MySQL Bugs: #51571: load xml infile causes server crash

Bug #51571	load xml infile causes server crash
Submitted:	27 Feb 2010 0:35	Modified:	4 Aug 2010 12:17
Reporter:	Simon Hodkinson	Email Updates:
Status:	Closed	Impact on me:	None
Category:	MySQL Server: XML functions	Severity:	S1 (Critical)
Version:	5.5.2-m2, 5.5.3-m2, 5.5.4-m3	OS:	Any (64 bit Windows 7, Mac OS X, Ubuntu 8.04)
Assigned to:	Alexander Barkov	CPU Architecture:	Any
Tags:	xml infile crash

Description:
the following query causes server crash

load xml infile 'xmltest.xml' INTO TABLE rcdpkt ROWS IDENTIFIED BY '<field name>' LINES TERMINATED BY '\r\n'
(
   @PktNum,
  FieldName,
  Showname,
  AValue,
  @protocol,
  pos,
  size,
Showtxt)

 set PktNum='1',
protocol='test';

How to repeat:
create table 

DROP TABLE IF EXISTS telco.rcdpkt;
CREATE TABLE `rcdpkt` (
  `FieldNum` bigint(20) NOT NULL AUTO_INCREMENT,
  `PktNum` bigint(20) NOT NULL,
  `FieldName` varchar(255) DEFAULT NULL,
  `showname` varchar(255) DEFAULT NULL,
  `AValue` varchar(255) DEFAULT NULL,
  `Protocol` varchar(255) DEFAULT NULL,
  `Pos` int(11) DEFAULT NULL,
  `Size` int(11) DEFAULT NULL,
  `ShowTxt` varchar(255) DEFAULT NULL,
  `TimeRcd` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  PRIMARY KEY (`FieldNum`,`PktNum`,`TimeRcd`)
) ENGINE=MEMORY DEFAULT CHARSET=latin1;

try query 

load xml infile 'xmltest.xml' INTO TABLE rcdpkt ROWS IDENTIFIED BY '<field name>' LINES TERMINATED BY '\r\n'
(
   @PktNum,
  FieldName,
  Showname,
  AValue,
  @protocol,
  pos,
  size,
Showtxt)

 set PktNum='1',
protocol='test';

using test xml file attached

From logs on mysql server....

Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
00000001401B0803    mysqld.exe!read_xml_field()[sql_load.cc:1136]
00000001401B15E9    mysqld.exe!mysql_load()[sql_load.cc:468]
000000014006AF19    mysqld.exe!mysql_execute_command()[sql_parse.cc:3598]
000000014006D956    mysqld.exe!mysql_parse()[sql_parse.cc:6216]
000000014006E5A6    mysqld.exe!dispatch_command()[sql_parse.cc:1244]
000000014006F2AB    mysqld.exe!do_command()[sql_parse.cc:875]
00000001400964B7    mysqld.exe!handle_one_connection()[sql_connect.cc:1154]
0000000140342FDE    mysqld.exe!pthread_start()[my_winthread.c:63]
00000001403B4467    mysqld.exe!_callthreadstartex()[threadex.c:348]
00000001403B453F    mysqld.exe!_threadstartex()[threadex.c:326]
000000007794F56D    kernel32.dll!BaseThreadInitThunk()
0000000077A83281    ntdll.dll!RtlUserThreadStart()
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 00000000056AE690=load xml infile 'xmltest.xml' INTO TABLE rcdpkt ROWS IDENTIFIED BY '<field name>' LINES TERMINATED BY '\r\n'
(
   @PktNum,
  FieldName,
  Showname,
  AValue,
  @protocol,
  pos,
  size,
Showtxt)

 set PktNum='1',
protocol='test'
thd->thread_id=2
thd->killed=NOT_KILLED
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.

Thank you for the bug report. Verified just as described with recent mysql-trunk from bzr on Mac OS X.

Valeriy,

I can't reproduce any problems with the current mysql-trunk.

Can you please verify one again?

Thanks!

Verified with current mysql-trunk on Ubuntu also:

openxs@ubuntu:/home2/openxs/dbs/trunk$ bin/mysql --no-defaults -uroot testReading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.5.4-m3-debug Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> CREATE TABLE `rcdpkt` (
    ->   `FieldNum` bigint(20) NOT NULL AUTO_INCREMENT,
    ->   `PktNum` bigint(20) NOT NULL,
    ->   `FieldName` varchar(255) DEFAULT NULL,
    ->   `showname` varchar(255) DEFAULT NULL,
    ->   `AValue` varchar(255) DEFAULT NULL,
    ->   `Protocol` varchar(255) DEFAULT NULL,
    ->   `Pos` int(11) DEFAULT NULL,
    ->   `Size` int(11) DEFAULT NULL,
    ->   `ShowTxt` varchar(255) DEFAULT NULL,
    ->   `TimeRcd` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
    ->   PRIMARY KEY (`FieldNum`,`PktNum`,`TimeRcd`)
    -> ) ENGINE=MEMORY DEFAULT CHARSET=latin1;
Query OK, 0 rows affected (0.00 sec)

mysql> load xml LOCAL infile '/home/openxs/xmltest.xml' INTO TABLE rcdpkt ROWS IDENTIFIED BY '<field name>' LINES TERMINATED BY '\r\n' (    @PktNum,   FieldName,   Showname,   AValue,   @protocol,   pos,   size, Showtxt)   set PktNum='1', protocol='test';
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> 100324 14:08:40 mysqld_safe Number of processes running now: 0
100324 14:08:40 mysqld_safe mysqld restarted

mysql> exit
Bye
openxs@ubuntu:/home2/openxs/dbs/trunk$ tail -100 var/ubuntu.err
...
100324 14:06:04 mysqld_safe Starting mysqld daemon with databases from /home2/openxs/dbs/trunk/var
100324 14:06:06 [Note] Buffered information: Performance schema disabled (reason: start parameters).

100324 14:06:06 [Note] Plugin 'FEDERATED' is disabled.
100324 14:06:06 [Note] Plugin 'ndbcluster' is disabled.
InnoDB: The InnoDB memory heap is disabled
InnoDB: Mutexes and rw_locks use GCC atomic builtins
100324 14:06:07  InnoDB: highest supported file format is Barracuda.
100324 14:06:07 InnoDB Plugin 1.0.6 started; log sequence number 44244
100324 14:06:08 [Note] Event Scheduler: Loaded 0 events
100324 14:06:08 [Note] /home2/openxs/dbs/trunk/libexec/mysqld: ready for connections.
Version: '5.5.4-m3-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
100324 14:08:39 - mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8388608
read_buffer_size=131072
max_used_connections=1
max_threads=151
thread_count=1
connection_count=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 337841 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0x93ece38
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0xa87a23b0 thread_stack 0x30000
/home2/openxs/dbs/trunk/libexec/mysqld(my_print_stacktrace+0x26)[0x87806e1]
/home2/openxs/dbs/trunk/libexec/mysqld(handle_segfault+0x2ee)[0x82c835e]
[0xb76e7420]
/home2/openxs/dbs/trunk/libexec/mysqld(_Z10mysql_loadP3THDP12sql_exchangeP10TABLE_LISTR4ListI4ItemES8_S8_15enum_duplicatesbb+0x1353)[0x8454d63]
/home2/openxs/dbs/trunk/libexec/mysqld(_Z21mysql_execute_commandP3THD+0x4166)[0x82df1b2]
/home2/openxs/dbs/trunk/libexec/mysqld(_Z11mysql_parseP3THDPKcjPS2_+0x229)[0x82e3c5d]
/home2/openxs/dbs/trunk/libexec/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcj+0x9e0)[0x82e47d2]
/home2/openxs/dbs/trunk/libexec/mysqld(_Z10do_commandP3THD+0x241)[0x82e5d31]
/home2/openxs/dbs/trunk/libexec/mysqld(_Z24do_handle_one_connectionP3THD+0x15b)[0x82d2f0d]
/home2/openxs/dbs/trunk/libexec/mysqld(handle_one_connection+0x25)[0x82d2fcb]
/lib/tls/i686/cmov/libpthread.so.0[0xb76c64fb]
/lib/tls/i686/cmov/libc.so.6(clone+0x5e)[0xb75d4e5e]
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0x94606e8 = load xml LOCAL infile '/home/openxs/xmltest.xml' INTO TABLE rcdpkt ROWS IDENTIFIED BY '<field name>' LINES TERMINATED BY '\r\n' (    @PktNum,   FieldName,   Showname,   AValue,   @protocol,   pos,   size, Showtxt)   set PktNum='1', protocol='test'
thd->thread_id=1
thd->killed=NOT_KILLED
...

The same problem is repeatable with mysql-test/std_data/loadxml.dat
with the following queries:

drop table if exists t1;
CREATE  table t1 (a text, b text);
LOAD XML INFILE 'loadxml.dat'
INTO TABLE t1 ROWS IDENTIFIED BY '<row>' (a, @b)
SET b=@b;

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/107357

3027 Alexander Barkov	2010-05-04
      Bug#51571 load xml infile causes server crash
      
      Problem:
      item->name was NULL for Item_user_var_as_out_param
      which made strcmp(something, item->name) crash in the LOAD XML code.
      
      Fix:
      - item_func.h: Adding set_name() in constuctor for Item_user_var_as_out_param
      - sql_load.cc: Changing the condition in write_execute_load_query_log_event() which
      distiguished between Item_user_var_as_out_param and Item_field
      from
        if (item->name == NULL)
      to
        if (item->type() == Item::FIELD_ITEM)
      - loadxml.result, loadxml.test: adding tests

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/107472

3034 Alexander Barkov	2010-05-05
       Bug#51571 load xml infile causes server crash
        
        Problem:
        item->name was NULL for Item_user_var_as_out_param
        which made strcmp(something, item->name) crash in the LOAD XML code.
        
        Fix:
        - item_func.h: Adding set_name() in constuctor for Item_user_var_as_out_param
        - sql_load.cc: Changing the condition in write_execute_load_query_log_event() which
        distiguished between Item_user_var_as_out_param and Item_field
        from
          if (item->name == NULL)
        to
          if (item->type() == Item::FIELD_ITEM)
        - loadxml.result, loadxml.test: adding tests

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/107482

3170 Alexander Barkov	2010-05-05 [merge]
      Mering Bug#51571 from mysql-trunk-bugfixing

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/107494

3868 Alexander Barkov	2010-05-05 [merge]
      Merging Bug#51571 from mysql-next-bugfixing

Pushed into mysql-trunk-bugfixing (mysql-5.5.5-m3)
Pushed into mysql-6.0-codebase-bugfixing (6.0.14)

Pushed into 6.0.14-alpha (revid:alik@sun.com-20100507091908-vqyhpwf2km0aokno) (version source revid:alik@sun.com-20100507091737-12vceffs11elb25g) (merge vers: 6.0.14-alpha) (pib:16)

Pushed into 5.5.5-m3 (revid:alik@sun.com-20100507091655-349gwq21ursz8y4p) (version source revid:alik@sun.com-20100507091655-349gwq21ursz8y4p) (merge vers: 5.5.5-m3) (pib:16)

Pushed into mysql-next-mr (revid:alik@sun.com-20100507091823-nzao4h3qosau4tin) (version source revid:alik@sun.com-20100507091720-ib9r8uny2aeazvas) (pib:16)

Documented bugfix in the 5.5.5 and 6.0.14 changelogs as follows:

      Executing LOAD XML INFILE could sometimes lead to a crash of the 
      MySQL Server.

Closed.

Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804080001-bny5271e65xo34ig) (version source revid:alik@sun.com-20100507093958-2y0wy6svnc3zfgqb) (merge vers: 5.6.99-m4) (pib:18)

Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804081533-c1d3rbipo9e8rt1s) (version source revid:alik@sun.com-20100507093958-2y0wy6svnc3zfgqb) (merge vers: 5.6.99-m4) (pib:18)

Changelog entry added for 5.6.1. Closed.

5.6 version is 5.6.0 not 5.6.1 - fixed changelog entry.