Bug #27836 sql_plugin.cc, dynamic_array is not dynamic
Submitted: 15 Apr 2007 12:53 Modified: 18 Jun 2007 17:38
Reporter: Hakan Küçükyılmaz
Status: Closed
Category: MySQL Server: General Severity: S1 (Critical)
Version: 5.1 OS: Any
Assigned to: Antony Curtis CPU Architecture: Any

[15 Apr 2007 12:53] Hakan Küçükyılmaz
Description:
While extending Falcon to have I_S plugins we realized that dynamic_array in sql_plugin.cc is not dynamic at all.

Quote:
   The server currently has an intrinsic maximum of 16 plugs. If that number is exceeded, the server crashes during initialization.
   The problem is with the dynamic array "plugin_array" in the function plugin_init in sql_plugin.cc. Despite the fact that it is a dynamic array, the function plugin_register_builtin (same module) inserts a dynamic element into a hash table. When the dynamic array is automatically extended, the old element is released and the hash table corrupted. Boom.

How to repeat:
In the 5.1-falcon tree, set the initial size back to 16 (the original value):

===== sql/sql_plugin.cc 1.47 vs edited =====
666c666
<                             sizeof(struct st_plugin_int),32,32))
---
>                             sizeof(struct st_plugin_int),16,16))
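Review bot: this hunk only lowers the initial allocation of plugin_array from 32 back to 16; the crash additionally requires more than 16 built-in plugins to be registered at startup so that insert_dynamic has to grow the array (the valgrind trace shows the free coming from alloc_dynamic called out of plugin_register_builtin). A build that registers 16 or fewer built-in plugins will not reproduce it, so it would help to note the plugin count of the 5.1-falcon build next to the diff.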

Then try to start mysqld. Valgrind gives a good hint:

hakan@lu0011:~/work/mysql/mysql-5.1-falcon$ valgrind sql/mysqld --bootstrap
==29190== Memcheck, a memory error detector.
==29190== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==29190== Using LibVEX rev 1732, a library for dynamic binary translation.
==29190== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==29190== Using valgrind-3.2.3-Debian, a dynamic binary instrumentation framework.
==29190== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==29190== For more details, rerun with: -v
==29190==
070415 14:52:45 [Warning] Changed limits: max_open_files: 1014  max_connections: 512  table_cache: 246
070415 14:52:45 [Warning] Can't create test file /data/mysql-sap/lu0011.lower-test
070415 14:52:45 [Warning] Can't create test file /data/mysql-sap/lu0011.lower-test
==29190== Invalid read of size 4
==29190==    at 0x779380: get_hash_key(char const*, unsigned*, char) (sql_plugin.cc:639)
==29190==    by 0x907954: my_hash_insert (hash.c:152)
==29190==    by 0x779AA6: plugin_register_builtin(st_mysql_plugin*) (sql_plugin.cc:743)
==29190==    by 0x77B929: plugin_init(int) (sql_plugin.cc:685)
==29190==    by 0x60849A: init_server_components() (mysqld.cc:3386)
==29190==    by 0x60BE93: main (mysqld.cc:3772)
==29190==  Address 0x578E1A0 is 144 bytes inside a block of size 812 free'd
==29190==    at 0x4A1B66A: free (vg_replace_malloc.c:233)
==29190==    by 0x900153: _myfree (safemalloc.c:313)
==29190==    by 0x900712: _myrealloc (safemalloc.c:242)
==29190==    by 0x907CBC: alloc_dynamic (array.c:120)
==29190==    by 0x907E74: insert_dynamic (array.c:85)
==29190==    by 0x779A5C: plugin_register_builtin(st_mysql_plugin*) (sql_plugin.cc:740)
==29190==    by 0x77B929: plugin_init(int) (sql_plugin.cc:685)
==29190==    by 0x60849A: init_server_components() (mysqld.cc:3386)
==29190==    by 0x60BE93: main (mysqld.cc:3772)
==29190==

Suggested fix:
Fix dynamic_array to be dynamic. It should survive a resize.

For Falcon we fixed the symptom by starting with an element count of 32.
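The failure described in this report, as an added C example that is not part of the bug report or of the MySQL source: a miniature dynamic array (a constructed stand-in for DYNAMIC_ARRAY and st_plugin_int) whose growth relocates its elements, the buggy pattern of keeping a raw pointer to an element across later inserts, and the fix recorded in the committed ChangeSet, storing only pointers to separately allocated instances in the array. All type and function names below are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for DYNAMIC_ARRAY and st_plugin_int; not the server's own code. */
typedef struct { char name[16]; } plugin_int;
typedef struct { plugin_int *buf; size_t used, alloc; } dyn_array;

/* Growth relocates the elements, as realloc does when it cannot extend in place:
   any pointer taken to an element before the resize now points into freed memory. */
static plugin_int *dyn_push(dyn_array *a, const char *name) {
    if (a->used == a->alloc) {
        plugin_int *nb = malloc(2 * a->alloc * sizeof *nb);
        if (!nb) return NULL;
        memcpy(nb, a->buf, a->used * sizeof *nb);
        free(a->buf);              /* the old block, and every pointer into it, dies here */
        a->buf = nb; a->alloc *= 2;
    }
    plugin_int *e = &a->buf[a->used++];
    snprintf(e->name, sizeof e->name, "%s", name);
    return e;
}
/* Bug pattern (plugin_register_builtin before the fix): the hash keeps a raw pointer to an
   element inside the array. Returns 1 if that pointer still lies inside the live buffer after
   `count` inserts; it compares addresses only and never dereferences the stale pointer. */
static int buggy_pointer_survives_resize(size_t initial, size_t count) {
    dyn_array a = { malloc(initial * sizeof *a.buf), 0, initial };
    plugin_int *first = dyn_push(&a, "plugin0");   /* what the hash table would keep */
    for (size_t i = 1; i < count; i++) dyn_push(&a, "pluginN");
    uintptr_t p = (uintptr_t)first, lo = (uintptr_t)a.buf;
    int ok = p >= lo && p < lo + a.alloc * sizeof *a.buf;
    free(a.buf);
    return ok;
}
/* Fix (ChangeSet 1.2523): the array holds only pointers to separately allocated instances
   (plugin_mem_root in the server), so growing the array never moves the objects themselves. */
static int fixed_pointer_survives_resize(size_t initial, size_t count) {
    plugin_int **ptrs = malloc(initial * sizeof *ptrs), *first = NULL;
    size_t used = 0, alloc = initial;
    for (size_t i = 0; i < count; i++) {
        if (used == alloc) { ptrs = realloc(ptrs, 2 * alloc * sizeof *ptrs); alloc *= 2; }
        ptrs[used] = malloc(sizeof **ptrs);
        snprintf(ptrs[used]->name, sizeof ptrs[used]->name, "plugin%zu", i);
        if (i == 0) first = ptrs[0];               /* kept across all later inserts */
        used++;
    }
    int ok = first == ptrs[0] && strcmp(first->name, "plugin0") == 0;
    for (size_t i = 0; i < used; i++) free(ptrs[i]);
    free(ptrs);
    return ok;
}
```

With an initial size of 16, the 17th insert is the one that relocates the buffer, which is exactly the threshold the report's "intrinsic maximum of 16" refers to.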
[16 Apr 2007 10:48] Sveta Smirnova
Thank you for the report.

Verified as described.
[9 May 2007 0:08] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/26342

ChangeSet@1.2511, 2007-05-08 17:08:30-07:00, acurtis@xiphis.org +2 -0
  Bug#27836
    "sql_plugin.cc, dynamic_array is not dynamic"
    When dynamic array resized, existing pointers to array elements became invalid.
    Change plugin_array to store pointers to instances of st_plugin_int.
    Allocate st_plugin_int from plugin_mem_root
    st_plugin_int now stores index within plugin_dl_array instead of pointer.
[9 May 2007 7:38] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/26350

ChangeSet@1.2512, 2007-05-09 00:37:54-07:00, acurtis@ltamd64.xiphis.org +16 -0
  Merge xiphis.org:/home/antony/work2/p2-bug27836.1
  into  xiphis.org:/home/antony/work2/mysql-5.1-falcon.merge
  Initial merge for WL#1722 + Bug#27836
  MERGE: 1.2502.3.9
[22 May 2007 3:35] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/27106

ChangeSet@1.2523, 2007-05-21 20:35:07-07:00, acurtis@xiphis.org +1 -0
  Bug#27836
    "sql_plugin.cc, dynamic_array is not dynamic"
    When the DYNAMIC_ARRAYs were resized, pointers became invalid.
    Solved by only storing pointers within the DYNAMIC_ARRAYs.
[24 May 2007 17:44] Antony Curtis
Pushed to 5.1-engines
[25 May 2007 19:25] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/27364

ChangeSet@1.2513, 2007-05-24 10:39:24-07:00, antony@ppcg5.local +1 -0
  Bug#27836
    "sql_plugin.cc, dynamic_array is not dynamic"
    When the DYNAMIC_ARRAYs were resized, pointers became invalid.
    Solved by only storing pointers within the DYNAMIC_ARRAYs.
[18 Jun 2007 7:49] Bugs System
Pushed into 5.1.20-beta
[18 Jun 2007 17:38] Paul DuBois
No changelog entry needed.