Bug #6358 SELECT COUNT(DISTINCT) crashes server
Submitted: 1 Nov 2004 10:16
Modified: 10 Nov 2004 13:23
Reporter: Marko Mäkelä
Status: Closed
Category: MySQL Server
Severity: S1 (Critical)
Version: 5.0.2-bk
OS: Linux (GNU/Linux)
CPU Architecture: Any

[1 Nov 2004 10:16] Marko Mäkelä
Description:
mysqld crashes due to what looks like a double-free bug in free_tmp_table() after executing a SELECT query. The method entry->file->close() is invoked on an invalid object.

How to repeat:
create table crash (a char(1) not null, b char(1) not null, primary key (a, b)) engine=myisam;
insert into crash values ('a', 'A'), ('a', 'B');
select a, count(distinct b) from crash group by a;

Suggested fix:
Set entry->file to NULL when cleaning it up. Check the clean-up logic.
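The suggested fix above is the null-after-cleanup idiom. The following is an added illustration of that idiom, not code from the MySQL source: the struct names (handler, tmp_table), the cleanup functions and the call counter are assumptions made up for this example. The mock handler is never freed, so a cleanup routine run twice on the same descriptor can be counted as a second close() instead of corrupting the heap, which is what the crash in the report amounts to.

```c
#include <stdio.h>

/* Stand-in for a storage-engine handler (assumed for this example). It stays
 * allocated, so a repeated close() is counted rather than crashing. */
struct handler {
    int is_open;
    int close_calls;
};

/* Stand-in for the temporary-table descriptor (assumed for this example). */
struct tmp_table {
    struct handler *file;
};

static void handler_close(struct handler *h)
{
    h->close_calls++;
    h->is_open = 0;
}

/* Cleanup as the report describes it: the handler is closed, but the pointer
 * is left dangling, so a second cleanup closes the same object again. */
static void free_tmp_table_dangling(struct tmp_table *t)
{
    handler_close(t->file);
}

/* Cleanup as the report suggests: null the pointer after closing, and skip
 * the close when there is nothing left to close. */
static void free_tmp_table_nulling(struct tmp_table *t)
{
    if (t->file != NULL) {
        handler_close(t->file);
        t->file = NULL;
    }
}

/* Run a cleanup routine twice on one descriptor and report how many close()
 * calls the handler received: 2 means a double close, 1 means the second
 * cleanup was a harmless no-op. */
int close_calls_after_double_cleanup(void (*cleanup)(struct tmp_table *))
{
    struct handler h = { 1, 0 };
    struct tmp_table t = { &h };
    cleanup(&t);
    cleanup(&t);
    return h.close_calls;
}

int main(void)
{
    printf("dangling pointer: %d close() call(s)\n",
           close_calls_after_double_cleanup(free_tmp_table_dangling));
    printf("nulled pointer:   %d close() call(s)\n",
           close_calls_after_double_cleanup(free_tmp_table_nulling));
    return 0;
}
```

The guard on its own is not enough: without the `t->file = NULL` store, the `if` passes on the second call exactly as it did on the first. Nulling the pointer is what turns a repeated cleanup into a no-op, and it also makes a later use of the stale pointer fail loudly on a null dereference instead of silently operating on freed memory.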
[1 Nov 2004 11:18] MySQL Verification Team
Backtrace:

(gdb) bt
#0  0x081b13fc in free_tmp_table (thd=0x87a8bd8, entry=0x87aa9e0) at sql_select.cc:8314
#1  0x081092f4 in Item_sum_count_distinct::setup (this=0x87b5a70, thd=0x87a8bd8) at item_sum.cc:1368
#2  0x081b83c8 in JOIN::make_sum_func_list (this=0x87b5ed8, field_list=@0x87b6c30, send_fields=@0x87b6c60,
    before_group_by=true, recompute=true) at sql_select.cc:11782
#3  0x081a3860 in JOIN::exec (this=0x87b5ed8) at sql_select.cc:1475
#4  0x081a4b04 in mysql_select (thd=0x87a8bd8, rref_pointer_array=0x87a8ee8, tables=0x87b5cd0, wild_num=0,
    fields=@0x87a8e34, conds=0x0, og_num=1, order=0x0, group=0x87b5e90, having=0x0, proc_param=0x0, select_options=8669696,
    result=0x87b5ec8, unit=0x87a8c1c, select_lex=0x87a8dc8) at sql_select.cc:2029
#5  0x081a06aa in handle_select (thd=0x87a8bd8, lex=0x87a8c10, result=0x87b5ec8) at sql_select.cc:229
#6  0x08175e8d in mysql_execute_command (thd=0x87a8bd8) at sql_parse.cc:2069
#7  0x0817bc69 in mysql_parse (thd=0x87a8bd8, inBuf=0x87b58d0 "select a,count(distinct b)from crash group by a", length=47)
    at sql_parse.cc:4626
#8  0x08174b62 in dispatch_command (command=COM_QUERY, thd=0x87a8bd8,
    packet=0x87a04f9 "select a,count(distinct b)from crash group by a", packet_length=48) at sql_parse.cc:1518
#9  0x08174447 in do_command (thd=0x87a8bd8) at sql_parse.cc:1298
#10 0x081739ac in handle_one_connection (arg=0x87a8bd8) at sql_parse.cc:1034
#11 0xb7e4714b in pthread_start_thread () from /lib/libpthread.so.0
#12 0xb7e471df in pthread_start_thread_event () from /lib/libpthread.so.0
#13 0xb7d7a50a in clone () from /lib/libc.so.6
[1 Nov 2004 15:37] Konstantin Osipov
To anyone who is going to assign this bug: I'm currently looking at replacing
SUM(DISTINCT), COUNT(DISTINCT) and AVG(DISTINCT) with a single implementation,
which should solve this bug automatically.
[10 Nov 2004 13:23] Marko Mäkelä
It appears that this bug has been fixed. I noticed two duplicates of this report that were not marked as duplicates, but closed, and I could not repeat the crash with a fresh 5.0 bk pull.