[MDEV-755] LP:682525 - Segfault on SHOW TABLE STATUS (mysqldump) of nested views - JIRA

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Won't Fix
Affects Version/s: 5.1.67, 5.2.14
Fix Version/s: N/A
Component/s: OTHER
Labels:
- Launchpad
- upstream

Description

mysqld (MariaDB) 5.2.3 segfaults during a mysqldump operation, the environment contains nested views.
Views structure, general query log, and error log with stacktrace attached.
Base table structure not currently available as the dump won't complete - will retrieve separately if necessary, but the above info may already allow you to catch the problem.

In stock (Oracle) mysql 5.1.41-3ubuntu12.7 the server the same happens, so the problem is not restricted to MariaDB.

Gliffy Diagrams

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

LPexportBug682525_catt_schema.sql
113 kB
2010-11-29 01:41
LPexportBug682525_CreateViews.sql
23 kB
2010-11-29 01:30
LPexportBug682525_error.log-viewdumpcrash-mariadb-5.2.3-ubuntuLucid
6 kB
2010-11-29 01:27
LPexportBug682525_Functions.sql
8 kB
2010-11-29 03:02
LPexportBug682525_mysql.log-viewdumpcrash-mariadb-5.2.3-ubuntuLucid
71 kB
2010-11-29 01:28
LPexportBug682525.xml
15 kB
2012-10-03 11:32
mdev755.test
59 kB
2014-03-18 12:44

Issue Links

links to

Bug#58543 - Hidden bug report

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Arjen Lentz added a comment - 2010-11-29 01:27

Error log with stack trace
LPexportBug682525_error.log-viewdumpcrash-mariadb-5.2.3-ubuntuLucid

Show

Arjen Lentz added a comment - 2010-11-29 01:27 Error log with stack trace LPexportBug682525_error.log-viewdumpcrash-mariadb-5.2.3-ubuntuLucid

14 older comments

Hide

Permalink

Arjen Lentz added a comment - 2010-11-30 00:50

Re: Segfault on SHOW TABLE STATUS (mysqldump) of nested views
For reference, the problem also exists in 5.1.51 (since MariaDB 5.2.3 incorporates code up to that upstream version). So the only unknown right now might be 5.1.53 - however looking at the 5.1.53 change log
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-53.html I see nothing even remotely
related to this.

Show

Arjen Lentz added a comment - 2010-11-30 00:50 Re: Segfault on SHOW TABLE STATUS (mysqldump) of nested views For reference, the problem also exists in 5.1.51 (since MariaDB 5.2.3 incorporates code up to that upstream version). So the only unknown right now might be 5.1.53 - however looking at the 5.1.53 change log http://dev.mysql.com/doc/refman/5.1/en/news-5-1-53.html I see nothing even remotely related to this.

Hide

Permalink

Oleksandr Byelkin added a comment - 2010-11-30 14:30

Re: Segfault on SHOW TABLE STATUS (mysqldump) of nested views
Is it copy of this bug: http://bugs.mysql.com/bug.php?id=58543 ?

Show

Oleksandr Byelkin added a comment - 2010-11-30 14:30 Re: Segfault on SHOW TABLE STATUS (mysqldump) of nested views Is it copy of this bug: http://bugs.mysql.com/bug.php?id=58543 ?

Hide

Permalink

Rasmus Johansson added a comment - 2010-11-30 16:47

Launchpad bug id: 682525

Show

Rasmus Johansson added a comment - 2010-11-30 16:47 Launchpad bug id: 682525

Hide

Permalink

Elena Stepanova added a comment - 2014-03-18 12:44 - edited

It is an upstream bug, but the story with it is vague.

Upstream part

The upstream bug report is hidden of course, so there is no telling what status it is in, and/or in which versions it has been fixed.

The bugfix appears to be in MySQL 5.6 tree, obfuscated as "BUG#11765560 - SEGFAULT ON SHOW TABLE STATUS (MYSQLDUMP) OF NESTED VIEWS", but the comment says that it is different from the one in 5.1/5.5 tree, which implies it exists in 5.1 and 5.5.

The bug is still reproducible on the latest MySQL 5.1 tree.

The bug is not reproducible on MySQL 5.5 with the provided data, even though I couldn't find a bugfix there.

MariaDB part

The bug is reproducible on MariaDB 5.1 and 5.2, but not on 5.3 and higher, although possibly it still exists there, but the use case does not reveal it.

Anyway, even though 5.1/5.2 are not a priority, I think this bug is worth fixing because it affects the most important scenario that 5.1/5.2 installations should be now used for – creating a backup and upgrading to higher versions.

Assigned to Sergei Golubchik to confirm or reject the priority and target versions, and to reassign if it should be fixed.

Also attached the complete test case (mdev755.test).
It can be used in MTR or be fed to the server via MySQL client.
On release versions, it tends to crash.
On my debug builds, it causes "ERROR HY000: View 'test.view_course_scheme_units' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them" in the last line (please note that it is under "disable_abort_on_error", so MTR will still report a pass).
With valgrind, it throws the warnings:

==12861== Thread 4:
==12861== Invalid read of size 8
==12861==    at 0x701682: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6110)
==12861==    by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265)
==12861==    by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537)
==12861==    by 0x5CC7BE: Item_field::fix_fields(THD*, Item**) (item.cc:4326)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603)
==12861==    by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711)
==12861==    by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530)
==12861==    by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271)
==12861==    by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154)
==12861==    by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58)
==12861==    by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214)
==12861==    by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162)
==12861==    by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493)
==12861==    by 0x83534A: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:6295)
==12861==  Address 0x1007f598 is 248 bytes inside a block of size 2,244 free'd
==12861==    at 0x4C27C8A: free (vg_replace_malloc.c:468)
==12861==    by 0xB8BB58: _myfree (safemalloc.c:333)
==12861==    by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824)
==12861==    by 0xB996B8: my_hash_delete (hash.c:566)
==12861==    by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211)
==12861==    by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364)
==12861==    by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808)
==12861==    by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259)
==12861==    by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292)
==12861==    by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811)
==12861==    by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003)
==12861==    by 0x602017: Item_func_sp::execute() (item_func.cc:5932)
==12861==    by 0x604D69: Item_func_sp::val_int() (item_func.h:1729)
==12861==    by 0x5D9400: Item::update_null_value() (item.h:844)
==12861==    by 0x603028: Item_func::is_null() (item_func.h:152)
==12861==    by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)
==12861== Invalid read of size 8
==12861==    at 0x7016A3: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6113)
==12861==    by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265)
==12861==    by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537)
==12861==    by 0x5CC7BE: Item_field::fix_fields(THD*, Item**) (item.cc:4326)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603)
==12861==    by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711)
==12861==    by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530)
==12861==    by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271)
==12861==    by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154)
==12861==    by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58)
==12861==    by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214)
==12861==    by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162)
==12861==    by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493)
==12861==    by 0x83534A: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:6295)
==12861==  Address 0x1007f4c8 is 40 bytes inside a block of size 2,244 free'd
==12861==    at 0x4C27C8A: free (vg_replace_malloc.c:468)
==12861==    by 0xB8BB58: _myfree (safemalloc.c:333)
==12861==    by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824)
==12861==    by 0xB996B8: my_hash_delete (hash.c:566)
==12861==    by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211)
==12861==    by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364)
==12861==    by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808)
==12861==    by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259)
==12861==    by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292)
==12861==    by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811)
==12861==    by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003)
==12861==    by 0x602017: Item_func_sp::execute() (item_func.cc:5932)
==12861==    by 0x604D69: Item_func_sp::val_int() (item_func.h:1729)
==12861==    by 0x5D9400: Item::update_null_value() (item.h:844)
==12861==    by 0x603028: Item_func::is_null() (item_func.h:152)
==12861==    by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)
==12861== Invalid read of size 8
==12861==    at 0x70171F: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6117)
==12861==    by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265)
==12861==    by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537)
==12861==    by 0x5CC7BE: Item_field::fix_fields(THD*, Item**) (item.cc:4326)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603)
==12861==    by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711)
==12861==    by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530)
==12861==    by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271)
==12861==    by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154)
==12861==    by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58)
==12861==    by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214)
==12861==    by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162)
==12861==    by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493)
==12861==    by 0x83534A: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:6295)
==12861==  Address 0x1007f4c8 is 40 bytes inside a block of size 2,244 free'd
==12861==    at 0x4C27C8A: free (vg_replace_malloc.c:468)
==12861==    by 0xB8BB58: _myfree (safemalloc.c:333)
==12861==    by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824)
==12861==    by 0xB996B8: my_hash_delete (hash.c:566)
==12861==    by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211)
==12861==    by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364)
==12861==    by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808)
==12861==    by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259)
==12861==    by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292)
==12861==    by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811)
==12861==    by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003)
==12861==    by 0x602017: Item_func_sp::execute() (item_func.cc:5932)
==12861==    by 0x604D69: Item_func_sp::val_int() (item_func.h:1729)
==12861==    by 0x5D9400: Item::update_null_value() (item.h:844)
==12861==    by 0x603028: Item_func::is_null() (item_func.h:152)
==12861==    by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)
==12861== Invalid read of size 8
==12861==    at 0x701792: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6132)
==12861==    by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265)
==12861==    by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537)
==12861==    by 0x5CC7BE: Item_field::fix_fields(THD*, Item**) (item.cc:4326)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603)
==12861==    by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711)
==12861==    by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530)
==12861==    by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271)
==12861==    by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154)
==12861==    by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58)
==12861==    by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214)
==12861==    by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162)
==12861==    by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493)
==12861==    by 0x83534A: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:6295)
==12861==  Address 0x1007f508 is 104 bytes inside a block of size 2,244 free'd
==12861==    at 0x4C27C8A: free (vg_replace_malloc.c:468)
==12861==    by 0xB8BB58: _myfree (safemalloc.c:333)
==12861==    by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824)
==12861==    by 0xB996B8: my_hash_delete (hash.c:566)
==12861==    by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211)
==12861==    by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364)
==12861==    by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808)
==12861==    by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259)
==12861==    by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292)
==12861==    by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811)
==12861==    by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003)
==12861==    by 0x602017: Item_func_sp::execute() (item_func.cc:5932)
==12861==    by 0x604D69: Item_func_sp::val_int() (item_func.h:1729)
==12861==    by 0x5D9400: Item::update_null_value() (item.h:844)
==12861==    by 0x603028: Item_func::is_null() (item_func.h:152)
==12861==    by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)
==12861== Invalid read of size 8
==12861==    at 0x701682: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6110)
==12861==    by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265)
==12861==    by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537)
==12861==    by 0x5CC1F1: Item_field::fix_outer_field(THD*, Field**, Item**) (item.cc:4182)
==12861==    by 0x5CCA92: Item_field::fix_fields(THD*, Item**) (item.cc:4389)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603)
==12861==    by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711)
==12861==    by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530)
==12861==    by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271)
==12861==    by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154)
==12861==    by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58)
==12861==    by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214)
==12861==    by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162)
==12861==    by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493)
==12861==  Address 0x1007f598 is 248 bytes inside a block of size 2,244 free'd
==12861==    at 0x4C27C8A: free (vg_replace_malloc.c:468)
==12861==    by 0xB8BB58: _myfree (safemalloc.c:333)
==12861==    by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824)
==12861==    by 0xB996B8: my_hash_delete (hash.c:566)
==12861==    by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211)
==12861==    by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364)
==12861==    by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808)
==12861==    by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259)
==12861==    by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292)
==12861==    by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811)
==12861==    by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003)
==12861==    by 0x602017: Item_func_sp::execute() (item_func.cc:5932)
==12861==    by 0x604D69: Item_func_sp::val_int() (item_func.h:1729)
==12861==    by 0x5D9400: Item::update_null_value() (item.h:844)
==12861==    by 0x603028: Item_func::is_null() (item_func.h:152)
==12861==    by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)
==12861== Invalid read of size 8
==12861==    at 0x7016A3: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6113)
==12861==    by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265)
==12861==    by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537)
==12861==    by 0x5CC1F1: Item_field::fix_outer_field(THD*, Field**, Item**) (item.cc:4182)
==12861==    by 0x5CCA92: Item_field::fix_fields(THD*, Item**) (item.cc:4389)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603)
==12861==    by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711)
==12861==    by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530)
==12861==    by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271)
==12861==    by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154)
==12861==    by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58)
==12861==    by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214)
==12861==    by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162)
==12861==    by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493)
==12861==  Address 0x1007f4c8 is 40 bytes inside a block of size 2,244 free'd
==12861==    at 0x4C27C8A: free (vg_replace_malloc.c:468)
==12861==    by 0xB8BB58: _myfree (safemalloc.c:333)
==12861==    by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824)
==12861==    by 0xB996B8: my_hash_delete (hash.c:566)
==12861==    by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211)
==12861==    by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364)
==12861==    by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808)
==12861==    by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259)
==12861==    by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292)
==12861==    by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811)
==12861==    by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003)
==12861==    by 0x602017: Item_func_sp::execute() (item_func.cc:5932)
==12861==    by 0x604D69: Item_func_sp::val_int() (item_func.h:1729)
==12861==    by 0x5D9400: Item::update_null_value() (item.h:844)
==12861==    by 0x603028: Item_func::is_null() (item_func.h:152)
==12861==    by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)
==12861== Invalid read of size 8
==12861==    at 0x70171F: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6117)
==12861==    by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265)
==12861==    by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537)
==12861==    by 0x5CC1F1: Item_field::fix_outer_field(THD*, Field**, Item**) (item.cc:4182)
==12861==    by 0x5CCA92: Item_field::fix_fields(THD*, Item**) (item.cc:4389)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603)
==12861==    by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711)
==12861==    by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530)
==12861==    by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271)
==12861==    by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154)
==12861==    by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58)
==12861==    by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214)
==12861==    by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162)
==12861==    by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493)
==12861==  Address 0x1007f4c8 is 40 bytes inside a block of size 2,244 free'd
==12861==    at 0x4C27C8A: free (vg_replace_malloc.c:468)
==12861==    by 0xB8BB58: _myfree (safemalloc.c:333)
==12861==    by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824)
==12861==    by 0xB996B8: my_hash_delete (hash.c:566)
==12861==    by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211)
==12861==    by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364)
==12861==    by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808)
==12861==    by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259)
==12861==    by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292)
==12861==    by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811)
==12861==    by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003)
==12861==    by 0x602017: Item_func_sp::execute() (item_func.cc:5932)
==12861==    by 0x604D69: Item_func_sp::val_int() (item_func.h:1729)
==12861==    by 0x5D9400: Item::update_null_value() (item.h:844)
==12861==    by 0x603028: Item_func::is_null() (item_func.h:152)
==12861==    by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)
==12861== Invalid read of size 8
==12861==    at 0x701792: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6132)
==12861==    by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265)
==12861==    by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537)
==12861==    by 0x5CC1F1: Item_field::fix_outer_field(THD*, Field**, Item**) (item.cc:4182)
==12861==    by 0x5CCA92: Item_field::fix_fields(THD*, Item**) (item.cc:4389)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178)
==12861==    by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603)
==12861==    by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711)
==12861==    by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530)
==12861==    by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271)
==12861==    by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154)
==12861==    by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58)
==12861==    by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214)
==12861==    by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162)
==12861==    by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493)
==12861==  Address 0x1007f508 is 104 bytes inside a block of size 2,244 free'd
==12861==    at 0x4C27C8A: free (vg_replace_malloc.c:468)
==12861==    by 0xB8BB58: _myfree (safemalloc.c:333)
==12861==    by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824)
==12861==    by 0xB996B8: my_hash_delete (hash.c:566)
==12861==    by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211)
==12861==    by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364)
==12861==    by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808)
==12861==    by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259)
==12861==    by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292)
==12861==    by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811)
==12861==    by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003)
==12861==    by 0x602017: Item_func_sp::execute() (item_func.cc:5932)
==12861==    by 0x604D69: Item_func_sp::val_int() (item_func.h:1729)
==12861==    by 0x5D9400: Item::update_null_value() (item.h:844)
==12861==    by 0x603028: Item_func::is_null() (item_func.h:152)
==12861==    by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)

Show

Elena Stepanova added a comment - 2014-03-18 12:44 - edited It is an upstream bug, but the story with it is vague. Upstream part The upstream bug report is hidden of course, so there is no telling what status it is in, and/or in which versions it has been fixed. The bugfix appears to be in MySQL 5.6 tree, obfuscated as "BUG#11765560 - SEGFAULT ON SHOW TABLE STATUS (MYSQLDUMP) OF NESTED VIEWS", but the comment says that it is different from the one in 5.1/5.5 tree, which implies it exists in 5.1 and 5.5. The bug is still reproducible on the latest MySQL 5.1 tree. The bug is not reproducible on MySQL 5.5 with the provided data, even though I couldn't find a bugfix there. MariaDB part The bug is reproducible on MariaDB 5.1 and 5.2, but not on 5.3 and higher, although possibly it still exists there, but the use case does not reveal it. Anyway, even though 5.1/5.2 are not a priority, I think this bug is worth fixing because it affects the most important scenario that 5.1/5.2 installations should be now used for – creating a backup and upgrading to higher versions. Assigned to Sergei Golubchik to confirm or reject the priority and target versions, and to reassign if it should be fixed. Also attached the complete test case (mdev755.test). It can be used in MTR or be fed to the server via MySQL client. On release versions, it tends to crash. On my debug builds, it causes "ERROR HY000: View 'test.view_course_scheme_units' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them" in the last line (please note that it is under "disable_abort_on_error", so MTR will still report a pass). With valgrind, it throws the warnings: ==12861== Thread 4: ==12861== Invalid read of size 8 ==12861== at 0x701682: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6110) ==12861== by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265) ==12861== by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537) ==12861== by 0x5CC7BE: Item_field::fix_fields(THD*, Item**) (item.cc:4326) ==12861== by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178) ==12861== by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178) ==12861== by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603) ==12861== by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711) ==12861== by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530) ==12861== by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271) ==12861== by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154) ==12861== by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58) ==12861== by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214) ==12861== by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162) ==12861== by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493) ==12861== by 0x83534A: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:6295) ==12861== Address 0x1007f598 is 248 bytes inside a block of size 2,244 free'd ==12861== at 0x4C27C8A: free (vg_replace_malloc.c:468) ==12861== by 0xB8BB58: _myfree (safemalloc.c:333) ==12861== by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824) ==12861== by 0xB996B8: my_hash_delete (hash.c:566) ==12861== by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211) ==12861== by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364) ==12861== by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808) ==12861== by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259) ==12861== by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292) ==12861== by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811) ==12861== by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003) ==12861== by 0x602017: Item_func_sp::execute() (item_func.cc:5932) ==12861== by 0x604D69: Item_func_sp::val_int() (item_func.h:1729) ==12861== by 0x5D9400: Item::update_null_value() (item.h:844) ==12861== by 0x603028: Item_func::is_null() (item_func.h:152) ==12861== by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320) ==12861== Invalid read of size 8 ==12861== at 0x7016A3: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6113) ==12861== by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265) ==12861== by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537) ==12861== by 0x5CC7BE: Item_field::fix_fields(THD*, Item**) (item.cc:4326) ==12861== by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178) ==12861== by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178) ==12861== by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603) ==12861== by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711) ==12861== by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530) ==12861== by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271) ==12861== by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154) ==12861== by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58) ==12861== by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214) ==12861== by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162) ==12861== by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493) ==12861== by 0x83534A: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:6295) ==12861== Address 0x1007f4c8 is 40 bytes inside a block of size 2,244 free'd ==12861== at 0x4C27C8A: free (vg_replace_malloc.c:468) ==12861== by 0xB8BB58: _myfree (safemalloc.c:333) ==12861== by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824) ==12861== by 0xB996B8: my_hash_delete (hash.c:566) ==12861== by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211) ==12861== by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364) ==12861== by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808) ==12861== by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259) ==12861== by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292) ==12861== by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811) ==12861== by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003) ==12861== by 0x602017: Item_func_sp::execute() (item_func.cc:5932) ==12861== by 0x604D69: Item_func_sp::val_int() (item_func.h:1729) ==12861== by 0x5D9400: Item::update_null_value() (item.h:844) ==12861== by 0x603028: Item_func::is_null() (item_func.h:152) ==12861== by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320) ==12861== Invalid read of size 8 ==12861== at 0x70171F: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6117) ==12861== by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265) ==12861== by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537) ==12861== by 0x5CC7BE: Item_field::fix_fields(THD*, Item**) (item.cc:4326) ==12861== by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178) ==12861== by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178) ==12861== by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603) ==12861== by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711) ==12861== by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530) ==12861== by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271) ==12861== by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154) ==12861== by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58) ==12861== by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214) ==12861== by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162) ==12861== by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493) ==12861== by 0x83534A: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:6295) ==12861== Address 0x1007f4c8 is 40 bytes inside a block of size 2,244 free'd ==12861== at 0x4C27C8A: free (vg_replace_malloc.c:468) ==12861== by 0xB8BB58: _myfree (safemalloc.c:333) ==12861== by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824) ==12861== by 0xB996B8: my_hash_delete (hash.c:566) ==12861== by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211) ==12861== by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364) ==12861== by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808) ==12861== by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259) ==12861== by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292) ==12861== by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811) ==12861== by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003) ==12861== by 0x602017: Item_func_sp::execute() (item_func.cc:5932) ==12861== by 0x604D69: Item_func_sp::val_int() (item_func.h:1729) ==12861== by 0x5D9400: Item::update_null_value() (item.h:844) ==12861== by 0x603028: Item_func::is_null() (item_func.h:152) ==12861== by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320) ==12861== Invalid read of size 8 ==12861== at 0x701792: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6132) ==12861== by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265) ==12861== by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537) ==12861== by 0x5CC7BE: Item_field::fix_fields(THD*, Item**) (item.cc:4326) ==12861== by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178) ==12861== by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178) ==12861== by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603) ==12861== by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711) ==12861== by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530) ==12861== by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271) ==12861== by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154) ==12861== by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58) ==12861== by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214) ==12861== by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162) ==12861== by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493) ==12861== by 0x83534A: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:6295) ==12861== Address 0x1007f508 is 104 bytes inside a block of size 2,244 free'd ==12861== at 0x4C27C8A: free (vg_replace_malloc.c:468) ==12861== by 0xB8BB58: _myfree (safemalloc.c:333) ==12861== by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824) ==12861== by 0xB996B8: my_hash_delete (hash.c:566) ==12861== by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211) ==12861== by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364) ==12861== by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808) ==12861== by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259) ==12861== by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292) ==12861== by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811) ==12861== by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003) ==12861== by 0x602017: Item_func_sp::execute() (item_func.cc:5932) ==12861== by 0x604D69: Item_func_sp::val_int() (item_func.h:1729) ==12861== by 0x5D9400: Item::update_null_value() (item.h:844) ==12861== by 0x603028: Item_func::is_null() (item_func.h:152) ==12861== by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320) ==12861== Invalid read of size 8 ==12861== at 0x701682: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6110) ==12861== by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265) ==12861== by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537) ==12861== by 0x5CC1F1: Item_field::fix_outer_field(THD*, Field**, Item**) (item.cc:4182) ==12861== by 0x5CCA92: Item_field::fix_fields(THD*, Item**) (item.cc:4389) ==12861== by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178) ==12861== by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178) ==12861== by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603) ==12861== by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711) ==12861== by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530) ==12861== by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271) ==12861== by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154) ==12861== by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58) ==12861== by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214) ==12861== by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162) ==12861== by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493) ==12861== Address 0x1007f598 is 248 bytes inside a block of size 2,244 free'd ==12861== at 0x4C27C8A: free (vg_replace_malloc.c:468) ==12861== by 0xB8BB58: _myfree (safemalloc.c:333) ==12861== by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824) ==12861== by 0xB996B8: my_hash_delete (hash.c:566) ==12861== by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211) ==12861== by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364) ==12861== by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808) ==12861== by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259) ==12861== by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292) ==12861== by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811) ==12861== by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003) ==12861== by 0x602017: Item_func_sp::execute() (item_func.cc:5932) ==12861== by 0x604D69: Item_func_sp::val_int() (item_func.h:1729) ==12861== by 0x5D9400: Item::update_null_value() (item.h:844) ==12861== by 0x603028: Item_func::is_null() (item_func.h:152) ==12861== by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320) ==12861== Invalid read of size 8 ==12861== at 0x7016A3: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6113) ==12861== by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265) ==12861== by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537) ==12861== by 0x5CC1F1: Item_field::fix_outer_field(THD*, Field**, Item**) (item.cc:4182) ==12861== by 0x5CCA92: Item_field::fix_fields(THD*, Item**) (item.cc:4389) ==12861== by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178) ==12861== by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178) ==12861== by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603) ==12861== by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711) ==12861== by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530) ==12861== by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271) ==12861== by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154) ==12861== by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58) ==12861== by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214) ==12861== by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162) ==12861== by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493) ==12861== Address 0x1007f4c8 is 40 bytes inside a block of size 2,244 free'd ==12861== at 0x4C27C8A: free (vg_replace_malloc.c:468) ==12861== by 0xB8BB58: _myfree (safemalloc.c:333) ==12861== by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824) ==12861== by 0xB996B8: my_hash_delete (hash.c:566) ==12861== by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211) ==12861== by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364) ==12861== by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808) ==12861== by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259) ==12861== by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292) ==12861== by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811) ==12861== by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003) ==12861== by 0x602017: Item_func_sp::execute() (item_func.cc:5932) ==12861== by 0x604D69: Item_func_sp::val_int() (item_func.h:1729) ==12861== by 0x5D9400: Item::update_null_value() (item.h:844) ==12861== by 0x603028: Item_func::is_null() (item_func.h:152) ==12861== by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320) ==12861== Invalid read of size 8 ==12861== at 0x70171F: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6117) ==12861== by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265) ==12861== by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537) ==12861== by 0x5CC1F1: Item_field::fix_outer_field(THD*, Field**, Item**) (item.cc:4182) ==12861== by 0x5CCA92: Item_field::fix_fields(THD*, Item**) (item.cc:4389) ==12861== by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178) ==12861== by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178) ==12861== by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603) ==12861== by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711) ==12861== by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530) ==12861== by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271) ==12861== by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154) ==12861== by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58) ==12861== by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214) ==12861== by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162) ==12861== by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493) ==12861== Address 0x1007f4c8 is 40 bytes inside a block of size 2,244 free'd ==12861== at 0x4C27C8A: free (vg_replace_malloc.c:468) ==12861== by 0xB8BB58: _myfree (safemalloc.c:333) ==12861== by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824) ==12861== by 0xB996B8: my_hash_delete (hash.c:566) ==12861== by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211) ==12861== by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364) ==12861== by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808) ==12861== by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259) ==12861== by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292) ==12861== by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811) ==12861== by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003) ==12861== by 0x602017: Item_func_sp::execute() (item_func.cc:5932) ==12861== by 0x604D69: Item_func_sp::val_int() (item_func.h:1729) ==12861== by 0x5D9400: Item::update_null_value() (item.h:844) ==12861== by 0x603028: Item_func::is_null() (item_func.h:152) ==12861== by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320) ==12861== Invalid read of size 8 ==12861== at 0x701792: find_field_in_table(THD*, st_table*, char const*, unsigned int, bool, unsigned int*) (sql_base.cc:6132) ==12861== by 0x701C93: find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**) (sql_base.cc:6265) ==12861== by 0x70251C: find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) (sql_base.cc:6537) ==12861== by 0x5CC1F1: Item_field::fix_outer_field(THD*, Field**, Item**) (item.cc:4182) ==12861== by 0x5CCA92: Item_field::fix_fields(THD*, Item**) (item.cc:4389) ==12861== by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178) ==12861== by 0x5EDEB2: Item_func::fix_fields(THD*, Item**) (item_func.cc:178) ==12861== by 0x60EF0A: Item_func_if::fix_fields(THD*, Item**) (item_cmpfunc.cc:2603) ==12861== by 0x704C6C: setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool) (sql_base.cc:7711) ==12861== by 0x717A22: JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:530) ==12861== by 0x865C9D: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:271) ==12861== by 0x867FC3: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:154) ==12861== by 0x867DE9: mysql_handle_derived(st_lex*, bool (*)(THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:58) ==12861== by 0x6FF575: open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int) (sql_base.cc:5214) ==12861== by 0x828848: fill_schema_table_by_open(THD*, bool, st_table*, st_schema_table*, st_mysql_lex_string*, st_mysql_lex_string*, Open_tables_state*) (sql_show.cc:3162) ==12861== by 0x829242: get_all_tables(THD*, TABLE_LIST*, Item*) (sql_show.cc:3493) ==12861== Address 0x1007f508 is 104 bytes inside a block of size 2,244 free'd ==12861== at 0x4C27C8A: free (vg_replace_malloc.c:468) ==12861== by 0xB8BB58: _myfree (safemalloc.c:333) ==12861== by 0x6F6085: free_cache_entry(st_table*) (sql_base.cc:824) ==12861== by 0xB996B8: my_hash_delete (hash.c:566) ==12861== by 0x6F6CA3: close_open_tables(THD*) (sql_base.cc:1211) ==12861== by 0x6F7057: close_thread_tables(THD*) (sql_base.cc:1364) ==12861== by 0x8850F7: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2808) ==12861== by 0x886276: sp_instr_freturn::execute(THD*, unsigned int*) (sp_head.cc:3259) ==12861== by 0x8816E3: sp_head::execute(THD*) (sp_head.cc:1292) ==12861== by 0x882927: sp_head::execute_function(THD*, Item**, unsigned int, Field*) (sp_head.cc:1811) ==12861== by 0x60227B: Item_func_sp::execute_impl(THD*) (item_func.cc:6003) ==12861== by 0x602017: Item_func_sp::execute() (item_func.cc:5932) ==12861== by 0x604D69: Item_func_sp::val_int() (item_func.h:1729) ==12861== by 0x5D9400: Item::update_null_value() (item.h:844) ==12861== by 0x603028: Item_func::is_null() (item_func.h:152) ==12861== by 0x61B368: Item_func_isnull::update_used_tables() (item_cmpfunc.h:1320)

Hide

Permalink

Elena Stepanova added a comment - 2014-11-09 17:58

Closing because the upstream fix is in 5.6 and is said not to be applicable to earlier versions, can't reproduce it on MariaDB 5.3+, and obviously nobody will fix it in 5.1 or 5.2.

For the reference, the upstream fix is apparently this:

    ------------------------------------------------------------
    revno: 4496.1.1
    revision-id: mattias.jonsson@oracle.com-20121030145353-yarpi7ayo8dhoupr
    parent: annamalai.gurusami@oracle.com-20121029102431-c90rcglncvnedges
    committer: Mattias Jonsson <mattias.jonsson@oracle.com>
    branch nick: b14789301-56
    timestamp: Tue 2012-10-30 22:53:53 +0800
    message:
      Bug#14789301: CRASHING SERVER BY STORED FUNCTION
      REFERENCING USER DEFINED VARIABLE IN QUERY
      
      There are 2 steps resulting in the crash:
      1) the stored procedure was executed during JOIN::prepare resulting
          in setting thd->user_var_events_alloc to NULL (due to LTM_NONE)
      2) the next time the stored procedure was executed in the same statement
          it crashes due to thd->user_var_events_alloc was null. (it was not
         set to thd->mem_root since LTM_PRELOCKED).
      
      The fix is to:
      * avoid executing the stored program during prepare phase of
      Item_func_isnull (update_used_tables).
      
      Also updated a comment which got out of date after bug 14247298.
      Also added test case copied from the duplicate bug:
      BUG#11765560 - SEGFAULT ON SHOW TABLE STATUS (MYSQLDUMP) OF NESTED
      VIEWS
      which is a duplicate in 5.6 (other cause in 5.1/5.5), but with another crash.
      In 5.1/5.5 this patch cannot be used since it lacks of with_stored_program,
      and the problem is caching strategy for is_not_null/isnull and
      DETERMINISTIC stored programs.

Show

Elena Stepanova added a comment - 2014-11-09 17:58 Closing because the upstream fix is in 5.6 and is said not to be applicable to earlier versions, can't reproduce it on MariaDB 5.3+, and obviously nobody will fix it in 5.1 or 5.2. For the reference, the upstream fix is apparently this: ------------------------------------------------------------ revno: 4496.1.1 revision-id: mattias.jonsson@oracle.com-20121030145353-yarpi7ayo8dhoupr parent: annamalai.gurusami@oracle.com-20121029102431-c90rcglncvnedges committer: Mattias Jonsson <mattias.jonsson@oracle.com> branch nick: b14789301-56 timestamp: Tue 2012-10-30 22:53:53 +0800 message: Bug#14789301: CRASHING SERVER BY STORED FUNCTION REFERENCING USER DEFINED VARIABLE IN QUERY There are 2 steps resulting in the crash: 1) the stored procedure was executed during JOIN::prepare resulting in setting thd->user_var_events_alloc to NULL (due to LTM_NONE) 2) the next time the stored procedure was executed in the same statement it crashes due to thd->user_var_events_alloc was null. (it was not set to thd->mem_root since LTM_PRELOCKED). The fix is to: * avoid executing the stored program during prepare phase of Item_func_isnull (update_used_tables). Also updated a comment which got out of date after bug 14247298. Also added test case copied from the duplicate bug: BUG#11765560 - SEGFAULT ON SHOW TABLE STATUS (MYSQLDUMP) OF NESTED VIEWS which is a duplicate in 5.6 (other cause in 5.1/5.5), but with another crash. In 5.1/5.5 this patch cannot be used since it lacks of with_stored_program, and the problem is caching strategy for is_not_null/isnull and DETERMINISTIC stored programs.

LP:682525 - Segfault on SHOW TABLE STATUS (mysqldump) of nested views

Details

Description

Gliffy Diagrams

Attachments

Attachments

Issue Links

Activity

People

Dates

Agile