Description:
Hello

As reported as Debian bug on bugs.debian.org/403721 by  Benoit Plessis <b.plessis@doyousoft.com> there is a bug in MySQL-5.0.30 that either crash
or freeze connections.

Attached you will find a mysqldump with that creates the t_crash database with all  tables.

I could reproduce the bug on my amd64 system but not on an i386 one so it's maybe architecture dependent.

bye,

-christian-

How to repeat:
mysql> SELECT * FROM m LEFT JOIN u ON u.id = m.checked_out GROUP BY m.id ORDER BY m.row, m.ordering, m.type, m.name LIMIT 0, 30;
ERROR 2013 (HY000): Lost connection to MySQL server during query

If i remove the LIMIT stanza and/or one of the order by everything goes fine.
If i strip the table m to less than 30 line too.

When narrowing the lower subset of entry/sql command i got this one too:

mysql> alter table u drop registerDate;
mysql> SELECT * FROM m LEFT JOIN u ON u.id = m.checked_out GROUP BY m.id ORDER BY m.row, m.ordering, m.type, m.name LIMIT 0, 30;
...
30 rows in set (0.00 sec)
*** glibc detected *** double free or corruption (!prev): 0x00000000012201e0 ***

Suggested fix:
none
[19 Dec 2006 11:29] Christian Hammers
mysqldump of database t_crash

Attachment: crash.sql (text/x-sql), 4.45 KiB.

[18 Jan 2007 17:10] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/18361

ChangeSet@1.2385, 2007-01-18 20:10:06+03:00, evgen@moonbone.local +8 -0
  Bug#25172: Not checked buffer size leads to a server crash.
  
  After fix for bug#21798 JOIN stores the pointer to the buffer for sorting
  fields. It is used while sorting for grouping and for ordering. If ORDER BY
  clause has more elements then the GROUP BY clause then a memory overrun occurs.
  
  Now join stores the size of the allocated buffer and allocates new if needed.
[18 Jan 2007 20:25] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/18379

ChangeSet@1.2385, 2007-01-18 23:24:40+03:00, evgen@moonbone.local +7 -0
  Bug#25172: Not checked buffer size leads to a server crash.
  
  After fix for bug#21798 JOIN stores the pointer to the buffer for sorting
  fields. It is used while sorting for grouping and for ordering. If ORDER BY
  clause has more elements then the GROUP BY clause then a memory overrun occurs.
  
  
  Now the ORDER BY list is always passed to the make_unireg_sortorder()
  function and it allocates buffer big enough to be used for bigger list.
[19 Jan 2007 15:35] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/18443

ChangeSet@1.2385, 2007-01-19 18:34:09+03:00, evgen@moonbone.local +6 -0
  Bug#25172: Not checked buffer size leads to a server crash.
  
  After fix for bug#21798 JOIN stores the pointer to the buffer for sorting
  fields. It is used while sorting for grouping and for ordering. If ORDER BY
  clause has more elements then the GROUP BY clause then a memory overrun occurs.
  
  Now the length of the ORDER BY list is always passed to the 
  make_unireg_sortorder() function and it allocates buffer big enough to be
  used for bigger list.
[28 Jan 2007 2:22] Igor Babaev
The fix has been pushed into 5.0.36, 5.1.16-beta main trees.
[1 Feb 2007 1:51] Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html

Documented bugfix in 5.0.36 and 5.1.16 changelogs.