MariaDB Connector/C: CONC-780

Crash due to calling function pointer that is NULL in mysql_stmt_fetch


Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.3.16, 3.4.5
    • Fix Version/s: None
    • Component/s: Error handling
    • Labels: None
    • Environment: Linux/Windows at least

    Description

      When developing a C++ abstraction for a custom language, I encountered the following bug that caused a crash with PC at address 0. The attached program contains a program that reproduces the issue. It is tested with client version 3.3.16. I tried compiling with the latest version (3.4.5) as well, but I failed to get the new version to connect to my database (probably an unrelated configuration issue on my machine). I examined the code, and the issue in question remains.

      The problem is caused by the following sequence of calls to the connector:

      1. create two prepared statements, a and b.
      2. execute statement a, and extract results from it.
      3. execute statement b
      4. free and reset statement a
      5. extract results from statement b

      The issue above is that step 4 is out of sync (and it is a usage error). The problem is that it causes step 5 to crash, rather than producing an out of sync error (looking at the code, it does produce an out of sync error, but it crashes before returning to the caller, so it is not possible to act on the error).

      When debugging, I found the cause of these symptoms. When calling "mysql_stmt_fetch" at step 5, the statement has its "fetch_row_func" set to NULL. My understanding is that this is normal, since no results have been fetched yet. The start of "mysql_stmt_fetch" realizes this (by inspecting "state") and calls "default_rset_handler", which at the time refers to "_mysql_stmt_use_result". "_mysql_stmt_use_result" realizes that commands are executed out of sync and invokes "SET_CLIENT_ERROR(..., CR_COMMANDS_OUT_OF_SYNC, ...)" and returns to the caller. Note that this happens without setting "fetch_row_func" (which makes sense). After this, "mysql_stmt_fetch" calls "db_stmt_fetch", which refers to "mthd_stmt_fetch_row", which in turn calls "fetch_row_func" that is still NULL. This causes the crash.

      From what I can see, the solution would be either to let "_mysql_stmt_use_result" inform the caller that it failed, so that "mysql_stmt_fetch" can return early if the call to "default_rset_handler" fails, or to check for NULL in "mthd_stmt_fetch_row". Since the code already sets an appropriate error, it is probably enough to avoid the crash and return to the caller. However, I don't know what the preferred way to do this would be.
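The call chain above, reduced to a small standalone model with both proposed guards in place, as an added example that is not Connector/C code and not part of the report. The CONN struct, the `result_pending` flag and the stmt layout are assumptions; the function names mirror the ones named in the report, and the error number is the MySQL client value for CR_COMMANDS_OUT_OF_SYNC.

```c
#include <stddef.h>

/* Simplified model of the call chain in the report (not Connector/C code): a
 * statement whose result handler fails must not leave fetch_row_func NULL for
 * the row-fetch path to call. Structs and the CONN flag are assumptions. */
#define CR_COMMANDS_OUT_OF_SYNC 2014            /* MySQL client error number */

enum stmt_state { STMT_PREPARED, STMT_EXECUTED, STMT_FETCHING };
typedef struct { int result_pending; } CONN;     /* hypothetical connection state */
typedef struct stmt {
    CONN *conn;
    enum stmt_state state;
    int last_errno;
    int (*fetch_row_func)(struct stmt *, const char **row);
} STMT;

static int use_result_fetch_row(STMT *s, const char **row) {
    (void)s; *row = "constructed-row"; return 0;  /* constructed sample row */
}

/* Models _mysql_stmt_use_result: on out-of-sync it sets the error and fails
 * WITHOUT installing fetch_row_func; reporting that failure is the first fix. */
static int default_rset_handler(STMT *s) {
    if (!s->conn->result_pending) { s->last_errno = CR_COMMANDS_OUT_OF_SYNC; return 1; }
    s->fetch_row_func = use_result_fetch_row;
    s->state = STMT_FETCHING;
    return 0;
}

/* Models mthd_stmt_fetch_row with the NULL guard: the second fix. */
static int mthd_stmt_fetch_row(STMT *s, const char **row) {
    if (!s->fetch_row_func) { if (!s->last_errno) s->last_errno = CR_COMMANDS_OUT_OF_SYNC; return 1; }
    return s->fetch_row_func(s, row);
}

/* Models mysql_stmt_fetch: returns early when the handler fails instead of fetching. */
int stmt_fetch(STMT *s, const char **row) {
    *row = NULL;
    if (s->state == STMT_EXECUTED && default_rset_handler(s) != 0) return 1;
    return mthd_stmt_fetch_row(s, row);
}

/* Replays steps 1-5 from the report; returns the errno seen at step 5 (0 = success). */
int replay_out_of_sync_sequence(void) {
    CONN conn = {0};
    STMT a = {&conn, STMT_PREPARED, 0, NULL}, b = {&conn, STMT_PREPARED, 0, NULL};
    const char *row;
    conn.result_pending = 1; a.state = STMT_EXECUTED; stmt_fetch(&a, &row);    /* step 2 */
    conn.result_pending = 1; b.state = STMT_EXECUTED;                          /* step 3 */
    a.state = STMT_PREPARED; a.fetch_row_func = NULL; conn.result_pending = 0; /* step 4 */
    return stmt_fetch(&b, &row) ? b.last_errno : 0;                            /* step 5 */
}
```

With either guard removed, step 5 in this model would dereference the NULL `fetch_row_func` exactly as the report describes; with them, the caller receives the out-of-sync error instead.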

      People

        Assignee: georg (Georg Richter)
        Reporter: fstromback (Filip Strömbäck)
