Bug #32676 | insert delayed crash with wrong column and function specified .. | ||
---|---|---|---|
Submitted: | 23 Nov 2007 18:20 | Modified: | 11 Jan 2008 16:09 |
Reporter: | Shane Bester (Platinum Quality Contributor) | | |
Status: | Closed | | |
Category: | MySQL Server: Locking | Severity: | S1 (Critical) |
Version: | 5.0.50, 5.1.23, 6.0.3 | OS: | Any |
Assigned to: | Ramil Kalimullin | CPU Architecture: | Any |
Tags: | DoS |
[23 Nov 2007 18:20]
Shane Bester
[23 Nov 2007 18:26]
MySQL Verification Team
Call Stack for 5.0:

```
  ntdll.dll!0000000077c32676()
  [Frames below may be incorrect and/or missing, no symbols loaded for ntdll.dll]
> mysqld.exe!mysql_insert(THD * thd=0x000000000341ec80, TABLE_LIST * table_list=0x000000000341ec80, List<Item> & fields={...}, List<List<Item> > & values_list={...}, List<Item> & update_fields={...}, List<Item> & update_values={...}, enum_duplicates duplic=DUP_ERROR, int ignore=0) Line 987 + 0x14 bytes C++
  mysqld.exe!mysql_execute_command(THD * thd=0x000000000341ec80) Line 3529 + 0x4c bytes C++
  mysqld.exe!mysql_parse(THD * thd=0x00000000034312a1, const char * inBuf=0x00000000034392f3, unsigned int length=54652032, const char * * found_semicolon=0x00000001404295a4) Line 6098 C++
  mysqld.exe!dispatch_command(enum_server_command command=COM_SLEEP, THD * thd=0x0000000000000000, char * packet=0x000000000341f610, unsigned int packet_length=1900464) Line 1823 C++
  mysqld.exe!handle_one_connection(void * arg=0x000000000341ec80) Line 1201 + 0xb3 bytes C++
  mysqld.exe!pthread_start() + 0x55 bytes C
  mysqld.exe!_callthreadstart() Line 295 C
  mysqld.exe!_threadstart(void * ptd=0x0000000000000000) Line 275 + 0x5 bytes C
  kernel32.dll!0000000077a0cdcd()
  ntdll.dll!0000000077c2c6e1()
```
[26 Nov 2007 9:29]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/38480

ChangeSet@1.2579, 2007-11-26 13:29:26+04:00, ramil@mysql.com +3 -0

Fix for bug #32676: insert delayed crash with wrong column and function specified

Problem: using wrong local lock type value in the mysql_insert() results in a crash.

Fix: use a proper value.
[12 Dec 2007 23:00]
Bugs System
Pushed into 6.0.5-alpha
[12 Dec 2007 23:02]
Bugs System
Pushed into 5.1.23-rc
[12 Dec 2007 23:03]
Bugs System
Pushed into 5.0.54
[11 Jan 2008 16:09]
Paul DuBois
Noted in 5.0.54, 5.1.23, 6.0.5 changelogs. Specifying a non-existent column for an INSERT DELAYED statement caused a server crash rather than producing an error.