Bug #33085 Stored functions crash server when used in select list and group by
Submitted: 8 Dec 2007 13:22 Modified: 17 Dec 2007 8:36
Reporter: Mark Leith
Status: Duplicate
Category:MySQL Server: Stored Routines Severity:S2 (Serious)
Version:5.1-BK OS:Any
Assigned to: Georgi Kodinov CPU Architecture:Any
Tags: crash, GROUP BY, Stored Functions

[8 Dec 2007 13:22] Mark Leith
Description:
Calling a stored function with a constant literal argument (for example `f1(1)`) in both the SELECT list and the GROUP BY clause crashes the server. The backtrace below shows the crash in create_tmp_table() at sql_select.cc:9932 with `field = (Field *) 0x0`, i.e. a NULL `Field*` dereference while the temporary table for the GROUP BY is being built. Calling the same function on a table column (`f1(i)`) works correctly. Because the trigger is an ordinary SELECT, any account that can run it (EXECUTE on the function and SELECT on the table) can take the server down, so this is a remotely reachable denial of service and not only a functional bug.

How to repeat:
-- Identity function used only to reproduce the crash: returns its
-- argument unchanged. NOT DETERMINISTIC / NO SQL is part of the repro;
-- presumably it keeps the optimizer from folding f1(1) to a constant
-- before GROUP BY, but that is not confirmed here.
DROP FUNCTION IF EXISTS f1;
DELIMITER //
CREATE FUNCTION f1 (i INT)
RETURNS INT
NOT DETERMINISTIC
NO SQL
BEGIN
  RETURN i;
END//
DELIMITER ;

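-- Two-row scratch table for the repro.
DROP TABLE IF EXISTS t1;
CREATE TABLE t1 (i INT);
-- Explicit column list so the INSERT stays valid if t1 ever gains columns.
INSERT INTO t1 (i) VALUES (1), (2);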

-- Trigger: the same stored-function call with a *literal* argument in
-- both the select list and GROUP BY. On 5.1-BK this crashes mysqld in
-- create_tmp_table() (sql_select.cc:9932) while dereferencing a NULL
-- Field* (see the gdb backtrace below: field = (Field *) 0x0).
-- Security note: this is an ordinary SELECT, so any account with
-- EXECUTE on f1 and SELECT on t1 can crash the server (denial of service).
select f1(1), count(*) 
from t1
group by f1(1);
[8 Dec 2007 13:23] Mark Leith
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
[Switching to process 18417 thread 0x2b03]
create_tmp_table (thd=0x5817200, param=0x5882e70, fields=@0x5882f30, group=0x5875660, distinct=false, save_sum_fields=false, select_options=2149861888, rows_limit=18446744073709551615, table_alias=0x5058a0 "") at sql_select.cc:9932
9932        key_part_info->offset= field->offset(table->record[0]);
(gdb) bt full
#0  create_tmp_table (thd=0x5817200, param=0x5882e70, fields=@0x5882f30, group=0x5875660, distinct=false, save_sum_fields=false, select_options=2149861888, rows_limit=18446744073709551615, table_alias=0x5058a0 "") at sql_select.cc:9932
   field = (Field *) 0x0
   maybe_null = true
   cur_group = (ORDER *) 0x5875660
   distinct = false
   save_sum_fields = false
   select_options = 2149861888
   rows_limit = 18446744073709551615
   mem_root_save = (MEM_ROOT *) 0x5818850
   own_root = {
  free = 0x0, 
  used = 0x5863200, 
  pre_alloc = 0x0, 
  min_malloc = 32, 
  block_size = 996, 
  block_num = 5, 
  first_block_usage = 0, 
  error_handler = 0x5fbee <sql_alloc_error_handler>
}
   table = (TABLE *) 0x5863210
   share = (TABLE_SHARE *) 0x58638a8
   i = 0
   field_count = 4
   null_count = 1
   null_pack_length = 1
   copy_func_count = 3
   hidden_null_count = 0
   hidden_null_pack_length = 0
   hidden_field_count = 4294967295
   blob_count = 0
   group_null_items = 0
   string_count = 0
   temp_pool_slot = 0
   fieldnr = 1
   reclength = 9
   string_total_length = 0
   using_unique_constraint = false
   use_packed_rows = false
   not_all_columns = true
   tmpname = 0x5863d78 "#sql_47f1_0"
   tmppath = 0x5863d60 "/var/tmp/#sql_47f1_0"
   path = "/var/tmp/#sql_47f1_0", '\0' <repeats 13 times>, "\006\000\000\000\230\026\000\220\030\206F°´s\032\000\020^\207\0056©I\0008\206F°¬©I\000\000\000\000\000\000\000\000\000@òR\000CC\000\2208\000\200\005\000r\201\005\005\000\000\000àÈ\233\006¼{F°ØÑ\233\006\001\000\000\000>\000\000\000\001\000\000\000\000\000\000\000h\206F°,»I\000\000\000\000\000\000\000ð?\000\000\000\000\000\000\000\000\200\000\000\000\000\000\000\000\001\000\000\000\001\000\000\000\001\000\000\000\000\000\000@\001\000\000\000\t\232I\000\006\000\000\000ø1\210\005\000\000\000\000\t\232I\000\006\000\000\0006©I\000È\206"...
   table_name = "#sql_47f1_0\000°\t\232I\000\006\000\000\0006©I\000\030\210F°¬©I\000¼\210F°6©I\000(\210F°¬©I\000\006\000\000\000\230\026\000\220(\210F°àÈ\233\006àÈ\233\0066©I\000H\210F°àÈ\233\006Ð=\207\005àÈ\233\006X\210F° ºI\000Ð=\207\005\230\026\000\220X\210F°\t\232I\000\006\000\000\000Ü\210F°Ø\210F°d\210F°Ð=\207\0056©I\000\210\210F°¬©I\000Ð=\207\005\000\224P\000¨\210F°\t\232I\000\006\000\000\000\214\210F°\210\210F°àÈ\233\006\006\000\000\0006©I\000¸\210F°¬©I"
   pos = (uchar *) 0x588c189 ""
   group_buff = (uchar *) 0x5863d88 ""
   bitmaps = (uchar *) 0x5863d98 "ÿÿÿÿ"
   null_flags = (uchar *) 0x588c180 "ÿ"
   reg_field = (Field **) 0x5863b1c
   from_field = (Field **) 0x5863b58
   default_field = (Field **) 0x5863b30
   blob_field = (uint *) 0x5863b40
   copy = (Copy_field *) 0x738fc8
   keyinfo = (KEY *) 0x5863b78
   key_part_info = (KEY_PART_INFO *) 0x5863bb0
   copy_func = (Item **) 0x5863b68
   recinfo = (MI_COLUMNDEF *) 0x5863c20
   total_uneven_bit_length = 0
   force_copy_fields = false
   _db_func_ = 0x5227f4 "JOIN::optimize"
   _db_file_ = 0x521e54 "sql_select.cc"
   _db_level_ = 7
   _db_framep_ = (char **) 0xb0468904
   item = (Item *) 0x0
   tmp_from_field = (Field **) 0x5863b5c
#1  0x0012abf8 in JOIN::optimize (this=0x5881e10) at sql_select.cc:1361
   tmp_group = (ORDER *) 0x5875660
   tmp_rows_limit = 398619625601077192
   _db_func_ = 0x522fb0 "mysql_select"
   _db_file_ = 0x521e54 "sql_select.cc"
   _db_level_ = 6
   _db_framep_ = (char **) 0x6
   sel = (SELECT_LEX *) 0x0
#2  0x001347c2 in mysql_select (thd=0x5817200, rref_pointer_array=0x5818374, tables=0x5874968, wild_num=0, fields=@0x5818304, conds=0x0, og_num=1, order=0x0, group=0x5875660, having=0x0, proc_param=0x0, select_options=2149861888, result=0x58758d0, unit=0x5818008, select_lex=0x5818270) at sql_select.cc:2257
   select_options = 2149861888
   err = false
   free_join = true
   _db_func_ = 0x523048 "handle_select"
   _db_file_ = 0x521e54 "sql_select.cc"
   _db_level_ = 5
   _db_framep_ = (char **) 0x5875690
   join = (JOIN *) 0x5881e10
#3  0x00134db9 in handle_select (thd=0x5817200, lex=0x5817fac, result=0x58758d0, setup_tables_done_option=0) at sql_select.cc:258
   unit = (SELECT_LEX_UNIT *) 0x0
   res = false
   select_lex = (SELECT_LEX *) 0x5818270
   _db_func_ = 0x5199c8 "mysql_execute_command"
   _db_file_ = 0x519480 "sql_parse.cc"
   _db_level_ = 4
   _db_framep_ = (char **) 0x0
#4  0x000bb520 in execute_sqlcom_select (thd=0x5817200, all_tables=0x5874968) at sql_parse.cc:4539
   lex = (LEX *) 0x5817fac
   result = (select_result *) 0x58758d0
   res = 208
#5  0x000be097 in mysql_execute_command (thd=0x5817200) at sql_parse.cc:1883
   res = false
   need_start_waiting = false
   up_result = 92683184
   lex = (LEX *) 0x5817fac
   select_lex = (SELECT_LEX *) 0x5818270
   first_table = (TABLE_LIST *) 0x5874968
   all_tables = (TABLE_LIST *) 0x5874968
   unit = (SELECT_LEX_UNIT *) 0x5818008
   _db_func_ = 0x519d90 "mysql_parse"
   _db_file_ = 0x519480 "sql_parse.cc"
   _db_level_ = 3
   _db_framep_ = (char **) 0x5817200
#6  0x000c5b4a in mysql_parse (thd=0x5817200, inBuf=0x5873c10 "select f1(1), count(*) \nfrom t1\ngroup by f1(1)", length=46, found_semicolon=0xb0469e3c) at sql_parse.cc:5446
   lex = (LEX *) 0x5817fac
   lip = {
  m_thd = 0x5817200, 
  yylineno = 3, 
  yytoklen = 1, 
  yylval = 0xb046978c, 
  m_ptr = 0x5873c3f "rministic\nno sql\nbegin\n  return i;\nend", 
  m_tok_start = 0x5873c3f "rministic\nno sql\nbegin\n  return i;\nend", 
  m_tok_end = 0x5873c3f "rministic\nno sql\nbegin\n  return i;\nend", 
  m_end_of_query = 0x5873c3e "", 
  m_tok_start_prev = 0x5873c3e "", 
  m_buf = 0x5873c10 "select f1(1), count(*) \nfrom t1\ngroup by f1(1)", 
  m_buf_length = 46, 
  m_echo = true, 
  m_cpp_buf = 0x5873c88 "select f1(1), count(*) \nfrom t1\ngroup by f1(1)", 
  m_cpp_ptr = 0x5873cb6 "", 
  m_cpp_tok_start = 0x5873cb6 "", 
  m_cpp_tok_start_prev = 0x5873cb6 "", 
  m_cpp_tok_end = 0x5873cb6 "", 
  m_body_utf8 = 0x0, 
  m_body_utf8_ptr = 0x1 <Address 0x1 out of bounds>, 
  m_cpp_utf8_processed_ptr = 0x0, 
  next_state = MY_LEX_END, 
  found_semicolon = 0x0, 
  tok_bitmap = 133 '\205', 
  ignore_space = false, 
  stmt_prepare_mode = false, 
  in_comment = NO_COMMENT, 
  m_cpp_text_start = 0x5873cb4 "1)", 
  m_cpp_text_end = 0x5873cb5 ")", 
  m_underscore_cs = 0x0
}
   err = 176
   thd = (THD *) 0x5817200
   length = 2957416516
   _db_func_ = 0x519e14 "dispatch_command"
   _db_file_ = 0x519480 "sql_parse.cc"
   _db_level_ = 2
   _db_framep_ = (char **) 0x586b200
#7  0x000c6995 in dispatch_command (command=COM_QUERY, thd=0x5817200, packet=0x52f1001 "select f1(1), count(*) \nfrom t1\ngroup by f1(1)", packet_length=47) at sql_parse.cc:953
   packet_end = 0x5873c3e ""
   found_semicolon = 0x0
   net = (NET *) 0x5817270
   _db_func_ = 0x5894fc "?func"
   _db_file_ = 0x589504 "?file"
   _db_level_ = 1
   _db_framep_ = (char **) 0x2
#8  0x000c7acc in do_command (thd=0x5817200) at sql_parse.cc:712
   packet = 0x52f1000 "\003select f1(1), count(*) \nfrom t1\ngroup by f1(1)"
   packet_length = 47
   net = (NET *) 0x5817270
   command = COM_QUERY
   _db_func_ = 0x5894fc "?func"
   _db_file_ = 0x589504 "?file"
   _db_level_ = 1
   _db_framep_ = (char **) 0xb58e1
#9  0x000b6898 in handle_one_connection (arg=0x5817200) at sql_connect.cc:1094
   net = (NET *) 0x5817270
   arg = (void *) 0x5817270
   thd = (THD *) 0x5817200
   launch_time = 92369520
#10 0x90024147 in _pthread_body ()
No symbol table info available.
[8 Dec 2007 13:29] Mark Leith
Passing the table column `i` instead of a literal works correctly:

mysql> select f1(i), count(*) 
    -> from t1
    -> group by f1(i);
+-------+----------+
| f1(i) | count(*) |
+-------+----------+
|     1 |        1 | 
|     2 |        1 | 
+-------+----------+
2 rows in set (0.00 sec)
[17 Dec 2007 8:36] Georgi Kodinov
Tried in the latest 5.0 and 5.1 BK trees; the crash no longer reproduces. It was probably fixed by the fix for bug #29338 or the related bug #27354.
Please try it with the latest bk tree and re-open if it still appears.