Bug #88133 Conditional jump or move depends on uninitialised value (gcalc_tools.cc:1276)
Submitted: 18 Oct 2017 6:42 Modified: 7 Nov 2017 14:04
Reporter: yghmgl yang
Status: Duplicate
Category:MySQL Server: DML Severity:S3 (Non-critical)
Version:5.6.37 OS:Any
Assigned to: CPU Architecture:Any
Tags: debug valgrind-build

[18 Oct 2017 6:42] yghmgl yang
Description:
==33545== Conditional jump or move depends on uninitialised value(s)
==33545==    at 0x9498C5: Gcalc_operation_reducer::get_result(Gcalc_result_receiver*) (gcalc_tools.cc:1276)
==33545==    by 0x6D54BD: Item_func_spatial_operation::val_str(String*) (item_geofunc.cc:1061)
==33545==    by 0x6D21AB: Item_func_as_wkt::val_str_ascii(String*) (item_geofunc.cc:146)
==33545==    by 0x6DC21F: Item_str_func::val_str_from_val_str_ascii(String*, String*) (item_strfunc.cc:78)
==33545==    by 0x6A86CD: Item_str_ascii_func::val_str(String*) (item_strfunc.h:81)
==33545==    by 0x66E3E0: Item::send(Protocol*, String*) (item.cc:6899)
==33545==    by 0x72F963: Protocol::send_result_set_row(List<Item>*) (protocol.cc:844)
==33545==    by 0x7A13AC: select_send::send_data(List<Item>&) (sql_class.cc:2526)
==33545==    by 0x7B8539: JOIN::exec() (sql_executor.cc:151)
==33545==    by 0x81BC5E: mysql_execute_select(THD*, st_select_lex*, bool) (sql_select.cc:1101)
==33545==    by 0x81BF50: mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, SQL_I_List<st_order>*, SQL_I_List<st_order>*, Item*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:1222)
==33545==    by 0x81A049: handle_select(THD*, select_result*, unsigned long) (sql_select.cc:110)
==33545==    by 0x7F277F: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5237)
==33545==    by 0x7EB005: mysql_execute_command(THD*) (sql_parse.cc:2695)
==33545==    by 0x7F528B: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:6489)
==33545==    by 0x7E8005: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1377)
==33545==    by 0x7E7037: do_command(THD*) (sql_parse.cc:1040)
==33545==    by 0x20973B67: threadpool_process_request(THD*) (threadpool_common.cc:321)
==33545==    by 0x20976A37: handle_event(connection_t*) (threadpool_unix.cc:1611)
==33545==    by 0x20976C94: worker_main(void*) (threadpool_unix.cc:1664)
==33545==    by 0xB99FDC: pfs_spawn_thread (pfs.cc:1860)
==33545==    by 0x5043DC4: start_thread (in /usr/lib64/libpthread-2.17.so)
==33545==    by 0x61AC21C: clone (in /usr/lib64/libc-2.17.so)
==33545==  Uninitialised value was created by a heap allocation
==33545==    at 0x4C29C23: malloc (vg_replace_malloc.c:299)

a core file was created and the stack is like this

#0  0x0000000005048741 in pthread_kill () from /lib64/libpthread.so.0
#1  0x0000000000ad9a6e in my_write_core (sig=11) at /sda/src/valgrind/rds-mysql/mysys/stacktrace.c:424
#2  0x000000000073895c in handle_fatal_signal (sig=11) at /sda/src/valgrind/rds-mysql/sql/signal_handler.cc:230
#3  <signal handler called>
#4  0x000000000094931c in Gcalc_operation_reducer::get_result_thread (this=0x360db4b0, cur=0x8f8f8f8f8f8f8f8f, storage=0x360db448, move_upward=1) at /sda/src/valgrind/rds-mysql/sql/gcalc_tools.cc:1137
#5  0x00000000009495c6 in Gcalc_operation_reducer::get_line_result (this=0x360db4b0, cur=0x35c3a598, storage=0x360db448) at /sda/src/valgrind/rds-mysql/sql/gcalc_tools.cc:1206
#6  0x0000000000949a00 in Gcalc_operation_reducer::get_result (this=0x360db4b0, storage=0x360db448) at /sda/src/valgrind/rds-mysql/sql/gcalc_tools.cc:1301
#7  0x00000000006d54be in Item_func_spatial_operation::val_str (this=0x360db2c8, str_value=0x41c5bc0) at /sda/src/valgrind/rds-mysql/sql/item_geofunc.cc:1061
#8  0x00000000006d21ac in Item_func_as_wkt::val_str_ascii (this=0x360db688, str=0x41c5d80) at /sda/src/valgrind/rds-mysql/sql/item_geofunc.cc:146
#9  0x00000000006dc220 in Item_str_func::val_str_from_val_str_ascii (this=0x360db688, str=0x41c5d80, str2=0x360db758) at /sda/src/valgrind/rds-mysql/sql/item_strfunc.cc:78
#10 0x00000000006a86ce in Item_str_ascii_func::val_str (this=0x360db688, str=0x41c5d80) at /sda/src/valgrind/rds-mysql/sql/item_strfunc.h:81
#11 0x000000000066e3e1 in Item::send (this=0x360db688, protocol=0x2ff10d10, buffer=0x41c5d80) at /sda/src/valgrind/rds-mysql/sql/item.cc:6899
#12 0x000000000072f964 in Protocol::send_result_set_row (this=0x2ff10d10, row_items=0x2ff12ec8) at /sda/src/valgrind/rds-mysql/sql/protocol.cc:844
#13 0x00000000007a13ad in select_send::send_data (this=0x360db928, items=...) at /sda/src/valgrind/rds-mysql/sql/sql_class.cc:2526
#14 0x00000000007b853a in JOIN::exec (this=0x360db950) at /sda/src/valgrind/rds-mysql/sql/sql_executor.cc:151
#15 0x000000000081bc5f in mysql_execute_select (thd=0x2ff107f0, select_lex=0x2ff12da8, free_join=true) at /sda/src/valgrind/rds-mysql/sql/sql_select.cc:1101
#16 0x000000000081bf51 in mysql_select (thd=0x2ff107f0, tables=0x0, wild_num=0, fields=..., conds=0x0, order=0x2ff12f70, group=0x2ff12ea8, having=0x0, select_options=68855596032, result=0x360db928, unit=0x2ff12760, select_lex=0x2ff12da8)
    at /sda/src/valgrind/rds-mysql/sql/sql_select.cc:1222
#17 0x000000000081a04a in handle_select (thd=0x2ff107f0, result=0x360db928, setup_tables_done_option=0) at /sda/src/valgrind/rds-mysql/sql/sql_select.cc:110
#18 0x00000000007f2780 in execute_sqlcom_select (thd=0x2ff107f0, all_tables=0x0) at /sda/src/valgrind/rds-mysql/sql/sql_parse.cc:5237
#19 0x00000000007eb006 in mysql_execute_command (thd=0x2ff107f0) at /sda/src/valgrind/rds-mysql/sql/sql_parse.cc:2695
#20 0x00000000007f528c in mysql_parse (thd=0x2ff107f0, rawbuf=0x360d96e0 "SELECT ST_ASTEXT(ST_SYMDIFFERENCE( LINESTRING(POINT(0,0), POINT(POW(2,32),POW(2,32)), POINT(POW(2,32),70)), ST_ENVELOPE( LINESTRING(POINT(POW(2,64),POWER(2,64)), POINT(4294967211,0)))))", 
    length=185, parser_state=0x41c75e0) at /sda/src/valgrind/rds-mysql/sql/sql_parse.cc:6489
#21 0x00000000007e8006 in dispatch_command (command=COM_QUERY, thd=0x2ff107f0, packet=0x307652c1 "", packet_length=186) at /sda/src/valgrind/rds-mysql/sql/sql_parse.cc:1377
#22 0x00000000007e7038 in do_command (thd=0x2ff107f0) at /sda/src/valgrind/rds-mysql/sql/sql_parse.cc:1040
#23 0x0000000020973b68 in threadpool_process_request (thd=0x2ff107f0) at /sda/src/valgrind/rds-mysql/plugin/threadpool/threadpool_common.cc:321
#24 0x0000000020976a38 in handle_event (connection=0x3008b030) at /sda/src/valgrind/rds-mysql/plugin/threadpool/threadpool_unix.cc:1611
#25 0x0000000020976c95 in worker_main (param=0x20b7c600 <all_groups+2048>) at /sda/src/valgrind/rds-mysql/plugin/threadpool/threadpool_unix.cc:1664
#26 0x0000000000b99fdd in pfs_spawn_thread (arg=0x2ff1cce0) at /sda/src/valgrind/rds-mysql/storage/perfschema/pfs.cc:1860
#27 0x0000000005043dc5 in start_thread () from /lib64/libpthread.so.0
#28 0x00000000061ac21d in clone () from /lib64/libc.so.6
(gdb) f 5
#5  0x00000000009495c6 in Gcalc_operation_reducer::get_line_result (this=0x360db4b0, cur=0x35c3a598, storage=0x360db448) at /sda/src/valgrind/rds-mysql/sql/gcalc_tools.cc:1206
1206	  DBUG_RETURN(get_result_thread(cur, storage, move_upward) ||
(gdb) p *cur
$9 = {<Gcalc_dyn_list::Item> = {m_item_id = 9, next = 0x35c3a4e8}, m_outer_poly = 0x8f8f8f8f8f8f8f8f, intersection_point = false, x = -9.9261575707946013e-234, y = -9.9261575707946013e-234, up = 0x8f8f8f8f8f8f8f8f, down = 0x0, glue = 0x0, {pi = 0x35c3a598, 
    first_poly_node = 0x35c3a598}, prev_hook = 0x360db500}
(gdb) f 4
#4  0x000000000094931c in Gcalc_operation_reducer::get_result_thread (this=0x360db4b0, cur=0x8f8f8f8f8f8f8f8f, storage=0x360db448, move_upward=1) at /sda/src/valgrind/rds-mysql/sql/gcalc_tools.cc:1137
1137	      if (cur->intersection_point)
(gdb) l
1132	  double x, y;
1133	  while (cur)
1134	  {
1135	    if (!glue_step)
1136	    {
1137	      if (cur->intersection_point)
1138	      {
1139	        x= float_to_coord(cur->x);
1140	        y= float_to_coord(cur->y);
1141	      }
(gdb) p cur->intersection_point
Cannot access memory at address 0x8f8f8f8f8f8f8fa7
(gdb) 

The uninitialized class member pointer (`up`, see the `p *cur` output above) holds the value 0x8f8f8f8f8f8f8f8f, which is not a valid address, and dereferencing it in get_result_thread() crashes the server.

How to repeat:
pquery executes random SQL statements, so it is hard to find which statement causes this issue, but it happens every day in my daily test. The statement being executed at the time of the crash is visible in frame #20 of the gdb stack above.

Suggested fix:
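  /*
    One node of the result produced by Gcalc_operation_reducer.

    NOTE(review): the valgrind report attributes the uninitialised value to
    a plain heap allocation (malloc), and the core dump shows `up` holding
    the fill value 0x8f8f8f8f8f8f8f8f.  The constructor below gives every
    member a defined value, but it only takes effect if the allocation path
    actually constructs the object (operator new / placement new).  If
    Gcalc_dyn_list hands out raw malloc'd storage via a cast, the members
    must additionally be reset where the item is allocated -- confirm against
    Gcalc_dyn_list::new_item().
  */
  class res_point : public Gcalc_dyn_list::Item
  {
    res_point *m_outer_poly;    // set by set_outer_poly(); may be NULL
  public:
    bool intersection_point;    // when set, get_result_thread() reads x,y
                                // (gcalc_tools.cc:1137-1140)
    double x,y;
    res_point *up;
    res_point *down;
    res_point *glue;
    union
    {
      const Gcalc_heap::Info *pi; // is valid before get_result_thread()
      res_point *first_poly_node; // is valid after get_result_thread()
    };
    Gcalc_dyn_list::Item **prev_hook;

    /*
      Initialise every member explicitly so that no pointer can be
      dereferenced before it has been assigned.  Only one member of the
      anonymous union can appear in the initialiser list; `pi` is chosen
      because it is the one that is valid before get_result_thread().
    */
    res_point()
      : m_outer_poly(NULL), intersection_point(false), x(0.0), y(0.0),
        up(NULL), down(NULL), glue(NULL), pi(NULL), prev_hook(NULL)
    {}

    /* The successor in the dyn list, viewed as a res_point. */
    res_point *get_next() { return (res_point *)next; }

    /* Record the enclosing polygon node (NULL allowed) and trace it. */
    void set_outer_poly(res_point *p)
    {
      m_outer_poly= p;
      DBUG_PRINT("info", ("setting outer_poly of #%u to #%u",
                          item_id(),
                          m_outer_poly ? m_outer_poly->item_id() : 0));
    }
    res_point *get_outer_poly() { return m_outer_poly; }
  };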

When a res_point is instantiated, class members such as intersection_point, up, down and glue are not initialized; valgrind attributes the uninitialised value to the heap allocation (malloc) shown in the report above.
[7 Nov 2017 14:04] MySQL Verification Team
Duplicate of bug: https://bugs.mysql.com/bug.php?id=78201.