Bug #56883 rpl_row_ignorable_event fails on valgrind run
Submitted: 20 Sep 2010 23:23    Modified: 15 Nov 2010 19:34
Reporter: Luis Soares
Status: Closed
Category: MySQL Server: Row Based Replication (RBR)    Severity: S3 (Non-critical)
Version: mysql-next-mr-bugfixing    OS: Any
Assigned to: Luis Soares    CPU Architecture: Any
Tags: valgrind

[20 Sep 2010 23:23] Luis Soares
Description:
rpl_row_ignorable_event fails on mysql-next-mr-bugfixing with the following
symptom:

rpl.rpl_row_ignorable_event              [ fail ]  Found warnings/errors in server log file!
        Test ended at 2010-09-19 20:51:20
line
==12584== Thread 17:
==12584== Conditional jump or move depends on uninitialised value(s)
==12584==    at 0x4A066A6: strnlen (mc_replace_strmem.c:230)
==12584==    by 0xAE094A: process_str_arg (my_vsnprintf.c:195)
==12584==    by 0xAE2648: my_vsnprintf_ex (my_vsnprintf.c:605)
==12584==    by 0xAE2A88: my_vsnprintf (my_vsnprintf.c:668)
==12584==    by 0xAE2B77: my_snprintf (my_vsnprintf.c:677)
==12584==    by 0x853C24: Rows_query_log_event::Rows_query_log_event(char const*, unsigned, Format_description_log_event const*) (log_event.cc:9867)
==12584==    by 0x86A2F4: Log_event::read_log_event(char const*, unsigned, char const**, Format_description_log_event const*) (log_event.cc:1331)
==12584==    by 0x883FC4: mysql_client_binlog_statement(THD*) (sql_binlog.cc:239)
==12584==    by 0x5C7C5F: mysql_execute_command(THD*) (sql_parse.cc:4326)
==12584==    by 0x5C8597: mysql_parse(THD*, char*, unsigned, Parser_state*) (sql_parse.cc:5591)
==12584==    by 0x5C9BC9: dispatch_command(enum_server_command, THD*, char*, unsigned) (sql_parse.cc:1130)
==12584==    by 0x5CB033: do_command(THD*) (sql_parse.cc:802)
==12584==    by 0x69DE00: do_handle_one_connection(THD*) (sql_connect.cc:1192)
==12584==    by 0x69DEFC: handle_one_connection (sql_connect.cc:1131)
==12584==    by 0x8CD2FE: pfs_spawn_thread (pfs.cc:1061)
==12584==    by 0x3F6D606366: start_thread (in /lib64/libpthread-2.5.so)
^ Found warnings in /export/home2/pb2/test/sb_0-2290534-1284845216.13/mysql-5.6.99-m5-linux-x86_64-test/mysql-test/var-rpl_binlog_row/log/mysqld.1.err
ok

Details:
  - tree: mysql-next-mr-bugfixing
  - revid: alfranio.correia@oracle.com-20100920121236-sxo39h0p2dc47omn

How to repeat:
See Pb2: http://tinyurl.com/23stvej

Suggested fix:
.
[22 Sep 2010 0:31] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/118769

3298 Luis Soares	2010-09-22
      BUG#56883: rpl_row_ignorable_event fails on valgrind run
      
      The buffer used in mysql_client_binlog_statement is never
      initialized. If an event is processed and its payload is handled
      as a null terminated string, then conditional jumps depending on
      uninitialized values may occur. This was the case for
      Rows_query_log_event.
      
      We fix this by always setting a null terminator mark on byte
      'buf+event_len' when an event is decoded from the BINLOG
      statement. Given that the buffer is reused for all events on a
      BINLOG statement, then this is also an extra security measure
      against dumping garbage from a previous event somehow...
[22 Sep 2010 0:32] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/118770

3298 Luis Soares	2010-09-22
      BUG#56883: rpl_row_ignorable_event fails on valgrind run
      
      The buffer used in mysql_client_binlog_statement is never
      initialized. If an event is processed and its payload is handled
      as a null terminated string, then conditional jumps depending on
      uninitialized values may occur. This was the case for
      Rows_query_log_event.
      
      We fix this by always setting a null terminator mark on byte
      'buf+event_len' when an event is decoded from the BINLOG
      statement. Given that the buffer is reused for all events on a
      BINLOG statement, then this is also an extra security measure
      against dumping garbage from a previous event somehow...
[24 Sep 2010 15:25] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/119071

3298 Luis Soares	2010-09-24
      BUG#56883: rpl_row_ignorable_event fails on valgrind run
      
      The buffer used in mysql_client_binlog_statement is never
      initialized and may contain several events data in it. If an
      event is processed and its payload is handled as a null
      terminated string, then conditional jumps depending on
      uninitialized values may occur. Such cases happen if there is
      access outside this event portion of the buffer used for 
      storing its data. This was the case for Rows_query_log_event.
      
      We fix this by replacing my_snprintf with strmake (which copies
      only the specified len bytes from str and sets
      *(my_rows_query+len)= '\0').
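The bug class described in the commit message, as an added stand-alone example (this is not MySQL code and not the patch; it only mirrors the pattern). The valgrind trace shows my_snprintf's string handler calling strnlen on the event payload, which is consistent with a "%s" conversion; the example assumes that and uses libc snprintf, which scans for a NUL the same way. The BINLOG buffer is modelled as a constructed byte sequence in which the rows-query payload is immediately followed by the next event's bytes with no NUL in between; the bytes are initialised here so the overread is deterministic instead of a valgrind report. decode_safe is a strmake-style copy that honours 'len' and terminates at out[len] (MySQL's strmake also stops at an embedded NUL, which is not reproduced here):

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data (not a real binlog): the decoded BINLOG buffer
 * holds several events back to back. The rows-query payload is
 * length-delimited and NOT NUL-terminated; the bytes right after it
 * belong to the next event. */
static const char ROWS_QUERY[] = "SELECT 1";
static const char NEXT_EVENT[] = "LEFTOVER FROM NEXT EVENT";

/* Fill 'buf' with the query bytes followed directly by next-event bytes.
 * Returns the query length, i.e. the 'len' a decoder must honour. */
size_t build_sample(char *buf, size_t bufsz)
{
    size_t qlen = strlen(ROWS_QUERY);      /* 8 */
    size_t nlen = strlen(NEXT_EVENT);      /* 24 */
    assert(bufsz > qlen + nlen);
    memcpy(buf, ROWS_QUERY, qlen);         /* no terminating NUL copied */
    memcpy(buf + qlen, NEXT_EVENT, nlen);  /* next event starts here */
    buf[qlen + nlen] = '\0';               /* only so the demo stops somewhere */
    return qlen;
}

/* Buggy pattern: "%s" ignores 'len' and scans for a NUL, so it walks past
 * the event into whatever follows in the reused buffer. With an
 * uninitialised buffer this is the strnlen conditional-jump valgrind sees. */
size_t decode_unsafe(const char *payload, size_t len, char *out, size_t outsz)
{
    (void)len;
    return (size_t)snprintf(out, outsz, "%s", payload);
}

/* Fixed pattern (strmake-style): copy exactly 'len' bytes, never look at
 * payload[len], and terminate at out[len]. */
size_t decode_safe(const char *payload, size_t len, char *out, size_t outsz)
{
    if (len >= outsz)
        len = outsz - 1;
    memcpy(out, payload, len);
    out[len] = '\0';
    return len;
}

/* Run one decoder over the sample and return the result (static buffer). */
const char *decode_sample(int use_safe)
{
    static char out[64];
    char buf[64];
    size_t len = build_sample(buf, sizeof buf);
    if (use_safe)
        decode_safe(buf, len, out, sizeof out);
    else
        decode_unsafe(buf, len, out, sizeof out);
    return out;
}

int main(void)
{
    printf("unsafe: \"%s\"\n", decode_sample(0)); /* bleeds into next event */
    printf("safe:   \"%s\"\n", decode_sample(1)); /* exactly the rows query */
    return 0;
}
```

The check a reviewer would ask for is the one valgrind performed here: run the decoder with the payload in a freshly malloc'ed, deliberately unwritten buffer under valgrind or AddressSanitizer; the "%s" version reports a read past the event, the length-honouring version is silent.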
[30 Sep 2010 11:52] Luis Soares
Queued in mysql-next-mr-bugfixing:
http://pb2.norway.sun.com/web.py?template=push_details&push=1612070
[2 Oct 2010 18:15] Bugs System
Pushed into mysql-next-mr (revid:alexander.nozdrin@oracle.com-20101002181053-6iotvl26uurcoryp) (version source revid:alexander.nozdrin@oracle.com-20101002180917-h0n62akupm3z20nt) (pib:21)
[13 Nov 2010 16:17] Bugs System
Pushed into mysql-trunk 5.6.99-m5 (revid:alexander.nozdrin@oracle.com-20101113155825-czmva9kg4n31anmu) (version source revid:vasil.dimov@oracle.com-20100629074804-359l9m9gniauxr94) (merge vers: 5.6.99-m4) (pib:21)
[15 Nov 2010 19:34] Jon Stephens
Bug doesn't appear in a release, closing.