Bug #4177 index_merge method use in subquery causes crash
Submitted: 17 Jun 2004 1:06 Modified: 21 Dec 2004 1:04
Reporter: Sergey Petrunya Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S2 (Serious)
Version:5.0-bk OS:
Assigned to: Sergey Petrunya CPU Architecture:Any

[17 Jun 2004 1:06] Sergey Petrunya
Description:
A query in which the index_merge access method is used inside a subquery may crash the server.

How to repeat:
run the following:

-- Outer table. Its four rows mean the IN-subquery in the final SELECT is
-- evaluated once per outer row, so the subquery's quick select is
-- reset() and re-run several times within a single statement (this is the
-- "for each subselect execution" loop described under "Suggested fix").
create table t0 (a int);
insert into t0 values (1),(2),(3),(4);

-- Inner table. Columns a, b and c each get their own single-column key;
-- the separate keys on a and b are what make the `a<3 or b< 3` predicate
-- eligible for the index_merge access method. The two char(255) filler
-- columns presumably just widen the rows so that index access is preferred
-- over a table scan -- TODO confirm against the EXPLAIN output.
drop table if exists t1;
create table t1 (
 a int,
 b int,
 c int,
 filler1 char(255),
 filler2 char(255),
 key (a),
 key (b),
 key (c)
);

-- Populate t1 with 10000 rows (a = b = c = i for i in 10000..1) via a
-- throw-away stored procedure; the procedure is dropped right after use.
-- `delimiter //` is a mysql client command, not SQL: it lets the
-- procedure body contain ';' without terminating the CREATE statement.
delimiter //
create procedure fill_t1 ()
begin
  declare i int default 10000;
  WHILE i > 0 DO
    insert into t1 values (i, i, i, 'filler1', 'filler2');
    SET i = i - 1;
  END WHILE;
end //
-- NOTE(review): `delimiter ;//` reads like a typo for `delimiter ;` (which
-- restores the default statement terminator) -- verify with the client
-- version used, since a delimiter of ";//" would leave the statements
-- below unterminated.
delimiter ;//

call fill_t1();
drop procedure fill_t1;

-- Reproduction. The IN-subquery's WHERE clause ORs range conditions on the
-- two separately indexed columns a and b, so the optimizer picks the
-- index_merge method for the subquery (the EXPLAIN shows the chosen plan).
-- The second statement actually executes the subquery once per row of t0;
-- the second reset() of the index_merge quick select dereferences an
-- invalid pointer and mysqld dies with SIGSEGV (see the backtrace below:
-- QUICK_INDEX_MERGE_SELECT::reset() at opt_range.cc:780).
-- Security note: this is an unauthenticated-input-free, query-only server
-- crash, i.e. any client that can run this SELECT against t0/t1 takes the
-- whole server down (denial of service), which is why it is rated S2.
explain select a, a in (select c from t1 where a<3 or b< 3) from t0;
select a, a in (select c from t1 where a<3 or b< 3) from t0;

Suggested fix:
In subselect queries, quick selects are used as follows:

quick= new QUICK_SOMETHING_SELECT()
quick->init();
for each subselect execution
{
  quick->reset(); 
  while (HA_ERR_END_OF_FILE != quick->get_next()) { ... };
}

index_merge quick selects are only able to handle the first iteration.

The fix is to make index_merge quick selects handle the above usage scenario.
[20 Jun 2004 4:43] MySQL Verification Team
Thank you for the bug report. Tested against latest BK 5.0 source tree:

/home/miguel/dbs/5.0/libexec/mysqld: ready for connections.
Version: '5.0.1-alpha-debug-log'  socket: '/home/miguel/dbs/5.0/mysql.sock'  port: 3306
[New Thread 147466 (LWP 529)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 147466 (LWP 529)]
0x081c89d4 in QUICK_INDEX_MERGE_SELECT::reset() (this=0x8531f08)
    at opt_range.cc:780
780       result= cur_quick_select->reset() || prepare_unique();
(gdb) backtrace full
#0  0x081c89d4 in QUICK_INDEX_MERGE_SELECT::reset() (this=0x8531f08)
    at opt_range.cc:780
        result = 0
        _db_func_ = 0x8544528 "hXT\b,îâCXUT\b"
        _db_file_ = 0x8544528 "hXT\b,îâCXUT\b"
        _db_level_ = 1138945684
        _db_framep_ = (char **) 0x8180141
#1  0x08197747 in join_init_read_record (tab=0x8545868) at sql_select.cc:7165
No locals.
#2  0x08196bbe in sub_select (join=0x8544528, join_tab=0x8545868,
    end_of_records=200) at sql_select.cc:6747
        error = 139745384
        found = false
        on_expr = (COND *) 0x0
        select_cond = (COND *) 0x8545c28
        report_error = (my_bool *) 0x85347e0 ""
#3  0x081968d1 in do_select (join=0x8544528, fields=0x8545868, table=0x0,
    procedure=0x0) at sql_select.cc:6655
        error = 0
        join_tab = (JOIN_TAB *) 0x8545868
        end_select = (int (*)(JOIN *, st_join_table *,
    bool)) 0x8197a80 <end_send>
        _db_func_ = 0x8192e05 "\213U\f\211Ð\215eô[^_]ÃU\211åWVS\203ì0\213}$\017¶u\030\215EÔP\215EÐP\215EÌP\215EÈPhâ\023"
---Type <return> to continue, or q <return> to quit---
        _db_file_ = 0x8540d78 "hd8\bh\rT\b\030@S\bà\fT\b"
        _db_level_ = 138210729
        _db_framep_ = (char **) 0x43e2efb4
#4  0x0818bc92 in JOIN::exec() (this=0x8544528) at sql_select.cc:1544
        tmp_error = 0
        _db_func_ = 0x43e2ef90 "8RT\b\220ïâCx\rT\bx\rT\b\bHS\bôïâCx\rT\b©í<\b4AS\bôïâC1\237\022\b(ET\bàïâCäïâC"
        _db_file_ = 0x8540d78 "hd8\bh\rT\b\030@S\bà\fT\b"
        _db_level_ = 139726200
        _db_framep_ = (char **) 0x8534808
        curr_join = (JOIN *) 0x8544528
        curr_all_fields = (List<Item> *) 0x8545238
        curr_fields_list = (List<Item> *) 0x85406c8
        curr_tmp_table = (TABLE *) 0x43e2efa0
#5  0x08129f31 in subselect_single_select_engine::exec() (this=0x8540d78)
    at item_subselect.cc:1206
        _db_func_ = 0x8540ad9 ""
        _db_file_ = 0x0
        _db_level_ = 4
        _db_framep_ = (char **) 0x43e2efe0
        save_where = 0x83ceda9 "order clause"
        save_select = (SELECT_LEX *) 0x8534134
#6  0x08126b63 in Item_subselect::exec() (this=0x8540ce0)
    at item_subselect.cc:188
---Type <return> to continue, or q <return> to quit---
        res = 139675656
        old_root = (MEM_ROOT *) 0x853402c
#7  0x08127e09 in Item_in_subselect::val_int() (this=0x8540ce0)
    at item_subselect.cc:591
No locals.
#8  0x080e3ee5 in Item::val_int_result() (this=0x0) at item.h:169
No locals.
#9  0x08100233 in Item_in_optimizer::val_int() (this=0x8541dc0)
    at item_cmpfunc.cc:550
        tmp = 593727242387849216
#10 0x080e19c9 in Item::send(Protocol*, String*) (this=0x8541dc0,
    protocol=0x8534808, buffer=0x43e2f11c) at item.cc:1718
        nr = 34499413984
        result = 8
        type = MYSQL_TYPE_LONGLONG
#11 0x0813f703 in select_send::send_data(List<Item>&) (this=0x8540f70,
    items=@0x853419c) at sql_class.cc:757
        li = {<base_list_iterator> = {list = 0x853419c, el = 0x8540d98,
    prev = 0x0, current = 0x0}, <No data fields>}
        protocol = (class Protocol *) 0x8534808
        buff = "8ñâC\000\000\000\000dñâC\214F\016\b\220\aS\bpAD\b\000\000\000\000\000\n\000@\000\000\000\000\000\000\020@ÿÿÿÿÿÿï\177\000\000\000\000\000\n\000@\002\000\000\000Õ1\030", '\0' <repea
es>, "\230\vT\b\177\a\177\003\024òâC\000\"T\b\001\000\000\000\000\000\000\000\204òâCKö\030\b\200\017T\b\000\"T\b\030@S\bÑn$@ô\017T\bÄ\025T\b\204òâCVù\030\b \016\000\000dòâChòâC\200\000\004"...
        buffer = {Ptr = 0x43e2f13c "8ñâC", str_length = 766,
  Alloced_length = 766, alloced = false, str_charset = 0x84297c0}
        _db_func_ = 0x43e2f108 "\024ñâC\bñâC"
        _db_file_ = 0x0
        _db_level_ = 138591452
        _db_framep_ = (char **) 0x43e2f114
        item = (class Item *) 0x85347e0
#12 0x08197b34 in end_send (join=0x8540f80, join_tab=0x8545418,
    end_of_records=false) at sql_select.cc:7327
        error = 0
        _db_func_ = 0x8535458 "\bm=\bXÙS\b US\b¨US\b\024"
        _db_file_ = 0x8535510 "ý\002"
        _db_level_ = 139726408
        _db_framep_ = (char **) 0x8540d9c
#13 0x08196c6c in sub_select (join=0x8540f80, join_tab=0x85452d8,
    end_of_records=200) at sql_select.cc:6771
        not_exists_optimize = false
        not_used_in_distinct = false
        found_records = 0
        info = (READ_RECORD *) 0x85452fc
        error = 0
---Type <return> to continue, or q <return> to quit---
        found = true
        on_expr = (COND *) 0x0
        select_cond = (COND *) 0x0
        report_error = (my_bool *) 0x85347e0 ""
#14 0x081968d1 in do_select (join=0x8540f80, fields=0x85452d8, table=0x0,
    procedure=0x0) at sql_select.cc:6655
        error = 0
        join_tab = (JOIN_TAB *) 0x85452d8
        end_select = (int (*)(JOIN *, st_join_table *,
    bool)) 0x8197a80 <end_send>
        _db_func_ = 0x8192e05 "\213U\f\211Ð\215eô[^_]ÃU\211åWVS\203ì0\213}$\017¶u\030\215EÔP\215EÐP\215EÌP\215EÈPhâ\023"
        _db_file_ = 0x8540f80 "ØRT\b,ôâC@#T\b"
        _db_level_ = 139673908
        _db_framep_ = (char **) 0x43e2f5b4
#15 0x0818bc92 in JOIN::exec() (this=0x8540f80) at sql_select.cc:1544
        tmp_error = 0
        _db_func_ = 0x43e2f5f4 "döâC9\210\030\b\030@S\b\034BS\bH\016T\b"
        _db_file_ = 0x818bfe5 "\203Ä0\205Àuw\203ì\fSèËÑÿÿ\203Ä\020\205Àug\213\207T\005"
        _db_level_ = 139726720
        _db_framep_ = (char **) 0x853421c
        curr_join = (JOIN *) 0x8540f80
        curr_all_fields = (List<Item> *) 0x8541c90
---Type <return> to continue, or q <return> to quit---
        curr_fields_list = (List<Item> *) 0x853419c
        curr_tmp_table = (TABLE *) 0x8540f80
#16 0x0818c03f in mysql_select(THD*, Item***, st_table_list*, unsigned, List<Item>&, Item*, unsigned, st_order*, st_order*, Item*, st_order*, unsigned long, select_result*, st_select_lex_unit*, s
    rref_pointer_array=0x853421c, tables=0x8540e48, wild_num=0,
    fields=@0x853419c, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0,
    proc_param=0x0, select_options=42224128, result=0x8540f70, unit=0x8534058,
    select_lex=0x8534134) at sql_select.cc:1664
        err = 1138947684
        free_join = true
        _db_func_ = 0x820189e "\215eô[^_]ÃU\211åWVS\201ìÀ"
        _db_file_ = 0x2ff <Address 0x2ff out of bounds>
        _db_level_ = 1138947612
        _db_framep_ = (char **) 0x43e2f620
        join = (JOIN *) 0x8540f80
#17 0x08188839 in handle_select(THD*, st_lex*, select_result*) (thd=0x8534018,
    lex=0x853404c, result=0x8540f70) at sql_select.cc:203
        unit = (SELECT_LEX_UNIT *) 0x8534058
        res = 139673688
        select_lex = (SELECT_LEX *) 0x8534134
        _db_func_ = 0x813f52b "\203Ä\020\211C\004\213]üÉÃU\211åS\203ì\020\213]\bÇ\003\b²8\bÿ5¼ÒB\b迤ùÿ\203Ä\020\211C\004\213]üÉÃU\211å\203ì\fÿu\020ÿu\f\213E\bÿp\004è\ai"
---Type <return> to continue, or q <return> to quit---
        _db_file_ = 0x1 <Address 0x1 out of bounds>
        _db_level_ = 12
        _db_framep_ = (char **) 0x53404c
#18 0x0816067a in mysql_execute_command(THD*) (thd=0x8534018)
    at sql_parse.cc:1986
        result = (class select_result *) 0x8540f70
        res = -1
        lex = (LEX *) 0x853404c
        tables = (TABLE_LIST *) 0x8540f08
        select_lex = (SELECT_LEX *) 0x8540f70
        unit = (SELECT_LEX_UNIT *) 0x8534058
        _db_func_ = 0x0
        _db_file_ = 0x0
        _db_level_ = 0
        _db_framep_ = (char **) 0x0
#19 0x081654b6 in mysql_parse(THD*, char*, unsigned) (thd=0x8534018,
    inBuf=0x8540510 "select a, a in (select c from t1 where a<3 or b< 3) from t0", length=139673676) at sql_parse.cc:4185
        lex = (LEX *) 0x853404c
        _db_func_ = 0x8534018 "H²8\b\030ÐB\b\034ÐB\bX²8\b@]T\b\030ET\b"
        _db_file_ = 0x3 <Address 0x3 out of bounds>
        _db_level_ = 139673624
        _db_framep_ = (char **) 0x43e2fdb4
#20 0x0815f489 in dispatch_command(enum_server_command, THD*, char*, unsigned)
---Type <return> to continue, or q <return> to quit---
    (command=COM_QUERY, thd=0x8534018, packet=0x8539d39 "", packet_length=60)
    at sql_parse.cc:1475
        net = (NET *) 0x8534578
        error = false
        _db_func_ = 0x3c <Address 0x3c out of bounds>
        _db_file_ = 0x3c <Address 0x3c out of bounds>
        _db_level_ = 1138949412
        _db_framep_ = (char **) 0x3c
        start_of_query = 139673624
#21 0x0815eede in do_command(THD*) (thd=0x8534018) at sql_parse.cc:1290
        packet = 0x8539d38 "\001"
        old_timeout = 30
        packet_length = 60
        net = (NET *) 0x8534578
        command = COM_QUERY
        _db_func_ = 0x813dd72 "\203Ä\020\213]üÉÃU\211åS\203ì\020\213]\bSèX"
        _db_file_ = 0x8535128 "H½S\b"
        _db_level_ = 8192
        _db_framep_ = (char **) 0x1000
#22 0x0815e4f3 in handle_one_connection (arg=0x0) at sql_parse.cc:1028
        error = 138237896
        net = (NET *) 0x8534578
        thd = (class THD *) 0x8534018
        launch_time = 0
---Type <return> to continue, or q <return> to quit---
        set = {__val = {0 <repeats 32 times>}}
#23 0x40044f60 in pthread_start_thread () from /lib/i686/libpthread.so.0
No symbol table info available.
#24 0x400450fe in pthread_start_thread_event () from /lib/i686/libpthread.so.0
No symbol table info available.
#25 0x402ae327 in clone () from /lib/i686/libc.so.6
No symbol table info available.
[21 Nov 2004 8:52] Sergey Petrunya
bk commit - 5.0 tree (sergefp:1.1646) BUG#4177
[21 Dec 2004 1:04] Sergey Petrunya
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html