Bug #46657 InnoDB plugin: invalid read in index_merge_innodb test (Valgrind)
Submitted: 11 Aug 2009 16:17
Modified: 18 Mar 2010 18:52
Reporter: Guilhem Bichot
Status: Closed
Impact on me: None
Category: MySQL Server: InnoDB Plugin storage engine
Severity: S3 (Non-critical)
Version: 5.1
OS: Linux (64bit)
Assigned to: Sergey Vojtovich
CPU Architecture: Any
Triage: Triaged: D2 (Serious)

[11 Aug 2009 16:17] Guilhem Bichot
Description:
We can see this kind of report in pushbuild2 for 5.1-innodb_plugin:
main.index_merge_innodb                  w3 [ fail ]
==4615== Invalid read of size 1
==4615==    at 0xA20D30: ha_innobase::add_index(st_table*, st_key*, unsigned) (handler0alter.cc:894)
==4615==    by 0x73715A: mysql_alter_table(THD*, char*, char*, st_ha_create_information*, TABLE_LIST*, Alter_info*, unsigned, st_order*, bool) (sql_table.cc:7067)
==4615==    by 0x6BEBDE: mysql_execute_command(THD*) (sql_parse.cc:2889)
==4615==    by 0x6C4745: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:6003)
==4615==    by 0x6C59A5: dispatch_command(enum_server_command, THD*, char*, unsigned) (sql_parse.cc:1222)
==4615==    by 0x635060: emb_advanced_command (lib_sql.cc:139)
==4615==    by 0x5BDB7F: mysql_send_query (client.c:2863)
==4615==    by 0x57D574: do_send_query(st_connection*, char const*, int, int) (mysqltest.cc:715)
==4615==    by 0x587B00: run_query_normal(st_connection*, st_command*, int, char*, int, st_dynamic_string*, st_dynamic_string*) (mysqltest.cc:6437)
==4615==    by 0x58844C: run_query(st_connection*, st_command*, int) (mysqltest.cc:7166)
==4615==    by 0x5897A6: main (mysqltest.cc:7796)
==4615==  Address 0xE0DDEDC is 156 bytes inside a block of size 544 free'd
==4615==    at 0x4A0541E: free (vg_replace_malloc.c:233)
==4615==    by 0xA3BDA4: mem_area_free (mem0pool.c:495)
==4615==    by 0xA3AE16: mem_heap_block_free (mem0mem.c:491)
==4615==    by 0xB1C71A: mem_heap_free_func (mem0mem.ic:504)
==4615==    by 0xB1C6C7: dict_mem_table_free (dict0mem.c:109)
==4615==    by 0xB11E6A: dict_table_remove_from_cache (dict0dict.c:1146)
==4615==    by 0xA6F48C: row_drop_table_for_mysql (row0mysql.c:3317)
==4615==    by 0xA69060: row_merge_drop_table (row0merge.c:2261)
==4615==    by 0xA20C80: ha_innobase::add_index(st_table*, st_key*, unsigned) (handler0alter.cc:865)
==4615==    by 0x73715A: mysql_alter_table(THD*, char*, char*, st_ha_create_information*, TABLE_LIST*, Alter_info*, unsigned, st_order*, bool) (sql_table.cc:7067)
==4615==    by 0x6BEBDE: mysql_execute_command(THD*) (sql_parse.cc:2889)
==4615==    by 0x6C4745: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:6003)
==4615==    by 0x6C59A5: dispatch_command(enum_server_command, THD*, char*, unsigned) (sql_parse.cc:1222)
==4615==    by 0x635060: emb_advanced_command (lib_sql.cc:139)
==4615==    by 0x5BDB7F: mysql_send_query (client.c:2863)
==4615==    by 0x57D574: do_send_query(st_connection*, char const*, int, int) (mysqltest.cc:715)

This is specific to the InnoDB plugin.
Similar ones are also seen in mysql-trunk.

How to repeat:
run index_merge_innodb with --valgrind, it seems.
[11 Aug 2009 17:30] Guilhem Bichot
The stack trace I gave is the detailed one I get when I make the plugin a builtin; when it's a plugin, we just get excerpts in pushbuild2:
/export/home/pb2/test/sb_1-671695-1249375950.81/mysql-5.1.37-linux-x86_64-test/mysql-test/var/7/log/mysqld.1.err	==11121==    at 0x5891EB4: ha_innodb::add_index(st_table*, st_key*, unsigned) (handler0alter.cc:894)
/export/home/pb2/test/sb_1-671695-1249375950.81/mysql-5.1.37-linux-x86_64-test/mysql-test/var/7/log/mysqld.1.err	==11121==    at 0x4A0541E: free (vg_replace_malloc.c:233)
^ Found warnings!!
[12 Aug 2009 12:24] Guilhem Bichot
Now that 5.1-innodb_plugin has been merged into 5.1-main, the bug can very likely be reproduced with the latest 5.1-main tree, available at
https://code.launchpad.net/~mysql/mysql-server/mysql-5.1
[13 Aug 2009 6:26] Marko Mäkelä
The statement after convert_error: reads innodb_table->flags, which will just have been freed after successfully creating the requested indexes. The fix is simple, because innodb_table is not needed anywhere else on this code path:

Index: handler/handler0alter.cc
===================================================================
--- handler/handler0alter.cc	(revision 5670)
+++ handler/handler0alter.cc	(working copy)
@@ -864,6 +864,7 @@ error_handling:
 		indexed_table->n_mysql_handles_opened++;
 
 		error = row_merge_drop_table(trx, innodb_table);
+		innodb_table = indexed_table;
 		goto convert_error;
 
 	case DB_TOO_BIG_RECORD:
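Review bot: the added `innodb_table = indexed_table;` is what keeps the `convert_error:` label's read of `innodb_table->flags` off the block that `row_merge_drop_table(trx, innodb_table)` has just freed, but that dependency is invisible inside this hunk because both the label and the dereference sit outside it. A one-line comment above the assignment, e.g. `/* innodb_table was freed by row_merge_drop_table(); point at the surviving table before convert_error reads ->flags */`, would stop the next reader from "simplifying" the assignment away and reintroducing the stale read.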
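The following is a toy model of the error path Marko describes, written in C for this page; it is not InnoDB code and not the patch above. It shows the general hazard, a shared error-handling label that dereferences a pointer some `goto` sites have already freed, and the fix of re-pointing the variable at the surviving object before the jump. All names (`toy_table_t`, `table_drop()`, `build_indexes()`, `add_index_model()`) and the flag values are hypothetical. To make the stale read deterministic and testable, `table_drop()` poisons the struct instead of calling `free()`; with a real `free()` the read is undefined behaviour that only Valgrind or AddressSanitizer would report, which is exactly how it surfaced in the report.

```c
#include <stdio.h>

/* Constructed model of the Bug #46657 pattern (not InnoDB code). A function
 * builds indexes into a new table; on success the OLD table is dropped and
 * the new one should take over, on failure the NEW table is dropped. Both
 * paths then jump to a shared label that reads innodb_table->flags. */

#define TABLE_POISON 0xDEADBEEFu   /* written into a dropped table's flags */

typedef struct {
    unsigned flags;
    int      freed;                /* 1 once table_drop() has "freed" it */
} toy_table_t;

enum { DB_SUCCESS = 0, DB_DUPLICATE_KEY = 1 };

/* Stand-in for row_merge_drop_table(): instead of free(), mark the table
 * dead and poison its flags so a use-after-drop is observable without
 * undefined behaviour. */
static void table_drop(toy_table_t *t)
{
    t->freed = 1;
    t->flags = TABLE_POISON;
}

/* Simulated index build: fails with DB_DUPLICATE_KEY when asked to. */
static int build_indexes(int fail)
{
    return fail ? DB_DUPLICATE_KEY : DB_SUCCESS;
}

/* Core of the modelled add_index() error handling. 'fixed' selects the
 * patched variant, which re-points innodb_table at the surviving table
 * before the goto. Returns the flags value the convert_error label saw. */
static unsigned add_index_model(toy_table_t *innodb_table,
                                toy_table_t *indexed_table,
                                int fail_build, int fixed,
                                int *error_out)
{
    int error = build_indexes(fail_build);
    unsigned observed;

    if (error == DB_SUCCESS) {
        /* Success: the original table is dropped; indexed_table replaces it. */
        table_drop(innodb_table);
        if (fixed)
            innodb_table = indexed_table;   /* the one-line fix from the patch */
        goto convert_error;
    }

    /* Failure: drop the half-built new table, keep the original. */
    table_drop(indexed_table);
    goto convert_error;

convert_error:
    observed = innodb_table->flags;         /* the read Valgrind flagged */
    *error_out = error;
    return observed;
}

/* Success path with (fixed=1) or without (fixed=0) the patch. The flag
 * values 0x21 and 0x23 are constructed sample data. */
unsigned observe_flags_after_success(int fixed)
{
    toy_table_t old_table = { 0x21u, 0 };
    toy_table_t new_table = { 0x23u, 0 };
    int error = -1;
    return add_index_model(&old_table, &new_table, 0, fixed, &error);
}

/* Failure path: innodb_table is never dropped, so the label is safe. */
unsigned observe_flags_after_failure(void)
{
    toy_table_t old_table = { 0x21u, 0 };
    toy_table_t new_table = { 0x23u, 0 };
    int error = -1;
    return add_index_model(&old_table, &new_table, 1, 0, &error);
}

int main(void)
{
    printf("success, unpatched: flags=0x%x (poison => stale read)\n",
           observe_flags_after_success(0));
    printf("success, patched:   flags=0x%x (surviving table)\n",
           observe_flags_after_success(1));
    printf("failure:            flags=0x%x (original table)\n",
           observe_flags_after_failure());
    return 0;
}
```

The unpatched success path returns the poison value because `innodb_table` still names the dropped table when the label runs; the patched path returns the new table's flags, and the failure path was never affected, which matches Marko's note that the stale read only happens after the indexes were created successfully.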
[13 Aug 2009 8:36] Sunny Bains
Marko, OK to commit!
[17 Aug 2009 16:06] Calvin Sun
set to patch approved until the snapshot is sent to mysql.
[25 Aug 2009 15:27] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/81525

2874 Guilhem Bichot	2009-08-25
      Applying fix from Oracle (Marko) for Bug #46657 "InnoDB plugin: invalid read in index_merge_innodb test (Valgrind)"
[25 Aug 2009 15:29] Guilhem Bichot
As it was quite annoying (showing up in the test suite), I applied Marko's fix, which I got from Calvin, to mysql-trunk.
[25 Aug 2009 15:57] Guilhem Bichot
I don't put the bug in "patch queued" state because the fix isn't in 5.1-main yet (I only put it in mysql-trunk).
[16 Sep 2009 6:45] Bugs System
Pushed into 5.4.4-alpha (revid:alik@sun.com-20090916063112-8hjmu6wkxfx5qxf4) (version source revid:alik@sun.com-20090916062454-qzqttcefueqgsfn3) (merge vers: 5.4.4-alpha) (pib:11)
[4 Nov 2009 11:11] Sergey Vojtovich
Pushed into 5.1.41.
[1 Dec 2009 16:32] Paul Dubois
Noted in 5.1.41 changelog.

A Valgrind error during index creation by InnoDB Plugin was
corrected. 

Setting report to NDI pending push into 5.6.x+.
[6 Jan 2010 6:22] Satya B
This would have been merged by now. Probably svoj forgot to mention the bug number when merging the InnoDB plugin. svoj, can you please look into this?
[18 Mar 2010 16:59] Sergey Vojtovich
This bugfix came along with InnoDB Plugin 1.0.5 snapshot, which was released in 5.5.0-m2.
[18 Mar 2010 18:52] Paul Dubois
Noted in 5.5.0 changelog.