Bug #31095 server crashes with group by null with rollup
Submitted: 19 Sep 2007 12:22
Modified: 9 Nov 2007 0:24
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: General
Severity: S1 (Critical)
Version: 5.0.48, 5.1.23BK
OS: Any
Assigned to: Evgeny Potemkin
CPU Architecture: Any
Tags: crash, rollup

[19 Sep 2007 12:22] Shane Bester
Description:
Stack range sanity check OK, backtrace follows:
0x820111b handle_segfault + 541
0x81fdb2c sortcmp(String const*, String const*, charset_info_st*) + 24
0x81707f8 Cached_item_str::cmp() + 126
0x8279df2 test_if_group_changed(List<Cached_item>&) + 104
0x827498b end_send_group(JOIN*, st_join_table*, bool) + 839
0x8272ad3 evaluate_join_record(JOIN*, st_join_table*, int, char*) + 445
0x82728b9 sub_select(JOIN*, st_join_table*, bool) + 209
0x8272400 do_select(JOIN*, List<Item>*, st_table*, Procedure*) + 756
0x82612bf JOIN::exec() + 7053
0x826181e _Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select + 638
0x825c33d handle_select(THD*, st_lex*, select_result*, unsigned long) + 365
0x8215af4 execute_sqlcom_select(THD*, TABLE_LIST*) + 772
0x820e7d5 mysql_execute_command(THD*) + 1701
0x8217550 mysql_parse(THD*, char const*, unsigned int, char const**) + 372
0x820cc00 dispatch_command(enum_server_command, THD*, char*, unsigned int) + 2354
0x820c2c2 do_command(THD*) + 600
0x820acbd handle_one_connection + 255
0x40038aa7 _end + 931807543
0x4017ec2e _end + 933143230

How to repeat:
drop table if exists t1;
create table t1(a int primary key)engine=innodb;
insert into t1 values (1),(2),(3),(4),(5),(6);
select a,count(a) from t1 group by null;

Suggested fix:
.
[19 Sep 2007 12:23] Shane Bester
testcase that crashes:

drop table if exists t1;
create table t1(a int primary key)engine=myisam;
insert into t1 values (1),(2),(3),(4),(5),(6);
select a,count(a) from t1 group by null with rollup;
[28 Sep 2007 20:27] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/34663

ChangeSet@1.2539, 2007-09-29 00:22:54+00:00, evgen@moonbone.local +3 -0
  Bug#31095: Unexpected NULL constant caused server crash.
  
  The Item_func_rollup_const class is used for wrapping constants to avoid
  wrong result for ROLLUP queries with DISTINCT and a constant in the select
  list. This class is also used to wrap up a NULL constant but its null_value
  wasn't set accordingly. This led to a server crash.
  
  Now the null_value of an object of the Item_func_rollup_const class is set
  by the JOIN::rollup_init function when the object is used to wrap a NULL
  constant.
[1 Oct 2007 16:09] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/34725

ChangeSet@1.2539, 2007-10-01 20:03:50+00:00, evgen@moonbone.local +3 -0
  Bug#31095: Unexpected NULL constant caused server crash.
  
  The Item_func_rollup_const class is used for wrapping constants to avoid
  wrong result for ROLLUP queries with DISTINCT and a constant in the select
  list. This class is also used to wrap up a NULL constant but its null_value
  wasn't set accordingly. This led to a server crash.
  
  Now the null_value of an object of the Item_func_rollup_const class is set
  by its fix_length_and_dec member function.
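
The commit message above describes a wrapper whose null flag did not track the NULL constant it wrapped. The following is an added, simplified C++ model of that failure class with a guard that reports the broken contract; it is not MySQL source and not part of the bug thread. Only `null_value` and `fix_length_and_dec` are names from the commit message; every other name is hypothetical, and the model assumes the crash was a null string pointer reaching the comparison, as the `sortcmp` frame in the backtrace suggests.

```cpp
// Simplified model, constructed for illustration (not MySQL source).
#include <string>

// Stand-in for an item: val_str() may return nullptr, and callers rely on
// null_value to know when that has happened.
struct Item {
    bool null_value = false;
    virtual ~Item() = default;
    virtual const std::string* val_str() = 0;
    virtual void fix_length_and_dec() {}
};

struct ConstItem : Item {
    const std::string* v;  // nullptr models the SQL NULL constant
    explicit ConstItem(const std::string* s) : v(s) { null_value = (s == nullptr); }
    const std::string* val_str() override { return v; }
};

// Hypothetical wrapper in the style the commit message describes.
// propagate_null selects pre-fix (false) or post-fix (true) behaviour.
struct RollupConstWrapper : Item {
    Item* arg;
    bool propagate_null;
    RollupConstWrapper(Item* a, bool p) : arg(a), propagate_null(p) {}
    const std::string* val_str() override { return arg->val_str(); }
    void fix_length_and_dec() override {
        if (propagate_null) null_value = arg->null_value;  // the modelled fix
    }
};

enum class Cmp { Equal, Different, ContractViolation };

// Group-change comparison that trusts null_value, guarded so that a broken
// contract is reported instead of dereferencing a null pointer.
Cmp compare_with_cached(Item& item, const std::string* cached, bool cached_null) {
    const std::string* cur = item.val_str();
    if (!item.null_value && cur == nullptr) return Cmp::ContractViolation;
    if (item.null_value || cached_null)
        return (item.null_value == cached_null) ? Cmp::Equal : Cmp::Different;
    return (*cur == *cached) ? Cmp::Equal : Cmp::Different;
}

// Wraps a constant and compares it with its own cached copy, as a GROUP BY
// on a constant would. value == nullptr models GROUP BY NULL.
Cmp run_case(const std::string* value, bool propagate_null) {
    ConstItem c(value);
    RollupConstWrapper w(&c, propagate_null);
    w.fix_length_and_dec();
    return compare_with_cached(w, value, value == nullptr);
}
```

Without the guard in `compare_with_cached`, the pre-fix case would reach the string comparison with a null pointer; with the flag propagated, the NULL constant compares as an unchanged group.
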
[29 Oct 2007 8:43] Bugs System
Pushed into 5.0.52
[29 Oct 2007 8:46] Bugs System
Pushed into 5.1.23-beta
[29 Oct 2007 8:49] Bugs System
Pushed into 6.0.4-alpha
[9 Nov 2007 0:24] Paul Dubois
Noted in 5.0.52, 5.1.23, 6.0.4 changelogs.

GROUP BY NULL WITH ROLLUP could cause a server crash.