SET STATEMENT ... FOR <statement> crashes server if <statement> needs to re-open a temp table and fails

Bug #1412423 reported by Ramesh Sivaraman on 2015-01-19
Affects                                                           Status        Importance  Assigned to        Milestone
Percona Server (moved to https://jira.percona.com/projects/PS)    Fix Released  High        Laurynas Biveinis
  5.1                                                             Won't Fix     Undecided   Unassigned
  5.5                                                             New           Undecided   Unassigned
  5.6                                                             Fix Released  High        Laurynas Biveinis

Bug Description

** Testcase

DROP DATABASE test;CREATE DATABASE test;USE test;
CREATE TEMPORARY TABLE t1(c1 CHAR (1));
handler t1 open as a1;
INSERT INTO t1 VALUES(_utf16le 0x00D800D8);
SET STATEMENT max_join_size=1000000000000 FOR SELECT * FROM t1;

*** GDB

+bt
#0 0x00007f94be5df771 in pthread_kill () from /lib64/libpthread.so.0
#1 0x00000000006772cd in handle_fatal_signal (sig=11) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/signal_handler.cc:236
#2 <signal handler called>
#3 get_thread_statement_locker_v1 (state=0x7f942df22c08, key=<optimized out>, charset=0x0) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/storage/perfschema/pfs.cc:4491
#4 0x00000000005a8889 in inline_mysql_start_statement (src_file=0xbefbc8 "/mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/mysqld.cc", src_line=996, charset=<optimized out>, db_len=4, db=<optimized out>, key=<optimized out>, state=0x7f942df22c08) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/include/mysql/psi/mysql_statement.h:160
#5 net_after_header_psi (net=0x7f942df21270, user_data=0x7f942df21000, rc=<optimized out>) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/mysqld.cc:993
#6 0x000000000066c7fb in net_read_packet_header (net=0x7f942df21270) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/net_serv.cc:752
#7 net_read_packet (net=0x7f942df21270, complen=0x7f94bebd0db0) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/net_serv.cc:816
#8 0x000000000066d5b4 in my_net_read (net=0x7f942df21270) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/net_serv.cc:894
#9 0x0000000000700742 in do_command (thd=0x7f942df21000) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/sql_parse.cc:985
#10 0x00000000006cc392 in do_handle_one_connection (thd_arg=thd_arg@entry=0x7f942df21000) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/sql_connect.cc:1532
#11 0x00000000006cc480 in handle_one_connection (arg=arg@entry=0x7f942df21000) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/sql_connect.cc:1443
#12 0x0000000000afd6b3 in pfs_spawn_thread (arg=0x7f942df41340) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/storage/perfschema/pfs.cc:1860
#13 0x00007f94be5dadf3 in start_thread () from /lib64/libpthread.so.0
#14 0x00007f94bd2a41ad in clone () from /lib64/libc.so.6

What happens if you replace SET STATEMENT ... SELECT with session SET ... ; SELECT ? If it crashes, does the upstream crash too then?

Ramesh Sivaraman (rameshvs02) wrote:

Tested with SESSION command and it is not crashing.

Testcase:

DROP DATABASE test;CREATE DATABASE test;USE test;
CREATE TEMPORARY TABLE t1(c1 CHAR (1));
handler t1 open as a1;
INSERT INTO t1 VALUES(_utf16le 0x00D800D8);
SET SESSION max_join_size=1000000000000 ;
SELECT * FROM t1;

tags: added: set-statement
summary: handle_fatal_signal (sig=11) in get_thread_statement_locker_v1 |
- perfschema/pfs.cc:4491
+ perfschema/pfs.cc:4491on a SET STATEMENT max_join_size query

The cause is thd->variables becoming a dangling pointer:

int
mysql_execute_command(THD *thd)
{
...
  struct system_variables *per_query_variables_backup;   /* declared without an initial value */
...
  if (thd->tx_read_only &&
      (sql_command_flags[lex->sql_command] & CF_DISALLOW_IN_RO_TRANS))
  {
    my_error(ER_CANT_EXECUTE_IN_READ_ONLY_TRANSACTION, MYF(0));
    goto error;   /* reaches the restore below before any backup has been taken */
  }
...
  if (lex->set_statement && !lex->var_list.is_empty()) {
    per_query_variables_backup= copy_system_variables(&thd->variables,
                                                      thd->m_enable_plugins);
...
error:
...
  if (lex->set_statement && !lex->var_list.is_empty()) {
...
    free_system_variables(&thd->variables, thd->m_enable_plugins);
    thd->variables= *per_query_variables_backup;   /* on the early error path this reads the uninitialized pointer */
    my_free(per_query_variables_backup);
...
}

This bug is a sibling of bug 1387951 and bug 1418049. These three bugs represent three different error paths in mysql_execute_command that result in dangling thd->variables pointer.
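The following is an added illustration of the restore-on-error pattern from the excerpt above, not Percona's code or its actual fix. It uses a simplified stand-in for THD and system_variables (assumed layout, constructed for the example) and models mysql_execute_command so that the backup pointer starts as NULL and the error path only restores what was actually replaced, whether the failure happens before the backup is taken or after the per-statement value is applied.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for THD and system_variables (assumed, not the server's layout). */
struct system_variables { long max_join_size; char *dyn; };
struct THD { struct system_variables variables; };

static struct system_variables *copy_system_variables(const struct system_variables *src)
{
    struct system_variables *dst = malloc(sizeof *dst);
    if (!dst) return NULL;
    dst->max_join_size = src->max_join_size;
    dst->dyn = src->dyn ? strdup(src->dyn) : NULL;   /* deep copy of owned memory */
    return dst;
}

static void free_system_variables(struct system_variables *v)
{
    free(v->dyn);
    v->dyn = NULL;
}

/* Models mysql_execute_command for SET STATEMENT ... FOR <stmt>.
 * fail_before_backup: an early check (like CF_DISALLOW_IN_RO_TRANS) rejects the command.
 * stmt_fails: <stmt> itself fails after the per-statement value was applied.
 * Returns 0 on success, -1 on error; thd->variables is intact in every case. */
int execute_command(struct THD *thd, int set_statement, long new_max_join_size,
                    int fail_before_backup, int stmt_fails)
{
    /* Start as NULL so the error path can tell whether a backup exists. The
     * excerpt above leaves this uninitialized, so an early goto error frees
     * thd->variables and then copies from a garbage pointer. */
    struct system_variables *backup = NULL;
    int res = 0;

    if (fail_before_backup) { res = -1; goto error; }

    if (set_statement) {
        backup = copy_system_variables(&thd->variables);
        if (!backup) return -1;
        thd->variables.max_join_size = new_max_join_size;   /* per-statement value */
    }

    if (stmt_fails) { res = -1; goto error; }

error:
    if (backup) {   /* only undo what was actually changed */
        free_system_variables(&thd->variables);
        thd->variables = *backup;
        free(backup);
    }
    return res;
}
```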

summary: - handle_fatal_signal (sig=11) in get_thread_statement_locker_v1 |
- perfschema/pfs.cc:4491on a SET STATEMENT max_join_size query
+ SET STATEMENT ... FOR <statement> crashes server if <statement> needs to
+ re-open a temp table and fails

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-864
