MariaDB

Memory freed in subselect_hash_sj_engine::cleanup() is subsequently accessed

Bug #869876 reported by Philip Stoev on 2011-10-07

This bug report is a duplicate of: Bug #860561: One-time crash in mark_as_null_row with semijoin+materialization. Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	MariaDB	New	High	Sergey Petrunia	MariaDB 5.3

Bug Description

The following valgrind traces show that memory freed is then accessed:

==25409== Invalid write of size 1
==25409== at 0x6F8122: mark_as_null_row(st_table*) (mysql_priv.h:2629)
==25409== by 0x756264: return_zero_rows(JOIN*, select_result*, List<TABLE_LIST>&, List<Item>&, bool, unsigned long long, char const*, Item*) (sql_select.cc
:10232)
==25409== by 0x756BC7: JOIN::exec() (sql_select.cc:2131)
==25409== by 0x752D75: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, uns
igned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2900)
==25409== by 0x75919F: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==25409== by 0x6A4DCB: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5110)
==25409== by 0x6A6EAB: mysql_execute_command(THD*) (sql_parse.cc:2250)
==25409== by 0x6AFC96: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6110)
==25409== by 0x6B0824: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1221)
==25409== by 0x6B1E4E: do_command(THD*) (sql_parse.cc:916)
==25409== by 0x69C2E2: handle_one_connection (sql_connect.cc:1191)
==25409== by 0x33B600673C: start_thread (in /lib64/libpthread-2.5.so)
==25409== by 0x33B58D40CC: clone (in /lib64/libc-2.5.so)
==25409== Address 0x285b39e8 is 2,136 bytes inside a block of size 4,148 free'd
==25409== at 0x4A05A31: free (vg_replace_malloc.c:325)
==25409== by 0xBE0475: _myfree (safemalloc.c:335)
==25409== by 0xBDF67F: free_root (my_alloc.c:364)
==25409== by 0x72EF6F: free_tmp_table(THD*, st_table*) (sql_select.cc:14601)
==25409== by 0x630FE2: subselect_hash_sj_engine::cleanup() (item_subselect.cc:4371)
==25409== by 0x631C0C: Item_subselect::cleanup() (item_subselect.cc:130)
==25409== by 0x631D6B: Item_in_subselect::cleanup() (item_subselect.cc:165)
==25409== by 0x738314: st_join_table::cleanup() (sql_select.cc:9618)
==25409== by 0x738450: JOIN::cleanup(bool) (sql_select.cc:9899)
==25409== by 0x7386A3: JOIN::join_free() (sql_select.cc:9819)
==25409== by 0x756235: return_zero_rows(JOIN*, select_result*, List<TABLE_LIST>&, List<Item>&, bool, unsigned long long, char const*, Item*) (sql_select.cc
:10225)
==25409== by 0x756BC7: JOIN::exec() (sql_select.cc:2131)
==25409== by 0x752D75: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, uns
igned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2900)
==25409== by 0x75919F: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==25409== by 0x6A4DCB: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5110)
==25409== by 0x6A6EAB: mysql_execute_command(THD*) (sql_parse.cc:2250)

and

==25409== Invalid read of size 1
==25409== at 0x62BBC1: subselect_engine::calc_const_tables(List<TABLE_LIST>&) (item_subselect.cc:3559)
==25409== by 0x62BC69: subselect_single_select_engine::upper_select_const_tables() (item_subselect.cc:3568)
==25409== by 0x631576: Item_subselect::update_used_tables() (item_subselect.cc:781)
==25409== by 0x5C9A84: Item_func::update_used_tables() (item_func.cc:423)
==25409== by 0x5E6A4F: Item_cond::update_used_tables() (item_cmpfunc.cc:4414)
==25409== by 0x758499: JOIN::exec() (sql_select.cc:2531)
==25409== by 0x752D75: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, uns
igned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2900)
==25409== by 0x75919F: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==25409== by 0x6A4DCB: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5110)
==25409== by 0x6A6EAB: mysql_execute_command(THD*) (sql_parse.cc:2250)
==25409== by 0x6AFC96: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6110)
==25409== by 0x6B0824: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1221)
==25409== by 0x6B1E4E: do_command(THD*) (sql_parse.cc:916)
==25409== by 0x69C2E2: handle_one_connection (sql_connect.cc:1191)
==25409== by 0x33B600673C: start_thread (in /lib64/libpthread-2.5.so)
==25409== by 0x33B58D40CC: clone (in /lib64/libc-2.5.so)
==25409== Address 0x2884b78d is 2,141 bytes inside a block of size 4,148 free'd
==25409== at 0x4A05A31: free (vg_replace_malloc.c:325)
==25409== by 0xBE0475: _myfree (safemalloc.c:335)
==25409== by 0xBDF67F: free_root (my_alloc.c:364)
==25409== by 0x72EF6F: free_tmp_table(THD*, st_table*) (sql_select.cc:14601)
==25409== by 0x630FE2: subselect_hash_sj_engine::cleanup() (item_subselect.cc:4371)
==25409== by 0x631C0C: Item_subselect::cleanup() (item_subselect.cc:130)
==25409== by 0x631D6B: Item_in_subselect::cleanup() (item_subselect.cc:165)
==25409== by 0x738314: st_join_table::cleanup() (sql_select.cc:9618)
==25409== by 0x738450: JOIN::cleanup(bool) (sql_select.cc:9899)
==25409== by 0x7386A3: JOIN::join_free() (sql_select.cc:9819)
==25409== by 0x757EE2: JOIN::exec() (sql_select.cc:2453)
==25409== by 0x752D75: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, uns
igned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2900)
==25409== by 0x75919F: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==25409== by 0x6A4DCB: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5110)
==25409== by 0x6A6EAB: mysql_execute_command(THD*) (sql_parse.cc:2250)
==25409== by 0x6AFC96: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6110)
==25409==

RQG command line:

perl runall.pl --queries=100000000 --debug --seed=time --mysqld1=--debug-assert-if-crashed-table --mysqld1=--innodb_stats_sample_pages=256 --mysqld1=--max_join_size=1000000 --queries=100M --duration=900 --threads=6 --seed=time --mysqld1=--log-output=file --no-mask --views --reporter=QueryTimeout,Backtrace,ErrorLog,Deadlock --basedir1=/home/philips/bzr/maria-5.3 --mysqld1=--optimizer_switch=derived_merge=ON,derived_with_keys=ON,semijoin=ON,materialization=ON,firstmatch=ON,loosescan=ON --validator=Transformer --transformers=DisableChosenPlan,ConvertLiteralsToSubqueries,ExecuteAsInsertSelect,ExecuteAsSelectItem,ExecuteAsUpdateDelete,ExecuteAsWhereSubquery,InlineSubqueries --notnull --engine=Aria --grammar=conf/optimizer/optimizer_subquery_semijoin.yy --valgrind --duration=1200

Philip Stoev (pstoev-askmonty) on 2011-10-07

Changed in maria:
milestone:	none → 5.3
assignee:	nobody → Sergey Petrunia (sergefp)

Sergey Petrunia (sergefp) on 2011-10-10

Changed in maria:
importance:	Undecided → High

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #860561 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.