Bug #30396 | memory overrun during EXPLAIN EXTENDED | | |
---|---|---|---|
Submitted: | 13 Aug 2007 22:56 | Modified: | 25 Aug 2007 15:58 |
Reporter: | Shane Bester (Platinum Quality Contributor) | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Optimizer | Severity: | S1 (Critical) |
Version: | 5.1.22,5.0.48 | OS: | Any |
Assigned to: | Igor Babaev | CPU Architecture: | Any |
Tags: | crash, explain, memory overrun | | |
[13 Aug 2007 22:56]
Shane Bester
[13 Aug 2007 23:25]
MySQL Verification Team
Run this SQL to get a crash on 5.1.
Attachment: bug30396_reduced_testcase.sql (application/octet-stream, text), 2.99 KiB.
[13 Aug 2007 23:29]
MySQL Verification Team
The memory overruns seem pretty severe. Even the error messages themselves appear corrupt...

```
Version: '5.1.22-beta-debug' socket: '/tmp/mysql.sock' port: 3306 yes
Error: Memory allocated at ¨‘X‰ðâ:148766136 was underrun, discovered at my_alloc.c:201
Error: Memory allocated at ¨‘X‰ðâ:148766136 was overrun, discovered at 'my_alloc.c:201'
Error: Memory allocated at :-1515870811 was underrun, discovered at my_alloc.c:201
Error: Memory allocated at :-1515870811 was overrun, discovered at 'my_alloc.c:201'
Error: Memory allocated at (null):0 was underrun, discovered at my_alloc.c:201
Error: Memory allocated at (null):0 was overrun, discovered at 'my_alloc.c:201'
Error: Safemalloc link list destroyed, discovered at 'my_alloc.c:201' root=0x8de99c0,count=197,irem=(nil)
Error: Memory allocated at ¨‘X‰ðâ:148766136 was underrun, discovered at my_alloc.c:355
Error: Memory allocated at ¨‘X‰ðâ:148766136 was overrun, discovered at 'my_alloc.c:355'
Error: Memory allocated at :-1515870811 was underrun, discovered at my_alloc.c:355
Error: Memory allocated at :-1515870811 was overrun, discovered at 'my_alloc.c:355'
Error: Memory allocated at (null):0 was underrun, discovered at my_alloc.c:355
Error: Memory allocated at (null):0 was overrun, discovered at 'my_alloc.c:355'
Error: Safemalloc link list destroyed, discovered at 'my_alloc.c:355'
```
[14 Aug 2007 8:32]
MySQL Verification Team
I tried to simplify the crashing query, but strangely I could only get a crash with 6 or more joins :(
[15 Aug 2007 1:17]
Igor Babaev
I succeeded in causing memory corruption with 5.0 when running the following script:

```sql
DROP DATABASE IF EXISTS db_bug30396;
CREATE DATABASE db_bug30396;
USE db_bug30396;
CREATE TABLE t1 (
  c1 int(11) NOT NULL AUTO_INCREMENT,
  c2 varchar(1000) DEFAULT NULL,
  c3 bigint(20) DEFAULT NULL,
  c4 bigint(20) DEFAULT NULL,
  PRIMARY KEY (c1)
);
EXPLAIN EXTENDED
SELECT join_2.c1
FROM t1 AS join_0, t1 AS join_1, t1 AS join_2, t1 AS join_3,
     t1 AS join_4, t1 AS join_5, t1 AS join_6, t1 AS join_7
WHERE join_0.c1=join_1.c1 AND join_1.c1=join_2.c1 AND join_2.c1=join_3.c1
  AND join_3.c1=join_4.c1 AND join_4.c1=join_5.c1 AND join_5.c1=join_6.c1
  AND join_6.c1=join_7.c1
   OR join_0.c2 < '?' AND join_1.c2 < '?' AND join_2.c2 > '?' AND join_2.c2 < '!'
  AND join_3.c2 > '?' AND join_4.c2 = '?' AND join_5.c2 <> '?' AND join_6.c2 <> '?'
  AND join_7.c2 >= '?'
  AND join_0.c1=join_1.c1 AND join_1.c1=join_2.c1 AND join_2.c1=join_3.c1
  AND join_3.c1=join_4.c1 AND join_4.c1=join_5.c1 AND join_5.c1=join_6.c1
  AND join_6.c1=join_7.c1
GROUP BY join_3.c1, join_2.c1, join_7.c1, join_1.c1, join_0.c1;
SHOW WARNINGS;
```

On the server side I had:

```
070814 18:17:43 [Note] /home/igor/mysql-5.0-opt/sql/mysqld: ready for connections.
Version: '5.0.48-debug' socket: '/tmp/mysql.sock' port: 3306 Source distribution
[New Thread -1256752224 (LWP 23073)]
Error: Memory allocated at my_alloc.c:201 was overrun, discovered at 'array.c:123'
Error: Memory allocated at my_alloc.c:201 was overrun, discovered at 'array.c:123'
Error: Memory allocated at my_alloc.c:201 was overrun, discovered at 'array.c:123'
Error: Memory allocated at my_alloc.c:201 was overrun, discovered at 'my_alloc.c:201'
...
Program received signal SIGABRT, Aborted.
```
[15 Aug 2007 17:18]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/32584

ChangeSet@1.2495, 2007-08-15 10:24:18-07:00, igor@olga.mysql.com +7 -0

Fixed bug #30396.

The bug caused memory corruption for some queries with top OR level in the WHERE condition if they contained equality predicates and other sargable predicates in disjunctive parts of the condition.

The corruption happened because the upper bound of the memory allocated for KEY_FIELD and SARGABLE_PARAM internal structures containing info about potential lookup keys was calculated incorrectly in some cases. In particular it was calculated incorrectly when the WHERE condition was an OR formula with disjuncts being AND formulas including equalities and other sargable predicates.
[23 Aug 2007 16:51]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/32981

ChangeSet@1.2569, 2007-08-23 22:24:31+05:00, gshchepa@gleb.loc +7 -0

Fixed bug #30396. Recommit to 5.1.22.

The bug caused memory corruption for some queries with top OR level in the WHERE condition if they contained equality predicates and other sargable predicates in disjunctive parts of the condition.

The corruption happened because the upper bound of the memory allocated for KEY_FIELD and SARGABLE_PARAM internal structures containing info about potential lookup keys was calculated incorrectly in some cases. In particular it was calculated incorrectly when the WHERE condition was an OR formula with disjuncts being AND formulas including equalities and other sargable predicates.
[23 Aug 2007 20:50]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/32995

ChangeSet@1.2571, 2007-08-24 02:23:49+05:00, gshchepa@gleb.loc +7 -0

Fixed bug #30396. Recommit to 5.1.22.

The bug caused memory corruption for some queries with top OR level in the WHERE condition if they contained equality predicates and other sargable predicates in disjunctive parts of the condition.

The corruption happened because the upper bound of the memory allocated for KEY_FIELD and SARGABLE_PARAM internal structures containing info about potential lookup keys was calculated incorrectly in some cases. In particular it was calculated incorrectly when the WHERE condition was an OR formula with disjuncts being AND formulas including equalities and other sargable predicates.
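Added example, not the MySQL patch and not code from this bug report: a constructed C model of the bug class the commit messages describe, where a buffer for lookup-key entries is sized up front from a bound over the WHERE tree and an under-estimated bound lets the fill step write past the block. The `bound_buggy` rule (room for the widest disjunct only) is an assumed simplification chosen to reproduce the OR-of-ANDs failure shape; MySQL's real bound formula is not on this page and is not reproduced here.

```c
#include <stdlib.h>
/* Constructed model (not MySQL's code) of the bug class behind #30396: each
   sargable predicate of the WHERE tree becomes one entry in a buffer whose
   size is computed up front from a bound on the number of entries. */
enum kind { EQ, RANGE, AND, OR };
struct cond { enum kind k; int n; const struct cond *kid[16]; };
/* Sargable leaves (equalities and ranges) anywhere below c. */
static int leaves(const struct cond *c) {
    if (c->k == EQ || c->k == RANGE) return 1;
    int s = 0;
    for (int i = 0; i < c->n; i++) s += leaves(c->kid[i]);
    return s;
}

/* Assumed buggy bound: room for the widest disjunct only. It under-counts,
   since entries of every disjunct exist at once while the OR is merged. */
static int bound_buggy(const struct cond *c) {
    if (c->k != OR) return leaves(c);
    int m = 0;
    for (int i = 0; i < c->n; i++) { int l = leaves(c->kid[i]); if (l > m) m = l; }
    return m;
}

/* Fixed bound: one entry for every leaf of every disjunct. */
static int bound_fixed(const struct cond *c) { return leaves(c); }

/* Fill buf[cap]; entries past cap are counted in *over instead of written (a
   real build writes past the block, which is what safemalloc reported above). */
static void collect(const struct cond *c, const struct cond **buf, int cap,
                    int *n, int *over) {
    if (c->k == EQ || c->k == RANGE) {
        if (*n < cap) buf[*n] = c; else (*over)++;
        (*n)++;
        return;
    }
    for (int i = 0; i < c->n; i++) collect(c->kid[i], buf, cap, n, over);
}

/* Shape of the repro above: (7 equalities) OR (7 equalities AND 9 others).
   Returns how many entries would land beyond a buffer sized by `bound`. */
static int overrun_with(int (*bound)(const struct cond *)) {
    static const struct cond eq = { EQ, 0, {0} }, rg = { RANGE, 0, {0} };
    struct cond a = { AND, 7, {0} }, b = { AND, 16, {0} }, top = { OR, 2, {&a, &b} };
    for (int i = 0; i < 16; i++) { b.kid[i] = i < 7 ? &eq : &rg; if (i < 7) a.kid[i] = &eq; }
    int cap = bound(&top), n = 0, over = 0;
    const struct cond **buf = calloc((size_t)cap, sizeof *buf);
    collect(&top, buf, cap, &n, &over);
    free(buf);
    return over;
}
```

With the buggy bound the repro shape leaves 7 entries without room (16 allocated, 23 written); with the fixed bound none do.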
[24 Aug 2007 7:20]
Bugs System
Pushed into 5.1.22-beta
[24 Aug 2007 7:22]
Bugs System
Pushed into 5.0.48
[25 Aug 2007 15:58]
Paul DuBois
Noted in 5.0.48, 5.1.22 changelogs. Memory corruption occurred for some queries with a top-level OR operation in the WHERE condition if they contained equality predicates and other sargable predicates in disjunctive parts of the condition.
[4 Sep 2007 17:11]
Bugs System
Pushed into 5.1.23-beta