Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-24176

Server crashes after insert in the table with virtual column generated using date_format() and if()

    XMLWordPrintable

    Details

      Description

      CREATE TABLE t1 (d1 date NOT NULL, d2 date NOT NULL,
      gd text as (concat(d1,if(d1 <> d2, date_format(d2, 'to %Y-%m-%d '), ''))) );
       
      insert into t1(d1,d2) values 
        ('2020-09-01','2020-09-01'),('2020-05-01','2020-09-01');
       
      --exec $MYSQL_DUMP test t1 > "$MYSQLTEST_VARDIR/tmp/1.sql" 2>&1
      insert  into t1 values ('2020-09-01','2020-09-01');
      

      10.2 c048053c8af5083d35f764

      Version: '10.2.36-MariaDB-debug-log'  socket: '/git/10.2/mysql-test/var/tmp/mysqld.1.sock'  port: 16000  Source distribution
      =================================================================
      ==43634==ERROR: AddressSanitizer: use-after-poison on address 0x62b000001288 at pc 0x55c9eb51b0d4 bp 0x7febf2c80cd0 sp 0x7febf2c80cc8
      READ of size 8 at 0x62b000001288 thread T6
          #0 0x55c9eb51b0d3 in Item::val_temporal_packed(enum_field_types) /git/10.2/sql/item.h:1525
          #1 0x55c9eb533dd7 in Arg_comparator::compare_temporal(enum_field_types) /git/10.2/sql/item_cmpfunc.cc:792
          #2 0x55c9eabd087a in Arg_comparator::compare_datetime() /git/10.2/sql/item_cmpfunc.h:105
          #3 0x55c9eb57279f in Arg_comparator::compare() /git/10.2/sql/item_cmpfunc.h:87
          #4 0x55c9eb5402d7 in Item_func_ne::val_int() /git/10.2/sql/item_cmpfunc.cc:1824
          #5 0x55c9eb4bfdc3 in Item::val_bool() /git/10.2/sql/item.cc:112
          #6 0x55c9eb5496fc in Item_func_if::str_op(String*) /git/10.2/sql/item_cmpfunc.cc:2533
          #7 0x55c9eb5fa020 in Item_func_hybrid_field_type::str_op_with_null_check(String*) /git/10.2/sql/item_func.h:467
          #8 0x55c9eb5b7d4d in Item_func_hybrid_field_type::val_str(String*) /git/10.2/sql/item_func.cc:881
          #9 0x55c9eb632ee3 in Item_func_concat::val_str(String*) /git/10.2/sql/item_strfunc.cc:611
          #10 0x55c9eb4efc69 in Item::save_in_field(Field*, bool) /git/10.2/sql/item.cc:6387
          #11 0x55c9eb11e6ce in TABLE::update_virtual_fields(handler*, enum_vcol_update_mode) /git/10.2/sql/table.cc:7759
          #12 0x55c9eb49940a in handler::ha_rnd_next(unsigned char*) /git/10.2/sql/handler.cc:2674
          #13 0x55c9eb85ae15 in rr_sequential(READ_RECORD*) /git/10.2/sql/records.cc:492
          #14 0x55c9eaf59251 in join_init_read_record(st_join_table*) /git/10.2/sql/sql_select.cc:19785
          #15 0x55c9eaf51e3e in sub_select(JOIN*, st_join_table*, bool) /git/10.2/sql/sql_select.cc:18856
          #16 0x55c9eaf4fb0c in do_select /git/10.2/sql/sql_select.cc:18403
          #17 0x55c9eaee6c63 in JOIN::exec_inner() /git/10.2/sql/sql_select.cc:3641
          #18 0x55c9eaee47d5 in JOIN::exec() /git/10.2/sql/sql_select.cc:3436
          #19 0x55c9eaee7e35 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /git/10.2/sql/sql_select.cc:3836
          #20 0x55c9eaec49a9 in handle_select(THD*, LEX*, select_result*, unsigned long) /git/10.2/sql/sql_select.cc:361
          #21 0x55c9eae38bb6 in execute_sqlcom_select /git/10.2/sql/sql_parse.cc:6249
          #22 0x55c9eae23ef0 in mysql_execute_command(THD*) /git/10.2/sql/sql_parse.cc:3558
          #23 0x55c9eae41ee7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /git/10.2/sql/sql_parse.cc:7761
          #24 0x55c9eae18cd3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.2/sql/sql_parse.cc:1827
          #25 0x55c9eae156f8 in do_command(THD*) /git/10.2/sql/sql_parse.cc:1381
          #26 0x55c9eb1bc9b2 in do_handle_one_connection(CONNECT*) /git/10.2/sql/sql_connect.cc:1336
          #27 0x55c9eb1bc273 in handle_one_connection /git/10.2/sql/sql_connect.cc:1241
          #28 0x55c9ec655d23 in pfs_spawn_thread /git/10.2/storage/perfschema/pfs.cc:1869
          #29 0x7febfd780fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
          #30 0x7febfd1044ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)
       
      0x62b000001288 is located 4232 bytes inside of 24716-byte region [0x62b000000200,0x62b00000628c)
      allocated by thread T5 here:
          #0 0x7febfd883330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
          #1 0x55c9ec83aac1 in sf_malloc /git/10.2/mysys/safemalloc.c:118
          #2 0x55c9ec8080a9 in my_malloc /git/10.2/mysys/my_malloc.c:101
          #3 0x55c9ec7e5c56 in reset_root_defaults /git/10.2/mysys/my_alloc.c:147
          #4 0x55c9ead5d05b in THD::init_for_queries() /git/10.2/sql/sql_class.cc:1313
          #5 0x55c9eb1bbbb5 in prepare_new_connection_state(THD*) /git/10.2/sql/sql_connect.cc:1172
          #6 0x55c9eb1bc2b9 in thd_prepare_connection(THD*) /git/10.2/sql/sql_connect.cc:1256
          #7 0x55c9eb1bc8dd in do_handle_one_connection(CONNECT*) /git/10.2/sql/sql_connect.cc:1326
          #8 0x55c9eb1bc273 in handle_one_connection /git/10.2/sql/sql_connect.cc:1241
          #9 0x55c9ec655d23 in pfs_spawn_thread /git/10.2/storage/perfschema/pfs.cc:1869
          #10 0x7febfd780fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
       
      Thread T6 created by T0 here:
          #0 0x7febfd7eadb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
          #1 0x55c9ec65615f in spawn_thread_v1 /git/10.2/storage/perfschema/pfs.cc:1919
          #2 0x55c9eabaa494 in inline_mysql_thread_create /git/10.2/include/mysql/psi/mysql_thread.h:1246
          #3 0x55c9eabc253e in create_thread_to_handle_connection(CONNECT*) /git/10.2/sql/mysqld.cc:6567
          #4 0x55c9eabc2c93 in create_new_thread /git/10.2/sql/mysqld.cc:6637
          #5 0x55c9eabc3e14 in handle_connections_sockets() /git/10.2/sql/mysqld.cc:6895
          #6 0x55c9eabc1921 in mysqld_main(int, char**) /git/10.2/sql/mysqld.cc:6186
          #7 0x55c9eaba8de4 in main /git/10.2/sql/main.cc:25
          #8 0x7febfd02f09a in __libc_start_main ../csu/libc-start.c:308
       
      Thread T5 created by T0 here:
          #0 0x7febfd7eadb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
          #1 0x55c9ec65615f in spawn_thread_v1 /git/10.2/storage/perfschema/pfs.cc:1919
          #2 0x55c9eabaa494 in inline_mysql_thread_create /git/10.2/include/mysql/psi/mysql_thread.h:1246
          #3 0x55c9eabc253e in create_thread_to_handle_connection(CONNECT*) /git/10.2/sql/mysqld.cc:6567
          #4 0x55c9eabc2c93 in create_new_thread /git/10.2/sql/mysqld.cc:6637
          #5 0x55c9eabc3e14 in handle_connections_sockets() /git/10.2/sql/mysqld.cc:6895
          #6 0x55c9eabc1921 in mysqld_main(int, char**) /git/10.2/sql/mysqld.cc:6186
          #7 0x55c9eaba8de4 in main /git/10.2/sql/main.cc:25
          #8 0x7febfd02f09a in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: use-after-poison /git/10.2/sql/item.h:1525 in Item::val_temporal_packed(enum_field_types)
      Shadow bytes around the buggy address:
        0x0c567fff8200: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8210: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8220: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8230: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8240: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      =>0x0c567fff8250: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8260: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8270: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8280: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8290: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff82a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==43634==ABORTING
      ----------SERVER LOG END-------------
      mysqltest failed but provided no output
      
      

      Reproducible with InnoDb/MyIsam, non-debug build crashing similarly

      10.5 f424eb974d2cf5fe875

      201109 17:04:20 [ERROR] mysqld got signal 11 ;
       
      Server version: 10.5.8-MariaDB-debug-log
       
      ??:0(__restore_rt)[0x7f684602d730]
      sql/item.h:2584(Item_args::walk_args(bool (Item::*)(void*), bool, void*))[0x55ebabb11c48]
      sql/item.h:5222(Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*))[0x55ebabb12335]
      sql/item.h:2584(Item_args::walk_args(bool (Item::*)(void*), bool, void*))[0x55ebabb11c5d]
      sql/item.h:5222(Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*))[0x55ebabb12335]
      sql/table.cc:3522(fix_session_vcol_expr(THD*, Virtual_column_info*))[0x55ebabce8e3c]
      sql/sql_base.cc:5357(TABLE::fix_vcol_exprs(THD*))[0x55ebabb05d97]
      sql/sql_base.cc:5393(fix_all_session_vcol_exprs(THD*, TABLE_LIST*))[0x55ebabb05fc6]
      sql/sql_base.cc:5576(lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int))[0x55ebabb066b7]
      sql/sql_base.cc:5188(open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*))[0x55ebabb057d2]
      sql/sql_base.h:507(open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int))[0x55ebababcdf7]
      sql/sql_insert.cc:756(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x55ebabb57a01]
      sql/sql_parse.cc:4587(mysql_execute_command(THD*))[0x55ebabbaa59e]
      sql/sql_parse.cc:8044(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55ebabbb601d]
      sql/sql_parse.cc:1875(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55ebabba22d8]
      sql/sql_parse.cc:1353(do_command(THD*))[0x55ebabba0a0e]
      sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x55ebabd47441]
      sql/sql_connect.cc:1314(handle_one_connection)[0x55ebabd471aa]
      perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55ebac284a4b]
      nptl/pthread_create.c:487(start_thread)[0x7f6846022fa3]
      x86_64/clone.S:97(clone)[0x7f684562b4cf]
       
      Query (0x7f6824013ee0): insert  into t1 values ('2020-09-01','2020-09-01')
      
      

      A shorter version of the test case, but it is crashing only 10.3-10.5, not 10.2

      create table t1 (d1 date, gd text as (if(d1='',date_format(d1,'%y-%m-%d'),'')));
      --exec $MYSQL_DUMP test t1 > "$MYSQLTEST_VARDIR/tmp/1.sql" 2>&1
      insert into t1 values ();
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              serg Sergei Golubchik
              Reporter:
              alice Alice Sherepa
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:

                  Git Integration