Bug #54488 | crash when using explain and prepared statements with subqueries | ||
---|---|---|---|
Submitted: | 14 Jun 2010 15:15 | Modified: | 20 Nov 2010 2:43 |
Reporter: | Shane Bester (Platinum Quality Contributor) | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Optimizer | Severity: | S1 (Critical) |
Version: | 5.0.91, 5.0.92-bzr, 5.1.47, 5.1.49-bzr, 5.5.3 | OS: | Any |
Assigned to: | Sergei Glukhov | CPU Architecture: | Any |
[14 Jun 2010 15:15]
Shane Bester
[14 Jun 2010 15:22]
Valeriy Kravchuk
Verified just as described: valeriy-kravchuks-macbook-pro:5.0 openxs$ bin/mysql -uroot test Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 2 Server version: 5.0.92-debug Source distribution Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql> drop table if exists `t1`; Query OK, 0 rows affected (0.00 sec) mysql> create table `t1`(`a` int)engine=myisam; Query OK, 0 rows affected (0.00 sec) mysql> insert into `t1` values (1),(1); Query OK, 2 rows affected (0.00 sec) Records: 2 Duplicates: 0 Warnings: 0 mysql> prepare `stmt` from 'explain '> select 1 from `t1` '> where(select(select 1 from `t1` group by `a`))'; Query OK, 0 rows affected (0.01 sec) Statement prepared mysql> execute `stmt` ; ERROR 2013 (HY000): Lost connection to MySQL server during query mysql> 100614 18:20:42 mysqld restarted
[14 Jun 2010 15:24]
Valeriy Kravchuk
Stack trace is: Version: '5.1.49-debug' socket: '/tmp/mysql.sock' port: 3306 Source distribution 100614 18:23:25 - mysqld got signal 10 ; This could be because you hit a bug. It is also possible that this binary or one of the libraries it was linked against is corrupt, improperly built, or misconfigured. This error can also be caused by malfunctioning hardware. We will try our best to scrape up some info that will hopefully help diagnose the problem, but since we have already crashed, something is definitely wrong and this may fail. key_buffer_size=8384512 read_buffer_size=131072 max_used_connections=1 max_threads=151 threads_connected=1 It is possible that mysqld could use up to key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 337725 K bytes of memory Hope that's ok; if not, decrease some variables in the equation. thd: 0x101c618 Attempting backtrace. You can use the following information to find out where mysqld died. If you see no messages after this, something went terribly wrong... stack_bottom = 0xb026af64 thread_stack 0x30000 0 mysqld 0x00580bde my_print_stacktrace + 44 1 mysqld 0x00101ae8 handle_segfault + 836 2 libSystem.B.dylib 0x940472bb _sigtramp + 43 3 ??? 0xffffffff 0x0 + 4294967295 4 mysqld 0x001ac1c7 _ZN4JOIN4execEv + 2459 5 mysqld 0x001a8795 _Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select_lex + 879 6 mysqld 0x001a8cef _Z19mysql_explain_unionP3THDP18st_select_lex_unitP13select_result + 997 7 mysqld 0x001ab4e8 _Z19mysql_explain_unionP3THDP18st_select_lex_unitP13select_result + 11230 8 mysqld 0x001abad5 _ZN4JOIN4execEv + 681 9 mysqld 0x001a8795 _Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select_lex + 879 10 mysqld 0x001a8cef _Z19mysql_explain_unionP3THDP18st_select_lex_unitP13select_result + 997 11 mysqld 0x001ab4e8 _Z19mysql_explain_unionP3THDP18st_select_lex_unitP13select_result + 11230 12 mysqld 0x001ac1c7 _ZN4JOIN4execEv + 2459 13 mysqld 0x001a8795 _Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select_lex + 879 14 mysqld 0x001a8cef _Z19mysql_explain_unionP3THDP18st_select_lex_unitP13select_result + 997 15 mysqld 0x0011342e _Z15update_precheckP3THDP10TABLE_LIST + 690 16 mysqld 0x00115cb6 _Z21mysql_execute_commandP3THD + 2936 17 mysqld 0x001c0834 _ZN18Prepared_statement7executeEP6Stringb + 1112 18 mysqld 0x001c4f57 _ZN18Prepared_statement12execute_loopEP6StringbPhS2_ + 327 19 mysqld 0x001c5299 _Z22mysql_sql_stmt_executeP3THD + 491 20 mysqld 0x00115cdf _Z21mysql_execute_commandP3THD + 2977 21 mysqld 0x0011f677 _Z11mysql_parseP3THDPKcjPS2_ + 625 22 mysqld 0x0012044d _Z16dispatch_command19enum_server_commandP3THDPcj + 3079 23 mysqld 0x00121878 _Z10do_commandP3THD + 666 24 mysqld 0x0010c21a handle_one_connection + 372 25 libSystem.B.dylib 0x9400c095 _pthread_start + 321 26 libSystem.B.dylib 0x9400bf52 thread_start + 34 Trying to get some variables. Some pointers may be invalid and cause the dump to abort... thd->query at 0x10b46e8 = explain select 1 from `t1` where(select(select 1 from `t1` group by `a`)) thd->thread_id=1
[14 Jun 2010 18:44]
MySQL Verification Team
prevention of exploitation is to put "max_prepared_stmt_count=0" in my.cnf
[24 Jun 2010 10:11]
Tatiana Azundris Nuernberg
(gdb) bt #0 0x00000001001bf3d9 in select_describe (join=0x1018c6438, need_tmp_table=true, need_order=true, distinct=false, message=0x0) at sql_select.cc:16475 #1 0x00000001001c1a51 in JOIN::exec (this=0x1018c6438) at sql_select.cc:1879 #2 0x00000001001be082 in mysql_select (thd=0x101836428, rref_pointer_array=0x10402b730, tables=0x10402c060, wild_num=0, fields=@0x10402b668, conds=0x0, og_num=1, order=0x0, group=0x10402c390, having=0x0, proc_param=0x0, select_options=2147764740, result=0x104023570, unit=0x10402bc38, select_lex=0x10402b560) at sql_select.cc:2517 #3 0x00000001001be5c4 in mysql_explain_union (thd=0x101836428, unit=0x10402bc38, result=0x104023570) at sql_select.cc:16824 #4 0x00000001001c0d12 in select_describe (join=0x1018c2838, need_tmp_table=false, need_order=false, distinct=false, message=0x10066b7c6 "No tables used") at sql_select.cc:16765 #5 0x00000001001c12e9 in JOIN::exec (this=0x1018c2838) at sql_select.cc:1782 #6 0x00000001001be082 in mysql_select (thd=0x101836428, rref_pointer_array=0x10402b050, tables=0x0, wild_num=0, fields=@0x10402af88, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147764740, result=0x104023570, unit=0x10402b138, select_lex=0x10402ae80) at sql_select.cc:2517 #7 0x00000001001be5c4 in mysql_explain_union (thd=0x101836428, unit=0x10402b138, result=0x104023570) at sql_select.cc:16824 #8 0x00000001001c0d12 in select_describe (join=0x104023b90, need_tmp_table=false, need_order=false, distinct=false, message=0x0) at sql_select.cc:16765 #9 0x00000001001c1a51 in JOIN::exec (this=0x104023b90) at sql_select.cc:1879 #10 0x00000001001be082 in mysql_select (thd=0x101836428, rref_pointer_array=0x10402a0d8, tables=0x10402ab38, wild_num=0, fields=@0x10402a010, conds=0x10402c560, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2416200196, result=0x104023570, unit=0x104029ae0, select_lex=0x104029f08) at sql_select.cc:2517 #11 0x00000001001be5c4 in mysql_explain_union (thd=0x101836428, unit=0x104029ae0, result=0x104023570) at sql_select.cc:16824 #12 0x00000001001281c1 in execute_sqlcom_select (thd=0x101836428, all_tables=0x10402ab38) at sql_parse.cc:5067 #13 0x000000010012a8b1 in mysql_execute_command (thd=0x101836428) at sql_parse.cc:2287 #14 0x00000001001d66af in Prepared_statement::execute (this=0x103a078c8, expanded_query=0x1034c6ec0, open_cursor=false) at sql_prepare.cc:3590 #15 0x00000001001db094 in Prepared_statement::execute_loop (this=0x103a078c8, expanded_query=0x1034c6ec0, open_cursor=false, packet=0x0, packet_end=0x0) at sql_prepare.cc:3265 #16 0x00000001001db398 in mysql_sql_stmt_execute (thd=0x101836428) at sql_prepare.cc:2528 #17 0x000000010012a8dc in mysql_execute_command (thd=0x101836428) at sql_parse.cc:2296 #18 0x0000000100133b51 in mysql_parse (thd=0x101836428, inBuf=0x104023438 "execute `stmt`", length=14, found_semicolon=0x1034c89c0) at sql_parse.cc:6013 #19 0x0000000100134acd in dispatch_command (command=COM_QUERY, thd=0x101836428, packet=0x1018ba429 "", packet_length=14) at sql_parse.cc:1254 #20 0x0000000100136121 in do_command (thd=0x101836428) at sql_parse.cc:882 (gdb) print join->select_lex->type $7 = 0x10066b57f "SUBQUERY" sql_select.cc::select_describe()::475 item_list.push_back(new Item_string(real_table->alias, strlen(real_table->alias), cs));
[20 Oct 2010 13:33]
Paul DuBois
Noted in 5.1.52, 5.5.7 changelogs. In prepared-statement mode, EXPLAIN for a SELECT from a derived table caused a server crash.
[1 Nov 2010 19:01]
Bugs System
Pushed into mysql-5.1 5.1.53 (revid:build@mysql.com-20101101184443-o2olipi8vkaxzsqk) (version source revid:build@mysql.com-20101101184443-o2olipi8vkaxzsqk) (merge vers: 5.1.53) (pib:21)
[9 Nov 2010 19:47]
Bugs System
Pushed into mysql-5.5 5.5.7-rc (revid:sunanda.menon@sun.com-20101109182959-otkxq8vo2dcd13la) (version source revid:sunanda.menon@sun.com-20101109182959-otkxq8vo2dcd13la) (merge vers: 5.5.7-rc) (pib:21)
[13 Nov 2010 16:14]
Bugs System
Pushed into mysql-trunk 5.6.99-m5 (revid:alexander.nozdrin@oracle.com-20101113155825-czmva9kg4n31anmu) (version source revid:alexander.nozdrin@oracle.com-20101113152450-2zzcm50e7i4j35v7) (merge vers: 5.6.1-m4) (pib:21)
[13 Nov 2010 16:40]
Bugs System
Pushed into mysql-next-mr (revid:alexander.nozdrin@oracle.com-20101113160336-atmtmfb3mzm4pz4i) (version source revid:vasil.dimov@oracle.com-20100629074804-359l9m9gniauxr94) (pib:21)