Details
Description
Note: the test case looks similar to MDEV-4811, but the assertion doesn't fail here; instead it either causes valgrind warnings or crashes.
==11100== Invalid write of size 1
==11100==    at 0xB6CA29: dynamic_column_update_many (ma_dyncol.c:2031)
==11100==    by 0x5EC963: Item_func_dyncol_add::val_str(String*) (item_strfunc.cc:3769)
==11100==    by 0x58B2DB: Item::send(Protocol*, String*) (item.cc:5970)
==11100==    by 0x659DBB: select_send::send_data(List<Item>&) (sql_class.cc:2012)
==11100==    by 0x730E1C: end_send(JOIN*, st_join_table*, bool) (sql_select.cc:16974)
==11100==    by 0x72DBE8: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:15548)
==11100==    by 0x70E1C1: JOIN::exec() (sql_select.cc:2769)
==11100==    by 0x70EA4C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)
==11100==    by 0x7054C0: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
==11100==    by 0x6917D1: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
==11100==    by 0x688599: mysql_execute_command(THD*) (sql_parse.cc:2305)
==11100==    by 0x69425B: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)
==11100==    by 0x685CB6: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)
==11100==    by 0x684F27: do_command(THD*) (sql_parse.cc:923)
==11100==    by 0x681DC1: handle_one_connection (sql_connect.cc:1231)
==11100==    by 0x548DE99: start_thread (pthread_create.c:308)
==11100==  Address 0xf8438b3 is 51 bytes inside a block of size 178 free'd
==11100==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11100==    by 0xB73E26: _myfree (safemalloc.c:337)
==11100==    by 0xB73B04: _myrealloc (safemalloc.c:260)
==11100==    by 0xB83667: dynstr_append_mem (string.c:109)
==11100==    by 0xB69B84: dynamic_column_string_store (ma_dyncol.c:434)
==11100==    by 0xB6A6DD: data_store (ma_dyncol.c:854)
==11100==    by 0xB6CC6C: dynamic_column_update_many (ma_dyncol.c:2070)
==11100==    by 0x5EC963: Item_func_dyncol_add::val_str(String*) (item_strfunc.cc:3769)
==11100==    by 0x58B2DB: Item::send(Protocol*, String*) (item.cc:5970)
==11100==    by 0x659DBB: select_send::send_data(List<Item>&) (sql_class.cc:2012)
==11100==    by 0x730E1C: end_send(JOIN*, st_join_table*, bool) (sql_select.cc:16974)
==11100==    by 0x72DBE8: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:15548)
==11100==    by 0x70E1C1: JOIN::exec() (sql_select.cc:2769)
==11100==    by 0x70EA4C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)
==11100==    by 0x7054C0: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
==11100==    by 0x6917D1: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
bzr version-info
revision-id: sergii@pisem.net-20130715163225-6ch6x34lsufode3d
revno: 3670
branch-nick: 5.3
Code fragment:
2006:   else
2007:   {
2008:     /*
2009:       Adjust all headers since last loop.
2010:       We have to do this as the offset for data has moved
2011:     */
2012:     for (k= start; k < end; k++)
2013:     {
2014:       uchar *read= header_base + k * entry_size;
2015:       size_t offs;
2016:       uint nm;
2017:       DYNAMIC_COLUMN_TYPE tp;
2018:
2019:       nm= uint2korr(read); /* Column number */
2020:       type_and_offset_read(&tp, &offs, read, offset_size);
2021:       if (k == start)
2022:         first_offset= offs;
2023:       else if (offs < first_offset)
2024:       {
2025:         dynamic_column_column_free(&tmp);
2026:         rc= ER_DYNCOL_FORMAT;
2027:         goto end;
2028:       }
2029:
2030:       offs+= plan[i].ddelta;
2031:       int2store(write, nm);
2032:       /* write rest of data at write + COLUMN_NUMBER_SIZE */
2033:       type_and_offset_store(write, new_offset_size, tp, offs);
2034:       write+= new_entry_size;
2035:     }
2036:   }
Test case:
CREATE TABLE t1 (dyncol TINYBLOB) ENGINE=MyISAM;
INSERT INTO t1 SET dyncol = COLUMN_CREATE( 7, REPEAT('k',487), 209, REPEAT('x',464) );
--error 0,ER_DYN_COL_WRONG_FORMAT
SELECT COLUMN_ADD( dyncol, 7, '22:22:22', 8, REPEAT('x',270) AS CHAR ) FROM t1;
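The pattern the valgrind trace points at, as an added illustration that is not code from this report or from MariaDB: a header slot is written through a pointer into a growable buffer while appends to that same buffer may realloc it, so a pointer taken before the append is stale afterwards; the hardened form below re-derives the pointer from the buffer base on every iteration. The dynstr_t, build_columns, column_at and demo_roundtrip names and the 2-byte header layout are constructed for this example and are a simplification of the real dynamic column format.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed growable string with realloc semantics like dynstr_append_mem. */
typedef struct { char *str; size_t length; size_t max_length; } dynstr_t;
static int dynstr_append(dynstr_t *s, const void *p, size_t n) {
  if (s->length + n > s->max_length) {            /* grow: realloc may free the old block */
    size_t cap = s->max_length * 2 + n; char *moved = realloc(s->str, cap);
    if (!moved) return -1;
    s->str = moved; s->max_length = cap;           /* every pointer into the old block now dangles */
  }
  memcpy(s->str + s->length, p, n);
  s->length += n;
  return 0;
}
#define ENTRY_SIZE 2  /* one 2-byte little-endian data offset per column (cf. int2store) */
/* Layout: [n header entries][data], offsets counted from the end of the header. */
static int build_columns(dynstr_t *s, const char **vals, size_t n) {
  const char zeros[ENTRY_SIZE] = {0};
  for (size_t k = 0; k < n; k++)
    if (dynstr_append(s, zeros, ENTRY_SIZE)) return -1;        /* reserve the header */
  /* Report's pattern: a write pointer cached here and advanced across the appends below
     keeps writing into the block realloc freed. Hardened form: re-derive it each time. */
  for (size_t k = 0; k < n; k++) {
    size_t offs = s->length - n * ENTRY_SIZE;
    unsigned char *write = (unsigned char *)s->str + k * ENTRY_SIZE;  /* fresh from base */
    write[0] = (unsigned char)(offs & 0xff); write[1] = (unsigned char)(offs >> 8);
    if (dynstr_append(s, vals[k], strlen(vals[k]))) return -1;       /* may move s->str */
  }
  return 0;
}
/* Reads column k back through the header; returns its first byte, stores its length. */
static const char *column_at(const dynstr_t *s, size_t n, size_t k, size_t *len) {
  const unsigned char *h = (const unsigned char *)s->str;
  size_t start = h[2 * k] | (h[2 * k + 1] << 8);
  size_t end = k + 1 < n ? (h[2 * k + 2] | (h[2 * k + 3] << 8)) : s->length - n * ENTRY_SIZE;
  *len = end - start;
  return s->str + n * ENTRY_SIZE + start;
}
/* Constructed round trip with an 8-byte initial capacity (forces reallocs inside the loop);
   returns how many of the 3 columns read back intact (3 = all), -1 if allocation fails. */
static int demo_roundtrip(void) {
  const char *vals[3] = { "22:22:22", "kkkkkkkkkkkkkkkkkkkkkkkk", "xxxxxxxxxxxxxxxxxxxxxxxx" };
  dynstr_t s = { malloc(8), 0, 8 }; int ok = 0;
  if (!s.str || build_columns(&s, vals, 3)) { free(s.str); return -1; }
  for (size_t k = 0; k < 3; k++) {
    size_t len; const char *p = column_at(&s, 3, k, &len);
    ok += len == strlen(vals[k]) && memcmp(p, vals[k], len) == 0;
  }
  free(s.str); return ok;
}
```

Running the same build with a pointer cached before the loop is exactly what valgrind reports above as an invalid write into a block freed by _myrealloc; memcheck or AddressSanitizer catches it, a plain build may only crash intermittently.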
Issue Links
is duplicated by MDEV-4811 Assertion `offset < 0x1f' fails in type_and_offset_store on COLUMN_ADD (Closed)
Activity
The problem is the same as with MDEV-4811 - corrupted data due to string truncation.