Bug #53859 Valgrind: opt_sum_query(TABLE_LIST*, List<Item>&, Item*) at opt_sum.cc:305
Submitted: 20 May 2010 14:15 Modified: 14 Oct 2010 15:27
Reporter: John Embretsen Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Optimizer Severity:S3 (Non-critical)
Version:5.1.47, 5.6.99-m4 Dahlia, bzr_mysql-next-mr-opt-backporting, 6.0.14 OS:Any
Assigned to: Martin Hansson
Tags: uninitialized value, valgrind
Triage: Triaged: D2 (Serious)

[20 May 2010 14:15] John Embretsen
Description:
The following valgrind warning was found during RQG testing of the mysql-next-mr-opt-backporting branch as of 2010-05-20:

7778:==15285== Thread 25:
7779:==15285== Conditional jump or move depends on uninitialised value(s)
7780:==15285==    at 0x84EB35: opt_sum_query(TABLE_LIST*, List<Item>&, Item*) (opt_sum.cc:305)
7781:==15285==    by 0x6322E3: JOIN::optimize() (sql_select.cc:1648)
7782:==15285==    by 0x63729B: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3230)
7783:==15285==    by 0x63CD77: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:313)
7784:==15285==    by 0x5DAE2B: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:4784)
7785:==15285==    by 0x5DD0C8: mysql_execute_command(THD*) (sql_parse.cc:2260)
7786:==15285==    by 0x5E47A3: mysql_parse(THD*, char const*, unsigned int, char const**) (sql_parse.cc:5816)
7787:==15285==    by 0x5E5348: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1088)
7788:==15285==    by 0x5E67EB: do_command(THD*) (sql_parse.cc:774)
7789:==15285==    by 0x6C3E21: do_handle_one_connection(THD*) (sql_connect.cc:1188)
7790:==15285==    by 0x6C3EE6: handle_one_connection (sql_connect.cc:1127)
7791:==15285==    by 0x4E333B9: start_thread (in /lib/libpthread-2.9.so)
7792:==15285==    by 0x59F6FCC: clone (in /lib/libc-2.9.so)

How to repeat:
To obtain the RQG:

bzr branch lp:randgen
cd randgen

Assuming you have valgrind-enabled binary in directory /path/to/binary

perl runall.pl \
--queries=100K \
--basedir=/path/to/binary \
--mysqld=--init-file=$PWD/init-file.sql \
--grammar=conf/optimizer/outer_join.yy \
--gendata=conf/optimizer/outer_join.zz \
--Validator=MarkErrorLog \
--valgrind \
--duration=1200

where init-file.sql (which may or may not be relevant) contains:

SET GLOBAL optimizer_join_cache_level=8;
SET GLOBAL optimizer_switch="engine_condition_pushdown=on,firstmatch=on,index_condition_pushdown=on,index_merge=on,index_merge_intersection=on,index_merge_sort_union=on,index_merge_union=on,loosescan=on,materialization=on,mrr=on,mrr_cost_based=off,semijoin=off";
[20 May 2010 16:05] John Embretsen
Bug verified using the mysql-test script pasted below.

Against mysql-5.1-bugteam the trace was slightly different, starting with:

==15265==    at 0x806C05: get_index_min_value(st_table*, st_table_ref*, Item_field*, unsigned int, unsigned int) (opt_sum.cc:159)
==15265==    by 0x807F86: opt_sum_query(TABLE_LIST*, List<Item>&, Item*) (opt_sum.cc:379)
(...)

One further detail from using valgrind option --track-origins=yes:

==26670==  Uninitialised value was created by a stack allocation
==26670==    at 0x84E40F: opt_sum_query(TABLE_LIST*, List<Item>&, Item*) (opt_sum.cc:114)

Also verified against:

mysql-next-mr 
   revid  alik@sun.com-20100520100140-5bzrtadw4w419i3m
mysql-6.0-codebase-bugfixing 
   revid  aelkin@mysql.com-20100519051128-0y11rwakkp49qva0

Test script for reproducing this issue:

-----------------------------------

--disable_warnings
DROP TABLE /*! IF EXISTS */ P;
--enable_warnings

CREATE TABLE `P` (
  `pk` int(11) NOT NULL AUTO_INCREMENT,
  `col_int_key` int(11) DEFAULT NULL,
  PRIMARY KEY (`pk`),
  KEY `col_int_key` (`col_int_key`)
) ENGINE=InnoDB AUTO_INCREMENT=10 DEFAULT CHARSET=latin1;

INSERT INTO `P` VALUES (3,NULL);
INSERT INTO `P` VALUES (8,NULL);
INSERT INTO `P` VALUES (5,-1219493888);
INSERT INTO `P` VALUES (7,0);
INSERT INTO `P` VALUES (6,3);
INSERT INTO `P` VALUES (2,6);
INSERT INTO `P` VALUES (9,7);
INSERT INTO `P` VALUES (1,9);
INSERT INTO `P` VALUES (4,1635516416);

SELECT  MIN(  table1 . `col_int_key` ) AS field1
 FROM  P AS table1
   LEFT  JOIN P AS table2 ON  table1 . `pk` =  table2 . `pk`
 WHERE ( table1 . `col_int_key` > 244 AND table1 . `col_int_key` IS  NULL )
 ORDER BY field1 LIMIT 2 OFFSET 9;

DROP TABLE P;
[27 May 2010 13:03] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/109367

3387 Martin Hansson	2010-05-27
      Bug#53859: Valgrind: opt_sum_query(TABLE_LIST*, List<Item>&,
      Item*) at opt_sum.cc:305
      
      Queries where MIN and MAX functions are applied to indexed
      columns are optimized to read directly from the index if all
      key parts of the index preceding the aggregated key part are
      bound to constants by the WHERE clause. A prefix length is
      also produced. If the aggregated column itself is bound to a
      constant, however, it is also included in the prefix. The
      function that was performing the read missed this detail and
      tried to read outside the key buffer.
      
      Fixed by simply reading the last key part's position in the
      key buffer if the prefix length equals the entire buffer
      length.
[28 May 2010 7:42] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/109448

3387 Martin Hansson	2010-05-28
      Bug#53859: Valgrind: opt_sum_query(TABLE_LIST*, List<Item>&,
      Item*) at opt_sum.cc:305
      
      Queries where MIN and MAX functions are applied to indexed
      columns are optimized to read directly from the index if all
      key parts of the index preceding the aggregated key part are
      bound to constants by the WHERE clause. A prefix length is
      also produced. If the aggregated column itself is bound to a
      constant, however, it is also included in the prefix. The
      function that was performing the read missed this detail and
      tried to read outside the key buffer.
      
      Fixed by simply reading the last key part's position in the
      key buffer if the prefix length equals the entire buffer
      length.
[3 Jun 2010 8:44] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/110064

3388 Martin Hansson	2010-06-03
      Bug#53859: Valgrind: opt_sum_query(TABLE_LIST*, List<Item>&,
      Item*) at opt_sum.cc:305
      
      Queries applying MIN/MAX functions to indexed columns are
      optimized to read directly from the index if all key parts
      of the index preceding the aggregated key part are bound to
      constants by the WHERE clause. A prefix length is also
      produced, equal to the total length of the bound key
      parts. If the aggregated column itself is bound to a
      constant, however, it is also included in the prefix.
      
      Such full search keys are read as closed intervals for
      reasons beyond the scope of this bug. However, the procedure
      missed one case where a key part meant for use as range
      endpoint was being overwritten with a NULL value destined
      for equality checking. In this case the key part was
      overwritten but the range flag remained, causing open
      interval reading to be performed.
      
      Bug was fixed by adding more stringent checking to the
      search key building procedure (matching_cond) and never
      allow overwrites of range predicates with non-range
      predicates.
      
      An assertion was added to make sure open intervals are never
      used with full search keys.
[17 Jun 2010 6:13] Bugs System
Pushed into 5.5.5-m3 (revid:alexey.kopytov@sun.com-20100615145247-8bj0vmuqlotbqsn9) (version source revid:martin.hansson@sun.com-20100611081555-5j7634ulewwpyn1d) (merge vers: 5.5.5-m3) (pib:16)
[17 Jun 2010 6:16] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100615150216-cubqoyn1fj9b6a2p) (version source revid:alik@sun.com-20100615081608-4ieksdrefamsw3v9) (pib:16)
[19 Jul 2010 14:35] Bugs System
Pushed into 5.1.49 (revid:build@mysql.com-20100719143034-omcma40sblwmay3x) (version source revid:martin.hansson@sun.com-20100611073829-dhr9aeh6d8iff672) (merge vers: 5.1.48) (pib:16)
[20 Jul 2010 2:40] Paul Dubois
Noted in 5.1.49, 5.5.5 changelogs.

Queries that used MIN() or MAX() on indexed columns could be
optimized incorrectly.
[14 Oct 2010 8:34] Bugs System
Pushed into mysql-5.1-telco-7.0 5.1.51-ndb-7.0.20 (revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (version source revid:vasil.dimov@oracle.com-20100531152341-x2d4hma644icamh1) (merge vers: 5.5.5-m3) (pib:21)
[14 Oct 2010 8:49] Bugs System
Pushed into mysql-5.1-telco-6.3 5.1.51-ndb-6.3.39 (revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (version source revid:vasil.dimov@oracle.com-20100531152341-x2d4hma644icamh1) (merge vers: 5.5.5-m3) (pib:21)
[14 Oct 2010 9:03] Bugs System
Pushed into mysql-5.1-telco-6.2 5.1.51-ndb-6.2.19 (revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (version source revid:vasil.dimov@oracle.com-20100531152341-x2d4hma644icamh1) (merge vers: 5.5.5-m3) (pib:21)
[14 Oct 2010 15:27] Jon Stephens
Already documented in the 5.1.49 changelog; no new changelog entries required. setting back to Closed state.
[24 Mar 2011 9:54] Shane Bester
see bug #58705 for another problem in opt_sum_query