Bug #47788 Crash in TABLE_LIST::hide_view_error on UPDATE IGNORE + VIEW + SP + ALTER
Submitted: 2 Oct 2009 10:43
Modified: 12 Mar 2010 17:18
Reporter: Philip Stoev
Status: Closed
Category: MySQL Server
Severity: S3 (Non-critical)
Version: 5.1, 6.0
OS: Any
Assigned to: Georgi Kodinov
CPU Architecture: Any

[2 Oct 2009 10:43] Philip Stoev
Description:
The following sequence of statements, which contains
- non-updateable view
- UPDATE on the non-updateable view inside an SP
- merge tables

causes mysqld to crash as follows:

#6  0x000000315a42bec9 in __assert_fail () from /lib64/libc.so.6
#7  0x00000000006e7c85 in TABLE_LIST::hide_view_error (this=0x2a05d60, thd=0x290f8c8) at table.cc:3478
#8  0x0000000000594757 in view_error_processor (thd=0x290f8c8, data=0x2a05d60) at item.cc:7863
#9  0x00000000005a5a06 in Name_resolution_context::process_error (this=0x2a23d10, thd=0x290f8c8) at item.h:335
#10 0x000000000059e97e in Item_field::fix_fields (this=0x2a072d0, thd=0x290f8c8, reference=0x2a073e0) at item.cc:4673
#11 0x00000000006d59b9 in setup_fields (thd=0x290f8c8, ref_pointer_array=0x2a24b18, fields=@0x2a23dc8, mark_used_columns=MARK_COLUMNS_READ,
    sum_func_list=0x2a2eff8, allow_sum_func=true) at sql_base.cc:7254
#12 0x00000000007241f7 in JOIN::prepare (this=0x2a29440, rref_pointer_array=0x2a23ea8, tables_init=0x2a074a0, wild_num=0, conds_init=0x2a24858, og_num=0,
    order_init=0x0, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x2a23cc0, unit_arg=0x2a23630) at sql_select.cc:535
#13 0x000000000085a62d in st_select_lex_unit::prepare (this=0x2a23630, thd_arg=0x290f8c8, sel_result=0x29dfe68, additional_options=0) at sql_union.cc:287
#14 0x000000000085b815 in mysql_derived_prepare (thd=0x290f8c8, lex=0x29a4638, orig_table_list=0x2a05d60) at sql_derived.cc:151
#15 0x000000000085b424 in mysql_handle_derived (lex=0x29a4638, processor=0x85b6ee <mysql_derived_prepare(THD*, LEX*, TABLE_LIST*)>) at sql_derived.cc:56
#16 0x000000000074e7ec in mysql_update (thd=0x290f8c8, table_list=0x2a05d60, fields=@0x29a4e70, values=@0x29a5280, conds=0x2a062f8, order_num=0, order=0x0,
    limit=0, handle_duplicates=DUP_ERROR, ignore=true, found_return=0x7f2afe6a0a60, updated_return=0x7f2afe6a0a58) at sql_update.cc:235
#17 0x0000000000686332 in mysql_execute_command (thd=0x290f8c8) at sql_parse.cc:3118
#18 0x000000000087368b in sp_instr_stmt::exec_core (this=0x29a5cd0, thd=0x290f8c8, nextp=0x7f2afe6a10f8) at sp_head.cc:2921
#19 0x00000000008738bb in sp_lex_keeper::reset_lex_and_exec_core (this=0x29a5d10, thd=0x290f8c8, nextp=0x7f2afe6a10f8, open_tables=false, instr=0x29a5cd0)
    at sp_head.cc:2746
#20 0x0000000000879a88 in sp_instr_stmt::execute (this=0x29a5cd0, thd=0x290f8c8, nextp=0x7f2afe6a10f8) at sp_head.cc:2859
#21 0x0000000000875b69 in sp_head::execute (this=0x29e5c60, thd=0x290f8c8) at sp_head.cc:1243
#22 0x00000000008769be in sp_head::execute_procedure (this=0x29e5c60, thd=0x290f8c8, args=0x2911de0) at sp_head.cc:1983
#23 0x000000000068a6f0 in mysql_execute_command (thd=0x290f8c8) at sql_parse.cc:4430
#24 0x000000000068c396 in mysql_parse (thd=0x290f8c8, inBuf=0x296a8a0 "CALL testdb_A . p1_2_A", length=22, found_semicolon=0x7f2afe6a2f00)
    at sql_parse.cc:5991
#25 0x000000000068cfcf in dispatch_command (command=COM_QUERY, thd=0x290f8c8, packet=0x295aa89 "", packet_length=22) at sql_parse.cc:1074
#26 0x000000000068e4be in do_command (thd=0x290f8c8) at sql_parse.cc:756
#27 0x000000000067b048 in handle_one_connection (arg=0x290f8c8) at sql_connect.cc:1164
#28 0x000000315b0073da in start_thread () from /lib64/libpthread.so.0
#29 0x000000315a4e627d in clone () from /lib64/libc.so.6

How to repeat:
--disable_abort_on_error
CREATE DATABASE IF NOT EXISTS testdb_A;
USE testdb_A;
CREATE TABLE `table0_int_autoinc` ( `int` int, pk integer auto_increment, `int_key` int,        primary key (pk), key (`int_key` ));
CREATE TABLE `table1_int_autoinc` ( `int` int, pk integer auto_increment, `int_key` int,        primary key (pk), key (`int_key` ));
CREATE TABLE IF NOT EXISTS testdb_A . t1_base_1_A  LIKE testdb_A . table1_int_autoinc;
CREATE ALGORITHM = TEMPTABLE VIEW testdb_A . t1_view_1_A  AS SELECT   * FROM testdb_A . t1_base_1_A;
DELIMITER |;
CREATE PROCEDURE testdb_A . p1_2_A  () BEGIN UPDATE IGNORE testdb_A . t1_view_1_A SET `int_key` = 7 ; END|
DELIMITER ;|
CREATE TABLE IF NOT EXISTS testdb_A . t1_base_1_A LIKE testdb_A . table1_int_autoinc ;
CREATE TABLE IF NOT EXISTS testdb_A . t1_base_2_A LIKE testdb_A . table1_int_autoinc ;
CREATE TABLE IF NOT EXISTS testdb_A . t1_merge_1_A LIKE testdb_A . table1_int_autoinc ;
ALTER TABLE testdb_A . t1_merge_1_A ENGINE = MERGE UNION ( testdb_A . t1_base_1_A , testdb_A . t1_base_2_A );
CALL testdb_A . p1_2_A;
ALTER TABLE testdb_A . t1_base_1_A  CHANGE COLUMN `int_key` my_column INT;
CALL testdb_A . p1_2_A;
[19 Oct 2009 13:55] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/87341

3170 Georgi Kodinov	2009-10-19
      Bug #47788: Crash in TABLE_LIST::hide_view_error on 
        UPDATE + VIEW + SP + MERGE + ALTER
      
      When cleaning up the stored procedure's internal 
      structures the flag to ignore the errors for 
      INSERT/UPDATE IGNORE was not cleaned up.
      As a result error ignoring was on during name 
      resolution. And this is an abnormal situation: the
      SELECT_LEX flag can be on only during query execution.
      
      Fixed by correctly cleaning up the SELECT_LEX flag 
      when reusing the SELECT_LEX in a second execution.
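
The failure mode the commit message above describes, as a simplified model added here (not MySQL source and not part of the patch): a flag meant to be on only during execution stays set on a structure that the next CALL reuses. All type and function names are hypothetical, and the idea that the view error handler expects a recorded error is this model's assumption, not something the page states.

```cpp
#include <cstdio>

// Simplified model with hypothetical names; this is not MySQL source code.
struct SelectCtx {             // stands in for the SELECT_LEX reused across CALLs
    bool no_error = false;     // "ignore errors" flag, meant to be on only while executing
};

struct Session {               // stands in for the per-connection error state
    bool has_error = false;
    void raise(const SelectCtx &ctx) {
        if (ctx.no_error) return;   // IGNORE active: the error is swallowed
        has_error = true;
    }
};

enum class Outcome { Ok, ErrorReported, InvariantBroken };

// Name resolution. On an unknown column an error is raised, and the handler
// that rewrites view errors assumes (in this model) that one was recorded.
Outcome resolve_names(Session &s, const SelectCtx &ctx, bool column_exists) {
    if (column_exists) return Outcome::Ok;
    s.raise(ctx);
    return s.has_error ? Outcome::ErrorReported : Outcome::InvariantBroken;
}

Outcome update_ignore(Session &s, SelectCtx &ctx, bool column_exists, bool fixed) {
    s.has_error = false;
    if (fixed) ctx.no_error = false;    // the fix: reset the flag on reuse
    Outcome o = resolve_names(s, ctx, column_exists);
    if (o != Outcome::Ok) return o;
    ctx.no_error = true;                // execution phase of UPDATE IGNORE
    return Outcome::Ok;                 // cleanup leaves ctx.no_error as it was
}

// First CALL, then a column rename (ALTER), then a second CALL on the same ctx.
Outcome run_scenario(bool fixed) {
    Session s;
    SelectCtx ctx;
    update_ignore(s, ctx, /*column_exists=*/true, fixed);
    return update_ignore(s, ctx, /*column_exists=*/false, fixed);
}

int main() {
    std::printf("without reset: %d\n", static_cast<int>(run_scenario(false)));
    std::printf("with reset:    %d\n", static_cast<int>(run_scenario(true)));
    return 0;
}
```

Without the reset, the second CALL reaches name resolution with error ignoring still on and the model's invariant breaks; with the reset, the unknown column is reported as an ordinary error.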
[20 Oct 2009 11:40] Georgi Kodinov
Bug #47949 marked as a duplicate of this one.
[26 Oct 2009 10:03] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/88126

3198 Georgi Kodinov	2009-10-19
      Bug #47788: Crash in TABLE_LIST::hide_view_error on 
        UPDATE + VIEW + SP + MERGE + ALTER
      
      When cleaning up the stored procedure's internal 
      structures the flag to ignore the errors for 
      INSERT/UPDATE IGNORE was not cleaned up.
      As a result error ignoring was on during name 
      resolution. And this is an abnormal situation: the
      SELECT_LEX flag can be on only during query execution.
      
      Fixed by correctly cleaning up the SELECT_LEX flag 
      when reusing the SELECT_LEX in a second execution.
[4 Nov 2009 9:25] Bugs System
Pushed into 5.1.41 (revid:joro@sun.com-20091104092152-qz96bzlf2o1japwc) (version source revid:kristofer.pettersson@sun.com-20091103162305-08l4gkeuif2ozsoj) (merge vers: 5.1.41) (pib:13)
[11 Nov 2009 6:47] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091110093407-rw5g8dys2baqkt67) (version source revid:alik@sun.com-20091109080109-7dxapd5y5pxlu08w) (merge vers: 6.0.14-alpha) (pib:13)
[11 Nov 2009 6:59] Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091109115615-nuohp02h8mdrz8m2) (version source revid:alik@sun.com-20091105092041-sp6eyod7sdlfuj3b) (merge vers: 5.5.0-beta) (pib:13)
[11 Nov 2009 16:11] Paul DuBois
Noted in 5.1.41, 5.5.0, 6.0.14 changelogs.

During cleanup of a stored procedure's internal structures, the flag
to ignore the errors for INSERT IGNORE or UPDATE IGNORE was not 
cleaned up, which could result in a server crash.
[7 Dec 2009 16:43] Paul DuBois
Noted in 5.1.40sp1 changelog.
[8 Dec 2009 9:30] Bugs System
Pushed into 5.1.43 (revid:build@mysql.com-20091208092611-pbno5awyb0v38hs7) (version source revid:build@mysql.com-20091208092611-pbno5awyb0v38hs7) (merge vers: 5.1.43) (pib:13)
[16 Dec 2009 8:38] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091216083311-xorsasf5kopjxshf) (version source revid:alik@sun.com-20091215065750-5m04ogppd5l0pol5) (merge vers: 6.0.14-alpha) (pib:14)
[16 Dec 2009 8:45] Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091216082430-s0gtzibcgkv4pqul) (version source revid:alik@sun.com-20091211070127-kl8uvlrv9cr11kva) (merge vers: 5.5.0-beta) (pib:14)
[16 Dec 2009 8:51] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20091216083231-rp8ecpnvkkbhtb27) (version source revid:alik@sun.com-20091212203859-fx4rx5uab47wwuzd) (merge vers: 5.6.0-beta) (pib:14)
[18 Dec 2009 10:30] Bugs System
Pushed into 5.1.41-ndb-7.1.0 (revid:jonas@mysql.com-20091218102229-64tk47xonu3dv6r6) (version source revid:jonas@mysql.com-20091218095730-26gwjidfsdw45dto) (merge vers: 5.1.41-ndb-7.1.0) (pib:15)
[18 Dec 2009 10:46] Bugs System
Pushed into 5.1.41-ndb-6.2.19 (revid:jonas@mysql.com-20091218100224-vtzr0fahhsuhjsmt) (version source revid:jonas@mysql.com-20091217101452-qwzyaig50w74xmye) (merge vers: 5.1.41-ndb-6.2.19) (pib:15)
[18 Dec 2009 11:02] Bugs System
Pushed into 5.1.41-ndb-6.3.31 (revid:jonas@mysql.com-20091218100616-75d9tek96o6ob6k0) (version source revid:jonas@mysql.com-20091217154335-290no45qdins5bwo) (merge vers: 5.1.41-ndb-6.3.31) (pib:15)
[18 Dec 2009 11:16] Bugs System
Pushed into 5.1.41-ndb-7.0.11 (revid:jonas@mysql.com-20091218101303-ga32mrnr15jsa606) (version source revid:jonas@mysql.com-20091218064304-ezreonykd9f4kelk) (merge vers: 5.1.41-ndb-7.0.11) (pib:15)
[12 Mar 2010 14:11] Bugs System
Pushed into 5.1.44-ndb-7.0.14 (revid:jonas@mysql.com-20100312135944-t0z8s1da2orvl66x) (version source revid:jonas@mysql.com-20100312115609-woou0te4a6s4ae9y) (merge vers: 5.1.44-ndb-7.0.14) (pib:16)
[12 Mar 2010 14:27] Bugs System
Pushed into 5.1.44-ndb-6.2.19 (revid:jonas@mysql.com-20100312134846-tuqhd9w3tv4xgl3d) (version source revid:jonas@mysql.com-20100312060623-mx6407w2vx76h3by) (merge vers: 5.1.44-ndb-6.2.19) (pib:16)
[12 Mar 2010 14:42] Bugs System
Pushed into 5.1.44-ndb-6.3.33 (revid:jonas@mysql.com-20100312135724-xcw8vw2lu3mijrhn) (version source revid:jonas@mysql.com-20100312103652-snkltsd197l7q2yg) (merge vers: 5.1.44-ndb-6.3.33) (pib:16)