Bug #9106 MySQL coredumps on FreeBSD if the SQL query contains a regexp expression
Submitted: 10 Mar 2005 20:47 Modified: 4 May 2005 18:36
Reporter: Daniel Stefan Haischt Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Compiling Severity:S1 (Critical)
Version:mysql-5.0.2-alpha (FreeBSD port: mysql-c OS:FreeBSD (FreeBSD 5.4-PRERELEASE)
Assigned to: CPU Architecture:Any

[10 Mar 2005 20:47] Daniel Stefan Haischt
Description:
I am using MySQL 5.x on FreeBSD 5.4-PRE together
with libpthread. These are the knobs I did provide
to make (to compile the actual FreeBSD port):

FORCE_PKG_REGISTER=yes \
WITH_OPENSSL=yes \
BUILD_OPTIMIZED=yes \
WITH_PROC_SCOPE_PTH=yes

If executing the following SQL query, mysqld will
quit with a SIGSEGV signal (Actually the SQL statement originates from the b2e blog system).

SELECT post_urltitle
FROM evo_posts
WHERE post_urltitle
REGEXP '^erster_eintrag(_[0-9]+)?$' AND ID <> 0;

Below is the corresponding backtrace:

(gdb) set args --user=mysql --datadir=/var/db/mysql --pid-file=/var/db/mysql/abyssone.abyssworld.de.pid --bind-address=192.168.120.29
(gdb) run
Starting program: /usr/ports/databases/mysql50-server/work/mysql-5.0.2-alpha/sql/mysqld --user=mysql --datadir=/var/db/mysql --pid-file=/var/db/mysql/abyssone.abyssworld.de.pid --bind-address=192.168.120.29
050310 19:05:42  InnoDB: Started; log sequence number 0 44764
/usr/ports/databases/mysql50-server/work/mysql-5.0.2-alpha/sql/mysqld: ready for connections.
Version: '5.0.2-alpha-debug'  socket: '/tmp/mysql.sock'  port: 3306  FreeBSD port: mysql-server-5.0.2

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 3 (LWP 100348)]
p_ere (p=0xbf8ed5f0, stop=128) at regcomp.c:866
866             else if (my_islower(charset,ch))
Current language:  auto; currently c
(gdb) bt full
#0  p_ere (p=0xbf8ed5f0, stop=128) at regcomp.c:866
        c = 0 '\0'
        prevback = 188671256
        prevfwd = 188671256
        conc = 1
        first = 1
#1  0x084022e4 in regcomp (preg=0xb3ed478, pattern=0xa5bcb20 "^erster_eintrag(_[0-9]+)?$", cflags=186002432, charset=0xb162c50) at regcomp.c:177
        pa = {next = 0xa5bcb22 "rster_eintrag(_[0-9]+)?$", end = 0xa5bcb3a "", error = 0, strip = 0xb176500, ssize = 40, slen = 2, ncsalloc = 0,
  g = 0xb162c00, pbegin = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, pend = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, charset = 0x84cf280}
        g = (struct re_guts *) 0xb162c00
        i = 0
        len = 186002512
#2  0x0807feb6 in Item_func_regex::fix_fields (this=0xb3ed408, thd=0x1a, tables=0xb3ed478, ref=0xb3ed704) at sql_string.h:89
        buff = "\000\000\000\000\004×\216¿\030×\216¿@\204\020\bg\b\000\000üÖ\216¿\000×\216¿\004×\216¿\000\000\000\000\000\000\000\000\000\000\001", '\0' <repeats 17 times>, "°Ð>\vxÑ>\v\020Ñ>\vhØ\216¿\\\211\020\b\000p\033\vxÑ>\v Ð>\v Ð>\v\r\000\000\000<Ñ>\v\000\000\000\000\000\000\000\000\001\000\000\000\020Ñ>\v\001\000\000\000\000\000\000\000a\224F\ba\224F\001\r\000\000\000 Ð>\v\000\000\000\000\000\000\000\000àØ\034\v\000\000\000\001", '\0' <repeats 236 times>, "\001\000\000\000ðä>\v\000p\033\vÈÚ\216¿Ð`\005\b\000p\033\v°Ð>\vÈÚ\216¿\200a\005\bà"...
        tmp = {Ptr = 0xbf8ed6d0 "", str_length = 766, Alloced_length = 766, alloced = false, str_charset = 0x84e8440}
        res = (class String *) 0x84cf280
        error = 0
        __func__ = "fix_fields"
#3  0x0807eb49 in Item_cond::fix_fields (this=0xb3ed660, thd=0xb1b7000, tables=0xb3ed178, ref=0xb3ee4ac) at sql_list.h:323
        tmp_table_map = Unhandled dwarf expression opcode 0x93

How to repeat:
Compile MySQL on the following FreeBSD system ...

FreeBSD abyssone.abyssworld.de 5.4-PRERELEASE FreeBSD 5.4-PRERELEASE #4: Fri Mar  4 15:10:39 CET 2005     root@abyssone.abyssworld.de:/usr/obj/usr/src/sys/ABYSSONE  i386

Some paths:  /usr/local/bin/perl /usr/bin/make /usr/local/bin/gmake /usr/bin/gcc /usr/bin/cc
GCC: Using built-in specs.
Configured with: FreeBSD/i386 system compiler
Thread model: posix
gcc version 3.4.2 [FreeBSD] 20040728
Compilation info: CC='cc'  CFLAGS='-O -pipe  -O2  -O3 -fno-omit-frame-pointer -fno-gcse'  CXX='c++'  CXXFLAGS='-O -pipe -O2 -O3 -fno-omit-frame-pointer -fno-gcse -O2 -felide-constructors -fno-exceptions -fno-rtti -O -pipe  -O2  -O3 -fno-omit-frame-pointer -fno-gcse -felide-constructors -fno-rtti -fno-exceptions'  LDFLAGS=' -rpath=/usr/local/lib'  ASFLAGS=''
LIBC:
-r--r--r--  1 root  wheel  883816 Mar  3 17:16 /lib/libc.so.5
-r--r--r--  1 root  wheel  1876040 Mar  3 17:16 /usr/lib/libc.a
lrwxr-xr-x  1 root  wheel  14 Mar  3 17:16 /usr/lib/libc.so -> /lib/libc.so.5
lrwxr-xr-x  1 root  wheel  16 Dec  1 13:13 /usr/lib/libc.so.4 -> /usr/lib/libc.so

... With the following compiler ...

C compiler:	cc (GCC) 3.4.2 [FreeBSD] 20040728
C++ compiler:	c++ (GCC) 3.4.2 [FreeBSD] 20040728

... and the following configure options ...

./configure '--localstatedir=/var/db/mysql' '--with-debug' '--without-readline' '--without-libedit' '--without-bench' '--without-extra-tools' '--with-mysqlfs' '--with-vio' '--with-low-memory' '--with-comment=FreeBSD port: mysql-client-5.0.2' '--enable-thread-safe-client' '--with-openssl=/usr/local' '--enable-assembler' '--with-berkeley-db' '--with-named-thread-libs=-pthread' '--without-server' '--prefix=/usr/local' '--build=i386-portbld-freebsd5.4' 'LDFLAGS= -rpath=/usr/local/lib' 'CFLAG
S=-O -pipe  -O2  -O3 -fno-omit-frame-pointer -fno-gcse' 'CXX=c++' 'build_alias=i386-portbld-freebsd5.4' 'CC=cc' 'CXXFLAGS=-O -pipe -O2 -O3 -fno-omit-frame-pointer -fno-gcse -O2 -felide-constructors -fno-exceptions -fno-rtti -O -pipe  -O2  -O3 -fno-omit-frame-pointer -fno-gcse -felide-constructors -fno-rtti -fno-exceptions'

I did also try to use (without a difference) ...

 --with-collation=utf8_general_ci \
 --with-extra-charsets=all \
 --with-charset=utf8

... because I thought there might be an issue if using latin1.

Suggested fix:
None.
[11 Mar 2005 23:35] Jorge del Conde
Hi,

Can you please provide us with the table schema for 'evo_posts' ?

Thanks.
[11 Mar 2005 23:56] Daniel Stefan Haischt
Below you'll find the original DDL that did create the table 'evo_posts':

CREATE TABLE evo_posts (
                ID int(10) unsigned NOT NULL auto_increment,
                post_author int(4) NOT NULL default '0',
                post_issue_date datetime NOT NULL default '0000-00-00 00:00:00',
                post_mod_date datetime NOT NULL default '0000-00-00 00:00:00',
                post_status enum('published','deprecated','protected','private','draft')
                                                                        NOT NULL default 'published',
                post_locale VARCHAR(20) NOT NULL DEFAULT 'en-EU',
                post_content text NOT NULL,
                post_title text NOT NULL,
                post_urltitle VARCHAR(50) NULL DEFAULT NULL,
                post_url VARCHAR(250) NULL DEFAULT NULL,
                post_category int(4) NOT NULL default '0',
                post_autobr tinyint(4) NOT NULL default '1',
                post_flags SET( 'pingsdone', 'imported'),
                post_karma int(11) NOT NULL default '0',
                post_wordcount int(11) default NULL,
                post_comments ENUM('disabled', 'open', 'closed') NOT NULL DEFAULT 'open',
                post_renderers VARCHAR(179) NOT NULL default 'default',
                PRIMARY KEY post_ID( ID ),
                INDEX post_issue_date( post_issue_date ),
                INDEX post_category( post_category ),
                INDEX post_author( post_author ),
                INDEX post_status( post_status ),
                UNIQUE post_urltitle( post_urltitle )
)
[12 Mar 2005 0:29] Daniel Stefan Haischt
I kinda solved the issue:

 - Initially I did create the database 'b2e' using PhpMyAdmin. If using
   that database MySQL did coredump while using a select statement
   that did contain a REGEXP expression.

 - Today I did drop the b2e database as the user 'b2e' which owns that DB.
   After that I did re-create the database (create database b2e) as user 'b2e'.

 - Finally I did re-run the b2e installer and the core dump did not occure any 
   more. No idea what's going on ...

 - At the very end I did figure out that I did create the very first DB using   
   the following SQL statement 'CREATE DATABASE `b2e` DEFAULT
   CHARACTER SET utf8 COLLATE utf8_unicode_ci;'

   However using the statement 'CREATE DATABASE `b2e` DEFAULT 
   CHARACTER SET latin1 COLLATE latin1_german1_ci;' does not cause a
   mysqld core dump.

Anyway I would say MySQL shouldn't coredump if ...

 - there are issues with the REGEXP
 - there are issues with wrong database permissions
 - there is an issue with the character encoding
[14 Apr 2005 23:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[15 Apr 2005 14:44] Sergei Golubchik
reopened
[4 May 2005 18:36] Hartmut Holzgraefe
verified with 5.0.2 on Linux, doesn't happen anymore with releases >=5.0.3