Bug #32191 | Memory overrun when using join buffering for falcon table with a blob | | |
---|---|---|---|
Submitted: | 8 Nov 2007 17:57 | Modified: | 22 Nov 2007 11:19 |
Reporter: | Shane Bester (Platinum Quality Contributor) | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Falcon storage engine | Severity: | S1 (Critical) |
Version: | 6.0.3, 6.0.4-debug | OS: | Any |
Assigned to: | Sergey Petrunya | CPU Architecture: | Any |
[8 Nov 2007 17:57]
Shane Bester
[9 Nov 2007 15:46]
MySQL Verification Team
I have a simple testcase at last. Two tables:

    drop table if exists `t1`;
    create table `t1` (`a` bigint(20) default null) engine=falcon;
    drop table if exists `t2`;
    create table `t2` (`b` mediumblob) engine=falcon;

t1 contains 9 records. t2 contains 6 records. This query crashes due to memory corruption:

    select 1 from `t2`,`t1` where `b` < `a`

The memory corruption is sometimes not noticed. In order to crash, you need to:
1) run the query over and over in a loop.
2) to improve chances of a crash, run in multiple threads.
3) run under valgrind or a -debug server.

Full stack trace is like this:

    mysqld-debug.exe!memcpy
    mysqld-debug.exe!store_record_in_cache
    mysqld-debug.exe!sub_select_cache
    mysqld-debug.exe!evaluate_join_record
    mysqld-debug.exe!sub_select
    mysqld-debug.exe!do_select
    mysqld-debug.exe!JOIN::exec
    mysqld-debug.exe!mysql_select
    mysqld-debug.exe!handle_select
    mysqld-debug.exe!execute_sqlcom_select
    mysqld-debug.exe!mysql_execute_command
    mysqld-debug.exe!mysql_parse
    mysqld-debug.exe!dispatch_command
    mysqld-debug.exe!do_command
    mysqld-debug.exe!handle_one_connection
    mysqld-debug.exe!pthread_start
    mysqld-debug.exe!_threadstart
    kernel32.dll!FlsSetValue
[9 Nov 2007 15:48]
MySQL Verification Team
the tables and their data.
Attachment: bug32191_data.sql (application/octet-stream, text), 1.30 KiB.
[9 Nov 2007 15:56]
MySQL Verification Team
load the data into a clean installation. compile this testcase and run it. crash happens.
Attachment: bug32191.c (text/plain), 5.09 KiB.
[14 Nov 2007 17:21]
Sergey Petrunya
Changing category to Falcon as the problem only happens with Falcon storage engine.
[14 Nov 2007 17:32]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
http://lists.mysql.com/commits/37760

ChangeSet@1.2658, 2007-11-14 20:31:37+03:00, sergefp@mysql.com +2 -0
BUG#32191: Memory overrun when using join buffering for falcon table with a blob:
The problem: Falcon didn't follow the established convention that "If a blob column has NULL value, then its length and blob data pointer must be set to 0".
The fix:
- Made falcon follow the convention
- Documented it
There is no testcase as this is buffer overrun and small repeatable testcase cannot be made.
[14 Nov 2007 18:35]
Kevin Lewis
Sergey and Igor, I just pushed almost this same change into mysql-6.0-falcon-team yesterday for Bug#32194. Except that I just called field->reset() for any type of NULL field, not just blobs. Bug#32194 was using nullable int fields. I think we should always reset the field in decodeRecord when the field is NULL, no matter what type it is, just to avoid any other problems.
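The two comments above describe the same invariant from two sides: the fix commits require that a NULL blob be decoded with length 0 and a null data pointer, and Kevin Lewis's note generalises that to resetting every NULL field in decodeRecord. The following C program is an added illustration written for this page; it is not MySQL, Falcon or attachment code. It assumes a simplified `blob_field` struct, a stand-in join-buffer copy routine (`store_blob_in_cache`, a 4-byte length prefix plus payload) and a two-row scan (`run_scan`) with constructed sample data, and it contrasts a decoder that leaves stale length/pointer state on a NULL value with one that resets it. The consumer trusts the field's length, as the reported `store_record_in_cache` memcpy did; the bounds check in the stand-in is what turns the overrun into a rejected copy so the example runs safely.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified view of a BLOB column as the join buffer sees it:
 * a NULL flag, an out-of-row length and a pointer to the bytes.  Real server
 * field classes look different; this is an illustration, not MySQL code. */
typedef struct {
    int is_null;
    uint32_t length;
    const unsigned char *data;
} blob_field;

/* Sample row data constructed for the example: row 1 carries a 5-byte blob,
 * row 2 (below) is SQL NULL. */
static const unsigned char ROW1_BLOB[5] = { 'h', 'e', 'l', 'l', 'o' };

/* Decoder variant that mirrors the reported defect: on a NULL value it sets
 * the NULL flag but leaves length/data from the previous row in place. */
void decode_null_stale(blob_field *f)
{
    f->is_null = 1;
    /* length and data intentionally untouched: stale state survives */
}

/* Decoder variant that follows the convention from the fix (and the
 * reset-every-NULL-field approach from the thread): a NULL blob has
 * length 0 and a null data pointer. */
void decode_null_reset(blob_field *f)
{
    f->is_null = 1;
    f->length = 0;
    f->data = NULL;
}

/* Bounded stand-in for the join buffer's copy of one blob field: 4-byte length
 * prefix followed by the payload.  The consumer trusts f->length, exactly as a
 * cache that does not re-check the NULL flag would.  Returns the bytes written,
 * or -1 when the claimed length does not fit; without this guard the memcpy
 * would run past the end of `cache`. */
long store_blob_in_cache(unsigned char *cache, size_t cache_len, const blob_field *f)
{
    size_t need = sizeof(uint32_t) + (size_t)f->length;
    if (need > cache_len)
        return -1;
    memcpy(cache, &f->length, sizeof(uint32_t));
    if (f->length)
        memcpy(cache + sizeof(uint32_t), f->data, f->length);
    return (long)need;
}

/* Drive two rows through the given decoder and try to cache the second (NULL)
 * row into a cache sized for what a NULL blob legitimately needs: only the
 * 4-byte length prefix.  Returns the length the NULL row claimed and reports
 * the cache result through *store_result. */
uint32_t run_scan(void (*decode_null)(blob_field *), long *store_result)
{
    blob_field f = { 0, 0, NULL };
    unsigned char cache[sizeof(uint32_t)];

    /* row 1: a non-NULL blob is decoded normally */
    f.is_null = 0;
    f.length = sizeof ROW1_BLOB;
    f.data = ROW1_BLOB;

    /* row 2: SQL NULL, decoded by the variant under test */
    decode_null(&f);
    *store_result = store_blob_in_cache(cache, sizeof cache, &f);
    return f.length;
}

/* Convenience wrappers so each outcome can be checked as a single value. */
uint32_t claimed_length_with(void (*decode_null)(blob_field *))
{
    long r;
    return run_scan(decode_null, &r);
}

long store_result_with(void (*decode_null)(blob_field *))
{
    long r;
    (void)run_scan(decode_null, &r);
    return r;
}

int main(void)
{
    printf("stale decoder: NULL row claims length %u, cache store %s\n",
           (unsigned)claimed_length_with(decode_null_stale),
           store_result_with(decode_null_stale) < 0 ? "rejected (would overrun)" : "ok");
    printf("reset decoder: NULL row claims length %u, cache store %s\n",
           (unsigned)claimed_length_with(decode_null_reset),
           store_result_with(decode_null_reset) < 0 ? "rejected (would overrun)" : "ok");
    return 0;
}
```

The stale decoder leaves the NULL row claiming the previous row's 5 bytes, so a cache sized from the NULL flag is too small and the copy is rejected; in a consumer without the guard that is the memcpy overrun in the stack trace. Resetting length and pointer on NULL removes the disagreement between producer and consumer, which is why the thread prefers resetting every NULL field rather than relying on each consumer to re-check the NULL bitmap.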
[14 Nov 2007 18:39]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
http://lists.mysql.com/commits/37767

ChangeSet@1.2658, 2007-11-14 21:39:26+03:00, sergefp@mysql.com +2 -0
BUG#32191: Memory overrun when using join buffering for falcon table with a blob:
The problem: Falcon didn't follow the established convention that "If a blob column has NULL value, then its length and blob data pointer must be set to 0".
The fix:
- Made falcon follow the convention
- Documented it
There is no testcase as this is buffer overrun and small repeatable testcase cannot be made.
[14 Nov 2007 18:55]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
http://lists.mysql.com/commits/37770

ChangeSet@1.2685, 2007-11-14 21:55:26+03:00, sergefp@mysql.com +2 -0
BUG#32191: Memory overrun when using join buffering for falcon table with a blob:
The problem: Falcon didn't follow the established convention that "If a blob column has NULL value, then its length and blob data pointer must be set to 0".
The fix:
- Made falcon follow the convention
- Documented it
There is no testcase as this is buffer overrun and small repeatable testcase cannot be made.
[15 Nov 2007 20:32]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
http://lists.mysql.com/commits/37889

ChangeSet@1.2664, 2007-11-15 23:31:40+03:00, sergefp@mysql.com +2 -0
BUG#32191: Memory overrun when using join buffering for falcon table with a blob:
The problem: Falcon didn't follow the established convention that "If a blob column has NULL value, then its length and blob data pointer must be set to 0".
The fix:
- Made falcon follow the convention
- Documented it
There is no testcase as this is buffer overrun and small repeatable testcase cannot be made.
[re-committing this to push into build tree]
[16 Nov 2007 9:35]
Bugs System
Pushed into 6.0.4-alpha
[16 Nov 2007 16:06]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
http://lists.mysql.com/commits/37962

ChangeSet@1.2635, 2007-11-16 19:04:37+03:00, sergefp@mysql.com +2 -0
BUG#32191: Memory overrun when using join buffering for falcon table with a blob:
The problem: Falcon didn't follow the established convention that "If a blob column has NULL value, then its length and blob data pointer must be set to 0".
The fix:
- Made falcon follow the convention
- Documented it
There is no testcase as this is buffer overrun and small repeatable testcase cannot be made.
[re-committing this to push into build tree]
[21 Nov 2007 18:54]
Bugs System
Pushed into 6.0.4-alpha
[22 Nov 2007 10:55]
Stefan Hinz
Moved from 6.0.4 to 6.0.3 as per Build team.
[22 Nov 2007 11:19]
MC Brown
A note has been added to the 6.0.3 changelog: When comparing a BLOB value that was null, memory corruption could occur causing the server to crash.
[29 Nov 2007 12:53]
Bugs System
Pushed into 6.0.4-alpha