Description:
Oracle's tool called Discover detects UMR (Uninitialized Memory Read)
in mysqld server when executing '1st' test case located inside
MySQL 5.7.10. This UMR was produced on Sparc Solaris 11.3 T7 system,
but it's not platform specific, and can occur on any other platform.
Error message and call stack reported by Discover looks like this:
======================================
(UMR): accessing uninitialized data ... (8 bytes) on the stack:
lock_table_create(dict_table_t*, unsigned long, trx_t*) + 0x1c54 <lock0lock.cc : 3748>
3748:=> ut_list_append(table->locks, lock, TableLockGetNode());
lock_table(unsigned long, dict_table_t*, lock_mode, que_thr_t*) + 0x868 <lock0lock.cc : 4095>
4095:=> lock_table_create(table, mode | flags, trx);
row_sel_step(que_thr_t*) + 0x1444 <row0sel.cc : 2368>
2368:=> thr);
que_thr_step(que_thr_t*) + 0x1144 <que0que.cc : 1034>
1034:=> thr = row_sel_step(thr);
que_run_threads_low(que_thr_t*) + 0x33c <que0que.cc : 1118>
1118:=> next_thr = que_thr_step(thr);
que_run_threads(que_thr_t*) + 0x1e0 <que0que.cc : 1158>
1158:=> que_run_threads_low(thr);
que_eval_sql(pars_info_t*, const char*, unsigned long, trx_t*) + 0xc10 <que0que.cc : 1235>
1235:=> que_run_threads(thr);
row_merge_drop_temp_indexes() + 0x528 <row0merge.cc : 3701>
3701:=> error = que_eval_sql(NULL, sql, FALSE, trx);
======================================
How to repeat:
1. If you have access to Discover tool, and latest Sun Studio C/C++ compilers
you need to build MySQL-5.7.10 sources in debug mode on Solaris Sparc,
then launch discover binary with input argument as mysqld binary,
and when completed to take a look inside mysql.html file which should
contain call stack shown in description above.
2. If you do not have access to Discover, you need to debug MySQL server
with '1st' test case, and to see that TableLockGetNode() call located
inside storage/innobase/lock/lock0lock.cc/ lines ~3748
ut_list_append(table->locks, lock, TableLockGetNode());
is indeed uninitialized before that point. It should have 1 input argument
because 3-rd parameter 'Functor get_node' inside ut_list_append()
template function definition has such input argument, as it can be seen
from storage/innobase/include/ut0lst.h file:
ut_list_append(
....
Functor get_node)
{
typename List::node_type& node = get_node(*elem);
Below is 34 lines independent executable t.cc test case which accurately
simulates original issue. For it Discover produces exactly the same UMR
message as for original mysqld server.
t.cc
===================================
t.cc
===================================
struct lock_t;
template <typename Type> struct ut_list_node {
Type* prev;
Type* next;
};
struct lock_table_t {
ut_list_node<lock_t> locks;
};
struct lock_t {
union {
lock_table_t tab_lock;
unsigned type_mode;
} un_member;
};
struct TableLockGetNode {
ut_list_node<lock_t>& operator() (lock_t& elem) {
return(elem.un_member.tab_lock.locks);
}
};
template <typename Functor> void ut_list_append(lock_t *elem, Functor get_node){
get_node(*elem);
};
int main () {
lock_t lc,*lock=&lc,*lock2;
lock_table_t ltt;
ut_list_node<lock_t> uln;
uln.prev=lock;
uln.next=lock;
ltt.locks=uln;
lock2=lock;
ut_list_append(lock,TableLockGetNode());
return 0;
}
===================================
Suggested fix:
Define constructor for TableLockGetNode struct with 1 input argument
so that it will match 3-rd parameter of ut_list_append() template function.