Bug #34726 open_tables() crashes server if running with --debug
Submitted: 21 Feb 2008 14:14    Modified: 15 Apr 2008 2:23
Reporter: Guilhem Bichot
Status: Closed
Category: MySQL Server    Severity: S3 (Non-critical)
Version: 5.1, 6.0-bk    OS: Any
Assigned to:    CPU Architecture: Any

[21 Feb 2008 14:14] Guilhem Bichot
Description:
At the end of open_tables() (sql/sql_base.cc) if there was an error we come here:
 err:
  thd_proc_info(thd, 0);
  free_root(&new_frm_mem, MYF(0));              // Free pre-alloced block

thd_proc_info(thd, 0) is wrong: it causes the 0 to be dereferenced as a string pointer in the DBUG_PRINT of set_thd_proc_info() (which thd_proc_info() calls).
Please grep for all places where thd_proc_info() is used with 0 or NULL, and the same for set_thd_proc_info().
It is annoying as it prevents using --debug in this case.
Bug seems to be in 5.1 too.

How to repeat:
run with --debug, provoke a failure in open_tables().
[21 Feb 2008 14:25] Guilhem Bichot
Correction: we come to label "err:" even in non-error cases. So the
  DBUG_PRINT("proc_info", ("%s:%d  %s", calling_file, calling_line, info));
of set_thd_proc_info() is called with "info" being NULL.
It does not crash on my Linux (because %s here prints "(null)"); Windows has this nice behaviour too:
http://msdn2.microsoft.com/en-us/library/hf4y5e3w(VS.71).aspx
but on Solaris 10 Sparc 64 bit we see a segmentation fault, which prevents using --debug.
[3 Mar 2008 17:31] Chad MILLER
$ grep thd_proc_info */* |egrep '(NULL|0)'
sql/item_func.cc:  thd_proc_info(thd, 0);
sql/item_func.cc:  thd_proc_info(thd, 0);
sql/lock.cc:    thd_proc_info(thd, 0);
sql/lock.cc:  thd_proc_info(thd, 0);
sql/log_event.cc:  thd_proc_info(thd, 0);
sql/log_event.cc:  thd_proc_info(thd, 0);
sql/repl_failsafe.cc:  thd_proc_info(thd, 0);
sql/sp_head.cc:  thd_proc_info(thd, 0);
sql/sql_base.cc:    thd_proc_info(thd, 0);
sql/sql_base.cc:  thd_proc_info(thd, 0);
sql/sql_base.cc:  thd_proc_info(thd, 0);
sql/sql_base.cc:  thd_proc_info(thd, 0);
sql/sql_insert.cc:    thd_proc_info(&(di->thd), 0);
sql/sql_insert.cc:  thd_proc_info(&thd, 0);
sql/sql_parse.cc:  thd_proc_info(thd, 0);
sql/sql_parse.cc:  thd_proc_info(thd, 0);
sql/sql_repl.cc:  thd_proc_info(thd, 0);
sql/sql_repl.cc:  thd_proc_info(thd, 0);
[5 Mar 2008 16:25] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/43475

ChangeSet@1.2523, 2008-03-05 11:23:58-05:00, cmiller@zippy.cornsilk.net +1 -0
  Bug#34726: open_tables() crashes server if running with --debug
  
  The DBUG code emits the current value of the proc_info member of THD,
  which may be set to NULL.  It was wrong to dereference that value
  with the format string %s without verifying that it was valid.
  
  Now, insert an inline test that substitutes the string "(null)" for
  NULL pointers.
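As an added illustration (not MySQL's code and not part of the commit above), here is a minimal model of set_thd_proc_info() showing the defect and the fix the ChangeSet describes: the "%s:%d  %s" debug line is formatted from a possibly NULL proc_info, and a small inline test substitutes "(null)" so the format never dereferences a null pointer. The THD struct, the thd_proc_info macro and the captured debug buffer are simplifications assumed for the example.

```c
/* Added example, not from the MySQL source tree: models the proc_info
 * debug print from Bug#34726 with the "(null)" substitution applied. */
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the server's THD; only the member the bug touches. */
typedef struct {
    const char *proc_info;   /* NULL when no stage is being reported */
} THD;

/* The last debug line, captured here instead of the DBUG trace file. */
static char dbug_line[256];

/* The fix: a NULL pointer is printed as "(null)" rather than passed to %s.
 * glibc happens to do this on its own; Solaris libc does not, hence the
 * segmentation fault described in the report. */
static const char *safe_str(const char *s)
{
    return s ? s : "(null)";
}

/* Models set_thd_proc_info(): emits the "%s:%d  %s" debug line, stores the
 * new stage and returns the previous one. Signature is an assumption. */
const char *set_thd_proc_info(THD *thd, const char *info,
                              const char *calling_file, int calling_line)
{
    const char *old_info = thd->proc_info;
    snprintf(dbug_line, sizeof dbug_line, "%s:%d  %s",
             safe_str(calling_file), calling_line, safe_str(info));
    thd->proc_info = info;
    return old_info;
}

/* Assumed wrapper, mirroring how thd_proc_info() calls set_thd_proc_info(). */
#define thd_proc_info(thd, msg) \
    set_thd_proc_info((thd), (msg), __FILE__, __LINE__)

const char *last_dbug_line(void) { return dbug_line; }

int main(void)
{
    THD thd = { NULL };
    thd_proc_info(&thd, "Opening tables");
    thd_proc_info(&thd, 0);      /* the "err:" label case from open_tables() */
    puts(dbug_line);             /* ends in "(null)" instead of crashing */
    return 0;
}
```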
[5 Mar 2008 22:15] Chad MILLER
Queued to 5.1-build and 6.0-build.
[27 Mar 2008 22:03] Bugs System
Pushed into 5.1.24-rc
[28 Mar 2008 11:10] Bugs System
Pushed into 6.0.5-alpha
[15 Apr 2008 2:23] Paul DuBois
Noted in 5.1.24, 6.0.5 changelogs.

A server running with the --debug option could attempt to dereference
a null pointer when opening tables, resulting in a crash.