Memory freed in subselect_hash_sj_engine::cleanup() is subsequently accessed
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MariaDB | New | High | Sergey Petrunia |
Bug Description
The following valgrind traces show that memory which has already been freed is subsequently accessed:
==25409== Invalid write of size 1
==25409== at 0x6F8122: mark_as_
==25409== by 0x756264: return_
:10232)
==25409== by 0x756BC7: JOIN::exec() (sql_select.
==25409== by 0x752D75: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_
==25409== by 0x75919F: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==25409== by 0x6A4DCB: execute_
==25409== by 0x6A6EAB: mysql_execute_
==25409== by 0x6AFC96: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6110)
==25409== by 0x6B0824: dispatch_
==25409== by 0x6B1E4E: do_command(THD*) (sql_parse.cc:916)
==25409== by 0x69C2E2: handle_
==25409== by 0x33B600673C: start_thread (in /lib64/
==25409== by 0x33B58D40CC: clone (in /lib64/libc-2.5.so)
==25409== Address 0x285b39e8 is 2,136 bytes inside a block of size 4,148 free'd
==25409== at 0x4A05A31: free (vg_replace_
==25409== by 0xBE0475: _myfree (safemalloc.c:335)
==25409== by 0xBDF67F: free_root (my_alloc.c:364)
==25409== by 0x72EF6F: free_tmp_
==25409== by 0x630FE2: subselect_
==25409== by 0x631C0C: Item_subselect:
==25409== by 0x631D6B: Item_in_
==25409== by 0x738314: st_join_
==25409== by 0x738450: JOIN::cleanup(bool) (sql_select.
==25409== by 0x7386A3: JOIN::join_free() (sql_select.
==25409== by 0x756235: return_
:10225)
==25409== by 0x756BC7: JOIN::exec() (sql_select.
==25409== by 0x752D75: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_
==25409== by 0x75919F: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==25409== by 0x6A4DCB: execute_
==25409== by 0x6A6EAB: mysql_execute_
and
==25409== Invalid read of size 1
==25409== at 0x62BBC1: subselect_
==25409== by 0x62BC69: subselect_
==25409== by 0x631576: Item_subselect:
==25409== by 0x5C9A84: Item_func:
==25409== by 0x5E6A4F: Item_cond:
==25409== by 0x758499: JOIN::exec() (sql_select.
==25409== by 0x752D75: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_
==25409== by 0x75919F: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==25409== by 0x6A4DCB: execute_
==25409== by 0x6A6EAB: mysql_execute_
==25409== by 0x6AFC96: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6110)
==25409== by 0x6B0824: dispatch_
==25409== by 0x6B1E4E: do_command(THD*) (sql_parse.cc:916)
==25409== by 0x69C2E2: handle_
==25409== by 0x33B600673C: start_thread (in /lib64/
==25409== by 0x33B58D40CC: clone (in /lib64/libc-2.5.so)
==25409== Address 0x2884b78d is 2,141 bytes inside a block of size 4,148 free'd
==25409== at 0x4A05A31: free (vg_replace_
==25409== by 0xBE0475: _myfree (safemalloc.c:335)
==25409== by 0xBDF67F: free_root (my_alloc.c:364)
==25409== by 0x72EF6F: free_tmp_
==25409== by 0x630FE2: subselect_
==25409== by 0x631C0C: Item_subselect:
==25409== by 0x631D6B: Item_in_
==25409== by 0x738314: st_join_
==25409== by 0x738450: JOIN::cleanup(bool) (sql_select.
==25409== by 0x7386A3: JOIN::join_free() (sql_select.
==25409== by 0x757EE2: JOIN::exec() (sql_select.
==25409== by 0x752D75: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_
==25409== by 0x75919F: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==25409== by 0x6A4DCB: execute_
==25409== by 0x6A6EAB: mysql_execute_
==25409== by 0x6AFC96: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6110)
==25409==
RQG command line:
perl runall.pl --queries=100000000 --debug --seed=time --mysqld1=
Changed in maria:
milestone: none → 5.3
assignee: nobody → Sergey Petrunia (sergefp)

Changed in maria:
importance: Undecided → High