Bug #21216 Simultaneous DROP TABLE and SHOW OPEN TABLES causes server to crash
Submitted: 21 Jul 2006 15:54 Modified: 31 Aug 2006 18:58
Reporter: Dmitry Lenev Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S3 (Non-critical)
Version:4.1.22-bk, 5.0.25-bk, 5.1.12-bk OS:Linux (Linux)
Assigned to: Dmitry Lenev CPU Architecture:Any

[21 Jul 2006 15:54] Dmitry Lenev
Description:
Simultaneous execution of DROP TABLE (or RENAME TABLE, or CREATE TABLE, or ALTER TABLE, or any other command that takes name-lock on table) and of SHOW OPEN TABLES causes server crash. Normally this problem can be reproduced in highly concurrent environment.

Note that in 4.1 it fails on assertion so debug build is required.
In 5.0 and 5.1 crash happens becuase of null-pointer dereference so should not depend on build.

How to repeat:
#
# Below script for mysqltest tool tries to reproduce crash which is normally 
# repeatable in highly concurrent environment.
#
--disable_warnings
drop table if exists t1;
--enable_warnings
create table t1 (i int);
lock tables t1 read;
connect (addconroot1, localhost, root,,);
--send drop table t1
connect (addconroot2, localhost, root,,);
# Server should not crash in any of the following statements
show open tables;
connection default;
unlock tables;
connection addconroot1;
--reap
disconnect addconroot1;
disconnect addconroot2;
connection default;
[22 Jul 2006 15:34] MySQL Verification Team
bug21216_4.1.log

Attachment: bug21216_4.1.log (application/octet-stream, text), 3.17 KiB.

[22 Jul 2006 15:44] MySQL Verification Team
bug21216_5.0.log

Attachment: bug21216_5.0.log (application/octet-stream, text), 3.38 KiB.

[22 Jul 2006 15:44] MySQL Verification Team
bug21216_5.1.log

Attachment: bug21216_5.1.log (application/octet-stream, text), 3.06 KiB.

[22 Jul 2006 15:48] MySQL Verification Team
verified on FC4. Crash logs attached above.
[26 Jul 2006 20:46] Konstantin Osipov
A crash is a p1.
Not fixing in 4.1 as it only breaks in debug builds, and the release builds have a workaround for this.
Dmitri, please fix it starting from 5.0
[27 Jul 2006 22:25] Dmitry Lenev
Investigation shows that in 5.0 it also fails on assertion (and should not fail in non-debug build).
[28 Jul 2006 10:36] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/9697
[4 Aug 2006 14:22] Konstantin Osipov
Approved by email.
[21 Aug 2006 8:15] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/10658

ChangeSet@1.2235, 2006-08-21 12:18:59+04:00, dlenev@mockturtle.local +3 -0
  Fix for bug#21216 "Simultaneous DROP TABLE and SHOW OPEN TABLES causes
  server to crash".
  
  Crash caused by assertion failure happened when one ran SHOW OPEN TABLES
  while concurrently doing DROP TABLE (or RENAME TABLE, CREATE TABLE LIKE
  or any other command that takes name-lock) in other connection.
  For non-debug version of server problem exposed itself as wrong output
  of SHOW OPEN TABLES statement (it was missing name-locked tables).
  Finally in 5.1 both debug and non-debug versions simply crashed in
  this situation due to NULL-pointer dereference.
  
  This problem was caused by the fact that table placeholders which were
  added to table cache in order to obtain name-lock had TABLE_SHARE::table_name
  set to 0. Therefore they broke assumption that this member is non-0 for
  all tables in table cache which was checked by assert in list_open_tables()
  (in 5.1 this function simply relies on it).
  The fix simply sets this member for such placeholders to appropriate value
  making this assumption true again.
  
  This patch also includes test for similar bug 12212 "Crash that happens
  during removing of database name from cache" reappeared in 5.1 as bug 19403.
[21 Aug 2006 14:58] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/10683

ChangeSet@1.2280, 2006-08-21 19:02:11+04:00, dlenev@mockturtle.local +5 -0
  Fix for bug#19403/12212 "Crash that happens during removing of database name
  from cache" and #21216 "Simultaneous DROP TABLE and SHOW OPEN TABLES causes
  server to crash".
  
  Crash happened when one ran DROP DATABASE or SHOW OPEN TABLES statements
  while concurrently doing DROP TABLE (or RENAME TABLE, CREATE TABLE LIKE
  or any other command that takes name-lock) in other connection.
  
  This problem was caused by the fact that table placeholders which were
  added to table cache in order to obtain name-lock on table had
  TABLE_SHARE::db and table_name set to 0. Therefore they broke assumption
  that these members are non-0 for all tables in table cache on which some
  of our code relies.
  
  The fix sets these members for such placeholders to appropriate value making
  this assumption true again. As attempt to avoid such problems in future
  we introduce auxiliary TABLE_SHARE::set_table_cache_key() methods which
  should be used when one wants to set TABLE_SHARE::table_cache_key and which
  ensure that TABLE_SHARE::table_name/db are set properly.
  
  Test cases for these bugs were added to 5.0 test-suite (with 5.0-specific
  fix for bug #21216).
[24 Aug 2006 21:05] Petr Chardin
Pushed to 5.1.12
[31 Aug 2006 10:19] Konstantin Osipov
Pushed into 5.0.25 and 5.1.12
[31 Aug 2006 18:58] Paul DuBois
Noted in 5.0.25, 5.1.12 changelogs.