Crash in add_ref_to_table_cond() when grouping by a PK

Bug #872702 reported by Philip Stoev
Affects: MariaDB
Status: Fix Released
Importance: Critical
Assigned to: Oleksandr "Sanja" Byelkin

Bug Description

Query:

SELECT a
FROM t1
WHERE a = (
        SELECT t2.a
        FROM t2
) OR t1.a = 73
GROUP BY 1;

backtrace:

#3 0x082987db in handle_segfault (sig=11) at mysqld.cc:2810
#4 <signal handler called>
#5 0x08348964 in add_ref_to_table_cond (thd=0xa2c56e0, join_tab=0xae630f00) at sql_select.cc:19919
#6 0x0831dcb6 in JOIN::optimize (this=0xae6269f0) at sql_select.cc:1543
#7 0x08322209 in mysql_select (thd=0xa2c56e0, rref_pointer_array=0xa2c725c, tables=0xae613078, wild_num=0, fields=..., conds=0xae613f58, og_num=1,
    order=0x0, group=0xae614078, having=0x0, proc_param=0x0, select_options=2147764736, result=0xae614118, unit=0xa2c6e40, select_lex=0xa2c7120)
    at sql_select.cc:2886
#8 0x0831a05f in handle_select (thd=0xa2c56e0, lex=0xa2c6de4, result=0xae614118, setup_tables_done_option=0) at sql_select.cc:283
#9 0x082b482c in execute_sqlcom_select (thd=0xa2c56e0, all_tables=0xae613078) at sql_parse.cc:5112
#10 0x082ab5e9 in mysql_execute_command (thd=0xa2c56e0) at sql_parse.cc:2250
#11 0x082b6e5b in mysql_parse (thd=0xa2c56e0, rawbuf=0xae612ec0 "SELECT a\nFROM t1\nWHERE a = (\nSELECT t2.a\nFROM t2\n) OR t1.a = 73\nGROUP BY 1",
    length=74, found_semicolon=0xae9e1228) at sql_parse.cc:6112
#12 0x082a9238 in dispatch_command (command=COM_QUERY, thd=0xa2c56e0,
    packet=0xa31e321 "SELECT a\nFROM t1\nWHERE a = (\nSELECT t2.a\nFROM t2\n) OR t1.a = 73\nGROUP BY 1", packet_length=74) at sql_parse.cc:1221
#13 0x082a8693 in do_command (thd=0xa2c56e0) at sql_parse.cc:916
#14 0x082a5677 in handle_one_connection (arg=0xa2c56e0) at sql_connect.cc:1191
#15 0x00821919 in start_thread () from /lib/libpthread.so.0
#16 0x0076acce in clone () from /lib/libc.so.6

EXPLAIN also crashes:

Reproducible with default switches. Reproducible on maria-5.3. Not reproducible on maria-5.2, mysql-5.5.

bzr version-info
revision-id: <email address hidden>
date: 2011-10-12 02:04:03 +0400
build-date: 2011-10-12 10:25:51 +0300
revno: 3224
branch-nick: maria-5.3

test case:

CREATE TABLE t1 (a int, PRIMARY KEY (a)) ;
INSERT INTO t1 VALUES (14),(15),(16),(17),(18),(19),(20);

CREATE TABLE t2 (a int) ;

SELECT a
FROM t1
WHERE a = (
        SELECT t2.a
        FROM t2
) OR t1.a = 73
GROUP BY 1;

Changed in maria:
milestone: none → 5.1
milestone: 5.1 → 5.3
assignee: nobody → Oleksandr "Sanja" Byelkin (sanja-byelkin)
Changed in maria:
importance: Undecided → Critical
status: New → In Progress
Sergey Petrunia (sergefp) wrote :

This bug has been fixed by this cset:
revno: 3226
revision-id: <email address hidden>
parent: <email address hidden>
committer: Sergey Petrunya <email address hidden>
branch nick: 5.3-push19
timestamp: Wed 2011-10-12 14:23:42 +0400
message:
  Fix compile error: ‘cond_copy’ may be used uninitialized in this function.

Changed in maria:
status: In Progress → Fix Committed
Changed in maria:
status: Fix Committed → Fix Released