Bug #59851 uninitialised value in Item_func_like::select_optimize with subquery and like
Submitted: 31 Jan 2011 16:07 Modified: 16 Aug 2011 1:38
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Optimizer    Severity: S2 (Serious)
Version: 5.0.93, 5.1.56, 5.5.10, 5.6.2    OS: Any
Assigned to:    CPU Architecture: Any
Tags: valgrind

[31 Jan 2011 16:07] Shane Bester
Description:
Version: '5.5.10-valgrind-max-debug'  socket: 'sock'  port: 3306  Source distribution
Thread 17:
Conditional jump or move depends on uninitialised value(s)
at: Item_func_like::select_optimize const (item_cmpfunc.cc:4696)
by: add_key_fields (sql_select.cc:3577)
by: update_ref_and_keys (sql_select.cc:3971)
by: make_join_statistics (sql_select.cc:2814)
by: JOIN::optimize (sql_select.cc:1051)
by: mysql_select (sql_select.cc:2557)
by: handle_select (sql_select.cc:297)
by: execute_sqlcom_select (sql_parse.cc:4472)
by: mysql_execute_command (sql_parse.cc:2053)
by: mysql_parse (sql_parse.cc:5509)
by: dispatch_command (sql_parse.cc:1035)
by: do_command (sql_parse.cc:772)
by: do_handle_one_connection (sql_connect.cc:748)
by: handle_one_connection (sql_connect.cc:684)
by: start_thread (pthread_create.c:301)
 Uninitialised value was created by a heap allocation
at: malloc (vg_replace_malloc.c:195)
by: my_malloc (my_malloc.c:38)
by: alloc_root (my_alloc.c:166)
by: sql_alloc (thr_malloc.cc:73)
by: Item::operator new (item.h:511)
by: Item_cache::get_cache (item.cc:7377)
by: Item_cache::get_cache (item.cc:7349)
by: subselect_engine::set_row (item_subselect.cc:1836)
by: subselect_single_select_engine::fix_length_and_dec (item_subselect.cc:1848)
by: Item_singlerow_subselect::fix_length_and_dec (item_subselect.cc:518)
by: Item_subselect::fix_fields (item_subselect.cc:199)
by: Item_func::fix_fields (item_func.cc:199)
by: Item_func_like::fix_fields (item_cmpfunc.cc:4709)
by: setup_conds (sql_base.cc:8317)
by: setup_without_group (sql_select.cc:461)
by: JOIN::prepare (sql_select.cc:543)
by: mysql_select (sql_select.cc:2550)
by: handle_select (sql_select.cc:297)
by: execute_sqlcom_select (sql_parse.cc:4472)
by: mysql_execute_command (sql_parse.cc:2053)
by: mysql_parse (sql_parse.cc:5509)
by: dispatch_command (sql_parse.cc:1035)
by: do_command (sql_parse.cc:772)
by: do_handle_one_connection (sql_connect.cc:748)
by: handle_one_connection (sql_connect.cc:684)
by: start_thread (pthread_create.c:301)

(gdb) list
4691        const char *ptr2;
4692
4693        if (!res2 || !(ptr2= res2->ptr()))
4694          return OPTIMIZE_NONE;
4695
4696        if (*ptr2 != wild_many) <------- HERE!!!!!!
4697        {
4698          if (args[0]->result_type() != STRING_RESULT || *ptr2 != wild_one)
4699            return OPTIMIZE_OP;
4700        }

See attached file for full valgrind output.

How to repeat:
#run mysqld in valgrind, then:

drop table if exists `t2`,`t1`;
create table `t2`(`a` int,key(`a`))engine=innodb;
insert into `t2` values (1),(2);
create table `t1`(`b` int,primary key(`b`))engine=innodb;
insert into t1 values (0),(254);
select 1 from `t2` where `a` like 
(select  export_set('1',`b`,`b`,`b`,`b`)from `t1` limit 1);
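As an added illustration (not MySQL's code and not the patch that closed this bug), the C program below models the check shown in the gdb listing above. The pattern is a `String`-like buffer with a separate length; the `pattern_t` type, the `WILD_MANY`/`WILD_ONE` constants and the assumption that the left-hand column is a string column are all simplifications made here. The unchecked variant tests only that `ptr()` is non-null and then reads the first byte, so for an empty pattern whose buffer was allocated but never written the optimizer decision depends on whatever the heap contained; the checked variant tests the length first and returns `OPTIMIZE_NONE` for an empty pattern regardless of buffer contents. The "stale" bytes are written explicitly so the demonstration is deterministic instead of actually reading uninitialised memory.

```c
/* Added example (not MySQL code): the defect class behind bug #59851. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { OPTIMIZE_NONE = 0, OPTIMIZE_OP = 1 } optimize_t;

/* Minimal stand-in for MySQL's String: a buffer plus a byte length (assumption). */
typedef struct {
    char  *ptr;
    size_t length;
} pattern_t;

#define WILD_MANY '%'   /* matches any run of characters */
#define WILD_ONE  '_'   /* matches exactly one character */

/* Simplified model of the decision in the gdb listing: the left-hand argument
 * of LIKE is assumed to be a string column, so only the first pattern byte
 * decides whether a range scan on the prefix is possible. */
static optimize_t select_optimize_unchecked(const pattern_t *res2)
{
    const char *ptr2;
    if (!res2 || !(ptr2 = res2->ptr))
        return OPTIMIZE_NONE;
    if (*ptr2 != WILD_MANY) {            /* reads ptr2[0] even when length == 0 */
        if (*ptr2 != WILD_ONE)
            return OPTIMIZE_OP;          /* literal prefix: index usable */
    }
    return OPTIMIZE_NONE;
}

/* Hardened variant: an empty pattern has no byte to inspect. */
static optimize_t select_optimize_checked(const pattern_t *res2)
{
    const char *ptr2;
    if (!res2 || !(ptr2 = res2->ptr) || res2->length == 0)
        return OPTIMIZE_NONE;
    if (*ptr2 != WILD_MANY) {
        if (*ptr2 != WILD_ONE)
            return OPTIMIZE_OP;
    }
    return OPTIMIZE_NONE;
}

/* Build an empty pattern whose buffer holds a chosen stale byte, standing in
 * for whatever the heap happened to contain (constructed test data). */
static pattern_t make_empty_pattern(char stale_byte, char *storage)
{
    pattern_t p;
    storage[0] = stale_byte;
    p.ptr = storage;
    p.length = 0;
    return p;
}

static pattern_t make_pattern(const char *text)
{
    pattern_t p;
    p.ptr = (char *)text;
    p.length = strlen(text);
    return p;
}

/* 1 if the unchecked version answers differently for two empty patterns that
 * differ only in stale buffer contents, i.e. the plan depends on garbage. */
int unchecked_depends_on_stale_bytes(void)
{
    char buf_a[1], buf_b[1];
    pattern_t a = make_empty_pattern(WILD_MANY, buf_a);
    pattern_t b = make_empty_pattern('x', buf_b);
    return select_optimize_unchecked(&a) != select_optimize_unchecked(&b);
}

/* 1 if the checked version gives OPTIMIZE_NONE for both empty patterns. */
int checked_is_stable(void)
{
    char buf_a[1], buf_b[1];
    pattern_t a = make_empty_pattern(WILD_MANY, buf_a);
    pattern_t b = make_empty_pattern('x', buf_b);
    return select_optimize_checked(&a) == OPTIMIZE_NONE &&
           select_optimize_checked(&b) == OPTIMIZE_NONE;
}

/* Checked decision for an ordinary NUL-terminated pattern. */
optimize_t optimize_text(const char *text)
{
    pattern_t p = make_pattern(text);
    return select_optimize_checked(&p);
}

int main(void)
{
    printf("unchecked depends on stale bytes: %d\n", unchecked_depends_on_stale_bytes());
    printf("checked stable on empty pattern:  %d\n", checked_is_stable());
    printf("'abc%%' -> %d, '%%abc' -> %d, '_bc' -> %d, '' -> %d\n",
           optimize_text("abc%"), optimize_text("%abc"),
           optimize_text("_bc"), optimize_text(""));
    return 0;
}
```

The point for review of this kind of code is that a non-null `ptr()` says nothing about how many bytes are valid; any read of `ptr[0]` needs a length check in front of it, and Valgrind's "uninitialised value was created by a heap allocation" trace pointing at `Item_cache::get_cache` is exactly the signature of a buffer that was allocated for a cached subquery result but never filled.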
[31 Jan 2011 16:08] MySQL Verification Team
full outputs from valgrind

Attachment: bug59851_5.5.10_valgrind_output.txt (text/plain), 17.45 KiB.

[1 Feb 2011 9:17] Valeriy Kravchuk
I've got this in valgrind build of current mysql-51 on 32-bit Ubuntu 10.04:

==14500== Thread 11:
==14500== Conditional jump or move depends on uninitialised value(s)
==14500==    at 0x81FD0E2: Item_func_like::select_optimize() const (item_cmpfunc.cc:4666)
==14500==    by 0x82FD005: add_key_fields(JOIN*, key_field_t**, unsigned int*, Item*, unsigned long long, st_sargable_param**) (sql_select.cc:3561)
==14500==    by 0x82FE053: update_ref_and_keys(THD*, st_dynamic_array*, st_join_table*, unsigned int, Item*, COND_EQUAL*, unsigned long long, st_select_lex*, st_sargable_param**) (sql_select.cc:3955)
==14500==    by 0x82FAF13: make_join_statistics(JOIN*, TABLE_LIST*, Item*, st_dynamic_array*) (sql_select.cc:2800)
==14500==    by 0x82F4781: JOIN::optimize() (sql_select.cc:1021)
==14500==    by 0x82FA01C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2531)
==14500==    by 0x82F2740: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:269)
==14500==    by 0x8298095: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5158)
==14500==    by 0x828E699: mysql_execute_command(THD*) (sql_parse.cc:2293)
==14500==    by 0x829A2BE: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6075)
==14500==    by 0x828C000: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1261)
==14500==    by 0x828B108: do_command(THD*) (sql_parse.cc:889)
==14500== 
==14500== Conditional jump or move depends on uninitialised value(s)
==14500==    at 0x81FD0E2: Item_func_like::select_optimize() const (item_cmpfunc.cc:4666)
==14500==    by 0x83A5488: get_mm_tree(RANGE_OPT_PARAM*, Item*) (opt_range.cc:5504)
==14500==    by 0x839E5CE: SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool) (opt_range.cc:2326)
==14500==    by 0x82FA388: get_quick_record_count(THD*, SQL_SELECT*, st_table*, Bitmap<64u> const*, unsigned long long) (sql_select.cc:2592)
==14500==    by 0x82FBCE5: make_join_statistics(JOIN*, TABLE_LIST*, Item*, st_dynamic_array*) (sql_select.cc:3024)
==14500==    by 0x82F4781: JOIN::optimize() (sql_select.cc:1021)
==14500==    by 0x82FA01C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2531)
==14500==    by 0x82F2740: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:269)
==14500==    by 0x8298095: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5158)
==14500==    by 0x828E699: mysql_execute_command(THD*) (sql_parse.cc:2293)
==14500==    by 0x829A2BE: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6075)
==14500==    by 0x828C000: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1261)
==14500== 

In -debug build valgrind reported no errors like this :(
[16 Aug 2011 1:38] Paul DuBois
Noted in 5.6.3 changelog.

For the LIKE operator, an attempt to use an uninitialized string 
buffer in the case of an empty wildcard was corrected.