Bug #46570 test udf fails with valgrind
Submitted: 5 Aug 2009 16:11 Modified: 2 Apr 2010 18:01
Reporter: Marc ALFF
Status: Closed
Category: MySQL Server Severity: S1 (Critical)
Version: 6.0-codebase, 5.5.99-m3 OS: Linux (suse 11.0)
Assigned to: Alexey Botchkov CPU Architecture:Any

[5 Aug 2009 16:11] Marc ALFF
Description:
CURRENT_TEST: main.udf
==13337== Memcheck, a memory error detector.
==13337== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==13337== Using LibVEX rev 1804, a library for dynamic binary translation.
==13337== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==13337== Using valgrind-3.3.0, a dynamic binary instrumentation framework.
==13337== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==13337== For more details, rerun with: -v
==13337== 
090805 19:00:52 [Warning] The syntax '--log' is deprecated and will be removed in MySQL 7.0. Please use '--general-log --general-log-file' instead.
090805 19:00:52 [Warning] The syntax '--log-slow-queries' is deprecated and will be removed in MySQL 7.0. Please use '--slow-query-log'/'--slow-query-log-file' instead.
090805 19:00:53 [Note] Plugin 'FEDERATED' is disabled.
090805 19:00:53 [Note] Plugin 'InnoDB' is disabled.
090805 19:00:53 [Note] Plugin 'ndbcluster' is disabled.
090805 19:00:54 [Note] Event Scheduler: Loaded 0 events
090805 19:00:54 [Note] /home/malff/BZR-TREE/mysql-azalea/sql/mysqld: ready for connections.
Version: '5.4.4-alpha-valgrind-max-debug-log'  socket: '/home/malff/BZR-TREE/mysql-azalea/mysql-test/var/tmp/mysqld.1.sock'  port: 13000  Source distribution
==13337== Thread 3:
==13337== Conditional jump or move depends on uninitialised value(s)
==13337==    at 0x4016223: (within /lib/ld-2.8.so)
==13337==    by 0x42F65C3: (within /lib/libc-2.8.so)
==13337==    by 0x42F6989: _dl_sym (in /lib/libc-2.8.so)
==13337==    by 0x407CDE7: (within /lib/libdl-2.8.so)
==13337==    by 0x400DE25: (within /lib/ld-2.8.so)
==13337==    by 0x407D0DB: (within /lib/libdl-2.8.so)
==13337==    by 0x407CD72: dlsym (in /lib/libdl-2.8.so)
==13337==    by 0x8480F5F: _ZL9init_symsP11st_udf_funcPc (sql_udf.cc:75)
==13337==    by 0x8481358: mysql_create_function(THD*, st_udf_func*) (sql_udf.cc:461)
==13337==    by 0x8303A60: mysql_execute_command(THD*) (sql_parse.cc:3881)
==13337==    by 0x83072EE: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5942)
==13337==    by 0x8307CF5: dispatch_command(enum_server_command, THD*, char*, unsigned) (sql_parse.cc:1061)
==13337==    by 0x8308F72: do_command(THD*) (sql_parse.cc:743)
==13337==    by 0x82F6412: handle_one_connection (sql_connect.cc:1158)
==13337==    by 0x406A174: start_thread (in /lib/libpthread-2.8.so)
==13337==    by 0x42BFDAD: clone (in /lib/libc-2.8.so)
==13337== 
==13337== Conditional jump or move depends on uninitialised value(s)
==13337==    at 0x401622E: (within /lib/ld-2.8.so)
==13337==    by 0x42F65C3: (within /lib/libc-2.8.so)
==13337==    by 0x42F6989: _dl_sym (in /lib/libc-2.8.so)
==13337==    by 0x407CDE7: (within /lib/libdl-2.8.so)
==13337==    by 0x400DE25: (within /lib/ld-2.8.so)
==13337==    by 0x407D0DB: (within /lib/libdl-2.8.so)
==13337==    by 0x407CD72: dlsym (in /lib/libdl-2.8.so)
==13337==    by 0x8480F5F: _ZL9init_symsP11st_udf_funcPc (sql_udf.cc:75)
==13337==    by 0x8481358: mysql_create_function(THD*, st_udf_func*) (sql_udf.cc:461)
==13337==    by 0x8303A60: mysql_execute_command(THD*) (sql_parse.cc:3881)
==13337==    by 0x83072EE: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5942)
==13337==    by 0x8307CF5: dispatch_command(enum_server_command, THD*, char*, unsigned) (sql_parse.cc:1061)
==13337==    by 0x8308F72: do_command(THD*) (sql_parse.cc:743)
==13337==    by 0x82F6412: handle_one_connection (sql_connect.cc:1158)
==13337==    by 0x406A174: start_thread (in /lib/libpthread-2.8.so)
==13337==    by 0x42BFDAD: clone (in /lib/libc-2.8.so)
==13337== 
==13337== Conditional jump or move depends on uninitialised value(s)
==13337==    at 0x401620C: (within /lib/ld-2.8.so)
==13337==    by 0x42F65C3: (within /lib/libc-2.8.so)
==13337==    by 0x42F6989: _dl_sym (in /lib/libc-2.8.so)
==13337==    by 0x407CDE7: (within /lib/libdl-2.8.so)
==13337==    by 0x400DE25: (within /lib/ld-2.8.so)
==13337==    by 0x407D0DB: (within /lib/libdl-2.8.so)
==13337==    by 0x407CD72: dlsym (in /lib/libdl-2.8.so)
==13337==    by 0x8480F5F: _ZL9init_symsP11st_udf_funcPc (sql_udf.cc:75)
==13337==    by 0x8481358: mysql_create_function(THD*, st_udf_func*) (sql_udf.cc:461)
==13337==    by 0x8303A60: mysql_execute_command(THD*) (sql_parse.cc:3881)
==13337==    by 0x83072EE: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5942)
==13337==    by 0x8307CF5: dispatch_command(enum_server_command, THD*, char*, unsigned) (sql_parse.cc:1061)
==13337==    by 0x8308F72: do_command(THD*) (sql_parse.cc:743)
==13337==    by 0x82F6412: handle_one_connection (sql_connect.cc:1158)
==13337==    by 0x406A174: start_thread (in /lib/libpthread-2.8.so)
==13337==    by 0x42BFDAD: clone (in /lib/libc-2.8.so)
==13337== 
==13337== Conditional jump or move depends on uninitialised value(s)
==13337==    at 0x4016217: (within /lib/ld-2.8.so)
==13337==    by 0x42F65C3: (within /lib/libc-2.8.so)
==13337==    by 0x42F6989: _dl_sym (in /lib/libc-2.8.so)
==13337==    by 0x407CDE7: (within /lib/libdl-2.8.so)
==13337==    by 0x400DE25: (within /lib/ld-2.8.so)
==13337==    by 0x407D0DB: (within /lib/libdl-2.8.so)
==13337==    by 0x407CD72: dlsym (in /lib/libdl-2.8.so)
==13337==    by 0x8480F5F: _ZL9init_symsP11st_udf_funcPc (sql_udf.cc:75)
==13337==    by 0x8481358: mysql_create_function(THD*, st_udf_func*) (sql_udf.cc:461)
==13337==    by 0x8303A60: mysql_execute_command(THD*) (sql_parse.cc:3881)
==13337==    by 0x83072EE: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5942)
==13337==    by 0x8307CF5: dispatch_command(enum_server_command, THD*, char*, unsigned) (sql_parse.cc:1061)
==13337==    by 0x8308F72: do_command(THD*) (sql_parse.cc:743)
==13337==    by 0x82F6412: handle_one_connection (sql_connect.cc:1158)
==13337==    by 0x406A174: start_thread (in /lib/libpthread-2.8.so)
==13337==    by 0x42BFDAD: clone (in /lib/libc-2.8.so)

How to repeat:
Run udf.test with valgrind
[6 Aug 2009 5:51] Sveta Smirnova
Thank you for the report.

Verified as described:

Version: '5.4.4-alpha-debug-log'  socket: '/users/ssmirnova/blade12/src/mysql-azalea/mysql-test/var/tmp/mysqld.1.sock'  port: 13000  Source distribution
==17160== Thread 3:
==17160== Syscall param pwrite64(buf) points to uninitialised byte(s)
==17160==    at 0x3429E0D708: (within /lib64/libpthread-2.5.so)
==17160==    by 0xB1FF6D: my_pwrite (my_pread.c:162)
==17160==    by 0xB21191: key_cache_pwrite (mf_keycache.c:803)
==17160==    by 0xB26217: flush_cached_blocks (mf_keycache.c:3554)
==17160==    by 0xB268F4: flush_key_blocks_int (mf_keycache.c:3850)
==17160==    by 0xB26E5B: flush_key_blocks (mf_keycache.c:4107)
==17160==    by 0xA4A017: mi_lock_database (mi_locking.c:74)
==17160==    by 0xA31EFF: ha_myisam::external_lock(THD*, int) (ha_myisam.cc:1805)
==17160==    by 0x8295D4: handler::ha_external_lock(THD*, int) (handler.cc:5475)
==17160==    by 0x6B7A54: unlock_external(THD*, TABLE**, unsigned int) (lock.cc:822)
==17160==    by 0x6B6C39: mysql_unlock_tables(THD*, st_mysql_lock*) (lock.cc:437)
==17160==    by 0x7249D6: close_thread_tables(THD*, bool) (sql_base.cc:1466)
==17160==    by 0x6CF75B: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1411)
==17160==    by 0x6CD819: do_command(THD*) (sql_parse.cc:743)
==17160==    by 0x6CBFE5: handle_one_connection (sql_connect.cc:1158)
==17160==    by 0x3429E061B4: start_thread (in /lib64/libpthread-2.5.so)
==17160==  Address 0x533aff2 is 2,106 bytes inside a block of size 850,988 alloc'd
==17160==    at 0x4A075EE: malloc (vg_replace_malloc.c:207)
==17160==    by 0xB2D91F: _mymalloc (safemalloc.c:147)
==17160==    by 0xB499E8: my_large_malloc (my_largepage.c:64)
==17160==    by 0xB20714: init_key_cache (mf_keycache.c:439)
==17160==    by 0x825A45: ha_init_key_cache (handler.cc:3678)
==17160==    by 0x6E83E0: process_key_caches(int (*)(char const*, st_key_cache*)) (set_var.cc:4820)
==17160==    by 0x6C1C1A: init_server_components() (mysqld.cc:4120)
==17160==    by 0x6C277C: main (mysqld.cc:4634)
==17160==
==17160== Conditional jump or move depends on uninitialised value(s)
==17160==    at 0x60784B: String::c_ptr() (sql_string.h:98)
==17160==    by 0x61663A: udf_handler::fix_fields(THD*, Item_result_field*, unsigned int, Item**) (item_func.cc:3015)
==17160==    by 0x621A4A: Item_udf_func::fix_fields(THD*, Item**) (item_func.h:1041)
==17160==    by 0x8BDEDD: sp_prepare_func_item(THD*, Item**) (sp_head.cc:309)
==17160==    by 0x5EFCAF: Item_trigger_field::set_value(THD*, sp_rcontext*, Item**) (item.cc:6916)
==17160==    by 0x8C70C9: Item_trigger_field::set_value(THD*, Item**) (item.h:2956)
==17160==    by 0x8C4C14: sp_instr_set_trigger_field::exec_core(THD*, unsigned int*) (sp_head.cc:3020)
==17160==    by 0x8C42D6: sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) (sp_head.cc:2755)
==17160==    by 0x8C4BD9: sp_instr_set_trigger_field::execute(THD*, unsigned int*) (sp_head.cc:3013)
==17160==    by 0x8C0955: sp_head::execute(THD*) (sp_head.cc:1250)
==17160==    by 0x8C149C: sp_head::execute_trigger(THD*, st_mysql_lex_string const*, st_mysql_lex_string const*, st_grant_info*) (sp_head.cc:1561)
==17160==    by 0x8D6638: Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool) (sql_trigger.cc:2012)
==17160==    by 0x730EEC: fill_record_n_invoke_before_triggers(THD*, Field**, List<Item>&, bool, Table_triggers_list*, trg_event_type) (sql_base.cc:7518)
==17160==    by 0x77D985: mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) (sql_insert.cc:800)
==17160==    by 0x6D39E0: mysql_execute_command(THD*) (sql_parse.cc:3220)
==17160==    by 0x8C48A7: sp_instr_stmt::exec_core(THD*, unsigned int*) (sp_head.cc:2931)
[10 Sep 2009 9:16] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/82903

2814 Alexey Botchkov	2009-09-10
      Bug#46570      test udf fails with valgrind
          the value obtained by the String::c_ptr() method does not always
          have the ending zero. The String::c_ptr_safe() is more correct here.
      
      per-file comments:
        sql/item_func.cc
      Bug#46570      test udf fails with valgrind
          c_ptr_safe() is used for UDF parameters as the library expects
          zero-ending strings.
[1 Oct 2009 14:23] Kristofer Pettersson
Alexey: Do you think you could describe what caused the valgrind error to show?
Where does the udf subsystem require 0-terminated strings?
[8 Oct 2009 11:24] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/86132

2814 Alexey Botchkov	2009-10-08
      Bug#46570      test udf fails with valgrind
          the value obtained by the String::c_ptr() method does not always
          have the ending zero. Particularly in this bug, dlsym()
          expects a zero-ending string.
          The String::c_ptr_safe() is more correct here.
      
      per-file comments:
        sql/item_func.cc
      Bug#46570      test udf fails with valgrind
          c_ptr_safe() is used for UDF parameters as the library expects
          zero-ending strings.
[23 Dec 2009 13:08] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/95536

2948 Alexey Botchkov	2009-12-22
      Bug#46570      test udf fails with valgrind
          the value obtained by the String::c_ptr() method does not always
          have the ending zero. Particularly in this bug, dlsym()
          expects a zero-ending string.
          The String::c_ptr_safe() is more correct here.
      
      per-file comments:
        sql/item_func.cc
      Bug#46570      test udf fails with valgrind
          c_ptr_safe() is used for UDF parameters as the library expects
          zero-ending strings.
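The commit messages above contrast two accessors: one that hands out a length-counted buffer and relies on a terminator already being there, and one that writes the terminator before the pointer reaches a C API such as dlsym(). The following is an added example, not code from MySQL's sql_string.h or from this patch. `LenString`, its 0x55 sentinel for allocator leftovers, the constructed `kUdfName` slice and the `name_length_seen_by_c_api()` stand-in for a NUL-scanning C API are all assumptions made for this illustration; the stand-in bounds its scan at the buffer capacity so the demonstration itself never reads out of bounds, which the real API would.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <vector>

// Simplified model (an assumption for this example, not MySQL's String class)
// of a length-counted string buffer: the first `length` bytes are valid and
// the bytes from `length` up to capacity are whatever the allocator left
// behind. A 0x55 sentinel stands in for that garbage so the effect is
// deterministic and observable.
struct LenString {
    std::vector<char> buf;     // capacity == buf.size()
    std::size_t length;        // valid bytes, terminator not counted

    LenString(const char* data, std::size_t len, std::size_t capacity)
        : buf(capacity, '\x55'), length(len) {
        assert(len <= capacity);
        std::memcpy(buf.data(), data, len);
    }

    // c_ptr()-style accessor: returns the raw pointer and relies on a
    // terminator already being in place. Nothing here writes buf[length],
    // so a consumer that scans for NUL (strlen, dlsym, ...) keeps reading
    // until it happens to hit a zero byte. The branch in that scan depends
    // on bytes that were never initialised, which is what Memcheck reports
    // as "conditional jump or move depends on uninitialised value(s)".
    const char* c_ptr() { return buf.data(); }

    // c_ptr_safe()-style accessor: unconditionally writes the terminator
    // (growing the buffer first if there is no spare byte) before the
    // pointer is handed to a C API.
    const char* c_ptr_safe() {
        if (length >= buf.size()) buf.resize(length + 1, '\x55');
        buf[length] = '\0';
        return buf.data();
    }
};

// Stand-in for a NUL-scanning C API such as dlsym(): reports how long the
// name looks to the callee. The scan is bounded at capacity so this demo
// cannot read past the buffer; the real API has no such bound.
std::size_t name_length_seen_by_c_api(const LenString& s) {
    std::size_t n = 0;
    while (n < s.buf.size() && s.buf[n] != '\0') ++n;
    return n;
}

// Constructed sample: a UDF symbol name as a byte slice with no terminator,
// sitting in a buffer with spare capacity, as a parser-filled String does.
static const char kUdfName[] = {'m', 'y', '_', 'u', 'd', 'f'};
static const std::size_t kUdfNameLen = sizeof kUdfName;   // 6
static const std::size_t kCapacity = 16;

// Unsafe path: the callee runs through the sentinel bytes to the end of the
// buffer (16), i.e. the symbol name it would look up is not "my_udf".
std::size_t length_after_c_ptr() {
    LenString s(kUdfName, kUdfNameLen, kCapacity);
    s.c_ptr();
    return name_length_seen_by_c_api(s);
}

// Safe path: the terminator is written first, so the callee sees 6 bytes.
std::size_t length_after_c_ptr_safe() {
    LenString s(kUdfName, kUdfNameLen, kCapacity);
    s.c_ptr_safe();
    return name_length_seen_by_c_api(s);
}

// Edge case: buffer exactly full, c_ptr_safe() must grow it by one byte.
std::size_t length_after_c_ptr_safe_full_buffer() {
    LenString s(kUdfName, kUdfNameLen, kUdfNameLen);
    s.c_ptr_safe();
    return name_length_seen_by_c_api(s);
}

int main() {
    std::printf("c_ptr():                 callee sees %zu bytes\n", length_after_c_ptr());
    std::printf("c_ptr_safe():            callee sees %zu bytes\n", length_after_c_ptr_safe());
    std::printf("c_ptr_safe(), full buf:  callee sees %zu bytes\n",
                length_after_c_ptr_safe_full_buffer());
    return 0;
}
```

The defensive rule the patch applies generalises beyond UDF names: whenever a length-counted buffer crosses into an API that takes a `const char*`, the terminator has to be written by the caller rather than assumed, and a Memcheck run over the test that exercises that boundary is the cheapest check that it was.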
[23 Dec 2009 13:45] Alexey Botchkov
pushed into mysql-next-mr-bugfixing
[6 Mar 2010 10:57] Bugs System
Pushed into 5.5.3-m3 (revid:alik@sun.com-20100306103849-hha31z2enhh7jwt3) (version source revid:guilhem@mysql.com-20100108092756-k0zzf4kvx9b7bh38) (merge vers: 6.0.14-alpha) (pib:16)
[2 Apr 2010 18:01] Paul DuBois
Noted in 5.5.3 changelog.

Valgrind warnings about memory allocation overruns for handling
CREATE FUNCTION statements for UDFs were corrected.