[MDEV-29093] Assertion `0' failed in Item_type_holder::val_str on UPDATE and SIGSEGV in String::copy, UBSAN: reference binding to null pointer of type 'const struct String' - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Duplicate
Affects Version/s: 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4
Fix Version/s: 10.4.33
Component/s: Data Manipulation - Update, Optimizer
Labels:

Description

CREATE TABLE c(c CHAR) ENGINE=InnoDB;

INSERT INTO c(c)VALUES (1);

UPDATE c SET c=-0 WHERE(SELECT 0 -0 +0/ 0 + 0 - 0,c WHERE c<0 INTERSECT SELECT c,c FROM c WHERE c>0  -0)IN (SELECT c,c);

Leads to:

10.10.0 88b22356e623fd63aa87273a895521a6e6667bc7 (Debug)
mysqld: /test/10.10_dbg/sql/item.cc:10711: virtual String* Item_type_holder::val_str(String*): Assertion `0' failed.

10.10.0 88b22356e623fd63aa87273a895521a6e6667bc7 (Debug)
Core was generated by `/test/MD120722-mariadb-10.10.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x150d875fa700 (LWP 1804142))]
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x0000150db7b77859 in __GI_abort () at abort.c:79
#2 0x0000150db7b77729 in __assert_fail_base (fmt=0x150db7d0d588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55fdca46939e "0", file=0x55fdca44e980 "/test/10.10_dbg/sql/item.cc", line=10711, function=<optimized out>) at assert.c:92
#3 0x0000150db7b88fd6 in __GI___assert_fail (assertion=assertion@entry=0x55fdca46939e "0", file=file@entry=0x55fdca44e980 "/test/10.10_dbg/sql/item.cc", line=line@entry=10711, function=function@entry=0x55fdca44f090 "virtual String* Item_type_holder::val_str(String*)") at assert.c:101
#4 0x000055fdc99d1b0f in Item_type_holder::val_str (this=<optimized out>) at /test/10.10_dbg/sql/item.cc:10711
#5 0x000055fdc95a4ed9 in Item::str_result (this=<optimized out>, tmp=<optimized out>) at /test/10.10_dbg/sql/item.h:1780
#6 0x000055fdc99d59e5 in Item_cache_str::cache_value (this=0x150d5c06ff90) at /test/10.10_dbg/sql/item.cc:10476
#7 0x000055fdc99d3444 in Item_cache::has_value (this=0x150d5c06ff90) at /test/10.10_dbg/sql/item.h:7099
#8 Item_cache_str::save_in_field (this=0x150d5c06ff90, field=0x150d5c07efe8, no_conversions=<optimized out>) at /test/10.10_dbg/sql/item.cc:10531
#9 0x000055fdc95a4c83 in Item::save_org_in_field (this=<optimized out>, field=<optimized out>, data=<optimized out>) at /test/10.10_dbg/sql/item.h:1220
#10 0x000055fdc95a4e50 in Item::save_val (this=<optimized out>, to=<optimized out>) at /test/10.10_dbg/sql/item.h:1705
#11 0x000055fdc975f788 in store_key_item::copy_inner (this=0x150d5c07efb0) at /test/10.10_dbg/sql/sql_select.h:1979
#12 0x000055fdc97410fa in store_key::copy (thd=0x150d5c000db8, this=<optimized out>) at /test/10.10_dbg/sql/sql_select.h:1873
#13 cp_buffer_from_ref (thd=thd@entry=0x150d5c000db8, table=table@entry=0x150d5c07f690, ref=ref@entry=0x150d5c07e5e8) at /test/10.10_dbg/sql/sql_select.cc:25008
#14 0x000055fdc9741be6 in cmp_buffer_with_ref (tab_ref=0x150d5c07e5e8, table=0x150d5c07f690, thd=0x150d5c000db8) at /test/10.10_dbg/sql/sql_select.cc:24990
#15 join_read_key2 (thd=0x150d5c000db8, tab=tab@entry=0x0, table=0x150d5c07f690, table_ref=table_ref@entry=0x150d5c07e5e8) at /test/10.10_dbg/sql/sql_select.cc:21942
#16 0x000055fdc9896de8 in Expression_cache_tmptable::check_value (this=0x150d5c07e528, value=0x150d875f88a8) at /test/10.10_dbg/sql/sql_expression_cache.cc:223
#17 0x000055fdc99ee15a in Item_cache_wrapper::check_cache (this=this@entry=0x150d5c07e3e8) at /test/10.10_dbg/sql/item.cc:8866
#18 0x000055fdc99ee244 in Item_cache_wrapper::val_int (this=0x150d5c07e3e8) at /test/10.10_dbg/sql/item.cc:8929
#19 0x000055fdc9715521 in evaluate_join_record (join=join@entry=0x150d5c06d9d0, join_tab=join_tab@entry=0x150d5c077370, error=error@entry=0) at /test/10.10_dbg/sql/sql_select.cc:21376
#20 0x000055fdc972b437 in sub_select (join=0x150d5c06d9d0, join_tab=0x150d5c077370, end_of_records=false) at /test/10.10_dbg/sql/sql_select.cc:21278
#21 0x000055fdc975ed35 in do_select (procedure=<optimized out>, join=0x150d5c06d9d0) at /test/10.10_dbg/sql/sql_select.cc:20823
#22 JOIN::exec_inner (this=this@entry=0x150d5c06d9d0) at /test/10.10_dbg/sql/sql_select.cc:4787
#23 0x000055fdc975f2ce in JOIN::exec (this=this@entry=0x150d5c06d9d0) at /test/10.10_dbg/sql/sql_select.cc:4565
#24 0x000055fdc975d052 in mysql_select (thd=thd@entry=0x150d5c000db8, tables=tables@entry=0x150d5c013db0, fields=@0x150d875f8e60: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55fdcaba97c0 <end_of_list>, last = 0x150d875f8e60, elements = 0}, <No data fields>}, conds=conds@entry=0x150d5c06d5d8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2200096997504, result=0x150d5c06d8d0, unit=0x150d5c004fd8, select_lex=0x150d5c0057d8) at /test/10.10_dbg/sql/sql_select.cc:5045
#25 0x000055fdc97d6995 in mysql_multi_update (thd=thd@entry=0x150d5c000db8, table_list=0x150d5c013db0, fields=fields@entry=0x150d5c005a78, values=values@entry=0x150d5c005ea8, conds=0x150d5c06d5d8, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x150d5c004fd8, select_lex=0x150d5c0057d8, result=0x150d875f9040) at /test/10.10_dbg/sql/sql_update.cc:1979
#26 0x000055fdc96d6b11 in mysql_execute_command (thd=thd@entry=0x150d5c000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:4486
#27 0x000055fdc96c3464 in mysql_parse (thd=thd@entry=0x150d5c000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x150d875f9470) at /test/10.10_dbg/sql/sql_parse.cc:8036
#28 0x000055fdc96d0a4c in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x150d5c000db8, packet=packet@entry=0x150d5c00b6c9 "UPDATE c SET c=-0 WHERE(SELECT 0 -0 +0/ 0 + 0 - 0,c WHERE c<0 INTERSECT SELECT c,c FROM c WHERE c>0 -0)IN (SELECT c,c)", packet_length=packet_length@entry=119, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1364
#29 0x000055fdc96d3156 in do_command (thd=0x150d5c000db8, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407
#30 0x000055fdc98330d0 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55fdcbcee618, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1418
#31 0x000055fdc98335d9 in handle_one_connection (arg=0x55fdcbcee618) at /test/10.10_dbg/sql/sql_connect.cc:1312
#32 0x0000150db8088609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#33 0x0000150db7c74133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.4.26 (dbg), 10.4.26 (opt), 10.5.17 (dbg), 10.5.17 (opt), 10.6.9 (dbg), 10.6.9 (opt), 10.7.5 (dbg), 10.7.5 (opt), 10.8.4 (dbg), 10.8.4 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.0 (dbg), 10.10.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.36 (dbg), 10.3.36 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

Attachments

Issue Links

is duplicated by

MDEV-32430 Segmentation fault at /mariadb-11.3.0/sql/item.cc:10525

Closed

relates to

MDEV-29070 SIGSEGV in my_decimal::operator= and Assertion `0' failed in Item_type_holder::val_decimal on SELECT

Closed

MDEV-22391 Assertion `0' failed in Item_type_holder::val_str on utf16 charset table query

Closed

Assertion `0' failed in Item_type_holder::val_str on UPDATE and SIGSEGV in String::copy, UBSAN: reference binding to null pointer of type 'const struct String'

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration