Bug #64636 Workbench crashes with specially crafted queries
Submitted: 13 Mar 2012 14:21    Modified: 13 Mar 2012 15:35
Reporter: Nicklas Overgaard
Status: Can't repeat    Impact on me: None
Category: MySQL Workbench: SQL Editor    Severity: S1 (Critical)
Version: 5.2.37 rev 8576    OS: Linux (ArchLinux x64)
Assigned to: (none)    CPU Architecture: Any
Tags: crash, query, segfault

[13 Mar 2012 14:21] Nicklas Overgaard
Description:
The workbench crashes with a segfault when executing most of the queries that NHibernate automatically generates for our business logic.

It produces stacktraces like this:

<stacktrace begin>
*** glibc detected *** /usr/bin/mysql-workbench-bin: corrupted double-linked list: 0x00007f6fa4064640 ***
======= Backtrace: =========
/lib/libc.so.6(+0x78e66)[0x7f6fc8161e66]
/lib/libc.so.6(+0x79253)[0x7f6fc8162253]
/lib/libc.so.6(+0x7a1e3)[0x7f6fc81631e3]
/lib/libc.so.6(__libc_malloc+0x75)[0x7f6fc8165ef5]
/lib/libc.so.6(_IO_str_overflow+0xc6)[0x7f6fc8160c26]
/lib/libc.so.6(_IO_default_xsputn+0x84)[0x7f6fc815f604]
/lib/libc.so.6(_IO_vfprintf+0x378d)[0x7f6fc81309bd]
/lib/libc.so.6(vasprintf+0xb4)[0x7f6fc815af84]
/lib/libc.so.6(asprintf+0x87)[0x7f6fc8137b87]
/lib/libc.so.6(+0x2d92b)[0x7f6fc811692b]
/lib/libc.so.6(+0x2da72)[0x7f6fc8116a72]
/usr/bin/mysql-workbench-bin(_ZN5boost7variantIileSsN6sqlite7UnknownENS1_4NullENS_10shared_ptrISt6vectorIhSaIhEEEENS_6detail7variant5void_ESB_SB_SB_SB_SB_SB_SB_SB_SB_SB_SB_SB_EC1ERKSC_+0x3f)[0x7dae0f]
/usr/lib/mysql-workbench/libwbpublic.so.0(_ZN22Recordset_cdbc_storage14do_unserializeEP9RecordsetPN6sqlite10connectionE+0xb90)[0x7f6fcd769080]
/usr/lib/mysql-workbench/libwbpublic.so.0(_ZN9Recordset5resetEN5boost8weak_ptrI22Recordset_data_storageEEb+0x16b)[0x7f6fcd75381b]
/usr/lib/mysql-workbench/libwbpublic.so.0(_ZN9Recordset5resetEb+0x33)[0x7f6fcd7545f3]
/usr/bin/mysql-workbench-bin(_ZN13SqlEditorForm11do_exec_sqlEPN3grt3GRTEN5boost8weak_ptrIS_EERSsNS3_10shared_ptrI10Sql_editorEENS_9ExecFlagsENS7_ISt6vectorINS7_I9RecordsetEESaISD_EEEE+0x366c)[0x7f64ec]
/usr/bin/mysql-workbench-bin(_ZN5boost6detail8function21function_obj_invoker1INS_3_bi6bind_tIN3grt3RefINS5_8internal6StringEEENS_4_mfi3mf6IS9_13SqlEditorFormPNS5_3GRTENS_8weak_ptrISC_EERSsNS_10shared_ptrI10Sql_editorEENSC_9ExecFlagsENSI_ISt6vectorINSI_I9RecordsetEESaISO_EEEEEENS3_5list7INS3_5valueIPSC_EENS_3argILi1EEENSU_ISG_EENSU_ISsEENSU_ISK_EENSU_ISL_EENSU_ISR_EEEEEES9_SE_E6invokeERNS1_15function_bufferESE_+0xf5)[0x7fe0a5]
/usr/lib/mysql-workbench/libwbpublic.so.0(_ZN5boost6detail8function21function_obj_invoker1INS_8functionIFN3grt3RefINS4_8internal6StringEEEPNS4_3GRTEEEENS4_8ValueRefESA_E6invokeERNS1_15function_bufferESA_+0x23)[0x7f6fcd66e723]
/usr/lib/mysql-workbench/libwbpublic.so.0(_ZN3bec7GRTTask7executeEPN3grt3GRTE+0x22)[0x7f6fcd5da372]
/usr/lib/mysql-workbench/libwbpublic.so.0(_ZN3bec13GRTDispatcher12execute_taskEPNS_11GRTTaskBaseE+0x34)[0x7f6fcd5d8004]
/usr/lib/mysql-workbench/libwbpublic.so.0(_ZN3bec13GRTDispatcher13worker_threadEPv+0x2b6)[0x7f6fcd5d8786]
/usr/lib/libglib-2.0.so.0(+0x6a186)[0x7f6fc977c186]
/usr/lib/libGL.so.1(+0xa7354)[0x7f6fc5ac5354]
<stacktrace end>

How to repeat:
Create the following table:

delimiter $$

CREATE TABLE `productMeta` (
  `productID` int(10) unsigned NOT NULL,
  `title` varchar(70) NOT NULL,
  `isDeleted` tinyint(1) NOT NULL DEFAULT '0' ,
  `defaultShortDescription` varchar(150) NOT NULL,
  `defaultLongDescription` text NOT NULL,
  `productType` enum('fee','product','virtual') NOT NULL,
  `productBillingMethod` enum('afterCashing','beforeCashing') NOT NULL ,
  `allowVirtualPrice` tinyint(1) NOT NULL ,
  `metaKeywords` varchar(255) NOT NULL,
  `productGroup` enum('ALL','DK','SE','FI','NO','PL') NOT NULL,
  `generatePdf` tinyint(1) NOT NULL DEFAULT '0' ,
  `autogenerateCode` tinyint(1) NOT NULL DEFAULT '0' ,
  `fetchCode` tinyint(1) NOT NULL DEFAULT '0' ,
  `showRegistration` tinyint(1) NOT NULL DEFAULT '0',
  `isC5Lgk` tinyint(1) NOT NULL DEFAULT '0' ,
  PRIMARY KEY (`productID`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8$$

And execute the following query (generated by linq-to-nhibernate):

select 
    productmet0_.productID as productID5_,
    productmet0_.title as title5_,
    productmet0_.isDeleted as isDeleted5_,
    productmet0_.defaultShortDescription as defaultS4_5_,
    productmet0_.defaultLongDescription as defaultL5_5_,
    productmet0_.productType as productT6_5_,
    productmet0_.productBillingMethod as productB7_5_,
    productmet0_.allowVirtualPrice as allowVir8_5_,
    productmet0_.metaKeywords as metaKeyw9_5_,
    productmet0_.productGroup as product10_5_,
    productmet0_.generatePdf as generat11_5_,
    productmet0_.autogenerateCode as autogen12_5_,
    productmet0_.fetchCode as fetchCode5_,
    productmet0_.showRegistration as showReg14_5_,
    productmet0_.isC5Lgk as isC15_5_
from
    .productMeta productmet0_
where
    productmet0_.productGroup = 'PL' 
    and case
        when productmet0_.isDeleted = 1 then 1
        else 0
    end = case
        when False = 1 then 1
        else 0
    end
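The report above identifies the crash only by its glibc abort message, and the useful part of such a message is the handful of frames between the libc allocator and the first application frame. The following helper is an added example, not code from the report or from MySQL Workbench: it parses the `module(symbol+offset)[address]` frame format, stops at the memory map, and returns the first frame outside the system runtime (the list of runtime libraries to skip is an assumption). The sample input is an excerpt of the backtrace posted above.

```python
"""Triage helper for '*** glibc detected ***' backtraces like the one in this report."""
import os
import re

HEADER_RE = re.compile(
    r"^\*\*\* glibc detected \*\*\* (?P<prog>\S+): (?P<reason>.+?): (?P<ptr>0x[0-9a-f]+) \*\*\*$")
# One frame: <module>(<symbol>+<offset>)[<address>]; '(+0x78e66)' means no symbol, offset into module.
FRAME_RE = re.compile(
    r"^(?P<module>\S+)\((?P<symbol>[^+)]*)\+?(?P<offset>0x[0-9a-f]+)?\)\[(?P<addr>0x[0-9a-f]+)\]$")
# Assumption: frames in these runtime libraries are the detector, not the culprit.
SYSTEM_LIBS = ("libc.so", "libc-", "libpthread", "libglib-", "libGL.so", "ld-linux")


def parse_frame(line):
    """Return a dict for one backtrace frame, or None if the line is not a frame."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    frame = m.groupdict()
    frame["symbol"] = frame["symbol"] or None  # empty symbol -> unknown symbol
    return frame


def parse_backtrace(text):
    """Split a glibc abort message into (header, frames); the memory map is ignored."""
    header, frames = None, []
    for line in text.splitlines():
        h = HEADER_RE.match(line.strip())
        if h:
            header = h.groupdict()
        elif line.startswith("======= Memory map"):
            break  # everything after this is the mapping dump, not frames
        else:
            f = parse_frame(line)
            if f:
                frames.append(f)
    return header, frames


def first_app_frame(frames):
    """Innermost frame outside the system runtime: the place where triage should start."""
    for f in frames:
        if not os.path.basename(f["module"]).startswith(SYSTEM_LIBS):
            return f
    return None


# Excerpt of the backtrace posted in this report (remaining frames and memory map omitted).
SAMPLE = """\
*** glibc detected *** /usr/bin/mysql-workbench-bin: corrupted double-linked list: 0x00007f6fa4064640 ***
======= Backtrace: =========
/lib/libc.so.6(+0x78e66)[0x7f6fc8161e66]
/lib/libc.so.6(__libc_malloc+0x75)[0x7f6fc8165ef5]
/usr/bin/mysql-workbench-bin(_ZN5boost7variantIileSsN6sqlite7UnknownENS1_4NullENS_10shared_ptrISt6vectorIhSaIhEEEENS_6detail7variant5void_ESB_SB_SB_SB_SB_SB_SB_SB_SB_SB_SB_SB_EC1ERKSC_+0x3f)[0x7dae0f]
/usr/lib/mysql-workbench/libwbpublic.so.0(_ZN22Recordset_cdbc_storage14do_unserializeEP9RecordsetPN6sqlite10connectionE+0xb90)[0x7f6fcd769080]
======= Memory map: ========
"""

if __name__ == "__main__":
    hdr, frames = parse_backtrace(SAMPLE)
    culprit = first_app_frame(frames)
    print(hdr["reason"], "in", hdr["prog"])
    print("first application frame:", culprit["module"], culprit["symbol"])
```

Pipe the mangled symbol through `c++filt` to read it; for the excerpt above it is a `boost::variant` copy constructor called from `Recordset_cdbc_storage::do_unserialize`, i.e. heap corruption surfaced while a result set was being deserialized.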
[13 Mar 2012 14:37] Alfredo Kojima
Does it happen with version 5.2.38?
[13 Mar 2012 15:30] Nicklas Overgaard
Well, made a full system update which gave me new kernel, new nvidia drivers and a new workbench. Issue seems solved now (at least with the given query).

Sorry for not checking that first!
[13 Mar 2012 15:35] MySQL Verification Team
Thank you for the feedback.