| Bug #58900 | query_get_value crashes when result begins with dollar sign | | |
|---|---|---|---|
| Submitted: | 13 Dec 2010 12:50 | Modified: | 28 Jan 2011 15:41 | 
| Reporter: | Sven Sandberg | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | Tools: MTR / mysql-test-run | Severity: | S7 (Test Cases) | 
| Version: | 5.1+ | OS: | Any | 
| Assigned to: | Bjørn Munch | CPU Architecture: | Any | 
| Tags: | crash, query_get_value | | |
   [13 Dec 2010 13:37]
   Valeriy Kravchuk        
  Verified on 32-bit Ubuntu 10.04:

```
openxs@ubuntu:/home2/openxs/dbs/5.1/mysql-test$ ./mtr bug58900
Logging: ./mtr bug58900
101213 15:36:24 [Note] Plugin 'FEDERATED' is disabled.
MySQL Version 5.1.54
Checking supported features...
 - skipping ndbcluster
 - SSL connections supported
 - binaries are debug compiled
Collecting tests...
vardir: /home2/openxs/dbs/5.1/mysql-test/var
Checking leftover processes...
Removing old var directory...
Creating var directory '/home2/openxs/dbs/5.1/mysql-test/var'...
Installing system database...
Using server port 39254

==============================================================================

TEST                                      RESULT   TIME (ms)
------------------------------------------------------------

worker[1] Using MTR_BUILD_THREAD 300, with reserved ports 13000..13009
main.bug58900                            [ fail ]
        Test ended at 2010-12-13 15:36:29

CURRENT_TEST: main.bug58900
mysqltest got signal 11
read_command_buf at 0x80792e0 = let $x= query_get_value(SELECT * FROM t1, a, 1)
conn->name at 0x8c49818 = 
Attempting backtrace...
stack_bottom = (nil) thread_stack 0x10000
/home2/openxs/dbs/5.1/bin/mysqltest(my_print_stacktrace+0x26)[0x80636a0]
/home2/openxs/dbs/5.1/bin/mysqltest[0x805d6a8]
/home2/openxs/dbs/5.1/bin/mysqltest[0x805d6d1]
[0x195400]
/home2/openxs/dbs/5.1/bin/mysqltest(_Z23var_set_query_get_valueP10st_commandP3VAR+0x490)[0x80522ff]
/home2/openxs/dbs/5.1/bin/mysqltest(_Z9eval_exprP3VARPKcPS2_+0x2e3)[0x805271f]
/home2/openxs/dbs/5.1/bin/mysqltest(_Z7var_setPKcS0_S0_S0_+0x1bc)[0x80518dd]
/home2/openxs/dbs/5.1/bin/mysqltest(_Z6do_letP10st_command+0x1f7)[0x8056413]
/home2/openxs/dbs/5.1/bin/mysqltest(main+0xc36)[0x805e4b3]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x528bd6]
/home2/openxs/dbs/5.1/bin/mysqltest[0x804e4e1]
Writing a core file...
```
   [21 Dec 2010 12:02]
   Bugs System        
  A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/127399

```
2962 Bjorn Munch 2010-12-21
Bug #58900 query_get_value crashes when result begins with dollar sign
Generalized fix for recursive backtick
Optional arg to eval_expr telling it not to interpret
```
   [21 Dec 2010 12:03]
   Bjørn Munch        
  The backtick bug is Bug #58087.
   [11 Jan 2011 9:55]
   Bugs System        
  A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/128406

```
2966 Bjorn Munch 2011-01-11
Bug #58900 query_get_value crashes when result begins with dollar sign
Generalized fix for recursive backtick
Optional arg to eval_expr telling it not to interpret
```
   [12 Jan 2011 10:30]
   Bjørn Munch        
  Pushed to -mtr branches
   [12 Jan 2011 23:24]
   Bugs System        
  Pushed into mysql-trunk 5.6.2 (revid:bjorn.munch@oracle.com-20110112231827-w6nuz7qcr3f2zylq) (version source revid:bjorn.munch@oracle.com-20110112225756-g2nv4mukrmvnl3uz) (merge vers: 5.6.2) (pib:24)
   [12 Jan 2011 23:26]
   Bugs System        
  Pushed into mysql-5.5 5.5.9 (revid:bjorn.munch@oracle.com-20110112225418-3zw6jvo3jywfqsva) (version source revid:bjorn.munch@oracle.com-20110112223239-fep31owswretsv6w) (merge vers: 5.5.9) (pib:24)
   [12 Jan 2011 23:29]
   Bugs System        
  Pushed into mysql-5.1 5.1.55 (revid:bjorn.munch@oracle.com-20110112222953-xhso3rjm0isfgvxn) (version source revid:bjorn.munch@oracle.com-20110112222953-xhso3rjm0isfgvxn) (merge vers: 5.1.55) (pib:24)
   [14 Jan 2011 17:24]
   Paul DuBois        
  Changes to test suite. No changelog entry needed.

Description:

When a test contains a call to query_get_value, and the result begins with a dollar sign, mysqltest crashes.

Stack trace:

```
Program terminated with signal 11, Segmentation fault.
#0  0x00a24422 in __kernel_vsyscall ()
#0  0x00a24422 in __kernel_vsyscall ()
#1  0x00d7ae93 in __pthread_kill (threadid=3077695168, signo=11) at ../nptl/sysdeps/unix/sysv/linux/pthread_kill.c:64
#2  0x0806424b in my_write_core (sig=11) at stacktrace.c:333
#3  0x0805e1bb in signal_handler (sig=11) at mysqltest.cc:7816
#4  <signal handler called>
#5  0x08052644 in eval_expr (v=0x9c4e9f8, p=0x9c4ec20 "$string beginning with dollar sign", p_end=0x0, backtick=true) at mysqltest.cc:2402
#6  0x0805241c in var_set_query_get_value (command=0xbfc6c8ac, var=0x9c4e9f8) at mysqltest.cc:2363
#7  0x0805286c in eval_expr (v=0x9c4e9f8, p=0x9c4e1d8 "query_get_value SELECT * FROM t1, a, 1", p_end=0xbfc6cb90, backtick=true) at mysqltest.cc:2436
#8  0x080519e6 in var_set (var_name=0x9c4e18d "x= query_get_value(SELECT * FROM t1, a, 1)", var_name_end=0x9c4e18e "= query_get_value(SELECT * FROM t1, a, 1)", var_val=0x9c4e1d8 "query_get_value SELECT * FROM t1, a, 1", var_val_end=0x9c4e1ff "") at mysqltest.cc:2109
#9  0x08056dd7 in do_let (command=0x9c4deb8) at mysqltest.cc:4256
#10 0x0805ef8e in main (argc=11, argv=0xbfc6d374) at mysqltest.cc:8187
```

How to repeat:

```
CREATE TABLE t1 (a TEXT);
INSERT INTO t1 VALUES ('$string beginning with dollar sign');
let $x= query_get_value(SELECT * FROM t1, a, 1);
```

Suggested fix:

The problem is a NULL pointer dereference in eval_expr. When eval_expr is given a string that begins with a dollar sign, it reads what p_end points to. However, there are several calls to eval_expr that pass p_end=NULL to eval_expr.
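The following is an added C example, not the mysqltest patch itself, modelling the NULL-pointer path the description identifies and the two-part fix the commit messages describe (tolerate a NULL end pointer; an optional argument that tells eval_expr not to interpret the value). `var_t`, `lookup_var`, `eval_expr` and `var_set_query_get_value` are simplified stand-ins constructed here, not the real functions in mysqltest.cc.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of mysqltest's eval_expr (names and logic
   constructed for illustration, not copied from mysqltest.cc). A value that
   starts with '$' is a variable reference whose name length is derived from
   p_end, and some callers legitimately pass p_end = NULL. */
typedef struct { char value[128]; } var_t;

/* Constructed variable table standing in for mysqltest's variable hash. */
static const char *lookup_var(const char *name, size_t len) {
    if (len == 3 && strncmp(name, "foo", 3) == 0) return "bar";
    return "";                          /* unknown variable -> empty string */
}

/* Hardened eval_expr. Fix 1: derive the end of the string when the caller
   passes p_end = NULL instead of dereferencing it. Fix 2: a do_eval flag,
   modelling the "optional arg telling it not to interpret" from the commit
   message, so query results are stored literally rather than re-read as
   variable references. */
static void eval_expr(var_t *v, const char *p, const char *p_end, int do_eval) {
    if (p_end == NULL)
        p_end = p + strlen(p);                        /* fix 1 */
    size_t len = (size_t)(p_end - p);
    if (do_eval && len > 0 && p[0] == '$') {          /* variable reference */
        p = lookup_var(p + 1, len - 1);               /* name follows '$' */
        len = strlen(p);
    }
    if (len >= sizeof v->value) len = sizeof v->value - 1;
    memcpy(v->value, p, len);                         /* fix 2: literal copy */
    v->value[len] = '\0';
}

/* Models query_get_value storing a cell fetched from the server: the cell is
   data, not test-script syntax, so it is passed with do_eval = 0 and no end
   pointer, the call shape that crashed before the fix. */
static void var_set_query_get_value(var_t *v, const char *cell) {
    eval_expr(v, cell, NULL, 0);
}

int main(void) {
    var_t v;
    var_set_query_get_value(&v, "$string beginning with dollar sign");
    printf("%s\n", v.value);            /* stored literally, no crash */
    eval_expr(&v, "$foo", NULL, 1);
    printf("%s\n", v.value);            /* variable reference -> bar */
    return 0;
}
```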