Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-3493

LP:782305 - Wrong result/valgrind warning in Item_sum_hybrid::any_value()

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:

      Description

      Executing a particular prepared statement twice caused the following valgrind warning:

      ==21705== Thread 9:
      ==21705== Invalid read of size 1
      ==21705== at 0x82120E2: Item_sum_hybrid::any_value() (item_sum.h:889)
      ==21705== by 0x8202D5D: Item_func_not_all::empty_underlying_subquery() (item_cmpfunc.cc:333)
      ==21705== by 0x8202E5C: Item_func_nop_all::val_int() (item_cmpfunc.cc:363)
      ==21705== by 0x81C37D3: Item::val_bool() (item.cc:187)
      ==21705== by 0x820EA75: Item_cond_and::val_int() (item_cmpfunc.cc:4701)
      ==21705== by 0x832CACC: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:14162)
      ==21705== by 0x832C737: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:14067)
      ==21705== by 0x832BB09: do_select(JOIN*, List<Item>, st_table, Procedure*) (sql_select.cc:13602)
      ==21705== by 0x8310749: JOIN::exec() (sql_select.cc:2114)
      ==21705== by 0x83128A1: mysql_select(THD*, Item**, TABLE_LIST, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2772)
      ==21705== by 0x8458F0F: mysql_derived_filling(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:296)
      ==21705== by 0x845881A: mysql_handle_derived(st_lex*, bool (THD*, st_lex*, TABLE_LIST*)) (sql_derived.cc:56)
      ==21705== by 0x82F34F1: open_and_lock_tables_derived(THD*, TABLE_LIST*, bool) (sql_base.cc:5125)
      ==21705== by 0x82AEA18: open_and_lock_tables(THD*, TABLE_LIST*) (mysql_priv.h:1670)
      ==21705== by 0x82A7D1F: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5060)
      ==21705== by 0x829ED7D: mysql_execute_command(THD*) (sql_parse.cc:2239)

      crash backtrace:

      1. 2011-05-13T20:06:54 #3 0x0828c410 in handle_segfault (sig=11) at mysqld.cc:2778
      2. 2011-05-13T20:06:54 #4 <signal handler called>
      3. 2011-05-13T20:06:54 #5 0x082120e2 in Item_sum_hybrid::any_value (this=0xa8e4aa8) at item_sum.h:889
      4. 2011-05-13T20:06:54 #6 0x08202d5e in Item_func_not_all::empty_underlying_subquery (this=0xa831dc8) at item_cmpfunc.cc:333
      5. 2011-05-13T20:06:54 #7 0x08202e5d in Item_func_nop_all::val_int (this=0xa831dc8) at item_cmpfunc.cc:363
      6. 2011-05-13T20:06:54 #8 0x081c37d4 in Item::val_bool (this=0xa831dc8) at item.cc:187
      7. 2011-05-13T20:06:54 #9 0x0820ea76 in Item_cond_and::val_int (this=0xa859718) at item_cmpfunc.cc:4701
      8. 2011-05-13T20:06:54 #10 0x0832cacd in evaluate_join_record (join=0xa84d9a8, join_tab=0xa858db8, error=0) at sql_select.cc:14162
      9. 2011-05-13T20:06:54 #11 0x0832c738 in sub_select (join=0xa84d9a8, join_tab=0xa858db8, end_of_records=false) at sql_select.cc:14067
      10. 2011-05-13T20:06:54 #12 0x0832cda5 in evaluate_join_record (join=0xa84d9a8, join_tab=0xa858bd4, error=0) at sql_select.cc:14262
      11. 2011-05-13T20:06:54 #13 0x0832c880 in sub_select (join=0xa84d9a8, join_tab=0xa858bd4, end_of_records=false) at sql_select.cc:14107
      12. 2011-05-13T20:06:54 #14 0x0832bb0a in do_select (join=0xa84d9a8, fields=0x0, table=0xa77f530, procedure=0x0) at sql_select.cc:13602
      13. 2011-05-13T20:06:54 #15 0x0831074a in JOIN::exec (this=0xa84d9a8) at sql_select.cc:2114
      14. 2011-05-13T20:06:54 #16 0x083128a2 in mysql_select (thd=0xa78aa10, rref_pointer_array=0xa84d094, tables=0xa77d7e0, wild_num=0, fields=..., conds=0xa7967e0, og_num=0, order=0x0,
      15. 2011-05-13T20:06:54 group=0x0, having=0x0, proc_param=0x0, select_options=2416200201, result=0xa796f40, unit=0xa84d130, select_lex=0xa84cf90) at sql_select.cc:2772
      16. 2011-05-13T20:06:54 #17 0x08458f10 in mysql_derived_filling (thd=0xa78aa10, lex=0xa7fa2b0, orig_table_list=0xa834b68) at sql_derived.cc:296
      17. 2011-05-13T20:06:54 #18 0x0845881b in mysql_handle_derived (lex=0xa7fa2b0, processor=0x8458d2d <mysql_derived_filling(THD*, LEX*, TABLE_LIST*)>) at sql_derived.cc:56
      18. 2011-05-13T20:06:54 #19 0x082f34f2 in open_and_lock_tables_derived (thd=0xa78aa10, tables=0xa84c440, derived=true) at sql_base.cc:5125
      19. 2011-05-13T20:06:54 #20 0x082aea19 in open_and_lock_tables (thd=0xa78aa10, tables=0xa84c440) at mysql_priv.h:1670
      20. 2011-05-13T20:06:54 #21 0x082a7d20 in execute_sqlcom_select (thd=0xa78aa10, all_tables=0xa84c440) at sql_parse.cc:5060
      21. 2011-05-13T20:06:54 #22 0x0829ed7e in mysql_execute_command (thd=0xa78aa10) at sql_parse.cc:2239
      22. 2011-05-13T20:06:54 #23 0x0835258c in Prepared_statement::execute (this=0xa72cd50, expanded_query=0x9159178c, open_cursor=false) at sql_prepare.cc:3677
      23. 2011-05-13T20:06:54 #24 0x08351a74 in Prepared_statement::execute_loop (this=0xa72cd50, expanded_query=0x9159178c, open_cursor=false, packet=0x0, packet_end=0x0)
      24. 2011-05-13T20:06:54 at sql_prepare.cc:3352
      25. 2011-05-13T20:06:54 #25 0x08350390 in mysql_sql_stmt_execute (thd=0xa78aa10) at sql_prepare.cc:2613
      26. 2011-05-13T20:06:54 #26 0x0829eda7 in mysql_execute_command (thd=0xa78aa10) at sql_parse.cc:2248
      27. 2011-05-13T20:06:54 #27 0x082aa4d7 in mysql_parse (thd=0xa78aa10, rawbuf=0xa796130 "EXECUTE prep_stmt_21349 /* TRANSFORM_OUTCOME_UNORDERED_MATCH */", length=63,
      28. 2011-05-13T20:06:54 found_semicolon=0x91592228) at sql_parse.cc:6094
      29. 2011-05-13T20:06:54 #28 0x0829ca07 in dispatch_command (command=COM_QUERY, thd=0xa78aa10, packet=0xa78cc11 "EXECUTE prep_stmt_21349 /* TRANSFORM_OUTCOME_UNORDERED_MATCH */",
      30. 2011-05-13T20:06:54 packet_length=63) at sql_parse.cc:1215
      31. 2011-05-13T20:06:54 #29 0x0829be65 in do_command (thd=0xa78aa10) at sql_parse.cc:904
      32. 2011-05-13T20:06:54 #30 0x08298f18 in handle_one_connection (arg=0xa78aa10) at sql_connect.cc:1154
      33. 2011-05-13T20:06:54 #31 0x00821919 in start_thread () from /lib/libpthread.so.0
      34. 2011-05-13T20:06:54 #32 0x0076acce in clone () from /lib/libc.so.6

      A test case will be attached shortly.

        Gliffy Diagrams

          Attachments

            Activity

            Hide
            timour Timour Katchaounov added a comment -

            Re: Wrong result/valgrind warning in Item_sum_hybrid::any_value()
            This bug is likely related to either derived tables, or non-semijoin subquery execution.
            Assigning to Igor so he can evaluate if it it is related to derived tables. If not, the bug
            should be assigned to Timour.

            Show
            timour Timour Katchaounov added a comment - Re: Wrong result/valgrind warning in Item_sum_hybrid::any_value() This bug is likely related to either derived tables, or non-semijoin subquery execution. Assigning to Igor so he can evaluate if it it is related to derived tables. If not, the bug should be assigned to Timour.
            Hide
            philipstoev Philip Stoev added a comment -

            Re: Wrong result/valgrind warning in Item_sum_hybrid::any_value()
            Not reproducible on maria-5.2, mysql-5.1. No valgrind warnings and the results from the two executions match.

            Show
            philipstoev Philip Stoev added a comment - Re: Wrong result/valgrind warning in Item_sum_hybrid::any_value() Not reproducible on maria-5.2, mysql-5.1. No valgrind warnings and the results from the two executions match.
            Hide
            philipstoev Philip Stoev added a comment -

            Re: Wrong result/valgrind warning in Item_sum_hybrid::any_value()
            Simplified test case for the wrong result. Does not reproduce the valgrind warning though.

            DROP TABLE IF EXISTS t1;
            CREATE TABLE t1 ( f10 int) ;
            INSERT IGNORE INTO t1 VALUES (2),(2);

            DROP TABLE IF EXISTS t2;
            CREATE TABLE t2 (f10 int) ;
            INSERT IGNORE INTO t2 VALUES (2),(2);

            DROP TABLE IF EXISTS t3;
            CREATE TABLE t3 ( f3 int) ;
            INSERT IGNORE INTO t3 VALUES (2),(2);

            PREPARE st1 FROM '
            SELECT *
            FROM t2, t3
            WHERE t2.f10 <= SOME ( SELECT f10 FROM t1 );
            ';
            EXECUTE st1;
            EXECUTE st1;

            EXPLAIN:

            1 PRIMARY t2 ALL NULL NULL NULL NULL 2 Using where
            1 PRIMARY t3 ALL NULL NULL NULL NULL 2 Using join buffer (flat, BNL join)
            2 SUBQUERY t1 ALL NULL NULL NULL NULL 4  
            Show
            philipstoev Philip Stoev added a comment - Re: Wrong result/valgrind warning in Item_sum_hybrid::any_value() Simplified test case for the wrong result. Does not reproduce the valgrind warning though. DROP TABLE IF EXISTS t1; CREATE TABLE t1 ( f10 int) ; INSERT IGNORE INTO t1 VALUES (2),(2); DROP TABLE IF EXISTS t2; CREATE TABLE t2 (f10 int) ; INSERT IGNORE INTO t2 VALUES (2),(2); DROP TABLE IF EXISTS t3; CREATE TABLE t3 ( f3 int) ; INSERT IGNORE INTO t3 VALUES (2),(2); PREPARE st1 FROM ' SELECT * FROM t2, t3 WHERE t2.f10 <= SOME ( SELECT f10 FROM t1 ); '; EXECUTE st1; EXECUTE st1; EXPLAIN: 1 PRIMARY t2 ALL NULL NULL NULL NULL 2 Using where 1 PRIMARY t3 ALL NULL NULL NULL NULL 2 Using join buffer (flat, BNL join) 2 SUBQUERY t1 ALL NULL NULL NULL NULL 4  
            Hide
            timour Timour Katchaounov added a comment -

            Re: Wrong result/valgrind warning in Item_sum_hybrid::any_value()
            Analysis:

            During the first execution, in
            Item_allany_subselect::transform_into_max_min()
            if (... !select_lex->with_sum_func && ...)
            Initially here select_lex->with_sum_func == false, we get inside
            the IF branch, and
            /*
            (ALL && (> || =>)) || (ANY && (< || =<))
            for ALL condition is inverted
            */
            item= new Item_sum_max(*select_lex->ref_pointer_array);
            creates a new Item_sum_max. Its constructor calls
            Item_sum::mark_as_sum_func(), which sets
            cur_select->with_sum_func= 1;

            During the second execution, in the same place,
            select_lex->with_sum_func = true, so we get into the
            ELSE branch instead. This branch deals with aggregate
            queries.

            On one hand this transformation is repeated for each
            PS execution, however, the transformation is not undone.
            Thus during the next call to exec, it turns out that
            select_lex->with_sum_func is TRUE instead of false,
            which repeats the transformation in a different way
            as if the query has an aggregate function. In this way
            the transformation is not repeated the same way.

            Show
            timour Timour Katchaounov added a comment - Re: Wrong result/valgrind warning in Item_sum_hybrid::any_value() Analysis: During the first execution, in Item_allany_subselect::transform_into_max_min() if (... !select_lex->with_sum_func && ...) Initially here select_lex->with_sum_func == false, we get inside the IF branch, and /* (ALL && (> || =>)) || (ANY && (< || =<)) for ALL condition is inverted */ item= new Item_sum_max(*select_lex->ref_pointer_array); creates a new Item_sum_max. Its constructor calls Item_sum::mark_as_sum_func(), which sets cur_select->with_sum_func= 1; During the second execution, in the same place, select_lex->with_sum_func = true, so we get into the ELSE branch instead. This branch deals with aggregate queries. On one hand this transformation is repeated for each PS execution, however, the transformation is not undone. Thus during the next call to exec, it turns out that select_lex->with_sum_func is TRUE instead of false, which repeats the transformation in a different way as if the query has an aggregate function. In this way the transformation is not repeated the same way.
            Hide
            ratzpo Rasmus Johansson added a comment -

            Launchpad bug id: 782305

            Show
            ratzpo Rasmus Johansson added a comment - Launchpad bug id: 782305

              People

              • Assignee:
                timour Timour Katchaounov
                Reporter:
                philipstoev Philip Stoev
              • Votes:
                0 Vote for this issue
                Watchers:
                0 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: