[MDEV-755] LP:682525 - Segfault on SHOW TABLE STATUS (mysqldump) of nested views Created: 2010-11-29  Updated: 2014-11-09  Resolved: 2014-11-09

Status: Closed
Project: MariaDB Server
Component/s: OTHER
Affects Version/s: 5.1.67, 5.2.14
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Arjen Lentz (Inactive) Assignee: Sergei Golubchik
Resolution: Won't Fix Votes: 0
Labels: Launchpad, upstream

Attachments: LPexportBug682525.xml, LPexportBug682525_CreateViews.sql, LPexportBug682525_Functions.sql, LPexportBug682525_catt_schema.sql, LPexportBug682525_error.log-viewdumpcrash-mariadb-5.2.3-ubuntuLucid, LPexportBug682525_mysql.log-viewdumpcrash-mariadb-5.2.3-ubuntuLucid, mdev755.test

Description

mysqld (MariaDB) 5.2.3 segfaults during a mysqldump operation; the environment contains nested views.
Views structure, general query log, and error log with stack trace are attached.
Base table structure is not currently available as the dump won't complete - will retrieve separately if necessary, but the above info may already allow you to catch the problem.

With stock (Oracle) mysql 5.1.41-3ubuntu12.7 the same happens, so the problem is not restricted to MariaDB.



Comments
Comment by Arjen Lentz (Inactive) [ 2010-11-29 ]

Error log with stack trace
LPexportBug682525_error.log-viewdumpcrash-mariadb-5.2.3-ubuntuLucid

Comment by Arjen Lentz (Inactive) [ 2010-11-29 ]

general query log with all queries run etc
LPexportBug682525_mysql.log-viewdumpcrash-mariadb-5.2.3-ubuntuLucid

Comment by Arjen Lentz (Inactive) [ 2010-11-29 ]

Re: Segfault on SHOW TABLE STATUS (mysqldump) of nested views
Note that the crash happens in the view hierarchy; it's not at the base table level.

Comment by Arjen Lentz (Inactive) [ 2010-11-29 ]

views structure (base table structures not included here)
LPexportBug682525_CreateViews.sql

Comment by Arjen Lentz (Inactive) [ 2010-11-29 ]

Re: Segfault on SHOW TABLE STATUS (mysqldump) of nested views
This db (on the same server) does not exhibit the problem (so taking a complete mysqldump was ok).
The main difference with this db is that the definer on views here is 'root'@'%' rather than 'root'@'localhost' as was the case with the schema that causes the crashes, and stored functions in the problem db are declared as DETERMINISTIC whereas in this schema they are not.

Comment by Arjen Lentz (Inactive) [ 2010-11-29 ]

complete schema (views+base tables) from another db
LPexportBug682525_catt_schema.sql

Comment by Rasmus Johansson (Inactive) [ 2010-11-29 ]

Re: Segfault on SHOW TABLE STATUS (mysqldump) of nested views
Interestingly, manually running the query
show table status like 'view_course_scheme_units'
(as shown in the error log - the command that triggers the crash) from the mysql command-line client on its own doesn't cause a crash. So it might be the sequence of events rather than the individual command.

Comment by Rasmus Johansson (Inactive) [ 2010-11-29 ]

Re: Segfault on SHOW TABLE STATUS (mysqldump) of nested views
Also submitted at http://bugs.mysql.com/58543

Comment by Rasmus Johansson (Inactive) [ 2010-11-29 ]

Re: Segfault on SHOW TABLE STATUS (mysqldump) of nested views
When using the complete views structure, you actually get a different error
mysqldump: Couldn't execute 'SHOW FIELDS FROM `s_c_master`': View 'catt_migrate4.s_c_master' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them (1356)

The crash occurs when this top-level view is removed and then mysqldump is run again.

Comment by Rasmus Johansson (Inactive) [ 2010-11-29 ]

Re: Segfault on SHOW TABLE STATUS (mysqldump) of nested views
The original db that doesn't exhibit the problem doesn't contain functions declared DETERMINISTIC / CONTAINS SQL.

In the problem db with all the options in (functions attached), the mysqldump error is

mysqldump: Couldn't execute 'SHOW FIELDS FROM `s_c_master`': View 'catt_migrate4.s_c_master' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them (1356)

The crashing starts when the top level view is removed from the schema.

In the problem db, if I remove all CONTAINS SQL, MODIFIES SQL DATA and READS SQL DATA options, I get a segfault/crash:
mysqldump: Couldn't execute 'show table status like 's_c_master'': Lost connection to MySQL server during query (2013)

When all the options are removed, no segfault occurs.
So this is starting to look like an interaction problem with stored procs?

Comment by Rasmus Johansson (Inactive) [ 2010-11-29 ]

Routines from problem db
LPexportBug682525_Functions.sql

Comment by Rasmus Johansson (Inactive) [ 2010-11-29 ]

Re: Segfault on SHOW TABLE STATUS (mysqldump) of nested views
If we modify the following function by removing the DETERMINISTIC option (all other functions are still as they are with deterministic and CONTAINS options), no crash or error occurs. So this is the function that "triggers" the problem:

DELIMITER |

CREATE DEFINER = 'root'@'localhost' FUNCTION userbelongstoorg ()
RETURNS int(11)
CONTAINS SQL
RETURN @userBelongsToOrg|

DELIMITER ;

Comment by Rasmus Johansson (Inactive) [ 2010-11-29 ]

Re: Segfault on SHOW TABLE STATUS (mysqldump) of nested views
(Yes, we know the above function is technically non-deterministic - the option was a "code bug".)
Still, mysqld crashed and it shouldn't, so it's a bug.

Comment by Arjen Lentz (Inactive) [ 2010-11-30 ]

Re: Segfault on SHOW TABLE STATUS (mysqldump) of nested views
For reference, the problem also exists in 5.1.51 (since MariaDB 5.2.3 incorporates code up to that upstream version). So the only unknown right now might be 5.1.53 - however, looking at the 5.1.53 change log http://dev.mysql.com/doc/refman/5.1/en/news-5-1-53.html I see nothing even remotely related to this.

Comment by Oleksandr Byelkin [ 2010-11-30 ]

Re: Segfault on SHOW TABLE STATUS (mysqldump) of nested views
Is it a copy of this bug: http://bugs.mysql.com/bug.php?id=58543 ?

Comment by Rasmus Johansson (Inactive) [ 2010-11-30 ]

Launchpad bug id: 682525

Comment by Elena Stepanova [ 2014-03-18 ]

It is an upstream bug, but the story with it is vague.

Upstream part

The upstream bug report is hidden of course, so there is no telling what status it is in, and/or in which versions it has been fixed.

The bugfix appears to be in MySQL 5.6 tree, obfuscated as "BUG#11765560 - SEGFAULT ON SHOW TABLE STATUS (MYSQLDUMP) OF NESTED VIEWS", but the comment says that it is different from the one in 5.1/5.5 tree, which implies it exists in 5.1 and 5.5.

The bug is still reproducible on the latest MySQL 5.1 tree.

The bug is not reproducible on MySQL 5.5 with the provided data, even though I couldn't find a bugfix there.

MariaDB part

The bug is reproducible on MariaDB 5.1 and 5.2, but not on 5.3 and higher, although possibly it still exists there, but the use case does not reveal it.

Anyway, even though 5.1/5.2 are not a priority, I think this bug is worth fixing because it affects the most important scenario that 5.1/5.2 installations should be now used for – creating a backup and upgrading to higher versions.

Assigned to serg to confirm or reject the priority and target versions, and to reassign if it should be fixed.

Also attached the complete test case (mdev755.test).
It can be used in MTR or be fed to the server via MySQL client.
On release versions, it tends to crash.
On my debug builds, it causes "ERROR HY000: View 'test.view_course_scheme_units' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them" in the last line (please note that it is under "disable_abort_on_error", so MTR will still report a pass).
With valgrind, it throws the warnings:

==12861== Thread 4:
==12861== Invalid read of size 8
==12861==    at 0x701682: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6110)
==12861==    by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265)
==12861==    by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537)
==12861==    by 0x5CC7BE: Item_field::fix_fields(THD*, Item**) (item.cc:4326)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603)
==12861==    by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711)
==12861==    by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530)
==12861==    by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271)
==12861==    by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154)
==12861==    by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58)
==12861==    by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214)
==12861==    by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162)
==12861==    by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493)
==12861==    by 0x83534A: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:6295)
==12861==  Address 0x1007f598 is 248 bytes inside a block of size 2,244 free'd
==12861==    at 0x4C27C8A: free (vg_replace_malloc.c:468)
==12861==    by 0xB8BB58: _myfree (safemalloc.c:333)
==12861==    by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824)
==12861==    by 0xB996B8: my_hash_delete (hash.c:566)
==12861==    by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211)
==12861==    by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364)
==12861==    by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808)
==12861==    by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259)
==12861==    by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292)
==12861==    by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811)
==12861==    by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003)
==12861==    by 0x602017: Item_func_sp::execute() (item_func.cc:5932)
==12861==    by 0x604D69: Item_func_sp::val_int() (item_func.h:1729)
==12861==    by 0x5D9400: Item::update_null_value() (item.h:844)
==12861==    by 0x603028: Item_func::is_null() (item_func.h:152)
==12861==    by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)
==12861== Invalid read of size 8
==12861==    at 0x7016A3: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6113)
==12861==    by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265)
==12861==    by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537)
==12861==    by 0x5CC7BE: Item_field::fix_fields(THD*, Item**) (item.cc:4326)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603)
==12861==    by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711)
==12861==    by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530)
==12861==    by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271)
==12861==    by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154)
==12861==    by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58)
==12861==    by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214)
==12861==    by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162)
==12861==    by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493)
==12861==    by 0x83534A: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:6295)
==12861==  Address 0x1007f4c8 is 40 bytes inside a block of size 2,244 free'd
==12861==    at 0x4C27C8A: free (vg_replace_malloc.c:468)
==12861==    by 0xB8BB58: _myfree (safemalloc.c:333)
==12861==    by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824)
==12861==    by 0xB996B8: my_hash_delete (hash.c:566)
==12861==    by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211)
==12861==    by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364)
==12861==    by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808)
==12861==    by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259)
==12861==    by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292)
==12861==    by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811)
==12861==    by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003)
==12861==    by 0x602017: Item_func_sp::execute() (item_func.cc:5932)
==12861==    by 0x604D69: Item_func_sp::val_int() (item_func.h:1729)
==12861==    by 0x5D9400: Item::update_null_value() (item.h:844)
==12861==    by 0x603028: Item_func::is_null() (item_func.h:152)
==12861==    by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)
==12861== Invalid read of size 8
==12861==    at 0x70171F: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6117)
==12861==    by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265)
==12861==    by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537)
==12861==    by 0x5CC7BE: Item_field::fix_fields(THD*, Item**) (item.cc:4326)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603)
==12861==    by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711)
==12861==    by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530)
==12861==    by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271)
==12861==    by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154)
==12861==    by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58)
==12861==    by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214)
==12861==    by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162)
==12861==    by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493)
==12861==    by 0x83534A: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:6295)
==12861==  Address 0x1007f4c8 is 40 bytes inside a block of size 2,244 free'd
==12861==    at 0x4C27C8A: free (vg_replace_malloc.c:468)
==12861==    by 0xB8BB58: _myfree (safemalloc.c:333)
==12861==    by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824)
==12861==    by 0xB996B8: my_hash_delete (hash.c:566)
==12861==    by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211)
==12861==    by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364)
==12861==    by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808)
==12861==    by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259)
==12861==    by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292)
==12861==    by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811)
==12861==    by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003)
==12861==    by 0x602017: Item_func_sp::execute() (item_func.cc:5932)
==12861==    by 0x604D69: Item_func_sp::val_int() (item_func.h:1729)
==12861==    by 0x5D9400: Item::update_null_value() (item.h:844)
==12861==    by 0x603028: Item_func::is_null() (item_func.h:152)
==12861==    by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)
==12861== Invalid read of size 8
==12861==    at 0x701792: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6132)
==12861==    by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265)
==12861==    by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537)
==12861==    by 0x5CC7BE: Item_field::fix_fields(THD*, Item**) (item.cc:4326)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603)
==12861==    by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711)
==12861==    by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530)
==12861==    by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271)
==12861==    by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154)
==12861==    by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58)
==12861==    by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214)
==12861==    by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162)
==12861==    by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493)
==12861==    by 0x83534A: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:6295)
==12861==  Address 0x1007f508 is 104 bytes inside a block of size 2,244 free'd
==12861==    at 0x4C27C8A: free (vg_replace_malloc.c:468)
==12861==    by 0xB8BB58: _myfree (safemalloc.c:333)
==12861==    by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824)
==12861==    by 0xB996B8: my_hash_delete (hash.c:566)
==12861==    by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211)
==12861==    by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364)
==12861==    by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808)
==12861==    by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259)
==12861==    by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292)
==12861==    by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811)
==12861==    by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003)
==12861==    by 0x602017: Item_func_sp::execute() (item_func.cc:5932)
==12861==    by 0x604D69: Item_func_sp::val_int() (item_func.h:1729)
==12861==    by 0x5D9400: Item::update_null_value() (item.h:844)
==12861==    by 0x603028: Item_func::is_null() (item_func.h:152)
==12861==    by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)
==12861== Invalid read of size 8
==12861==    at 0x701682: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6110)
==12861==    by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265)
==12861==    by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537)
==12861==    by 0x5CC1F1: Item_field::fix_outer_field(THD*, Field**, Item**) (item.cc:4182)
==12861==    by 0x5CCA92: Item_field::fix_fields(THD*, Item**) (item.cc:4389)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603)
==12861==    by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711)
==12861==    by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530)
==12861==    by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271)
==12861==    by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154)
==12861==    by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58)
==12861==    by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214)
==12861==    by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162)
==12861==    by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493)
==12861==  Address 0x1007f598 is 248 bytes inside a block of size 2,244 free'd
==12861==    at 0x4C27C8A: free (vg_replace_malloc.c:468)
==12861==    by 0xB8BB58: _myfree (safemalloc.c:333)
==12861==    by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824)
==12861==    by 0xB996B8: my_hash_delete (hash.c:566)
==12861==    by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211)
==12861==    by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364)
==12861==    by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808)
==12861==    by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259)
==12861==    by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292)
==12861==    by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811)
==12861==    by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003)
==12861==    by 0x602017: Item_func_sp::execute() (item_func.cc:5932)
==12861==    by 0x604D69: Item_func_sp::val_int() (item_func.h:1729)
==12861==    by 0x5D9400: Item::update_null_value() (item.h:844)
==12861==    by 0x603028: Item_func::is_null() (item_func.h:152)
==12861==    by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)
==12861== Invalid read of size 8
==12861==    at 0x7016A3: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6113)
==12861==    by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265)
==12861==    by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537)
==12861==    by 0x5CC1F1: Item_field::fix_outer_field(THD*, Field**, Item**) (item.cc:4182)
==12861==    by 0x5CCA92: Item_field::fix_fields(THD*, Item**) (item.cc:4389)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603)
==12861==    by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711)
==12861==    by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530)
==12861==    by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271)
==12861==    by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154)
==12861==    by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58)
==12861==    by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214)
==12861==    by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162)
==12861==    by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493)
==12861==  Address 0x1007f4c8 is 40 bytes inside a block of size 2,244 free'd
==12861==    at 0x4C27C8A: free (vg_replace_malloc.c:468)
==12861==    by 0xB8BB58: _myfree (safemalloc.c:333)
==12861==    by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824)
==12861==    by 0xB996B8: my_hash_delete (hash.c:566)
==12861==    by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211)
==12861==    by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364)
==12861==    by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808)
==12861==    by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259)
==12861==    by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292)
==12861==    by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811)
==12861==    by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003)
==12861==    by 0x602017: Item_func_sp::execute() (item_func.cc:5932)
==12861==    by 0x604D69: Item_func_sp::val_int() (item_func.h:1729)
==12861==    by 0x5D9400: Item::update_null_value() (item.h:844)
==12861==    by 0x603028: Item_func::is_null() (item_func.h:152)
==12861==    by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)
==12861== Invalid read of size 8
==12861==    at 0x70171F: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6117)
==12861==    by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265)
==12861==    by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537)
==12861==    by 0x5CC1F1: Item_field::fix_outer_field(THD*, Field**, Item**) (item.cc:4182)
==12861==    by 0x5CCA92: Item_field::fix_fields(THD*, Item**) (item.cc:4389)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603)
==12861==    by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711)
==12861==    by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530)
==12861==    by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271)
==12861==    by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154)
==12861==    by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58)
==12861==    by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214)
==12861==    by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162)
==12861==    by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493)
==12861==  Address 0x1007f4c8 is 40 bytes inside a block of size 2,244 free'd
==12861==    at 0x4C27C8A: free (vg_replace_malloc.c:468)
==12861==    by 0xB8BB58: _myfree (safemalloc.c:333)
==12861==    by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824)
==12861==    by 0xB996B8: my_hash_delete (hash.c:566)
==12861==    by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211)
==12861==    by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364)
==12861==    by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808)
==12861==    by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259)
==12861==    by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292)
==12861==    by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811)
==12861==    by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003)
==12861==    by 0x602017: Item_func_sp::execute() (item_func.cc:5932)
==12861==    by 0x604D69: Item_func_sp::val_int() (item_func.h:1729)
==12861==    by 0x5D9400: Item::update_null_value() (item.h:844)
==12861==    by 0x603028: Item_func::is_null() (item_func.h:152)
==12861==    by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)
==12861== Invalid read of size 8
==12861==    at 0x701792: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6132)
==12861==    by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265)
==12861==    by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537)
==12861==    by 0x5CC1F1: Item_field::fix_outer_field(THD*, Field**, Item**) (item.cc:4182)
==12861==    by 0x5CCA92: Item_field::fix_fields(THD*, Item**) (item.cc:4389)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603)
==12861==    by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711)
==12861==    by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530)
==12861==    by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271)
==12861==    by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154)
==12861==    by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58)
==12861==    by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214)
==12861==    by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162)
==12861==    by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493)
==12861==  Address 0x1007f508 is 104 bytes inside a block of size 2,244 free'd
==12861==    at 0x4C27C8A: free (vg_replace_malloc.c:468)
==12861==    by 0xB8BB58: _myfree (safemalloc.c:333)
==12861==    by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824)
==12861==    by 0xB996B8: my_hash_delete (hash.c:566)
==12861==    by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211)
==12861==    by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364)
==12861==    by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808)
==12861==    by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259)
==12861==    by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292)
==12861==    by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811)
==12861==    by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003)
==12861==    by 0x602017: Item_func_sp::execute() (item_func.cc:5932)
==12861==    by 0x604D69: Item_func_sp::val_int() (item_func.h:1729)
==12861==    by 0x5D9400: Item::update_null_value() (item.h:844)
==12861==    by 0x603028: Item_func::is_null() (item_func.h:152)
==12861==    by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)

Comment by Elena Stepanova [ 2014-11-09 ]

Closing because the upstream fix is in 5.6 and is said not to be applicable to earlier versions, it can't be reproduced on MariaDB 5.3+, and obviously nobody will fix it in 5.1 or 5.2.

For reference, the upstream fix is apparently this:

    ------------------------------------------------------------
    revno: 4496.1.1
    revision-id: mattias.jonsson@oracle.com-20121030145353-yarpi7ayo8dhoupr
    parent: annamalai.gurusami@oracle.com-20121029102431-c90rcglncvnedges
    committer: Mattias Jonsson <mattias.jonsson@oracle.com>
    branch nick: b14789301-56
    timestamp: Tue 2012-10-30 22:53:53 +0800
    message:
      Bug#14789301: CRASHING SERVER BY STORED FUNCTION
      REFERENCING USER DEFINED VARIABLE IN QUERY
      
      There are 2 steps resulting in the crash:
      1) the stored procedure was executed during JOIN::prepare resulting
         in setting thd->user_var_events_alloc to NULL (due to LTM_NONE)
      2) the next time the stored procedure was executed in the same statement
         it crashes because thd->user_var_events_alloc was NULL (it was not
         set to thd->mem_root since LTM_PRELOCKED).
      
      The fix is to:
      * avoid executing the stored program during prepare phase of
        Item_func_isnull (update_used_tables).
      
      Also updated a comment which got out of date after bug 14247298.
      Also added test case copied from the duplicate bug:
      BUG#11765560 - SEGFAULT ON SHOW TABLE STATUS (MYSQLDUMP) OF NESTED
      VIEWS
      which is a duplicate in 5.6 (other cause in 5.1/5.5), but with another crash.
      In 5.1/5.5 this patch cannot be used since it lacks with_stored_program,
      and the problem is the caching strategy for is_not_null/isnull and
      DETERMINISTIC stored programs.

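Editor's note, added example (not from the bug report, its attachments, or the upstream patch): the Valgrind output above shows the use-after-free shape of this bug, and the upstream commit message names the ingredients (a DETERMINISTIC stored function that touches a user variable, evaluated under IS NULL / isnull() while a nested view is being prepared for SHOW TABLE STATUS). A DBA still running 5.1/5.2 cannot apply that patch, so the practical question is which views on the server have that shape before mysqldump walks them. The script below builds a constructed schema in that shape (the names f_lookup, t_base, v_inner, v_outer and the @last_p variable are invented for illustration; it is not the attached mdev755.test and is not claimed to reproduce the crash) and then runs an INFORMATION_SCHEMA query that lists every view calling a stored function, with the function's DETERMINISTIC flag. Run it with the mysql command-line client, since DELIMITER is a client command.

```sql
-- Added example (editor's, not code from the bug report or MariaDB).
-- Constructed schema in the shape described by the upstream commit message:
-- a DETERMINISTIC function that references a user variable, called under
-- IS NULL inside a view that a second view builds on. Names are invented.
DELIMITER //
CREATE FUNCTION f_lookup(p INT) RETURNS INT DETERMINISTIC
BEGIN
  SET @last_p = p;                 -- user-variable reference, as in Bug#14789301
  RETURN p * 2;
END //
DELIMITER ;

CREATE TABLE t_base (id INT PRIMARY KEY, v INT);
INSERT INTO t_base VALUES (1, 10), (2, NULL);

-- IS NULL over the function call is the Item_func_isnull case named in the
-- commit message; v_outer nests v_inner so mysqldump opens a view hierarchy.
CREATE VIEW v_inner AS
  SELECT id, IF(f_lookup(v) IS NULL, 0, f_lookup(v)) AS dv FROM t_base;
CREATE VIEW v_outer AS
  SELECT id, dv FROM v_inner WHERE dv IS NOT NULL;

-- Inventory check: which views call stored functions, and are those
-- functions DETERMINISTIC?  Run this before mysqldump on a 5.1/5.2 server.
-- Notes:
--  * VIEW_DEFINITION is only populated for users holding SHOW VIEW (or the
--    view's definer); run as an account with that privilege.
--  * The server stores the definition with quoted identifiers, so a call
--    appears as `schema`.`f_lookup`(...); the LIKE patterns match both the
--    quoted and unquoted forms. It is a textual match, so a column named
--    like a function can yield a false positive; review the hits by hand.
SELECT v.TABLE_SCHEMA,
       v.TABLE_NAME      AS view_name,
       r.ROUTINE_NAME    AS function_name,
       r.IS_DETERMINISTIC
FROM information_schema.VIEWS v
JOIN information_schema.ROUTINES r
  ON r.ROUTINE_SCHEMA = v.TABLE_SCHEMA
 AND r.ROUTINE_TYPE   = 'FUNCTION'
 AND (v.VIEW_DEFINITION LIKE CONCAT('%`', r.ROUTINE_NAME, '`(%')
      OR v.VIEW_DEFINITION LIKE CONCAT('%', r.ROUTINE_NAME, '(%'))
ORDER BY v.TABLE_SCHEMA, v.TABLE_NAME, r.ROUTINE_NAME;
```

On the constructed schema the query returns one row, v_inner calling f_lookup with IS_DETERMINISTIC = 'YES'; v_outer is not listed because it only references v_inner, not the function directly, so to see the whole affected hierarchy also check which views select from the reported ones. Views flagged here on an unpatched 5.1/5.2 server are the ones to dump with --skip-triggers/--no-data workarounds tested on a replica first, or after upgrading to a version where the report above says the crash no longer reproduces.
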
Generated at Thu Feb 08 06:31:06 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.