[MDEV-24176] Server crashes after insert in the table with virtual column generated using date_format() and if() - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL)
Fix Version/s: 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4, 10.8.3
Component/s: Virtual Columns
Labels:
None

Description

CREATE TABLE t1 (d1 date NOT NULL, d2 date NOT NULL,

gd text as (concat(d1,if(d1 <> d2, date_format(d2, 'to %Y-%m-%d '), ''))) );

insert into t1(d1,d2) values

  ('2020-09-01','2020-09-01'),('2020-05-01','2020-09-01');

--exec $MYSQL_DUMP test t1 > "$MYSQLTEST_VARDIR/tmp/1.sql" 2>&1

insert  into t1 values ('2020-09-01','2020-09-01');

10.2 c048053c8af5083d35f764
Version: '10.2.36-MariaDB-debug-log' socket: '/git/10.2/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution
=================================================================
==43634==ERROR: AddressSanitizer: use-after-poison on address 0x62b000001288 at pc 0x55c9eb51b0d4 bp 0x7febf2c80cd0 sp 0x7febf2c80cc8
READ of size 8 at 0x62b000001288 thread T6
#0 0x55c9eb51b0d3 in Item::val_temporal_packed(enum_field_types) /git/10.2/sql/item.h:1525
#1 0x55c9eb533dd7 in Arg_comparator::compare_temporal(enum_field_types) /git/10.2/sql/item_cmpfunc.cc:792
#2 0x55c9eabd087a in Arg_comparator::compare_datetime() /git/10.2/sql/item_cmpfunc.h:105
#3 0x55c9eb57279f in Arg_comparator::compare() /git/10.2/sql/item_cmpfunc.h:87
#4 0x55c9eb5402d7 in Item_func_ne::val_int() /git/10.2/sql/item_cmpfunc.cc:1824
#5 0x55c9eb4bfdc3 in Item::val_bool() /git/10.2/sql/item.cc:112
#6 0x55c9eb5496fc in Item_func_if::str_op(String*) /git/10.2/sql/item_cmpfunc.cc:2533
#7 0x55c9eb5fa020 in Item_func_hybrid_field_type::str_op_with_null_check(String*) /git/10.2/sql/item_func.h:467
#8 0x55c9eb5b7d4d in Item_func_hybrid_field_type::val_str(String*) /git/10.2/sql/item_func.cc:881
#9 0x55c9eb632ee3 in Item_func_concat::val_str(String*) /git/10.2/sql/item_strfunc.cc:611
#10 0x55c9eb4efc69 in Item::save_in_field(Field*, bool) /git/10.2/sql/item.cc:6387
#11 0x55c9eb11e6ce in TABLE::update_virtual_fields(handler*, enum_vcol_update_mode) /git/10.2/sql/table.cc:7759
#12 0x55c9eb49940a in handler::ha_rnd_next(unsigned char*) /git/10.2/sql/handler.cc:2674
#13 0x55c9eb85ae15 in rr_sequential(READ_RECORD*) /git/10.2/sql/records.cc:492
#14 0x55c9eaf59251 in join_init_read_record(st_join_table*) /git/10.2/sql/sql_select.cc:19785
#15 0x55c9eaf51e3e in sub_select(JOIN, st_join_table, bool) /git/10.2/sql/sql_select.cc:18856
#16 0x55c9eaf4fb0c in do_select /git/10.2/sql/sql_select.cc:18403
#17 0x55c9eaee6c63 in JOIN::exec_inner() /git/10.2/sql/sql_select.cc:3641
#18 0x55c9eaee47d5 in JOIN::exec() /git/10.2/sql/sql_select.cc:3436
#19 0x55c9eaee7e35 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /git/10.2/sql/sql_select.cc:3836
#20 0x55c9eaec49a9 in handle_select(THD, LEX, select_result*, unsigned long) /git/10.2/sql/sql_select.cc:361
#21 0x55c9eae38bb6 in execute_sqlcom_select /git/10.2/sql/sql_parse.cc:6249
#22 0x55c9eae23ef0 in mysql_execute_command(THD*) /git/10.2/sql/sql_parse.cc:3558
#23 0x55c9eae41ee7 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /git/10.2/sql/sql_parse.cc:7761
#24 0x55c9eae18cd3 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /git/10.2/sql/sql_parse.cc:1827
#25 0x55c9eae156f8 in do_command(THD*) /git/10.2/sql/sql_parse.cc:1381
#26 0x55c9eb1bc9b2 in do_handle_one_connection(CONNECT*) /git/10.2/sql/sql_connect.cc:1336
#27 0x55c9eb1bc273 in handle_one_connection /git/10.2/sql/sql_connect.cc:1241
#28 0x55c9ec655d23 in pfs_spawn_thread /git/10.2/storage/perfschema/pfs.cc:1869
#29 0x7febfd780fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
#30 0x7febfd1044ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)

0x62b000001288 is located 4232 bytes inside of 24716-byte region [0x62b000000200,0x62b00000628c)
allocated by thread T5 here:
#0 0x7febfd883330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x55c9ec83aac1 in sf_malloc /git/10.2/mysys/safemalloc.c:118
#2 0x55c9ec8080a9 in my_malloc /git/10.2/mysys/my_malloc.c:101
#3 0x55c9ec7e5c56 in reset_root_defaults /git/10.2/mysys/my_alloc.c:147
#4 0x55c9ead5d05b in THD::init_for_queries() /git/10.2/sql/sql_class.cc:1313
#5 0x55c9eb1bbbb5 in prepare_new_connection_state(THD*) /git/10.2/sql/sql_connect.cc:1172
#6 0x55c9eb1bc2b9 in thd_prepare_connection(THD*) /git/10.2/sql/sql_connect.cc:1256
#7 0x55c9eb1bc8dd in do_handle_one_connection(CONNECT*) /git/10.2/sql/sql_connect.cc:1326
#8 0x55c9eb1bc273 in handle_one_connection /git/10.2/sql/sql_connect.cc:1241
#9 0x55c9ec655d23 in pfs_spawn_thread /git/10.2/storage/perfschema/pfs.cc:1869
#10 0x7febfd780fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486

Thread T6 created by T0 here:
#0 0x7febfd7eadb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
#1 0x55c9ec65615f in spawn_thread_v1 /git/10.2/storage/perfschema/pfs.cc:1919
#2 0x55c9eabaa494 in inline_mysql_thread_create /git/10.2/include/mysql/psi/mysql_thread.h:1246
#3 0x55c9eabc253e in create_thread_to_handle_connection(CONNECT*) /git/10.2/sql/mysqld.cc:6567
#4 0x55c9eabc2c93 in create_new_thread /git/10.2/sql/mysqld.cc:6637
#5 0x55c9eabc3e14 in handle_connections_sockets() /git/10.2/sql/mysqld.cc:6895
#6 0x55c9eabc1921 in mysqld_main(int, char**) /git/10.2/sql/mysqld.cc:6186
#7 0x55c9eaba8de4 in main /git/10.2/sql/main.cc:25
#8 0x7febfd02f09a in __libc_start_main ../csu/libc-start.c:308

Thread T5 created by T0 here:
#0 0x7febfd7eadb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
#1 0x55c9ec65615f in spawn_thread_v1 /git/10.2/storage/perfschema/pfs.cc:1919
#2 0x55c9eabaa494 in inline_mysql_thread_create /git/10.2/include/mysql/psi/mysql_thread.h:1246
#3 0x55c9eabc253e in create_thread_to_handle_connection(CONNECT*) /git/10.2/sql/mysqld.cc:6567
#4 0x55c9eabc2c93 in create_new_thread /git/10.2/sql/mysqld.cc:6637
#5 0x55c9eabc3e14 in handle_connections_sockets() /git/10.2/sql/mysqld.cc:6895
#6 0x55c9eabc1921 in mysqld_main(int, char**) /git/10.2/sql/mysqld.cc:6186
#7 0x55c9eaba8de4 in main /git/10.2/sql/main.cc:25
#8 0x7febfd02f09a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: use-after-poison /git/10.2/sql/item.h:1525 in Item::val_temporal_packed(enum_field_types)
Shadow bytes around the buggy address:
0x0c567fff8200: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff8210: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff8220: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff8230: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff8240: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c567fff8250: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff8260: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff8270: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff8280: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff8290: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff82a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==43634==ABORTING
----------SERVER LOG END-------------
mysqltest failed but provided no output

Reproducible with InnoDb/MyIsam, non-debug build crashing similarly

10.5 f424eb974d2cf5fe875
201109 17:04:20 [ERROR] mysqld got signal 11 ;

Server version: 10.5.8-MariaDB-debug-log

??:0(__restore_rt)[0x7f684602d730]
sql/item.h:2584(Item_args::walk_args(bool (Item::)(void), bool, void*))[0x55ebabb11c48]
sql/item.h:5222(Item_func_or_sum::walk(bool (Item::)(void), bool, void*))[0x55ebabb12335]
sql/item.h:2584(Item_args::walk_args(bool (Item::)(void), bool, void*))[0x55ebabb11c5d]
sql/item.h:5222(Item_func_or_sum::walk(bool (Item::)(void), bool, void*))[0x55ebabb12335]
sql/table.cc:3522(fix_session_vcol_expr(THD, Virtual_column_info))[0x55ebabce8e3c]
sql/sql_base.cc:5357(TABLE::fix_vcol_exprs(THD*))[0x55ebabb05d97]
sql/sql_base.cc:5393(fix_all_session_vcol_exprs(THD, TABLE_LIST))[0x55ebabb05fc6]
sql/sql_base.cc:5576(lock_tables(THD, TABLE_LIST, unsigned int, unsigned int))[0x55ebabb066b7]
sql/sql_base.cc:5188(open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*))[0x55ebabb057d2]
sql/sql_base.h:507(open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int))[0x55ebababcdf7]
sql/sql_insert.cc:756(mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x55ebabb57a01]
sql/sql_parse.cc:4587(mysql_execute_command(THD*))[0x55ebabbaa59e]
sql/sql_parse.cc:8044(mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool))[0x55ebabbb601d]
sql/sql_parse.cc:1875(dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool))[0x55ebabba22d8]
sql/sql_parse.cc:1353(do_command(THD*))[0x55ebabba0a0e]
sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x55ebabd47441]
sql/sql_connect.cc:1314(handle_one_connection)[0x55ebabd471aa]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55ebac284a4b]
nptl/pthread_create.c:487(start_thread)[0x7f6846022fa3]
x86_64/clone.S:97(clone)[0x7f684562b4cf]

Query (0x7f6824013ee0): insert into t1 values ('2020-09-01','2020-09-01')

A shorter version of the test case, but it is crashing only 10.3-10.5, not 10.2

create table t1 (d1 date, gd text as (if(d1='',date_format(d1,'%y-%m-%d'),'')));

--exec $MYSQL_DUMP test t1 > "$MYSQLTEST_VARDIR/tmp/1.sql" 2>&1

insert into t1 values ();

Attachments

Issue Links

blocks

MDEV-25794 vcol_info refix during lock_tables() leads to memory leak until table flush

Open

causes

MDEV-29357 Assertion (fixed) in Item_func_dayname on INSERT

Closed

duplicates

MDEV-25772 Virtual Column with CURDATE function cause suddenly entire MariaDB crash

Closed

is blocked by

MDEV-25638 Assertion `!result' failed in convert_const_to_int

Closed

is duplicated by

MDEV-24160 date_format() mixed with if() in a computed column causes server segfault

Closed

MDEV-26281 ASAN use-after-poison when complex conversion is involved in blob

Closed

MDEV-26407 Server crashes in Item_func_in::cleanup/Item::cleanup_processor

Closed

MDEV-26437 Server crashes in Item_args::walk_args

Closed

MDEV-26619 CURDATE() functions results in lost connection when used in a VIRTUAL column

Closed

MDEV-27897 Serever crash virtual cloum with curdate()

Closed

MDEV-27920 Galera node crashes when inserting rows to a virtual column created with the DAYNAME function

Closed

MDEV-28085 MariaDB SEGV issue

Closed

MDEV-28087 MariaDB SEGV issue

Closed

MDEV-28089 MariaDB SEGV issue

Closed

MDEV-28090 MariaDB SEGV issue

Closed

MDEV-28092 MariaDB SEGV issue

Closed

MDEV-28093 MariaDB UAP issue

Closed

MDEV-28099 MariaDB UAP issue

Closed

relates to

MDEV-25672 table alias from previous statement interferes later commands

Closed

MDEV-26407 Server crashes in Item_func_in::cleanup/Item::cleanup_processor

Closed

MDEV-27966 Assertion `fixed()' failed and Assertion `fixed == 1' failed, both in Item_func_concat::val_str on SELECT after INSERT with collation utf32_bin on utf8_bin table

Closed

MDEV-28034 SIGSEGV in Item_args::walk_args and libstdc++ __cxa_pure_virtual terminate/SIGABRT in Item::check_type_scalar

Closed

(13 is duplicated by, 4 relates to)

Activity

Transition	Time In Source Status	Execution Times

Alice Sherepa made transition - 2020-11-09 17:09

Open

Confirmed

42s

Aleksey Midenkov made transition - 2021-06-03 10:41

Confirmed

In Progress

205d 17h 32m

Aleksey Midenkov made transition - 2022-04-01 06:08

Stalled

In Progress

10d 21h 7m

Aleksey Midenkov made transition - 2022-04-05 10:39

In Progress

In Review

6d 19h 28m

Aleksey Midenkov made transition - 2022-04-12 10:02

Stalled

In Review

4d 13h 2m

Sergei Golubchik made transition - 2022-04-16 22:38

In Review

Stalled

295d 6h 18m

Aleksey Midenkov made transition - 2022-04-18 12:14

Stalled

Closed

1d 13h 35m

People

Assignee:: Aleksey Midenkov

Reporter:: Alice Sherepa

Votes:: 1 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 2020-11-09 17:08

Updated:: 2025-01-06 22:25

Resolved:: 2022-04-18 12:14

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration