Master : 5.1.48
Slave : 5.5.18 (query cache on)
As http://bugs.mysql.com/bug.php?id=64624 describes, I ran the slave under valgrind and got the following information:
Thread 21:
Conditional jump or move depends on uninitialised value(s)
at 0x5A6743: Query_cache::send_result_to_client(THD*, char*, unsigned int) (sql_cache.cc:2051)
by 0x5EDE27: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:5756)
by 0x800B79: Query_log_event::do_apply_event(Relay_log_info const*, char const*, unsigned int) (log_event.cc:3398)
by 0x800157: Query_log_event::do_apply_event(Relay_log_info const*) (log_event.cc:3166)
by 0x572005: Log_event::apply_event(Relay_log_info const*) (log_event.h:1135)
by 0x56B1A9: apply_event_and_update_pos(Log_event*, THD*, Relay_log_info*) (slave.cc:2351)
by 0x56B6E9: exec_relay_log_event(THD*, Relay_log_info*) (slave.cc:2511)
by 0x56D8F6: handle_slave_sql (slave.cc:3329)
by 0x3A01806D63: start_thread (pthread_create.c:308)
I looked into the source code and found that the query buffer allocated in Query_log_event::Query_log_event does not contain the db_len field (sizeof(size_t)), but in alloc_query there are statement, length, db_name and flag, which therefore results in uninitialized data access in Query_cache::send_result_to_client:
size_t db_len;
/* db_len is read from the bytes just past the statement's terminating NUL;
   for a buffer built by Query_log_event those bytes were never written */
memcpy((char *) &db_len, (sql + query_length + 1), sizeof(size_t));
if (thd->db_length != db_len)
{
But I didn't find that this can lead to a server crash, as the uninitialized data is just junk, not a NULL pointer.
Can anyone tell me why this bug can crash the slave?
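The following is an added example, not MySQL's own code, modelling the mismatch the post describes: one buffer built with the trailer that alloc_query is said to write (statement, NUL, size_t db_len, db name, NUL, flag byte) and one built the way Query_log_event is said to build it (statement and NUL only), plus a bounds-checked reader for the db_len trailer that refuses the short buffer instead of reading past what was allocated. The struct, function names and the exact trailer layout are assumptions for this example; the real sql_cache.cc code only carries the raw pointer, which is why it cannot make this check.

```c
/* Added example, not MySQL's own code. The trailer layout (statement, '\0',
 * size_t db_len, db name, '\0', one flag byte) is assumed from the post's
 * description of alloc_query; the exact MySQL layout is not reproduced. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct query_buf {
    char  *sql;          /* the buffer the post calls "sql" */
    size_t alloc_len;    /* bytes actually allocated behind sql */
    size_t query_length; /* length of the statement text, excluding the NUL */
};

/* Buffer with the full trailer, as alloc_query is described to build it.
 * All values are constructed for this example. */
static struct query_buf build_with_trailer(const char *query, const char *db,
                                           unsigned char flag)
{
    struct query_buf q;
    size_t qlen = strlen(query), dlen = strlen(db);
    q.query_length = qlen;
    q.alloc_len = qlen + 1 + sizeof(size_t) + dlen + 1 + 1;
    q.sql = calloc(1, q.alloc_len);
    if (!q.sql) { perror("calloc"); exit(EXIT_FAILURE); }
    memcpy(q.sql, query, qlen + 1);                           /* statement + NUL */
    memcpy(q.sql + qlen + 1, &dlen, sizeof(size_t));         /* db_len */
    memcpy(q.sql + qlen + 1 + sizeof(size_t), db, dlen + 1); /* db name + NUL */
    q.sql[q.alloc_len - 1] = (char) flag;                     /* flag byte */
    return q;
}

/* Buffer as the post says Query_log_event builds it: statement + NUL only,
 * so the bytes a trailer reader expects after the NUL were never allocated. */
static struct query_buf build_without_trailer(const char *query)
{
    struct query_buf q;
    size_t qlen = strlen(query);
    q.query_length = qlen;
    q.alloc_len = qlen + 1;
    q.sql = calloc(1, q.alloc_len);
    if (!q.sql) { perror("calloc"); exit(EXIT_FAILURE); }
    memcpy(q.sql, query, qlen + 1);
    return q;
}

/* Bounds-checked form of the read quoted from send_result_to_client.
 * Returns 0 and sets *db_len and *db on success, -1 if the buffer is too
 * short to hold the trailer (the replicated-event case in the post). */
static int read_db_trailer(const struct query_buf *q, size_t *db_len,
                           const char **db)
{
    size_t off = q->query_length + 1;
    if (off > q->alloc_len || q->alloc_len - off < sizeof(size_t))
        return -1;                         /* no room for db_len: refuse */
    size_t len;
    memcpy(&len, q->sql + off, sizeof(size_t));
    off += sizeof(size_t);
    /* the db name (len bytes) plus its NUL must also fit; len < remaining
     * avoids the len + 1 overflow a garbage length could trigger */
    if (len >= q->alloc_len - off || q->sql[off + len] != '\0')
        return -1;
    *db_len = len;
    *db = q->sql + off;
    return 0;
}

/* Mirrors the thd->db_length != db_len comparison from the quoted code:
 * 1 match, 0 mismatch, -1 when the trailer cannot be read safely. */
static int db_matches(const struct query_buf *q, const char *thd_db)
{
    size_t db_len;
    const char *db;
    if (read_db_trailer(q, &db_len, &db) != 0)
        return -1;
    return db_len == strlen(thd_db) && memcmp(db, thd_db, db_len) == 0;
}

int main(void)
{
    struct query_buf full = build_with_trailer("SELECT 1", "test", 0);
    struct query_buf bare = build_without_trailer("SELECT 1");
    printf("full buffer, db 'test':  %d\n", db_matches(&full, "test"));
    printf("full buffer, db 'mysql': %d\n", db_matches(&full, "mysql"));
    printf("bare buffer: %d (trailer absent, read refused)\n",
           db_matches(&bare, "test"));
    free(full.sql);
    free(bare.sql);
    return 0;
}
```

The unchecked memcpy in the post reads sizeof(size_t) bytes whether or not they were allocated; on the short buffer that is the uninitialised read valgrind reports, and the junk db_len then drives the comparison. Carrying the allocated length alongside the pointer is what lets the reader refuse rather than guess.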