Bug #41849 MySQL-Proxy crashes when closing a connection
Submitted: 4 Jan 2009 6:39   Modified: 3 Jun 2009 15:14
Reporter: Joshua Zhu (OCA)
Status: Closed
Category: MySQL Proxy   Severity: S1 (Critical)
Version: 0.7.0 r511   OS: Any
Assigned to: Kay Roepke   CPU Architecture: Any
Tags: Contribution

[4 Jan 2009 6:39] Joshua Zhu
Description:
# mysql-proxy -V
mysql-proxy 0.7.0
  glib2: 2.18.0
  libevent: 1.3e

The core dump,

# gdb mysql-proxy core.10423
GNU gdb Red Hat Linux (6.5-16.el5rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...Using host libthread_db library "/lib64/libthread_db.so.1".
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/local/lib/mysql-proxy/libmysql-chassis.so.0...done.
Loaded symbols for /usr/local/lib/mysql-proxy/libmysql-chassis.so.0
Reading symbols from /usr/local/lib/libgthread-2.0.so.0...done.
Loaded symbols for /usr/local/lib/libgthread-2.0.so.0
Reading symbols from /lib64/libpthread.so.0...done.
Loaded symbols for /lib64/libpthread.so.0
Reading symbols from /usr/local/lib/mysql-proxy/libmysql-proxy.so.0...done.
Loaded symbols for /usr/local/lib/mysql-proxy/libmysql-proxy.so.0
Reading symbols from /usr/local/lib/libevent-1.3e.so.1...done.
Loaded symbols for /usr/local/lib/libevent-1.3e.so.1
Reading symbols from /lib64/libnsl.so.1...done.
Loaded symbols for /lib64/libnsl.so.1
Reading symbols from /lib64/librt.so.1...done.
Loaded symbols for /lib64/librt.so.1
Reading symbols from /lib64/libresolv.so.2...done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /lib64/libm.so.6...done.
Loaded symbols for /lib64/libm.so.6
Reading symbols from /usr/local/lib/libgmodule-2.0.so.0...done.
Loaded symbols for /usr/local/lib/libgmodule-2.0.so.0
Reading symbols from /lib64/libdl.so.2...done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /usr/local/lib/libglib-2.0.so.0...done.
Loaded symbols for /usr/local/lib/libglib-2.0.so.0
Reading symbols from /lib64/libc.so.6...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /usr/local/lib/mysql-proxy/libadmin.so...done.
Loaded symbols for /usr/local/lib/mysql-proxy/libadmin.so
Reading symbols from /usr/local/lib/mysql-proxy/libproxy.so...done.
Loaded symbols for /usr/local/lib/mysql-proxy/libproxy.so
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fff5f9fd000
Core was generated by `mysql-proxy --proxy-backend-addresses=192.168.0.243:3307 --proxy-address=192.16'.
Program terminated with signal 11, Segmentation fault.
#0  IA__g_string_free (string=0x1, free_segment=1) at gstring.c:473
473           g_free (string->str);
(gdb) bt
#0  IA__g_string_free (string=0x1, free_segment=1) at gstring.c:473
#1  0x00002ab94b5bf9e6 in network_mysqld_com_init_db_result_free (udata=0x6b0830) at network-mysqld-packet.c:284
#2  0x00002ab94b5bbde3 in network_mysqld_con_free (con=0x69de60) at network-mysqld.c:307
#3  0x00002ab94b5bbf2d in network_mysqld_con_handle (event_fd=28, events=2, user_data=0x69de60) at network-mysqld.c:735
#4  0x00002ab94b7d56d9 in event_base_loop (base=0x610df0, flags=0) at event.c:331
#5  0x00002ab94b15850a in chassis_mainloop (_chas=<value optimized out>) at chassis-mainloop.c:163
#6  0x00000000004023c7 in main (argc=1, argv=0x7fff5f95cf88) at chassis.c:594

How to repeat:
Sorry, I tried to reproduce the bug, but failed. However, by reading the source code of MySQL-Proxy, I finally located where the bug lies. It seems that this bug is caused when the client closes the connection before the server (backend) sends back the query result of the COM_STMT_PREPARE command. And it is certain that *the definition of the function network_mysqld_com_stmt_prepare_result_free is missing*.

Suggested fix:
Here are my patches,

1) network-mysqld.c
--- network-mysqld.c	2008-11-07 16:36:22.000000000 +0800
+++ network-mysqld.c.new	2009-01-04 12:38:20.000000000 +0800
@@ -1138,7 +1138,7 @@
 						break;
 					case COM_STMT_PREPARE:
 						con->parse.data = network_mysqld_com_stmt_prepare_result_new();
-						con->parse.data_free = (GDestroyNotify)network_mysqld_com_init_db_result_free;
+						con->parse.data_free = (GDestroyNotify)network_mysqld_com_stmt_prepare_result_free;
 						break;
 					case COM_INIT_DB:
 						con->parse.data = network_mysqld_com_init_db_result_new();

2) network-mysqld-packet.c
--- network-mysqld-packet.c	2008-11-07 16:36:22.000000000 +0800
+++ network-mysqld-packet.c.new	2009-01-04 12:44:56.000000000 +0800
@@ -202,6 +202,12 @@
 	return udata;
 }

+void network_mysqld_com_stmt_prepare_result_free(network_mysqld_com_stmt_prepare_result_t *udata) {
+	if (!udata) return;
+
+	g_free(udata);
+}
+
 int network_mysqld_proto_get_com_stmt_prepare_result(
 		network_packet *packet, 
 		network_mysqld_com_stmt_prepare_result_t *udata) {
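Review bot: the new `network_mysqld_com_stmt_prepare_result_free` releases only the struct with `g_free(udata)`, which is correct only if `network_mysqld_com_stmt_prepare_result_new()` (the function ending just above the hunk) allocates nothing beyond the struct itself; confirm that `network_mysqld_com_stmt_prepare_result_t` holds no GString or other owned pointer, otherwise those members need freeing before `g_free`. The `if (!udata) return;` guard is good, matching the NULL tolerance callers of `con->parse.data_free` rely on. If network-mysqld-packet.h does not already declare this function, add the prototype next to the `_new` declaration so the assignment in network-mysqld.c resolves to a declared symbol.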
[4 Jan 2009 6:47] Joshua Zhu
the patch of network-mysqld.c

Attachment: network-mysqld.c.patch (application/octet-stream, text), 535 bytes.

[4 Jan 2009 6:48] Joshua Zhu
the patch of network-mysqld-packet.c

Attachment: network-mysqld-packet.c.patch (application/octet-stream, text), 458 bytes.
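The failure traced in the description (con->parse.data built by one command's _new() but released by another command's _free()) comes down to two fields that are assigned separately and can drift apart. The following C is an added example, not code from mysql-proxy or from the reporter: it models the same slot with hypothetical stand-in types and functions, takes constructor and destructor from a single table so they cannot be mismatched, and runs a consistency check over that table plus the reporter's scenario (client closes before the COM_STMT_PREPARE reply arrives) with that design in place.

```c
/* Added example (not mysql-proxy code): a parse-state slot that takes the
 * result struct AND its destructor from one table, so the pairing mistake
 * behind bug#41849 (COM_STMT_PREPARE result freed by the COM_INIT_DB
 * destructor, which g_string_free()s an int field read as a pointer) cannot
 * be written. All names are hypothetical stand-ins for the proxy's own
 * network_mysqld_com_*_result_{new,free} functions and con->parse fields. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char *db_name; } init_db_result;   /* owns a heap string */
typedef struct { int first_packet; int want_eofs; int status; } stmt_prepare_result;

static int live_allocs = 0;   /* outstanding heap objects, for the checks */
static void *init_db_result_new(void) {
    init_db_result *r = calloc(1, sizeof *r);
    r->db_name = malloc(5);
    memcpy(r->db_name, "test", 5);
    live_allocs += 2;
    return r;
}
static void init_db_result_free(void *p) {
    init_db_result *r = p;
    if (!r) return;
    free(r->db_name);   /* applied to the wrong struct this is the free(0x1) */
    free(r);
    live_allocs -= 2;
}
static void *stmt_prepare_result_new(void) {
    stmt_prepare_result *r = calloc(1, sizeof *r);
    r->first_packet = 1;   /* the value gdb reported as string=0x1 */
    live_allocs += 1;
    return r;
}
static void stmt_prepare_result_free(void *p) {
    if (!p) return;
    free(p);               /* no owned members, only the struct itself */
    live_allocs -= 1;
}

typedef enum { CMD_INIT_DB = 1, CMD_STMT_PREPARE } cmd_kind;

/* constructor and destructor for each command sit on one line */
static const struct {
    cmd_kind kind;
    void *(*ctor)(void);
    void (*dtor)(void *);
} cmd_table[] = {
    { CMD_INIT_DB,      init_db_result_new,      init_db_result_free },
    { CMD_STMT_PREPARE, stmt_prepare_result_new, stmt_prepare_result_free },
};
#define CMD_TABLE_LEN (sizeof cmd_table / sizeof cmd_table[0])
typedef struct { void *data; void (*data_free)(void *); } parse_slot; /* con->parse */

/* Fill data and data_free together; callers never assign data_free. */
int parse_slot_begin(parse_slot *s, cmd_kind kind) {
    size_t i;
    for (i = 0; i < CMD_TABLE_LEN; i++) {
        if (cmd_table[i].kind != kind) continue;
        s->data = cmd_table[i].ctor();
        s->data_free = cmd_table[i].dtor;
        return 0;
    }
    return -1;              /* unknown command: slot left untouched */
}

/* Release the slot; safe on an empty slot and when called twice. */
void parse_slot_end(parse_slot *s) {
    if (s->data && s->data_free) s->data_free(s->data);
    s->data = NULL;
    s->data_free = NULL;
}

/* Each row must free exactly what it allocated; a ctor/dtor mismatch that
 * does not crash outright shows up here as a leak. Returns 1 when all pass. */
int cmd_table_consistent(void) {
    size_t i;
    for (i = 0; i < CMD_TABLE_LEN; i++) {
        int before = live_allocs;
        void *obj = cmd_table[i].ctor();
        cmd_table[i].dtor(obj);
        if (live_allocs != before) return 0;
    }
    return 1;
}

/* The reported scenario: prepare sent, client closes before the backend
 * answers, con_free runs with the result still in the slot. Returns the
 * number of outstanding allocations afterwards (0 = clean teardown). */
int simulate_prepare_then_close(void) {
    parse_slot slot = { NULL, NULL };
    if (parse_slot_begin(&slot, CMD_STMT_PREPARE) != 0) return -1;
    parse_slot_end(&slot);
    parse_slot_end(&slot);  /* second close must be a no-op */
    return live_allocs;
}

int main(void) {
    printf("table consistent: %d, leftover after prepare+close: %d\n",
           cmd_table_consistent(), simulate_prepare_then_close());
    return 0;
}
```

The table is the point: in the proxy the `_new()` and `_free()` pair is chosen by two separate assignments inside a `switch`, and a cast to `GDestroyNotify` hides any type mismatch, which is exactly how the init_db destructor ended up on the prepare result. Keeping both function pointers in one row means a reviewer sees the pairing at a glance, and the `cmd_table_consistent()` walk can run as a unit test to catch a row whose destructor leaks what its constructor built.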

[5 Jan 2009 8:40] Kay Roepke
Thank you for your submission.
We are in the process of updating the public repository, so verifying against the current source will be easier in the future.
However, this particular problem is still present in the latest version.
[16 Jan 2009 8:32] Joshua Zhu
patch for network-mysqld.c (Bazaar revision 561)

Attachment: network-mysqld.c.patch (text/x-diff), 561 bytes.

[16 Jan 2009 8:34] Joshua Zhu
patch for network-mysqld-packet.c (Bazaar revision 561)

Attachment: network-mysqld-packet.c.patch (text/x-diff), 491 bytes.

[6 Feb 2009 13:21] Kay Roepke
the fix has been pushed as:

------------------------------------------------------------
revno: 566
author: Joshua Zhu <josh@joshua>
committer: Kay Roepke <kay@sun.com>
branch nick: trunk
timestamp: Thu 2009-02-05 19:08:18 +0100
message:
  fix bug#41849 MySQL-Proxy crashes when closing a connection using prepared statements
    ------------------------------------------------------------
    revno: 565.1.1
    committer: Joshua Zhu <josh@joshua>
    branch nick: mysql-proxy
    timestamp: Wed 2009-02-04 15:18:12 +0800
    message:
      fix bug 41849 (http://bugs.mysql.com/bug.php?id=41849)

This is available on Launchpad as lp:mysql-proxy.

Thank you for your contribution!
[3 Jun 2009 15:14] Kay Roepke
This change is included in the 0.7.1 release.