MariaDB Server
MDEV-4812

Valgrind warnings (Invalid write) in dynamic_column_update_many on COLUMN_ADD

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 10.0.3, 5.5.32, 5.3.12
    • Fix Version/s: 10.0.5, 5.5.33, 5.3.13
    • Component/s: None
    • Labels: None

      Description

      Note: the test case looks similar to MDEV-4811, but the assertion doesn't fail here; instead it either causes Valgrind warnings or crashes.

      ==11100== Invalid write of size 1
      ==11100==    at 0xB6CA29: dynamic_column_update_many (ma_dyncol.c:2031)
      ==11100==    by 0x5EC963: Item_func_dyncol_add::val_str(String*) (item_strfunc.cc:3769)
      ==11100==    by 0x58B2DB: Item::send(Protocol*, String*) (item.cc:5970)
      ==11100==    by 0x659DBB: select_send::send_data(List<Item>&) (sql_class.cc:2012)
      ==11100==    by 0x730E1C: end_send(JOIN*, st_join_table*, bool) (sql_select.cc:16974)
      ==11100==    by 0x72DBE8: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:15548)
      ==11100==    by 0x70E1C1: JOIN::exec() (sql_select.cc:2769)
      ==11100==    by 0x70EA4C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)
      ==11100==    by 0x7054C0: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
      ==11100==    by 0x6917D1: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
      ==11100==    by 0x688599: mysql_execute_command(THD*) (sql_parse.cc:2305)
      ==11100==    by 0x69425B: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)
      ==11100==    by 0x685CB6: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)
      ==11100==    by 0x684F27: do_command(THD*) (sql_parse.cc:923)
      ==11100==    by 0x681DC1: handle_one_connection (sql_connect.cc:1231)
      ==11100==    by 0x548DE99: start_thread (pthread_create.c:308)
      ==11100==  Address 0xf8438b3 is 51 bytes inside a block of size 178 free'd
      ==11100==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==11100==    by 0xB73E26: _myfree (safemalloc.c:337)
      ==11100==    by 0xB73B04: _myrealloc (safemalloc.c:260)
      ==11100==    by 0xB83667: dynstr_append_mem (string.c:109)
      ==11100==    by 0xB69B84: dynamic_column_string_store (ma_dyncol.c:434)
      ==11100==    by 0xB6A6DD: data_store (ma_dyncol.c:854)
      ==11100==    by 0xB6CC6C: dynamic_column_update_many (ma_dyncol.c:2070)
      ==11100==    by 0x5EC963: Item_func_dyncol_add::val_str(String*) (item_strfunc.cc:3769)
      ==11100==    by 0x58B2DB: Item::send(Protocol*, String*) (item.cc:5970)
      ==11100==    by 0x659DBB: select_send::send_data(List<Item>&) (sql_class.cc:2012)
      ==11100==    by 0x730E1C: end_send(JOIN*, st_join_table*, bool) (sql_select.cc:16974)
      ==11100==    by 0x72DBE8: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:15548)
      ==11100==    by 0x70E1C1: JOIN::exec() (sql_select.cc:2769)
      ==11100==    by 0x70EA4C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)
      ==11100==    by 0x7054C0: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
      ==11100==    by 0x6917D1: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)

      bzr version-info

      revision-id: sergii@pisem.net-20130715163225-6ch6x34lsufode3d
      revno: 3670
      branch-nick: 5.3

      Code fragment:

      2006:      else
      2007:      {
      2008:        /*
      2009:          Adjust all headers since last loop.
      2010:          We have to do this as the offset for data has moved
      2011:        */
      2012:        for (k= start; k < end; k++)
      2013:        {
      2014:          uchar *read= header_base + k * entry_size;
      2015:          size_t offs;
      2016:          uint nm;
      2017:          DYNAMIC_COLUMN_TYPE tp;
      2018:
      2019:          nm= uint2korr(read);                    /* Column number */
      2020:          type_and_offset_read(&tp, &offs, read, offset_size);
      2021:          if (k == start)
      2022:            first_offset= offs;
      2023:          else if (offs < first_offset)
      2024:          {
      2025:            dynamic_column_column_free(&tmp);
      2026:            rc= ER_DYNCOL_FORMAT;
      2027:            goto end;
      2028:          }
      2029:
      2030:          offs+= plan[i].ddelta;
      2031:          int2store(write, nm);
      2032:          /* write rest of data at write + COLUMN_NUMBER_SIZE */
      2033:          type_and_offset_store(write, new_offset_size, tp, offs);
      2034:          write+= new_entry_size;
      2035:        }
      2036:      }

      Test case:

      CREATE TABLE t1 (dyncol TINYBLOB) ENGINE=MyISAM;
       
      INSERT INTO t1 SET dyncol = COLUMN_CREATE( 7, REPEAT('k',487), 209, REPEAT('x',464) );
      --error 0,ER_DYN_COL_WRONG_FORMAT
      SELECT COLUMN_ADD( dyncol, 7, '22:22:22', 8, REPEAT('x',270) AS CHAR ) FROM t1;
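What the two stacks above show, read together: the header entry is stored through `write` at ma_dyncol.c:2031, but the block `write` points into was released by `_myrealloc` when `data_store` (called from line 2070 in the same loop) appended a column value and the destination string grew, so a pointer derived from the old base is used after the block was freed. The C program below is an added illustration of that failure pattern and of the usual fix (carry offsets, not pointers, across any call that can grow the buffer, and re-derive the write pointer from the current base). It is not MariaDB code: the `dynbuf` type, the 4-byte header-entry layout, the initial capacity and the function names are simplified assumptions, and the long 'k'/'x' values are constructed to mirror the shape of the test case rather than taken from it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: one 4-byte header entry per column (2-byte column number,
   2-byte offset into the data area), followed by the data area. */
#define ENTRY_SIZE 4

/* Minimal growable buffer standing in for DYNAMIC_STRING (assumption). */
typedef struct { unsigned char *str; size_t length; size_t max_length; } dynbuf;

static int dynbuf_init(dynbuf *b, size_t cap)
{
    if (!(b->str = malloc(cap))) return -1;
    b->length = 0;
    b->max_length = cap;
    return 0;
}

/* Grow by allocate-copy-free, as the safemalloc _myrealloc in the trace does:
   after growth every raw pointer into the old block is dangling. */
static int dynbuf_append(dynbuf *b, const void *data, size_t len)
{
    if (b->length + len > b->max_length) {
        size_t cap = (b->length + len) * 2;
        unsigned char *p = malloc(cap);
        if (!p) return -1;
        memcpy(p, b->str, b->length);
        free(b->str);
        b->str = p;
        b->max_length = cap;
    }
    memcpy(b->str + b->length, data, len);
    b->length += len;
    return 0;
}

static void int2store(unsigned char *p, uint16_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); }
static uint16_t uint2korr(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* The reported pattern: `write` is derived from the buffer base once, then the
   loop appends data (which can grow the buffer) and keeps storing headers
   through the same pointer. This function only reports whether the base moved
   between taking the pointer and the next header store; it never writes through
   the stale pointer. Returns 1 when the pattern would write into freed memory. */
static int stale_write_would_occur(const char *const *vals, size_t n)
{
    dynbuf b;
    unsigned char zeros[ENTRY_SIZE] = {0};
    int stale = 0;
    if (dynbuf_init(&b, 16)) return -1;
    for (size_t k = 0; k < n; k++)
        if (dynbuf_append(&b, zeros, ENTRY_SIZE)) { free(b.str); return -1; }
    for (size_t k = 0; k < n; k++) {
        const unsigned char *base_before = b.str;   /* where `write` would point */
        if (dynbuf_append(&b, vals[k], strlen(vals[k]))) { free(b.str); return -1; }
        if (b.str != base_before) stale = 1;        /* old block was freed */
    }
    free(b.str);
    return stale;
}

/* Hardened: keep offsets across the append and re-derive `write` from the
   current base after the buffer may have moved. */
static int build_record(const uint16_t *nums, const char *const *vals, size_t n, dynbuf *b)
{
    unsigned char zeros[ENTRY_SIZE] = {0};
    size_t header_off = b->length, data_start;
    for (size_t k = 0; k < n; k++)
        if (dynbuf_append(b, zeros, ENTRY_SIZE)) return -1;
    data_start = b->length;
    for (size_t k = 0; k < n; k++) {
        size_t data_off = b->length - data_start;
        if (dynbuf_append(b, vals[k], strlen(vals[k]))) return -1;
        unsigned char *write = b->str + header_off + k * ENTRY_SIZE;  /* fresh base */
        int2store(write, nums[k]);
        int2store(write + 2, (uint16_t)data_off);
    }
    return 0;
}

/* Check that every header entry points at its own value inside the data area. */
static int verify_record(const dynbuf *b, const uint16_t *nums, const char *const *vals, size_t n)
{
    size_t data_start = n * ENTRY_SIZE;
    for (size_t k = 0; k < n; k++) {
        const unsigned char *e = b->str + k * ENTRY_SIZE;
        size_t off = uint2korr(e + 2), len = strlen(vals[k]);
        if (uint2korr(e) != nums[k] || data_start + off + len > b->length) return 0;
        if (memcmp(b->str + data_start + off, vals[k], len) != 0) return 0;
    }
    return 1;
}

/* Constructed input shaped like the test case (columns 7 and 209 with long
   string values); `len` decides whether the appends outgrow the buffer.
   hardened == 0: returns the stale-pointer flag; hardened != 0: returns 1 if
   the record built the safe way verifies. */
static int run_with_value_len(size_t len, int hardened)
{
    static const uint16_t nums[2] = { 7, 209 };
    char *kval = malloc(len + 1), *xval = malloc(len + 1);
    const char *const vals[2] = { kval, xval };
    int r = -1;
    if (!kval || !xval) goto done;
    memset(kval, 'k', len); kval[len] = 0;
    memset(xval, 'x', len); xval[len] = 0;
    if (!hardened) {
        r = stale_write_would_occur(vals, 2);
    } else {
        dynbuf b;
        if (dynbuf_init(&b, 16) == 0) {
            r = build_record(nums, vals, 2, &b) == 0 && verify_record(&b, nums, vals, 2);
            free(b.str);
        }
    }
done:
    free(kval); free(xval);
    return r;
}
```

With short values (`run_with_value_len(2, 0)`) nothing outgrows the initial block and the stale flag stays 0, which is why a reproduction needs the long `REPEAT()` values: the bug only manifests when a column value forces the string to grow between taking the pointer and the next header store. The hardened builder verifies for both sizes because it never holds a pointer across the append.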

              People

              • Assignee: Oleksandr Byelkin (sanja)
              • Reporter: Elena Stepanova (elenst)