MariaDB

Crash in end_read_record with derived table

Bug #830993 reported by Philip Stoev on 2011-08-22

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	MariaDB	Fix Released	Critical	Sergey Petrunia	MariaDB 5.3

Bug Description

Queries such as:

SELECT alias1 . `col_int_key` AS field1 FROM ( ( SELECT SQ1_alias1 . * FROM ( C AS SQ1_alias1 INNER JOIN ( C AS SQ1_alias2 INNER JOIN C AS SQ1_alias3 ON (SQ1_alias3 . `col_varchar_key` = SQ1_alias2 . `col_varchar_key` ) ) ON (SQ1_alias3 . `col_varchar_key` = SQ1_alias2 . `col_varchar_key` ) ) ) AS alias1 , CC AS alias2 ) WHERE ( EXISTS ( ( SELECT 7 FROM DUAL ) ) ) OR ( alias1 . `col_int_key` = alias1 . `pk` OR alias1 . `col_varchar_key` LIKE CONCAT( 'x' , '%') ) GROUP BY field1 HAVING field1 > 's' ORDER BY alias1 . `col_varchar_key` DESC , CONCAT ( alias2 . `col_varchar_nokey`, alias1 . `col_varchar_key` )

sporadically cause the following crash:

# 2011-08-22T13:18:06 #3 <signal handler called>
# 2011-08-22T13:18:06 #4 0x000000000080e828 in end_read_record (info=0x87da988) at records.cc:294
# 2011-08-22T13:18:06 #5 0x0000000000735c7a in st_join_table::cleanup (this=0x87da8d8) at sql_select.cc:9586
# 2011-08-22T13:18:06 #6 0x0000000000735d7b in JOIN::cleanup (this=0x85f2a40, full=true) at sql_select.cc:9858
# 2011-08-22T13:18:06 #7 0x000000000073ecb6 in JOIN::destroy (this=0x85f2a40) at sql_select.cc:2740
# 2011-08-22T13:18:06 #8 0x000000000089e350 in st_select_lex::cleanup (this=0x2aaac10c6388) at sql_union.cc:929
# 2011-08-22T13:18:06 #9 0x0000000000750629 in mysql_select (thd=0x2aaac10c39f8, rref_pointer_array=0x2aaac10c65d8, tables=0x84346c0, wild_num=0, fields=..., conds=0x85b4fc0,
# 2011-08-22T13:18:06 og_num=3, order=0x85b5650, group=0x85b51c0, having=0x85b5398, proc_param=0x0, select_options=2147764736, result=0x85b5b40, unit=0x2aaac10c5ea0,
# 2011-08-22T13:18:06 select_lex=0x2aaac10c6388) at sql_select.cc:2923
# 2011-08-22T13:18:06 #10 0x0000000000756972 in handle_select (thd=0x2aaac10c39f8, lex=0x2aaac10c5e00, result=0x85b5b40, setup_tables_done_option=0) at sql_select.cc:283
# 2011-08-22T13:18:06 #11 0x00000000006a331e in execute_sqlcom_select (thd=0x2aaac10c39f8, all_tables=0x84346c0) at sql_parse.cc:5090
# 2011-08-22T13:18:06 #12 0x00000000006a4ffc in mysql_execute_command (thd=0x2aaac10c39f8) at sql_parse.cc:2234
# 2011-08-22T13:18:06 #13 0x00000000006add95 in mysql_parse (thd=0x2aaac10c39f8,
# 2011-08-22T13:18:06 rawbuf=0x86d5fb0 "/* 6 */ SELECT alias1 . `col_int_key` AS field1 FROM ( ( SELECT SQ1_alias1 . * FROM ( C AS SQ1_alias1 INNER JOIN ( C AS SQ1_alias2 INNER JOIN C AS SQ1_alias3 ON (SQ1_alias3 . `col_varchar_key` = SQ1_alias2 . `col_varchar_key` ) ) ON (SQ1_alias3 . `col_varchar_key` = SQ1_alias2 . `col_varchar_key` ) ) ) AS alias1 , CC AS alias2 ) WHERE ( EXISTS ( ( SELECT 7 FROM DUAL ) ) ) OR ( alias1 . `col_int_key` = alias1 . `pk` OR alias1 . `col_varchar_key` LIKE CONCAT( 'x' , '%') ) GROUP BY field1 HAVING field1 > 's' ORDER BY alias1 . `col_varchar_key` DESC , CONCAT ( alias2 . `col_varchar_nokey`, alias1 . `col_varchar_key` )", length=635, found_semicolon=0x4ec09f08) at sql_parse.cc:6091
# 2011-08-22T13:18:06 #14 0x00000000006aec65 in dispatch_command (command=COM_QUERY, thd=0x2aaac10c39f8,
# 2011-08-22T13:18:06 packet=0x2aaac10c76c9 "/* 6 */ SELECT alias1 . `col_int_key` AS field1 FROM ( ( SELECT SQ1_alias1 . * FROM ( C AS SQ1_alias1 INNER JOIN ( C AS SQ1_alias2 INNER JOIN C AS SQ1_alias3 ON (SQ1_alias3 . `col_varchar_key` = SQ1_alias2 . `col_varchar_key` ) ) ON (SQ1_alias3 . `col_varchar_key` = SQ1_alias2 . `col_varchar_key` ) ) ) AS alias1 , CC AS alias2 ) WHERE ( EXISTS ( ( SELECT 7 FROM DUAL ) ) ) OR ( alias1 . `col_int_key` = alias1 . `pk` OR alias1 . `col_varchar_key` LIKE CONCAT( 'x' , '%') ) GROUP BY field1 HAVING field1 > 's' ORDER BY alias1 . `col_varchar_key` DESC , CONCAT ( alias2 . `col_varchar_nokey`, alias1 . `col_varchar_key` )", packet_length=635) at sql_parse.cc:1211
# 2011-08-22T13:18:06 #15 0x00000000006b0273 in do_command (thd=0x2aaac10c39f8) at sql_parse.cc:906
# 2011-08-22T13:18:06 #16 0x000000000069aba7 in handle_one_connection (arg=0x2aaac10c39f8) at sql_connect.cc:1186
# 2011-08-22T13:18:06 #17 0x00000033b600673d in start_thread () from /lib64/libpthread.so.0
# 2011-08-22T13:18:06 #18 0x00000033b58d40cd in clone () from /lib64/libc.so.6

The crash happens repeatably inside RQG but is difficult to reproduce outside of it, so concurrency or some other inter-query interaction may be present.

Revision history for this message

Philip Stoev (pstoev-askmonty) wrote on 2011-08-22:

Valgrind warning:

==4530== Thread 30:
==4530== Invalid read of size 8
==4530== at 0x80E828: end_read_record(READ_RECORD*) (records.cc:294)
==4530== by 0x735C79: st_join_table::cleanup() (sql_select.cc:9586)
==4530== by 0x735D7A: JOIN::cleanup(bool) (sql_select.cc:9858)
==4530== by 0x73ECB5: JOIN::destroy() (sql_select.cc:2740)
==4530== by 0x89E34F: st_select_lex::cleanup() (sql_union.cc:929)
==4530== by 0x750628: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsi
gned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2923)
==4530== by 0x756971: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==4530== by 0x6A331D: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5090)
==4530== by 0x6A4FFB: mysql_execute_command(THD*) (sql_parse.cc:2234)
==4530== by 0x6ADD94: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6091)
==4530== by 0x6AEC64: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1211)
==4530== by 0x6B0272: do_command(THD*) (sql_parse.cc:906)
==4530== by 0x69ABA6: handle_one_connection (sql_connect.cc:1186)
==4530== by 0x33B600673C: start_thread (in /lib64/libpthread-2.5.so)
==4530== by 0x33B58D40CC: clone (in /lib64/libc-2.5.so)
==4530== Address 0x8f8f8f8f8f8f912f is not stack'd, malloc'd or (recently) free'd

Revision history for this message

Philip Stoev (pstoev-askmonty) wrote on 2011-08-22:

bug830993.yy Edit (36.2 KiB, text/plain)

To reproduce with the RQG:

perl runall.pl --queries=100M --duration=180 --threads=6 --views --reporter=QueryTimeout,Backtrace,ErrorLog,Deadlock --basedir1=/home/philips/bzr/maria-5.3 --mysqld1=--optimizer_switch=semijoin=ON,materialization=OFF --notnull --grammar=bug830993.yy --skip-gendata --mysqld1=--init-file=`pwd`/conf/optimizer/world.sql --seed=1313772755 --valgrind --duration=900

Changed in maria:
assignee:	nobody → Michael Widenius (monty)

Revision history for this message

Philip Stoev (pstoev-askmonty) wrote on 2011-08-23:

Additional information from the error log:

Error: Memory allocated at sql_join_cache.cc:910 was overrun, discovered at 'sql_join_cache.h:650'

and another related backtrace:

# 2011-08-23T08:15:04 #3 <signal handler called>
# 2011-08-23T08:15:04 #4 0x00000033b5830265 in raise () from /lib64/libc.so.6
# 2011-08-23T08:15:04 #5 0x00000033b5831d10 in abort () from /lib64/libc.so.6
# 2011-08-23T08:15:04 #6 0x00000033b586a99b in __libc_message () from /lib64/libc.so.6
# 2011-08-23T08:15:04 #7 0x00000033b5872555 in _int_free () from /lib64/libc.so.6
# 2011-08-23T08:15:04 #8 0x00000033b58728bb in free () from /lib64/libc.so.6
# 2011-08-23T08:15:04 #9 0x0000000000bdd26a in _myfree (ptr=0x2c51a78, filename=0xd8d388 "sql_join_cache.h", lineno=650, myflags=88) at safemalloc.c:335
# 2011-08-23T08:15:04 #10 0x00000000006f61f0 in JOIN_CACHE::free (this=0x2aa3f50) at sql_join_cache.h:650
# 2011-08-23T08:15:04 #11 0x0000000000735b80 in st_join_table::cleanup (this=0x2a62b98) at sql_select.cc:9563
# 2011-08-23T08:15:04 #12 0x0000000000735d7b in JOIN::cleanup (this=0x2b40bb0, full=true) at sql_select.cc:9858
# 2011-08-23T08:15:04 #13 0x0000000000735fce in JOIN::join_free (this=0x2b40bb0) at sql_select.cc:9778
# 2011-08-23T08:15:04 #14 0x00000000007556bd in JOIN::exec (this=0x2b40bb0) at sql_select.cc:2454
# 2011-08-23T08:15:04 #15 0x0000000000750558 in mysql_select (thd=0x2aaabd48ab18, rref_pointer_array=0x2aaabd48d6f8, tables=0x2ca2660, wild_num=0, fields=...$
# 2011-08-23T08:15:04 og_num=3, order=0x2bddbc8, group=0x2bdda30, having=0x0, proc_param=0x0, select_options=2147764736, result=0x2bdde18, unit=0x2aaabd4$
# 2011-08-23T08:15:04 select_lex=0x2aaabd48d4a8) at sql_select.cc:2901
# 2011-08-23T08:15:04 #16 0x0000000000756972 in handle_select (thd=0x2aaabd48ab18, lex=0x2aaabd48cf20, result=0x2bdde18, setup_tables_done_option=0) at sql_s$
# 2011-08-23T08:15:04 #17 0x00000000006a331e in execute_sqlcom_select (thd=0x2aaabd48ab18, all_tables=0x2ca2660) at sql_parse.cc:5090
# 2011-08-23T08:15:04 #18 0x00000000006a4ffc in mysql_execute_command (thd=0x2aaabd48ab18) at sql_parse.cc:2234
# 2011-08-23T08:15:04 #19 0x00000000006add95 in mysql_parse (thd=0x2aaabd48ab18,
# 2011-08-23T08:15:04 rawbuf=0x2a5c320 "/* 6 */ SELECT alias2 . `pk` AS field1 FROM ( ( SELECT SQ1_alias1 . * FROM C AS SQ1_alias1 ) AS alias1 ,$
# 2011-08-23T08:15:04 #20 0x00000000006aec65 in dispatch_command (command=COM_QUERY, thd=0x2aaabd48ab18,
# 2011-08-23T08:15:04 packet=0x2aaabd490f69 "/* 6 */ SELECT alias2 . `pk` AS field1 FROM ( ( SELECT SQ1_alias1 . * FROM C AS SQ1_alias1 ) AS ali$
# 2011-08-23T08:15:04 #21 0x00000000006b0273 in do_command (thd=0x2aaabd48ab18) at sql_parse.cc:906
# 2011-08-23T08:15:04 #22 0x000000000069aba7 in handle_one_connection (arg=0x2aaabd48ab18) at sql_connect.cc:1186
# 2011-08-23T08:15:04 #23 0x00000033b600673d in start_thread () from /lib64/libpthread.so.0
# 2011-08-23T08:15:04 #24 0x00000033b58d40cd in clone () from /lib64/libc.so.6
# 2011-08-23T08:15:04 #5 0x00000033b5831d10 in abort () from /lib64/libc.so.6

Additional information from the error log:

Error: Memory allocated at sql_join_cache.cc:910 was overrun, discovered at 'sql_join_cache.h:650'

and another related backtrace:

# 2011-08-23T08:15:04 #3  <signal handler called>
# 2011-08-23T08:15:04 #4  0x00000033b5830265 in raise () from /lib64/libc.so.6
# 2011-08-23T08:15:04 #5  0x00000033b5831d10 in abort () from /lib64/libc.so.6
# 2011-08-23T08:15:04 #6  0x00000033b586a99b in __libc_message () from /lib64/libc.so.6
# 2011-08-23T08:15:04 #7  0x00000033b5872555 in _int_free () from /lib64/libc.so.6
# 2011-08-23T08:15:04 #8  0x00000033b58728bb in free () from /lib64/libc.so.6
# 2011-08-23T08:15:04 #9  0x0000000000bdd26a in _myfree (ptr=0x2c51a78, filename=0xd8d388 "sql_join_cache.h", lineno=650, myflags=88) at safemalloc.c:335
# 2011-08-23T08:15:04 #10 0x00000000006f61f0 in JOIN_CACHE::free (this=0x2aa3f50) at sql_join_cache.h:650
# 2011-08-23T08:15:04 #11 0x0000000000735b80 in st_join_table::cleanup (this=0x2a62b98) at sql_select.cc:9563
# 2011-08-23T08:15:04 #12 0x0000000000735d7b in JOIN::cleanup (this=0x2b40bb0, full=true) at sql_select.cc:9858
# 2011-08-23T08:15:04 #13 0x0000000000735fce in JOIN::join_free (this=0x2b40bb0) at sql_select.cc:9778
# 2011-08-23T08:15:04 #14 0x00000000007556bd in JOIN::exec (this=0x2b40bb0) at sql_select.cc:2454
# 2011-08-23T08:15:04 #15 0x0000000000750558 in mysql_select (thd=0x2aaabd48ab18, rref_pointer_array=0x2aaabd48d6f8, tables=0x2ca2660, wild_num=0, fields=...$
# 2011-08-23T08:15:04     og_num=3, order=0x2bddbc8, group=0x2bdda30, having=0x0, proc_param=0x0, select_options=2147764736, result=0x2bdde18, unit=0x2aaabd4$
# 2011-08-23T08:15:04     select_lex=0x2aaabd48d4a8) at sql_select.cc:2901
# 2011-08-23T08:15:04 #16 0x0000000000756972 in handle_select (thd=0x2aaabd48ab18, lex=0x2aaabd48cf20, result=0x2bdde18, setup_tables_done_option=0) at sql_s$
# 2011-08-23T08:15:04 #17 0x00000000006a331e in execute_sqlcom_select (thd=0x2aaabd48ab18, all_tables=0x2ca2660) at sql_parse.cc:5090
# 2011-08-23T08:15:04 #18 0x00000000006a4ffc in mysql_execute_command (thd=0x2aaabd48ab18) at sql_parse.cc:2234
# 2011-08-23T08:15:04 #19 0x00000000006add95 in mysql_parse (thd=0x2aaabd48ab18,
# 2011-08-23T08:15:04     rawbuf=0x2a5c320 "/* 6 */   SELECT    alias2 . `pk` AS field1 FROM ( (  SELECT   SQ1_alias1 . * FROM C AS SQ1_alias1  ) AS alias1 ,$
# 2011-08-23T08:15:04 #20 0x00000000006aec65 in dispatch_command (command=COM_QUERY, thd=0x2aaabd48ab18,
# 2011-08-23T08:15:04     packet=0x2aaabd490f69 "/* 6 */   SELECT    alias2 . `pk` AS field1 FROM ( (  SELECT   SQ1_alias1 . * FROM C AS SQ1_alias1  ) AS ali$
# 2011-08-23T08:15:04 #21 0x00000000006b0273 in do_command (thd=0x2aaabd48ab18) at sql_parse.cc:906
# 2011-08-23T08:15:04 #22 0x000000000069aba7 in handle_one_connection (arg=0x2aaabd48ab18) at sql_connect.cc:1186
# 2011-08-23T08:15:04 #23 0x00000033b600673d in start_thread () from /lib64/libpthread.so.0
# 2011-08-23T08:15:04 #24 0x00000033b58d40cd in clone () from /lib64/libc.so.6
# 2011-08-23T08:15:04 #5  0x00000033b5831d10 in abort () from /lib64/libc.so.6

Philip Stoev (pstoev-askmonty) on 2011-08-23

Changed in maria:
milestone:	none → 5.3

Revision history for this message

Philip Stoev (pstoev-askmonty) wrote on 2011-08-24:

Download full text (12.3 KiB)

A non-concurrent test case. Not reproducible with maria-5.3 before views

SET SESSION optimizer_switch = 'index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,index_condition_pushdown=off,derived_merge=off,derived_with_keys=off,firstmatch=off,loosescan=off,materialization=off,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=off,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=off,semijoin_with_cache=off,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on';
--disable_warnings
DROP TABLE /*! IF EXISTS */ t1;
DROP TABLE /*! IF EXISTS */ t2;
--enable_warnings

CREATE TABLE t1 ( a int(11) NOT NULL AUTO_INCREMENT, b int(11) DEFAULT NULL, c int(11) DEFAULT NULL, d time DEFAULT NULL, e varchar(1) DEFAULT NULL, f varchar(1) DEFAULT NULL, PRIMARY KEY (a), KEY c (c), KEY d (d), KEY e (e,c));
INSERT INTO t1 VALUES (10,NULL,8,'22:55:23','x','x'),(11,8,7,'10:19:31','d','d'),(12,1,1,'14:40:36','r','r'),(13,9,7,'04:37:47','f','f'),(14,4,9,'19:34:06','y','y'),(15,3,NULL,'20:35:33','u','u'),(16,2,1,NULL,'m','m'),(17,NULL,9,'14:43:37',NULL,NULL),(18,2,2,'02:23:09','o','o'),(19,NULL,9,'01:22:45','w','w'),(20,6,2,'00:00:00','m','m'),(21,7,4,'00:13:25','q','q'),(22,2,0,'03:47:16',NULL,NULL),(23,5,4,'01:41:48','d','d'),(24,7,8,'00:00:00','g','g'),(25,6,NULL,'22:32:04','x','x'),(26,6,NULL,'16:44:14','f','f'),(27,2,0,'17:38:37','p','p'),(28,9,NULL,'08:46:48','j','j'),(29,6,8,'14:11:27','c','c');
CREATE TABLE t2 ( a int(11) NOT NULL AUTO_INCREMENT, b int(11) DEFAULT NULL, c int(11) DEFAULT NULL, d time DEFAULT NULL, e varchar(1) DEFAULT NULL, f varchar(1) DEFAULT NULL, PRIMARY KEY (a), KEY c (c), KEY d (d), KEY e (e,c));
INSERT INTO t2 VALUES (1,2,4,'22:34:09','v','v'),(2,150,62,'14:26:02','v','v'),(3,NULL,7,'14:03:03','c','c'),(4,2,1,'01:46:09',NULL,NULL),(5,5,0,'16:21:18','x','x'),(6,3,7,'18:56:33','i','i'),(7,1,7,NULL,'e','e'),(8,4,1,'09:29:08','p','p'),(9,NULL,7,'19:11:10','s','s'),(10,2,1,'11:57:26','j','j'),(11,6,5,'00:39:46','z','z'),(12,6,2,'03:28:15','c','c'),(13,8,0,'06:44:18','a','a'),(14,2,1,'14:36:39','q','q'),(15,6,8,'18:42:45','y','y'),(16,8,1,'02:57:29',NULL,NULL),(17,3,1,'16:46:13','r','r'),(18,3,9,'19:39:02','v','v'),(19,9,1,NULL,NULL,NULL),(20,6,5,'20:58:33','r','r');

SELECT *
FROM (
SELECT *
FROM t2 ) AS alias1 ,
t1 AS alias2 , t2
WHERE alias1.c = SOME
(
SELECT SQ3_alias1.b
FROM t2 AS SQ3_alias1 STRAIGHT_JOIN t2 AS SQ3_alias2
);

If you run it with MTR without --valgrind, it will report:

Error: Memory allocated at sql_join_cache.cc:910 was overrun, discovered at 'sq_join_cache.h:650'

With --valgrind , you will get:

A non-concurrent test case. Not reproducible with maria-5.3 before views

CREATE TABLE t1 (  a int(11) NOT NULL AUTO_INCREMENT,  b int(11) DEFAULT NULL,  c int(11) DEFAULT NULL,  d time DEFAULT NULL,  e varchar(1) DEFAULT NULL,  f varchar(1) DEFAULT NULL,  PRIMARY KEY (a),  KEY c (c),  KEY d (d),  KEY e (e,c));
INSERT INTO t1 VALUES (10,NULL,8,'22:55:23','x','x'),(11,8,7,'10:19:31','d','d'),(12,1,1,'14:40:36','r','r'),(13,9,7,'04:37:47','f','f'),(14,4,9,'19:34:06','y','y'),(15,3,NULL,'20:35:33','u','u'),(16,2,1,NULL,'m','m'),(17,NULL,9,'14:43:37',NULL,NULL),(18,2,2,'02:23:09','o','o'),(19,NULL,9,'01:22:45','w','w'),(20,6,2,'00:00:00','m','m'),(21,7,4,'00:13:25','q','q'),(22,2,0,'03:47:16',NULL,NULL),(23,5,4,'01:41:48','d','d'),(24,7,8,'00:00:00','g','g'),(25,6,NULL,'22:32:04','x','x'),(26,6,NULL,'16:44:14','f','f'),(27,2,0,'17:38:37','p','p'),(28,9,NULL,'08:46:48','j','j'),(29,6,8,'14:11:27','c','c');
CREATE TABLE t2 (  a int(11) NOT NULL AUTO_INCREMENT,  b int(11) DEFAULT NULL,  c int(11) DEFAULT NULL,  d time DEFAULT NULL,  e varchar(1) DEFAULT NULL,  f varchar(1) DEFAULT NULL,  PRIMARY KEY (a),  KEY c (c),  KEY d (d),  KEY e (e,c));
INSERT INTO t2 VALUES (1,2,4,'22:34:09','v','v'),(2,150,62,'14:26:02','v','v'),(3,NULL,7,'14:03:03','c','c'),(4,2,1,'01:46:09',NULL,NULL),(5,5,0,'16:21:18','x','x'),(6,3,7,'18:56:33','i','i'),(7,1,7,NULL,'e','e'),(8,4,1,'09:29:08','p','p'),(9,NULL,7,'19:11:10','s','s'),(10,2,1,'11:57:26','j','j'),(11,6,5,'00:39:46','z','z'),(12,6,2,'03:28:15','c','c'),(13,8,0,'06:44:18','a','a'),(14,2,1,'14:36:39','q','q'),(15,6,8,'18:42:45','y','y'),(16,8,1,'02:57:29',NULL,NULL),(17,3,1,'16:46:13','r','r'),(18,3,9,'19:39:02','v','v'),(19,9,1,NULL,NULL,NULL),(20,6,5,'20:58:33','r','r');

SELECT *
FROM (
SELECT *
FROM t2 ) AS alias1 ,
t1 AS alias2 , t2
WHERE alias1.c = SOME
(
SELECT SQ3_alias1.b
FROM t2 AS SQ3_alias1 STRAIGHT_JOIN t2 AS SQ3_alias2
);

If you run it with MTR without --valgrind, it will report:

Error: Memory allocated at sql_join_cache.cc:910 was overrun, discovered at 'sq_join_cache.h:650'

With --valgrind , you will get:

==17182== Thread 4:
==17182== Invalid write of size 1
==17182==    at 0x6F2806: JOIN_CACHE::write_record_data(unsigned char*, bool*) (sql_join_cache.cc:1409)
==17182==    by 0x6F2DBC: JOIN_CACHE::put_record() (sql_join_cache.cc:1517)
==17182==    by 0x735885: sub_select_cache(JOIN*, st_join_table*, bool) (sql_select.cc:14855)
==17182==    by 0x6F0D6D: JOIN_CACHE::generate_full_extensions(unsigned char*) (sql_join_cache.cc:2339)
==17182==    by 0x6F127B: JOIN_CACHE::join_matching_records(bool) (sql_join_cache.cc:2232)
==17182==    by 0x6EEFF8: JOIN_CACHE::join_records(bool) (sql_join_cache.cc:2031)
==17182==    by 0x7357CB: sub_select_cache(JOIN*, st_join_table*, bool) (sql_select.cc:14842)
==17182==    by 0x735297: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:15004)
==17182==    by 0x7357EE: sub_select_cache(JOIN*, st_join_table*, bool) (sql_select.cc:14844)
==17182==    by 0x735297: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:15004)
==17182==    by 0x736774: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:14728)
==17182==    by 0x7566FF: JOIN::exec() (sql_select.cc:2680)
==17182==    by 0x750617: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2901)
==17182==    by 0x756A31: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==17182==    by 0x6A33DD: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5090)
==17182==    by 0x6A50BB: mysql_execute_command(THD*) (sql_parse.cc:2234)
==17182==  Address 0xe39d22c is 0 bytes after a block of size 131,116 alloc'd
==17182==    at 0x4A05E1C: malloc (vg_replace_malloc.c:195)
==17182==    by 0xBDC9FD: _mymalloc (safemalloc.c:138)
==17182==    by 0x6F3261: JOIN_CACHE::alloc_buffer() (sql_join_cache.cc:910)
==17182==    by 0x6F42EA: JOIN_CACHE::init() (sql_join_cache.cc:1039)
==17182==    by 0x6F4645: JOIN_CACHE_BNL::init() (sql_join_cache.cc:3529)
==17182==    by 0x7375B7: check_join_cache_usage(st_join_table*, unsigned long long, unsigned int, unsigned int, st_join_table*) (sql_select.cc:9036)
==17182==    by 0x737C7F: check_join_cache_usage_for_tables(JOIN*, unsigned long long, unsigned int) (sql_select.cc:9193)
==17182==    by 0x74ADD8: make_join_readinfo(JOIN*, unsigned long long, unsigned int) (sql_select.cc:9278)
==17182==    by 0x74E320: JOIN::optimize() (sql_select.cc:1497)
==17182==    by 0x750572: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2887)
==17182==    by 0x756A31: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==17182==    by 0x6A33DD: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5090)
==17182==    by 0x6A50BB: mysql_execute_command(THD*) (sql_parse.cc:2234)
==17182==    by 0x6ADE54: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6091)
==17182==    by 0x6AED24: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1211)
==17182==    by 0x6B0332: do_command(THD*) (sql_parse.cc:906)
==17182== Invalid read of size 1
==17182==    at 0x6F15C9: JOIN_CACHE::read_record_field(st_cache_field*, bool) (sql_join_cache.cc:1804)
==17182==    by 0x6F1E0B: JOIN_CACHE::read_all_record_fields() (sql_join_cache.cc:1692)
==17182==    by 0x6F1F8C: JOIN_CACHE::get_record() (sql_join_cache.cc:1559)
==17182==    by 0x6EEA53: JOIN_CACHE_BNL::read_next_candidate_for_match(unsigned char*) (sql_join_cache.cc:3499)
==17182==    by 0x6F126E: JOIN_CACHE::join_matching_records(bool) (sql_join_cache.cc:2231)
==17182==    by 0x6EEFF8: JOIN_CACHE::join_records(bool) (sql_join_cache.cc:2031)
==17182==    by 0x7358BC: sub_select_cache(JOIN*, st_join_table*, bool) (sql_select.cc:14862)
==17182==    by 0x6F0D6D: JOIN_CACHE::generate_full_extensions(unsigned char*) (sql_join_cache.cc:2339)
==17182==    by 0x6F127B: JOIN_CACHE::join_matching_records(bool) (sql_join_cache.cc:2232)
==17182==    by 0x6EEFF8: JOIN_CACHE::join_records(bool) (sql_join_cache.cc:2031)
==17182==    by 0x7357CB: sub_select_cache(JOIN*, st_join_table*, bool) (sql_select.cc:14842)
==17182==    by 0x735297: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:15004)
==17182==    by 0x7357EE: sub_select_cache(JOIN*, st_join_table*, bool) (sql_select.cc:14844)
==17182==    by 0x735297: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:15004)
==17182==    by 0x736774: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:14728)
==17182==    by 0x7566FF: JOIN::exec() (sql_select.cc:2680)
==17182==  Address 0xe39d22c is 0 bytes after a block of size 131,116 alloc'd
==17182==    at 0x4A05E1C: malloc (vg_replace_malloc.c:195)
==17182==    by 0xBDC9FD: _mymalloc (safemalloc.c:138)
==17182==    by 0x6F3261: JOIN_CACHE::alloc_buffer() (sql_join_cache.cc:910)
==17182==    by 0x6F42EA: JOIN_CACHE::init() (sql_join_cache.cc:1039)
==17182==    by 0x6F4645: JOIN_CACHE_BNL::init() (sql_join_cache.cc:3529)
==17182==    by 0x7375B7: check_join_cache_usage(st_join_table*, unsigned long long, unsigned int, unsigned int, st_join_table*) (sql_select.cc:9036)
==17182==    by 0x737C7F: check_join_cache_usage_for_tables(JOIN*, unsigned long long, unsigned int) (sql_select.cc:9193)
==17182==    by 0x74ADD8: make_join_readinfo(JOIN*, unsigned long long, unsigned int) (sql_select.cc:9278)
==17182==    by 0x74E320: JOIN::optimize() (sql_select.cc:1497)
==17182==    by 0x750572: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2887)
==17182==    by 0x756A31: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==17182==    by 0x6A33DD: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5090)
==17182==    by 0x6A50BB: mysql_execute_command(THD*) (sql_parse.cc:2234)
==17182==    by 0x6ADE54: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6091)
==17182==    by 0x6AED24: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1211)
==17182==    by 0x6B0332: do_command(THD*) (sql_parse.cc:906)
==17182== Invalid read of size 1
==17182==    at 0x6F15C9: JOIN_CACHE::read_record_field(st_cache_field*, bool) (sql_join_cache.cc:1804)
==17182==    by 0x6F1E0B: JOIN_CACHE::read_all_record_fields() (sql_join_cache.cc:1692)
==17182==    by 0x6F1E6E: JOIN_CACHE::get_record_by_pos(unsigned char*) (sql_join_cache.cc:1591)
==17182==    by 0x6EE626: JOIN_CACHE::restore_last_record() (sql_join_cache.cc:1980)
==17182==    by 0x6EF221: JOIN_CACHE::join_records(bool) (sql_join_cache.cc:2103)
==17182==    by 0x7358BC: sub_select_cache(JOIN*, st_join_table*, bool) (sql_select.cc:14862)
==17182==    by 0x6F0D6D: JOIN_CACHE::generate_full_extensions(unsigned char*) (sql_join_cache.cc:2339)
==17182==    by 0x6F127B: JOIN_CACHE::join_matching_records(bool) (sql_join_cache.cc:2232)
==17182==    by 0x6EEFF8: JOIN_CACHE::join_records(bool) (sql_join_cache.cc:2031)
==17182==    by 0x7357CB: sub_select_cache(JOIN*, st_join_table*, bool) (sql_select.cc:14842)
==17182==    by 0x735297: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:15004)
==17182==    by 0x7357EE: sub_select_cache(JOIN*, st_join_table*, bool) (sql_select.cc:14844)
==17182==    by 0x735297: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:15004)
==17182==    by 0x736774: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:14728)
==17182==    by 0x7566FF: JOIN::exec() (sql_select.cc:2680)
==17182==    by 0x750617: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2901)
==17182==  Address 0xe39d22c is 0 bytes after a block of size 131,116 alloc'd
==17182==    at 0x4A05E1C: malloc (vg_replace_malloc.c:195)
==17182==    by 0xBDC9FD: _mymalloc (safemalloc.c:138)
==17182==    by 0x6F3261: JOIN_CACHE::alloc_buffer() (sql_join_cache.cc:910)
==17182==    by 0x6F42EA: JOIN_CACHE::init() (sql_join_cache.cc:1039)
==17182==    by 0x6F4645: JOIN_CACHE_BNL::init() (sql_join_cache.cc:3529)
==17182==    by 0x7375B7: check_join_cache_usage(st_join_table*, unsigned long long, unsigned int, unsigned int, st_join_table*) (sql_select.cc:9036)
==17182==    by 0x737C7F: check_join_cache_usage_for_tables(JOIN*, unsigned long long, unsigned int) (sql_select.cc:9193)
==17182==    by 0x74ADD8: make_join_readinfo(JOIN*, unsigned long long, unsigned int) (sql_select.cc:9278)
==17182==    by 0x74E320: JOIN::optimize() (sql_select.cc:1497)
==17182==    by 0x750572: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2887)
==17182==    by 0x756A31: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==17182==    by 0x6A33DD: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5090)
==17182==    by 0x6A50BB: mysql_execute_command(THD*) (sql_parse.cc:2234)
==17182==    by 0x6ADE54: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6091)
==17182==    by 0x6AED24: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1211)
==17182==    by 0x6B0332: do_command(THD*) (sql_parse.cc:906)
Error: Memory allocated at sql_join_cache.cc:910 was overrun, discovered at 'sql_join_cache.h:650'

summary:	- Crash in end_read_record + Crash in end_read_record with derived table
Changed in maria:
assignee:	Michael Widenius (monty) → nobody

Timour Katchaounov (timour) on 2011-08-24

Changed in maria:
status:	New → Confirmed

Sergey Petrunia (sergefp) on 2011-08-26

Changed in maria:
assignee:	nobody → Igor Babaev (igorb-seattle)

Sergey Petrunia (sergefp) on 2011-08-29

Changed in maria:
assignee:	Igor Babaev (igorb-seattle) → Sergey Petrunia (sergefp)
importance:	Undecided → High

Sergey Petrunia (sergefp) on 2011-08-29

Changed in maria:
importance:	High → Critical

Revision history for this message

Sergey Petrunia (sergefp) wrote on 2011-09-05:

I did not get any valgrind warnings when running testcase from comment #4 on a 32-bit system. I could repeat them on 64-bit system.

Sergey Petrunia (sergefp) on 2011-09-08

Changed in maria:
status:	Confirmed → Fix Committed

Daniel Bartholomew (dbart) on 2011-12-13

Changed in maria:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

bug830993.yy Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.