[#MDEV-3810] Item in condition with destroyed virtual table

[MDEV-3810] Item in condition with destroyed virtual table Created: 2012-10-15 Updated: 2012-11-09 Resolved: 2012-11-09
Status:	Closed
Project:	MariaDB Server
Component/s:	None
Affects Version/s:	5.5.27, 5.3.9
Fix Version/s:	5.5.28a, 5.3.10

Type:

Bug

Priority:

Critical

Reporter:

Oleksandr Byelkin

Assignee:

Oleksandr Byelkin

Resolution:

Fixed

Votes:

Labels:

None

Description

If add to setup_without_group call of condition virtual method it will kill server during virew.test:

--- sql/sql_select.cc	2012-08-31 22:23:30 +0000

+++ sql/sql_select.cc	2012-10-15 12:36:35 +0000

@@ -564,6 +564,7 @@ inline int setup_without_group(THD *thd,

   thd->lex->allow_sum_func&= ~(1 << thd->lex->current_select->nest_level);

   res= setup_conds(thd, tables, leaves, conds);

+  DBUG_PRINT("info", ("type %u", (uint)((*conds) ? (*conds)->type(): 0)));

   /* it's not wrong to have non-aggregated columns in a WHERE */

   thd->lex->current_select->set_non_agg_field_used(saved_non_agg_field_used);

The problematic test suite is

--echo #

--echo # LP bug #793386: unexpected 'Duplicate column name ''' error

--echo #                 at the second execution of a PS using a view

--echo #

CREATE TABLE t1 (f1 int, f2 int, f3 int, f4 int);

CREATE VIEW v1 AS

  SELECT t.f1, t.f2, s.f3, s.f4 FROM t1 t, t1 s

    WHERE t.f4 >= s.f2 AND s.f3 < 0;

PREPARE stmt1 FROM

 "SELECT s.f1 AS f1, s.f2 AS f2, s.f3 AS f3, t.f4 AS f4

    FROM v1 AS t LEFT JOIN v1 AS s ON t.f4=s.f4 WHERE t.f2 <> 1225";

EXECUTE stmt1;

EXECUTE stmt1;

DEALLOCATE PREPARE stmt1;

DROP VIEW v1;

DROP TABLE t1;

Comments

Comment by Oleksandr Byelkin [ 2012-10-17 ]

Valgrind complains about it:
==9447== at 0x7905A7: setup_without_group(THD*, Item*, TABLE_LIST, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item*, st_order, st_order*, bool*) (sql_select.cc:521)
==9447== by 0x753A6C: JOIN::prepare(Item**, TABLE_LIST, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:669)
==9447== by 0x8EA921: st_select_lex_unit::prepare(THD*, select_result*, unsigned long) (sql_union.cc:325)
==9447== by 0x8EDDC9: mysql_derived_prepare(THD*, st_lex*, TABLE_LIST*) (sql_derived.cc:625)
==9447== by 0x8ED41D: mysql_handle_single_derived(st_lex*, TABLE_LIST*, unsigned int) (sql_derived.cc:176)
==9447== by 0x751296: TABLE_LIST::handle_derived(st_lex*, unsigned int) (table.cc:5895)
==9447== by 0x5AD88D: st_select_lex::handle_derived(st_lex*, unsigned int) (sql_lex.cc:3204)
==9447== by 0x7535C0: JOIN::prepare(Item**, TABLE_LIST, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) (sql_select.cc:580)
==9447== by 0x75C466: mysql_select(THD*, Item**, TABLE_LIST, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2963)
==9447== by 0x752E36: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:286)
==9447== by 0x6DE298: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5157)
==9447== by 0x6D5057: mysql_execute_command(THD*) (sql_parse.cc:2290)
==9447== by 0x7B2B64: Prepared_statement::execute(String*, bool) (sql_prepare.cc:3740)
==9447== by 0x7B1D5C: Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) (sql_prepare.cc:3421)
==9447== by 0x7B0195: mysql_sql_stmt_execute(THD*) (sql_prepare.cc:2646)
==9447== by 0x6D5088: mysql_execute_command(THD*) (sql_parse.cc:2299)
==9447== Address 0xf857928 is 24 bytes inside a block of size 312 free'd
==9447== at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==9447== by 0xC74A29: my_no_flags_free (my_malloc.c:78)
==9447== by 0xC7643F: free_root (my_alloc.c:366)
==9447== by 0x6D3C9B: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1646)
==9447== by 0x6D1B0F: do_command(THD*) (sql_parse.cc:923)
==9447== by 0x6CE568: handle_one_connection (sql_connect.cc:1218)
==9447== by 0x548DE99: start_thread (pthread_create.c:308)
==9447== by 0x5F98DBC: clone (clone.S:112)
==9447==

Comment by Oleksandr Byelkin [ 2012-10-18 ]

It might be problem of certain compiler libraries. It can't be repeated on laptop (same linux distribution).

Comment by Oleksandr Byelkin [ 2012-10-24 ]

Here is independent of --debug patch:
=== modified file 'sql/sql_select.cc'
— sql/sql_select.cc 2012-10-18 21:33:06 +0000
+++ sql/sql_select.cc 2012-10-24 06:49:09 +0000
@@ -564,6 +564,7 @@ inline int setup_without_group(THD *thd,

thd->lex->allow_sum_func&= ~(1 << thd->lex->current_select->nest_level);
res= setup_conds(thd, tables, leaves, conds);
+ if (*conds) (*conds)->type();

/* it's not wrong to have non-aggregated columns in a WHERE */
thd->lex->current_select->set_non_agg_field_used(saved_non_agg_field_used);

Comment by Oleksandr Byelkin [ 2012-10-24 ]

now it fails on both my computer so there is something wrong.

Comment by Oleksandr Byelkin [ 2012-10-24 ]

It looks like memory corruprion, because if the bug repeatable depends on vuild, it repeatable oin debug build, but do not repetable on valgrind build.