SET STATEMENT ... FOR <statement> crashes server if <statement> is RW in a RO transaction

Bug #1387951 reported by Roel Van de Paar on 2014-10-31
This bug affects 2 people
Affects                 Status        Importance  Assigned to
Percona Server          Fix Released  High        Laurynas Biveinis
  (moved to https://jira.percona.com/projects/PS)
  5.1                   Invalid       Undecided   Unassigned
  5.5                   Invalid       Undecided   Unassigned
  5.6                   Fix Released  High        Laurynas Biveinis

Bug Description

(gdb) bt
#0 0x00007faf2ed9b771 in pthread_kill () from /lib64/libpthread.so.0
#1 0x000000000067679d in handle_fatal_signal (sig=11) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.21-69.0/sql/signal_handler.cc:236
#2 <signal handler called>
#3 0x00000000006f54b0 in mysql_execute_command (thd=thd@entry=0x7fae9e721000) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.21-69.0/sql/sql_parse.cc:5468
#4 0x00000000006fc148 in mysql_parse (thd=thd@entry=0x7fae9e721000, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7faf2f38d270) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.21-69.0/sql/sql_parse.cc:6777
#5 0x00000000006fd8b9 in dispatch_command (command=<optimized out>, thd=0x7fae9e721000, packet=0x7fae92757001 "SET STATEMENT myisam_sort_buffer_size=0,myisam_repair_threads=0,sort_buffer_size=0,binlog_format=row,keep_files_on_create=OFF,max_join_size=0 FOR DROP FUNCTION myProc", packet_length=<optimized out>) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.21-69.0/sql/sql_parse.cc:1432
#6 0x00000000006ff619 in do_command (thd=<optimized out>) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.21-69.0/sql/sql_parse.cc:1049
#7 0x00000000006cb3f2 in do_handle_one_connection (thd_arg=thd_arg@entry=0x7fae9e721000) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.21-69.0/sql/sql_connect.cc:1532
#8 0x00000000006cb4e0 in handle_one_connection (arg=arg@entry=0x7fae9e721000) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.21-69.0/sql/sql_connect.cc:1443
#9 0x0000000000af81f3 in pfs_spawn_thread (arg=0x7fae9e737340) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.21-69.0/storage/perfschema/pfs.cc:1860
#10 0x00007faf2ed96df3 in start_thread () from /lib64/libpthread.so.0
#11 0x00007faf2da6001d in clone () from /lib64/libc.so.6

SET @@session.tx_read_only=TRUE;
SET STATEMENT myisam_sort_buffer_size=0,myisam_repair_threads=0,sort_buffer_size=0,binlog_format=row,keep_files_on_create=OFF,max_join_size=0 FOR DROP FUNCTION myProc;

or

SET @@session.tx_read_only = ON;
SET STATEMENT myisam_sort_buffer_size=800000, myisam_repair_threads=2 FOR OPTIMIZE TABLE t1;

tags: added: set-statement
Roel Van de Paar (roel11) wrote :

We are seeing this issue in many trials (1 in 4) for PXC, so it is blocking proper PXC testing. Adding qablock.

tags: added: qablock
summary:
- handle_fatal_signal (sig=11) in mysql_execute_command for SET STATEMENT queries
+ SET STATEMENT ... FOR <statement> crashes server if <statement> is RW in a RO transaction

The cause is thd->variables becoming a dangling pointer:

int
mysql_execute_command(THD *thd)
{
...
  struct system_variables *per_query_variables_backup;   /* declared, not initialised */
...
  if (sql_command_flags[lex->sql_command] & CF_PREOPEN_TMP_TABLES)
  {
    if (open_temporary_tables(thd, all_tables))
      goto error;          /* reaches the cleanup below before the backup is taken */
  }
...
  if (lex->set_statement && !lex->var_list.is_empty()) {
    per_query_variables_backup= copy_system_variables(&thd->variables,
                                                      thd->m_enable_plugins);
...
error:
...
  if (lex->set_statement && !lex->var_list.is_empty()) {   /* also true on the early error path */
...
    free_system_variables(&thd->variables, thd->m_enable_plugins);
    thd->variables= *per_query_variables_backup;   /* dereferences the uninitialised pointer */
    my_free(per_query_variables_backup);
...
}

This bug is a sibling of bug 1412423 and bug 1418049. These three bugs represent three different error paths in mysql_execute_command that result in dangling thd->variables pointer.
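The control flow in the excerpt above, reduced to a runnable C model (an added example; this is not Percona's code, and `struct thd`, `struct lex`, `run_statement`, `ro_case`, `rw_case_restores` and the `STACK_GARBAGE` sentinel are hypothetical names chosen for the model). `execute_buggy` keeps the excerpt's logic: the backup pointer is assigned only after a pre-check that can fail, while the restore after `error:` is keyed on `set_statement` alone. `execute_fixed` initialises the pointer to NULL and keys the restore on a backup actually existing. The failing pre-check is modelled as the read-only transaction check from the bug title; the page says the sibling bugs are other early error paths in the same function, which the model does not enumerate. Reading real stack garbage would be undefined behaviour, so the model uses a sentinel and reports `EXEC_WOULD_CRASH` where mysqld dereferenced it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical, reduced model of the excerpt's structures (not Percona code). */
struct system_variables {
    long sort_buffer_size;       /* the one session variable modelled here */
};
struct thd {
    struct system_variables variables;
    bool tx_read_only;           /* @@session.tx_read_only */
    long seen_sort_buffer_size;  /* value the statement body observed, for checking */
};
struct lex {
    bool set_statement;          /* parsed as SET STATEMENT ... FOR */
    long stmt_sort_buffer_size;  /* the per-statement override */
    bool stmt_is_rw;             /* the FOR <statement> writes */
};
enum exec_result { EXEC_OK = 0, EXEC_ERROR = 1, EXEC_WOULD_CRASH = 2 };
typedef enum exec_result (*exec_fn)(struct thd *, const struct lex *);
/* Sentinel standing in for stack garbage; reading real uninitialised memory is UB. */
#define STACK_GARBAGE ((struct system_variables *)(uintptr_t)0xA5A5A5A5u)

static struct system_variables *copy_system_variables(const struct system_variables *src)
{
    struct system_variables *c = malloc(sizeof *c);
    if (!c) abort();
    *c = *src;                   /* the real function also deep-copies the dynamic block */
    return c;
}

/* Body shared by both variants: a pre-check that can fail before any backup is
   taken (modelled as the read-only transaction check; the page names other early
   error paths), then the SET STATEMENT override and the statement itself. */
static enum exec_result run_statement(struct thd *thd, const struct lex *lex,
                                      struct system_variables **backup)
{
    if (thd->tx_read_only && lex->stmt_is_rw)
        return EXEC_ERROR;       /* early exit: *backup never assigned */
    if (lex->set_statement) {
        *backup = copy_system_variables(&thd->variables);
        thd->variables.sort_buffer_size = lex->stmt_sort_buffer_size;
    }
    thd->seen_sort_buffer_size = thd->variables.sort_buffer_size;  /* statement runs */
    return EXEC_OK;
}

/* Same logic as the excerpt: backup left uninitialised, restore keyed on set_statement. */
enum exec_result execute_buggy(struct thd *thd, const struct lex *lex)
{
    struct system_variables *per_query_variables_backup = STACK_GARBAGE;
    enum exec_result res = run_statement(thd, lex, &per_query_variables_backup);
    if (lex->set_statement) {
        if (per_query_variables_backup == STACK_GARBAGE)
            return EXEC_WOULD_CRASH;  /* the dereference behind the SIGSEGV */
        thd->variables = *per_query_variables_backup;  /* real code frees the old block first */
        free(per_query_variables_backup);
    }
    return res;
}

/* Hardened: pointer starts NULL and the restore is keyed on a backup existing. */
enum exec_result execute_fixed(struct thd *thd, const struct lex *lex)
{
    struct system_variables *per_query_variables_backup = NULL;
    enum exec_result res = run_statement(thd, lex, &per_query_variables_backup);
    if (per_query_variables_backup) {
        thd->variables = *per_query_variables_backup;
        free(per_query_variables_backup);
    }
    return res;
}

/* The page's reproduction: tx_read_only=ON, then SET STATEMENT ... FOR a RW statement. */
enum exec_result ro_case(exec_fn exec)
{
    struct thd t = { { 262144 }, true, -1 };
    struct lex l = { true, 800000, true };
    return exec(&t, &l);
}
/* Same statement outside a RO transaction: override seen by the statement, then restored. */
bool rw_case_restores(exec_fn exec)
{
    struct thd t = { { 262144 }, false, -1 };
    struct lex l = { true, 800000, true };
    return exec(&t, &l) == EXEC_OK && t.seen_sort_buffer_size == 800000
           && t.variables.sort_buffer_size == 262144;
}
```

`ro_case(execute_buggy)` returns `EXEC_WOULD_CRASH` and `ro_case(execute_fixed)` returns a clean `EXEC_ERROR`, while both variants pass `rw_case_restores`, which is why the bug only showed up on error paths. The general rule the fix illustrates: when a cleanup label can be reached from before a resource is acquired, the cleanup must test the resource itself (pointer non-NULL) rather than the condition that would have acquired it.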

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-842
