Bug #57321 crashes and valgrind errors from spatial types
Submitted: 7 Oct 2010 17:06 Modified: 18 Jan 2011 20:10
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category:MySQL Server: GIS Severity:S1 (Critical)
Version:5.1.52, 5.1.53, 5.5.8 OS:Any
Assigned to: Alexey Botchkov CPU Architecture:Any
Tags: crash, valgrind
Triage: Triaged: D1 (Critical)

[7 Oct 2010 17:06] Shane Bester
Description:
This scenario causes many crashes and 4GB memory allocations in random tests.  Run standalone, there will probably just be valgrind warnings:

5.1.53 valgrind output:
Conditional jump or move depends on uninitialised value(s)
at: my_malloc (my_malloc.c:32)
by: _mi_write_blob_record (mi_dynrec.c:293)
by: mi_write (mi_write.c:146)
by: ha_myisam::write_row (ha_myisam.cc:780)
by: handler::ha_write_row (handler.cc:4654)
by: select_union::send_data (sql_union.cc:64)
by: end_send (sql_select.cc:12316)
by: evaluate_join_record (sql_select.cc:11536)
by: sub_select (sql_select.cc:11410)
by: do_select (sql_select.cc:11168)
by: JOIN::exec (sql_select.cc:2331)
by: mysql_select (sql_select.cc:2534)
by: mysql_derived_filling (sql_derived.cc:294)
by: mysql_handle_derived (sql_derived.cc:56)
by: open_and_lock_tables_derived (sql_base.cc:5054)
by: open_and_lock_tables (mysql_priv.h:1522)
by: execute_sqlcom_select (sql_parse.cc:5092)
by: mysql_execute_command (sql_parse.cc:2292)
by: mysql_parse (sql_parse.cc:6051)
by: dispatch_command (sql_parse.cc:1260)
by: do_command (sql_parse.cc:888)
by: handle_one_connection (sql_connect.cc:1136)
by: start_thread (pthread_create.c:301)

How to repeat:
#run mysqld in valgrind:

drop table if exists `t1`;
create table `t1`(`a` polygon NOT NULL)engine=myisam;
insert into `t1` values (geomfromtext("point(0 1)"));
insert into `t1` values (geomfromtext("point(1 0)"));
select * from (select polygon(`t1`.`a`) as `p` from `t1` order by `t1`.`a`) `d`;
[7 Oct 2010 17:08] Shane Bester
Full outputs from valgrind

Attachment: bug57321_5.1.53_valgrind_output.txt (text/plain), 27.72 KiB.

[7 Oct 2010 17:20] Shane Bester
This is a serious 5.1 bug. It manifests itself in many different ways, for example:

drop table if exists `t1`;
create table `t1`(`a` polygon NOT NULL)engine=myisam;
insert into `t1` values (geomfromtext("point(0 1)"));
insert into `t1` values (geomfromtext("point(1 0)"));
select group_concat(distinct polygon(`t1`.`a`)) from `t1` order by `t1`.`a`;

Conditional jump or move depends on uninitialised value(s)
at 0x5B3502: group_concat_key_cmp_with_distinct (item_sum.cc:2818)
by 0x9DAEF5: tree_insert (tree.c:210)
by 0x5B7C60: Unique::unique_add (sql_class.h:2960)
by 0x5B4526: Item_func_group_concat::add (item_sum.cc:3150)
by 0x70B716: update_sum_func (sql_select.cc:15817)
by 0x70267B: end_send_group (sql_select.cc:12481)
....

So, I have to disable all spatial columns in 5.1 testing until this is fixed.
[7 Oct 2010 17:37] Valeriy Kravchuk
Yet another result of this bug:

macbook-pro:5.1 openxs$ bin/mysql -uroot test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.1.52-debug Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> drop table if exists `t1`;
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> create table `t1`(`a` polygon NOT NULL)engine=myisam;
Query OK, 0 rows affected (0.06 sec)

mysql> insert into `t1` values (geomfromtext("point(0 1)"));
Query OK, 1 row affected (0.01 sec)

mysql> insert into `t1` values (geomfromtext("point(1 0)"));
Query OK, 1 row affected (0.00 sec)

mysql> select * from (select polygon(`t1`.`a`) as `p` from `t1` order by `t1`.`a`) `d`;
ERROR 1041 (HY000): Out of memory; check if mysqld or some other process uses all available memory; if not, you may have to use 'ulimit' to allow mysqld to use more memory or you can add more swap space
[15 Nov 2010 18:30] Shane Bester
Affects 5.5.8 also. Please fix so that further testing might be possible.

drop table if exists `t`;
create table `t`(`a` linestring not null,`b` int) engine=myisam;
insert into t set a=geomfromtext("point(1 1)"),b=0;
insert into t set a=geomfromtext("point(1 1)"),b=0;
select multipolygon(`a`) from `t` group by `b`;

Version: '5.5.8-rc-valgrind-max-debug'  socket: '/tmp/mysql.sock'  port: 3307  Source distribution
Conditional jump or move depends on uninitialised value(s)
at : my_malloc (my_malloc.c:35)
by : _mi_write_blob_record (mi_dynrec.c:286)
by : mi_write (mi_write.c:141)
by : ha_myisam::write_row(unsigned char*) (ha_myisam.cc:788)
by : handler::ha_write_row(unsigned char*) (handler.cc:4733)
by : select_union::send_data(List<Item>&) (sql_union.cc:67)
<cut>
[29 Dec 2010 17:45] Alexey Botchkov
Item_func_spatial_collection::fix_length_and_dec didn't call the parent's method, so
maybe_null was set to '0' after it. But in this case the result was
just NULL, which caused wrong behaviour.

Proposed fix:

=== modified file 'sql/item_geofunc.h'
--- sql/item_geofunc.h  2010-09-09 12:43:45 +0000
+++ sql/item_geofunc.h  2010-01-29 16:29:15 +0000
@@ -181,6 +181,7 @@ public:
   String *val_str(String *);
   void fix_length_and_dec()
   {
+    Item_geometry_func::fix_length_and_dec();
     for (unsigned int i= 0; i < arg_count; ++i)
     {
       if (args[i]->fixed && args[i]->field_type() != MYSQL_TYPE_GEOMETRY)
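Review bot: the new Item_geometry_func::fix_length_and_dec() call sits at the top of the override, before the argument loop, which is the right order: whatever the loop sets afterwards takes precedence instead of being clobbered by the parent. Because the missing call was silent (it compiled, and only valgrind noticed), a one-line comment naming Bug #57321 next to the added line would keep a later refactor from dropping it again. Also, the `+++` timestamp (2010-01-29) is earlier than the `---` timestamp (2010-09-09), so the header dates look mistyped.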

and tests added:

=== modified file 'mysql-test/r/gis.result'
--- mysql-test/r/gis.result     2010-09-29 14:26:32 +0000
+++ mysql-test/r/gis.result     2010-01-29 16:43:14 +0000
@@ -1014,6 +1014,14 @@ SET @a=0x0000000003000000010000000000000
 SET @a=POLYFROMWKB(@a);
 SET @a=0x00000000030000000000000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440;
 SET @a=POLYFROMWKB(@a);
+create table t1(a polygon NOT NULL)engine=myisam;
+insert into t1 values (geomfromtext("point(0 1)"));
+insert into t1 values (geomfromtext("point(1 0)"));
+select * from (select polygon(t1.a) as p from t1 order by t1.a) d;
+p
+NULL
+NULL
+drop table t1;
 End of 5.1 tests
 CREATE TABLE t1(
 col0 BINARY NOT NULL,
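Review bot: the expected rows are NULL, NULL, which matches the analysis that polygon() over a POINT yields NULL rather than a value, but nothing in this block ties those two rows back to the bug, since the comment header in gis.test is not echoed into the result. An `--echo # Bug #57321 crashes and valgrind errors from spatial types` line in the .test, in the style of the existing `--echo End of 5.1 tests`, would make this .result block self-documenting.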

=== modified file 'mysql-test/t/gis.test'
--- mysql-test/t/gis.test       2010-09-29 14:26:32 +0000
+++ mysql-test/t/gis.test       2010-01-29 16:43:03 +0000
@@ -747,6 +747,16 @@ SET @a=0x0000000003000000000000000000000
 SET @a=POLYFROMWKB(@a);

+#
+# Bug #57321    crashes and valgrind errors from spatial types
+#
+
+create table t1(a polygon NOT NULL)engine=myisam;
+insert into t1 values (geomfromtext("point(0 1)"));
+insert into t1 values (geomfromtext("point(1 0)"));
+select * from (select polygon(t1.a) as p from t1 order by t1.a) d;
+drop table t1;
+
 --echo End of 5.1 tests

 #
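Review bot: only the derived-table form of the report is covered here; the `select group_concat(distinct polygon(t1.a)) from t1 order by t1.a` and `select multipolygon(a) from t group by b` statements from the later comments reach the NULL result through Unique::unique_add / update_sum_func rather than select_union::send_data, so adding both statements (with their expected output in gis.result) would guard those paths against a regression as well.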
[12 Jan 2011 14:33] Bugs System
Pushed into mysql-5.1 5.1.55 (revid:holyfoot@mysql.com-20110112130241-50lwmhq562otxw31) (version source revid:holyfoot@mysql.com-20110112130241-50lwmhq562otxw31) (merge vers: 5.1.55) (pib:24)
[12 Jan 2011 14:39] Bugs System
Pushed into mysql-5.5 5.5.9 (revid:holyfoot@mysql.com-20110112131131-72rcqbv2vvs2etli) (version source revid:holyfoot@mysql.com-20110112131131-72rcqbv2vvs2etli) (merge vers: 5.5.9) (pib:24)
[12 Jan 2011 17:30] Bugs System
Pushed into mysql-trunk 5.6.2 (revid:epotemkin@mysql.com-20110112172453-d202wpy4h3s11dys) (version source revid:epotemkin@mysql.com-20110112172453-d202wpy4h3s11dys) (merge vers: 5.6.2) (pib:24)
[18 Jan 2011 20:10] Paul Dubois
Noted in 5.1.55, 5.5.9 changelogs.

NULL geometry values could cause a crash in
Item_func_spatial_collection::fix_length_and_dec.
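The class of defect Alexey's analysis describes, as an added C++ model that is not MySQL source code (the Item, max_length and Spatial_collection_* names are hypothetical stand-ins for Item_geometry_func::fix_length_and_dec() and maybe_null): an override that does not chain to its parent leaves the declared nullability out of step with the value actually produced, and a consumer that trusts the declaration sizes an allocation from a field that was never set.

```cpp
#include <cassert>
#include <cstdio>
#include <string>

// Added model of the bug class in this report (not MySQL source code):
// a base class's fix_length_and_dec() publishes result metadata, and a
// derived override that does not chain to it leaves that metadata stale.
struct Item {
  bool maybe_null = false;                // "result can never be NULL"
  unsigned long max_length = 0xDEADBEEF;  // stands in for an uninitialised field
  virtual ~Item() = default;
  // The base implementation marks the result nullable and sets a sane length.
  virtual void fix_length_and_dec() { maybe_null = true; max_length = 0; }
  // nullptr models a SQL NULL result (e.g. polygon() handed a POINT).
  virtual const std::string *val_str() = 0;
};

// Override without the parent call: maybe_null stays false, max_length stays garbage.
struct Spatial_collection_buggy : Item {
  void fix_length_and_dec() override { /* derived-specific work only */ }
  const std::string *val_str() override { return nullptr; }
};

// Override with the parent call first, then the derived-specific work.
struct Spatial_collection_fixed : Item {
  void fix_length_and_dec() override {
    Item::fix_length_and_dec();  // publishes maybe_null = true, max_length = 0
    /* derived-specific work only */
  }
  const std::string *val_str() override { return nullptr; }
};

// Models the consumer (a write_row-like path) that trusts the metadata: it
// tests for NULL only when the item says NULL is possible, otherwise it sizes
// its buffer from max_length. Returns the bytes it would allocate; 0 means
// "stored a NULL".
unsigned long bytes_to_allocate(Item &item) {
  item.fix_length_and_dec();
  const std::string *v = item.val_str();
  if (item.maybe_null && v == nullptr) return 0;   // correct NULL handling
  if (v == nullptr) return item.max_length + 1;    // trusts stale metadata
  return static_cast<unsigned long>(v->size()) + 1;
}

int main() {
  Spatial_collection_buggy buggy;
  Spatial_collection_fixed fixed;
  std::printf("buggy override allocates %lu bytes\n", bytes_to_allocate(buggy));
  std::printf("fixed override allocates %lu bytes\n", bytes_to_allocate(fixed));
  return 0;
}
```

The buggy path asks for roughly 3.7 GB for a row that is really NULL, which is the shape of the "4GB memory allocations" and ERROR 1041 seen in the report.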