Bug #1663 Server crash if connection is closed without mysql_stmt_close call
Submitted: 25 Oct 2003 16:49    Modified: 20 Jan 2004 10:25
Reporter: Dmitry Lenev
Status: Closed
Category: MySQL Server    Severity: S2 (Serious)
Version: 4.1    OS:
Assigned to: Alexey Botchkov    CPU Architecture: Any

[25 Oct 2003 16:49] Dmitry Lenev
Description:
If we have executed the prepared statement "SELECT * FROM A WHERE A.a IN (?,?,?)" (well, you have to apply the patch that fixes Bug #1500) and then close the connection without calling mysql_stmt_close(), the server will core dump:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 9226 (LWP 30582)]
0x081016ae in ~Item_func_in (this=0x89ba7b8) at item_cmpfunc.h:647
647       ~Item_func_in() { delete array; delete in_item; }
(gdb) bt
#0  0x081016ae in ~Item_func_in (this=0x89ba7b8) at item_cmpfunc.h:647
#1  0x08157b48 in free_items(Item*) (item=0x89ba7b8) at sql_parse.cc:1064
#2  0x08198480 in free_prep_stmt(st_prep_stmt*, TREE_FREE, void*) (stmt=0x89bc4e8, mode=free_free, 
    not_used=0x0) at sql_prepare.cc:144
#3  0x0832adb1 in delete_tree_element (tree=0x89bb288, element=0x89bc4e8) at tree.c:184
#4  0x0832ac54 in free_tree (tree=0x89bb288, free_flags=144390992) at tree.c:145
#5  0x0832ad2b in delete_tree (tree=0x89b3b50) at tree.c:168
#6  0x0813514d in THD::cleanup() (this=0x89bc4e8) at sql_class.cc:270
#7  0x0814659d in end_thread(THD*, bool) (thd=0x89ab8b0, put_in_cache=true) at mysqld.cc:1317
#8  0x081576f5 in handle_one_connection (arg=0x89b3b50) at sql_parse.cc:964
#9  0x400261a0 in pthread_start_thread () from /lib/libpthread.so.0
#10 0x4002621f in pthread_start_thread_event () from /lib/libpthread.so.0
(gdb) 

How to repeat:
Do something like (code from tests/client_test.c with fixed bug #1500):

#include <string.h>
#include <mysql.h>

/* Establish connection here */
...
MYSQL_STMT *stmt;
MYSQL_BIND bind[3];
int        rc;
long       int_data[3]= {2,3,4};

mysql_query(mysql,"DROP TABLE IF EXISTS test_bg1500");
mysql_query(mysql,"CREATE TABLE test_bg1500 (i INT)");
mysql_query(mysql,"INSERT INTO test_bg1500 VALUES (1),(2)");
mysql_commit(mysql);

/* 4.1-era prepared statement API; the last argument is the query length (44 bytes) */
stmt= mysql_prepare(mysql,"SELECT i FROM test_bg1500 WHERE i IN (?,?,?)",44);

/* zero the bind array so the members not set below (e.g. length) are NULL */
memset(bind, 0, sizeof(bind));
bind[0].buffer= (char *)int_data;
bind[0].buffer_type= FIELD_TYPE_LONG;
bind[0].is_null= 0;
bind[2]= bind[1]= bind[0];
bind[1].buffer= (char *)(int_data + 1);
bind[2].buffer= (char *)(int_data + 2);

rc= mysql_bind_param(stmt, bind);

rc= mysql_execute(stmt);

/*
  close connection here without calling mysql_stmt_close()
  MySQL server will crash
*/

Suggested fix:
I have some suspicions but should investigate this issue more.
[25 Oct 2003 23:44] Dmitry Lenev
Actually, the crash can be reproduced even with mysql_stmt_close(). You just need to execute some query via the same connection after mysql_execute() but before mysql_stmt_close():

  ...
  MYSQL_RES *result;   /* declaration added; setup otherwise as in the first snippet */

  stmt= mysql_prepare(mysql,"SELECT i FROM test_bg1663 WHERE i IN (?,?,?)",44);

  memset(bind, 0, sizeof(bind));
  bind[0].buffer= (char *)int_data;
  bind[0].buffer_type= FIELD_TYPE_LONG;
  bind[0].is_null= 0;
  bind[2]= bind[1]= bind[0];
  bind[1].buffer= (char *)(int_data + 1);
  bind[2].buffer= (char *)(int_data + 2);

  rc= mysql_bind_param(stmt, bind);

  rc= mysql_execute(stmt);

  /* any ordinary query on the same connection between execute and close */
  rc = mysql_query(mysql, "SELECT * FROM test_bg1663");

  result = mysql_store_result(mysql);

  /* ... fetch and free result here */

  /* Server should crash here :( */
  mysql_stmt_close(stmt);

I suspect that the reason for this bug is the following:
When we are executing a prep stmt we allocate some memory in the current mem_root (in this example in Item_func_in::fix_length_and_dec()), and put a pointer to the created object in Item_func_in::array, which is allocated in the prep stmt memroot.
After that we execute the next query, so the memory in the current mem_root is destroyed... But Item_func_in::array still references it, so when we do delete array; in ~Item_func_in() we receive SIGSEGV.

Probably we will have the same problem with any Item which destroys objects allocated during execution (in fix_fields() or in val()) in its destructor (do we have any?)...
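As an added illustration of the lifetime mismatch described in this comment (this is not MySQL's code), the C model below uses a toy bump arena in place of MEM_ROOT and tags every allocation with the arena's generation, so the dangling array pointer is detected rather than dereferenced. The generation check, run_scenario() and the buggy/fixed switch are this example's own inventions; the "fixed" branch only models allocating the array in the statement's own root, not the changeset that actually closed this bug.

```c
#include <stdlib.h>

/* Toy stand-in for MEM_ROOT: a bump arena released all at once. Each
 * free_root() bumps a generation counter so a stale pointer can be
 * recognised instead of dereferenced (a hypothetical check, not MySQL's). */
typedef struct { char *buf; size_t used, cap; unsigned generation; } mem_root;

/* Pointer handed out by an arena, tagged with the generation it came from. */
typedef struct { mem_root *root; unsigned generation; void *ptr; } arena_ptr;

static void init_root(mem_root *r, size_t cap) {
    r->buf = malloc(cap); r->used = 0; r->cap = cap; r->generation = 0;
}

static arena_ptr alloc_root(mem_root *r, size_t n) {
    arena_ptr p = { r, r->generation, NULL };
    if (r->used + n <= r->cap) { p.ptr = r->buf + r->used; r->used += n; }
    return p;
}

/* Like free_root(): everything previously handed out now dangles. */
static void free_root(mem_root *r) { r->used = 0; r->generation++; }

static int ptr_is_live(arena_ptr p) {
    return p.ptr != NULL && p.generation == p.root->generation;
}

/* Stand-in for the prepared statement: it owns its own root and keeps the
 * "array" that Item_func_in::fix_length_and_dec() builds at execute time. */
typedef struct { mem_root stmt_root; arena_ptr in_array; } prep_stmt;

/* buggy=1 places the array in the per-query root (the report's behaviour);
 * buggy=0 places it in the statement's own root, matching its lifetime. */
static void stmt_execute(prep_stmt *s, mem_root *query_root, int buggy) {
    s->in_array = alloc_root(buggy ? query_root : &s->stmt_root, 3 * sizeof(long));
}

/* The sequence from the report: execute, run another query (which reuses the
 * per-query root), then close the statement. Returns 1 if the array pointer
 * is still valid when the Item destructor would run, 0 if it dangles. */
int run_scenario(int buggy) {
    mem_root query_root; prep_stmt s; int live;
    init_root(&query_root, 1024); init_root(&s.stmt_root, 1024);
    stmt_execute(&s, &query_root, buggy);   /* mysql_execute(stmt) */
    free_root(&query_root);                 /* next mysql_query(): per-query root reset */
    live = ptr_is_live(s.in_array);         /* mysql_stmt_close(): ~Item_func_in */
    free(query_root.buf); free(s.stmt_root.buf);
    return live;
}
```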
[14 Dec 2003 16:02] Dmitry Lenev
See also another manifestation of this problem in bug report #2099.
[14 Dec 2003 20:46] Miguel Solorzano
Dmitri, I am changing the priority from Medium to High due to similar issues on the customer side.
[20 Jan 2004 10:25] Alexey Botchkov
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

Fixed with the big cleanup()-related changeset.