Bug #46456 HANDLER OPEN + TRUNCATE + DROP (temporary) TABLE, crash
Submitted: 29 Jul 2009 17:44
Modified: 18 Dec 2009 13:24
Reporter: Matthias Leich
Status: Closed
Category: MySQL Server: Locking
Severity: S3 (Non-critical)
Version: 5.1, 5.4
OS: Any
Assigned to: Ramil Kalimullin
CPU Architecture: Any

[29 Jul 2009 17:44] Matthias Leich
Description:
--disable_warnings
DROP TABLE IF EXISTS t1;
--enable_warnings

CREATE TEMPORARY TABLE t1 AS SELECT 1 AS f1;

HANDLER t1 OPEN;
TRUNCATE t1;

# Here comes the crash
DROP TABLE t1;

Backtrace from mysql-5.1-bugteam 2009-07-29:
--------------------------------------------
#0  0x00007f044d9cece6 in pthread_kill () from /lib64/libpthread.so.0
#1  0x0000000000afe9fb in my_write_core (sig=11) at stacktrace.c:310
#2  0x00000000006b59a7 in handle_segfault (sig=11) at mysqld.cc:2552
#3  <signal handler called>
#4  0x00000000005ccc00 in handler::ha_index_or_rnd_end (this=0x8f8f8f8f8f8f8f8f) at handler.h:1204
#5  0x00000000005cb062 in mysql_ha_close_table (thd=0x118d1e8, tables=0x121c5e8, is_locked=false) at sql_handler.cc:159
#6  0x00000000005cb310 in mysql_ha_rm_tables (thd=0x118d1e8, tables=0x11f5230, is_locked=false) at sql_handler.cc:765
#7  0x000000000081e4cc in mysql_rm_table_part2 (thd=0x118d1e8, tables=0x11f5230, if_exists=false, drop_temporary=false, drop_view=false, dont_log_query=false) at sql_table.cc:1817
#8  0x000000000081f136 in mysql_rm_table (thd=0x118d1e8, tables=0x11f5230, if_exists=0 '\0', drop_temporary=0 '\0') at sql_table.cc:1749
#9  0x00000000006ca99a in mysql_execute_command (thd=0x118d1e8) at sql_parse.cc:3352
#10 0x00000000006cffbc in mysql_parse (thd=0x118d1e8, inBuf=0x11f5168 "DROP TABLE t1", length=13, found_semicolon=0x40c0bef0) at sql_parse.cc:5931
#11 0x00000000006d0de9 in dispatch_command (command=COM_QUERY, thd=0x118d1e8, packet=0x11e1729 "DROP TABLE t1", packet_length=13) at sql_parse.cc:1213
#12 0x00000000006d2197 in do_command (thd=0x118d1e8) at sql_parse.cc:854
#13 0x00000000006bed68 in handle_one_connection (arg=0x118d1e8) at sql_connect.cc:1127
#14 0x00007f044d9ca040 in start_thread () from /lib64/libpthread.so.0
#15 0x00007f044cc7808d in clone () from /lib64/libc.so.6
#16 0x0000000000000000 in ?? ()

The "magic" thing is that I use a *TEMPORARY* TABLE.
In case of a non TEMPORARY TABLE I get
   query 'TRUNCATE t1' failed: 1105: 
         MyISAM table 't1' is in use (most likely
         by a MERGE table). Try FLUSH TABLES.
which is acceptable.

Results on MySQL 5.4 Azalea 2009-07-23:
---------------------------------------
temporary table: crash with backtrace similar to above
no temporary table: Bug#46452 Crash in MDL, HANDLER OPEN + TRUNCATE TABLE
                 = the backtrace is different and shows MDL stuff

Results on mysql-5.0-bugteam 2009-07-14:
----------------------------------------
No crash and for
temporary table: TRUNCATE is successful
non temporary table: TRUNCATE fails with
        1105: MyISAM table 't1' is in use (most likely by
              a MERGE table). Try FLUSH TABLES.
"Nice" inconsistency

My environment:
- All releases compiled from source with
  /BUILD/compile-pentium64-debug-max
- Linux OpenSuSE 11,0 (64 Bit)

IMHO the current crash could be used for
a DoS attack.

How to repeat:
Please see above
[12 Aug 2009 16:52] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/80695

3062 Ramil Kalimullin	2009-08-12
      Fix for bug #46456 [Ver->Prg]: HANDLER OPEN + TRUNCATE + DROP
       (temporary) TABLE, crash
      
      Problem: if one has an open "HANDLER t1", further "TRUNCATE t1" 
      doesn't close the handler and leaves handler table hash in an 
      inconsistent state, that may lead to a server crash.
      
      Fix: TRUNCATE should implicitly close all open handlers.
      
      Doc. request: the fact should be described in the manual accordingly.
     @ mysql-test/r/handler_myisam.result
        Fix for bug #46456 [Ver->Prg]: HANDLER OPEN + TRUNCATE + DROP
         (temporary) TABLE, crash
          - test result.
     @ mysql-test/t/handler_myisam.test
        Fix for bug #46456 [Ver->Prg]: HANDLER OPEN + TRUNCATE + DROP
         (temporary) TABLE, crash
          - test case.
     @ sql/sql_delete.cc
        Fix for bug #46456 [Ver->Prg]: HANDLER OPEN + TRUNCATE + DROP
         (temporary) TABLE, crash
          - remove all truncated tables from the HANDLER's hash.
[21 Aug 2009 5:56] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/81232

3075 Ramil Kalimullin	2009-08-21
      Fix for bug #46456 [Ver->Prg]: HANDLER OPEN + TRUNCATE + DROP
      (temporary) TABLE, crash
      
      Problem: if one has an open "HANDLER t1", further "TRUNCATE t1" 
      doesn't close the handler and leaves handler table hash in an 
      inconsistent state, that may lead to a server crash.
      
      Fix: TRUNCATE should implicitly close all open handlers.
      
      Doc. request: the fact should be described in the manual accordingly.
     @ mysql-test/r/handler_myisam.result
        Fix for bug #46456 [Ver->Prg]: HANDLER OPEN + TRUNCATE + DROP
        (temporary) TABLE, crash
          - test result.
     @ mysql-test/t/handler_myisam.test
        Fix for bug #46456 [Ver->Prg]: HANDLER OPEN + TRUNCATE + DROP
        (temporary) TABLE, crash
          - test case.
     @ sql/sql_delete.cc
        Fix for bug #46456 [Ver->Prg]: HANDLER OPEN + TRUNCATE + DROP
         (temporary) TABLE, crash
          - remove all truncated tables from the HANDLER's hash.
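
The inconsistency described in the commit message, as an added example that is not MySQL source code: a simplified C++ model of a session whose HANDLER hash refers to table objects owned elsewhere. `Session`, `Table`, `run_sequence` and the destroy-and-recreate behaviour of TRUNCATE are assumptions of the model; `std::weak_ptr` stands in for the server's pointer so the dangling entry can be observed without undefined behaviour.

```cpp
// Simplified model (not MySQL source) of a HANDLER hash left stale by TRUNCATE.
#include <map>
#include <memory>
#include <string>

struct Table { std::string name; int rows; };

struct Session {
    std::map<std::string, std::shared_ptr<Table>> temp_tables;  // owns the tables
    std::map<std::string, std::weak_ptr<Table>> handler_hash;   // HANDLER ... OPEN

    void create(const std::string& n) {
        temp_tables[n] = std::make_shared<Table>(Table{n, 1});
    }
    bool handler_open(const std::string& n) {
        auto it = temp_tables.find(n);
        if (it == temp_tables.end()) return false;
        handler_hash[n] = it->second;
        return true;
    }
    // Assumption: TRUNCATE destroys the old table object and creates a new one.
    void truncate(const std::string& n, bool close_handlers) {
        if (close_handlers) handler_hash.erase(n);  // fix: close open handlers first
        temp_tables[n] = std::make_shared<Table>(Table{n, 0});
    }
    // True when the hash still names a table whose object no longer exists.
    bool has_dangling_handler(const std::string& n) const {
        auto it = handler_hash.find(n);
        return it != handler_hash.end() && it->second.expired();
    }
    // DROP closes any handler on the table first. Returns false where that
    // close step would have followed a dangling entry.
    bool drop(const std::string& n) {
        bool safe = !has_dangling_handler(n);
        handler_hash.erase(n);
        temp_tables.erase(n);
        return safe;
    }
};

// Runs CREATE, HANDLER OPEN, TRUNCATE, DROP; reports whether DROP was safe.
bool run_sequence(bool truncate_closes_handlers) {
    Session s;
    s.create("t1");
    s.handler_open("t1");
    s.truncate("t1", truncate_closes_handlers);
    return s.drop("t1");
}

int main() { return (!run_sequence(false) && run_sequence(true)) ? 0 : 1; }
```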
[2 Sep 2009 16:42] Bugs System
Pushed into 5.1.39 (revid:joro@sun.com-20090902154533-8actmfcsjfqovgsb) (version source revid:ramil@mysql.com-20090821055535-a5aeas33epokjjnp) (merge vers: 5.1.39) (pib:11)
[14 Sep 2009 16:03] Bugs System
Pushed into 5.4.4-alpha (revid:alik@sun.com-20090914155317-m1g9wodmndzdj4l1) (version source revid:alik@sun.com-20090914155317-m1g9wodmndzdj4l1) (merge vers: 5.4.4-alpha) (pib:11)
[18 Sep 2009 19:42] Paul Dubois
Noted in 5.1.39, 5.4.4 changelogs.

TRUNCATE TABLE for a table that was opened with HANDLER did not close
the handler and left it in an inconsistent state that could lead to a
server crash.
[1 Oct 2009 5:59] Bugs System
Pushed into 5.1.39-ndb-6.3.28 (revid:jonas@mysql.com-20091001055605-ap2kiaarr7p40mmv) (version source revid:jonas@mysql.com-20091001055605-ap2kiaarr7p40mmv) (merge vers: 5.1.39-ndb-6.3.28) (pib:11)
[1 Oct 2009 7:25] Bugs System
Pushed into 5.1.39-ndb-7.0.9 (revid:jonas@mysql.com-20091001072547-kv17uu06hfjhgjay) (version source revid:jonas@mysql.com-20091001071652-irejtnumzbpsbgk2) (merge vers: 5.1.39-ndb-7.0.9) (pib:11)
[1 Oct 2009 13:25] Bugs System
Pushed into 5.1.39-ndb-7.1.0 (revid:jonas@mysql.com-20091001123013-g9ob2tsyctpw6zs0) (version source revid:jonas@mysql.com-20091001123013-g9ob2tsyctpw6zs0) (merge vers: 5.1.39-ndb-7.1.0) (pib:11)
[2 Oct 2009 1:22] Paul Dubois
Move 5.4 changelog entry from 5.4.4 to 5.4.3.
[2 Oct 2009 17:16] Paul Dubois
Added to changelog entry:

Now TRUNCATE TABLE for a table closes all open handlers for the
table.  

Also updated HANDLER and TRUNCATE TABLE sections of manual accordingly.
[5 Oct 2009 10:50] Bugs System
Pushed into 5.1.39-ndb-6.2.19 (revid:jonas@mysql.com-20091005103850-dwij2dojwpvf5hi6) (version source revid:jonas@mysql.com-20090930185117-bhud4ek1y0hsj1nv) (merge vers: 5.1.39-ndb-6.2.19) (pib:11)
[13 Oct 2009 18:30] Bugs System
Pushed into 5.1.41 (revid:build@mysql.com-20091013182142-vgsjky3t1v4btufv) (version source revid:build@mysql.com-20091013182142-vgsjky3t1v4btufv) (merge vers: 5.1.41) (pib:13)
[13 Oct 2009 23:31] Paul Dubois
Already fixed in 5.1.39.
[22 Oct 2009 6:33] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091022063126-l0qzirh9xyhp0bpc) (version source revid:alik@sun.com-20091019135554-s1pvptt6i750lfhv) (merge vers: 6.0.14-alpha) (pib:13)
[22 Oct 2009 7:05] Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091022060553-znkmxm0g0gm6ckvw) (version source revid:alik@sun.com-20091019131937-nchb8tjk88jpfjav) (merge vers: 5.5.0-beta) (pib:13)
[22 Oct 2009 19:17] Paul Dubois
Noted in 5.5.0, 6.0.14 changelogs.
[18 Dec 2009 10:26] Bugs System
Pushed into 5.1.41-ndb-7.1.0 (revid:jonas@mysql.com-20091218102229-64tk47xonu3dv6r6) (version source revid:jonas@mysql.com-20091218095730-26gwjidfsdw45dto) (merge vers: 5.1.41-ndb-7.1.0) (pib:15)
[18 Dec 2009 10:42] Bugs System
Pushed into 5.1.41-ndb-6.2.19 (revid:jonas@mysql.com-20091218100224-vtzr0fahhsuhjsmt) (version source revid:jonas@mysql.com-20091217101452-qwzyaig50w74xmye) (merge vers: 5.1.41-ndb-6.2.19) (pib:15)
[18 Dec 2009 10:58] Bugs System
Pushed into 5.1.41-ndb-6.3.31 (revid:jonas@mysql.com-20091218100616-75d9tek96o6ob6k0) (version source revid:jonas@mysql.com-20091217154335-290no45qdins5bwo) (merge vers: 5.1.41-ndb-6.3.31) (pib:15)
[18 Dec 2009 11:12] Bugs System
Pushed into 5.1.41-ndb-7.0.11 (revid:jonas@mysql.com-20091218101303-ga32mrnr15jsa606) (version source revid:jonas@mysql.com-20091218064304-ezreonykd9f4kelk) (merge vers: 5.1.41-ndb-7.0.11) (pib:15)
[18 Dec 2009 13:24] MC Brown
Already noted in earlier changelogs.