Bug #68008 Segmentation fault in performance_schema with history size 0
Submitted: 2 Jan 2013 7:02 Modified: 14 Jan 2013 17:20
Reporter: Tianyin Xu Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Performance Schema Severity:S2 (Serious)
Version:5.5.28, 5.5.29 OS:Linux
Assigned to: Marc ALFF CPU Architecture:Any

[2 Jan 2013 7:02] Tianyin Xu 
Description:
Hi, 

I encountered the server crash due to segmentation fault when I tried to disable "performance_schema_events_waits_history_size", i.e., "performance_schema_events_waits_history_size = 0".

The error message is:
Segmentation fault (core dumped)

I tried to figure out which configuration combination caused this problem, and found as long as I had the following combination, the server crashes due to segfault:

loose-enable-performance-schema
performance_schema_events_waits_history_size=0 

The back-trace from GDB is:

(gdb) r
Starting program: /home/tianyin/mysql-5.5.28/usr/local/mysql/bin/mysqld 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff6793700 (LWP 13313)]
[Thread 0x7ffff6793700 (LWP 13313) exited]

Program received signal SIGSEGV, Segmentation fault.
0x000000000086ba92 in copy_events_waits (dest=0x0, source=0x7fffdb8352e8) at /home/tianyin/source_code/mysql-5.5.28/storage/perfschema/pfs_events_waits.cc:86
86	  memcpy(dest, source, sizeof(PFS_events_waits));

(gdb) bt
#0  0x000000000086ba92 in copy_events_waits (dest=0x0, source=0x7fffdb8352e8) at /home/tianyin/source_code/mysql-5.5.28/storage/perfschema/pfs_events_waits.cc:86
#1  0x000000000086bb59 in insert_events_waits_history (thread=0x7fffdb835208, wait=0x7fffdb8352e8)
    at /home/tianyin/source_code/mysql-5.5.28/storage/perfschema/pfs_events_waits.cc:106
#2  0x000000000086ac5d in end_mutex_wait_v1 (locker=0x7fffdb8352d8, rc=0) at /home/tianyin/source_code/mysql-5.5.28/storage/perfschema/pfs.cc:1627
#3  0x0000000000845f8b in inline_mysql_mutex_lock (that=0x10f5760, src_file=0xb0d588 "/home/tianyin/source_code/mysql-5.5.28/mysys/my_open.c", src_line=137)
    at /home/tianyin/source_code/mysql-5.5.28/include/mysql/psi/mysql_thread.h:621
#4  0x000000000084621c in my_register_filename (fd=7, FileName=0x7fffffffd990 "/home/tianyin/mysql-5.5.28/usr/local/mysql/share/english/errmsg.sys", 
    type_of_file=FILE_BY_OPEN, error_message_number=29, MyFlags=0) at /home/tianyin/source_code/mysql-5.5.28/mysys/my_open.c:137
#5  0x000000000084604e in my_open (FileName=0x7fffffffd990 "/home/tianyin/mysql-5.5.28/usr/local/mysql/share/english/errmsg.sys", Flags=0, MyFlags=0)
    at /home/tianyin/source_code/mysql-5.5.28/mysys/my_open.c:52
#6  0x00000000006e2759 in inline_mysql_file_open (key=9, src_file=0xaa1010 "/home/tianyin/source_code/mysql-5.5.28/sql/derror.cc", src_line=119, 
    filename=0x7fffffffd990 "/home/tianyin/mysql-5.5.28/usr/local/mysql/share/english/errmsg.sys", flags=0, myFlags=0)
    at /home/tianyin/source_code/mysql-5.5.28/include/mysql/psi/mysql_file.h:1046
#7  0x00000000006e2bb1 in read_texts (file_name=0xaa1000 "errmsg.sys", language=0xa4ee60 "english", point=0x7fffffffdde0, error_messages=728)
    at /home/tianyin/source_code/mysql-5.5.28/sql/derror.cc:116
#8  0x00000000006e2a16 in init_errmessage () at /home/tianyin/source_code/mysql-5.5.28/sql/derror.cc:70
#9  0x0000000000548070 in init_common_variables () at /home/tianyin/source_code/mysql-5.5.28/sql/mysqld.cc:3360
#10 0x0000000000549636 in mysqld_main (argc=30, argv=0x10fbe48) at /home/tianyin/source_code/mysql-5.5.28/sql/mysqld.cc:4397
#11 0x0000000000543f24 in main (argc=1, argv=0x7fffffffe1d8) at /home/tianyin/source_code/mysql-5.5.28/sql/main.cc:25

How to repeat:
Add the following two lines in the configuration file my.cnf,

#/etc/mysql/my.cnf
loose-enable-performance-schema
performance_schema_events_waits_history_size=0

then start the mysqld, and you can see the segfault:

$ ./bin/mysqld
Segmentation fault (core dumped)

Suggested fix:
It seems to me that "performance_schema_events_waits_history_size=0" is not expected which causes null pointer dereferencing in "copy_events_waits".

I suggest either to check the pointer in the "copy_events_waits" function or abandon the settings like "performance_schema_events_waits_history_size=0" in the parsing functions.
[2 Jan 2013 7:13] MySQL Verification Team 
5.6.9 is not affected.
5.5.30 stack trace:

mysqld.exe!copy_events_waits  Line 87
mysqld.exe!insert_events_waits_history  Line 108
mysqld.exe!end_mutex_wait_v1  Line 1628
mysqld.exe!inline_mysql_mutex_lock  Line 623
mysqld.exe!my_open_osfhandle  Line 61
mysqld.exe!my_win_sopen  Line 263
mysqld.exe!my_win_open  Line 276
mysqld.exe!my_open  Line 45
mysqld.exe!inline_mysql_file_open  Line 1046
mysqld.exe!read_texts  Line 119
mysqld.exe!init_errmessage  Line 71
mysqld.exe!init_common_variables  Line 3360
mysqld.exe!win_main  Line 4397
mysqld.exe!mysql_service  Line 4678
mysqld.exe!mysqld_main  Line 4871
mysqld.exe!main  Line 26
mysqld.exe!__tmainCRTStartup  Line 278
mysqld.exe!mainCRTStartup  Line 189	C
kernel32.dll!BaseThreadInitThunk
ntdll.dll!RtlUserThreadStart
[10 Jan 2013 13:34] Erlend Dahl 
Bug#68009 was marked as a duplicate.
[14 Jan 2013 17:20] Paul DuBois 
Noted in 5.5.30 changelog.

Configuring the server with
performance_schema_events_waits_history_size=0 andperformance_schema_events_waits_history_long_size=0 could cause a
Performance Schema segmentation fault.