Bug #59817 explain crash in Item_field::result_type with view, xor, join
Submitted: 30 Jan 2011 8:26 Modified: 1 Feb 2011 15:19
Reporter: Shane Bester (Platinum Quality Contributor) Email Updates:
Status: Duplicate Impact on me:
None 
Category:MySQL Server: Optimizer Severity:S1 (Critical)
Version:5.6.2 OS:Any
Assigned to: Assigned Account CPU Architecture:Any
Tags: regression

[30 Jan 2011 8:26] Shane Bester 
Description:
Version: '5.6.2-m5-valgrind-max-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
[New Thread 0x7fffe3f98710 (LWP 3125)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe3f98710 (LWP 3125)]
0x0000000000787379 in Item_field::result_type (this=0x7fffd400c300) at ./sql/item.h:1776
1776        return field->result_type();
(gdb) bt
#0  in Item_field::result_type at ./sql/item.h:1776
#1  in Item_cache::get_cache at ./sql/item.cc:7481
#2  in Item::cache_const_expr_transformer at ./sql/item.cc:6069
#3  in Item::transform at ./sql/item.cc:588
#4  in Item_func::transform at ./sql/item_func.cc:329
#5  in Item_cond::compile at ./sql/item_cmpfunc.cc:4500
#6  in Item_func::compile at ./sql/item_func.cc:386
#7  in Item_func::compile at ./sql/item_func.cc:386
#8  in JOIN::cache_const_exprs at ./sql/sql_select.cc:23576
#9  in JOIN::optimize at ./sql/sql_select.cc:2338
#10 in mysql_select at ./sql/sql_select.cc:3544
#11 in mysql_explain_union at ./sql/sql_select.cc:23170
#12 in select_describe at ./sql/sql_select.cc:23111
#13 in return_zero_rows at ./sql/sql_select.cc:11792
#14 in JOIN::exec at ./sql/sql_select.cc:2835
#15 in mysql_select at ./sql/sql_select.cc:3558
#16 in mysql_explain_union at ./sql/sql_select.cc:23170
#17 in select_describe at ./sql/sql_select.cc:23111
#18 in JOIN::exec at ./sql/sql_select.cc:2873
#19 in mysql_select at ./sql/sql_select.cc:3558
#20 in mysql_explain_union at ./sql/sql_select.cc:23170
#21 in execute_sqlcom_select at ./sql/sql_parse.cc:4487
#22 in mysql_execute_command at ./sql/sql_parse.cc:2096
#23 in mysql_parse at ./sql/sql_parse.cc:5550
#24 in dispatch_command at ./sql/sql_parse.cc:1078
#25 in do_command at ./sql/sql_parse.cc:815
#26 in do_handle_one_connection at ./sql/sql_connect.cc:748
#27 in handle_one_connection at ./sql/sql_connect.cc:684
#28 in start_thread at pthread_create.c:301
#29 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
(gdb) frame 0
#0  0x0000000000787379 in Item_field::result_type (this=0x7fffd400c300) at ./sql/item.h:1776
1776        return field->result_type();
(gdb) p field
$2 = (Field *) 0x0
(gdb) 

this is a regression in mysql-trunk. 5.5.10 did not crash.
probably related: bug #59793

How to repeat:
drop table if exists `tt`;
create table `tt`(`a` int)engine=myisam;
insert into `tt` values (1),(2);
create or replace view `vv` as select 1 as `a` from `tt`;
explain select 1 from `tt`
left join `tt` `t2` on 1=
(select  1 from `tt` `t3` where 1>= 
 (select 1 from `tt` `t4` where 1> some 
  (select 1 from `tt` `t5`)
 )
 and a> all (select `a` xor 1 from `vv`)
);
[30 Jan 2011 9:28] Valeriy Kravchuk 
Thank you for the bug report. Verified on Mac OS X:

macbook-pro:trunk openxs$ bin/mysql -uroot test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.6.2-m5-debug Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> drop table if exists `tt`;
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> create table `tt`(`a` int)engine=myisam;
Query OK, 0 rows affected (0.05 sec)

mysql> insert into `tt` values (1),(2);
Query OK, 2 rows affected (0.00 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql> create or replace view `vv` as select 1 as `a` from `tt`;
Query OK, 0 rows affected (0.14 sec)

mysql> explain select 1 from `tt`
    -> left join `tt` `t2` on 1=
    -> (select  1 from `tt` `t3` where 1>= 
    ->  (select 1 from `tt` `t4` where 1> some 
    ->   (select 1 from `tt` `t5`)
    ->  )
    ->  and a> all (select `a` xor 1 from `vv`)
    -> );
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> 110130 11:26:31 mysqld_safe mysqld restarted

mysql> exit
Bye
macbook-pro:trunk openxs$ tail -100 data/macbook-pro.err 
110130 11:26:07 [ERROR] Native table 'performance_schema'.'table_lock_waits_summary_by_table' has the wrong structure
110130 11:26:07 [Note] Event Scheduler: Loaded 0 events
110130 11:26:07 [Note] /Users/openxs/dbs/trunk/bin/mysqld: ready for connections.
Version: '5.6.2-m5-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
110130 11:26:31 - mysqld got signal 10 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8388608
read_buffer_size=131072
max_used_connections=1
max_threads=151
thread_count=1
connection_count=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 337971 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x1051400
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0xb0800f30 thread_stack 0x30000
0   mysqld                              0x003aad69 my_print_stacktrace + 44
1   mysqld                              0x00103eda handle_segfault + 892
2   libSystem.B.dylib                   0x940472bb _sigtramp + 43
3   ???                                 0xffffffff 0x0 + 4294967295
4   mysqld                              0x0004f2fe _ZN10Item_cache9get_cacheEPK4Item + 24
5   mysqld                              0x0004f433 _ZN4Item28cache_const_expr_transformerEPh + 33
6   mysqld                              0x0004e788 _ZN4Item9transformEMS_FPS_PhES1_ + 138
7   mysqld                              0x000a78b7 _ZN9Item_func9transformEM4ItemFPS0_PhES2_ + 169
8   mysqld                              0x0006e74a _ZN9Item_cond7compileEM4ItemFbPPhES2_MS0_FPS0_S1_ES1_ + 308
9   mysqld                              0x000a7784 _ZN9Item_func7compileEM4ItemFbPPhES2_MS0_FPS0_S1_ES1_ + 210
10  mysqld                              0x000a7784 _ZN9Item_func7compileEM4ItemFbPPhES2_MS0_FPS0_S1_ES1_ + 210
11  mysqld                              0x0020f6d2 _ZN4JOIN17cache_const_exprsEv + 158
12  mysqld                              0x0023eb69 _ZN4JOIN8optimizeEv + 7941
13  mysqld                              0x00241baa _Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select_lex + 778
14  mysqld                              0x002420cb _Z19mysql_explain_unionP3THDP18st_select_lex_unitP13select_result + 927
15  mysqld                              0x002450cc _Z15select_describeP4JOINbbbPKc + 12220
16  mysqld                              0x002451bb _Z15select_describeP4JOINbbbPKc + 12459
17  mysqld                              0x00245992 _ZN4JOIN4execEv + 1586
18  mysqld                              0x00241c34 _Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select_lex + 916
19  mysqld                              0x002420cb _Z19mysql_explain_unionP3THDP18st_select_lex_unitP13select_result + 927
20  mysqld                              0x002450cc _Z15select_describeP4JOINbbbPKc + 12220
21  mysqld                              0x00245c6e _ZN4JOIN4execEv + 2318
22  mysqld                              0x00241c34 _Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select_lex + 916
23  mysqld                              0x002420cb _Z19mysql_explain_unionP3THDP18st_select_lex_unitP13select_result + 927
24  mysqld                              0x001d3efa _Z15update_precheckP3THDP10TABLE_LIST + 628
25  mysqld                              0x001d678a _Z21mysql_execute_commandP3THD + 2864
26  mysqld                              0x001de414 _Z11mysql_parseP3THDPcjP12Parser_state + 644
27  mysqld                              0x001defdc _Z16dispatch_command19enum_server_commandP3THDPcj + 2686
28  mysqld                              0x001e04bc _Z10do_commandP3THD + 664
29  mysqld                              0x002c8fbb _Z24do_handle_one_connectionP3THD + 1095
30  mysqld                              0x002c90a9 handle_one_connection + 37
31  libSystem.B.dylib                   0x9400c095 _pthread_start + 321
32  libSystem.B.dylib                   0x9400bf52 thread_start + 34

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x10d1810): explain select 1 from `tt`
left join `tt` `t2` on 1=
(select  1 from `tt` `t3` where 1>= 
 (select 1 from `tt` `t4` where 1> some 
  (select 1 from `tt` `t5`)
 )
 and a> all (select `a` xor 1 from `vv`)
)
Connection ID (thread ID): 1
Status: NOT_KILLED
[1 Feb 2011 15:19] Øystein Grøvlen 
This is a duplicate of Bug#59793.  Reverting the fix for Bug#45221 also fixes this test case.