Bug #45195 valgrind warnings about uninitialized values in store_record_in_cache()
Submitted: 29 May 2009 13:58 Modified: 20 Jun 2010 22:36
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category:MySQL Server: Optimizer Severity:S2 (Serious)
Version:5.1.30, 5.1.34, 5.1.36, 5.1.39, 5.1.40, 5.1 bzr, next-mr bzr OS:Linux (32-bit fc8)
Assigned to: Sergei Glukhov CPU Architecture:Any
Tags: valgrind

[29 May 2009 13:58] Shane Bester
Description:
valgrind output from 5.1.36

Conditional jump or move depends on uninitialised value(s)
at: store_record_in_cache(st_join_cache*) (sql_select.cc:14031)
by: sub_select_cache(JOIN*, st_join_table*, bool) (sql_select.cc:10961)
by: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:11246)
by: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:11131)
by: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:10887)
by: JOIN::exec() (sql_select.cc:2199)
by: mysql_select (sql_select.cc:2386)
by: handle_select (sql_select.cc:268)
by: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5011)
by: mysql_execute_command(THD*) (sql_parse.cc:2208)
by: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5931)
by: dispatch_command (sql_parse.cc:1213)

sql_select:14031 is this code line:

for (str=copy->str,end= str+copy->length;
   end > str && end[-1] == ' ' ;
   end--) ;

How to repeat:
flush tables;
drop table if exists `t1`,`t2`,`mm1`;
create table `t1`(`a` char(9),`b` int,key(`b`),key(`a`))engine=myisam;
create table `t2`(`a` char(9),`b` int,key(`b`),key(`a`))engine=myisam;

insert into `t1` values ('1',null),(null,null);
insert into `t2` values ('1',null),(null,null);

create table `mm1`(`a` char(9),`b` int,key(`b`),key(`a`))
engine=merge  union=(`t1`,`t2`);

select `t1`.`a` from `mm1`,`t1`;
[2 Jul 2009 23:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[15 Oct 2009 17:58] MySQL Verification Team
Still repeatable in 5.1.39. I suggest you simply do this:

tar zxvf mysql-advanced-gpl-5.1.39-linux-i686-glibc23.tar.gz
cd mysql-advanced-gpl-5.1.39-linux-i686-glibc23
./scripts/mysql_install_db --no-defaults

valgrind --tool=memcheck --track-origins=yes -v --show-reachable=no ./bin/mysqld  --no-defaults  --basedir=./ --datadir=./data  --port=3306

Then login via a client and paste the testcase and watch the errors:
Conditional jump or move depends on uninitialised value(s)
at : store_record_in_cache (sql_select.cc:14060)
by : sub_select_cache (sql_select.cc:10965)
by : evaluate_join_record (sql_select.cc:11250)
by : sub_select) (sql_select.cc:11135)
by : do_select (sql_select.cc:10891)
by : JOIN::exec (sql_select.cc:2209)
by : mysql_select (sql_select.cc:2398)
by : handle_select (sql_select.cc:268)
by : execute_sqlcom_select (sql_parse.cc:5011)
by : mysql_execute_command (sql_parse.cc:2206)
by : mysql_parse (sql_parse.cc:5931)
by : dispatch_command (sql_parse.cc:1213)
 Uninitialised value was created by a heap allocation
at : malloc (vg_replace_malloc.c:195)
by : my_malloc (my_malloc.c:34)
by : alloc_root (my_alloc.c:201)
by : myisam_create_handler (sql_list.h:39)
by : get_new_handler (handler.cc:248)
by : open_table_from_share (table.cc:1670)
by : open_unireg_entry (sql_base.cc:3907)
by : open_table (sql_base.cc:2910)
by : open_tables (sql_base.cc:4575)
by : open_and_lock_tables_derived (sql_base.cc:4981)
by : execute_sqlcom_select (mysql_priv.h:1562)
by : mysql_execute_command (sql_parse.cc:2206)

The offending line is:

for (str=copy->str,end= str+copy->length;
    end > str && end[-1] == ' ' ;
    end--) ;
[17 Nov 2009 20:53] Sveta Smirnova
Verified as described with version 5.1 and next-mr
[29 Jan 2010 13:01] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/98615

3337 Sergey Glukhov	2010-01-29
      Bug#45195 valgrind warnings about uninitialized values in store_record_in_cache()
      The problem becomes apparent only if HAVE_purify is undefined.
      It is related to the part of the code in the open_table_from_share() function
      where we initialize the record buffer only if HAVE_purify is enabled.
      So in case of HAVE_purify=OFF the record buffer is not initialized
      at the open table stage.
      Next we read the key, find a NULL value and update the appropriate null bit
      but do not update the record buffer. After that the record is stored
      in the join cache (store_record_in_cache). For CHAR fields we
      strip trailing spaces and in our case this procedure uses the
      uninitialized record buffer.
      The fix is to skip the space stripping procedure in case of null values
      for CHAR fields (partially based on the 6.0 JOIN_CACHE implementation).
     @ mysql-test/r/join.result
        test case
     @ mysql-test/t/join.test
        test case
     @ sql/field.cc
        code updated according to new CACHE_FIELD struct
     @ sql/sql_select.cc
        code updated according to new CACHE_FIELD struct
     @ sql/sql_select.h
        CACHE_FIELD struct:
        added new fields: Field *field, uint type;
        removed fields: Field_blob *blob_field, bool strip;
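The mechanism described in the original report and in the commit message above, as an added example that is not code from the MySQL tree: a constructed record_t stands in for a record buffer whose CHAR bytes are never initialized when HAVE_purify is off, strip_len_unchecked reads them exactly as the quoted for-loop does, and strip_len_fixed consults the null bit first, as the committed fix does. All type and function names here are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed miniature of a MySQL record: one NULL-bitmap byte followed by
   fixed-width, space-padded CHAR(9) columns, as in the reporter's tables. */
#define CHAR_WIDTH 9
#define NUM_COLS   2
typedef struct {
    uint8_t null_bits;                 /* bit i set => column i is NULL */
    char    col[NUM_COLS][CHAR_WIDTH]; /* not zeroed when HAVE_purify is off */
} record_t;

/* Trailing-space strip as in the reported store_record_in_cache() loop:
   it reads the column bytes whether or not the field is NULL. */
static size_t strip_len_unchecked(const record_t *rec, int i) {
    const char *str = rec->col[i], *end = str + CHAR_WIDTH;
    for (; end > str && end[-1] == ' '; end--) ;
    return (size_t)(end - str);
}

/* Fixed variant (idea of the committed fix): a NULL CHAR field is cached as
   empty, so its never-written bytes are not read at all. */
static size_t strip_len_fixed(const record_t *rec, int i) {
    return (rec->null_bits & (1u << i)) ? 0 : strip_len_unchecked(rec, i);
}

/* Open-table stage with HAVE_purify off: only the null byte is initialized;
   the column bytes stay whatever malloc() handed back. */
static record_t *alloc_record_no_init(void) {
    record_t *rec = malloc(sizeof *rec);
    if (rec) rec->null_bits = 0;
    return rec;
}
/* Key read finds NULL: the null bit is updated, the record buffer is not. */
static void set_null(record_t *rec, int i) { rec->null_bits |= (uint8_t)(1u << i); }
static void set_char(record_t *rec, int i, const char *val) {
    memset(rec->col[i], ' ', CHAR_WIDTH);
    memcpy(rec->col[i], val, strlen(val));
    rec->null_bits &= (uint8_t)~(1u << i);
}

/* Reporter's scenario: column 0 holds '1', column 1 is NULL and never written.
   Returns the length cached for column `col`; `fixed` selects which strip runs
   (fixed == 0 on column 1 is the valgrind-visible read of uninitialized bytes). */
static size_t scenario_len(int col, int fixed) {
    record_t *rec = alloc_record_no_init();
    set_char(rec, 0, "1");
    set_null(rec, 1);
    size_t n = fixed ? strip_len_fixed(rec, col) : strip_len_unchecked(rec, col);
    free(rec);
    return n;
}
```

Compile with -g and run a caller of scenario_len(1, 0) under valgrind --tool=memcheck --track-origins=yes to reproduce the "Conditional jump or move depends on uninitialised value(s)" warning at the strip loop, with the origin traced to the malloc() in alloc_record_no_init; scenario_len(1, 1) produces no warning because the null bit short-circuits the read.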
[10 Feb 2010 14:56] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/99837

3374 Sergey Glukhov	2010-02-10
      Bug#45195 valgrind warnings about uninitialized values in store_record_in_cache()
      The problem becomes apparent only if HAVE_purify is undefined.
      It is related to the part of the code in the open_table_from_share() function
      where we initialize the record buffer only if HAVE_purify is enabled.
      So in case of HAVE_purify=OFF the record buffer is not initialized
      at the open table stage.
      Next we read the key, find a NULL value and update the appropriate null bit
      but do not update the record buffer. After that the record is stored
      in the join cache (store_record_in_cache). For CHAR fields we
      strip trailing spaces and in our case this procedure uses the
      uninitialized record buffer.
      The fix is to skip the space stripping procedure in case of null values
      for CHAR fields (partially based on the 6.0 JOIN_CACHE implementation).
     @ mysql-test/r/join.result
        test case
     @ mysql-test/t/join.test
        test case
     @ sql/field.cc
        code updated according to new CACHE_FIELD struct
     @ sql/sql_select.cc
        code updated according to new CACHE_FIELD struct
     @ sql/sql_select.h
        CACHE_FIELD struct:
        added new fields: Field *field, uint type;
        removed fields: Field_blob *blob_field, bool strip;
[25 Feb 2010 16:25] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/101491

3922 Alexey Kopytov	2010-02-25 [merge]
      Manual merge of the patch for bug #50335.
      Also picked the test case for bug #45195 that was previously
      null-merged to mysql-pe.
[1 Mar 2010 8:43] Bugs System
Pushed into 5.1.45 (revid:joro@sun.com-20100301083827-xnimmrjg6bh33o1o) (version source revid:joerg@mysql.com-20100212173307-ph563zr4wmoklgwd) (merge vers: 5.1.45) (pib:16)
[2 Mar 2010 14:32] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100302142746-u1gxdf5yk2bjrq3e) (version source revid:alik@sun.com-20100301095421-4cz64ibem1h2quve) (merge vers: 6.0.14-alpha) (pib:16)
[2 Mar 2010 14:37] Bugs System
Pushed into 5.5.3-m2 (revid:alik@sun.com-20100302072233-t3uqgjzdukt1pyhe) (version source revid:alexey.kopytov@sun.com-20100221213311-xf5nyv391dsw9v6j) (merge vers: 5.5.2-m2) (pib:16)
[2 Mar 2010 14:43] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100302072432-k8xvfkgcggkwgi94) (version source revid:alik@sun.com-20100224135227-rcqs9pe9b2in80pf) (pib:16)
[16 Mar 2010 0:15] Paul DuBois
Noted in 5.1.45, 5.5.3, 6.0.14 changelogs.

Valgrind warnings about uninitialized variables in optimizer code
were silenced.
[17 Jun 2010 12:17] Bugs System
Pushed into 5.1.47-ndb-7.0.16 (revid:martin.skold@mysql.com-20100617114014-bva0dy24yyd67697) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[17 Jun 2010 13:05] Bugs System
Pushed into 5.1.47-ndb-6.2.19 (revid:martin.skold@mysql.com-20100617115448-idrbic6gbki37h1c) (version source revid:martin.skold@mysql.com-20100609140708-52rvuyq4q500sxkq) (merge vers: 5.1.45-ndb-6.2.19) (pib:16)
[17 Jun 2010 13:45] Bugs System
Pushed into 5.1.47-ndb-6.3.35 (revid:martin.skold@mysql.com-20100617114611-61aqbb52j752y116) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)