Bug #9159 Server crash during mysql_stmt_close
Submitted: 14 Mar 2005 7:58    Modified: 12 Apr 2005 2:49
Reporter: Georg Richter
Status: Closed
Category: MySQL Server    Severity: S1 (Critical)
Version: 5.0.3 (latest bk, cs 1.1809)    OS: Linux
Assigned to: Konstantin Osipov

[14 Mar 2005 7:58] Georg Richter
Description:
The sample crashes the server during mysql_stmt_close (see how to repeat). Might be related to bug #8880.

Stacktrace:

0x819acef handle_segfault + 479
0xffffe420 _end + -140690672
0x81ebf7b Cursor::~Cursor() + 55
0x81ebf7b Cursor::~Cursor() + 55
0x82139de Prepared_statement::~Prepared_statement() + 44
0x8189b4e delete_statement_as_hash_key + 30
0x841eeac hash_delete + 952
0x818c136 Statement_map::erase(Statement*) + 78
0x821351f mysql_stmt_free(THD*, char*) + 163
0x81b213b dispatch_command(enum_server_command, THD*, char*, unsigned int) + 1713
0x81b1a7f do_command(THD*) + 625
0x81b0c14 handle_one_connection + 788
0x4004e9dd _end + 933380301
0x40178ffa _end + 934602474

How to repeat:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen() */
#include <mysql.h>

int main (int argc, char **argv) {
	MYSQL *mysql;
	MYSQL_STMT *stmt;
	char *query = "SELECT a,b FROM t1";
	const unsigned long type = CURSOR_TYPE_READ_ONLY;

	mysql = mysql_init(NULL);
	mysql_real_connect(mysql, "localhost", "root", "", "test", 0, NULL, 0);

	/* single-row table: the result set fits in one fetch */
	mysql_query(mysql, "DROP TABLE IF EXISTS t1");
	mysql_query(mysql, "CREATE TABLE t1 (a int not null primary key, b int)");
	mysql_query(mysql, "INSERT INTO t1 VALUES (1,1)");

	/* prepare the statement and request a server-side read-only cursor */
	stmt = mysql_stmt_init(mysql);
	mysql_stmt_prepare(stmt, query, strlen(query));
	mysql_stmt_attr_set(stmt, STMT_ATTR_CURSOR_TYPE, (const void *)&type);

	/* execute, then close without fetching: the server crashes on COM_CLOSE_STMT */
	mysql_stmt_execute(stmt);
	mysql_stmt_close(stmt);

	mysql_close(mysql);
	return 0;
}
[14 Mar 2005 12:12] Miguel Solorzano
Verified on Linux and Windows; below is the crash call stack on Windows:

/sql/sql_parse.cpp
--1252--

void free_items(Item *item)
{
  Item *next;
  DBUG_ENTER("free_items");
  for (; item ; item=next)
  {
    next=item->next;
^^^^^^^^^^^^^^^^^^ point of crash
    item->delete_self();
  }
....

>	mysqld.exe!free_items(Item * item=0xa5a5a5a5)  Line 1258 + 0x3	C++
 	mysqld.exe!Cursor::~Cursor()  Line 1967 + 0xc	C++
 	mysqld.exe!Prepared_statement::~Prepared_statement()  Line 2418	C++
 	mysqld.exe!Prepared_statement::`scalar deleting destructor'(unsigned int __flags=1)  + 0xf	C++
 	mysqld.exe!delete_statement_as_hash_key(void * key=0x03812090)  Line 1662 + 0x1f	C++
 	mysqld.exe!hash_delete(st_hash * hash=0x00efed04, unsigned char * record=0x03812090)  Line 492 + 0xa	C
 	mysqld.exe!Statement_map::erase(Statement * statement=0x03812090)  Line 891 + 0xd	C++
 	mysqld.exe!mysql_stmt_free(THD * thd=0x00efde30, char * packet=0x03820201)  Line 2301	C++
 	mysqld.exe!dispatch_command(enum_server_command command=COM_CLOSE_STMT, THD * thd=0x00efde30, char * packet=0x03820201, unsigned int packet_length=5)  Line 1631 + 0xd	C++
 	mysqld.exe!do_command(THD * thd=0x00efde30)  Line 1452 + 0x31	C++
 	mysqld.exe!handle_one_connection(void * arg=0x00efde30)  Line 1109 + 0x9	C++
 	mysqld.exe!pthread_start(void * param=0x00e0ba80)  Line 63 + 0x7	C
 	mysqld.exe!_threadstart(void * ptd=0x00efff78)  Line 173 + 0xd	C
 	kernel32.dll!7c80b50b() 	
 	kernel32.dll!7c8399f3() 	
 	mysqld.exe!mach_dulint_get_much_compressed_size(dulint_struct n={...})  Line 460 + 0xd	C
 	mysqld.exe!mach_dulint_get_much_compressed_size(dulint_struct n={...})  Line 460 + 0xd	C
 	001646b6()
[23 Mar 2005 15:04] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/23313
[23 Mar 2005 15:26] Konstantin Osipov
Subject: bk commit - 5.0 tree (konstantin:1.1829) BUG#9159

ChangeSet
  1.1829 05/03/23 18:01:03 konstantin@mysql.com +5 -0
  Fixes and test cases for Bug#8880 "Commands out of sync error with cursors"
   and Bug#9159 "Server crash during mysql_stmt_close".
  The patch adds support for single-row result sets in cursors.
[24 Mar 2005 14:13] Konstantin Osipov
Pushed into 5.0 tree which is currently tagged 5.0.3 (but really is 5.0.4)
[12 Apr 2005 2:49] Paul Dubois
Noted in 5.0.4 changelog.