Valgrind warning/crash in MRR with join_cache_level=8

Bug #878769 reported by Philip Stoev
Affects: MariaDB
Status: Fix Released
Importance: Critical
Assigned to: Igor Babaev

Bug Description

The test case below produces the following warning:

==16327== Conditional jump or move depends on uninitialised value(s)
==16327== at 0x827B853: key_restore(unsigned char*, unsigned char*, st_key*, unsigned int) (key.cc:191)
==16327== by 0x84BCF38: Mrr_ordered_index_reader::resume_read() (multi_range_read.cc:462)
==16327== by 0x84BD5F2: Mrr_ordered_rndpos_reader::refill_from_index_reader() (multi_range_read.cc:625)
==16327== by 0x84BD45E: Mrr_ordered_rndpos_reader::refill_buffer(bool) (multi_range_read.cc:584)
==16327== by 0x84BDFFC: DsMrr_impl::dsmrr_init(handler*, st_range_seq_if*, void*, unsigned int, unsigned int, st_handler_buffer*) (multi_range_read.cc:920)
==16327== by 0x869B3BF: ha_innobase::multi_range_read_init(st_range_seq_if*, void*, unsigned int, unsigned int, st_handler_buffer*) (ha_innodb.cc:12256)
==16327== by 0x82F5325: JOIN_TAB_SCAN_MRR::open() (sql_join_cache.cc:3814)
==16327== by 0x82F3279: JOIN_CACHE::join_matching_records(bool) (sql_join_cache.cc:2208)
==16327== by 0x82F2E72: JOIN_CACHE::join_records(bool) (sql_join_cache.cc:2045)
==16327== by 0x833D787: sub_select_cache(JOIN*, st_join_table*, bool) (sql_select.cc:14901)
==16327== by 0x833D99F: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:15063)
==16327== by 0x833D48E: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:14785)
==16327== by 0x83203A2: JOIN::exec() (sql_select.cc:2239)
==16327== by 0x8322529: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2900)
==16327== by 0x831A2FA: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==16327== by 0x82B4A87: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5112)

Test case (further simplification was not possible due to sporadic crashes):

--source include/have_innodb.inc
set session optimizer_switch='derived_with_keys=ON,index_condition_pushdown=ON,mrr=ON,join_cache_hashed=ON,mrr_sort_keys=ON';
set session join_cache_level=8;

DROP TABLE IF EXISTS t1;
CREATE TABLE t1 ( col_int_key int(11), col_time_key time, col_varchar_key varchar(1), KEY (col_int_key), KEY (col_varchar_key,col_int_key)) ENGINE=InnoDB;
INSERT IGNORE INTO t1 VALUES (7,'10:19:31','d'),(1,'14:40:36','r'),(7,'04:37:47','f'),(9,'19:34:06','y'),(2,'00:00:00','m'),(4,'00:13:25','q'),(0,'03:47:16',NULL),(4,'01:41:48','d'),(8,'00:00:00','g'),(NULL,'22:32:04','x'),(NULL,'16:44:14','f'),(0,'17:38:37','p'),(NULL,'08:46:48','j'),(8,'14:11:27','c');

DROP TABLE IF EXISTS t2;
CREATE TABLE t2 ( col_int_nokey int(11), col_int_key int(11), col_datetime_key datetime, col_datetime_nokey datetime, col_varchar_key varchar(1), col_varchar_nokey varchar(1), KEY (col_int_key), KEY (col_varchar_key,col_int_key)) ;
INSERT IGNORE INTO t2 VALUES (150,62,'2008-01-03 10:33:32','2008-01-03 10:33:32','v','v'),(2,1,'2007-10-09 19:53:04','2007-10-09 19:53:04',NULL,NULL),(5,0,'2001-11-08 21:02:12','2001-11-08 21:02:12','x','x'),(3,7,'2003-04-01 00:00','2003-04-01 00:00','i','i'),(1,7,'1900-01-01 00:00','1900-01-01 00:00:00','e','e'),(NULL,7,'2005-04-04 01:21','2005-04-04 01:21','s','s'),(2,1,'1900-01-01 00:00','1900-01-01 00:00','j','j'),(8,0,'2004-04-28 21:44','2004-04-28 21:44','a','a'),(6,8,'2001-04-18 00:00','2001-04-18 00:00:00','y','y'),(8,1,'2008-12-18 19:39:55','2008-12-18 19:39:55',NULL,NULL),(3,1,'2000-08-01 12:19:39','2000-08-01 12:19:39','r','r'),(3,9,'2004-09-25 21:29:06','2004-09-25 21:29:06','v','v');

CREATE OR REPLACE ALGORITHM=MERGE VIEW v2 AS SELECT * FROM t2;

SELECT t1.col_time_key, t1.col_varchar_key
FROM
( v2 STRAIGHT_JOIN t1 ON
(t1.col_int_key = v2.col_int_key )
 )
GROUP BY 1 , 2 ;

bzr version-info
revision-id: <email address hidden>
date: 2011-10-19 21:01:42 +0200
build-date: 2011-10-20 13:50:14 +0300
revno: 3242
branch-nick: maria-5.3

full optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,index_condition_pushdown=on,derived_merge=off,derived_with_keys=on,firstmatch=off,loosescan=off,materialization=off,in_to_exists=on,semijoin=off,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=on,mrr_cost_based=off,mrr_sort_keys=on,outer_join_with_cache=off,semijoin_with_cache=off,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on

Philip Stoev (pstoev-askmonty) wrote :

Also repeatable without views.

Changed in maria:
assignee: nobody → Igor Babaev (igorb-seattle)
milestone: none → 5.3
summary: Valgrind warning/crash in MRR with views → Valgrind warning/crash in MRR with join_cache_level=8
Philip Stoev (pstoev-askmonty) wrote :

Further valgrind warnings obtained during the simplification process:

==16855== Conditional jump or move depends on uninitialised value(s)
==16855== at 0x82F1C88: JOIN_CACHE::write_record_data(unsigned char*, bool*) (sql_join_cache.cc:1340)
==16855== by 0x82F23A1: JOIN_CACHE::put_record() (sql_join_cache.cc:1530)
==16855== by 0x833D851: sub_select_cache(JOIN*, st_join_table*, bool) (sql_select.cc:14914)
==16855== by 0x833E2AC: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:15317)
==16855== by 0x833DD57: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:15160)
==16855== by 0x833D462: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:14783)
==16855== by 0x83203A2: JOIN::exec() (sql_select.cc:2239)
==16855== by 0x8322529: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2900)
==16855== by 0x831A2FA: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==16855== by 0x82B4A87: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5112)
==16855== by 0x82AB844: mysql_execute_command(THD*) (sql_parse.cc:2250)
==16855== by 0x8364CEB: Prepared_statement::execute(String*, bool) (sql_prepare.cc:3735)
==16855== by 0x8364206: Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) (sql_prepare.cc:3416)
==16855== by 0x8362AD5: mysql_sql_stmt_execute(THD*) (sql_prepare.cc:2641)
==16855== by 0x82AB86D: mysql_execute_command(THD*) (sql_parse.cc:2259)
==16855== by 0x82B70B6: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6112)

==16855== Conditional jump or move depends on uninitialised value(s)
==16855== at 0x82F27EC: JOIN_CACHE::read_record_field(st_cache_field*, bool) (sql_join_cache.cc:1773)
==16855== by 0x82F5CFE: JOIN_CACHE_BKA::get_next_key(unsigned char**) (sql_join_cache.cc:4280)
==16855== by 0x82F553D: bka_range_seq_next(void*, st_key_multi_range*) (sql_join_cache.cc:3924)
==16855== by 0x84BD0EB: Mrr_ordered_index_reader::refill_buffer(bool) (multi_range_read.cc:486)
==16855== by 0x84BD417: Mrr_ordered_rndpos_reader::refill_buffer(bool) (multi_range_read.cc:587)
==16855== by 0x84BDFFC: DsMrr_impl::dsmrr_init(handler*, st_range_seq_if*, void*, unsigned int, unsigned int, st_handler_buffer*) (multi_range_read.cc:920)
==16855== by 0x869B3BF: ha_innobase::multi_range_read_init(st_range_seq_if*, void*, unsigned int, unsigned int, st_handler_buffer*) (ha_innodb.cc:12256)
==16855== by 0x82F5325: JOIN_TAB_SCAN_MRR::open() (sql_join_cache.cc:3814)
==16855== by 0x82F3279: JOIN_CACHE::join_matching_records(bool) (sql_join_cache.cc:2208)
==16855== by 0x82F2E72: JOIN_CACHE::join_records(bool) (sql_join_cache.cc:2045)
==16855== by 0x833D787: sub_select_cache(JOIN*, st_join_table*, bool) (sql_select.cc:14901)
==16855== by 0x833D99F: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:15063)
==16855== by 0x833D48E: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:14785)
==16855== ...

Changed in maria:
status: New → Confirmed
importance: Undecided → Critical
Changed in maria:
status: Confirmed → In Progress
Igor Babaev (igorb-seattle) wrote :

The problem can be reproduced without views and with join_cache_level=6:

==13995== Thread 20:
==13995== Invalid read of size 4
==13995== at 0x93FED6: DsMrr_impl::dsmrr_init(handler*, st_range_seq_if*, void*, unsigned int, unsigned int, st_handler_buffer*) (multi_range_read.cc:851)
==13995== by 0xB4F807: ha_innobase::multi_range_read_init(st_range_seq_if*, void*, unsigned int, unsigned int, st_handler_buffer*) (ha_innodb.cc:12256)
==13995== by 0x7387A8: JOIN_TAB_SCAN_MRR::open() (sql_join_cache.cc:3814)
==13995== by 0x7361C7: JOIN_CACHE::join_matching_records(bool) (sql_join_cache.cc:2208)
==13995== by 0x735D47: JOIN_CACHE::join_records(bool) (sql_join_cache.cc:2045)
==13995== by 0x7899B0: sub_select_cache(JOIN*, st_join_table*, bool) (sql_select.cc:14901)
==13995== by 0x789BC8: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:15063)
==13995== by 0x78969B: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:14785)
==13995== by 0x769CCC: JOIN::exec() (sql_select.cc:2239)
==13995== by 0x76C1EB: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2900)
==13995== by 0x763064: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==13995== by 0x6F1400: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5112)
==13995== by 0x6E848F: mysql_execute_command(THD*) (sql_parse.cc:2250)
==13995== by 0x6F3DB3: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6112)
==13995== by 0x6E5D65: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1221)
==13995== by 0x6E50D3: do_command(THD*) (sql_parse.cc:916)
==13995== Address 0x1f3d6ca8 is 8 bytes before a block of size 26 free'd
==13995== at 0x4C25F7B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13995== by 0xC5C1C7: my_no_flags_free (my_malloc.c:76)
==13995== by 0xC5DDBE: free_root (my_alloc.c:364)
==13995== by 0x6E7180: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1629)
==13995== by 0x6E50D3: do_command(THD*) (sql_parse.cc:916)
==13995== by 0x6E1B5F: handle_one_connection (sql_connect.cc:1191)
==13995== by 0x58B6A4E: start_thread (in /lib64/libpthread-2.11.2.so)
==13995== by 0x651D82C: clone (in /lib64/libc-2.11.2.so)
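
The three memcheck reports in this bug are of two different kinds: two reads of uninitialised memory (key_restore, JOIN_CACHE::read_record_field) and one invalid read in DsMrr_impl::dsmrr_init of memory that free_root had already released, which memcheck flags with an "Address ... free'd" note followed by the stack of the free. The script below is an added example, not MariaDB or Valgrind code: it parses ==PID==-prefixed memcheck lines, keeps the access stack separate from the free() stack that follows the address note, marks use-after-free reports, and groups repeated errors by kind and top frame so a long log collapses to a short triage list. The sample input is a constructed, abbreviated copy of the traces quoted in this report, and the error-kind labels are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: abbreviated copies of three memcheck reports quoted in this
# bug (two or three frames each; the '...' line mirrors the truncated report).
SAMPLE = """\
==16327== Conditional jump or move depends on uninitialised value(s)
==16327==    at 0x827B853: key_restore(unsigned char*, unsigned char*, st_key*, unsigned int) (key.cc:191)
==16327==    by 0x84BCF38: Mrr_ordered_index_reader::resume_read() (multi_range_read.cc:462)
==16855== Conditional jump or move depends on uninitialised value(s)
==16855==    at 0x82F27EC: JOIN_CACHE::read_record_field(st_cache_field*, bool) (sql_join_cache.cc:1773)
==16855==    by 0x82F5CFE: JOIN_CACHE_BKA::get_next_key(unsigned char**) (sql_join_cache.cc:4280)
==16855== ...
==13995== Thread 20:
==13995== Invalid read of size 4
==13995==    at 0x93FED6: DsMrr_impl::dsmrr_init(handler*, st_range_seq_if*, void*, unsigned int, unsigned int, st_handler_buffer*) (multi_range_read.cc:851)
==13995==    by 0xB4F807: ha_innobase::multi_range_read_init(st_range_seq_if*, void*, unsigned int, unsigned int, st_handler_buffer*) (ha_innodb.cc:12256)
==13995==  Address 0x1f3d6ca8 is 8 bytes before a block of size 26 free'd
==13995==    at 0x4C25F7B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13995==    by 0xC5C1C7: my_no_flags_free (my_malloc.c:76)
"""

_PREFIX = re.compile(r"^==(\d+)==\s?(.*)$")                 # "==PID== rest of line"
_FRAME = re.compile(r"^(?:at|by)\s+0x([0-9A-Fa-f]+):\s+(.+?)\s+\(([^()]*)\)$")
_ADDRESS = re.compile(r"^Address 0x[0-9A-Fa-f]+ is (.*)$")  # "... before a block of size N free'd"
_SKIP = re.compile(r"^(Thread \d+:|\.\.\.)$")
_KINDS = [  # (label, pattern), tried in order; anything unmatched is not an error header
    ("uninitialised-value", re.compile(r"uninitialised (value|byte)")),
    ("invalid-read", re.compile(r"^Invalid read of size")),
    ("invalid-write", re.compile(r"^Invalid write of size")),
    ("invalid-free", re.compile(r"^(Invalid free\(\)|Mismatched free)")),
    ("leak", re.compile(r"(definitely|possibly|indirectly) lost")),
]

@dataclass
class Frame:
    addr: str
    func: str   # demangled name with the argument list stripped
    loc: str    # "file.cc:NNN" or "in /path/to/lib.so"

@dataclass
class MemcheckError:
    pid: int
    kind: str
    message: str
    stack: list = field(default_factory=list)      # where the bad access happened
    address_note: Optional[str] = None             # memcheck's description of the address
    aux_stack: list = field(default_factory=list)  # where that address was freed or allocated

    @property
    def top(self) -> Optional[Frame]:
        return self.stack[0] if self.stack else None

    @property
    def use_after_free(self) -> bool:
        # memcheck says "block of size N free'd" when the address was already released
        return bool(self.address_note and "free'd" in self.address_note)

def parse_memcheck(text: str) -> list:
    """Turn raw memcheck output into one MemcheckError per reported error."""
    errors, cur, in_aux = [], None, False
    for raw in text.splitlines():
        m = _PREFIX.match(raw)
        if not m:
            continue                               # not a memcheck line (server log etc.)
        pid, body = int(m.group(1)), m.group(2).strip()
        if not body or _SKIP.match(body):
            continue
        fm = _FRAME.match(body)
        if fm and cur is not None:
            frame = Frame(fm.group(1), fm.group(2).split("(", 1)[0], fm.group(3))
            (cur.aux_stack if in_aux else cur.stack).append(frame)
            continue
        am = _ADDRESS.match(body)
        if am and cur is not None:
            cur.address_note, in_aux = am.group(1), True   # following frames describe the free()
            continue
        kind = next((label for label, pat in _KINDS if pat.search(body)), None)
        if kind is not None:
            cur, in_aux = MemcheckError(pid, kind, body), False
            errors.append(cur)
    return errors

def triage(errors) -> Counter:
    """Collapse repeated reports: count by (kind, top frame, use-after-free flag)."""
    counts = Counter()
    for e in errors:
        where = f"{e.top.func} ({e.top.loc})" if e.top else "<no stack>"
        counts[(e.kind, where, e.use_after_free)] += 1
    return counts

if __name__ == "__main__":
    for (kind, where, uaf), n in triage(parse_memcheck(SAMPLE)).items():
        print(f"{n:3d}  {kind:<20} {'UAF ' if uaf else '    '}{where}")
```

Run it on the full memcheck log of an mtr run (each line still carries the ==PID== prefix) and the grouping by top frame separates a single root cause reported many times from genuinely different defects; the use-after-free flag singles out the reports that need the free() stack read together with the access stack, as with the free_root frames above.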

Changed in maria:
status: In Progress → Fix Committed
Changed in maria:
status: Fix Committed → Fix Released