[MDEV-11230] PS: crash in Item_func_nullif::fix_length_and_dec Created: 2016-11-03  Updated: 2018-03-14  Resolved: 2017-12-15

Status: Closed
Project: MariaDB Server
Component/s: Character Sets
Affects Version/s: 10.1.19
Fix Version/s: 10.1.29

Type: Bug Priority: Critical
Reporter: Alexander Barkov Assignee: Oleksandr Byelkin
Resolution: Duplicate Votes: 0
Labels: regression

Sprint: 10.1.20, 10.1.23, 10.1.30

Description

This is very similar to MDEV-10347, but now with character set conversion:

DROP TABLE IF EXISTS t1,t2;
CREATE TABLE t1 (f1 VARCHAR(10), f2 VARCHAR(40));
CREATE TABLE t2 (f3 VARCHAR(20));
PREPARE stmt FROM "
  SELECT (
    SELECT IFNULL(f3,4) FROM t2 
    WHERE IFNULL(NULLIF(f1,_utf8'' COLLATE utf8_bin),1)
  ) AS sq
  FROM t1
  GROUP BY f2
";
EXECUTE stmt;

Stack trace:

#0  0x0000555555cc1907 in Item_func_nullif::fix_length_and_dec (
    this=0x7ffece149d18)
    at /home/bar/maria-git/server-10.1/sql/item_cmpfunc.cc:2701
#1  0x0000555555ce9de8 in Item_func::fix_fields (this=0x7ffece149d18, thd=
    0x7ffed7e4c070, ref=0x7ffece14a038)
    at /home/bar/maria-git/server-10.1/sql/item_func.cc:234
#2  0x0000555555ce9bce in Item_func::fix_fields (this=0x7ffece149fb0, 
    thd=0x7ffed7e4c070, ref=0x7ffece022bf8)
    at /home/bar/maria-git/server-10.1/sql/item_func.cc:208
#3  0x00005555559f1553 in setup_conds (thd=0x7ffed7e4c070, 
    tables=0x7ffece1493c8, leaves=..., conds=0x7ffece022bf8)
    at /home/bar/maria-git/server-10.1/sql/sql_base.cc:8636
#4  0x0000555555acffb2 in setup_without_group (thd=0x7ffed7e4c070, 
    ref_pointer_array=0x7ffece14ab50, tables=0x7ffece1493c8, leaves=..., 
    fields=..., all_fields=..., conds=0x7ffece022bf8, order=0x0, group=0x0, 
    hidden_group_fields=0x7ffece022ad8, reserved=0x7ffece14890c)
    at /home/bar/maria-git/server-10.1/sql/sql_select.cc:645
#5  0x0000555555a87ddf in JOIN::prepare (this=0x7ffece0227b0, 
    rref_pointer_array=0x7ffece1488e8, tables_init=0x7ffece1493c8, wild_num=0, 
    conds_init=0x7ffece149fb0, og_num=0, order_init=0x0, skip_order_by=false, 
    group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=
    0x7ffece148670, unit_arg=0x7ffece1489d0)
    at /home/bar/maria-git/server-10.1/sql/sql_select.cc:796
#6  0x0000555555d3259d in subselect_single_select_engine::prepare (
    this=0x7ffece14a1b8, thd=0x7ffed7e4c070)
    at /home/bar/maria-git/server-10.1/sql/item_subselect.cc:3570
#7  0x0000555555d284fe in Item_subselect::fix_fields (this=0x7ffece14a080, 
    thd_param=0x7ffed7e4c070, ref=0x7ffece14a208)
    at /home/bar/maria-git/server-10.1/sql/item_subselect.cc:262
#8  0x00005555559ef66c in setup_fields (thd=0x7ffed7e4c070, 
    ref_pointer_array=0x7ffece14a9c0, fields=..., 
    mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7ffece022588, 
    allow_sum_func=true)
    at /home/bar/maria-git/server-10.1/sql/sql_base.cc:7908
#9  0x0000555555a87d1a in JOIN::prepare (this=0x7ffece022228, 
    rref_pointer_array=0x7ffece147ad0, tables_init=0x7ffece14a250, wild_num=0, 
    conds_init=0x0, og_num=1, order_init=0x0, skip_order_by=false, 
    group_init=0x7ffece14a950, having_init=0x0, proc_param_init=0x0, 
    select_lex_arg=0x7ffece147858, unit_arg=0x7ffece147158)
    at /home/bar/maria-git/server-10.1/sql/sql_select.cc:794
#10 0x0000555555a91419 in mysql_select (thd=0x7ffed7e4c070, 
    rref_pointer_array=0x7ffece147ad0, tables=0x7ffece14a250, wild_num=0, 



Comments
Comment by Elena Stepanova [ 2016-11-03 ]

For some reason, it does not crash for me, and doesn't produce valgrind warnings either; but since it's yours anyway, I'll leave it to you as is.

Comment by Alexander Barkov [ 2016-11-04 ]

Elena, please try to pull the latest tree with the fix for MDEV-11219.

Comment by Elena Stepanova [ 2016-11-04 ]

Yes, it happens now. I had a previous revision.

Comment by Oleksandr Byelkin [ 2017-12-13 ]

Now I can't repeat it.

Comment by Oleksandr Byelkin [ 2017-12-15 ]

Fix came with this merge:

Author: Sergei Golubchik <serg@mariadb.org> 2017-10-22 13:03:41
Committer: Sergei Golubchik <serg@mariadb.org> 2017-10-22 13:03:41
Parent: d11af09865299033d5eef64531704f6ab8af5304 (MDEV-14076 InnoDB: Failing assertion when accessing INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES upon upgrade from 10.1.0 to 10.1.20)
Parent: 2eb3c5e5420a724945a4cba914df25aa1e3744ce (MDEV-13918 Race condition between INFORMATION_SCHEMA.INNODB_SYS_TABLESTATS and ALTER/DROP/TRUNCATE TABLE)
Child: 2aa51f528fd5d23cc54eca8fbd07e88e7b2993c7 (Various compier warnings)
Branches: many (70)
Follows: mariadb-10.1.28, mariadb-5.5.58
Precedes: mariadb-10.1.29, mariadb-10.2.10

Merge branch '10.0' into 10.1

Comment by Oleksandr Byelkin [ 2017-12-15 ]

(bisect skipped almost all 10.0 commits of the merge because of a compilation bug in tokudb, and there is no easy way to switch off tokudb in 10.0)

Comment by Elena Stepanova [ 2018-03-14 ]

It was fixed by these 2 chunks:

diff --git a/sql/item.cc b/sql/item.cc
index da1692e..ff172e6 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -2133,6 +2133,9 @@ bool Item_func_or_sum::agg_item_set_converter(const DTCollation &coll,
                                               Item **args, uint nargs,
                                               uint flags, int item_sep)
 {
+  THD *thd= current_thd;
+  if (thd->lex->is_ps_or_view_context_analysis())
+    return false;
   Item **arg, *safe_args[2]= {NULL, NULL};
 
   /*
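Review bot: the new early `return false` at the very top of `agg_item_set_converter()` makes the whole function a no-op whenever `thd->lex->is_ps_or_view_context_analysis()` is true, but nothing in the hunk says why skipping converter insertion is safe at that point; add a short comment above `THD *thd= current_thd;` stating that during PREPARE and view definition analysis the argument collations are not final and conversion is deferred to execution, so the check is not mistaken for an unconditional skip later. It is also worth spelling out that `false` is the "no error" result for callers such as `Item_func::fix_fields`, i.e. this is a deliberate "nothing to do", not a silent failure.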
@@ -2148,7 +2151,6 @@ bool Item_func_or_sum::agg_item_set_converter(const DTCollation &coll,
     safe_args[1]= args[item_sep];
   }
 
-  THD *thd= current_thd;
   bool res= FALSE;
   uint i;
 
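Review bot: this removal of `THD *thd= current_thd;` is the counterpart of the hoisted declaration in the first hunk and is needed to avoid a redefinition of `thd` in the same scope; no functional change on its own, since the code between the two locations (the `safe_args` assignments in the context) does not use `thd`. A one-line mention in the commit message that `thd` is now fetched once at function entry, because the new early-return check needs it before `safe_args` is set up, would make the intent of the two hunks obvious to the next reader.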

which belong to this patch:

commit ca948e335e0e43538f994484938dd729b32ae286
Author: Alexander Barkov <bar@mariadb.org>
Date:   Sat Oct 7 13:42:11 2017 +0400
 
    MDEV-9886 Illegal mix of collations with a view comparing a field to a binary constant

Generated at Thu Feb 08 07:48:19 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.