Bug #31145 ALTER TABLE DROP COLUMN, ADD COLUMN crashes (linux) or freezes (win) the server
Submitted: 22 Sep 2007 14:09    Modified: 12 Mar 2010 17:54
Reporter: Vladimir Kolesnikov
Status: Closed
Category: MySQL Server: DDL    Severity: S1 (Critical)
Version: 5.1.20, 5.1.43    OS: Any (windows/linux)
Assigned to: Georgi Kodinov    CPU Architecture: Any

[22 Sep 2007 14:09] Vladimir Kolesnikov
Description:
Running an ALTER TABLE statement crashes or freezes the server

How to repeat:
Running these queries from an application or MySQL CLI client crashes (on linux) or freezes (on windows) the server:

CREATE DATABASE grtdiff_alter_test;
CREATE TABLE grtdiff_alter_test.t1 (t TEXT, `id` int(11) DEFAULT NULL, `id2` int(11) DEFAULT NULL) ENGINE=MyISAM DEFAULT CHARSET=latin1;
ALTER TABLE `grtdiff_alter_test`.`t1` DROP COLUMN `t` , ADD COLUMN `t2` TEXT  NULL  FIRST ;

Tested with MyISAM and InnoDB engines
[22 Sep 2007 15:15] Vladimir Kolesnikov
One more test case:

CREATE TABLE grtdiff_alter_test.t1 (`id` int(11) DEFAULT NULL, `id2` int(11) DEFAULT NULL, t TEXT) ENGINE=InnoDB DEFAULT CHARSET=latin1;
ALTER TABLE `grtdiff_alter_test`.`t1` DROP COLUMN `t` , ADD COLUMN `t2` TEXT  NULL  AFTER `id2` ;
[22 Sep 2007 16:18] MySQL Verification Team
Thank you for the bug report.
[26 Sep 2007 9:59] Konstantin Osipov
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1257452656 (LWP 9264)]
0x0828bfd0 in Field_blob::max_data_length (this=0x0) at field.h:1402
1402	    return (uint32) (((ulonglong) 1 << (packlength*8)) -1);
(gdb) bt
#0  0x0828bfd0 in Field_blob::max_data_length (this=0x0) at field.h:1402
#1  0x08274f0b in Field_blob::is_equal (this=0x90682c0, new_field=0x9041818)
    at field.cc:8004
#2  0x083e7b8e in compare_tables (table=0x9067610, alter_info=0xb50cb70c, 
    create_info=0xb50cb42c, order_num=0, need_copy_table=0xb50ca2f4, 
    key_info_buffer=0xb50ca318, index_drop_buffer=0xb50ca310, 
    index_drop_count=0xb50ca314, index_add_buffer=0xb50ca308, 
    index_add_count=0xb50ca30c) at sql_table.cc:5031
#3  0x083ed9bc in mysql_alter_table (thd=0x8ffb1d0, 
    new_db=0x903b7b0 "grtdiff_alter_test", new_name=0x903fb30 "t1", 
    create_info=0xb50cb42c, table_list=0x9041478, alter_info=0xb50cb70c, 
    order_num=0, order=0x0, ignore=false) at sql_table.cc:6082
#4  0x082bf5f6 in mysql_execute_command (thd=0x8ffb1d0) at sql_parse.cc:2474
#5  0x082c6d1e in mysql_parse (thd=0x8ffb1d0, 
    inBuf=0x9068070 "ALTER TABLE `grtdiff_alter_test`.`t1` DROP COLUMN `t` , ADD COLUMN `t2` TEXT  NULL  FIRST", length=89, found_semicolon=0xb50cc074)
    at sql_parse.cc:5457
#6  0x082c7957 in dispatch_command (command=COM_QUERY, thd=0x8ffb1d0, 
    packet=0x9037791 "ALTER TABLE `grtdiff_alter_test`.`t1` DROP COLUMN `t` , ADD COLUMN `t2` TEXT  NULL  FIRST", packet_length=90) at sql_parse.cc:958
#7  0x082c8ca3 in do_command (thd=0x8ffb1d0) at sql_parse.cc:717
#8  0x082b5d07 in handle_one_connection (arg=0x8ffb1d0) at sql_connect.cc:1094
#9  0xb7eee31b in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#10 0xb7df257e in clone () from /lib/tls/i686/cmov/libc.so.6
[24 Oct 2007 15:57] Georgi Kodinov
I've tried to reproduce using the latest 5.0.52 (BK). I've been able to execute all statements without hangs or crashes. 
I also noted that one of the functions in the quoted call-stack is not present already.
Please re-test with a recent version and re-open this bug if it still crashes.
[9 Dec 2009 20:30] Kevin Regan
I'm able to reproduce this with 5.1.41.  Notice that the bug was filed against 5.1, but you tried to repro it against 5.0 (could have been found and fixed a couple of years ago).

Splitting this into 2 ALTER TABLE statements with separate DROP and ADD works (server does not crash).
[10 Dec 2009 6:16] MySQL Verification Team
Still repeatable on 5.1.43-debug from bzr.

Invalid read of size 4
at : Field_blob::is_equal(Create_field*) (field.cc:8286)
by : compare_tables (sql_table.cc:5741)
by : mysql_alter_table (sql_table.cc:6850)
by : mysql_execute_command(THD*) (sql_parse.cc:2898)
by : mysql_parse (sql_parse.cc:5970)
by : dispatch_command (sql_parse.cc:1231)
by : do_command(THD*) (sql_parse.cc:872)
by : handle_one_connection (sql_connect.cc:1127)
by : start_thread (in /lib/libpthread-2.5.so)
by : clone (in /lib/libc-2.5.so)
 Address 0x0 is not stack'd, malloc'd or (recently) free'd
[10 Dec 2009 9:52] Georgi Kodinov
I'm getting the crash on the latest 5.1.
[10 Dec 2009 11:55] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/93484

3254 Georgi Kodinov	2009-12-10
      Bug #31145: ALTER TABLE DROP COLUMN, ADD COLUMN crashes (linux) or 
        freezes (win) the server
      
      The check for equality was assuming the field object is always 
      created. If it's not it was de-referencing a NULL pointer.
      Fixed to use the data in the create object instead.
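The NULL dereference the commit message describes, modelled in C as an added example (this is not MySQL's code): a simplified `Create_field` whose `field` pointer is NULL for an ADD COLUMN entry, the buggy comparison that dereferences it (the `this=0x0` frame in the backtrace above), and the fixed comparison that reads the pack length from the create description instead. The type names mirror the trace; their members, the `needs_copy` walk and the TEXT/MEDIUMTEXT pack lengths used in the scenarios are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model of the objects in the trace (not MySQL's code). */

/* An existing blob/TEXT column: packlength is how many bytes store the length. */
typedef struct {
    const char *name;
    unsigned packlength;      /* 1..4 */
} Field_blob;

/* One entry of the ALTER TABLE column list. For a column that already exists,
   `field` points at the old column object; for an ADD COLUMN entry nothing has
   been created yet, so `field` is NULL and only the requested definition exists. */
typedef struct {
    const char *name;
    const Field_blob *field;  /* NULL for a newly added column (assumed layout) */
    unsigned pack_length;     /* length bytes requested by the new definition */
} Create_field;

/* Same arithmetic as the field.h line in the trace: (1 << (packlength*8)) - 1 */
static uint64_t max_data_length(const Field_blob *f)
{
    return ((uint64_t)1 << (f->packlength * 8)) - 1;
}

/* Buggy shape: compares the old column with the Field object of the new entry,
   which does not exist for ADD COLUMN. max_data_length() then runs with a NULL
   object pointer, which is frame #0 of the backtrace. Kept only for contrast;
   never call it with new_field->field == NULL. */
static bool is_equal_buggy(const Field_blob *old_field, const Create_field *new_field)
{
    return max_data_length(old_field) == max_data_length(new_field->field);
}

/* Fixed shape, following the commit description: the new column's limit is
   derived from the create description itself, so no Field object is required. */
static bool is_equal_fixed(const Field_blob *old_field, const Create_field *new_field)
{
    uint64_t new_max = ((uint64_t)1 << (new_field->pack_length * 8)) - 1;
    return max_data_length(old_field) == new_max;
}

/* Pairs old columns with new definitions by position (assumed simplification of
   the comparison done for ALTER TABLE). Returns true when the table would have
   to be rebuilt because some paired definition differs or the count changed. */
static bool needs_copy(const Field_blob *old_fields, size_t n_old,
                       const Create_field *new_fields, size_t n_new)
{
    if (n_old != n_new)
        return true;
    for (size_t i = 0; i < n_old; i++)
        if (!is_equal_fixed(&old_fields[i], &new_fields[i]))
            return true;
    return false;
}

/* Constructed scenarios: old TEXT column `t` (pack length 2 assumed for TEXT)
   against an added column with no Field object, first of the same width,
   then of a wider type (pack length 3 assumed for MEDIUMTEXT). */
static bool added_text_same_width(void)
{
    Field_blob old_t = { "t", 2 };
    Create_field new_t2 = { "t2", NULL, 2 };   /* ADD COLUMN t2 TEXT NULL FIRST */
    return is_equal_fixed(&old_t, &new_t2);
}

static bool added_mediumtext_same_width(void)
{
    Field_blob old_t = { "t", 2 };
    Create_field new_t2 = { "t2", NULL, 3 };
    return is_equal_fixed(&old_t, &new_t2);
}

static bool scenario_needs_copy(void)
{
    Field_blob old_cols[1] = { { "t", 2 } };
    Create_field new_cols[1] = { { "t2", NULL, 3 } };
    return needs_copy(old_cols, 1, new_cols, 1);
}

/* Buggy and fixed comparisons agree as long as a Field object exists. */
static bool buggy_and_fixed_agree_when_field_exists(void)
{
    Field_blob old_t = { "t", 2 };
    Create_field same = { "t", &old_t, 2 };
    return is_equal_buggy(&old_t, &same) == is_equal_fixed(&old_t, &same);
}

int main(void)
{
    printf("TEXT max length: %llu\n",
           (unsigned long long)max_data_length(&(Field_blob){ "t", 2 }));
    printf("added TEXT equal: %d, added MEDIUMTEXT equal: %d, copy needed: %d\n",
           added_text_same_width(), added_mediumtext_same_width(),
           scenario_needs_copy());
    return 0;
}
```

The defect is the ownership assumption, not the arithmetic: the comparison code trusted that every entry in the new column list had a backing object, which is false for a column being added in the same statement that drops another. Reading the limit from the definition that is guaranteed to exist removes the dependency rather than adding a NULL check at the call site, which is also why splitting the statement into separate DROP and ADD, as noted earlier in the thread, avoided the crash.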
[18 Dec 2009 12:01] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/94936

3254 Georgi Kodinov	2009-12-18
      Bug #31145: ALTER TABLE DROP COLUMN, ADD COLUMN crashes (linux) or 
        freezes (win) the server
      
      The check for equality was assuming the field object is always 
      created. If it's not it was de-referencing a NULL pointer.
      Fixed to use the data in the create object instead.
[24 Dec 2009 8:33] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/95651

3297 Georgi Kodinov	2009-12-18
      Bug #31145: ALTER TABLE DROP COLUMN, ADD COLUMN crashes (linux) or 
        freezes (win) the server
      
      The check for equality was assuming the field object is always 
      created. If it's not it was de-referencing a NULL pointer.
      Fixed to use the data in the create object instead.
[15 Jan 2010 9:00] Bugs System
Pushed into 5.1.43 (revid:joro@sun.com-20100115085139-qkh0i0fpohd9u9p5) (version source revid:joro@sun.com-20091218120030-zwz6r364ayxx5q83) (merge vers: 5.1.42) (pib:16)
[16 Jan 2010 1:38] Paul DuBois
Noted in 5.1.43 changelog.

ALTER TABLE with both DROP COLUMN and ADD COLUMN clauses could crash
or lock up the server. 

Setting report to NDI pending push to 5.5.x+.
[5 Feb 2010 11:47] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100204063540-9czpdmpixi3iw2yb) (version source revid:alik@sun.com-20100119163614-172adculixyu26j5) (pib:16)
[5 Feb 2010 11:53] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100205113942-oqovjy0eoqbarn7i) (version source revid:alik@sun.com-20100204064210-ljwanqvrjs83s1gq) (merge vers: 6.0.14-alpha) (pib:16)
[5 Feb 2010 11:59] Bugs System
Pushed into 5.5.2-m2 (revid:alik@sun.com-20100203172258-1n5dsotny40yufxw) (version source revid:alexey.kopytov@sun.com-20091225105650-qletdbs0wz9sx5nc) (merge vers: 5.5.1-m2) (pib:16)
[5 Feb 2010 16:47] Paul DuBois
Noted in 5.5.2, 6.0.14 changelogs.

Setting report to Need Merge pending push into Celosia.
[12 Mar 2010 14:19] Bugs System
Pushed into 5.1.44-ndb-7.0.14 (revid:jonas@mysql.com-20100312135944-t0z8s1da2orvl66x) (version source revid:jonas@mysql.com-20100312115609-woou0te4a6s4ae9y) (merge vers: 5.1.44-ndb-7.0.14) (pib:16)
[12 Mar 2010 14:34] Bugs System
Pushed into 5.1.44-ndb-6.2.19 (revid:jonas@mysql.com-20100312134846-tuqhd9w3tv4xgl3d) (version source revid:jonas@mysql.com-20100312060623-mx6407w2vx76h3by) (merge vers: 5.1.44-ndb-6.2.19) (pib:16)
[12 Mar 2010 14:50] Bugs System
Pushed into 5.1.44-ndb-6.3.33 (revid:jonas@mysql.com-20100312135724-xcw8vw2lu3mijrhn) (version source revid:jonas@mysql.com-20100312103652-snkltsd197l7q2yg) (merge vers: 5.1.44-ndb-6.3.33) (pib:16)
[12 Mar 2010 17:54] Paul DuBois
Fixed in earlier 5.1.x, 5.5.x.