Bug#17474166 - EXECUTING STATEMENT LIKE 'SHOW ENGINE INNODB'

AND 'KILL SESSION' LEAD TO CRASH Analysis: -------- This situation occurs when the connection executes query "show engine innodb status" and this connection is killed by executing statement "kill <con>" by another connection. In function "innodb_show_status", function "stat_print" is called to print the status but return value of function is not checked. After killing connection, if write to connection fails then error is returned and same is set in Diagnostic area. Since FALSE is returned from "innodb_show_status" now, assert to check no error is set in function "set_eof_status" (called from my_eof) is failing. Fix: ---- Changed code to check return value of function "stat_print" in "innodb_show_status".
2013-10-09 13:32:31 +05:30 · 2013-10-09 13:32:31 +05:30 · c66a037dca
commit c66a037dca
parent c8c948ffa6
3 changed files with 18 additions and 4 deletions
--- a/sql/handler.cc
+++ b/sql/handler.cc
@ -4921,8 +4921,14 @@ bool ha_show_status(THD *thd, handlerton *db_type, enum ha_stat_type stat)
                         "", 0, "DISABLED", 8) ? 1 : 0;
    }
    else
+    {
+      DBUG_EXECUTE_IF("simulate_show_status_failure",
+                      DBUG_SET("+d,simulate_net_write_failure"););
      result= db_type->show_status &&
              db_type->show_status(db_type, thd, stat_print, stat) ? 1 : 0;
+      DBUG_EXECUTE_IF("simulate_show_status_failure",
+                      DBUG_SET("-d,simulate_net_write_failure"););
+    }
  }

  if (!result)
--- a/sql/net_serv.cc
+++ b/sql/net_serv.cc
@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@ -370,6 +370,12 @@ my_net_write(NET *net,const uchar *packet,size_t len)

  MYSQL_NET_WRITE_START(len);

+  DBUG_EXECUTE_IF("simulate_net_write_failure", {
+                  my_error(ER_NET_ERROR_ON_WRITE, MYF(0));
+                  return 1;
+                  };
+                 );
+
  /*
    Big packets are handled by splitting them in packets of MAX_PACKET_LENGTH
    length. The last packet is always a packet that is < MAX_PACKET_LENGTH.
--- a/storage/innobase/handler/ha_innodb.cc
+++ b/storage/innobase/handler/ha_innodb.cc
@ -9526,6 +9526,7 @@ innodb_show_status(
 	const long		MAX_STATUS_SIZE = 1048576;
 	ulint			trx_list_start = ULINT_UNDEFINED;
 	ulint			trx_list_end = ULINT_UNDEFINED;
+	bool			ret_val;

 	DBUG_ENTER("innodb_show_status");
 	DBUG_ASSERT(hton == innodb_hton_ptr);
@ -9590,12 +9591,13 @@ innodb_show_status(

 	mutex_exit(&srv_monitor_file_mutex);

-	stat_print(thd, innobase_hton_name, (uint) strlen(innobase_hton_name),
-		   STRING_WITH_LEN(""), str, flen);
+	ret_val= stat_print(thd, innobase_hton_name,
+				(uint) strlen(innobase_hton_name),
+				STRING_WITH_LEN(""), str, flen);

 	my_free(str);

-	DBUG_RETURN(FALSE);
+	DBUG_RETURN(ret_val);
 }

 /************************************************************************//**