Bug #58177 crash and valgrind warnings in decimal and protocol sending functions...
Submitted: 13 Nov 2010 14:42    Modified: 21 Dec 2010 12:54
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Duplicate
Category: MySQL Server: Data Types    Severity: S1 (Critical)
Version: 5.1.54, 5.5.7, 5.5.8    OS: Any
Assigned to: Assigned Account    CPU Architecture: Any

[13 Nov 2010 14:42] Shane Bester
Description:
This bug reminds me of bug 57278.

Version: '5.5.8-rc-valgrind-max-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
Invalid read of size 1
at : memcpy (mc_replace_strmem.c:497)
by : my_decimal2decimal (my_decimal.h:250)
by : Item_cache_decimal::cache_value (item.cc:7642)
by : Item_singlerow_subselect::store (item_subselect.cc:510)
by : select_singlerow_subselect::send_data (sql_class.cc:2376)
by : end_send_group (sql_select.cc:12673)
by : do_select (sql_select.cc:11395)
by : JOIN::exec (sql_select.cc:2359)
by : subselect_single_select_engine::exec (item_subselect.cc:1994)
by : Item_subselect::exec (item_subselect.cc:288)
by : Item_singlerow_subselect::val_decimal (item_subselect.cc:630)
by : Item_func_set_user_var::check (item_func.cc:4524)
by : set_var_user::check (set_var.cc:688)
by : sql_set_variables (set_var.cc:570)
by : mysql_execute_command (sql_parse.cc:3075)
by : mysql_parse (sql_parse.cc:5512)
by : dispatch_command (sql_parse.cc:1029)
by : do_command (sql_parse.cc:769)
by : do_handle_one_connection (sql_connect.cc:745)
by : handle_one_connection (sql_connect.cc:684)
by : start_thread (pthread_create.c:301)
Address 0x3b is not stack'd, malloc'd or (recently) free'd
 

How to repeat:
Run the testcase a few times if needed, or run mysqld in valgrind.

------
set names latin1;
set @a:=(select min(get_lock('aaaaaaaaaaaaaaaaa',0)/'0b1111111111111111111111111111111111111111111111111111111111111111111111111'^ (rand())));
select min(get_lock('aaaaaaaaaaaaaaaaa',0)/'0b1111111111111111111111111111111111111111111111111111111111111111111111111'^ (rand()));
-------
[13 Nov 2010 14:43] MySQL Verification Team
look at all this valgrind output....

Attachment: bug58177_5.1.54_valgrind_output.txt (text/plain), 87.14 KiB.

[13 Nov 2010 14:56] Valeriy Kravchuk
I've got the following on Mac OS X:

macbook-pro:5.5 openxs$ bin/mysql -uroot test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.5.7-rc-debug Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> set names latin1;
Query OK, 0 rows affected (0.00 sec)

mysql> set @a:=(select
    -> min(get_lock('aaaaaaaaaaaaaaaaa',0)/'0b1111111111111111111111111111111111111111111111111111111111111111111111111'^
    -> (rand())));
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> select
    -> min(get_lock('aaaaaaaaaaaaaaaaa',0)/'0b1111111111111111111111111111111111111111111111111111111111111111111111111'^
    -> (rand()));
+------------------------------------------------------------------------------------------------------------------------------+
| min(get_lock('aaaaaaaaaaaaaaaaa',0)/'0b1111111111111111111111111111111111111111111111111111111111111111111111111'^
(rand())) |
+------------------------------------------------------------------------------------------------------------------------------+
|                                                                                                                         NULL |
+------------------------------------------------------------------------------------------------------------------------------+
1 row in set, 1 warning (0.00 sec)

mysql> select min(get_lock('aaaaaaaaaaaaaaaaa',0)/'0b1111111111111111111111111111111111111111111111111111111111111111111111111'^ (rand()));
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> exit

No crash of server noted in the error log though.
[13 Nov 2010 15:02] Valeriy Kravchuk
After 10+ executions of this test got a crash finally:

Version: '5.5.7-rc-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
101113 17:01:15 - mysqld got signal 10 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8388608
read_buffer_size=131072
max_used_connections=1
max_threads=151
thread_count=1
connection_count=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 337937 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0x1020000
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0xb0576f34 thread_stack 0x30000
0   mysqld                              0x005c37f1 my_print_stacktrace + 44
1   mysqld                              0x001058fa handle_segfault + 884
2   libSystem.B.dylib                   0x940472bb _sigtramp + 43
3   ???                                 0xffffffff 0x0 + 4294967295
4   mysqld                              0x0001e669 _ZN18Item_cache_decimal11cache_valueEv + 149
5   mysqld                              0x000ab5eb _ZN24Item_singlerow_subselect5storeEjP4Item + 121
6   mysqld                              0x000e9e8f _ZN26select_singlerow_subselect9send_dataER4ListI4ItemE + 297
7   mysqld                              0x0018cf5a _ZN4JOIN5clearEv + 910
8   mysqld                              0x0019e33a _ZN4JOIN9join_freeEv + 1226
9   mysqld                              0x001b024c _ZN4JOIN4execEv + 8740
10  mysqld                              0x000ade0c _ZN30subselect_single_select_engine4execEv + 1236
11  mysqld                              0x000b0492 _ZN14Item_subselect4execEv + 148
12  mysqld                              0x000ab7a6 _ZN24Item_singlerow_subselect11val_decimalEP10my_decimal + 26
13  mysqld                              0x0004dde9 _ZN22Item_func_set_user_var5checkEb + 553
14  mysqld                              0x0012691d _ZN12set_var_user5checkEP3THD + 71
15  mysqld                              0x00126ae6 _Z17sql_set_variablesP3THDP4ListI12set_var_baseE + 96
16  mysqld                              0x0011c8f6 _Z21mysql_execute_commandP3THD + 15694
17  mysqld                              0x0012136c _Z11mysql_parseP3THDPcjP12Parser_state + 624
18  mysqld                              0x00121efe _Z16dispatch_command19enum_server_commandP3THDPcj + 2632
19  mysqld                              0x00123307 _Z10do_commandP3THD + 621
20  mysqld                              0x001109e2 _Z24do_handle_one_connectionP3THD + 512
21  mysqld                              0x00110ad5 handle_one_connection + 37
22  libSystem.B.dylib                   0x9400c095 _pthread_start + 321
23  libSystem.B.dylib                   0x9400bf52 thread_start + 34
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0x109c210 = set @a:=(select
min(get_lock('aaaaaaaaaaaaaaaaa',0)/'0b1111111111111111111111111111111111111111111111111111111111111111111111111'^
(rand())))
thd->thread_id=2
thd->killed=NOT_KILLED
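The two backtrace formats on this page (valgrind's "at/by : func (file:line)" frames in the description, and mysqld's own stack dump with mangled C++ symbols in the comment above) are what triage compares when marking a report as a duplicate, as happened here. The Python script below is an added example, not MySQL code and not anything posted by the reporters: it parses both formats, recovers function names from the mangled symbols with a deliberately minimal Itanium-ABI demangler (nested names only, parameter encodings dropped), and reduces each trace to a short signature of the first few non-noise frames that can be used as a dedup key. The NOISE set, the signature depth and the `related()` heuristic are assumptions chosen for this illustration; the sample traces are copied from this report.

```python
"""Crash-signature extraction for MySQL bug triage (added example).

Handles the two trace formats seen in Bug #58177:
  * valgrind:   "by : my_decimal2decimal (my_decimal.h:250)"
  * mysqld log: "4   mysqld   0x0001e669 _ZN18Item_cache_decimal11cache_valueEv + 149"
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Frame:
    func: str                # demangled (or raw) function name
    location: Optional[str]  # "file:line" (valgrind) or "module+offset" (mysqld)


# valgrind frame, with or without the "==PID==" prefix and the hex address
_VG = re.compile(
    r'^(?:==\d+==)?\s*(?:at|by)\s*(?:0x[0-9A-Fa-f]+)?\s*:\s*(\S+)\s*\(([^)]*)\)')
# mysqld error-log frame: "<n>  <module>  <addr> <symbol> [+ <offset>]"
_MYSQLD = re.compile(
    r'^\s*\d+\s+(\S+)\s+(0x[0-9A-Fa-f]+)\s+(\S+)(?:\s+\+\s+(\d+))?\s*$')

# Frames that say nothing about the defect: libc helpers valgrind intercepts
# and the server's signal-handler chain. This list is an assumption.
NOISE = {'memcpy', 'memmove', 'memset', 'strlen',
         'my_print_stacktrace', 'handle_segfault', '_sigtramp'}


def demangle(sym: str) -> str:
    """Minimal Itanium-ABI demangler: returns the (possibly nested) name of a
    _Z... symbol and drops the parameter encoding. Not a full demangler
    (no templates, substitutions, operators, ctors/dtors); assumed sufficient
    for the symbols mysqld prints in its stack dump."""
    if not sym.startswith('_Z'):
        return sym                      # already plain, e.g. handle_one_connection
    nested = sym.startswith('_ZN')
    i = 3 if nested else 2
    parts = []
    while i < len(sym):
        m = re.match(r'\d+', sym[i:])   # each component is <length><identifier>
        if not m:
            break
        n = int(m.group())
        i += len(m.group())
        parts.append(sym[i:i + n])
        i += n
        if not nested or (i < len(sym) and sym[i] == 'E'):
            break                       # 'E' closes a nested name
    return '::'.join(parts) if parts else sym


def parse_valgrind(text: str) -> List[Frame]:
    """Extract frames from a valgrind error block (non-frame lines ignored)."""
    return [Frame(m.group(1), m.group(2) or None)
            for m in (_VG.match(line) for line in text.splitlines()) if m]


def parse_mysqld(text: str) -> List[Frame]:
    """Extract frames from the stack dump mysqld writes to its error log."""
    frames = []
    for line in text.splitlines():
        m = _MYSQLD.match(line)
        if not m:
            continue
        module, addr, sym, off = m.groups()
        loc = f'{module}+{off}' if off else f'{module}@{addr}'
        frames.append(Frame(demangle(sym), loc))
    return frames


def crash_signature(frames: List[Frame], depth: int = 3) -> Tuple[str, ...]:
    """First `depth` function names that are not noise; usable as a dedup key.
    Frames with no symbol (mysqld prints '0x0' for those) are skipped too."""
    sig = []
    for f in frames:
        if f.func in NOISE or f.func.startswith('0x'):
            continue
        sig.append(f.func)
        if len(sig) == depth:
            break
    return tuple(sig)


def related(a: Tuple[str, ...], b: Tuple[str, ...]) -> bool:
    """Cheap 'possibly the same bug' check: any server frame in common.
    Inlining differs between builds, so exact equality is too strict."""
    return bool(set(a) & set(b))


# Sample traces copied from Bug #58177 (first frames only).
VALGRIND_SAMPLE = """\
Invalid read of size 1
at : memcpy (mc_replace_strmem.c:497)
by : my_decimal2decimal (my_decimal.h:250)
by : Item_cache_decimal::cache_value (item.cc:7642)
by : Item_singlerow_subselect::store (item_subselect.cc:510)
by : select_singlerow_subselect::send_data (sql_class.cc:2376)
Address 0x3b is not stack'd, malloc'd or (recently) free'd
"""

MYSQLD_SAMPLE = """\
stack_bottom = 0xb0576f34 thread_stack 0x30000
0   mysqld                              0x005c37f1 my_print_stacktrace + 44
1   mysqld                              0x001058fa handle_segfault + 884
2   libSystem.B.dylib                   0x940472bb _sigtramp + 43
3   ???                                 0xffffffff 0x0 + 4294967295
4   mysqld                              0x0001e669 _ZN18Item_cache_decimal11cache_valueEv + 149
5   mysqld                              0x000ab5eb _ZN24Item_singlerow_subselect5storeEjP4Item + 121
6   mysqld                              0x000e9e8f _ZN26select_singlerow_subselect9send_dataER4ListI4ItemE + 297
"""

if __name__ == '__main__':
    vg = crash_signature(parse_valgrind(VALGRIND_SAMPLE))
    md = crash_signature(parse_mysqld(MYSQLD_SAMPLE))
    print('valgrind :', ' <- '.join(vg))
    print('mysqld   :', ' <- '.join(md))
    print('related  :', related(vg, md))
```

The valgrind trace shows `my_decimal2decimal` as its own frame while the mysqld dump goes straight from the signal handler to `Item_cache_decimal::cache_value` (the copy is inlined in that build), which is why `related()` compares frame sets rather than requiring identical signatures.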
[21 Dec 2010 12:54] Sergei Glukhov
The problem is fixed in Bug#58030, closed as duplicate