Bug #16001 Supplying an invalid partitioning function can crash the server
Submitted: 27 Dec 2005 5:45 Modified: 2 Nov 2007 15:37
Reporter: Sergey Petrunya
Status: Closed
Category: MySQL Server: Partitions Severity: S3 (Non-critical)
Version: 5.1-bk OS: Any
Assigned to: Reggie Burnett CPU Architecture: Any

[27 Dec 2005 5:45] Sergey Petrunya
Description:
Running a CREATE TABLE statement with an incorrect partitioning function may
crash the server.

(But the .frm file still gets written, so after the server has restarted after the
crash, it will crash again as soon as someone with a command-line client tries to
use that database.)

How to repeat:
Run this:

create table u10 (a char(10)) partition by HASH(1+(SELECT MAX(a) from u10)) partitions 2;

And get this:

  Program received signal SIGSEGV, Segmentation fault.
  0x08251eff in setup_table_map (table=0x0, table_list=0x921fe38, tablenr=0) at mysql_priv.h:1610
(gdb) print table
  $8 = (TABLE *) 0x0
(gdb) where
  0x08251eff in setup_table_map (table=0x0, table_list=0x921fe38, tablenr=0) at mysql_priv.h:1610
(gdb) up
  #1  0x0824f5fb in setup_tables (thd=0x91fc270, context=0x921f830, from_clause=0x921f8d4, tables=0x921fe38, conds=0x923ed1c, leaves=0x921f8e8, select_insert=false) at sql_base.cc:5155
(gdb) up
  #2  0x0825a904 in JOIN::prepare (this=0x923df70, rref_pointer_array=0x921f920, tables_init=0x921fe38, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x921f800, unit_arg=0x921fa50) at sql_select.cc:339
(gdb) up
  #3  0x081c86e2 in subselect_single_select_engine::prepare (this=0x9220068) at item_subselect.cc:1466
(gdb) down
  #2  0x0825a904 in JOIN::prepare (this=0x923df70, rref_pointer_array=0x921f920, tables_init=0x921fe38, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x921f800, unit_arg=0x921fa50) at sql_select.cc:339
(gdb) down
  #1  0x0824f5fb in setup_tables (thd=0x91fc270, context=0x921f830, from_clause=0x921f8d4, tables=0x921fe38, conds=0x923ed1c, leaves=0x921f8e8, select_insert=false) at sql_base.cc:5155
(gdb) down
  #0  0x08251eff in setup_table_map (table=0x0, table_list=0x921fe38, tablenr=0) at mysql_priv.h:1610
(gdb) where
  #0  0x08251eff in setup_table_map (table=0x0, table_list=0x921fe38, tablenr=0) at mysql_priv.h:1610
  #1  0x0824f5fb in setup_tables (thd=0x91fc270, context=0x921f830, from_clause=0x921f8d4, tables=0x921fe38, conds=0x923ed1c, leaves=0x921f8e8, select_insert=false) at sql_base.cc:5155
  #2  0x0825a904 in JOIN::prepare (this=0x923df70, rref_pointer_array=0x921f920, tables_init=0x921fe38, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x921f800, unit_arg=0x921fa50) at sql_select.cc:339
  #3  0x081c86e2 in subselect_single_select_engine::prepare (this=0x9220068) at item_subselect.cc:1466
  #4  0x081c4af3 in Item_subselect::fix_fields (this=0x921ffe0, thd_param=0x91fc270, ref=0x92200d4) at item_subselect.cc:145
  #5  0x08187bb2 in Item_func::fix_fields (this=0x9220088, thd=0x91fc270, ref=0x0) at item_func.cc:163
  #6  0x0815ff74 in fix_fields_part_func (thd=0x91fc270, tables=0xb557a5a0, func_expr=0x9220088, part_info=0x921f6c8, sub_part=false) at sql_partition.cc:1288
  #7  0x08160afa in fix_partition_func (thd=0x91fc270, name=0xb557b270 "./pprune2/u10", table=0xb557ac60) at sql_partition.cc:1758
  #8  0x082557e1 in open_table_from_share (thd=0x91fc270, share=0xb557a820, alias=0x871c78c "", db_stat=0, prgflag=1, ha_open_flags=0, outparam=0xb557ac60) at table.cc:1352
  #9  0x082ec551 in ha_create_table (thd=0x91fc270, path=0xb557b270 "./pprune2/u10", db=0x91e41c0 "pprune2", table_name=0x92229c0 "u10", create_info=0x91fc808, update_create_info=false) at handler.cc:2135
  #10 0x082c632b in rea_create_table (thd=0x91fc270, path=0xb557b270 "./pprune2/u10", db=0x91e41c0 "pprune2", table_name=0x92229c0 "u10", create_info=0x91fc808, create_fields=@0x91fc72c, keys=0, key_info=0x9223b58, file=0x92237e8) at unireg.cc:321
  #11 0x082fe45f in mysql_create_table (thd=0x91fc270, db=0x91e41c0 "pprune2", table_name=0x92229c0 "u10", create_info=0x91fc808, fields=@0x91fc72c, keys=@0x91fc720, internal_tmp_table=false, select_field_count=0) at sql_table.cc:1897
  #12 0x0821c9a0 in mysql_execute_command (thd=0x91fc270) at sql_parse.cc:2880
  #13 0x08224987 in mysql_parse (thd=0x91fc270, inBuf=0x9222928 "create table u10 (a char(10)) partition by HASH(1+(SELECT MAX(a) from u10)) partitions 2", length=88) at sql_parse.cc:5635
  #14 0x08219b27 in dispatch_command (command=COM_QUERY, thd=0x91fc270, packet=0x921a8c9 "create table u10 (a char(10)) partition by HASH(1+(SELECT MAX(a) from u10)) partitions 2", packet_length=89) at sql_parse.cc:1708
  #15 0x08219314 in do_command (thd=0x91fc270) at sql_parse.cc:1509
  #16 0x08218379 in handle_one_connection (arg=0x91fc270) at sql_parse.cc:1152
  #17 0xb7e4c13d in pthread_start_thread () from /lib/libpthread.so.0
  #18 0xb7e4c2e2 in pthread_start_thread_event () from /lib/libpthread.so.0
  #19 0xb7d7da7a in clone () from /lib/libc.so.6
(gdb) 

Suggested fix:
I'd like to see a definition of what expressions are allowed as partitioning
functions, including edge cases like UDF calls, SP calls etc etc.
[27 Dec 2005 12:59] Aleksey Kishkin
Tested against 5.1.5-alpha.
[17 Feb 2006 17:44] Peter Gulutzan
Looks like bug#14356, which also has a SELECT in a partition function.
[13 Mar 2006 18:31] Reggie Burnett
This and all other bugs related to allowing expressions as partition functions are being closed as "won't fix" and replaced with Bug #18198 "Expressions are allowed as partition functions".
[2 Nov 2007 15:37] Mattias Jonsson
Closing. After the patch for bug#18198, this is not allowed and the crash does not occur.
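The following SQL is an added illustration of the outcome described in this thread; it is not part of the original bug report or of the MySQL test suite. It assumes a MySQL server that already carries the fix for bug#18198 (5.1.x or later), a database named pprune2 matching the path "./pprune2/u10" in the backtrace, and no pre-existing table u10. It shows the statement from the report being rejected instead of crashing the server, the restriction on what may appear in a partitioning expression, the KEY-partitioned form a practitioner would use for a CHAR column instead, and a check of the resulting definition.

```sql
-- Added example, not from the original bug report.
-- Assumes: server with the fix for bug#18198, database pprune2 exists, no table u10.
USE pprune2;

-- The statement from the report. Before the fix, resolving the subquery hit a
-- NULL TABLE pointer in setup_table_map() (the table being created does not
-- exist yet), and the .frm left behind re-triggered the crash on later access.
-- After the fix the server rejects the statement with an error instead of crashing.
CREATE TABLE u10 (a CHAR(10))
  PARTITION BY HASH(1 + (SELECT MAX(a) FROM u10)) PARTITIONS 2;

-- Subqueries, UDF calls and stored-function calls are all refused in a
-- partitioning expression: only integer arithmetic and a fixed set of
-- deterministic built-ins (for example ABS, FLOOR, MOD, YEAR, TO_DAYS,
-- UNIX_TIMESTAMP) over the table's own columns are permitted.

-- The accepted way to hash-distribute a CHAR column: KEY partitioning uses the
-- server's internal hash and takes no user expression at all.
CREATE TABLE u10 (a CHAR(10))
  PARTITION BY KEY(a) PARTITIONS 2;

-- Check that the table now exists and that its partitioning is what was written.
SELECT PARTITION_NAME, PARTITION_METHOD, PARTITION_EXPRESSION
  FROM INFORMATION_SCHEMA.PARTITIONS
 WHERE TABLE_SCHEMA = 'pprune2' AND TABLE_NAME = 'u10';
```

Run the first CREATE TABLE on its own to observe the rejection, then the second; the INFORMATION_SCHEMA query should list two partitions with PARTITION_METHOD = 'KEY' for u10. If a server predating the fix is ever driven into the original crash, remove the orphaned u10.frm from the database directory before clients touch that schema again, since the report notes the stored definition reproduces the crash on every subsequent use.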