Bug #34166 Server crash in SHOW OPEN TABLES and pre-locking.
Submitted: 30 Jan 2008 15:15
Modified: 11 Feb 2008 20:45
Reporter: Konstantin Osipov (OCA)
Status: Closed
Category: MySQL Server: Information schema
Severity: S3 (Non-critical)
Version:
OS: Any
Assigned to: Konstantin Osipov
CPU Architecture: Any

[30 Jan 2008 15:15] Konstantin Osipov
Description:
The server crashes when functions are used with SHOW OPEN TABLES:

--echo #
--echo # Bug#XXX: Server crash in SHOW OPEN TABLES and prelocking
--echo #
--disable_warnings
drop table if exists t1;
drop function if exists f1;
--enable_warnings
create table t1 (a int);
delimiter |;
create function f1() returns int
begin
  insert into t1 (a) values (1);
  return 0;
end|
delimiter ;|
--disable_result_log
show open tables where f1()=0;
show open tables where f1()=0;
--enable_result_log
drop table t1;
drop function f1;

How to repeat:
create table t1 (a int);
delimiter |;
create function f1() returns int
begin
  insert into t1 (a) values (1);
  return 0;
end|
delimiter ;|
--disable_result_log
show open tables where f1()=0;
show open tables where f1()=0;
--enable_result_log
drop table t1;
drop function f1;
[30 Jan 2008 15:18] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41437

ChangeSet@1.2664, 2008-01-30 18:18:09+03:00, kostja@dipika.(none) +12 -0
  A fix and a test case for Bug#34166 Server crash in SHOW OPEN TABLES and
  pre-locking.
  
  The crash was caused by an implicit assumption in check_table_access() that
  table_list parameter is always a part of lex->query_tables.
  
  When iterating over the passed list of tables, check_table_access() used
  to stop only when lex->query_tables_last_not_own was reached. 
  In case of pre-locking, lex->query_tables_last_own is not NULL and points
  to some element of lex->query_tables. When the parameter
  of check_table_access() was not part of lex->query_tables, loop invariant
  could never be violated and a crash would happen when the current table
  pointer would point beyond the end of the provided list.
  
  The fix is to change the signature of check_table_access() to also accept
  a numeric limit of loop iterations, similarly to check_grant(), and 
  supply this limit in all places when we want to check access of tables
  that are outside lex->query_tables, or just want to check access to one table.
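
The loop-termination problem described in the commit message above, as an added sketch in C that is not MySQL's code and not part of the original comment. The struct, the function names and the sample lists are assumptions made for illustration; the old loop is instrumented to return -1 at the point where the real one would run past the end of the list.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for one table-list element (not MySQL's TABLE_LIST). */
struct table_ref { const char *name; struct table_ref *next; };

/* Old loop shape: stops only at `sentinel`. Returns tables visited, or -1
 * where the real loop would step past the end of the list (instrumented
 * so this demo reports the condition rather than crashing). */
static int visit_until_sentinel(const struct table_ref *t,
                                const struct table_ref *sentinel)
{
    int visited = 0;
    for (; t != sentinel; t = t->next) {
        if (t == NULL)
            return -1;      /* sentinel is not reachable from this list */
        visited++;          /* the per-table access check would run here */
    }
    return visited;
}

/* Fixed loop shape: same sentinel test plus a caller-supplied limit. */
static int visit_bounded(const struct table_ref *t,
                         const struct table_ref *sentinel, unsigned limit)
{
    int visited = 0;
    for (unsigned i = 0; i < limit && t != sentinel; i++, t = t->next)
        visited++;
    return visited;
}

/* Constructed data: q1 -> q2 -> p1 models lex->query_tables, p1 being the
 * first pre-locking element; s1 is a separate one-element list. */
static struct table_ref p1 = {"p1", NULL};
static struct table_ref q2 = {"q2", &p1};
static struct table_ref q1 = {"q1", &q2};
static struct table_ref s1 = {"s1", NULL};

int main(void)
{
    printf("old loop, list inside query_tables:   %d\n", visit_until_sentinel(&q1, &p1));
    printf("old loop, list outside query_tables:  %d\n", visit_until_sentinel(&s1, &p1));
    printf("bounded,  list outside, limit 1:      %d\n", visit_bounded(&s1, &p1, 1));
    printf("bounded,  list inside, limit UINT_MAX: %d\n", visit_bounded(&q1, &p1, UINT_MAX));
    return 0;
}
```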
[30 Jan 2008 20:10] Konstantin Osipov
Queued in 5.1-runtime
[11 Feb 2008 16:24] Bugs System
Pushed into 5.1.24-rc
[11 Feb 2008 16:26] Bugs System
Pushed into 6.0.5-alpha
[11 Feb 2008 20:45] Paul DuBois
Noted in 5.1.24, 6.0.5 changelogs.

Use of stored functions in the WHERE clause for SHOW OPEN TABLES
caused a server crash.
[6 Mar 2008 16:03] Jon Stephens
Also documented for 5.1.23-ndb-6.2.14.
[2 Apr 2008 18:05] Jon Stephens
Fix also noted in the 5.1.23-ndb-6.3.11 changelog.