Bug #15658 Server crashes after creating function as empty string
Submitted: 10 Dec 2005 20:45 Modified: 24 Jan 2006 22:00
Reporter: Markus Popp
Status: Closed
Category:MySQL Server Severity:S2 (Serious)
Version:5.0.15/5.0.16/BK 5.0.18 OS:Windows (Windows, Linux)
Assigned to: Per-Erik Martin CPU Architecture:Any

[10 Dec 2005 20:45] Markus Popp
Description:
I accidentally created a User Defined Function with an empty string, which was accepted by the server. Afterwards, calling 'show function status' caused the server to crash (probably the same would occur on creating a Stored Procedure with an empty string).

How to repeat:
C:\>mysql
Enter password: *******
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5 to server version: 5.0.16-nt-max

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use test
Database changed
mysql> create function ``() returns int return 0;
Query OK, 0 rows affected (0.00 sec)

mysql> show function status;
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> 

... debug output after doing the same thing on a Linux machine with MySQL 5.0.15:

051210 21:36:13  mysqld started
051210 21:36:14  InnoDB: Started; log sequence number 0 2758377
051210 21:36:15 [Note] /opt/lampp/sbin/mysqld: ready for connections.
Version: '5.0.15'  socket: '/opt/lampp/var/mysql/mysql.sock'  port: 3306  Source distribution

Status information:

Current dir: /opt/lampp/var/mysql/
Running threads: 1  Stack size: 196608
Current locks:
lock: 0x8957f30:

lock: 0x8952cf0:

lock: 0x894e650:

lock: 0x8940d68:

lock: 0x893e0d0:

lock: 0x89394b0:

Key caches:
default
Buffer_size:      16777216
Block_size:           1024
Division_limit:        100
Age_limit:             300
blocks used:             3
not flushed:             0
w_requests:              0
writes:                  0
r_requests:              6
reads:                   3

handler status:
read_key:            0
read_next:           2
read_rnd             0
read_first:          3
write:               0
delete               0
update:              0

Table status:
Opened tables:         12
Open tables:            6
Open files:            12
Open streams:           0

Alarm status:
Active alarms:   0
Max used alarms: 1
Next alarm time: 0
mysqld got signal 11;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=16777216
read_buffer_size=258048
max_used_connections=1
max_connections=100
threads_connected=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_connections = 92783 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd=0x894b8c0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
Cannot determine thread, fp=0x42931eb8, backtrace may not be correct.
Stack range sanity check OK, backtrace follows:
0x813bae1
0x401c496c
0x81f6ac9
0x81f7017
0x81f95dd
0x817c7ca
0x817db3a
0x8192bc9
0x814dcc0
0x8154fcc
0x814c391
0x8157ab3
0x814b32f
0x401bef60
0x40350327
New value of fp=(nil) failed sanity check, terminating stack trace!
Please read http://dev.mysql.com/doc/mysql/en/Using_stack_trace.html and follow instructions on how to resolve the stack trace. Resolved
stack trace is much more helpful in diagnosing the problem, so please do 
resolve it
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0x8977758 = show function status
thd->thread_id=3
The manual page at http://www.mysql.com/doc/en/Crashing.html contains
information that should help you find out what is causing the crash.

Memory status:
Non-mmapped space allocated from system: 4052536
Number of free chunks:			 7
Number of fastbin blocks:		 0
Number of mmapped regions:		 10
Space in mmapped regions:		 47407104
Maximum total allocated space:		 0
Space available in freed fastbin blocks: 0
Total allocated space:			 3916864
Total free space:			 135672
Top-most, releasable space:		 133288
Estimated memory (with thread stack):    51656248

Number of processes running now: 0
051210 21:37:07  mysqld restarted
051210 21:37:08  InnoDB: Started; log sequence number 0 2758377
051210 21:37:08 [Note] /opt/lampp/sbin/mysqld: ready for connections.
Version: '5.0.15'  socket: '/opt/lampp/var/mysql/mysql.sock'  port: 3306  Source distribution

Suggested fix:
I think an empty string as function/procedure name could be generally prohibited.
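The gdb output above shows the crash path: store_schema_proc passes a NULL sp_name to strlen. The following is an added illustration (not MySQL source) of the two defenses a report like this calls for: rejecting empty names at creation time, as the suggested fix proposes, and refusing to dereference a missing name on the read path. The catalog structure and function names are invented for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy routine catalog standing in for mysql.proc; not MySQL code. */
#define MAX_ROUTINES 8

struct routine {
    const char *db;
    const char *name;   /* NULL models the sp_name = 0x0 seen in the backtrace */
};

struct catalog {
    struct routine rows[MAX_ROUTINES];
    size_t count;
};

/* Creation-time check ("Suggested fix"): a NULL or empty name is rejected. */
int routine_name_is_valid(const char *name)
{
    return name != NULL && name[0] != '\0';
}

/* Returns 0 on success, -1 if the name is invalid or the catalog is full. */
int create_routine(struct catalog *c, const char *db, const char *name)
{
    if (!routine_name_is_valid(name) || c->count >= MAX_ROUTINES)
        return -1;
    c->rows[c->count].db = db;
    c->rows[c->count].name = name;
    c->count++;
    return 0;
}

/* Read-time defense for SHOW FUNCTION STATUS: rows stored with a NULL name
 * (e.g. written before the check existed) are skipped instead of being
 * handed to strlen(). Returns how many rows were skipped. */
int show_function_status(const struct catalog *c, FILE *out)
{
    int skipped = 0;
    for (size_t i = 0; i < c->count; i++) {
        const struct routine *r = &c->rows[i];
        if (!routine_name_is_valid(r->name)) { skipped++; continue; }
        fprintf(out, "%s.%s (%zu chars)\n", r->db, r->name, strlen(r->name));
    }
    return skipped;
}

/* Scenario from the report: one valid routine plus one legacy row with no name. */
int demo_legacy_row(void)
{
    struct catalog c = { { { NULL, NULL } }, 0 };
    create_routine(&c, "test", "f1");
    c.rows[c.count].db = "test"; c.rows[c.count].name = NULL; c.count++;
    return show_function_status(&c, stdout);   /* 1 row skipped, no crash */
}
```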
[10 Dec 2005 23:05] MySQL Verification Team
Thank you for the bug report.

051210 20:51:30 [Note] /home/miguel/dbs/5.0/libexec/mysqld: ready for connections.
Version: '5.0.18-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
[New Thread 1131862960 (LWP 5832)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1131862960 (LWP 5832)]
0x4025fdc3 in strlen () from /lib/tls/libc.so.6
(gdb) bt full
#0  0x4025fdc3 in strlen () from /lib/tls/libc.so.6
No symbol table info available.
#1  0x0830d75b in store_schema_proc (thd=0x8e57638, table=0x8eae4b8, proc_table=0x8eb3a38, wild=0x0, full_access=true, 
    sp_user=0x4376c492 "root@localhost") at sql_show.cc:2826
        enum_idx = 1
        lex = (LEX *) 0x8e57678
        cs = (CHARSET_INFO *) 0x87baa00
        sp_name = 0x0
        definer = 0x8e78d58 "root@localhost"
        tmp_string = {Ptr = 0x0, str_length = 0, Alloced_length = 0, alloced = false, str_charset = 0x87d65e0}
        time = {year = 0, month = 0, day = 1131856552, hour = 139811678, minute = 149661360, second = 149604864, second_part = 0, 
  neg = -100 '\234', time_type = MYSQL_TIMESTAMP_DATE}
        sp_db = 0x8e78d50 "test"
<cut>
[11 Jan 2006 14:12] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/912
[19 Jan 2006 15:20] Per-Erik Martin
Pushed to bk 5.0.19.
[24 Jan 2006 22:00] Jon Stephens
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

Documented bugfix in 5.0.19 changelog. Closed.