[CONC-60] segfault when executing 'SELECT * FROM table' through connector/c++ on a specific table Created: 2013-10-19  Updated: 2013-11-20  Resolved: 2013-11-20

Status: Closed
Project: MariaDB Connector/C
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Critical
Reporter: Lionel Elie Mamane Assignee: Georg Richter
Resolution: Fixed Votes: 0
Labels: None
Environment:

Reproduced on Microsoft Windows and Debian GNU/Linux amd64.
LibreOffice version 4.1 uses MySQL Connector/C++ 1.1.2 (statically) linked with libmariadb.
Reproduced when connecting to 5.6.12-enterprise-commercial-advanced-log and when connecting to 5.1.66-0+squeeze1 (Debian).

Reproduced with bzr revision 40 and bzr revision 101 (current tip of trunk) of libmariadb.


Attachments: LOG (HTML file), REPRODUCTION_SCRIPT (HTML file), agendas_nodata.sql, libreoffice.patch (text file), mariadb-native-client.patch (text file), tst.odb

Description

Original LibreOffice bug report: https://bugs.freedesktop.org/70496

When LibreOffice executes 'SELECT * FROM agendas' (via MySQL Connector/C++ 1.1.2) through a prepared statement (with no parameters), it leads to a segfault in libmariadb. When MySQL Connector/C++ is linked against libmysqlclient18 5.5.31+dfsg-0+wheezy1, the segfault does not happen.

The full original reproduction database can be downloaded from the zip file in the directory mysqldumps on the
FTP server ftp://pmg.pmgroup.be
Login: algemeen
Password: loginftppmg
but I'm also attaching a smaller example.

Backtrace & other gdb information:

#0 net_field_length (packet=0x7fff57edd758)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/libmariadb.c:466
#1 0x00007f82b282b990 in mthd_stmt_read_all_rows (stmt=0x291ce50)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:206
#2 0x00007f82b282ff3a in mysql_stmt_store_result (stmt=0x291ce50)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:1307
#3 0x00007f82b281e962 in sql::mysql::NativeAPI::LibmysqlStaticProxy::stmt_store_result (this=0x273e060, stmt=0x291ce50)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/nativeapi/libmysql_static_proxy.cpp:548
#4 0x00007f82b2820fc7 in sql::mysql::NativeAPI::MySQL_NativeStatementWrapper::store_result (this=0x291daf0)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/nativeapi/mysql_native_statement_wrapper.cpp:233
#5 0x00007f82b27fd0c9 in sql::mysql::MySQL_Prepared_Statement::executeQuery (this=0x2917de0)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/mysql_prepared_statement.cpp:494
#6 0x00007f82b2d1fbc8 in connectivity::mysqlc::OPreparedStatement::executeQuery (this=0x291c120)
at /home/master/src/libreoffice/workdirs/master/mysqlc/source/mysqlc_preparedstatement.cxx:282
(gdb) frame
#2 0x00007f82b282ff3a in mysql_stmt_store_result (stmt=0x291ce50)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:1307
1307 if (stmt->mysql->methods->db_stmt_read_all_rows(stmt))
(gdb) print *stmt
$5 = {
mem_root = { free = 0x0, used = 0x0, pre_alloc = 0x0, min_malloc = 32, block_size = 2008, block_num = 0, first_block_usage = 0, error_handler = 0 },
mysql = 0x27459d0,
stmt_id = 10,
flags = 0,
state = MYSQL_STMT_WAITING_USE_OR_STORE,
fields = 0x291eec8,
field_count = 23,
param_count = 0,
send_types_to_server = 0 '\000',
params = 0x0,
bind = 0x291e448,
result = {
rows = 2307,
fields = 0,
data = 0x28d2318,
alloc = { free = 0x28d32f0, used = 0x29afb20, pre_alloc = 0x0, min_malloc = 32, block_size = 4056, block_num = 0, first_block_usage = 0, error_handler = 0 }
},
result_cursor = 0x0,
bind_result_done = 0 '\000',
bind_param_done = 1 '\001',
upsert_status = { warning_count = 0, server_status = 34, affected_rows = 18446744073709551615, last_insert_id = 0 },
last_errno = 0,
last_error = '\000' <repeats 512 times>,
sqlstate = "00000",
update_max_length = 1 '\001',
prefetch_rows = 1,
list = { prev = 0x0, next = 0x0, data = 0x291ce50 },
cursor_exists = 0 '\000',
extension = 0x291d9a0,
fetch_row_func = 0,
execute_count = 1,
default_rset_handler = 0x7f82b282c277 <_mysql_stmt_use_result>,
m = 0x0
}
(gdb) print *stmt->mysql
$6 = {
net = { vio = 0x2748560, buff = 0x2766100 "", buff_end = 0x2768100 "ҙ\231\231\231\231\231\aq", write_pos = 0x2766100 "", read_pos = 0x2766100 "", fd = 36, remain_in_buf = 0, length = 0, buf_length = 0, where_b = 0, max_packet = 8192, max_packet_size = 16777215, pkt_nr = 2334, compress_pkt_nr = 2334, write_timeout = 0, read_timeout = 30, retry_count = 0, fcntl = 0, return_status = 0x0, reading_or_writing = 0 '\000', save_char = 0 '\000', unused_1 = 0 '\000', unused_2 = 0 '\000', compress = 0 '\000', unused_3 = 0 '\000', unused_4 = 0x0, last_errno = 0, error = 0 '\000', unused_5 = 0 '\000', unused_6 = 0 '\000', last_error = '\000' <repeats 511 times>, sqlstate = "00000", extension = 0x0 },
unused_0 = 0x0,
host = 0x2748528 "127.0.0.1",
user = 0x2735790 "root",
passwd = 0x2741170 "XXXXXX_REMOVED_XXXXXXXX",
unix_socket = 0x0,
server_version = 0x2746270 "5.1.66-0+squeeze1",
host_info = 0x2748510 "127.0.0.1 via TCP/IP",
info = 0x0,
db = 0x27488a0 "fdo70496",
charset = 0x7f82b2a8fae0,
fields = 0x2920428,
field_alloc = { free = 0x2920410, used = 0x0, pre_alloc = 0x0, min_malloc = 32, block_size = 8152, block_num = 0, first_block_usage = 0, error_handler = 0 },
affected_rows = 18446744073709551615,
insert_id = 0,
extra_info = 0,
thread_id = 330254,
packet_length = 7,
port = 3306,
client_flag = 2007693,
server_capabilities = 63487,
protocol_version = 10,
field_count = 23,
server_status = 34,
server_language = 8,
warning_count = 0,
options = { connect_timeout = 0, read_timeout = 0, write_timeout = 0, port = 0, protocol = 1, client_flag = 128, host = 0x0, user = 0x0, password = 0x0, unix_socket = 0x0, db = 0x0, init_command = 0x0, my_cnf_file = 0x0, my_cnf_group = 0x0, charset_dir = 0x0, charset_name = 0x27339e0 "utf8", ssl_key = 0x0, ssl_cert = 0x0, ssl_ca = 0x0, ssl_capath = 0x0, ssl_cipher = 0x0, shared_memory_base_name = 0x0, max_allowed_packet = 0, use_ssl = 0 '\000', compress = 0 '\000', named_pipe = 0 '\000', unused_1 = 0 '\000', unused_2 = 0 '\000', unused_3 = 0 '\000', unused_4 = 0 '\000', methods_to_use = MYSQL_OPT_CONNECT_TIMEOUT, client_ip = 0x0, secure_auth = 0 '\000', report_data_truncation = 0 '\000', local_infile_init = 0, local_infile_read = 0, local_infile_end = 0, local_infile_error = 0, local_infile_userdata = 0x0, extension = 0x27463b0 },
status = MYSQL_STATUS_GET_RESULT,
free_me = 1 '\001',
reconnect = 0 '\000',
scramble_buff = "RGP9m:vg$vKP2IVU(dAX",
unused_1 = 0 '\000',
unused_2 = 0x0,
unused_3 = 0x0,
unused_4 = 0x0,
unused_5 = 0x0,
stmts = 0x291d160,
methods = 0x7f82b2a9ada0,
thd = 0x0,
unbuffered_fetch_owner = 0x0,
info_buffer = 0x0,
extension = 0x0
}
(gdb) down
#1 0x00007f82b282b990 in mthd_stmt_read_all_rows (stmt=0x291ce50)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:206
206 size_t len= net_field_length(&cp);
(gdb) print cp
$7 = (uchar *) 0x1876621f <Address 0x1876621f out of bounds>
(gdb) print i
$8 = 16
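Frame #0 of the backtrace is net_field_length, the decoder for the protocol's length-encoded integers (the `if (*pos < 251)` at libmariadb.c:466), called from mthd_stmt_read_all_rows with a cursor (cp) that had already left the packet buffer. As an added example, not libmariadb's or LibreOffice's code, here is a bounds-checked decoder for the same length-encoded integer format plus a field walker that reports a truncated packet instead of reading past its end; the function names and the sample packets are mine, constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

typedef enum { LEN_OK, LEN_NULL, LEN_TRUNCATED, LEN_INVALID } len_status;

/* Decode one length-encoded integer at *pos without reading past end.
 * Encoding: 0..250 = value; 0xfb = NULL; 0xfc/0xfd/0xfe = 2/3/8 LE bytes
 * follow; 0xff never starts a length. *pos advances only on OK/NULL. */
static len_status net_field_length_checked(const uint8_t **pos,
                                           const uint8_t *end, uint64_t *len)
{
    const uint8_t *p = *pos;
    size_t need, i;
    uint64_t v = 0;
    if (p >= end) return LEN_TRUNCATED;            /* nothing left to read */
    if (*p < 251) { *len = *p; *pos = p + 1; return LEN_OK; }
    if (*p == 0xfb) { *pos = p + 1; return LEN_NULL; }
    if (*p == 0xff) return LEN_INVALID;
    need = (*p == 0xfc) ? 2 : (*p == 0xfd) ? 3 : 8;
    if ((size_t)(end - p) < need + 1) return LEN_TRUNCATED;
    for (i = 0; i < need; i++) v |= (uint64_t)p[1 + i] << (8 * i);
    *len = v;
    *pos = p + 1 + need;
    return LEN_OK;
}

/* Walk ncols length-prefixed fields in [pkt, pkt+n). Returns the number of
 * fields read, or -1 if the packet ends inside a length or inside field
 * data, instead of letting the cursor run off the buffer as cp did above. */
static int read_fields(const uint8_t *pkt, size_t n, int ncols)
{
    const uint8_t *pos = pkt, *end = pkt + n;
    int done;
    for (done = 0; done < ncols; done++) {
        uint64_t len = 0;
        len_status st = net_field_length_checked(&pos, end, &len);
        if (st == LEN_TRUNCATED || st == LEN_INVALID) return -1;
        if (st == LEN_OK) {
            if ((uint64_t)(end - pos) < len) return -1;   /* data cut short */
            pos += len;
        }
    }
    return done;
}

/* Constructed sample packets, not taken from the bug report. */
static const uint8_t good_pkt[] = { 3,'a','b','c', 0xfc,2,0,'x','y', 0xfb };
static const uint8_t bad_pkt[]  = { 3,'a','b','c', 0xfc,2 };  /* cut mid-length */
int demo_good(void) { return read_fields(good_pkt, sizeof good_pkt, 3); }
int demo_bad(void)  { return read_fields(bad_pkt, sizeof bad_pkt, 3); }
```

demo_good() reads all three fields ("abc", "xy", NULL) and returns 3; demo_bad() hits the 0xfc prefix with only one of its two length bytes present and returns -1 rather than dereferencing past the buffer.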

Comments
Comment by Georg Richter [ 2013-10-20 ]

Which version of client library do you use?

Can't repeat issue with latest rev. 102

Comment by Lionel Elie Mamane [ 2013-10-20 ]

Reproduced with bzr revision 40 and bzr revision 101 of libmariadb.

Comment by Lionel Elie Mamane [ 2013-10-21 ]

Here is my exact reproduction script. Usually LibreOffice builds mariadb-native-client through its own build system, but to exclude problems coming from that, I built mariadb-native-client through its own build system.

Comment by Lionel Elie Mamane [ 2013-10-21 ]

LibreOffice test file

Comment by Lionel Elie Mamane [ 2013-10-21 ]

Patch applied to mariadb-native-client so that it builds in a way that it can be statically linked into a dynamic library.

Comment by Lionel Elie Mamane [ 2013-10-21 ]

Patch applied to LibreOffice sources to link against an externally built mariadb-native-client.

Needs

commit 02a11749da521e8e2099b464c0fcbebce9e95e22
Author: Lionel Elie Mamane <lionel@mamane.lu>
Date: Sat Oct 19 22:57:40 2013 +0200

fdo#70496 revert to using libmysqlclient

Change-Id: I5b98b5e7840e4f1c6005aee0c1f43ef814ecf77b

or later.

Comment by Lionel Elie Mamane [ 2013-10-21 ]

Don't know if it is relevant, but LibreOffice executes these two queries on the same table:
SELECT * FROM "fdo70496"."agendas" WHERE ( 0 = 1 )
(several times, which it uses to get metadata / table structure) and then
SELECT * FROM "fdo70496"."agendas"
which is where the crash happens.

Comment by Lionel Elie Mamane [ 2013-10-21 ]

I tried single-stepping (in gdb) through execution of mysql_stmt_store_result and mthd_stmt_read_all_rows, but in the end it always finishes with error "Lost connection to MySQL server during query"... My single-stepping makes it too slow :-|

Comment by Lionel Elie Mamane [ 2013-10-21 ]

Anyway, here is what happens before the mysql_stmt_store_result

Comment by Georg Richter [ 2013-10-27 ]

Can you please retest with the latest revision (104)? I did some rework on prepared statements (max_length for double was not set correctly).
If the problem persists, can you please activate the debug log and attach it to the bug report? (export MYSQL_DEBUG=d:t:O,/pathto/debug.log)

Comment by Lionel Elie Mamane [ 2013-10-28 ]

Reproduced with revision 105, with much the same backtrace:

#0 net_field_length (packet=packet@entry=0x7ffff78e3818)
at /home/master/src/libreoffice/mariadb/mariadb-native-client.trunk/libmariadb/libmariadb.c:466
466 if (*pos < 251)
(gdb) bt
#0 net_field_length (packet=packet@entry=0x7ffff78e3818)
at /home/master/src/libreoffice/mariadb/mariadb-native-client.trunk/libmariadb/libmariadb.c:466
#1 0x00007f30d9d28e93 in mthd_stmt_read_all_rows (stmt=0x32fe5d0)
at /home/master/src/libreoffice/mariadb/mariadb-native-client.trunk/libmariadb/my_stmt.c:210
#2 0x00007f30d9d2aba1 in mysql_stmt_store_result (stmt=0x32fe5d0)
at /home/master/src/libreoffice/mariadb/mariadb-native-client.trunk/libmariadb/my_stmt.c:1339
#3 0x00007f30d9d1f332 in sql::mysql::NativeAPI::LibmysqlStaticProxy::stmt_store_result (this=0x31313b0, stmt=0x32fe5d0)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/nativeapi/libmysql_static_proxy.cpp:548

Comment by Georg Richter [ 2013-10-28 ]

Hi,

unfortunately I wasn't able to build LibreOffice. Would it be possible to get access to your machine or to install it on one of our test machines?
You can reach me usually on irc (freenode channel #maria, nickname georg(with some underscores)) or via mail my firstname@mariadb dot com. Since we want to publish the next release before the end of the year, I'd like to close/fix this bug asap.

Thanks for your help!

Comment by Georg Richter [ 2013-11-20 ]

Fixed in rev. 107.

Special thanks to Lionel for his tremendous help!
