Bug 6764 - mserver5 crashes with corruption, double free, invalid size or invalid pointer
Alias: None
Product: SQL
Classification: Unclassified
Component: all
Version: 11.33.11 (Apr2019-SP1)
Hardware: x86_64 (amd64/em64t) Linux
Importance: High critical
Assignee: SQL devs
Depends on:
Reported: 2019-09-20 17:34 CEST by Stefan Manegold
Modified: 2019-11-28 10:00 CET

table schema (20.24 KB, text/plain)
2019-09-23 11:44 CEST, Stefan Manegold
query that triggers assertion / crash (83 bytes, application/sql)
2019-09-23 11:45 CEST, Stefan Manegold

Description Stefan Manegold cwiconfidential 2019-09-20 17:34:07 CEST
mserver5 crashes with one of the following errors:

corrupted double-linked list
corrupted size vs. prev_size
double free or corruption (out)
double free or corruption (!prev)
free(): invalid size
munmap_chunk(): invalid pointer

Script to reproduce will follow.
Comment 1 Stefan Manegold cwiconfidential 2019-09-20 17:37:17 CEST
Please find a script to reproduce the bug at
Comment 2 Stefan Manegold cwiconfidential 2019-09-21 21:22:00 CEST
When running a debug build of mserver5, some crashes still occur:

corrupted double-linked list
corrupted size vs. prev_size
free(): invalid size

while instead(?) of the other crashes (see initial comment), these assertions are triggered:

MonetDB/gdk/gdk_bat.c:1587: BATsetcount: Assertion `b->batCapacity >= cnt' failed.
MonetDB/gdk/gdk_utils.c:1789: GDKfree: Assertion `(asize & 2) == 0' failed.
MonetDB/gdk/gdk_utils.c:1794: GDKfree: Assertion `((char *) s)[i] == '\xBD'' failed.
Comment 3 Stefan Manegold cwiconfidential 2019-09-23 11:44:54 CEST
Created attachment 635
table schema
Comment 4 Stefan Manegold cwiconfidential 2019-09-23 11:45:24 CEST
Created attachment 636
query that triggers assertion / crash
Comment 5 Stefan Manegold cwiconfidential 2019-09-23 11:47:07 CEST
For what it's worth,
a simpler way to reproduce the assertion / crash is by loading the data from
into the table defined by attached Bug-6764-schema.ddl
and then run attached Bug-6764-query.sql
Comment 6 Stefan Manegold cwiconfidential 2019-09-23 12:34:53 CEST
PS: the COPY INTO statement should look as follows:

COPY OFFSET 3 INTO "data-x" FROM '.../Bug-6764-data.csv.bz2' DELIMITERS ',','\n','' NULL AS '';
Comment 7 MonetDB Mercurial Repository cwiconfidential 2019-09-23 14:24:38 CEST
Changeset cc708f0d0b28, made by Sjoerd Mullender <sjoerd@acm.org> in the MonetDB repo, refers to this bug.

For complete details, see https://dev.monetdb.org/hg/MonetDB?cmd=changeset;node=cc708f0d0b28

Changeset description:

	Make sure enough space is allocated for extents and histogram BATs.
	This fixes bug 6764.
Comment 8 Stefan Manegold cwiconfidential 2019-09-24 09:21:08 CEST
Changeset cc708f0d0b28 indeed also appears to fix the other incarnations of the bug (crash/assertion) reported here.
Thank you very much!
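
The assertion messages in comment 2 and the changeset description in comment 7 describe one bug class: more elements are written than the buffer was sized for. The C program below is an added example, not MonetDB code and not part of the original thread; it shows how trailing guard bytes turn such an overflow into a deterministic check instead of a later allocator abort. The names dbg_malloc, dbg_damaged and fill_groups and the 16-byte guard size are hypothetical; only the 0xBD fill value is taken from the quoted GDKfree assertion, and that the real allocator lays out its guard this way is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD 16   /* trailing guard bytes (size is an assumption) */
#define FILL  0xBD /* fill value named in the quoted GDKfree assertion */

/* Allocate n usable bytes followed by GUARD bytes of FILL. */
static void *dbg_malloc(size_t n) {
    unsigned char *p = malloc(sizeof(size_t) + n + GUARD);
    if (p == NULL) return NULL;
    memcpy(p, &n, sizeof n);                 /* remember requested size */
    memset(p + sizeof(size_t) + n, FILL, GUARD);
    return p + sizeof(size_t);
}

/* Count damaged guard bytes; 0 means no write ran past the buffer. */
static int dbg_damaged(const void *s) {
    const unsigned char *u = s;
    size_t n;
    int bad = 0;
    memcpy(&n, u - sizeof(size_t), sizeof n);
    for (size_t i = 0; i < GUARD; i++)
        bad += (u[n + i] != FILL);
    return bad;
}

static void dbg_free(void *s) { free((unsigned char *)s - sizeof(size_t)); }

/* Write cnt ints into a buffer sized for cap ints and return the number of
 * damaged guard bytes. cap < cnt models the under-allocation. */
static int fill_groups(size_t cap, size_t cnt) {
    /* Keep the demo overflow inside the guard so the real heap stays intact. */
    if (cnt > cap + GUARD / sizeof(int)) return -1;
    int *buf = dbg_malloc(cap * sizeof(int));
    if (buf == NULL) return -1;
    for (size_t i = 0; i < cnt; i++)
        buf[i] = 0x01010101;                 /* any bytes other than FILL */
    int bad = dbg_damaged(buf);
    dbg_free(buf);
    return bad;
}

int main(void) {
    printf("sized for 4, wrote 6: %d guard bytes damaged\n", fill_groups(4, 6));
    printf("sized for 6, wrote 6: %d guard bytes damaged\n", fill_groups(6, 6));
    return 0;
}
```

Without the guard region, the same stray writes land on the allocator's own chunk metadata, which is what glibc reports as "corrupted size vs. prev_size" or "free(): invalid size" when the block is later freed.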