Valgrind warnings 'Invalid read' in subselect_engine::calc_const_tables with SELECT and IN subqueries, GROUP BY, HAVING, materialization+semijoin
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
MariaDB |
Fix Released
|
High
|
Sergey Petrunia |
Bug Description
==16653== Invalid read of size 1
==16653== at 0x6867D7: subselect_
==16653== by 0x686850: subselect_
==16653== by 0x67E7A0: Item_subselect:
==16653== by 0x6034AA: Item_ref:
==16653== by 0x61D959: Item_func:
==16653== by 0x779094: JOIN::exec() (sql_select.
==16653== by 0x77A30C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_
==16653== by 0x770E14: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:286)
==16653== by 0x6FF3E8: execute_
==16653== by 0x6F64A5: mysql_execute_
==16653== by 0x701DC3: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6153)
==16653== by 0x6F3C43: dispatch_
==16653== by 0x6F2F77: do_command(THD*) (sql_parse.cc:923)
==16653== by 0x6EFDC5: handle_
==16653== by 0x58B6A4E: start_thread (in /lib64/
==16653== by 0x651D82C: clone (in /lib64/
==16653== Address 0xfbaf89f is 2,143 bytes inside a block of size 4,164 free'd
==16653== at 0x4C25F7B: free (in /usr/lib64/
==16653== by 0xC4082F: _myfree (safemalloc.c:337)
==16653== by 0xC3FB13: free_root (my_alloc.c:366)
==16653== by 0x7983F0: free_tmp_
==16653== by 0x6883B8: subselect_
==16653== by 0x67CD65: Item_subselect:
==16653== by 0x67CF40: Item_in_
==16653== by 0x78BE1B: st_join_
==16653== by 0x78C8C7: JOIN::cleanup(bool) (sql_select.
==16653== by 0x78C5C4: JOIN::join_free() (sql_select.
==16653== by 0x778A91: JOIN::exec() (sql_select.
==16653== by 0x77A30C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_
==16653== by 0x770E14: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:286)
==16653== by 0x6FF3E8: execute_
==16653== by 0x6F64A5: mysql_execute_
==16653== by 0x701DC3: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6153)
bzr version-info
revision-id: <email address hidden>
date: 2012-05-21 19:37:46 +0500
revno: 3527
Also reproducible on maria/5.5 revno 3413.
Reproducible with MyISAM, Aria, InnoDB.
Minimal optimizer_switch:
materialization
Full optimizer_switch (default):
index_merge=
EXPLAIN with default optimizer_switch:
id select_type table type possible_keys key key_len ref rows filtered Extra
1 PRIMARY <subquery3> const distinct_key distinct_key 8 const,const 1 100.00 Using temporary; Using filesort
1 PRIMARY t2 ALL NULL NULL NULL NULL 2 100.00 Using join buffer (flat, BNL join)
3 MATERIALIZED t1 ALL NULL NULL NULL NULL 2 100.00
2 SUBQUERY t1 ALL NULL NULL NULL NULL 2 100.00
Warnings:
Note 1003 select (select sum(`test`
# Test case:
SET optimizer_switch = 'materializatio
CREATE TABLE t1 (a INT);
INSERT INTO t1 VALUES (1),(7);
CREATE TABLE t2 (b INT);
INSERT INTO t2 VALUES (4),(6);
SELECT ( SELECT SUM(a) FROM t1 ) AS t1sum, b
FROM t2
WHERE (1,1) IN ( SELECT MAX(a), MIN(a) FROM t1 )
GROUP BY b
HAVING t1sum <> 1;
# End of test case
Changed in maria: | |
status: | New → In Progress |
Changed in maria: | |
status: | In Progress → Fix Committed |
The problem caused by the following:
When a JOIN is run with temporary- table-based grouping, it will:
(i) Run the actual JOIN, piping its results to the temporary table
(ii) Run JOIN::cleanup(), and then make_simple_join() to read from the temp.table.
(iii) Run a "pseudo-join" which is a 1-table join which reads from temp.table.
right before the (iii) step, item->update_ used_tables( ) call for all items in HAVING clause. In our particular case, the HAVING clause is:
HAVING t1sum <> 1
where t1sum is from
SELECT ( SELECT SUM(a) FROM t1a ) AS t1sum,
This causes us to arrive here: engine: :calc_const_ tables (list=...) at item_subselect. cc:3646 single_ select_ engine: :upper_ select_ const_tables (this=0x7ffefc0 0a698) at item_subselect. cc:3662 :update_ used_tables (this=0x7ffefc0 0a508) at item_subselect. cc:786 :update_ used_tables (this=0x7ffefc0 0cb88) at item.cc:9153 :update_ used_tables (this=0x7ffefc0 0cd78) at item_func.cc:423 3fd58) at sql_select.cc:2592
#0 subselect_
#1 0x000000000065c44f in subselect_
#2 0x00000000006543f4 in Item_subselect:
#3 0x00000000005dadbf in Item_ref:
#4 0x00000000005f4ce8 in Item_func:
#5 0x000000000074afa2 in JOIN::exec (this=0x7ffefc0
subselect_ engine: :calc_const_ tables( ) walks over upper query's leaf_tables. EXPLAIN for the upper query is:
| id | select_type | table | type | possible_keys | key | key_len | ref | rows | Extra | ------- ------+ ------- ------+ ------- +------ ------- --+---- ------- ---+--- ------+ ------- ------+ ------+ ------- ------- ------- ------- ------- -+
+----+-
| 1 | PRIMARY | <subquery3> | const | distinct_key | distinct_key | 8 | const,const | 1 | Using temporary; Using filesort |
| 1 | PRIMARY | t2 | ALL | NULL | NULL | NULL | NULL | 2 | Using join buffer (flat, BNL join) |
the problem here is that TABLE* for <subquery3> was a temporary table, and it has already been deleted on step (ii) mentioned above.