[MDEV-8903] Buildbot valgrind failure: Invalid read of size 1 in sql_memdup, QUICK_RANGE Created: 2015-10-06  Updated: 2020-02-10  Resolved: 2015-10-06

Status: Closed
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 10.0.22
Fix Version/s: 10.0.22

Type: Bug Priority: Major
Reporter: Sergei Petrunia Assignee: Sergei Petrunia
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-8779 mysqld got signal 11 in sql/opt_range... Closed
relates to MDEV-21701 [draft] Closed

Description

Buildbot shows a valgrind failure in range optimizer:
http://buildbot.askmonty.org/buildbot/builders/work-amd64-valgrind/builds/7689/steps/test/logs/stdio

Multiple tests (e.g. main.partition_innodb) fail like this:

==16359== Thread 19:
==16359== Invalid read of size 1
==16359==    at 0x4C30940: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16359==    by 0x64B559: memcpy (string3.h:53)
==16359==    by 0x64B559: sql_memdup(void const*, unsigned long) (thr_malloc.cc:114)
==16359==    by 0x7E2C74: QUICK_RANGE (opt_range.h:77)
==16359==    by 0x7E2C74: get_quick_keys(PARAM*, QUICK_RANGE_SELECT*, st_key_part*, SEL_ARG*, unsigned char*, unsigned int, unsigned char*, unsigned int) (opt_range.cc:11016)
==16359==    by 0x7E3162: get_quick_select(PARAM*, unsigned int, SEL_ARG*, unsigned int, unsigned int, st_mem_root*) (opt_range.cc:10891)
==16359==    by 0x7E325C: TRP_ROR_INTERSECT::make_quick(PARAM*, bool, st_mem_root*) (opt_range.cc:7497)
==16359==    by 0x7E0508: SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool) (opt_range.cc:3273)
==16359==    by 0x5C89A3: get_quick_record_count(THD*, SQL_SELECT*, TABLE*, Bitmap<64u> const*, unsigned long long) (sql_select.cc:3348)
==16359==    by 0x5ECDFC: make_join_statistics(JOIN*, List<TABLE_LIST>&, Item*, st_dynamic_array*) (sql_select.cc:3956)
==16359==    by 0x5F3CAD: JOIN::optimize_inner() (sql_select.cc:1337)
==16359==    by 0x5F5F64: JOIN::optimize() (sql_select.cc:1022)
==16359==    by 0x5F68EE: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3297)
==16359==    by 0x5F6B23: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:373)
==16359==    by 0x5A2429: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5275)
==16359==    by 0x5AD644: mysql_execute_command(THD*) (sql_parse.cc:2563)
==16359==    by 0x5AFCC7: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:6532)
==16359==    by 0x5B15E6: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1309)
==16359==  Address 0x16384b08 is 0 bytes after a block of size 40 alloc'd
==16359==    at 0x4C2BBA0: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16359==    by 0xAE5308: my_malloc (my_malloc.c:100)
==16359==    by 0xADDEFC: alloc_root (my_alloc.c:180)
==16359==    by 0x7DFF2C: SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool) (opt_range.cc:3111)
==16359==    by 0x5C89A3: get_quick_record_count(THD*, SQL_SELECT*, TABLE*, Bitmap<64u> const*, unsigned long long) (sql_select.cc:3348)
==16359==    by 0x5ECDFC: make_join_statistics(JOIN*, List<TABLE_LIST>&, Item*, st_dynamic_array*) (sql_select.cc:3956)
==16359==    by 0x5F3CAD: JOIN::optimize_inner() (sql_select.cc:1337)
==16359==    by 0x5F5F64: JOIN::optimize() (sql_select.cc:1022)
==16359==    by 0x5F68EE: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3297)
==16359==    by 0x5F6B23: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:373)
==16359==    by 0x5A2429: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5275)
==16359==    by 0x5AD644: mysql_execute_command(THD*) (sql_parse.cc:2563)
==16359==    by 0x5AFCC7: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:6532)
==16359==    by 0x5B15E6: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1309)
==16359==    by 0x669092: do_handle_one_connection(THD*) (sql_connect.cc:1378)
==16359==    by 0x6690E7: handle_one_connection (sql_connect.cc:1293)
Comments
Comment by Sergei Petrunia [ 2015-10-06 ]

The problem was introduced by this fix:

MDEV-8779: mysqld got signal 11 in sql/opt_range_mrr.cc:100(step_down_to)

Comment by Sergei Petrunia [ 2015-10-06 ]

The cause is here in opt_range.h:

  QUICK_RANGE(const uchar *min_key_arg, uint min_length_arg,
              key_part_map min_keypart_map_arg,
              const uchar *max_key_arg, uint max_length_arg,
              key_part_map max_keypart_map_arg,
              uint flag_arg)
    : min_key((uchar*) sql_memdup(min_key_arg,min_length_arg+1)),
      max_key((uchar*) sql_memdup(max_key_arg,max_length_arg+1)),

Note the "+1". I don't see a reason it should be there. When SQL_SELECT::test_quick_select calculates max_key_len, it doesn't take this +1 into account.
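The size mismatch the comment above describes, modelled as an added C example that is not MariaDB code: the allocation side sizes a key buffer to max_key_len bytes (40 in the valgrind report), the copying side asks for length + 1, and a bounds-checked duplicate helper (hypothetical, named memdup_bounded) rejects the copy instead of silently reading past the block.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the mismatch, not the server's sql_memdup/alloc_root.
 * memdup_bounded copies `copy_len` bytes from `src`, whose allocation is
 * `src_len` bytes. If the copy would read past the source block it returns
 * NULL and reports how many bytes it would have over-read via *overread.
 * The caller owns the returned buffer. */
static unsigned char *memdup_bounded(const unsigned char *src, size_t src_len,
                                     size_t copy_len, size_t *overread)
{
    if (copy_len > src_len) {
        *overread = copy_len - src_len; /* bytes that would lie past the block */
        return NULL;
    }
    *overread = 0;
    unsigned char *dst = malloc(copy_len ? copy_len : 1);
    if (dst)
        memcpy(dst, src, copy_len);
    return dst;
}

/* Shape of the reported bug: a block of max_key_len bytes (stand-in for the
 * alloc_root call in test_quick_select) duplicated with max_key_len + 1,
 * mirroring the "+1" in the QUICK_RANGE constructor. Returns the number of
 * bytes the copy would read beyond the allocation (1 for the report's case). */
static size_t overread_with_plus_one(size_t max_key_len)
{
    unsigned char *block = calloc(max_key_len ? max_key_len : 1, 1);
    size_t over = 0;
    unsigned char *dup = memdup_bounded(block, max_key_len, max_key_len + 1, &over);
    free(dup);
    free(block);
    return over;
}

/* Corrected shape: the copy length never exceeds the allocation, so the
 * duplicate succeeds with no over-read. Returns 1 on success, 0 otherwise. */
static int copy_fits(size_t max_key_len)
{
    unsigned char *block = calloc(max_key_len ? max_key_len : 1, 1);
    size_t over = 0;
    unsigned char *dup = memdup_bounded(block, max_key_len, max_key_len, &over);
    int ok = (dup != NULL && over == 0);
    free(dup);
    free(block);
    return ok;
}
```

The same invariant (copy length <= allocation length) holds whether the fix drops the "+1" on the copy side or grows the allocation by one byte; the helper makes a violation fail loudly in a debug build rather than only under valgrind.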
