Bug #7885 Query causes server to crash.
Submitted: 13 Jan 2005 20:49    Modified: 20 Jan 2005 18:22
Reporter: Carlos Zaltzman
Status: Closed
Category: MySQL Server    Severity: S3 (Non-critical)
Version: 4.1.3b-beta    OS: Windows (Windows 98 Second Edition)
Assigned to: Sergey Petrunya    CPU Architecture: Any

[13 Jan 2005 20:49] Carlos Zaltzman
Description:
If you have a query like
        SELECT * FROM A WHERE A2 > ANY(SELECT B1 FROM B);
or 
        SELECT * FROM A WHERE A2 > ALL(SELECT B1 FROM B);
and column A2 does not exist, then the server crashes.

How to repeat:
CREATE DATABASE TRIAL;
USE TRIAL;
CREATE TABLE A (A1 INT);
CREATE TABLE B (B1 INT);
SELECT * FROM A WHERE A2 > ANY(SELECT B1 FROM B);
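The report shows the crash but not what a fixed server should answer, so here is a small regression check, added as an example and not taken from the report or from the MySQL test suite: it feeds the two statements above to the `mysql` command-line client and classifies the result. The database name `bug7885_check`, the `run_check` function and the `--run` flag are this example's own assumptions; a server that returns error 1054 (unknown column) is fixed, one that drops the connection (client error 2013 or 2006) is still affected.

```shell
#!/bin/sh
# Regression check for bug #7885 (added example, not from the report or the MySQL test suite).
# Runs the report's two problem statements through the mysql command-line client and
# classifies the output: a fixed server answers with ER_BAD_FIELD_ERROR (1054, unknown
# column); an affected server dies, and the client reports a lost connection (2013/2006).
# Assumptions: the mysql client is on PATH and the caller may create a throwaway database.

# classify_output TEXT -> prints fixed | vulnerable | unknown
classify_output() {
    case "$1" in
        *"ERROR 2013"*|*"ERROR 2006"*) echo vulnerable ;;  # connection lost: the server went down
        *"ERROR 1054"*)                echo fixed ;;       # proper "Unknown column" error
        *)                             echo unknown ;;     # client missing, auth failure, ...
    esac
}

# The statements from the report, wrapped in a throwaway database (name is this example's own).
repro_sql() {
    cat <<'EOF'
CREATE DATABASE IF NOT EXISTS bug7885_check;
USE bug7885_check;
CREATE TABLE IF NOT EXISTS A (A1 INT);
CREATE TABLE IF NOT EXISTS B (B1 INT);
SELECT * FROM A WHERE A2 > ANY(SELECT B1 FROM B);
SELECT * FROM A WHERE A2 > ALL(SELECT B1 FROM B);
DROP DATABASE bug7885_check;
EOF
}

# run_check [mysql options...] -> verdict on stdout; exit status 1 when the server is affected.
# --force keeps the client going after the first error so both statements are exercised.
run_check() {
    out=$(repro_sql | mysql --force "$@" 2>&1) || true
    verdict=$(classify_output "$out")
    echo "$verdict"
    [ "$verdict" != vulnerable ]
}

# Only contact a server when invoked as:  sh check7885.sh --run -h host -u user -p
if [ "${1:-}" = "--run" ]; then
    shift
    run_check "$@"
fi
```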
[13 Jan 2005 21:07] MySQL Verification Team
Verified with 4.1.9-debug-log
OS: Windows, Linux

Backtrace:

(gdb) bt
#0  0x0813af9c in Item_subselect::fix_fields (this=0x8cefdc0, thd_param=0x8cd5590,
    tables=0x8cef9d0, ref=0x8cefed4) at item_subselect.cc:180
#1  0x0810d49c in Item_func::fix_fields (this=0x8cefe90, thd=0x8cd5590, tables=0x8cef9d0,
    ref=0x8cf09ac) at item_func.cc:307
#2  0x081900ea in setup_conds (thd=0x8cd5590, tables=0x8cef9d0, conds=0x8cf09ac)
    at sql_base.cc:2598
#3  0x08194abf in JOIN::prepare (this=0x8ceffe0, rref_pointer_array=0x8cd57c4,
    tables_init=0x8cef9d0, wild_num=1, conds_init=0x8cefe90, og_num=0, order_init=0x0,
    group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x8cd56c0,
    unit_arg=0x8cd55d8) at sql_select.cc:229
#4  0x081980f3 in mysql_select (thd=0x8cd5590, rref_pointer_array=0x8cd57c4, tables=0x8cef9d0,
    wild_num=1, fields=@0x8cd5728, conds=0x8cefe90, og_num=0, order=0x0, group=0x0, having=0x0,
    proc_param=0x0, select_options=8669696, result=0x8ceffd0, unit=0x8cd55d8,
    select_lex=0x8cd56c0) at sql_select.cc:1564
#5  0x0819483c in handle_select (thd=0x8cd5590, lex=0x8cd55cc, result=0x8ceffd0)
    at sql_select.cc:193
#6  0x0817232f in mysql_execute_command (thd=0x8cd5590) at sql_parse.cc:2020
#7  0x08176ea9 in mysql_parse (thd=0x8cd5590,
    inBuf=0x8cef8d0 "SELECT * FROM A WHERE A2 > ANY(SELECT B1 FROM B)", length=48)
    at sql_parse.cc:4093
#8  0x08171002 in dispatch_command (command=COM_QUERY, thd=0x8cd5590,
    packet=0x8cd77c1 "SELECT * FROM A WHERE A2 > ANY(SELECT B1 FROM B)", packet_length=49)
    at sql_parse.cc:1505
#9  0x08170922 in do_command (thd=0x8cd5590) at sql_parse.cc:1291
#10 0x0816fe5b in handle_one_connection (arg=0x8cd5590) at sql_parse.cc:1023
#11 0xb7e4614b in pthread_start_thread () from /lib/libpthread.so.0
#12 0xb7e461df in pthread_start_thread_event () from /lib/libpthread.so.0
#13 0xb7d7950a in clone () from /lib/libc.so.6
[19 Jan 2005 22:52] Sergey Petrunya
Reviewed by Sanja
[19 Jan 2005 23:16] Sergey Petrunya
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

Both in 4.1 and 5.0
[20 Jan 2005 18:22] Paul DuBois
Mentioned in 4.1.10 and 5.0.3 change notes.