[MDEV-18916] crash in Window_spec::print_partition() with decimals - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.3.13, 10.5.0, 10.2(EOL), 10.3(EOL), 10.4(EOL)
Fix Version/s: 10.2.33, 10.3.24, 10.4.14, 10.5.5
Component/s: Optimizer - Window functions
Labels:
None
Environment:
WinX64

Description

Version: '10.3.13-MariaDB'  socket: ''  port: 3306  mariadb.org binary distribution

[ERROR] mysqld got exception 0xc0000005 ;

mysqld.exe!Window_spec::print_partition()[sql_window.cc:96]

mysqld.exe!Window_spec::print()[sql_window.cc:86]

mysqld.exe!item_name()[sql_type.cc:5487]

mysqld.exe!wrong_precision_error()[sql_type.cc:5495]

mysqld.exe!get_length_and_scale()[sql_type.cc:5520]

mysqld.exe!Type_handler_decimal_result::create_typecast_item()[sql_type.cc:5592]

mysqld.exe!Lex_cast_type_st::create_typecast_item()[item_func.h:2811]

mysqld.exe!MYSQLparse()[sql_yacc.yy:10249]

mysqld.exe!parse_sql()[sql_parse.cc:10125]

mysqld.exe!mysql_parse()[sql_parse.cc:8050]

mysqld.exe!dispatch_command()[sql_parse.cc:1856]

mysqld.exe!do_command()[sql_parse.cc:1395]

mysqld.exe!threadpool_process_request()[threadpool_common.cc:358]

mysqld.exe!tp_callback()[threadpool_common.cc:186]

Some testcases....

do cast((cast((lead(7 ,141)  over w2 )as decimal (38,64))  )as time );

do cast((cume_dist()over w1 )as decimal (32,56));

do cast((cume_dist()over w2 )as decimal (34,41));

do cast((cume_dist()over w2 )as decimal (45,42));

do cast((rank()over w1 )as decimal (53,56));

Attachments

Activity

Ascending order - Click to sort in descending order

Alice Sherepa added a comment - 2019-03-13 19:23

Thanks for the report and the test cases!
Reproducible on 10.2-10.4

Server does not crash on debug versions:

MariaDB [test]> select cast((cast((lead(7 ,141)  over w1 )as decimal (38,39))  )as time );

ERROR 1425 (42000): Too big scale 39 specified for 'lead(7,141) over w1'. Maximum is 38

On non-debug buids:

10.3.13

sql/sql_window.cc:96(Window_spec::print_partition(String*, enum_query_type))[0x5641e8461b87]

sql/sql_window.cc:86(Window_spec::print(Stng*, enum_query_type))[0x5641e8461ee8]

sql/sql_string.h:234(String::c_ptr_safe())[0x5641e8455fcc]

sql/sql_type.cc:5496(wrong_precision_error(unsigned int, Item*, unsigned long long, unsigned int))[0x5641e845d97c]

sql/sql_type.cc:5520(get_length_and_scale(unsigned long long, unsigned long long, unsigned int*, unsigned int*, unsigned int, unsigned int, Item*))[0x5641e845db5c]

sql/sql_type.cc:5592(Type_handler_decimal_result::create_typecast_item(THD*, Item*, Type_cast_attributes const&) const)[0x5641e845dca6]

sql/item_func.h:2811(Lex_cast_type_st::create_typecast_item(THD*, Item*, charset_info_st const*))[0x5641e84a9eef]

sql/sql_yacc.yy:10249(MYSQLparse(THD*))[0x5641e84a33e4]

sql/sql_parse.cc:10106(parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool))[0x5641e8340a85]

sql/sql_parse.cc:8050(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5641e8340d26]

sql/sql_parse.cc:1854(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5641e8342f95]

sql/sql_parse.cc:1398(do_command(THD*))[0x5641e834373e]

sql/sql_connect.cc:1403(do_handle_one_connection(CONNECT*))[0x5641e840b3ff]

sql/sql_connect.cc:1311(handle_one_connection)[0x5641e840b524]

/lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7ffa199596ba]

x86_64/clone.S:111(clone)[0x7ffa187be41d]

10.2 cac14b92252b3e7bcb, -DBUILD_CONFIG=mysql_release
190313 20:16:41 [ERROR] mysqld got signal 11 ;

/lib/x86_64-linux-gnu/libpthread.so.0(+0x11390)[0x7ffb07d39390]
sql/sql_window.cc:68(Window_spec::print(String*, enum_query_type))[0x55dc8547b5ad]
sql/sql_string.h:230(String::c_ptr_safe())[0x55dc85535c8a]
sql/item_create.cc:86(get_length_and_scale(unsigned long long, unsigned long long, unsigned int, unsigned int, unsigned int, unsigned int, Item*))[0x55dc8554520c]
sql/item_create.cc:7188(create_func_cast(THD, Item, Cast_target, char const, char const, charset_info_st const*))[0x55dc85545a83]
sql/sql_yacc.yy:9389(MYSQLparse(THD*))[0x55dc854a9eca]
sql/sql_parse.cc:10063(parse_sql(THD, Parser_state, Object_creation_ctx*, bool))[0x55dc85350228]
sql/sql_parse.cc:7973(mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool))[0x55dc85359496]
sql/sql_parse.cc:1829(dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool))[0x55dc8535c46c]
sql/sql_parse.cc:1381(do_command(THD*))[0x55dc8535cd67]
sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x55dc854279fa]
sql/sql_connect.cc:1244(handle_one_connection)[0x55dc85427b6d]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7ffb07d2f6ba]
x86_64/clone.S:111(clone)[0x7ffb073da41d]

Alice Sherepa added a comment - 2019-03-13 19:23 Thanks for the report and the test cases! Reproducible on 10.2-10.4 Server does not crash on debug versions: MariaDB [test]> select cast((cast((lead(7 ,141) over w1 )as decimal (38,39)) )as time ); ERROR 1425 (42000): Too big scale 39 specified for 'lead(7,141) over w1'. Maximum is 38 On non-debug buids: 10.3.13 sql/sql_window.cc:96(Window_spec::print_partition(String*, enum_query_type))[0x5641e8461b87] sql/sql_window.cc:86(Window_spec::print(Stng*, enum_query_type))[0x5641e8461ee8] sql/sql_string.h:234(String::c_ptr_safe())[0x5641e8455fcc] sql/sql_type.cc:5496(wrong_precision_error(unsigned int, Item*, unsigned long long, unsigned int))[0x5641e845d97c] sql/sql_type.cc:5520(get_length_and_scale(unsigned long long, unsigned long long, unsigned int*, unsigned int*, unsigned int, unsigned int, Item*))[0x5641e845db5c] sql/sql_type.cc:5592(Type_handler_decimal_result::create_typecast_item(THD*, Item*, Type_cast_attributes const&) const)[0x5641e845dca6] sql/item_func.h:2811(Lex_cast_type_st::create_typecast_item(THD*, Item*, charset_info_st const*))[0x5641e84a9eef] sql/sql_yacc.yy:10249(MYSQLparse(THD*))[0x5641e84a33e4] sql/sql_parse.cc:10106(parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool))[0x5641e8340a85] sql/sql_parse.cc:8050(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5641e8340d26] sql/sql_parse.cc:1854(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5641e8342f95] sql/sql_parse.cc:1398(do_command(THD*))[0x5641e834373e] sql/sql_connect.cc:1403(do_handle_one_connection(CONNECT*))[0x5641e840b3ff] sql/sql_connect.cc:1311(handle_one_connection)[0x5641e840b524] /lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7ffa199596ba] x86_64/clone.S:111(clone)[0x7ffa187be41d] 10.2 cac14b92252b3e7bcb, -DBUILD_CONFIG=mysql_release 190313 20:16:41 [ERROR] mysqld got signal 11 ; /lib/x86_64-linux-gnu/libpthread.so.0(+0x11390)[0x7ffb07d39390] sql/sql_window.cc:68(Window_spec::print(String*, enum_query_type))[0x55dc8547b5ad] sql/sql_string.h:230(String::c_ptr_safe())[0x55dc85535c8a] sql/item_create.cc:86(get_length_and_scale(unsigned long long, unsigned long long, unsigned int*, unsigned int*, unsigned int, unsigned int, Item*))[0x55dc8554520c] sql/item_create.cc:7188(create_func_cast(THD*, Item*, Cast_target, char const*, char const*, charset_info_st const*))[0x55dc85545a83] sql/sql_yacc.yy:9389(MYSQLparse(THD*))[0x55dc854a9eca] sql/sql_parse.cc:10063(parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool))[0x55dc85350228] sql/sql_parse.cc:7973(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55dc85359496] sql/sql_parse.cc:1829(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55dc8535c46c] sql/sql_parse.cc:1381(do_command(THD*))[0x55dc8535cd67] sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x55dc854279fa] sql/sql_connect.cc:1244(handle_one_connection)[0x55dc85427b6d] /lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7ffb07d2f6ba] x86_64/clone.S:111(clone)[0x7ffb073da41d]

sbester1 added a comment - 2019-09-14 16:21

still affects 10.4.8

sbester1 added a comment - 2019-09-14 16:21 still affects 10.4.8

sbester1 added a comment - 2020-01-19 05:17

This still affects 10.5.0. In the testcase replace "do " with "select ".

sbester1 added a comment - 2020-01-19 05:17 This still affects 10.5.0. In the testcase replace "do " with "select ".

Varun Gupta (Inactive) added a comment - 2020-07-20 09:47

This case just fails on the release build and not on the debug build.
This is because in the print function which is called when we need to print the window function for the error

The function Item_window_func::print has this snippet, where we print the window name only in debug mode.
I think this ifndef needs to be removed and this would give an error both on debug and non-debug builds

#ifndef DBUG_OFF

  if (!window_spec) // one can call dbug_print_item() anytime in gdb

    str->append(window_name);

  else

#endif

  window_spec->print(str, query_type);

Varun Gupta (Inactive) added a comment - 2020-07-20 09:47 This case just fails on the release build and not on the debug build. This is because in the print function which is called when we need to print the window function for the error The function Item_window_func::print has this snippet, where we print the window name only in debug mode. I think this ifndef needs to be removed and this would give an error both on debug and non-debug builds #ifndef DBUG_OFF if (!window_spec) // one can call dbug_print_item() anytime in gdb str->append(window_name); else #endif window_spec->print(str, query_type); }

Varun Gupta (Inactive) added a comment - 2020-07-20 10:24

Patch
http://lists.askmonty.org/pipermail/commits/2020-July/014290.html

Varun Gupta (Inactive) added a comment - 2020-07-20 10:24 Patch http://lists.askmonty.org/pipermail/commits/2020-July/014290.html

Sergei Petrunia added a comment - 2020-07-26 20:31

Ok to push.

Sergei Petrunia added a comment - 2020-07-26 20:31 Ok to push.

People

Assignee:: Varun Gupta (Inactive)

Reporter:: sbester1

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2019-03-13 17:34

Updated:: 2020-07-28 10:10

Resolved:: 2020-07-27 08:33

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server