[MDEV-9568] mysqlcheck crashes with nonexistent table name
Created: 2016-02-16  Updated: 2016-03-22  Resolved: 2016-03-22

Status: Closed
Project: MariaDB Server
Component/s: Scripts & Clients
Affects Version/s: 5.5.43, 5.5.48, 10.0.23, 10.1.9, 10.1.11
Fix Version/s: 5.5.49, 10.0.25, 10.1.13

Type: Bug
Priority: Major
Reporter: Horst Schirmeier
Assignee: Sergei Golubchik
Resolution: Fixed
Votes: 1
Labels: None
Environment: Debian 8 (amd64)
Attachments: File mysqlcheck-free.diff
Sprint: 10.1.13

 Description   

Running mysqlcheck (or mysqlanalyze / mysqloptimize / mysqlrepair) with a database name and the name of a nonexistent table leads to a crash:

$ mysqlcheck test doesntexist
Failed to SHOW CREATE TABLE `doesntexist`
Error: Table 'test.doesntexist' doesn't exist
*** Error in `mysqlcheck': free(): invalid pointer: 0x00007ffff23b0348 ***
Aborted

GDB session on current git HEAD:

Reading symbols from client/mysqlcheck...done.
(gdb) run
Starting program: /tmp/server/build/client/mysqlcheck test doesntexist
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Failed to SHOW CREATE TABLE `doesntexist`
Error: Table 'test.doesntexist' doesn't exist
*** Error in `/tmp/server/build/client/mysqlcheck': free(): invalid pointer: 0x00007fffffffdef8 ***
 
 
Program received signal SIGABRT, Aborted.
0x00007ffff6e23067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt 
#0  0x00007ffff6e23067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff6e24448 in __GI_abort () at abort.c:89
#2  0x00007ffff6e611b4 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff6f56820 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff6e6698e in malloc_printerr (action=1, str=0x7ffff6f528de "free(): invalid pointer", ptr=<optimized out>) at malloc.c:4996
#4  0x00007ffff6e67696 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5  0x00005555555760af in is_view (table=<optimized out>) at /tmp/server/client/mysqlcheck.c:526
#6  0x00005555555758e7 in process_selected_tables (tables=<optimized out>, table_names=0x555555b08208, db=<optimized out>) at /tmp/server/client/mysqlcheck.c:589
#7  main (argc=2, argv=0x555555b08200) at /tmp/server/client/mysqlcheck.c:1207
(gdb) frame 5
#5  0x00005555555760af in is_view (table=<optimized out>) at /tmp/lol/server/client/mysqlcheck.c:526
(gdb) p query
$1 = "SHOW CREATE TABLE `doesntexist`\000\227\371\260UUU\000\000\332\371\260UUU\000\000y\201\260UUU\000\000\313\025XUUU\000\000\000\000\000\000\000\000\000\000\b\203\260UUU\000\000-!`UUU\000\000\257\371\260UUU\000
\000\352\f\000\000\034\000\000\000\020\346\257UUU\000\000\t\000\000\000\000\000\000\000 \000\000\000\025\000\000\000\020\377\273\367\377\177\000\000\250\025\274\367\377\177\000\000\300\340\377\377\377\177\000\000\
036s#\003\000\000\000\000\260\340\377\377\377\177\000\000\260UUU", '\000' <repeats 18 times>, "\001\000/var/ru"...

The my_free(query); call in server/client/mysqlcheck.c:526 fails since commit 6f17e233 when query was moved to the stack. With the attached patch, the crash does not occur anymore.
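The bug class described above, as an added illustration that is not part of the report, the attached patch, or mysqlcheck's source: a query buffer that moved from the heap to automatic storage while a release call stayed behind. All function names, the registry, and the 256-byte buffer size are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 64
static void *live[MAX_LIVE];   /* pointers handed out by checked_alloc() */

static void *checked_alloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);                   /* registry full (or p is NULL) */
    return NULL;
}

/* Release only heap pointers we own; -1 for anything else (stack, static). */
static int checked_free(void *p)
{
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (live[i] == p) { free(live[i]); live[i] = NULL; return 0; }
    return -1;
}

/* Heap-allocated query: releasing it is correct. */
int query_on_heap(const char *table)
{
    size_t n = strlen(table) + sizeof("SHOW CREATE TABLE ``");
    char *query = checked_alloc(n);
    if (!query) return -2;
    snprintf(query, n, "SHOW CREATE TABLE `%s`", table);
    return checked_free(query);
}

/* Query moved to the stack, release left behind: the reported pattern.
 * checked_free() refuses the pointer; plain free() aborts in glibc. */
int query_on_stack_stale_free(const char *table)
{
    char query[256];
    snprintf(query, sizeof(query), "SHOW CREATE TABLE `%s`", table);
    return checked_free(query);
}

int main(void)
{
    printf("heap: %d, stack+stale free: %d\n",
           query_on_heap("doesntexist"), query_on_stack_stale_free("doesntexist"));
    return 0;
}
```

GCC's `-Wfree-nonheap-object` warning and AddressSanitizer both flag a direct `free()` of a stack buffer, which catches this kind of leftover call in a build or test run before it reaches an error path in production.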



 Comments   
Comment by Elena Stepanova [ 2016-02-17 ]

Thanks for the report.

The problem appeared in 5.5 tree with this commit:

commit 6f17e233bf7f4de20dda8fb31f63aa52452c4e0a
Author: Sergei Golubchik <serg@mariadb.org>
Date:   Tue Apr 28 21:24:32 2015 +0200
 
    post-merge fixes
