Bug #45562 MySQL command-line client crashes intermittently
Submitted: 17 Jun 2009 16:35 Modified: 8 Sep 2009 14:26
Reporter: Brock Tice
Status: Closed
Category: MySQL Server: Command-line Clients   Severity: S2 (Serious)
Version: 5.1.35   OS: Linux (CentOS 5 amd64)
Assigned to:   CPU Architecture: Any

[17 Jun 2009 16:35] Brock Tice
Description:
The 'mysql' client intermittently segfaults after I supply login credentials, i.e.:

-----
ubuntu@domU-12-31-36-00-39-31:/mnt/ebs1/opt/src/mysql-5.1.35$ mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.1.35-debug Source distribution

Segmentation fault (core dumped)
-----

Here's the backtrace:

GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) set args -u root -p
(gdb) run
Starting program: /mnt/ebs1/opt/bin/mysql -u root -p
[Thread debugging using libthread_db enabled]
Enter password: 
[New Thread 0x7f98d23c06f0 (LWP 17559)]
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.1.35-debug Source distribution

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f98d23c06f0 (LWP 17559)]
0x0000000000420c89 in term_alloc (el=0x680360, t=0x441ba0, cap=0xffffffffda3c9d10 <Address 0xffffffffda3c9d10 out of bounds>) at term.c:396
396		if (cap == NULL || *cap == '\0') {
Current language:  auto; currently c
(gdb) backtrace
#0  0x0000000000420c89 in term_alloc (el=0x680360, t=0x441ba0, cap=0xffffffffda3c9d10 <Address 0xffffffffda3c9d10 out of bounds>) at term.c:396
#1  0x000000000042249e in term_set (el=0x680360, term=0x7fffda3cc8c7 "xterm-color") at term.c:959
#2  0x0000000000420b34 in term_init (el=0x680360) at term.c:358
#3  0x0000000000429604 in el_init (prog=0x7fffda3cc873 "/mnt/ebs1/opt/bin/mysql", fin=0x7f98d0eed6a0, fout=0x7f98d0eed780, ferr=0x7f98d0eed860) at el.c:83
#4  0x0000000000419162 in rl_initialize () at readline.c:264
#5  0x000000000041b2e3 in read_history (filename=0x67fe40 "/home/ubuntu/.mysql_history") at readline.c:1129
#6  0x0000000000415fdf in main (argc=4, argv=0x664110) at mysql.cc:1190
(gdb) quit

How to repeat:
1) Download release tarball of 5.1.35
2) Configure on Ubuntu 8.04 LTS Server x86_64 using the following options:

./configure --prefix=/mnt/ebs1/opt/ --enable-assembler --with-mysqld-user=ubuntu --with-plugins=innobase,myisam --with-debug

3) Build and follow the normal MySQL set-up for first-time installation (if you haven't already)
4) Start the server
5) Attempt to connect using the 'mysql' command-line client
6) A crash will intermittently occur after you enter your password, because it depends on just which variety of garbage the uninitialized variable happens to get.

Suggested fix:
I am a bit naïve about the source code, but I was able to get things to work fine simply by commenting out the line "area = buf" on line 914 of term.c.

The result is that area is passed NULL, and the receiving function, term_alloc, checks for that and handles it appropriately. It does not handle cases where the passed variable is full of garbage.
[18 Jun 2009 5:56] Sveta Smirnova
Thank you for the report.

> Server version: 5.1.35-debug Source distribution

Please provide configure options you used.
[18 Jun 2009 11:15] Brock Tice
The configure options are already provided in the bug report under steps to reproduce.
[22 Jun 2009 17:00] MySQL Verification Team
I couldn't repeat on Ubuntu 32-bit:

miguel@lara:~/dbs/5.1$ bin/mysql -uroot --port=3308
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.1.37-debug Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| test               |
+--------------------+
3 rows in set (0.00 sec)
[27 Jun 2009 19:02] Deek Starr
This continues to occur on 2.6.27-14-server (64bit)
./bin/mysql --defaults-file=./mysql.conf -uroot -p mysql
or 
./bin/mysql --no-defaults --socket=./mysql.sock -u root -p

--Prompts for root password.
Then:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.1.35 Source distribution

Segmentation fault
[30 Jul 2009 11:46] Valeriy Kravchuk
Please, try to repeat with client from a newer version, 5.1.36, and inform about the results.
[19 Aug 2009 6:22] Alina Dian
Same problem.

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 5.1.37 Source distribution

Segmentation fault

CentOS 5.3 Host: x86_64-linux-gnu
Configure command: ./configure '--with-extra-charsets=all' '--with-plugins=all' '--with-ssl=/usr/lib64' '--with-named-curses-libs=/usr/lib64/libncurses.so.5'
[30 Aug 2009 23:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[31 Aug 2009 7:28] Sveta Smirnova
Alina,

thank you for the feedback. Which version of ncurses do you use?
[31 Aug 2009 7:32] Sveta Smirnova
Please also run mysql under gdb and provide us backtrace after it fails.
[8 Sep 2009 14:26] Brock Tice
I have compiled version 5.1.38 with the same configuration, and this issue appears to be resolved. However, this was on a different Linux distribution (CentOS 5)
[5 Aug 2010 20:37] Bart Kedryna
I have the same problem with mysql 5.1.49 on 64-bit SUSE x86_64 (Intel Xeon processor).

The suggested fix by Brock Tice (commenting line 914) did not solve the problem for me, so I dug in. The issue is that function term_set allocates a char buffer, doesn't do anything with it so it contains junk, and passes it to function term_alloc as a const pointer. Function term_alloc then tries to read the contents of this pointer and is segfaulting. I am not sure why but suspect the 'const' part has something to do with it - initializing this buffer with spaces and reading it works fine in term_set, but still segfaults in term_alloc, even though nothing was done to this buffer other than making the pointer to it 'const'.

Regardless, the fix is easy. Since this buffer is not even initialized, it doesn't contain anything useful, and since it's passed to term_alloc as const, it can't be written to by term_alloc. This means this buffer is completely unnecessary. The fix is to completely comment it out (line 904) and set the area pointer to NULL instead of buf (line 914):

904://      char buf[TC_BUFSIZE];
914:        area = NULL;

Now simply delete client/mysql and execute 'make' again. Works like a charm.
[25 Nov 2010 15:15] Werner Ott
This bug seems to (reproducibly) boil down to the gcc compiler version used.

Still in 5.1.51, the mysql client segfaults after supplying the credentials (as described above), at least when it was compiled with gcc 4.3.x on openSUSE 11.0 or 11.1.

For the sake of completeness, although from my point of view irrelevant, these are the settings used when compiling:

CPPFLAGS="-m64" LDFLAGS="-L/lib64 -L/usr/lib64 -L/usr/lib -m64"  CFLAGS="-O3 -m64" CXX=gcc \
 CXXFLAGS="-O3 -felide-constructors -fno-exceptions -fno-rtti -m64" \
 ./configure --quiet \
 --enable-local-infile \
 --enable-shared \
 --enable-static \
 --enable-thread-safe-client \
 --exec-prefix=/usr \
 --infodir=/usr/share/info \
 --libdir=/usr/lib64 \
 --localstatedir=/home/mysql \
 --mandir=/usr/share/man \
 --prefix=/usr \
 --sysconfdir=/etc \
 --with-comment="built 25 NOV 2010 on 2.6.27.7-9-default; gcc 4.3.2; libncurses 5.6" \
 --with-extra-charsets=complex \
 --with-mysqld-user=mysql \
 --with-named-curses-libs=/lib64/libncurses.so.5.6 \
 --with-plugins=innobase \
 --with-tcp-port=3306

Running the client:
 $ gdb /usr/bin/mysql
 Starting program: /usr/bin/mysql
 [Thread debugging using libthread_db enabled]
 (gdb) run -uroot -pMYPASS
 Starting program: /usr/bin/mysql -uroot -pMYPASS

 [Thread debugging using libthread_db enabled]
 Welcome to the MySQL monitor.  Commands end with ; or \g.
 Your MySQL connection id is 7
 Server version: 5.1.51 built 25 NOV 2010 on Linux 2.6.27.7-9-default; gcc 4.3.2; libncurses 5.6

 Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
 This software comes with ABSOLUTELY NO WARRANTY. This is free software,
 and you are welcome to modify and redistribute it under the GPL v2 license

 Program received signal SIGSEGV, Segmentation fault.
 0x000000000041fdc2 in term_alloc ()
 Current language:  auto; currently asm

The backtrace then shows:
 #0  0x000000000041fdc2 in term_alloc ()
 #1  0x0000000000421325 in term_set ()
 #2  0x0000000000421600 in term_init ()
 #3  0x0000000000426bae in el_init ()
 #4  0x0000000000419671 in rl_initialize ()
 #5  0x000000000041a2bd in read_history ()
 #6  0x0000000000413dd8 in main ()

Running a mysql client compiled with gcc 4.2.x on the exact same machine does NOT segfault. This strongly points into the direction of a GCC compiler incompatibility. Regardless of which configure settings were used, a gcc 4.3.x compiled binary always crashes.

This bug should therefore not be closed.
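An added C example for triaging the faulting pointer in the first backtrace; this is not part of the bug report and not code from the MySQL or libedit sources. In frame #0, gdb reports cap=0xffffffffda3c9d10 as out of bounds, while frame #1 holds a valid stack pointer, term=0x7fffda3cc8c7, whose low 32 bits sit in the same neighbourhood. A value whose upper 32 bits are all ones and whose lower 32 bits match a live stack address is the shape a 64-bit pointer takes after being passed through a 32-bit int and sign-extended back, which is what happens on x86_64 when a pointer-returning function is called with no prototype in scope (older compilers only warn about this, which would also fit the compiler-version dependence reported in the comment above). Whether that is the actual cause of this crash is an assumption; the code below only checks whether the two numbers from the backtrace are arithmetically consistent with it, and reconstructs the address cap would have had before truncation.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Value of `cap` reported by gdb in frame #0 of the first backtrace. */
#define BAD_CAP   0xffffffffda3c9d10ULL
/* A pointer known to be valid in frame #1 of the same backtrace (`term`). */
#define GOOD_TERM 0x00007fffda3cc8c7ULL

/* What a 64-bit pointer becomes when it is returned through a function the
 * compiler believes returns `int`: only the low 32 bits survive, and the
 * later conversion back to a pointer sign-extends them to 64 bits. */
uint64_t truncate_through_int(uint64_t ptr)
{
    int32_t as_int = (int32_t)(uint32_t)ptr;   /* keep the low 32 bits */
    return (uint64_t)(int64_t)as_int;           /* sign-extend to 64 bits */
}

/* Check whether `bad` looks like a pointer mangled that way, using
 * `reference`, a pointer known to be valid in the same region (here the
 * stack), to supply the high 32 bits that were lost. On a match the
 * reconstructed original address is stored in *candidate and 1 is
 * returned; otherwise 0. This is a consistency check, not proof. */
int explain_as_truncated(uint64_t bad, uint64_t reference, uint64_t *candidate)
{
    /* A pointer mangled this way always lands in the top 4 GiB: bit 31 of
     * the original was set, so bits 32..63 are all ones after extension.
     * No user-space pointer on x86_64 lives there, so anything else is
     * not this failure mode (0x10 or NULL, for example, are not). */
    if ((bad >> 32) != 0xffffffffULL)
        return 0;

    uint64_t c = (reference & 0xffffffff00000000ULL) | (bad & 0xffffffffULL);

    /* Self-check: the reconstructed address must reproduce `bad` exactly
     * when pushed through the same int round trip. */
    if (truncate_through_int(c) != bad)
        return 0;

    *candidate = c;
    return 1;
}

int main(void)
{
    uint64_t cand = 0;

    if (explain_as_truncated(BAD_CAP, GOOD_TERM, &cand)) {
        /* The candidate lies below `term` on the stack (the stack grows
         * down), which is where a local buffer in a deeper frame such as
         * term_set's would be. */
        printf("0x%016" PRIx64 " is consistent with 0x%016" PRIx64
               " truncated to int, %" PRIu64 " bytes below `term`\n",
               (uint64_t)BAD_CAP, cand, (uint64_t)GOOD_TERM - cand);
    } else {
        puts("not a truncated-pointer pattern");
    }
    return 0;
}
```

Run against the backtrace values, the reconstruction yields 0x00007fffda3c9d10, 11191 bytes below the argv string in frame #1, which is plausible for a buffer in a deeper stack frame. If a build shows the same crash, compiling the client with `-Wimplicit-function-declaration -Wint-conversion` (or a compiler that treats those as errors) and checking which header declares the termcap functions is the cheap way to confirm or rule out the hypothesis; the arithmetic alone cannot.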
[18 Mar 2011 13:52] Paul Hoffman
I had the same problem with RHEL5 using gcc 4.5.2 and mysql source code 5.1.54
Changing lines 904 and 914 in term.c in the mysql source seemed to fix the client segfault issue.