Sergei Golubchik added a comment - 2013-03-07 15:45 What's happening here: In build_equal_items_for_cond() a local copy of cond_equal is created on the stack: 11608 static COND *build_equal_items_for_cond(THD *thd, COND *cond, 11609 COND_EQUAL *inherited) 11610 { 11611 Item_equal *item_equal; 11612 COND_EQUAL cond_equal; It contains a List inside. When a List is initialized it does this->last = &this->first; later it is copied into an item: 11662 ((Item_cond_and*)cond)->cond_equal= cond_equal; when this function returns the item gets cond->cond_equal.current_level.last pointer points somewhere in the middle of the stack. Later in Item_equal::merge_into_list(): 5766 if (!merge_into) 5767 list->push_back(this); this *last pointer is written into, which corrupts the stack.

Igor Babaev (Inactive) added a comment - 2013-03-08 08:10 This bug manifests itself already in the current build of mariadb 5.3. The returned result for the reported query is incorrect: MariaDB [test] > SELECT * FROM mysql.time_zone -> WHERE ( NOT (Use_leap_seconds <= Use_leap_seconds AND Time_zone_id != 1) -> AND Time_zone_id = Time_zone_id -> OR Time_zone_id <> Time_zone_id ) -> AND Use_leap_seconds <> 'N' -> ; ------------- -----------------+ Time_zone_id Use_leap_seconds ------------- -----------------+ 4 Y ------------- -----------------+ The expected result is an empty set. The problem is seen for the following simplified query: MariaDB [test] > SELECT * FROM mysql.time_zone WHERE (FALSE OR Time_zone_id = 1) AND Use_leap_seconds <> 'N'; ------------- -----------------+ Time_zone_id Use_leap_seconds ------------- -----------------+ 4 Y ------------- -----------------+ 1 row in set (0.00 sec) EXPLAIN EXTENDED for this query returns: MariaDB [test] > EXPLAIN EXTENDED SELECT * FROM mysql.time_zone WHERE (FALSE OR Time_zone_id = 1) AND Use_leap_seconds <> 'N'; --- ----------- --------- ---- ------------- ---- ------- ---- ---- -------- ------------ id select_type table type possible_keys key key_len ref rows filtered Extra --- ----------- --------- ---- ------------- ---- ------- ---- ---- -------- ------------ 1 SIMPLE time_zone ALL NULL NULL NULL NULL 5 100.00 Using where --- ----------- --------- ---- ------------- ---- ------- ---- ---- -------- ------------ MariaDB [test] > show warnings; ------ ---- -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Level Code Message ------ ---- -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Note 1003 select `mysql`.`time_zone`.`Time_zone_id` AS `Time_zone_id`,`mysql`.`time_zone`.`Use_leap_seconds` AS `Use_leap_seconds` from `mysql`.`time_zone` where (`mysql`.`time_zone`.`Use_leap_seconds` <> 'N') ------ ---- -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- It can be seen that the WHERE condition has been converted to a condition that isn't equivalent to the original condition. This bug appeared after the patch for mdev-4177 had been pushed into the 5.3 tree (rev 3628). The bug existed before this patch, but bug mdev-4177 masked it.

Igor Babaev (Inactive) added a comment - 2013-03-08 11:15 The fix has been pushed into the 5.3 tree.