Bug #11529 | crash server after use stored procedure | ||
---|---|---|---|
Submitted: | 23 Jun 2005 12:54 | Modified: | 30 Jun 2005 17:10 |
Reporter: | Valentin Komissarov | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server | Severity: | S1 (Critical) |
Version: | 5.0.7/5.0.8 BK | OS: | Windows (win32/Linux) |
Assigned to: | Bugs System | CPU Architecture: | Any |
[23 Jun 2005 12:54]
Valentin Komissarov
[23 Jun 2005 12:55]
Valentin Komissarov
P.S. The InnoDB engine in the table is necessary.
[23 Jun 2005 13:47]
MySQL Verification Team
Thank you for the bug report. I was able to repeat:

```
item_cmpfunc.h --834--
void cleanup()
{
  DBUG_ENTER("Item_func_in::cleanup");
  Item_int_func::cleanup();
  delete array;
  ^^^^^^^^^^^^^^^^
  delete in_item;
  array= 0;
  in_item= 0;
  DBUG_VOID_RETURN;
}
```

```
> mysqld-debug.exe!Item_func_in::cleanup() Line 838 + 0x1f C++
  mysqld-debug.exe!cleanup_items(Item * item=0x030e2a68) Line 1287 + 0xb C++
  mysqld-debug.exe!sp_head::execute(THD * thd=0x00ffba58) Line 655 + 0xf C++
  mysqld-debug.exe!sp_head::execute_procedure(THD * thd=0x00ffba58, List<Item> * args=0x030d35a0) Line 917 + 0xf C++
  mysqld-debug.exe!mysql_execute_command(THD * thd=0x00ffba58) Line 4207 + 0x19 C++
  mysqld-debug.exe!sp_instr_stmt::exec_core(THD * thd=0x00ffba58, unsigned int * nextp=0x03fae5c4) Line 1553 + 0x9 C++
  mysqld-debug.exe!sp_lex_keeper::reset_lex_and_exec_core(THD * thd=0x00ffba58, unsigned int * nextp=0x03fae5c4, int open_tables=0, sp_instr * instr=0x030c6bc8) Line 1472 + 0x13 C++
  mysqld-debug.exe!sp_instr_stmt::execute(THD * thd=0x00ffba58, unsigned int * nextp=0x03fae5c4) Line 1530 + 0x19 C++
  mysqld-debug.exe!sp_head::execute(THD * thd=0x00ffba58) Line 650 + 0x19 C++
  mysqld-debug.exe!sp_head::execute_procedure(THD * thd=0x00ffba58, List<Item> * args=0x00ffbf28) Line 917 + 0xf C++
  mysqld-debug.exe!mysql_execute_command(THD * thd=0x00ffba58) Line 4207 + 0x19 C++
  mysqld-debug.exe!mysql_parse(THD * thd=0x00ffba58, char * inBuf=0x030a46a0, unsigned int length=21) Line 5364 + 0x9 C++
  mysqld-debug.exe!dispatch_command(enum_server_command command=COM_QUERY, THD * thd=0x00ffba58, char * packet=0x030b6e69, unsigned int packet_length=22) Line 1674 + 0x1d C++
  mysqld-debug.exe!do_command(THD * thd=0x00ffba58) Line 1477 + 0x31 C++
  mysqld-debug.exe!handle_one_connection(void * arg=0x00ffba58) Line 1126 + 0x9 C++
  mysqld-debug.exe!pthread_start(void * param=0x030b2758) Line 63 + 0x7 C
  mysqld-debug.exe!_threadstart(void * ptd=0x00ffff48) Line 173 + 0xd C
  kernel32.dll!7c80b50b()
  kernel32.dll!7c8399f3()
```
[23 Jun 2005 14:12]
MySQL Verification Team
Backtrace on Linux:

```
050623 11:07:12 [Note] /home/miguel/dbs/5.0/libexec/mysqld: ready for connections.
Version: '5.0.8-beta-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
[New Thread 163851 (LWP 1916)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 163851 (LWP 1916)]
0x0817d9cb in Item_func_in::cleanup (this=0x8e57128) at item_cmpfunc.h:838
838       delete array;
(gdb) backtrace full
#0  0x0817d9cb in Item_func_in::cleanup (this=0x8e57128) at item_cmpfunc.h:838
        _db_func_ = 0x85c4fd7 "sql_parse.cc"
        _db_file_ = 0x85c54e8 "cleanup_items"
        _db_level_ = 136176969
        _db_framep_ = (char **) 0xbe5fe7cc
#1  0x081de566 in cleanup_items (item=0x8e57128) at sql_parse.cc:1287
        _db_func_ = 0x8e386a0 "èßX\b"
        _db_file_ = 0x0
        _db_level_ = 137490378
        _db_framep_ = (char **) 0x1
#2  0x0831f16f in sp_head::execute (this=0x8e567e0, thd=0x8e127d0) at sp_head.cc:641
        i = (sp_instr *) 0x8e57220
        hip = 3193956380
        _db_func_ = 0x831f863 "\203Ä \203=TIz\b"
        _db_file_ = 0x5 <Address 0x5 out of bounds>
        _db_level_ = 142114080
        _db_framep_ = (char **) 0x8e386d8
        olddb = "qïf\b\022ïf\b¼è_¾¿lT\bÜ\000\000\000¬è_¾¨è_¾¤è_¾û\003\031@ô_\031@\234è_¾P\002\031@ \206ã\bàû_¾¼è_¾êØ\024\b\001\000\000\000ô_\031@Üè_¾\202\017\024\bØ\206ã\b }x\bÜè_¾¾\017\024\bdé_¾@\000\000\000üè_¾\000\000\000\000Ð'á\b \206ã\büè_¾Æ÷\024\b"
        dbchanged = false
        ctx = (sp_rcontext *) 0x8e385b0
        ret = 0
        ip = 2
        old_arena = (class Query_arena *) 0x8e3c540
        old_query_id = 26
        old_derived_tables = (TABLE *) 0x0
        old_lex = (LEX *) 0x8e2bc08
        old_change_list = {<base_ilist> = {first = 0x8e14154, last = {_vptr.ilink = 0x85b4a08, prev = 0x8e14150, next = 0x0}}, <No data fields>}
        old_packet = {Ptr = 0x0, str_length = 0, Alloced_length = 0, alloced = false, str_charset = 0x8787d20}
#3  0x0831fc14 in sp_head::execute_procedure (this=0x8e567e0, thd=0x8e127d0, args=0x8e2c02c) at sp_head.cc:903
        _db_func_ = 0x81e58d0 "\203Ä \204Àt\024\213U\b\212\205oûÿÿ\210\202¾\a"
        _db_file_ = 0xbe5fef1c "<ï_¾×\0252\bÐ'á\b\v\200\002"
        _db_level_ = 148979284
        _db_framep_ = (char **) 0x8e58380
        ret = 0
        csize = 6
        params = 0
        hmax = 1
        cmax = 2
        octx = (sp_rcontext *) 0x8e38628
        nctx = (sp_rcontext *) 0x8e385b0
        tmp_octx = 1 '\001'
        old_mem_root = (MEM_ROOT *) 0xbe5ff154
        call_mem_root = {free = 0x8e385a0, used = 0x0, pre_alloc = 0x0, min_malloc = 32, block_size = 8136, block_num = 5, first_block_usage = 0, error_handler = 0}
        old_free_list = (class Item *) 0x0
        call_free_list = (class Item *) 0x0
#4  0x081e59f4 in mysql_execute_command (thd=0x8e127d0) at sql_parse.cc:4207
        select_limit = 18446744073709551615
        save_options = 2224048640
        save_ctx = {changed = false, master_access = 3193958176, db_access = 3193958172, priv_user = 0xbe5fef18 "Ð'á\b<ï_¾×\0252\bÐ'á\b\v\200\002", priv_host = "\000\000\000\000\000\000\000\000\210æà\b¥ÿÿÿâá\206\000\000\000\000\000\000\000\000\000¸eã\bÈ\r{\b@\215x\bÔö_¾\020(á\b\f\000\000\000 æâ\b\021\000\000\000\f", user = 0x358 <Address 0x358 out of bounds>, host = 0xbe5ffbe0 "àû_¾", ip = 0xbe5ff70c "<÷_¾\230\207\036\bÐ'á\bÐ'á\bhåâ\b\025"}
        bits_to_be_cleared = 0
        nsok = 1 '\001'
        sp = (class sp_head *) 0x8e567e0
        res = false
        result = 0
        lex = (LEX *) 0x8e2bc08
        select_lex = (SELECT_LEX *) 0x8e2bdfc
        slave_fake_lock = false
        fake_prev_lock = (MYSQL_LOCK *) 0x0
        first_table = (TABLE_LIST *) 0x0
        all_tables = (TABLE_LIST *) 0x0
        unit = (SELECT_LEX_UNIT *) 0x8e2bc18
        _db_func_ = 0x40191031 "\201ÃÃO"
        _db_file_ = 0x866ef12 "my_alloc.c"
        _db_level_ = 1075385358
        _db_framep_ = (char **) 0x8546a7e
#5  0x083215d7 in sp_instr_stmt::exec_core (this=0x8e3c8d0, thd=0x8e127d0, nextp=0xbe5ff044) at sp_head.cc:1539
        res = 148973520
#6  0x083213a8 in sp_lex_keeper::reset_lex_and_exec_core (this=0x8e3c8ec, thd=0x8e127d0, nextp=0xbe5ff044, open_tables=false, instr=0x8e3c8d0) at sp_head.cc:1458
        res = 0
#7  0x0832151c in sp_instr_stmt::execute (this=0x8e3c8d0, thd=0x8e127d0, nextp=0xbe5ff044) at sp_head.cc:1516
        query = 0x8e2e568 "CALL `gp_InsUpd_T1`()"
        query_length = 21
        _db_func_ = 0x831efca "\203Ä \211\205\\ÿÿÿ\203½\\ÿÿÿ"
        _db_file_ = 0x1 <Address 0x1 out of bounds>
        _db_level_ = 3193958328
        _db_framep_ = (char **) 0x8e13f18
        res = 0
#8  0x0831f149 in sp_head::execute (this=0x8e3c540, thd=0x8e127d0) at sp_head.cc:639
        i = (sp_instr *) 0x8e3c8d0
        hip = 8
        _db_func_ = 0x831f863 "\203Ä \203=TIz\b"
        _db_file_ = 0xbe5ff1bc "\f÷_¾ôY\036\b@Åã\bÐ'á\b4,á\b"
        _db_level_ = 0
        _db_framep_ = (char **) 0x0
        olddb = '\0' <repeats 88 times>, "ìð_¾4hT\b\035ïf\b\022ïf\bìð_¾\035iT\bH\000\000\000àð_¾Üð_¾Øð_¾"
        dbchanged = false
        ctx = (sp_rcontext *) 0x0
        ret = 0
        ip = 1
        old_arena = (class Query_arena *) 0x8e127dc
        old_query_id = 24
        old_derived_tables = (TABLE *) 0x0
        old_lex = (LEX *) 0x8e12810
        old_change_list = {<base_ilist> = {first = 0x8e14154, last = {_vptr.ilink = 0x85b4a08, prev = 0x8e14150, next = 0x0}}, <No data fields>}
        old_packet = {Ptr = 0x8e315b8 "\0015\00214\005Name5ûName4ame2\005Name2\f\b", str_length = 12, Alloced_length = 16384, alloced = true, str_charset = 0x8787d20}
#9  0x0831fc14 in sp_head::execute_procedure (this=0x8e3c540, thd=0x8e127d0, args=0x8e12c34) at sp_head.cc:903
        _db_func_ = 0x81e58d0 "\203Ä \204Àt\024\213U\b\212\205oûÿÿ\210\202¾\a"
        _db_file_ = 0xbe5ff70c "<÷_¾\230\207\036\bÐ'á\bÐ'á\bhåâ\b\025"
        _db_level_ = 148979284
        _db_framep_ = (char **) 0x8e3ca38
        ret = 0
        csize = 0
        params = 0
        hmax = 0
        cmax = 0
        octx = (sp_rcontext *) 0x0
        nctx = (sp_rcontext *) 0x0
        tmp_octx = 0 '\0'
        old_mem_root = (MEM_ROOT *) 0x8e127e4
        call_mem_root = {free = 0x8e365b8, used = 0x0, pre_alloc = 0x0, min_malloc = 32, block_size = 8136, block_num = 5, first_block_usage = 0, error_handler = 0}
        old_free_list = (class Item *) 0x0
        call_free_list = (class Item *) 0x0
#10 0x081e59f4 in mysql_execute_command (thd=0x8e127d0) at sql_parse.cc:4207
        select_limit = 18446744073709551615
        save_options = 2225359360
        save_ctx = {changed = false, master_access = 1919252000, db_access = 1852795251, priv_user = 0x726f6620 <Address 0x726f6620 out of bounds>, priv_host = " the right syntax to use near '1,10,'Name1','Name1'),\n (2,11", user = 0x32656d61 <Address 0x32656d61 out of bounds>, host = 0x554e2c27 <Address 0x554e2c27 out of bounds>, ip = 0x2c294c4c <Address 0x2c294c4c out of bounds>}
        bits_to_be_cleared = 0
        nsok = 0 '\0'
        sp = (class sp_head *) 0x8e3c540
        res = false
        result = 0
        lex = (LEX *) 0x8e12810
        select_lex = (SELECT_LEX *) 0x8e12a04
        slave_fake_lock = false
        fake_prev_lock = (MYSQL_LOCK *) 0x0
        first_table = (TABLE_LIST *) 0x0
        all_tables = (TABLE_LIST *) 0x0
        unit = (SELECT_LEX_UNIT *) 0x8e12820
        _db_func_ = 0x0
        _db_file_ = 0x0
        _db_level_ = 0
        _db_framep_ = (char **) 0xbe5ff6d0
#11 0x081e8798 in mysql_parse (thd=0x8e127d0, inBuf=0x8e2e568 "CALL `gp_InsUpd_T1`()", length=21) at sql_parse.cc:5364
        lex = (LEX *) 0x8e12810
        _db_func_ = 0x8794540 "(Ï_\b"
        _db_file_ = 0x81df332 "\203Ä \203=TIz\b"
        _db_level_ = 3193960892
        _db_framep_ = (char **) 0x2800b
#12 0x081df392 in dispatch_command (command=COM_QUERY, thd=0x8e127d0, packet=0x8e26509 "CALL `gp_InsUpd_T1`()", packet_length=22) at sql_parse.cc:1674
        packet_end = 0x8e2e57d ""
        net = (NET *) 0x8e12f3c
        error = false
        _db_func_ = 0x603ed8 <Address 0x603ed8 out of bounds>
        _db_file_ = 0x0
        _db_level_ = 136916366
        _db_framep_ = (char **) 0xbe5ff9dc
#13 0x081dec79 in do_command (thd=0x8e127d0) at sql_parse.cc:1477
        packet = 0x8e26508 "\003CALL `gp_InsUpd_T1`()"
        old_timeout = 30
        packet_length = 22
        net = (NET *) 0x8e12f3c
        command = COM_QUERY
        _db_func_ = 0x8e13f98 "ÿÿÿÿ\024"
        _db_file_ = 0x81b7fcb "\203Ä\020ÉÃU\211å\203ì\b\203ì\fÿu\bè\217"
        _db_level_ = 3193960956
        _db_framep_ = (char **) 0x1010
#14 0x081dde81 in handle_one_connection (arg=0x8e127d0) at sql_parse.cc:1126
        error = 0
        net = (NET *) 0x8e12f3c
        thd = (class THD *) 0x8e127d0
        launch_time = 0
        set = {__val = {0 <repeats 32 times>}}
#15 0x4018d54e in pthread_start_thread () from /lib/libpthread.so.0
No symbol table info available.
#16 0x4018d5df in pthread_start_thread_event () from /lib/libpthread.so.0
No symbol table info available.
#17 0x402fab8a in clone () from /lib/libc.so.6
No symbol table info available.
(gdb)
```
[27 Jun 2005 12:20]
Per-Erik Martin
Didn't crash, but valgrind does complain (on something which might result in a crash on other systems).
[28 Jun 2005 9:57]
Per-Erik Martin
InnoDB is not required to repeat, but using a cursor with the IN operator is. Here's a simpler test case:

```
create procedure bug11529()
begin
  declare c cursor for select ID, Name from t1 where Key2 in (10,13);
  open c;
  begin
    declare vid integer;
    declare vname varchar(50);
    declare exit handler for not found begin end;
    while true do
      fetch c into vid, vname;
    end while;
  end;
  close c;
end
```
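The reduced test case above refers to a table `t1` that the comment does not define. The following script is an added example, not Per-Erik's or MySQL's own test file: it supplies a table definition and sample rows inferred from the column names in the procedure (`ID`, `Name`, `Key2`) so that the case can be run end to end as a regression check against a server that carries the fix (5.0.9 or later). The column types, the row values and the `DELIMITER` handling for the mysql client are assumptions.

```sql
-- Added regression script for Bug #11529; not part of the original report.
-- Table layout (ID, Name, Key2) is assumed from the procedure body;
-- the rows are constructed sample data.
DROP TABLE IF EXISTS t1;
CREATE TABLE t1 (
  ID   INT NOT NULL,
  Name VARCHAR(50),
  Key2 INT
);

INSERT INTO t1 (ID, Name, Key2) VALUES
  (1, 'Name1', 10),
  (2, 'Name2', 11),
  (3, 'Name3', 13);

DROP PROCEDURE IF EXISTS bug11529;
DELIMITER //
CREATE PROCEDURE bug11529()
BEGIN
  -- The IN list on the cursor's SELECT is the part that matters: it is
  -- evaluated through Item_func_in, whose cleanup() is the top frame of
  -- both backtraces in this report.
  DECLARE c CURSOR FOR SELECT ID, Name FROM t1 WHERE Key2 IN (10, 13);
  OPEN c;
  BEGIN
    DECLARE vid INTEGER;
    DECLARE vname VARCHAR(50);
    -- Leaves the inner block, and with it the loop, once the cursor is exhausted.
    DECLARE EXIT HANDLER FOR NOT FOUND BEGIN END;
    WHILE TRUE DO
      FETCH c INTO vid, vname;
    END WHILE;
  END;
  CLOSE c;
END//
DELIMITER ;

-- Two calls in the same session exercise the cursor's open/close and
-- item cleanup path more than once.
CALL bug11529();
CALL bug11529();
```

Because Per-Erik saw valgrind complaints on a build that did not crash, running the server under valgrind while executing this script is a more reliable check than watching for a crash alone.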
[29 Jun 2005 6:39]
Valentin Komissarov
Declare cursor??? What will the cursor give if there is nothing, and it is not necessary to exit the loop? I can work around this bug without problems by not using the IN() function, but that is not a fix for the bug.
[30 Jun 2005 16:36]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/internals/26560
[30 Jun 2005 17:05]
Per-Erik Martin
Approved by email.
[30 Jun 2005 17:10]
Per-Erik Martin
Pushed to bk 5.0.9