MariaDB Server: MDEV-30681

SIGFPE / UBSAN runtime error: division by zero in String::needs_conversion on ALTER


Description

      Reproduces with InnoDB and MyISAM. A non-recent regression in 10.9. Affects optimized builds also.

      CREATE TABLE t (a BINARY (10)) PARTITION BY LIST COLUMNS (a) (PARTITION p VALUES IN (0xFF));
      ALTER TABLE t CHANGE COLUMN a a CHAR(10) BINARY;
      

      Leads to:

      11.0.1 f2dc4d4c10ac36a73b5c1eb765352d3aee808d66 (Debug)

      Core was generated by `/test/MD180223-mariadb-11.0.1-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.
      Program terminated with signal SIGFPE, Arithmetic exception.
      #0  0x00005571c1c07ab2 in String::needs_conversion (
          arg_length=arg_length@entry=1, 
          from_cs=from_cs@entry=0x5571c2f49480 <my_charset_bin>, 
          to_cs=to_cs@entry=0x5571c389c340 <my_collation_contextually_typed_binary>, 
          offset=offset@entry=0x1493b00bdd0c) at /test/11.0_dbg/sql/sql_string.cc:337
      337	       (!(*offset=(uint32)(arg_length % to_cs->mbminlen)))))
      [Current thread is 1 (Thread 0x1493b00c4640 (LWP 1952240))]
      (gdb) bt
      #0  0x00005571c1c07ab2 in String::needs_conversion (arg_length=arg_length@entry=1, from_cs=from_cs@entry=0x5571c2f49480 <my_charset_bin>, to_cs=to_cs@entry=0x5571c389c340 <my_collation_contextually_typed_binary>, offset=offset@entry=0x1493b00bdd0c) at /test/11.0_dbg/sql/sql_string.cc:337
      #1  0x00005571c1c07cfb in String::copy (this=this@entry=0x1493b00bddb0, str=0x1493280279a8 "\377", arg_length=1, from_cs=0x5571c2f49480 <my_charset_bin>, to_cs=to_cs@entry=0x5571c389c340 <my_collation_contextually_typed_binary>, errors=errors@entry=0x1493b00bdd90) at /test/11.0_dbg/sql/sql_string.cc:463
      #2  0x00005571c1d37265 in Type_handler::partition_field_append_value (this=<optimized out>, str=0x1493b00bec20, item_expr=<optimized out>, field_cs=0x5571c389c340 <my_collation_contextually_typed_binary>, mode=PARTITION_VALUE_PRINT_MODE_FRM) at /test/11.0_dbg/sql/sql_string.h:282
      #3  0x00005571c1b51857 in add_column_list_values (str=str@entry=0x1493b00bec20, part_info=part_info@entry=0x149328013d70, list_value=0x149328014060, create_info=create_info@entry=0x1493b00c23b0, alter_info=alter_info@entry=0x1493b00c22c0) at /test/11.0_dbg/sql/sql_partition.cc:2347
      #4  0x00005571c1b55ede in add_partition_values (alter_info=0x1493b00c22c0, create_info=0x1493b00c23b0, p_elem=0x149328013f98, part_info=0x149328013d70, str=0x1493b00bec20) at /test/11.0_dbg/sql/sql_partition.cc:2429
      #5  generate_partition_syntax (thd=thd@entry=0x149328000d58, part_info=part_info@entry=0x149328013d70, buf_length=buf_length@entry=0x1493b00bf35c, show_partition_options=show_partition_options@entry=true, create_info=create_info@entry=0x1493b00c23b0, alter_info=alter_info@entry=0x1493b00c22c0) at /test/11.0_dbg/sql/sql_partition.cc:2721
      #6  0x00005571c1b56516 in generate_partition_syntax_for_frm (thd=thd@entry=0x149328000d58, part_info=part_info@entry=0x149328013d70, buf_length=buf_length@entry=0x1493b00bf35c, create_info=create_info@entry=0x1493b00c23b0, alter_info=alter_info@entry=0x1493b00c22c0) at /test/11.0_dbg/sql/sql_partition.cc:2493
      #7  0x00005571c1c1d88c in mysql_create_frm_image (thd=thd@entry=0x149328000d58, db=@0x1493b00c15c0: {str = 0x149328013958 "test", length = 4}, table_name=@0x1493b00c15d0: {str = 0x149328013208 "t", length = 1}, create_info=create_info@entry=0x1493b00c23b0, alter_info=alter_info@entry=0x1493b00c22c0, create_table_mode=create_table_mode@entry=-2, key_info=0x1493b00bfd40, key_count=0x1493b00bfd30, frm=0x1493b00bfd60) at /test/11.0_dbg/sql/sql_table.cc:4182
      #8  0x00005571c1c1e007 in create_table_impl (thd=thd@entry=0x149328000d58, ddl_log_state_create=ddl_log_state_create@entry=0x0, ddl_log_state_rm=<optimized out>, ddl_log_state_rm@entry=0x0, orig_db=@0x1493b00c15c0: {str = 0x149328013958 "test", length = 4}, orig_table_name=@0x1493b00c15d0: {str = 0x149328013208 "t", length = 1}, db=@0x1493b00c1600: {str = 0x149328013958 "test", length = 4}, table_name=@0x1493b00c1630: {str = 0x1493b00c1b2c "#sql-alter-1dc598-4", length = 19}, path=@0x1493b00bfef0: {str = 0x1493b00c1fef "./test/#sql-alter-1dc598-4", length = 26}, options=<optimized out>, create_info=0x1493b00c23b0, alter_info=0x1493b00c22c0, create_table_mode=-2, is_trans=0x0, key_info=0x1493b00bfd40, key_count=0x1493b00bfd30, frm=0x1493b00bfd60) at /test/11.0_dbg/sql/sql_table.cc:4584
      #9  0x00005571c1c24221 in mysql_alter_table (thd=thd@entry=0x149328000d58, new_db=new_db@entry=0x149328005870, new_name=new_name@entry=0x149328005cb8, create_info=create_info@entry=0x1493b00c23b0, table_list=<optimized out>, table_list@entry=0x149328013240, recreate_info=recreate_info@entry=0x1493b00c22a0, alter_info=<optimized out>, order_num=<optimized out>, order=<optimized out>, ignore=<optimized out>, if_exists=<optimized out>) at /test/11.0_dbg/sql/sql_table.cc:10624
      #10 0x00005571c1ca46b0 in Sql_cmd_alter_table::execute (this=<optimized out>, thd=0x149328000d58) at /test/11.0_dbg/sql/sql_alter.cc:558
      #11 0x00005571c1b46db6 in mysql_execute_command (thd=thd@entry=0x149328000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.0_dbg/sql/sql_parse.cc:6003
      #12 0x00005571c1b487cf in mysql_parse (thd=thd@entry=0x149328000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1493b00c32c0) at /test/11.0_dbg/sql/sql_parse.cc:8002
      #13 0x00005571c1b4a963 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x149328000d58, packet=packet@entry=0x14932800ae19 "ALTER TABLE t CHANGE COLUMN a a CHAR(10) BINARY", packet_length=packet_length@entry=47, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_class.h:242
      #14 0x00005571c1b4c7bc in do_command (thd=0x149328000d58, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_parse.cc:1407
      #15 0x00005571c1c9d6e2 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5571c5ac99f8, put_in_cache=put_in_cache@entry=true) at /test/11.0_dbg/sql/sql_connect.cc:1416
      #16 0x00005571c1c9d941 in handle_one_connection (arg=0x5571c5ac99f8) at /test/11.0_dbg/sql/sql_connect.cc:1318
      #17 0x00001493ca7b5b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
      #18 0x00001493ca847a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
      

      11.0.1 4d09050ca77a7efac4565d46e4bcd85a5f210c53 (Debug, UBASAN)

      2023-02-18 14:32:30 0 [Note] /test/UBASAN_MD130223-mariadb-11.0.1-linux-x86_64-dbg/bin/mysqld: ready for connections.
      Version: '11.0.1-MariaDB-debug'  socket: '/test/UBASAN_MD130223-mariadb-11.0.1-linux-x86_64-dbg/socket.sock'  port: 10523  MariaDB Server
      /test/11.0_dbg_san/sql/sql_string.cc:337:39: runtime error: division by zero
          #0 0x563c30b8d9ec in String::needs_conversion(unsigned long, charset_info_st const*, charset_info_st const*, unsigned int*) /test/11.0_dbg_san/sql/sql_string.cc:337
          #1 0x563c30b8e5d7 in String::copy(char const*, unsigned long, charset_info_st const*, charset_info_st const*, unsigned int*) /test/11.0_dbg_san/sql/sql_string.cc:463
          #2 0x563c31433847 in Type_handler::partition_field_append_value(String*, Item*, charset_info_st const*, partition_value_print_mode_t) const /test/11.0_dbg_san/sql/sql_type.cc:9362
          #3 0x563c3061be19 in add_column_list_values /test/11.0_dbg_san/sql/sql_partition.cc:2347
          #4 0x563c30636ee6 in add_partition_values /test/11.0_dbg_san/sql/sql_partition.cc:2429
          #5 0x563c30636ee6 in generate_partition_syntax(THD*, partition_info*, unsigned int*, bool, HA_CREATE_INFO*, Alter_info*) /test/11.0_dbg_san/sql/sql_partition.cc:2721
          #6 0x563c30638b76 in generate_partition_syntax_for_frm(THD*, partition_info*, unsigned int*, HA_CREATE_INFO*, Alter_info*) /test/11.0_dbg_san/sql/sql_partition.cc:2493
          #7 0x563c30c1f3da in mysql_create_frm_image(THD*, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/11.0_dbg_san/sql/sql_table.cc:4181
          #8 0x563c30c22a2b in create_table_impl /test/11.0_dbg_san/sql/sql_table.cc:4583
          #9 0x563c30c4f562 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /test/11.0_dbg_san/sql/sql_table.cc:10622
          #10 0x563c30fcb5b9 in Sql_cmd_alter_table::execute(THD*) /test/11.0_dbg_san/sql/sql_alter.cc:557
          #11 0x563c305d0fac in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6001
          #12 0x563c305da8b1 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8000
          #13 0x563c305ea60f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
          #14 0x563c305f83d9 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
          #15 0x563c30f9a503 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
          #16 0x563c30f9ba1e in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
          #17 0x14ccb4ce3b42 in start_thread nptl/pthread_create.c:442
          #18 0x14ccb4d759ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
       
      230218 14:32:32 [ERROR] mysqld got signal 8 ;
      

      Bug confirmed present in:
      MariaDB: 10.9.6 (dbg), 10.9.6 (opt), 10.10.4 (dbg), 10.10.4 (opt), 10.11.2 (dbg), 10.11.2 (opt), 11.0.1 (dbg), 11.0.1 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.3.38 (dbg), 10.3.38 (opt), 10.4.29 (dbg), 10.4.29 (opt), 10.5.20 (dbg), 10.5.20 (opt), 10.6.13 (dbg), 10.6.13 (opt), 10.7.8 (dbg), 10.7.8 (opt), 10.8.8 (dbg), 10.8.8 (opt),
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.40 (dbg), 5.7.40 (opt), 8.0.31 (dbg), 8.0.31 (opt)

      The failure started happening on 10.9 after this commit:

      commit 0c4c064f98120e179ddfa49a1010d465a07bdc0a
      Author: Alexander Barkov <bar@mariadb.com>
      Date:   Wed Feb 9 21:21:39 2022 +0400
       
          MDEV-27743 Remove Lex::charset
       
          This patch also fixes:
       
          MDEV-27690 Crash on `CHARACTER SET csname COLLATE DEFAULT` in column definition
          MDEV-27853 Wrong data type on column `COLLATE DEFAULT` and table `COLLATE some_non_default_collation`
          MDEV-28067 Multiple conflicting column COLLATE clauses are not rejected
          MDEV-28118 Wrong collation of `CAST(.. AS CHAR COLLATE DEFAULT)`
          MDEV-28119 Wrong column collation on MODIFY + CONVERT
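The following is an added illustration for this report, not MariaDB source: a cut-down model of the predicate at sql_string.cc:337 showing why an unresolved collation placeholder (the backtrace shows to_cs = my_collation_contextually_typed_binary, and the UBSAN report shows the divisor arg_length % to_cs->mbminlen is zero) ends in an integer division by zero, next to a guarded variant that refuses to classify a placeholder instead of trapping. The charset struct, the charset objects, the mbminlen value 0 for the placeholder and the clauses of the predicate other than the quoted modulo clause are assumed for the example; only the guarded variant is ever called with the placeholder.

```c
/* Added illustration for MDEV-30681; not MariaDB source.  Models the
 * predicate at sql_string.cc:337 to show why an unresolved collation
 * placeholder makes  arg_length % to_cs->mbminlen  divide by zero, and a
 * guarded variant that reports the placeholder instead of trapping.
 * The charset struct, the charset objects and every clause other than the
 * quoted modulo clause are constructed/assumed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *csname;    /* character set name */
    const char *collname;  /* collation name */
    uint32_t    mbminlen;  /* minimum bytes per character; 0 marks a placeholder */
} charset_model;

/* Constructed stand-ins for the charset objects named in the backtrace. */
static const charset_model cs_bin     = { "binary",  "binary",             1 };
static const charset_model cs_latin1  = { "latin1",  "latin1_swedish_ci",  1 };
static const charset_model cs_utf8mb4 = { "utf8mb4", "utf8mb4_general_ci", 1 };
static const charset_model cs_utf16   = { "utf16",   "utf16_general_ci",   2 };
static const charset_model cs_utf32   = { "utf32",   "utf32_general_ci",   4 };
/* Stand-in for my_collation_contextually_typed_binary: a marker meaning
 * "BINARY, resolve against the column's character set later".  It is not a
 * real character set, so it carries no usable mbminlen (assumed 0 here,
 * which is what the division-by-zero report implies). */
static const charset_model cs_ctx_binary = { "", "contextually_typed_binary", 0 };

static bool charset_same(const charset_model *a, const charset_model *b)
{
    return a->csname[0] != '\0' && strcmp(a->csname, b->csname) == 0;
}

/* Unguarded model of String::needs_conversion().  The clauses before the
 * modulo are assumed; the modulo clause is the one quoted in the report.
 * Calling this with to_cs == &cs_ctx_binary and from_cs == &cs_bin
 * evaluates arg_length % 0: undefined behaviour, SIGFPE on x86-64. */
static bool needs_conversion_unguarded(size_t arg_length,
                                       const charset_model *from_cs,
                                       const charset_model *to_cs,
                                       uint32_t *offset)
{
    *offset = 0;
    if (!to_cs || to_cs == &cs_bin || to_cs == from_cs ||
        charset_same(from_cs, to_cs) ||
        (from_cs == &cs_bin &&
         !(*offset = (uint32_t)(arg_length % to_cs->mbminlen))))
        return false;
    return true;
}

typedef enum { CONV_NO = 0, CONV_YES = 1, CONV_UNRESOLVED = -1 } conv_result;

/* Guarded variant: a placeholder must be resolved to a real character set
 * before any byte-level conversion decision is made.  Gives the same
 * answers as the unguarded model for real character sets. */
static conv_result needs_conversion_guarded(size_t arg_length,
                                            const charset_model *from_cs,
                                            const charset_model *to_cs,
                                            uint32_t *offset)
{
    *offset = 0;
    if (!to_cs || to_cs == &cs_bin || to_cs == from_cs ||
        charset_same(from_cs, to_cs))
        return CONV_NO;
    if (to_cs->mbminlen == 0)        /* unresolved placeholder: refuse */
        return CONV_UNRESOLVED;
    if (from_cs == &cs_bin) {        /* binary -> multibyte: padding check */
        *offset = (uint32_t)(arg_length % to_cs->mbminlen);
        return *offset ? CONV_YES : CONV_NO;
    }
    return CONV_YES;
}

int main(void)
{
    uint32_t off = 0;
    /* The exact call from the backtrace: arg_length=1, from=binary,
     * to=contextually typed binary.  Only the guarded model is called. */
    conv_result r = needs_conversion_guarded(1, &cs_bin, &cs_ctx_binary, &off);
    printf("backtrace scenario: %s\n",
           r == CONV_UNRESOLVED ? "unresolved placeholder, no conversion attempted"
                                : "resolved");
    /* A real binary -> utf16 copy of 1 byte needs padding (offset 1). */
    r = needs_conversion_guarded(1, &cs_bin, &cs_utf16, &off);
    printf("binary->utf16 len 1: conv=%d offset=%u\n", r, off);
    return 0;
}
```

The guarded variant is one way to make the failure mode visible as an error rather than a trap; it is not the project's fix for this issue. The practical check for a tester is the one the report already gives: the ALTER in the description against a partitioned table with a BINARY column, run on a UBSAN build, which reports the division at the modulo clause before the optimized build would crash on it.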
      

People

  bar Alexander Barkov
  Roel Roel Van de Paar