Bug #9568: mysql segfaults from CTRL-R

| Field | Value | Field | Value |
|---|---|---|---|
| Submitted: | 1 Apr 2005 18:00 | Modified: | 22 Apr 2005 18:51 |
| Reporter: | Matthew Lord | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Command-line Clients | Severity: | S2 (Serious) |
| Version: | 4.1.10a | OS: | Solaris (Solaris 8 and 9, 64-bit) |
| Assigned to: | Magnus Blåudd | CPU Architecture: | Any |
[1 Apr 2005 18:00]
Matthew Lord
[1 Apr 2005 18:01]
Matthew Lord
truss of the client process
Attachment: truss.out (application/octet-stream, text), 68.62 KiB.
[1 Apr 2005 18:46]
Timothy Smith
It might be useful to apply the patches from here: ftp://ftp.gnu.org/pub/gnu/readline/readline-4.3-patches/ Regards, Timothy
[6 Apr 2005 2:42]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/internals/23693
[6 Apr 2005 4:18]
Jim Winstead
This doesn't happen with 5.0 after upgrading it to readline-5.0: http://lists.mysql.com/internals/23689 (Sorry, the other linked patch mentioned the wrong Bug #.)
[14 Apr 2005 15:16]
MySQL Verification Team
Problem is present in 4.1.11 too ...
[15 Apr 2005 11:05]
Magnus Blåudd
See also Bug#2596 "MySQL Client Segmentation Fault on Solaris 9"
[18 Apr 2005 16:16]
Magnus Blåudd
This occurs in function rl_message which is defined like this:

>#if defined (USE_VARARGS)
>int
>#if defined (PREFER_STDARG)
>rl_message (const char *format, ...)
>#else
>rl_message (va_alist)
>     va_dcl
>#endif
>{
>  va_list args;
>#if defined (PREFER_VARARGS)
>  char *format;
>#endif
>
>#if defined (PREFER_STDARG)
>  va_start (args, format);
>#else
>  va_start (args);
>  format = va_arg (args, char *);
>#endif
>
>#if defined (HAVE_VSNPRINTF)
>  vsnprintf (msg_buf, sizeof (msg_buf) - 1, format, args);
>#else
>  vsprintf (msg_buf, format, args);
>  msg_buf[sizeof(msg_buf) - 1] = '\0';   /* overflow? */
>#endif
>  va_end (args);
>
>  rl_display_prompt = msg_buf;
>  (*rl_redisplay_function) ();
>  return 0;
>}
>#else /* !USE_VARARGS */
>int
>rl_message (format, arg1, arg2)
>     char *format;
>     int arg1, arg2;
>{
>  sprintf (msg_buf, format, arg1, arg2);

Since USE_VARARGS is not defined the last form is used, and since arg1 is used to receive a 64-bit pointer only half the pointer will be "received" and the rest of the pointer will be seen in arg2. If the function is changed to something like:

>rl_message (format, arg1, arg2)
>     char *format;
>     long int arg1, arg2;
>{
>  sprintf (msg_buf, format, arg1, arg2);

then arg1 will contain a valid 64-bit pointer which can be passed to sprintf. But we should aim at defining USE_VARARGS.
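The argument-width mismatch described in the comment above, as an added example that is not part of the bug report and not readline's or MySQL's own code. It models what the non-USE_VARARGS rl_message does to a 64-bit pointer read through an `int` parameter (with explicit casts, because an actual mismatched call is undefined behaviour and is the crash itself), and beside it the stdarg-and-vsnprintf shape that USE_VARARGS selects. `msg_buf`, its size of 128, the function names and the reverse-i-search prompt string are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size message buffer standing in for readline's msg_buf
 * (the size is an assumption for this example). */
#define MSG_BUF_SIZE 128
static char msg_buf[MSG_BUF_SIZE];

/* The non-USE_VARARGS rl_message receives its arguments as `int`, so when
 * the caller passes a 64-bit char* on an LP64 platform only the low 32 bits
 * reach the callee. Modelled with explicit casts: an actual mismatched call
 * is undefined behaviour and is exactly what crashes the mysql client. */
uintptr_t narrow_to_int_arg(uintptr_t p)
{
    int arg1 = (int)(uint32_t)p;            /* the callee's view of the pointer */
    return (uintptr_t)(uint32_t)arg1;       /* what sprintf("%s") would dereference */
}

/* 1 if a pointer value is unchanged after being squeezed through `int`. */
int pointer_survives_int(uintptr_t p)
{
    return narrow_to_int_arg(p) == p;
}

/* The USE_VARARGS / PREFER_STDARG shape of rl_message: a real prototype, so
 * every argument is passed and read at its own width, and vsnprintf bounds
 * the write instead of patching a terminator after a possible overflow.
 * Returns the length the full message would have, like snprintf. */
int safe_message(const char *format, ...)
{
    va_list args;
    int n;

    va_start(args, format);
    n = vsnprintf(msg_buf, sizeof(msg_buf), format, args);
    va_end(args);
    msg_buf[sizeof(msg_buf) - 1] = '\0';   /* belt and braces */
    return n;
}

const char *last_message(void)
{
    return msg_buf;
}

/* Formats `len` x's through safe_message and reports how many were stored,
 * to show truncation at the buffer edge rather than an overflow. */
size_t stored_len_for(size_t len)
{
    char big[512];

    if (len >= sizeof(big))
        len = sizeof(big) - 1;
    memset(big, 'x', len);
    big[len] = '\0';
    safe_message("%s", big);
    return strlen(msg_buf);
}

int main(void)
{
    /* Constructed stand-in for the prompt readline shows on CTRL-R. */
    char prompt[] = "(reverse-i-search)`': ";
    uintptr_t p = (uintptr_t)prompt;

    printf("sizeof(int)=%zu sizeof(char *)=%zu\n", sizeof(int), sizeof(char *));
    printf("%#lx survives an int parameter: %s\n", (unsigned long)p,
           pointer_survives_int(p) ? "yes" : "no");
    safe_message("%s%s", prompt, "mysql");
    printf("safe_message -> \"%s\"\n", last_message());
    printf("300 chars stored as %zu\n", stored_len_for(300));
    return 0;
}
```

On an LP64 build (64-bit Solaris, 64-bit Linux) `sizeof(int)` is 4 and `sizeof(char *)` is 8, so a stack or heap address with bits above 32 set does not survive `narrow_to_int_arg`; that is the pointer `sprintf` dereferences in the crashing build. On an ILP32 build the two widths agree and the old declaration happens to work, which is why the bug only appeared on the 64-bit platforms listed in the report.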
[19 Apr 2005 11:14]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/internals/24137
[20 Apr 2005 14:13]
Magnus Blåudd
Pushed to 4.1.12 and 5.0.5
[22 Apr 2005 18:51]
Paul DuBois
Noted in 4.1.12, 5.0.5 changelog.