Bug #54478 | mysqld crashes during boot when running mtr with --debug option | ||
---|---|---|---|
Submitted: | 14 Jun 2010 8:23 | Modified: | 17 Nov 2010 1:23 |
Reporter: | Olav Sandstå | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: General | Severity: | S3 (Non-critical) |
Version: | 5.5.5,5.6.99 | OS: | Solaris |
Assigned to: | Olav Sandstå | CPU Architecture: | Any |
[14 Jun 2010 8:23]
Olav Sandstå
[15 Jun 2010 7:37]
Sveta Smirnova
Thank you for the report. Verified as described.
[15 Jun 2010 7:38]
Sveta Smirnova
Looks like duplicate of bug #52884
[15 Jun 2010 7:39]
Sveta Smirnova
Backtrace: /users/ssmirnova/src/mysql-trunk-bugfixing/sql/mysqld:0x1044e40 /users/ssmirnova/src/mysql-trunk-bugfixing/sql/mysqld:_db_doprnt_+0x188 /users/ssmirnova/src/mysql-trunk-bugfixing/sql/mysqld:__1cUfill_schema_schemata6FpnDTHD_pnKTABLE_LIST_pnEItem__i_+0x118 /users/ssmirnova/src/mysql-trunk-bugfixing/sql/mysqld:__1cYget_schema_tables_result6FpnEJOIN_nXenum_schema_table_state__b_+0x334 /users/ssmirnova/src/mysql-trunk-bugfixing/sql/mysqld:__1cEJOINEexec6M_v_+0x888 /users/ssmirnova/src/mysql-trunk-bugfixing/sql/mysqld:__1cbEsubselect_single_select_engineEexec6M_i_+0x604 /users/ssmirnova/src/mysql-trunk-bugfixing/sql/mysqld:__1cOItem_subselectEexec6M_b_+0x9c /users/ssmirnova/src/mysql-trunk-bugfixing/sql/mysqld:__1cYItem_singlerow_subselectHval_int6M_x_+0x58 /users/ssmirnova/src/mysql-trunk-bugfixing/sql/mysqld:__1cWItem_func_set_user_varFcheck6Mb_b_+0x130 /users/ssmirnova/src/mysql-trunk-bugfixing/sql/mysqld:__1cMset_var_userFcheck6MpnDTHD__i_+0x54 /users/ssmirnova/src/mysql-trunk-bugfixing/sql/mysqld:__1cRsql_set_variables6FpnDTHD_pnEList4nMset_var_base____i_+0x84 /users/ssmirnova/src/mysql-trunk-bugfixing/sql/mysqld:__1cVmysql_execute_command6FpnDTHD__i_+0x4678 /users/ssmirnova/src/mysql-trunk-bugfixing/sql/mysqld:__1cLmysql_parse6FpnDTHD_pkcIpnMParser_state__v_+0x298 /users/ssmirnova/src/mysql-trunk-bugfixing/sql/mysqld:0x220d2c /users/ssmirnova/src/mysql-trunk-bugfixing/sql/mysqld:__1cTdo_handle_bootstrap6FpnDTHD__v_+0x7c /users/ssmirnova/src/mysql-trunk-bugfixing/sql/mysqld:handle_bootstrap+0x24 /lib/libc.so.1:0xc88ac
[15 Jun 2010 7:59]
Olav Sandstå
Thanks for verifying this bug. I agree that it looks the same as reported in Bug#52884. Still, I believe this is a different bug based on that Bug#52884 is fixed/closed and that the fix for it (with revision id sergey.glukhov@sun.com-20100520063103-0cwsyi6bwh88t68f) is already present in mysql-trunk-bugfixing.
[22 Jun 2010 19:17]
Omer Barnir
triage: setting to SR55RC (needed for testing I3 - needed for testing) D2 start-up crash
[3 Sep 2010 10:22]
Olav Sandstå
Based on the stack from the core file posted in the initial bug report it seems like the crash occurs when: 1. In fill_schema_schemata() we do the following DBG trace: DBUG_PRINT("INDEX VALUES",("db_name='%s', table_name='%s'", lookup_field_vals.db_value.str, lookup_field_vals.table_value.str)); 2. This results in a call to _db_doprnt_() where the format parameter points to 0x8e0cb70 "db_name='%s', table_name='%s'" 3. In the call to DbugVfprintf() and vsnprintf() the format parameter still points to address 0x8e0cb70. 4. When vsnprintf() calls strlen() the argument to strlen is also 0x8e0cb70. So it seems like strlen() is called with a pointer to the string "db_name='%s', table_name='%s'" which should be a statically allocated. This makes it hard to understand why this should cause a segmentation fault in strlen.
[7 Sep 2010 10:24]
Olav Sandstå
The crash occurs when the following DBUG statement in fill_schema_schemata() (line 3721 in sql_show.cc) is run: DBUG_PRINT("INDEX VALUES",("db_name='%s', table_name='%s'", lookup_field_vals.db_value.str, lookup_field_vals.table_value.str)); and the value of lookup_field_vals.table_value.str is NULL. This DBUG statement eventually ends up in the following code in dbug.c: static void DbugVfprintf(FILE *stream, const char* format, va_list args) { char cvtbuf[1024]; size_t len; /* Do not use my_vsnprintf, it does not support "%g". */ len = vsnprintf(cvtbuf, sizeof(cvtbuf), format, args); (void) fprintf(stream, "%s\n", cvtbuf); } where the crash occurs in the call to vsnprintf. This crash is caused by we calling vsnprintf with a format string containing "%s" with a NULL pointer as the corresponding argument. The fix for this crash is to ensure we do not give a NULL pointer as the value for %s entries in the format string when calling DBUG_PRINT.
[7 Sep 2010 10:44]
Olav Sandstå
Test program for illustrating the vsnprintf crash
Attachment: vsnprintf-test.cc (text/x-c++src), 348 bytes.
[7 Sep 2010 10:46]
Olav Sandstå
The attached program can be used for showing that vsnprintf called with a NULL pointer argument to a %s format string can crash. This program will result in a crash on most versions of Solaris while complete without crash on most Linux versions.
[8 Sep 2010 8:38]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/117758 3204 Olav Sandstaa 2010-09-08 Fix for Bug#54478 "mysqld crashes during boot when running mtr with --debug option" The crash during boot was caused by a DBUG_PRINT statement in fill_schema_schemata() (in sql_show.cc). This DBUG_PRINT statement contained several instances of %s in the format string and for one of these we gave a NULL pointer as the argument. This caused the call to vsnprintf() to crash when running on Solaris. The fix for this problem is to ensure we do not give a NULL pointer as argument. If the variable to be printed is NULL we instead give a "(null)" string as argument. This patch also contains fixes for several other places where we gave a NULL pointer as argument to %s fields in the format string for DBUG_PRINT. These caused several individual tests to fail. @ client/mysqltest.cc Add a test for that string arguments to DBUG_PRINT() is not NULL pointers. If that is the case we instead supply a string containing "(null)". This problem caused vsnprintf() to crash on Solaris. @ mysys/mf_format.c Add a test for that string arguments to DBUG_PRINT() is not NULL pointers. If that is the case we instead supply a string containing "(null)". This problem caused vsnprintf() to crash on Solaris. @ sql/field.cc Add a test for that string arguments to DBUG_PRINT() is not NULL pointers. If that is the case we instead supply a string containing "(null)". This problem caused vsnprintf() to crash on Solaris. @ sql/handler.cc Add a test for that string arguments to DBUG_PRINT() is not NULL pointers. If that is the case we instead supply a string containing "NULL". This problem caused vsnprintf() to crash on Solaris. @ sql/sql_class.cc Add a test for that string arguments to DBUG_PRINT() is not NULL pointers. If that is the case we instead supply a string containing "(null)". This problem caused vsnprintf() to crash on Solaris. @ sql/sql_db.cc Add a test for that string arguments to DBUG_PRINT() is not NULL pointers. If that is the case we instead supply a string containing "(null)". This problem caused vsnprintf() to crash on Solaris. @ sql/sql_insert.cc Add a test for that string arguments to DBUG_PRINT() is not NULL pointers. If that is the case we instead supply a string containing "(null)". This problem caused vsnprintf() to crash on Solaris. @ sql/sql_select.cc Add a test for that string arguments to DBUG_PRINT() is not NULL pointers. If that is the case we instead supply a string containing "(null)". This problem caused vsnprintf() to crash on Solaris. @ sql/sql_show.cc Add a test for that string arguments to DBUG_PRINT() is not NULL pointers. If that is the case we instead supply a string containing "(null)". This problem caused vsnprintf() to crash on Solaris.
[9 Sep 2010 13:24]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/117878 3206 Olav Sandstaa 2010-09-09 Fix for Bug#54478 "mysqld crashes during boot when running mtr with --debug option" The crash during boot was caused by a DBUG_PRINT statement in fill_schema_schemata() (in sql_show.cc). This DBUG_PRINT statement contained several instances of %s in the format string and for one of these we gave a NULL pointer as the argument. This caused the call to vsnprintf() to crash when running on Solaris. The fix for this problem is to replace the call to vsnprintf() with my_vsnprintf() which handles that a NULL pointer is passed as argumens for %s. This patch also extends my_vsnprintf() to support %i in the format string. @ dbug/dbug.c Replace the use of vsnprintf() with my_vsnprintf(). On some platforms vsnprintf() did not handle that a NULL pointer was given as an argument. @ strings/my_vsnprintf.c Add support for %i in format string to my_vsnprintf(). @ unittest/mysys/my_vsnprintf-t.c Add unit tests for %i in format string to my_vsnprintf().
[15 Sep 2010 11:33]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/118297 3206 Olav Sandstaa 2010-09-15 Fix for Bug#54478 "mysqld crashes during boot when running mtr with --debug option" The crash during boot was caused by a DBUG_PRINT statement in fill_schema_schemata() (in sql_show.cc). This DBUG_PRINT statement contained several instances of %s in the format string and for one of these we gave a NULL pointer as the argument. This caused the call to vsnprintf() to crash when running on Solaris. The fix for this problem is to replace the call to vsnprintf() with my_vsnprintf() which handles that a NULL pointer is passed as argumens for %s. This patch also extends my_vsnprintf() to support %i in the format string. @ dbug/dbug.c Replace the use of vsnprintf() with my_vsnprintf(). On some platforms vsnprintf() did not handle that a NULL pointer was given as an argument for a %s in the format string. @ include/mysql/service_my_snprintf.h Add support for %i in format string to my_vsnprintf(). @ strings/my_vsnprintf.c Add support for %i in format string to my_vsnprintf(). @ unittest/mysys/my_vsnprintf-t.c Add unit tests for %i in format string to my_vsnprintf().
[15 Sep 2010 11:52]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/118298 3266 Olav Sandstaa 2010-09-15 [merge] Merging fix for Bug#54478 from mysql-5.5-bugfixing
[15 Sep 2010 11:58]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/118301 3288 Olav Sandstaa 2010-09-15 [merge] Merging fix for Bug#54478 from mysql-trunk-bugfixing
[15 Sep 2010 12:05]
Olav Sandstå
Pushed into mysql-5.5-bugfixing, merged to mysql-trunk-bugfixing and mysql-next-mr-bugfixing. Revision id: olav.sandstaa@oracle.com-20100915113322-io8n04jkw0o7dack
[2 Oct 2010 18:12]
Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alexander.nozdrin@oracle.com-20101002180948-852x1cuv7c6i85ea) (version source revid:alexander.nozdrin@oracle.com-20101002180857-an32jpuwzemsp4f2) (merge vers: 5.6.1-m4) (pib:21)
[2 Oct 2010 18:13]
Bugs System
Pushed into mysql-next-mr (revid:alexander.nozdrin@oracle.com-20101002181053-6iotvl26uurcoryp) (version source revid:alexander.nozdrin@oracle.com-20101002180917-h0n62akupm3z20nt) (pib:21)
[2 Oct 2010 18:16]
Bugs System
Pushed into mysql-5.5 5.5.7-rc (revid:alexander.nozdrin@oracle.com-20101002180831-590ka2tuit9qoxbb) (version source revid:alexander.nozdrin@oracle.com-20101002180831-590ka2tuit9qoxbb) (merge vers: 5.5.7-rc) (pib:21)
[12 Nov 2010 0:37]
Paul DuBois
Noted in 5.5.7, 5.6.1 changelogs. A bad DBUG_PRINT statement in fill_schema_schemata() caused server crashes on Solaris.
[13 Nov 2010 16:19]
Bugs System
Pushed into mysql-trunk 5.6.99-m5 (revid:alexander.nozdrin@oracle.com-20101113155825-czmva9kg4n31anmu) (version source revid:vasil.dimov@oracle.com-20100629074804-359l9m9gniauxr94) (merge vers: 5.6.99-m4) (pib:21)