SET STATEMENT ... FOR <statement> crashes server if <statement> needs to re-open a temp table and fails

Bug #1412423 reported by Ramesh Sivaraman
Affects                                                          Status        Importance  Assigned to        Milestone
Percona Server (moved to https://jira.percona.com/projects/PS)   Fix Released  High        Laurynas Biveinis
5.1                                                              Won't Fix     Undecided   Unassigned
5.5                                                              New           Undecided   Unassigned
5.6                                                              Fix Released  High        Laurynas Biveinis

Bug Description

** Testcase

DROP DATABASE test;CREATE DATABASE test;USE test;
CREATE TEMPORARY TABLE t1(c1 CHAR (1));
handler t1 open as a1;
INSERT INTO t1 VALUES(_utf16le 0x00D800D8);
SET STATEMENT max_join_size=1000000000000 FOR SELECT * FROM t1;

*** GDB

+bt
#0 0x00007f94be5df771 in pthread_kill () from /lib64/libpthread.so.0
#1 0x00000000006772cd in handle_fatal_signal (sig=11) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/signal_handler.cc:236
#2 <signal handler called>
#3 get_thread_statement_locker_v1 (state=0x7f942df22c08, key=<optimized out>, charset=0x0) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/storage/perfschema/pfs.cc:4491
#4 0x00000000005a8889 in inline_mysql_start_statement (src_file=0xbefbc8 "/mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/mysqld.cc", src_line=996, charset=<optimized out>, db_len=4, db=<optimized out>, key=<optimized out>, state=0x7f942df22c08) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/include/mysql/psi/mysql_statement.h:160
#5 net_after_header_psi (net=0x7f942df21270, user_data=0x7f942df21000, rc=<optimized out>) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/mysqld.cc:993
#6 0x000000000066c7fb in net_read_packet_header (net=0x7f942df21270) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/net_serv.cc:752
#7 net_read_packet (net=0x7f942df21270, complen=0x7f94bebd0db0) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/net_serv.cc:816
#8 0x000000000066d5b4 in my_net_read (net=0x7f942df21270) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/net_serv.cc:894
#9 0x0000000000700742 in do_command (thd=0x7f942df21000) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/sql_parse.cc:985
#10 0x00000000006cc392 in do_handle_one_connection (thd_arg=thd_arg@entry=0x7f942df21000) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/sql_connect.cc:1532
#11 0x00000000006cc480 in handle_one_connection (arg=arg@entry=0x7f942df21000) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/sql/sql_connect.cc:1443
#12 0x0000000000afd6b3 in pfs_spawn_thread (arg=0x7f942df41340) at /mnt/workspace/percona-server-5.6-binaries-opt-yassl/label_exp/centos6-64/percona-server-5.6.22-71.0/storage/perfschema/pfs.cc:1860
#13 0x00007f94be5dadf3 in start_thread () from /lib64/libpthread.so.0
#14 0x00007f94bd2a41ad in clone () from /lib64/libc.so.6


Laurynas Biveinis (laurynas-biveinis) wrote :

What happens if you replace SET STATEMENT ... SELECT with session SET ...; SELECT? If it crashes, does upstream crash too then?

Ramesh Sivaraman (rameshvs02) wrote :

Tested with the SESSION command and it is not crashing.

Testcase:

DROP DATABASE test;CREATE DATABASE test;USE test;
CREATE TEMPORARY TABLE t1(c1 CHAR (1));
handler t1 open as a1;
INSERT INTO t1 VALUES(_utf16le 0x00D800D8);
SET SESSION max_join_size=1000000000000 ;
SELECT * FROM t1;

tags: added: set-statement
summary: handle_fatal_signal (sig=11) in get_thread_statement_locker_v1 |
- perfschema/pfs.cc:4491
+ perfschema/pfs.cc:4491on a SET STATEMENT max_join_size query
Laurynas Biveinis (laurynas-biveinis) wrote :

The cause is thd->variables becoming a dangling pointer:

int
mysql_execute_command(THD *thd)
{
...
  struct system_variables *per_query_variables_backup;   /* never initialised here */
...
  if (thd->tx_read_only &&
      (sql_command_flags[lex->sql_command] & CF_DISALLOW_IN_RO_TRANS))
  {
    my_error(ER_CANT_EXECUTE_IN_READ_ONLY_TRANSACTION, MYF(0));
    goto error;   /* reaches the restore below before any backup has been taken */
  }
...
  if (lex->set_statement && !lex->var_list.is_empty()) {
    per_query_variables_backup= copy_system_variables(&thd->variables,
                                                      thd->m_enable_plugins);
...
error:
...
  if (lex->set_statement && !lex->var_list.is_empty()) {
...
    free_system_variables(&thd->variables, thd->m_enable_plugins);
    thd->variables= *per_query_variables_backup;   /* reads through the uninitialised pointer */
    my_free(per_query_variables_backup);           /* and frees whatever it happened to hold */
...
}

This bug is a sibling of bug 1387951 and bug 1418049. These three bugs represent three different error paths in mysql_execute_command that result in a dangling thd->variables pointer.

summary: - handle_fatal_signal (sig=11) in get_thread_statement_locker_v1 |
- perfschema/pfs.cc:4491on a SET STATEMENT max_join_size query
+ SET STATEMENT ... FOR <statement> crashes server if <statement> needs to
+ re-open a temp table and fails
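As an added illustration (not the server's code), the following C model mirrors the backup/override/restore control flow of the excerpt above in its corrected shape: the backup pointer is initialised to NULL and the error label restores only when a backup was actually taken, so an early error exit leaves the session variables untouched. The structures, `dup_str`, `execute_command`, the `fail_early`/`fail_late` switches and `session_variables_survive` are all constructed for this example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the server structures; only the fields the pattern needs. */
struct system_variables { unsigned long long max_join_size; char *dynamic; }; /* dynamic: heap-owned */
struct THD { struct system_variables variables; };
static char *dup_str(const char *s) { char *d = malloc(strlen(s) + 1); return d ? strcpy(d, s) : NULL; }
static struct system_variables *copy_system_variables(const struct system_variables *src) {
    struct system_variables *dst = malloc(sizeof *dst);
    if (!dst) abort();
    dst->max_join_size = src->max_join_size;
    dst->dynamic = dup_str(src->dynamic);
    return dst;
}
static void free_system_variables(struct system_variables *v) { free(v->dynamic); v->dynamic = NULL; }
/* Corrected shape of the excerpt's control flow: the backup pointer starts as NULL and the
   error label restores only if a backup was taken. The original left the pointer
   uninitialised, so an early "goto error" restored from garbage. */
int execute_command(struct THD *thd, bool set_statement, unsigned long long per_query,
                    bool fail_early, bool fail_late) {
    struct system_variables *backup = NULL;         /* the missing initialiser */
    int rc = 0;
    if (fail_early) { rc = 1; goto error; }         /* error path before the override */
    if (set_statement) {
        backup = copy_system_variables(&thd->variables);
        thd->variables.max_join_size = per_query;   /* per-query override now in effect */
    }
    if (fail_late) { rc = 2; goto error; }          /* error path after the override */
    /* ... the statement would run here with the per-query value ... */
error:
    if (set_statement && backup != NULL) {          /* the missing guard */
        free_system_variables(&thd->variables);
        thd->variables = *backup;                   /* thd takes ownership of the copy */
        free(backup);
    }
    return rc;
}
/* Drives all three exit paths and reports whether the session value survives each one. */
bool session_variables_survive(void) {
    struct THD thd = { { 100, dup_str("session") } };
    bool ok = true;
    for (int path = 0; path < 3; path++) {
        int rc = execute_command(&thd, true, 1000000000000ULL, path == 1, path == 2);
        ok = ok && rc == path && thd.variables.max_join_size == 100
                && thd.variables.dynamic && strcmp(thd.variables.dynamic, "session") == 0;
    }
    free(thd.variables.dynamic);
    return ok;
}
```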
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-864
