Bug #12280 Triggers: crash if flush tables
Submitted: 29 Jul 2005 22:29  Modified: 10 Aug 2005 16:54
Reporter: Peter Gulutzan
Status: Closed
Category: MySQL Server  Severity: S3 (Non-critical)
Version: 5.0.11-beta-debug  OS: Linux (SUSE 9.2)
Assigned to: Dmitry Lenev  CPU Architecture: Any

[29 Jul 2005 22:29] Peter Gulutzan
Description:
If the trigger body is "flush tables", the server crashes
when I activate the trigger.

How to repeat:
mysql> delimiter //
mysql>
mysql> create table tl1 (s1 int)//
Query OK, 0 rows affected (0.01 sec)

mysql> create trigger tl1_ai after insert on tl1 for each row flush tables//
Query OK, 0 rows affected (0.01 sec)

mysql> insert into tl1 values (0)//
ERROR 2013 (HY000): Lost connection to MySQL server during query
[29 Jul 2005 22:42] MySQL Verification Team
Thank you for the bug report.

050729 19:40:14 [Note] /home/miguel/dbs/5.0/libexec/mysqld: ready for connections.
Version: '5.0.11-beta-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
[New Thread 1132452784 (LWP 11859)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1132452784 (LWP 11859)]
0x081e31f0 in cleanup_items (item=0x8f8f8f8f) at sql_parse.cc:1277
1277        item->cleanup();
(gdb) backtrace full
#0  0x081e31f0 in cleanup_items (item=0x8f8f8f8f) at sql_parse.cc:1277
        _db_func_ = 0x8e201b8 "insert into tl1 values (0)"
        _db_file_ = 0x1a <Address 0x1a out of bounds>
        _db_level_ = 137513616
        _db_framep_ = (char **) 0x0
#1  0x08324c43 in sp_head::execute (this=0x8e1e188, thd=0x8e04460) at sp_head.cc:675
        i = (sp_instr *) 0x8e1e390
        hip = 1132447736
        _db_func_ = 0x8324f4d "\203Ä \203=4¸z\b"
        _db_file_ = 0x437fc858 "\230È\177CPF!\b\210áá\b`Dà\b"
        _db_level_ = 141006148
        _db_framep_ = (char **) 0x8e2061c
        olddb = "Õlg\bvlg\bXÇ\177CÍCU\bÜ\000\000\000HÇ\177CDÇ\177C@Ç\177CHÇ\177Cú@\030@\005\000\000\000\000\000\000\000\200Dà\b¨\001â\b0\006â\bû\024\024\b\034\006â\b°Û\177C¨Ç\177C0\006â\bð\005â\b\000\000\000\000\230Ç\177C!\027\034\bè!\\\b \034\\\b\230Ç\177C\205\027\034\bC\006\000\000\224Ç\177C\220Ç\177C\214Ç\177C"
        dbchanged = false
        ctx = (sp_rcontext *) 0x8e205f0
        ret = 0
        ip = 2408550288
        old_arena = (class Query_arena *) 0x8e0446c
        old_query_id = 7
        old_derived_tables = (TABLE *) 0x0
        old_lex = (LEX *) 0x8e044a0
        old_change_list = {<base_ilist> = {first = 0x8e056f0, last = {_vptr.ilink = 0x85c29f0, prev = 0x8e056ec, 
      next = 0x0}}, <No data fields>}
        old_packet = {Ptr = 0x8e357f0 "\003def", str_length = 57, Alloced_length = 16384, alloced = true, str_charset = 0x878ec80}
#2  0x08325257 in sp_head::execute_function (this=0x8e1e188, thd=0x8e04460, argp=0x0, argcount=0, resp=0x0) at sp_head.cc:800
        _db_func_ = 0x814c863 "\203Ä\020\211Eì\213EìÉÃU\211å\203ì\b\213E\020\210Eÿ\203ì\bj"
        _db_file_ = 0x437fc878 ""
        _db_level_ = 148915296
        _db_framep_ = (char **) 0x0
        csize = 0
        params = 0
        hmax = 0
        cmax = 0
        octx = (sp_rcontext *) 0x0
        nctx = (sp_rcontext *) 0x8e205f0
        i = 0
        ret = 140545740
        call_mem_root = {free = 0x8e1c180, used = 0x0, pre_alloc = 0x0, min_malloc = 32, block_size = 8136, block_num = 5, 
  first_block_usage = 0, error_handler = 0}
        call_arena = {_vptr.Query_arena = 0x85c2558, free_list = 0x0, mem_root = 0x437fc800, is_backup_arena = false, 
  state = INITIALIZED_FOR_SP}
        backup_arena = {_vptr.Query_arena = 0x85c2558, free_list = 0x8e20390, mem_root = 0x8e04480, is_backup_arena = true, 
  state = CONVENTIONAL_EXECUTION}
#3  0x08214650 in Table_triggers_list::process_triggers (this=0x8e05ca0, thd=0x8e04460, event=TRG_EVENT_INSERT, time_type=TRG_ACTION_AFTER, 
    old_row_is_record1=true) at sql_trigger.h:112
        tmp_disable_binlog__save_options = 2158250496
        save_in_sub_stmt = false
        nsok = 0 '\0'
        res = 0
#4  0x0823ed10 in write_record (thd=0x8e04460, table=0x8e10ef0, info=0x437fcab0) at sql_insert.cc:1077
        error = 0
        trg_error = 0
        key = 0x0
        _db_func_ = 0xe20228 <Address 0xe20228 out of bounds>
        _db_file_ = 0x0
        _db_level_ = 0
        _db_framep_ = (char **) 0x8e20378
#5  0x0823d7f0 in mysql_insert (thd=0x8e04460, table_list=0x8e20228, fields=@0x8e048bc, values_list=@0x8e048e0, update_fields=@0x8e048d4, 
    update_values=@0x8e048c8, duplic=DUP_ERROR, ignore=false) at sql_insert.cc:480
        error = 0
        res = 0
[5 Aug 2005 10:36] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/27913
[10 Aug 2005 6:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/28097
[10 Aug 2005 7:25] Dmitry Lenev
Fixed in 5.0.12 by disallowing use of FLUSH command in stored functions and triggers.
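The following is an added example, not part of this bug report and not MySQL's own code. It shows how an administrator can audit an existing 5.0.x server for triggers or stored functions whose body contains FLUSH (the condition that crashes mysqld before the fix) and what the original repro is expected to do once the 5.0.12 restriction is in place. It assumes information_schema.TRIGGERS and information_schema.ROUTINES are available (5.0.10 and later); the table and trigger names are the ones from the report, and the error text shown in the last comment is assumed from the fix described above rather than taken from this page.

```sql
-- Added example; assumes MySQL 5.0.10+ so that information_schema.TRIGGERS
-- and information_schema.ROUTINES exist.

-- 1. Audit: list triggers whose body uses FLUSH. Firing such a trigger on a
--    server older than 5.0.12 crashes mysqld; on 5.0.12+ new ones can no
--    longer be created, but ones defined earlier still exist on disk.
SELECT TRIGGER_SCHEMA, TRIGGER_NAME, EVENT_OBJECT_TABLE, ACTION_STATEMENT
  FROM information_schema.TRIGGERS
 WHERE ACTION_STATEMENT REGEXP '[[:<:]]FLUSH[[:>:]]';

-- Same check for stored functions, which the fix restricts as well.
SELECT ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_TYPE
  FROM information_schema.ROUTINES
 WHERE ROUTINE_TYPE = 'FUNCTION'
   AND ROUTINE_DEFINITION REGEXP '[[:<:]]FLUSH[[:>:]]';

-- 2. Remove an offending trigger found by the audit (name from the report).
DROP TRIGGER tl1_ai;

-- 3. On 5.0.12 and later the original repro is rejected when the trigger is
--    created, instead of crashing the server when the INSERT fires it.
CREATE TABLE tl1 (s1 INT);
CREATE TRIGGER tl1_ai AFTER INSERT ON tl1 FOR EACH ROW FLUSH TABLES;
-- Expected: an ER_SP_BADSTATEMENT error, "FLUSH is not allowed in stored
-- function or trigger" (assumed from the fix; not quoted on this page).
```

Run the two audit queries before upgrading a server that may carry triggers created under 5.0.11 or earlier: the fix stops new FLUSH-bearing bodies from being created but does not rewrite existing trigger definitions.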
[10 Aug 2005 16:54] Jon Stephens
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

Documented in 5.0.12 changelog.
[24 Aug 2005 19:43] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/28777