Bug #15885 Uninitialised variable "character_set_client"
Submitted: 20 Dec 2005 10:41    Modified: 24 Dec 2005 13:50
Reporter: Magnus Blåudd
Status: Duplicate
Category: MySQL Server: Prepared statements    Severity: S3 (Non-critical)
Version: 5.0.17-debug    OS: Linux (linux)
Assigned to:    CPU Architecture: Any

[20 Dec 2005 10:41] Magnus Blåudd
Description:

The variable "value.cs_info.character_set_client" is not initialised, and thus when it is used the server crashes.

Stack print from gdb:

#0  0x008c1402 in __kernel_vsyscall ()
#1  0x0067655f in pthread_kill () from /lib/libpthread.so.0
#2  0x0835a07c in write_core (sig=11) at stacktrace.c:220
#3  0x081e8189 in handle_segfault (sig=11) at mysqld.cc:2057
#4  <signal handler called>
#5  0x08155871 in Item_param::query_val_str (this=0xaacc2e0, str=0x63c100)
    at item.cc:2655
#6  0x08155ed5 in Item_param::print (this=0xaacc2e0, str=0x63c270)
    at item.cc:2799
#7  0x08172262 in Item_func::print_op (this=0xaacc708, str=0x63c270)
    at item_func.cc:342
#8  0x081930c8 in Item_func_regex::print (this=0xaacc708, str=0x63c270)
    at item_cmpfunc.h:1024
#9  0x0827f4c8 in print_where (cond=0xaacc708, info=0x869557b "original")
    at sql_test.cc:58
#10 0x0824cace in optimize_cond (join=0xaafa5d8, conds=0xaacc708,
    join_list=0xaaf3b0c, cond_value=0xaafb30c) at sql_select.cc:7760
#11 0x0825e5f5 in JOIN::optimize (this=0xaafa5d8) at sql_select.cc:619
#12 0x08264648 in mysql_select (thd=0xaad6d98, rref_pointer_array=0xaaf3b58,
    tables=0xaacc0a8, wild_num=0, fields=@0xaaf3abc, conds=0xaacc708,
    og_num=1, order=0xaacc898, group=0x0, having=0x0, proc_param=0x0,
    select_options=2458143232, result=0xaacc8d0, unit=0xaaf3810,
    select_lex=0xaaf3a38) at sql_select.cc:1871
#13 0x082649b6 in handle_select (thd=0xaad6d98, lex=0xaaf3800,
    result=0xaacc8d0, setup_tables_done_option=0) at sql_select.cc:250
#14 0x08203ada in mysql_execute_command (thd=0xaad6d98) at sql_parse.cc:2511
#15 0x08273f97 in Prepared_statement::execute (this=0xaaf37c0,
    expanded_query=0x63d668, open_cursor=false) at sql_prepare.cc:2898
#16 0x0827428c in mysql_sql_stmt_execute (thd=0xaad6d98) at sql_prepare.cc:2289
#17 0x08203b3d in mysql_execute_command (thd=0xaad6d98) at sql_parse.cc:2525
#18 0x0820c21f in mysql_parse (thd=0xaad6d98,
    inBuf=0xaafa4b8 "execute stmt1 using @a", length=22) at sql_parse.cc:5645
#19 0x0820cc69 in dispatch_command (command=COM_QUERY, thd=0xaad6d98,
    packet=0xab01e41 "execute stmt1 using @a", packet_length=23)
    at sql_parse.cc:1730
#20 0x0820e21d in do_command (thd=0xaad6d98) at sql_parse.cc:1531
#21 0x0820e663 in handle_one_connection (arg=0xaad6d98) at sql_parse.cc:1175
#22 0x00673b80 in start_thread () from /lib/libpthread.so.0
#23 0x004159ce in clone () from /lib/libc.so.6

(gdb) up
#1  0x0067655f in pthread_kill () from /lib/libpthread.so.0
(gdb)
#2  0x0835a07c in write_core (sig=11) at stacktrace.c:220
220       pthread_kill(pthread_self(), sig);
Current language:  auto; currently c
(gdb)
#3  0x081e8189 in handle_segfault (sig=11) at mysqld.cc:2057
2057       write_core(sig);
Current language:  auto; currently c++
(gdb)
#4  <signal handler called>
(gdb)
#5  0x08155871 in Item_param::query_val_str (this=0xaacc2e0, str=0x63c100)
    at item.cc:2655
2655          if (value.cs_info.character_set_client->escape_with_backslash_is_dangerous)
(gdb) p value
$1 = {integer = 612900632011318693, real = 1.0576196761787202e-267, cs_info = {
    character_set_client = 0xa5a5a5a5,
    character_set_of_placeholder = 0x88175e0,
    final_character_set_of_str_value = 0x88175e0}, time = {year = 2779096485,
    month = 142702048, day = 142702048, hour = 2779096485,
    minute = 2779096485, second = 2779096485, second_part = 2779096485,
    neg = -91 '\uffff', time_type = -1515870811}}

And when value.cs_info.character_set_client is used, the server will crash.

How to repeat:
The crash occurs in func_regex.test when running mysql-test-run with the --debug flag. It occurs with debug because it tries to print an item, but I guess this could happen at other times as well.

It is the following statements that cause the crash:

#
# regexp cleanup()
#
create table t1 (a varchar(40));
insert into t1 values ('C1'),('C2'),('R1'),('C3'),('R2'),('R3');
prepare stmt1 from 'select a from t1 where a rlike ? order by a';
set @a="^C.*";
execute stmt1 using @a; << Here
set @a="^R.*";
execute stmt1 using @a;
deallocate prepare stmt1;
drop table t1;
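The failure chain the gdb output shows (a 0xa5a5a5a5 pointer in the cs_info member of the value union, dereferenced when the item is printed) reproduced in a small C model. This is an added example, not code from the MySQL source: charset_info, item_param, the poison-filling allocator and the two set_* paths are stand-ins, and the idea that the EXECUTE ... USING @var path is the one that marks the value as a string without filling cs_info is an assumption made here for illustration, not something the report establishes. The debug fill of 0xa5 mirrors the value gdb printed; the real server dereferences the pointer and segfaults, whereas the model turns that into a detectable return value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for CHARSET_INFO with only the field item.cc:2655 dereferences. */
typedef struct {
    const char *name;
    int escape_with_backslash_is_dangerous;
} charset_info;

static const charset_info cs_latin1 = { "latin1", 0 };
static const charset_info cs_sjis   = { "sjis",   1 };  /* backslash can be a trail byte */

/* Stand-in for Item_param: 'value' is a union, so cs_info only holds
   meaningful pointers if the code path that set a string value filled it. */
typedef struct {
    enum { NO_VALUE, INT_VALUE, STRING_VALUE } state;
    union {
        long long integer;
        double real;
        struct {
            const charset_info *character_set_client;
            const charset_info *character_set_of_placeholder;
            const charset_info *final_character_set_of_str_value;
        } cs_info;
    } value;
} item_param;

#define POISON_BYTE 0xa5

/* Debug allocator in the spirit of safemalloc (assumed here): fresh memory
   is filled with 0xa5, so an unset pointer reads as 0xa5a5a5a5 on 32-bit,
   the value gdb showed, instead of whatever happened to be in the heap. */
static item_param *item_param_new(void)
{
    item_param *p = malloc(sizeof *p);
    if (p) memset(p, POISON_BYTE, sizeof *p);
    return p;
}

/* True when every byte of the pointer value is the debug fill pattern. */
static int pointer_is_poison(const void *ptr)
{
    unsigned char b[sizeof ptr];
    memcpy(b, &ptr, sizeof ptr);
    for (size_t i = 0; i < sizeof ptr; i++)
        if (b[i] != POISON_BYTE) return 0;
    return 1;
}

/* Path A (binary-protocol parameter): sets the string and all of cs_info. */
static void set_str_from_client(item_param *p, const charset_info *client_cs)
{
    p->state = STRING_VALUE;
    p->value.cs_info.character_set_client = client_cs;
    p->value.cs_info.character_set_of_placeholder = client_cs;
    p->value.cs_info.final_character_set_of_str_value = client_cs;
}

/* Path B (EXECUTE ... USING @var), as hypothesised for this model: marks
   the value as a string but never touches cs_info, leaving the poison. */
static void set_from_user_var_buggy(item_param *p)
{
    p->state = STRING_VALUE;
}

/* Path B with the fix: every path that yields STRING_VALUE fills cs_info. */
static void set_from_user_var_fixed(item_param *p, const charset_info *client_cs)
{
    set_str_from_client(p, client_cs);
}

/* Model of the dereference at item.cc:2655.  Returns -1 where the server
   would segfault (unset pointer), otherwise the escape flag. */
static int query_val_str_escape_flag(const item_param *p)
{
    if (p->state != STRING_VALUE) return 0;
    const charset_info *cs = p->value.cs_info.character_set_client;
    if (cs == NULL || pointer_is_poison(cs)) return -1;  /* uninitialised */
    return cs->escape_with_backslash_is_dangerous;
}

/* Reproduces the report: user-variable path, then print the item. */
static int reproduce_crash(void)
{
    item_param *p = item_param_new();
    set_from_user_var_buggy(p);
    int r = query_val_str_escape_flag(p);   /* -1: poison pointer caught */
    free(p);
    return r;
}

/* Same sequence with the initialising path. */
static int reproduce_fixed(const charset_info *cs)
{
    item_param *p = item_param_new();
    set_from_user_var_fixed(p, cs);
    int r = query_val_str_escape_flag(p);
    free(p);
    return r;
}
```

The poison fill is what makes this class of bug deterministic in a debug build and invisible in a release build: with plain malloc the stale pointer may happen to point at a readable page, which is why reproduction depends on the --debug flag. Running under Valgrind or MemorySanitizer catches the same read without needing the pattern check.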
[20 Dec 2005 13:53] Aleksey Kishkin
I cannot reproduce it:

mysql> create table t1 (a varchar(40));
Query OK, 0 rows affected (0.00 sec)

mysql> insert into t1 values ('C1'),('C2'),('R1'),('C3'),('R2'),('R3');
Query OK, 6 rows affected (0.00 sec)
Records: 6  Duplicates: 0  Warnings: 0

mysql> prepare stmt1 from 'select a from t1 where a rlike ? order by a';
Query OK, 0 rows affected (0.00 sec)
Statement prepared

mysql> set @a="^C.*";
Query OK, 0 rows affected (0.00 sec)

mysql> execute stmt1 using @a;
+------+
| a    |
+------+
| C1   |
| C2   |
| C3   |
+------+
3 rows in set (0.00 sec)

mysql> set @a="^R.*";
Query OK, 0 rows affected (0.00 sec)

mysql> execute stmt1 using @a;
+------+
| a    |
+------+
| R1   |
| R2   |
| R3   |
+------+
3 rows in set (0.01 sec)

mysql> deallocate prepare stmt1;
Query OK, 0 rows affected (0.00 sec)

mysql> drop table t1;
Query OK, 0 rows affected (0.00 sec)

mysql>
[21 Dec 2005 11:48] Aleksey Kishkin
mysql> select version();
+--------------+
| version()    |
+--------------+
| 5.0.17-debug |
+--------------+
1 row in set (0.00 sec)

mysql> create table t1 (a varchar(40));
Query OK, 0 rows affected (0.01 sec)

mysql> insert into t1 values ('C1'),('C2'),('R1'),('C3'),('R2'),('R3');
Query OK, 6 rows affected (0.01 sec)
Records: 6  Duplicates: 0  Warnings: 0

mysql> prepare stmt1 from 'select a from t1 where a rlike ? order by a';
Query OK, 0 rows affected (0.00 sec)
Statement prepared

mysql> set @a="^C.*";
Query OK, 0 rows affected (0.00 sec)

mysql> execute stmt1 using @a;
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> set @a="^R.*";
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/tmp/mysql.sock' (111)
ERROR:
Can't connect to the server

mysql> execute stmt1 using @a;
No connection. Trying to reconnect...
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/tmp/mysql.sock' (111)
ERROR:
Can't connect to the server

mysql> deallocate prepare stmt1;
No connection. Trying to reconnect...
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/tmp/mysql.sock' (111)
ERROR:
Can't connect to the server
[21 Dec 2005 11:50] Aleksey Kishkin
mysqld got signal 11;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8388600
read_buffer_size=131072
max_used_connections=1
max_connections=100
threads_connected=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_connections = 225791 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd=0x8bd0d88
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
Cannot determine thread, fp=0xbe5fdcb8, backtrace may not be correct.
Stack range sanity check OK, backtrace follows:
0x8156d98
0x40050715
0x80ebc02
0x80ec148
0x8100331
0x8118d57
0x81c8a52
0x81a8a09
0x819a5a2
0x819db2f
0x8199a36
0x816c15f
0x81c0eb0
0x81bfb14
0x816c1a8
0x817297a
0x816a93a
0x816a31d
0x8169620
0x4004b4eb
0x401b7b0a
New value of fp=(nil) failed sanity check, terminating stack trace!
Please read http://dev.mysql.com/doc/mysql/en/Using_stack_trace.html and follow
instructions on how to resolve the stack trace. Resolved
stack trace is much more helpful in diagnosing the problem, so please do
resolve it
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0x8bf5728 = select a from t1 where a rlike ? order by a
thd->thread_id=1
The manual page at http://www.mysql.com/doc/en/Crashing.html contains
information that should help you find out what is causing the crash.
[21 Dec 2005 11:55] Aleksey Kishkin
0x8156d98 handle_segfault + 368
0x40050715 _end + 934082565
0x80ebc02 _ZNK10Item_param13query_val_strEP6String + 326
0x80ec148 _ZN10Item_param5printEP6String + 124
0x8100331 _ZN9Item_func8print_opEP6String + 303
0x8118d57 _ZN15Item_func_regex5printEP6String + 17
0x81c8a52 _Z11print_whereP4ItemPKc + 90
0x81a8a09 _Z13optimize_condP4JOINP4ItemP4ListI13st_table_listEPNS1_11cond_resultE + 121
0x819a5a2 _ZN4JOIN8optimizeEv + 592
0x819db2f _Z12mysql_selectP3THDPPP4ItemP13st_table_listjR4ListIS1_ES2_jP8st_orderSB_S2_SB_mP13select_resultP18st_select_lex_unitP13st_sel + 395
0x8199a36 _Z13handle_selectP3THDP6st_lexP13select_resultm + 194
0x816c15f _Z21mysql_execute_commandP3THD + 1505
0x81c0eb0 _ZN18Prepared_statement7executeEP6Stringb + 714
0x81bfb14 _Z22mysql_sql_stmt_executeP3THD + 366
0x816c1a8 _Z21mysql_execute_commandP3THD + 1578
0x817297a _Z11mysql_parseP3THDPcj + 312
0x816a93a _Z16dispatch_command19enum_server_commandP3THDPcj + 1554
0x816a31d _Z10do_commandP3THD + 437
0x8169620 handle_one_connection + 768
0x4004b4eb _end + 934061531
0x401b7b0a _end + 935554042
[24 Dec 2005 13:50] Sergei Golubchik
Isn't that a duplicate of BUG#15871?