Bug #18113 | SELECT * FROM information_schema.xxx crashes server | | |
---|---|---|---|
Submitted: | 9 Mar 2006 19:46 | Modified: | 20 Mar 2006 19:55 |
Reporter: | Markus Popp | Status: | Closed |
Category: | MySQL Server | Severity: | S1 (Critical) |
Version: | 5.0.19/5.0.20 BK | OS: | Windows (Windows, Linux) |
Assigned to: | Sergei Glukhov | CPU Architecture: | Any |
[9 Mar 2006 19:46]
Markus Popp
[9 Mar 2006 20:48]
Markus Popp
Another important piece of information: I issued the command from a non administrator user (the user has privileges for all databases except mysql).
[9 Mar 2006 23:17]
MySQL Verification Team
Thank you for the bug report. I was unable to repeat with current Windows source server. Which package release did you install, since our download page still has 5.0.18?

```
c:\mysql\bin>mysql -uroot
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.20-nt-max

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> SELECT * FROM information_schema.TABLES\G
*************************** 1. row ***************************
TABLE_CATALOG: NULL
TABLE_SCHEMA: information_schema
TABLE_NAME: CHARACTER_SETS
TABLE_TYPE: SYSTEM VIEW
ENGINE: MEMORY
VERSION: 0
ROW_FORMAT: Fixed
TABLE_ROWS: NULL
AVG_ROW_LENGTH: 576
DATA_LENGTH: 0
MAX_DATA_LENGTH: 16661376
INDEX_LENGTH: 0
DATA_FREE: 0
AUTO_INCREMENT: NULL
CREATE_TIME: NULL
UPDATE_TIME: NULL
CHECK_TIME: NULL
TABLE_COLLATION: utf8_general_ci
CHECKSUM: NULL
CREATE_OPTIONS: max_rows=29127
TABLE_COMMENT:
*************************** 2. row ***************************
<cut>
*************************** 35. row ***************************
TABLE_CATALOG: NULL
TABLE_SCHEMA: test
TABLE_NAME: tb5
TABLE_TYPE: BASE TABLE
ENGINE: MyISAM
VERSION: 10
ROW_FORMAT: Fixed
TABLE_ROWS: 2
AVG_ROW_LENGTH: 8
DATA_LENGTH: 16
MAX_DATA_LENGTH: 2251799813685247
INDEX_LENGTH: 2048
DATA_FREE: 0
AUTO_INCREMENT: 3
CREATE_TIME: 2006-03-08 16:15:02
UPDATE_TIME: 2006-03-08 16:16:54
CHECK_TIME: NULL
TABLE_COLLATION: latin1_swedish_ci
CHECKSUM: NULL
CREATE_OPTIONS:
TABLE_COMMENT:
35 rows in set (0.03 sec)

mysql>
```
[9 Mar 2006 23:22]
Markus Popp
I downloaded MySQL from here: http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.19-win32.zip/from/pick

Have you tried the test case provided in bug report 15072 (including the data that I provided)? That bug (which occurred in 5.0.16 and was fixed soon) looks very identical to me - maybe it's the same issue again.
[10 Mar 2006 16:15]
Andrey Hristov
I reproduce it with (5.1.8-beta):

```
select * from information_schema.tables;

[Switching to Thread 1112632240 (LWP 23700)]
0x08222341 in setup_table_map (table=0x0, table_list=0x9188c78, tablenr=0) at mysql_priv.h:1718
/work/mysql-5.1-bug18078/sql/mysql_priv.h:1718:69260:beg:0x8222341
(gdb) bt
#0 0x08222341 in setup_table_map (table=0x0, table_list=0x9188c78, tablenr=0) at mysql_priv.h:1718
#1 0x0821f5b9 in setup_tables (thd=0x9116a98, context=0x917a850, from_clause=0x917a8f8, tables=0x9188c78, conds=0x9187644, leaves=0x917a90c, select_insert=false) at sql_base.cc:5198
#2 0x0822b622 in JOIN::prepare (this=0x9186898, rref_pointer_array=0x917a944, tables_init=0x9188c78, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x917a820, unit_arg=0x9188890) at sql_select.cc:339
#3 0x0819369f in subselect_single_select_engine::prepare (this=0x9188b38) at item_subselect.cc:1466
#4 0x0818fa9f in Item_subselect::fix_fields (this=0x9188ac0, thd_param=0x9116a98, ref=0x9188ba4) at item_subselect.cc:145
#5 0x08152b32 in Item_func::fix_fields (this=0x9188b58, thd=0x9116a98, ref=0x0) at item_func.cc:163
#6 0x08126a2c in fix_fields_part_func (thd=0x9116a98, tables=0x425147e0, func_expr=0x9188b58, part_info=0x917a718, is_sub_part=false) at sql_partition.cc:1221
#7 0x081279b5 in fix_partition_func (thd=0x9116a98, name=0x91816c0 "./test/t12", table=0x914c580, is_create_table_ind=false) at sql_partition.cc:1822
#8 0x08225f3f in open_table_from_share (thd=0x9116a98, share=0x9181480, alias=0x91b00a0 "t12", db_stat=39, prgflag=44, ha_open_flags=0, outparam=0x914c580, is_create_table=false) at table.cc:1488
#9 0x0821a624 in open_unireg_entry (thd=0x9116a98, entry=0x914c580, table_list=0x91b00a8, alias=0x91b00a0 "t12", cache_key=0x42515230 "test", cache_key_length=9, mem_root=0x42515310) at sql_base.cc:2520
#10 0x08218e40 in open_table (thd=0x9116a98, table_list=0x91b00a8, mem_root=0x42515310, refresh=0x4251533b, flags=2) at sql_base.cc:1956
#11 0x0821adb1 in open_tables (thd=0x9116a98, start=0x42515394, counter=0x42515384, flags=2) at sql_base.cc:2775
#12 0x0821b6ef in open_normal_and_derived_tables (thd=0x9116a98, tables=0x91b00a8, flags=2) at sql_base.cc:3107
#13 0x082ec2a0 in get_all_tables (thd=0x9116a98, tables=0x912ed40, cond=0x0) at sql_show.cc:2441
#14 0x082f5a7e in get_schema_tables_result (join=0x912fc60) at sql_show.cc:4670
#15 0x0822ee80 in JOIN::exec (this=0x912fc60) at sql_select.cc:1350
#16 0x082309ed in mysql_select (thd=0x9116a98, rref_pointer_array=0x9116e38, tables=0x912ed40, wild_num=1, fields=@0x9116d9c, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2684635648, result=0x912fc50, unit=0x9116ae8, select_lex=0x9116d14) at sql_select.cc:1933
#17 0x0822b3ae in handle_select (thd=0x9116a98, lex=0x9116ad8, result=0x912fc50, setup_tables_done_option=0) at sql_select.cc:238
#18 0x081e8ddc in mysql_execute_command (thd=0x9116a98) at sql_parse.cc:2513
#19 0x081f2534 in mysql_parse (thd=0x9116a98, inBuf=0x912ec10 "select * from information_schema.tables", length=39) at sql_parse.cc:5777
#20 0x081e6d11 in dispatch_command (command=COM_QUERY, thd=0x9116a98, packet=0x9107e19 "select * from information_schema.tables", packet_length=40) at sql_parse.cc:1740
#21 0x081e64d5 in do_command (thd=0x9116a98) at sql_parse.cc:1536
#22 0x081e5534 in handle_one_connection (arg=0x9116a98) at sql_parse.cc:1178
#23 0x40173aa7 in start_thread () from /lib/tls/libpthread.so.0
#24 0x402a4c2e in clone () from /lib/tls/libc.so.6
```
[10 Mar 2006 16:26]
MySQL Verification Team
I downloaded the 5.0.19 server and still had no luck repeating the crash; as you suggested, I also tested 15072 again, without being able to repeat it either. So I would like to know if you can provide the dump files, as you did with bug 15072, so I can try again on my side. Thanks in advance.
[10 Mar 2006 20:22]
Markus Popp
I was able to reproduce the bug with the my.ini file and the dump_mysql.sql and dump.sql, as provided in bug report 15072:

```
C:\mysql\bin>mysql -u root mysql < C:\dump_mysql.sql
C:\mysql\bin>mysqladmin -u root flush-privileges
C:\mysql\bin>mysql -u mpopp < C:\dump.sql
C:\mysql\bin>mysql -u mpopp
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 5.0.19-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> SELECT * FROM information_schema.TABLES;
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
```
[13 Mar 2006 0:15]
Markus Popp
I also found this bug on Linux (SuSE Linux 10):

```
mpopp@linux:~> mysql
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 5.0.19-max

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select * from information_schema.tables;
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
```
[13 Mar 2006 9:42]
Andrey Hristov
Hi Markus, do you use the same datadir with 5.0.19 as you used with 5.1.7 during your last testing? If you have experimented with Partitioning, it makes changes to the FRM files and it's quite possible that 5.0 is not forward compatible with these changes.
[13 Mar 2006 12:43]
MySQL Verification Team
I was able to repeat with a fresh install of 5.0.19. I will test with latest source on Windows and Linux:

```
Microsoft Windows XP [versão 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

c:\mysql\bin>mysql -u root mysql < C:\markus\dump_mysql.sql
c:\mysql\bin>mysqladmin -u root flush-privileges
c:\mysql\bin>mysql -u root mysql < C:\markus\dump.sql
c:\mysql\bin>mysql -u mpopp
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 5.0.19-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> SELECT * FROM information_schema.TABLES;
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
```
[13 Mar 2006 12:55]
Markus Popp
They use different directories:

```
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 13 to server version: 5.0.19-nt-max

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> SHOW VARIABLES LIKE '%dir';
+---------------------------+--------------------------+
| Variable_name             | Value                    |
+---------------------------+--------------------------+
| basedir                   | D:\mysql\                |
| bdb_logdir                |                          |
| bdb_tmpdir                | C:\WINDOWS\TEMP\         |
| character_sets_dir        | D:\mysql\share\charsets\ |
| datadir                   | D:\mysql\Data\           |
| innodb_data_home_dir      |                          |
| innodb_log_arch_dir       |                          |
| innodb_log_group_home_dir | .\                       |
| slave_load_tmpdir         | C:\WINDOWS\TEMP\         |
| tmpdir                    |                          |
+---------------------------+--------------------------+
10 rows in set (0.00 sec)
```

```
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3 to server version: 5.1.7-beta-nt-max

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> SHOW VARIABLES LIKE '%dir';
+---------------------------+----------------------------+
| Variable_name             | Value                      |
+---------------------------+----------------------------+
| basedir                   | D:\mysql51\                |
| bdb_logdir                |                            |
| bdb_tmpdir                | C:\WINDOWS\TEMP            |
| character_sets_dir        | D:\mysql51\share\charsets\ |
| datadir                   | D:\mysql51\Data\           |
| innodb_data_home_dir      |                            |
| innodb_log_arch_dir       |                            |
| innodb_log_group_home_dir | .\                         |
| plugin_dir                | D:\mysql51\lib/            |
| slave_load_tmpdir         | C:\WINDOWS\TEMP            |
| tmpdir                    |                            |
+---------------------------+----------------------------+
11 rows in set (0.08 sec)
```
[13 Mar 2006 14:12]
MySQL Verification Team
Thank you for the bug report. I was able to repeat on Linux Suse 10 with current source and I just need to test with 5.1:

```
miguel@hegel:~/dbs/5.0> bin/mysql -u root mysql < /home/miguel/markus/dump_mysql.sql
miguel@hegel:~/dbs/5.0> bin/mysqladmin -u root flush-privileges
miguel@hegel:~/dbs/5.0> bin/mysql -u root mysql < /home/miguel/markus/dump.sql
miguel@hegel:~/dbs/5.0> bin/mysql -u mpopp
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 5.0.20-debug

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> SELECT * FROM information_schema.TABLES;
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
```

```
060313 11:03:55 [Note] /home/miguel/dbs/5.0/libexec/mysqld: ready for connections.
Version: '5.0.20-debug' socket: '/tmp/mysql.sock' port: 3306 Source distribution
[New Thread 1129606064 (LWP 15622)]
[Thread 1129606064 (zombie) exited]
[New Thread 1129606064 (LWP 15625)]
[Thread 1129606064 (zombie) exited]
[New Thread 1129606064 (LWP 15628)]
[Thread 1129606064 (zombie) exited]
[New Thread 1129606064 (LWP 15632)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1129606064 (LWP 15632)]
0x082960f6 in check_grant (thd=0x8e65680, want_access=6306879, tables=0x43544ec8, show_table=1, number=4294967295, no_errors=true) at sql_acl.cc:3566
3566 table->grant.orig_want_privilege= (want_access & ~SHOW_VIEW_ACL);
(gdb)
```
[13 Mar 2006 14:24]
MySQL Verification Team
I was unable to repeat this issue with 5.1 Linux version.
[13 Mar 2006 14:43]
Markus Popp
Same with me. Thank you!
[14 Mar 2006 5:35]
Brian Aker
I see in the history of the bug that the user thought was similar that you were the one who fixed it. What light can you shed on this?
[14 Mar 2006 8:14]
Reggie Burnett
This may be a duplicate of 18139 but I am leaving it open until we know for sure.
[15 Mar 2006 10:46]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/3857
[20 Mar 2006 9:38]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/3962
[20 Mar 2006 9:41]
Sergei Glukhov
Fixed in 5.0.20
[20 Mar 2006 19:55]
Mike Hillyer
Documented in 5.0.20 changelog:

```
<listitem>
  <para>
    A <literal>SELECT *</literal> query on an INFORMATION_SCHEMA table by a user with limited privileges resulted in a server crash. (Bug #18113)
  </para>
</listitem>
```
[10 Jun 2008 12:45]
Aditya Naga Sanjeevi Yellapu
I have the same problem on Linux with MySQL Server version: 5.0.45-log Source distribution

On gdb I get this on crash

```
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1585869936 (LWP 26901)]
0x08340790 in btr_search_guess_on_hash ()
```