| Bug #51738 | Unit test pfs_instr-t crashes | | |
|---|---|---|---|
| Submitted: | 4 Mar 2010 21:43 | Modified: | 10 Mar 2010 18:18 |
| Reporter: | Olav Sandstå | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Performance Schema | Severity: | S3 (Non-critical) |
| Version: | 5.5.99 | OS: | Linux (Ubuntu 32 bit) |
| Assigned to: | Marc ALFF | CPU Architecture: | Any |
[4 Mar 2010 21:43]
Olav Sandstå
[4 Mar 2010 21:48]
Olav Sandstå
Running the test in gdb produces the following (corrupted) call stack for the crash:

```
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7d9a8c0 (LWP 31781)]
0xb7e11e04 in strcpy () from /lib/tls/i686/cmov/libc.so.6
(gdb) where
#0  0xb7e11e04 in strcpy () from /lib/tls/i686/cmov/libc.so.6
#1  0x0805d3e6 in my_load_path (
    to=0xbfa433f4 "/home/olav/mysql/develop/opt-bug51215-rev/storage/perfschema/unittest/", 'X' <repeats 130 times>...,
    path=0xbfa437b4 'X' <repeats 200 times>..., own_path_prefix=0x0) at mf_loadpath.c:51
#2  0x58585858 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
```
[5 Mar 2010 1:40]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/102386

3122 Marc Alff 2010-03-04
Bug#51738 Unit test pfs_instr-t crashes

The unit test pfs_instr-t:
- generates a very long (10,000 bytes) file name
- calls find_or_create_file.

This leads to a buffer overflow in mysys in my_realpath(), because my_realpath and mysys file APIs in general do not test for input parameters: mysys assumes every file name is less than FN_REFLEN in length.

Calling find_or_create_file with a very long file name is likely to happen when instrumenting third party code that does not use mysys, so this test is legitimate.

The fix is to make find_or_create_file in the performance schema more robust in this case.
[7 Mar 2010 19:06]
Marc ALFF
Queued in:
- mysql-next-mr-bugfixing (5.6.99-m4)
- mysql-6.0-codebase-bugfixing
[10 Mar 2010 13:38]
Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100310133305-0jdlngbtrkoqzckh) (version source revid:alik@sun.com-20100310132404-uqarl0o0vlra2kjx) (merge vers: 6.0.14-alpha) (pib:16)
[10 Mar 2010 13:38]
Bugs System
Pushed into 5.5.3-m3 (revid:alik@sun.com-20100310132634-zpyjzn346sgrm59u) (version source revid:alik@sun.com-20100310132634-zpyjzn346sgrm59u) (merge vers: 5.5.3-m3) (pib:16)
[10 Mar 2010 13:39]
Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100310132718-l0tegumhbg8umgjd) (version source revid:alik@sun.com-20100310132252-kpi29r22kjtl493x) (pib:16)
[10 Mar 2010 15:06]
Marc ALFF
Doc team:
- fix merged in 5.5.3 and 6.0
- first P_S release, nothing to document
[10 Mar 2010 18:18]
Paul DuBois
Not in any released version. No changelog entry needed.
[1 May 2010 9:46]
Tor Didriksen
Compiled with SunPro (mysqld Ver 5.6.99-m4 for pc-solaris2.10 on i386 (Source distribution)), this unit test still segfaults:

```
ok 24 - lost 3
ok 25 - no file
ok 26 - lost 4
Signal 11 thrown, attempting backtrace.
/net/atum07/export/home/didrik/mysqldev-next-mr/next-mr-bf-khepri21-automake/storage/perfschema/unittest/pfs_instr-t:my_print_stacktrace+0x1b
/net/atum07/export/home/didrik/mysqldev-next-mr/next-mr-bf-khepri21-automake/storage/perfschema/unittest/pfs_instr-t:0xd2ca
/lib/libc.so.1:0xa75df
/lib/libc.so.1:0x9d2a0
/net/atum07/export/home/didrik/mysqldev-next-mr/next-mr-bf-khepri21-automake/storage/perfschema/unittest/pfs_instr-t:__1cTfind_or_create_file6FpnKPFS_thread_pnOPFS_file_class_pkcI_pnIPFS_file__+0x139
[ Signal 11 (SEGV)] 0x58585858
Error when traversing the stack, stack appears corrupt.
Segmentation Fault (core dumped)
```

Running with valgrind on linux:

```
valgrind --track-origins=yes storage/perfschema/unittest/pfs_instr-t
ok 26 - lost 4
==8428== Conditional jump or move depends on uninitialised value(s)
==8428==    at 0x40CDEE: dirname_length (mf_dirname.c:33)
==8428==    by 0x40A250: find_or_create_file(PFS_thread*, PFS_file_class*, char const*, unsigned int) (pfs_instr.cc:862)
==8428==    by 0x407019: test_no_instances() (pfs_instr-t.cc:142)
==8428==    by 0x408091: do_all_tests() (pfs_instr-t.cc:403)
==8428==    by 0x4080CB: main (pfs_instr-t.cc:412)
==8428==  Uninitialised value was created by a stack allocation
==8428==    at 0x40A14C: find_or_create_file(PFS_thread*, PFS_file_class*, char const*, unsigned int) (pfs_instr.cc:792)
==8428==
==8428== Conditional jump or move depends on uninitialised value(s)
==8428==    at 0x4A07227: stpcpy (mc_replace_strmem.c:573)
==8428==    by 0x40A31F: find_or_create_file(PFS_thread*, PFS_file_class*, char const*, unsigned int) (pfs_instr.cc:884)
==8428==    by 0x407019: test_no_instances() (pfs_instr-t.cc:142)
==8428==    by 0x408091: do_all_tests() (pfs_instr-t.cc:403)
==8428==    by 0x4080CB: main (pfs_instr-t.cc:412)
==8428==  Uninitialised value was created by a stack allocation
==8428==    at 0x40A14C: find_or_create_file(PFS_thread*, PFS_file_class*, char const*, unsigned int) (pfs_instr.cc:792)
==8428==
==8428== Source and destination overlap in stpcpy(0x7feffcb81, 0x7feffcd40)
==8428==    at 0x4A072A8: stpcpy (mc_replace_strmem.c:573)
==8428==    by 0x40A31F: find_or_create_file(PFS_thread*, PFS_file_class*, char const*, unsigned int) (pfs_instr.cc:884)
==8428==    by 0x407019: test_no_instances() (pfs_instr-t.cc:142)
==8428==    by 0x408091: do_all_tests() (pfs_instr-t.cc:403)
==8428==    by 0x4080CB: main (pfs_instr-t.cc:412)
==8428==
ok 27 - no file
```

The first two warnings can be fixed with:

```
< memcpy(safe_buffer, filename, FN_REFLEN - 2);
---
> memcpy(safe_buffer, filename, FN_REFLEN - 1);
```

The third warning is caused by writing too much data into buffer[]: first the resolved path, then we concatenate the 512-byte safe_filename. strncpy() is safer:

```
< ptr= strmov(ptr, safe_filename + dirlen);
< *ptr= '\0';
---
> char *buf_end= &buffer[sizeof(buffer)-1];
> strncpy(ptr, safe_filename + dirlen, buf_end - ptr);
> *buf_end= '\0';
```
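Review bot: the first hunk's `memcpy(safe_buffer, filename, FN_REFLEN - 1)` copies a fixed count that is independent of the caller's length, so unless this branch is only reached when the name is already known to be at least FN_REFLEN - 1 bytes long (which the hunk does not show), it reads past the end of a shorter name; the count should be the smaller of the caller's length and FN_REFLEN - 1, followed by an explicit `safe_buffer[copied]= '\0'`, which also removes the uninitialised byte that valgrind flagged in dirname_length().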
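Review bot: in the second hunk `buf_end - ptr` is converted to a size_t for strncpy(), so if ptr can ever reach buf_end after the resolved path has been written (the hunk does not show what bounds ptr), the count becomes zero or wraps to a huge value; add an assertion or early return that `ptr < buf_end` before the call. The explicit `*buf_end= '\0'` is required because strncpy() leaves no terminator when the source is longer than the count, and note that strncpy() also zero-fills the remainder of buffer[] on every call, which is correct but costs up to sizeof(buffer) writes on this instrumentation path; a bounded memcpy of the known length would avoid both issues.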
[1 May 2010 9:50]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/107132

3162 Tor Didriksen 2010-05-01
Bug #51738 Unit test pfs_instr-t crashes

Copy 511 rather than 510 bytes into safe_buffer[].
Use strncpy() to ensure we don't overwrite buffer[].
Declare filename_hash_get_key() to be a "C" function, to remove warning from SunPro compiler.
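The two fixes discussed in this thread (clamp an over-long caller-supplied name into safe_buffer[] so no byte is left uninitialised, then append the base name to the resolved path with an explicit bound and terminator rather than an unbounded strmov()) written out as one robust routine. This is an added example, not the performance schema's find_or_create_file(); FN_REFLEN, the "/resolved" prefix standing in for my_realpath(), and the demo_* helpers are assumptions of the example.

```c
#include <stddef.h>
#include <string.h>
/* Added example, not the performance schema's own code. FN_REFLEN is the mysys
 * file-name limit (512 bytes including the NUL); my_realpath() is replaced by a
 * constructed stand-in that just prefixes "/resolved" so this runs offline. */
#define FN_REFLEN 512

/* Build the instrumented name for a caller-supplied (filename, len) that may be far
 * longer than FN_REFLEN, as third-party code not using mysys can pass. The raw name
 * is clamped into safe_buffer[] so every byte read later was written, and the base
 * name is appended with an explicit bound and terminator. Returns the result length
 * (< FN_REFLEN) and sets *truncated when the name did not fit. */
size_t safe_file_name(const char *filename, size_t len, char out[FN_REFLEN], int *truncated)
{
    static const char root[] = "/resolved";
    char safe_buffer[FN_REFLEN];
    size_t i, dirlen = 0, dcopy, pos, baselen;
    size_t safe_len = len < FN_REFLEN - 1 ? len : FN_REFLEN - 1;

    memcpy(safe_buffer, filename, safe_len);   /* min(len, 511): a fixed count would over-read a short name */
    safe_buffer[safe_len] = '\0';
    *truncated = (len > safe_len);
    for (i = 0; i < safe_len; i++)             /* split at the last '/', as dirname_length() does */
        if (safe_buffer[i] == '/') dirlen = i + 1;

    pos = sizeof(root) - 1;                    /* "resolved" directory: root + directory part, bounded */
    dcopy = dirlen;
    if (dcopy > FN_REFLEN - 1 - pos) { dcopy = FN_REFLEN - 1 - pos; *truncated = 1; }
    memcpy(out, root, pos);
    memcpy(out + pos, safe_buffer, dcopy);
    pos += dcopy;

    baselen = safe_len - dirlen;               /* append the base name into the remaining room only */
    if (baselen > FN_REFLEN - 1 - pos) { baselen = FN_REFLEN - 1 - pos; *truncated = 1; }
    memcpy(out + pos, safe_buffer + dirlen, baselen);
    out[pos + baselen] = '\0';                 /* strncpy() alone would leave no NUL here */
    return pos + baselen;
}

/* Constructed inputs: the unit test's 10,000-byte name, and an ordinary short one. */
size_t demo_long_name(void)
{
    static char name[10000]; char out[FN_REFLEN]; int trunc;
    memset(name, 'X', sizeof(name));
    size_t n = safe_file_name(name, sizeof(name), out, &trunc);
    return (trunc && strlen(out) == n) ? n : 0;   /* 511: filled to the limit, still terminated */
}
int demo_short_name(void)
{
    char out[FN_REFLEN]; int trunc;
    safe_file_name("/tmp/foo.txt", 12, out, &trunc);
    return !trunc && strcmp(out, "/resolved/tmp/foo.txt") == 0;
}
```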
[3 May 2010 9:29]
Tor Didriksen
See also Bug #53363 Unit test pfs_instr-t still crashes
[3 May 2010 10:58]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/107174

3165 Tor Didriksen 2010-05-03
Bug #51738 Unit test pfs_instr-t crashes

Copy 511 rather than 510 bytes into safe_buffer[].
Use strncpy() to ensure we don't overwrite buffer[].
Declare filename_hash_get_key() to be a "C" function, to remove warning from SunPro compiler.