Bug #68998 Call to SQLFreeEnv() causes crash in myodbc5w
Submitted: 18 Apr 2013 13:50 Modified: 2 Jun 2013 7:29
Reporter: david grant Email Updates:
Status: No Feedback Impact on me:
None 
Category:Connector / ODBC Severity:S3 (Non-critical)
Version:5.2.4 OS:Windows
Assigned to: Bogdan Degtyariov CPU Architecture:Any
Tags: crash, myodbc5w, ODBC, SQLFreeEnv, windows

[18 Apr 2013 13:50] david grant 
Description:
I am using MySQL ODBC connector to connect to a remote MySQL database.  The application that was using the ODBC connection crashed, and the trace from windby showed the following:

The following information was generated by WinDbg (I have highlighted the information which makes it clear that the problem was with the ODBC driver):

FAULTING_IP: 
ntdll!RtlpNtEnumerateSubKey+1b25
77bee6c3 eb12            jmp     ntdll!RtlpNtEnumerateSubKey+0x1b39 (77bee6d7)

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 77bee6c3 (ntdll!RtlpNtEnumerateSubKey+0x00001b25)
   ExceptionCode: c0000420 (Assertion failure)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 10a03dc8

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

PROCESS_NAME:  grkrngrm.exe

ADDITIONAL_DEBUG_TEXT:  
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 763d0000 kernel32

DEBUG_FLR_IMAGE_TIMESTAMP:  51018190

MODULE_NAME: myodbc5w

ERROR_CODE: (NTSTATUS) 0xc0000420 - <Unable to get error code text>

EXCEPTION_CODE: (NTSTATUS) 0xc0000420 - <Unable to get error code text>

EXCEPTION_PARAMETER1:  10a03dc8

MOD_LIST: <ANALYSIS/>

FAULTING_THREAD:  00000394

PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS

BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER:  from 77bb290d to 77bee6c3

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0e7ff424 77bb290d c0000420 10a03dc8 10a03dc0 ntdll!RtlpNtEnumerateSubKey+0x1b25
0e7ff438 77b54697 10a03dc8 5acabf89 00000000 ntdll!RtlUlonglongByteSwap+0x154bd
0e7ff478 744e3158 7497e280 00000000 74898618 ntdll!RtlDeleteCriticalSection+0x82
0e7ff4d8 744e25c1 00000000 00000000 00000000 myodbc5w!SQLForeignKeysW+0x31a64
0e7ff6e8 744bc0b0 00000004 744bc11c 7454b186 myodbc5w!SQLForeignKeysW+0x30ecd
0e7ff734 7454b22e 744b0000 0e7ff760 77b59950 myodbc5w!SQLForeignKeysW+0xa9bc
0e7ff740 77b59950 744b0000 00000000 00000000 myodbc5w!SQLForeignKeysW+0x99b3a
0e7ff760 77b7acde 7454b210 744b0000 00000000 ntdll!RtlQueryEnvironmentVariable+0x241
0e7ff7e8 77b61261 744b0000 0e7ff80c 5acab3dd ntdll!LdrRemoveLoadAsDataTable+0x5d5
0e7ff82c 76392d1f 744b0000 774f9894 0e7ff868 ntdll!LdrUnloadDll+0x4a
0e7ff83c 750b51b3 744b0000 04cdad90 774f9894 KERNELBASE!FreeLibrary+0x15
0e7ff868 750d999d 00000001 04cdad90 0000000f odbc32!SQLSetEnvAttr+0x1423
0e7ff888 0044121e 04cdad90 00000000 00000000 odbc32!SQLFreeEnv+0x57
0e7fff88 763e33aa 0284548c 0e7fffd4 77b59ef2 grkrngrm!number_portability_thread+0x20e grnumberportability.c @ 880]
0e7fff94 77b59ef2 0284548c 5acab425 00000000 kernel32!BaseThreadInitThunk+0x12
0e7fffd4 77b59ec5 00441010 0284548c ffffffff ntdll!RtlInitializeExceptionChain+0x63
0e7fffec 00000000 00441010 0284548c 00000000 ntdll!RtlInitializeExceptionChain+0x36

FOLLOWUP_IP: 
myodbc5w!SQLForeignKeysW+31a64
744e3158 a1d8e29774      mov     eax,dword ptr [myodbc5w!SQLForeignKeysW+0x4ccbe4 (7497e2d8)]

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  myodbc5w!SQLForeignKeysW+31a64

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  myodbc5w.dll

STACK_COMMAND:  ~89s; .ecxr ; kb

BUCKET_ID:  WRONG_SYMBOLS

FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000420_myodbc5w.dll!SQLForeignKeysW

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/grkrngrm_exe/10_25_0_0/50f6ee29/ntdll_dll/6_1_7601_17...

Also, when I ran the .lastevent command in WinDbg, 

0:089> .lastevent
Last event: 948.394: Assertion failure - code c0000420 (first/second chance not available)
  debugger time: Thu Apr 18 14:00:13.718 2013 (UTC + 1:00)

How to repeat:
I'm not sure how this can be repeated, since at the time the application itself was not doing anything.
[19 Apr 2013 8:08] Bogdan Degtyariov 
Hi David,

Thank you for a very detailed description of the problem.
One thing is not completely clear for me though:

You application called SQLFreeEnv() function, but the call stack goes further to SQLForeignKeysW(). However, freeing the ENV handler means that all connections belonging to it are closed and DBC handlers are freed. Before the connection is closed and freed all STMT statements are to be closed and freed as well. In other words, SQLForeignKeysW() cannot be called because it works on the statement level. 

The question is how that could happen at all?

The application can leak memory if ENV is freed without releasing memory used for STMT.
There can be all sorts of side effects including crashes.

Can you check your code to make sure the deinitialization goes in three stages:

 1. All STMTs are closed and freed (SQLFreeStmt()).
 2. Then DBCs are closed and freed (SQLFreeConnect()).
 3. Only after step 1 and 2 are done it is safe to free ENV (SQLFreeEnv()).

Thanks.
[1 May 2013 16:43] Shailendra Singh 
Results of WinDbg analysis

Attachment: WinDbgAnalysis.txt (text/plain), 54.33 KiB.
[1 May 2013 16:44] Shailendra Singh 
Hi Bogdan,

I am a colleague of David, and I am working with him to determine the reason behind why our application crashes with MySQL Connector/ODBC driver.
Our application does allocate and deallocate resources as you have suggested in your comment, so I suspect that there may be problem with the Connector/ODBC driver.

I have another reason to suspect why there may be a problem with the Connector/ODBC driver. I re-ran the test, but I used the debug version of myodbc5w.dll file with all debug symbols and line numbers which you posted for Bug #68771. I could get our application to crash again, and this time I also used the myodbc5w.pdb you provided for WinDbg analysis.

The WinDbg results are attached (WinDbgAnalysis.txt) . Could you please take a look, particularly at the call stack?

Regards,
Shailendra
[2 May 2013 7:29] Bogdan Degtyariov 
Hi Shailendra,

Thanks for your comment.
First, I would like to go back to the crash in SQLFreeEnv().
You confirmed that your application does as I suggested: ENV handler is freed after DBC and STMT. If STMT is freed there is no way SQLForeignKeysW() can work normally because of an invalid handle. Needless to say that it is not documented anywhere why ODBC Driver manager (odbc32) would want to call SQLForeignKeysW() from SQLFreeEnv().

So, I guess the crash might happen because of invalid STMT handle.
Does the crash inside SQLFreeEnv() occur on a regular basis?
[14 May 2013 9:00] Bogdan Degtyariov 
One more question.
We have analyzed the stack once more and came to the conclusion that simple safe-guarding HSTMT against NULL is not going to help because the first (HSTMT) parameter is a non-NULL one:

0e7ff740 77b59950 744b0000 00000000 00000000 myodbc5w!SQLForeignKeysW+0x99b3a

Seemingly the stack leads us to using NO_I_S=1 parameter, but in order to investigate this assumption I need your confirmation. The question is: are you using the option "Don't use INFORMATION_SCHEMA for metadata"? Or NO_I_S=1 in the connection string?

Please let us know, so we could proceed with the issue resolution.
Thanks.
[3 Jun 2013 1:00] Bugs System 
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".