Bug #36142 double free/memory corruption errors on cleanup of join
Submitted: 16 Apr 2008 15:31 Modified: 30 May 2008 7:51
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Can't repeat
Category: MySQL Server: DML
Severity: S2 (Serious)
Version: 6.0.5-debug-bk
OS: Linux
Assigned to:
CPU Architecture: Any

[16 Apr 2008 15:31] Shane Bester
Description:
there's a double free bug when running certain queries:

*** glibc detected *** /home/sbester/mysql/6.0/mysql-6.0.5-alpha-linux-i686/bin/mysqld: free(): invalid pointer: 0x0a26afd8 ***

Version: '6.0.5-alpha-debug'  socket: '/tmp/mysql.sock'  port: 3306  yes
mysqld(print_stacktrace
mysqld(handle_segfault
/lib/i686/nosegneg/libc.so.6(cfree
mysqld(my_no_flags_free
mysqld(st_join_table::cleanup
mysqld(JOIN::cleanup
mysqld(JOIN::join_free
mysqld(JOIN::exec
mysqld(mysql_select
mysqld(handle_select
mysqld(mysql_execute_command
mysqld(mysql_parse
mysqld(dispatch_command
mysqld(do_command
mysqld(handle_one_connection

======= Memory map: ========
00101000-00126000 r-xp 00000000 fd:00 4785451    /lib/i686/nosegneg/libm-2.5.so
00126000-00127000 r--p 00024000 fd:00 4785451    /lib/i686/nosegneg/libm-2.5.so
00127000-00128000 rw-p 00025000 fd:00 4785451    /lib/i686/nosegneg/libm-2.5.so
0012a000-0013c000 r-xp 00000000 fd:00 4543623    /usr/lib/libz.so.1.2.3
0013c000-0013d000 rw-p 00011000 fd:00 4543623    /usr/lib/libz.so.1.2.3
002c3000-002dc000 r-xp 00000000 fd:00 4785344    /lib/ld-2.5.so
002dc000-002dd000 r--p 00018000 fd:00 4785344    /lib/ld-2.5.so
002dd000-002de000 rw-p 00019000 fd:00 4785344    /lib/ld-2.5.so
002e0000-002f2000 r-xp 00000000 fd:00 4785458    /lib/libnsl-2.5.so
002f2000-002f3000 r--p 00012000 fd:00 4785458    /lib/libnsl-2.5.so
002f3000-002f4000 rw-p 00013000 fd:00 4785458    /lib/libnsl-2.5.so
002f4000-002f6000 rw-p 002f4000 00:00 0 
00c92000-00dcd000 r-xp 00000000 fd:00 4785442    /lib/i686/nosegneg/libc-2.5.so
00dcd000-00dcf000 r--p 0013a000 fd:00 4785442    /lib/i686/nosegneg/libc-2.5.so
00dcf000-00dd0000 rw-p 0013c000 fd:00 4785442    /lib/i686/nosegneg/libc-2.5.so
00dd0000-00dd3000 rw-p 00dd0000 00:00 0 
00dd5000-00dd7000 r-xp 00000000 fd:00 4785443    /lib/libdl-2.5.so
00dd7000-00dd8000 r--p 00001000 fd:00 4785443    /lib/libdl-2.5.so
00dd8000-00dd9000 rw-p 00002000 fd:00 4785443    /lib/libdl-2.5.so
00ddb000-00dee000 r-xp 00000000 fd:00 4785444    /lib/i686/nosegneg/libpthread-2.5.so
00dee000-00def000 r--p 00012000 fd:00 4785444    /lib/i686/nosegneg/libpthread-2.5.so
00def000-00df0000 rw-p 00013000 fd:00 4785444    /lib/i686/nosegneg/libpthread-2.5.so
00df0000-00df2000 rw-p 00df0000 00:00 0 
00df4000-00dfb000 r-xp 00000000 fd:00 4785447    /lib/i686/nosegneg/librt-2.5.so
00dfb000-00dfc000 r--p 00006000 fd:00 4785447    /lib/i686/nosegneg/librt-2.5.so

note: run the testcase a few times if the crash doesn't happen, or glibc doesn't complain.  Mostly the connection hung, and I had to kill -9 the server.

maybe related to bug #36128 - but this consistently gives different stack/glibc warnings.

How to repeat:
too large to paste here, see attachment
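The crash above is glibc's allocator rejecting a free of a block that is no longer valid while the join is being torn down. As an added example that is not MySQL code (the struct and function names below are hypothetical stand-ins, not st_join_table or JOIN::cleanup), here is the cleanup pattern that prevents this class of bug: an owning record frees its buffer and nulls the pointer, so a cleanup path reached twice (as join_free followed by cleanup is in the trace) is a no-op the second time. A non-idempotent variant is kept alongside for contrast only and is never called twice here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a join-table record; not MySQL's st_join_table. */
struct join_tab_demo {
    char *cache;       /* heap buffer owned by this record */
    size_t cache_len;
};

/* Constructed initializer: allocate the owned buffer. Returns 0 on success. */
int join_tab_demo_init(struct join_tab_demo *t, size_t len) {
    t->cache = malloc(len);
    if (t->cache == NULL)
        return -1;
    memset(t->cache, 0, len);
    t->cache_len = len;
    return 0;
}

/* Non-idempotent variant: frees the buffer but leaves the dangling pointer in
   place, so a second cleanup call frees the same block again. Shown for
   contrast; not exercised twice in this example. */
void join_tab_demo_cleanup_unsafe(struct join_tab_demo *t) {
    free(t->cache);
}

/* Idempotent variant: clearing the pointer after free() makes any repeated
   cleanup a no-op, because free(NULL) is defined to do nothing. */
void join_tab_demo_cleanup(struct join_tab_demo *t) {
    free(t->cache);
    t->cache = NULL;
    t->cache_len = 0;
}

/* Return 1 if init hands out an owned buffer of the requested length. */
int demo_init_allocates(void) {
    struct join_tab_demo t;
    if (join_tab_demo_init(&t, 32) != 0)
        return 0;
    int ok = (t.cache != NULL && t.cache_len == 32);
    join_tab_demo_cleanup(&t);
    return ok;
}

/* Return 1 if cleanup can be run repeatedly without freeing the block twice. */
int demo_cleanup_is_idempotent(void) {
    struct join_tab_demo t;
    if (join_tab_demo_init(&t, 64) != 0)
        return 0;
    join_tab_demo_cleanup(&t);
    join_tab_demo_cleanup(&t);   /* second call: free(NULL), nothing happens */
    return t.cache == NULL && t.cache_len == 0;
}

int main(void) {
    printf("init allocates: %d\n", demo_init_allocates());
    printf("cleanup idempotent: %d\n", demo_cleanup_is_idempotent());
    return 0;
}
```

The idempotent form is what makes a cleanup safe to reach from more than one teardown path. If the unsafe variant were called twice on the same record, glibc's malloc consistency checks or valgrind's invalid-free report would flag it, which is the kind of evidence the later comment on this report looks for when rerunning under valgrind.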
[16 Apr 2008 15:44] MySQL Verification Team
import this a few times into 6.0.5-debug ..

Attachment: bug36142.sql (application/unknown, text), 6.34 KiB.

[16 Apr 2008 17:14] MySQL Verification Team
this is trickier to repeat than I expected. I'd have to write an SP to do it reliably.
[29 May 2008 23:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[30 May 2008 7:51] MySQL Verification Team
giving up on this one.  I just tried 6.0.6 on the same box and even under valgrind there are no errors.