On Wed, Jun 24, 2015 at 07:00:48PM +0530, Diwas Joshi wrote:
> hii, please find a patch for MDEV-8343 <https://mariadb.atlassian.net/browse/MDEV-8343> attached to this mail. I have also included a test case in the patch.

So the crash that happens on my machine is:

Program received signal SIGSEGV, Segmentation fault.
(gdb) wher
#0  0x0000555555c30d64 in Create_field::Create_field (this=0x7fffdc0bb260) at /home/psergey/dev-git/10.1-gsoc/sql/field.h:2907
#1  0x0000555555c2bb43 in Create_field::clone (this=0x8f8f8f8f8f8f8f8f, mem_root=0x7fffdc0ba468) at /home/psergey/dev-git/10.1-gsoc/sql/field.cc:10116
#2  0x0000555555d85654 in sp_head::fill_resultset_definition (this=0x7fffdc0ba448, thd=0x5555577ddfc0, create_list=0x5555577e2fb8) at /home/psergey/dev-git/10.1-gsoc/sql/sp_head.cc:2370
#3  0x0000555555bd7a96 in MYSQLparse (thd=0x5555577ddfc0) at /home/psergey/dev-git/10.1-gsoc/sql/sql_yacc.yy:6657
#4  0x0000555555a26e0e in parse_sql (thd=0x5555577ddfc0, parser_state=0x7ffff02810c0, creation_ctx=0x0, do_pfs_digest=true) at /home/psergey/dev-git/10.1-gsoc/sql/sql_parse.cc:9103
#5  0x0000555555a22e51 in mysql_parse (thd=0x5555577ddfc0, rawbuf=0x7fffdc013ad8 "CREATE FUNCTION f1(a INT, b VARCHAR(11))\nRETURNS TABLE t1(id INT, name VARCHAR(11))\nBEGIN\nINSERT INTO t1 SELECT id, name FROM t2 WHERE id = a;\nEND", length=146, parser_state=0x7ffff02810c0) at /home/psergey/dev-git/10.1-gsoc/sql/sql_parse.cc:7116
#6  0x0000555555a1200d in dispatch_command (command=COM_QUERY, thd=0x5555577ddfc0, packet=0x5555577e56e1 "CREATE FUNCTION f1(a INT, b VARCHAR(11))\nRETURNS TABLE t1(id INT, name VARCHAR(11))\nBEGIN\nINSERT INTO t1 SELECT id, name FROM t2 WHERE id = a;\nEND", packet_length=146) at /home/psergey/dev-git/10.1-gsoc/sql/sql_parse.cc:1462
#7  0x0000555555a10dd7 in do_command (thd=0x5555577ddfc0) at /home/psergey/dev-git/10.1-gsoc/sql/sql_parse.cc:1090
#8  0x0000555555b3dcb0 in do_handle_one_connection (thd_arg=0x5555577ddfc0) at /home/psergey/dev-git/10.1-gsoc/sql/sql_connect.cc:1347
#9  0x0000555555b3d9f5 in handle_one_connection (arg=0x5555577ddfc0) at /home/psergey/dev-git/10.1-gsoc/sql/sql_connect.cc:1258
#10 0x0000555555ed9f14 in pfs_spawn_thread (arg=0x5555577ea9c0) at /home/psergey/dev-git/10.1-gsoc/storage/perfschema/pfs.cc:1860
#11 0x00007ffff691de9a in start_thread (arg=0x7ffff0282700) at pthread_create.c:308
#12 0x00007ffff604e3fd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

### Note Create_field::clone(this=0x8f8f8f8f8f8f8f8f ... above. This means it's reading uninitialized data.

(gdb) up
#1  0x0000555555c2bb43 in Create_field::clone (this=0x8f8f8f8f8f8f8f8f, mem_root=0x7fffdc0ba468) at /home/psergey/dev-git/10.1-gsoc/sql/field.cc:10116
(gdb) up
#2  0x0000555555d85654 in sp_head::fill_resultset_definition (this=0x7fffdc0ba448, thd=0x5555577ddfc0, create_list=0x5555577e2fb8) at /home/psergey/dev-git/10.1-gsoc/sql/sp_head.cc:2370
(gdb)
(gdb) p *create_list
$33 = {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7fffdc014280, last = 0x7fffdc0bb250, elements = 4}, <No data fields>}

### Why 4 elements in the list? The example shows it should have two elements...

(gdb) p create_list->first->info
$36 = (void *) 0x8f8f8f8f8f8f8f8f

## The first element is invalid already.

Looking at where the list comes from:

  if(Lex->sphead->fill_resultset_definition(thd, &Lex->alter_info.create_list))

Lex->alter_info.create_list... MySQL codebase has a nasty habit of not initializing the data if it is not needed.

I search for alter_info in the sql_yacc.yy file. I find many lines like this:

  Lex->alter_info.reset();

If I add this line at the start of the $5 in 'sf_tail' production, the crash goes away.

BR
 Sergei
-- 
Sergei Petrunia, Software Developer
MariaDB Corporation | Skype: sergefp | Blog: http://s.petrunia.net/blog
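Added example, not code from this thread or from MariaDB: a small C++ model of the defect Sergei traced above, a parser state member (the counterpart of Lex->alter_info.create_list) that survives from one statement to the next and is filled again without a reset(). The MemRoot, Lex, List and CreateField types are hypothetical stand-ins for the server's own; the example assumes the 0x8f byte in the backtrace is the fill pattern MariaDB debug builds write over released memory (TRASH_FREE), which is what makes the stale pointer readable as 0x8f8f8f8f8f8f8f8f. Running two two-column RETURNS TABLE statements on one Lex reproduces the "4 elements" and trashed first->info gdb showed, and the reset() line makes both go away.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>
#include <vector>

// Fill byte that MariaDB debug builds write over released memory (TRASH_FREE);
// assumed here to be the source of the 0x8f bytes in the backtrace.
static const unsigned char TRASH_FREE_BYTE = 0x8F;

// Hypothetical stand-in for a MEM_ROOT: a bump allocator whose free_root()
// trashes the whole arena so stale pointers into it become recognisable.
struct MemRoot {
    std::vector<unsigned char> buf;
    size_t used;
    explicit MemRoot(size_t n) : buf(n, 0), used(0) {}
    void* alloc(size_t n) {
        n = (n + 7) & ~static_cast<size_t>(7);       // keep 8-byte alignment
        if (used + n > buf.size()) return nullptr;
        void* p = &buf[used];
        used += n;
        return p;
    }
    void free_root() { std::memset(buf.data(), TRASH_FREE_BYTE, buf.size()); used = 0; }
};

struct CreateField { int id; };                        // stands in for Create_field
struct ListNode { CreateField* info; ListNode* next; };

// Intrusive list with the three members gdb printed: first, last, elements.
struct List {
    ListNode* first = nullptr;
    ListNode* last = nullptr;
    unsigned elements = 0;
    void push_back(ListNode* n) {
        n->next = nullptr;
        if (last) last->next = n; else first = n;
        last = n;
        elements++;
    }
};

struct AlterInfo {
    List create_list;
    void reset() { create_list = List(); }           // what the reset() in the mail does for this member
};

// Parser state that outlives a single statement, like the server's lex.
struct Lex { AlterInfo alter_info; };

// True if a pointer value consists entirely of the trash byte.
static bool looks_trashed(const void* p) {
    uintptr_t pattern;
    std::memset(&pattern, TRASH_FREE_BYTE, sizeof pattern);
    return reinterpret_cast<uintptr_t>(p) == pattern;
}

// Models the sf_tail action that builds the RETURNS TABLE column list: one node
// per column, allocated from the statement's root. Returns the element count.
static unsigned parse_returns_table(Lex& lex, MemRoot& root, int ncols, bool reset_first) {
    if (reset_first) lex.alter_info.reset();          // the one-line fix from the mail
    for (int i = 0; i < ncols; i++) {
        CreateField* f = new (root.alloc(sizeof(CreateField))) CreateField{i};
        ListNode* n = new (root.alloc(sizeof(ListNode))) ListNode{f, nullptr};
        lex.alter_info.create_list.push_back(n);
    }
    return lex.alter_info.create_list.elements;
}

// Models fill_resultset_definition(): visits every column to clone it. Returns the
// number visited, or -1 on meeting a trashed info pointer; the real code goes on to
// call Create_field::clone with this=0x8f8f... and dies with SIGSEGV.
static int fill_resultset_definition(const List& l) {
    int n = 0;
    for (const ListNode* node = l.first; node; node = node->next) {
        if (looks_trashed(node->info)) return -1;
        n++;
    }
    return n;
}

struct Outcome { unsigned elements; int filled; };

// Two CREATE FUNCTION ... RETURNS TABLE statements on one connection, two columns
// each. The first statement's memory is released in between, as per-statement
// memory is; without a reset the second statement inherits the stale list.
static Outcome run_two_statements(bool reset_between) {
    Lex lex;
    MemRoot root1(4096), root2(4096);
    parse_returns_table(lex, root1, 2, true);
    root1.free_root();
    Outcome o;
    o.elements = parse_returns_table(lex, root2, 2, reset_between);
    o.filled = fill_resultset_definition(lex.alter_info.create_list);
    return o;
}
```

run_two_statements(false) reports 4 elements and a trashed first node, the same picture as the gdb session; run_two_statements(true) reports 2 elements and clones both. In a debug build, an assertion that create_list.elements is 0 at the start of the production would catch a missing reset() long before any dangling pointer is dereferenced.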