Bug #59901 extractvalue still broken after fix for bug #44332
Submitted: 2 Feb 2011 19:31 Modified: 28 Jun 2011 18:14
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category:MySQL Server: XML functions Severity:S2 (Serious)
Version:5.6.2 OS:Any
Assigned to: CPU Architecture:Any
Tags: ExtractValue, valgrind

[2 Feb 2011 19:31] Shane Bester
Description:
After bug #44332 was fixed I still get errors with different test cases, so a revised fix is needed.

Version: '5.6.2-m5-valgrind-max-debug'  socket: 'sock'  port: 3306  Source distribution
Thread 18:
Conditional jump or move depends on uninitialised value(s)
at: my_xml_scan (xml.c:172)
by: my_xml_parse (xml.c:302)
by: Item_xml_str_func::parse_xml (item_xmlfunc.cc:2778)
by: Item_func_xml_extractvalue::val_str (item_xmlfunc.cc:2799)
by: Item::send (item.cc:5931)
by: Protocol::send_result_set_row (protocol.cc:848)
by: select_send::send_data (sql_class.cc:1910)
by: JOIN::exec (sql_select.cc:2798)
by: mysql_select (sql_select.cc:3584)
by: handle_select(sql_select.cc:323)
by: execute_sqlcom_select (sql_parse.cc:4513)
by: mysql_execute_command (sql_parse.cc:2096)
by: mysql_parse (sql_parse.cc:5550)
by: dispatch_command (sql_parse.cc:1078)
by: do_command (sql_parse.cc:815)
by: do_handle_one_connection (sql_connect.cc:748)
by: handle_one_connection (sql_connect.cc:684)
by: start_thread (pthread_create.c:301)

Uninitialised value was created by a heap allocation
at: malloc (vg_replace_malloc.c:195)
by: my_malloc (my_malloc.c:38)
by: String::real_alloc (sql_string.cc:44)
by: String::alloc (sql_string.h:233)
by: Item_char_typecast::val_str (item_timefunc.cc:2571)
by: Item_func_xml_extractvalue::val_str (item_xmlfunc.cc:2799)
by: Item::send (item.cc:5931)
by: Protocol::send_result_set_row (protocol.cc:848)
by: select_send::send_data (sql_class.cc:1910)
by: JOIN::exec (sql_select.cc:2798)
by: mysql_select (sql_select.cc:3584)
by: handle_select (sql_select.cc:323)
by: execute_sqlcom_select (sql_parse.cc:4513)
by: mysql_execute_command (sql_parse.cc:2096)
by: mysql_parse (sql_parse.cc:5550)
by: dispatch_command (sql_parse.cc:1078)
by: do_command (sql_parse.cc:815)
by: do_handle_one_connection (sql_connect.cc:748)
by: handle_one_connection (sql_connect.cc:684)
by: start_thread (pthread_create.c:301)

(gdb) list
167   {
168     p->cur++;
169     for (; ( p->cur < p->end ) && (p->cur[0] != a->beg[0]); p->cur++)
170     {}
171     a->end=p->cur;
172     if (a->beg[0] == p->cur[0])p->cur++;  <-------
173     a->beg++;
174     if (!(p->flags & MY_XML_FLAG_SKIP_TEXT_NORMALIZATION))
175       my_xml_norm_text(a);
176     lex=MY_XML_STRING;
(gdb) 

How to repeat:
#run mysqld in valgrind, then:
select extractvalue(convert('<\"',binary(10)),1);
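
To make the defect at xml.c:172 concrete, the following is an added stand-alone C example; it is not MySQL's code and not the upstream patch, but a reconstruction of the quoted-value scan from the gdb listing with the bounds check that listing lacks, plus a helper that reports how far the unfixed loop reads. The struct and field names (xml_parser, xml_attr) are assumptions modelled on the listing, and the sample buffer is constructed from the repro's CONVERT('<"', BINARY(10)) padding.

```c
#include <stddef.h>

/* Stand-ins for the structs my_xml_scan uses in xml.c (assumption: field names
   follow the gdb listing; the real structs carry more fields). */
typedef struct { const char *beg, *end; } xml_attr;
typedef struct { const char *cur, *end; } xml_parser;
typedef struct { int closed; size_t len; } scan_result;

/* Constructed sample: the quoted part of the repro CONVERT('<"', BINARY(10)),
   i.e. the '"' followed by eight 0x00 padding bytes and no closing quote. */
static const char kReproQuoted[9] = { '"', 0, 0, 0, 0, 0, 0, 0, 0 };
/* Quoted-value scan from the xml.c:167-173 listing with a bounds check added.
   On entry p->cur and a->beg both point at the opening quote. Returns 1 if a
   closing quote was found, 0 if the buffer ended first; p->cur[0] is only
   read while p->cur < p->end, so an unterminated quote never over-reads. */
static int scan_quoted_fixed(xml_parser *p, xml_attr *a)
{
  int closed = 0;
  p->cur++;                                   /* step over the opening quote */
  for (; p->cur < p->end && p->cur[0] != a->beg[0]; p->cur++) {}
  a->end = p->cur;                            /* value ends here or at buffer end */
  /* The listing compares a->beg[0] == p->cur[0] unconditionally; once the
     loop has run to p->end that reads the byte just past the buffer. */
  if (p->cur < p->end && p->cur[0] == a->beg[0]) { p->cur++; closed = 1; }
  a->beg++;                                   /* value starts after the quote */
  return closed;
}

/* Scan a raw buffer whose first byte is the quote character and report
   whether the value was closed and how many bytes it spans. */
scan_result scan_quoted_value(const char *buf, size_t len)
{
  xml_parser p = { buf, buf + len };
  xml_attr a = { buf, NULL };
  scan_result r;
  r.closed = scan_quoted_fixed(&p, &a);
  r.len = (size_t)(a.end - a.beg);
  return r;
}

/* Index of the last byte the unfixed logic reads for this buffer; a result
   equal to len is the one-byte over-read valgrind flags at xml.c:172. */
size_t unfixed_last_read_index(const char *buf, size_t len)
{
  size_t i = 1;                               /* scanning starts after the quote */
  while (i < len && buf[i] != buf[0])
    i++;
  return i;                                   /* unfixed code then reads buf[i] */
}
```

Feeding kReproQuoted to unfixed_last_read_index returns 9 for a 9-byte buffer, which is exactly the read valgrind reports, while scan_quoted_value reports the value as unterminated without touching that byte.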
[2 Feb 2011 20:57] Sveta Smirnova
Thank you for the report.

Verified as described.
[28 Jun 2011 18:14] Jon Stephens
Documented as follows in the 5.1.57 and 5.5.11 changelogs:

      The server read one byte too many when trying to process an XML string
      lacking a closing quote (') or double quote (") character used as an
      argument for UpdateXML() or ExtractValue().

No changelog entry required for 5.6.2 changelog, since the issue didn't appear
in a 5.6 release.

Closed.