
Server crashes in mysql_prepare_alter_table after failed ADD CONSTRAINT CHECK

Details

    Description

      CREATE TABLE t1 (a TEXT DEFAULT '');
      ALTER TABLE t1 DEFAULT COLLATE utf8_general_ci, LOCK=SHARED;
      --error ER_BAD_FIELD_ERROR
      ALTER TABLE t1 ADD CONSTRAINT CHECK (non_existing_column > 0);
      ALTER TABLE t1 CHANGE COLUMN IF EXISTS b c INT;
       
      # Cleanup
      DROP TABLE t1;
      

      10.2 a050189773c

      #3  <signal handler called>
      #4  0x000055c862b3f6be in mysql_prepare_alter_table (thd=0x7f510c000b00, table=0x7f510c15db60, create_info=0x7f511d19ae50, alter_info=0x7f511d19ada0, alter_ctx=0x7f511d19a240) at /data/src/10.2/sql/sql_table.cc:7677
      #5  0x000055c862b431e6 in mysql_alter_table (thd=0x7f510c000b00, new_db=0x7f510c012c10 "test", new_name=0x0, create_info=0x7f511d19ae50, table_list=0x7f510c012600, alter_info=0x7f511d19ada0, order_num=0, order=0x0, ignore=false) at /data/src/10.2/sql/sql_table.cc:9015
      #6  0x000055c862bbd954 in Sql_cmd_alter_table::execute (this=0x7f510c012d08, thd=0x7f510c000b00) at /data/src/10.2/sql/sql_alter.cc:324
      #7  0x000055c862a78c57 in mysql_execute_command (thd=0x7f510c000b00) at /data/src/10.2/sql/sql_parse.cc:6208
      #8  0x000055c862a7d5d1 in mysql_parse (thd=0x7f510c000b00, rawbuf=0x7f510c0124f8 "ALTER TABLE t1 CHANGE COLUMN IF EXISTS b c INT", length=46, parser_state=0x7f511d19c200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7902
      #9  0x000055c862a6b4f1 in dispatch_command (command=COM_QUERY, thd=0x7f510c000b00, packet=0x7f510c16b561 "ALTER TABLE t1 CHANGE COLUMN IF EXISTS b c INT", packet_length=46, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1806
      #10 0x000055c862a69e54 in do_command (thd=0x7f510c000b00) at /data/src/10.2/sql/sql_parse.cc:1360
      #11 0x000055c862bb8646 in do_handle_one_connection (connect=0x55c8663ba3e0) at /data/src/10.2/sql/sql_connect.cc:1335
      #12 0x000055c862bb83d3 in handle_one_connection (arg=0x55c8663ba3e0) at /data/src/10.2/sql/sql_connect.cc:1241
      #13 0x000055c862fd81f8 in pfs_spawn_thread (arg=0x55c866394ea0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
      #14 0x00007f5124b97494 in start_thread (arg=0x7f511d19d700) at pthread_create.c:333
      #15 0x00007f5122f7d93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

          Activity

            The failure stopped happening after this commit:
            https://github.com/MariaDB/server/commit/92a13148e80c30422ae5460032169cbe1946fa6d

            commit 92a13148e80c30422ae5460032169cbe1946fa6d
            Author: Sergei Golubchik
            Date:   Mon Apr 16 23:14:28 2018 +0200
             
                MDEV-15746 ASAN heap-use-after-free in Item_change_list::rollback_item_tree_changes on ALTER executed as PS
                
                don't try to convert a default value string from a user character set
                into a column character set, if this particular default value string did
                not come from the user at all (that is, if it's an ALTER TABLE and the
                default value string is the *old* default value of the unaltered
                column).
                
                This used to crash, because old defaults are allocated on the old
                table's memroot, which is freed mid-ALTER when the old table is closed.
                So thd->rollback_item_tree_changes() at the end of the ALTER was writing
                into the freed memory.
            

            elenst Elena Stepanova added a comment
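The commit message above describes a lifetime mismatch: the old column default is allocated on the old table's memroot, that memroot is freed mid-ALTER when the old table is closed, and the change list still holds a pointer into it for the end-of-statement rollback. The following is an added illustration, not MariaDB server code: a toy arena ("memroot") model in C in which convert_default() optionally applies the same rule as the fix (skip conversion of defaults that did not come from the user) and rollback_item_tree_changes() checks arena liveness instead of writing blindly, so the dangling entry is counted rather than dereferenced. MemRoot, DefaultValue, ChangeList, convert_default and simulate_alter are hypothetical stand-ins for the server's structures and functions.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not MariaDB code: toy model of the memroot lifetime bug
 * described in the MDEV-15746 commit message. All names here are hypothetical
 * stand-ins for the server's memroot / Item / Item_change_list machinery. */

/* A memroot: a bump arena released all at once when its owner (the old table
 * definition) is closed. The alive flag lets rollback detect that release. */
typedef struct { char *buf; size_t used, cap; bool alive; } MemRoot;

static void memroot_init(MemRoot *r, size_t cap) {
    r->buf = malloc(cap);
    r->used = 0; r->cap = cap;
    r->alive = (r->buf != NULL);
}

static void *memroot_alloc(MemRoot *r, size_t n) {
    if (!r->alive || r->used + n > r->cap) return NULL;
    void *p = r->buf + r->used;
    r->used += n;
    return p;
}

static char *memroot_strdup(MemRoot *r, const char *s) {
    size_t n = strlen(s) + 1;
    char *p = memroot_alloc(r, n);
    if (p) memcpy(p, s, n);
    return p;
}

static void memroot_free(MemRoot *r) {
    free(r->buf);
    r->buf = NULL;
    r->alive = false;
}

/* A column default: the string, the memroot it lives on, and whether the user
 * supplied it in this statement or it was read from the old table definition. */
typedef struct { char *str; MemRoot *owner; bool from_user; } DefaultValue;

/* Item_change_list analogue: each entry records a slot and the pointer that
 * rollback must write back into that slot at the end of the statement. */
typedef struct { char **slot; char *old_ptr; MemRoot *owner; } Change;
typedef struct { Change items[8]; int n; } ChangeList;

/* Character-set conversion of a default during ALTER preparation: the converted
 * copy goes on the statement memroot and the old pointer is recorded for rollback.
 * With fix_applied, a default that did not come from the user is left untouched. */
static void convert_default(DefaultValue *d, MemRoot *stmt_root,
                            ChangeList *cl, bool fix_applied) {
    if (fix_applied && !d->from_user) return;   /* old default of an unaltered column */
    if (cl->n >= 8) return;
    Change *c = &cl->items[cl->n++];
    c->slot = &d->str;
    c->old_ptr = d->str;
    c->owner = d->owner;
    d->str = memroot_strdup(stmt_root, d->str);  /* stands in for the converted string */
}

/* End-of-statement rollback. Unlike the unguarded original, refuse to restore a
 * slot whose memroot is already freed and count it instead of writing into it. */
static int rollback_item_tree_changes(ChangeList *cl) {
    int dangling = 0;
    for (int i = cl->n - 1; i >= 0; i--) {
        Change *c = &cl->items[i];
        if (c->owner && !c->owner->alive) { dangling++; continue; }
        *c->slot = c->old_ptr;
    }
    cl->n = 0;
    return dangling;
}

/* One ALTER TABLE in miniature. Returns how many rollback entries pointed into
 * the freed old-table memroot: 1 without the fix, 0 with it (-1 on alloc failure). */
static int simulate_alter(bool fix_applied) {
    MemRoot old_table, stmt;
    memroot_init(&old_table, 256);
    memroot_init(&stmt, 256);

    /* The unaltered column's default '' was read from the old table, so it is
       allocated on the old table's memroot and did not come from the user. */
    DefaultValue *d = memroot_alloc(&old_table, sizeof *d);
    if (!d) return -1;
    d->str = memroot_strdup(&old_table, "");
    d->owner = &old_table;
    d->from_user = false;

    ChangeList cl = { .n = 0 };
    convert_default(d, &stmt, &cl, fix_applied);  /* mysql_prepare_alter_table stage */

    memroot_free(&old_table);  /* old table closed mid-ALTER; d and d->str are gone */

    int dangling = rollback_item_tree_changes(&cl);
    memroot_free(&stmt);
    return dangling;
}
```

simulate_alter(false) reproduces the shape of the crash (one recorded change whose slot lives in the freed arena), and simulate_alter(true) shows that the fix removes the entry at its source: a default that was never the user's input is never converted, so nothing is ever recorded against the old table's memroot. The liveness check in the rollback is a belt-and-braces guard for the model; the actual fix is the early return in convert_default().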

            People

              serg Sergei Golubchik
              elenst Elena Stepanova