Bug #59154 reading of freed memory during multiple user variable assignments
Submitted: 24 Dec 2010 12:58
Modified: 16 Feb 2011 10:00
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Duplicate
Category: MySQL Server: DML
Severity: S1 (Critical)
Version: 5.6.1, 5.6.2, 5.5.10, 5.1
OS: Any
Assigned to: Tor Didriksen
CPU Architecture: Any

[24 Dec 2010 12:58] Shane Bester
Description:
Version: '5.6.1-m5-valgrind-max-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
Invalid read of size 1
at8: memmove (mc_replace_strmem.c:629)
by: update_hash (item_func.cc:4352)
by: Item_func_set_user_var::update_hash (item_func.cc:4376)
by: Item_func_set_user_var::update (item_func.cc:4652)
by: set_var_user::update (set_var.cc:714)
by: sql_set_variables (set_var.cc:575)
by: mysql_execute_command (sql_parse.cc:3097)
by: mysql_parse (sql_parse.cc:5550)
by: dispatch_command (sql_parse.cc:1078)
by: do_command (sql_parse.cc:815)
by: do_handle_one_connection (sql_connect.cc:748)
by: handle_one_connection (sql_connect.cc:684)
by: start_thread (pthread_create.c:301)
 Address 0xf4c8730 is 0 bytes inside a block of size 64 free'd
at: free (vg_replace_malloc.c:325)
by: my_free (my_malloc.c:128)
by: update_hash (item_func.cc:4328)
by: Item_func_set_user_var::update_hash (item_func.cc:4376)
by: Item_func_set_user_var::update (item_func.cc:4641)
by: set_var_user::update (set_var.cc:714)
by: sql_set_variables (set_var.cc:575)
by: mysql_execute_command (sql_parse.cc:3097)
by: mysql_parse (sql_parse.cc:5550)
by: dispatch_command (sql_parse.cc:1078)
by: do_command (sql_parse.cc:815)
by: do_handle_one_connection (sql_connect.cc:748)
by: handle_one_connection (sql_connect.cc:684)
by: start_thread (pthread_create.c:301)

looks like a regression to me

How to repeat:
#run mysqld in valgrind then,
set @a:='aa',@a:=@a:=@a:=ceil(@@global.port);
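Added example (editor's code, not MySQL's and not the reporter's): a constructed pair of value-update routines modelling what the trace shows, an old value buffer freed in update_hash (item_func.cc:4328) and then read by the memmove at :4352 because the source of the chained `@a:=@a:=...` assignment still points into that buffer. The struct and function names are hypothetical; the fix shown is the copy-before-free ordering, which is one way to remove the hazard and is not a claim about the actual MySQL patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a user variable (hypothetical; MySQL's user_var_entry has more). */
typedef struct { char *value; size_t length; } var_entry;

/* Free-then-copy, the order the trace shows (free at :4328, memmove at :4352).
 * Harmless for a literal src; a src pointing into e->value is read after free. */
static int update_value_buggy(var_entry *e, const char *src, size_t len)
{
    free(e->value);
    e->value = malloc(len + 1);
    if (!e->value) return -1;
    memmove(e->value, src, len);   /* use-after-free when src aliased the old value */
    e->value[len] = '\0';
    e->length = len;
    return 0;
}

/* Copy-then-free: src's storage is still live during the copy, so aliasing is safe. */
static int update_value_safe(var_entry *e, const char *src, size_t len)
{
    char *fresh = malloc(len + 1);
    if (!fresh) return -1;
    memmove(fresh, src, len);
    fresh[len] = '\0';
    free(e->value);                /* old buffer released only after the copy */
    e->value = fresh;
    e->length = len;
    return 0;
}

/* Repeat case in miniature: literal assignment, then @a := tail(@a); returns final length (0 on failure). */
static size_t chained_assign_demo(char *out, size_t outsz)
{
    var_entry e = { NULL, 0 };
    if (update_value_buggy(&e, "aabb", 4) != 0) return 0;                    /* literal src: no alias */
    if (update_value_safe(&e, e.value + 1, e.length - 1) != 0) { free(e.value); return 0; }
    size_t n = e.length;
    if (n < outsz) memcpy(out, e.value, n + 1); else n = 0;                   /* out too small: fail */
    free(e.value);
    return n;
}

int main(void)
{
    char buf[16]; size_t n = chained_assign_demo(buf, sizeof buf);
    printf("final value: \"%s\" (%zu bytes)\n", buf, n); return n == 3 ? 0 : 1;   /* final value: "abb" (3 bytes) */
}
```

Swapping `update_value_safe` for `update_value_buggy` in the second call reproduces the invalid read under valgrind, since `e.value + 1` then points into the block freed on the first line of the routine.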
[24 Dec 2010 13:21] Valeriy Kravchuk
Verified with current mysql-trunk on 32-bit Ubuntu 10.04:

Version: '5.6.2-m5-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
==19802== Thread 18:
==19802== Invalid read of size 1
==19802==    at 0x40274E8: memmove (mc_replace_strmem.c:629)
==19802==    by 0x83DD53E: update_hash(user_var_entry*, bool, void*, unsigned int, Item_result, charset_info_st*, Derivation, bool) (item_func.cc:4352)
==19802==    by 0x83DD64C: Item_func_set_user_var::update_hash(void*, unsigned int, Item_result, charset_info_st*, Derivation, bool) (item_func.cc:4376)
==19802==    by 0x83DE04C: Item_func_set_user_var::update() (item_func.cc:4652)
==19802==    by 0x819C8EA: set_var_user::update(THD*) (set_var.cc:714)
==19802==    by 0x819C40B: sql_set_variables(THD*, List<set_var_base>*) (set_var.cc:575)
==19802==    by 0x8215E87: mysql_execute_command(THD*) (sql_parse.cc:3097)
==19802==    by 0x821CBEB: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:5550)
==19802==    by 0x8210802: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1078)
==19802==    by 0x820FB8D: do_command(THD*) (sql_parse.cc:815)
==19802==    by 0x82EDF66: do_handle_one_connection(THD*) (sql_connect.cc:748)
==19802==    by 0x82EDB64: handle_one_connection (sql_connect.cc:684)
==19802==  Address 0x614b067 is 55 bytes inside a block of size 56 free'd
==19802==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==19802==    by 0x853932A: my_free (my_malloc.c:128)
==19802==    by 0x83DD49E: update_hash(user_var_entry*, bool, void*, unsigned int, Item_result, charset_info_st*, Derivation, bool) (item_func.cc:4328)
==19802==    by 0x83DD64C: Item_func_set_user_var::update_hash(void*, unsigned int, Item_result, charset_info_st*, Derivation, bool) (item_func.cc:4376)
==19802==    by 0x83DDFB4: Item_func_set_user_var::update() (item_func.cc:4641)
==19802==    by 0x819C8EA: set_var_user::update(THD*) (set_var.cc:714)
==19802==    by 0x819C40B: sql_set_variables(THD*, List<set_var_base>*) (set_var.cc:575)
==19802==    by 0x8215E87: mysql_execute_command(THD*) (sql_parse.cc:3097)
==19802==    by 0x821CBEB: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:5550)
==19802==    by 0x8210802: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1078)
==19802==    by 0x820FB8D: do_command(THD*) (sql_parse.cc:815)
==19802==    by 0x82EDF66: do_handle_one_connection(THD*) (sql_connect.cc:748)
==19802== 
==19802== Invalid read of size 1
==19802==    at 0x40274FA: memmove (mc_replace_strmem.c:629)
==19802==    by 0x83DD53E: update_hash(user_var_entry*, bool, void*, unsigned int, Item_result, charset_info_st*, Derivation, bool) (item_func.cc:4352)
==19802==    by 0x83DD64C: Item_func_set_user_var::update_hash(void*, unsigned int, Item_result, charset_info_st*, Derivation, bool) (item_func.cc:4376)
==19802==    by 0x83DE04C: Item_func_set_user_var::update() (item_func.cc:4652)
==19802==    by 0x819C8EA: set_var_user::update(THD*) (set_var.cc:714)
==19802==    by 0x819C40B: sql_set_variables(THD*, List<set_var_base>*) (set_var.cc:575)
==19802==    by 0x8215E87: mysql_execute_command(THD*) (sql_parse.cc:3097)
==19802==    by 0x821CBEB: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:5550)
==19802==    by 0x8210802: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1078)
==19802==    by 0x820FB8D: do_command(THD*) (sql_parse.cc:815)
==19802==    by 0x82EDF66: do_handle_one_connection(THD*) (sql_connect.cc:748)
==19802==    by 0x82EDB64: handle_one_connection (sql_connect.cc:684)
[25 Jan 2011 9:05] Øystein Grøvlen
Also observed on 5.5 branch.
[8 Feb 2011 7:23] Tor Didriksen
Not a regression, exists in 5.1 as well.