oqgraph-dev team mailing list archive

Thread
Date
[Bug 1134355] Re: V3 Attempting to rename the ORIGID attribute on a OQGRAPH engine table to 'parent' will cause mysqld to segfault

To: oqgraph-dev@xxxxxxxxxxxxxxxxxxx
From: Andrew McDonnell <bugs@xxxxxxxxxxxxxxxxxxx>
Date: Sat, 10 Aug 2013 13:15:35 -0000
Reply-to: Bug 1134355 <1134355@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Crash can still happen.  I inserted an alternative statement before the
triggering statement and crash happens again.

Extra ino thanks to valgrind:

==28676== Thread 4:
==28676== Invalid read of size 8
==28676==    at 0x75C742: merge_engine_table_options(engine_option_value*, engine_option_value*, st_mem_root*) (create_options.cc:609)
==28676==    by 0x6BBCC4: mysql_prepare_alter_table(THD*, TABLE*, st_ha_create_information*, Alter_info*) (sql_table.cc:5640)
==28676==    by 0x6BE42D: mysql_alter_table(THD*, char*, char*, st_ha_create_information*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) (sql_table.cc:6503)
==28676==    by 0x96F8DA: Alter_table_statement::execute(THD*) (sql_alter.cc:106)
==28676==    by 0x61C83F: mysql_execute_command(THD*) (sql_parse.cc:4834)
==28676==    by 0x61F9EB: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:6124)
==28676==    by 0x6129B9: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1266)
==28676==    by 0x611B34: do_command(THD*) (sql_parse.cc:982)
==28676==    by 0x721BA8: do_handle_one_connection(THD*) (sql_connect.cc:1267)
==28676==    by 0x721650: handle_one_connection (sql_connect.cc:1181)
==28676==    by 0x9C5B45: pfs_spawn_thread (pfs.cc:1800)
==28676==    by 0x4E2F8C9: start_thread (pthread_create.c:300)
==28676==    by 0x59D992C: clone (clone.S:112)
==28676==  Address 0x8f8f8f8f8f8f8faf is not stack'd, malloc'd or (recently) free'd
==28676== 

Odd - table->s->option_list is used in the crash area, but we (maybe?) make a list
static const ha_create_table_option oqgraph_table_option_list[]=
{
  HA_TOPTION_STRING("data_table", table_name),
  HA_TOPTION_STRING("origid", origid),
  HA_TOPTION_STRING("destid", destid),
  HA_TOPTION_STRING("weight", weight),
  HA_TOPTION_END
};
...
  hton->table_options= oqgraph_table_option_list;

But later access as a struct ?!? How does that even work?

  oqgraph_table_option_struct *options=
    reinterpret_cast<oqgraph_table_option_struct*>(table->s->option_struct);


SQL core code, crash zone:

  create_info->option_list= merge_engine_table_options(table->s->option_list,
                                        create_info->option_list, thd->mem_root);

-->

  engine_option_value *end, *opt;
  DBUG_ENTER("merge_engine_table_options");
  LINT_INIT(end);

  /* find last element */
  if (first && second)
    for (end= first; end->next; end= end->next) /* no-op */;

-- 
You received this bug notification because you are a member of OQgraph
developers, which is a bug assignee.
https://bugs.launchpad.net/bugs/1134355

Title:
  V3 Attempting to rename the ORIGID attribute on a OQGRAPH engine table
  to 'parent' will cause mysqld to segfault

Status in OQGraph Engine for MariaDB:
  New

Bug description:
  This segfault is in a different place from #1134338

  Given

  CREATE TABLE tol_tree (
      latch   SMALLINT  UNSIGNED NULL,
      origid  BIGINT    UNSIGNED NULL,
      destid  BIGINT    UNSIGNED NULL,
      weight  DOUBLE    NULL,
      seq     BIGINT    UNSIGNED NULL,
      linkid  BIGINT    UNSIGNED NULL,
      KEY (latch, origid, destid) USING HASH,
      KEY (latch, destid, origid) USING HASH
    ) ENGINE=OQGRAPH data_table='tol' origid='id' destid='id';

  then

  alter table tol_tree ORIGID='parent';

  will segfault mysqld.

  Note, if tol has another not null integer other than parent added to it, the following error is reported instead (and no crash)
  ERROR 1036 (HY000): Table '#sql-36e_1' is read only

  The only difference I can see is:
  | parent      | int(10) unsigned | YES  |     | NULL    | 
  | someother        | int(11)          | NO   |     | NULL    | 

  But then adding 
  | another      | int(10) unsigned | YES  |     | NULL    | 

  Allows the segfault to trigger, so it appears that it only occurs if
  the type itself matches.


  Program received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0x7ffff7f64700 (LWP 32564)]
  0x000000000075c6ca in merge_engine_table_options (first=0x296c888, second=0x28868d0, root=0x7fffd41d2b58) at /home/andrew/develop/maria/repo/andrew-dev/sql/create_options.cc:609
  609	    for (end= first; end->next; end= end->next) /* no-op */;
  (gdb) bt
  #0  0x000000000075c6ca in merge_engine_table_options (first=0x296c888, second=0x28868d0, root=0x7fffd41d2b58) at /home/andrew/develop/maria/repo/andrew-dev/sql/create_options.cc:609
  #1  0x00000000006bbcc5 in mysql_prepare_alter_table (thd=0x7fffd41cee30, table=0x296e840, create_info=0x7ffff7f62d10, alter_info=0x7ffff7f62e10) at /home/andrew/develop/maria/repo/andrew-dev/sql/sql_table.cc:5640
  #2  0x00000000006be42e in mysql_alter_table (thd=0x7fffd41cee30, new_db=0x28868c0 "test", new_name=0x28862a8 "tol_tree", create_info=0x7ffff7f62d10, table_list=0x28862f8, alter_info=0x7ffff7f62e10, order_num=0, order=0x0, ignore=false, require_online=false) at /home/andrew/develop/maria/repo/andrew-dev/sql/sql_table.cc:6503
  #3  0x000000000096f863 in Alter_table_statement::execute (this=0x2886900, thd=0x7fffd41cee30) at /home/andrew/develop/maria/repo/andrew-dev/sql/sql_alter.cc:106
  #4  0x000000000061c840 in mysql_execute_command (thd=0x7fffd41cee30) at /home/andrew/develop/maria/repo/andrew-dev/sql/sql_parse.cc:4834
  #5  0x000000000061f9ec in mysql_parse (thd=0x7fffd41cee30, rawbuf=0x28861e8 "alter table tol_tree ORIGID='parent'", length=36, parser_state=0x7ffff7f63670) at /home/andrew/develop/maria/repo/andrew-dev/sql/sql_parse.cc:6124
  #6  0x00000000006129ba in dispatch_command (command=COM_QUERY, thd=0x7fffd41cee30, packet=0x7fffd41d40d1 "alter table tol_tree ORIGID='parent'", packet_length=36) at /home/andrew/develop/maria/repo/andrew-dev/sql/sql_parse.cc:1266
  #7  0x0000000000611b35 in do_command (thd=0x7fffd41cee30) at /home/andrew/develop/maria/repo/andrew-dev/sql/sql_parse.cc:982
  #8  0x0000000000721b31 in do_handle_one_connection (thd_arg=0x7fffd41cee30) at /home/andrew/develop/maria/repo/andrew-dev/sql/sql_connect.cc:1267
  #9  0x00000000007215d9 in handle_one_connection (arg=0x7fffd41cee30) at /home/andrew/develop/maria/repo/andrew-dev/sql/sql_connect.cc:1181
  #10 0x00007ffff7bc98ca in start_thread (arg=<value optimized out>) at pthread_create.c:300
  #11 0x00007ffff706b92d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
  #12 0x0000000000000000 in ?? ()

To manage notifications about this bug go to:
https://bugs.launchpad.net/oqgraph/+bug/1134355/+subscriptions
References

[Bug 1134355] [NEW] Attempting to rename the ORIGID attribute on a OQGRAPH engine table to 'parent' will cause mysqld to segfault
From: Andrew McDonnell, 2013-02-27