[MDEV-32436] MSAN / Valgrind errors upon subquery from InnoDB table - Jira

XML

Word

Printable

Details

Type: Bug
Status: Stalled (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.6, 10.11, 10.4(EOL), 10.5(EOL), 10.10(EOL), 11.0(EOL), 11.1(EOL), 11.2(EOL)
Fix Version/s: 10.6, 10.11, 11.4, 11.8
Component/s: Optimizer, Storage Engine - InnoDB
Labels:
- MSAN

Bug Category:
Unexpected results

Description

--source include/have_innodb.inc

CREATE TABLE t1 (a VARCHAR(256)) ENGINE=InnoDB;

INSERT INTO t1 VALUES (1),(5);

CREATE TABLE t2 (b INT) ENGINE=InnoDB;

INSERT INTO t2 VALUES (2),(3);

SELECT * FROM t1 WHERE EXISTS (SELECT 1 FROM t2 WHERE b <> t1.a);

# Cleanup

DROP TABLE t1, t2;

10.4 0c7af6a2 Valgrind
==1983132== Thread 27:
==1983132== Conditional jump or move depends on uninitialised value(s)
==1983132== at 0x1280A8A: mach_write_to_2(unsigned char*, unsigned long) (mach0data.inl:58)
==1983132== by 0x1282A8D: rec_set_bit_field_2(unsigned char*, unsigned long, unsigned long, unsigned long, unsigned long) (rem0rec.inl:220)
==1983132== by 0x1282DD3: rec_set_n_fields_old(unsigned char*, unsigned long) (rem0rec.inl:431)
==1983132== by 0x128811B: rec_convert_dtuple_to_rec_old(unsigned char, dtuple_t const, unsigned long) (rem0rec.cc:1425)
==1983132== by 0x1288971: rec_convert_dtuple_to_rec(unsigned char, dict_index_t const, dtuple_t const*, unsigned long) (rem0rec.cc:1776)
==1983132== by 0x1411B68: page_cur_tuple_insert(page_cur_t, dtuple_t const, dict_index_t, unsigned short, mem_block_info_t, unsigned long, mtr_t) (page0cur.inl:272)
==1983132== by 0x142136A: btr_cur_optimistic_insert(unsigned long, btr_cur_t, unsigned short, mem_block_info_t, dtuple_t, unsigned char, big_rec_t, unsigned long, que_thr_t, mtr_t) (btr0cur.cc:3597)
==1983132== by 0x12C1DE6: row_ins_clust_index_entry_low(unsigned long, unsigned long, dict_index_t, unsigned long, dtuple_t, unsigned long, que_thr_t*) (row0ins.cc:2805)
==1983132== by 0x12C37CC: row_ins_clust_index_entry(dict_index_t, dtuple_t, que_thr_t*, unsigned long) (row0ins.cc:3281)
==1983132== by 0x12C3D67: row_ins_index_entry(dict_index_t, dtuple_t, que_thr_t*) (row0ins.cc:3407)
==1983132== by 0x12C46AC: row_ins_index_entry_step(ins_node_t, que_thr_t) (row0ins.cc:3576)
==1983132== by 0x12C4BA4: row_ins(ins_node_t, que_thr_t) (row0ins.cc:3713)
==1983132== by 0x12C5437: row_ins_step(que_thr_t*) (row0ins.cc:3856)
==1983132== by 0x1276DC8: que_thr_step(que_thr_t*) (que0que.cc:945)
==1983132== by 0x12771CD: que_run_threads_low(que_thr_t*) (que0que.cc:1028)
==1983132== by 0x1277467: que_run_threads(que_thr_t*) (que0que.cc:1068)
==1983132==
==1983132== Conditional jump or move depends on uninitialised value(s)
==1983132== at 0x12809EC: mach_write_to_1(unsigned char*, unsigned long) (mach0data.inl:41)
==1983132== by 0x12824A4: rec_set_bit_field_1(unsigned char*, unsigned long, unsigned long, unsigned long, unsigned long) (rem0rec.inl:178)
==1983132== by 0x1282FDD: rec_set_info_bits_old(unsigned char*, unsigned long) (rem0rec.inl:575)
==1983132== by 0x128813E: rec_convert_dtuple_to_rec_old(unsigned char, dtuple_t const, unsigned long) (rem0rec.cc:1428)
==1983132== by 0x1288971: rec_convert_dtuple_to_rec(unsigned char, dict_index_t const, dtuple_t const*, unsigned long) (rem0rec.cc:1776)
==1983132== by 0x1411B68: page_cur_tuple_insert(page_cur_t, dtuple_t const, dict_index_t, unsigned short, mem_block_info_t, unsigned long, mtr_t) (page0cur.inl:272)
==1983132== by 0x142136A: btr_cur_optimistic_insert(unsigned long, btr_cur_t, unsigned short, mem_block_info_t, dtuple_t, unsigned char, big_rec_t, unsigned long, que_thr_t, mtr_t) (btr0cur.cc:3597)
==1983132== by 0x12C1DE6: row_ins_clust_index_entry_low(unsigned long, unsigned long, dict_index_t, unsigned long, dtuple_t, unsigned long, que_thr_t*) (row0ins.cc:2805)
==1983132== by 0x12C37CC: row_ins_clust_index_entry(dict_index_t, dtuple_t, que_thr_t*, unsigned long) (row0ins.cc:3281)
==1983132== by 0x12C3D67: row_ins_index_entry(dict_index_t, dtuple_t, que_thr_t*) (row0ins.cc:3407)
==1983132== by 0x12C46AC: row_ins_index_entry_step(ins_node_t, que_thr_t) (row0ins.cc:3576)
==1983132== by 0x12C4BA4: row_ins(ins_node_t, que_thr_t) (row0ins.cc:3713)
==1983132== by 0x12C5437: row_ins_step(que_thr_t*) (row0ins.cc:3856)
==1983132== by 0x1276DC8: que_thr_step(que_thr_t*) (que0que.cc:945)
==1983132== by 0x12771CD: que_run_threads_low(que_thr_t*) (que0que.cc:1028)
==1983132== by 0x1277467: que_run_threads(que_thr_t*) (que0que.cc:1068)
==1983132==
==1983132== Conditional jump or move depends on uninitialised value(s)
==1983132== at 0x1280A8A: mach_write_to_2(unsigned char*, unsigned long) (mach0data.inl:58)
==1983132== by 0x1282A8D: rec_set_bit_field_2(unsigned char*, unsigned long, unsigned long, unsigned long, unsigned long) (rem0rec.inl:220)
==1983132== by 0x128311A: rec_set_heap_no_new(unsigned char*, unsigned long) (rem0rec.inl:764)
==1983132== by 0x1291B9A: void rec_convert_dtuple_to_rec_comp<false, false>(unsigned char, dict_index_t const, dfield_t const*, unsigned long, rec_comp_status_t, bool) (rem0rec.cc:1562)
==1983132== by 0x1288669: rec_convert_dtuple_to_rec_new(unsigned char, dict_index_t const, dtuple_t const*) (rem0rec.cc:1742)
==1983132== by 0x1288954: rec_convert_dtuple_to_rec(unsigned char, dict_index_t const, dtuple_t const*, unsigned long) (rem0rec.cc:1774)
==1983132== by 0x1411B68: page_cur_tuple_insert(page_cur_t, dtuple_t const, dict_index_t, unsigned short, mem_block_info_t, unsigned long, mtr_t) (page0cur.inl:272)
==1983132== by 0x142136A: btr_cur_optimistic_insert(unsigned long, btr_cur_t, unsigned short, mem_block_info_t, dtuple_t, unsigned char, big_rec_t, unsigned long, que_thr_t, mtr_t) (btr0cur.cc:3597)
==1983132== by 0x12C1DE6: row_ins_clust_index_entry_low(unsigned long, unsigned long, dict_index_t, unsigned long, dtuple_t, unsigned long, que_thr_t*) (row0ins.cc:2805)
==1983132== by 0x12C37CC: row_ins_clust_index_entry(dict_index_t, dtuple_t, que_thr_t*, unsigned long) (row0ins.cc:3281)
==1983132== by 0x12C3D67: row_ins_index_entry(dict_index_t, dtuple_t, que_thr_t*) (row0ins.cc:3407)
==1983132== by 0x12C46AC: row_ins_index_entry_step(ins_node_t, que_thr_t) (row0ins.cc:3576)
==1983132== by 0x12C4BA4: row_ins(ins_node_t, que_thr_t) (row0ins.cc:3713)
==1983132== by 0x12C5437: row_ins_step(que_thr_t*) (row0ins.cc:3856)
==1983132== by 0x12EDBB0: row_insert_for_mysql(unsigned char const, row_prebuilt_t, ins_mode_t) (row0mysql.cc:1395)
==1983132== by 0x111F5A3: ha_innobase::write_row(unsigned char const*) (ha_innodb.cc:8171)
==1983132==
==1983132== Conditional jump or move depends on uninitialised value(s)
==1983132== at 0x12809EC: mach_write_to_1(unsigned char*, unsigned long) (mach0data.inl:41)
==1983132== by 0x12824A4: rec_set_bit_field_1(unsigned char*, unsigned long, unsigned long, unsigned long, unsigned long) (rem0rec.inl:178)
==1983132== by 0x1283010: rec_set_info_bits_new(unsigned char*, unsigned long) (rem0rec.inl:587)
==1983132== by 0x1288686: rec_convert_dtuple_to_rec_new(unsigned char, dict_index_t const, dtuple_t const*) (rem0rec.cc:1747)
==1983132== by 0x1288954: rec_convert_dtuple_to_rec(unsigned char, dict_index_t const, dtuple_t const*, unsigned long) (rem0rec.cc:1774)
==1983132== by 0x1411B68: page_cur_tuple_insert(page_cur_t, dtuple_t const, dict_index_t, unsigned short, mem_block_info_t, unsigned long, mtr_t) (page0cur.inl:272)
==1983132== by 0x142136A: btr_cur_optimistic_insert(unsigned long, btr_cur_t, unsigned short, mem_block_info_t, dtuple_t, unsigned char, big_rec_t, unsigned long, que_thr_t, mtr_t) (btr0cur.cc:3597)
==1983132== by 0x12C1DE6: row_ins_clust_index_entry_low(unsigned long, unsigned long, dict_index_t, unsigned long, dtuple_t, unsigned long, que_thr_t*) (row0ins.cc:2805)
==1983132== by 0x12C37CC: row_ins_clust_index_entry(dict_index_t, dtuple_t, que_thr_t*, unsigned long) (row0ins.cc:3281)
==1983132== by 0x12C3D67: row_ins_index_entry(dict_index_t, dtuple_t, que_thr_t*) (row0ins.cc:3407)
==1983132== by 0x12C46AC: row_ins_index_entry_step(ins_node_t, que_thr_t) (row0ins.cc:3576)
==1983132== by 0x12C4BA4: row_ins(ins_node_t, que_thr_t) (row0ins.cc:3713)
==1983132== by 0x12C5437: row_ins_step(que_thr_t*) (row0ins.cc:3856)
==1983132== by 0x12EDBB0: row_insert_for_mysql(unsigned char const, row_prebuilt_t, ins_mode_t) (row0mysql.cc:1395)
==1983132== by 0x111F5A3: ha_innobase::write_row(unsigned char const*) (ha_innodb.cc:8171)
==1983132== by 0xD0ACD9: handler::ha_write_row(unsigned char const*) (handler.cc:6860)
==1983132==

10.6 8941bdc47 MSAN
Uninitialized bytes in MemcmpInterceptorCommon at offset 4 inside [0x7150000a03b8, 259)
==2014396==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x55b671823c3e in bcmp (/mnt8t/src/10.6-msan/sql/mariadbd+0x79dc3e)
#1 0x55b671f635e0 in cmp_buffer_with_ref(THD, TABLE, st_table_ref*) /data/src/10.6-msan/sql/sql_select.cc:25596:10
#2 0x55b671f635e0 in join_read_key2(THD, st_join_table, TABLE, st_table_ref) /data/src/10.6-msan/sql/sql_select.cc:22391:7
#3 0x55b6724ee6d7 in Expression_cache_tmptable::check_value(Item**) /data/src/10.6-msan/sql/sql_expression_cache.cc:223:15
#4 0x55b672b2072b in Item_cache_wrapper::check_cache() /data/src/10.6-msan/sql/item.cc:8848:22
#5 0x55b672b20fca in Item_cache_wrapper::val_int() /data/src/10.6-msan/sql/item.cc:8911:22
#6 0x55b672b8aace in Item_in_optimizer::val_int() /data/src/10.6-msan/sql/item_cmpfunc.cc:1637:28
#7 0x55b671f617b9 in evaluate_join_record(JOIN, st_join_table, int) /data/src/10.6-msan/sql/sql_select.cc:21825:25
#8 0x55b671e33847 in sub_select(JOIN, st_join_table, bool) /data/src/10.6-msan/sql/sql_select.cc:21766:9
#9 0x55b671ed39cd in do_select(JOIN, Procedure) /data/src/10.6-msan/sql/sql_select.cc:21257:14
#10 0x55b671ed39cd in JOIN::exec_inner() /data/src/10.6-msan/sql/sql_select.cc:4834:50
#11 0x55b671ecf547 in JOIN::exec() /data/src/10.6-msan/sql/sql_select.cc:4612:3
#12 0x55b671e367d0 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.6-msan/sql/sql_select.cc:5091:9
#13 0x55b671e351e6 in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.6-msan/sql/sql_select.cc:559:10
#14 0x55b671d6a64a in execute_sqlcom_select(THD, TABLE_LIST) /data/src/10.6-msan/sql/sql_parse.cc:6285:12
#15 0x55b671d442fe in mysql_execute_command(THD*, bool) /data/src/10.6-msan/sql/sql_parse.cc:3961:12
#16 0x55b671d2bd5a in mysql_parse(THD, char, unsigned int, Parser_state*) /data/src/10.6-msan/sql/sql_parse.cc:8050:18
#17 0x55b671d202a0 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/src/10.6-msan/sql/sql_parse.cc:1896:7
#18 0x55b671d2e150 in do_command(THD*, bool) /data/src/10.6-msan/sql/sql_parse.cc:1409:17
#19 0x55b67235de9f in do_handle_one_connection(CONNECT*, bool) /data/src/10.6-msan/sql/sql_connect.cc:1416:11
#20 0x55b67235d485 in handle_one_connection /data/src/10.6-msan/sql/sql_connect.cc:1318:5
#21 0x55b6737d24ca in pfs_spawn_thread /data/src/10.6-msan/storage/perfschema/pfs.cc:2201:3
#22 0x7f3b2b3b1fd3 in start_thread nptl/./nptl/pthread_create.c:442:8
#23 0x7f3b2b4325bb in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Uninitialized value was stored to memory at
#0 0x55b671819749 in __msan_memcpy (/mnt8t/src/10.6-msan/sql/mariadbd+0x793749)
#1 0x55b671f6393f in cmp_buffer_with_ref(THD, TABLE, st_table_ref*) /data/src/10.6-msan/sql/sql_select.cc:25588:7
#2 0x55b671f6393f in join_read_key2(THD, st_join_table, TABLE, st_table_ref) /data/src/10.6-msan/sql/sql_select.cc:22391:7

Uninitialized value was stored to memory at
#0 0x55b671819749 in __msan_memcpy (/mnt8t/src/10.6-msan/sql/mariadbd+0x793749)
#1 0x55b6729fe792 in field_conv_memcpy(Field, Field) /data/src/10.6-msan/sql/field_conv.cc:881:5
#2 0x55b6729fe792 in field_conv(Field, Field) /data/src/10.6-msan/sql/field_conv.cc:911:10

Memory was marked as uninitialized
#0 0x55b67181feee in __msan_allocated_memory (/mnt8t/src/10.6-msan/sql/mariadbd+0x799eee)
#1 0x55b67414981e in row_sel_field_store_in_mysql_format_func(unsigned char, mysql_row_templ_t const, dict_index_t const, unsigned long, unsigned char const, unsigned long) /data/src/10.6-msan/storage/innobase/row/row0sel.cc:2802:2

SUMMARY: MemorySanitizer: use-of-uninitialized-value (/mnt8t/src/10.6-msan/sql/mariadbd+0x79dc3e) in bcmp
Exiting

Attachments

Activity

People

Assignee:: Sergei Petrunia

Reporter:: Elena Stepanova

Votes:: 1 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2023-10-10 15:22

Updated:: 2025-10-23 11:17

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.