Description
The problem appeared in 5.3 with the following revision:
revno: 3628
revision-id: igor@askmonty.org-20130225031611-jk8lyhhjazov66qc
committer: Igor Babaev <igor@askmonty.org>
branch nick: maria-5.3-mdev4177
timestamp: Sun 2013-02-24 19:16:11 -0800
message: Fixed bug mdev-4177
Crash on 5.5:
#3 <signal handler called>
#4 0x000000000067e2f8 in Item_equal_iterator<List_iterator_fast, Item>::get_curr_field (this=0x7f489637a860) at 5.5/sql/item_cmpfunc.h:1849
#5 0x00000000008d3945 in get_full_func_mm_tree (param=0x7f489637ac70, cond_func=0x7f488c009060, field_item=0x7f488c008ec8, value=0x7f488c008fd0, inv=false) at 5.5/sql/opt_range.cc:7307
#6 0x00000000008d46ab in get_mm_tree (param=0x7f489637ac70, cond=0x7f488c009060) at 5.5/sql/opt_range.cc:7492
#7 0x00000000008d3b34 in get_mm_tree (param=0x7f489637ac70, cond=0x7f488c022488) at 5.5/sql/opt_range.cc:7341
#8 0x00000000008ca974 in SQL_SELECT::test_quick_select (this=0x7f488c024788, thd=0x2423240, keys_to_use=..., prev_tables=0, limit=18446744073709551615, force_quick_range=false, ordered_output=false) at 5.5/sql/opt_range.cc:3052
#9 0x000000000064673f in get_quick_record_count (thd=0x2423240, select=0x7f488c024788, table=0x7f488c01b8f0, keys=0x7f488c023210, limit=18446744073709551615) at 5.5/sql/sql_select.cc:3099
#10 0x00000000006484b1 in make_join_statistics (join=0x7f488c021a38, tables_list=..., conds=0x7f488c022488, keyuse_array=0x7f488c021d40) at 5.5/sql/sql_select.cc:3648
#11 0x000000000063fb3d in JOIN::optimize (this=0x7f488c021a38) at 5.5/sql/sql_select.cc:1209
#12 0x00000000006464ad in mysql_select (thd=0x2423240, rref_pointer_array=0x2425fa8, tables=0x7f488c007728, wild_num=1, fields=..., conds=0x7f488c021918, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f488c021a18, unit=0x2425678, select_lex=0x2425d50) at 5.5/sql/sql_select.cc:3048
#13 0x000000000063d0b6 in handle_select (thd=0x2423240, lex=0x24255c8, result=0x7f488c021a18, setup_tables_done_option=0) at 5.5/sql/sql_select.cc:318
#14 0x0000000000615fae in execute_sqlcom_select (thd=0x2423240, all_tables=0x7f488c007728) at 5.5/sql/sql_parse.cc:4641
#15 0x000000000060ea61 in mysql_execute_command (thd=0x2423240) at 5.5/sql/sql_parse.cc:2195
#16 0x0000000000618832 in mysql_parse (thd=0x2423240, rawbuf=0x7f488c0074c8 "SELECT * FROM t1 INNER JOIN t2 ON ( c = a ) \nWHERE 1 IS NULL OR b < 33 AND b = c", length=80, parser_state=0x7f489637e500) at 5.5/sql/sql_parse.cc:5756
#17 0x000000000060bfd4 in dispatch_command (command=COM_QUERY, thd=0x2423240, packet=0x2517641 "SELECT * FROM t1 INNER JOIN t2 ON ( c = a ) \nWHERE 1 IS NULL OR b < 33 AND b = c ", packet_length=81) at 5.5/sql/sql_parse.cc:1068
#18 0x000000000060b219 in do_command (thd=0x2423240) at 5.5/sql/sql_parse.cc:794
#19 0x000000000070f7f6 in do_handle_one_connection (thd_arg=0x2423240) at 5.5/sql/sql_connect.cc:1266
#20 0x000000000070f1e1 in handle_one_connection (arg=0x2423240) at 5.5/sql/sql_connect.cc:1181
#21 0x0000000000a9bc40 in pfs_spawn_thread (arg=0x24b72e0) at 5.5/storage/perfschema/pfs.cc:1015
#22 0x00007f48a1a6be9a in start_thread (arg=0x7f489637f700) at pthread_create.c:308
#23 0x00007f48a0d5fcbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

revision-id: elenst@gmail.com-20130314125220-1je2vyildyigre1b
revno: 3697
branch-nick: 5.5
Test case:
CREATE TABLE t1 (a INT, b INT, KEY (b)) ENGINE=MyISAM;
INSERT INTO t1 VALUES (6,8);
CREATE TABLE t2 (c INT, KEY (c)) ENGINE=MyISAM;
INSERT INTO t2 VALUES (6),(9);
SELECT * FROM t1 INNER JOIN t2 ON ( c = a ) WHERE 1 IS NULL OR b < 33 AND b = c ;
Reproducible with the default optimizer_switch as well as with all OFF values (except for in_to_exists or materialization, one of which is required to execute the query).
EXPLAIN also crashes.
Please note that the condition 1 IS NULL does not have to be this degenerate; for example, a query like
SELECT * FROM t1 INNER JOIN t2 ON ( c = a ) WHERE ( SELECT SUM(d) FROM t3 ) IS NULL OR ( b < 33 ) AND ( b = c );
where t3 is not empty, crashes too.
Valgrind warnings on 5.3 (built with BUILD/compile-pentium-valgrind-max-no-ndb):
==12137== Thread 4:
==12137== Conditional jump or move depends on uninitialised value(s)
==12137== at 0x7E6548: get_full_func_mm_tree(RANGE_OPT_PARAM*, Item_func*, Item_field*, Item*, bool) (opt_range.cc:7181)
==12137== by 0x7E72AE: get_mm_tree(RANGE_OPT_PARAM*, Item*) (opt_range.cc:7368)
==12137== by 0x7E669F: get_mm_tree(RANGE_OPT_PARAM*, Item*) (opt_range.cc:7217)
==12137== by 0x7DD7CA: SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool) (opt_range.cc:3081)
==12137== by 0x714A52: get_quick_record_count(THD*, SQL_SELECT*, st_table*, Bitmap<64u> const*, unsigned long long) (sql_select.cc:3039)
==12137== by 0x7167DC: make_join_statistics(JOIN*, List<TABLE_LIST>&, Item*, st_dynamic_array*) (sql_select.cc:3583)
==12137== by 0x70DBDC: JOIN::optimize() (sql_select.cc:1158)
==12137== by 0x71472E: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2976)
==12137== by 0x70B16E: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
==12137== by 0x69658E: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
==12137== by 0x68D34D: mysql_execute_command(THD*) (sql_parse.cc:2305)
==12137== by 0x699008: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)
==12137== by 0x68AAF1: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)
==12137== by 0x689D8F: do_command(THD*) (sql_parse.cc:923)
==12137== by 0x6867EA: handle_one_connection (sql_connect.cc:1231)
==12137== by 0x548DE99: start_thread (pthread_create.c:308)
==12137== Use of uninitialised value of size 8
==12137== at 0x5DF2FA: Item_equal_iterator<List_iterator_fast, Item>::get_curr_field() (item_cmpfunc.h:1847)
==12137== by 0x7E6485: get_full_func_mm_tree(RANGE_OPT_PARAM*, Item_func*, Item_field*, Item*, bool) (opt_range.cc:7183)
==12137== by 0x7E72AE: get_mm_tree(RANGE_OPT_PARAM*, Item*) (opt_range.cc:7368)
==12137== by 0x7E669F: get_mm_tree(RANGE_OPT_PARAM*, Item*) (opt_range.cc:7217)
==12137== by 0x7DD7CA: SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool) (opt_range.cc:3081)
==12137== by 0x714A52: get_quick_record_count(THD*, SQL_SELECT*, st_table*, Bitmap<64u> const*, unsigned long long) (sql_select.cc:3039)
==12137== by 0x7167DC: make_join_statistics(JOIN*, List<TABLE_LIST>&, Item*, st_dynamic_array*) (sql_select.cc:3583)
==12137== by 0x70DBDC: JOIN::optimize() (sql_select.cc:1158)
==12137== by 0x71472E: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2976)
==12137== by 0x70B16E: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
==12137== by 0x69658E: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
==12137== by 0x68D34D: mysql_execute_command(THD*) (sql_parse.cc:2305)
==12137== by 0x699008: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)
==12137== by 0x68AAF1: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)
==12137== by 0x689D8F: do_command(THD*) (sql_parse.cc:923)
==12137== by 0x6867EA: handle_one_connection (sql_connect.cc:1231)
==12137== Use of uninitialised value of size 8
==12137== at 0x5DF31B: Item_equal_iterator<List_iterator_fast, Item>::get_curr_field() (item_cmpfunc.h:1848)
==12137== by 0x7E6485: get_full_func_mm_tree(RANGE_OPT_PARAM*, Item_func*, Item_field*, Item*, bool) (opt_range.cc:7183)
==12137== by 0x7E72AE: get_mm_tree(RANGE_OPT_PARAM*, Item*) (opt_range.cc:7368)
==12137== by 0x7E669F: get_mm_tree(RANGE_OPT_PARAM*, Item*) (opt_range.cc:7217)
==12137== by 0x7DD7CA: SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool) (opt_range.cc:3081)
==12137== by 0x714A52: get_quick_record_count(THD*, SQL_SELECT*, st_table*, Bitmap<64u> const*, unsigned long long) (sql_select.cc:3039)
==12137== by 0x7167DC: make_join_statistics(JOIN*, List<TABLE_LIST>&, Item*, st_dynamic_array*) (sql_select.cc:3583)
==12137== by 0x70DBDC: JOIN::optimize() (sql_select.cc:1158)
==12137== by 0x71472E: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2976)
==12137== by 0x70B16E: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
==12137== by 0x69658E: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
==12137== by 0x68D34D: mysql_execute_command(THD*) (sql_parse.cc:2305)
==12137== by 0x699008: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)
==12137== by 0x68AAF1: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)
==12137== by 0x689D8F: do_command(THD*) (sql_parse.cc:923)
==12137== by 0x6867EA: handle_one_connection (sql_connect.cc:1231)
==12137== Use of uninitialised value of size 8
==12137== at 0x566547: base_list_iterator::next_fast() (sql_list.h:449)
==12137== by 0x5689AC: List_iterator_fast<Item>::operator++(int) (sql_list.h:561)
==12137== by 0x5DF2D3: Item_equal_iterator<List_iterator_fast, Item>::operator++(int) (item_cmpfunc.h:1835)
==12137== by 0x7E653F: get_full_func_mm_tree(RANGE_OPT_PARAM*, Item_func*, Item_field*, Item*, bool) (opt_range.cc:7181)
==12137== by 0x7E72AE: get_mm_tree(RANGE_OPT_PARAM*, Item*) (opt_range.cc:7368)
==12137== by 0x7E669F: get_mm_tree(RANGE_OPT_PARAM*, Item*) (opt_range.cc:7217)
==12137== by 0x7DD7CA: SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool) (opt_range.cc:3081)
==12137== by 0x714A52: get_quick_record_count(THD*, SQL_SELECT*, st_table*, Bitmap<64u> const*, unsigned long long) (sql_select.cc:3039)
==12137== by 0x7167DC: make_join_statistics(JOIN*, List<TABLE_LIST>&, Item*, st_dynamic_array*) (sql_select.cc:3583)
==12137== by 0x70DBDC: JOIN::optimize() (sql_select.cc:1158)
==12137== by 0x71472E: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2976)
==12137== by 0x70B16E: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
==12137== by 0x69658E: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
==12137== by 0x68D34D: mysql_execute_command(THD*) (sql_parse.cc:2305)
==12137== by 0x699008: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)
==12137== by 0x68AAF1: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)
Fixed by the following revision:
------------------------------------------------------------
revno: 3653
revision-id: igor@askmonty.org-20130430033140-qhx9wsgc5w2dx14r
parent: sergii@pisem.net-20130411173539-tzwl0193224o7t7u
committer: Igor Babaev <igor@askmonty.org>
branch nick: maria-5.3-mdev4274
timestamp: Mon 2013-04-29 20:31:40 -0700
message:
Fixed bug mdev-4274.
This bug was the result of incompleteness of the patch for bug mdev-4177.
When an OR condition is simplified to a single conjunct it is merged
into the embedding AND condition. Multiple equalities are also merged,
and any field item involved in those equalities should acquire a pointer
to the multiple equality formed by this merge.