Bug #59180 slight variation in testcase of bug #58175 expose bug in 5.1
Submitted: 27 Dec 2010 7:43 Modified: 22 May 2011 14:46
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Can't repeat Impact on me: None
Category: MySQL Server: XML functions Severity: S2 (Serious)
Version: 5.1.55 OS: Any
Assigned to: CPU Architecture: Any

[27 Dec 2010 7:43] Shane Bester
Description:
5.1.55 suffers from something like bug #58175

Debugger has detached.  Valgrind regains control.  We continue.
Use of uninitialised value of size 8
at: nr_of_decimals (item.cc:5271)
by: Item_float::Item_float (item.cc:5306)
by: my_xpath_parse_Number (item_xmlfunc.cc:2363)
by: my_xpath_parse_PrimaryExpr (item_xmlfunc.cc:1863)
by: my_xpath_parse_FilterExpr (item_xmlfunc.cc:2010)
by: my_xpath_parse_FilterExpr_opt_slashes_RelativeLocationPath (item_xmlfunc.cc:1968)
by: my_xpath_parse_PathExpr (item_xmlfunc.cc:1987)
by: my_xpath_parse_UnionExpr (item_xmlfunc.cc:1931)
by: my_xpath_parse_UnaryExpr (item_xmlfunc.cc:2317)
by: my_xpath_parse_MultiplicativeExpr (item_xmlfunc.cc:2274)
by: my_xpath_parse_AdditiveExpr) (item_xmlfunc.cc:2226)
by: my_xpath_parse_RelationalExpr (item_xmlfunc.cc:2184)
by: my_xpath_parse_EqualityExpr (item_xmlfunc.cc:2123)
by: my_xpath_parse_AndExpr (item_xmlfunc.cc:2058)
by: my_xpath_parse_OrExpr (item_xmlfunc.cc:2027)
by: my_xpath_parse (item_xmlfunc.cc:2560)
by: Item_xml_str_func::fix_length_and_dec (item_xmlfunc.cc:2599)
by: Item_func::fix_fields (item_func.cc:205)
by: Item_str_func::fix_fields (item_strfunc.cc:63)
by: Item_func::fix_fields (item_func.cc:178)
by: Item_func::fix_fields (item_func.cc:178)
by: setup_fields (sql_base.cc:7561)
by: mysql_do (sql_do.cc:26)
by: mysql_execute_command (sql_parse.cc:2315)
by: mysql_parse (sql_parse.cc:6075)
by: dispatch_command (sql_parse.cc:1261)
by: do_command (sql_parse.cc:889)
by: handle_one_connection (sql_connect.cc:1149)
by: start_thread (pthread_create.c:301)

Uninitialised value was created by a heap allocation
at: malloc (vg_replace_malloc.c:195)
by: my_malloc (my_malloc.c:35)
by: String::real_alloc (sql_string.cc:51)
by: String::alloc (sql_string.h:209)
by: String::copy (sql_string.cc:355)
by: String::set_real (sql_string.cc:184)
by: Item_func_format::val_str (item_strfunc.cc:2125)
by: Item_xml_str_func::fix_length_and_dec (item_xmlfunc.cc:2591)
by: Item_func::fix_fields (item_func.cc:205)
by: Item_str_func::fix_fields (item_strfunc.cc:63)
by: Item_func::fix_fields (item_func.cc:178)
by: Item_func::fix_fields (item_func.cc:178)
by: setup_fields (sql_base.cc:7561)
by: mysql_do (sql_do.cc:26)
by: mysql_execute_command (sql_parse.cc:2315)
by: mysql_parse (sql_parse.cc:6075)
by: dispatch_command (sql_parse.cc:1261)
by: do_command (sql_parse.cc:889)
by: handle_one_connection (sql_connect.cc:1149)
by: start_thread (pthread_create.c:301)

How to repeat:
#run 5.1 mysqld in valgrind then,
select extractvalue(null,format('126','126'));
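The valgrind trace above reports an uninitialised read inside a decimal-counting routine that was handed a heap-allocated, length-delimited String buffer produced by FORMAT(). The following C program is an added illustration of that defect class and is not MySQL's code: the functions `count_decimals_unbounded`, `count_decimals_bounded`, `make_unterminated` and `demo` are hypothetical stand-ins, not `nr_of_decimals`, `Item_float` or `String`. It copies a value into a heap buffer without a NUL terminator, places constructed "stale" bytes after it in place of real uninitialised memory, and shows that a scan which ignores the logical length returns a result that depends on those trailing bytes while the bounded scan does not.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Defective variant (hypothetical): assumes a NUL terminator and ignores the
   caller's length, so on a length-delimited buffer that was never terminated
   it keeps reading whatever bytes happen to follow the value. */
static unsigned count_decimals_unbounded(const char *str)
{
    const char *p = str;
    while (*p && *p != '.')
        p++;
    if (*p != '.')
        return 0;
    p++;
    unsigned n = 0;
    while (*p >= '0' && *p <= '9') { n++; p++; }
    return n;
}

/* Hardened variant (hypothetical): every read is bounded by [str, str+len). */
static unsigned count_decimals_bounded(const char *str, size_t len)
{
    const char *end = str + len;
    const char *p = str;
    while (p < end && *p != '.')
        p++;
    if (p == end)
        return 0;
    p++;
    unsigned n = 0;
    while (p < end && *p >= '0' && *p <= '9') { n++; p++; }
    return n;
}

/* Builds a heap buffer holding `value` WITHOUT a NUL terminator, followed by
   constructed stale bytes that stand in for uninitialised heap content.
   A single NUL is kept at the very end so the demo stays inside the allocation
   (real uninitialised memory offers no such guarantee). */
static char *make_unterminated(const char *value, const char *stale_tail)
{
    size_t vlen = strlen(value), tlen = strlen(stale_tail);
    char *buf = malloc(vlen + tlen + 1);
    if (!buf)
        abort();
    memcpy(buf, value, vlen);                 /* no terminator after the value */
    memcpy(buf + vlen, stale_tail, tlen + 1); /* stale bytes plus final NUL */
    return buf;
}

/* Runs both scans over the same length-delimited value and reports whether
   they disagree (1) or agree (0); the counts are returned via out-params. */
static int demo(const char *value, const char *stale_tail,
                unsigned *unbounded, unsigned *bounded)
{
    char *buf = make_unterminated(value, stale_tail);
    *unbounded = count_decimals_unbounded(buf);
    *bounded = count_decimals_bounded(buf, strlen(value));
    free(buf);
    return *unbounded != *bounded;
}

int main(void)
{
    unsigned u, b;
    /* "126" mirrors the repro's FORMAT() argument; the tail is constructed. */
    demo("126", "7.25xyz", &u, &b);
    printf("unbounded scan: %u decimals, bounded scan: %u decimals\n", u, b);
    return 0;
}
```

Under valgrind the unbounded variant is exactly what shows up as "Use of uninitialised value": the scan itself is deterministic, but its input extends past the bytes the allocation was ever written with. Passing the length through to the scanner, as the bounded variant does, removes the dependency on the buffer's tail entirely.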
[28 Dec 2010 11:41] Valeriy Kravchuk
For some reason I do not see this with current mysql-5.1-security (compile-pentium-valgrind-max build) tree on 32-bit Ubuntu 10.04. Server was started with:

valgrind -v --leak-check=full libexec/mysqld --no-defaults
[30 Dec 2010 8:07] Sveta Smirnova
Not repeatable for me either.