Percona Server / PS-4523

Server crashing when checking privileges for Prepared Statement update with derived tables or subqueries

    Details

    • Type: Bug
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 5.7.17-13
    • Fix Version/s: 5.7.18-14
    • Component/s: None
    • Labels:
      None

      Description

      Server crashes when executing an UPDATE through a prepared statement with a subquery / derived table in which one of the tables is optimized away.

      How to reproduce:

      Create 2 tables:

      CREATE DATABASE marcelo;
      USE marcelo;
      CREATE TABLE t1 (s1 INT, s2 CHAR(5), s3 FLOAT);
      INSERT INTO t1 VALUES (1,'1',1.0);
      INSERT INTO t1 VALUES (2,'2',2.0);
      CREATE TABLE t2 LIKE t1;
      INSERT INTO t2 SELECT * FROM t1;

      Create a user without global privileges:

      GRANT USAGE ON *.* TO 'u1'@'%' IDENTIFIED BY 'sekret';
      GRANT SELECT, UPDATE ON `marcelo`.* TO 'u1'@'%';
      

      Connect as the new user and issue an update within a prepared statement:

      PREPARE p2 FROM "UPDATE t1 as t LEFT JOIN ( SELECT s1 FROM (   SELECT s1 FROM t2 as ttt ) AS kk)  kkk ON t.s1 = kkk.s1 SET s3 = (SELECT s1 FROM t2 as tt WHERE t.s1 = tt.s1)";
      EXECUTE p2;
      

      MySQL will crash with the stack trace below:

      19:29:42 UTC - mysqld got signal 11 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning hardware.
      Attempting to collect some information that could help diagnose the problem.
      As this is a crash and something is definitely wrong, the information
      collection process might fail.
      Please help us make Percona Server better by reporting any
      bugs at http://bugs.percona.com/
      
      key_buffer_size=8388608
      read_buffer_size=131072
      max_used_connections=2
      max_threads=152
      thread_count=2
      connection_count=2
      It is possible that mysqld could use up to
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 68317 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
      
      Thread pointer: 0x7f7591c17000
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 7f75b9200df0 thread_stack 0x40000
      ./bin/mysqld(my_print_stacktrace+0x2e)[0xff998e]
      ./bin/mysqld(handle_fatal_signal+0x4a1)[0x946991]
      /lib/x86_64-linux-gnu/libpthread.so.0(+0x10330)[0x7f75b8c92330]
      /lib/x86_64-linux-gnu/libc.so.6(+0xa0e17)[0x7f75b6e83e17]
      ./bin/mysqld(_Z16name_hash_searchP7st_hashPKcS2_S2_S2_S2_bb+0x58)[0x958128]
      ./bin/mysqld(_Z18check_grant_columnP3THDP10GRANT_INFOPKcS4_S4_mP16Security_contextm+0xce)[0x96184e]
      ./bin/mysqld(_Z31check_column_grant_in_table_refP3THDP10TABLE_LISTPKcmm+0x8f)[0x9619bf]
      ./bin/mysqld(_ZN20Item_direct_view_ref23check_column_privilegesEPh+0x88)[0x9c0b18]
      ./bin/mysqld(_ZN8Item_ref4walkEM4ItemFbPhENS0_9enum_walkES1_+0x57)[0x9c2aa7]
      ./bin/mysqld(_ZN8Item_ref4walkEM4ItemFbPhENS0_9enum_walkES1_+0x81)[0x9c2ad1]
      ./bin/mysqld(_Z23find_field_in_table_refP3THDP10TABLE_LISTPKcmS4_S4_S4_PP4ItemmbPjbPS2_+0x5f1)[0xdab5d1]
      ./bin/mysqld(_Z20find_field_in_tablesP3THDP10Item_identP10TABLE_LISTS4_PP4Item27find_item_error_report_typemb+0x12f)[0xdab95f]
      ./bin/mysqld(_ZN10Item_field10fix_fieldsEP3THDPP4Item+0x21a)[0x9c17da]
      ./bin/mysqld(_ZN9Item_func12fix_func_argEP3THDPP4Item+0x111)[0xa07261]
      ./bin/mysqld(_ZN9Item_func10fix_fieldsEP3THDPP4Item+0xc7)[0xa07347]
      ./bin/mysqld(_ZN13st_select_lex11setup_condsEP3THD+0x115)[0xe2c8e5]
      ./bin/mysqld(_ZN13st_select_lex7prepareEP3THD+0x406)[0xe30eb6]
      ./bin/mysqld(_Z12handle_queryP3THDP3LEXP12Query_resultyy+0x2c9)[0xe34b39]
      ./bin/mysqld(_Z18mysql_multi_updateP3THDP4ListI4ItemES4_15enum_duplicatesP13st_select_lexPP19Query_result_update+0x90)[0xe7a300]
      ./bin/mysqld(_ZN14Sql_cmd_update26execute_multi_table_updateEP3THD+0x162)[0xe7bdc2]
      ./bin/mysqld(_ZN14Sql_cmd_update7executeEP3THD+0x84)[0xe7bf04]
      ./bin/mysqld(_Z21mysql_execute_commandP3THDb+0x1de9)[0xdfcec9]
      ./bin/mysqld(_ZN18Prepared_statement7executeEP6Stringb+0x260)[0xe262b0]
      ./bin/mysqld(_ZN18Prepared_statement12execute_loopEP6StringbPhS2_+0xbc)[0xe2754c]
      ./bin/mysqld(_Z22mysql_sql_stmt_executeP3THD+0xea)[0xe27ada]
      ./bin/mysqld(_Z21mysql_execute_commandP3THDb+0x1a61)[0xdfcb41]
      ./bin/mysqld(_Z11mysql_parseP3THDP12Parser_state+0x5d5)[0xe00c65]
      ./bin/mysqld(_Z16dispatch_commandP3THDPK8COM_DATA19enum_server_command+0x15cf)[0xe0229f]
      ./bin/mysqld(_Z10do_commandP3THD+0x1cd)[0xe02a0d]
      ./bin/mysqld(handle_connection+0x2a4)[0xebb194]
      ./bin/mysqld(pfs_spawn_thread+0x1b4)[0x1069614]
      /lib/x86_64-linux-gnu/libpthread.so.0(+0x8184)[0x7f75b8c8a184]
      /lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7f75b6ee103d]
      
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (7f7591c86aa8): UPDATE t1 as t LEFT JOIN ( SELECT s1 FROM (   SELECT s1 FROM t2 as ttt ) AS kk)  kkk ON t.s1 = kkk.s1 SET s3 = (SELECT s1 FROM t2 as tt WHERE t.s1 = tt.s1)
      Connection ID (thread ID): 4
      Status: NOT_KILLED
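
      A triage aid added here (not part of the original report or of Percona's code): this Python script parses a mysqld crash report from the error log and flags traces that carry the frames seen in the trace above. The function names, the `SIGNATURE` tuple and the shortened sample excerpt are assumptions made for this example.

```python
import re

# mysqld backtrace frame: path(symbol+0xOFFSET)[0xADDRESS]
FRAME_RE = re.compile(r"^\s*\S+\((?P<sym>[^()+]*)\+0x[0-9a-f]+\)\[0x[0-9a-f]+\]\s*$")
SIGNAL_RE = re.compile(r"mysqld got signal (\d+)")
QUERY_RE = re.compile(r"^\s*Query \([0-9a-f]+\): (.*)$")

# Substrings of mangled symbols from the trace in this report; all must appear.
SIGNATURE = ("check_grant_column", "Sql_cmd_update", "Prepared_statement")

# Shortened excerpt of the trace above (frames dropped, query cut to "...").
SAMPLE = """\
19:29:42 UTC - mysqld got signal 11 ;
./bin/mysqld(handle_fatal_signal+0x4a1)[0x946991]
/lib/x86_64-linux-gnu/libc.so.6(+0xa0e17)[0x7f75b6e83e17]
./bin/mysqld(_Z18check_grant_columnP3THDP10GRANT_INFOPKcS4_S4_mP16Security_contextm+0xce)[0x96184e]
./bin/mysqld(_ZN14Sql_cmd_update7executeEP3THD+0x84)[0xe7bf04]
./bin/mysqld(_ZN18Prepared_statement7executeEP6Stringb+0x260)[0xe262b0]
Query (7f7591c86aa8): UPDATE t1 as t LEFT JOIN ...
Connection ID (thread ID): 4
"""

def parse_crash_report(text):
    """Return the signal number, the symbols in stack order, and the query."""
    report = {"signal": None, "frames": [], "query": None}
    for line in text.splitlines():
        m = SIGNAL_RE.search(line)
        if m:
            report["signal"] = int(m.group(1))
            continue
        m = FRAME_RE.match(line)
        if m:
            if m.group("sym"):  # skip symbol-less frames such as libc.so.6(+0xa0e17)
                report["frames"].append(m.group("sym"))
            continue
        m = QUERY_RE.match(line)
        if m:
            report["query"] = m.group(1).strip()
    return report

def matches_ps4523(report):
    """True when a signal 11 trace contains every signature symbol."""
    if report["signal"] != 11:
        return False
    return all(any(s in f for f in report["frames"]) for s in SIGNATURE)

if __name__ == "__main__":
    print(matches_ps4523(parse_crash_report(SAMPLE)))
```

      A match on a server older than the fix version listed above (5.7.18-14) points at this bug; the extracted query and connection ID identify the statement and session to follow up on.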
      

      People

      • Assignee: Unassigned
      • Reporter: Marcelo Altmann (marcelo.altmann)