Bug #52122 crash when converting derived table column to decimal
Submitted: 17 Mar 2010 3:29
Modified: 12 Apr 2010 14:28
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Duplicate
Category: MySQL Server: DML
Severity: S1 (Critical)
Version: 5.6.99-m4-debug, mysql-6.0-codebase
OS: Any
Assigned to: Assigned Account
CPU Architecture: Any
Tags: regression

[17 Mar 2010 3:29] Shane Bester
Description:
Version: '5.6.99-m4-debug'  socket: ''  port: 3306  Source distribution
100317  5:28:24 - mysqld got exception 0xc0000005 ;

mysqld.exe!decimal2string()[decimal.c:387]
mysqld.exe!decimal2double()[decimal.c:954]
mysqld.exe!my_decimal2double()[my_decimal.h:314]
mysqld.exe!Item_cache_decimal::val_real()[item.cc:7508]
mysqld.exe!Item_func_plus::real_op()[item_func.cc:1094]
mysqld.exe!Item_func_numhybrid::val_int()[item_func.cc:829]
mysqld.exe!Item_func_trig_cond::val_int()[item_cmpfunc.h:434]
mysqld.exe!Item::val_bool()[item.cc:184]
mysqld.exe!Item_cond_and::val_int()[item_cmpfunc.cc:4389]
mysqld.exe!evaluate_join_record()[sql_select.cc:11522]
mysqld.exe!sub_select()[sql_select.cc:11473]
mysqld.exe!do_select()[sql_select.cc:11225]
mysqld.exe!JOIN::exec()[sql_select.cc:2311]
mysqld.exe!st_select_lex_unit::exec()[sql_union.cc:514]
mysqld.exe!mysql_union()[sql_union.cc:34]
mysqld.exe!handle_select()[sql_select.cc:249]
mysqld.exe!execute_sqlcom_select()[sql_parse.cc:4703]
mysqld.exe!mysql_execute_command()[sql_parse.cc:2191]
mysqld.exe!mysql_parse()[sql_parse.cc:5735]
mysqld.exe!dispatch_command()[sql_parse.cc:1024]
mysqld.exe!do_command()[sql_parse.cc:710]
mysqld.exe!do_handle_one_connection()[sql_connect.cc:1174]
mysqld.exe!handle_one_connection()[sql_connect.cc:1113]
mysqld.exe!pthread_start()[my_winthread.c:61]
mysqld.exe!_callthreadstartex()[threadex.c:348]
mysqld.exe!_threadstartex()[threadex.c:331]
kernel32.dll!FlsSetValue()

How to repeat:
.
[17 Mar 2010 4:05] MySQL Verification Team
#testcase (run in valgrind if no crash, or run multiple times)

set sql_mode='';
drop table if exists t25,t99;
create table `t25` (
  `col0` varchar(139),
  `col1` bit(57)
) engine=myisam default charset=latin1;

create table `t99` (
  `col0` year(4),
  `col3` timestamp
) engine=myisam ;

insert into `t25` values ('0','\0\0\0\0\0\0\0\0');
insert into `t25` values ('',null);
insert into `t99` values (2010,'2010-03-16 23:14:31');
insert into `t99` values (2010,'2010-03-16 23:14:31');

select 1 from t25 as t25 
right outer join
(
    select `t99`.`col0` as col0 
    from
      t99 as t99 
      right join t25
      using(col0)
      group by t99.col3
) as d_2277_1_134  
on from_days(t25.col1) + cast(d_2277_1_134.col0 as decimal);
[17 Mar 2010 4:09] MySQL Verification Team
valgrind errors after a few executions of testcase

Attachment: bug52122_5.6.99-m4-valgrind-output.txt (text/plain), 89.67 KiB.

[17 Mar 2010 4:24] Valeriy Kravchuk
Verified just as described also with mysql-6.0-codebase on Mac OS X:

...
thd: 0x1a5e018
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0xb0c2ef34 thread_stack 0x30c00
0   mysqld                              0x005d7722 my_print_stacktrace + 44
1   mysqld                              0x001096d4 handle_segfault + 884
2   libSystem.B.dylib                   0x940472bb _sigtramp + 43
3   ???                                 0xffffffff 0x0 + 4294967295
4   mysqld                              0x005959c1 decimal2double + 80
5   mysqld                              0x00039298 _Z17my_decimal2doublejPK10my_decimalPd + 24
6   mysqld                              0x0002506a _ZN18Item_cache_decimal8val_realEv + 184
7   mysqld                              0x00049c91 _ZN14Item_func_plus7real_opEv + 77
8   mysqld                              0x00053a43 _ZN19Item_func_numhybrid7val_intEv + 335
9   mysqld                              0x000b2a53 _ZN19Item_func_trig_cond7val_intEv + 47
10  mysqld                              0x0019e97d _Z18do_sj_dups_weedoutP3THDP12SJ_TMP_TABLE + 1121
11  mysqld                              0x0019ef14 _Z10sub_selectP4JOINP13st_join_tableb + 454
12  mysqld                              0x001ac99e _ZN4JOIN9join_freeEv + 1572
13  mysqld                              0x001c65c7 _ZN4JOIN4execEv + 8997
14  mysqld                              0x001c0d1b _Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select_lex + 797
15  mysqld                              0x001c691c _Z13handle_selectP3THDP3LEXP13select_resultm + 556
16  mysqld                              0x0011c9da _Z15update_precheckP3THDP10TABLE_LIST + 1072
17  mysqld                              0x0011ea1d _Z21mysql_execute_commandP3THD + 3137
18  mysqld                              0x0012760d _Z11mysql_parseP3THDPKcjPS2_ + 723
19  mysqld                              0x0012820e _Z16dispatch_command19enum_server_commandP3THDPcj + 2618
20  mysqld                              0x00129659 _Z10do_commandP3THD + 621
21  mysqld                              0x00114f7e _Z24do_handle_one_connectionP3THD + 414
22  mysqld                              0x00115043 handle_one_connection + 37
23  libSystem.B.dylib                   0x9400c095 _pthread_start + 321
24  libSystem.B.dylib                   0x9400bf52 thread_start + 34
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0x1a86e28 = select 1 from t25 as t25 
right outer join
(
    select `t99`.`col0` as col0 
    from
      t99 as t99 
      right join t25
      using(col0)
      group by t99.col3
) as d_2277_1_134  
on from_days(t25.col1) + cast(d_2277_1_134.col0 as decimal)
[29 Mar 2010 19:30] Guilhem Bichot
Regression source is the same as for BUG#52168:

epotemkin@mysql.com-20091201212551-amf9utmatlvsbbar
(was fix for Bug#33546: Slowdown on re-evaluation of constant expressions)
[30 Mar 2010 11:28] Manyi Lu
See also 52168
[12 Apr 2010 14:28] Øystein Grøvlen
This is the same issue as Bug#52168 except that here the offending function is
Item_cache_decimal::val_real(), instead of Item_cache_decimal::val_int().
I will fix both issues as part of Bug#52168, and include the following simplified test case for the val_real() issue:

create table t1 (col0 integer, col1 real);
create table t2 (col0 integer);

insert into t1 values (0, 0.0), (null, null);
insert into t2 values (1);

select 1 from t1 
join
( 
  select t2.col0 from t2 right join t1 using(col0) 
  group by t2.col0
) as subq  
where t1.col1 + cast(subq.col0 as decimal);

drop table t1, t2;
[15 Jun 2010 8:12] Bugs System
Pushed into 5.5.5-m3 (revid:alik@sun.com-20100615080459-smuswd9ooeywcxuc) (version source revid:mmakela@bk-internal.mysql.com-20100415070122-1nxji8ym4mao13ao) (merge vers: 5.1.47) (pib:16)
[15 Jun 2010 8:27] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100615080558-cw01bzdqr1bdmmec) (version source revid:mmakela@bk-internal.mysql.com-20100415070122-1nxji8ym4mao13ao) (pib:16)