[MDEV-11641] innobase_get_stmt_safe() does not copy the last byte of thd->query_string - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.2.2, 10.2.3
Fix Version/s: 10.2.4
Component/s: Storage Engine - InnoDB, Tests
Labels:
None

Description

http://buildbot.askmonty.org/buildbot/builders/xenial-amd64-valgrind/builds/183/steps/test/logs/stdio
Also reproducible locally with cmake . -DCMAKE_BUILD_TYPE=Debug -DWITH_VALGRIND=YES

innodb.innodb_information_schema_tables 'innodb' w3 [ fail ]  Found warnings/errors in server log file!

        Test ended at 2016-12-22 09:15:35

line

==26507== Thread 27:

==26507== Conditional jump or move depends on uninitialised value(s)

==26507==    at 0xFB1FA9: hash_get_nth_cell(hash_table_t*, unsigned long) (hash0hash.ic:40)

==26507==    by 0xFB2440: ha_storage_get(ha_storage_t*, void const*, unsigned long) (ha0storage.cc:59)

==26507==    by 0xFB24CF: ha_storage_put_memlim(ha_storage_t*, void const*, unsigned long, unsigned long) (ha0storage.cc:100)

==26507==    by 0xE36F5A: fill_trx_row(i_s_trx_row_t*, trx_t const*, i_s_locks_row_t const*, trx_i_s_cache_t*) (trx0i_s.cc:503)

==26507==    by 0xE38A17: fetch_data_into_cache_low(trx_i_s_cache_t*, bool, ut_list_base<trx_t, ut_list_node<trx_t> trx_t::*>*) (trx0i_s.cc:1312)

==26507==    by 0xE38B29: fetch_data_into_cache(trx_i_s_cache_t*) (trx0i_s.cc:1338)

==26507==    by 0xE38C07: trx_i_s_possibly_fetch_data_into_cache(trx_i_s_cache_t*) (trx0i_s.cc:1366)

==26507==    by 0xC8D457: trx_i_s_common_fill_table(THD*, TABLE_LIST*, Item*) (i_s.cc:1274)

==26507==    by 0x74BD50: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:8204)

==26507==    by 0x6EAD24: JOIN::exec_inner() (sql_select.cc:3352)

==26507==    by 0x6EA463: JOIN::exec() (sql_select.cc:3199)

==26507==    by 0x6EB5C5: mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3584)

==26507== Use of uninitialised value of size 8

==26507==    at 0xFB2441: ha_storage_get(ha_storage_t*, void const*, unsigned long) (ha0storage.cc:59)

==26507==    by 0xFB24CF: ha_storage_put_memlim(ha_storage_t*, void const*, unsigned long, unsigned long) (ha0storage.cc:100)

==26507==    by 0xE36F5A: fill_trx_row(i_s_trx_row_t*, trx_t const*, i_s_locks_row_t const*, trx_i_s_cache_t*) (trx0i_s.cc:503)

==26507==    by 0xE38A17: fetch_data_into_cache_low(trx_i_s_cache_t*, bool, ut_list_base<trx_t, ut_list_node<trx_t> trx_t::*>*) (trx0i_s.cc:1312)

==26507==    by 0xE38B29: fetch_data_into_cache(trx_i_s_cache_t*) (trx0i_s.cc:1338)

==26507==    by 0xE38C07: trx_i_s_possibly_fetch_data_into_cache(trx_i_s_cache_t*) (trx0i_s.cc:1366)

==26507==    by 0xC8D457: trx_i_s_common_fill_table(THD*, TABLE_LIST*, Item*) (i_s.cc:1274)

==26507==    by 0x74BD50: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:8204)

==26507==    by 0x6EAD24: JOIN::exec_inner() (sql_select.cc:3352)

==26507==    by 0x6EA463: JOIN::exec() (sql_select.cc:3199)

==26507==    by 0x6EB5C5: mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3584)

==26507==    by 0x6E055F: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:373)

==26507== Conditional jump or move depends on uninitialised value(s)

==26507==    at 0xFB1FA9: hash_get_nth_cell(hash_table_t*, unsigned long) (hash0hash.ic:40)

==26507==    by 0xFB263E: ha_storage_put_memlim(ha_storage_t*, void const*, unsigned long, unsigned long) (ha0storage.cc:132)

==26507==    by 0xE36F5A: fill_trx_row(i_s_trx_row_t*, trx_t const*, i_s_locks_row_t const*, trx_i_s_cache_t*) (trx0i_s.cc:503)

==26507==    by 0xE38A17: fetch_data_into_cache_low(trx_i_s_cache_t*, bool, ut_list_base<trx_t, ut_list_node<trx_t> trx_t::*>*) (trx0i_s.cc:1312)

==26507==    by 0xE38B29: fetch_data_into_cache(trx_i_s_cache_t*) (trx0i_s.cc:1338)

==26507==    by 0xE38C07: trx_i_s_possibly_fetch_data_into_cache(trx_i_s_cache_t*) (trx0i_s.cc:1366)

==26507==    by 0xC8D457: trx_i_s_common_fill_table(THD*, TABLE_LIST*, Item*) (i_s.cc:1274)

==26507==    by 0x74BD50: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:8204)

==26507==    by 0x6EAD24: JOIN::exec_inner() (sql_select.cc:3352)

==26507==    by 0x6EA463: JOIN::exec() (sql_select.cc:3199)

==26507==    by 0x6EB5C5: mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3584)

==26507==    by 0x6E055F: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:373)

==26507== Use of uninitialised value of size 8

==26507==    at 0xFB2647: ha_storage_put_memlim(ha_storage_t*, void const*, unsigned long, unsigned long) (ha0storage.cc:132)

==26507==    by 0xE36F5A: fill_trx_row(i_s_trx_row_t*, trx_t const*, i_s_locks_row_t const*, trx_i_s_cache_t*) (trx0i_s.cc:503)

==26507==    by 0xE38A17: fetch_data_into_cache_low(trx_i_s_cache_t*, bool, ut_list_base<trx_t, ut_list_node<trx_t> trx_t::*>*) (trx0i_s.cc:1312)

==26507==    by 0xE38B29: fetch_data_into_cache(trx_i_s_cache_t*) (trx0i_s.cc:1338)

==26507==    by 0xE38C07: trx_i_s_possibly_fetch_data_into_cache(trx_i_s_cache_t*) (trx0i_s.cc:1366)

==26507==    by 0xC8D457: trx_i_s_common_fill_table(THD*, TABLE_LIST*, Item*) (i_s.cc:1274)

==26507==    by 0x74BD50: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:8204)

==26507==    by 0x6EAD24: JOIN::exec_inner() (sql_select.cc:3352)

==26507==    by 0x6EA463: JOIN::exec() (sql_select.cc:3199)

==26507==    by 0x6EB5C5: mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3584)

==26507==    by 0x6E055F: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:373)

==26507==    by 0x6AC2D9: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6399)

==26507== Use of uninitialised value of size 8

==26507==    at 0xFB2657: ha_storage_put_memlim(ha_storage_t*, void const*, unsigned long, unsigned long) (ha0storage.cc:132)

==26507==    by 0xE36F5A: fill_trx_row(i_s_trx_row_t*, trx_t const*, i_s_locks_row_t const*, trx_i_s_cache_t*) (trx0i_s.cc:503)

==26507==    by 0xE38A17: fetch_data_into_cache_low(trx_i_s_cache_t*, bool, ut_list_base<trx_t, ut_list_node<trx_t> trx_t::*>*) (trx0i_s.cc:1312)

==26507==    by 0xE38B29: fetch_data_into_cache(trx_i_s_cache_t*) (trx0i_s.cc:1338)

==26507==    by 0xE38C07: trx_i_s_possibly_fetch_data_into_cache(trx_i_s_cache_t*) (trx0i_s.cc:1366)

==26507==    by 0xC8D457: trx_i_s_common_fill_table(THD*, TABLE_LIST*, Item*) (i_s.cc:1274)

==26507==    by 0x74BD50: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:8204)

==26507==    by 0x6EAD24: JOIN::exec_inner() (sql_select.cc:3352)

==26507==    by 0x6EA463: JOIN::exec() (sql_select.cc:3199)

==26507==    by 0x6EB5C5: mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3584)

==26507==    by 0x6E055F: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:373)

==26507==    by 0x6AC2D9: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6399)

==26507== Conditional jump or move depends on uninitialised value(s)

==26507==    at 0x4C30F78: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)

==26507==    by 0xC8C3C0: fill_innodb_trx_from_cache(trx_i_s_cache_t*, THD*, TABLE*) (i_s.cc:644)

==26507==    by 0xC8D57F: trx_i_s_common_fill_table(THD*, TABLE_LIST*, Item*) (i_s.cc:1289)

==26507==    by 0x74BD50: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:8204)

==26507==    by 0x6EAD24: JOIN::exec_inner() (sql_select.cc:3352)

==26507==    by 0x6EA463: JOIN::exec() (sql_select.cc:3199)

==26507==    by 0x6EB5C5: mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3584)

==26507==    by 0x6E055F: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:373)

==26507==    by 0x6AC2D9: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6399)

==26507==    by 0x6A1AE4: mysql_execute_command(THD*) (sql_parse.cc:3423)

==26507==    by 0x6AFC4E: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7842)

==26507==    by 0x69D551: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1799)

Attachments

Issue Links

relates to

MDEV-12070 Introduce thd_query_safe() from MySQL 5.7

Closed

MDEV-7069 Fix buildbot failures in main server trees

Stalled

Activity

Ascending order - Click to sort in descending order

Marko Mäkelä added a comment - 2017-02-15 11:43

This problem was introduced in a merge of MySQL 5.7.9 to MariaDB Server 10.2.2 which included a buggy mock-up version of the function innobase_get_stmt_safe() that fails to copy the last byte of the thd_query_string().
I filed ~~MDEV-12070~~ for implementing the function properly.

Marko Mäkelä added a comment - 2017-02-15 11:43 This problem was introduced in a merge of MySQL 5.7.9 to MariaDB Server 10.2.2 which included a buggy mock-up version of the function innobase_get_stmt_safe() that fails to copy the last byte of the thd_query_string(). I filed MDEV-12070 for implementing the function properly.

Marko Mäkelä added a comment - 2017-02-15 11:46

A simple fix:

diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc

index e53253db19c..ef599bc5d04 100644

--- a/storage/innobase/handler/ha_innodb.cc

+++ b/storage/innobase/handler/ha_innodb.cc

@@ -2465,8 +2465,8 @@ innobase_get_stmt_safe(

 	stmt =  thd ? thd_query_string(thd) : NULL;

 	if (stmt && stmt->str) {

-		length = stmt->length > buflen ? buflen : stmt->length;

-		memcpy(buf, stmt->str, length-1);

+		length = stmt->length >= buflen ? buflen - 1 : stmt->length;

+		memcpy(buf, stmt->str, length);

 		buf[length]='\0';

 	} else {

 		buf[0]='\0';

With this fix, the tests pass:

innodb.row_lock 'innodb'                 w3 [ pass ]   4630

innodb.innodb_information_schema 'innodb' w2 [ pass ]   7422

main.partition_innodb_plugin 'innodb'    w1 [ pass ]  10631

valgrind_report                          w0 [ pass ]

Marko Mäkelä added a comment - 2017-02-15 11:46 A simple fix: diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc index e53253db19c..ef599bc5d04 100644 --- a/storage/innobase/handler/ha_innodb.cc +++ b/storage/innobase/handler/ha_innodb.cc @@ -2465,8 +2465,8 @@ innobase_get_stmt_safe( stmt = thd ? thd_query_string(thd) : NULL; if (stmt && stmt->str) { - length = stmt->length > buflen ? buflen : stmt->length; - memcpy(buf, stmt->str, length-1); + length = stmt->length >= buflen ? buflen - 1 : stmt->length; + memcpy(buf, stmt->str, length); buf[length]='\0'; } else { buf[0]='\0'; With this fix, the tests pass: innodb.row_lock 'innodb' w3 [ pass ] 4630 innodb.innodb_information_schema 'innodb' w2 [ pass ] 7422 main.partition_innodb_plugin 'innodb' w1 [ pass ] 10631 valgrind_report w0 [ pass ]

People

Assignee:: Marko Mäkelä

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2016-12-22 23:28

Updated:: 2017-02-15 11:49

Resolved:: 2017-02-15 11:49

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.