MySQL Bugs: #52345: Segfault in join_read_next_same (info=0x94fa078) at sql

Bug #52345	Segfault in join_read_next_same (info=0x94fa078) at sql_select.cc:11980
Submitted:	24 Mar 2010 20:57	Modified:	26 Mar 2010 15:48
Reporter:	Patrick Crews	Email Updates:
Status:	Duplicate	Impact on me:	None
Category:	MySQL Server: Optimizer	Severity:	S3 (Non-critical)
Version:	5.1	OS:	Any
Assigned to:		CPU Architecture:	Any
Tags:	crashing bug, regression, segfault

Description:
Crash segfault in 5.1-bugteam.
Not present in 6.0-codebase-bugfixing.  Simplified query does not produce a crash in 5.0.
Does not appear to be affected by the variable settings included in the test case.

Crashing query:
SELECT  SUM( `col_varchar_key`  )  
FROM C  
HAVING (  4  ,  3  )  IN (  
SELECT SUBQUERY3_t2 .`col_int_nokey`  , SUBQUERY3_t2 .`col_int_key`  
FROM C SUBQUERY3_t1  JOIN C SUBQUERY3_t2  ON SUBQUERY3_t1 .`col_varchar_key`  )   ;

Partial stacktrace (full output attached as separate file):
Thread 1 (Thread 17836):
#0  0x00a4b422 in __kernel_vsyscall ()
#1  0x009b1e93 in __pthread_kill (threadid=3069025136, signo=11) at ../nptl/sysdeps/unix/sysv/linux/pthread_kill.c:64
#2  0x08cbd8a6 in my_write_core (sig=11) at stacktrace.c:329
#3  0x083cfad2 in handle_segfault (sig=11) at mysqld.cc:2570
#4  <signal handler called>
#5  0x085096d9 in join_read_next_same (info=0xa9fe078) at sql_select.cc:11980
#6  0x085065a0 in sub_select (join=0xa9fcd48, join_tab=0xa9fe038, end_of_records=false) at sql_select.cc:11316
#7  0x08505a33 in do_select (join=0xa9fcd48, fields=0xa9f08ac, table=0x0, procedure=0x0) at sql_select.cc:11067
#8  0x084db4a6 in JOIN::exec (this=0xa9fcd48) at sql_select.cc:2315
#9  0x0833453a in subselect_single_select_engine::exec (this=0xa9f15f8) at item_subselect.cc:1972
#10 0x08328ad1 in Item_subselect::exec (this=0xa9f1548) at item_subselect.cc:265
#11 0x0832cb80 in Item_in_subselect::val_bool (this=0xa9f1548) at item_subselect.cc:865
#12 0x0823e536 in Item::val_bool_result (this=0xa9f1548) at item.h:745
#13 0x082a4086 in Item_in_optimizer::val_int (this=0xa9f1818) at item_cmpfunc.cc:1833
#14 0x084f32fd in return_zero_rows (join=0xa9fad60, result=0xa9f1690, tables=0xa9f04d0, fields=..., send_row=true, 
    select_options=2147764736, info=0x8ea80c8 "Impossible HAVING noticed after reading const tables", having=0xa9f1818) at sql_select.cc:7269
#15 0x084d7bf2 in JOIN::exec (this=0xa9fad60) at sql_select.cc:1834
#16 0x084dc3dd in mysql_select (thd=0xa99e7d8, rref_pointer_array=0xa99fc78, tables=0xa9f04d0, wild_num=0, fields=..., conds=0x0, og_num=0, 
    order=0x0, group=0x0, having=0xa9f1548, proc_param=0x0, select_options=2147764736, result=0xa9f1690, unit=0xa99f910, 
    select_lex=0xa99fb80) at sql_select.cc:2510
#17 0x084cd9c5 in handle_select (thd=0xa99e7d8, lex=0xa99f8b4, result=0xa9f1690, setup_tables_done_option=0) at sql_select.cc:269
#18 0x08408425 in execute_sqlcom_select (thd=0xa99e7d8, all_tables=0xa9f04d0) at sql_parse.cc:5052
#19 0x083f5598 in mysql_execute_command (thd=0xa99e7d8) at sql_parse.cc:2248
#20 0x0840cb28 in mysql_parse (thd=0xa99e7d8, 
    inBuf=0xa9f0058 "SELECT  SUM( `col_varchar_key`  )  \nFROM C  \nHAVING (  4  ,  3  )  IN (  \nSELECT SUBQUERY3_t2 .`col_int_nokey`  , SUBQUERY3_t2 .`col_int_key`  \nFROM C SUBQUERY3_t1  JOIN C SUBQUERY3_t2  ON SUBQUERY3_t"..., length=223, found_semicolon=0xb6ed9058)
    at sql_parse.cc:5971
#21 0x083f09d8 in dispatch_command (command=COM_QUERY, thd=0xa99e7d8, 
    packet=0xa9e4111 "SELECT  SUM( `col_varchar_key`  )  \nFROM C  \nHAVING (  4  ,  3  )  IN (  \nSELECT SUBQUERY3_t2 .`col_int_nokey`  , SUBQUERY3_t2 .`col_int_key`  \nFROM C SUBQUERY3_t1  JOIN C SUBQUERY3_t2  ON SUBQUERY3_t"..., packet_length=226) at sql_parse.cc:1233
#22 0x083eec2f in do_command (thd=0xa99e7d8) at sql_parse.cc:874
#23 0x083eb29b in handle_one_connection (arg=0xa99e7d8) at sql_connect.cc:1127
#24 0x009ac80e in start_thread (arg=0xb6ed9b70) at pthread_create.c:300
#25 0x0029a8de in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

How to repeat:
MTR test case
#/* Server0: MySQL 5.1.46-gcov-debug-log */

/*!50400 SET SESSION optimizer_switch = 'index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on' */;
/*!50400 SET SESSION engine_condition_pushdown = 'ON' */;

#/* Begin test case for query 0 */

--disable_warnings
DROP TABLE /*! IF EXISTS */ C;
--enable_warnings

CREATE TABLE `C` (
  `col_int_nokey` int(11) DEFAULT NULL,
  `col_int_key` int(11) DEFAULT NULL,
  `col_varchar_key` varchar(1) DEFAULT NULL,
  KEY `col_int_key` (`col_int_key`),
  KEY `col_varchar_key` (`col_varchar_key`,`col_int_key`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
INSERT INTO `C` VALUES (NULL,2,'w');
INSERT INTO `C` VALUES (7,9,'m');
INSERT INTO `C` VALUES (9,3,'m');
INSERT INTO `C` VALUES (7,9,'k');
INSERT INTO `C` VALUES (4,NULL,'r');
INSERT INTO `C` VALUES (2,9,'t');
INSERT INTO `C` VALUES (6,3,'j');
INSERT INTO `C` VALUES (8,8,'u');
INSERT INTO `C` VALUES (NULL,8,'h');
INSERT INTO `C` VALUES (5,53,'o');
INSERT INTO `C` VALUES (NULL,0,NULL);
INSERT INTO `C` VALUES (6,5,'k');
INSERT INTO `C` VALUES (188,166,'e');
INSERT INTO `C` VALUES (2,3,'n');
INSERT INTO `C` VALUES (1,0,'t');
INSERT INTO `C` VALUES (1,1,'c');
INSERT INTO `C` VALUES (0,9,'m');
INSERT INTO `C` VALUES (9,5,'y');
INSERT INTO `C` VALUES (NULL,6,'f');
INSERT INTO `C` VALUES (4,2,'d');

 
SELECT  SUM( `col_varchar_key`  )  
FROM C  
HAVING (  4  ,  3  )  IN (  
SELECT SUBQUERY3_t2 .`col_int_nokey`  , SUBQUERY3_t2 .`col_int_key`  
FROM C SUBQUERY3_t1  JOIN C SUBQUERY3_t2  ON SUBQUERY3_t1 .`col_varchar_key`  )   ;

DROP TABLE C;
#/* End of test case for query 0 */

Full crash output

Attachment: bug52345_backtrace.txt (text/plain), 11.02 KiB.

Full MTR test with original and simplified queries

Attachment: bug52345_test.txt (text/plain), 4.26 KiB.

Fix for Bug#52336 - Segfault / crash in 5.1 copy_fields (param=0x9872980) at sql_select.cc:15355 also corrects this issue.