[MDEV-4812] Valgrind warnings (Invalid write) in dynamic_column_update_many on COLUMN_ADD Created: 2013-07-24  Updated: 2013-08-08  Resolved: 2013-08-01

Status: Closed
Project: MariaDB Server
Component/s: None
Affects Version/s: 10.0.3, 5.5.32, 5.3.12
Fix Version/s: 10.0.5, 5.5.33, 5.3.13

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Oleksandr Byelkin
Resolution: Duplicate Votes: 0
Labels: None

Issue Links:
Duplicate
is duplicated by MDEV-4811 Assertion `offset < 0x1f' fails in ty... Closed
Relates

Description

Note: the test case looks similar to MDEV-4811, but the assertion doesn't fail here; instead it either causes valgrind warnings or crashes.

==11100== Invalid write of size 1
==11100==    at 0xB6CA29: dynamic_column_update_many (ma_dyncol.c:2031)
==11100==    by 0x5EC963: Item_func_dyncol_add::val_str(String*) (item_strfunc.cc:3769)
==11100==    by 0x58B2DB: Item::send(Protocol*, String*) (item.cc:5970)
==11100==    by 0x659DBB: select_send::send_data(List<Item>&) (sql_class.cc:2012)
==11100==    by 0x730E1C: end_send(JOIN*, st_join_table*, bool) (sql_select.cc:16974)
==11100==    by 0x72DBE8: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:15548)
==11100==    by 0x70E1C1: JOIN::exec() (sql_select.cc:2769)
==11100==    by 0x70EA4C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)
==11100==    by 0x7054C0: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
==11100==    by 0x6917D1: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
==11100==    by 0x688599: mysql_execute_command(THD*) (sql_parse.cc:2305)
==11100==    by 0x69425B: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)
==11100==    by 0x685CB6: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)
==11100==    by 0x684F27: do_command(THD*) (sql_parse.cc:923)
==11100==    by 0x681DC1: handle_one_connection (sql_connect.cc:1231)
==11100==    by 0x548DE99: start_thread (pthread_create.c:308)
==11100==  Address 0xf8438b3 is 51 bytes inside a block of size 178 free'd
==11100==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11100==    by 0xB73E26: _myfree (safemalloc.c:337)
==11100==    by 0xB73B04: _myrealloc (safemalloc.c:260)
==11100==    by 0xB83667: dynstr_append_mem (string.c:109)
==11100==    by 0xB69B84: dynamic_column_string_store (ma_dyncol.c:434)
==11100==    by 0xB6A6DD: data_store (ma_dyncol.c:854)
==11100==    by 0xB6CC6C: dynamic_column_update_many (ma_dyncol.c:2070)
==11100==    by 0x5EC963: Item_func_dyncol_add::val_str(String*) (item_strfunc.cc:3769)
==11100==    by 0x58B2DB: Item::send(Protocol*, String*) (item.cc:5970)
==11100==    by 0x659DBB: select_send::send_data(List<Item>&) (sql_class.cc:2012)
==11100==    by 0x730E1C: end_send(JOIN*, st_join_table*, bool) (sql_select.cc:16974)
==11100==    by 0x72DBE8: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:15548)
==11100==    by 0x70E1C1: JOIN::exec() (sql_select.cc:2769)
==11100==    by 0x70EA4C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)
==11100==    by 0x7054C0: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
==11100==    by 0x6917D1: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)

bzr version-info

revision-id: sergii@pisem.net-20130715163225-6ch6x34lsufode3d
revno: 3670
branch-nick: 5.3

Code fragment:

2006:      else
2007:      {
2008:        /*
2009:          Adjust all headers since last loop.
2010:          We have to do this as the offset for data has moved
2011:        */
2012:        for (k= start; k < end; k++)
2013:        {
2014:          uchar *read= header_base + k * entry_size;
2015:          size_t offs;
2016:          uint nm;
2017:          DYNAMIC_COLUMN_TYPE tp;
2018:
2019:          nm= uint2korr(read);                    /* Column nummber */
2020:          type_and_offset_read(&tp, &offs, read, offset_size);
2021:          if (k == start)
2022:            first_offset= offs;
2023:          else if (offs < first_offset)
2024:          {
2025:            dynamic_column_column_free(&tmp);
2026:            rc= ER_DYNCOL_FORMAT;
2027:            goto end;
2028:          }
2029:
2030:          offs+= plan[i].ddelta;
2031:          int2store(write, nm);
2032:          /* write rest of data at write + COLUMN_NUMBER_SIZE */
2033:          type_and_offset_store(write, new_offset_size, tp, offs);
2034:          write+= new_entry_size;
2035:        }
2036:      }

Test case:

CREATE TABLE t1 (dyncol TINYBLOB) ENGINE=MyISAM;
INSERT INTO t1 SET dyncol = COLUMN_CREATE( 7, REPEAT('k',487), 209, REPEAT('x',464) );
--error 0,ER_DYN_COL_WRONG_FORMAT
SELECT COLUMN_ADD( dyncol, 7, '22:22:22', 8, REPEAT('x',270) AS CHAR ) FROM t1;

Comments
Comment by Oleksandr Byelkin [ 2013-07-30 ]

The problem is the same as with MDEV-4811: corrupted data due to string truncation.
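
The check that a parser of an offset-table format needs when its input may have been truncated, as an added example (not MariaDB's code and not the ma_dyncol layout, which uses variable-width offsets and more header fields). The format below is constructed for illustration: a u16 column count, then fixed 4-byte entries of (column number, data offset), then the data. `dyncol_check` refuses a blob whose header offsets do not ascend or point past the bytes actually present, and `demo_truncation` rebuilds the shape of the report's test case: two columns of 487 and 464 bytes stored into a field that keeps only 255 bytes (TINYBLOB's maximum), so the header survives but most of the data does not.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in format (NOT MariaDB's ma_dyncol layout):
 *   u16 column_count
 *   column_count x { u16 column_number; u16 data_offset }   offsets ascending
 *   data bytes: column k spans [offset_k, offset_k+1), the last runs to the end
 */
enum { DYN_OK = 0, DYN_ERR_TRUNCATED = 1, DYN_ERR_FORMAT = 2 };

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(unsigned char *p, uint16_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)(v >> 8);
}

/* Validate every header entry against the bytes actually present (len)
 * before any offset is dereferenced or copied into a new buffer. */
int dyncol_check(const unsigned char *blob, size_t len)
{
    if (len < 2)
        return DYN_ERR_TRUNCATED;
    size_t n = rd16(blob);
    size_t header_size = 2 + n * 4;
    if (len < header_size)
        return DYN_ERR_TRUNCATED;        /* the header itself is cut off */
    size_t data_len = len - header_size;
    size_t prev = 0;
    for (size_t k = 0; k < n; k++) {
        size_t offs = rd16(blob + 2 + k * 4 + 2);
        if (k > 0 && offs < prev)
            return DYN_ERR_FORMAT;       /* cf. the offs < first_offset check in the quoted fragment */
        if (offs > data_len)
            return DYN_ERR_FORMAT;       /* header points past the data that was actually stored */
        prev = offs;
    }
    return DYN_OK;
}

/* Build a well-formed blob: column numbers and payload lengths given,
 * payload bytes filled with 'x'. Caller frees the result. */
unsigned char *dyncol_build(const uint16_t *numbers, const size_t *lengths,
                            size_t n, size_t *out_len)
{
    size_t data_len = 0;
    for (size_t k = 0; k < n; k++)
        data_len += lengths[k];
    size_t total = 2 + n * 4 + data_len;
    unsigned char *blob = malloc(total);
    if (!blob)
        return NULL;
    wr16(blob, (uint16_t)n);
    size_t offs = 0;
    for (size_t k = 0; k < n; k++) {
        unsigned char *entry = blob + 2 + k * 4;
        wr16(entry, numbers[k]);
        wr16(entry + 2, (uint16_t)offs);
        memset(blob + 2 + n * 4 + offs, 'x', lengths[k]);
        offs += lengths[k];
    }
    *out_len = total;
    return blob;
}

/* Shape of the report's test case: columns 7 (487 bytes) and 209 (464 bytes),
 * then only the first 255 bytes survive storage. Returns 1 when the full blob
 * validates and the truncated one is rejected as malformed. */
int demo_truncation(void)
{
    uint16_t numbers[2] = { 7, 209 };
    size_t lengths[2] = { 487, 464 };
    size_t len;
    unsigned char *blob = dyncol_build(numbers, lengths, 2, &len);
    if (!blob)
        return -1;
    int full = dyncol_check(blob, len);   /* DYN_OK: 961 bytes, offsets 0 and 487 */
    int cut  = dyncol_check(blob, 255);   /* DYN_ERR_FORMAT: offset 487 > 245 data bytes */
    free(blob);
    return full == DYN_OK && cut == DYN_ERR_FORMAT;
}

int main(void)
{
    printf("full blob accepted and truncated blob rejected: %s\n",
           demo_truncation() == 1 ? "yes" : "no");
    return 0;
}
```

Validating the header against the real length up front matters because the valgrind output above shows what happens when a stale header is trusted: the write at ma_dyncol.c:2031 lands in a block that `_myrealloc` had already freed while growing the output string in `data_store`, so once the offsets are wrong the damage is a use-after-free rather than a clean ER_DYN_COL_WRONG_FORMAT error.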

Comment by Oleksandr Byelkin [ 2013-08-01 ]

Duplicate of MDEV-4811

Generated at Thu Feb 08 06:59:21 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.