MariaDB Server / MDEV-22380

Assertion `name.length == strlen(name.str)' failed in Item::print_item_w_name on SELECT w/ optimizer_trace enabled

Details

    Description

      SET optimizer_trace="enabled=on";
      SELECT 'a\0';
      

      Leads to:

      10.5.3 98003440c2f8d20164a191ced1b7d92b283bb68f

      mysqld: /test/10.5_dbg/sql/item.cc:497: void Item::print_item_w_name(String*, enum_query_type): Assertion `name.length == strlen(name.str)' failed.
      

      10.5.3 98003440c2f8d20164a191ced1b7d92b283bb68f

      Core was generated by `/test/MD210420-mariadb-10.5.3-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGABRT, Aborted.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      [Current thread is 1 (Thread 0x7fb8730c0700 (LWP 546313))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      #1  0x00005566a1a0103d in my_write_core (sig=sig@entry=6) at /test/10.5_dbg/mysys/stacktrace.c:518
      #2  0x00005566a11a6d7b in handle_fatal_signal (sig=6) at /test/10.5_dbg/sql/signal_handler.cc:329
      #3  <signal handler called>
      #4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
      #5  0x00007fb871804801 in __GI_abort () at abort.c:79
      #6  0x00007fb8717f439a in __assert_fail_base (fmt=0x7fb87197b7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x5566a1d13328 "name.length == strlen(name.str)", file=file@entry=0x5566a1d12b0e "/test/10.5_dbg/sql/item.cc", line=line@entry=497, function=function@entry=0x5566a1d12900 <Item::print_item_w_name(String*, enum_query_type)::__PRETTY_FUNCTION__> "void Item::print_item_w_name(String*, enum_query_type)") at assert.c:92
      #7  0x00007fb8717f4412 in __GI___assert_fail (assertion=assertion@entry=0x5566a1d13328 "name.length == strlen(name.str)", file=file@entry=0x5566a1d12b0e "/test/10.5_dbg/sql/item.cc", line=line@entry=497, function=function@entry=0x5566a1d12900 <Item::print_item_w_name(String*, enum_query_type)::__PRETTY_FUNCTION__> "void Item::print_item_w_name(String*, enum_query_type)") at assert.c:101
      #8  0x00005566a11d04e5 in Item::print_item_w_name (this=this@entry=0x7fb845874598, str=str@entry=0x7fb8730be050, query_type=query_type@entry=1037) at /test/10.5_dbg/sql/item.cc:497
      #9  0x00005566a0f58856 in st_select_lex::print (this=this@entry=0x7fb845874120, thd=thd@entry=0x7fb845815088, str=str@entry=0x7fb8730be050, query_type=query_type@entry=1037) at /test/10.5_dbg/sql/sql_select.cc:27658
      #10 0x00005566a1105eca in opt_trace_print_expanded_query (thd=0x7fb845815088, select_lex=0x7fb845874120, writer=writer@entry=0x7fb8730be5a0) at /test/10.5_dbg/sql/opt_trace.cc:118
      #11 0x00005566a0f6ce3c in JOIN::prepare (this=this@entry=0x7fb845874f20, tables_init=tables_init@entry=0x0, conds_init=conds_init@entry=0x0, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fb845874120, unit_arg=0x7fb845819098) at /test/10.5_dbg/sql/sql_select.cc:1482
      #12 0x00005566a0f79385 in mysql_select (thd=thd@entry=0x7fb845815088, tables=0x0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fb845874ef8, unit=0x7fb845819098, select_lex=0x7fb845874120) at /test/10.5_dbg/sql/sql_select.cc:4634
      #13 0x00005566a0f79787 in handle_select (thd=thd@entry=0x7fb845815088, lex=lex@entry=0x7fb845818fd0, result=result@entry=0x7fb845874ef8, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_select.cc:417
      #14 0x00005566a0f03ef4 in execute_sqlcom_select (thd=thd@entry=0x7fb845815088, all_tables=0x0) at /test/10.5_dbg/sql/sql_parse.cc:6172
      #15 0x00005566a0efc919 in mysql_execute_command (thd=thd@entry=0x7fb845815088) at /test/10.5_dbg/sql/sql_parse.cc:3901
      #16 0x00005566a0f09f2b in mysql_parse (thd=thd@entry=0x7fb845815088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7fb8730bf450, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7957
      #17 0x00005566a0ef5c45 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7fb845815088, packet=packet@entry=0x7fb845867089 "SELECT 'a\\0'", packet_length=packet_length@entry=12, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1839
      #18 0x00005566a0ef449b in do_command (thd=0x7fb845815088) at /test/10.5_dbg/sql/sql_parse.cc:1358
      #19 0x00005566a104f415 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x7fb8513c53a8, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1422
      #20 0x00005566a104f744 in handle_one_connection (arg=arg@entry=0x7fb8513c53a8) at /test/10.5_dbg/sql/sql_connect.cc:1319
      #21 0x00005566a14affb0 in pfs_spawn_thread (arg=0x7fb870c45b08) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
      #22 0x00007fb8724e76db in start_thread (arg=0x7fb8730c0700) at pthread_create.c:463
      #23 0x00007fb8718e588f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.4.13 (dbg), 10.5.2 (dbg), 10.5.3 (dbg)

      Bug confirmed not present in:
      MariaDB: 10.1.45 (dbg), 10.1.45 (opt), 10.2.32 (dbg), 10.2.32 (opt), 10.3.23 (dbg), 10.3.23 (opt), 10.4.13 (opt), 10.5.2 (opt), 10.5.3 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

      MariaDB 10.3.23, dbg:

      10.3.23>SET optimizer_trace="enabled=on";
      ERROR 1193 (HY000): Unknown system variable 'optimizer_trace'
       
      10.3.23>SELECT 'a\0';
      +----+
      | a  |
      +----+
      | a  |
      +----+
      1 row in set (0.000 sec)
      

      MariaDB 10.5.3, opt:

      10.5.3>SET optimizer_trace="enabled=on";
      Query OK, 0 rows affected (0.000 sec)
       
      10.5.3>SELECT 'a\0';
      +----+
      | a  |
      +----+
      | a  |
      +----+
      1 row in set (0.000 sec)
      

          Activity

            Roel Roel Van de Paar created issue -
            varun Varun Gupta (Inactive) made changes -
            Field Original Value New Value
            Assignee Sergei Petrunia [ psergey ] Varun Gupta [ varun ]

            varun Varun Gupta (Inactive) added a comment -

            This problem can be reproduced for a normal case too (without optimizer_trace enabled)

            CREATE view v1 as SELECT 'a\0';

            varun Varun Gupta (Inactive) added a comment -

            I think removing the assert makes sense here because we add a\0 to the output and then the assert is

            name.length == strlen(name)
            so the '\0' is not considered in the length of the string name
            varun Varun Gupta (Inactive) made changes -
            Assignee Varun Gupta [ varun ] Alexander Barkov [ bar ]

            bar Alexander Barkov added a comment -

            This query also crashes the server:

            EXPLAIN EXTENDED SELECT 'a\0\1';
            Roel Roel Van de Paar made changes -
            Labels not-10.1 not-10.2 not-10.3 affects-tests not-10.1 not-10.2 not-10.3

            Roel Roel Van de Paar added a comment -

            affects-tests: test failure reproducibility is oddly affected by this bug, perhaps due to the escape sequence. It requires manual editing per seen occurrence in various (if not each) runs. bar, if the fix is easy, it would be appreciated. Thank you!
            bar Alexander Barkov added a comment - - edited

            The same crash is happening with:

            EXECUTE IMMEDIATE CONCAT('EXPLAIN EXTENDED SELECT 1+/*',0x00,'*/1');
            


            bar Alexander Barkov added a comment -

            Also repeatable with:

            SET optimizer_trace="enabled=on";
            EXECUTE IMMEDIATE CONCAT('SELECT ''a', 0x00, '''');
            Roel Roel Van de Paar made changes -
            Priority Major [ 3 ] Critical [ 2 ]
            bar Alexander Barkov made changes -
            Assignee Alexander Barkov [ bar ] Oleksandr Byelkin [ sanja ]

            bar Alexander Barkov added a comment -

            sanja, can you please assign to someone in the Server team? Thanks.
            julien.fritsch Julien Fritsch made changes -
            Assignee Oleksandr Byelkin [ sanja ] Sergei Petrunia [ psergey ]
            bar Alexander Barkov added a comment - - edited

            psergey, sanja, Roel, julien.fritsch, I don't think it's really related to optimizer. Sanja's team sounds the best candidate to fix for me.

            bar Alexander Barkov added a comment - - edited

            The problem is in the Item code. Item::name is assigned to a string with a 0x00 byte in the middle. The rest of the code does not expect it.

            julien.fritsch Julien Fritsch made changes -
            Assignee Sergei Petrunia [ psergey ] Oleksandr Byelkin [ sanja ]
            julien.fritsch Julien Fritsch made changes -
            Component/s Optimizer [ 10200 ]

            sanja Oleksandr Byelkin added a comment -

            It is natural behaviour so far, nothing terrible.

            We probably should process names of automatically generated fields to avoid special symbols and symbols used in parsing in them.
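
The two comments above (a name holding a 0x00 byte in the middle, and processing auto-generated names) can be illustrated with the following added example, which is not MariaDB code and not the fix that was committed. `Name`, `invariant_holds` and `make_printable_name` are hypothetical, and writing 0x00 as `\0` and other control bytes as `\xHH` is an assumed policy.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical stand-in for a length-carrying name such as Item::name:
// a pointer plus an explicit byte count.
struct Name {
  const char *str;
  size_t length;
};

// The condition the failing assertion checks: the stored length must equal
// what a NUL-terminated reader (strlen) sees.
bool invariant_holds(const Name &n) {
  return n.length == std::strlen(n.str);
}

// Assumed policy (not the project's fix): when a name is derived from
// literal bytes, write 0x00 as the two characters "\0" and other control
// bytes as "\xHH", so the result never contains an embedded terminator.
std::string make_printable_name(const char *bytes, size_t length) {
  std::string out;
  for (size_t i = 0; i < length; i++) {
    unsigned char c = static_cast<unsigned char>(bytes[i]);
    if (c == 0) {
      out += "\\0";
    } else if (c < 0x20 || c == 0x7f) {
      char buf[5];  // backslash, 'x', two hex digits, terminator
      std::snprintf(buf, sizeof buf, "\\x%02X", static_cast<unsigned>(c));
      out += buf;
    } else {
      out += static_cast<char>(c);
    }
  }
  return out;
}

int main() {
  // Constructed sample: three name bytes with 0x00 in the middle, plus terminator.
  const char raw[] = {'a', '\0', 'b', '\0'};
  Name unsafe = {raw, 3};
  std::string safe = make_printable_name(raw, 3);
  Name fixed = {safe.c_str(), safe.size()};
  std::printf("raw holds: %d, sanitized holds: %d, name: %s\n",
              invariant_holds(unsafe), invariant_holds(fixed), safe.c_str());
  return 0;
}
```
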
            bar Alexander Barkov made changes -
            Assignee Oleksandr Byelkin [ sanja ] Alexander Barkov [ bar ]
            bar Alexander Barkov made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            bar Alexander Barkov made changes -
            issue.field.resolutiondate 2021-10-27 03:37:27.0 2021-10-27 03:37:27.347
            bar Alexander Barkov made changes -
            Component/s Character Sets [ 10801 ]
            Fix Version/s 10.3.32 [ 26029 ]
            Fix Version/s 10.4.22 [ 26031 ]
            Fix Version/s 10.5.13 [ 26026 ]
            Fix Version/s 10.6.5 [ 26034 ]
            Fix Version/s 10.7.1 [ 26120 ]
            Fix Version/s 10.4 [ 22408 ]
            Fix Version/s 10.5 [ 23123 ]
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Closed [ 6 ]
            serg Sergei Golubchik made changes -
            Workflow MariaDB v3 [ 107842 ] MariaDB v4 [ 157673 ]

            People

              bar Alexander Barkov
              Roel Roel Van de Paar