Bug #59149 valgrind warnings with "like .. escape .." function
Submitted: 24 Dec 2010 7:54 Modified: 29 Jan 2011 23:08
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Charsets Severity: S3 (Non-critical)
Version: 5.0.92, 5.1.55, 5.5.9, 5.6.1 OS: Any
Assigned to: Alexander Barkov CPU Architecture: Any
Triage: Triaged: D1 (Critical)

[24 Dec 2010 7:54] Shane Bester
Description:
Version: '5.6.1-m5-valgrind-max-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
Thread 18:
Conditional jump or move depends on uninitialised value(s)
at: my_wildcmp_8bit (ctype-simple.c:857)
by: Item_func_like::val_int (item_cmpfunc.cc:4802)
by: Item::send (item.cc:5968)
by: Protocol::send_result_set_row (protocol.cc:848)
by: select_send::send_data (sql_class.cc:1866)
by: end_send (sql_select.cc:18449)
by: do_select (sql_select.cc:16879)
by: JOIN::exec (sql_select.cc:3331)
by: mysql_select (sql_select.cc:3554)
by: handle_select (sql_select.cc:323)
by: execute_sqlcom_select(sql_parse.cc:4513)
by: mysql_execute_command (sql_parse.cc:2096)
by: mysql_parse (sql_parse.cc:5550)
by: dispatch_command (sql_parse.cc:1078)
by: do_command (sql_parse.cc:815)
by: do_handle_one_connection (sql_connect.cc:748)
by: handle_one_connection (sql_connect.cc:684)
by: start_thread (pthread_create.c:301)
Uninitialised value was created by a heap allocation
at: malloc (vg_replace_malloc.c:195)
by: my_malloc (my_malloc.c:38)
by: alloc_root (my_alloc.c:166)
by: Item::operator new (item.h:518)
by: MYSQLparse (sql_yacc.yy:7822)
by: parse_sql (sql_parse.cc:7275)
by: mysql_parse (sql_parse.cc:5505)
by: dispatch_command (sql_parse.cc:1078)
by: do_command (sql_parse.cc:815)
by: do_handle_one_connection (sql_connect.cc:748)
by: handle_one_connection (sql_connect.cc:684)
by: start_thread (pthread_create.c:301)

How to repeat:
#run mysqld in valgrind, then:
select '' like '1' escape count(1),null;
[24 Dec 2010 10:03] Valeriy Kravchuk
Verified with current mysql-5.1-security tree on 32-bit Ubuntu 10.04:

Version: '5.1.55-valgrind-max-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
==15854== Thread 11:
==15854== Conditional jump or move depends on uninitialised value(s)
==15854==    at 0x8624EC4: my_wildcmp_unicode (ctype-utf8.c:1744)
==15854==    by 0x86262AC: my_wildcmp_utf8 (ctype-utf8.c:2559)
==15854==    by 0x81FC765: Item_func_like::val_int() (item_cmpfunc.cc:4648)
==15854==    by 0x81BDCF6: Item::send(Protocol*, String*) (item.cc:5615)
==15854==    by 0x8262B3D: select_send::send_data(List<Item>&) (sql_class.cc:1691)
==15854==    by 0x8310984: end_send(JOIN*, st_join_table*, bool) (sql_select.cc:12330)
==15854==    by 0x830E374: do_select(JOIN*, List<Item>*, st_table*, Procedure*) (sql_select.cc:11159)
==15854==    by 0x82F8A96: JOIN::exec() (sql_select.cc:2334)
==15854==    by 0x82F92C1: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2544)
==15854==    by 0x82F1964: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:269)
==15854==    by 0x82971DA: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5144)
==15854==    by 0x828D81D: mysql_execute_command(THD*) (sql_parse.cc:2293)
==15854==
[14 Jan 2011 12:44] Alexander Barkov
The problem is repeatable with a simpler test case,
without "null" at the end of the select list:

SELECT '' LIKE '1' ESCAPE COUNT(1);
[14 Jan 2011 13:09] Alexander Barkov
The problem is that this query does not return an error:

SELECT '' LIKE '1' ESCAPE COUNT(1);

It should return the same error as this query with a FROM clause:

SELECT '' LIKE '1' ESCAPE COUNT(1) FROM t1;
ERROR 1210 (HY000): Incorrect arguments to ESCAPE
[14 Jan 2011 13:28] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/128751

3552 Alexander Barkov	2011-01-14
      Bug#59149 valgrind warnings with "like .. escape .." function
      
      Problem: when processing a query like:
        SELECT '' LIKE '1' ESCAPE COUNT(1);
      escape_item->val_str() was never executed and the "escape" class member
      stayed initialized, which led to valgrind uninitialized memory error.
      
      Note, a query with some tables in "FROM" clause
      returns ER_WRONG_ARGUMENTS in the same situation:
      
        SELECT '' LIKE '1' ESCAPE COUNT(1) FROM t1;
        ERROR 1210 (HY000): Incorrect arguments to ESCAPE
      
      Fix: disallow using aggregate functions in the ESCAPE clause,
      even if no tables are used. There is not much use of that anyway.
[17 Jan 2011 9:34] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/128912

3556 Alexander Barkov	2011-01-17
      Bug#59149 valgrind warnings with "like .. escape .." function
            
      Problem: when processing a query like:
        SELECT '' LIKE '1' ESCAPE COUNT(1);
      escape_item->val_str() was never executed and the "escape" class member
      stayed initialized, which led to valgrind uninitialized memory error.
            
      Note, a query with some tables in "FROM" clause
      returns ER_WRONG_ARGUMENTS in the same situation:
      
         SELECT '' LIKE '1' ESCAPE COUNT(1) FROM t1;
         ERROR 1210 (HY000): Incorrect arguments to ESCAPE
      
      Fix: disallow using aggregate functions in the ESCAPE clause,
      even if no tables are used. There is not much use of that anyway.
[17 Jan 2011 9:35] Bugs System
Pushed into mysql-5.1 5.1.56 (revid:alexander.barkov@oracle.com-20110117093022-2lqsy48r0jfcd986) (version source revid:alexander.barkov@oracle.com-20110117093022-2lqsy48r0jfcd986) (merge vers: 5.1.56) (pib:24)
[17 Jan 2011 9:49] Bugs System
Pushed into mysql-5.5 5.5.10 (revid:alexander.barkov@oracle.com-20110117093959-g24cybr6403m8zxu) (version source revid:alexander.barkov@oracle.com-20110117093959-g24cybr6403m8zxu) (merge vers: 5.5.10) (pib:24)
[17 Jan 2011 10:02] Bugs System
Pushed into mysql-trunk 5.6.2 (revid:hezx@greatopensource.com-20110117100013-h33ksz5wowjihijn) (version source revid:hezx@greatopensource.com-20110117100013-h33ksz5wowjihijn) (merge vers: 5.6.2) (pib:24)
[21 Jan 2011 19:50] Paul Dubois
Noted in 5.1.56, 5.5.10, 5.6.2 changelogs.

The ESCAPE clause for the LIKE operator allows only expressions that
evaluate to a constant at execution time, but aggregate functions
were not being rejected.
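As an added illustration, not code from the MySQL tree, here is a small C model of the escape setup the commit message describes: a hypothetical `EscapeItem` stands in for `escape_item`, `fix_escape` refuses aggregate expressions (the fix) so the `escape` byte is always written before any comparison reads it, and `like_match` is a minimal LIKE matcher written for this example, not the server's `my_wildcmp_8bit`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the expression in an ESCAPE clause. In the server
 * the value comes from escape_item->val_str(); an aggregate such as COUNT(1)
 * has no value yet when Item_func_like is being fixed. */
typedef struct {
    const char *value;      /* constant string value, or NULL if not available */
    bool is_aggregate;      /* true for COUNT(1) and other aggregate functions */
} EscapeItem;

enum { ESC_OK = 0, ESC_WRONG_ARGUMENTS = 1210 };  /* 1210 = ER_WRONG_ARGUMENTS */

/* Hardened escape setup: aggregates and missing values are rejected before
 * *escape is ever read, so no LIKE comparison sees an uninitialised byte.
 * Requiring exactly one character is an assumption made for this example. */
int fix_escape(const EscapeItem *item, int *escape)
{
    if (item->is_aggregate || item->value == NULL || strlen(item->value) != 1)
        return ESC_WRONG_ARGUMENTS;
    *escape = (unsigned char)item->value[0];
    return ESC_OK;
}

/* Minimal LIKE matcher: '%' matches any run, '_' one character, and the
 * escape character makes the following pattern character literal. */
bool like_match(const char *s, const char *p, int escape)
{
    for (; *p; p++, s++) {
        if ((unsigned char)*p == escape && p[1]) {
            p++;                              /* escaped: next char is literal */
            if (*s != *p) return false;
        } else if (*p == '%') {
            while (*p == '%') p++;
            if (!*p) return true;             /* trailing '%' matches the rest */
            for (; *s; s++)
                if (like_match(s, p, escape)) return true;
            return false;
        } else if (*p == '_' ? !*s : *s != *p) {
            return false;                     /* '_' needs one real character */
        }
    }
    return *s == '\0';
}
```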