Bug #8660 UNION query can cause server to crash
Submitted: 21 Feb 2005 19:26 Modified: 31 Mar 2005 14:24
Reporter: Bryan Berg
Status: Duplicate
Category: MySQL Server    Severity: S2 (Serious)
Version: 4.1.10    OS: Linux (Fedora Core 2, x86_64)
Assigned to: Assigned Account    CPU Architecture: Any

[21 Feb 2005 19:26] Bryan Berg
Description:
Given the default 'mysql' db that ships with the product, it's possible to form a UNION query that will cause mysqld to segfault (Fedora Core 2, x86_64, Official RPMs or manually built RPMs):

select count(*),current_timestamp from user union select count(*),current_timestamp from db;

The following queries do not crash the server:
* select count(*),current_timestamp from user union select count(*),1 from db;
* select count(*),1 from user union select count(*),current_timestamp from db;

The crash only occurs when using CURRENT_TIMESTAMP or NOW() in both sides of the query.

The (debug) server leaves this message in the logs when it dies:

mysqld: item.cc:1744: virtual void Item_field::make_field(Send_field*): Assertion `tmp_field->table_name' failed.

The --debug trace doesn't seem to have that much relevant information in it; it's also huge, so if you'd like, I can upload it somewhere.

The gdb stack trace looks like this:

#0  0x000000389e22dc45 in raise () from /lib64/tls/libc.so.6
#1  0x000000389e22f6ce in abort () from /lib64/tls/libc.so.6
#2  0x000000389e227862 in __assert_fail () from /lib64/tls/libc.so.6
#3  0x00000000004aec68 in Item_field::make_field (this=0x141a788, tmp_field=0x446bea80) at item.cc:1744
#4  0x00000000005131b2 in Protocol::send_fields (this=0x13f9ca0, list=0x13f91d8, flag=1) at protocol.cc:530
#5  0x000000000050bdae in select_send::send_fields (this=0x7e08, list=@0x7e4e, flag=6) at sql_class.cc:787
#6  0x0000000000560eb3 in do_select (join=0x141be20, fields=0x13f91d8, table=0x0, procedure=0x0) at sql_select.cc:5627
#7  0x0000000000556f03 in JOIN::exec (this=0x141be20) at sql_select.cc:1479
#8  0x000000000055738a in mysql_select (thd=0x13f9040, rref_pointer_array=0x1405018, tables=0x13f9108, wild_num=0, fields=@0x13f91d8, conds=0x0, og_num=0, order=0x0, group=0x0,
    having=0x0, proc_param=0x0, select_options=277105152, result=0x1405510, unit=0x13f90b8, select_lex=0x1404e50) at sql_select.cc:1600
#9  0x00000000005e13c1 in st_select_lex_unit::exec (this=0x13f90b8) at sql_union.cc:550
#10 0x00000000005dfc39 in mysql_union (thd=0x13f9040, lex=0x7e4e, result=0x0, unit=0x13f90b8) at sql_union.cc:33
#11 0x00000000005539cb in handle_select (thd=0x13f9040, lex=0x13f90a8, result=0x1405510) at sql_select.cc:180
#12 0x000000000052e932 in mysql_execute_command (thd=0x13f9040) at sql_parse.cc:2039
#13 0x0000000000532a72 in mysql_parse (thd=0x13f9040, inBuf=0x1404840 "select count(*),current_timestamp from user union select count(*),current_timestamp from db",
    length=20943016) at sql_parse.cc:4121
#14 0x000000000052d566 in dispatch_command (command=COM_QUERY, thd=0x13f9040, packet=0x1408881 "", packet_length=92) at sql_parse.cc:1477
#15 0x000000000052d060 in do_command (thd=0x13f9040) at sql_parse.cc:1291
#16 0x000000000052c65c in handle_one_connection (arg=0x7e08) at sql_parse.cc:1023
#17 0x000000389f1057fb in start_thread () from /lib64/tls/libpthread.so.0
#18 0x000000389e2bab03 in thread_start () from /lib64/tls/libc.so.6
#19 0x0000000000000000 in ?? ()

This bug is new in 4.1.10.  Downgrading to 4.1.9 fixes the problem.

How to repeat:
use mysql;
select count(*),current_timestamp from user union select count(*),current_timestamp from db;
[21 Feb 2005 21:44] Martin Friebe
can be simplified

(select 1,now()) union (select 2,now())

crashes too
[21 Feb 2005 21:50] Martin Friebe
probably also related

# crash
select default(a) from ( select now() a ) x;

# but fine with any other function or value  instead of now
[21 Feb 2005 22:52] Hartmut Holzgraefe
Verified on SuSE 9.0, x86. Happens on 4.1.10 only; 4.1.9 doesn't seem to be affected.
[11 Mar 2005 21:26] Matthew Sayler
ditto:

select CURRENT_DATE() union select CURRENT_DATE()
[14 Mar 2005 12:24] Gregor Odlazek
workaround:

SELECT CONCAT(CURRENT_DATE(), '') UNION SELECT CONCAT(CURRENT_DATE(), '');

it only returns one row, so this is for two rows:
SELECT CONCAT(CURRENT_DATE(), '') UNION SELECT DATE_ADD(CONCAT(CURRENT_DATE(), ''), INTERVAL 1 DAY);
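An added example, not from the bug report or from MySQL itself: a small Python helper that flags general-query-log statements with the shape reported above (a time function on two or more sides of a UNION, plus the DEFAULT() over a derived table variant from Martin Friebe's comment) and rewrites them into the CONCAT form of the workaround. The log lines are constructed samples in the style of the MySQL general query log.

```python
import re

# Time functions the report and follow-ups show triggering the assertion on 4.1.10.
_TIME_FUNCS = r"(now|current_timestamp|current_date)"
# An occurrence not already wrapped as CONCAT(func(), '') per the workaround comment.
_BARE_FUNC_RE = re.compile(r"(?<!concat\()\b" + _TIME_FUNCS + r"\b(?:\(\s*\))?", re.IGNORECASE)
_UNION_RE = re.compile(r"\bunion\b(?:\s+all\b)?", re.IGNORECASE)
_DEFAULT_RE = re.compile(r"\bdefault\s*\(", re.IGNORECASE)


def matches_crash_pattern(sql):
    """True if the statement has the shape reported as crashing 4.1.10: a bare
    time function in two or more UNION arms, or DEFAULT() over a derived table
    that selects a time function. A single arm using the function is reported harmless."""
    arms = _UNION_RE.split(sql)
    if sum(1 for arm in arms if _BARE_FUNC_RE.search(arm)) >= 2:
        return True
    return bool(_DEFAULT_RE.search(sql) and _BARE_FUNC_RE.search(sql))


def apply_concat_workaround(sql):
    """Rewrite bare time functions as CONCAT(FUNC(), '') so the UNION merges
    string types. Assumes no string literal in the statement spells a function
    name (a limitation of this constructed example, not of the workaround)."""
    return _BARE_FUNC_RE.sub(lambda m: "CONCAT(%s(), '')" % m.group(1).upper(), sql)


def scan_general_log(lines):
    """Return the statements in general-query-log style lines that match the pattern."""
    hits = []
    for line in lines:
        m = re.search(r"\bQuery\s+(.*)$", line)
        if m and matches_crash_pattern(m.group(1)):
            hits.append(m.group(1).strip())
    return hits


# Constructed sample lines in the style of the MySQL general query log.
SAMPLE_LOG = [
    "050221 19:26:01   3 Query  select count(*),current_timestamp from user union select count(*),current_timestamp from db",
    "050221 19:26:05   3 Query  select count(*),current_timestamp from user union select count(*),1 from db",
    "050221 21:44:10   4 Query  (select 1,now()) union (select 2,now())",
    "050221 21:50:00   4 Query  select default(a) from ( select now() a ) x",
    "050314 12:24:00   8 Query  SELECT CONCAT(CURRENT_DATE(), '') UNION SELECT CONCAT(CURRENT_DATE(), '')",
]

if __name__ == "__main__":
    for q in scan_general_log(SAMPLE_LOG):
        print("matches crash pattern:", q)
        print("  workaround form:     ", apply_concat_workaround(q))
```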
[17 Mar 2005 7:47] Dmitry Lenev
Bug #9216 was marked as duplicate for this one.
[31 Mar 2005 14:24] Sergey Petrunya
No crashes with latest 4.1 tree. The issue has been fixed by Sanja as part of another bug fix.
According to my discussion with Sanja, he was working on a more general fix (and seems to have pushed it by now). The patch for this bug will not be pushed as it is redundant.
[24 Jan 2006 8:57] Aleksey Kishkin
Sergey, could you clarify which other bugfix you meant? Was it backported to 4.0?
[24 Jan 2006 13:05] Sergey Petrunya
This bug was fixed by the fix for BUG#8824; the fix changeset was:

ChangeSet
#   2005/03/23 08:36:48+02:00 bell@sanja.is.com.ua 
#   fixed union types merging and table related metadata (BUG#8824)

Subject: bk commit - 4.1 tree (bell:1.2129) BUG#8824
Date: Wed, 23 Mar 2005 08:36:53 +0200 (EET)