Bug #14233 Crash after tampering with the mysql.proc table
Submitted: 22 Oct 2005 19:23 Modified: 8 Dec 2005 23:38
Reporter: Joe Knall
Status: Closed
Category: MySQL Server Severity: S2 (Serious)
Version: 5.0.13rc/5.0.16 BK source OS: Linux (Linux)
Assigned to: Bugs System CPU Architecture: Any

[22 Oct 2005 19:23] Joe Knall
Description:
Inserted a function directly into the proc table and wanted to return a result set instead of a value; now "select function();" crashes the server.

function body: begin select count(*) from `user`; end

How to repeat:
insert into `proc` ( `db` , `name` , `type` , `specific_name` , `language` , `sql_data_access` , `is_deterministic` , `security_type` , `param_list` , `returns` , `body` , `definer` , `created` , `modified` , `sql_mode` , `comment` )
values (
'mysql', 'test', 'FUNCTION', 'test', 'SQL', 'READS_SQL_DATA', 'NO', 'DEFINER', '', 'int(10)', 'begin select count(*) from `user`; end', 'root@localhost', NOW( ) , '0000-00-00 00:00:00', '', ''
);

mysql> select test();
ERROR 2013 (HY000): Lost connection to MySQL server during query

mysql> select test();
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/tmp/mysql.sock' (111)
ERROR:
Can't connect to the server

Suggested fix:
Catch the exception and return a message, don't crash!
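As an added illustration (not part of the original report or of the MySQL source), the following mysql-client session defines the routine the reporter wanted through CREATE FUNCTION instead of writing to mysql.proc. The point is that CREATE FUNCTION validates the body: the supported shape stores the count in a variable and RETURNs it, while the shape inserted into mysql.proc above (a bare SELECT that would return a result set) is refused at definition time rather than crashing the server at call time. The routine names test_count and test_bad and the use of the mysql.user table are assumptions for illustration.

```sql
-- Added example, not part of the original bug report. Assumes a mysql client session
-- with privileges to create routines; routine names are illustrative.

DELIMITER //

-- Supported form: the SELECT stores its result into a local variable and the
-- function returns that value, so the caller gets a scalar, never a result set.
CREATE FUNCTION test_count() RETURNS INT
    READS SQL DATA
    NOT DETERMINISTIC
    SQL SECURITY DEFINER
BEGIN
    DECLARE n INT;
    SELECT COUNT(*) INTO n FROM `mysql`.`user`;
    RETURN n;
END//

-- Unsupported form: the same body the reporter inserted into mysql.proc.
-- Going through CREATE FUNCTION, the server rejects it while parsing the definition:
--   ERROR 1415 (0A000): Not allowed to return a result set from a function
-- Writing the row into mysql.proc by hand bypasses exactly this check.
CREATE FUNCTION test_bad() RETURNS INT
    READS SQL DATA
BEGIN
    SELECT COUNT(*) FROM `mysql`.`user`;
    RETURN 0;
END//

DELIMITER ;

-- Calling the supported function returns a single integer value.
SELECT test_count();

-- Audit the routines that exist, including any that were never created through
-- CREATE FUNCTION / CREATE PROCEDURE, by reading INFORMATION_SCHEMA instead of mysql.proc.
SELECT ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_TYPE, DEFINER, SECURITY_TYPE, CREATED
FROM INFORMATION_SCHEMA.ROUTINES
ORDER BY CREATED DESC;
```

DELIMITER is a mysql command-line client directive, not server SQL, so the block is meant to be pasted into the mysql client; the INFORMATION_SCHEMA query at the end is the supported way to review which routines are defined and under which definer, which is what an administrator would check after finding that mysql.proc had been edited directly.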
[22 Oct 2005 21:48] MySQL Verification Team
Thank you for the bug report.

miguel@hegel:~/dbs/5.0> bin/mysql -uroot mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 5.0.16-debug

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> insert into `proc` ( `db` , `name` , `type` , `specific_name` , `language` ,
    -> `sql_data_access` , `is_deterministic` , `security_type` , `param_list` ,
    -> `returns` , `body` , `definer` , `created` , `modified` , `sql_mode` , `comment`
    -> )
    -> values (
    -> 'mysql', 'test', 'FUNCTION', 'test', 'SQL', 'READS_SQL_DATA', 'NO', 'DEFINER',
    -> '', 'int(10)', 'begin select count(*) from `user`; end', 'root@localhost', NOW(
    -> ) , '0000-00-00 00:00:00', '', ''
    -> );
Query OK, 1 row affected (0.01 sec)

mysql> select test();
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> 

051022 19:45:42 [Note] /home/miguel/dbs/5.0/libexec/mysqld: ready for connections.
Version: '5.0.16-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
[New Thread 1129679792 (LWP 6676)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1129679792 (LWP 6676)]
0x00000000 in ?? ()
(gdb) bt full
#0  0x00000000 in ?? ()
No symbol table info available.
#1  0x08148848 in Item::val_uint (this=0x8e6df18) at item.h:455
No locals.
#2  0x08147bea in st_select_lex_unit::set_limit (this=0x8e41110, sl=0x8e41324) at sql_lex.cc:1838
        select_limit_val = 604156325066335496
#3  0x08228400 in handle_select (thd=0x8e410c0, lex=0x8e41100, result=0x8e6e020, setup_tables_done_option=0) at sql_select.cc:228
        unit = (SELECT_LEX_UNIT *) 0x8e41110
        res = false
        select_lex = (SELECT_LEX *) 0x8e41324
        _db_func_ = 0xe410c0 <Address 0xe410c0 out of bounds>
        _db_file_ = 0x81f03c3 "\203Ä \210Eç\200}ç"
        _db_level_ = 1129676776
        _db_framep_ = (char **) 0xc0
#4  0x081f05a3 in mysql_execute_command (thd=0x8e410c0) at sql_parse.cc:2484
        result = (class select_result *) 0x8e6e020
        res = false
        result = 0
        lex = (LEX *) 0x8e41100
        select_lex = (SELECT_LEX *) 0x8e41324
        first_table = (TABLE_LIST *) 0x0
        all_tables = (TABLE_LIST *) 0x0
        unit = (SELECT_LEX_UNIT *) 0x8e41110
        _db_func_ = 0x0
        _db_file_ = 0x8e41100 "\230\"[\b\001"
        _db_level_ = 1129676776
        _db_framep_ = (char **) 0x8e6d6e0
#5  0x081f813d in mysql_parse (thd=0x8e410c0, inBuf=0x8e6d6f0 "select test()", length=13) at sql_parse.cc:5558
        lex = (LEX *) 0x8e41100
        _db_func_ = 0x87badc0 "ÈÆb\b"
        _db_file_ = 0x81ee871 "\203Ä \203=\024µ|\b"
        _db_level_ = 1129676820
        _db_framep_ = (char **) 0x0
#6  0x081ee8ed in dispatch_command (command=COM_QUERY, thd=0x8e410c0, packet=0x8e65691 "select test()", packet_length=14)
    at sql_parse.cc:1697
        packet_end = 0x8e6d6fd ""
        net = (NET *) 0x8e41894
        error = false
        _db_func_ = 0xe <Address 0xe out of bounds>
        _db_file_ = 0x2000 <Address 0x2000 out of bounds>
        _db_level_ = 0
        _db_framep_ = (char **) 0x2
#7  0x081ee1e4 in do_command (thd=0x8e410c0) at sql_parse.cc:1498
        packet = 0x8e65690 "\003select test()"
        old_timeout = 30
        packet_length = 14
        net = (NET *) 0x8e41894
        command = COM_QUERY
        _db_func_ = 0x8e42210 "ÿÿÿÿ"
        _db_file_ = 0x81c6843 "\203Ä\020\213E\bÆ\200à\021"
        _db_level_ = 1129677672
        _db_framep_ = (char **) 0x1010
#8  0x081ed37f in handle_one_connection (arg=0x8e410c0) at sql_parse.cc:1143
        error = 0
        net = (NET *) 0x8e41894
        sctx = (Security_context *) 0x8e4206c
        thd = (class THD *) 0x8e410c0
        launch_time = 0
        set = {__val = {0 <repeats 32 times>}}
#9  0x40174aa7 in start_thread () from /lib/tls/libpthread.so.0
No symbol table info available.
#10 0x402a5c2e in clone () from /lib/tls/libc.so.6
No symbol table info available.
(gdb)
[26 Oct 2005 14:13] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/31503
[26 Oct 2005 14:15] Per-Erik Martin
Please note that tampering directly with the mysql.proc table is not supported and is not likely to work in general.
[26 Oct 2005 15:14] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/31506
[25 Nov 2005 16:15] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/32719
[6 Dec 2005 14:29] Per-Erik Martin
Pushed to 5.0.17 bk.

If the mysql.proc table is at all mentioned in the documentation, it should perhaps be pointed out that it should not be manipulated directly. (If it doesn't say so already.)
[8 Dec 2005 23:38] Paul DuBois
Noted in 5.0.17 changelog.

Put a note about manual proc table manipulation
in the stored routines chapter.