Bug #1663 Server crash if connection is closed without mysql_stmt_close call
Submitted: 25 Oct 2003 18:49 Modified: 20 Jan 2004 11:25
Reporter: Dmitri Lenev
Status: Closed
Category: Server    Severity: S2 (Serious)
Version: 4.1    OS:
Assigned to: Alexey Botchkov    Target Version:

[25 Oct 2003 18:49] Dmitri Lenev
Description:
If we have executed the prepared statement "SELECT * FROM A WHERE A.a IN (?,?,?)" (well, you
have to apply the patch that fixes Bug #1500) and then close the connection without calling
mysql_stmt_close(), the server will core dump:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 9226 (LWP 30582)]
0x081016ae in ~Item_func_in (this=0x89ba7b8) at item_cmpfunc.h:647
647       ~Item_func_in() { delete array; delete in_item; }
(gdb) bt
#0  0x081016ae in ~Item_func_in (this=0x89ba7b8) at item_cmpfunc.h:647
#1  0x08157b48 in free_items(Item*) (item=0x89ba7b8) at sql_parse.cc:1064
#2  0x08198480 in free_prep_stmt(st_prep_stmt*, TREE_FREE, void*) (stmt=0x89bc4e8, mode=free_free, not_used=0x0) at sql_prepare.cc:144
#3  0x0832adb1 in delete_tree_element (tree=0x89bb288, element=0x89bc4e8) at tree.c:184
#4  0x0832ac54 in free_tree (tree=0x89bb288, free_flags=144390992) at tree.c:145
#5  0x0832ad2b in delete_tree (tree=0x89b3b50) at tree.c:168
#6  0x0813514d in THD::cleanup() (this=0x89bc4e8) at sql_class.cc:270
#7  0x0814659d in end_thread(THD*, bool) (thd=0x89ab8b0, put_in_cache=true) at mysqld.cc:1317
#8  0x081576f5 in handle_one_connection (arg=0x89b3b50) at sql_parse.cc:964
#9  0x400261a0 in pthread_start_thread () from /lib/libpthread.so.0
#10 0x4002621f in pthread_start_thread_event () from /lib/libpthread.so.0
(gdb) 

How to repeat:
Do something like (code from tests/client_test.c with fixed bug #1500):

/* Compilable version of the reproducer; connection parameters are placeholders */
#include <stdio.h>
#include <string.h>
#include <mysql.h>

int main(void)
{
  MYSQL      *mysql;
  MYSQL_STMT *stmt;
  MYSQL_BIND bind[3];
  int        rc;
  int        int_data[3]= {2,3,4};   /* FIELD_TYPE_LONG expects a 4-byte int */
  const char *query= "SELECT i FROM test_bg1500 WHERE i IN (?,?,?)";

  /* Establish connection here (host/user/password/db are placeholders) */
  mysql= mysql_init(NULL);
  if (!mysql_real_connect(mysql, "localhost", "root", "", "test", 0, NULL, 0))
  {
    fprintf(stderr, "connect failed: %s\n", mysql_error(mysql));
    return 1;
  }

  mysql_query(mysql,"DROP TABLE IF EXISTS test_bg1500");
  mysql_query(mysql,"CREATE TABLE test_bg1500 (i INT)");
  mysql_query(mysql,"INSERT INTO test_bg1500 VALUES (1),(2)");
  mysql_commit(mysql);

  stmt= mysql_prepare(mysql, query, strlen(query));

  /* zero the bind array so unused members (length, error, ...) are defined */
  memset(bind, 0, sizeof(bind));
  bind[0].buffer= (char *)int_data;
  bind[0].buffer_type= FIELD_TYPE_LONG;
  bind[0].is_null= 0;
  bind[2]= bind[1]= bind[0];
  bind[1].buffer= (char *)(int_data + 1);
  bind[2].buffer= (char *)(int_data + 2);

  rc= mysql_bind_param(stmt, bind);

  rc= mysql_execute(stmt);

  /*
    close connection here without calling mysql_stmt_close()
    MySQL server will crash
  */
  mysql_close(mysql);
  return rc;
}

Suggested fix:
I have some suspicions but should investigate this issue more.
[26 Oct 2003 1:44] Dmitri Lenev
Actually, the crash can be reproduced even with mysql_stmt_close().
You just need to execute some query via the same connection after mysql_execute() but
before mysql_stmt_close():

  ...
  MYSQL_RES  *result;
  const char *query= "SELECT i FROM test_bg1663 WHERE i IN (?,?,?)";

  stmt= mysql_prepare(mysql, query, strlen(query));

  /* zero the bind array so unused members (length, error, ...) are defined */
  memset(bind, 0, sizeof(bind));
  bind[0].buffer= (char *)int_data;
  bind[0].buffer_type= FIELD_TYPE_LONG;
  bind[0].is_null= 0;
  bind[2]= bind[1]= bind[0];
  bind[1].buffer= (char *)(int_data + 1);
  bind[2].buffer= (char *)(int_data + 2);

  rc= mysql_bind_param(stmt, bind);

  rc= mysql_execute(stmt);

  /* any other query on the same connection before mysql_stmt_close() */
  rc = mysql_query(mysql, "SELECT * FROM test_bg1663");

  result = mysql_store_result(mysql);

  /* fetch and free the result */
  while (mysql_fetch_row(result))
    ;
  mysql_free_result(result);

  /* Server should crash here :( */
  mysql_stmt_close(stmt);

I suspect that the reason for this bug is the following:
When we are executing a prep stmt we allocate some memory in the current mem_root (in this
example in Item_func_in::fix_length_and_dec()), and put a pointer to the created object in
Item_func_in::array, which is allocated in the prep stmt memroot.
After that we execute the next query, so the memory in the current mem_root is destroyed... But
Item_func_in::array still references it, so when we do delete array; in ~Item_func_in()
we receive SIGSEGV.

Probably we will have the same problem with any Item which destroys objects allocated
during execution (in fix_fields() or in val()) in its destructor (do we have any?)...
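As an editorial addition (not part of the bug report and not MySQL source code), the following small C model replays the lifetime mismatch described in the comment above: a toy arena stands in for a mem_root, a stand-in for Item_func_in keeps a pointer into the per-query arena, and a cleanup() hook in the spirit of the fix noted at the end of the thread drops that pointer before the arena is reset. The arena type, its generation counter and all function names are constructed for the illustration; instead of dereferencing freed memory, the destructor stand-in reports whether it would have.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy arena standing in for a MySQL MEM_ROOT: everything allocated from it is
   released at once by arena_reset(). The generation counter is our own addition
   so that a stale pointer can be detected instead of dereferenced. */
#define ARENA_SLOTS 64

struct arena {
    void    *slots[ARENA_SLOTS];
    int      count;
    unsigned generation;          /* incremented on every reset */
};

/* A pointer tagged with the arena and generation it was taken from */
struct arena_ptr {
    void         *p;
    struct arena *from;
    unsigned      generation;
};

static void arena_init(struct arena *a) { memset(a, 0, sizeof *a); }

static void *arena_alloc(struct arena *a, size_t n)
{
    if (a->count >= ARENA_SLOTS) return NULL;
    void *p = calloc(1, n);
    a->slots[a->count++] = p;
    return p;
}

/* Release every allocation at once, like freeing the per-query mem_root */
static void arena_reset(struct arena *a)
{
    for (int i = 0; i < a->count; i++) free(a->slots[i]);
    a->count = 0;
    a->generation++;
}

/* 1 if the block was freed by an arena_reset() since the pointer was taken */
static int arena_ptr_is_stale(const struct arena_ptr *ap)
{
    return ap->p != NULL && ap->generation != ap->from->generation;
}

/* Stand-in for Item_func_in: the item lives as long as the prepared statement,
   but its lookup array is built at execution time (fix_length_and_dec()). */
struct item_in {
    struct arena_ptr array;
};

/* Execution allocates the array from whatever the *current* mem_root is. Here
   that is the per-query arena, which is the bug: the item outlives it. */
static void item_execute(struct item_in *it, struct arena *current_root, int nvals)
{
    it->array.p          = arena_alloc(current_root, nvals * sizeof(int));
    it->array.from       = current_root;
    it->array.generation = current_root->generation;
}

/* The cleanup() idea: drop per-execution state at the end of each execution,
   before the current mem_root is reset, so the destructor never owns it. */
static void item_cleanup(struct item_in *it)
{
    it->array.p    = NULL;
    it->array.from = NULL;
}

/* Destructor stand-in for ~Item_func_in(). Returns 1 where the real code would
   have done 'delete array' on freed memory (the SIGSEGV in the backtrace). */
static int item_destroy(struct item_in *it)
{
    int stale = arena_ptr_is_stale(&it->array);
    it->array.p = NULL;
    return stale;
}

/* Replays the sequence from the report: mysql_execute(), another mysql_query()
   that resets the per-query arena, then mysql_stmt_close(). Returns 1 if the
   destructor would have touched freed memory, 0 if not. */
static int replay_statement_lifetime(int with_cleanup)
{
    struct arena stmt_root, query_root;
    arena_init(&stmt_root);
    arena_init(&query_root);
    struct item_in *it = arena_alloc(&stmt_root, sizeof *it); /* prep stmt parse */
    item_execute(it, &query_root, 3);       /* mysql_execute(): array in current mem_root */
    if (with_cleanup)
        item_cleanup(it);                   /* end of execution */
    arena_reset(&query_root);               /* next mysql_query() frees current mem_root */
    int crashed = item_destroy(it);         /* mysql_stmt_close() / THD::cleanup() */
    arena_reset(&stmt_root);
    return crashed;
}

int main(void)
{
    printf("without cleanup(): destructor hits freed memory = %d\n", replay_statement_lifetime(0));
    printf("with cleanup():    destructor hits freed memory = %d\n", replay_statement_lifetime(1));
    return 0;
}
```

The point of the model is the ownership rule it makes visible: an object that lives in a long-lived arena must not keep, and later free, pointers into a shorter-lived one. Either allocate the per-execution data from the arena that matches the object's lifetime, or hand it back in a per-execution cleanup step so the destructor has nothing left to delete.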
[14 Dec 2003 17:02] Dmitri Lenev
See also another manifestation of this problem in bug report #2099
[14 Dec 2003 21:46] Miguel Solorzano
Dmitri, I am changing the priority from Medium to High due
to similar issues on the customer side.
[20 Jan 2004 11:25] Alexey Botchkov
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

Fixed with the big cleanup()-related changeset