Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Critical
-
Resolution: Fixed
-
Affects Version/s: None
-
Fix Version/s: None
-
Component/s: None
-
Labels:
Description
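backtrace (frames #8 onward; glibc's malloc_printerr() aborts the server when free_root() releases memory, i.e. the allocator detects heap damage that happened earlier):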
#8 0x006f5b9d in __libc_message () from /lib/libc.so.6
#9 0x006fbfe1 in malloc_printerr () from /lib/libc.so.6
#10 0x08716681 in my_no_flags_free (ptr=0xaf43440) at my_malloc.c:72
#11 0x087174f2 in free_root (root=0x9f965800, MyFlags=0) at my_alloc.c:364
#12 0x0837be32 in SQL_SELECT::test_quick_select (this=0xaf5cbe8, thd=0xae518d0, keys_to_use=..., prev_tables=0, limit=18446744073709551615,
force_quick_range=false) at opt_range.cc:3118
#13 0x082e7b1b in get_quick_record_count (thd=0xae518d0, select=0xaf5cbe8, table=0xaf4ce38, keys=0xaf5c4fc, limit=18446744073709551615) at sql_select.cc:2600
#14 0x082e98d9 in make_join_statistics (join=0xaf5aef8, tables_arg=0xaf4deb8, conds=0xaf4e5d0, keyuse_array=0xaf5c018) at sql_select.cc:3037
#15 0x082e2067 in JOIN::optimize (this=0xaf5aef8) at sql_select.cc:1029
#16 0x082e7843 in mysql_select (thd=0xae518d0, rref_pointer_array=0xae52f70, tables=0xaf4deb8, wild_num=0, fields=..., conds=0xaf4e5d0, og_num=0, order=0x0,
group=0x0, having=0x0, proc_param=0x0, select_options=2147764740, result=0xaf42b20, unit=0xae52be0, select_lex=0xae52e58) at sql_select.cc:2538
#17 0x0830cd08 in mysql_explain_union (thd=0xae518d0, unit=0xae52be0, result=0xaf42b20) at sql_select.cc:17200
#18 0x08286c4c in execute_sqlcom_select (thd=0xae518d0, all_tables=0xaf4deb8) at sql_parse.cc:5144
#19 0x0827d736 in mysql_execute_command (thd=0xae518d0) at sql_parse.cc:2340
#20 0x08288e46 in mysql_parse (thd=0xae518d0, rawbuf=0xaf4beb8 "EXPLAIN SELECT f2 FROM t1 WHERE ( f2 IN ( 1 , 255 ) OR f2 = 8 ) AND f1 IN ( 0 , 74 )",
length=84, found_semicolon=0x9f967220) at sql_parse.cc:6092
#21 0x0827b222 in dispatch_command (command=COM_QUERY, thd=0xae518d0, packet=0xaf0a629 "", packet_length=84) at sql_parse.cc:1269
#22 0x0827a47f in do_command (thd=0xae518d0) at sql_parse.cc:895
#23 0x08277490 in handle_one_connection (arg=0xae518d0) at sql_connect.cc:1138
#24 0x00821919 in start_thread () from /lib/libpthread.so.0
#25 0x0076acce in clone () from /lib/libc.so.6
testcase:
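# Regression test for the memory corruption reported on this page.
# With index_merge_sort_intersection enabled, range optimization of the
# SELECT below reaches get_best_index_intersect() (opt_range.cc), where
# Valgrind reports an invalid write just past a 20-byte alloc_root block.
# The glibc abort in free_root() only shows up when the allocator happens to
# notice the damage, so verify a fix under Valgrind
# (mysql-test-run.pl --valgrind) rather than by the absence of a crash.
--source include/have_innodb.inc

# The optimizer_switch value is a string, so it has to be quoted; the
# unquoted form is rejected by the parser before the switch is ever set.
SET SESSION optimizer_switch='index_merge_sort_intersection=on';

# f2 is the primary key and f1 has its own secondary key; presumably having
# both columns indexed is what lets the optimizer consider an index
# intersection for the query below.
CREATE TABLE t1 (f1 int, f2 int, PRIMARY KEY (f2), KEY (f1)) ENGINE=InnoDB;
INSERT INTO t1 VALUES ('2','5'),('2','3'),('2','8'),('2','438'),('2','4');

# Range condition on f2 (IN list OR equality) combined with an IN range on
# f1. The gdb backtrace on this page was captured with the EXPLAIN form of
# the same statement; the Valgrind trace goes through handle_select().
SELECT f2 FROM t1 WHERE ( f2 IN ( 1 , 255 ) OR f2 = 8 ) AND f1 IN ( 0 , 74 );

# Leave the server in the state the test found it.
DROP TABLE t1;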
Activity
Re: Memory corruption in test_quick_select() in maria-5.1-wl21
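Valgrind warnings (the invalid write and invalid read in get_best_index_intersect() both land just past a 20-byte block allocated by prepare_search_best_index_intersect(); this overrun is where the heap is corrupted, and the abort in free_root() is its later symptom):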
==19248== Invalid write of size 1
==19248== at 0x40081BD: memmove (mc_replace_strmem.c:629)
==19248== by 0x838021D: get_best_index_intersect(PARAM*, SEL_TREE*, double) (opt_range.cc:5351)
==19248== by 0x837BB8E: SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool) (opt_range.cc:3067)
==19248== by 0x82E7B1A: get_quick_record_count(THD*, SQL_SELECT*, st_table*, Bitmap<64u> const*, unsigned long long) (sql_select.cc:2600)
==19248== by 0x82E98D8: make_join_statistics(JOIN*, TABLE_LIST*, Item*, st_dynamic_array*) (sql_select.cc:3037)
==19248== by 0x82E2066: JOIN::optimize() (sql_select.cc:1029)
==19248== by 0x82E7842: mysql_select(THD*, Item**, TABLE_LIST, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2538)
==19248== by 0x82DFF48: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:280)
==19248== by 0x8286DD9: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5166)
==19248== by 0x827D735: mysql_execute_command(THD*) (sql_parse.cc:2340)
==19248== by 0x8288E45: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6092)
==19248== by 0x827B221: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1269)
==19248== by 0x827A47E: do_command(THD*) (sql_parse.cc:895)
==19248== by 0x827748F: handle_one_connection (sql_connect.cc:1138)
==19248== by 0x821918: start_thread (in /lib/libpthread-2.12.1.so)
==19248== by 0x76ACCD: clone (in /lib/libc-2.12.1.so)
==19248== Address 0x52d26b7 is 3 bytes after a block of size 20 alloc'd
==19248== at 0x4005BDC: malloc (vg_replace_malloc.c:195)
==19248== by 0x87164F3: my_malloc (my_malloc.c:38)
==19248== by 0x87170F6: alloc_root (my_alloc.c:165)
==19248== by 0x837F54A: prepare_search_best_index_intersect(PARAM*, SEL_TREE*, st_common_index_intersection_info*, st_partial_index_intersection_info*, double) (opt_range.cc:4995)
==19248== by 0x838015A: get_best_index_intersect(PARAM*, SEL_TREE*, double) (opt_range.cc:5339)
==19248== by 0x837BB8E: SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool) (opt_range.cc:3067)
==19248== by 0x82E7B1A: get_quick_record_count(THD*, SQL_SELECT*, st_table*, Bitmap<64u> const*, unsigned long long) (sql_select.cc:2600)
==19248== by 0x82E98D8: make_join_statistics(JOIN*, TABLE_LIST*, Item*, st_dynamic_array*) (sql_select.cc:3037)
==19248== by 0x82E2066: JOIN::optimize() (sql_select.cc:1029)
==19248== by 0x82E7842: mysql_select(THD*, Item**, TABLE_LIST, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2538)
==19248== by 0x82DFF48: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:280)
==19248== by 0x8286DD9: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5166)
==19248== by 0x827D735: mysql_execute_command(THD*) (sql_parse.cc:2340)
==19248== by 0x8288E45: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6092)
==19248== by 0x827B221: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1269)
==19248== by 0x827A47E: do_command(THD*) (sql_parse.cc:895)
==19248==
==19248== Invalid read of size 4
==19248== at 0x83802DF: get_best_index_intersect(PARAM*, SEL_TREE*, double) (opt_range.cc:5365)
==19248== by 0x837BB8E: SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool) (opt_range.cc:3067)
==19248== by 0x82E7B1A: get_quick_record_count(THD*, SQL_SELECT*, st_table*, Bitmap<64u> const*, unsigned long long) (sql_select.cc:2600)
==19248== by 0x82E98D8: make_join_statistics(JOIN*, TABLE_LIST*, Item*, st_dynamic_array*) (sql_select.cc:3037)
==19248== by 0x82E2066: JOIN::optimize() (sql_select.cc:1029)
==19248== by 0x82E7842: mysql_select(THD*, Item**, TABLE_LIST, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2538)
==19248== by 0x82DFF48: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:280)
==19248== by 0x8286DD9: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5166)
==19248== by 0x827D735: mysql_execute_command(THD*) (sql_parse.cc:2340)
==19248== by 0x8288E45: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6092)
==19248== by 0x827B221: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1269)
==19248== by 0x827A47E: do_command(THD*) (sql_parse.cc:895)
==19248== by 0x827748F: handle_one_connection (sql_connect.cc:1138)
==19248== by 0x821918: start_thread (in /lib/libpthread-2.12.1.so)
==19248== by 0x76ACCD: clone (in /lib/libc-2.12.1.so)
==19248== Address 0x52d26b4 is 0 bytes after a block of size 20 alloc'd
==19248== at 0x4005BDC: malloc (vg_replace_malloc.c:195)
==19248== by 0x87164F3: my_malloc (my_malloc.c:38)
==19248== by 0x87170F6: alloc_root (my_alloc.c:165)
==19248== by 0x837F54A: prepare_search_best_index_intersect(PARAM*, SEL_TREE*, st_common_index_intersection_info*, st_partial_index_intersection_info*, double) (opt_range.cc:4995)
==19248== by 0x838015A: get_best_index_intersect(PARAM*, SEL_TREE*, double) (opt_range.cc:5339)
==19248== by 0x837BB8E: SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool) (opt_range.cc:3067)
==19248== by 0x82E7B1A: get_quick_record_count(THD*, SQL_SELECT*, st_table*, Bitmap<64u> const*, unsigned long long) (sql_select.cc:2600)
==19248== by 0x82E98D8: make_join_statistics(JOIN*, TABLE_LIST*, Item*, st_dynamic_array*) (sql_select.cc:3037)
==19248== by 0x82E2066: JOIN::optimize() (sql_select.cc:1029)
==19248== by 0x82E7842: mysql_select(THD*, Item**, TABLE_LIST, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2538)
==19248== by 0x82DFF48: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:280)
==19248== by 0x8286DD9: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5166)
==19248== by 0x827D735: mysql_execute_command(THD*) (sql_parse.cc:2340)
==19248== by 0x8288E45: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6092)
==19248== by 0x827B221: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1269)
==19248== by 0x827A47E: do_command(THD*) (sql_parse.cc:895)
==19248==