Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-11754

Invalid read of size 8 in malloc_size_and_flag / ... Field_blob::free() or crash in

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • N/A
    • 10.2.4
    • OTHER
    • None

    Description

      CREATE TABLE t1 ( 
       pk INTEGER AUTO_INCREMENT,
       b MEDIUMTEXT NULL,
       vb TEXT AS (b) VIRTUAL,
       i SMALLINT NULL,
       PRIMARY KEY(pk)
       ) ENGINE=MyISAM;
      CREATE VIEW v1 AS SELECT * FROM t1;
       
      INSERT INTO t1 (b,i) VALUES
       ('foo',1),('bar',8);
       
      SELECT * FROM v1 WHERE NOT i ORDER BY vb;
      SELECT * FROM v1 WHERE NOT i ORDER BY vb;
      

      bb-10.2-monty f7c350ac022

      ==2252== Invalid read of size 8
      ==2252==    at 0x10DCE0F: malloc_size_and_flag (my_malloc.c:43)
      ==2252==    by 0x10DD3C5: my_free (my_malloc.c:214)
      ==2252==    by 0x5D2B3E: String::free() (sql_string.h:351)
      ==2252==    by 0x90D437: Field_blob::free() (field.h:3359)
      ==2252==    by 0x712CA1: free_tmp_table(THD*, TABLE*) (sql_select.cc:17666)
      ==2252==    by 0x6315B7: close_thread_tables(THD*) (sql_base.cc:767)
      ==2252==    by 0x6AEAA5: mysql_execute_command(THD*) (sql_parse.cc:6220)
      ==2252==    by 0x6B3169: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7839)
      ==2252==    by 0x6A0D2D: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1799)
      ==2252==    by 0x69F707: do_command(THD*) (sql_parse.cc:1359)
      ==2252==    by 0x7ECB9D: do_handle_one_connection(CONNECT*) (sql_connect.cc:1354)
      ==2252==    by 0x7EC92A: handle_one_connection (sql_connect.cc:1260)
      ==2252==    by 0xB436B5: pfs_spawn_thread (pfs.cc:1862)
      ==2252==    by 0x4E3D0A3: start_thread (pthread_create.c:309)
      ==2252==    by 0x6EC287C: clone (clone.S:111)
      ==2252==  Address 0xe28cf70 is 0 bytes inside a block of size 16 free'd
      ==2252==    at 0x4C29F40: free (vg_replace_malloc.c:474)
      ==2252==    by 0x10DD3F5: my_free (my_malloc.c:216)
      ==2252==    by 0x5D2B3E: String::free() (sql_string.h:351)
      ==2252==    by 0x5ECFEC: String::set(char const*, unsigned int, charset_info_st const*) (sql_string.h:274)
      ==2252==    by 0x9000A1: Field_blob::val_str(String*, String*) (field.cc:8059)
      ==2252==    by 0x5E029A: Field::val_str(String*) (field.h:833)
      ==2252==    by 0x90D17E: Field_blob::store_field(Field*) (field.h:3239)
      ==2252==    by 0x911E0E: field_conv_incompatible(Field*, Field*) (field_conv.cc:814)
      ==2252==    by 0x911E6A: field_conv(Field*, Field*) (field_conv.cc:827)
      ==2252==    by 0x93ED83: save_field_in_field(Field*, bool*, Field*, bool) (item.cc:6207)
      ==2252==    by 0x93EF83: Item_field::save_in_field(Field*, bool) (item.cc:6253)
      ==2252==    by 0x7B121E: TABLE::update_virtual_fields(enum_vcol_update_mode) (table.cc:7381)
      ==2252==    by 0x91FA9D: handler::ha_rnd_next(unsigned char*) (handler.cc:2583)
      ==2252==    by 0x914A4B: find_all_keys(THD*, Sort_param*, SQL_SELECT*, SORT_INFO*, st_io_cache*, st_io_cache*, Bounded_queue<unsigned char, unsigned char>*, unsigned long long*) (filesort.cc:793)
      ==2252==    by 0x913063: filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) (filesort.cc:284)
      ==2252==    by 0x71B8F3: create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) (sql_select.cc:21464)
      ==2252== 
      ==2252== Invalid free() / delete / delete[] / realloc()
      ==2252==    at 0x4C29F40: free (vg_replace_malloc.c:474)
      ==2252==    by 0x10DD3F5: my_free (my_malloc.c:216)
      ==2252==    by 0x5D2B3E: String::free() (sql_string.h:351)
      ==2252==    by 0x90D437: Field_blob::free() (field.h:3359)
      ==2252==    by 0x712CA1: free_tmp_table(THD*, TABLE*) (sql_select.cc:17666)
      ==2252==    by 0x6315B7: close_thread_tables(THD*) (sql_base.cc:767)
      ==2252==    by 0x6AEAA5: mysql_execute_command(THD*) (sql_parse.cc:6220)
      ==2252==    by 0x6B3169: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7839)
      ==2252==    by 0x6A0D2D: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1799)
      ==2252==    by 0x69F707: do_command(THD*) (sql_parse.cc:1359)
      ==2252==    by 0x7ECB9D: do_handle_one_connection(CONNECT*) (sql_connect.cc:1354)
      ==2252==    by 0x7EC92A: handle_one_connection (sql_connect.cc:1260)
      ==2252==    by 0xB436B5: pfs_spawn_thread (pfs.cc:1862)
      ==2252==    by 0x4E3D0A3: start_thread (pthread_create.c:309)
      ==2252==    by 0x6EC287C: clone (clone.S:111)
      ==2252==  Address 0xe28cf70 is 0 bytes inside a block of size 16 free'd
      

      With a considerably uglier and less reliable test case I get this (on a valgrind build, but without valgrind), adding to make it searchable in JIRA:

      #3  <signal handler called>
      #4  0x00007f915cb37c65 in intern_plugin_unlock (lex=0x0, plugin=0x7f91518470c8) at /data/src/bb-10.2-monty-valgrind/sql/sql_plugin.cc:1340
      #5  0x00007f915cb37dba in plugin_unlock (thd=0x0, plugin=0x7f91518470c8) at /data/src/bb-10.2-monty-valgrind/sql/sql_plugin.cc:1365
      #6  0x00007f915cb8cd01 in free_tmp_table (thd=0x7f9151816008, entry=0x7f91518a4020) at /data/src/bb-10.2-monty-valgrind/sql/sql_select.cc:17671
      #7  0x00007f915caab5b8 in close_thread_tables (thd=0x7f9151816008) at /data/src/bb-10.2-monty-valgrind/sql/sql_base.cc:767
      #8  0x00007f915cb28aa6 in mysql_execute_command (thd=0x7f9151816008) at /data/src/bb-10.2-monty-valgrind/sql/sql_parse.cc:6220
      #9  0x00007f915cb2d16a in mysql_parse (thd=0x7f9151816008, rawbuf=0x7f91518940a0 "/* GenTest::Transform::InlineVirtualColumns */  SELECT * FROM test.`view_t5` AS table1 WHERE NOT (NOT ( table1.`col_datetime` < table1.`col_timestamp` AND table1.`col_timestamp` <> table1.`vcol_bit`) "..., length=438, parser_state=0x7f915dc69dc0, is_com_multi=false, is_next_command=false) at /data/src/bb-10.2-monty-valgrind/sql/sql_parse.cc:7839
      #10 0x00007f915cb1ad2e in dispatch_command (command=COM_QUERY, thd=0x7f9151816008, packet=0x7f915185c009 "", packet_length=438, is_com_multi=false, is_next_command=false) at /data/src/bb-10.2-monty-valgrind/sql/sql_parse.cc:1799
      #11 0x00007f915cb19708 in do_command (thd=0x7f9151816008) at /data/src/bb-10.2-monty-valgrind/sql/sql_parse.cc:1359
      #12 0x00007f915cc66b9e in do_handle_one_connection (connect=0x7f915985f5e8) at /data/src/bb-10.2-monty-valgrind/sql/sql_connect.cc:1354
      #13 0x00007f915cc6692b in handle_one_connection (arg=0x7f915985f5e8) at /data/src/bb-10.2-monty-valgrind/sql/sql_connect.cc:1260
      #14 0x00007f915cfbd6b6 in pfs_spawn_thread (arg=0x7f915981ba08) at /data/src/bb-10.2-monty-valgrind/storage/perfschema/pfs.cc:1862
      #15 0x00007f915c14a0a4 in start_thread (arg=0x7f915dc6b300) at pthread_create.c:309
      #16 0x00007f915a0f787d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
      

      Attachments

        Issue Links

          Activity

            People

              monty Michael Widenius
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.