Description
sanja asked me if MemorySanitizer (MDEV-20377) is usable on clang-17. I had previously mostly used it on clang-15, so I tried a clang-16 build of 10.6 and accidentally found a bug that does not appear to be caught by older versions of the compiler:
MSAN_OPTIONS=abort_on_error=1:MSAN_OPTIONS=poison_in_dtor=0 LD_LIBRARY_PATH=~/libmsan-16 MSAN_SYMBOLIZER_PATH=~/bin/llvm-symbolizer-msan ./mtr main.pool_of_threads
10.6 53c6c823dc7cafefffdc93c79661cfb146ff8641
main.pool_of_threads                     [ fail ]
        Test ended at 2024-02-16 16:01:09

CURRENT_TEST: main.pool_of_threads
mysqltest: In included file "./include/common-tests.inc":
included from /mariadb/10.6/mysql-test/main/pool_of_threads.test at line 17:
At line 1254: query 'select t2.fld3 from t2 where companynr = 58 and fld3 like "%imaginable%"' failed: <Unknown> (2013): Lost connection to server during query
…
Version: '10.6.18-MariaDB-debug-log'  socket: '/dev/shm/10.6msan/mysql-test/var/tmp/mysqld.1.sock'  port: 16000  Source distribution
==981332==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55fd598bfae1 in Item_func::not_null_tables() const /mariadb/10.6/sql/item_func.cc:624:3
    #1 0x55fd597e82d6 in Item_cond::eval_not_null_tables(void*) /mariadb/10.6/sql/item_cmpfunc.cc:5187:38
    #2 0x55fd597e7707 in Item_cond::fix_fields(THD*, Item**) /mariadb/10.6/sql/item_cmpfunc.cc:5078:10
    #3 0x55fd5a24ce1b in make_cond_for_table_from_pred(THD*, Item*, Item*, unsigned long long, unsigned long long, int, bool, bool, bool) /mariadb/10.6/sql/sql_select.cc:23938:16
    #4 0x55fd5a17e543 in make_cond_for_table(THD*, Item*, unsigned long long, unsigned long long, int, bool, bool) /mariadb/10.6/sql/sql_select.cc:23866:10
    #5 0x55fd5a17e543 in make_join_select(JOIN*, SQL_SELECT*, Item*) /mariadb/10.6/sql/sql_select.cc:12543:16
    #6 0x55fd5a1563f0 in JOIN::optimize_stage2() /mariadb/10.6/sql/sql_select.cc:2855:7
    #7 0x55fd5a15f3e1 in JOIN::optimize_inner() /mariadb/10.6/sql/sql_select.cc:2590:9
    #8 0x55fd5a153b70 in JOIN::optimize() /mariadb/10.6/sql/sql_select.cc:1888:10
    #9 0x55fd5a13c232 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /mariadb/10.6/sql/sql_select.cc:5127:19
    #10 0x55fd5a13bc9d in handle_select(THD*, LEX*, select_result*, unsigned long) /mariadb/10.6/sql/sql_select.cc:559:10
    #11 0x55fd5a078ff3 in execute_sqlcom_select(THD*, TABLE_LIST*) /mariadb/10.6/sql/sql_parse.cc:6376:12
    #12 0x55fd5a0636ce in mysql_execute_command(THD*, bool) /mariadb/10.6/sql/sql_parse.cc:3980:12
    #13 0x55fd5a053c60 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /mariadb/10.6/sql/sql_parse.cc:8143:18
    #14 0x55fd5a04cc0c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /mariadb/10.6/sql/sql_parse.cc:1896:7
    #15 0x55fd5a054531 in do_command(THD*, bool) /mariadb/10.6/sql/sql_parse.cc:1409:17
    #16 0x55fd5a7f7c26 in threadpool_process_request(THD*) /mariadb/10.6/sql/threadpool_common.cc:435:13
    #17 0x55fd5a7f7c26 in tp_callback(TP_connection*) /mariadb/10.6/sql/threadpool_common.cc:249:12
    #18 0x55fd5a7ffd45 in worker_main(void*) /mariadb/10.6/sql/threadpool_generic.cc:1556:5
    #19 0x7f01e9dd045b in start_thread nptl/pthread_create.c:444:8
    #20 0x7f01e9e50bbb in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

  Memory was marked as uninitialized
    #0 0x55fd595d3db1 in __msan_allocated_memory (/dev/shm/10.6msan/sql/mariadbd+0xf26db1) (BuildId: a8f73f07e16a2953)
    #1 0x55fd5b5e2d85 in my_malloc /mariadb/10.6/mysys/my_malloc.c:114:7
|
I checked this with rr, and indeed the memory is straight from TRASH_ALLOC():
10.6 53c6c823dc7cafefffdc93c79661cfb146ff8641
#3  0x000055c7785aed86 in my_malloc (key=<optimized out>, size=<optimized out>, size@entry=576, my_flags=<optimized out>) at /mariadb/10.6/mysys/my_malloc.c:114
#4  0x000055c7785925e0 in alloc_root (mem_root=0x72b000052d98, length=576) at /mariadb/10.6/mysys/my_alloc.c:189
#5  0x000055c7771bbcb1 in Item::operator new (size=552, mem_root=0x215000080b58) at /mariadb/10.6/sql/item.h:861
#6  eliminate_item_equal (thd=thd@entry=0x72b00004d018, cond=cond@entry=0x0, upper_levels=0x0, item_equal=<optimized out>) at /mariadb/10.6/sql/sql_select.cc:16889
#7  0x000055c777145c0f in substitute_for_best_equal_field (thd=0x72b00004d018, context_tab=context_tab@entry=0x1, cond=0x711000075470, cond_equal=0x711000075548, table_join_idx=0x71e0000213f8, do_substitution=true) at /mariadb/10.6/sql/sql_select.cc:17069
#8  0x000055c777120aa1 in JOIN::optimize_stage2 (this=0x71a000030030) at /mariadb/10.6/sql/sql_select.cc:2710
|
The memory is being used here:
10.6 53c6c823dc7cafefffdc93c79661cfb146ff8641
#0  0x000055c776594018 in __msan_warning_with_origin_noreturn ()
#1  0x000055c77688bae2 in Item_func::not_null_tables (this=<optimized out>) at /mariadb/10.6/sql/item_func.cc:624
#2  0x000055c7767b42d7 in Item_cond::eval_not_null_tables (this=<optimized out>, opt_arg=<optimized out>) at /mariadb/10.6/sql/item_cmpfunc.cc:5187
#3  0x000055c7767b3708 in Item_cond::fix_fields (this=0x711000075970, thd=0x72b00004d018, ref=<optimized out>) at /mariadb/10.6/sql/item_cmpfunc.cc:5078
#4  0x000055c777218e1c in make_cond_for_table_from_pred (thd=0x72b00004d018, root_cond=0x711000075470, cond=0x711000075470, tables=13835058055282163713, used_table=used_table@entry=1, join_tab_idx_arg=join_tab_idx_arg@entry=0, exclude_expensive_cond=false, retain_ref_cond=<optimized out>, is_top_and_level=<optimized out>) at /mariadb/10.6/sql/sql_select.cc:23938
#5  0x000055c77714a544 in make_cond_for_table (thd=<optimized out>, cond=<optimized out>, tables=<optimized out>, used_table=<optimized out>, join_tab_idx_arg=<optimized out>, exclude_expensive_cond=false, retain_ref_cond=false) at /mariadb/10.6/sql/sql_select.cc:23866
#6  make_join_select (join=<optimized out>, join@entry=0x71a000030030, select=<optimized out>, cond=<optimized out>) at /mariadb/10.6/sql/sql_select.cc:12543
#7  0x000055c7771223f1 in JOIN::optimize_stage2 (this=0x71a000030030) at /mariadb/10.6/sql/sql_select.cc:2855
|
The construction of the object happens here:
eliminate_item_equal()
eq_item= new (thd->mem_root) Item_func_eq(thd,
                                          field_item->remove_item_direct_ref(),
                                          head_item->remove_item_direct_ref());
|
The following patch, which makes use of the C++11 data member default initializer feature (to have the initialization added to every constructor), fixes the bug:
diff --git a/sql/item_func.h b/sql/item_func.h
index 170fc943681..f3d3684f5b1 100644
--- a/sql/item_func.h
+++ b/sql/item_func.h
@@ -89,7 +89,7 @@ class Item_func :public Item_func_or_sum
static void wrong_param_count_error(const LEX_CSTRING &schema_name,
const LEX_CSTRING &func_name);
 
- table_map not_null_tables_cache;
+ table_map not_null_tables_cache= 0;
 
enum Functype { UNKNOWN_FUNC,EQ_FUNC,EQUAL_FUNC,NE_FUNC,LT_FUNC,LE_FUNC,
GE_FUNC,GT_FUNC,FT_FUNC, |
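Review bot: the `+ table_map not_null_tables_cache= 0;` line says nothing about why 0 is the right starting value; a one-line comment that an empty table map is the conservative "no table known to be non-nullable" value until fix_fields()/eval_not_null_tables() computes the real one would make the intent clear to the next reader, since the trace above shows Item_cond::fix_fields() reading the member of a freshly allocated Item_func_eq before anything has written it. With the default member initializer in place, any explicit `not_null_tables_cache= 0` assignments in Item_func constructors become redundant and should be dropped in the same change so there is a single source of truth for the initial value.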
I think that along with that addition, some redundant initialization should be removed.
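As an added illustration of the two mechanisms in this report (this is example code, not MariaDB code), the block below models an allocation that comes back from a trash-filling allocator and an Item-like class whose two-argument constructor never writes its cache member. `Pool` is an assumed stand-in for `mem_root` and fills every chunk with a constructed 0xA5 pattern, in the spirit of TRASH_ALLOC() in debug builds; `FuncBefore` has the plain `not_null_tables_cache` member, `FuncAfter` carries the `= 0` default member initializer from the patch. `Pool`, `FuncBefore`, `FuncAfter`, `kTrashByte` and `still_trash()` are names invented for this example.

```cpp
// Added example (not MariaDB code): why a member that only some constructors
// set comes back as "uninitialized" from a trash-filling allocator, and why a
// C++11 default member initializer closes the gap for every constructor.
#include <cstddef>
#include <cstdint>
#include <new>

// Constructed fill pattern for this example (not MariaDB's TRASH_ALLOC value).
static const unsigned char kTrashByte = 0xA5;

using table_map = std::uint64_t;

// Minimal stand-in for a mem_root: a bump allocator that fills each chunk
// with the trash pattern before handing it out (the TRASH_ALLOC() analogue).
struct Pool {
    alignas(16) unsigned char buf[4096];
    std::size_t used = 0;

    void *alloc(std::size_t n) {
        n = (n + 15) & ~std::size_t(15);
        if (used + n > sizeof buf) return nullptr;   // example pool is tiny
        unsigned char *p = buf + used;
        used += n;
        // Volatile stores keep the compiler from dropping the fill as a
        // dead store ahead of the constructor that runs on this memory.
        volatile unsigned char *vp = p;
        for (std::size_t i = 0; i < n; ++i) vp[i] = kTrashByte;
        return p;
    }
};

// "Before": the cache is a plain member. The two-argument constructor never
// writes it, so whatever the allocator left in that slot stays there.
struct FuncBefore {
    table_map used_tables_cache;
    table_map not_null_tables_cache;
    FuncBefore(table_map a, table_map b) : used_tables_cache(a | b) {}
    FuncBefore(table_map a, table_map b, table_map nn)
        : used_tables_cache(a | b), not_null_tables_cache(nn) {}
};

// "After": the default member initializer applies in every constructor that
// does not name the member in its mem-initializer list; a constructor that
// does name it still wins.
struct FuncAfter {
    table_map used_tables_cache;
    table_map not_null_tables_cache = 0;
    FuncAfter(table_map a, table_map b) : used_tables_cache(a | b) {}
    FuncAfter(table_map a, table_map b, table_map nn)
        : used_tables_cache(a | b), not_null_tables_cache(nn) {}
};

// Inspects the raw bytes of a member through unsigned char (permitted even
// for an indeterminate value) and reports whether the trash pattern is still
// there, i.e. whether no constructor ever wrote it.
static bool still_trash(const void *member, std::size_t n) {
    const volatile unsigned char *p =
        static_cast<const volatile unsigned char *>(member);
    for (std::size_t i = 0; i < n; ++i)
        if (p[i] != kTrashByte) return false;
    return true;
}

// The bug class from the report: construct with the constructor that skips
// the member and see the allocator's pattern survive. Returns true when the
// cache still holds the trash bytes.
bool before_cache_is_trash() {
    Pool pool;
    auto *f = new (pool.alloc(sizeof(FuncBefore))) FuncBefore(1, 2);
    return still_trash(&f->not_null_tables_cache, sizeof f->not_null_tables_cache);
}

// Same constructor shape with the patched class: the initializer ran, so the
// member is the empty table map (0).
table_map after_cache_value() {
    Pool pool;
    auto *f = new (pool.alloc(sizeof(FuncAfter))) FuncAfter(1, 2);
    return f->not_null_tables_cache;
}

// A constructor that sets the member explicitly overrides the default (7).
table_map after_cache_explicit() {
    Pool pool;
    auto *f = new (pool.alloc(sizeof(FuncAfter))) FuncAfter(1, 2, 7);
    return f->not_null_tables_cache;
}
```

Built with clang and `-fsanitize=memory`, reading `f->not_null_tables_cache` in the `FuncBefore` case is exactly the use-of-uninitialized-value report above, with the origin pointing at the allocator; `still_trash()` looks at the bytes instead so the check also demonstrates the defect without the sanitizer, which is what the TRASH_ALLOC() pattern is for.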
Issue Links
- includes
  - MDEV-33665 main.pool_of_threads fails due to (spurious) uninitialized Item_func::not_null_tables_cache (Closed)
  - MDEV-33755 Some tests cause MSAN alarms due to uninitialized Item_func::not_null_tables_cache (In Review)
- relates to
  - MDBF-741 Remove the gcc UBSAN builder to use the clang based UBSAN (Open)