| Bug #33142 | access after free() for blob replication and online alter table | ||
|---|---|---|---|
| Submitted: | 11 Dec 2007 15:01 | Modified: | 15 Dec 2007 10:39 |
| Reporter: | Kristian Nielsen | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Cluster: Replication | Severity: | S2 (Serious) |
| Version: | mysql-5.1-new-ndb latest bk | OS: | Linux |
| Assigned to: | Kristian Nielsen | CPU Architecture: | Any |
[11 Dec 2007 15:04]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/39717

ChangeSet@1.2689, 2007-12-11 16:04:33+01:00, tomas@whalegate.ndb.mysql.com +1 -0
bug#33142: access after free() for blob replication and online alter table
[14 Dec 2007 17:08]
Bugs System
Pushed into 5.1.23-rc
[14 Dec 2007 17:09]
Bugs System
Pushed into 6.0.5-alpha
[15 Dec 2007 10:39]
Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.
If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at
http://dev.mysql.com/doc/en/installing-source.html
Documented in the 5.1.23 and 6.0.5 changelogs as follows:
Memory was mistakenly freed for NdbBlob objects when adding an index while replicating the cluster, which could cause mysqld to crash.

Description:
A recently introduced testcase in mysql-5.1-new-ndb exposes a bug (but the bug was there before the test case). The bug is seen as a valgrind warning:

```
VALGRIND: 'Invalid read of size 8'
COUNT: 2
FUNCTION: NdbDictionary::Column::getColumnNo()
FILES: master.err master1.err
TESTS: rpl_ndb.rpl_ndb_extraColMaster
STACK:
   at 0x979370: NdbDictionary::Column::getColumnNo() const (NdbDictionary.cpp:250)
   by 0x7E0DAE: ndb_unpack_record(st_table*, NdbValue*, st_bitmap*, unsigned char*) (ha_ndbcluster.cc:3460)
   by 0x802E57: ndb_binlog_thread_handle_data_event(Ndb*, NdbEventOperation*, ndb_binlog_index_row&, injector::transaction&) (ha_ndbcluster_binlog.cc:3363)
   by 0x80B658: ndb_binlog_thread_func (ha_ndbcluster_binlog.cc:4153)
   by 0x4B2A192: start_thread (in /lib64/libpthread-2.4.so)
   by 0x51A145C: clone (in /lib64/libc-2.4.so)
 Address 0x91601B8 is 0 bytes inside a block of size 136 free'd
   at 0x4A2066B: free (vg_replace_malloc.c:233)
   by 0x988274: NdbTableImpl::~NdbTableImpl() (NdbDictionaryImpl.cpp:431)
   by 0x973492: NdbEventOperationImpl::receive_event() (NdbEventOperationImpl.cpp:796)
   by 0x97472F: NdbEventBuffer::nextEvent() (NdbEventOperationImpl.cpp:1229)
   by 0x80AFED: ndb_binlog_thread_func (ha_ndbcluster_binlog.cc:3995)
   by 0x4B2A192: start_thread (in /lib64/libpthread-2.4.so)
   by 0x51A145C: clone (in /lib64/libc-2.4.so)
```

The problem is the same as in BUG#18106, but for NdbBlob objects instead of NdbRecAttr objects. For replication of online alter table, the code will free() the old table object, causing later accesses to the NdbColumnImpl object in blob handles to access invalid memory, potentially causing strange behaviour or crash.

How to repeat:
mysql-test-run.pl rpl_ndb_extraColMaster --valgrind

Suggested fix:
Tomas will commit a patch that loops over all blob handles and replaces the NdbColumnImpl pointers.
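The dangling-pointer pattern the report describes, and the shape of the suggested fix, as an added illustration that is not code from the report or from the NDB source. The class names ColumnImpl, TableImpl, BlobHandle and EventOperation are stand-ins assumed for this example (the real classes are NdbColumnImpl, NdbTableImpl, NdbBlob and NdbEventOperationImpl, whose layout is not shown here). The unsafe variant frees the old table definition while blob handles still cache pointers into it, which is the "Invalid read" valgrind flags; the safe variant walks every blob handle and re-points it at the matching column of the new definition before the old object is released, and refuses the swap if a column has disappeared so that no handle is ever left dangling.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-ins for NdbColumnImpl / NdbTableImpl (assumed names for this example).
struct ColumnImpl {
    std::string name;
    int columnNo;
};

struct TableImpl {
    // Fixed after construction, so element addresses are stable for the
    // lifetime of the table object (the pointers below rely on this).
    std::vector<ColumnImpl> columns;
};

// A blob handle caches a raw pointer to its column metadata: the exact
// pattern that goes stale once the owning TableImpl is freed.
struct BlobHandle {
    const ColumnImpl* column;
    int columnNo() const { return column->columnNo; }
};

static const ColumnImpl* findColumn(const TableImpl& t, const std::string& name) {
    for (const auto& c : t.columns)
        if (c.name == name) return &c;
    return nullptr;
}

class EventOperation {
public:
    explicit EventOperation(std::unique_ptr<TableImpl> table) : table_(std::move(table)) {
        for (const auto& c : table_->columns) blobs_.push_back(BlobHandle{&c});
    }

    // Buggy pattern: the new definition replaces the old one, the old TableImpl
    // is freed, and every blob handle still points into the freed block. Any
    // later columnNo() on a handle is a use-after-free (do not call it).
    void replaceTableUnsafe(std::unique_ptr<TableImpl> newTable) {
        table_ = std::move(newTable);
    }

    // Fixed pattern: resolve a replacement column for every blob handle first,
    // re-point the handles, and only then release the old table object.
    bool replaceTableSafe(std::unique_ptr<TableImpl> newTable) {
        std::vector<const ColumnImpl*> replacements;
        for (const auto& b : blobs_) {
            const ColumnImpl* r = findColumn(*newTable, b.column->name);
            if (r == nullptr) return false;  // column dropped: keep old table, nothing dangles
            replacements.push_back(r);
        }
        for (std::size_t i = 0; i < blobs_.size(); ++i) blobs_[i].column = replacements[i];
        table_ = std::move(newTable);  // old TableImpl freed only now
        return true;
    }

    // Debug-build invariant: each handle must point inside the column array of
    // the table currently owned. Pointer-range check only, no dereference.
    bool handlesPointIntoCurrentTable() const {
        const ColumnImpl* begin = table_->columns.data();
        const ColumnImpl* end = begin + table_->columns.size();
        for (const auto& b : blobs_)
            if (b.column < begin || b.column >= end) return false;
        return true;
    }

    const std::vector<BlobHandle>& blobs() const { return blobs_; }

private:
    std::unique_ptr<TableImpl> table_;
    std::vector<BlobHandle> blobs_;
};

// Constructed scenario: an online alter inserts a column in front, so the
// column numbers of the existing blob columns shift. Returns the numbers the
// blob handles report after the safe swap (expected {1, 2}).
std::vector<int> demoSafeAlter() {
    std::unique_ptr<TableImpl> t1(new TableImpl);
    t1->columns = {{"pk", 0}, {"doc", 1}};
    EventOperation op(std::move(t1));

    std::unique_ptr<TableImpl> t2(new TableImpl);
    t2->columns = {{"extra", 0}, {"pk", 1}, {"doc", 2}};
    std::vector<int> nos;
    if (!op.replaceTableSafe(std::move(t2)) || !op.handlesPointIntoCurrentTable()) return nos;
    for (const auto& b : op.blobs()) nos.push_back(b.columnNo());
    return nos;
}

// Constructed scenario: the new definition drops "doc"; the safe swap must be
// refused and the handles must still point into the retained old table.
bool demoDroppedColumnRefused() {
    std::unique_ptr<TableImpl> t1(new TableImpl);
    t1->columns = {{"pk", 0}, {"doc", 1}};
    EventOperation op(std::move(t1));

    std::unique_ptr<TableImpl> t2(new TableImpl);
    t2->columns = {{"pk", 0}};
    return !op.replaceTableSafe(std::move(t2)) && op.handlesPointIntoCurrentTable();
}

int main() {
    std::cout << "blob column numbers after safe alter:";
    for (int n : demoSafeAlter()) std::cout << ' ' << n;
    std::cout << "\ndropped column refused: " << (demoDroppedColumnRefused() ? "yes" : "no") << '\n';
    return 0;
}
```

Building this with `-fsanitize=address` or running it under valgrind, and adding a `columnNo()` call after `replaceTableUnsafe`, reproduces the same "read inside a freed block" report the bug shows; the `handlesPointIntoCurrentTable()` check is the kind of invariant that catches a missed handle during development without dereferencing anything.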