Bug #30695 Apostrophe in PARTITION clause comment crashes the server
Submitted: 29 Aug 2007 15:13 Modified: 15 Nov 2007 13:08
Reporter: Santo Leto Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Partitions Severity:S1 (Critical)
Version:5.1+ OS:Any
Assigned to: Mattias Jonsson CPU Architecture:Any
Tags: ALTER TABLE, apostrophe, bfsm_2007_10_18, CREATE TABLE, partition

[29 Aug 2007 15:13] Santo Leto 
Description:
An apostrophe ' in the comment of the ADD PARTITION syntax causes the Server to crash.

How to repeat:
Test 1): [all works fine]

DROP DATABASE IF EXISTS `test_partition`;

CREATE DATABASE `test_partition`;

CREATE TABLE `test_partition`.`members` (
    firstname VARCHAR(25) NOT NULL,
    lastname VARCHAR(25) NOT NULL,
    username VARCHAR(16) NOT NULL,
    email VARCHAR(35),
    joined DATE NOT NULL
)
PARTITION BY RANGE( YEAR(joined) ) (
    PARTITION p0 VALUES LESS THAN (1960),
    PARTITION p1 VALUES LESS THAN (1970),
    PARTITION p2 VALUES LESS THAN (1980),
    PARTITION p3 VALUES LESS THAN (1990)
);

ALTER TABLE `test_partition`.`members` ADD PARTITION ( PARTITION `p4` VALUES LESS THAN (2000) COMMENT 'this is my comment...');

SELECT * FROM `test_partition`.`members` LIMIT 1;

Test 2): [the server crashes]

DROP DATABASE IF EXISTS `test_partition`;

CREATE DATABASE `test_partition`;

CREATE TABLE `test_partition`.`members` (
    firstname VARCHAR(25) NOT NULL,
    lastname VARCHAR(25) NOT NULL,
    username VARCHAR(16) NOT NULL,
    email VARCHAR(35),
    joined DATE NOT NULL
)
PARTITION BY RANGE( YEAR(joined) ) (
    PARTITION p0 VALUES LESS THAN (1960),
    PARTITION p1 VALUES LESS THAN (1970),
    PARTITION p2 VALUES LESS THAN (1980),
    PARTITION p3 VALUES LESS THAN (1990)
);

ALTER TABLE `test_partition`.`members` ADD PARTITION ( PARTITION `p5` VALUES LESS THAN (2010) COMMENT 'Howdy, Y\'All...');

SELECT * FROM `test_partition`.`members` LIMIT 1;
[29 Aug 2007 17:05] Valeriy Kravchuk 
Thank you for a bug report. Verified just as described both on 5.1.21 on Windows and on latest 5.1.23-BK on Linux:

...
mysql> ALTER TABLE `test_partition`.`members` ADD PARTITION ( PARTITION `p5` VALUES LESS THAN
    -> (2010) COMMENT 'Howdy, Y\'All...');
Query OK, 0 rows affected (0.04 sec)
Records: 0  Duplicates: 0  Warnings: 0

mysql>
mysql> SELECT * FROM `test_partition`.`members` LIMIT 1;
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> 070829 09:07:02 mysqld_safe Number of processes running now: 0
070829 09:07:02 mysqld_safe mysqld restarted

Resolved stack trace:

openxs@linux:~/dbs/5.1> bin/resolve_stack_dump -s /tmp/mysqld51.sym -n 30695.stack
0x8214040 handle_segfault + 688
0x8266b13 _Z21open_table_from_shareP3THDP14st_table_sharePKcjjjP8st_tableb + 1763
0x825e2f0 _Z17open_unireg_entryP3THDP8st_tableP10TABLE_LISTPKcPcjP11st_mem_rootj + 144
0x82607a8 _Z10open_tableP3THDP10TABLE_LISTP11st_mem_rootPbj + 3176
0x82613e6 _Z11open_tablesP3THDPP10TABLE_LISTPjj + 646
0x8261683 _Z20open_and_lock_tablesP3THDP10TABLE_LIST + 35
0x8221975 _Z21execute_sqlcom_selectP3THDP10TABLE_LIST + 85
0x82282ac _Z21mysql_execute_commandP3THD + 21948
0x822b79d _Z11mysql_parseP3THDPKcjPS2_ + 589
0x822c69b _Z16dispatch_command19enum_server_commandP3THDPcj + 3659
0x822d050 _Z10do_commandP3THD + 144
0x821cda6 handle_one_connection + 406
0x40032aa7 _end + 931744659
0x401e1c2e _end + 933510426
[4 Oct 2007 9:46] Ingo Strüwing 
It crashes in open_table_from_share() because table->part_info is NULL. This means that mysql_unpack_partition() didn't reead the partitioning info from the .frm file correctly. A look into the file shows that the comment is there without escaping the embedded quote. Hence parsing of the SQL string fails.

I guess the fix would be to add proper escaping to the SQL string when created in add_partition_options() called from generate_partition_syntax() called from mysql_write_frm(). Perhaps the use of add_keyword_string() should be changed to something with string esacping.
[5 Oct 2007 8:36] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/34953

ChangeSet@1.2568, 2007-10-05 10:10:18+02:00, mattiasj@mattiasj-laptop.(none) +3 -0
  Bug #30695: An apostrophe ' in the comment of the ADD PARTITION causes the Server to crash.
  
  I crashed because of the comment in the partition clause was saved in the frm file without escaping,
  causing the server to crash when it was read/parsed again.
  
  Fixed by escaping the comment when writing it to the frm-file
[10 Oct 2007 7:02] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/35252

ChangeSet@1.2568, 2007-10-10 09:01:57+02:00, mattiasj@mattiasj-laptop.(none) +3 -0
  Bug #30695: An apostrophe ' in the comment of the ADD PARTITION
    causes the Server to crash.
  
  Crashed because of the comment in the partition clause was saved in
  the frm file without escaping, causing the server to crash when it was
  read/parsed again.
  
  Fixed by escaping quoted text in the partition info when writing it to
  the frm-file
  
  NOTE: If the comment is written by an earlier version of the server,
  it will still crash.
  Instead of adding code to allways handle this,
  it would be better to drop the table and recreate it.
  (If needed, edit the frm-file manually and
  replace the apostrophe within the comment with a space)
[10 Oct 2007 18:53] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/35302

ChangeSet@1.2568, 2007-10-10 20:53:29+02:00, mattiasj@mattiasj-laptop.(none) +4 -0
  Bug #30695: An apostrophe ' in the comment of the ADD PARTITION
    causes the Server to crash.
  
  Crashed because of the comment in the partition clause was saved in
  the frm file without escaping, causing the server to crash when it was
  read/parsed again.
  
  Fixed by escaping quoted text in the partition info when writing it to
  the frm-file and added a check that it was able to parse the partition
  info before using it 
  
  NOTE: If the comment is written by an earlier version of the server,
  the corrupted frm-file is still corrupt, drop the table and recreate it.
  (If needed, edit the frm-file manually and replace the apostrophe
  within the comment with a space to allow parsing)
[11 Oct 2007 11:34] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/35343

ChangeSet@1.2568, 2007-10-11 13:34:41+02:00, mattiasj@mattiasj-laptop.(none) +4 -0
  Bug #30695: An apostrophe ' in the comment of the ADD PARTITION
    causes the Server to crash.
  
  Crashed because of the comment in the partition clause was saved in
  the frm file without escaping, causing the server to crash when it was
  read/parsed again.
  
  Fixed by escaping quoted text in the partition info when writing it to
  the frm-file and added a check that it was able to parse the partition
  info before using it 
  
  NOTE: If the comment is written by an earlier version of the server,
  the corrupted frm-file is not fixed, but left corrupted, you have to
  manually drop the table and recreate it.
[23 Oct 2007 20:05] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/36199

ChangeSet@1.2568, 2007-10-23 22:04:09+02:00, mattiasj@mattiasj-laptop.(none) +4 -0
  Bug #30695: An apostrophe ' in the comment of the ADD PARTITION
    causes the Server to crash.
  
  Accessing partitioned table with an apostrophe in partition options
  like DATA DIRECTORY, INDEX DIRECTORY or COMMENT causes server crash.
  
  Partition options were saved in .frm file without escaping.
  When accessing such table it is not possible to properly restore
  partition information.
  Crashed because there was no check for partition info parser failure.
  
  Fixed by escaping quoted text in the partition info when writing it to
  the frm-file and added a check that it was able to parse the partition
  info before using it 
  
  NOTE: If the comment is written by an earlier version of the server,
  the corrupted frm-file is not fixed, but left corrupted, you have to
  manually drop the table and recreate it.
[11 Nov 2007 21:30] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/37546

ChangeSet@1.2612, 2007-11-11 22:30:01+01:00, mattiasj@mattiasj-laptop.(none) +1 -0
  Bug#30695: An apostrophe ' in the comment of the ADD PARTITION
      causes the Server to crash.
  
  Post-pushbuild fix
  
  Pushbuild genereted valgrind warnings.
  
  Changed function to safer variant.
[14 Nov 2007 9:41] Bugs System 
Pushed into 6.0.4-alpha
[14 Nov 2007 9:45] Bugs System 
Pushed into 5.1.23-rc
[15 Nov 2007 12:41] Jon Stephens 
After testing with 5.1.22 and 6.0.3, I've found that this bug was not restricted to ALTER TABLE ... ADD PARTITION - it also appeared in CREATE TABLE. In fact, using an apostrophe in a PARTITION comment in a CREATE TABLE statement crashed the server, and the server could not be restarted until the corresponding .FRM files were removed:

mysql> select version();
+------------------------+
| version()              |
+------------------------+
| 5.1.22-ndb-6.3.7-debug |
+------------------------+
1 row in set (0.00 sec)

mysql> CREATE TABLE apos1 (
    ->     firstname VARCHAR(25) NOT NULL,
    ->     lastname VARCHAR(25) NOT NULL,
    ->     username VARCHAR(16) NOT NULL,
    ->     email VARCHAR(35),
    ->     joined DATE NOT NULL
    -> )
    -> PARTITION BY RANGE( YEAR(joined) ) (
    ->     PARTITION p0 VALUES LESS THAN (1960) COMMENT 'A comment',
    ->     PARTITION p1 VALUES LESS THAN (1970),
    ->     PARTITION p2 VALUES LESS THAN (1980),
    ->     PARTITION p3 VALUES LESS THAN (1990)
    -> );
Query OK, 0 rows affected (0.11 sec)

mysql> select * from apos1;
Empty set (0.00 sec)

mysql> CREATE TABLE apos2 (
    ->     firstname VARCHAR(25) NOT NULL,
    ->     lastname VARCHAR(25) NOT NULL,
    ->     username VARCHAR(16) NOT NULL,
    ->     email VARCHAR(35),
    ->     joined DATE NOT NULL
    -> )
    -> PARTITION BY RANGE( YEAR(joined) ) (
    ->     PARTITION p0 VALUES LESS THAN (1960) COMMENT "Jon's comment",
    ->     PARTITION p1 VALUES LESS THAN (1970),
    ->     PARTITION p2 VALUES LESS THAN (1980),
    ->     PARTITION p3 VALUES LESS THAN (1990)
    -> );
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> 071114 22:54:22 mysqld_safe Number of processes running now: 0
071114 22:54:22 mysqld_safe mysqld restarted

mysql> CREATE TABLE apos3 (
    ->     firstname VARCHAR(25) NOT NULL,
    ->     lastname VARCHAR(25) NOT NULL,
    ->     username VARCHAR(16) NOT NULL,
    ->     email VARCHAR(35),
    ->     joined DATE NOT NULL
    -> )
    -> PARTITION BY RANGE( YEAR(joined) ) (
    ->     PARTITION p0 VALUES LESS THAN (1960) COMMENT 'Jon\'s comment',
    ->     PARTITION p1 VALUES LESS THAN (1970),
    ->     PARTITION p2 VALUES LESS THAN (1980),
    ->     PARTITION p3 VALUES LESS THAN (1990)
    -> );
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    1
Current database: test

Fortunately the bugfix takes care of this issue as well.

Updated synopsis to reflect the above.
[15 Nov 2007 13:08] Jon Stephens 
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html

Documented as follows in the 5.1.23 and 6.0.4 changelogs:

        An apostrophe or single quote character (') used in the DATA
        DIRECTORY, INDEX DIRECTORY, or COMMENT for a PARTITION clause
        caused the server to crash. When used as part of a CREATE TABLE
        statement, the crash was immediate. When used in an ALTER TABLE
        statement, the crash did not occur until trying to perform a
        SELECT or DML statement on the table. In either case, the server
        could not be completely restarted until the .FRM file
        corresponding to the newly created or altered table was deleted.

        NOTE: Upgrading to the current (or later) release solves this 
        problem only for tables that are newly created or altered. Tables
        created or altered in previous versions of the server to include
        ' characters in PARTITION options must still be removed by deleting 
        the corresponding .FRM files and re-creating them afterwards.