Bug #380 MySQL crashes with InnoDB + group
Submitted: 6 May 2003 10:14  Modified: 19 Jun 2003 12:59
Reporter: Dmitry Katsubo
Status: Closed  Impact on me: None
Category: MySQL Server  Severity: S2 (Serious)
Version: 4.1.0  OS: Any (any)
Assigned to: Oleksandr Byelkin  CPU Architecture: Any

[6 May 2003 10:14] Dmitry Katsubo
Description:
The script below produces the crash.
Script known to run ok on MySQL 4.0.12.
Script known to run ok on MySQL 4.1.0 with type=MyISAM.
The additional information follows.

Release: mysql-4.1.0-alpha (Official MySQL RPM)
System:  Linux pilot 2.4.20-mosix-migshm #1 Fri Apr 25 15:31:11 EEST 2003 i686 unknown
Architecture: i686

pilot:/usr/tmp # free -t
             total       used       free     shared    buffers     cached
Mem:        514284     509872       4412          0      50928     109032
-/+ buffers/cache:     349912     164372
Swap:      1022392     147636     874756
Total:     1536676     657508     879168

pilot:/usr/tmp # ll /usr/lib/mysql/mysqld.sym
-rw-r--r--    1 root     root       461075 Apr  4 20:02 

pilot:/var/lib/mysql # tail -f mysqld.log
mysqld got signal 11;
...
key_buffer_size=100663296
read_buffer_size=131072
sort_buffer_size=8388600
max_used_connections=0
max_connections=1536
threads_connected=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_connections = 294900 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd=0x8888e18
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
Cannot determine thread, fp=0xbfe7f498, backtrace may not be correct.
Stack range sanity check OK, backtrace follows:
0x80835ca handle_segfault + 450
0x82bb768 pthread_sighandler + 184
0x8093653 mysql_parse__FP3THDPcUi + 435
0x808e3f3 dispatch_command__F19enum_server_commandP3THDPcUi + 2143
0x8094be0 do_command__FP3THD + 156
0x808d337 handle_one_connection + 599
0x82b8f1c pthread_start_thread + 220
0x82ec73a thread_start + 4
New value of fp=(nil) failed sanity check, terminating stack trace!
...
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0x8884688 = select Case When Count(*) < MAX_REQ Then 1 Else 0 End
from SEA_USER
where SEA_USER.USR_ID = 1
group by MAX_REQ
thd->thread_id=1
...

LIBC:
-rwxr-xr-x    1 root     root      1321674 Oct  8  2002 /lib/libc.so.6
-rw-r--r--    1 root     root     23159816 Oct  8  2002 /usr/lib/libc.a
-rw-r--r--    1 root     root          178 Oct  8  2002 /usr/lib/libc.so
-rw-r--r--    1 root     root       869190 Mar 23  2002 /usr/lib/libc-client.a
lrwxrwxrwx    1 root     root           20 Jul 30  2002 /usr/lib/libc-client.so -> libc-client.so.2001a
-rwxr-xr-x    1 root     root       725296 Mar 23  2002 /usr/lib/libc-client.so.2001a

How to repeat:
create database crash;

use crash;

create table SEA_USER
(
        USR_ID          integer not null,
        MAX_REQ         integer not null,
        constraint PK_SEA_USER primary key (USR_ID)
) type=InnoDB;

insert into SEA_USER values (1, 3);

select Case When Count(*) < MAX_REQ Then 1 Else 0 End
from SEA_USER
where SEA_USER.USR_ID = 1
group by MAX_REQ;
[13 May 2003 11:10] Alexander Keremidarski
I was able to repeat it with a slightly simpler query with both MyISAM and InnoDB:

select Case When Count(*) < MAX_REQ Then 1 Else 0 End from SEA_USER;

It happens whenever:
1. There is no expression between CASE and the first WHEN
2. The first expression after WHEN is an aggregate function.

item_cmpfunc.cc:865

Item *Item_func_case::find_item(String *str)
{

...
    if (!first_expr)
    {
      // No expression between CASE and first WHEN
      if (args[i]->val_int())
          ^^^^^^^^^^^^^^^^^^
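As an added example that is not part of the bug report, a small Python checker for the two conditions listed in the comment above, so that statements carrying the crash pattern can be flagged (for instance when scanning a query log or a test suite) before they are sent to a 4.1.0 server. The tokenizer and the list of aggregate names are my own assumptions, not MySQL's parser.

```python
import re

# Crude SQL tokenizer: identifiers/keywords (dotted names allowed), numbers,
# two-character comparison operators, and any other single non-space character.
# Constructed for this check; it does not understand string literals or comments.
_TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*|\d+|<>|<=|>=|[^\sA-Za-z0-9_]")

# Aggregate (group) function names the check recognises; assumed list.
AGGREGATES = {"COUNT", "SUM", "AVG", "MIN", "MAX", "STD", "STDDEV",
              "BIT_OR", "BIT_AND", "GROUP_CONCAT"}


def triggers_bug380(sql):
    """True if `sql` contains a CASE with no operand before its first WHEN
    and that first WHEN condition begins with an aggregate call, i.e. the
    pattern the report says crashes mysqld 4.1.0-alpha."""
    toks = _TOKEN.findall(sql)
    upper = [t.upper() for t in toks]
    for i, tok in enumerate(upper):
        # Condition 1: searched CASE, i.e. WHEN directly follows CASE.
        if tok != "CASE" or i + 1 >= len(upper) or upper[i + 1] != "WHEN":
            continue
        # Condition 2: the first WHEN expression starts with aggregate(...);
        # leading parentheses such as (COUNT(*)) < x are skipped.
        j = i + 2
        while j < len(upper) and upper[j] == "(":
            j += 1
        if j + 1 < len(upper) and upper[j] in AGGREGATES and upper[j + 1] == "(":
            return True
    return False


def find_affected(statements):
    """Filter a list of statements (e.g. lines from a query log) down to the
    ones matching the crash pattern, preserving their order."""
    return [s for s in statements if triggers_bug380(s)]


if __name__ == "__main__":
    # Constructed sample: the query from the report plus a harmless variant.
    sample = [
        "select Case When Count(*) < MAX_REQ Then 1 Else 0 End from SEA_USER",
        "select case USR_ID when 1 then 'one' else 'other' end from SEA_USER",
    ]
    for stmt in find_affected(sample):
        print("matches bug #380 pattern:", stmt)
```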
[17 May 2003 0:08] Oleksandr Byelkin
ChangeSet 
  1.1537 03/05/17 10:05:07 bell@sanja.is.com.ua +11 -0 
  fixed memory overrun (bug 380)
[19 Jun 2003 13:01] Oleksandr Byelkin
Thank you for the bug report.
The patch for this bug has been pushed into the internal bk repository and will soon be in the public one.