Bug #32191 Memory overrun when using join buffering for falcon table with a blob
Submitted: 8 Nov 2007 17:57   Modified: 22 Nov 2007 11:19
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Falcon storage engine   Severity: S1 (Critical)
Version: 6.0.3, 6.0.4-debug   OS: Any
Assigned to: Sergey Petrunya   CPU Architecture: Any

[8 Nov 2007 17:57] Shane Bester
Description:
Executing many queries with subqueries and their EXPLAINs sometimes causes a random crash, with this stack trace:

handle_segfault + 541                         
_end + 931074869
_end + 932816330
sub_select_cache(JOIN*, st_join_table*, bool) 
evaluate_join_record(JOIN*, st_join_table*, in
sub_select(JOIN*, st_join_table*, bool) + 232
do_select(JOIN*, List<Item>*, st_table*, Proce
JOIN::exec() + 1848
_Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4L
mysql_derived_filling(THD*, st_lex*, TABLE_LIS
mysql_handle_derived(st_lex*, bool (*)(THD*, s
open_and_lock_tables(THD*, TABLE_LIST*) + 248
execute_sqlcom_select(THD*, TABLE_LIST*) + 162
mysql_execute_command(THD*) + 1691
mysql_parse(THD*, char const*, unsigned int, c
dispatch_command(enum_server_command, THD*, ch
do_command(THD*) + 658
handle_one_connection + 255
_end + 931049569
_end + 933144874

How to repeat:
.
[9 Nov 2007 15:46] MySQL Verification Team
I have a simple testcase at last:

Two tables:

drop table if exists `t1`;
create table `t1` (`a` bigint(20) default null) engine=falcon;
drop table if exists `t2`;
create table `t2` (`b` mediumblob) engine=falcon;

t1 contains 9 records.
t2 contains 6 records.

This query crashes due to memory corruption:
select 1 from `t2`,`t1` where `b` < `a`;

The memory corruption is sometimes not noticed. In order to crash, you need to:
1) run the query over and over in a loop;
2) to improve the chances of a crash, run it in multiple threads;
3) run under valgrind or a -debug server.

Full stack trace is like this:

mysqld-debug.exe!memcpy
mysqld-debug.exe!store_record_in_cache
mysqld-debug.exe!sub_select_cache
mysqld-debug.exe!evaluate_join_record
mysqld-debug.exe!sub_select
mysqld-debug.exe!do_select
mysqld-debug.exe!JOIN::exec
mysqld-debug.exe!mysql_select
mysqld-debug.exe!handle_select
mysqld-debug.exe!execute_sqlcom_select
mysqld-debug.exe!mysql_execute_command
mysqld-debug.exe!mysql_parse
mysqld-debug.exe!dispatch_command
mysqld-debug.exe!do_command
mysqld-debug.exe!handle_one_connection
mysqld-debug.exe!pthread_start
mysqld-debug.exe!_threadstart
kernel32.dll!FlsSetValue
[9 Nov 2007 15:48] MySQL Verification Team
The tables and their data.

Attachment: bug32191_data.sql (application/octet-stream, text), 1.30 KiB.

[9 Nov 2007 15:56] MySQL Verification Team
Load the data into a clean installation, compile this testcase and run it. The crash happens.

Attachment: bug32191.c (text/plain), 5.09 KiB.

[14 Nov 2007 17:21] Sergey Petrunya
Changing category to Falcon as the problem only happens with Falcon storage engine.
[14 Nov 2007 17:32] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/37760

ChangeSet@1.2658, 2007-11-14 20:31:37+03:00, sergefp@mysql.com +2 -0
  BUG#32191: Memory overrun when using join buffering for falcon table with a blob:
  The problem: Falcon didn't follow the established convention that
    "If a blob column has NULL value, then its length and blob data 
     pointer must be set to 0".
  The fix:
  - Made falcon follow the convention
  - Documented it
  There is no testcase as this is buffer overrun and small repeatable testcase
  cannot be made.
[14 Nov 2007 18:35] Kevin Lewis
Sergey and Igor,
I just pushed almost this same change into mysql-6.0-falcon-team yesterday for Bug#32194.  Except that I just called field->reset() for any type of NULL field, not just blobs.  Bug#32194 was using nullable int fields.  I think we should always reset the field in decodeRecord when the field is NULL, no matter what type it is, just to avoid any other problems.
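As an added illustration (not code from this bug report, from Falcon, or from the MySQL server), the following self-contained C model shows why the convention quoted in the changeset ("if a blob column has NULL value, then its length and blob data pointer must be set to 0") matters to code like store_record_in_cache, and why resetting every NULL field in decodeRecord, as suggested in the previous comment, gives the same guarantee for all field types. The struct and function names (blob_field, decode_blob_stale, decode_blob_reset, cache_blob, count_overruns, invariant_after_null_row) are assumptions for the example, and the join-buffer layout is a simplified model: space for a blob is reserved only when its NULL flag is clear, so a NULL field that still carries a stale length from the previous row drives a memcpy past the reserved space. The model replaces the blind copy with a bounds check so the overrun is reported instead of performed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a decoded blob field as the join-buffer code sees it.
 * Names are assumptions for this example, not Falcon's or the server's types. */
typedef struct {
    int is_null;          /* NULL flag from the row's null bitmap */
    uint32_t length;      /* number of payload bytes */
    const uint8_t *data;  /* pointer to the payload */
} blob_field;

typedef void (*blob_decoder)(blob_field *f, int null_in_storage,
                             const uint8_t *data, uint32_t len);

/* Constructed sample payload for the non-NULL row. */
static const uint8_t sample_payload[] = "hello-blob";

/* Buggy decode: on NULL it sets the flag but leaves length/data from the
 * previous row in place (the stale state the changeset describes). */
void decode_blob_stale(blob_field *f, int null_in_storage,
                       const uint8_t *data, uint32_t len) {
    if (null_in_storage) {
        f->is_null = 1;          /* length and data deliberately untouched */
        return;
    }
    f->is_null = 0;
    f->length = len;
    f->data = data;
}

/* Fixed decode following the quoted convention: NULL blob => length 0 and
 * data pointer 0. Resetting every NULL field regardless of type (the
 * field->reset() approach) gives the same guarantee for all field types. */
void decode_blob_reset(blob_field *f, int null_in_storage,
                       const uint8_t *data, uint32_t len) {
    if (null_in_storage) {
        f->is_null = 1;
        f->length = 0;
        f->data = NULL;
        return;
    }
    f->is_null = 0;
    f->length = len;
    f->data = data;
}

/* Invariant a debug build can assert at the decode/cache boundary. */
int null_blob_invariant_holds(const blob_field *f) {
    return !f->is_null || (f->length == 0 && f->data == NULL);
}

/* Model of storing one blob into the join buffer. Space is reserved only
 * for non-NULL blobs, so the copy is bounds-checked against that reservation
 * instead of trusting f->length blindly. Returns bytes written, or -1 when
 * an unchecked memcpy would have run past the reserved space. */
long cache_blob(uint8_t *cache, size_t cache_size, const blob_field *f) {
    size_t reserved = f->is_null ? 0 : cache_size;
    if (f->length > reserved)
        return -1;                       /* this is the overrun */
    if (f->length == 0)
        return 0;                        /* nothing to copy for NULL/empty */
    memcpy(cache, f->data, f->length);
    return (long) f->length;
}

/* Drive two constructed rows through one reused field struct (row 1: a
 * 10-byte blob, row 2: NULL) and count the rows whose cache write would
 * have overrun. */
int count_overruns(blob_decoder decode) {
    blob_field f = {0, 0, NULL};
    uint8_t cache[32];
    int overruns = 0;

    decode(&f, 0, sample_payload, 10);
    if (cache_blob(cache, sizeof cache, &f) < 0)
        overruns++;

    decode(&f, 1, NULL, 0);              /* NULL row reuses the same struct */
    if (cache_blob(cache, sizeof cache, &f) < 0)
        overruns++;

    return overruns;
}

/* Same two rows; reports whether the invariant holds after the NULL row. */
int invariant_after_null_row(blob_decoder decode) {
    blob_field f = {0, 0, NULL};
    decode(&f, 0, sample_payload, 10);
    decode(&f, 1, NULL, 0);
    return null_blob_invariant_holds(&f);
}

int main(void) {
    printf("stale decode: %d overrun(s), invariant %s\n",
           count_overruns(decode_blob_stale),
           invariant_after_null_row(decode_blob_stale) ? "holds" : "violated");
    printf("reset decode: %d overrun(s), invariant %s\n",
           count_overruns(decode_blob_reset),
           invariant_after_null_row(decode_blob_reset) ? "holds" : "violated");
    return 0;
}
```

The stale decoder leaves the NULL row claiming 10 bytes, which the model reports as an overrun; the reset decoder yields 0 bytes and no overrun. null_blob_invariant_holds is the kind of check a debug server or a valgrind run can surface early, before the corruption reaches the stack shown in the report, which is why the reporter's "run under valgrind or -debug server" advice made the crash reproducible.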
[14 Nov 2007 18:39] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/37767

ChangeSet@1.2658, 2007-11-14 21:39:26+03:00, sergefp@mysql.com +2 -0
  BUG#32191: Memory overrun when using join buffering for falcon table with a blob:
  The problem: Falcon didn't follow the established convention that
    "If a blob column has NULL value, then its length and blob data 
     pointer must be set to 0".
  The fix:
  - Made falcon follow the convention
  - Documented it
  There is no testcase as this is buffer overrun and small repeatable testcase
  cannot be made.
[14 Nov 2007 18:55] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/37770

ChangeSet@1.2685, 2007-11-14 21:55:26+03:00, sergefp@mysql.com +2 -0
  BUG#32191: Memory overrun when using join buffering for falcon table with a blob:
  The problem: Falcon didn't follow the established convention that
    "If a blob column has NULL value, then its length and blob data 
     pointer must be set to 0".
  The fix:
  - Made falcon follow the convention
  - Documented it
  There is no testcase as this is buffer overrun and small repeatable testcase
  cannot be made.
[15 Nov 2007 20:32] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/37889

ChangeSet@1.2664, 2007-11-15 23:31:40+03:00, sergefp@mysql.com +2 -0
  BUG#32191: Memory overrun when using join buffering for falcon table with a blob:
  The problem: Falcon didn't follow the established convention that
    "If a blob column has NULL value, then its length and blob data 
     pointer must be set to 0".
  The fix:
  - Made falcon follow the convention
  - Documented it
  There is no testcase as this is buffer overrun and small repeatable testcase
  cannot be made.
  [re-committing this to push into build tree]
[16 Nov 2007 9:35] Bugs System
Pushed into 6.0.4-alpha
[16 Nov 2007 16:06] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/37962

ChangeSet@1.2635, 2007-11-16 19:04:37+03:00, sergefp@mysql.com +2 -0
  BUG#32191: Memory overrun when using join buffering for falcon table with a blob:
  The problem: Falcon didn't follow the established convention that
    "If a blob column has NULL value, then its length and blob data 
     pointer must be set to 0".
  The fix:
  - Made falcon follow the convention
  - Documented it
  There is no testcase as this is buffer overrun and small repeatable testcase
  cannot be made.
  [re-committing this to push into build tree]
[21 Nov 2007 18:54] Bugs System
Pushed into 6.0.4-alpha
[22 Nov 2007 10:55] Stefan Hinz
Moved from 6.0.4 to 6.0.3 as per Build team.
[22 Nov 2007 11:19] MC Brown
A note has been added to the 6.0.3 changelog: 

When comparing a BLOB value that was NULL, memory corruption could occur causing the server to crash.
[29 Nov 2007 12:53] Bugs System
Pushed into 6.0.4-alpha