Bug #110006 mysql crash when free temporary table
Submitted: 9 Feb 2023 12:04
Modified: 9 Feb 2023 13:45
Reporter: ting du
Status: Unsupported
Category: MySQL Server
Severity: S3 (Non-critical)
Version: 5.7.38
OS: Linux
Assigned to:
CPU Architecture: Any

[9 Feb 2023 12:04] ting du
Description:
When I execute the SQL "SELECT c1 FROM t17 UNION SELECT BIT_XOR(c3) FROM t19 UNION SELECT t11.c3 FROM t11 LEFT OUTER JOIN t16 ON t11.c3;", I got a crash; the stack is:
(gdb) bt 
#0  0x00007f8f9b3a3281 in pthread_kill () from /usr/lib64/libpthread.so.0
#1  0x0000563c4d6d65db in my_write_core (sig=<optimized out>) at ../../../include/my_thread.h:105
#2  0x0000563c4cdaadce in handle_fatal_signal (sig=11) at ../../../sql/signal_handler.cc:241
#3  <signal handler called>
#4  0x00007f8f9ad3b31e in ?? () from /usr/lib64/libc.so.6
#5  0x0000563c4d7105a2 in ha_innobase::delete_table (this=<optimized out>, name=0x7f8f577235a0 "/sda/percona/5.7_dev/tmp/193183/690/tmp/#sql_17f6b_0") at ../../../../storage/innobase/handler/ha_innodb.cc:13817
#6  0x0000563c4ccae83a in free_tmp_table (thd=0x7f8f5da1d800, entry=0x7f8f57722438) at ../../../sql/sql_tmp_table.cc:2434
#7  0x0000563c4ccaea53 in st_select_lex_unit::cleanup (this=0x7f8f5d9fccf0, full=<optimized out>) at ../../../sql/sql_union.cc:942
#8  0x0000563c4cc93ddd in mysql_execute_command (thd=0x7f8f5da1d800, first_level=<optimized out>) at ../../../sql/sql_parse.cc:6231
#9  0x0000563c4cc92d83 in mysql_parse (thd=0x7f8f5da1d800, parser_state=<optimized out>) at ../../../sql/sql_parse.cc:6855
#10 0x0000563c4cc9b35e in dispatch_command (thd=0x7f8f5da1d800, com_data=<optimized out>, command=<optimized out>) at ../../../sql/sql_parse.cc:1825
#11 0x0000563c4cc9a7ce in do_command (thd=thd@entry=0x7f8f5da1d800) at ../../../sql/sql_parse.cc:1074
#12 0x0000563c4cd742f9 in threadpool_process_request (thd=0x7f8f5da1d800) at ../../../../plugin/threadpool/threadpool_common.cc:275
#13 0x0000563c4cd74ed8 in handle_event (connection=0x7f8f5d93f328) at ../../../../plugin/threadpool/threadpool_unix.cc:1916
#14 worker_main (param=param@entry=0x563c4f0a6c00 <all_groups+5632>) at ../../../../plugin/threadpool/threadpool_unix.cc:1975
#15 0x0000563c4d9f4b5b in pfs_spawn_thread (arg=0x7f8f86fe3228) at ../../../../storage/perfschema/pfs.cc:2197
#16 0x00007f8f9b39bf3b in ?? () from /usr/lib64/libpthread.so.0
#17 0x00007f8f9acdc840 in clone () from /usr/lib64/libc.so.6
(gdb) f 5
#5  0x0000563c4d7105a2 in ha_innobase::delete_table (this=<optimized out>, name=0x7f8f577235a0 "/sda/percona/5.7_dev/tmp/193183/690/tmp/#sql_17f6b_0") at ../../../../storage/innobase/handler/ha_innodb.cc:13817
13817	in ../../../../storage/innobase/handler/ha_innodb.cc
(gdb) p table_to_drop->name
$4 = {m_name = 0x0}

And when I restart MySQL, it goes well.

How to repeat:
Table structure:
mysql> show create table t17;
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Table | Create Table                                                                                                                                                                                                              |
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| t17   | CREATE TABLE `t17` (
  `c1` decimal(65,10) DEFAULT NULL,
  `c2` int(1) unsigned DEFAULT NULL,
  `c3` char(254) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL,
  KEY `c3` (`c3`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 |
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> show create table t19;
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Table | Create Table                                                                                                                                                                                                                          |
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| t19   | CREATE TABLE `t19` (
  `c1` double(255,10) unsigned NOT NULL,
  `c2` mediumint(2) DEFAULT NULL,
  `c3` varchar(255) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL,
  PRIMARY KEY (`c1`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 |
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> show create table t11;
+-------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Table | Create Table                                                                                                                                                                                                                               |
+-------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| t11   | CREATE TABLE `t11` (
  `c1` int(11) NOT NULL AUTO_INCREMENT,
  `c2` varbinary(254) DEFAULT NULL,
  `c3` json DEFAULT NULL,
  PRIMARY KEY (`c1`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1
/*!50100 PARTITION BY HASH ((c1))
PARTITIONS 670 */ |
+-------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> show create table t16;
+-------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Table | Create Table                                                                                                                                                                               |
+-------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| t16   | CREATE TABLE `t16` (
  `c2` decimal(1,0) DEFAULT NULL,
  `c3` timestamp(1) NOT NULL DEFAULT CURRENT_TIMESTAMP(1) ON UPDATE CURRENT_TIMESTAMP(1)
) ENGINE=MRG_MyISAM DEFAULT CHARSET=latin1 |
+-------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

[9 Feb 2023 13:45] MySQL Verification Team
Hi Mr. du,

Thank you for your bug report.

We notice that you are not using our product and we support our product.

If you can repeat a problem with our latest binary, then send us a fully repeatable test case and we will check it with our latest binary and change the status of this report.

Unsupported.