Bug#36075756 ASAN crash on MaterializeIterator<Profiler>::load_HF_row_into_hash_map() [1/2 noclose]

To see this error, we needed to run with ASAN compiled in and
--sanitize on the repro test case. It didn't trigger an ASAN error as
such, but hit an assert. Possibly this happens only with ASAN because
space usage increases on the heap due to ASAN padding before and after
allocated objects.

The error is another instance of the third issue solved in Bug#35686098
Assertion `n < size()' failed in Element_type& Mem_root_array_YY:

(quote):
  "we ran out of space in the dedicated hash table upon re-reading one
   of the on-disk chunks into the hash table."

The fix there was to use the general mem_root instead of the dedicated
one for the hash set operation for that particular corner case.
Specifically, we used the general mem_root when allocating the hash
map *payload*.

In this bug, we see the same issue: we can't fit the last row (#10 out
of 10 long varchar strings, i.e. blobs in the repro) into the hash
table mem_root: this time we run out when we allocate space for the
hash map *key*, in check_unique_fields_hash_map prior to calling
ImmutableStringWithLength::Encode(<hash key>).  The solution is the
same, use the general mem_root for this case: i.e. we generalize the
solution from Bug#35686098 to cover running out of space for both the
key and payload.

Change-Id: Id869e6afad7c996950779c008dcf650e21b17027

Author: Dag Wanvik

mysql-test/include/query_expression_debug.inc

@@ -173,4 +173,21 @@ SET SESSION tmp_table_size=default;
 SET SESSION set_operations_buffer_size=default;
 SET SESSION optimizer_trace="enabled=default";
 
+--echo #
+--echo # Bug#36075756 ASAN crash on MaterializeIterator<Profiler>::load_HF_row_into_hash_map()
+--echo #
+--echo # Simulate overflow during SS_READING_RIGHT_HF
+SET SESSION set_operations_buffer_size = 16384;
+SET SESSION debug_set_operations_secondary_overflow_at='0 0 100 right_operand';
+SET SESSION optimizer_trace="enabled=on";
+SELECT * FROM t INTERSECT SELECT * FROM t ORDER BY i LIMIT 1;
+let $show_trace=
+  SELECT JSON_PRETTY(JSON_EXTRACT(trace, '$.steps[*].join_execution.steps[1]."materialize for intersect".steps[0]."de-duplicate with hash table".steps[0]'))
+  FROM information_schema.optimizer_trace;
+--echo # Should show overflow injection:
+eval $show_trace;
+SET SESSION set_operations_buffer_size=default;
+SET SESSION optimizer_trace="enabled=default";
+SET SESSION debug_set_operations_secondary_overflow_at=default;
+
 DROP TABLE t;

mysql-test/r/query_expression-bugs.result

@@ -441,3 +441,34 @@ EXPLAIN
 
 SET optimizer_switch="hash_set_operations=default";
 DROP TABLE t;
+#
+# Bug#36075756 ASAN crash on
+# MaterializeIterator<Profiler>::load_HF_row_into_hash_map()
+#
+CREATE TABLE t1 (c1 INT, c2 TIME);
+INSERT INTO t1 VALUES (4,'09:29:08'), (NULL,'19:11:10'), (2,'11:57:26'),
+(6,'00:39:46'), (6,'03:28:15'),    (8,'06:44:18'),
+(2,'14:36:39'), (6,'18:42:45'),    (8,'02:57:29'),
+(3,'16:46:13');
+CREATE VIEW view_t1 AS SELECT * FROM t1;
+# Used to assert with -DWITH_DEBUG=1 -DWITH_ASAN=1 (both required)
+# build on Oracle Linux Server 8
+SELECT SUBSTRING(t.rep, 1, 4) AS sub, LENGTH(t.rep) AS len
+FROM
+( SELECT REPEAT(c1, c2) AS rep FROM view_t1
+EXCEPT DISTINCT
+SELECT DISTINCT RANK() OVER () FROM t1 ) AS t
+ORDER BY len;
+sub	len
+NULL	NULL
+6666	3946
+8888	25729
+6666	32815
+8888	64418
+4444	92908
+2222	115726
+2222	143639
+3333	164613
+6666	184245
+DROP VIEW view_t1;
+DROP TABLE t1;

mysql-test/r/query_expression_debug.result

@@ -286,6 +286,28 @@ SET SESSION debug_set_operations_secondary_overflow_at= default;
 SET SESSION tmp_table_size=default;
 SET SESSION set_operations_buffer_size=default;
 SET SESSION optimizer_trace="enabled=default";
+#
+# Bug#36075756 ASAN crash on MaterializeIterator<Profiler>::load_HF_row_into_hash_map()
+#
+# Simulate overflow during SS_READING_RIGHT_HF
+SET SESSION set_operations_buffer_size = 16384;
+SET SESSION debug_set_operations_secondary_overflow_at='0 0 100 right_operand';
+SET SESSION optimizer_trace="enabled=on";
+SELECT * FROM t INTERSECT SELECT * FROM t ORDER BY i LIMIT 1;
+i	d	c
+0	2022-04-30	abracadabra
+# Should show overflow injection:
+SELECT JSON_PRETTY(JSON_EXTRACT(trace, '$.steps[*].join_execution.steps[1]."materialize for intersect".steps[0]."de-duplicate with hash table".steps[0]'))
+FROM information_schema.optimizer_trace;
+JSON_PRETTY(JSON_EXTRACT(trace, '$.steps[*].join_execution.steps[1]."materialize for intersect".steps[0]."de-duplicate with hash table".steps[0]'))
+[
+  {
+    "injected overflow: SS_READING_RIGHT_HF": {}
+  }
+]
+SET SESSION set_operations_buffer_size=default;
+SET SESSION optimizer_trace="enabled=default";
+SET SESSION debug_set_operations_secondary_overflow_at=default;
 DROP TABLE t;
 #
 # Debug build companion of query_expression.inc
@@ -573,4 +595,26 @@ SET SESSION debug_set_operations_secondary_overflow_at= default;
 SET SESSION tmp_table_size=default;
 SET SESSION set_operations_buffer_size=default;
 SET SESSION optimizer_trace="enabled=default";
+#
+# Bug#36075756 ASAN crash on MaterializeIterator<Profiler>::load_HF_row_into_hash_map()
+#
+# Simulate overflow during SS_READING_RIGHT_HF
+SET SESSION set_operations_buffer_size = 16384;
+SET SESSION debug_set_operations_secondary_overflow_at='0 0 100 right_operand';
+SET SESSION optimizer_trace="enabled=on";
+SELECT * FROM t INTERSECT SELECT * FROM t ORDER BY i LIMIT 1;
+i	d	c
+0	2022-04-30	abracadabra
+# Should show overflow injection:
+SELECT JSON_PRETTY(JSON_EXTRACT(trace, '$.steps[*].join_execution.steps[1]."materialize for intersect".steps[0]."de-duplicate with hash table".steps[0]'))
+FROM information_schema.optimizer_trace;
+JSON_PRETTY(JSON_EXTRACT(trace, '$.steps[*].join_execution.steps[1]."materialize for intersect".steps[0]."de-duplicate with hash table".steps[0]'))
+[
+  {
+    "injected overflow: SS_READING_RIGHT_HF": {}
+  }
+]
+SET SESSION set_operations_buffer_size=default;
+SET SESSION optimizer_trace="enabled=default";
+SET SESSION debug_set_operations_secondary_overflow_at=default;
 DROP TABLE t;

mysql-test/t/query_expression-bugs.test

@@ -194,3 +194,27 @@ eval EXPLAIN ANALYZE $query;
 SET optimizer_switch="hash_set_operations=default";
 
 DROP TABLE t;
+
+--echo #
+--echo # Bug#36075756 ASAN crash on
+--echo # MaterializeIterator<Profiler>::load_HF_row_into_hash_map()
+--echo #
+CREATE TABLE t1 (c1 INT, c2 TIME);
+
+INSERT INTO t1 VALUES (4,'09:29:08'), (NULL,'19:11:10'), (2,'11:57:26'),
+                      (6,'00:39:46'), (6,'03:28:15'),    (8,'06:44:18'),
+                      (2,'14:36:39'), (6,'18:42:45'),    (8,'02:57:29'),
+                      (3,'16:46:13');
+CREATE VIEW view_t1 AS SELECT * FROM t1;
+
+--echo # Used to assert with -DWITH_DEBUG=1 -DWITH_ASAN=1 (both required)
+--echo # build on Oracle Linux Server 8
+SELECT SUBSTRING(t.rep, 1, 4) AS sub, LENGTH(t.rep) AS len
+FROM
+( SELECT REPEAT(c1, c2) AS rep FROM view_t1
+  EXCEPT DISTINCT
+  SELECT DISTINCT RANK() OVER () FROM t1 ) AS t
+ORDER BY len;
+
+DROP VIEW view_t1;
+DROP TABLE t1;

sql/iterators/composite_iterators.cc

@@ -870,12 +870,15 @@ class SpillState {
   bool spill() { return m_spill_read_state != ReadingState::SS_NONE; }
 
 #ifndef NDEBUG
-  bool simulated_secondary_overflow(bool *spill);
+  /// If left operand overflow simulation, spill will get set, if right
+  /// operand overflow simulation, \c rop_overflow will get set.
+  bool simulated_secondary_overflow(bool *spill, bool *rop_overflow);
 
  private:
   size_t m_simulated_set_idx{std::numeric_limits<size_t>::max()};
   size_t m_simulated_chunk_idx{std::numeric_limits<size_t>::max()};
   size_t m_simulated_row_no{std::numeric_limits<size_t>::max()};
+  bool m_right_hf{false};
 
  public:
 #endif
@@ -1430,8 +1433,7 @@ class MaterializeIterator final : public TableRowIterator {
                                     bool *spill);
   void backup_or_restore_blob_pointers(bool backup);
   void update_row_in_hash_map();
-  enum Operand_type { LEFT_OPERAND, RIGHT_OPERAND };
-  bool store_row_in_hash_map(Operand_type type = LEFT_OPERAND);
+  bool store_row_in_hash_map();
   bool handle_hash_map_full(const Operand &operand, ha_rows *stored_rows);
   bool process_row(const Operand &operand, Operands &operands, TABLE *t,
                    uchar *set_counter_0, uchar *set_counter_1, bool *read_next);
@@ -1959,7 +1961,7 @@ bool MaterializeIterator<Profiler>::load_HF_row_into_hash_map() {
     return true;
   }
 
-  spill = store_row_in_hash_map(RIGHT_OPERAND);
+  spill = store_row_in_hash_map();
   if (spill) {
     // It fit before, should fit now
     assert(false);
@@ -2031,19 +2033,18 @@ bool MaterializeIterator<Profiler>::check_unique_fields_hash_map(TABLE *t,
                                                                  bool *found,
                                                                  bool *spill) {
   const size_t max_mem_available = thd()->variables.set_operations_buffer_size;
-
   *spill = false;
 
 #ifndef NDEBUG
+  bool right_op_overflow = false;
   if (m_spill_state.spill()) {
-    if (write &&  // Only inject error for left operand: can only happen there
-        m_spill_state.read_state() ==
-            SpillState::ReadingState::SS_READING_LEFT_IF &&
-        m_spill_state.simulated_secondary_overflow(spill))
+    if (write &&
+        m_spill_state.simulated_secondary_overflow(spill, &right_op_overflow))
       return true;
     if (*spill) return false;
   }
 #endif
+
   if (m_mem_root == nullptr) {
     assert(write);
     m_mem_root = make_unique_destroy_only<MEM_ROOT>(
@@ -2086,17 +2087,52 @@ bool MaterializeIterator<Profiler>::check_unique_fields_hash_map(TABLE *t,
     m_mem_root->ForceNewBlock(required_key_bytes);
     block = m_mem_root->Peek();
   }
+
   size_t bytes_to_commit = 0;
-  if (static_cast<size_t>(block.second - block.first) >= required_key_bytes) {
+
+  if (static_cast<size_t>(block.second - block.first) >= required_key_bytes
+#ifndef NDEBUG
+      && !right_op_overflow
+#endif
+  ) {
+    // Normal case, we have enough space
     char *ptr = block.first;
     secondary_hash_key = ImmutableStringWithLength::Encode(
         pointer_cast<const char *>(&primary_hash), sizeof(primary_hash), &ptr);
     assert(ptr < block.second);
     bytes_to_commit = ptr - block.first;
   } else if (write) {
-    // spill to disk
-    *spill = true;
-    return false;
+    // out of space in dedicated mem_root
+    if (m_spill_state.read_state() ==
+        SpillState::ReadingState::SS_READING_RIGHT_HF) {
+      // When re-reading chunk rows, different row order may cause heap
+      // fragmentation to differ so even though chunk fit in m_mem_root the
+      // first time (as left operand chunk), it may fail to fit when we
+      // re-read.  This should typically only affect the last (few) rows in a
+      // chunk, so use m_overflow_mem_root.
+      char *ptr =
+          static_cast<char *>(m_overflow_mem_root->Alloc(required_key_bytes));
+      if (ptr == nullptr) {
+        my_error(ER_OUTOFMEMORY, MYF(ME_FATALERROR),
+                 thd()->variables.set_operations_buffer_size);
+        return true;
+      }
+      secondary_hash_key = ImmutableStringWithLength::Encode(
+          pointer_cast<const char *>(&primary_hash), sizeof(primary_hash),
+          &ptr);
+#ifndef NDEBUG
+      if (right_op_overflow) {
+        Opt_trace_context *trace = &thd()->opt_trace;
+        Opt_trace_object trace_wrapper(trace);
+        Opt_trace_object trace_exec(trace,
+                                    "injected overflow: SS_READING_RIGHT_HF");
+      }
+#endif
+    } else {
+      // spill to disk
+      *spill = true;
+      return false;
+    }
   }
 
   *found = false;
@@ -2228,12 +2264,10 @@ bool MaterializeIterator<Profiler>::handle_hash_map_full(const Operand &operand,
   positioned on it.  Links any existing entry behind it, i.e. we insert at
   front of the hash bucket, cf.  StoreLinkedImmutableStringFromTableBuffers.
   Update \c m_rows_in_hash_map.
-  @param type indicates whether we are processing the left operand or one of the
-              right operands in the set operation
   @returns true on error
  */
 template <typename Profiler>
-bool MaterializeIterator<Profiler>::store_row_in_hash_map(Operand_type type) {
+bool MaterializeIterator<Profiler>::store_row_in_hash_map() {
   // Save the contents of all columns and make the hash map iterator's value
   // field ("->second") point to it.
   bool dummy = false;
@@ -2250,12 +2284,14 @@ bool MaterializeIterator<Profiler>::store_row_in_hash_map(Operand_type type) {
   // processing the left operand, this would only happen for a minority of
   // chunks and then typically only for the last row.
   assert(m_overflow_mem_root != nullptr);
+  const bool is_right_operand = m_spill_state.read_state() ==
+                                SpillState::ReadingState::SS_READING_RIGHT_HF;
+
   LinkedImmutableString last_row_stored =
       StoreLinkedImmutableStringFromTableBuffers(
-          m_mem_root.get(),
-          (type == RIGHT_OPERAND ? m_overflow_mem_root : nullptr),
+          m_mem_root.get(), (is_right_operand ? m_overflow_mem_root : nullptr),
           m_table_collection, m_next_ptr, m_row_size_upper_bound,
-          (type == RIGHT_OPERAND ? &dummy : nullptr));
+          (is_right_operand ? &dummy : nullptr));
   if (last_row_stored == nullptr) {
     return true;
   }
@@ -3346,7 +3382,11 @@ bool SpillState::write_completed_HFs(THD *thd, const Operands &operands,
 }
 
 #ifndef NDEBUG
-bool SpillState::simulated_secondary_overflow(bool *spill) {
+bool SpillState::simulated_secondary_overflow(bool *spill, bool *rop_overflow) {
+  if (read_state() != SpillState::ReadingState::SS_READING_LEFT_IF &&
+      read_state() != SpillState::ReadingState::SS_READING_RIGHT_HF)
+    return false;
+
   const char *const common_msg =
       "in debug_set_operations_secondary_overflow_at too high: should be "
       "lower than or equal to:";
@@ -3355,12 +3395,13 @@ bool SpillState::simulated_secondary_overflow(bool *spill) {
       m_simulated_set_idx == std::numeric_limits<size_t>::max()) {
     // Parse out variables with
     // syntax: <set-idx:integer 0-based> <chunk-idx:integer 0-based>
-    // <row_no:integer 1-based>
-    int tokens [[maybe_unused]] =
-        sscanf(m_thd->variables.debug_set_operations_secondary_overflow_at,
-               "%zu %zu %zu", &m_simulated_set_idx, &m_simulated_chunk_idx,
-               &m_simulated_row_no);
-    if (tokens != 3 || m_simulated_row_no < 1 ||
+    // <row_no:integer 1-based> [ right_operand ]
+    int tokens = 0;
+    char buff[31];
+    tokens = sscanf(m_thd->variables.debug_set_operations_secondary_overflow_at,
+                    "%zu %zu %zu %30s", &m_simulated_set_idx,
+                    &m_simulated_chunk_idx, &m_simulated_row_no, buff);
+    if (tokens < 3 || m_simulated_row_no < 1 ||
         m_simulated_chunk_idx >= m_chunk_files.size()) {
       my_error(ER_SIMULATED_INJECTION_ERROR, MYF(0), "Chunk number", common_msg,
                m_chunk_files.size() - 1);
@@ -3372,23 +3413,40 @@ bool SpillState::simulated_secondary_overflow(bool *spill) {
                m_no_of_chunk_file_sets - 1);
       return true;
     }
+    m_right_hf = tokens == 4;
+    if (m_right_hf && read_state() == ReadingState::SS_READING_LEFT_IF)
+      return false;
   }
 
   if (m_simulated_set_idx <
       std::numeric_limits<size_t>::max()) {  // initialized
     if (m_current_chunk_file_set == m_simulated_set_idx &&
         m_current_chunk_idx == m_simulated_chunk_idx) {
-      if (m_simulated_row_no >
-          m_row_counts[m_current_chunk_idx][m_current_chunk_file_set]
-              .IF_count) {
-        my_error(ER_SIMULATED_INJECTION_ERROR, MYF(0), "Row number", common_msg,
-                 m_row_counts[m_current_chunk_idx][m_current_chunk_file_set]
-                     .IF_count);
-        return true;
+      const size_t chunk_rows =
+          (!m_right_hf
+               ? m_row_counts[m_current_chunk_idx][m_current_chunk_file_set]
+                     .IF_count
+               :
+
+               m_row_counts[m_current_chunk_idx][m_current_chunk_file_set]
+                   .HF_count);
+      if ((m_right_hf &&
+           read_state() == SpillState::ReadingState::SS_READING_RIGHT_HF) ||
+          !m_right_hf) {
+        if (m_simulated_row_no > chunk_rows) {
+          my_error(ER_SIMULATED_INJECTION_ERROR, MYF(0), "Row number",
+                   common_msg, chunk_rows);
+          return true;
+        }
       }
 
       if (m_current_row_in_chunk == static_cast<size_t>(m_simulated_row_no)) {
-        *spill = true;
+        if (!m_right_hf) {
+          *spill = true;
+        } else if (read_state() ==
+                   SpillState::ReadingState::SS_READING_RIGHT_HF) {
+          *rop_overflow = true;
+        }
       }
     }
   }

sql/sys_vars.cc

@@ -7455,10 +7455,14 @@ static Sys_var_ulonglong Sys_set_operations_buffer_size(
 //   a) set index, cf. explanation in comments for class SpillState
 //   b) chunk index
 //   c) row number
+//   d) optional string: "right_operand"
 // Syntax: <set-idx:integer 0-based> <chunk-idx:integer 0-based>
 //         <row_no:integer 1-based>
 // Example:
 //       SET SESSION debug_set_operations_secondary_overflow_at = '1 5 7';
+//       SET SESSION debug_set_operations_secondary_overflow_at =
+//           '1 5 7 right_operand';
+//
 // If the numbers given are outside range on the high side, they will never
 // trigger any secondary spill.
 static Sys_var_charptr Sys_debug_set_operations_secondary_overflow_at(