[MDEV-4812] Valgrind warnings (Invalid write) in dynamic_column_update_many on COLUMN_ADD - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Duplicate
Affects Version/s: 10.0.3, 5.5.32, 5.3.12
Fix Version/s: 10.0.5, 5.5.33, 5.3.13
Component/s: None
Labels:
None

Description

Note: the test case looks similar to ~~MDEV-4811~~, but the assertion doesn't fail here, instead it either causes valgrind warnings or crashes.

==11100== Invalid write of size 1

==11100==    at 0xB6CA29: dynamic_column_update_many (ma_dyncol.c:2031)

==11100==    by 0x5EC963: Item_func_dyncol_add::val_str(String*) (item_strfunc.cc:3769)

==11100==    by 0x58B2DB: Item::send(Protocol*, String*) (item.cc:5970)

==11100==    by 0x659DBB: select_send::send_data(List<Item>&) (sql_class.cc:2012)

==11100==    by 0x730E1C: end_send(JOIN*, st_join_table*, bool) (sql_select.cc:16974)

==11100==    by 0x72DBE8: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:15548)

==11100==    by 0x70E1C1: JOIN::exec() (sql_select.cc:2769)

==11100==    by 0x70EA4C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)

==11100==    by 0x7054C0: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)

==11100==    by 0x6917D1: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)

==11100==    by 0x688599: mysql_execute_command(THD*) (sql_parse.cc:2305)

==11100==    by 0x69425B: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)

==11100==    by 0x685CB6: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)

==11100==    by 0x684F27: do_command(THD*) (sql_parse.cc:923)

==11100==    by 0x681DC1: handle_one_connection (sql_connect.cc:1231)

==11100==    by 0x548DE99: start_thread (pthread_create.c:308)

==11100==  Address 0xf8438b3 is 51 bytes inside a block of size 178 free'd

==11100==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)

==11100==    by 0xB73E26: _myfree (safemalloc.c:337)

==11100==    by 0xB73B04: _myrealloc (safemalloc.c:260)

==11100==    by 0xB83667: dynstr_append_mem (string.c:109)

==11100==    by 0xB69B84: dynamic_column_string_store (ma_dyncol.c:434)

==11100==    by 0xB6A6DD: data_store (ma_dyncol.c:854)

==11100==    by 0xB6CC6C: dynamic_column_update_many (ma_dyncol.c:2070)

==11100==    by 0x5EC963: Item_func_dyncol_add::val_str(String*) (item_strfunc.cc:3769)

==11100==    by 0x58B2DB: Item::send(Protocol*, String*) (item.cc:5970)

==11100==    by 0x659DBB: select_send::send_data(List<Item>&) (sql_class.cc:2012)

==11100==    by 0x730E1C: end_send(JOIN*, st_join_table*, bool) (sql_select.cc:16974)

==11100==    by 0x72DBE8: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:15548)

==11100==    by 0x70E1C1: JOIN::exec() (sql_select.cc:2769)

==11100==    by 0x70EA4C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)

==11100==    by 0x7054C0: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)

==11100==    by 0x6917D1: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)

bzr version-info

revision-id: sergii@pisem.net-20130715163225-6ch6x34lsufode3d

revno: 3670

branch-nick: 5.3

Code fragment:

2006:      else

2007:      {

2008:        /*

2009:          Adjust all headers since last loop.

2010:          We have to do this as the offset for data has moved

2011:        */

2012:        for (k= start; k < end; k++)

2013:        {

2014:          uchar *read= header_base + k * entry_size;

2015:          size_t offs;

2016:          uint nm;

2017:          DYNAMIC_COLUMN_TYPE tp;

2018:

2019:          nm= uint2korr(read);                    /* Column nummber */

2020:          type_and_offset_read(&tp, &offs, read, offset_size);

2021:          if (k == start)

2022:            first_offset= offs;

2023:          else if (offs < first_offset)

2024:          {

2025:            dynamic_column_column_free(&tmp);

2026:            rc= ER_DYNCOL_FORMAT;

2027:            goto end;

2028:          }

2029:

2030:          offs+= plan[i].ddelta;

2031:          int2store(write, nm);

2032:          /* write rest of data at write + COLUMN_NUMBER_SIZE */

2033:          type_and_offset_store(write, new_offset_size, tp, offs);

2034:          write+= new_entry_size;

2035:        }

2036:      }

Test case:

CREATE TABLE t1 (dyncol TINYBLOB) ENGINE=MyISAM;

INSERT INTO t1 SET dyncol = COLUMN_CREATE( 7, REPEAT('k',487), 209, REPEAT('x',464) );

--error 0,ER_DYN_COL_WRONG_FORMAT

SELECT COLUMN_ADD( dyncol, 7, '22:22:22', 8, REPEAT('x',270) AS CHAR ) FROM t1;

Attachments

Issue Links

is duplicated by

MDEV-4811 Assertion `offset < 0x1f' fails in type_and_offset_store on COLUMN_ADD

Closed

Valgrind warnings (Invalid write) in dynamic_column_update_many on COLUMN_ADD

Details

Description

Attachments

Issue Links

Activity

People

Dates