Bug #9902 Crash with simple stored function using user defined variables
Submitted: 14 Apr 2005 13:20
Modified: 19 Apr 2005 13:54
Reporter: Alexander Keremidarski
Status: Closed
Category: MySQL Server
Severity: S1 (Critical)
Version: 5.0.x
Assigned to: Bugs System
CPU Architecture: Any

[14 Apr 2005 13:20] Alexander Keremidarski
Description:
 select inc() from t1;

crashes with following backtrace

0x81d8fae handle_segfault + 482
0xffffe420 _end + -141834576
(nil)
0x4cd4edb1 _end + 1147195457
0x82fc808 _ZN11Query_cache21send_result_to_clientEP3THDPcj + 144
0x83345f3 _ZN13sp_instr_stmt7executeEP3THDPj + 251
0x8332367 _ZN7sp_head7executeEP3THD + 663
0x83328f3 _ZN7sp_head16execute_functionEP3THDPP4ItemjS4_ + 651
0x816e99b _ZN12Item_func_sp7executeEPP4Item + 575
0x816f1a6 _ZN12Item_func_sp8val_realEv + 24
0x816f1f7 _ZN12Item_func_sp7val_intEv + 17
0x814af4f _ZN4Item4sendEP8ProtocolP6String + 343
0x81c4fb8 _ZN11select_send9send_dataER4ListI4ItemE + 300
0x823befa _Z8end_sendP4JOINP13st_join_tableb + 290
0x823a788 _Z10sub_selectP4JOINP13st_join_tableb + 630
0x823a1cb _Z9do_selectP4JOINP4ListI4ItemEP8st_tableP9Procedure + 643
0x8229510 _ZN4JOIN4execEv + 6948
0x822a5c0 _Z12mysql_selectP3THDPPP4ItemP13st_table_listjR4ListIS1_ES2_jP8st_orderSB_S2_SB_mP13select_resultP18st_select_lex_unitP13st_sel + 710
0x8224a6c _Z13handle_selectP3THDP6st_lexP13select_resultm + 352
0x81f15c6 _Z21mysql_execute_commandP3THD + 1508
0x81f96ed _Z11mysql_parseP3THDPcj + 455
0x81ef6d4 _Z16dispatch_command19enum_server_commandP3THDPcj + 1966
0x81eef1b _Z10do_commandP3THD + 625
0x81ee0a6 handle_one_connection + 778
0x4cf75341 _end + 1149449681
0x4cdf4fee _end + 1147875966

How to repeat:
delimiter //

CREATE FUNCTION `test`.`inc`() RETURNS int(11)
begin
set @x := @x + 1;
return @x;
end
//

set @x := 1 //
select inc() //

select inc() from t1// -- crash!
[14 Apr 2005 13:21] Alexander Keremidarski
Forgot to mention that t1 can be any table.

Bug does happen only when selecting from table with at least 1 row.

Does *not* happen under gdb
[14 Apr 2005 13:40] Alexander Keremidarski
Verified under Fedora Core 3 with 5.0 build from 

ChangeSet@1.1892, 2005-04-10 07:55:30+02:00, pekka@mysql.com
[14 Apr 2005 14:11] Kouber Saparev
I'm reproducing the bug too on Windows 2000 NT, with MySQL 5.0.3.
[14 Apr 2005 14:31] Kouber Saparev
Actually the server crashes only when there are at least 2 (two) rows in the table, with only one row (i.e. one invocation of the function) it works just fine.
[14 Apr 2005 18:36] Alexander Keremidarski
Further investigation revealed that the crash happens only if Query_cache is ON

mysql> SELECT SQL_NO_CACHE inc() FROM t1;
+-------+
| inc() |
+-------+
|     4 |
|     5 |
+-------+

mysql> SELECT SQL_CACHE inc() FROM t1;
ERROR 2006 (HY000): MySQL server has gone away

crash happens at sql/sql_cache.cc:930::

  /* Check that we haven't forgot to reset the query cache variables */
  DBUG_ASSERT(thd->net.query_cache_query == 0);

Backtrace is:
#0  0xb7e56bd1 in kill () from /lib/i686/libc.so.6
#1  0xb7f84251 in pthread_kill () from /lib/i686/libpthread.so.0
#2  0xb7f845bb in raise () from /lib/i686/libpthread.so.0
#3  0xb7e56838 in raise () from /lib/i686/libc.so.6
#4  0xb7e57e80 in abort () from /lib/i686/libc.so.6
#5  0xb7e4f821 in __assert_fail () from /lib/i686/libc.so.6
#6  0x082fd340 in Query_cache::send_result_to_client(THD*, char*, unsigned) (this=0x872b3a0, thd=0x8d9cf00, sql=0x8d98718 "SET @x := @x + 1", query_length=16) at sql_cache.cc:930
#7  0x0833512b in sp_instr_stmt::execute(THD*, unsigned*) (this=0x8dca220, thd=0x8d9cf00, nextp=0x99ee5cb0) at sp_head.cc:1355
#8  0x08332e9f in sp_head::execute(THD*) (this=0x8dc9968, thd=0x8d9cf00) at sp_head.cc:558
#9  0x0833342b in sp_head::execute_function(THD*, Item**, unsigned, Item**) (this=0x8dc9968, thd=0x8d9cf00, argp=0xa5a5a5a5, argcount=0, resp=0x99ee5eb4) at sp_head.cc:673
#10 0x0816ecdf in Item_func_sp::execute(Item**) (this=0x8d969d8, itp=0x99ee5eb4) at item_func.cc:4566
#11 0x0816f4ea in Item_func_sp::val_real() (this=0x8d969d8) at item_func.h:1319
#12 0x0816f53b in Item_func_sp::val_int() (this=0x8d969d8) at item_func.h:1311
#13 0x0814b295 in Item::send(Protocol*, String*) (this=0x8d969d8, protocol=0x8d9d8e8, buffer=0x99ee5fc0) at item.cc:3608
#14 0x081c5824 in select_send::send_data(List<Item>&) (this=0x8d97210, items=@0x8d9d190) at sql_class.cc:872
#15 0x0823c852 in end_send (join=0x8d97220, join_tab=0x8d9841c, end_of_records=false) at sql_select.cc:9924
#16 0x0823b0e0 in sub_select (join=0x8d97220, join_tab=0x8d982c0, end_of_records=false) at sql_select.cc:9284
#17 0x0823ab23 in do_select (join=0x8d97220, fields=0x8d9d190, table=0x0, procedure=0x0) at sql_select.cc:8985
#18 0x08229e68 in JOIN::exec() (this=0x8d97220) at sql_select.cc:1644
#19 0x0822af18 in mysql_select(THD*, Item***, st_table_list*, unsigned, List<Item>&, Item*, unsigned, st_order*, st_order*, Item*, st_order*, unsigned long, select_result*, st_select_lex_unit*, st_select_lex*) (thd=0x8d9cf00, rref_pointer_array=0x8d9d228, tables=0x8d97010, wild_num=0, fields=@0x8d9d190, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2158250560, result=0x8d97210, unit=0x8d9cf50, select_lex=0x8d9d124) at sql_select.cc:2062
#20 0x082253c4 in handle_select(THD*, st_lex*, select_result*, unsigned long) (thd=0x8d9cf00, lex=0x8d9cf40, result=0x8d97210, setup_tables_done_option=0) at sql_select.cc:228
#21 0x081f1e32 in mysql_execute_command(THD*) (thd=0x8d9cf00) at sql_parse.cc:2387
#22 0x081fa027 in mysql_parse(THD*, char*, unsigned) (thd=0x8d9cf00, inBuf=0x8d96940 "SELECT SQL_CACHE inc() FROM t1", length=30) at sql_parse.cc:5172
#23 0x081eff40 in dispatch_command(enum_server_command, THD*, char*, unsigned) (command=COM_QUERY, thd=0x8d9cf00, packet=0x8db9d79 "", packet_length=31) at sql_parse.cc:1647
#24 0x081ef787 in do_command(THD*) (thd=0x8d9cf00) at sql_parse.cc:1453
#25 0x081ee912 in handle_one_connection (arg=0x8d9cf00) at sql_parse.cc:1110
#26 0xb7f80ce1 in pthread_start_thread () from /lib/i686/libpthread.so.0
#27 0xb7f80e51 in pthread_start_thread_event () from /lib/i686/libpthread.so.0
#28 0xb7ef461a in clone () from /lib/i686/libc.so.6
[14 Apr 2005 18:37] Alexander Keremidarski
The last backtrace is from mysqld build from

ChangeSet@1.1831, 2005-04-14 16:39:42+05:00, ramil@mysql.com
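
Added example, not part of the original report or of MySQL's code: a small Python triage script that parses gdb frames like those in the backtrace above and flags that the assertion fired in a query-cache lookup for a statement nested inside the outer query. The names `parse_frames` and `triage` are hypothetical; the sample frames are excerpted from the gdb backtrace above.

```python
import re

# Frames excerpted verbatim from the gdb backtrace in this report (subset only).
BACKTRACE = '''\
#4  0xb7e57e80 in abort () from /lib/i686/libc.so.6
#5  0xb7e4f821 in __assert_fail () from /lib/i686/libc.so.6
#6  0x082fd340 in Query_cache::send_result_to_client(THD*, char*, unsigned) (this=0x872b3a0, thd=0x8d9cf00, sql=0x8d98718 "SET @x := @x + 1", query_length=16) at sql_cache.cc:930
#7  0x0833512b in sp_instr_stmt::execute(THD*, unsigned*) (this=0x8dca220, thd=0x8d9cf00, nextp=0x99ee5cb0) at sp_head.cc:1355
#22 0x081fa027 in mysql_parse(THD*, char*, unsigned) (thd=0x8d9cf00, inBuf=0x8d96940 "SELECT SQL_CACHE inc() FROM t1", length=30) at sql_parse.cc:5172
'''

# "#N 0xADDR in func(sig) (args) at file:line" or "... from library".
# args is matched greedily because a quoted SQL string may itself contain "()".
FRAME_RE = re.compile(
    r'^#(?P<num>\d+)\s+0x[0-9a-f]+ in (?P<func>.+?) \((?P<args>.*)\)'
    r'(?: at (?P<file>\S+):(?P<line>\d+)| from (?P<lib>\S+))?$', re.MULTILINE)
# A char* argument as gdb prints it: name=0xADDR "string contents"
STMT_RE = re.compile(r'\w+=0x[0-9a-f]+ "((?:[^"\\]|\\.)*)"')

def parse_frames(text):
    frames = []
    for m in FRAME_RE.finditer(text):
        stmt = STMT_RE.search(m['args'])
        frames.append({
            'num': int(m['num']),
            'func': m['func'].split('(')[0],   # drop the C++ signature
            'where': f"{m['file']}:{m['line']}" if m['file'] else m['lib'],
            'stmt': stmt.group(1) if stmt else None,
        })
    return frames

def triage(text):
    frames = parse_frames(text)
    # The caller of __assert_fail is the frame whose assertion fired.
    idx = next(i for i, f in enumerate(frames) if f['func'] == '__assert_fail')
    failing = frames[idx + 1]
    # The outermost frame carrying a statement is what the client sent.
    outer = [f for f in frames if f['stmt']][-1]
    via_sp = any(f['func'].startswith('sp_') for f in frames[idx + 1:])
    return {
        'assert_at': failing['where'],
        'inner_stmt': failing['stmt'],
        'outer_stmt': outer['stmt'],
        # Query-cache lookup entered for a stored-routine statement
        # while a different outer statement is still executing.
        'reentrant': (failing['func'] == 'Query_cache::send_result_to_client'
                      and via_sp and failing['stmt'] != outer['stmt']),
    }

if __name__ == '__main__':
    print(triage(BACKTRACE))
```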
[15 Apr 2005 9:26] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/24043
[18 Apr 2005 21:44] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/24122