segfault in Item_char_typecast::fix_length_and_dec, bad cast_cs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Drizzle | Fix Released | Critical | Brian Aker |
Cherry | Fix Released | Critical | Brian Aker |
Bug Description
Caught with randgen, getting the following during a test:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fdb9d662910 (LWP 12176)]
drizzled:
at drizzled/
185 (!my_charset_
&my_charset_bin && cast_cs != &my_charset_bin);
(gdb) bt
#0 drizzled:
at drizzled/
#1 0x0000000000524314 in drizzled:
session=
#2 0x00000000005389f9 in drizzled:
session=0x1f8, ref=0x1) at drizzled/
#3 0x00000000005ecaa0 in drizzled:
ref_
mark_
at drizzled/
#4 0x00000000006205f2 in drizzled:
table_
values=<value optimized out>, conds=0x2aa3e28,
order_
ignore=false) at drizzled/
#5 0x000000000064298a in drizzled:
at drizzled/
#6 0x00000000006054c4 in mysql_execute_
at drizzled/
#7 0x0000000000606c45 in drizzled:
inBuf=0x2bd5b48 "UPDATE `table1_
at drizzled/
#8 0x00000000006070cd in drizzled:
command=<value optimized out>, session=0x307a3a0,
packet=
packet_
#9 0x00000000005da54f in drizzled:
at drizzled/
#10 0x00000000005dbe32 in drizzled:
at drizzled/
#11 0x00007fdba44fa352 in MultiThreadSche
arg=<value optimized out>) at ./plugin/
#12 session_thread (arg=<value optimized out>)
at plugin/
#13 0x00007fdbb70f3a04 in start_thread (arg=<value optimized out>)
at pthread_
(gdb) frame 0
#0 drizzled:
at drizzled/
185 (!my_charset_
(gdb) print cast_cs
$1 = (const drizzled:
(gdb) print cast_cs->mbmaxlen
Cannot access memory at address 0x28c
(gdb) print *this
$25 = {<drizzled:
marker = 0 '\000', decimals = 31 '\037', fixed = false,
tmp_arg = {0x2aa3aa8, 0x0}, allowed_arg_cols = 1, arg_count = 1,
cast_length = -1, cast_cs = 0x1f8, from_cs = 0xb160e0,
charset_
Alloced_length = 0, alloced = false, str_charset = 0xb102e0}}
This dereference is causing the segfault. The cast_cs member is invalid, but the rest of the object seems to be intact. The query being run is:
UPDATE `table1_
Not sure of the rest of the query context around this, look into randgen for it. Hopefully there is something obvious with the cast_cs member and surrounding object.
Changed in drizzle:
status: New → Confirmed
importance: Undecided → Critical
Almost guarantee that this is caused by misalignment in the variables bookmark cleanup in drizzled/plugin/loader.cc. That code needs to be completely rewritten.
-jay