Bug #67230 EXPLAIN can crash server or deny service on SELECT statement
Submitted: 15 Oct 2012 8:59 Modified: 12 Nov 2012 15:57
Reporter: Jan Rusch Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Optimizer Severity:S1 (Critical)
Version:5.6.7 5.6.8 OS:Windows (7 64bit)
Assigned to: Gleb Shchepa CPU Architecture:Any
Tags: crash, denial of service, DoS, explain, regression, SELECT

[15 Oct 2012 8:59] Jan Rusch 
Description:
EXPLAIN in certain combinations with a SELECT statement can crash a MySQL 5.6.7 server or lead to a denial of service. No logging is done to error log.

How to repeat:
Execute the following script:

CREATE DATABASE `test`;

DROP TABLE IF EXISTS `test`.`t3`;
CREATE TABLE  `test`.`t3` (
  `c1` varchar(35) NOT NULL,
  `c2` varchar(35) NOT NULL,
  `c3` varchar(45) NOT NULL,
  PRIMARY KEY (`c1`,`c2`,`c3`) USING BTREE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

DROP TABLE IF EXISTS `test`.`t4`;
CREATE TABLE  `test`.`t4` (
  `c1` varchar(35) NOT NULL,
  `c2` char(3) NOT NULL DEFAULT '',
  `c3` char(3) NOT NULL DEFAULT '',
  `c4` char(3) NOT NULL,
  PRIMARY KEY (`c1`,`c2`,`c3`,`c4`) USING BTREE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

USE `test`;

EXPLAIN SELECT RES.c1, COUNT(DISTINCT RES.c2) FROM (
(SELECT DISTINCT t3.c1, t3.c2
FROM t3, t4
WHERE t3.c2 =  t4.c1
AND t4.c2 = "e")
UNION
(SELECT DISTINCT t3.c1, t3.c2
FROM t3, t4
WHERE t3.c2 = t4.c1
AND t4.c3 = "p")) AS RES, t4
WHERE RES.c2 = t4.c1
AND NOT t4.c4 = "p"
GROUP BY c1;

The above SELECT statement without EXPLAIN works without any problems.

On our side three MySQL 5.6.7 server either crash immediately without logging anything or they continue running, but are either very slow or do not accept new connections. I tried with MySQL 5.6.1 and MySQL 5.5.23. Both are not affected.
[9 Nov 2012 7:42] Jan Rusch 
Still crashing on 5.6.8
[12 Nov 2012 15:57] Paul DuBois 
Noted in 5.6.9, 5.7.0 changelogs.

For some SELECT statements, EXPLAIN could cause a server crash.