| Bug #10975 | Prepared statements: crash if function deallocates | ||
|---|---|---|---|
| Submitted: | 30 May 2005 20:38 | Modified: | 10 Jun 2005 18:27 |
| Reporter: | Peter Gulutzan | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server | Severity: | S3 (Non-critical) |
| Version: | 5.0.7-beta-debug | OS: | Linux (SUSE 9.2) |
| Assigned to: | Konstantin Osipov | CPU Architecture: | Any |
[30 May 2005 20:38]
Peter Gulutzan
[30 May 2005 20:46]
MySQL Verification Team
Thank you for the bug report.
Call stack:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 229391 (LWP 14962)]
0x081ee0f6 in check_access (thd=0x8e95d18, want_access=262144,
db=0x8f8f8f8f <Address 0x8f8f8f8f out of bounds>, save_priv=0xbddfe2f8,
dont_check_global_grants=false, no_errors=false) at sql_parse.cc:4696
4696 if ((!db || !db[0]) && !thd->db && !dont_check_global_grants)
(gdb) backtrace full
#0 0x081ee0f6 in check_access (thd=0x8e95d18, want_access=262144,
db=0x8f8f8f8f <Address 0x8f8f8f8f out of bounds>, save_priv=0xbddfe2f8,
dont_check_global_grants=false, no_errors=false) at sql_parse.cc:4696
db_access = 1
db_is_pattern = false
dummy = 3185566212
_db_func_ = 0x0
_db_file_ = 0x1 <Address 0x1 out of bounds>
_db_level_ = 0
_db_framep_ = (char **) 0x40188b11
#1 0x081ee8fd in check_routine_access (thd=0x8e95d18, want_access=262144,
db=0x8f8f8f8f <Address 0x8f8f8f8f out of bounds>, name=0x8f8f8f8f <Address 0x8f8f8f8f out of bounds>,
is_proc=false, no_errors=false) at sql_parse.cc:4861
tables = {{next_local = 0x0, next_global = 0x0, prev_global = 0x0,
db = 0x8f8f8f8f <Address 0x8f8f8f8f out of bounds>,
alias = 0x8f8f8f8f <Address 0x8f8f8f8f out of bounds>,
table_name = 0x8f8f8f8f <Address 0x8f8f8f8f out of bounds>, schema_table_name = 0x0, option = 0x0,
on_expr = 0x0, prep_on_expr = 0x0, cond_equal = 0x0, natural_join = 0x0, use_index = 0x0,
ignore_index = 0x0, table = 0x0, derived_result = 0x0, correspondent_table = 0x0, derived = 0x0,
schema_table = 0x0, schema_select_lex = 0x0, schema_table_reformed = false, schema_table_param = 0x0,
select_lex = 0x0, view = 0x0, field_translation = 0x0, ancestor = 0x0, belong_to_view = 0x0,
next_leaf = 0x0, where = 0x0, check_option = 0x0, query = {str = 0x0, length = 0}, md5 = {str = 0x0,
length = 0}, source = {str = 0x0, length = 0}, view_db = {str = 0x0, length = 0}, view_name = {
str = 0x0, length = 0}, timestamp = {str = 0x0, length = 0}, file_version = 0, updatable_view = 0,
revision = 0, algorithm = 0, with_check = 0, effective_with_check = 0 '\0', effective_algorithm = 0,
privilege_backup = 0, grant = {grant_table = 0x0, version = 0, privilege = 0, want_privilege = 0},
engine_data = 0, callback_func = 0, lock_type = TL_UNLOCK, outer_join = 0, shared = 0, db_length = 0,
table_name_length = 0, updatable = false, straight = false, updating = false, force_index = false,
ignore_leaves = false, no_where_clause = false, dep_tables = 0, on_expr_dep_tables = 0,
nested_join = 0x0, embedding = 0x0, join_list = 0x0, cacheable_table = false,
table_in_first_from_clause = false, skip_temporary = false, contain_auto_increment = false,
---Type <return> to continue, or q <return> to quit---
multitable_view = false, required_type = FRMTYPE_ERROR, timestamp_buffer = '\0' <repeats 19 times>,
prelocking_placeholder = false}}
#2 0x0816d78e in Item_func_sp::execute (this=0x8e97ea0, itp=0xbddfe474) at item_func.cc:4782
_db_func_ = 0x9 <Address 0x9 out of bounds>
_db_file_ = 0x9 <Address 0x9 out of bounds>
_db_level_ = 0
_db_framep_ = (char **) 0xbddfe444
thd = (class THD *) 0x8e95d18
old_client_capabilites = 239245
res = -1109400504
save_ctx = {changed = 143, master_access = 2408550287, db_access = 2408550287, priv_user = 0x0,
priv_host = "\000\000\000\000\217\217\217\217\000\206é\bp\177é\b", '¥' <repeats 12 times>, "\217\217\217\217\000\206é\b", '¥' <repeats 16 times>, "\000\000\000\000\\äß½)",
user = 0x8ea7db8 '\217' <repeats 200 times>..., host = 0xb <Address 0xb out of bounds>,
ip = 0x8e98600 "f11()"}
nsok = 0 '\0'
save_options = 3185566720
#3 0x0816d54f in Item_func_sp::execute (this=0x8e97ea0, flp=0x8e97f18) at item_func.cc:4735
it = (class Item *) 0xbddfe490
f = (class Field *) 0xbddfe48c
#4 0x08171493 in Item_func_sp::val_str (this=0x8e97ea0, str=0xbddfe584) at item_func.h:1346
No locals.
#5 0x08149d6f in Item::send (this=0x8e97ea0, protocol=0x8e9671c, buffer=0xbddfe584) at item.cc:3833
res = (String *) 0x8e985f8
result = false
type = MYSQL_TYPE_VARCHAR
#6 0x081bde87 in select_send::send_data (this=0x8e987a0, items=@0x8e94308) at sql_class.cc:873
li = {<base_list_iterator> = {list = 0x8e94308, el = 0x8e985f8, prev = 0x0,
current = 0x0}, <No data fields>}
protocol = (class Protocol *) 0x8e9671c
buff = "\000>é\b\230©ê\b\000\000\000\000\000\000\000\000\001\000\000\000Ðåß½üåß½z\005\024\b°¨ê\bøåß---Type <return> to continue, or q <return> to quit---
½ôåß½ðåß½ôåß½ðåß½,æß½öóZ\bÚ\000\000\000\034æß½\030æß½\024æß½\030æß½\024æß½\020æß½\214)*\b,]é\bÐ\035é\bx.é\bx-é\b", '\0' <repeats 16 times>, "°¨ê\b|/é\bà/é\bà/é\b,]é\b\000\000\000\000¼æß½>Á\"\b\000\023\000\000\204æß½\200æß½|æß½\200æß½|æß½xæß½\000\000\000\000h\001\000\000\020,é\bx.é\b\000\000"...
buffer = {Ptr = 0xbddfe5a4 "", str_length = 766, Alloced_length = 766, alloced = false,
str_charset = 0x87f2b80}
_db_func_ = 0x0
_db_file_ = 0x8e97968 "þþ\a\001"
_db_level_ = 3185567120
_db_framep_ = (char **) 0xbddfe594
item = (class Item *) 0x8e97ea0
#7 0x08237870 in end_send (join=0x8e91e30, join_tab=0x8e92fe0, end_of_records=false)
at sql_select.cc:10021
error = 0
_db_func_ = 0x823774e "U\211å\203ìh\213E\020\210Eÿ\215Eì\211D$\030\215Eð\211D$\024\215Eô\211D$\020\215Eø\211D$\fÇD$\b\033'"
_db_file_ = 0x2bb4 <Address 0x2bb4 out of bounds>
_db_level_ = 1
_db_framep_ = (char **) 0x0
#8 0x0823591b in do_select (join=0x8e91e30, fields=0x8e94308, table=0x0, procedure=0x0)
at sql_select.cc:8991
end_select = 0x823774e <end_send>
rc = 0
error = NESTED_LOOP_OK
join_tab = (JOIN_TAB *) 0x8e92fe0
_db_func_ = 0x8e94308 "ø\205é\bø\205é\b\001"
_db_file_ = 0x8e9671c "èæa\b\030]é\b\220gé\b¤gé\b"
_db_level_ = 136043844
_db_framep_ = (char **) 0xbddfe98c
#9 0x08223edc in JOIN::exec (this=0x8e91e30) at sql_select.cc:1658
tmp_error = -1834726912
_db_func_ = 0x8e94308 "ø\205é\bø\205é\b\001"
---Type <return> to continue, or q <return> to quit---
_db_file_ = 0x8e95d18 "HÖa\bèÙ\177\bìÙ\177\bXÖa\b"
_db_level_ = 149495344
_db_framep_ = (char **) 0x8e94298
curr_join = (JOIN *) 0x8e91e30
curr_all_fields = (List<Item> *) 0x8e92b5c
curr_fields_list = (List<Item> *) 0x8e94308
curr_tmp_table = (TABLE *) 0x0
#10 0x08224e6b in mysql_select (thd=0x8e95d18, rref_pointer_array=0x8e943a8, tables=0x8e98638,
wild_num=0, fields=@0x8e94308, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0,
select_options=2460240384, result=0x8e987a0, unit=0x8e940b4, select_lex=0x8e94298)
at sql_select.cc:2052
err = false
free_join = true
_db_func_ = 0x8e94298 "\2103_\b"
_db_file_ = 0xbddfeacc "\230Bé\b\230Bé\b´@é\b"
_db_level_ = 4294967295
_db_framep_ = (char **) 0xffffffff
join = (JOIN *) 0x8e91e30
#11 0x0821f2c4 in handle_select (thd=0x8e95d18, lex=0x8e940a4, result=0x8e987a0,
setup_tables_done_option=0) at sql_select.cc:242
unit = (SELECT_LEX_UNIT *) 0x8e940b4
res = false
select_lex = (SELECT_LEX *) 0x8e94298
_db_func_ = 0x0
_db_file_ = 0x0
_db_level_ = 149521976
_db_framep_ = (char **) 0x0
#12 0x081e707a in mysql_execute_command (thd=0x8e95d18) at sql_parse.cc:2400
result = (class select_result *) 0x8e987a0
res = false
result = 0
---Type <return> to continue, or q <return> to quit---
lex = (LEX *) 0x8e940a4
select_lex = (SELECT_LEX *) 0x8e94298
slave_fake_lock = false
fake_prev_lock = (MYSQL_LOCK *) 0x0
first_table = (TABLE_LIST *) 0x8e98638
all_tables = (TABLE_LIST *) 0x8e98638
unit = (SELECT_LEX_UNIT *) 0x8e940b4
_db_func_ = 0xbddff05c ""
_db_file_ = 0x40188008 "]\213\200¸\001"
_db_level_ = 3185569852
_db_framep_ = (char **) 0x4018dd00
#13 0x0824dabe in execute_stmt (thd=0x8e95d18, stmt=0x8e94070, expanded_query=0xbddff0f4)
at sql_prepare.cc:2179
_db_func_ = 0x8e95d24 "XÖa\b"
_db_file_ = 0x0
_db_level_ = 0
_db_framep_ = (char **) 0x8e91e20
#14 0x0824d978 in mysql_sql_stmt_execute (thd=0x8e95d18, stmt_name=0x8e96390) at sql_prepare.cc:2138
stmt = (Prepared_statement *) 0x8e94070
expanded_query = {Ptr = 0x0, str_length = 0, Alloced_length = 0, alloced = false,
str_charset = 0x87f2b80}
_db_func_ = 0x0
_db_file_ = 0x0
_db_level_ = 0
_db_framep_ = (char **) 0x0
#15 0x081e74ac in mysql_execute_command (thd=0x8e95d18) at sql_parse.cc:2490
res = false
result = 0
lex = (LEX *) 0x8e95d58
select_lex = (SELECT_LEX *) 0x8e95f4c
slave_fake_lock = false
---Type <return> to continue, or q <return> to quit---
fake_prev_lock = (MYSQL_LOCK *) 0x0
first_table = (TABLE_LIST *) 0x0
all_tables = (TABLE_LIST *) 0x0
unit = (SELECT_LEX_UNIT *) 0x8e95d68
_db_func_ = 0x0
_db_file_ = 0x0
_db_level_ = 0
_db_framep_ = (char **) 0x8e95d58
#16 0x081ef82b in mysql_parse (thd=0x8e95d18, inBuf=0x8e91de0 "execute stmt1", length=13)
at sql_parse.cc:5260
lex = (LEX *) 0x8e95d58
_db_func_ = 0x8e8ddb6 ""
_db_file_ = 0x0
_db_level_ = 3185571576
_db_framep_ = (char **) 0x0
#17 0x081e5196 in dispatch_command (command=COM_QUERY, thd=0x8e95d18, packet=0x8e8dda9 "",
packet_length=14) at sql_parse.cc:1653
packet_end = 0x8e91ded ""
net = (NET *) 0x8e9648c
error = false
_db_func_ = 0x0
_db_file_ = 0x0
_db_level_ = 0
_db_framep_ = (char **) 0x0
#18 0x081e49a6 in do_command (thd=0x8e95d18) at sql_parse.cc:1456
packet = 0x8e8dda8 "\001"
old_timeout = 30
packet_length = 14
net = (NET *) 0x8e9648c
command = COM_QUERY
_db_func_ = 0x8e974d8 "ÿÿÿÿ\024"
---Type <return> to continue, or q <return> to quit---
_db_file_ = 0x81bbeb0 "ÉÃU\211å\203ì(\213E\b\211\004$è¡"
_db_level_ = 3185572332
_db_framep_ = (char **) 0x1010
#19 0x081e3afb in handle_one_connection (arg=0x8e95d18) at sql_parse.cc:1114
error = 0
net = (NET *) 0x8e9648c
thd = (class THD *) 0x8e95d18
launch_time = 0
set = {__val = {0 <repeats 32 times>}}
#20 0x40184e51 in pthread_start_thread () from /lib/libpthread.so.0
No symbol table info available.
#21 0x40184ecf in pthread_start_thread_event () from /lib/libpthread.so.0
No symbol table info available.
#22 0x4030c65a in clone () from /lib/libc.so.6
No symbol table info available.
(gdb)
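As an added triage example (not from the bug report or from MySQL's own sources), the script below parses the frame headers of a gdb `backtrace full` like the one above and reports which arguments carry the 0x8F fill pattern that, as assumed here, MySQL's safemalloc debug allocator writes into freed blocks; the outermost frame still holding such a pointer and its caller localise the use-after-free to the `Item_func_sp::execute` frame, which matches where the trace above first shows `db=0x8f8f8f8f`.

```python
import re

# Constructed excerpt of the "backtrace full" quoted above: gdb wraps long
# frame headers over several lines and prints locals beneath each frame.
BACKTRACE = """\
#0 0x081ee0f6 in check_access (thd=0x8e95d18, want_access=262144,
db=0x8f8f8f8f <Address 0x8f8f8f8f out of bounds>, save_priv=0xbddfe2f8,
dont_check_global_grants=false, no_errors=false) at sql_parse.cc:4696
db_access = 1
#1 0x081ee8fd in check_routine_access (thd=0x8e95d18, want_access=262144,
db=0x8f8f8f8f <Address 0x8f8f8f8f out of bounds>, name=0x8f8f8f8f <Address 0x8f8f8f8f out of bounds>,
is_proc=false, no_errors=false) at sql_parse.cc:4861
#2 0x0816d78e in Item_func_sp::execute (this=0x8e97ea0, itp=0xbddfe474) at item_func.cc:4782
thd = (class THD *) 0x8e95d18
#3 0x0816d54f in Item_func_sp::execute (this=0x8e97ea0, flp=0x8e97f18) at item_func.cc:4735
"""

FREE_BYTE = "8f"  # assumed: safemalloc's fill byte for freed blocks
HEADER_RE = re.compile(r"^#(\d+) 0x[0-9a-f]+ in (\S+) \((.*)\)(?: (?:at|from) (\S+))?$")
HEADER_END = re.compile(r"\)(?: (?:at|from) \S+)?$")

def parse_frames(text):
    """Return [(num, func, {arg: value}, location)] from a gdb backtrace."""
    frames, pending = [], None
    for line in text.splitlines():
        if line.startswith("#"):
            pending = line
        elif pending is not None:
            pending += " " + line        # continuation of a wrapped header
        else:
            continue                     # local-variable line, not a header
        if HEADER_END.search(pending):
            m = HEADER_RE.match(pending)
            if m:
                args = dict(a.split("=", 1) for a in m.group(3).split(", ") if "=" in a)
                frames.append((int(m.group(1)), m.group(2), args, m.group(4)))
            pending = None
    return frames

def is_poisoned(value):
    """True if the value is a pointer whose every byte is the free-fill byte."""
    m = re.match(r"0x([0-9a-f]+)", value)
    if not m or len(m.group(1)) < 8 or len(m.group(1)) % 2:
        return False
    digits = m.group(1)
    return {digits[i:i + 2] for i in range(0, len(digits), 2)} == {FREE_BYTE}

def poisoned_args(text):
    """(frame, func, arg) for every argument holding a freed-memory pointer."""
    return [(num, func, arg) for num, func, args, _ in parse_frames(text)
            for arg, val in args.items() if is_poisoned(val)]

def origin_frame(text):
    """First frame outward that passed no poisoned pointer: the caller that
    handed a dangling value down, where the lifetime bug should be looked for."""
    outermost_hit = max((num for num, _, _ in poisoned_args(text)), default=-1)
    for num, func, _, loc in parse_frames(text):
        if num > outermost_hit:
            return (num, func, loc)
    return None
```

Run against the constructed excerpt, `poisoned_args` flags `db` in frames 0 and 1 plus `name` in frame 1, and `origin_frame` returns frame 2 at item_func.cc:4782.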
[8 Jun 2005 20:44]
Konstantin Osipov
Will be fixed by disallowing dynamic SQL in SP.
[8 Jun 2005 21:55]
Konstantin Osipov
The patch is pushed into 5.0.8 tree.
Subject: bk commit - 5.0 tree (konstantin:1.1958) BUG#10605
ChangeSet 1.1958 05/06/09 01:09:05 konstantin@mysql.com +3 -0
Disable dynamic SQL in stored routines.
This is to close Bug#10975, Bug#7115, Bug#10605
This feature will be implemented in a future release.
[10 Jun 2005 18:27]
Paul DuBois
Noted in 5.0.8 changelog. Added note to prepared statement section that SQL PS cannot be used in stored routines.
