Bug #45796 invalid memory reads and writes when altering merge and base tables
Submitted: 26 Jun 2009 23:49 Modified: 16 Jul 2009 14:06
Reporter: Shane Bester (Platinum Quality Contributor) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Merge storage engine Severity:S1 (Critical)
Version:5.1.34, 5.1.37 OS:Any
Assigned to: Alexey Kopytov CPU Architecture:Any
Tags: regression

[26 Jun 2009 23:49] Shane Bester
Description:
Since 5.1, invalid reading and writing of memory after altering merge/base tables can lead to a crash and/or valgrind errors;

==28038== Invalid write of size 1
at: memset (mc_replace_strmem.c:479)
by: myrg_attach_children (myrg_open.c:433)
by: ha_myisammrg::attach_children() (ha_myisammrg.cc:546)
by: ha_myisammrg::extra(ha_extra_function) (ha_myisammrg.cc:944)
by: attach_merge_children(TABLE_LIST*) (sql_base.cc:4147)
by: open_tables(THD*, TABLE_LIST**, unsigned*, unsigned) (sql_base.cc:4709)
by: open_and_lock_tables_derived(THD*, TABLE_LIST*, bool) (sql_base.cc:4977)
by: open_n_lock_single_table (mysql_priv.h:1550)
by: mysql_alter_table(sql_table.cc:6428)
by: mysql_execute_command(THD*) (sql_parse.cc:2860)
by: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5933)
by: dispatch_command (sql_parse.cc:1213)

There are many more errors, see attached file for full details.

How to repeat:
start mysqld under valgrind and run this sequence of sql:

flush tables;
drop table if exists `m1`,`t1`;
create table `t1`(`c1` int)engine=myisam;
create table `m1`(`c1` int)engine=merge union=(`t1`);
alter table `m1` add index `idx_c1`(`c1`);
alter table `m1`union=(`t1`);
alter table `t1` add index `idx_c1`(`c1`);
alter table `m1` add index `idx_c1`(`c1`);
[26 Jun 2009 23:51] MySQL Verification Team
full valgrind error output

Attachment: bug45796_5.1.37_full_valgrind_output.txt (text/plain), 14.17 KiB.

[10 Jul 2009 11:34] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/78374

3006 Alexey Kopytov	2009-07-10
      Bug #45796: invalid memory reads and writes when altering merge 
                  and base tables 
      
      myrg_attach_children() could reuse a buffer that was allocated 
      previously based on a definition of a child table. The problem 
      was that the child's definition might have been changed, so 
      reusing the buffer could lead to crashes or valgrind errors 
      under some circumstances. 
       
      Fixed by changing myrg_attach_children() so that the 
      rec_per_key_part buffer is reused only when the child table
      have not changed, and reallocated otherwise (the old buffer is 
      deallocated if necessary).
      modified:
        include/myisammrg.h
        mysql-test/r/merge.result
        mysql-test/t/merge.test
        storage/myisammrg/ha_myisammrg.cc
        storage/myisammrg/myrg_open.c
[13 Jul 2009 17:48] Bugs System
Pushed into 5.1.37 (revid:joro@sun.com-20090713174543-cd2x7q1gi1hzoand) (version source revid:alexey.kopytov@sun.com-20090712145643-t991j92a43izo8nr) (merge vers: 5.1.37) (pib:11)
[16 Jul 2009 14:06] Tony Bedford
An entry was added to the 5.1.37 changelog:

Invalid memory reads and writes were generated when altering merge and base tables. This could lead to a crash or Valgrind errors:

==28038== Invalid write of size 1
at: memset (mc_replace_strmem.c:479)
by: myrg_attach_children (myrg_open.c:433)
by: ha_myisammrg::attach_children() (ha_myisammrg.cc:546)
by: ha_myisammrg::extra(ha_extra_function) (ha_myisammrg.cc:944)
by: attach_merge_children(TABLE_LIST*) (sql_base.cc:4147)
by: open_tables(THD*, TABLE_LIST**, unsigned*, unsigned) (sql_base.cc:4709)
by: open_and_lock_tables_derived(THD*, TABLE_LIST*, bool) (sql_base.cc:4977)
by: open_n_lock_single_table (mysql_priv.h:1550)
by: mysql_alter_table(sql_table.cc:6428)
by: mysql_execute_command(THD*) (sql_parse.cc:2860)
by: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5933)
by: dispatch_command (sql_parse.cc:1213)
[4 Aug 2009 19:51] Bugs System
Pushed into 5.4.4-alpha (revid:alik@sun.com-20090804194615-h40sa098mx4z49qg) (version source revid:alexey.kopytov@sun.com-20090712150910-yzwm265x62239mm5) (merge vers: 5.4.4-alpha) (pib:11)
[26 Aug 2009 13:46] Bugs System
Pushed into 5.1.37-ndb-7.0.8 (revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[26 Aug 2009 13:46] Bugs System
Pushed into 5.1.37-ndb-6.3.27 (revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (version source revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (merge vers: 5.1.37-ndb-6.3.27) (pib:11)
[26 Aug 2009 13:48] Bugs System
Pushed into 5.1.37-ndb-6.2.19 (revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (version source revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (merge vers: 5.1.37-ndb-6.2.19) (pib:11)
[27 Aug 2009 16:33] Bugs System
Pushed into 5.1.35-ndb-7.1.0 (revid:magnus.blaudd@sun.com-20090827163030-6o3kk6r2oua159hr) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)