[MDEV-7023] Error 2027: Malformed packet and assertion `field_types == 0 || field_types[field_pos] == MYSQL_TYPE_INT24 || field_types[field_pos] == MYSQL_TYPE_LONG' failure in Protocol_text::store_long Created: 2014-11-05  Updated: 2019-07-09  Resolved: 2015-01-29

Status: Closed
Project: MariaDB Server
Component/s: Data Definition - Procedure
Affects Version/s: 10.1.1
Fix Version/s: 10.1.3

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Oleksandr Byelkin
Resolution: Fixed Votes: 0
Labels: analyze-stmt

Issue Links:
Relates
relates to MDEV-6422 More testing for ANALYZE stmt and JSON Closed
relates to MDEV-406 ANALYZE $stmt Closed
relates to MDEV-17963 Assertion `field_pos < field_count' ... Closed

Description

create table t1 (i int);
--delimiter |
create function f() returns int 
begin 
  analyze insert into t1 values (1); 
  return 1; 
end |
--delimiter ;
select f();

query 'select f()' failed: 2027: Malformed packet

10.1/sql/protocol.cc:1091: virtual bool Protocol_text::store_long(longlong): Assertion `field_types == 0 || field_types[field_pos] == MYSQL_TYPE_INT24 || field_types[field_pos] == MYSQL_TYPE_LONG' failed.
141105  3:55:26 [ERROR] mysqld got signal 6 ;

#6  0x00007fc8aaee96f1 in *__GI___assert_fail (assertion=0x7fc8ae0ed5f0 "field_types == 0 || field_types[field_pos] == MYSQL_TYPE_INT24 || field_types[field_pos] == MYSQL_TYPE_LONG", file=<optimized out>, line=1091, function=0x7fc8ae0ee5e0 "virtual bool Protocol_text::store_long(longlong)") at assert.c:81
#7  0x00007fc8ad74d031 in Protocol_text::store_long (this=0x7fc8a83f85f8, from=1) at 10.1/sql/protocol.cc:1089
#8  0x00007fc8ada424a9 in Item::send (this=0x7fc8a18ff330, protocol=0x7fc8a83f85f8, buffer=0x7fc8ad2cba20) at 10.1/sql/item.cc:6477
#9  0x00007fc8ad74c6ec in Protocol::send_result_set_row (this=0x7fc8a83f85f8, row_items=0x7fc8a83fc598) at 10.1/sql/protocol.cc:905
#10 0x00007fc8ad7c0b03 in select_send::send_data (this=0x7fc8a1900f10, items=...) at 10.1/sql/sql_class.cc:2667
#11 0x00007fc8ad83c59d in JOIN::exec_inner (this=0x7fc8a19ef088) at 10.1/sql/sql_select.cc:2469
#12 0x00007fc8ad83c058 in JOIN::exec (this=0x7fc8a19ef088) at 10.1/sql/sql_select.cc:2392
#13 0x00007fc8ad83f650 in mysql_select (thd=0x7fc8a83f8070, rref_pointer_array=0x7fc8a83fc6f8, tables=0x0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fc8a1900f10, unit=0x7fc8a83fbd98, select_lex=0x7fc8a83fc480) at 10.1/sql/sql_select.cc:3317
#14 0x00007fc8ad835621 in handle_select (thd=0x7fc8a83f8070, lex=0x7fc8a83fbcd0, result=0x7fc8a1900f10, setup_tables_done_option=0) at 10.1/sql/sql_select.cc:372
#15 0x00007fc8ad80752d in execute_sqlcom_select (thd=0x7fc8a83f8070, all_tables=0x0) at 10.1/sql/sql_parse.cc:5680
#16 0x00007fc8ad7fdac3 in mysql_execute_command (thd=0x7fc8a83f8070) at 10.1/sql/sql_parse.cc:2802
#17 0x00007fc8ad80a681 in mysql_parse (thd=0x7fc8a83f8070, rawbuf=0x7fc8a18ff088 "select f()", length=10, parser_state=0x7fc8ad2cd1c0) at 10.1/sql/sql_parse.cc:6953
#18 0x00007fc8ad7fa741 in dispatch_command (command=COM_QUERY, thd=0x7fc8a83f8070, packet=0x7fc8a6bfa071 "", packet_length=10) at 10.1/sql/sql_parse.cc:1466
#19 0x00007fc8ad7f955f in do_command (thd=0x7fc8a83f8070) at 10.1/sql/sql_parse.cc:1095
#20 0x00007fc8ad926f27 in do_handle_one_connection (thd_arg=0x7fc8a83f8070) at 10.1/sql/sql_connect.cc:1351
#21 0x00007fc8ad926c6c in handle_one_connection (arg=0x7fc8a83f8070) at 10.1/sql/sql_connect.cc:1262
#22 0x00007fc8adeb8f2e in pfs_spawn_thread (arg=0x7fc8aa4249f0) at 10.1/storage/perfschema/pfs.cc:1860
#23 0x00007fc8acf03b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#24 0x00007fc8aaf9a20d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

Stack trace from

commit 43f185e171eecdce41e71c548ce0bc2bd6969c0f
Author: Alexander Barkov <bar@mariadb.org>
Date:   Mon Nov 3 21:45:06 2014 +0400

Comments
Comment by Oleksandr Byelkin [ 2015-01-28 ]

Protocol_text::store_long is trying to work on freed memory:
(gdb) p/x field_types[13]
$6 = 0x8f8f8f8f
(gdb) p/x field_types[12]
$7 = 0x8f8f8f8f
(gdb)

Comment by Oleksandr Byelkin [ 2015-01-28 ]

The mem_root where field_types was allocated was freed after executing instruction 0, and the crash happens during execution of instruction 1 (RETURN).

Comment by Oleksandr Byelkin [ 2015-01-29 ]

The problem is that statements which return result sets should be prohibited for functions => ANALYZE should be prohibited as is done for EXPLAIN & SELECT.

Comment by Oleksandr Byelkin [ 2015-01-29 ]

The problem was that sp_head::MULTI_RESULTS was not set correctly for ANALYZE statement.
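
Added regression check for the rule stated in the comments above (constructed here, not part of the ticket or of the MariaDB test suite): it assumes that a fixed server rejects ANALYZE inside a stored function at CREATE FUNCTION time with the same "not allowed to return a result set from a function" error (ER_SP_NO_RETSET) that SELECT and EXPLAIN already raise, and that a function which only reads rows INTO a variable stays legal.

```sql
-- Constructed regression check: a stored function must never send a result
-- set to the client, so every CREATE FUNCTION below that would do so must be
-- rejected at creation time rather than crash the server when called.
CREATE TABLE t1 (i INT);

DELIMITER |

-- Baseline: a plain SELECT that returns rows is already rejected.
CREATE FUNCTION f_select() RETURNS INT
BEGIN
  SELECT * FROM t1;
  RETURN 1;
END |

-- Baseline: EXPLAIN is already rejected the same way.
CREATE FUNCTION f_explain() RETURNS INT
BEGIN
  EXPLAIN SELECT * FROM t1;
  RETURN 1;
END |

-- The ticket's case: on an unfixed server this CREATE succeeds and calling
-- the function triggers the freed-memory assertion in Protocol_text::store_long;
-- a fixed server sets sp_head::MULTI_RESULTS for ANALYZE and rejects it here.
CREATE FUNCTION f_analyze() RETURNS INT
BEGIN
  ANALYZE INSERT INTO t1 VALUES (1);
  RETURN 1;
END |

-- Control: reading rows INTO a variable sends nothing to the client and must
-- still be allowed.
CREATE FUNCTION f_ok() RETURNS INT
BEGIN
  DECLARE n INT;
  SELECT COUNT(*) INTO n FROM t1;
  RETURN n;
END |

DELIMITER ;

-- Only the control function exists on a fixed server; calling it must work.
SELECT f_ok();

DROP FUNCTION f_ok;
DROP TABLE t1;
```

On a fixed server the first three CREATE FUNCTION statements fail with ERROR 1415 (0A000) "Not allowed to return a result set from a function" and SELECT f_ok() returns 0; on an unfixed server the third CREATE succeeds and SELECT f_analyze() reproduces the "Malformed packet" error and assertion from the description.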

Comment by Sergei Petrunia [ 2015-01-29 ]

Ok to push

Generated at Thu Feb 08 07:16:22 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.