[MDEV-7020] Error: Freeing overrun buffer or server crash after installing/uninstalling mypluglib and reading variables - JIRA

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 10.1.1
Fix Version/s: 10.1.3
Component/s: Plugins
Labels:
None

Description

The problem appeared on 10.1 tree with this revision:

commit 28ebc2a72485c4b2956531010bd3ee247ae91df2
Author: Sergei Golubchik <serg@mariadb.org>
Date:   Wed Aug 27 20:32:32 2014 +0200

    cleanup: sysvar, only one common check_update_type()

Test case

select count(*) from information_schema.session_variables;
install soname 'mypluglib';
select count(*) from information_schema.session_variables;
uninstall soname 'mypluglib';

Error (got via the client):

Error: Freeing overrun buffer  0x7fb4c9de130f, 0x7fb4c9dcf166, 0x7fb4c95a134e, 0x7fb4c95a1493, 0x7fb4c96ae7c5, 0x7fb4c96aef4d, 0x7fb4c96aec6c, 0x7fb4c8c8bb50
Allocated at 0x7fb4c9dcf24e, 0x7fb4c9dca22f, 0x7fb4c9dca402, 0x7fb4c9dc79c8, 0x7fb4c95a3cdd, 0x7fb4c959c34f, 0x7fb4c959e231, 0x7fb4c959e7bf

Crash (got via MTR):

#3  <signal handler called>
#4  0x00007f3155673322 in lfind (head=0x7f3149034aa8, cs=0x7f3155f15720, hashnr=1728686343, key=0x7f31548e7e90 "B\315\261\006\250-\271\330\021^z\006\261\030#\204", keylen=212, cursor=0x7f31548e7db0, pins=0x7f31490e5100) at 10.1/mysys/lf_hash.c:93
#5  0x00007f315567379a in lsearch (head=0x7f3149034aa8, cs=0x7f3155f15720, hashnr=1728686343, key=0x7f31548e7e90 "B\315\261\006\250-\271\330\021^z\006\261\030#\204", keylen=212, pins=0x7f31490e5100) at 10.1/mysys/lf_hash.c:266
#6  0x00007f3155673e98 in lf_hash_search (hash=0x7f3156112380, pins=0x7f31490e5100, key=0x7f31548e7e90, keylen=212) at 10.1/mysys/lf_hash.c:463
#7  0x00007f31554a4333 in find_or_create_digest (thread=0x7f3151f32400, digest_storage=0x7f314fbfb4d4, schema_name=0x7f314fbfb8e0 "\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245\245", schema_name_length=0) at 10.1/storage/perfschema/pfs_digest.cc:217
#8  0x00007f31554da4e4 in end_statement_v1 (locker=0x7f314fbfb430, stmt_da=0x7f314fbfd100) at 10.1/storage/perfschema/pfs.cc:4805
#9  0x00007f3154e11811 in inline_mysql_end_statement (locker=0x7f314fbfb430, stmt_da=0x7f314fbfd100) at 10.1/include/mysql/psi/mysql_statement.h:223
#10 0x00007f3154e16e9a in dispatch_command (command=COM_QUERY, thd=0x7f314fbf8070, packet=0x7f314e3fa071 "", packet_length=17) at 10.1/sql/sql_parse.cc:1935
#11 0x00007f3154e1455f in do_command (thd=0x7f314fbf8070) at 10.1/sql/sql_parse.cc:1095
#12 0x00007f3154f41f27 in do_handle_one_connection (thd_arg=0x7f314fbf8070) at 10.1/sql/sql_connect.cc:1351
#13 0x00007f3154f41c6c in handle_one_connection (arg=0x7f314fbf8070) at 10.1/sql/sql_connect.cc:1262
#14 0x00007f31554d3f2e in pfs_spawn_thread (arg=0x7f3151c24ef0) at 10.1/storage/perfschema/pfs.cc:1860
#15 0x00007f315451eb50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#16 0x00007f31525b520d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

Stack trace from:

commit 43f185e171eecdce41e71c548ce0bc2bd6969c0f
Author: Alexander Barkov <bar@mariadb.org>
Date:   Mon Nov 3 21:45:06 2014 +0400

cmake . -DCMAKE_BUILD_TYPE=Debug && make

Gliffy Diagrams

Attachments

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Sergei Golubchik added a comment - 2015-02-27 23:08

cannot repeat in the latest 10.1

Show

Sergei Golubchik added a comment - 2015-02-27 23:08 cannot repeat in the latest 10.1

Hide

Permalink

Elena Stepanova added a comment - 2015-02-28 13:55

Once again, the problem disappeared from 10.1 tree after this magic fix:

commit db89dd3a8f7b0d868946d25ba98c6f88612d309a ae09895c9136ef6455d3bac3f25070a90e1df9c2
Author: Sergey Vojtovich <svoj@mariadb.org>
Date:   Fri Dec 26 13:07:43 2014 +0400

    MDEV-7364 - mysqld --help --verbose prints random values for "debug"
    
    getopt value pointer of "debug" variable was pointing to incorrect address:
    &global_system_variables. Runtime statements like SHOW VARIABLES materialize
    value from DBUG structures on demand, so they never access getopt value pointer.
    But mysqld --help --verbose loaded this value from &global_system_variables.
    
    Remove "debug" variable from mysqld --help --verbose output by setting value
    pointer to NULL.

Show

Elena Stepanova added a comment - 2015-02-28 13:55 Once again, the problem disappeared from 10.1 tree after this magic fix: commit db89dd3a8f7b0d868946d25ba98c6f88612d309a ae09895c9136ef6455d3bac3f25070a90e1df9c2 Author: Sergey Vojtovich <svoj@mariadb.org> Date: Fri Dec 26 13:07:43 2014 +0400 MDEV-7364 - mysqld --help --verbose prints random values for "debug" getopt value pointer of "debug" variable was pointing to incorrect address: &global_system_variables. Runtime statements like SHOW VARIABLES materialize value from DBUG structures on demand, so they never access getopt value pointer. But mysqld --help --verbose loaded this value from &global_system_variables. Remove "debug" variable from mysqld --help --verbose output by setting value pointer to NULL.

Error: Freeing overrun buffer or server crash after installing/uninstalling mypluglib and reading variables

Details

Description

Gliffy Diagrams

Attachments

Activity

People

Dates

Agile