Bug 443495 - Perl DBI segfault when issuing query with large number of bind variables
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: perl-DBI
Version: 5.2
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Stepan Kasal
QA Contact: desktop-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 444579 444580
Reported: 2008-04-21 20:37 UTC by David Lawrence
Modified: 2013-04-12 19:41 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-10-20 11:16:57 UTC
Target Upstream Version:
Embargoed:


Attachments
Perl backtrace showing segfault in perl-DBD-MySQL (7.66 KB, text/plain)
2008-04-21 20:37 UTC, David Lawrence
Perl script with SQL to reproduce segfault (27.05 KB, text/plain)
2008-04-21 20:38 UTC, David Lawrence


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0918 0 normal SHIPPED_LIVE perl-DBI, perl-DBD-MySQL, and perl-DBD-Pg bug fix update 2008-10-20 11:16:47 UTC

Description David Lawrence 2008-04-21 20:37:09 UTC
On 5.2 (and 5.1) when running the attached test script with a fairly large
number of bind variables containing integers, we get a segfault crash. The same
query with fewer bind variables works fine. We have tried stock perl-DBD-MySQL
shipped with RHEL5 and also updated to latest CPAN version with no success. We
tried both the stock mysql and the upcoming mysql errata packages also.

This same query works fine in RHEL4 running mysql-5.x from the Application
Stacks product (what live Bugzilla is using).

[root@rhel52 tmp]# rpm -q perl-DBD-MySQL perl-DBI mysql
perl-DBD-MySQL-4.006-1.el5s2
perl-DBI-1.604-1.el5s2
mysql-5.0.45-7.el5
[root@rhel52 tmp]# uname -a
Linux rhel52.devel.redhat.com 2.6.18-84.el5xen #1 SMP Fri Feb 29 16:42:34
EST 2008 x86_64 x86_64 x86_64 GNU/Linux

[root@rhel52 tmp]# gdb --args /usr/bin/perl /tmp/object.pl 2>&1 | tee gdb-perl.txt
output is attached

Also attaching test script we use to cause the query to crash.

Thanks
Dave

Comment 1 David Lawrence 2008-04-21 20:37:09 UTC
Created attachment 303201 [details]
Perl backtrace showing segfault in perl-DBD-MySQL

Comment 2 David Lawrence 2008-04-21 20:38:40 UTC
Created attachment 303202 [details]
Perl script with SQL to reproduce segfault

Attaching script that shows sample SQL that causes the segfault on RHEL5.

Comment 3 David Lawrence 2008-04-21 20:39:14 UTC
This blocks our planned upgrade to Bugzilla 3.2

Comment 4 David Lawrence 2008-04-22 21:04:39 UTC
Changing component to mysql. I was able to take the mysql srpm from RHEL-4-Stacks-V1
and recompile it on RHEL5. This alleviated the segfault for me. I also had to
recompile perl-DBD-mysql against the older mysql.

[root@bz-web2-test SPECS]# rpm -q mysql
mysql-5.0.44-1.el4s1.1

[root@bz-web2-test SPECS]# rpm -q perl-DBD-mysql
perl-DBD-mysql-4.006-1.el5

So somewhere this occurred between 5.0.44 and 5.0.45.

Let me know any other information I can provide.
Dave


Comment 5 Tom Lane 2008-04-24 22:22:53 UTC
Hmm, on my F8 x86_64 machine it dumps core against either 5.0.44 or 5.0.50 (haven't tried 5.0.45).  
Would you confirm what was the working combination you used before?

I'm kinda suspecting an unintentional ABI break (mysql have been guilty of that before).  Robin, can you 
say exactly which mysql RPM version perl-DBD-MySQL-4.006-1.el5s2 was built against?


Comment 6 Tom Lane 2008-04-25 19:47:31 UTC
Okay, I'm bouncing this one back, because it's a bug in DBD-MySQL.  The problem occurs in this line
of code in selectall_arrayref:

    ST(0) =dbixst_bounce_method("DBD::mysql::db::SUPER::selectall_arrayref", items);

Examining the generated assembly code, the address ST(0) is computed before calling the bounce function.
But in the particular case we are looking at here, the function eats all the remaining SV arena space
and forces more to be allocated, and *that moves the Perl stack*.  So on return we store into what turns
out to be the number-of-items count of the just-added arena, and at program exit when that's relied on
to determine how far to scan, the scan goes off into never never land.

The correct coding must of course be

    tmpvar = dbixst_bounce_method("DBD::mysql::db::SUPER::selectall_arrayref", items);
    ST(0) = tmpvar;

There seem to be quite a boatload of occurrences of this pattern in mysql.xsi, and I say that every one of them
is a crash waiting to happen.
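
The stale-address store described in comment 6, as an added example that is not part of the bug report or of the DBI sources: `toy_stack`, `TOY_ST`, `toy_bounce` and the other names are hypothetical stand-ins for the Perl stack, `ST()` and `dbixst_bounce_method`. Unlike a real reallocation, the old storage is kept allocated so the misplaced write stays well defined and can be observed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model, constructed for illustration: a stack whose base moves on growth. */
typedef struct { long *base, *retired; size_t cap; } toy_stack;
#define TOY_ST(s, n) ((s)->base[(n)])

/* Grow by moving to a new allocation, as a realloc may do. */
static void toy_grow(toy_stack *s) {
    long *bigger = calloc(s->cap * 2, sizeof(long));
    memcpy(bigger, s->base, s->cap * sizeof(long));
    free(s->retired);
    s->retired = s->base;   /* kept allocated so the stale write is harmless here */
    s->base = bigger;
    s->cap *= 2;
}

/* Stand-in for the bounce call: returns a value and may move the stack. */
static long toy_bounce(toy_stack *s, int needs_growth) {
    if (needs_growth) toy_grow(s);
    return 42;
}

/* Address computed before the call, as in the generated code for ST(0) = f(). */
static long store_address_first(toy_stack *s, int needs_growth) {
    long *slot = &TOY_ST(s, 0);
    *slot = toy_bounce(s, needs_growth);   /* hits retired storage if the stack moved */
    return TOY_ST(s, 0);
}

/* The tmpvar form: call first, then index whatever the stack base is now. */
static long store_via_tmpvar(toy_stack *s, int needs_growth) {
    long tmpvar = toy_bounce(s, needs_growth);
    TOY_ST(s, 0) = tmpvar;
    return TOY_ST(s, 0);
}

/* Run one store variant on a fresh 4-slot stack; return what slot 0 holds. */
static long demo(long (*store)(toy_stack *, int), int needs_growth) {
    toy_stack s = { calloc(4, sizeof(long)), NULL, 4 };
    long seen = store(&s, needs_growth);
    free(s.retired); free(s.base);
    return seen;
}

int main(void) {
    printf("address-first: %ld, tmpvar: %ld\n", demo(store_address_first, 1), demo(store_via_tmpvar, 1));
    return 0;
}
```

When the call does not grow the stack both variants agree, which matches the report that the query only fails above a certain number of bind variables.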

Comment 7 Marcela Mašláňová 2008-04-30 09:03:12 UTC
Could you point me in which package and in which version did you find
"dbixst_bounce_method"? I wasn't successful in perl-DBD-MySQL.

Comment 8 Stepan Kasal 2008-04-30 09:14:11 UTC
I haven't finished the previous edit; I apologize for the confusion it has
brought.  :-(

It took me some time, but I found out that mysql.xsi is just a slightly modified
copy of .../auto/DBI/Driver.xst, from package perl-DBI.

So I'm changing the component of this bug to perl-DBI and creating two clones to
record the need to rebuild the perl-DBD-* packages.

Comment 9 RHEL Program Management 2008-05-20 19:17:15 UTC
This bugzilla has Keywords: Regression.  

Since no regressions are allowed between releases, 
it is also being proposed as a blocker for this release.  

Please resolve ASAP.

Comment 11 David Lawrence 2008-07-31 03:52:33 UTC
Removing these from the Bugzilla 3 upgrade tracker as these are ongoing and will
be finished after the upgrade.

Comment 15 errata-xmlrpc 2008-10-20 11:16:57 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0918.html

