Bug #59109 mysqlslap crashes on mysql_fetch_row after ignoring null from mysql_store_result
Submitted: 22 Dec 2010 7:53   Modified: 29 Jan 2011 23:04
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Command-line Clients   Severity: S2 (Serious)
Version: 5.1, 5.5   OS: Any
Assigned to: Nirbhay Choubey   CPU Architecture: Any
Triage: Triaged: D2 (Serious)

[22 Dec 2010 7:53] Shane Bester
Description:
stack trace:

mysqlslap.exe!mysql_fetch_row(st_mysql_res * res=0x00000000) Line 3938	
mysqlslap.exe!run_task(void * p=0x002dfb1c) Line 1883	
mysqlslap.exe!pthread_start(void * p=0x0233a038) Line 61	
mysqlslap.exe!_callthreadstartex() Line 348
mysqlslap.exe!_threadstartex(void * ptd=0x023af1b0) Line 326	
kernel32.dll!_BaseThreadStart@8()

do
{
    if (mysql_field_count(mysql))
    {
       result= mysql_store_result(mysql);   /* <--- can return NULL */
       while ((row = mysql_fetch_row(result)))
         counter++;
       mysql_free_result(result);
    }
} while(mysql_next_result(mysql) == 0);

How to repeat:
It is common knowledge that mysql_store_result can return NULL.
For example when a deadlock or lock wait timeout happens.

See: http://dev.mysql.com/doc/refman/5.5/en/mysql-store-result.html

Suggested fix:
check for NULL return from mysql_store_result and handle it without crashing.
[7 Jan 2011 8:01] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/128136

3531 Nirbhay Choubey	2011-01-07
      Bug#59109 : mysqlslap crashes on mysql_fetch_row after ignoring
                  null from mysql_store_result.
      
      mysqlslap segfaults at a point when it tries to fetch rows from
      the result set.
      
      Under some circumstances, mysql_store_result can return 'NULL',
      even after query execution (mysql_query) succeeds, and eventually
      a segfault might occur if the same unchecked return value is passed
      to mysql_fetch_row.
      
      Fixed by adding a check on mysql_store_result's return value.
     @ client/mysqlslap.c
        Bug#59109 : mysqlslap crashes on mysql_fetch_row after ignoring
                    null from mysql_store_result.
        
        Added a check on mysql_store_result's return value. A 'NULL' return
        value here shows an erroneous situation as mysql_field_count has already
        reported a non-zero value.
[7 Jan 2011 8:11] Shane Bester
Why exit the program if mysql_store_result returns null?
[7 Jan 2011 9:41] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/128141

3531 Nirbhay Choubey	2011-01-07
[7 Jan 2011 9:52] Nirbhay Choubey
Shane,

I thought allowing it to proceed might result in some
wrong/incorrect final report. But that is not the case
here. I have updated the patch.
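The run_task() loop from the report with the check the fix adds, written here as an added example (not mysqlslap's own code): libmysqlclient is replaced by a constructed stand-in with `fake_` names so the failing case, mysql_store_result returning NULL after mysql_field_count reported columns, can be exercised offline. The real calls have the same shape, and a NULL result is reported and skipped rather than dereferenced or treated as fatal, matching the updated patch's behaviour.

```c
#include <stddef.h>

/* Constructed stand-in for libmysqlclient (not the real API): a connection
 * is a list of result sets; rows < 0 makes fake_store_result() return NULL
 * even though fake_field_count() is non-zero, the situation from Bug#59109. */
typedef struct { int fields; int rows; } fake_set;
typedef struct { const fake_set *sets; int nsets; int cur; } FAKE_MYSQL;
typedef struct { int remaining; } FAKE_RES;

static unsigned fake_field_count(FAKE_MYSQL *m) { return m->sets[m->cur].fields; }
static FAKE_RES *fake_store_result(FAKE_MYSQL *m, FAKE_RES *buf)
{
  if (m->sets[m->cur].rows < 0)
    return NULL;                       /* e.g. lock wait timeout while fetching */
  buf->remaining= m->sets[m->cur].rows;
  return buf;
}
static int fake_fetch_row(FAKE_RES *r) { return r->remaining-- > 0; }
static int fake_next_result(FAKE_MYSQL *m) { return ++m->cur < m->nsets ? 0 : -1; }

/* The run_task() loop with the missing check added. A NULL result is counted
 * as an error and the loop moves on to the next result set (continue jumps to
 * the do/while condition), rather than crashing or exiting mysqlslap. */
static int count_rows(FAKE_MYSQL *mysql, int *errors)
{
  int counter= 0;
  *errors= 0;
  do
  {
    if (fake_field_count(mysql))
    {
      FAKE_RES buf, *result= fake_store_result(mysql, &buf);
      if (result == NULL)              /* the check mysqlslap lacked */
      {
        (*errors)++;
        continue;
      }
      while (fake_fetch_row(result))
        counter++;                     /* real code: mysql_free_result() here */
    }
  } while (fake_next_result(mysql) == 0);
  return counter;
}

/* Constructed multi-statement sequence: SELECT with 3 rows, SELECT whose
 * result could not be stored, an UPDATE (no result set), SELECT with 2 rows. */
static const fake_set demo_sets[]= { {2, 3}, {1, -1}, {0, 0}, {2, 2} };

int demo_rows(void)   { FAKE_MYSQL m= { demo_sets, 4, 0 }; int e; return count_rows(&m, &e); }
int demo_errors(void) { FAKE_MYSQL m= { demo_sets, 4, 0 }; int e; count_rows(&m, &e); return e; }
```

With the constructed sequence, demo_rows() returns 5 and demo_errors() returns 1: the rows of the two good result sets are still counted and the one failed result set is recorded instead of crashing the thread.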
[12 Jan 2011 6:37] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/128474

3531 Nirbhay Choubey	2011-01-12
[13 Jan 2011 10:27] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/128619

3549 Nirbhay Choubey	2011-01-13
[13 Jan 2011 10:35] Bugs System
Pushed into mysql-5.1 5.1.56 (revid:nirbhay.choubey@sun.com-20110113102642-4i7chbqdhq7gj55e) (version source revid:nirbhay.choubey@sun.com-20110113102642-4i7chbqdhq7gj55e) (merge vers: 5.1.56) (pib:24)
[13 Jan 2011 10:36] Bugs System
Pushed into mysql-5.5 5.5.9 (revid:nirbhay.choubey@sun.com-20110113102913-cv5ikkfbtuaa3ezt) (version source revid:nirbhay.choubey@sun.com-20110113102913-cv5ikkfbtuaa3ezt) (merge vers: 5.5.9) (pib:24)
[13 Jan 2011 10:37] Bugs System
Pushed into mysql-trunk 5.6.2 (revid:nirbhay.choubey@sun.com-20110113103059-9eyidap12mdg9bmw) (version source revid:nirbhay.choubey@sun.com-20110113103059-9eyidap12mdg9bmw) (merge vers: 5.6.2) (pib:24)
[19 Jan 2011 1:34] Paul Dubois
Noted in 5.1.56, 5.5.9, 5.6.2 changelogs.

mysqlslap failed to check for a NULL return from mysql_store_result()
and crashed trying to process the result set.
[6 Feb 2011 14:13] Meiji KIMURA
Duplicated Bug#52773.