Bug #31694 SIGSEGV in Field_string::type (this=0x80372c660) at field.h:1200
Submitted: 18 Oct 2007 15:59    Modified: 31 Jan 2008 14:08
Reporter: Vasil Dimov
Status: Can't repeat
Category: MySQL Server    Severity: S2 (Serious)
Version: 5.1-bk (5.1.23-beta-debug)    OS: Any
Assigned to: Tatiana Azundris Nuernberg    CPU Architecture: Any

[18 Oct 2007 15:59] Vasil Dimov
Description:
While running some tests I hit this:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x801603c40 (LWP 100460)]
0x00000000004c76c2 in Field_string::type (this=0x80372c660) at field.h:1200
1200                MYSQL_TYPE_VAR_STRING : MYSQL_TYPE_STRING);
(gdb) 
(gdb) 
(gdb) bt
#0  0x00000000004c76c2 in Field_string::type (this=0x80372c660) at field.h:1200
#1  0x00000000005fb4d0 in get_mm_leaf (param=0x7ffffe6de470, conf_func=0x803736d18, 
    field=0x80372c660, key_part=0x803785038, type=Item_func::EQ_FUNC, value=0x803736b58)
    at opt_range.cc:5717
#2  0x00000000005fbd9a in get_mm_parts (param=0x7ffffe6de470, cond_func=0x803736d18, 
    field=0x80372c0c0, type=Item_func::EQ_FUNC, value=0x803736b58, cmp_type=STRING_RESULT)
    at opt_range.cc:5530
#3  0x00000000005fd5dd in get_mm_tree (param=0x7ffffe6de470, cond=0x803736d18)
    at opt_range.cc:5476
#4  0x0000000000602666 in SQL_SELECT::test_quick_select (this=0x803737390, 
    thd=0x8045f5028, keys_to_use={map = 8}, prev_tables=0, limit=18446744073709551615, 
    force_quick_range=false) at opt_range.cc:2252
#5  0x0000000000561d55 in get_quick_record_count (thd=0x8045f5028, select=0x803737390, 
    table=0x803735028, keys=0x803737008, limit=18446744073709551615) at sql_select.cc:2356
#6  0x000000000057937d in make_join_statistics (join=0x80373e038, tables=0x0, 
    conds=0x803736d18, keyuse_array=0x80373f5f8) at sql_select.cc:2764
#7  0x000000000057a3a0 in JOIN::optimize (this=0x80373e038) at sql_select.cc:933
#8  0x000000000057e3c4 in mysql_select (thd=0x8045f5028, rref_pointer_array=0x8045f6ba8, 
    tables=0x8037362d8, wild_num=0, fields=@0x8045f6ae0, conds=0x8037368a8, og_num=0, 
    order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2148289024, 
    result=0x803736a98, unit=0x8045f65c8, select_lex=0x8045f69d8) at sql_select.cc:2299
#9  0x0000000000583157 in handle_select (thd=0x8045f5028, lex=0x8045f6528, 
    result=0x803736a98, setup_tables_done_option=0) at sql_select.cc:263
#10 0x00000000004f8ae8 in execute_sqlcom_select (thd=0x8045f5028, all_tables=0x8037362d8)
    at sql_parse.cc:4549
#11 0x00000000004fa5d7 in mysql_execute_command (thd=0x8045f5028) at sql_parse.cc:1886
#12 0x00000000005028ca in mysql_parse (thd=0x8045f5028, 
    inBuf=0x803736038 "select c from ibtest09 where c = 'kjgclgrtfuylfluyfyufyulfulfyyulofuyolfyufyufuyfyufyufyufyufyyufujhfghdkkkkkkkkk'", length=114, 
    found_semicolon=0x7ffffe6e2d90) at sql_parse.cc:5462
#13 0x00000000005035de in dispatch_command (command=COM_QUERY, thd=0x8045f5028, 
    packet=0x8045f8029 "select c from ibtest09 where c = 'kjgclgrtfuylfluyfyufyulfulfyyulofuyolfyufyufuyfyufyufyufyufyyufujhfghdkkkkkkkkk'", packet_length=115) at sql_parse.cc:958
#14 0x0000000000504948 in do_command (thd=0x8045f5028) at sql_parse.cc:717
#15 0x00000000004f279e in handle_one_connection (arg=0x8045f5028) at sql_connect.cc:1099
#16 0x0000000800e149a8 in pthread_getprio () from /lib/libthr.so.3
#17 0x00007ffffe6a3000 in ?? ()
Error accessing memory address 0x7ffffe6e3000: Bad address.
(gdb) f 0
#0  0x00000000004c76c2 in Field_string::type (this=0x80372c660) at field.h:1200
1200                MYSQL_TYPE_VAR_STRING : MYSQL_TYPE_STRING);
(gdb) ins orig_table
$1 = (st_table *) 0x7ffffe6deb30
(gdb) ins *orig_table
$2 = {s = 0x0, file = 0x0, next = 0x0, prev = 0x0, in_use = 0x0, field = 0x0, record = {
    0x0, 0x0}, write_row_record = 0x0, insert_values = 0x0, covering_keys = {map = 0}, 
  quick_keys = {map = 0}, merge_keys = {map = 0}, keys_in_use_for_query = {map = 0}, 
  keys_in_use_for_group_by = {map = 0}, keys_in_use_for_order_by = {map = 0}, 
  key_info = 0x0, next_number_field = 0x0, found_next_number_field = 0x0, 
  timestamp_field = 0x0, triggers = 0x0, pos_in_table_list = 0x0, group = 0x0, 
  alias = 0x0, null_flags = 0x0, bitmap_init_value = 0x0, def_read_set = {bitmap = 0x0, 
    n_bits = 0, last_word_mask = 0, last_word_ptr = 0x0, mutex = 0x0}, def_write_set = {
    bitmap = 0x0, n_bits = 0, last_word_mask = 0, last_word_ptr = 0x0, mutex = 0x0}, 
  tmp_set = {bitmap = 0x0, n_bits = 0, last_word_mask = 0, last_word_ptr = 0x0, 
    mutex = 0x0}, read_set = 0x0, write_set = 0x0, query_id = 0, quick_rows = {
    0 <repeats 28 times>, 16, 0 <repeats 35 times>}, const_key_parts = {
    0 <repeats 59 times>, 4294967296, 8814195, 10107835, 34417414592, 140737462005920}, 
  quick_key_parts = {8821017, 0, 8827542, 0, 0, 0, 9802519, 0, 57708864, 8, 4268618144, 
    32767, 8827679, 0, 8827542, 0, 9802627, 0, 8, 48, 8814195, 0, 4268617968, 32767, 
    57676224, 8, 4268618000, 32767, 8821017, 0, 57708864, 0, 0, 0, 9802519, 0, 57708864, 
    8, 4268618256, 32767, 8827679, 0, 8827542, 0, 9802524, 0, 8, 48, 4268618272, 32767, 
    4268618080, 32767, 4268618280, 32767, 57708864, 8, 4268620000, 32767, 4268618144, 
    32767, 4268619488, 32767, 57708864, 8}, quick_n_ranges = {57761792, 8, 4268618336, 
    32767, 8814195, 0, 9799934, 0, 57676224, 8, 4268618192, 32767, 8821017, 0, 
    4268618208, 32767, 8821017, 0, 57708864, 0, 57708864, 8, 4268618256, 32767, 8827314, 
    0, 4268619380, 32767, 4268619384, 32767, 4268619392, 32767, 4268619491, 213, 
    4268619490, 0, 57708864, 8, 4268619424, 32767, 6441462, 0, 0, 0, 57708864, 8, 
    4268618352, 3, 12193984, 0, 4268624096, 32767, 57893944, 8, 512, 0, 4268619488, 
    32767, 1819374371, 808464685, 878653794, 102, 4268618496, 32767}, 
  quick_condition_rows = 8814195, timestamp_field_type = 4268618416, map = 34417414592, 
  lock_position = 4268618432, lock_data_start = 32767, lock_count = 8814195, tablenr = 0, 
  used_fields = 57708864, temp_pool_slot = 1, status = 8814195, db_stat = 0, 
  derived_select_number = 57720976, current_lock = 8, copy_blobs = -112 '\220', 
  maybe_null = 8, null_row = 16 '\020', force_index = -13 'у', distinct = 109 'm', 
  const_table = -2 'ю', no_rows = -1 'я', key_read = 127 '\177', no_keyread = 0 '\0', 
  open_placeholder = 0 '\0', locked_by_logger = 48 '0', no_replicate = 114 'r', 
  locked_by_name = -122 '\206', fulltext_searched = 0 '\0', no_cache = 0 '\0', 
  clear_query_id = 0 '\0', auto_increment_field_not_null = 0 '\0', 
---Type <return> to continue, or q <return> to quit---q
insert_or_update = 0 '\0Quit
(gdb) ins orig_table->s
$3 = (TABLE_SHARE *) 0x0

How to repeat:
N/A

Suggested fix:
--- sql/field.h.orig    2007-10-18 18:56:49.000000000 +0300
+++ sql/field.h 2007-10-18 18:56:54.000000000 +0300
@@ -1191,11 +1191,11 @@
                    NONE, field_name_arg, cs),
      can_alter_field_type(1) {};
 
   enum_field_types type() const
   {
-    return ((can_alter_field_type && orig_table &&
+    return ((can_alter_field_type && orig_table && orig_table->s &&
              orig_table->s->db_create_options & HA_OPTION_PACK_RECORD &&
             field_length >= 4) &&
             orig_table->s->frm_version < FRM_VER_TRUE_VARCHAR ?
            MYSQL_TYPE_VAR_STRING : MYSQL_TYPE_STRING);
   }
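Review bot: the `orig_table->s` test added to the condition guards against a symptom that the dump above says is not the real problem: `*orig_table` is not a TABLE whose share is merely unset, it is memory that no longer holds a TABLE at all. `orig_table = 0x7ffffe6deb30` lies in the same range as the stack locals in the backtrace (`param=0x7ffffe6de470` in frame #1, `found_semicolon=0x7ffffe6e2d90` in frame #12), and the "garbage" in the uint arrays decodes as saved pointers when read as little-endian uint32 pairs: `4268618144, 32767` is 0x00007ffffe6df1a0, another address in that stack range, and `57708864, 8` is 0x0000000803709140, in the same heap range as `field=0x80372c660` and `conf_func=0x803736d18`. That is consistent with a Field_string whose orig_table points at a TABLE that lived in a caller's stack frame which has since been popped and reused, so `s == 0x0` is simply whatever that slot held at the time. With the check, a reused frame that happens to hold zeros there turns the crash into a silently wrong `MYSQL_TYPE_STRING`, while any non-zero stale value still dereferences garbage. Rather than widening the condition, trace where this field's orig_table is assigned and make sure it outlives the field, and keep the failure loud in debug builds, e.g. `DBUG_ASSERT(orig_table->s);` before the dereference, so the next occurrence is caught at the source instead of masked.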
[18 Oct 2007 16:29] MySQL Verification Team
Thank you for the bug report and contribution patch.
[25 Oct 2007 10:04] Tatiana Azundris Nuernberg
There should not be a table without a table_share to begin with (also, some of the other variables in the st_table have "impossible" values). The orig_table sadly points at garbage; the orig_table setup seems straight-forward, so unless it was given a faulty table-pointer (or the orig_table pointer was somehow corrupted), the table at *orig_table may have been valid originally, but prematurely free()d somewhere along the line.

Consequently, orig_table->s is NULL (rather than some other random value) only by sheer coincidence in all likelihood. We can test for NULL, but not for 'a random wrong value'; besides, this would just hide the underlying error. :-/ So we can neither reliably if() nor assert() against this.

Need more info to fix underlying bug; please supply, in order of preference, at least one of:
- SQL code that triggers this bug, and/or
- a core file, and/or
- a print-out of *this / field

Thank you for your help!
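As an added example (not from the report or from the MySQL sources), here is a small triage script that does by machine what a reviewer would do by hand on the `*orig_table` dump above: gdb prints `quick_key_parts` as 64 `uint` values, but read as little-endian uint32 pairs they reassemble into 64-bit values, and comparing those against the stack, heap and text addresses visible in the backtrace shows which region the stale memory was last used by. The region boundaries, the 1 MiB slack and the parser for gdb's `<repeats N times>` array syntax are this example's own assumptions; the addresses and array contents are copied from the report.

```python
"""Decode a gdb struct dump whose 'impossible' uint fields are really pointers.

Added example for this bug report; not part of the report or of MySQL. The
addresses come from the backtrace and the '(gdb) ins *orig_table' output in the
report; the region labels and the slack are heuristics of this script.
"""
import re

MIB = 1 << 20

# Pointer-valued frame arguments copied from the backtrace (constructed sample).
STACK_ARGS = [0x7ffffe6de470, 0x7ffffe6e2d90]          # param (#1), found_semicolon (#12)
HEAP_ARGS = [0x80372c660, 0x803736d18, 0x803737390,
             0x80373e038, 0x8045f5028]                 # field, conf_func, select, join, thd
TEXT_PCS = [0x4c76c2, 0x5fb4d0, 0x5fbd9a, 0x5fd5dd, 0x602666, 0x561d55,
            0x57937d, 0x57a3a0, 0x57e3c4, 0x583157, 0x4f8ae8, 0x4fa5d7,
            0x5028ca, 0x5035de, 0x504948, 0x4f279e]    # frames #0..#15

# Each region is the span of the known addresses widened by slack (assumed 1 MiB),
# since a pointer into a neighbouring frame or heap block is not an exact hit.
REGIONS = {
    "stack": (min(STACK_ARGS) - MIB, max(STACK_ARGS) + MIB),
    "heap": (min(HEAP_ARGS) - MIB, max(HEAP_ARGS) + MIB),
    "text": (min(TEXT_PCS) - MIB, max(TEXT_PCS) + MIB),
}

# quick_key_parts exactly as printed by '(gdb) ins *orig_table' in the report.
QUICK_KEY_PARTS_DUMP = """8821017, 0, 8827542, 0, 0, 0, 9802519, 0, 57708864, 8, 4268618144,
32767, 8827679, 0, 8827542, 0, 9802627, 0, 8, 48, 8814195, 0, 4268617968, 32767,
57676224, 8, 4268618000, 32767, 8821017, 0, 57708864, 0, 0, 0, 9802519, 0, 57708864,
8, 4268618256, 32767, 8827679, 0, 8827542, 0, 9802524, 0, 8, 48, 4268618272, 32767,
4268618080, 32767, 4268618280, 32767, 57708864, 8, 4268620000, 32767, 4268618144,
32767, 4268619488, 32767, 57708864, 8"""

_REPEAT = re.compile(r"^(\d+)\s*<repeats\s+(\d+)\s+times>$")


def parse_uint_dump(text):
    """Expand gdb's '{a, b, 0 <repeats N times>}' array syntax into a flat int list."""
    words = []
    for item in text.replace("{", "").replace("}", "").split(","):
        item = item.strip()
        if not item:
            continue
        m = _REPEAT.match(item)
        if m:
            words.extend([int(m.group(1))] * int(m.group(2)))
        else:
            words.append(int(item))
    return words


def pair_to_u64(lo, hi):
    """Reassemble two adjacent little-endian uint32 words into one 64-bit value."""
    return (hi << 32) | lo


def classify(addr):
    """Name the region a 64-bit value falls in, or 'unknown' if it matches none."""
    if addr == 0:
        return "null"
    for name, (lo, hi) in REGIONS.items():
        if lo <= addr <= hi:
            return name
    return "unknown"


def decode_pairs(words):
    """Turn a uint32 dump into [(offset, 64-bit value, region)]; a trailing odd word is ignored."""
    out = []
    for i in range(len(words) // 2):
        value = pair_to_u64(words[2 * i], words[2 * i + 1])
        out.append((2 * i, value, classify(value)))
    return out


def region_histogram(decoded):
    """Count how many reassembled values landed in each region."""
    counts = {}
    for _, _, region in decoded:
        counts[region] = counts.get(region, 0) + 1
    return counts


if __name__ == "__main__":
    decoded = decode_pairs(parse_uint_dump(QUICK_KEY_PARTS_DUMP))
    for off, value, region in decoded:
        print(f"quick_key_parts[{off:2d}..{off + 1:2d}] = {value:#018x}  {region}")
    print(region_histogram(decoded))
    print("orig_table itself:", classify(0x7ffffe6deb30))
```

Run stand-alone it lists each reassembled pair with its region; the point to look for is the run of values classified as `stack` sitting next to a few `heap` ones, which is the signature of a stack frame that has been popped and overwritten with saved pointers, not of random memory corruption.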
[26 Nov 2007 0:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[31 Jan 2008 13:47] Susanne Ebrecht
Vasil,

to analyze your problem, we still need:

- SQL code that triggers this bug, and/or
- a core file, and/or
- a print-out of *this / field
[31 Jan 2008 14:08] Vasil Dimov
Sorry, I do not have any of these and I am unable to reproduce this crash.

Tatjana is right that checking for NULL may only hide the bug further.