Memory corruption in test_quick_select() in maria-5.1-wl21

Bug #684086 reported by Philip Stoev
Affects: MariaDB
Status: Fix Released
Importance: Critical
Assigned to: Igor Babaev

Bug Description

backtrace:

#8 0x006f5b9d in __libc_message () from /lib/libc.so.6
#9 0x006fbfe1 in malloc_printerr () from /lib/libc.so.6
#10 0x08716681 in my_no_flags_free (ptr=0xaf43440) at my_malloc.c:72
#11 0x087174f2 in free_root (root=0x9f965800, MyFlags=0) at my_alloc.c:364
#12 0x0837be32 in SQL_SELECT::test_quick_select (this=0xaf5cbe8, thd=0xae518d0, keys_to_use=..., prev_tables=0, limit=18446744073709551615,
    force_quick_range=false) at opt_range.cc:3118
#13 0x082e7b1b in get_quick_record_count (thd=0xae518d0, select=0xaf5cbe8, table=0xaf4ce38, keys=0xaf5c4fc, limit=18446744073709551615) at sql_select.cc:2600
#14 0x082e98d9 in make_join_statistics (join=0xaf5aef8, tables_arg=0xaf4deb8, conds=0xaf4e5d0, keyuse_array=0xaf5c018) at sql_select.cc:3037
#15 0x082e2067 in JOIN::optimize (this=0xaf5aef8) at sql_select.cc:1029
#16 0x082e7843 in mysql_select (thd=0xae518d0, rref_pointer_array=0xae52f70, tables=0xaf4deb8, wild_num=0, fields=..., conds=0xaf4e5d0, og_num=0, order=0x0,
    group=0x0, having=0x0, proc_param=0x0, select_options=2147764740, result=0xaf42b20, unit=0xae52be0, select_lex=0xae52e58) at sql_select.cc:2538
#17 0x0830cd08 in mysql_explain_union (thd=0xae518d0, unit=0xae52be0, result=0xaf42b20) at sql_select.cc:17200
#18 0x08286c4c in execute_sqlcom_select (thd=0xae518d0, all_tables=0xaf4deb8) at sql_parse.cc:5144
#19 0x0827d736 in mysql_execute_command (thd=0xae518d0) at sql_parse.cc:2340
#20 0x08288e46 in mysql_parse (thd=0xae518d0, rawbuf=0xaf4beb8 "EXPLAIN SELECT f2 FROM t1 WHERE ( f2 IN ( 1 , 255 ) OR f2 = 8 ) AND f1 IN ( 0 , 74 )",
    length=84, found_semicolon=0x9f967220) at sql_parse.cc:6092
#21 0x0827b222 in dispatch_command (command=COM_QUERY, thd=0xae518d0, packet=0xaf0a629 "", packet_length=84) at sql_parse.cc:1269
#22 0x0827a47f in do_command (thd=0xae518d0) at sql_parse.cc:895
#23 0x08277490 in handle_one_connection (arg=0xae518d0) at sql_connect.cc:1138
#24 0x00821919 in start_thread () from /lib/libpthread.so.0
#25 0x0076acce in clone () from /lib/libc.so.6

testcase:

--source include/have_innodb.inc

SET SESSION optimizer_switch='index_merge_sort_intersection=on';

CREATE TABLE t1 (f1 int, f2 int, PRIMARY KEY (f2), KEY (f1)) ENGINE=InnoDB;
INSERT INTO t1 VALUES ('2','5'),('2','3'),('2','8'),('2','438'),('2','4');

SELECT f2 FROM t1 WHERE ( f2 IN ( 1 , 255 ) OR f2 = 8 ) AND f1 IN ( 0 , 74 );
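
The valgrind report below pins the fault to a memmove() in get_best_index_intersect() that writes one byte past a 20-byte block obtained from alloc_root(); glibc then notices the damaged chunk header when free_root() releases the arena, which is the malloc_printerr frame in the backtrace. The following C program is an added illustration of that bug class, not code from this report or from MariaDB: a sorted-insert helper that shifts entries with memmove() into a caller-sized array, shown with the capacity guard whose absence would overrun the block. The element type (uint32_t), the capacity of 5 (which makes the block 20 bytes, matching the valgrind size), the sample values (taken from the literals in the failing query) and the one-element shift are all assumptions chosen for the example; the page does not show the real array layout in opt_range.cc.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Sorted insertion into a fixed-capacity uint32_t array that shifts the
 * tail with memmove(), in the style of the optimizer helpers in the trace.
 * `cap` is the number of entries the caller allocated (cap == 5 gives a
 * 20-byte block, the size valgrind reports above). Example code, not
 * MariaDB's; element type and shift width are assumptions for illustration.
 *
 * Returns 1 when inserted, 0 when the array is already full. Without the
 * `*len >= cap` guard, a sixth insert into a full 5-entry array would
 * memmove one entry past the block, writing offsets 20..23; offset 23 is
 * exactly what valgrind prints as "3 bytes after a block of size 20".
 */
static int insert_sorted_checked(uint32_t *arr, size_t cap, size_t *len, uint32_t v)
{
    if (*len >= cap)                 /* the guard whose absence corrupts the heap */
        return 0;
    size_t pos = 0;
    while (pos < *len && arr[pos] < v)
        pos++;
    /* Shift [pos, len) right by one entry. The last byte written lands at
     * offset (len + 1) * 4 - 1, in bounds only because len < cap held above. */
    memmove(&arr[pos + 1], &arr[pos], (*len - pos) * sizeof arr[0]);
    arr[pos] = v;
    (*len)++;
    return 1;
}

/*
 * Bytes a memmove() of `n` bytes starting at `dst_off` would write past a
 * block of `block_size` bytes; 0 when the copy fits. Useful when turning a
 * valgrind "N bytes after a block of size M" line back into the faulty
 * length: the faulting byte is at offset M + N, so the copy ended at M + N + 1.
 */
static size_t overrun_bytes(size_t block_size, size_t dst_off, size_t n)
{
    size_t end = dst_off + n;
    return end > block_size ? end - block_size : 0;
}

/*
 * Fill a 5-entry (20-byte) block to capacity, then attempt a sixth insert.
 * The checked helper refuses it instead of scribbling over the malloc chunk
 * header that follows the block, so the later free() stays quiet.
 * Values are constructed from the literals in the failing query.
 */
static int demo(void)
{
    size_t cap = 5, len = 0;
    uint32_t *arr = malloc(cap * sizeof *arr);   /* 20-byte block */
    if (!arr)
        return -1;
    uint32_t vals[] = {8, 255, 1, 74, 0};
    for (size_t i = 0; i < 5; i++)
        insert_sorted_checked(arr, cap, &len, vals[i]);
    int sixth = insert_sorted_checked(arr, cap, &len, 438);  /* must be refused */
    int sorted = 1;
    for (size_t i = 1; i < len; i++)
        if (arr[i - 1] > arr[i])
            sorted = 0;
    free(arr);
    return sixth == 0 && sorted && len == 5;
}
```

Running the same program with the guard deleted under valgrind reproduces the shape of the report above: an "Invalid write of size 1" inside memmove, followed by an address "N bytes after a block of size 20", and often a glibc abort in free() rather than at the write itself, which is why the gdb backtrace on this page ends in free_root() while valgrind points at the real culprit.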

Revision history for this message
Philip Stoev (philip-stoev) wrote :

Valgrind warnings:

==19248== Invalid write of size 1
==19248== at 0x40081BD: memmove (mc_replace_strmem.c:629)
==19248== by 0x838021D: get_best_index_intersect(PARAM*, SEL_TREE*, double) (opt_range.cc:5351)
==19248== by 0x837BB8E: SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool) (opt_range.cc:3067)
==19248== by 0x82E7B1A: get_quick_record_count(THD*, SQL_SELECT*, st_table*, Bitmap<64u> const*, unsigned long long) (sql_select.cc:2600)
==19248== by 0x82E98D8: make_join_statistics(JOIN*, TABLE_LIST*, Item*, st_dynamic_array*) (sql_select.cc:3037)
==19248== by 0x82E2066: JOIN::optimize() (sql_select.cc:1029)
==19248== by 0x82E7842: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2538)
==19248== by 0x82DFF48: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:280)
==19248== by 0x8286DD9: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5166)
==19248== by 0x827D735: mysql_execute_command(THD*) (sql_parse.cc:2340)
==19248== by 0x8288E45: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6092)
==19248== by 0x827B221: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1269)
==19248== by 0x827A47E: do_command(THD*) (sql_parse.cc:895)
==19248== by 0x827748F: handle_one_connection (sql_connect.cc:1138)
==19248== by 0x821918: start_thread (in /lib/libpthread-2.12.1.so)
==19248== by 0x76ACCD: clone (in /lib/libc-2.12.1.so)
==19248== Address 0x52d26b7 is 3 bytes after a block of size 20 alloc'd
==19248== at 0x4005BDC: malloc (vg_replace_malloc.c:195)
==19248== by 0x87164F3: my_malloc (my_malloc.c:38)
==19248== by 0x87170F6: alloc_root (my_alloc.c:165)
==19248== by 0x837F54A: prepare_search_best_index_intersect(PARAM*, SEL_TREE*, st_common_index_intersection_info*, st_partial_index_intersection_info*, double) (opt_range.cc:4995)
==19248== by 0x838015A: get_best_index_intersect(PARAM*, SEL_TREE*, double) (opt_range.cc:5339)
==19248== by 0x837BB8E: SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool) (opt_range.cc:3067)
==19248== by 0x82E7B1A: get_quick_record_count(THD*, SQL_SELECT*, st_table*, Bitmap<64u> const*, unsigned long long) (sql_select.cc:2600)
==19248== by 0x82E98D8: make_join_statistics(JOIN*, TABLE_LIST*, Item*, st_dynamic_array*) (sql_select.cc:3037)
==19248== by 0x82E2066: JOIN::optimize() (sql_select.cc:1029)
==19248== by 0x82E7842: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2538)
==19248== by 0x82DFF48: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:280)
==19248== by 0x8286DD9: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5166)
==19248== by 0x827D735: mysql_execute_command(THD*) (sql_parse.cc:2340)
==19248== by 0x8288...


Changed in maria:
milestone: none → 5.1
assignee: nobody → Igor Babaev (igorb-seattle)
Revision history for this message
Philip Stoev (philip-stoev) wrote :

This crash happens with InnoDB only. For similar valgrind warnings with other engines, see bug 684144.

Revision history for this message
Philip Stoev (philip-stoev) wrote :

New test case:

--source include/have_innodb.inc

CREATE TABLE t1 (
f1 int,
f4 varchar(32),
f5 int,
PRIMARY KEY (f1),
KEY (f4)) ENGINE=InnoDB;
INSERT IGNORE INTO t1 VALUES ('5','H','1'),('9','g','0'),('527','i','0'),('528','y','1'),('529','S','6'),('530','m','7'),('531','b','2'),('532','N','1'),('533','V',NULL),('534','l','1'),('535','M','0'),('536','w','1'),('537','j','5'),('538','l','0'),('539','n','2'),('540','m','2'),('541','r','2'),('542','l','2'),('543','h','3'),('544','o','0'),('956','h','0'),('957','g','0'),('958','W','5'),('959','s','3'),('960','w','0'),('961','q','0'),('962','e',NULL),('963','u','7'),('964','q','1'),('965','N',NULL),('966','e','0'),('967','t','3'),('968','e','6'),('969','f',NULL),('970','j','0'),('971','s','3'),('972','I','0'),('973','h','4'),('974','g','1'),('975','s','0'),('976','r','3'),('977','x','1'),('978','v','8'),('979','j',NULL),('980','z','7'),('981','t','9'),('982','j','5'),('983','u',NULL),('984','g','6'),('985','w','1'),('986','h','1'),('987','v','0'),('988','v','0'),('989','c','2'),('990','b','7'),('991','z','0'),('992','M','1'),('993','u','2'),('994','r','2'),('995','b','4'),('996','A','2'),('997','u','0'),('998','a','0'),('999','j','2'),('1','I','2');

EXPLAIN
SELECT DISTINCT *
FROM t1 FORCE KEY
( PRIMARY , f4 )
WHERE
( NOT ( f1 = 149 ) OR ( f1 = 196 ) )
 AND ( f4 IS NULL OR f4 LIKE 'h%' );

Revision history for this message
Philip Stoev (philip-stoev) wrote :

Correct query:

EXPLAIN SELECT DISTINCT * FROM t1 FORCE KEY ( PRIMARY , f4 ) WHERE ( NOT ( f1 = 149 ) OR ( f1 = 196 ) ) AND ( f4 IS NULL OR f4 LIKE CONCAT ('h' , '%' ) );

Changed in maria:
importance: Undecided → Critical
status: New → Confirmed
status: Confirmed → In Progress
Changed in maria:
status: In Progress → Fix Committed
Changed in maria:
status: Fix Committed → Fix Released