Bug #27484 server crash with nested rows()
Submitted: 27 Mar 2007 20:36
Modified: 17 Apr 2007 20:20
Reporter: Martin Friebe (Gold Quality Contributor) (OCA)
Status: Closed
Category: MySQL Server
Severity: S2 (Serious)
Version: 5.0.40, 4.1.23/5.1BK
OS: FreeBSD (freebsd)
Assigned to: Igor Babaev
CPU Architecture: Any
Tags: crash, nested row, qc, row, subquery

[27 Mar 2007 20:36] Martin Friebe
Description:
The following queries will crash a MySQL server (including a non-debug server; it is not an assert):

 select row(1,row(2,3))   IN (row(1,row(2,3))   ,row(1,1));
 select row(1,row(2,3))   IN (row(1,row(2,3))   ,row(1,1), row(1,row(2,3)));

The following queries will execute, even though the rows have different numbers of columns. An error should be produced:

 select row(1,row(2,3)) IN (row(1,row(2,3)), (select 1,1));
 select row(1,row(2,3)) IN (row(1,row(2,3)), (select 1,1), row(1,row(2,4)));

All the above are 5.0 and 4.1. Below are a few queries which will trigger debug asserts on a 5.0 server (not tested against 4.1):

 select row(2,1) IN (row(21,2), row(row(1,1,3),0) );

How to repeat:
 select row(1,row(2,3))   IN (row(1,row(2,3))   ,row(1,1));
 select row(1,row(2,3))   IN (row(1,row(2,3))   ,row(1,1), row(1,row(2,3)));

 select row(1,row(2,3)) IN (row(1,row(2,3)), (select 1,1));
 select row(1,row(2,3)) IN (row(1,row(2,3)), (select 1,1), row(1,row(2,4)));

Suggested fix:
See patch; it includes an additional test for "row.test".

Currently, checks for correct row balancing are in many different places:
- Item_func::fix_fields calls check_cols
but that only checks the outermost level.

- Item_func_in::fix_length_and_dec()
creates an array, which does some checks, but for non-null constant expressions only.

- A few other places refer to the error msg.

The patch does several things:
- It adds a nested check in fix_fields "check_cols_deeply".

- It fixes some of the crashes where they initially occurred.
Those initial occurrences should no longer be able to happen, and neither should most of the other places that performed checks be reachable anymore.
Therefore the patch also adds debug assertions to these places.

Also in item_cmp_func.cc line 2777:
 /* If an error inside array->set occured, array->sort could fail */
I believe some of the other fixes reduce this to an assert. Yet once we know about the error, it can be handled.
[27 Mar 2007 20:37] Martin Friebe
patch for 5.0

Attachment: nested_row.patch (text/x-patch), 8.61 KiB.

[27 Mar 2007 21:44] Godofredo Miguel Solorzano
Thank you for the bug report. Verified as described on FC 6.0 32-bits.
[9 Apr 2007 17:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/24076

ChangeSet@1.2624, 2007-04-09 13:29:51-04:00, cmiller@zippy.cornsilk.net +7 -0
  Bug#27484: server crash with nested rows
  
  There are two possible symptoms of this problem:  1) A server 
  crash, 2) or lossy comparison that signaled equality when there 
  exists an orthogonal "row" that does differ.
  
  Now, verify that two rows that we're comparing for equality have
  the same structure, as a shortcut to being able to signal 
  inequality before testing any values.
[9 Apr 2007 19:14] Chad MILLER
Igor analyzed the bug and says the proposed patch is inappropriate.  He has another means of fixing it in mind.
[11 Apr 2007 5:56] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/24242

ChangeSet@1.2634, 2007-04-10 22:56:38-07:00, igor@olga.mysql.com +3 -0
  Fixed bug #27484: a crash when incompatible row expressions with nested rows
  are used as arguments of the IN predicate.
  Added a function to check compatibility of row expressions. Made sure that this
  function is called for Item_func_in objects by fix_length_and_dec().
[11 Apr 2007 18:17] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/24307

ChangeSet@1.2634, 2007-04-11 11:18:03-07:00, igor@olga.mysql.com +3 -0
  Fixed bug #27484: a crash when incompatible row expressions with nested rows
  are used as arguments of the IN predicate.
  Added a function to check compatibility of row expressions. Made sure that this
  function is called for Item_func_in objects by fix_length_and_dec().
[11 Apr 2007 18:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/24308

ChangeSet@1.2634, 2007-04-11 11:41:12-07:00, igor@olga.mysql.com +3 -0
  Fixed bug #27484: a crash when incompatible row expressions with nested rows
  are used as arguments of the IN predicate.
  Added a function to check compatibility of row expressions. Made sure that this
  function is called for Item_func_in objects by fix_length_and_dec().
[15 Apr 2007 16:48] Bugs System
Pushed into 5.1.18-beta
[15 Apr 2007 16:53] Bugs System
Pushed into 5.0.40
[15 Apr 2007 17:02] Bugs System
Pushed into 4.1.23
[17 Apr 2007 20:20] Paul Dubois
Noted in 4.1.23, 5.0.40, 5.1.18 changelogs.

Passing nested row expressions with different structures to an IN
predicate caused a server crash.
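
The structural check that the report and the changesets describe, as an added example that is not MySQL source code: the Expr tree and every function name here are hypothetical stand-ins for the server's item classes. It contrasts an outer-level column check with a recursive one on two queries from the report.

```cpp
// Added illustration: a toy expression tree, not MySQL's Item classes.
#include <cstddef>
#include <cstdio>
#include <utility>
#include <vector>
// A node is a scalar (no children) or a row of nested expressions.
struct Expr {
    std::vector<Expr> kids;  // empty => scalar
    std::size_t cols() const { return kids.empty() ? 1 : kids.size(); }
};
static Expr scalar() { return Expr{}; }
static Expr row(std::vector<Expr> k) { return Expr{std::move(k)}; }

// Outer-level check only: top-level column counts match.
static bool shallow_compatible(const Expr& a, const Expr& b) { return a.cols() == b.cols(); }

// Deep check: same arity at every nesting level.
static bool deep_compatible(const Expr& a, const Expr& b) {
    if (a.kids.size() != b.kids.size()) return false;
    for (std::size_t i = 0; i < a.kids.size(); ++i)
        if (!deep_compatible(a.kids[i], b.kids[i])) return false;
    return true;
}

// For `lhs IN (list...)`: index of the first incompatible item, or -1.
static int first_incompatible(const Expr& lhs, const std::vector<Expr>& list, bool deep) {
    for (std::size_t i = 0; i < list.size(); ++i) {
        bool ok = deep ? deep_compatible(lhs, list[i]) : shallow_compatible(lhs, list[i]);
        if (!ok) return static_cast<int>(i);
    }
    return -1;
}

// row(1,row(2,3)) IN (row(1,row(2,3)), row(1,1))
static int query1(bool deep) {
    Expr lhs = row({scalar(), row({scalar(), scalar()})});
    return first_incompatible(lhs, {lhs, row({scalar(), scalar()})}, deep);
}
// row(2,1) IN (row(21,2), row(row(1,1,3),0))
static int query2(bool deep) {
    Expr lhs = row({scalar(), scalar()});
    Expr bad = row({row({scalar(), scalar(), scalar()}), scalar()});
    return first_incompatible(lhs, {row({scalar(), scalar()}), bad}, deep);
}

int main() {
    std::printf("q1 shallow=%d deep=%d\n", query1(false), query1(true));
    std::printf("q2 shallow=%d deep=%d\n", query2(false), query2(true));
}
```

In both queries the outer-level check accepts every IN-list item because each top-level row has two columns; only the recursive check rejects the second item before any values are compared.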