[MDEV-17020] Assertion `length > 0' failed in ptr_compare upon ORDER BY with bad conversion - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.0(EOL), 10.1(EOL), 10.2(EOL)
Fix Version/s: 10.0.37, 10.3.11, 10.1.37, 10.2.19
Component/s: Server
Labels:
None

Description

SET sql_mode= '';

CREATE TABLE t1 (pk INT PRIMARY KEY);

INSERT INTO t1 VALUES (1),(2);

SELECT * FROM t1 ORDER BY 'foo', CONVERT(pk, CHAR(0)) LIMIT 2;

# Cleanup

DROP TABLE t1;

10.0 bcc677bb7
mysqld: /data/src/10.0/mysys/ptr_cmp.c:94: ptr_compare: Assertion `length > 0' failed.
180819 17:32:54 [ERROR] mysqld got signal 6 ;

#7 0x00007fec92194ee2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#8 0x0000000000e2966d in ptr_compare (compare_length=0x7fec94262f48, a=0x7fec8a859a38, b=0x7fec8a859a30) at /data/src/10.0/mysys/ptr_cmp.c:94
#9 0x0000000000e2a66a in queue_insert (queue=0x7fec94262f60, element=0x7fec8a859a38 "L\232\205\212\354\177") at /data/src/10.0/mysys/queues.c:203
#10 0x000000000083a5ef in Bounded_queue<unsigned char, unsigned char>::push (this=0x7fec94262f40, element=0x7fec94262e10 "") at /data/src/10.0/sql/bounded_queue.h:190
#11 0x0000000000836e58 in find_all_keys (param=0x7fec94263000, select=0x7fec8abb13b0, fs_info=0x7fec94262f90, buffpek_pointers=0x7fec94263220, tempfile=0x7fec94263080, pq=0x7fec94262f40, found_rows=0x7fec942634c8) at /data/src/10.0/sql/filesort.cc:817
#12 0x00000000008357e4 in filesort (thd=0x7fec8c2a2070, table=0x7fec8a89e470, sortorder=0x7fec8abb1900, s_length=1, select=0x7fec8abb13b0, max_rows=2, sort_positions=false, examined_rows=0x7fec942634d0, found_rows=0x7fec942634c8) at /data/src/10.0/sql/filesort.cc:297
#13 0x00000000006b514c in create_sort_index (thd=0x7fec8c2a2070, join=0x7fec8a8facf0, order=0x7fec8a8fabd8, filesort_limit=2, select_limit=2, is_order_by=true) at /data/src/10.0/sql/sql_select.cc:20996
#14 0x0000000000689f34 in JOIN::exec_inner (this=0x7fec8a8facf0) at /data/src/10.0/sql/sql_select.cc:3093
#15 0x00000000006875fe in JOIN::exec (this=0x7fec8a8facf0) at /data/src/10.0/sql/sql_select.cc:2409
#16 0x000000000068a9a0 in mysql_select (thd=0x7fec8c2a2070, rref_pointer_array=0x7fec8c2a63a0, tables=0x7fec8a8fa2c8, wild_num=1, fields=..., conds=0x0, og_num=2, order=0x7fec8a8fa970, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fec8a8facd0, unit=0x7fec8c2a5a08, select_lex=0x7fec8c2a60f8) at /data/src/10.0/sql/sql_select.cc:3348
#17 0x0000000000680a14 in handle_select (thd=0x7fec8c2a2070, lex=0x7fec8c2a5940, result=0x7fec8a8facd0, setup_tables_done_option=0) at /data/src/10.0/sql/sql_select.cc:377
#18 0x0000000000654f07 in execute_sqlcom_select (thd=0x7fec8c2a2070, all_tables=0x7fec8a8fa2c8) at /data/src/10.0/sql/sql_parse.cc:5301
#19 0x000000000064d45d in mysql_execute_command (thd=0x7fec8c2a2070) at /data/src/10.0/sql/sql_parse.cc:2557
#20 0x0000000000657d64 in mysql_parse (thd=0x7fec8c2a2070, rawbuf=0x7fec8a8fa088 "SELECT * FROM t1 ORDER BY 'foo', CONVERT(pk, CHAR(0)) LIMIT 2", length=61, parser_state=0x7fec94264640) at /data/src/10.0/sql/sql_parse.cc:6637
#21 0x000000000064a684 in dispatch_command (command=COM_QUERY, thd=0x7fec8c2a2070, packet=0x7fec8d7e5071 "SELECT * FROM t1 ORDER BY 'foo', CONVERT(pk, CHAR(0)) LIMIT 2", packet_length=61) at /data/src/10.0/sql/sql_parse.cc:1300
#22 0x0000000000649984 in do_command (thd=0x7fec8c2a2070) at /data/src/10.0/sql/sql_parse.cc:1003
#23 0x000000000076acdc in do_handle_one_connection (thd_arg=0x7fec8c2a2070) at /data/src/10.0/sql/sql_connect.cc:1377
#24 0x000000000076aa4e in handle_one_connection (arg=0x7fec8c2a2070) at /data/src/10.0/sql/sql_connect.cc:1292
#25 0x0000000000accef0 in pfs_spawn_thread (arg=0x7fec8c1a2370) at /data/src/10.0/storage/perfschema/pfs.cc:1861
#26 0x00007fec93e98494 in start_thread (arg=0x7fec94265700) at pthread_create.c:333
#27 0x00007fec9225193f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Reproducible on 10.0, 10.1, 10.2, with at least InnoDB and MyISAM.
Couldn't reproduce on 10.3

Attachments

Activity

Ascending order - Click to sort in descending order

Varun Gupta (Inactive) added a comment - 2018-08-30 08:48

Some investigations

* thread #2, stop reason = step over

    frame #0: 0x0000000100fbd064 mysqld`ptr_compare(compare_length=0x0000700005eb4a08, a=0x00006100000102b8, b=0x00006100000102b0) at ptr_cmp.c:94

   91  	  reg3 int length= *compare_length;

   92  	  reg1 uchar *first,*last;

-> 94  	  DBUG_ASSERT(length > 0);

   95  	  first= *a; last= *b;

   96  	  while (--length)

   97  	  {

Target 0: (mysqld) stopped.

(lldb) p length

(int) $1 = 0

(lldb) p compare_length

(size_t *) $2 = 0x0000700005eb4a08

(lldb) p *compare_length

(size_t) $3 = 0

The stacktrace is

(lldb) bt

* thread #2, stop reason = step over

  * frame #0: 0x0000000100fbd064 mysqld`ptr_compare(compare_length=0x0000700005eb4a08, a=0x00006100000102b8, b=0x00006100000102b0) at ptr_cmp.c:94

    frame #1: 0x0000000100fbfbcc mysqld`queue_insert(queue=<unavailable>, element=<unavailable>) at queues.c:203

    frame #2: 0x000000010006c669 mysqld`find_all_keys(param=0x0000700005eb4950, select=0x00006290000647e0, fs_info=0x0000700005eb4ab0, buffpek_pointers=0x0000700005eb4740, tempfile=0x0000700005eb4530, pq=0x0000700005eb4a00, found_rows=<unavailable>) at filesort.cc:817

    frame #3: 0x0000000100068798 mysqld`filesort(thd=<unavailable>, table=<unavailable>, sortorder=<unavailable>, s_length=<unavailable>, select=<unavailable>, max_rows=<unavailable>, sort_positions=<unavailable>, examined_rows=0x0000700005eb4bf0, found_rows=0x0000700005eb4c10) at filesort.cc:292

    frame #4: 0x000000010054153d mysqld`create_sort_index(thd=0x000062a00005a270, join=0x000062500003f5e8, order=0x0000625000000000, filesort_limit=<unavailable>, select_limit=<unavailable>, is_order_by=true) at sql_select.cc:20994

    frame #5: 0x0000000100548c18 mysqld`JOIN::exec_inner(this=<unavailable>) at sql_select.cc:3088

    frame #6: 0x00000001005466ed mysqld`JOIN::exec(this=0x000062500003f5e8) at sql_select.cc:2409

    frame #7: 0x000000010051611d mysqld`mysql_select(thd=0x000062a00005a270, rref_pointer_array=<unavailable>, tables=<unavailable>, wild_num=<unavailable>, fields=<unavailable>, conds=<unavailable>, og_num=<unavailable>, order=<unavailable>, group=<unavailable>, having=<unavailable>, proc_param=<unavailable>, select_options=<unavailable>, result=<unavailable>, unit=<unavailable>, select_lex=<unavailable>) at sql_select.cc:3348

    frame #8: 0x0000000100515d13 mysqld`handle_select(thd=0x000062a00005a270, lex=0x000062a00005db40, result=<unavailable>, setup_tables_done_option=<unavailable>) at sql_select.cc:365

    frame #9: 0x000000010049f51c mysqld`execute_sqlcom_select(thd=0x000062a00005a270, all_tables=0x000062500003ebc8) at sql_parse.cc:5301

    frame #10: 0x0000000100491b8c mysqld`mysql_execute_command(thd=<unavailable>) at sql_parse.cc:2557

    frame #11: 0x000000010048eaf3 mysqld`mysql_parse(thd=0x000062a00005a270, rawbuf=<unavailable>, length=<unavailable>, parser_state=0x0000700005eb72f0) at sql_parse.cc:6637

    frame #12: 0x0000000100489f43 mysqld`dispatch_command(command=<unavailable>, thd=<unavailable>, packet="?u, packet_length=46177) at sql_parse.cc:1300

    frame #13: 0x000000010048d86b mysqld`do_command(thd=0x000062a00005a270) at sql_parse.cc:1003

    frame #14: 0x00000001006ff407 mysqld`do_handle_one_connection(thd_arg=<unavailable>) at sql_connect.cc:1377

    frame #15: 0x00000001006fee5d mysqld`::handle_one_connection(arg=0x000062a00005a270) at sql_connect.cc:1292

    frame #16: 0x00007fff73c99661 libsystem_pthread.dylib`_pthread_body + 340

    frame #17: 0x00007fff73c9950d libsystem_pthread.dylib`_pthread_start + 377

    frame #18: 0x00007fff73c98bf9 libsystem_pthread.dylib`thread_start + 13

Varun Gupta (Inactive) added a comment - 2018-08-30 08:48 Some investigations * thread #2, stop reason = step over frame #0: 0x0000000100fbd064 mysqld`ptr_compare(compare_length=0x0000700005eb4a08, a=0x00006100000102b8, b=0x00006100000102b0) at ptr_cmp.c:94 91 reg3 int length= *compare_length; 92 reg1 uchar *first,*last; 93 -> 94 DBUG_ASSERT(length > 0); 95 first= *a; last= *b; 96 while (--length) 97 { Target 0: (mysqld) stopped. (lldb) p length (int) $1 = 0 (lldb) p compare_length (size_t *) $2 = 0x0000700005eb4a08 (lldb) p *compare_length (size_t) $3 = 0 The stacktrace is (lldb) bt * thread #2, stop reason = step over * frame #0: 0x0000000100fbd064 mysqld`ptr_compare(compare_length=0x0000700005eb4a08, a=0x00006100000102b8, b=0x00006100000102b0) at ptr_cmp.c:94 frame #1: 0x0000000100fbfbcc mysqld`queue_insert(queue=<unavailable>, element=<unavailable>) at queues.c:203 frame #2: 0x000000010006c669 mysqld`find_all_keys(param=0x0000700005eb4950, select=0x00006290000647e0, fs_info=0x0000700005eb4ab0, buffpek_pointers=0x0000700005eb4740, tempfile=0x0000700005eb4530, pq=0x0000700005eb4a00, found_rows=<unavailable>) at filesort.cc:817 frame #3: 0x0000000100068798 mysqld`filesort(thd=<unavailable>, table=<unavailable>, sortorder=<unavailable>, s_length=<unavailable>, select=<unavailable>, max_rows=<unavailable>, sort_positions=<unavailable>, examined_rows=0x0000700005eb4bf0, found_rows=0x0000700005eb4c10) at filesort.cc:292 frame #4: 0x000000010054153d mysqld`create_sort_index(thd=0x000062a00005a270, join=0x000062500003f5e8, order=0x0000625000000000, filesort_limit=<unavailable>, select_limit=<unavailable>, is_order_by=true) at sql_select.cc:20994 frame #5: 0x0000000100548c18 mysqld`JOIN::exec_inner(this=<unavailable>) at sql_select.cc:3088 frame #6: 0x00000001005466ed mysqld`JOIN::exec(this=0x000062500003f5e8) at sql_select.cc:2409 frame #7: 0x000000010051611d mysqld`mysql_select(thd=0x000062a00005a270, rref_pointer_array=<unavailable>, tables=<unavailable>, wild_num=<unavailable>, fields=<unavailable>, conds=<unavailable>, og_num=<unavailable>, order=<unavailable>, group=<unavailable>, having=<unavailable>, proc_param=<unavailable>, select_options=<unavailable>, result=<unavailable>, unit=<unavailable>, select_lex=<unavailable>) at sql_select.cc:3348 frame #8: 0x0000000100515d13 mysqld`handle_select(thd=0x000062a00005a270, lex=0x000062a00005db40, result=<unavailable>, setup_tables_done_option=<unavailable>) at sql_select.cc:365 frame #9: 0x000000010049f51c mysqld`execute_sqlcom_select(thd=0x000062a00005a270, all_tables=0x000062500003ebc8) at sql_parse.cc:5301 frame #10: 0x0000000100491b8c mysqld`mysql_execute_command(thd=<unavailable>) at sql_parse.cc:2557 frame #11: 0x000000010048eaf3 mysqld`mysql_parse(thd=0x000062a00005a270, rawbuf=<unavailable>, length=<unavailable>, parser_state=0x0000700005eb72f0) at sql_parse.cc:6637 frame #12: 0x0000000100489f43 mysqld`dispatch_command(command=<unavailable>, thd=<unavailable>, packet="?u, packet_length=46177) at sql_parse.cc:1300 frame #13: 0x000000010048d86b mysqld`do_command(thd=0x000062a00005a270) at sql_parse.cc:1003 frame #14: 0x00000001006ff407 mysqld`do_handle_one_connection(thd_arg=<unavailable>) at sql_connect.cc:1377 frame #15: 0x00000001006fee5d mysqld`::handle_one_connection(arg=0x000062a00005a270) at sql_connect.cc:1292 frame #16: 0x00007fff73c99661 libsystem_pthread.dylib`_pthread_body + 340 frame #17: 0x00007fff73c9950d libsystem_pthread.dylib`_pthread_start + 377 frame #18: 0x00007fff73c98bf9 libsystem_pthread.dylib`thread_start + 13

Varun Gupta (Inactive) added a comment - 2018-08-30 12:11 - edited

The issue is maybe_null is set for CONVERT(pk, CHAR(0)) to be true on 10.2.

bool Item_str_func::fix_fields(THD *thd, Item **ref)

  bool res= Item_func::fix_fields(thd, ref);

/*

    In Item_str_func::check_well_formed_result() we may set null_value

    flag on the same condition as in test() below.

*/

  maybe_null= maybe_null || thd->is_strict_mode();

  return res;

So the sql_mode has different default values in different version
Picking from the documentation:

Since MariaDB 10.2.4, SQL_MODE is by default set to

NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO.

In earlier versions of MariaDB 10.2, and since MariaDB 10.1.7, SQL_MODE is by default set to

NO_ENGINE_SUBSTITUTION,NO_AUTO_CREATE_USER.

For earlier versions of MariaDB 10.1, and MariaDB 10.0 and before, no default is set.

Varun Gupta (Inactive) added a comment - 2018-08-30 12:11 - edited The issue is maybe_null is set for CONVERT(pk, CHAR(0)) to be true on 10.2. bool Item_str_func::fix_fields(THD *thd, Item **ref) { bool res= Item_func::fix_fields(thd, ref); /* In Item_str_func::check_well_formed_result() we may set null_value flag on the same condition as in test() below. */ maybe_null= maybe_null || thd->is_strict_mode(); return res; } So the sql_mode has different default values in different version Picking from the documentation: Since MariaDB 10.2.4, SQL_MODE is by default set to NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO. In earlier versions of MariaDB 10.2, and since MariaDB 10.1.7, SQL_MODE is by default set to NO_ENGINE_SUBSTITUTION,NO_AUTO_CREATE_USER. For earlier versions of MariaDB 10.1, and MariaDB 10.0 and before, no default is set.

Varun Gupta (Inactive) added a comment - 2018-08-30 18:51

Patch
http://lists.askmonty.org/pipermail/commits/2018-August/012859.html

Varun Gupta (Inactive) added a comment - 2018-08-30 18:51 Patch http://lists.askmonty.org/pipermail/commits/2018-August/012859.html

Varun Gupta (Inactive) added a comment - 2018-09-13 12:44

Feedback from psergey
http://lists.askmonty.org/pipermail/commits/2018-September/012918.html

Varun Gupta (Inactive) added a comment - 2018-09-13 12:44 Feedback from psergey http://lists.askmonty.org/pipermail/commits/2018-September/012918.html

Varun Gupta (Inactive) added a comment - 2018-09-13 17:29 - edited

New Patch:
http://lists.askmonty.org/pipermail/commits/2018-September/012928.html

Another solution could be to have a new compare function to handle zerolength sortkeys

Varun Gupta (Inactive) added a comment - 2018-09-13 17:29 - edited New Patch: http://lists.askmonty.org/pipermail/commits/2018-September/012928.html Another solution could be to have a new compare function to handle zerolength sortkeys

Varun Gupta (Inactive) added a comment - 2018-09-18 14:45

Patch
http://lists.askmonty.org/pipermail/commits/2018-September/012943.html

Varun Gupta (Inactive) added a comment - 2018-09-18 14:45 Patch http://lists.askmonty.org/pipermail/commits/2018-September/012943.html

Sergei Petrunia added a comment - 2018-10-11 11:33

Ok to push

Sergei Petrunia added a comment - 2018-10-11 11:33 Ok to push

People

Assignee:: Varun Gupta (Inactive)

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2018-08-19 14:34

Updated:: 2018-10-15 16:27

Resolved:: 2018-10-15 16:27

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server