Invalid memory accesses by mysqldump --innodb-optimize-keys

Bug #1517444 reported by Yura Sorokin on 2015-11-18
This bug affects 2 people
Affects          Status        Importance  Assigned to   Milestone
Percona Server   Fix Released  High        Yura Sorokin
  5.1            Won't Fix     Undecided   Unassigned
  5.5            Fix Released  High        Yura Sorokin
  5.6            Fix Released  High        Yura Sorokin
(Percona Server bug tracking moved to https://jira.percona.com/projects/PS)

Bug Description

When built with clang AddressSanitizer, the "mysqldump" utility crashes with the following output.

main.percona_mysqldump_innodb_optimize_keys w1 [ retry-fail ]
        Test ended at 2015-11-13 01:56:23

CURRENT_TEST: main.percona_mysqldump_innodb_optimize_keys
=================================================================
==99700==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000b3e7 at pc 0x00010d6fe1b7 bp 0x7fff52c97ad0 sp 0x7fff52c97280
WRITE of size 97 at 0x61200000b3e7 thread T0
    #0 0x10d6fe1b6 in __asan_memmove (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3a1b6)
    #1 0x10cf7403a in skip_secondary_keys mysqldump.c:2860
    #2 0x10cf703a0 in get_table_structure mysqldump.c:3272
    #3 0x10cf6a77e in dump_table mysqldump.c:4082
    #4 0x10cf6472f in dump_selected_tables mysqldump.c:5467
    #5 0x10cf6196a in main mysqldump.c:6674
    #6 0x7fff852ca5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #7 0x6 (<unknown module>)

Yura Sorokin (yura-sorokin) wrote :

Although the "mysqldump" code is the same in 5.7 and 5.6, for some reason ASan does not report this problem in 5.6.
However, when I ran 5.6 "mysqldump" under valgrind, it reports "Invalid read/write".
**************************************************************************************************************************
[yura@localhost percona-build]$ valgrind ./client/mysqldump -uroot -h127.0.0.1 -P13001 --skip-comments --innodb-optimize-keys test t1
==57781== Memcheck, a memory error detector
==57781== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==57781== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==57781== Command: ./client/mysqldump -uroot -h127.0.0.1 -P13001 --skip-comments --innodb-optimize-keys test t1
==57781==

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
DROP TABLE IF EXISTS `t1`;
==57781== Invalid write of size 2
==57781== at 0x4C2E006: memcpy@GLIBC_2.2.5 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==57781== by 0x40A0B3: skip_secondary_keys (mysqldump.c:2747)
==57781== by 0x40AF49: get_table_structure (mysqldump.c:3172)
==57781== by 0x40CCA5: dump_table (mysqldump.c:3922)
==57781== by 0x4106AB: dump_selected_tables (mysqldump.c:5268)
==57781== by 0x412EBC: main (mysqldump.c:6489)
==57781== Address 0x800de86 is 262 bytes inside a block of size 263 alloc'd
==57781== at 0x4C29BFD: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==57781== by 0x45A489: my_malloc (my_malloc.c:38)
==57781== by 0x454745: alloc_root (my_alloc.c:173)
==57781== by 0x41F230: cli_read_rows (client.c:1547)
==57781== by 0x42530C: mysql_store_result (client.c:4222)
==57781== by 0x407063: mysql_query_with_error_report (mysqldump.c:1178)
==57781== by 0x40AA19: get_table_structure (mysqldump.c:3011)
==57781== by 0x40CCA5: dump_table (mysqldump.c:3922)
==57781== by 0x4106AB: dump_selected_tables (mysqldump.c:5268)
==57781== by 0x412EBC: main (mysqldump.c:6489)
==57781==
==57781== Invalid read of size 1
==57781== at 0x409FD8: skip_secondary_keys (mysqldump.c:2727)
==57781== by 0x40AF49: get_table_structure (mysqldump.c:3172)
==57781== by 0x40CCA5: dump_table (mysqldump.c:3922)
==57781== by 0x4106AB: dump_selected_tables (mysqldump.c:5268)
==57781== by 0x412EBC: main (mysqldump.c:6489)
==57781== Address 0x800de87 is 0 bytes after a block of size 263 alloc'd
==57781== at 0x4C29BFD: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==57781== by 0x45A489: my_malloc (my_malloc.c:38)
==57781== by 0x454745: alloc_root (my_alloc.c:173)
==57781== by 0x41F230: cli_read_ro...

Yura Sorokin (yura-sorokin) wrote :

The problem is in the way secondary key definitions are restored in "skip_secondary_keys()".

Originally introduced in commit ecb27e6
(Bug #1081016: mysqldump --innodb-optimize-keys may produce invalid SQL with explicitly named FK constraints).
https://github.com/percona-ysorokin/percona-server/commit/ecb27e6af65e9ceb4392db0e9c51f43654201688
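The comment above locates the bug in how skip_secondary_keys() restores key definitions, and the Valgrind trace shows the write landing at byte 262 of a 263-byte block allocated by cli_read_rows(), i.e. the client library's own result-row buffer. The following is an added example, not mysqldump's code and not the fix that closed this bug: a C implementation of the same kind of split (move KEY / UNIQUE KEY lines out of a CREATE TABLE statement into an ALTER TABLE ... ADD KEY statement) that never writes into its input, sizes both outputs from the input length, checks every append against that capacity, and handles the dangling comma that removing the last key line leaves behind. The struct and function names and the sample statement are constructed for this example; the exact SQL mysqldump emits is not reproduced here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Both strings are freshly allocated; the input statement (in mysqldump a
 * row buffer owned by the client library) is never written to. */
struct split_result {
    char *create;   /* CREATE TABLE without the secondary KEY lines */
    char *alter;    /* ALTER TABLE ... ADD KEY ...; NULL when no key was moved */
    int   n_keys;   /* number of secondary keys moved */
};

/* Bounds-checked append: writes nothing and returns 0 if src does not fit
 * (the +1 keeps room for the terminating NUL). */
static int append(char *dst, size_t cap, size_t *len, const char *src, size_t n)
{
    if (*len + n + 1 > cap)
        return 0;
    memcpy(dst + *len, src, n);
    *len += n;
    dst[*len] = '\0';
    return 1;
}

/* A movable line starts with "KEY " or "UNIQUE KEY " after indentation;
 * PRIMARY KEY, FOREIGN KEY and CONSTRAINT lines stay in the CREATE TABLE. */
static int is_secondary_key(const char *line, size_t n)
{
    size_t i = 0;
    while (i < n && (line[i] == ' ' || line[i] == '\t'))
        i++;
    return (n - i >= 4 && memcmp(line + i, "KEY ", 4) == 0) ||
           (n - i >= 11 && memcmp(line + i, "UNIQUE KEY ", 11) == 0);
}

/* Returns 0 on success, -1 on allocation failure or capacity overrun. */
int split_secondary_keys(const char *stmt, const char *table,
                         struct split_result *out)
{
    size_t in_len = strlen(stmt);
    /* The stripped CREATE TABLE is never longer than its input. Each moved
     * key adds its text plus ", ADD " (6 bytes) and every key line is at
     * least 5 bytes long, so 2*in_len plus the header is an upper bound. */
    size_t ccap = in_len + 1;
    size_t acap = 2 * in_len + strlen(table) + 32;
    char *create = malloc(ccap), *alter = malloc(acap);
    size_t clen = 0, alen = 0;
    int n_keys = 0;
    const char *p = stmt, *end = stmt + in_len;

    if (!create || !alter)
        goto fail;
    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        const char *e = nl ? nl + 1 : end;   /* line including its '\n' */
        size_t n = (size_t)(e - p);

        if (is_secondary_key(p, n)) {
            const char *s = p, *t = e;
            while (s < e && (*s == ' ' || *s == '\t'))
                s++;                          /* drop indentation */
            while (t > s && (t[-1] == '\n' || t[-1] == '\r' ||
                             t[-1] == ' ' || t[-1] == ','))
                t--;                          /* drop trailing ",\n" */
            if (n_keys == 0) {
                if (!append(alter, acap, &alen, "ALTER TABLE `", 13) ||
                    !append(alter, acap, &alen, table, strlen(table)) ||
                    !append(alter, acap, &alen, "`", 1))
                    goto fail;
            } else if (!append(alter, acap, &alen, ",", 1)) {
                goto fail;
            }
            if (!append(alter, acap, &alen, " ADD ", 5) ||
                !append(alter, acap, &alen, s, (size_t)(t - s)))
                goto fail;
            n_keys++;
        } else {
            /* A removed last key leaves the previous line ending in ",\n";
             * drop that comma when the column list is being closed. */
            if (*p == ')' && clen >= 2 &&
                create[clen - 2] == ',' && create[clen - 1] == '\n') {
                create[clen - 2] = '\n';
                create[--clen] = '\0';
            }
            if (!append(create, ccap, &clen, p, n))
                goto fail;
        }
        p = e;
    }
    if (n_keys > 0 && !append(alter, acap, &alen, ";", 1))
        goto fail;
    out->create = create;
    out->n_keys = n_keys;
    out->alter = n_keys > 0 ? alter : NULL;
    if (n_keys == 0)
        free(alter);
    return 0;
fail:
    free(create);
    free(alter);
    return -1;
}

/* Constructed sample statement; not taken from the bug report. */
static const char SAMPLE[] =
    "CREATE TABLE `t1` (\n"
    "  `id` int(11) NOT NULL,\n"
    "  `a` int(11) DEFAULT NULL,\n"
    "  `b` int(11) DEFAULT NULL,\n"
    "  PRIMARY KEY (`id`),\n"
    "  KEY `a` (`a`),\n"
    "  UNIQUE KEY `b` (`b`)\n"
    ") ENGINE=InnoDB DEFAULT CHARSET=latin1;\n";

int main(void)
{
    struct split_result r;
    if (split_secondary_keys(SAMPLE, "t1", &r) != 0)
        return 1;
    printf("%s%s\n", r.create, r.alter ? r.alter : "");
    free(r.create);
    free(r.alter);
    return 0;
}
```

The design point is the one the Valgrind trace makes: the rewritten statement is built in buffers whose size the rewriter itself computed from the input, and every copy is checked against that capacity, so a key definition that does not fit fails the call instead of spilling past the end of a block that some other component allocated.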

tags: added: asan ci valgrind
summary: - "percona_mysqldump_innodb_optimize_keys" failure under ASan
+ Invalid memory accesses by mysqldump --innodb-optimize-keys
no longer affects: percona-server/5.7

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-944
