Bug #106864 memory leak
Submitted: 29 Mar 14:05 Modified: 4 Jun 13:56
Reporter: ver fish
Status: Closed
Category: MySQL Server: Command-line Clients    Severity: S3 (Non-critical)
Version: 8.0.28    OS: Ubuntu
Assigned to:    CPU Architecture: x86

[29 Mar 14:05] ver fish
Description:
I am currently doing fuzzing on mysql, and I found that ASAN produced a bug report as follows:
==16103==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 168 byte(s) in 1 object(s) allocated from:
    #0 0x49d6a2 in calloc (/usr/local/mysql/bin/mysql+0x49d6a2)
    #1 0x6aadc2 in my_raw_malloc(unsigned long, int) /home/mysql/mysql-server/mysys/my_malloc.cc:186:13
    #2 0x6aaabf in my_malloc(unsigned int, unsigned long, int) /home/mysql/mysql-server/mysys/my_malloc.cc:68:28
    #3 0x534cdf in mysql_extension_init /home/mysql/mysql-server/sql-common/client.cc:3246:40
    #4 0x56ad9e in mysql_send_query /home/mysql/mysql-server/sql-common/client.cc:7573:26
    #5 0x56e2a9 in mysql_real_query /home/mysql/mysql-server/sql-common/client.cc:7704:7
    #6 0x4e3f35 in build_completion_hash(bool, bool) /home/mysql/mysql-server/client/mysql.cc:2844:7
    #7 0x4d6386 in com_rehash(String*, char*) /home/mysql/mysql-server/client/mysql.cc:4098:3
    #8 0x4db3cb in reconnect() /home/mysql/mysql-server/client/mysql.cc:3025:21
    #9 0x4db672 in mysql_real_query_for_lazy(char const*, unsigned long, bool) /home/mysql/mysql-server/client/mysql.cc:3080:9
    #10 0x4d4696 in com_go(String*, char*) /home/mysql/mysql-server/client/mysql.cc:3314:11
    #11 0x4ea6eb in add_line(String&, char*, unsigned long, char*, bool*, bool) /home/mysql/mysql-server/client/mysql.cc:2545:13
    #12 0x4cf3f8 in read_and_execute(bool) /home/mysql/mysql-server/client/mysql.cc:2300:9
    #13 0x4cc7a3 in main /home/mysql/mysql-server/client/mysql.cc:1441:24
    #14 0x7fcb20eec0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16

Indirect leak of 152 byte(s) in 1 object(s) allocated from:
    #0 0x49d6a2 in calloc (/usr/local/mysql/bin/mysql+0x49d6a2)
    #1 0x6aadc2 in my_raw_malloc(unsigned long, int) /home/mysql/mysql-server/mysys/my_malloc.cc:186:13
    #2 0x6aaabf in my_malloc(unsigned int, unsigned long, int) /home/mysql/mysql-server/mysys/my_malloc.cc:68:28
    #3 0x534d1c in mysql_extension_init /home/mysql/mysql-server/sql-common/client.cc:3250:7
    #4 0x56ad9e in mysql_send_query /home/mysql/mysql-server/sql-common/client.cc:7573:26
    #5 0x56e2a9 in mysql_real_query /home/mysql/mysql-server/sql-common/client.cc:7704:7
    #6 0x4e3f35 in build_completion_hash(bool, bool) /home/mysql/mysql-server/client/mysql.cc:2844:7
    #7 0x4d6386 in com_rehash(String*, char*) /home/mysql/mysql-server/client/mysql.cc:4098:3
    #8 0x4db3cb in reconnect() /home/mysql/mysql-server/client/mysql.cc:3025:21
    #9 0x4db672 in mysql_real_query_for_lazy(char const*, unsigned long, bool) /home/mysql/mysql-server/client/mysql.cc:3080:9
    #10 0x4d4696 in com_go(String*, char*) /home/mysql/mysql-server/client/mysql.cc:3314:11
    #11 0x4ea6eb in add_line(String&, char*, unsigned long, char*, bool*, bool) /home/mysql/mysql-server/client/mysql.cc:2545:13
    #12 0x4cf3f8 in read_and_execute(bool) /home/mysql/mysql-server/client/mysql.cc:2300:9
    #13 0x4cc7a3 in main /home/mysql/mysql-server/client/mysql.cc:1441:24
    #14 0x7fcb20eec0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 320 byte(s) leaked in 2 allocation(s).

The SQL seed is as follows:

CREATE TABLE v0 ( v1 INT ) ;
INSERT INTO v0 ( v1 ) VALUES ( 4 ) ;
CREATE VIEW v3 ( v4 ) AS SELECT * FROM v0 WINDOW v2 AS ( PARTITION BY ( SELECT v1 ) ORDER BY 88921320.000000 DESC ) ORDER BY 12019627.000000 IS NULL DESC ;
INSERT INTO v3 ( v4 ) VALUES ( 30 ) , ( 36 ) ;
SELECT v4 NOT LIKE v4 IS NULL , -1 , 2147483647 , 18 FROM v3 WINDOW v5 AS ( PARTITION BY v4 ORDER BY ( v4 ) <= 'x' IN ( SELECT DISTINCT v4 WHERE v1 = v4 + 99 GROUP BY v4 HAVING v4 = 58 ) ) ;

How to repeat:
I compiled mysql-8.0.28 on Ubuntu 20.04 as follows:
export CC=afl-clang-fast
export CXX=afl-clang-fast++
cmake .. -DDOWNLOAD_BOOST=1 -DWITH_BOOST=../boost -DWITH_ASAN=1 -DWITH_ASAN_SCOPE=1 -DWITH_DEBUG=1 -DCPACK_MONOLITHIC_INSTALL=1
make -j20
[29 Mar 14:40] MySQL Verification Team
Hi Mr. ver,

Thank you for your bug report.

Are you sure that you have found a memory leak in the server ????

From what we can see, this looks more like a memory leak in the mysql client.

This is because the code stack, which you have provided, has nothing to do with the execution of the query.

Can you please clarify this?

We are waiting on your feedback.
[30 Mar 12:57] MySQL Verification Team
One more request .......

You have searched for a memory leak upon sending a query ..... That is not enough .....

What you should do is get the response from the server and get the results, etc. ......

Then, you should see whether there is a leak or not. The current analysis is not acceptable.

You should let the client side complete the entire process and then see if there is a leak.
[30 Mar 15:20] MySQL Verification Team
I can repeat this on current trunk asan build.
Log in with the client.  Restart the server.  Run a query, e.g. SELECT NOW(); so that the client reconnects.  Quit the client.  See report:

=================================================================
==1286129==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 168 byte(s) in 1 object(s) allocated from:
    #0 0x7fc9b143bad7 in calloc (/lib64/libasan.so.6+0xaead7)
    #1 0x4acc5d in my_raw_malloc /home/build/git/o_mysql-git/mysys/my_malloc.cc:380
    #2 0x4acd3e in my_malloc(unsigned int, unsigned long, int) /home/build/git/o_mysql-git/mysys/my_malloc.cc:258
    #3 0x437b0a in mysql_extension_init /home/build/git/o_mysql-git/sql-common/client.cc:3283
    #4 0x45fcde in mysql_send_query /home/build/git/o_mysql-git/sql-common/client.cc:7757
    #5 0x45fdd2 in mysql_real_query /home/build/git/o_mysql-git/sql-common/client.cc:7878
    #6 0x416773 in build_completion_hash /home/build/git/o_mysql-git/client/mysql.cc:2848
    #7 0x416eef in com_rehash /home/build/git/o_mysql-git/client/mysql.cc:4102
    #8 0x41d71c in reconnect /home/build/git/o_mysql-git/client/mysql.cc:3029
    #9 0x41d80c in mysql_real_query_for_lazy /home/build/git/o_mysql-git/client/mysql.cc:3084
    #10 0x41eea3 in com_go /home/build/git/o_mysql-git/client/mysql.cc:3318
    #11 0x420945 in add_line /home/build/git/o_mysql-git/client/mysql.cc:2552
    #12 0x42130d in read_and_execute /home/build/git/o_mysql-git/client/mysql.cc:2307
    #13 0x40d6b4 in main /home/build/git/o_mysql-git/client/mysql.cc:1446
    #14 0x7fc9b0797b74 in __libc_start_main (/lib64/libc.so.6+0x27b74)

Indirect leak of 152 byte(s) in 1 object(s) allocated from:
    #0 0x7fc9b143bad7 in calloc (/lib64/libasan.so.6+0xaead7)
    #1 0x4acc5d in my_raw_malloc /home/build/git/o_mysql-git/mysys/my_malloc.cc:380
    #2 0x4acd3e in my_malloc(unsigned int, unsigned long, int) /home/build/git/o_mysql-git/mysys/my_malloc.cc:258
    #3 0x437b1e in mysql_extension_init /home/build/git/o_mysql-git/sql-common/client.cc:3287
    #4 0x45fcde in mysql_send_query /home/build/git/o_mysql-git/sql-common/client.cc:7757
    #5 0x45fdd2 in mysql_real_query /home/build/git/o_mysql-git/sql-common/client.cc:7878
    #6 0x416773 in build_completion_hash /home/build/git/o_mysql-git/client/mysql.cc:2848
    #7 0x416eef in com_rehash /home/build/git/o_mysql-git/client/mysql.cc:4102
    #8 0x41d71c in reconnect /home/build/git/o_mysql-git/client/mysql.cc:3029
    #9 0x41d80c in mysql_real_query_for_lazy /home/build/git/o_mysql-git/client/mysql.cc:3084
    #10 0x41eea3 in com_go /home/build/git/o_mysql-git/client/mysql.cc:3318
    #11 0x420945 in add_line /home/build/git/o_mysql-git/client/mysql.cc:2552
    #12 0x42130d in read_and_execute /home/build/git/o_mysql-git/client/mysql.cc:2307
    #13 0x40d6b4 in main /home/build/git/o_mysql-git/client/mysql.cc:1446
    #14 0x7fc9b0797b74 in __libc_start_main (/lib64/libc.so.6+0x27b74)

SUMMARY: AddressSanitizer: 320 byte(s) leaked in 2 allocation(s).
[31 Mar 3:39] MySQL Verification Team
Thanks for the report!
[4 Jun 13:56] Margaret Fisher
Posted by developer:

Changelog entry added for MySQL 8.0.30:

When the mysql client was unable to reconnect to the server following an unexpected server halt, the process of building the completion hash allocated memory that was not freed. The reconnection operation now does not build the completion hash if the client fails to reconnect, and the memory concerned is freed if the client is disconnected.
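As an added illustration (not MySQL's own code), the following reduced C model shows why a failed reconnect leaks in the stack above and how the changelog's two-part fix closes it: the function names echo the ASAN frames, but the bodies, the Conn struct, the live_allocs counter and the server_up flag are all constructed here.

```c
#include <stdlib.h>

/* Reduced model of the mysql client's reconnect path (added illustration,
 * not MySQL's code). Names echo the ASAN frames; bodies are invented. */
typedef struct {
    int   connected;
    void *extension;  /* lazily allocated, like mysql_extension_init() */
} Conn;

static int live_allocs;  /* outstanding heap blocks; LeakSanitizer tracks the real thing */

static void extension_init(Conn *c) {
    if (c->extension == NULL) {
        c->extension = calloc(1, 168);  /* 168 bytes: the direct leak in the report */
        live_allocs++;
    }
}

/* Every query, even one that cannot reach a server, first sets up the extension. */
static int send_query(Conn *c, const char *q) {
    (void)q;
    extension_init(c);
    return c->connected ? 0 : -1;
}

static void build_completion_hash(Conn *c) { (void)send_query(c, "SHOW TABLES"); }

/* Frees what the handle owns: the "freed if the client is disconnected" half of the fix. */
static void disconnect(Conn *c) {
    if (c->extension) { free(c->extension); live_allocs--; c->extension = NULL; }
    c->connected = 0;
}

/* server_up is a constructed scenario flag standing in for a reachable server. */
static int reconnect(Conn *c, int server_up, int fixed) {
    c->connected = server_up;
    if (!server_up && fixed) { disconnect(c); return -1; }  /* fixed: no rehash on failure */
    build_completion_hash(c);                                /* buggy: rehash regardless */
    return server_up ? 0 : -1;
}

/* "Server halted, client runs a query, then quits": returns blocks still allocated. */
int leaked_after_failed_reconnect(int fixed) {
    Conn c = {0, NULL};
    live_allocs = 0;
    (void)reconnect(&c, 0, fixed);
    if (c.connected) disconnect(&c);  /* quit only cleans up a handle it believes is live */
    return live_allocs;
}
```

With the buggy path the handle is left disconnected but still owning the extension block, so nothing frees it before exit; with the fixed path the completion hash is never built on a failed reconnect and the handle is cleaned up.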