Bug #51979 Union/intersection of polygons crashes mysql
Submitted: 12 Mar 2010 9:01
Modified: 7 Dec 2011 3:11
Reporter: John Powell
Status: Closed
Category: MySQL Server: GIS
Severity: S2 (Serious)
Version: 5.6.99-m4
OS: Linux (Ubuntu and centos)
Assigned to: Alexey Botchkov
CPU Architecture: Any
Tags: crash, gis, intersection, polygon, UNION

[12 Mar 2010 9:01] John Powell
Description:
Union and intersection functions crash mysql, even on a small table.

stack_bottom = 0xa18fef78 thread_stack 0x30000
/usr/local/mysql-5.1-gis/libexec/mysqld(my_print_stacktrace+0x22) [0x84f7d5c]
/usr/local/mysql-5.1-gis/libexec/mysqld(handle_segfault+0x263) [0x81f12f0]
[0xb7f51400]
/usr/local/mysql-5.1-gis/libexec/mysqld(strmake_root+0x21) [0x84e45f6]
/usr/local/mysql-5.1-gis/libexec/mysqld(sys_var_log_output::value_ptr(THD*, enum_var_type, st_mysql_lex_string*)+0xd6) [0x82199dc]
/usr/local/mysql-5.1-gis/libexec/mysqld [0x833491e]
/usr/local/mysql-5.1-gis/libexec/mysqld(fill_variables(THD*, TABLE_LIST*, Item*)+0xeb) [0x8334da8]
/usr/local/mysql-5.1-gis/libexec/mysqld(get_schema_tables_result(JOIN*, enum_schema_table_state)+0x1de) [0x832a66c]

How to repeat:
Load the subset table, created from mysqldump as subset.sql, which has been ftp'd.

mysql> set @bbox=geomfromtext('POLYGON((525000 183300,525400 183300,525400 183700,525000 183700,525000 183300))');

Any of the following queries will crash mysql with the error:
ERROR 2013 (HY000): Lost connection to MySQL server during query

mysql> select astext(union(@bbox, geom)) from subset where mbrintersects(@bbox, geom);

mysql> select astext(union(@bbox, geom)) from subset where intersects(@bbox, geom);

mysql> select geometrytype(union(@bbox, geom)) from subset where mbrintersects(@bbox, geom);

mysql> select area(union(@bbox, geom)) from subset where mbrintersects(@bbox, geom);

mysql> select astext(intersection(@bbox, geom)) from subset where mbrintersects(@bbox, geom);

There is already a bug for similar problems with intersection function, http://bugs.mysql.com/bug.php?id=47429, but I included it here again for completeness.
[12 Mar 2010 9:02] John Powell
subset.sql to create table for example

Attachment: subset.zip (application/zip, text), 169.78 KiB.

[12 Mar 2010 12:47] MySQL Verification Team
100312  9:45:38 [Note] Event Scheduler: Loaded 0 events
100312  9:45:38 [Note] 5gis/libexec/mysqld: ready for connections.
Version: '5.1.43-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
100312  9:46:52 - mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8384512
read_buffer_size=131072
max_used_connections=1
max_threads=151
threads_connected=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 338308 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0x22a4bc8
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f1a0c307eb8 thread_stack 0x40000
5gis/libexec/mysqld(my_print_stacktrace+0x35)[0xb31d97]
5gis/libexec/mysqld(handle_segfault+0x288)[0x6bc9b3]
/lib64/libpthread.so.0[0x3d37c0f0f0]
/lib64/libc.so.6[0x3d37483698]
/lib64/libc.so.6(memmove+0x17a)[0x3d37481aaa]
5gis/libexec/mysqld(_ZN21gcalc_result_receiver9move_holeEjjPj+0xc7)[0x8dd1e7]
5gis/libexec/mysqld(_ZN23gcalc_operation_reducer10get_resultEP21gcalc_result_receiver+0x140)[0x8de9de]
5gis/libexec/mysqld(_ZN27Item_func_spatial_operation7val_strEP6String+0x3c3)[0x67300d]
5gis/libexec/mysqld(_ZN16Item_func_as_wkt7val_strEP6String+0x70)[0x670b52]
5gis/libexec/mysqld(_ZN4Item4sendEP8ProtocolP6String+0x88)[0x5f0140]
5gis/libexec/mysqld(_ZN11select_send9send_dataER4ListI4ItemE+0x135)[0x6a3c09]
5gis/libexec/mysqld[0x75a373]
5gis/libexec/mysqld[0x7583b7]
5gis/libexec/mysqld(_Z10sub_selectP4JOINP13st_join_tableb+0x17a)[0x75805c]
5gis/libexec/mysqld[0x757b66]
5gis/libexec/mysqld(_ZN4JOIN4execEv+0x26bc)[0x740a68]
5gis/libexec/mysqld(_Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x343)[0x741200]
5gis/libexec/mysqld(_Z13handle_selectP3THDP6st_lexP13select_resultm+0x1c6)[0x739132]
5gis/libexec/mysqld[0x6d7d73]
5gis/libexec/mysqld(_Z21mysql_execute_commandP3THD+0x8e5)[0x6cedc2]
5gis/libexec/mysqld(_Z11mysql_parseP3THDPKcjPS2_+0x2c2)[0x6da1a9]
5gis/libexec/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcj+0xd60)[0x6cc6a5]
5gis/libexec/mysqld(_Z10do_commandP3THD+0x27e)[0x6cb64e]
5gis/libexec/mysqld(handle_one_connection+0x14e)[0x6c999d]
/lib64/libpthread.so.0[0x3d37c06a3a]
/lib64/libc.so.6(clone+0x6d)[0x3d374de67d]
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0x7f19f8004b88 is an invalid pointer
thd->thread_id=1
thd->killed=NOT_KILLED
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
[miguel@tikal dbs]$
[12 Mar 2010 12:49] MySQL Verification Team
Thank you for the bug report.
[7 Dec 2011 3:11] Paul DuBois
Noted in 5.6.3 changelog.

Spatial operations on certain corner cases could cause a server
crash: Polygons with zero-point linerings; polygons with touching
linerings.
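
A pre-screen for the two corner cases named in the 5.6.3 changelog note, as an added example that is not part of the bug report or of MySQL's fix: it parses polygon WKB (the form AsBinary() returns) and flags zero-point rings and touching rings. All function names are hypothetical, only little-endian WKB is handled, and "touching" is assumed to mean a vertex of one ring lying on an edge of another.

```python
import struct

def parse_wkb_polygon(wkb):
    """Return the rings of a little-endian WKB Polygon as (x, y) lists."""
    if len(wkb) < 9 or struct.unpack_from("<BI", wkb) != (1, 3):
        raise ValueError("not a little-endian WKB Polygon")
    (nrings,) = struct.unpack_from("<I", wkb, 5)
    off, rings = 9, []
    for _ in range(nrings):
        if off + 4 > len(wkb):
            raise ValueError("ring count exceeds buffer")
        (npoints,) = struct.unpack_from("<I", wkb, off)
        if off + 4 + 16 * npoints > len(wkb):
            raise ValueError("point count exceeds buffer")
        xy = struct.unpack_from("<%dd" % (2 * npoints), wkb, off + 4)
        off += 4 + 16 * npoints
        rings.append(list(zip(xy[0::2], xy[1::2])))
    return rings

def _on_segment(p, a, b):
    # True if p lies on the closed segment a-b (exact comparison).
    cross = (b[0] - a[0]) * (p[1] - a[1]) - (b[1] - a[1]) * (p[0] - a[0])
    return (cross == 0 and min(a[0], b[0]) <= p[0] <= max(a[0], b[0])
            and min(a[1], b[1]) <= p[1] <= max(a[1], b[1]))

def _touches(r1, r2):
    # Assumed meaning of "touching": a vertex of r1 lies on an edge of r2.
    return any(_on_segment(p, a, b) for p in r1 for a, b in zip(r2, r2[1:]))

def corner_cases(wkb):
    """List the changelog's two corner cases found in one WKB polygon."""
    rings = parse_wkb_polygon(wkb)
    found = ["ring %d has zero points" % i for i, r in enumerate(rings) if not r]
    for i in range(len(rings)):
        for j in range(i + 1, len(rings)):
            if _touches(rings[i], rings[j]) or _touches(rings[j], rings[i]):
                found.append("rings %d and %d touch" % (i, j))
    return found

def make_wkb(rings):  # builds constructed sample input (little-endian WKB)
    out = struct.pack("<BII", 1, 3, len(rings))
    for r in rings:
        out += struct.pack("<I%dd" % (2 * len(r)), len(r), *sum(r, ()))
    return out

# Outer ring is the @bbox polygon from the report; the hole is constructed.
BBOX = [(525000, 183300), (525400, 183300), (525400, 183700),
        (525000, 183700), (525000, 183300)]
HOLE = [(525000, 183500), (525100, 183400), (525100, 183600), (525000, 183500)]
```

Calling `corner_cases(make_wkb([BBOX, HOLE]))` reports the hole touching the outer ring. The exact comparison suits integer-valued coordinates like those in the report and would need a tolerance for arbitrary floating-point data.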