Bug #44358 valgrind errors with decode() function
Submitted: 20 Apr 2009 5:49 Modified: 12 May 2009 2:47
Reporter: Shane Bester (Platinum Quality Contributor) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: General Severity:S1 (Critical)
Version:5.1.32, 5.1.35 OS:Linux
Assigned to: Sergei Glukhov CPU Architecture:Any
Tags: decode, GIGO, valgrind

[20 Apr 2009 5:49] Shane Bester
Description:
Conditional jump or move depends on uninitialised value(s)
 : strlen (mc_replace_strmem.c:242)
 : SQL_CRYPT::SQL_CRYPT(char const*) (sql_crypt.cc:34)
 : Item_func_decode::val_str(String*) (item_strfunc.cc:1773)
 : Item::save_in_field(Field*, bool) (item.cc:4869)
 : fill_record(THD*, Field**, List<Item>&, bool) (sql_base.cc:8194)
 : select_union::send_data(List<Item>&) (sql_union.cc:60)
 : _ZL8end_sendP4JOINP13st_join_tableb (sql_select.cc:11942)
 : _ZL20evaluate_join_recordP4JOINP13st_join_tablei (sql_select.cc:11202)
 : sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:11087)
 : _ZL9do_selectP4JOINP4ListI4ItemEP8st_tableP9Procedure (sql_select.cc:10843)
 : JOIN::exec() (sql_select.cc:2199)
 : mysql_select(THD*, Item***, TABLE_LIST*, unsigned, List<Item>&, Item*, unsigned, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2378)

The above line number are generated by version: mysql-advanced-gpl-5.1.32-linux-i686-glibc23.tar.gz

How to repeat:
valgrind --tool=memcheck --leak-check=full -v --show-reachable=yes  ./bin/mysqld  --basedir=./ --datadir=./data  --skip-grant-tables --skip-name-resolve 

drop table if exists test;
create table test(col0 tinyint default null)engine=myisam;
insert into test values (-1),(null);
explain select 1 as a from test,(select decode(col0,col0) as b from test) a;

Suggested fix:
check if the warnings are legitimate or not.  If bogus, then add a suppression.
[20 Apr 2009 9:18] MySQL Verification Team
a more potent testcase, that causes invalid reads of memory (hence, can crash)

Attachment: bug44358_new_testcase.sql (application/unknown, text), 6.32 KiB.

[20 Apr 2009 9:19] MySQL Verification Team
the new testcase valgrind outputs from 5.1.32

Attachment: bug44358_new_valgrind_outputs.txt (text/plain), 16.90 KiB.

[20 Apr 2009 9:27] MySQL Verification Team
import the attached testcase multiple times, when running mysqld under valgrind.  it seems the invalid read of memory happens inside some previously allocated buffer that was used for another purpose.  so multiple runs can be needed.

invalid reads of memory could cause crashes on picky platforms, so this is important to fix.
[21 Apr 2009 9:06] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/72549

2863 Sergey Glukhov	2009-04-21
      Bug#44358 valgrind errors with decode() function
      Functions decode() & encode() produce valgrind warnings.
      The fix is to use c_ptr_safe() instead of c_ptr()
     @ mysql-test/r/func_str.result
        test result
     @ mysql-test/t/func_str.test
        test case
     @ sql/item_strfunc.cc
        Functions decode() & encode() produce valgrind warnings.
        The fix is to use c_ptr_safe() instead of c_ptr()
[23 Apr 2009 8:26] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/72696

2863 Sergey Glukhov	2009-04-23
      Bug#44358 valgrind errors with decode() function
      The warning happens because string argument is not zero ended.
      The fix is to add new parameter 'length' to SQL_CRYPT() and
      use ptr() instead of c_ptr().
     @ mysql-test/r/func_str.result
        test result
     @ mysql-test/t/func_str.test
        test case
     @ sql/item_strfunc.cc
        Added new parameter 'length' to SQL_CRYPT
     @ sql/sql_crypt.cc
        Added new parameter 'length' to SQL_CRYPT
     @ sql/sql_crypt.h
        Added new parameter 'length' to SQL_CRYPT
[23 Apr 2009 8:44] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/72697

2864 Sergey Glukhov	2009-04-23
      Bug#44358 valgrind errors with decode() function
      The warning happens because string argument is not zero ended.
      The fix is to add new parameter 'length' to SQL_CRYPT() and
      use ptr() instead of c_ptr().
     @ mysql-test/r/func_str.result
        test result
     @ mysql-test/t/func_str.test
        test case
     @ sql/item_strfunc.cc
        Added new parameter 'length' to SQL_CRYPT
     @ sql/sql_crypt.cc
        Added new parameter 'length' to SQL_CRYPT
     @ sql/sql_crypt.h
        Added new parameter 'length' to SQL_CRYPT
[5 May 2009 19:37] Bugs System
Pushed into 5.1.35 (revid:davi.arnaut@sun.com-20090505190206-9xmh7dlc6kom8exp) (version source revid:davi.arnaut@sun.com-20090505190206-9xmh7dlc6kom8exp) (merge vers: 5.1.35) (pib:6)
[6 May 2009 14:06] Bugs System
Pushed into 6.0.12-alpha (revid:svoj@sun.com-20090506125450-yokcmvqf2g7jhujq) (version source revid:sergey.glukhov@sun.com-20090423084237-j570b1umgk6tb4ha) (merge vers: 6.0.11-alpha) (pib:6)
[12 May 2009 2:47] Paul DuBois
Noted in 5.1.35, 6.0.12 changelogs.

Valgrind warnings for the DECODE(), ENCRYPT(), and FIND_IN_SET()
functions were corrected.
[15 Jun 2009 8:24] Bugs System
Pushed into 5.1.35-ndb-6.3.26 (revid:jonas@mysql.com-20090615074202-0r5r2jmi83tww6sf) (version source revid:jonas@mysql.com-20090615070837-9pccutgc7repvb4d) (merge vers: 5.1.35-ndb-6.3.26) (pib:6)
[15 Jun 2009 9:04] Bugs System
Pushed into 5.1.35-ndb-7.0.7 (revid:jonas@mysql.com-20090615074335-9hcltksp5cu5fucn) (version source revid:jonas@mysql.com-20090615072714-rmfkvrbbipd9r32c) (merge vers: 5.1.35-ndb-7.0.7) (pib:6)
[15 Jun 2009 9:44] Bugs System
Pushed into 5.1.35-ndb-6.2.19 (revid:jonas@mysql.com-20090615061520-sq7ds4yw299ggugm) (version source revid:jonas@mysql.com-20090615054654-ebgpz7elwu1xj36j) (merge vers: 5.1.35-ndb-6.2.19) (pib:6)