Bug #11167 server crashes on select query
Submitted: 8 Jun 2005 12:19 Modified: 14 Jun 2005 2:15
Reporter: Anton K Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Optimizer Severity:S1 (Critical)
Version:4.1.11 & 4.1.12 OS:Linux (Linux)
Assigned to: Igor Babaev CPU Architecture:Any

[8 Jun 2005 12:19] Anton K
Description:
Server crashes on following select query (table structs and sample data are attached):

SELECT content FROM mom, user WHERE mom.msisdn = '79168056148';

Output from resolve_stack_dump:
0x8146ff0 handle_segfault + 656
0xffffe420 _end + -140715856

From gdb I found, that server segfault in sql_query.cc::read_cached_record()+8009:
memset(copy->str+length,' ',copy->length-length);

Workaround is changing type of `content` field in `mom` table from varchar to text.

How to repeat:
Create database & initial tables:
$ mysqladmin cr crash
$ mysql --default-character-set=utf8 crash < struct.sql

And execute SQL query from mysql client:
$ mysql --default-character-set=utf8 crash
> SELECT content FROM mom, user WHERE mom.msisdn = '79168056148';
ERROR 2013 (HY000) at line 3: Lost connection to MySQL server during query
[8 Jun 2005 12:47] Miguel Solorzano
Thank you for the bug report.

home/miguel/dbs/4.1/libexec/mysqld: ready for connections.
Version: '4.1.13-debug-log'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
[New Thread -290841680 (LWP 3804)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -290841680 (LWP 3804)]
0x0052ffd7 in memset () from /lib/tls/libc.so.6
(gdb) backtrace full
#0  0x0052ffd7 in memset () from /lib/tls/libc.so.6
No symbol table info available.
#1  0x08c4ce94 in ?? ()
No symbol table info available.
#2  0x081a37e3 in read_cached_record (tab=0x8c4ca7c) at sql_select.cc:8181
        length = 208
        pos = (
    uchar *) 0xeea50764 "м�200им�200м�200и�200о�200 им�200им�200им�200им�200 им�200идм и�200бдн�200им�200�204м�200и�200и�200им�200�204м�204мим.�220д.�224 имдим�200им�200ад.�220дим�200им�200им�200мди�200им�200им�200им�200 м.�224а�...
        last_record = false
        copy = (CACHE_FIELD *) 0x8c81ffd
        end_field = (CACHE_FIELD *) 0x8c4cea8
#3  0x0819f8b3 in flush_cached_records (join=0x8c4ba48, join_tab=0x8c4ca7c, skip_last=false) at sql_select.cc:6065
---Type <return> to continue, or q <return> to quit---
        i = 9
        select = (SQL_SELECT *) 0x0
        error = 0
        info = (READ_RECORD *) 0x8c4caa0
#4  0x0819f468 in sub_select_cache (join=0x8c4ba48, join_tab=0x8c4ca7c, end_of_records=true) at sql_select.cc:5919
        error = 538976288
#5  0x0819f555 in sub_select (join=0x8c4ba48, join_tab=0x8c4c938, end_of_records=3) at sql_select.cc:5946
        on_expr = (COND *) 0x0
        select_cond = (COND *) 0x8c4b988
        error = 147114296
        found = true
        report_error = (my_bool *) 0x8c47cc4 ""
#6  0x0819f25d in do_select (join=0x8c4ba48, fields=0x8c4c938, table=0x0, procedure=0x20202020) at sql_select.cc:5864
        join_tab = (JOIN_TAB *) 0x8c4c938
---Type <return> to continue, or q <return> to quit---
        end_select = (int (*)(JOIN *, st_join_table *, bool)) 0x81a05a6 <end_send>
        _db_func_ = 0x8c4ba48 ' ' <repeats 200 times>...
        _db_file_ = 0x8c4c2c0 ' ' <repeats 200 times>...
        error = 0
        _db_level_ = 147093040
        _db_framep_ = (char **) 0xeeaa0b38
#7  0x08194d4c in JOIN::exec (this=0x8c4ba48) at sql_select.cc:1480
        _db_func_ = 0xeeaa0b78 "�v�213\030\031\b\bu�b\030w�b7�b"
        _db_file_ = 0x819518e "\203�\205�017\205\200"
        curr_join = (JOIN *) 0x8c4ba48
        tmp_error = 538976288
        _db_level_ = 147110472
        _db_framep_ = (char **) 0x8c47718
        curr_all_fields = (List<Item> *) 0x8c4c36c
---Type <return> to continue, or q <return> to quit---
        curr_fields_list = (List<Item> *) 0x8c47698
        curr_tmp_table = (TABLE *) 0x8c4ba48
#8  0x081951f2 in mysql_select (thd=0x8c47508, rref_pointer_array=0x8c47718, tables=0x8c4b7c0, wild_num=0,
    fields=@0x8c47698, conds=0x8c4b988, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0,
    select_options=2156153344, result=0x8c4ba38, unit=0x8c47550, select_lex=0x8c47630) at sql_select.cc:1601
        err = 147112640
        free_join = true
        _db_func_ = 0xeeaa0b98 ""
        _db_file_ = 0x8c4751c "�b"
        join = (JOIN *) 0x8c4ba48
        _db_level_ = 8
        _db_framep_ = (char **) 0xeeaa0b90
#9  0x0819188b in handle_select (thd=0x8c47508, lex=0x8c47544, result=0x8c4ba38) at sql_select.cc:179
        select_lex = (SELECT_LEX *) 0x8c47630
---Type <return> to continue, or q <return> to quit---
        _db_func_ = 0x814fd63 "\203�020\211C\004\213]�U\211�\203�020\213]\b�003�
        _db_file_ = 0x1 <Address 0x1 out of bounds>
        res = 147093040
        _db_level_ = 12
        _db_framep_ = (char **) 0xaa10e8
#10 0x0816e203 in mysql_execute_command (thd=0x8c47508) at sql_parse.cc:2087
        result = (class select_result *) 0x8c4ba38
        res = -1
        lex = (LEX *) 0x8c47544
        slave_fake_lock = false
        _db_func_ = 0x0
        _db_file_ = 0x0
        _db_level_ = 0
        _db_framep_ = (char **) 0x0
---Type <return> to continue, or q <return> to quit---
        fake_prev_lock = (MYSQL_LOCK *) 0x0
        select_lex = (SELECT_LEX *) 0x8c47630
        tables = (TABLE_LIST *) 0x8c4b7c0
        unit = (SELECT_LEX_UNIT *) 0x8c47550
        __PRETTY_FUNCTION__ = "void mysql_execute_command(THD*)"
#11 0x08172bcf in mysql_parse (thd=0x8c47508, inBuf=0x8c4b6c0 ' ' <repeats 200 times>..., length=147092804)
    at sql_parse.cc:4209
        lex = (LEX *) 0x8c47544
        _db_func_ = 0x8c47508 "(\001D\bء]\bܡ]\b8\001D\b0�\b�b"
        _db_file_ = 0x3 <Address 0x3 out of bounds>
        _db_level_ = 147092744
        _db_framep_ = (char **) 0xeeaa1358
        __PRETTY_FUNCTION__ = "void mysql_parse(THD*, char*, uint)"
#12 0x0816ccff in dispatch_command (command=COM_QUERY, thd=0x8c47508, packet=0x8c56a59 ' ' <repeats 200 times>...,
---Type <return> to continue, or q <return> to quit---
    packet_length=63) at sql_parse.cc:1503
        packet_end = 0x8c4b6fe ' ' <repeats 200 times>...
        net = (NET *) 0x8c47a5c
        _db_func_ = 0x70ccb7 "\201�\203"
        _db_file_ = 0x710331 "ZY[�215t&"
        error = false
        _db_level_ = 140430624
        _db_framep_ = (char **) 0x0
#13 0x0816c6e4 in do_command (thd=0x8c47508) at sql_parse.cc:1316
        packet = 0x8c56a58 ' ' <repeats 200 times>...
        old_timeout = 30
        packet_length = 63
        net = (NET *) 0x8c47a5c
        command = COM_QUERY
---Type <return> to continue, or q <return> to quit---
        _db_func_ = 0x814e37a "\213]�\220U\211�S\213]\b\203�fS�"
        _db_file_ = 0x8c48684 "�\b"
        _db_level_ = 8192
        _db_framep_ = (char **) 0x1000
#14 0x0816bc61 in handle_one_connection (arg=0x20202020) at sql_parse.cc:1048
        error = 3
        net = (NET *) 0x8c47a5c
        thd = (class THD *) 0x8c47508
        launch_time = 538976288
        set = {__val = {0 <repeats 32 times>}}
#15 0x0070b1d5 in start_thread () from /lib/tls/libpthread.so.0
No symbol table info available.
#16 0x0058c2da in clone () from /lib/tls/libc.so.6
[13 Jun 2005 13:10] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/25926
[13 Jun 2005 18:03] Igor Babaev
ChangeSet
  1.2287 05/06/13 06:10:19 igor@igor-inspiron.creware.com +4 -0
  ctype_utf8.test, ctype_utf8.result:
    Added a test case for bug #11167.
  sql_select.cc:
    Fixed bug #11167.
    In 4.1 char/varchar fields are limited by 255 characters in
    length that makes them longer than 255 bytes in size for such
    character sets as UTF8. The functions store_record_in_cache
    and read_cached_records did not take into account this
    Moreover the code did not take into account that the size
    of the varchar fields in 5.0 can be up to 65535 bytes.

The fix will appear in 4.1.13 and 5.0.8.
[14 Jun 2005 2:15] Paul Dubois
Noted in 4.1.13, 5.0.8 changelogs.
[15 Jun 2005 20:48] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/26038