Bug #39161 Crash in UNION ALL query in Field_string::type
Submitted: 1 Sep 2008 15:36
Modified: 5 Oct 2008 17:27
Reporter: Mark Robson
Status: No Feedback
Category: MySQL Server: General
Severity: S1 (Critical)
Version: 5.0.67-community
OS: Linux (Centos 5.2 x86_64)
Assigned to:
CPU Architecture: Any

[1 Sep 2008 15:36] Mark Robson
Description:
An intermittent crash which occurs when executing a query with UNION ALL and joins on a MyISAM table.

Stack trace:

#0  0x00000000005aae45 in Field_string::type (this=0xc6696e0) at field.h:1095
#1  0x0000000000681a86 in get_mm_parts (param=0x432b2860, cond_func=0x2aaea46e1a68, field=0xf5ecb90, type=UNKNOWN_FUNC,
    value=0x2aaea5649818, cmp_type=<value optimized out>) at opt_range.cc:4403
#2  0x000000000068822f in get_func_mm_tree (param=0x432b2860, cond_func=0x2aaea46e1a68, field=0xf5ecb90, value=0x2aaea5649818,
    cmp_type=STRING_RESULT, inv=false) at opt_range.cc:3903
#3  0x000000000068887b in get_full_func_mm_tree (param=0x432b2860, cond_func=0x2aaea46e1a68, field_item=0x2aaea5649710,
    value=0x2aaea5649818, inv=false) at opt_range.cc:4001
#4  0x0000000000688c6d in get_mm_tree (param=0x432b2860, cond=0x2aaea46e1a68) at opt_range.cc:4188
#5  0x0000000000688aab in get_mm_tree (param=0x432b2860, cond=0x2aaea46e1ef8) at opt_range.cc:4043
#6  0x000000000068e4a8 in SQL_SELECT::test_quick_select (this=0x8434920, thd=0x2aae9e6d9c10, keys_to_use=<value optimized out>,
    prev_tables=<value optimized out>, limit=<value optimized out>, force_quick_range=<value optimized out>) at opt_range.cc:2075
#7  0x0000000000628de6 in make_join_statistics (join=0xcdd0890, tables=<value optimized out>, conds=<value optimized out>,
    keyuse_array=0xcdd1a70) at sql_select.cc:2334
#8  0x0000000000629b28 in JOIN::optimize (this=0xcdd0890) at sql_select.cc:903
#9  0x000000000070aa6c in st_select_lex_unit::exec (this=0x2aae9e6db0f0) at sql_union.cc:480
#10 0x000000000070b778 in mysql_union (thd=0x2aae9e6d9c10, lex=<value optimized out>, result=0x2aaea46e2f60, unit=0x2aae9e6db0f0,
    setup_tables_done_option=<value optimized out>) at sql_union.cc:34
#11 0x00000000006364b8 in handle_select (thd=0x2aae9e6d9c10, lex=0x2aae9e6db060, result=0x2aaea46e2f60, setup_tables_done_option=0)
    at sql_select.cc:235
#12 0x00000000005db64a in mysql_execute_command (thd=0x2aae9e6d9c10) at sql_parse.cc:2761
#13 0x00000000005e014d in mysql_parse (thd=0x2aae9e6d9c10,
    inBuf=0xae5e9b0 "(SELECT    CONCAT(MR.Qid, MR.HostName) AS ID, \n          MR.ID as PoolId, \n          MR.DateAndTime,"...,
    length=2482, found_semicolon=0x432b69f8) at sql_parse.cc:6233
#14 0x00000000005e0695 in dispatch_command (command=COM_QUERY, thd=0x2aae9e6d9c10, packet=<value optimized out>,
    packet_length=<value optimized out>) at sql_parse.cc:1898
#15 0x00000000005e2654 in handle_one_connection (arg=<value optimized out>) at sql_parse.cc:1595
#16 0x0000003770006307 in start_thread () from /lib64/libpthread.so.0
#17 0x000000376ecd1ded in clone () from /lib64/libc.so.6

The same queries are regularly run against 4.1.16 on 32-bit with no problem. 

key_buffer is approx. 16GB, server has 32G of ram.

How to repeat:
Doesn't happen very often, needs several days of simulated production load to repeat.
[1 Sep 2008 15:40] Sveta Smirnova
Thank you for the report.

Please also provide output of SHOW CREATE TABLE for second table used in the query.
[1 Sep 2008 16:05] Mark Robson
Other table was created with:

CREATE TABLE TMPDelta_14121_110825 (
 MsgRecipsID int(10) unsigned NOT NULL PRIMARY KEY,
 Processed set('reviewed','released','forwarded','deleted','reported-as-spam','not-reviewed','release-pending','release-failed','forward-pending','forward-failed')
) ENGINE=MyISAM
[1 Sep 2008 17:58] MySQL Verification Team
Could you please provide a dump file to populate the tables with enough data to repeat the bug? Thanks in advance.
[2 Sep 2008 8:15] Mark Robson
I can't provide dump files to reproduce the bug - in fact I can't reproduce it reliably.

It takes several days of simulated production load to reproduce, and I'm confident it's not a hardware fault.
[2 Sep 2008 8:20] MySQL Verification Team
Hi Mark!  It could be a small memory corruption or invalid read of memory.  In this case, can you please start mysqld under valgrind and run the query a few times manually.  Then shutdown and check if there are any warnings from valgrind?

valgrind  --tool=memcheck   --leak-check=yes -v --show-reachable=yes \
./path/to/mysqld --defaults-file=/path/to/my.cnf

Just replace the paths with the proper ones on your system.
Thanks!
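The valgrind procedure above, wrapped as an added example (not code from the thread or from MySQL): the invocation is the one the Verification Team gives with valgrind's --log-file option added so the output survives a crash, plus a check that scans the resulting log for memcheck findings worth pasting into the report. The mysqld and my.cnf paths are placeholders, and the sample log at the bottom is constructed so the check can be exercised offline.

```shell
#!/bin/sh
# Added example. MYSQLD and MYCNF are placeholders: replace with real paths.
MYSQLD=${MYSQLD:-./path/to/mysqld}
MYCNF=${MYCNF:-/path/to/my.cnf}

# Run mysqld under memcheck, sending valgrind's own output to the file in $1
# (kept separate from the server's error log). Not invoked in this script.
run_mysqld_under_valgrind() {
    valgrind --tool=memcheck --leak-check=yes -v --show-reachable=yes \
        --log-file="$1" "$MYSQLD" --defaults-file="$MYCNF"
}

# Exit 0 if the memcheck log in $1 reports an invalid access, an
# uninitialised value, or a non-zero ERROR SUMMARY; exit 1 otherwise.
valgrind_log_has_errors() {
    grep -Eq 'Invalid (read|write) of size|uninitialised value|Jump to the invalid address|ERROR SUMMARY: [1-9]' "$1"
}

# Summarise the distinct finding kinds (with counts) for the bug report.
valgrind_error_lines() {
    grep -E '^==[0-9]+== (Invalid (read|write)|Conditional jump|Use of uninitialised)' "$1" \
        | sed 's/^==[0-9]*== //' | sort | uniq -c
}

# Constructed sample log (not real mysqld output): a NULL dereference as
# memcheck would print it for the frame in the reporter's stack trace.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
==12345== Memcheck, a memory error detector.
==12345== Invalid read of size 4
==12345==    at 0x5AAE45: Field_string::type() const (field.h:1095)
==12345==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==12345== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
EOF

if valgrind_log_has_errors "$SAMPLE_LOG"; then
    echo "memcheck findings in $SAMPLE_LOG:"
    valgrind_error_lines "$SAMPLE_LOG"
fi
```

A NULL dereference shows up under memcheck as an "Invalid read" at "Address 0x0" immediately before the SIGSEGV, so a log that contains only the ERROR SUMMARY line with zero errors means the run did not reach the faulting path and the query needs to be repeated.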
[3 Sep 2008 11:09] Mark Robson
It appears that orig_table->s is NULL, so the line

orig_table->s->db_create_options

Tries to dereference a null pointer.

This has happened twice now and crashed in exactly the same spot with the same condition. I will run Valgrind now.
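The failure Mark describes, a type() accessor that guards orig_table but then dereferences orig_table->s without checking it, sketched as an added example beside a hardened version. This is not MySQL's code: the TABLE_SHARE, TABLE and field structs, the HA_OPTION_PACK_RECORD value and the enum values are constructed stand-ins for the example, and the fallback to the plain STRING type when the share is missing is an assumption about what the caller can tolerate, not a statement of what the server does.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed stand-ins for the server structures (not the real definitions):
// only the members the accessor touches.
enum enum_field_types { MYSQL_TYPE_VAR_STRING = 15, MYSQL_TYPE_STRING = 254 };
const uint32_t HA_OPTION_PACK_RECORD = 1;   // assumed flag value

struct TABLE_SHARE { uint32_t db_create_options; };
struct TABLE       { TABLE_SHARE *s; };      // s is NULL in the state seen in the crash

struct FieldString {
    TABLE   *orig_table;    // may be NULL, or point at a table whose share is NULL
    uint32_t field_length;
};

// Unsafe form: orig_table is checked, orig_table->s is not. A field whose
// table has no share attached reads through a NULL pointer here.
enum_field_types type_unchecked(const FieldString &f) {
    if (f.orig_table &&
        (f.orig_table->s->db_create_options & HA_OPTION_PACK_RECORD) &&
        f.field_length >= 4)
        return MYSQL_TYPE_VAR_STRING;
    return MYSQL_TYPE_STRING;
}

// Hardened form: a missing share is treated like a missing table, so s is
// only dereferenced once both pointers are known to be non-NULL.
enum_field_types type_checked(const FieldString &f) {
    const TABLE_SHARE *share = f.orig_table ? f.orig_table->s : nullptr;
    if (share &&
        (share->db_create_options & HA_OPTION_PACK_RECORD) &&
        f.field_length >= 4)
        return MYSQL_TYPE_VAR_STRING;
    return MYSQL_TYPE_STRING;
}

// The three states a caller can meet (constructed fixtures).
static TABLE_SHARE g_packed_share   = { HA_OPTION_PACK_RECORD };
static TABLE       g_packed_table   = { &g_packed_share };
static TABLE       g_shareless_table = { nullptr };

FieldString field_with_share()    { return FieldString{ &g_packed_table, 10 }; }
FieldString field_without_share() { return FieldString{ &g_shareless_table, 10 }; }
FieldString field_without_table() { return FieldString{ nullptr, 10 }; }

int main() {
    std::printf("with share:    checked=%d unchecked=%d\n",
                type_checked(field_with_share()), type_unchecked(field_with_share()));
    std::printf("without table: checked=%d unchecked=%d\n",
                type_checked(field_without_table()), type_unchecked(field_without_table()));
    // type_unchecked(field_without_share()) is deliberately not called: it
    // reads through NULL, which is exactly the fault in the reporter's trace.
    std::printf("without share: checked=%d\n", type_checked(field_without_share()));
    return 0;
}
```

The check does not explain why a field's table lost its share in the first place, which is the question the thread leaves open; it only turns a crash in the optimizer into a conservative answer, and a fix in the server would still have to address where the share goes missing.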
[3 Sep 2008 14:40] MySQL Verification Team
See bug: http://bugs.mysql.com/bug.php?id=37284.
[5 Sep 2008 17:27] Valeriy Kravchuk
Please, inform about any results with Valgrind.
[5 Oct 2008 23:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".