Bug #38291 memory corruption and server crash with view/sp/function
Submitted: 22 Jul 2008 18:01 Modified: 16 Sep 2008 4:26
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category:MySQL Server: General Severity:S1 (Critical)
Version:5.0.64, 5.0.68-bzr, 5.1.26, 5.1.28-bzr OS:Any
Assigned to: Sergey Glukhov CPU Architecture:Any
Triage: D1 (Critical)

[22 Jul 2008 18:01] Shane Bester
Description:
In a stored procedure that selects from a view referencing a function, we see crashes and/or valgrind errors:

Crash stack trace for 5.0.64:

mysqld-debug.exe!strlen()
mysqld-debug.exe!Protocol::send_fields
mysqld-debug.exe!select_send::send_fields
mysqld-debug.exe!return_zero_rows
mysqld-debug.exe!JOIN::exec
mysqld-debug.exe!mysql_select
mysqld-debug.exe!handle_select
mysqld-debug.exe!mysql_execute_command
mysqld-debug.exe!sp_instr_stmt::exec_core
mysqld-debug.exe!sp_lex_keeper::reset_lex_and_exec_core
mysqld-debug.exe!sp_instr_stmt::execute
mysqld-debug.exe!sp_head::execute
mysqld-debug.exe!sp_head::execute_procedure
mysqld-debug.exe!mysql_execute_command
mysqld-debug.exe!mysql_parse
mysqld-debug.exe!dispatch_command
mysqld-debug.exe!do_command
mysqld-debug.exe!handle_one_connection
mysqld-debug.exe!pthread_start
mysqld-debug.exe!_threadstart

Sample of valgrind errors in 5.1.26:

11594 errors in context 1 of 2:
Invalid read of size 1
:my_utf8_uni      (ctype-utf8.c:1954)
:copy_and_convert (sql_string.cc:804)
:String::copy     (sql_string.cc:348)
:Protocol::store_string_aux (protocol.cc:764)
:Protocol_text::store (protocol.cc:782)
:Protocol::send_fields (protocol.cc:551)
:select_send::send_fields (sql_class.cc:1484)
:JOIN::exec() (sql_select.cc:2178)
:mysql_select
:handle_select (sql_select.cc:269)
:execute_sqlcom_select (sql_parse.cc:4765)
:mysql_execute_command (sql_parse.cc:2073)

How to repeat:
See private testcase.
[22 Jul 2008 18:03] Shane Bester
Full valgrind and crash backtrace info

Attachment: bug38291_full_valgrind_backtrace.txt (text/plain), 7.73 KiB.

[25 Jul 2008 11:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/50496

2673 Sergey Glukhov	2008-07-25
      Bug#38291 memory corruption and server crash with view/sp/function
      The problem:
      Send_field.org_col_name has a broken value on secondary execution.
      It happens when the result field is created from a field which belongs to a view.
      The fix:
      set Send_field.org_col_name with the correct value during Send_field initialization.
[20 Aug 2008 7:53] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52013

2671 Sergey Glukhov	2008-08-20
      Bug#38291 memory corruption and server crash with view/sp/function
      Send_field.org_col_name has a broken value on secondary execution.
      It happens when the result field is created from a field which belongs to a view
      due to a forgotten assignment of some Send_field attributes.
      The fix:
      set Send_field.org_col_name, org_table_name with the correct value during Send_field initialization.
[20 Aug 2008 9:58] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52020

2671 Sergey Glukhov	2008-08-20
      Bug#38291 memory corruption and server crash with view/sp/function
      Send_field.org_col_name has a broken value on secondary execution.
      It happens when the result field is created from a field which belongs to a view
      due to a forgotten assignment of some Send_field attributes.
      The fix:
      set Send_field.org_col_name, org_table_name with the correct value during Send_field initialization.
[20 Aug 2008 10:03] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52022

2671 Sergey Glukhov	2008-08-20
      Bug#38291 memory corruption and server crash with view/sp/function
      Send_field.org_col_name has a broken value on secondary execution.
      It happens when the result field is created from a field which belongs to a view
      due to a forgotten assignment of some Send_field attributes.
      The fix:
      set Send_field.org_col_name, org_table_name with the correct value during Send_field initialization.
[21 Aug 2008 17:57] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52246

2671 Sergey Glukhov	2008-08-20
      Bug#38291 memory corruption and server crash with view/sp/function
      Send_field.org_col_name has a broken value on secondary execution.
      It happens when the result field is created from a field which belongs to a view
      due to a forgotten assignment of some Send_field attributes.
      The fix:
      set Send_field.org_col_name, org_table_name with the correct value during Send_field initialization.
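The defect the commit messages above describe, as a simplified C++ model added here (not MySQL source code): the view branch of the field-construction path leaves `org_table_name` and `org_col_name` unassigned, the protocol layer then calls `strlen()` on whatever the pointer holds, and the fix assigns every attribute on both branches. Struct and member names mirror the commit message; `ResultColumn`, the two `make_field_*` functions and the completeness guard are this model's own assumptions. In the real bug the unassigned member held a stale value; the model zero-initialises it so the defect is observable without undefined behaviour.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Simplified model of the server's Send_field: per-column metadata that
// Protocol::send_fields serialises, calling strlen() on each pointer.
struct Send_field {
  const char *db_name = nullptr, *table_name = nullptr, *org_table_name = nullptr,
             *col_name = nullptr, *org_col_name = nullptr;
};

// A result column (model type); view_name is non-empty when the column is
// read through a view rather than directly from its base table.
struct ResultColumn {
  std::string db, base_table, base_col, alias, view_name;
};

// Pre-fix behaviour as the commit message describes it: on the view branch
// the org_* attributes are never assigned (left nullptr in this model).
Send_field make_field_buggy(const ResultColumn &c) {
  Send_field f;
  f.db_name = c.db.c_str();
  f.col_name = c.alias.c_str();
  if (c.view_name.empty()) {
    f.table_name = f.org_table_name = c.base_table.c_str();
    f.org_col_name = c.base_col.c_str();
  } else {
    f.table_name = c.view_name.c_str();  // org_table_name, org_col_name forgotten
  }
  return f;
}

// Post-fix behaviour: every attribute is assigned regardless of branch.
Send_field make_field_fixed(const ResultColumn &c) {
  Send_field f = make_field_buggy(c);
  f.org_table_name = c.base_table.c_str();
  f.org_col_name = c.base_col.c_str();
  return f;
}

// Guard a hardened send_fields would apply before dereferencing any pointer.
bool send_field_is_complete(const Send_field &f) {
  return f.db_name && f.table_name && f.org_table_name && f.col_name && f.org_col_name;
}

// Bytes of column-name metadata the protocol layer would emit, 0 if incomplete.
size_t metadata_length(const Send_field &f) {
  if (!send_field_is_complete(f)) return 0;
  return std::strlen(f.db_name) + std::strlen(f.table_name) + std::strlen(f.org_table_name)
       + std::strlen(f.col_name) + std::strlen(f.org_col_name);
}
```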
[21 Aug 2008 17:57] Bugs System
Pushed into 5.0.70  (revid:gluh@mysql.com-20080820094928-dy5ir4sg67psh919) (version source revid:gluh@mysql.com-20080820094928-dy5ir4sg67psh919) (pib:3)
[21 Aug 2008 18:04] Bugs System
Pushed into 5.1.28  (revid:gluh@mysql.com-20080820094928-dy5ir4sg67psh919) (version source revid:gluh@mysql.com-20080820114201-j5loda1mdi5s2qm2) (pib:3)
[27 Aug 2008 1:30] Paul Dubois
Noted in 5.0.70, 5.1.28 changelogs.

A server crash or Valgrind warnings could result when a stored
procedure selected from a view that referenced a function.

Setting report to NDI pending push into 6.0.x.
[14 Sep 2008 4:51] Bugs System
Pushed into 6.0.7-alpha  (revid:gluh@mysql.com-20080820094928-dy5ir4sg67psh919) (version source revid:john.embretsen@sun.com-20080724122511-9c0oudz1xrdrs6y6) (pib:3)
[16 Sep 2008 4:26] Paul Dubois
Noted in 6.0.7 changelog.