MySQL Bugs: #46354: Crash in partition_info::check_partition

Bug #46354	Crash in partition_info::check_partition_info on inconsistent subpartitions
Submitted:	23 Jul 2009 12:38	Modified:	5 Aug 2009 8:29
Reporter:	Philip Stoev	Email Updates:
Status:	Closed	Impact on me:	None
Category:	MySQL Server: Partitions	Severity:	S1 (Critical)
Version:	5.1,5.4	OS:	Any
Assigned to:	Mikael Ronström	CPU Architecture:	Any

Description:
This bug is being filed on behalf of PeterG.

When subpartitions are not specified consistently in a CREATE TABLE, mysqld crashes as follows:

#2  0x0000000000642316 in handle_segfault (sig=11) at mysqld.cc:2537
#3  <signal handler called>
#4  0x0000000000841d47 in partition_info::check_partition_info (this=0x293b470, thd=0x28d6498, eng_type=0x7f186792e2d0, file=0x293b898, info=0x7f186792e740,
    check_partition_function=true) at partition_info.cc:994
#5  0x00000000007a5a27 in mysql_create_table_no_lock (thd=0x28d6498, db=0x293aa00 "test", table_name=0x293a698 "t2", create_info=0x7f186792e740,
    alter_info=0x7f186792f040, internal_tmp_table=false, select_field_count=0) at sql_table.cc:3588
#6  0x00000000007a67df in mysql_create_table (thd=0x28d6498, db=0x293aa00 "test", table_name=0x293a698 "t2", create_info=0x7f186792e740,
    alter_info=0x7f186792f040, internal_tmp_table=false, select_field_count=0) at sql_table.cc:3909
#7  0x0000000000654e93 in mysql_execute_command (thd=0x28d6498) at sql_parse.cc:2695
#8  0x000000000065ca17 in mysql_parse (thd=0x28d6498,
    inBuf=0x293a4c8 "create table t2 (s1 int, s2 int) partition by list (s1) subpartition by hash(s2) subpartitions 1 (partition p1 values in (1) , partition p2 values in (2) (subpartition p3))", length=172, found_semicolon=0x7f186792fee0) at sql_parse.cc:5932
#9  0x000000000065d841 in dispatch_command (command=COM_QUERY, thd=0x28d6498,
    packet=0x292aac9 "create table t2 (s1 int, s2 int) partition by list (s1) subpartition by hash(s2) subpartitions 1 (partition p1 values in (1) , partition p2 values in (2) (subpartition p3))", packet_length=172) at sql_parse.cc:1213
#10 0x000000000065ec26 in do_command (thd=0x28d6498) at sql_parse.cc:854
#11 0x000000000064b521 in handle_one_connection (arg=0x28d6498) at sql_connect.cc:1127
#12 0x000000315b0073da in start_thread () from /lib64/libpthread.so.0
#13 0x000000315a4e627d in clone () from /lib64/libc.so.6

The crash is here:

(gdb) list
989             List_iterator<partition_element> sub_it(part_elem->subpartitions);
990             partition_element *sub_elem;
991             do
992             {
993               sub_elem= sub_it++;
994               if (check_table_name(sub_elem->partition_name, <<<<<<< HERE
995                                    strlen(sub_elem->partition_name)))
996               {
997                 my_error(ER_WRONG_PARTITION_NAME, MYF(0));
998                 goto end;

(gdb) print sub_elem
$1 = (partition_element *) 0x0

How to repeat:
CREATE TABLE t2 (s1 int, s2 int)
PARTITION BY LIST (s1)
SUBPARTITION BY HASH (s2) SUBPARTITIONS 1
(
 PARTITION p1 VALUES IN (1),
 PARTITION p2 VALUES IN (2) (SUBPARTITION p3)
);

Missing check of this in parser lead to
use of NULL pointer

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/79196

3023 Mikael Ronstrom	2009-07-23
      Bug#46354 Crash when using list partitioning and subpartitioning and wrong subpartition definition
      modified:
        mysql-test/r/partition.result
        mysql-test/t/partition.test
        sql/sql_yacc.yy

Patch approved by email

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/79545

3047 Mikael Ronstrom	2009-07-29
      Bug#46354, when defining partitions without subpartition definition after defining it with the first partition and using list partition caused crash, fixed by more error checks in parser
      modified:
        mysql-test/r/partition.result
        mysql-test/t/partition.test
        sql/sql_yacc.yy

Pushed into 5.4.4-alpha (revid:alik@sun.com-20090804194615-h40sa098mx4z49qg) (version source revid:kristofer.pettersson@sun.com-20090730110412-h8byqpk2h25td8r5) (merge vers: 5.4.4-alpha) (pib:11)

Pushed into 5.1.38 (revid:davi.arnaut@sun.com-20090804204317-ggodqkik7de6nfpz) (version source revid:davi.arnaut@sun.com-20090804204317-ggodqkik7de6nfpz) (merge vers: 5.1.38) (pib:11)

Documented bugfix in the 5.1.38 and 5.4.4 changelogs, as follows:

    Attempting to create a table using an invalid or inconsistent 
    subpartition definition caused the server to crash. An example 
    of such a statement is shown here:

    CREATE TABLE t2 (s1 INT, s2 INT)
    PARTITION BY LIST (s1) 
        SUBPARTITION BY HASH (s2) SUBPARTITIONS 1
    (
        PARTITION p1 VALUES IN (1),
        PARTITION p2 VALUES IN (2) (SUBPARTITION p3)  
    );

Noted in 5.4.2 changelog because next 5.4 version will be 5.4.2 and not 5.4.4.

Ignore previous comment about 5.4.2.

Pushed into 5.1.39-ndb-6.3.28 (revid:jonas@mysql.com-20091001055605-ap2kiaarr7p40mmv) (version source revid:jonas@mysql.com-20091001055605-ap2kiaarr7p40mmv) (merge vers: 5.1.39-ndb-6.3.28) (pib:11)

Pushed into 5.1.39-ndb-7.0.9 (revid:jonas@mysql.com-20091001072547-kv17uu06hfjhgjay) (version source revid:jonas@mysql.com-20091001071652-irejtnumzbpsbgk2) (merge vers: 5.1.39-ndb-7.0.9) (pib:11)

Pushed into 5.1.39-ndb-7.1.0 (revid:jonas@mysql.com-20091001123013-g9ob2tsyctpw6zs0) (version source revid:jonas@mysql.com-20091001123013-g9ob2tsyctpw6zs0) (merge vers: 5.1.39-ndb-7.1.0) (pib:11)

Pushed into 5.1.39-ndb-6.2.19 (revid:jonas@mysql.com-20091005103850-dwij2dojwpvf5hi6) (version source revid:jonas@mysql.com-20090930185117-bhud4ek1y0hsj1nv) (merge vers: 5.1.39-ndb-6.2.19) (pib:11)

The 5.4 fix has been pushed into 5.4.2.