Bug #50755 Crash if stored routine def contains version comments
Submitted: 30 Jan 2010 12:21 Modified: 14 Oct 2010 14:07
Reporter: Libing Song
Status: Closed
Category: MySQL Server: Parser Severity: S3 (Non-critical)
Version: 5.1+ OS: Any
Assigned to: Davi Arnaut
Tags: stored routine parsing, version comments replication
Triage: Triaged: D1 (Critical)

[30 Jan 2010 12:21] Libing Song
The statement in cpp_buf is not right when the original statement is like this:
INSERT/*!INTO*/t1 VALUES(1); (there is no space between INSERT and the comment)
The statement in cpp_buf after removing the special comments looks like this:

How to repeat:
'CREATE EVENT' uses the pre-processed query to binlog the statement, so the bug can be repeated like this:

source include/master-slave.inc;
source include/show_binlog_events.inc;
source include/master-slave-end.inc;

Suggested fix:
A blank space should be inserted into the pre-processed query in this case.

A blank space cannot be inserted after '--', because '-- ' has special semantics, for example:
INSERT INTO t1 SELECT 5--/*!*/2;
[21 Mar 2010 13:18] Andrei Elkin
Resetting triage estimates because of new evidence discovered.
Setting up a trigger definition the way the description does causes a segfault:

create table t1 (a int);
create table t2 (a int);
create trigger trg_t2_ins_t1 before insert on t2 for each row insert/*!into*/t1 values (1);

show triggers;

=> segfault

That means not only logging of the stored routine is affected but also its execution.
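The report above describes the rewrite that produces the pre-processed query (version-comment markers removed, which glues `INSERT` to the keyword that followed the comment), the suggested fix (insert a blank, but never after `--`), and the trigger definition in the reproduction that exercises it. The following is an added example, not MySQL's lexer code: a small C++ model of that rewrite with the blank-insertion rule, plus a lint that flags routine or trigger definitions whose version comments are glued to their neighbours. The server version constant, the function names and the treatment of non-applying comments (dropped entirely) are assumptions of this model.

```cpp
// Added example, not MySQL's lexer: a model of the "pre-processed query"
// rewrite that removes /*! ... */ version-comment markers before a statement
// is binlogged or stored, with the blank-insertion rule from the report
// (insert a blank where the removed text glued two tokens together, but never
// right after "--", because "-- " starts a comment).
#include <cctype>
#include <iostream>
#include <string>

// Assumption: the server version used to decide whether /*!NNNNN ... */ applies.
static const unsigned long kServerVersion = 50147;

static bool isBlank(char c) { return std::isspace(static_cast<unsigned char>(c)) != 0; }

// Rewrites sql with /*!...*/ comments expanded (content kept when the version
// is absent or <= kServerVersion) and other /* ... */ comments dropped.
// insertBlank=false reproduces the glued output the report describes.
std::string preprocessVersionComments(const std::string &sql, bool insertBlank) {
    std::string out;
    const size_t n = sql.size();
    size_t i = 0;
    while (i < n) {
        if (sql.compare(i, 2, "/*") != 0) { out += sql[i++]; continue; }
        size_t end = sql.find("*/", i + 2);
        if (end == std::string::npos) { out += sql.substr(i); break; }  // unterminated: copy as-is

        // Decide what the comment expands to.
        std::string expansion;
        size_t body = i + 2;
        if (body < end && sql[body] == '!') {
            size_t digits = ++body;
            while (digits < end && std::isdigit(static_cast<unsigned char>(sql[digits]))) ++digits;
            unsigned long version = (digits == body) ? 0 : std::stoul(sql.substr(body, digits - body));
            if (version <= kServerVersion) expansion = sql.substr(digits, end - digits);
        }
        i = end + 2;  // skip past "*/"

        if (insertBlank) {
            // Character that will follow the removed markers in the output.
            char next = !expansion.empty() ? expansion.front() : (i < n ? sql[i] : '\0');
            bool glued = !out.empty() && !isBlank(out.back()) && next != '\0' && !isBlank(next);
            bool afterDashDash = out.size() >= 2 && out.compare(out.size() - 2, 2, "--") == 0;
            if (glued && !afterDashDash) out += ' ';
        }
        out += expansion;
        if (insertBlank && !expansion.empty() && !isBlank(expansion.back()) && i < n && !isBlank(sql[i]))
            out += ' ';
    }
    return out;
}

// Lint for routine/trigger definitions: true when the definition contains a
// version comment glued to its neighbours, i.e. when the blank-insertion fix
// changes the pre-processed text. Such definitions are the ones that hit this bug.
bool definitionNeedsBlank(const std::string &definition) {
    return preprocessVersionComments(definition, true) != preprocessVersionComments(definition, false);
}

int main() {
    // Constructed samples: the two statements from the report and the trigger body
    // from the reproduction.
    const char *samples[] = {
        "INSERT/*!INTO*/t1 VALUES(1);",
        "INSERT INTO t1 SELECT 5--/*!*/2;",
        "insert/*!into*/t1 values (1)",
    };
    for (const char *s : samples)
        std::cout << s << "\n  -> " << preprocessVersionComments(s, true)
                  << (definitionNeedsBlank(s) ? "   [affected]" : "") << "\n";
    return 0;
}
```

The `definitionNeedsBlank` check is the part a DBA can reuse: run it over the bodies returned by `SHOW CREATE TRIGGER` / `SHOW CREATE PROCEDURE` on a server older than the fixed versions listed further down, and any definition it flags is one whose listing could crash the server.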
[1 Apr 2010 13:15] Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

3439 Davi Arnaut	2010-04-01
      Bug#50755: Crash if stored routine def contains version comments
      The problem was that a syntactically invalid trigger could cause
      the server to crash when trying to list triggers. The crash would
      happen due to a mishap in the backup/restore procedure that should
      protect parser items which are not associated with the trigger. The
      backup/restore is used to isolate the parse tree (and context) of
      a statement from the load (and parsing) of a trigger. In this case,
      an error during the parsing of a trigger could cause the improper
      backup/restore sequence.
      The solution is to properly restore the original statement context
      before the parser is exited due to syntax errors in the trigger body.
     @ mysql-test/r/trigger.result
        Add test case result for Bug#50755
     @ mysql-test/t/trigger.test
        Add test case for Bug#50755
     @ sql/sp_head.cc
        Merge sp_head::destroy() and sp_head destructor. Retrieve THD
        from the LEX so that m_thd is not necessary.
     @ sql/sql_lex.cc
        Explicitly restore the original environment.
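The commit message above describes the root cause as a backup/restore of the statement context that was skipped when the trigger body failed to parse, leaving `SHOW TRIGGERS` running with state that belonged to the broken trigger. The following is an added example, not MySQL source: a C++ model of that pattern, with the unfixed early-return path beside a scope-guard version that restores the saved context on every exit. `StatementContext`, `parseTriggerBody` and the other names are hypothetical stand-ins for the server's LEX/THD structures.

```cpp
// Added example, not MySQL source: a model of the statement-context
// backup/restore that the fix for Bug#50755 describes. All names are hypothetical.
#include <iostream>
#include <string>
#include <vector>

// The per-connection state a statement such as SHOW TRIGGERS is executing with.
struct StatementContext {
    std::string statement;                // text of the statement being executed
    std::vector<std::string> parseItems;  // parser items owned by that statement
};

// Hypothetical trigger-body parser: records what it parsed into ctx and fails on
// the glued text that stripping a version comment without a blank produces.
static bool parseTriggerBody(const std::string &body, StatementContext &ctx) {
    ctx.statement = body;
    ctx.parseItems.push_back("trigger-body");
    return body.find("INSERTINTO") == std::string::npos;
}

// Before the fix (model): the restore is reached only on the success path, so a
// syntax error in the trigger leaves the caller running with the trigger's state.
bool loadTriggerUnfixed(StatementContext &ctx, const std::string &body) {
    StatementContext saved = ctx;
    ctx = StatementContext();              // isolate the trigger's parse from the caller's
    if (!parseTriggerBody(body, ctx))
        return false;                      // error path: 'saved' is never restored
    ctx = saved;
    return true;
}

// After the fix (model): a scope guard restores the saved context on every exit
// path, so a parse error can no longer leak the trigger's state into the caller.
class ContextRestorer {
public:
    explicit ContextRestorer(StatementContext &ctx) : ref_(ctx), saved_(ctx) {
        ref_ = StatementContext();         // same isolation as above
    }
    ~ContextRestorer() { ref_ = saved_; }  // runs on success, failure and early return
    ContextRestorer(const ContextRestorer &) = delete;
    ContextRestorer &operator=(const ContextRestorer &) = delete;
private:
    StatementContext &ref_;
    StatementContext saved_;
};

bool loadTriggerFixed(StatementContext &ctx, const std::string &body) {
    ContextRestorer restore(ctx);
    return parseTriggerBody(body, ctx);    // restore runs whether this succeeds or fails
}

// Returns true when the caller's context still describes its own statement
// after a trigger with the given body has been loaded through 'load'.
bool callerContextIntact(bool (*load)(StatementContext &, const std::string &),
                         const std::string &body) {
    StatementContext ctx;                  // constructed caller state: a SHOW TRIGGERS
    ctx.statement = "SHOW TRIGGERS";
    ctx.parseItems.push_back("show-triggers-item");
    load(ctx, body);
    return ctx.statement == "SHOW TRIGGERS" && ctx.parseItems.size() == 1;
}

int main() {
    const std::string broken = "INSERTINTOt1 VALUES(1)";   // glued body from the report
    std::cout << "unfixed, broken trigger: caller context intact = "
              << callerContextIntact(loadTriggerUnfixed, broken) << "\n"
              << "fixed,   broken trigger: caller context intact = "
              << callerContextIntact(loadTriggerFixed, broken) << "\n";
    return 0;
}
```

The point of the guard is that the restore no longer depends on the parser reaching a particular line; this is the same discipline as the commit's "explicitly restore the original environment" on the error path, expressed so that adding a new early return cannot reintroduce the leak.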
[29 Apr 2010 23:19] Davi Arnaut
Queued to mysql-5.1-bugteam
[3 May 2010 13:12] Davi Arnaut
Parser issue reported as Bug#53373
[5 May 2010 15:12] Bugs System
Pushed into 5.1.47 (revid:joro@sun.com-20100505145753-ivlt4hclbrjy8eye) (version source revid:davi.arnaut@sun.com-20100401131522-895y8uzvv8ag44gs) (merge vers: 5.1.47) (pib:16)
[13 May 2010 0:38] Paul Dubois
Noted in 5.1.47 changelog.

A syntactically invalid trigger could cause the server to crash when trying to list triggers.
[28 May 2010 5:56] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100524190136-egaq7e8zgkwb9aqi) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (pib:16)
[28 May 2010 6:25] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100524190941-nuudpx60if25wsvx) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[28 May 2010 6:52] Bugs System
Pushed into 5.5.5-m3 (revid:alik@sun.com-20100524185725-c8k5q7v60i5nix3t) (version source revid:alexey.kopytov@sun.com-20100507161755-e2lpi9tdulcm5njq) (merge vers: 5.5.5-m3) (pib:16)
[30 May 2010 1:11] Paul Dubois
Noted in 5.5.5 changelog.
[16 Jun 2010 7:42] Shane Bester
Just for reference, the stack trace from a 5.1.46 crash is this:

[17 Jun 2010 11:57] Bugs System
Pushed into 5.1.47-ndb-7.0.16 (revid:martin.skold@mysql.com-20100617114014-bva0dy24yyd67697) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[17 Jun 2010 12:36] Bugs System
Pushed into 5.1.47-ndb-6.2.19 (revid:martin.skold@mysql.com-20100617115448-idrbic6gbki37h1c) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[17 Jun 2010 13:23] Bugs System
Pushed into 5.1.47-ndb-6.3.35 (revid:martin.skold@mysql.com-20100617114611-61aqbb52j752y116) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[6 Jul 2010 19:01] Paul Dubois
Noted in 5.1.46sp1 changelog.
[8 Jul 2010 18:53] Bugs System
Pushed into 5.1.49 (revid:sunanda.menon@sun.com-20100708184626-16el4v8gjjci6m1r) (version source revid:sunanda.menon@sun.com-20100708184626-16el4v8gjjci6m1r) (merge vers: 5.1.49) (pib:16)
[4 Aug 2010 7:50] Bugs System
Pushed into mysql-trunk 5.5.6-m3 (revid:alik@sun.com-20100731131027-1n61gseejyxsqk5d) (version source revid:alik@sun.com-20100731074942-o840woifuqioxxe4) (merge vers: 5.5.6-m3) (pib:18)
[4 Aug 2010 8:07] Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804080001-bny5271e65xo34ig) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (merge vers: 5.6.99-m4) (pib:18)
[4 Aug 2010 8:23] Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804081533-c1d3rbipo9e8rt1s) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (merge vers: 5.6.99-m4) (pib:18)
[4 Aug 2010 9:03] Bugs System
Pushed into mysql-next-mr (revid:alik@ibmvm-20100804081630-ntapn8bf9pko9vj3) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (pib:20)
[4 Aug 2010 23:15] Paul Dubois
Already fixed in 5.1.x, 5.5.x.
Bug does not appear in any released 5.6.x version.
[14 Oct 2010 8:33] Bugs System
Pushed into mysql-5.1-telco-7.0 5.1.51-ndb-7.0.20 (revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (version source revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (merge vers: 5.1.51-ndb-7.0.20) (pib:21)
[14 Oct 2010 8:48] Bugs System
Pushed into mysql-5.1-telco-6.3 5.1.51-ndb-6.3.39 (revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (version source revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (merge vers: 5.1.51-ndb-6.3.39) (pib:21)
[14 Oct 2010 9:03] Bugs System
Pushed into mysql-5.1-telco-6.2 5.1.51-ndb-6.2.19 (revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (version source revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (merge vers: 5.1.51-ndb-6.2.19) (pib:21)
[14 Oct 2010 14:07] Jon Stephens
Already documented as shown; no additional changelog entries required. Set back to Closed state.