Bug #23139 myisamchk and mysqld crash when trying to access table
Submitted: 10 Oct 2006 14:30 Modified: 3 Jan 2007 11:32
Reporter: Shane Bester (Platinum Quality Contributor) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: MyISAM storage engine Severity:S3 (Non-critical)
Version:4.1BK OS:Any (*)
Assigned to: Ingo Strüwing CPU Architecture:Any
Tags: crash myisam myisamchk corrupted

[10 Oct 2006 14:30] Shane Bester
Description:
A particular table crashes when running
myisamchk -dvvvi /path/to/table

Also, accessing it from mysql server, SELECT COUNT(*) from <Table> causes the server to crash.  

00 mysqld_debug!copy_decode_table
01 mysqld_debug!copy_decode_table
02 mysqld_debug!copy_decode_table
03 mysqld_debug!make_quick_table
04 mysqld_debug!make_quick_table
05 mysqld_debug!make_quick_table
06 mysqld_debug!make_quick_table
07 mysqld_debug!make_quick_table
08 mysqld_debug!make_quick_table
09 mysqld_debug!make_quick_table
0a mysqld_debug!make_quick_table
0b mysqld_debug!make_quick_table
0c mysqld_debug!make_quick_table
0d mysqld_debug!read_huff_table
0e mysqld_debug!_mi_read_pack_info
0f mysqld_debug!mi_open
10 mysqld_debug!ha_myisam::open
11 mysqld_debug!handler::ha_open
12 mysqld_debug!openfrm
13 mysqld_debug!open_unireg_entry
14 mysqld_debug!open_table
15 mysqld_debug!open_ltable
16 mysqld_debug!mysql_admin_table
17 mysqld_debug!mysql_check_table
18 mysqld_debug!mysql_execute_command
19 mysqld_debug!mysql_parse
1a mysqld_debug!dispatch_command
1b mysqld_debug!do_command
1c mysqld_debug!handle_one_connection
1d mysqld_debug!pthread_start
1e mysqld_debug!_threadstart
1f KERNEL32!BaseThreadStart+0x52        

How to repeat:
SELECT COUNT(*) FROM <table>

I've uploaded the .frm, .MYI, .MYD files in the private section.

Linux versions also crashed.  See private attachment for all variables
in debug mode.

Suggested fix:
do more error checking on corrupted data in the files. myisamchk in particular shouldn't trust anything, and should check everything.
[12 Oct 2006 19:16] Shane Bester
the table in question is in compressed format, packed.
[24 Oct 2006 20:11] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/14306

ChangeSet@1.2561, 2006-10-24 22:10:53+02:00, istruewing@chilla.local +1 -0
  Bug#23139 - myisamchk and mysqld crash when trying to access table
  
  A corrupted compressed table could crash the server and
  myisamchk.
  
  I added some checks for the pointers in the decode tables.
  This type of corruption will no longer crash the server or
  myisamchk.
  
  No test case. A corrupted compressed table is required.
[31 Oct 2006 17:28] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/14618

ChangeSet@1.2561, 2006-10-31 18:27:45+01:00, istruewing@chilla.local +1 -0
  Bug#23139 - myisamchk and mysqld crash when trying to access table
  
  A corrupted compressed table could crash the server and
  myisamchk.
  
  The data file of an uncompressed table contains just the records.
  There is no header in the data file.
  
  However the data file of a compressed table has a header.
  The header describes how the table was compressed. This
  information is necessary to extract the records from the
  compressed data file.
  
  Part of the compressed data file header are the [de]code tables.
  They are numeric representations of the Huffman trees used for
  coding and decoding. A Huffman tree is a binary tree. Every
  node has two childs. A child can be a terminator or a branch.
  Terminators contain the decoded value. Branches point to another
  tree node.
  
  Since the [de]code table is represented as an array of childs,
  the branches need to point at a child within the same array.
  The corruption of the compressed data file from the bug report
  was a couple of branches that pointed outside their array.
  This condition had not been correctly checked.
  
  I added some checks for the pointers in the decode tables.
  This type of corruption will no longer crash the server or
  myisamchk.
  
  No test case. A corrupted compressed table is required.
[28 Nov 2006 15:06] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/15965

ChangeSet@1.2561, 2006-11-28 15:46:01+01:00, istruewing@chilla.local +1 -0
  Bug#23139 - myisamchk and mysqld crash when trying to access table
  
  A corrupted compressed table could crash the server and
  myisamchk.
  
  The data file of an uncompressed table contains just the records.
  There is no header in the data file.
  
  However the data file of a compressed table has a header.
  The header describes how the table was compressed. This
  information is necessary to extract the records from the
  compressed data file.
  
  Part of the compressed data file header are the [de]code tables.
  They are numeric representations of the Huffman trees used for
  coding and decoding. A Huffman tree is a binary tree. Every
  node has two childs. A child can be a leaf or a branch. Leaves
  contain the decoded value. Branches point to another tree node.
  
  Since the [de]code table is represented as an array of childs,
  the branches need to point at a child within the same array.
  The corruption of the compressed data file from the bug report
  was a couple of branches that pointed outside their array.
  This condition had not been correctly checked.
  
  I added some checks for the pointers in the decode tables.
  This type of corruption will no longer crash the server or
  myisamchk.
  
  No test case. A corrupted compressed table is required.
[30 Nov 2006 8:45] Ingo Strüwing
Queued to 5.1-engines, 5.0-engines, and 4.1-engines.
[27 Dec 2006 0:13] Antony Curtis
Pushed to 5.1.15-beta repository
[27 Dec 2006 2:25] Antony Curtis
Pushed to 5.0.34 repository
[27 Dec 2006 10:00] Antony Curtis
Pushed to 4.1.23 repository
[3 Jan 2007 11:32] Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html

Documented bugfix in 4.1.23, 5.0.34, and 5.1.15 changelogs.