Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Duplicate
-
10.5.13, 10.6.5, 10.3(EOL), 10.4(EOL)
-
Linux x64
Description
Reported by:
Yaoguang Chen of Ant Security Light-Year Lab
Steps to reproduce:
CREATE TABLE v0 ( v1 BIGINT NOT NULL PRIMARY KEY , EVENTS TEXT DEFAULT ( v1 IN ( ( ROW ( NULL , -1 ) , v1 IN ( 'x' , 'x' ) ) ) ) ) ; |
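ASan report (heap-use-after-free: an Item allocated from a mem_root under parse_vcol_defs is freed by free_root in open_table_from_share, then read in Item_change_list::rollback_item_tree_changes):
Version: '10.6.5-MariaDB' socket: '/tmp/mysql_mar.sock' port: 3309 Source distribution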
=================================================================
==1443179==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000033bd0 at pc 0x55ce73aa9f29 bp 0x7f5d75f311a0 sp 0x7f5d75f31190
READ of size 8 at 0x61d000033bd0 thread T23
#0 0x55ce73aa9f28 in Item_change_list::rollback_item_tree_changes() /home/supersix/fuzz/security/MariaDB/server/sql/sql_class.cc:2969
#1 0x55ce73bf28fc in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:8053
#2 0x55ce73c280b3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1896
#3 0x55ce73c2d513 in do_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1404
#4 0x55ce740ef6fc in do_handle_one_connection(CONNECT*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1418
#5 0x55ce740f0e56 in handle_one_connection /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1312
#6 0x55ce74f3cd2f in pfs_spawn_thread /home/supersix/fuzz/security/MariaDB/server/storage/perfschema/pfs.cc:2201
#7 0x7f5d95569608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
#8 0x7f5d9513d292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
0x61d000033bd0 is located 1872 bytes inside of 1992-byte region [0x61d000033480,0x61d000033c48)
freed by thread T23 here:
#0 0x7f5d95af47cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
#1 0x55ce75ab0484 in free_root /home/supersix/fuzz/security/MariaDB/server/mysys/my_alloc.c:410
#2 0x55ce74015100 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /home/supersix/fuzz/security/MariaDB/server/sql/table.cc:4410
#3 0x55ce745bd84a in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/handler.cc:5876
#4 0x55ce73f29f2c in create_table_impl /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4447
#5 0x55ce73f2b57a in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4546
#6 0x55ce73f2c194 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4658
#7 0x55ce73f32f29 in Sql_cmd_create_table_like::execute(THD*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:11778
#8 0x55ce73c33887 in mysql_execute_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:5997
#9 0x55ce73bf2684 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:8030
#10 0x55ce73c280b3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1896
#11 0x55ce73c2d513 in do_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1404
#12 0x55ce740ef6fc in do_handle_one_connection(CONNECT*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1418
#13 0x55ce740f0e56 in handle_one_connection /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1312
#14 0x55ce74f3cd2f in pfs_spawn_thread /home/supersix/fuzz/security/MariaDB/server/storage/perfschema/pfs.cc:2201
#15 0x7f5d95569608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
previously allocated by thread T23 here:
#0 0x7f5d95af4bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x55ce75ac8c1c in my_malloc /home/supersix/fuzz/security/MariaDB/server/mysys/my_malloc.c:90
#2 0x55ce75aafd6b in alloc_root /home/supersix/fuzz/security/MariaDB/server/mysys/my_alloc.c:244
#3 0x55ce73901878 in Item::operator new(unsigned long, st_mem_root*) /home/supersix/fuzz/security/MariaDB/server/sql/item.h:854
#4 0x55ce743d78a5 in MYSQLparse(THD*) /home/supersix/fuzz/security/MariaDB/server/build_asan/sql/sql_yacc.yy:6192
#5 0x55ce73c06779 in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:10382
#6 0x55ce73ff1699 in unpack_vcol_info_from_frm /home/supersix/fuzz/security/MariaDB/server/sql/table.cc:3783
#7 0x55ce73ffacea in parse_vcol_defs(THD*, st_mem_root*, TABLE*, bool*, vcol_init_mode) /home/supersix/fuzz/security/MariaDB/server/sql/table.cc:1242
#8 0x55ce74015bff in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /home/supersix/fuzz/security/MariaDB/server/sql/table.cc:4179
#9 0x55ce745bd84a in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/handler.cc:5876
#10 0x55ce73f29f2c in create_table_impl /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4447
#11 0x55ce73f2b57a in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4546
#12 0x55ce73f2c194 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4658
#13 0x55ce73f32f29 in Sql_cmd_create_table_like::execute(THD*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:11778
#14 0x55ce73c33887 in mysql_execute_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:5997
#15 0x55ce73bf2684 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:8030
#16 0x55ce73c280b3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1896
#17 0x55ce73c2d513 in do_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1404
#18 0x55ce740ef6fc in do_handle_one_connection(CONNECT*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1418
#19 0x55ce740f0e56 in handle_one_connection /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1312
#20 0x55ce74f3cd2f in pfs_spawn_thread /home/supersix/fuzz/security/MariaDB/server/storage/perfschema/pfs.cc:2201
#21 0x7f5d95569608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
Thread T23 created by T0 here:
#0 0x7f5d95a21805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
#1 0x55ce74f3cfe2 in my_thread_create /home/supersix/fuzz/security/MariaDB/server/storage/perfschema/my_thread.h:48
#2 0x55ce74f3cfe2 in pfs_spawn_thread_v1 /home/supersix/fuzz/security/MariaDB/server/storage/perfschema/pfs.cc:2252
#3 0x55ce738c1b48 in inline_mysql_thread_create /home/supersix/fuzz/security/MariaDB/server/include/mysql/psi/mysql_thread.h:1139
#4 0x55ce738c1b48 in create_thread_to_handle_connection(CONNECT*) /home/supersix/fuzz/security/MariaDB/server/sql/mysqld.cc:5922
#5 0x55ce738d1235 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/supersix/fuzz/security/MariaDB/server/sql/mysqld.cc:6043
#6 0x55ce738d200e in handle_connections_sockets() /home/supersix/fuzz/security/MariaDB/server/sql/mysqld.cc:6167
#7 0x55ce738d419b in mysqld_main(int, char**) /home/supersix/fuzz/security/MariaDB/server/sql/mysqld.cc:5817
#8 0x7f5d950420b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
SUMMARY: AddressSanitizer: heap-use-after-free /home/supersix/fuzz/security/MariaDB/server/sql/sql_class.cc:2969 in Item_change_list::rollback_item_tree_changes()
Shadow bytes around the buggy address:
0x0c3a7fffe720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffe730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffe740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffe750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffe760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3a7fffe770: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
0x0c3a7fffe780: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c3a7fffe790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffe7a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffe7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffe7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1443179==ABORTING
Issue Links
- duplicates
-
MDEV-25638 Assertion `!result' failed in convert_const_to_int
-
- Closed
-
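Different failure for the same input: on a 10.5.13 debug build the statement hits the `!result` assertion in convert_const_to_int instead of the ASan heap-use-after-free reported above. Thanks for the bug report: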
10.5.13-0268b871228-debug
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1 0x00007ffff74ad8a4 in __GI_abort () at abort.c:79
#2 0x00007ffff74ad789 in __assert_fail_base (fmt=<optimized out>, assertion=<optimized out>, file=<optimized out>, line=<optimized out>, function=<optimized out>) at assert.c:92
#3 0x00007ffff74bca16 in __GI___assert_fail (assertion=0x38537c0 <str> "!result", file=0x384e8c0 <str> "/home/dan/repos/mariadb-server-10.5/sql/item_cmpfunc.cc", line=370, function=0x3853800 <__PRETTY_FUNCTION__._ZL20convert_const_to_intP3THDP10Item_fieldPP4Item> "bool convert_const_to_int(THD *, Item_field *, Item **)") at assert.c:101
#4 0x00000000017c2463 in convert_const_to_int (thd=0x62b00009a288, field_item=0x61d00019fc18, item=0x61d0001a0088) at /home/dan/repos/mariadb-server-10.5/sql/item_cmpfunc.cc:370
#5 0x00000000017f85e6 in Item_func_in::value_list_convert_const_to_int (this=0x61d00019ff38, thd=0x62b00009a288) at /home/dan/repos/mariadb-server-10.5/sql/item_cmpfunc.cc:4504
#6 0x00000000013cfcd7 in Type_handler_real_result::Item_func_in_fix_comparator_compatible_types (this=0x57d60c0 <type_handler_double>, thd=0x62b00009a288, func=0x61d00019ff38) at /home/dan/repos/mariadb-server-10.5/sql/sql_type.cc:5881
#7 0x00000000017f78f3 in Item_func_in::fix_length_and_dec (this=0x61d00019ff38) at /home/dan/repos/mariadb-server-10.5/sql/item_cmpfunc.cc:4421
#8 0x0000000001863902 in Item_func::fix_fields (this=0x61d00019ff38, thd=0x62b00009a288, ref=0x61d0001a01c0) at /home/dan/repos/mariadb-server-10.5/sql/item_func.cc:370
#9 0x00000000017f6ad5 in Item_func_in::fix_fields (this=0x61d00019ff38, thd=0x62b00009a288, ref=0x61d0001a01c0) at /home/dan/repos/mariadb-server-10.5/sql/item_cmpfunc.cc:4337
#10 0x000000000093bac1 in Item::fix_fields_if_needed (this=0x61d00019ff38, thd=0x62b00009a288, ref=0x61d0001a01c0) at /home/dan/repos/mariadb-server-10.5/sql/item.h:988
#11 0x0000000001919c62 in Item_row::fix_fields (this=0x61d0001a0128, thd=0x62b00009a288, ref=0x61d0001a05c8) at /home/dan/repos/mariadb-server-10.5/sql/item_row.cc:45
#12 0x000000000093bac1 in Item::fix_fields_if_needed (this=0x61d0001a0128, thd=0x62b00009a288, ref=0x61d0001a05c8) at /home/dan/repos/mariadb-server-10.5/sql/item.h:988
#13 0x0000000001863164 in Item_func::fix_fields (this=0x61d0001a0528, thd=0x62b00009a288, ref=0x61d0001a0208) at /home/dan/repos/mariadb-server-10.5/sql/item_func.cc:352
#14 0x00000000010cb8a2 in fix_vcol_expr (thd=0x62b00009a288, vcol=0x61d0001a01f8) at /home/dan/repos/mariadb-server-10.5/sql/table.cc:3496
#15 0x0000000001110773 in fix_and_check_vcol_expr (thd=0x62b00009a288, table=0x7fffd0816d60, vcol=0x61d0001a01f8) at /home/dan/repos/mariadb-server-10.5/sql/table.cc:3581
#16 0x00000000010c23b0 in unpack_vcol_info_from_frm (thd=0x62b00009a288, mem_root=0x7fffd0817030, table=0x7fffd0816d60, expr_str=0x7fffd0815060, vcol_ptr=0x619000093650, error_reported=0x7fffd0815f00) at /home/dan/repos/mariadb-server-10.5/sql/table.cc:3707
#17 0x00000000010bf406 in parse_vcol_defs (thd=0x62b00009a288, mem_root=0x7fffd0817030, table=0x7fffd0816d60, error_reported=0x7fffd0815f00, mode=VCOL_INIT_DEPENDENCY_FAILURE_IS_ERROR) at /home/dan/repos/mariadb-server-10.5/sql/table.cc:1235
#18 0x00000000010cf567 in open_table_from_share (thd=0x62b00009a288, share=0x7fffd08173f0, alias=0x42beae0 <empty_clex_str>, db_stat=0, prgflag=1, ha_open_flags=0, outparam=0x7fffd0816d60, is_create_table=true, partitions_to_open=0x0) at /home/dan/repos/mariadb-server-10.5/sql/table.cc:4086
#19 0x00000000016fbe38 in ha_create_table (thd=0x62b00009a288, path=0x7fffd0819270 "./test_db/v0", db=0x62b0000a1b88 "test_db", table_name=0x62b0000a1458 "v0", create_info=0x7fffd0819b90, frm=0x7fffd0819500) at /home/dan/repos/mariadb-server-10.5/sql/handler.cc:5564
#20 0x0000000000fc0532 in create_table_impl (thd=0x62b00009a288, orig_db=@0x62b0000a14c0: {str = 0x62b0000a1b88 "test_db", length = 7}, orig_table_name=@0x62b0000a14d0: {str = 0x62b0000a1458 "v0", length = 2}, db=@0x62b0000a14c0: {str = 0x62b0000a1b88 "test_db", length = 7}, table_name=@0x62b0000a14d0: {str = 0x62b0000a1458 "v0", length = 2}, path=0x7fffd0819270 "./test_db/v0", options={m_options = DDL_options_st::OPT_NONE}, create_info=0x7fffd0819b90, alter_info=0x7fffd0819e30, create_table_mode=0, is_trans=0x7fffd0819760, key_info=0x7fffd0819240, key_count=0x7fffd0819260, frm=0x7fffd0819500) at /home/dan/repos/mariadb-server-10.5/sql/sql_table.cc:5392
#21 0x0000000000fbdf8f in mysql_create_table_no_lock (thd=0x62b00009a288, db=0x62b0000a14c0, table_name=0x62b0000a14d0, create_info=0x7fffd0819b90, alter_info=0x7fffd0819e30, is_trans=0x7fffd0819760, create_table_mode=0, table_list=0x62b0000a14a8) at /home/dan/repos/mariadb-server-10.5/sql/sql_table.cc:5476
#22 0x0000000000fc1904 in mysql_create_table (thd=0x62b00009a288, create_table=0x62b0000a14a8, create_info=0x7fffd0819b90, alter_info=0x7fffd0819e30) at /home/dan/repos/mariadb-server-10.5/sql/sql_table.cc:5580
#23 0x0000000001002302 in Sql_cmd_create_table_like::execute (this=0x62b0000a1420, thd=0x62b00009a288) at /home/dan/repos/mariadb-server-10.5/sql/sql_table.cc:12199
#24 0x0000000000cc6e79 in mysql_execute_command (thd=0x62b00009a288) at /home/dan/repos/mariadb-server-10.5/sql/sql_parse.cc:6056
#25 0x0000000000c9aa05 in mysql_parse (thd=0x62b00009a288, rawbuf=0x62b0000a12a8 "CREATE TABLE v0 ( v1 BIGINT NOT NULL PRIMARY KEY , EVENTS TEXT DEFAULT ( v1 IN ( ( ROW ( NULL , -1 ) , v1 IN ( 'x' , 'x' ) ) ) ) )", length=130, parser_state=0x7fffd081ea60, is_com_multi=false, is_next_command=false) at /home/dan/repos/mariadb-server-10.5/sql/sql_parse.cc:8100
#26 0x0000000000c92fa2 in dispatch_command (command=COM_QUERY, thd=0x62b00009a288, packet=0x6290000dc289 "CREATE TABLE v0 ( v1 BIGINT NOT NULL PRIMARY KEY , EVENTS TEXT DEFAULT ( v1 IN ( ( ROW ( NULL , -1 ) , v1 IN ( 'x' , 'x' ) ) ) ) )", packet_length=130, is_com_multi=false, is_next_command=false) at /home/dan/repos/mariadb-server-10.5/sql/sql_parse.cc:1891
#27 0x0000000000c9d080 in do_command (thd=0x62b00009a288) at /home/dan/repos/mariadb-server-10.5/sql/sql_parse.cc:1370
#28 0x00000000011f33b1 in do_handle_one_connection (connect=0x61100004b208, put_in_cache=true) at /home/dan/repos/mariadb-server-10.5/sql/sql_connect.cc:1418
#29 0x00000000011f299f in handle_one_connection (arg=0x61100004b208) at /home/dan/repos/mariadb-server-10.5/sql/sql_connect.cc:1312
#30 0x00000000021e17b9 in pfs_spawn_thread (arg=0x6160002ba508) at /home/dan/repos/mariadb-server-10.5/storage/perfschema/pfs.cc:2201
#31 0x00007ffff78ad299 in start_thread (arg=0x7fffd0821640) at pthread_create.c:481
#32 0x00007ffff7587353 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
#4 0x00000000017c2463 in convert_const_to_int (thd=0x62b00009a288, field_item=0x61d00019fc18, item=0x61d0001a0088) at /home/dan/repos/mariadb-server-10.5/sql/item_cmpfunc.cc:370
370 DBUG_ASSERT(!result);
(gdb) list
365 /* Restore the original field value. */
366 if (save_field_value)
367 {
368 result= field->store(orig_field_val, TRUE);
369 /* orig_field_val must be a valid value that can be restored back. */
370 DBUG_ASSERT(!result);
371 }
372 if (table && table->read_set)
373 dbug_tmp_restore_column_maps(&table->read_set, &table->write_set, old_maps);
374 }
(gdb) p *field_item
$1 = (Item_field) {<Item_ident> = {<Item_result_field> = {<Item_fixed_hybrid> = {<Item> = {<Value_source> = {<No data fields>}, <Type_all_attributes> = {<Type_std_attributes> = {<Type_numeric_attributes> = {max_length = 20, decimals = 0, unsigned_flag = false}, collation = {collation = 0x4cb4f60 <my_charset_latin1>, derivation = DERIVATION_NUMERIC, repertoire = MY_REPERTOIRE_ASCII}}, _vptr$Type_all_attributes = 0x43a6ed0 <vtable for Item_field+16>}, join_tab_idx = 61, is_expensive_cache = -1 '\377', rsize = 0, str_value = {<Charset> = {m_charset = 0x4be0420 <my_charset_bin>}, <Binary_string> = {<Static_binary_string> = {<Sql_alloc> = {<No data fields>}, Ptr = 0x0, str_length = 0}, Alloced_length = 0, extra_alloc = 0, alloced = false, thread_specific = false}, <No data fields>}, name = {str = 0x61d00019fc08 "v1", length = 2}, orig_name = 0x0, next = 0x61d00019fb28, marker = 0, maybe_null = false, in_rollup = false, null_value = false, with_param = false, with_window_func = false, with_field = true, common_flags = 1 '\001'}, fixed = true}, result_field = 0x6190000934a8}, orig_db_name = {str = 0x0, length = 0}, orig_table_name = {str = 0x0, length = 0}, orig_field_name = {str = 0x61d00019fc08 "v1", length = 2}, context = 0x7fffd0813990, db_name = {str = 0x62b0000a1b88 "test_db", length = 7}, table_name = {str = 0x619000093428 "", length = 0}, field_name = {str = 0x619000092bf9 "v1", length = 2}, alias_name_used = false, cached_field_index = 0, cached_table = 0x0, depended_from = 0x0, can_be_depended = true}, <Load_data_outvar> = {_vptr$Load_data_outvar = 0x43a7528 <vtable for Item_field+1640>}, field = 0x6190000934a8, item_equal = 0x0, have_privileges = NO_ACL, any_privileges = false}
(gdb) p *item
$2 = (Item_int_with_ref *) 0x61d0001a0778
(gdb) p **item
$3 = (Item_int_with_ref) {<Item_int> = {<Item_num> = {<Item_literal> = {<Item_basic_constant> = {<Item_basic_value> = {<Item> = {<Value_source> = {<No data fields>}, <Type_all_attributes> = {<Type_std_attributes> = {<Type_numeric_attributes> = {max_length = 21, decimals = 0, unsigned_flag = false}, collation = {collation = 0x4cb4f60 <my_charset_latin1>, derivation = DERIVATION_NUMERIC, repertoire = MY_REPERTOIRE_ASCII}}, _vptr$Type_all_attributes = 0x43b6bf0 <vtable for Item_int_with_ref+16>}, join_tab_idx = 61, is_expensive_cache = -1 '\377', rsize = 0, str_value = {<Charset> = {m_charset = 0x4be0420 <my_charset_bin>}, <Binary_string> = {<Static_binary_string> = {<Sql_alloc> = {<No data fields>}, Ptr = 0x0, str_length = 0}, Alloced_length = 0, extra_alloc = 0, alloced = false, thread_specific = false}, <No data fields>}, name = {str = 0x0, length = 0}, orig_name = 0x0, next = 0x61d0001a0528, marker = 0, maybe_null = false, in_rollup = false, null_value = false, with_param = false, with_window_func = false, with_field = false, common_flags = 1 '\001'}, <Item_const> = {_vptr$Item_const = 0x43b7230 <vtable for Item_int_with_ref+1616>}, <No data fields>}, <No data fields>}, <No data fields>}, <No data fields>}, value = 0}, ref = 0x61d00019fd70}
(gdb) info locals
sql_mode = {thd = 0x62b00009a288, old_mode = 1411383296}
orig_field_val = 13744632839234567870
save_field_value = true
table = 0x7fffd0816d60
check_level_save = {m_thd = 0x62b00009a288, m_check_level = CHECK_FIELD_IGNORE}
old_maps = {0x0, 0x0}
field = 0x6190000934a8
result = 1