Bug #80734 MySQL Client Crashes After Editing
Submitted: 14 Mar 2016 18:23   Modified: 3 Feb 2021 14:47
Reporter: Bill Karwin (Candidate Quality Contributor) (OCA)
Status: Closed
Category: MySQL Server: Command-line Clients   Severity: S3 (Non-critical)
Version: 5.7.9, 5.7.11   OS: MacOS
Assigned to:   CPU Architecture: Any
Tags: client, crash, editline

[14 Mar 2016 18:23] Bill Karwin
Description:
With the new usage of editline in MySQL 5.7, we can enter the visual editor in the MySQL client just by hitting the "v" key. Previously, we had to use the "edit" builtin command, or the "\e" statement terminator.

But when I finish editing a query and exit the editor, I expect the SQL statement to execute. Instead I get this crash report:

mysql> mysql(44311,0x7fff7c042300) malloc: *** error for object 0x7fd25382aa95: pointer being freed was not allocated...
*** set a breakpoint in malloc_error_break to debug
Abort trap: 6

Then the mysql client terminates and returns to the calling shell.

Where I wrote "..." in the example above, a trailing fragment of my SQL statement is also output.

How to repeat:
1. Open mysql client.

2. Up-arrow to get a command from your history.

3. Press "v" to open the editor.

4. No need to make any change to the query, but you may; the bug occurs whether you change the query or not.

5. Exit the editor. For example, exit vim with ZZ or :wq or :x

6. The malloc error happens immediately as you exit the editor, and the mysql client terminates.
[14 Mar 2016 22:17] Daniël van Eeden
I had to change my ~/.editrc to be able to reproduce this.

[dvaneeden@dve-mac ~]$ cat .editrc
mysql:bind -v
[dvaneeden@dve-mac ~]$ mysql --version
mysql  Ver 14.14 Distrib 5.7.11, for Linux (x86_64) using  EditLine wrapper
[dvaneeden@dve-mac ~]$ gdb --args mysql -h 127.0.0.1 -P 5711 -u msandbox -pmsandbox
GNU gdb (GDB) Fedora 7.10.1-30.fc23
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from mysql...done.
(gdb) r
Starting program: /usr/bin/mysql -h 127.0.0.1 -P 5711 -u msandbox -pmsandbox
Missing separate debuginfos, use: dnf debuginfo-install mysql-community-client-5.7.11-1.fc23.x86_64
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.7.11-debug-log branch=fetch_first

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> Detaching after fork from child process 27550.

mysql> Detaching after fork from child process 27552.
*** Error in `/usr/bin/mysql': munmap_chunk(): invalid pointer: 0x0000000000b5b7f9 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x77da5)[0x7ffff677eda5]
/lib64/libc.so.6(cfree+0x1a8)[0x7ffff678ae08]
/usr/bin/mysql[0x4dbb36]
/usr/bin/mysql[0x4d08bf]
/usr/bin/mysql[0x4c5391]
/usr/bin/mysql[0x4bc6a2]
/usr/bin/mysql[0x40f845]
/usr/bin/mysql[0x4063e9]
/lib64/libc.so.6(__libc_start_main+0xf0)[0x7ffff6727580]
/usr/bin/mysql[0x406a29]
======= Memory map: ========
<output removed>

Program received signal SIGABRT, Aborted.
0x00007ffff673ba98 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff673ba98 in raise () from /lib64/libc.so.6
#1  0x00007ffff673d69a in abort () from /lib64/libc.so.6
#2  0x00007ffff677edaa in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff678ae08 in free () from /lib64/libc.so.6
#4  0x00000000004dbb36 in vi_histedit (el=0xa79750, c=<optimized out>)
    at /export/home/pb2/build/sb_0-17781605-1454370851.24/rpm/BUILD/mysql-5.7.11/mysql-5.7.11/cmd-line-utils/libedit/vi.c:1079
#5  0x00000000004d08bf in el_wgets (el=el@entry=0xa79750, nread=nread@entry=0x7fffffffda14)
    at /export/home/pb2/build/sb_0-17781605-1454370851.24/rpm/BUILD/mysql-5.7.11/mysql-5.7.11/cmd-line-utils/libedit/read.c:626
#6  0x00000000004c5391 in el_gets (el=0xa79750, nread=nread@entry=0x7fffffffda14)
    at /export/home/pb2/build/sb_0-17781605-1454370851.24/rpm/BUILD/mysql-5.7.11/mysql-5.7.11/cmd-line-utils/libedit/eln.c:74
#7  0x00000000004bc6a2 in readline (p=p@entry=0xaae360 "mysql> ")
    at /export/home/pb2/build/sb_0-17781605-1454370851.24/rpm/BUILD/mysql-5.7.11/mysql-5.7.11/cmd-line-utils/libedit/readline.c:441
#8  0x000000000040f845 in read_and_execute (interactive=<optimized out>)
    at /export/home/pb2/build/sb_0-17781605-1454370851.24/rpm/BUILD/mysql-5.7.11/mysql-5.7.11/client/mysql.cc:2318
#9  0x00000000004063e9 in main (argc=9, argv=0xa72d78)
    at /export/home/pb2/build/sb_0-17781605-1454370851.24/rpm/BUILD/mysql-5.7.11/mysql-5.7.11/client/mysql.cc:1447
(gdb)
[14 Mar 2016 22:27] Daniël van Eeden
https://github.com/mysql/mysql-server/blob/5.7/cmd-line-utils/libedit/vi.c#L1079
[14 Mar 2016 22:30] Daniël van Eeden
$ valgrind mysql -h 127.0.0.1 -P 5711 -u msandbox -pmsandbox
==28394== Memcheck, a memory error detector
==28394== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==28394== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==28394== Command: mysql -h 127.0.0.1 -P 5711 -u msandbox -pmsandbox
==28394== 
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.7.11-debug-log branch=fetch_first

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> ==28394== Invalid free() / delete / delete[] / realloc()
==28394==    at 0x4C29E00: free (vg_replace_malloc.c:530)
==28394==    by 0x4DBB35: vi_histedit (vi.c:1079)
==28394==    by 0x4D08BE: el_wgets (read.c:626)
==28394==    by 0x4C5390: el_gets (eln.c:74)
==28394==    by 0x4BC6A1: readline (readline.c:441)
==28394==    by 0x40F844: read_and_execute(bool) (mysql.cc:2318)
==28394==    by 0x4063E8: main (mysql.cc:1447)
==28394==  Address 0x66d3f19 is 9 bytes inside a block of size 65,536 alloc'd
==28394==    at 0x4C28D06: malloc (vg_replace_malloc.c:299)
==28394==    by 0x4DB969: vi_histedit (vi.c:1027)
==28394==    by 0x4D08BE: el_wgets (read.c:626)
==28394==    by 0x4C5390: el_gets (eln.c:74)
==28394==    by 0x4BC6A1: readline (readline.c:441)
==28394==    by 0x40F844: read_and_execute(bool) (mysql.cc:2318)
==28394==    by 0x4063E8: main (mysql.cc:1447)
==28394== 

    -> \q
Bye
==28394== 
==28394== HEAP SUMMARY:
==28394==     in use at exit: 853,409 bytes in 13,079 blocks
==28394==   total heap usage: 26,348 allocs, 13,270 frees, 1,114,729 bytes allocated
==28394== 
==28394== LEAK SUMMARY:
==28394==    definitely lost: 40 bytes in 1 blocks
==28394==    indirectly lost: 0 bytes in 0 blocks
==28394==      possibly lost: 65,536 bytes in 1 blocks
==28394==    still reachable: 787,833 bytes in 13,077 blocks
==28394==         suppressed: 0 bytes in 0 blocks
==28394== Rerun with --leak-check=full to see details of leaked memory
==28394== 
==28394== For counts of detected and suppressed errors, rerun with: -v
==28394== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
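The valgrind report above pins the crash to a free() of a pointer that sits 9 bytes inside a 65,536-byte block which the same function (vi_histedit) had allocated a few dozen lines earlier. The C program below is an added example, not libedit's or MySQL's code: it reproduces that bug class in isolation (the only copy of a malloc'd pointer is walked forward while trimming and then handed to free) next to the pattern that avoids it. The input line and its nine-space offset are constructed so the cursor lands at the same offset valgrind printed; what libedit's own loop did at vi.c:1079 is not stated on this page, so treat the whitespace skip as an illustration of the class, not as the actual libedit logic.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TMP_BUFSIZ 65536   /* same size as the 65,536-byte block in the valgrind report */

/* Constructed stand-in for the text the editor hands back: nine leading
 * spaces, chosen so the cursor ends up 9 bytes into the block, the offset
 * valgrind printed. Whether libedit's own loop skipped whitespace is not
 * something this report states. */
static const char EDITED_LINE[] = "         SELECT 1;\n";

/*
 * BUGGY pattern, shown for reading and never called below: the only copy
 * of malloc's return value is walked forward, then that walked pointer is
 * freed. free() accepts only the exact pointer malloc returned; glibc
 * aborts with "munmap_chunk(): invalid pointer", macOS with "pointer being
 * freed was not allocated", and valgrind reports "Invalid free()".
 */
void histedit_buggy(const char *edited, size_t n)
{
    char *cp = malloc(TMP_BUFSIZ);
    if (cp == NULL || n >= TMP_BUFSIZ) {
        free(cp);
        return;
    }
    memcpy(cp, edited, n);
    cp[n] = '\0';
    while (isspace((unsigned char)*cp))
        cp++;                 /* base pointer lost: cp is now an interior pointer */
    printf("edited line: %s", cp);
    free(cp);                 /* undefined behaviour: the allocator detects it and aborts */
}

/* FIXED pattern: the allocation base is stored once and only a separate
 * cursor moves. Trimming happens through the cursor; free() gets base. */
struct line_buf {
    char  *base;   /* exactly what malloc returned: the only valid free() argument */
    char  *text;   /* cursor into base; free to move */
    size_t len;    /* length of the trimmed text */
};

/* Copies the edited text into a fresh block, strips leading whitespace and
 * trailing newlines via the cursor. Returns 0 on success, -1 on error. */
int line_buf_load(struct line_buf *lb, const char *edited, size_t n)
{
    lb->base = lb->text = NULL;
    lb->len = 0;
    if (n >= TMP_BUFSIZ)
        return -1;
    lb->base = malloc(TMP_BUFSIZ);
    if (lb->base == NULL)
        return -1;
    memcpy(lb->base, edited, n);
    lb->base[n] = '\0';

    char *cursor = lb->base;
    while (isspace((unsigned char)*cursor))
        cursor++;
    size_t len = strlen(cursor);
    while (len > 0 && cursor[len - 1] == '\n')
        len--;
    cursor[len] = '\0';

    lb->text = cursor;
    lb->len = len;
    return 0;
}

/* How far the cursor sits inside the block: the number valgrind would print
 * as "N bytes inside a block" if this pointer were passed to free(). */
size_t line_buf_offset(const struct line_buf *lb)
{
    return (size_t)(lb->text - lb->base);
}

/* Releases the block through base, never through the cursor. */
void line_buf_free(struct line_buf *lb)
{
    free(lb->base);
    lb->base = lb->text = NULL;
    lb->len = 0;
}

int main(void)
{
    struct line_buf lb;
    if (line_buf_load(&lb, EDITED_LINE, sizeof EDITED_LINE - 1) != 0)
        return 1;
    printf("trimmed \"%s\" (len %zu), cursor %zu bytes into the block\n",
           lb.text, lb.len, line_buf_offset(&lb));
    line_buf_free(&lb);
    return 0;
}
```

Build with `-fsanitize=address` or run under valgrind and call histedit_buggy to get the same "Invalid free()" report the comment above shows; the fixed path keeps the base pointer in the struct so there is nothing for the allocator to object to. For the client itself, the reachability condition on this page is vi mode (`bind -v` in ~/.editrc, as found above), and the fix arrived with the libedit 3.1 upgrade noted at the end of the report.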
[15 Mar 2016 8:05] MySQL Verification Team
Hello Bill Karwin,

Thank you for the report.
Verified as described on OL6 with MySQL 5.7.11 build.

Thanks,
Umesh
[3 Feb 2021 14:47] Paul DuBois
Posted by developer:
 
Fixed in 5.7.30, 8.0.20 by this change:

The bundled libedit library was upgraded to version 3.1.