PBXT

jump or move depends on uninitialised value in my_type_to_string

Bug #451085 reported by Oleksandr "Sanja" Byelkin
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MariaDB
Fix Released
Undecided
Unassigned
PBXT
Fix Released
Undecided
Vladimir Kolesnikov

Bug Description

valgrind see 2 jump or move depends on uninitialised value in my_type_to_string in cast test:
==11018== Conditional jump or move depends on uninitialised value(s)
==11018== at 0x5AAF7D: String::c_ptr() (sql_string.h:110)
==11018== by 0x9BC1A7: my_type_to_string(XTThread*, Field*, st_table*) (myxt_xt.cc:2820)
==11018== by 0x9BC42D: XTDDColumnFactory::createFromMySQLField(XTThread*, st_table*, Field*) (myxt_xt.cc:3266)
==11018== by 0x9BC6D1: myxt_create_table_from_table(XTThread*, st_table*) (myxt_xt.cc:2856)
==11018== by 0x9AB221: ha_pbxt::create(char const*, st_table*, st_ha_create_information*) (ha_pbxt.cc:5063)
==11018== by 0x7A4B26: handler::ha_create(char const*, st_table*, st_ha_create_information*) (handler.cc:3376)
==11018== by 0x7A7C19: ha_create_table(THD*, char const*, char const*, char const*, st_ha_create_information*, bool) (handler.cc:3587)
==11018== by 0x75875B: rea_create_table(THD*, char const*, char const*, char const*, st_ha_create_information*, List<Create_field>&, unsigned int, st_key*, handler*) (unireg.cc:416)
==11018== by 0x7C61BE: mysql_create_table_no_lock(THD*, char const*, char const*, st_ha_create_information*, Alter_info*, bool, unsigned int) (sql_table.cc:3853)
==11018== by 0x7C658F: mysql_create_table(THD*, char const*, char const*, st_ha_create_information*, Alter_info*, bool, unsigned int) (sql_table.cc:3960)
==11018== by 0x67C4AA: mysql_execute_command(THD*) (sql_parse.cc:2732)
==11018== by 0x683ECE: mysql_parse(THD*, char const*, unsigned int, char const**) (sql_parse.cc:5979)
==11018== by 0x684CD8: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1223)
==11018== by 0x68602C: do_command(THD*) (sql_parse.cc:862)
==11018== by 0x671F79: handle_one_connection (sql_connect.cc:1130)
==11018== by 0x5048016: start_thread (in /lib64/libpthread-2.9.so)
==11018==
==11018== Conditional jump or move depends on uninitialised value(s)
==11018== at 0x9CBC3F: xt_strcat(unsigned long, char*, char const*) (strutil_xt.cc:75)
==11018== by 0x9BC207: my_type_to_string(XTThread*, Field*, st_table*) (myxt_xt.cc:2828)
==11018== by 0x9BC42D: XTDDColumnFactory::createFromMySQLField(XTThread*, st_table*, Field*) (myxt_xt.cc:3266)
==11018== by 0x9BC6D1: myxt_create_table_from_table(XTThread*, st_table*) (myxt_xt.cc:2856)
==11018== by 0x9AB221: ha_pbxt::create(char const*, st_table*, st_ha_create_information*) (ha_pbxt.cc:5063)
==11018== by 0x7A4B26: handler::ha_create(char const*, st_table*, st_ha_create_information*) (handler.cc:3376)
==11018== by 0x7A7C19: ha_create_table(THD*, char const*, char const*, char const*, st_ha_create_information*, bool) (handler.cc:3587)
==11018== by 0x75875B: rea_create_table(THD*, char const*, char const*, char const*, st_ha_create_information*, List<Create_field>&, unsigned int, st_key*, handler*) (unireg.cc:416)
==11018== by 0x7C61BE: mysql_create_table_no_lock(THD*, char const*, char const*, st_ha_create_information*, Alter_info*, bool, unsigned int) (sql_table.cc:3853)
==11018== by 0x7C658F: mysql_create_table(THD*, char const*, char const*, st_ha_create_information*, Alter_info*, bool, unsigned int) (sql_table.cc:3960)
==11018== by 0x67C4AA: mysql_execute_command(THD*) (sql_parse.cc:2732)
==11018== by 0x683ECE: mysql_parse(THD*, char const*, unsigned int, char const**) (sql_parse.cc:5979)
==11018== by 0x684CD8: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1223)
==11018== by 0x68602C: do_command(THD*) (sql_parse.cc:862)
==11018== by 0x671F79: handle_one_connection (sql_connect.cc:1130)
==11018== by 0x5048016: start_thread (in /lib64/libpthread-2.9.so)

for more cases see:

http://askmonty.org/buildbot/builders/gentoo-amd64-sanja/builds/4/steps/test_1/logs/mysqld.1.err.1
http://askmonty.org/buildbot/builders/gentoo-amd64-sanja/builds/4/steps/test_1/logs/mysqld.1.err.3
http://askmonty.org/buildbot/builders/gentoo-amd64-sanja/builds/4/steps/test_1/logs/mysqld.1.err.4

Can be repeated if run pbxt test suite under valgrind (valgrind build (one of BUILD/compile*valgrind* ) and --valgrind parameter of mysql-test-run)

Related branches

lp:~vkolesnikov/pbxt/pbxt-bug-451085
PBXT Core: Pending requested
Diff: 48 lines
2 files modified
ChangeLog (+2/-0)
src/myxt_xt.cc (+12/-3)
Vladimir Kolesnikov (vkolesnikov)
Changed in pbxt:
assignee: nobody → Vladimir Kolesnikov (vkolesnikov)
status: New → In Progress
Revision history for this message
Michael Widenius (monty) wrote : re: [Bug 451085] Re: jump or move depends on uninitialised value in my_type_to_string

Hi!

>>>>> "Oleksandr" == Oleksandr Byelkin <Oleksandr> writes:

Oleksandr> ** Also affects: maria
Oleksandr> Importance: Undecided
Oleksandr> Status: New

Oleksandr> --
Oleksandr> jump or move depends on uninitialised value in my_type_to_string
Oleksandr> https://bugs.launchpad.net/bugs/451085
Oleksandr> You received this bug notification because you are a member of Maria-
Oleksandr> captains, which is the registrant for Maria.

Oleksandr> Status in Maria: New
Oleksandr> Status in PrimeBase XT: New

Oleksandr> Bug description:
Oleksandr> valgFrind see 2 jump or move depends on uninitialised value in my_type_to_string in cast test:
Oleksandr> ==11018== Conditional jump or move depends on uninitialised value(s)
Oleksandr> ==11018== at 0x5AAF7D: String::c_ptr() (sql_string.h:110)
Oleksandr> ==11018== by 0x9BC1A7: my_type_to_string(XTThread*, Field*, st_table*) (myxt_xt.cc:2820)
Oleksandr> ==11018== by 0x9BC42D: XTDDColumnFactory::createFromMySQLField(XTThread*, st_table*, Field*) (myxt_xt.cc:3266)

The reason for c_ptr() giving an error is that this function checks if
the end pointer is zero, which in some cases may be not initialized
memory (this is still safe in 99.999% of all cases as all strings
points to thread specific memory).

<cut>

Proposed fix:

 ptr = type.c_ptr();
 if (ptr != buffer)
  xt_strcpy(sizeof(buffer), buffer, ptr);

->
 ptr = type.ptr();
 if (ptr != buffer)
  xt_strcpy(min(sizeof(buffer)-1,type.length(), buffer, ptr);

An even better solution would be to introduce xt_strmake()

char *xt_strmake(register char *dst, register const char *src, size_t length)
{
  memcpy(dst, src, length);
  dst[length]= 0;
}

and then use this instead of xt_strcpy()

This would be the fastest solution...

Regards,
Monty

Revision history for this message
Vladimir Kolesnikov (vkolesnikov) wrote :

Hi Monty,

thanks for the input. It was not me who wrote the original code, but when looking at it I've got into the .c_str() trap as well...

Vladimir Kolesnikov (vkolesnikov)
Changed in pbxt:
status: In Progress → Fix Committed
Michael Widenius (monty)
Changed in pbxt:
status: Fix Committed → Fix Released
Changed in maria:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers