Bug #46657 InnoDB plugin: invalid read in index_merge_innodb test (Valgrind)
Submitted: 11 Aug 18:17 Modified: 22 Nov 1:41
Reporter: Guilhem Bichot
Status: Need Doc Info
Category:Server: InnoDB Plugin Severity:S3 (Non-critical)
Version:5.1 OS:Linux (64bit)
Assigned to: Satya B Target Version:5.1+
Triage: Triaged: D2 (Serious)

[11 Aug 18:17] Guilhem Bichot 
Description:
We can see this kind of report in pushbuild2 for 5.1-innodb_plugin:
main.index_merge_innodb                  w3 [ fail ]
==4615== Invalid read of size 1
==4615==    at 0xA20D30: ha_innobase::add_index(st_table*, st_key*, unsigned)
(handler0alter.cc:894)
==4615==    by 0x73715A: mysql_alter_table(THD*, char*, char*, st_ha_create_information*,
TABLE_LIST*, Alter_info*, unsigned, st_order*, bool) (sql_table.cc:7067)
==4615==    by 0x6BEBDE: mysql_execute_command(THD*) (sql_parse.cc:2889)
==4615==    by 0x6C4745: mysql_parse(THD*, char const*, unsigned, char const**)
(sql_parse.cc:6003)
==4615==    by 0x6C59A5: dispatch_command(enum_server_command, THD*, char*, unsigned)
(sql_parse.cc:1222)
==4615==    by 0x635060: emb_advanced_command (lib_sql.cc:139)
==4615==    by 0x5BDB7F: mysql_send_query (client.c:2863)
==4615==    by 0x57D574: do_send_query(st_connection*, char const*, int, int)
(mysqltest.cc:715)
==4615==    by 0x587B00: run_query_normal(st_connection*, st_command*, int, char*, int,
st_dynamic_string*, st_dynamic_string*) (mysqltest.cc:6437)
==4615==    by 0x58844C: run_query(st_connection*, st_command*, int) (mysqltest.cc:7166)
==4615==    by 0x5897A6: main (mysqltest.cc:7796)
==4615==  Address 0xE0DDEDC is 156 bytes inside a block of size 544 free'd
==4615==    at 0x4A0541E: free (vg_replace_malloc.c:233)
==4615==    by 0xA3BDA4: mem_area_free (mem0pool.c:495)
==4615==    by 0xA3AE16: mem_heap_block_free (mem0mem.c:491)
==4615==    by 0xB1C71A: mem_heap_free_func (mem0mem.ic:504)
==4615==    by 0xB1C6C7: dict_mem_table_free (dict0mem.c:109)
==4615==    by 0xB11E6A: dict_table_remove_from_cache (dict0dict.c:1146)
==4615==    by 0xA6F48C: row_drop_table_for_mysql (row0mysql.c:3317)
==4615==    by 0xA69060: row_merge_drop_table (row0merge.c:2261)
==4615==    by 0xA20C80: ha_innobase::add_index(st_table*, st_key*, unsigned)
(handler0alter.cc:865)
==4615==    by 0x73715A: mysql_alter_table(THD*, char*, char*, st_ha_create_information*,
TABLE_LIST*, Alter_info*, unsigned, st_order*, bool) (sql_table.cc:7067)
==4615==    by 0x6BEBDE: mysql_execute_command(THD*) (sql_parse.cc:2889)
==4615==    by 0x6C4745: mysql_parse(THD*, char const*, unsigned, char const**)
(sql_parse.cc:6003)
==4615==    by 0x6C59A5: dispatch_command(enum_server_command, THD*, char*, unsigned)
(sql_parse.cc:1222)
==4615==    by 0x635060: emb_advanced_command (lib_sql.cc:139)
==4615==    by 0x5BDB7F: mysql_send_query (client.c:2863)
==4615==    by 0x57D574: do_send_query(st_connection*, char const*, int, int)
(mysqltest.cc:715)

This is specific of the InnoDB plugin.
Similar ones are also seen in mysql-trunk.

How to repeat:
run index_merge_innodb with --valgrind, it seems.
[11 Aug 19:30] Guilhem Bichot 
the stack trace I gave is the detailed one when I make the plugin be a builtin; when it's
a plugin, we just excerpts in pushbuild2:
/export/home/pb2/test/sb_1-671695-1249375950.81/mysql-5.1.37-linux-x86_64-test/mysql-test/var/7/log/mysqld.1.err	==11121==
   at 0x5891EB4: ha_innodb::add_index(st_table*, st_key*, unsigned)
(handler0alter.cc:894)
/export/home/pb2/test/sb_1-671695-1249375950.81/mysql-5.1.37-linux-x86_64-test/mysql-test/var/7/log/mysqld.1.err	==11121==
   at 0x4A0541E: free (vg_replace_malloc.c:233)
^ Found warnings!!
[12 Aug 14:24] Guilhem Bichot 
now that 5.1-innodb_plugin has been merged into 5.1-main, bug can very likely be
reproduced with the latest 5.1-main tree, available at
https://code.launchpad.net/~mysql/mysql-server/mysql-5.1
[13 Aug 8:26] Marko Mäkelä 
The statement after convert_error: reads innodb_table->flags, which will just have been
freed after successfully creating the requested indexes. The fix is simple, because
innodb_table is not needed anywhere else on this code path:

Index: handler/handler0alter.cc
===================================================================
--- handler/handler0alter.cc	(revision 5670)
+++ handler/handler0alter.cc	(working copy)
@@ -864,6 +864,7 @@ error_handling:
 		indexed_table->n_mysql_handles_opened++;
 
 		error = row_merge_drop_table(trx, innodb_table);
+		innodb_table = indexed_table;
 		goto convert_error;
 
 	case DB_TOO_BIG_RECORD:
[13 Aug 10:36] Sunny Bains 
Marko, OK to commit!
[17 Aug 18:06] Calvin Sun 
set to patch approved until the snapshot is sent to mysql.
[25 Aug 17:27] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/81525

2874 Guilhem Bichot	2009-08-25
      Applying fix from Oracle (Marko) for Bug #46657 "InnoDB plugin: invalid read in
index_merge_innodb test (Valgrind)"
[25 Aug 17:29] Guilhem Bichot 
as it was quite annoying (showing up in test suite), I applied Marko's fix which I got
from Calvin, to mysql-trunk.
[25 Aug 17:57] Guilhem Bichot 
I don't put the bug in "patch queued" state because the fix isn't in 5.1-main yet (I only
put it in mysql-trunk).
[16 Sep 8:45] Bugs System 
Pushed into 5.4.4-alpha (revid:alik@sun.com-20090916063112-8hjmu6wkxfx5qxf4) (version
source revid:alik@sun.com-20090916062454-qzqttcefueqgsfn3) (merge vers: 5.4.4-alpha)
(pib:11)
[4 Nov 12:11] Sergey Vojtovich 
Pushed into 5.1.41.