Bug #39002 crash with insert .. select * from ... on duplicate key update col=default
Submitted: 25 Aug 2008 11:32 Modified: 17 Oct 2008 18:14
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: DML Severity: S1 (Critical)
Version: 5.0.42, 5.0.66a, 5.0.70, 5.1.28, 6.0.5 OS: Any
Assigned to: Gleb Shchepa
Triage: D1 (Critical)

[25 Aug 2008 11:32] Shane Bester
Description:
mysqld.exe!Item_default_value::transform()[item.cc:6206]
mysqld.exe!select_insert::prepare()[sql_insert.cc:2922]
mysqld.exe!JOIN::prepare()[sql_select.cc:629]
mysqld.exe!mysql_select()[sql_select.cc:2340]
mysqld.exe!handle_select()[sql_select.cc:269]
mysqld.exe!mysql_execute_command()[sql_parse.cc:3009]
mysqld.exe!mysql_parse()[sql_parse.cc:5656]
mysqld.exe!dispatch_command()[sql_parse.cc:1137]
mysqld.exe!do_command()[sql_parse.cc:794]
mysqld.exe!handle_one_connection()[sql_connect.cc:1115]
mysqld.exe!pthread_start()[my_winthread.c:85]
mysqld.exe!_callthreadstart()[thread.c:293]
mysqld.exe!_threadstart()[thread.c:277]
kernel32.dll!FlsSetValue()

How to repeat:
drop table if exists `t1`;
create table `t1` (`d` int) engine=myisam;
insert into `t1` (`d`)select * from `t1` on duplicate key update `d`=default;
[26 Aug 2008 21:28] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52610

2674 Gleb Shchepa	2008-08-27
      Bug #39002: The server crashes on the query:
        INSERT .. SELECT .. ON DUPLICATE KEY UPDATE col=DEFAULT
      
      In order to get correct values from update fields that
      belong to the SELECT part in the INSERT .. SELECT .. ON
      DUPLICATE KEY UPDATE statement, the server adds referenced
      fields to the select list. Part of the code that does this
      transformation is shared between implementations of
      the DEFAULT(col) function and the DEFAULT keyword (in
      the col=DEFAULT expression), and an implementation of
      the DEFAULT keyword is incomplete.
      
      
      The Item_default_value::transform() function has been
      modified to take into account the fact that the DEFAULT
      keyword has no arguments, unlike the DEFAULT(col) function
      that always has an argument.
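
A simplified C++ model of the failure mode this commit message describes, added here as an illustration; it is not MySQL source and not the committed patch. `Expr`, `ColumnRef`, `DefaultValue` and `fields_added` are hypothetical names standing in for the shared code path that adds referenced fields to the select list.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Simplified model; these types are hypothetical, not MySQL's Item classes.
struct Expr {
    virtual ~Expr() = default;
    // Append every column this expression references to select_list.
    virtual void collect_fields(std::vector<std::string>& select_list) const = 0;
};

struct ColumnRef : Expr {
    std::string name;
    explicit ColumnRef(std::string n) : name(std::move(n)) {}
    void collect_fields(std::vector<std::string>& out) const override {
        out.push_back(name);
    }
};

// One node type serves both DEFAULT(col) (arg set) and bare DEFAULT (arg null).
struct DefaultValue : Expr {
    std::unique_ptr<Expr> arg;  // null for the DEFAULT keyword
    explicit DefaultValue(std::unique_ptr<Expr> a = nullptr) : arg(std::move(a)) {}
    void collect_fields(std::vector<std::string>& out) const override {
        // Unguarded, this would be `arg->collect_fields(out);`, a null
        // dereference for `col = DEFAULT`.
        if (!arg) return;  // keyword form references no column
        arg->collect_fields(out);
    }
};

// Columns an ON DUPLICATE KEY UPDATE value would add to the select list.
std::vector<std::string> fields_added(const Expr& update_value) {
    std::vector<std::string> select_list;
    update_value.collect_fields(select_list);
    return select_list;
}

int main() {
    DefaultValue with_arg(std::unique_ptr<Expr>(new ColumnRef("d")));
    DefaultValue keyword_only;
    bool ok = fields_added(with_arg).size() == 1 && fields_added(keyword_only).empty();
    return ok ? 0 : 1;
}
```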
[2 Sep 2008 17:33] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/53082

2681 Gleb Shchepa	2008-09-02
      Bug #39002: The server crashes on the query:
        INSERT .. SELECT .. ON DUPLICATE KEY UPDATE col=DEFAULT
      
      In order to get correct values from update fields that
      belong to the SELECT part in the INSERT .. SELECT .. ON
      DUPLICATE KEY UPDATE statement, the server adds referenced
      fields to the select list. Part of the code that does this
      transformation is shared between implementations of
      the DEFAULT(col) function and the DEFAULT keyword (in
      the col=DEFAULT expression), and an implementation of
      the DEFAULT keyword is incomplete.
[3 Sep 2008 8:14] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/53135

2647 Gleb Shchepa	2008-09-03
      Bug #39002: The server crashes on the query:
        INSERT .. SELECT .. ON DUPLICATE KEY UPDATE col=DEFAULT
      
      In order to get correct values from update fields that
      belong to the SELECT part in the INSERT .. SELECT .. ON
      DUPLICATE KEY UPDATE statement, the server adds referenced
      fields to the select list. Part of the code that does this
      transformation is shared between implementations of
      the DEFAULT(col) function and the DEFAULT keyword (in
      the col=DEFAULT expression), and an implementation of
      the DEFAULT keyword is incomplete.
[15 Sep 2008 8:11] Bugs System
Pushed into 5.0.70  (revid:gshchepa@mysql.com-20080903073243-qxqh92aso1qh2m9z) (version source revid:kgeorge@mysql.com-20080910094058-fygie2nur8py7y8j) (pib:3)
[15 Sep 2008 8:34] Bugs System
Pushed into 5.1.29  (revid:gshchepa@mysql.com-20080903073243-qxqh92aso1qh2m9z) (version source revid:kgeorge@mysql.com-20080910094421-1i1kxv3n1bxskiqa) (pib:3)
[16 Sep 2008 14:28] Paul Dubois
Noted in 5.0.70, 5.1.29 changelogs.

Statements of the form INSERT ... SELECT .. ON DUPLICATE KEY UPDATE
col_name = DEFAULT could result in a server crash.

Setting report to NDI pending push into 6.0.x.
[1 Oct 2008 16:02] Bugs System
Pushed into 5.1.29  (revid:gshchepa@mysql.com-20080903073243-qxqh92aso1qh2m9z) (version source revid:kgeorge@mysql.com-20080910094421-1i1kxv3n1bxskiqa) (pib:4)
[1 Oct 2008 17:17] Paul Dubois
Setting report to NDI pending push into 6.0.x.
[17 Oct 2008 16:46] Bugs System
Pushed into 6.0.8-alpha  (revid:gshchepa@mysql.com-20080903073243-qxqh92aso1qh2m9z) (version source revid:kpettersson@mysql.com-20080911114255-81pt7q1uvl1fkojq) (pib:5)
[17 Oct 2008 18:14] Paul Dubois
Noted in 6.0.8 changelog.
[28 Oct 2008 21:02] Bugs System
Pushed into 5.1.29-ndb-6.2.17  (revid:gshchepa@mysql.com-20080903073243-qxqh92aso1qh2m9z) (version source revid:tomas.ulin@sun.com-20081028140209-u4emkk1xphi5tkfb) (pib:5)
[28 Oct 2008 22:20] Bugs System
Pushed into 5.1.29-ndb-6.3.19  (revid:gshchepa@mysql.com-20080903073243-qxqh92aso1qh2m9z) (version source revid:tomas.ulin@sun.com-20081028194045-0353yg8cvd2c7dd1) (pib:5)
[1 Nov 2008 9:45] Bugs System
Pushed into 5.1.29-ndb-6.4.0  (revid:gshchepa@mysql.com-20080903073243-qxqh92aso1qh2m9z) (version source revid:jonas@mysql.com-20081101082305-qx5a1bj0z7i8ueys) (pib:5)