| Bug #105657 | Valgrind complains "Invalid write of size 8" | | |
|---|---|---|---|
| Submitted: | 22 Nov 2021 10:21 | Modified: | 22 Nov 2021 15:09 |
| Reporter: | Xiong Wang | Email Updates: | |
| Status: | Can't repeat | Impact on me: | |
| Category: | MySQL Server | Severity: | S2 (Serious) |
| Version: | 8.0.27 | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
[22 Nov 2021 11:00]
MySQL Verification Team
I couldn't repeat; please try the current released version 8.0.27. Thanks.
[22 Nov 2021 11:56]
Xiong Wang
I think it's a source code error. I checked the source code even in 8.0.27.
(gdb) f 5
#5 0x0000000003225d28 in remove_eq_conds (thd=0x7fff3c000da0, cond=0x7fff3c11bc08,
retcond=0x7fffe2bca568, cond_value=0x7fffe2bca564)
at /home/simon/parallel-query-document/sql/sql_optimizer.cc:11462
11462 return fold_condition_exec(thd, cond, retcond, cond_value);
(gdb) f 6
#6 0x0000000003225996 in remove_eq_conds (thd=0x7fff3c000da0, cond=0x7fff3c157338,
retcond=0x7fff3c157198, cond_value=0x7fff3c11992c)
at /home/simon/parallel-query-document/sql/sql_optimizer.cc:11348
11348 if (remove_eq_conds(thd, item, &new_item, &tmp_cond_value)) return true;
(gdb) p new_item
$7 = (Item *) 0x7fff3c11bc08
(gdb) p &new_item
$8 = (Item **) 0x7fffe2bca568 ====> Here is a temporary variable
(gdb) f 0
#0 THD::nocheck_register_item_tree_change (this=0x7fff3c000da0,
place=0x7fffe2bca568, new_value=0x7fff3c157608)
at /home/simon/parallel-query-document/sql/sql_class.cc:1722
1722 change_list.push_front(change);
(gdb) p place
$9 = (Item **) 0x7fffe2bca568
(gdb) p change->place
$10 = (Item **) 0x7fffe2bca568 =====> Here, it's registered in change->place. A temporary pointer is referenced.
(gdb) b THD::rollback_item_tree_changes()
Breakpoint 2 at 0x3193d25: file /home/simon/parallel-query-document/sql/sql_class.cc, line 1738.
(gdb) c
Continuing.
Breakpoint 2, THD::rollback_item_tree_changes (this=0x7fff3c000da0)
at /home/simon/parallel-query-document/sql/sql_class.cc:1738
1738 I_List_iterator<Item_change_record> it(change_list);
(gdb) n
1740 DBUG_TRACE;
(gdb)
1742 while ((change = it++)) {
(gdb)
1743 if (change->m_cancel) continue;
(gdb)
1745 DBUG_PRINT("info", ("rollback_item_tree_changes "
(gdb)
1748 *change->place = change->old_value;
(gdb) p change
$11 = (Item_change_record *) 0x7fff3c157718
(gdb) p change->place
$12 = (Item **) 0x7fffe2bca568 =========> Here, you see change->place tries to be rolled back. Valgrind will warn.
[22 Nov 2021 15:09]
MySQL Verification Team
Hi Mr. Wang, we tried to repeat the behaviour that you are reporting, but we were not successful. We used AddressSanitizer and a couple more tools and got no reports whatsoever. Much more important are some other facts. Your line numbers in the source files do not correspond at all with the current source of 8.0.27. Hence, you are not building your MySQL binaries from our sources. Can't repeat.

Description:
#0 THD::change_item_tree (this=0x7fff3c000da0, place=0x7fffe2bca568, new_value=0x7fff3c157418) at sql/sql_class.cc:1730
#1 0x00000000038db047 in fold_or_simplify (thd=0x7fff3c000da0, ref_or_field=0x7fff3cc3ad30, ft=Item_func::LT_FUNC, always_true=true, manifest_result=false, retcond=0x7fffe2bca568, cond_value=0x7fffe2bca564) at sql/sql_const_folding.cc:1112
#2 0x00000000038dc1b9 in fold_condition (thd=0x7fff3c000da0, cond=0x7fff3cc3ae88, retcond=0x7fffe2bca568, cond_value=0x7fffe2bca564, manifest_result=false) at sql/sql_const_folding.cc:1466
#3 0x000000000322587a in fold_condition_exec (thd=0x7fff3c000da0,
(gdb) f 5
#5 0x0000000003225a08 in remove_eq_conds (thd=0x7fff3c000da0, cond=0x7fff3c157148, retcond=0x7fff3c156fa8, cond_value=0x7fff3c11b44c) at sql/sql_optimizer.cc:11348
11348 if (remove_eq_conds(thd, item, &new_item, &tmp_cond_value)) return true;
(gdb) l
11343 *cond_value = Item::COND_UNDEF;
11344 Item *item;
11345 while ((item = li++)) {
11346 Item *new_item; >>>>> Temporary variable
11347 Item::cond_result tmp_cond_value;
11348 if (remove_eq_conds(thd, item, &new_item, &tmp_cond_value)) return true;
11349
11350 if (new_item == nullptr)
11351 li.remove();
11352 else if (item != new_item) {
(gdb) f 0
1714 if (change_mem == nullptr) {
(gdb) p change_mem
$53 = (void *) 0x7fff3c157528

How to repeat:
create table t1 (a bigint unsigned);
create index t1i on t1(a);
insert into t1 select 18446744073709551615;
insert into t1 select 18446744073709551614;
ANALYZE TABLE t1;
prepare stmt from 'select * from t1 where a > -1 or a < -1';
execute stmt;
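The mechanism in this report, as an added C++ model that is not MySQL source: a change list records `place` pointers and rollback writes old values back through them, so registering `&new_item` (a stack local of `remove_eq_conds`) leaves a `place` that dangles by rollback time. The `SlotArena` ownership check that refuses non-arena addresses is an illustrative safeguard, not MySQL's fix; `SlotArena`, `Session` and `ChangeRecord` are stand-in names.

```cpp
// Added model, not MySQL source: mimics change_item_tree / rollback_item_tree_changes
// to show why registering a stack-local Item* (the &new_item in the report) is unsafe.
#include <cstdint>
#include <list>

struct Item { int value; };
// Holds every Item* slot a rollback may write to; stand-in for statement-lifetime memory.
class SlotArena {
 public:
  Item **alloc(Item *initial) { slots_[used_] = initial; return &slots_[used_++]; }
  bool contains(Item **p) const {
    auto a = reinterpret_cast<std::uintptr_t>(p), lo = reinterpret_cast<std::uintptr_t>(slots_);
    return a >= lo && a < lo + sizeof(Item *) * used_;
  }
 private: Item *slots_[16] = {}; int used_ = 0;   // capacity is enough for this demo
};
struct ChangeRecord { Item **place; Item *old_value; };

class Session {                            // minimal stand-in for THD
 public:
  explicit Session(SlotArena &arena) : arena_(arena) {}
  // Model of change_item_tree; the ownership check (hypothetical) refuses a `place` that
  // the arena does not own, e.g. a stack temporary that is gone before rollback runs.
  bool change_item_tree(Item **place, Item *new_value) {
    if (!arena_.contains(place)) return false;
    changes_.push_front({place, *place});
    *place = new_value;
    return true;
  }
  // Model of rollback_item_tree_changes: this store through `place` is the
  // "Invalid write of size 8" when `place` pointed into a dead stack frame.
  void rollback_item_tree_changes() {
    for (auto &c : changes_) *c.place = c.old_value;
    changes_.clear();
  }
 private: SlotArena &arena_; std::list<ChangeRecord> changes_;
};

// Pattern from the report: the caller registers &new_item, a local of its own frame.
bool stack_local_is_rejected() {
  SlotArena arena; Session thd(arena);
  Item folded{2}, *new_item = nullptr;     // new_item dies when this function returns
  return !thd.change_item_tree(&new_item, &folded);  // true: registration refused
}
// Safe pattern: the slot lives in the arena, so rollback restores live memory.
bool arena_slot_rolls_back() {
  SlotArena arena; Session thd(arena);
  Item orig{1}, folded{2};
  Item **slot = arena.alloc(&orig);
  thd.change_item_tree(slot, &folded);     // *slot == &folded
  thd.rollback_item_tree_changes();        // *slot == &orig again
  return *slot == &orig;
}
```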