Server crashes in subselect_union_engine::no_rows on SELECT with impossible WHERE and UNION in HAVING

Bug #1008686 reported by Elena Stepanova on 2012-06-04
Affects: MariaDB
Status: Fix Released
Importance: High
Assigned to: Timour Katchaounov
Milestone: (none)

Bug Description

#2 0x000000000086701c in handle_fatal_signal (sig=11) at signal_handler.cc:273
#3 <signal handler called>
#4 0x000000000065cd2c in subselect_union_engine::no_rows (this=0x3a75da8) at item_subselect.cc:2788
#5 0x0000000000613d19 in Item_in_optimizer::val_int (this=0x3aa19d8) at item_cmpfunc.cc:1715
#6 0x00000000005c33e8 in Item::val_bool (this=0x3aa19d8) at item.cc:199
#7 0x000000000060fd99 in Item_func_not::val_int (this=0x3a75de0) at item_cmpfunc.cc:331
#8 0x00000000005c33e8 in Item::val_bool (this=0x3a75de0) at item.cc:199
#9 0x00000000005df283 in Item::val_bool_result (this=0x3a75de0) at item.h:855
#10 0x00000000005d4f89 in Item_ref::val_bool (this=0x3aa23e8) at item.cc:6761
#11 0x000000000061d5d1 in Item_cond_or::val_int (this=0x3a76030) at item_cmpfunc.cc:4528
#12 0x0000000000766fe4 in return_zero_rows (join=0x3aa0a68, result=0x3aa0a48, tables=..., fields=..., send_row=true, select_options=2147764736, info=0xdf5644 "Impossible WHERE", having=0x3a76030, all_fields=...) at sql_select.cc:10759
#13 0x0000000000750de4 in JOIN::exec (this=0x3aa0a68) at sql_select.cc:2192
#14 0x0000000000753b09 in mysql_select (thd=0x39ef958, rref_pointer_array=0x39f2598, tables=0x3a74630, wild_num=0, fields=..., conds=0x3a74a48, og_num=0, order=0x0, group=0x0, having=0x3a76030, proc_param=0x0, select_options=2147764736, result=0x3aa0a48, unit=0x39f1e40, select_lex=0x39f2348) at sql_select.cc:2976
#15 0x000000000074a595 in handle_select (thd=0x39ef958, lex=0x39f1da0, result=0x3aa0a48, setup_tables_done_option=0) at sql_select.cc:286
#16 0x00000000006d72c6 in execute_sqlcom_select (thd=0x39ef958, all_tables=0x3a74630) at sql_parse.cc:5152
#17 0x00000000006ce08e in mysql_execute_command (thd=0x39ef958) at sql_parse.cc:2285
#18 0x00000000006d9d2e in mysql_parse (thd=0x39ef958, rawbuf=0x3a74140 "SELECT MIN(a) AS min_a, a FROM t1 \nWHERE 0 HAVING a NOT IN ( SELECT 2 UNION SELECT 5 ) OR min_a != 1", length=100, found_semicolon=0x7ff6713fd7e8) at sql_parse.cc:6153
#19 0x00000000006cb7ed in dispatch_command (command=COM_QUERY, thd=0x39ef958, packet=0x3a6acd9 "SELECT MIN(a) AS min_a, a FROM t1 \nWHERE 0 HAVING a NOT IN ( SELECT 2 UNION SELECT 5 ) OR min_a != 1", packet_length=100) at sql_parse.cc:1228
#20 0x00000000006caad4 in do_command (thd=0x39ef958) at sql_parse.cc:923
#21 0x00000000006c796c in handle_one_connection (arg=0x39ef958) at sql_connect.cc:1218
#22 0x00007ff67ac06efc in start_thread (arg=0x7ff6713fe700) at pthread_create.c:304

maria-5.3
bzr version-info
revision-id: <email address hidden>
date: 2012-06-02 16:13:05 +0400
build-date: 2012-06-04 23:27:25 +0400
revno: 3537

Also reproducible on current maria-5.5.
Could not reproduce on maria-5.2, mysql-5.5, mysql-trunk.
Reproducible with MyISAM, Aria, InnoDB.
Reproducible with the default optimizer_switch as well as with all values set to OFF (except for in_to_exists, which is required to execute the query).

EXPLAIN (with in_to_exists=on, everything else OFF):

id select_type table type possible_keys key key_len ref rows filtered Extra
1 PRIMARY NULL NULL NULL NULL NULL NULL NULL NULL Impossible WHERE
2 DEPENDENT SUBQUERY NULL NULL NULL NULL NULL NULL NULL NULL No tables used
3 DEPENDENT UNION NULL NULL NULL NULL NULL NULL NULL NULL No tables used
NULL UNION RESULT <union2,3> ALL NULL NULL NULL NULL NULL NULL
Warnings:
Note 1003 select min(`test`.`t1`.`a`) AS `min_a`,`test`.`t1`.`a` AS `a` from `test`.`t1` where 0 having ((not(<in_optimizer>(`test`.`t1`.`a`,<exists>(select 2 having trigcond((<cache>(`test`.`t1`.`a`) = <ref_null_helper>(2))) union select 5 having trigcond((<cache>(`test`.`t1`.`a`) = <ref_null_helper>(5))))))) or (`min_a` <> 1))

# Test case:

SET optimizer_switch = 'in_to_exists=on';

CREATE TABLE t1 (a INT);
INSERT INTO t1 VALUES (1),(7);

SELECT MIN(a) AS min_a, a FROM t1
WHERE 0 HAVING a NOT IN ( SELECT 2 UNION SELECT 5 ) OR min_a != 1;

# End of test case


Elena Stepanova (elenst) wrote :

The query in the test case is not a very smart one (a mix of aggregate and non-aggregate without GROUP BY), so I've decreased the importance level compared to what it normally would have been.

Changed in maria:
status: New → In Progress

Timour Katchaounov (timour) wrote :

The crash is due to unit->fake_select_lex->join == NULL

Changed in maria:
status: In Progress → Fix Committed
Changed in maria:
status: Fix Committed → Fix Released