[MDEV-15729] Server crashes in Field::make_field upon HANDLER READ executed with PS protocol - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 5.5(EOL), 10.0(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL)
Fix Version/s: 5.5.61, 10.0.36, 10.1.34, 10.2.16, 10.3.8
Component/s: Prepared Statements, Server
Labels:
None

Description

5.5 ddc5c65333a4ad
#3 <signal handler called>
#4 0x0000000000786511 in Field::make_field (this=0x7efd41cdfb98, field=0x7efd6cbcbe40) at /data/src/5.5/sql/field.cc:1581
#5 0x0000000000786aa9 in Field_num::make_field (this=0x7efd41cdfb98, field=0x7efd6cbcbe40) at /data/src/5.5/sql/field.cc:1713
#6 0x00000000007cc346 in Item_field::make_field (this=0x7efd41ce0078, tmp_field=0x7efd6cbcbe40) at /data/src/5.5/sql/item.cc:6039
#7 0x0000000000565da1 in Protocol::send_result_set_metadata (this=0x7efd48e87660, list=0x7efd41cf8368, flags=4) at /data/src/5.5/sql/protocol.cc:755
#8 0x00000000005c885b in select_send::send_result_set_metadata (this=0x7efd41cf6b00, list=..., flags=4) at /data/src/5.5/sql/sql_class.cc:2326
#9 0x000000000061d453 in mysql_test_handler_read (stmt=0x7efd41d2f460, tables=0x7efd41cf6530) at /data/src/5.5/sql/sql_prepare.cc:2014
#10 0x000000000061d84c in check_prepared_statement (stmt=0x7efd41d2f460) at /data/src/5.5/sql/sql_prepare.cc:2142
#11 0x0000000000620486 in Prepared_statement::prepare (this=0x7efd41d2f460, packet=0x7efd4f372061 "", packet_len=20) at /data/src/5.5/sql/sql_prepare.cc:3390
#12 0x000000000061dbae in mysqld_stmt_prepare (thd=0x7efd48e87060, packet=0x7efd4f372061 "", packet_length=20) at /data/src/5.5/sql/sql_prepare.cc:2292
#13 0x00000000005fde52 in dispatch_command (command=COM_STMT_PREPARE, thd=0x7efd48e87060, packet=0x7efd4f372061 "", packet_length=20) at /data/src/5.5/sql/sql_parse.cc:1035
#14 0x00000000005fd217 in do_command (thd=0x7efd48e87060) at /data/src/5.5/sql/sql_parse.cc:793
#15 0x0000000000700373 in do_handle_one_connection (thd_arg=0x7efd48e87060) at /data/src/5.5/sql/sql_connect.cc:1268
#16 0x0000000000700100 in handle_one_connection (arg=0x7efd48e87060) at /data/src/5.5/sql/sql_connect.cc:1184
#17 0x00007efd6c81d494 in start_thread (arg=0x7efd6cbcd700) at pthread_create.c:333
#18 0x00007efd6b23393f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Note: the test cannot be run in MTR without modifying the code, because mysqltest.cc artificially restricts the set of statements which can be run via PS protocol. With the following addition it can be possible:

diff --git a/client/mysqltest.cc b/client/mysqltest.cc

index efc25f3..9e69ea8 100644

--- a/client/mysqltest.cc

+++ b/client/mysqltest.cc

@@ -8776,6 +8776,7 @@ void init_re(void)

     "[[:space:]]*SELECT[[:space:]]|"

     "[[:space:]]*CREATE[[:space:]]+TABLE[[:space:]]|"

     "[[:space:]]*DO[[:space:]]|"

+    ".*READ[[:space:]]|"

     "[[:space:]]*SET[[:space:]]+OPTION[[:space:]]|"

     "[[:space:]]*DELETE[[:space:]]+MULTI[[:space:]]|"

     "[[:space:]]*UPDATE[[:space:]]+MULTI[[:space:]]|"

# Run with --ps-protocol

CREATE TABLE `t1` (`i` INT) ;

HANDLER test.t1 OPEN handler_a ;

HANDLER handler_a READ FIRST;

Alternatively, here is a crude C test:

#include <my_global.h>

#include <mysql.h>

int main(int argc, char **argv)

  MYSQL *con = mysql_init(NULL);

  MYSQL_STMT *stmt = mysql_stmt_init(con);

  if (con == NULL)

    goto err;

  if (mysql_real_connect(con, "127.0.0.1", "root", "", "test", 0, NULL, 0) == NULL)

    goto err;

  if (mysql_query(con, "DROP TABLE IF EXISTS t1"))

    goto err;

  if (mysql_query(con, "CREATE TABLE t1 (i INT)"))

    goto err;

  if (mysql_query(con,"HANDLER t1 OPEN h"))

    goto err;

  if (mysql_stmt_prepare(stmt, "HANDLER h READ FIRST",20))

    goto err;

  if (mysql_stmt_execute(stmt))

    goto err;

  mysql_close(con);

  exit(0);

err:

  fprintf(stderr, "%s\n", mysql_error(con));

  if (con)

    mysql_close(con);

Same result can be achieved with perl's DBD::mysql by using mysql_server_prepare=1.

Not reproducible with PREPARE / EXECUTE.
Not reproducible with MySQL 5.5-5.7, they return "This command is not supported in the prepared statement protocol yet" instead.

Attachments

Issue Links

relates to

MDEV-15489 [Draft] Server crashes in Field::make_field

Open

Activity

Elena Stepanova added a comment - 2018-04-07 20:44

Variation which probably doesn't deserve a separate JIRA entry:

10.3 1730ac5c4ae1dc62f6fca5e751a8b08e9119be6a
#3 <signal handler called>
#4 0x000055d0084dea2f in Field::make_send_field (this=0x7fb0041442d0, field=0x7fb068509bd0) at /home/travis/src/sql/field.cc:1952
#5 0x000055d0084df95b in Field_num::make_send_field (this=0x7fb0041442d0, field=0x7fb068509bd0) at /home/travis/src/sql/field.cc:2178
#6 0x000055d008540899 in Item_field::make_send_field (this=0x7fb004090d68, thd=0x7fb00400c520, tmp_field=0x7fb068509bd0) at /home/travis/src/sql/item.cc:6779
#7 0x000055d00812350e in Protocol::send_result_set_metadata (this=0x7fb00400cb40, list=0x7fb004054cc8, flags=4) at /home/travis/src/sql/protocol.cc:824
#8 0x000055d0081c9a7e in select_send::send_result_set_metadata (this=0x7fb0040dfe98, list=..., flags=4) at /home/travis/src/sql/sql_class.cc:2943
#9 0x000055d00824dc05 in mysql_test_handler_read (stmt=0x7fb004145c20, tables=0x7fb0040df848) at /home/travis/src/sql/sql_prepare.cc:2214
#10 0x000055d00824e288 in check_prepared_statement (stmt=0x7fb004145c20) at /home/travis/src/sql/sql_prepare.cc:2434
#11 0x000055d008251bd6 in Prepared_statement::prepare (this=0x7fb004145c20, packet=0x7fb004016b31 "", packet_len=54) at /home/travis/src/sql/sql_prepare.cc:3963
#12 0x000055d00824e600 in mysqld_stmt_prepare (thd=0x7fb00400c520, packet=0x7fb004016b31 "", packet_length=54) at /home/travis/src/sql/sql_prepare.cc:2596
#13 0x000055d00822364f in dispatch_command (command=COM_STMT_PREPARE, thd=0x7fb00400c520, packet=0x7fb004016b31 "", packet_length=54, is_com_multi=false, is_next_command=false) at /home/travis/src/sql/sql_parse.cc:1799
#14 0x000055d0082223ca in do_command (thd=0x7fb00400c520) at /home/travis/src/sql/sql_parse.cc:1387
#15 0x000055d008387b71 in do_handle_one_connection (connect=0x55d00ca5e1a0) at /home/travis/src/sql/sql_connect.cc:1402
#16 0x000055d0083878fe in handle_one_connection (arg=0x55d00ca5e1a0) at /home/travis/src/sql/sql_connect.cc:1308
#17 0x00007fb06c819184 in start_thread (arg=0x7fb06850b700) at pthread_create.c:312
#18 0x00007fb06bd2603d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Elena Stepanova added a comment - 2018-04-07 20:44 Variation which probably doesn't deserve a separate JIRA entry: 10.3 1730ac5c4ae1dc62f6fca5e751a8b08e9119be6a #3 <signal handler called> #4 0x000055d0084dea2f in Field::make_send_field (this=0x7fb0041442d0, field=0x7fb068509bd0) at /home/travis/src/sql/field.cc:1952 #5 0x000055d0084df95b in Field_num::make_send_field (this=0x7fb0041442d0, field=0x7fb068509bd0) at /home/travis/src/sql/field.cc:2178 #6 0x000055d008540899 in Item_field::make_send_field (this=0x7fb004090d68, thd=0x7fb00400c520, tmp_field=0x7fb068509bd0) at /home/travis/src/sql/item.cc:6779 #7 0x000055d00812350e in Protocol::send_result_set_metadata (this=0x7fb00400cb40, list=0x7fb004054cc8, flags=4) at /home/travis/src/sql/protocol.cc:824 #8 0x000055d0081c9a7e in select_send::send_result_set_metadata (this=0x7fb0040dfe98, list=..., flags=4) at /home/travis/src/sql/sql_class.cc:2943 #9 0x000055d00824dc05 in mysql_test_handler_read (stmt=0x7fb004145c20, tables=0x7fb0040df848) at /home/travis/src/sql/sql_prepare.cc:2214 #10 0x000055d00824e288 in check_prepared_statement (stmt=0x7fb004145c20) at /home/travis/src/sql/sql_prepare.cc:2434 #11 0x000055d008251bd6 in Prepared_statement::prepare (this=0x7fb004145c20, packet=0x7fb004016b31 "", packet_len=54) at /home/travis/src/sql/sql_prepare.cc:3963 #12 0x000055d00824e600 in mysqld_stmt_prepare (thd=0x7fb00400c520, packet=0x7fb004016b31 "", packet_length=54) at /home/travis/src/sql/sql_prepare.cc:2596 #13 0x000055d00822364f in dispatch_command (command=COM_STMT_PREPARE, thd=0x7fb00400c520, packet=0x7fb004016b31 "", packet_length=54, is_com_multi=false, is_next_command=false) at /home/travis/src/sql/sql_parse.cc:1799 #14 0x000055d0082223ca in do_command (thd=0x7fb00400c520) at /home/travis/src/sql/sql_parse.cc:1387 #15 0x000055d008387b71 in do_handle_one_connection (connect=0x55d00ca5e1a0) at /home/travis/src/sql/sql_connect.cc:1402 #16 0x000055d0083878fe in handle_one_connection (arg=0x55d00ca5e1a0) at /home/travis/src/sql/sql_connect.cc:1308 #17 0x00007fb06c819184 in start_thread (arg=0x7fb06850b700) at pthread_create.c:312 #18 0x00007fb06bd2603d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

MariaDB Server

Server crashes in Field::make_field upon HANDLER READ executed with PS protocol

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration