Bug #26661 SELECT with UNION kills the daemon
Submitted: 27 Feb 2007 3:24
Modified: 15 Mar 2007 2:58
Reporter: NOT_FOUND NOT_FOUND
Status: Closed
Category: MySQL Server: Optimizer
Severity: S1 (Critical)
Version: 5.0.38BK, 5.1.17BK, 5.2.4BK
OS: Linux (RHEL 4, win xp)
Assigned to: Igor Babaev
CPU Architecture: Any
Tags: 2013, crash, UNION

[27 Feb 2007 3:24] NOT_FOUND NOT_FOUND
Description:
A SELECT over a subquery with a wrong UNION statement crashes the daemon.

How to repeat:
SELECT User FROM
(
	SELECT * FROM mysql.user

UNION

	SELECT * FROM mysql.user

ORDER BY unknown_column
) AS test;

Just run the above. You'll get the error message 2013 Lost connection to MySQL server during query.

My first thought, in RHEL 4, was that it only was showing the wrong message but when I tried it in my win XP box it simply crashed the service.
[27 Feb 2007 6:42] Shane Bester
5.0.38, 5.1.17 and 5.2.4 crashed. 4.1.23 didn't.

mysqld-nt.exe!Item_field::fix_outer_field()  + 0x7f bytes	C++
mysqld-nt.exe!Item_field::fix_fields()  + 0x148 bytes	C++
mysqld-nt.exe!join_read_always_key_or_null()  + 0x682 bytes	C++
mysqld-nt.exe!setup_order()  + 0x37 bytes	C++
mysqld-nt.exe!setup_without_group()  + 0x87 bytes	C++
mysqld-nt.exe!JOIN::prepare()  + 0x1c1 bytes	C++
mysqld-nt.exe!mysql_select()  + 0xc6 bytes	C++
mysqld-nt.exe!st_select_lex_unit::exec()  + 0x551 bytes	C++
mysqld-nt.exe!mysql_derived_filling()  + 0x46 bytes	C++
mysqld-nt.exe!mysql_handle_derived()  + 0x4d bytes	C++
mysqld-nt.exe!open_and_lock_tables()  + 0xb4 bytes	C++
mysqld-nt.exe!mysql_execute_command()  + 0x2e2 bytes	C++
[27 Feb 2007 6:42] Shane Bester
5.0.38 stack

Attachment: bug26661_5.0.38_stack.txt (text/plain), 3.62 KiB.

[27 Feb 2007 6:43] Shane Bester
5.1.17 stack

Attachment: bug26661_5.1.17_stack.txt (text/plain), 2.71 KiB.

[27 Feb 2007 6:43] Shane Bester
5.2.4 stack

Attachment: bug26661_5.2.4_stack.txt (text/plain), 2.97 KiB.

[6 Mar 2007 16:55] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/21240

ChangeSet@1.2432, 2007-03-06 18:45:57+02:00, gkodinov@magare.gmz +4 -0
  Bug #26661: The optimizer uses a special 
  "fake" st_select_lex as a current select
  when resolving ORDER BY and LIMIT for a
  UNION (sub)query. This temporary structure
  doesn't have Item_subselect descendant so
  it cannot resolve the fields in ORDER BY
  correctly.
  Fixed by making a dummy subquery class
  to resolve items in ORDER BY of the UNION and
  remove it right after so it doesn't interfere
  with the rest of the subquery code.
[9 Mar 2007 9:12] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/21558

ChangeSet@1.2433, 2007-03-09 01:12:08-08:00, igor@olga.mysql.com +3 -0
  Fixed bug #26661: crash when order by clause in a union
  construct references invalid name.
  Derived tables currently cannot use outer references.
  Thus there is no outer context for them.
  The 4.1 code takes this fact into account while the 
  Item_field::fix_outer_field code of 5.0 lost the check that blocks
  any attempts to resolve names in outer context for derived tables.
[9 Mar 2007 9:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/21567

ChangeSet@1.2433, 2007-03-09 01:45:32-08:00, igor@olga.mysql.com +3 -0
  Fixed bug #26661: crash when order by clause in a union
  construct references invalid name.
  Derived tables currently cannot use outer references.
  Thus there is no outer context for them.
  The 4.1 code takes this fact into account while the 
  Item_field::fix_outer_field code of 5.0 lost the check that blocks
  any attempts to resolve names in outer context for derived tables.
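
The mechanism described in the changeset comments above, as an added C++ sketch that is not MySQL source and not part of this bug thread: the types, function names and the `NullDeref` result are hypothetical, and the scopes are constructed sample data. It models a name walk in which a derived table has no outer context, with and without the check that stops the walk there.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Simplified model of the name walk; every name here is hypothetical, not MySQL source.
enum class Resolve { Found, UnknownColumn, NullDeref };

struct Scope {
    std::vector<std::string> columns;  // names visible in this SELECT
    const Scope *outer;                // enclosing SELECT, nullptr at top level
    bool derived;                      // subquery in FROM: has no subquery item
};

static bool has_column(const Scope &s, const std::string &name) {
    return std::find(s.columns.begin(), s.columns.end(), name) != s.columns.end();
}

// block_derived=true models the restored check: a derived table has no outer
// context, so an unresolved name is reported as unknown. With false, the walk
// continues as it would for a correlated subquery; NullDeref marks the step
// where this model would touch the subquery item a derived table does not have.
Resolve resolve_name(const Scope *s, const std::string &name, bool block_derived) {
    for (; s != nullptr; s = s->outer) {
        if (has_column(*s, name)) return Resolve::Found;
        if (s->derived)
            return block_derived ? Resolve::UnknownColumn : Resolve::NullDeref;
    }
    return Resolve::UnknownColumn;  // ran out of enclosing SELECTs
}

// Constructed scopes: a top-level SELECT, the UNION derived table from the
// report, and an ordinary correlated subquery for contrast.
static const Scope top_select{{"id"}, nullptr, false};
static const Scope union_in_from{{"User", "Host", "Password"}, &top_select, true};
static const Scope correlated{{"x"}, &top_select, false};

static const char *label(Resolve r) {
    return r == Resolve::Found ? "found"
         : r == Resolve::UnknownColumn ? "unknown column" : "null dereference";
}

int main() {
    std::cout << label(resolve_name(&union_in_from, "unknown_column", false)) << "\n"
              << label(resolve_name(&union_in_from, "unknown_column", true)) << "\n"
              << label(resolve_name(&correlated, "id", true)) << "\n";
}
```
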
[12 Mar 2007 5:12] Igor Babaev
Pushed to 5.0.38, 5.1.17
[15 Mar 2007 2:58] Paul Dubois
Noted in 5.0.38, 5.1.17 changelogs.

Use of a subquery containing a UNION with an invalid ORDER BY clause
caused a server crash.