Details
-
Bug
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
10.0.13, 10.0(EOL)
-
10.1.32
Description
-- Reproducer for the invalid reads reported in the valgrind output that follows.
-- Setup: two two-row MyISAM tables, t1(a) and t2(b).
-- The report gives the minimal optimizer_switch as materialization=on,semijoin=on.
-- NOTE(review): the trailing "|" on each line looks like table-cell residue
-- from page extraction, not SQL; presumably it must be stripped before running.
CREATE TABLE t1 (a INT) ENGINE=MyISAM; |
INSERT INTO t1 VALUES (3),(8); |
|
CREATE TABLE t2 (b INT) ENGINE=MyISAM; |
INSERT INTO t2 VALUES (2),(1); |
|
-- The query combines an IN subquery over MIN(a) in WHERE (shown as MATERIALIZED
-- <subquery2> in the EXPLAIN of this report) with a scalar COUNT(*) subquery in
-- HAVING, plus ORDER BY.
-- Per the valgrind traces, memory released by free_tmp_table(), called from
-- subselect_hash_sj_engine::cleanup() during JOIN::join_free(), is read afterwards
-- by subselect_engine::calc_const_tables(), reached through
-- Item_subselect::update_used_tables(). Both paths start in the same
-- JOIN::exec_inner() call (sql_select.cc:2844 frees, sql_select.cc:2927 reads),
-- so this is a read of freed heap memory inside the server process.
-- Only ordinary CREATE/INSERT/SELECT statements are involved.
-- NOTE(review): the report header lists 10.0.13 and 10.1.32 with the field
-- labels lost; presumably these are the affected and fix versions. Confirm
-- against the tracker before relying on them for patch triage.
SELECT a FROM t1 |
WHERE 9 IN ( SELECT MIN( a ) FROM t1 ) |
HAVING a <> ( SELECT COUNT(*) FROM t2 ) |
ORDER BY a; |
==30848== Invalid read of size 1
|
==30848== at 0x90E68F: subselect_engine::calc_const_tables(List<TABLE_LIST>&) (item_subselect.cc:4166)
|
==30848== by 0x90E708: subselect_single_select_engine::upper_select_const_tables() (item_subselect.cc:4175)
|
==30848== by 0x904F8B: Item_subselect::update_used_tables() (item_subselect.cc:888)
|
==30848== by 0x8C917E: Item_func::update_used_tables() (item_func.cc:445)
|
==30848== by 0x6B6F0A: JOIN::exec_inner() (sql_select.cc:2927)
|
==30848== by 0x6B4CDB: JOIN::exec() (sql_select.cc:2369)
|
==30848== by 0x6B8046: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3307)
|
==30848== by 0x6AE640: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:372)
|
==30848== by 0x683345: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5269)
|
==30848== by 0x67B646: mysql_execute_command(THD*) (sql_parse.cc:2552)
|
==30848== by 0x685AD0: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:6415)
|
==30848== by 0x6788E7: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1307)
|
==30848== by 0x677C8C: do_command(THD*) (sql_parse.cc:1004)
|
==30848== by 0x7941C9: do_handle_one_connection(THD*) (sql_connect.cc:1379)
|
==30848== by 0x793F1C: handle_one_connection (sql_connect.cc:1293)
|
==30848== by 0xCC9D29: pfs_spawn_thread (pfs.cc:1860)
|
==30848== Address 0xdbe21dd is 2,269 bytes inside a block of size 4,772 free'd
|
==30848== at 0x4C27BF4: free (vg_replace_malloc.c:469)
|
==30848== by 0xE52CEE: free_memory (safemalloc.c:276)
|
==30848== by 0xE529B2: sf_free (safemalloc.c:194)
|
==30848== by 0xE41D2D: my_free (my_malloc.c:216)
|
==30848== by 0xE362D9: free_root (my_alloc.c:385)
|
==30848== by 0x6D96E1: free_tmp_table(THD*, TABLE*) (sql_select.cc:17081)
|
==30848== by 0x91013E: subselect_hash_sj_engine::cleanup() (item_subselect.cc:5002)
|
==30848== by 0x9034AB: Item_subselect::cleanup() (item_subselect.cc:152)
|
==30848== by 0x90364A: Item_in_subselect::cleanup() (item_subselect.cc:189)
|
==30848== by 0x6CB94E: st_join_table::cleanup() (sql_select.cc:11224)
|
==30848== by 0x6CC748: JOIN::cleanup(bool) (sql_select.cc:11620)
|
==30848== by 0x6CC35B: JOIN::join_free() (sql_select.cc:11507)
|
==30848== by 0x6B68B7: JOIN::exec_inner() (sql_select.cc:2844)
|
==30848== by 0x6B4CDB: JOIN::exec() (sql_select.cc:2369)
|
==30848== by 0x6B8046: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3307)
|
==30848== by 0x6AE640: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:372)
|
==30848== Invalid read of size 8
|
==30848== at 0x90E69E: subselect_engine::calc_const_tables(List<TABLE_LIST>&) (item_subselect.cc:4167)
|
==30848== by 0x90E708: subselect_single_select_engine::upper_select_const_tables() (item_subselect.cc:4175)
|
==30848== by 0x904F8B: Item_subselect::update_used_tables() (item_subselect.cc:888)
|
==30848== by 0x8C917E: Item_func::update_used_tables() (item_func.cc:445)
|
==30848== by 0x6B6F0A: JOIN::exec_inner() (sql_select.cc:2927)
|
==30848== by 0x6B4CDB: JOIN::exec() (sql_select.cc:2369)
|
==30848== by 0x6B8046: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3307)
|
==30848== by 0x6AE640: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:372)
|
==30848== by 0x683345: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5269)
|
==30848== by 0x67B646: mysql_execute_command(THD*) (sql_parse.cc:2552)
|
==30848== by 0x685AD0: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:6415)
|
==30848== by 0x6788E7: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1307)
|
==30848== by 0x677C8C: do_command(THD*) (sql_parse.cc:1004)
|
==30848== by 0x7941C9: do_handle_one_connection(THD*) (sql_connect.cc:1379)
|
==30848== by 0x793F1C: handle_one_connection (sql_connect.cc:1293)
|
==30848== by 0xCC9D29: pfs_spawn_thread (pfs.cc:1860)
|
==30848== Address 0xdbe21a0 is 2,208 bytes inside a block of size 4,772 free'd
|
==30848== at 0x4C27BF4: free (vg_replace_malloc.c:469)
|
==30848== by 0xE52CEE: free_memory (safemalloc.c:276)
|
==30848== by 0xE529B2: sf_free (safemalloc.c:194)
|
==30848== by 0xE41D2D: my_free (my_malloc.c:216)
|
==30848== by 0xE362D9: free_root (my_alloc.c:385)
|
==30848== by 0x6D96E1: free_tmp_table(THD*, TABLE*) (sql_select.cc:17081)
|
==30848== by 0x91013E: subselect_hash_sj_engine::cleanup() (item_subselect.cc:5002)
|
==30848== by 0x9034AB: Item_subselect::cleanup() (item_subselect.cc:152)
|
==30848== by 0x90364A: Item_in_subselect::cleanup() (item_subselect.cc:189)
|
==30848== by 0x6CB94E: st_join_table::cleanup() (sql_select.cc:11224)
|
==30848== by 0x6CC748: JOIN::cleanup(bool) (sql_select.cc:11620)
|
==30848== by 0x6CC35B: JOIN::join_free() (sql_select.cc:11507)
|
==30848== by 0x6B68B7: JOIN::exec_inner() (sql_select.cc:2844)
|
==30848== by 0x6B4CDB: JOIN::exec() (sql_select.cc:2369)
|
==30848== by 0x6B8046: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3307)
|
==30848== by 0x6AE640: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:372)
|
Stack trace from:
revision-id: elenst@montyprogram.com-20140911232154-8kfkykep1qtsn8fi
|
revno: 4393
|
branch-nick: 10.0
|
EXPLAIN:
id select_type table type possible_keys key key_len ref rows filtered Extra
|
1 PRIMARY <subquery2> const distinct_key distinct_key 4 const 1 100.00 Using temporary; Using filesort
|
1 PRIMARY t1 ALL NULL NULL NULL NULL 2 100.00 Using join buffer (flat, BNL join)
|
3 SUBQUERY NULL NULL NULL NULL NULL NULL NULL NULL Select tables optimized away
|
2 MATERIALIZED t1 ALL NULL NULL NULL NULL 2 100.00
|
Warnings:
|
Note 1003 select `test`.`t1`.`a` AS `a` from <materialize> (select min(`test`.`t1`.`a`) from `test`.`t1`) join `test`.`t1` where (`<subquery2>`.`MIN( a )` = 9) having (`test`.`t1`.`a` <> (select count(0) from `test`.`t2`)) order by `test`.`t1`.`a`
|
Minimal optimizer_switch: materialization=on,semijoin=on
Issue Links
- relates to
-
MDEV-17616 ASAN heap-use-after-free in subselect_engine::calc_const_tables on 2nd execution of PS
- Closed