Bug #36021 open_binary_frm() makes server crash with glibc error "double free or corruptio
Submitted: 12 Apr 2008 21:40
Modified: 14 Jul 2009 14:28
Reporter: Rafal Somla
Status: Closed
Impact on me: None
Category: MySQL Server: General
Severity: S3 (Non-critical)
Version: 6.0 source
OS: Any
Assigned to: Jon Olav Hauglid
CPU Architecture: Any
Tags: disabled
Triage: Triaged: D2 (Serious)

[12 Apr 2008 21:40] Rafal Somla
Description:
Function open_binary_frm() sometimes does a double free() on the same memory. In debug builds this leads to a server crash because glibc has a run-time detection for such problems. Glibc reports: "double free or corruption (fasttop)".

This happens e.g. when open_binary_frm() is called for a table with an invalid storage engine. When this is detected inside the function, the following code is executed:

      else if (!tmp_plugin)
      {
        /* purecov: begin inspected */
        error= 8;
        my_error(ER_UNKNOWN_STORAGE_ENGINE, MYF(0), name.str);
        my_free(buff, MYF(0));
        goto err;
        /* purecov: end */
      }

Thus my_free() is called on buff and then we jump to err:

 err:
  if (buff)
    my_free(buff, MYF(0));

Thus buff will be freed a second time, which triggers the problem.

Note that there are a few more places inside open_binary_frm() where my_free(buff,...) is called before "goto err".

How to repeat:
See code of open_binary_frm() in table.cc.

Suggested fix:
Never do my_free(buff,...) before "goto err" since memory will be freed there.
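The single-cleanup-path pattern the suggested fix describes, as an added example that is not code from MySQL's table.cc: a constructed stand-in for open_binary_frm() in which buff is released only at the err: label, so no error branch can free it a second time. The byte layout, the 0xFF "unknown engine" marker and the traced_free() counter are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the error code the report quotes (error= 8). */
#define ER_UNKNOWN_STORAGE_ENGINE 8

/* Instrumented release so a test can count frees; hypothetical, not my_free(). */
static int frees_seen;
static void traced_free(void *p) { frees_seen++; free(p); }

/* Mirrors the open_binary_frm() control flow from the report: buff is owned
   by this function and the ONLY place it is released is the err: label.
   Error branches set the error code and jump there; they never call
   traced_free(buff) themselves, which is exactly the reporter's suggested fix.
   Constructed input layout: byte 0 = storage engine id, remaining bytes = payload. */
static int open_binary_frm_fixed(const unsigned char *frm, size_t len,
                                 size_t *payload_len)
{
    int error = 0;
    unsigned char *buff = NULL;   /* NULL until allocated, so err: can test it */

    if (len < 1) { error = 1; goto err; }       /* nothing to parse; buff still NULL */

    buff = malloc(len);
    if (!buff) { error = 2; goto err; }
    memcpy(buff, frm, len);

    if (buff[0] == 0xFF) {                      /* constructed "unknown engine" marker */
        error = ER_UNKNOWN_STORAGE_ENGINE;
        goto err;                               /* no free here: err: owns the release */
    }
    *payload_len = len - 1;

err:
    if (buff)                 /* one owner, one release point: no double free possible */
        traced_free(buff);
    return error;
}
```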
[13 Apr 2008 5:25] Jonas Oreland
Already fixed in mysql-5.1-telco-6.2,
which is merged with mysql-6.0 on a regular basis.
[13 Apr 2008 9:26] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/45316

ChangeSet@1.2609, 2008-04-13 11:24:04+02:00, rafal@quant.(none) +1 -0
  This patch disables backup_no_engine test which must wait for BUG#36021
  to be fixed.
[13 Apr 2008 9:28] Rafal Somla
The patch added here by bk commit is not a solution for this bug.
[15 Apr 2008 17:58] Bugs System
Pushed into 6.0.5-alpha
[18 Jun 2009 11:31] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/76553

2802 Jon Olav Hauglid  2009-06-18
      Bug #36021 open_binary_frm() makes server crash with glibc error 
                 "double free or corruptio 
      
      Extra calls to my_free() have already been removed, unable to reproduce.
      
      Re-enabled backup_no_engine test which had been disabled because it 
      triggered this bug. Test case updated to match current backup syntax.
[14 Jul 2009 14:28] Paul Dubois
Looks like this was already fixed by some other patch. No changelog entry needed.