Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Duplicate
-
10.0.3, 5.5.32, 5.3.12
-
None
-
None
Description
Note: the test case looks similar to MDEV-4811, but the `offset < 0x1f` assertion does not fire here; instead the statement either produces the valgrind warnings below or crashes the server. The report is a use-after-free: `dynamic_column_update_many` writes through `write` at ma_dyncol.c:2031 (`int2store(write, nm)` in the header-adjustment loop quoted below) into a 178-byte block that had already been released by a realloc inside `dynstr_append_mem`, reached via `data_store` at ma_dyncol.c:2070 — evidently on an earlier pass through the function, so `write` still points into the old, freed buffer. Because the trigger is a plain SELECT over a stored blob value, this is a memory-safety bug reachable from SQL, not merely a debug-build assertion.
==11100== Invalid write of size 1
|
==11100== at 0xB6CA29: dynamic_column_update_many (ma_dyncol.c:2031)
|
==11100== by 0x5EC963: Item_func_dyncol_add::val_str(String*) (item_strfunc.cc:3769)
|
==11100== by 0x58B2DB: Item::send(Protocol*, String*) (item.cc:5970)
|
==11100== by 0x659DBB: select_send::send_data(List<Item>&) (sql_class.cc:2012)
|
==11100== by 0x730E1C: end_send(JOIN*, st_join_table*, bool) (sql_select.cc:16974)
|
==11100== by 0x72DBE8: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:15548)
|
==11100== by 0x70E1C1: JOIN::exec() (sql_select.cc:2769)
|
==11100== by 0x70EA4C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)
|
==11100== by 0x7054C0: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
|
==11100== by 0x6917D1: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
|
==11100== by 0x688599: mysql_execute_command(THD*) (sql_parse.cc:2305)
|
==11100== by 0x69425B: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)
|
==11100== by 0x685CB6: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)
|
==11100== by 0x684F27: do_command(THD*) (sql_parse.cc:923)
|
==11100== by 0x681DC1: handle_one_connection (sql_connect.cc:1231)
|
==11100== by 0x548DE99: start_thread (pthread_create.c:308)
|
==11100== Address 0xf8438b3 is 51 bytes inside a block of size 178 free'd
|
==11100== at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
|
==11100== by 0xB73E26: _myfree (safemalloc.c:337)
|
==11100== by 0xB73B04: _myrealloc (safemalloc.c:260)
|
==11100== by 0xB83667: dynstr_append_mem (string.c:109)
|
==11100== by 0xB69B84: dynamic_column_string_store (ma_dyncol.c:434)
|
==11100== by 0xB6A6DD: data_store (ma_dyncol.c:854)
|
==11100== by 0xB6CC6C: dynamic_column_update_many (ma_dyncol.c:2070)
|
==11100== by 0x5EC963: Item_func_dyncol_add::val_str(String*) (item_strfunc.cc:3769)
|
==11100== by 0x58B2DB: Item::send(Protocol*, String*) (item.cc:5970)
|
==11100== by 0x659DBB: select_send::send_data(List<Item>&) (sql_class.cc:2012)
|
==11100== by 0x730E1C: end_send(JOIN*, st_join_table*, bool) (sql_select.cc:16974)
|
==11100== by 0x72DBE8: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:15548)
|
==11100== by 0x70E1C1: JOIN::exec() (sql_select.cc:2769)
|
==11100== by 0x70EA4C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)
|
==11100== by 0x7054C0: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
|
==11100== by 0x6917D1: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
|
bzr version-info (tree the trace was taken from):
revision-id: sergii@pisem.net-20130715163225-6ch6x34lsufode3d
|
revno: 3670
|
branch-nick: 5.3
|
Code fragment (dynamic_column_update_many, ma_dyncol.c lines 2006–2036 at the revision above; line 2031 is the invalid write in the trace):
2006: else
|
2007: {
|
2008: /*
|
2009: Adjust all headers since last loop.
|
2010: We have to do this as the offset for data has moved
|
2011: */
|
2012: for (k= start; k < end; k++)
|
2013: {
|
2014: uchar *read= header_base + k * entry_size;
|
2015: size_t offs;
|
2016: uint nm;
|
2017: DYNAMIC_COLUMN_TYPE tp;
|
2018:
|
2019: nm= uint2korr(read); /* Column nummber */
|
2020: type_and_offset_read(&tp, &offs, read, offset_size);
|
2021: if (k == start)
|
2022: first_offset= offs;
|
2023: else if (offs < first_offset)
|
2024: {
|
2025: dynamic_column_column_free(&tmp);
|
2026: rc= ER_DYNCOL_FORMAT;
|
2027: goto end;
|
2028: }
|
2029:
|
2030: offs+= plan[i].ddelta;
|
2031: int2store(write, nm);
|
2032: /* write rest of data at write + COLUMN_NUMBER_SIZE */
|
2033: type_and_offset_store(write, new_offset_size, tp, offs);
|
2034: write+= new_entry_size;
|
2035: }
|
2036: }
|
Test case (mysqltest format; the `--error 0,ER_DYN_COL_WRONG_FORMAT` line accepts either a normal result or a wrong-format error, so a crash or a valgrind error is the only failing outcome):
# Reproducer for the invalid write reported above.
# The column is a TINYBLOB, so the dynamic-column value created below is
# presumably truncated on INSERT (sql_mode permitting) -- the blob that
# COLUMN_ADD later parses is then not a well-formed dynamic column.
# TODO confirm; the --error line already tolerates ER_DYN_COL_WRONG_FORMAT.
create table t1 (dyncol tinyblob) engine=MyISAM;

insert into t1 (dyncol)
values (column_create(7, repeat('k', 487), 209, repeat('x', 464)));

# Either a clean result or a wrong-format error is acceptable here;
# a server crash / valgrind "Invalid write" is the bug.
--error 0,ER_DYN_COL_WRONG_FORMAT
select column_add(dyncol, 7, '22:22:22', 8, repeat('x', 270) as char)
from t1;
Issue Links
- is duplicated by
-
MDEV-4811 Assertion `offset < 0x1f' fails in type_and_offset_store on COLUMN_ADD
- Closed