
Server crashes in append_query_string on 2nd execution of a PS with string in LIMIT via API

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 10.0.1, 5.5.30, 5.1.67, 5.2.14, 5.3.12
    • Fix Version/s: 10.0.3, 5.5.31, 5.3.13, 5.2.15, 5.1.73
    • Component/s: None
    • Labels:

      Description

      #3  <signal handler called>
      #4  0x000000000077c664 in append_query_string (thd=0x32e7d88, csinfo=0x1, from=0x7f3c80021d70, to=0x7f3cff0cc660) at log_event.cc:602
      #5  0x00000000005a5233 in Item_param::query_val_str (this=0x7f3c80021d60, thd=0x32e7d88, str=0x7f3cff0cc660) at item.cc:3156
      #6  0x00000000007389e7 in insert_params_with_log (stmt=0x7f3c8001d7b8, null_array=0x3364682 "", read_pos=0x3364686 "", data_end=0x3364686 "", query=0x7f3cff0cc7b0) at sql_prepare.cc:807
      #7  0x000000000073dce5 in Prepared_statement::set_parameters (this=0x7f3c8001d7b8, expanded_query=0x7f3cff0cc7b0, packet=0x3364684 "\001\061", packet_end=0x3364686 "") at sql_prepare.cc:3250
      #8  0x000000000073ddc3 in Prepared_statement::execute_loop (this=0x7f3c8001d7b8, expanded_query=0x7f3cff0cc7b0, open_cursor=false, packet=0x3364682 "", packet_end=0x3364686 "") at sql_prepare.cc:3316
      #9  0x000000000073c0da in mysqld_stmt_execute (thd=0x32e7d88, packet_arg=0x3364679 "\002", packet_length=13) at sql_prepare.cc:2519
      #10 0x0000000000688dcf in dispatch_command (command=COM_STMT_EXECUTE, thd=0x32e7d88, packet=0x3364679 "\002", packet_length=13) at sql_parse.cc:1249
      #11 0x0000000000687edc in do_command (thd=0x32e7d88) at sql_parse.cc:906
      #12 0x0000000000684e73 in handle_one_connection (arg=0x32e7d88) at sql_connect.cc:1238
      #13 0x00007f3cfe426e9a in start_thread (arg=0x7f3cff0cd700) at pthread_create.c:308
      

      Stack trace from:

      revision-id: sergii@pisem.net-20130320202051-m8qdk6zvcci9vr5s
      revno: 3194
      branch-nick: 5.1
      

      Also reproducible on all current MariaDB 5.1-10.0 and MySQL 5.1-5.6.

      Test case:

      <?php

      // Suppressing warning:
      // PHP Warning: mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50167 Library:50307
      $mysqli = @new mysqli("127.0.0.1", "root", "", "mysql");
      if ($mysqli->connect_errno) {
          echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
      }
      $result = mysqli_query($mysqli, "SELECT VERSION()");
      print_r(mysqli_fetch_row($result));

      // Enable the general log so the expanded statements are written to it
      mysqli_query($mysqli, "SET GLOBAL general_log = 1");
      $result = mysqli_query($mysqli, "SHOW GLOBAL VARIABLES LIKE 'general_log'");
      print_r(mysqli_fetch_row($result));

      // First statement: the LIMIT parameter is bound as an integer ("i")
      if (!($stmti = $mysqli->prepare("SELECT * FROM mysql.user LIMIT ?"))) {
          echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
      }

      $int = 1;
      if (!$stmti->bind_param("i", $int)) {
          echo "Binding parameters failed: (" . $stmti->errno . ") " . $stmti->error;
      }

      if (!$stmti->execute()) {
          echo "Execute failed: (" . $stmti->errno . ") " . $stmti->error;
      } else {
          echo "Int Success\n";
      }

      if (!$stmti->execute()) {
          echo "Execute failed: (" . $stmti->errno . ") " . $stmti->error;
      } else {
          echo "Int Success\n";
      }

      $stmti->free_result();
      $stmti->close();

      // Second statement: the same LIMIT parameter is bound as a string ("s");
      // the server crashes on the second execute() of this statement
      if (!($stmts = $mysqli->prepare("SELECT * FROM mysql.user LIMIT ?"))) {
          echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
      }

      $str = '1';
      if (!$stmts->bind_param("s", $str)) {
          echo "Binding parameters failed: (" . $stmts->errno . ") " . $stmts->error;
      }

      if (!$stmts->execute()) {
          echo "Execute failed: (" . $stmts->errno . ") " . $stmts->error;
      } else {
          echo "Str Success\n";
      }

      if (!$stmts->execute()) {
          echo "Execute failed: (" . $stmts->errno . ") " . $stmts->error;
      } else {
          echo "Str Success\n";
      }

      $stmts->free_result();
      $stmts->close();
      ?>
      

              Activity

              elenst Elena Stepanova added a comment - - edited

              general log:

              /data/bzr/5.5/sql/mysqld, Version: 5.5.30-MariaDB-debug (Source distribution). started with:
              Tcp port: 3306 Unix socket: /data/bzr/5.5/data/tmp/mysql.sock
              Time Id Command Argument
              130326 16:19:29 2 Query SHOW GLOBAL VARIABLES LIKE 'general_log'
              2 Prepare SELECT * FROM mysql.user LIMIT ?
              2 Execute SELECT * FROM mysql.user LIMIT 1
              2 Execute SELECT * FROM mysql.user LIMIT 1
              2 Close stmt
              2 Prepare SELECT * FROM mysql.user LIMIT ?
              2 Execute SELECT * FROM mysql.user LIMIT 1

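The general log excerpt above is the only server-side record of what was in flight when the crash happened: the second Prepare has one Execute logged and no "Close stmt", because the server died on the next execution. The following parser is an added example, not part of this issue or of MariaDB; it reads general-log lines of the format shown (time, connection id, command, argument, with the timestamp omitted on lines within the same second), groups Prepare/Execute/Close stmt per connection, and reports the last prepared statement that was never closed. The sample log is constructed to mirror the excerpt in the comment.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the general-log excerpt in the comment above.
SAMPLE_LOG = """\
/data/bzr/5.5/sql/mysqld, Version: 5.5.30-MariaDB-debug (Source distribution). started with:
Tcp port: 3306 Unix socket: /data/bzr/5.5/data/tmp/mysql.sock
Time Id Command Argument
130326 16:19:29 2 Query SHOW GLOBAL VARIABLES LIKE 'general_log'
 2 Prepare SELECT * FROM mysql.user LIMIT ?
 2 Execute SELECT * FROM mysql.user LIMIT 1
 2 Execute SELECT * FROM mysql.user LIMIT 1
 2 Close stmt
 2 Prepare SELECT * FROM mysql.user LIMIT ?
 2 Execute SELECT * FROM mysql.user LIMIT 1
"""

# Multi-word commands must come before any prefix they share with a shorter one.
COMMANDS = ("Close stmt", "Reset stmt", "Init DB", "Query", "Prepare", "Execute", "Connect", "Quit")
LINE_RE = re.compile(
    r"^\s*(?:(?P<time>\d{6}\s+\d{1,2}:\d{2}:\d{2})\s+)?"
    r"(?P<id>\d+)\s+(?P<cmd>" + "|".join(re.escape(c) for c in COMMANDS) + r")\s*(?P<arg>.*)$"
)


def parse_general_log(text):
    """Yield (time, conn_id, command, argument); the timestamp is carried forward
    onto lines that omit it (same second as the previous entry)."""
    last_time = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and "Time Id Command Argument" header lines
        if m.group("time"):
            last_time = m.group("time")
        yield last_time, int(m.group("id")), m.group("cmd"), m.group("arg").strip()


def statement_lifecycles(text):
    """Group each connection's Prepare/Execute/Close stmt sequence into dicts of
    template (the text with '?'), the expanded Execute texts, and whether it was closed."""
    per_conn = defaultdict(list)
    for _, conn_id, cmd, arg in parse_general_log(text):
        cycles = per_conn[conn_id]
        if cmd == "Prepare":
            cycles.append({"template": arg, "executions": [], "closed": False})
        elif cmd == "Execute" and cycles:
            cycles[-1]["executions"].append(arg)
        elif cmd == "Close stmt" and cycles:
            cycles[-1]["closed"] = True
    return dict(per_conn)


def last_open_statement(text):
    """Return (conn_id, template, executions) for the latest prepared statement with no
    Close stmt, i.e. the candidate for what was executing when the server went down."""
    result = None
    for conn_id, cycles in statement_lifecycles(text).items():
        for cycle in cycles:
            if not cycle["closed"]:
                result = (conn_id, cycle["template"], cycle["executions"])
    return result


if __name__ == "__main__":
    for conn_id, cycles in statement_lifecycles(SAMPLE_LOG).items():
        for c in cycles:
            print(conn_id, c["template"], "executed", len(c["executions"]), "closed" if c["closed"] else "OPEN")
    print("last open:", last_open_statement(SAMPLE_LOG))
```

The expanded Execute lines are what `append_query_string` produces from the bound parameters, so on the crashing run the log stops at the first Execute of the second statement; comparing execution counts between the closed and the open cycle is what points at the second execution of the string-bound statement.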
              sanja Oleksandr Byelkin added a comment -

              Attached 'diff' is my unsuccessful attempt to repeat the bug via C API.

              elenst Elena Stepanova added a comment -

              Sanja,

              I think you forgot

              bind.buffer_type=MYSQL_TYPE_STRING;

              after the second prepare.

              sanja Oleksandr Byelkin added a comment -

              Somehow a string of zero length is passed to the parameter binding inside the server.

              elenst Elena Stepanova added a comment - - edited

              As discussed, refiled it for MySQL as http://bugs.mysql.com/bug.php?id=68890

              Upd:
              They made it private and closed as a duplicate of bugs http://bugs.mysql.com/bug.php?id=68401 and http://bugs.mysql.com/bug.php?id=68606, both of which are also private and I don't have access to either.

              sanja Oleksandr Byelkin added a comment -

              Fix committed.

              sanja Oleksandr Byelkin added a comment -

              Please review.

              sanja Oleksandr Byelkin added a comment -

              Pushed to 5.1.

              serg Sergei Golubchik added a comment -

              Pushed in 5.1.


                People

                • Assignee:
                  sanja Oleksandr Byelkin
                  Reporter:
                  elenst Elena Stepanova