Bug #31155 gis types in union'd select cause crash
Submitted: 23 Sep 2007 13:05    Modified: 30 Oct 2007 23:53
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Data Types    Severity: S2 (Serious)
Version: 5.0.48, 5.1.23-debug    OS: Any
Assigned to: Alexey Botchkov    CPU Architecture: Any
Tags: crash, gis, UNION

[23 Sep 2007 13:05] Shane Bester
Version: '5.1.23-beta-debug'  socket: '/tmp/mysql.sock'  port: 3306  yes
070923 14:41:24 - mysqld got signal 11;
thd: 0x87bc4a0
Cannot determine thread, fp=0x40ca8e4c, backtrace may not be correct.
Stack range sanity check OK, backtrace follows:
0x820111b handle_segfault + 541
0x8154072 Item_field::set_field(Field*) + 38
0x8153c5e Item_field::Item_field(Field*) + 106
0x816e044 Item_sum::result_item(Field*) + 36
0x815f58a Item_type_holder::Item_type_holder(THD*, Item*) + 296
0x8354f9e st_select_lex_unit::prepare(THD*, select_result*, unsigned long) + 1248
0x83546c6 mysql_union(THD*, st_lex*, select_result*, st_select_lex_unit*, unsigned long) + 102
0x825c27a handle_select(THD*, st_lex*, select_result*, unsigned long) + 170
0x8215af4 execute_sqlcom_select(THD*, TABLE_LIST*) + 772
0x820e7d5 mysql_execute_command(THD*) + 1701
0x8217550 mysql_parse(THD*, char const*, unsigned int, char const**) + 372
0x820cc00 dispatch_command(enum_server_command, THD*, char*, unsigned int) + 2354
0x820c2c2 do_command(THD*) + 600
0x820acbd handle_one_connection + 255
0x40038aa7 _end + 931807543
0x4017ec2e _end + 933143230
New value of fp=(nil) failed sanity check, terminating stack trace!
thd->query at 0x87ec230 = select min(`col002`) from t1 union select `col002` from t1

How to repeat:
drop table if exists t1;
create table `t1` (`col002` point)engine=myisam;
insert into t1 values (),(),();
select min(`col002`) from t1 union select `col002` from t1;

Suggested fix:
This might be related to bug #31144 "crash when subquery within order by/group by clause returns spatial datatype". If it's a duplicate, sorry.

Spatial datatypes need a serious code review it seems.
[4 Oct 2007 8:08] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:


ChangeSet@1.2544, 2007-10-04 12:01:28+05:00, holyfoot@mysql.com +4 -0
  Bug #31155 gis types in union'd select cause crash.
  We use the get_geometry_type() call to decide the exact type
  of a geometry field to be created (POINT, POLYGON etc).
  However, this function was only implemented for a few items.
  In the bug's case we need to call this function for the
  Item_sum instance, where it was not implemented, which is
  the reason for the crash.
  Fixed by implementing virtual Item::get_geometry_type(),
  so it can be called for any Item.
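
The design change described in the commit message above, as an added example that is not part of the original report and is not MySQL's source code. It is a simplified C++ model: every class and function name is hypothetical, and the generic default, the aggregate forwarding to its argument, and the UNION merge rule are assumptions of the sketch.

```cpp
#include <memory>
#include <utility>
#include <vector>

// Simplified model, NOT MySQL source; every name here is hypothetical.
enum class GeomType { Geometry, Point, Polygon };

struct Item {
    virtual ~Item() = default;
    // "After": any Item can answer. The generic default is an assumption.
    virtual GeomType get_geometry_type() const { return GeomType::Geometry; }
};

struct ItemField : Item {  // column reference, e.g. `col002`
    GeomType column_type;
    explicit ItemField(GeomType t) : column_type(t) {}
    GeomType get_geometry_type() const override { return column_type; }
};

struct ItemSum : Item {  // aggregate, e.g. min(`col002`)
    std::shared_ptr<Item> arg;
    explicit ItemSum(std::shared_ptr<Item> a) : arg(std::move(a)) {}
    // Forwarding to the argument is this sketch's choice.
    GeomType get_geometry_type() const override {
        return arg ? arg->get_geometry_type() : GeomType::Geometry;
    }
};

// "Before": only subclasses that implement the getter are handled. Returning
// false marks the unhandled kind, where the caller has no valid answer.
bool legacy_geometry_type(const Item &item, GeomType *out) {
    if (const ItemField *f = dynamic_cast<const ItemField *>(&item)) {
        *out = f->column_type;
        return true;
    }
    return false;
}

// Result column type of a UNION, one Item per SELECT branch. Branches that
// agree keep their type; disagreement falls back to generic Geometry.
GeomType union_column_type(const std::vector<std::shared_ptr<Item>> &branches) {
    if (branches.empty()) return GeomType::Geometry;
    GeomType result = branches.front()->get_geometry_type();
    for (const auto &b : branches)
        if (b->get_geometry_type() != result) return GeomType::Geometry;
    return result;
}
```
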
[4 Oct 2007 10:47] Alexander Barkov
The patch http://lists.mysql.com/commits/34871 is ok to push.
[29 Oct 2007 8:43] Bugs System
Pushed into 5.0.52
[29 Oct 2007 8:47] Bugs System
Pushed into 5.1.23-beta
[29 Oct 2007 8:51] Bugs System
Pushed into 6.0.4-alpha
[30 Oct 2007 23:53] Paul Dubois
Noted in 5.0.52, 5.1.23, 6.0.4 changelogs.

Selecting spatial types in a UNION could cause a server crash.
[20 Nov 2007 13:09] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:


ChangeSet@1.2573, 2007-11-20 17:04:24+04:00, holyfoot@mysql.com +2 -0
  test case added for the bug #31155
[14 Dec 2007 8:15] Bugs System
Pushed into 5.0.54
[14 Dec 2007 8:19] Bugs System
Pushed into 5.1.23-rc
[14 Dec 2007 8:22] Bugs System
Pushed into 6.0.5-alpha