[MDEV-11754] Invalid read of size 8 in malloc_size_and_flag / ... Field_blob::free() or crash in Created: 2017-01-10  Updated: 2017-01-11  Resolved: 2017-01-11

Status: Closed
Project: MariaDB Server
Component/s: OTHER
Affects Version/s: N/A
Fix Version/s: 10.2.4

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Michael Widenius
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-5800 indexes on virtual (not materialized)... Closed

 Description   

-- Repro for MDEV-11754. The table has a non-materialized (VIRTUAL) TEXT column
-- that simply mirrors a MEDIUMTEXT column, and is read through a view with an
-- ORDER BY on that virtual column. Per the Valgrind trace below this drives
-- filesort -> ha_rnd_next -> update_virtual_fields -> Field_blob::store_field,
-- and the temporary table created for the sort later frees the same blob
-- buffer a second time (Invalid read / Invalid free() in free_tmp_table).
CREATE TABLE t1 ( 
 pk INTEGER AUTO_INCREMENT,
 b MEDIUMTEXT NULL,
 vb TEXT AS (b) VIRTUAL,
 i SMALLINT NULL,
 PRIMARY KEY(pk)
 ) ENGINE=MyISAM;
CREATE VIEW v1 AS SELECT * FROM t1;
 
INSERT INTO t1 (b,i) VALUES
 ('foo',1),('bar',8);
 
-- The same statement is issued twice, as in the original report; the trace
-- does not say which execution raised the Valgrind errors, so keep both.
-- Note this is a plain SELECT on a view: no special privilege is needed
-- beyond read access to v1.
SELECT * FROM v1 WHERE NOT i ORDER BY vb;
SELECT * FROM v1 WHERE NOT i ORDER BY vb;

Reproduced on branch bb-10.2-monty at commit f7c350ac022; Valgrind output:

==2252== Invalid read of size 8
==2252==    at 0x10DCE0F: malloc_size_and_flag (my_malloc.c:43)
==2252==    by 0x10DD3C5: my_free (my_malloc.c:214)
==2252==    by 0x5D2B3E: String::free() (sql_string.h:351)
==2252==    by 0x90D437: Field_blob::free() (field.h:3359)
==2252==    by 0x712CA1: free_tmp_table(THD*, TABLE*) (sql_select.cc:17666)
==2252==    by 0x6315B7: close_thread_tables(THD*) (sql_base.cc:767)
==2252==    by 0x6AEAA5: mysql_execute_command(THD*) (sql_parse.cc:6220)
==2252==    by 0x6B3169: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7839)
==2252==    by 0x6A0D2D: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1799)
==2252==    by 0x69F707: do_command(THD*) (sql_parse.cc:1359)
==2252==    by 0x7ECB9D: do_handle_one_connection(CONNECT*) (sql_connect.cc:1354)
==2252==    by 0x7EC92A: handle_one_connection (sql_connect.cc:1260)
==2252==    by 0xB436B5: pfs_spawn_thread (pfs.cc:1862)
==2252==    by 0x4E3D0A3: start_thread (pthread_create.c:309)
==2252==    by 0x6EC287C: clone (clone.S:111)
==2252==  Address 0xe28cf70 is 0 bytes inside a block of size 16 free'd
==2252==    at 0x4C29F40: free (vg_replace_malloc.c:474)
==2252==    by 0x10DD3F5: my_free (my_malloc.c:216)
==2252==    by 0x5D2B3E: String::free() (sql_string.h:351)
==2252==    by 0x5ECFEC: String::set(char const*, unsigned int, charset_info_st const*) (sql_string.h:274)
==2252==    by 0x9000A1: Field_blob::val_str(String*, String*) (field.cc:8059)
==2252==    by 0x5E029A: Field::val_str(String*) (field.h:833)
==2252==    by 0x90D17E: Field_blob::store_field(Field*) (field.h:3239)
==2252==    by 0x911E0E: field_conv_incompatible(Field*, Field*) (field_conv.cc:814)
==2252==    by 0x911E6A: field_conv(Field*, Field*) (field_conv.cc:827)
==2252==    by 0x93ED83: save_field_in_field(Field*, bool*, Field*, bool) (item.cc:6207)
==2252==    by 0x93EF83: Item_field::save_in_field(Field*, bool) (item.cc:6253)
==2252==    by 0x7B121E: TABLE::update_virtual_fields(enum_vcol_update_mode) (table.cc:7381)
==2252==    by 0x91FA9D: handler::ha_rnd_next(unsigned char*) (handler.cc:2583)
==2252==    by 0x914A4B: find_all_keys(THD*, Sort_param*, SQL_SELECT*, SORT_INFO*, st_io_cache*, st_io_cache*, Bounded_queue<unsigned char, unsigned char>*, unsigned long long*) (filesort.cc:793)
==2252==    by 0x913063: filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) (filesort.cc:284)
==2252==    by 0x71B8F3: create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) (sql_select.cc:21464)
==2252== 
==2252== Invalid free() / delete / delete[] / realloc()
==2252==    at 0x4C29F40: free (vg_replace_malloc.c:474)
==2252==    by 0x10DD3F5: my_free (my_malloc.c:216)
==2252==    by 0x5D2B3E: String::free() (sql_string.h:351)
==2252==    by 0x90D437: Field_blob::free() (field.h:3359)
==2252==    by 0x712CA1: free_tmp_table(THD*, TABLE*) (sql_select.cc:17666)
==2252==    by 0x6315B7: close_thread_tables(THD*) (sql_base.cc:767)
==2252==    by 0x6AEAA5: mysql_execute_command(THD*) (sql_parse.cc:6220)
==2252==    by 0x6B3169: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7839)
==2252==    by 0x6A0D2D: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1799)
==2252==    by 0x69F707: do_command(THD*) (sql_parse.cc:1359)
==2252==    by 0x7ECB9D: do_handle_one_connection(CONNECT*) (sql_connect.cc:1354)
==2252==    by 0x7EC92A: handle_one_connection (sql_connect.cc:1260)
==2252==    by 0xB436B5: pfs_spawn_thread (pfs.cc:1862)
==2252==    by 0x4E3D0A3: start_thread (pthread_create.c:309)
==2252==    by 0x6EC287C: clone (clone.S:111)
==2252==  Address 0xe28cf70 is 0 bytes inside a block of size 16 free'd

With a considerably uglier and less reliable test case (a GenTest-generated query, see the `/* GenTest::Transform::InlineVirtualColumns */` text in frame #9) the same free_tmp_table() path crashes outright on a Valgrind build run without Valgrind: plugin_unlock() is entered with thd=0x0 / lex=0x0 (frames #4-#5), i.e. the temporary table being released is already corrupted. The backtrace is added here so the crash signature is searchable in JIRA:

#3  <signal handler called>
#4  0x00007f915cb37c65 in intern_plugin_unlock (lex=0x0, plugin=0x7f91518470c8) at /data/src/bb-10.2-monty-valgrind/sql/sql_plugin.cc:1340
#5  0x00007f915cb37dba in plugin_unlock (thd=0x0, plugin=0x7f91518470c8) at /data/src/bb-10.2-monty-valgrind/sql/sql_plugin.cc:1365
#6  0x00007f915cb8cd01 in free_tmp_table (thd=0x7f9151816008, entry=0x7f91518a4020) at /data/src/bb-10.2-monty-valgrind/sql/sql_select.cc:17671
#7  0x00007f915caab5b8 in close_thread_tables (thd=0x7f9151816008) at /data/src/bb-10.2-monty-valgrind/sql/sql_base.cc:767
#8  0x00007f915cb28aa6 in mysql_execute_command (thd=0x7f9151816008) at /data/src/bb-10.2-monty-valgrind/sql/sql_parse.cc:6220
#9  0x00007f915cb2d16a in mysql_parse (thd=0x7f9151816008, rawbuf=0x7f91518940a0 "/* GenTest::Transform::InlineVirtualColumns */  SELECT * FROM test.`view_t5` AS table1 WHERE NOT (NOT ( table1.`col_datetime` < table1.`col_timestamp` AND table1.`col_timestamp` <> table1.`vcol_bit`) "..., length=438, parser_state=0x7f915dc69dc0, is_com_multi=false, is_next_command=false) at /data/src/bb-10.2-monty-valgrind/sql/sql_parse.cc:7839
#10 0x00007f915cb1ad2e in dispatch_command (command=COM_QUERY, thd=0x7f9151816008, packet=0x7f915185c009 "", packet_length=438, is_com_multi=false, is_next_command=false) at /data/src/bb-10.2-monty-valgrind/sql/sql_parse.cc:1799
#11 0x00007f915cb19708 in do_command (thd=0x7f9151816008) at /data/src/bb-10.2-monty-valgrind/sql/sql_parse.cc:1359
#12 0x00007f915cc66b9e in do_handle_one_connection (connect=0x7f915985f5e8) at /data/src/bb-10.2-monty-valgrind/sql/sql_connect.cc:1354
#13 0x00007f915cc6692b in handle_one_connection (arg=0x7f915985f5e8) at /data/src/bb-10.2-monty-valgrind/sql/sql_connect.cc:1260
#14 0x00007f915cfbd6b6 in pfs_spawn_thread (arg=0x7f915981ba08) at /data/src/bb-10.2-monty-valgrind/storage/perfschema/pfs.cc:1862
#15 0x00007f915c14a0a4 in start_thread (arg=0x7f915dc6b300) at pthread_create.c:309
#16 0x00007f915a0f787d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111



 Comments   
Comment by Michael Widenius [ 2017-01-11 ]

Problem was that not all memory was properly reset when cloning a field: presumably the cloned Field_blob still pointed at the original's value buffer, so the same block (0xe28cf70 in the Valgrind output above) was freed once by String::set() inside Field_blob::val_str() during update_virtual_fields(), and again by Field_blob::free() when free_tmp_table() released the sort temporary table — a double free reachable from an ordinary SELECT on a view. Fix pushed into the 10.2 tree (Fix Version 10.2.4); earlier 10.2 pre-release builds with virtual blob columns remain affected.
