Bug #19474 | readline bug: mysql: free(): invalid pointer | | |
---|---|---|---|
Submitted: | 2 May 2006 3:22 | Modified: | 15 Feb 2007 4:25 |
Reporter: | Michiel Dethmers | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Command-line Clients | Severity: | S2 (Serious) |
Version: | 5.0.23-BK, 5.0.21 | OS: | Linux (Linux, Fedora Core 5) |
Assigned to: | Magnus Blåudd | CPU Architecture: | Any |
[2 May 2006 3:22]
Michiel Dethmers
[12 May 2006 10:58]
Valeriy Kravchuk
Thank you for the problem report. Please try to repeat with a newer version, 5.0.21. Your report is very similar to bug #15872, fixed in 5.0.21.
[12 May 2006 15:41]
Michiel Dethmers
Yes, you're right, it does sound like 15872. Updated my MySQL using yum on the Fedora Test Repo, where 5.0.21 has been submitted. When I run my "crashit" php script, it now returns the correct values.

```
----
Doing query
No Error
9980 9981 9982 9983 9984 9985 9986 9987 9988 9989 9990 9991 9992 9993 9994 9995 9996 9997 9998 9999
----
```

However, when I pasted the query in the mysql console, being connected from localhost to server on localhost, I still got the crash (output pasted below). And strangely enough, when I put the query in a text file and pipe it into the mysql command line ("mysql < crash.sql") it returns fine with the values. So, it's kind of fixed but not entirely. It's less critical though, because someone is unlikely to type such a query in console, and more likely to use connectors, but the crash is still reproducible.

-------- output from console, when using long NOT IN () ---------

```
*** glibc detected *** mysql: free(): invalid pointer: 0x0869a570 ***
======= Backtrace: =========
/lib/libc.so.6[0xc4cf18]
/lib/libc.so.6(__libc_free+0x79)[0xc5041d]
mysql(rl_free_undo_list+0x1b)[0x8069d6b]
mysql(readline_internal_teardown+0xad)[0x805ba4d]
mysql(readline+0x5e)[0x805bc4e]
mysql[0x8057505]
mysql(main+0x4b8)[0x8058e48]
/lib/libc.so.6(__libc_start_main+0xdc)[0xbfe7e4]
mysql[0x8051b71]
======= Memory map: ========
Aborted
```
[21 May 2006 10:46]
Valeriy Kravchuk
So, it looks like a mysql command line client related bug. Moreover, it can be readline-related. Do you agree? Anyway, please specify the exact MySQL binaries package used (we have no FC5-specific one) or, if you compiled 5.0.21 from sources, provide the exact configure command line used. What glibc and readline versions do you have on your FC5?
[21 May 2006 23:54]
Michiel Dethmers
Yes, I agree, it is more likely to be something else, because piping into mysql works fine. I used the MySQL 5.0.21 RPM that is in the updates repository for FC5. When I did it, it was still in the updates-testing repository, but now it's actually moved to the updates one.

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/i386/mysql-server-5.0.21...

```
rpm -qif /usr/lib/libreadline.so.5.0
Version     : 5.0
Release     : 3.2.1

rpm -qif /usr/lib/libc.a
Version     : 2.4
Release     : 8
```
[22 May 2006 7:20]
Valeriy Kravchuk
Please try to repeat with the statically linked generic Client RPM from MySQL, and inform us about the results.
[23 May 2006 14:08]
Michiel Dethmers
Hmm, well, I will try, but I don't have any spare machines lying around that I can test it on. And I wouldn't want to mess up my workstation and stop myself from being able to do things.
[25 Jun 2006 20:44]
Valeriy Kravchuk
I was able to repeat the mysql client crash with the latest 5.0.23-BK build (on SuSE Linux 9.3). See the file uploaded for the exact long SQL statement used (downloaded from the original reporter's URL). The following configure options were used:

```
./configure --prefix=/home/openxs/dbs/5.0 --with-extra-charsets=all \
  --with-readline --with-federated-storage-engine \
  --with-archive-storage-engine --with-blackhole-storage-engine
```
[25 Jun 2006 20:45]
Valeriy Kravchuk
Long SELECT that leads mysql command line client to crash
Attachment: 19474.txt (text/plain), 40.73 KiB.
[14 Nov 2006 15:48]
Magnus Blåudd
Valgrind points out that a write outside an array occurs at line 763 of display.c; it's in the CHECK_LPOS macro. If that macro is expanded and recompiled, it will occur on this line: `_rl_wrapped_line[newlines] = _rl_wrapped_multicolumn;` Also tested pasting the same large query in bash; it will not crash/segfault but will become totally unresponsive.
[14 Nov 2006 16:11]
Magnus Blåudd
Hmm, did I say bash didn't crash from this one? That is not true. Will try to file a bug report upstream.
[29 Jan 2007 11:24]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/18939

```
ChangeSet@1.2392, 2007-01-29 12:24:08+01:00, msvensson@pilot.mysql.com +1 -0
Bug#19474 readline bug: mysql: free(): invalid pointer
- Write to uninitialised memory occurred since _rl_rapped_lines buffer was not extended in CHECK_INV_LBREAKS macro
- Patch submitted to bug-readline@gnu.org
```
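The defect that the valgrind finding and the commit message above describe, modelled as an added example that is not readline's or MySQL's code: two per-screen-line arrays are indexed by the same counter, but only one of them is grown when a long pasted line wraps. The struct and function names, the initial capacity of 16 and the 80-column screen are assumptions; the buggy path is bounds-checked here so it reports the overflow instead of corrupting the heap.

```c
#include <stdlib.h>

/* Constructed model of two parallel arrays in readline's display.c
 * (not readline's or MySQL's code): inv_lbreaks[] and _rl_wrapped_line[]
 * are both indexed by the screen-line counter `newlines`. */
typedef struct {
    int *inv_lbreaks, *wrapped_line;  /* line-start offsets; wrap flags */
    int lb_size, wrapped_size;        /* capacity of each array */
    int newlines;                     /* screen lines used so far */
} display_t;

/* One CHECK_LPOS-style wrap.  With grow_both == 0 only inv_lbreaks is
 * extended, the shape of the bug; the write to wrapped_line is bounds-
 * checked here instead of silently corrupting the heap as readline did.
 * Returns 0, or -1 when the write would land outside wrapped_line. */
static int wrap_line(display_t *d, int out, int grow_both)
{
    if (d->newlines >= d->lb_size - 2) {
        d->lb_size *= 2;
        d->inv_lbreaks = realloc(d->inv_lbreaks, (size_t)d->lb_size * sizeof(int));
        if (grow_both) {              /* the fix: grow the parallel array too */
            d->wrapped_line = realloc(d->wrapped_line, (size_t)d->lb_size * sizeof(int));
            d->wrapped_size = d->lb_size;
        }
        if (!d->inv_lbreaks || !d->wrapped_line)
            abort();                  /* out of memory */
    }
    d->inv_lbreaks[++d->newlines] = out;
    if (d->newlines >= d->wrapped_size)
        return -1;                    /* readline: heap overwrite, free() aborts later */
    d->wrapped_line[d->newlines] = 0;
    return 0;
}

/* Feed `lines` screen-line wraps (80-column screen and initial capacity 16
 * are constructed); returns how many wraps succeeded before a bad write. */
int simulate_wraps(int lines, int grow_both)
{
    display_t d = { calloc(16, sizeof(int)), calloc(16, sizeof(int)), 16, 16, 0 };
    int i;
    if (!d.inv_lbreaks || !d.wrapped_line)
        abort();
    for (i = 0; i < lines; i++)
        if (wrap_line(&d, i * 80, grow_both) != 0)
            break;
    free(d.inv_lbreaks);
    free(d.wrapped_line);
    return i;
}
```

A short query stays within the original capacity in both modes; a pasted line long enough to wrap past it is where the unfixed bookkeeping writes past the end of the second array, while the fixed path keeps the two capacities equal.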
[14 Feb 2007 15:07]
Chad MILLER
Available in 5.0.36 and 5.1.16-beta.
[15 Feb 2007 4:25]
Paul DuBois
Noted in 5.0.36, 5.1.16 changelogs. The readline library wrote to uninitialized memory, causing mysql to crash.