Bug #39040 valgrind errors/crash when creating views with binlog logging enabled
Submitted: 26 Aug 2008 10:17 Modified: 13 Nov 2008 3:41
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Views Severity: S1 (Critical)
Version: 5.0.62, 5.0.66a, 5.0.70-bzr (5.0.x ONLY) OS: Any
Assigned to: Sergei Glukhov CPU Architecture: Any
Tags: regression, valgrind, VIEW

[26 Aug 2008 10:17] Shane Bester
Description:
When creating a view in 5.0.66a, there are a few invalid reads of memory:

Thread 11:
Invalid read of size 1
: memcpy (mc_replace_strmem.c:406)
: String::append(char const*, unsigned) (sql_string.cc:459)
: mysql_create_view(THD*, TABLE_LIST*, enum_view_create_mode) (sql_view.cc:652)
: mysql_execute_command(THD*) (sql_parse.cc:4986)
: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:6178)
: dispatch_command (sql_parse.cc:1875)
: do_command(THD*) (sql_parse.cc:1581)
: handle_one_connection (sql_parse.cc:1187)
: start_thread (in /lib/libpthread-2.5.so)
: clone (in /lib/libc-2.5.so)
Address 0x5008659 is not stack'd, malloc'd or (recently) free'd

How to repeat:
drop table if exists `t1`;
create table `t1` (`b` int) engine=myisam;
drop view if exists `v1`;
create view `v1` as select * from `t1`;
[26 Aug 2008 10:31] MySQL Verification Team
server must be started with --log-bin because the faulting code is inside a block beginning with if (mysql_bin_log.is_open())
[26 Aug 2008 13:04] MySQL Verification Team
still repeatable in 5.0.70 with a bigger testcase. will upload it soon.
[26 Aug 2008 13:27] MySQL Verification Team
errors in 5.0.70 from a better testcase

Attachment: bug39040_5.0.70_valgrind_output.txt (text/plain), 63.11 KiB.

[26 Aug 2008 13:42] MySQL Verification Team
this is really a serious bug on 5.0.x.  Most "create view" statements can read invalid memory addresses and cause a crash.

my new testcase actually crashes windows x64 5.0.66a release and debug build with stack trace indicating the memory access violation:

mysqld-debug.exe!memcpy
mysqld-debug.exe!String::append
mysqld-debug.exe!mysql_create_view
mysqld-debug.exe!mysql_execute_command
mysqld-debug.exe!mysql_parse
mysqld-debug.exe!dispatch_command
mysqld-debug.exe!do_command
mysqld-debug.exe!handle_one_connection
mysqld-debug.exe!pthread_start
mysqld-debug.exe!_callthreadstart
mysqld-debug.exe!_threadstart
[26 Aug 2008 14:19] MySQL Verification Team
try importing that privately uploaded testcase a few times if a crash isn't hit the first time ....
[26 Aug 2008 14:44] MySQL Verification Team
I suspect bug #32575 is related to this.
[26 Aug 2008 14:46] MySQL Verification Team
I cannot repeat the errors/crash on 5.0.60 or less. So it's a regression.
[14 Sep 2008 6:57] Gleb Shchepa
See (duplicated) bug #39427 report for details and solution.
[20 Sep 2008 12:15] Martin Hansson
Shane, the zip file cannot be opened. It appears corrupt. Please post a new one.
[22 Sep 2008 8:54] Martin Hansson
I can confirm that the suggested fix from http://bugs.mysql.com/bug.php?id=39427 avoids the 'Invalid write' error from valgrind as supplied in this report. It does, however, introduce an invalid read.

==30607==
==30607== Invalid write of size 4
==30607==    at 0x827B687: handle_one_connection (sql_parse.cc:1221)
==30607==    by 0x8253AD1: create_new_thread(THD*) (mysqld.cc:4201)
==30607==    by 0x8254324: handle_connections_sockets (mysqld.cc:4474)
==30607==    by 0x8256E45: main (mysqld.cc:3854)
==30607==  Address 0x7a95e78 is 2,136 bytes inside a block of size 5,376 free'd
==30607==    at 0x402265C: free (vg_replace_malloc.c:323)
==30607==    by 0x85D5AF0: _myfree (safemalloc.c:313)
==30607==    by 0x82430CE: ilink::operator delete(void*, unsigned) (sql_list.h:475)
==30607==    by 0x824035A: THD::~THD() (sql_class.cc:492)
==30607==    by 0x8253497: end_thread(THD*, bool) (mysqld.cc:1716)
==30607==    by 0x827B678: handle_one_connection (sql_parse.cc:1215)
==30607==    by 0x8253AD1: create_new_thread(THD*) (mysqld.cc:4201)
==30607==    by 0x8254324: handle_connections_sockets (mysqld.cc:4474)
==30607==    by 0x8256E45: main (mysqld.cc:3854)
[30 Sep 2008 15:38] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/54791

2684 Martin Hansson	2008-09-30
      Bug#39040: valgrind errors/crash when creating views with binlog
      logging enabled
      
      A string buffer which was included in the 'view' data structure
      was allocated on the stack, causing an invalid pointer when used
      after the function returned. Fixed by allocating the buffer on the
      heap instead.
[30 Sep 2008 15:40] Martin Hansson
Above is a sketch for a solution. IMHO it is better not to use the stack at all
for this type of memory allocation (but MEM_ROOT).

There may be other valgrind issues as well, but it remains to be seen if they are at all related to this bug.
[9 Oct 2008 14:49] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/55946

2702 Sergey Glukhov	2008-10-09
      Bug#39040 valgrind errors/crash when creating views with binlog logging enabled
      String buffers which were included in the 'view' data structure
      were allocated on the stack, causing an invalid pointer when used
      after the function returned.
      The fix: use copies of the values for view->md5 & view->queries
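The defect the commit message describes, a structure that keeps a pointer into a stack buffer and is read after the function that filled it has returned, reduced to a small C illustration beside the copy-based fix. This is an added example, not MySQL code: view_t, build_view_buggy, build_view_fixed and binlog_write are hypothetical names, and malloc stands in for the server's MEM_ROOT.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the server's view structure: it stores a
 * pointer to the statement text, not a copy of it. */
typedef struct {
    const char *query;
} view_t;

/* The bug pattern from the report: buf lives on this function's stack,
 * so view->query dangles the moment the function returns. Reading it
 * later is what valgrind flagged as an invalid read. Kept only to show
 * the pattern; nothing here calls it. */
void build_view_buggy(view_t *view, const char *select_body)
{
    char buf[256];
    snprintf(buf, sizeof buf, "CREATE VIEW v1 AS %s", select_body);
    view->query = buf;            /* dangling after return */
}

/* Fix in the spirit of the committed patch: copy the value into storage
 * that outlives the builder. The server copies into a MEM_ROOT; malloc
 * stands in for it here. Returns 0 on success, -1 on truncation or OOM. */
int build_view_fixed(view_t *view, const char *select_body)
{
    char buf[256];
    int n = snprintf(buf, sizeof buf, "CREATE VIEW v1 AS %s", select_body);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;
    char *copy = malloc((size_t)n + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, buf, (size_t)n + 1);
    view->query = copy;
    return 0;
}

/* Stands in for the later binlog write that reads view->query after the
 * builder has returned, the point where the original crash occurred. */
size_t binlog_write(const view_t *view)
{
    return strlen(view->query);
}
```

Running the fixed path under valgrind shows no invalid read, because the string the binlog write touches is owned by the structure rather than by a frame that no longer exists.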
[27 Oct 2008 10:26] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/57093

2713 Sergey Glukhov	2008-10-27
      Bug#39040 valgrind errors/crash when creating views with binlog logging enabled
      String buffers which were included in the 'view' data structure
      were allocated on the stack, causing an invalid pointer when used
      after the function returned.
      The fix: use copies of the values for view->md5 & view->queries
[27 Oct 2008 12:03] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/57098

2684 Sergey Glukhov	2008-10-27 [merge]
      5.0-bugteam->5.1-bugteam merge(bug#39040)
[10 Nov 2008 10:53] Bugs System
Pushed into 6.0.8-alpha  (revid:sergey.glukhov@sun.com-20081027115851-ar9op9cdv3d0eat7) (version source revid:epotemkin@mysql.com-20081029135504-eie3ebskfjuuq5vu) (pib:5)
[10 Nov 2008 10:59] Bugs System
Pushed into 5.0.72  (revid:sergey.glukhov@sun.com-20081027102238-thbbrvtzsixtd0jk) (version source revid:kgeorge@mysql.com-20081103095032-zv904ucm2e9lgyxf) (pib:5)
[10 Nov 2008 11:36] Bugs System
Pushed into 5.1.30  (revid:sergey.glukhov@sun.com-20081027115851-ar9op9cdv3d0eat7) (version source revid:holyfoot@mysql.com-20081027155643-eo4ufcb5tf8zed7v) (pib:5)
[11 Nov 2008 16:06] Paul DuBois
The versions are actually 5.0.72, 5.1.31, 6.0.9.
[13 Nov 2008 3:41] Paul DuBois
Noted in 5.0.72, 5.1.31, 6.0.9 changelogs.

With binary logging enabled CREATE VIEW was subject to possible 
buffer overwrite and a server crash.
[18 Nov 2008 21:52] Joerg Bruehe
A push on Nov 10 never made it into 5.0.72 - that must be 5.0.74.
[19 Nov 2008 0:01] Paul DuBois
Noted in 5.0.74 changelog, not 5.0.72.
[19 Jan 2009 11:31] Bugs System
Pushed into 5.1.31-ndb-6.2.17 (revid:tomas.ulin@sun.com-20090119095303-uwwvxiibtr38djii) (version source revid:tomas.ulin@sun.com-20090108105244-8opp3i85jw0uj5ib) (merge vers: 5.1.31-ndb-6.2.17) (pib:6)
[19 Jan 2009 13:08] Bugs System
Pushed into 5.1.31-ndb-6.3.21 (revid:tomas.ulin@sun.com-20090119104956-guxz190n2kh31fxl) (version source revid:tomas.ulin@sun.com-20090119104956-guxz190n2kh31fxl) (merge vers: 5.1.31-ndb-6.3.21) (pib:6)
[19 Jan 2009 16:14] Bugs System
Pushed into 5.1.31-ndb-6.4.1 (revid:tomas.ulin@sun.com-20090119144033-4aylstx5czzz88i5) (version source revid:tomas.ulin@sun.com-20090119144033-4aylstx5czzz88i5) (merge vers: 5.1.31-ndb-6.4.1) (pib:6)
[17 Dec 2009 19:39] James Day
Adding an example of the error message so this bug can be more easily found by a search for it. This example is from bug #32575:

                 Last_Errno: 1064
                 Last_Error: Error 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '//*!50002 WITH CHECK OPTION' at line 1' on query. Default database: 'test'. Query: 'CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v12` AS select t4.x AS x from t4 where t4.x < 3 */

And another from a different report:

Error 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'CREATE ALGORITHM=UNDEFINED DEFINER=`user`@`%` SQL SECURITY DEFINER VIEW `psv' at line 1' on query. Default database: 'manage'. Query: 'CREATE ALGORITHM=UNDEFINED DEFINER=`user`@`%` SQL SECURITY DEFINER VIEW `bubble` AS CREATE ALGORITHM=UNDEFINED DEFINER=`user`@`%` SQL SECURITY DEFINER VIEW `bubble` AS CREATE ALGORITHM=UNDEFINED DEFINER=`user`@`%` SQL SECURITY DEFINER VIEW `bubble` AS CREATE ALGORITHM=UNDEFINED DEFINER=`user`@`%` SQL SECURITY DEFINER VIEW `bubble` AS CREATE ALGORITHM=UNDEFINED DEFINER=`user`@`%` SQL SECURITY DEFINER VIEW `bubble` AS CREATE ALGORITHM=UNDEFINED DEFINER=`user`@`%` SQL SECURITY DEFINER VIEW `bubble` AS CREATE ALGORITHM=UNDEFINED DEFINER=`user`@`%` SQL SECURITY DEFINER VIEW `bubble` AS CREATE ALGORITHM=UNDEFINED DEFINER