[MDEV-19164] Assertion `fixed' failed in Item_func_inet_aton::val_int

Created: 2019-04-03  Updated: 2019-04-18  Resolved: 2019-04-18

Status: Closed
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 10.4
Fix Version/s: 10.4.5

Type: Bug
Priority: Major
Reporter: Alice Sherepa
Assignee: Igor Babaev
Resolution: Fixed
Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-14926 AddressSanitizer: heap-use-after-free... Closed

 Description   

create table t1 (d1 date);
insert into t1 values (null),('1971-03-06'),('1993-06-05'),('1998-07-08');
 
select 1 from t1 group by d1 
having d1 between (inet_aton('1978-04-27')) and '2018-08-26';

10.4 5d8ca989974734e931cf247

mysqld: /10.4/sql/item_inetfunc.cc:34: virtual longlong Item_func_inet_aton::val_int(): Assertion `fixed' failed.
 
assert/assert.c:92(__assert_fail_base)[0x7f2c808e0bd7]
/lib/x86_64-linux-gnu/libc.so.6(+0x2dc82)[0x7f2c808e0c82]
/10.4/sql/mysqld(_ZN19Item_func_inet_aton7val_intEv+0x162)[0x55dd85599846]
sql/item_inetfunc.cc:36(Item_func_inet_aton::val_int())[0x55dd8516f23c]
sql/item.cc:1302(Item::get_date_from_int(THD*, st_mysql_time*, date_mode_t))[0x55dd8488d620]
/10.4/sql/mysqld(+0xf2af89)[0x55dd84761f89]
/10.4/sql/mysqld(_ZN4Item26val_datetime_packed_resultEP3THD+0x13d)[0x55dd8516563b]
sql/item_func.h:1014(Item_int_func::get_date(THD*, st_mysql_time*, date_mode_t))[0x55dd851b28c0]
/10.4/sql/mysqld(_ZN10Item_cache9has_valueEv+0xaa)[0x55dd84e93df8]
sql/item.h:1731(Item::get_date_result(THD*, st_mysql_time*, date_mode_t))[0x55dd851c190e]
sql/item.cc:121(Item::val_datetime_packed_result(THD*))[0x55dd851e0875]
sql/item.cc:9781(Item_cache_temporal::cache_value())[0x55dd84e6de34]
sql/item.h:6532(Item_cache::has_value())[0x55dd854d46c4]
sql/item.h:6722(Item_cache_date::val_datetime_packed(THD*))[0x55dd84ae3506]
sql/item_cmpfunc.cc:2156(Item_func_between::val_int_cmp_datetime())[0x55dd84ae2fce]
sql/sql_type.cc:4947(Type_handler_temporal_with_date::Item_func_between_val_int(Item_func_between*) const)[0x55dd84ae0dfb]
sql/item_cmpfunc.h:908(Item_func_between::val_int())[0x55dd84a7c9d4]
sql/sql_select.cc:20124(evaluate_join_record(JOIN*, st_join_table*, int))[0x55dd84a7a34e]
sql/sql_select.cc:20068(sub_select(JOIN*, st_join_table*, bool))[0x55dd84a7dd8c]
sql/sql_select.cc:19567(do_select(JOIN*, Procedure*))[0x55dd84a54b82]
sql/sql_select.cc:4381(JOIN::exec_inner())[0x55dd849d9f9f]
sql/sql_select.cc:4164(JOIN::exec())[0x55dd849c71bc]
sql/sql_select.cc:4597(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55dd849e2260]
sql/sql_select.cc:424(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55dd849baf10]
sql/sql_parse.cc:6602(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55dd849b7e4f]
sql/sql_parse.cc:3891(mysql_execute_command(THD*))[0x55dd84d2afcb]
sql/sql_parse.cc:8154(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55dd84d2a995]
sql/sql_parse.cc:1834(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55dd860e211b]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7f2c817296ba]
x86_64/clone.S:111(clone)[0x7f2c809ba41d]
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x62b00007e288): select 1 from t1 group by d1  having d1 between (inet_aton('1978-04-27')) and '2018-08-26'



 Comments   
Comment by Elena Stepanova [ 2019-04-15 ]

Different functions, same problem.

CREATE TABLE t (f DATE);
INSERT INTO t VALUES ('2018-01-15');
SELECT f, COUNT(*) FROM t GROUP BY f HAVING f NOT BETWEEN 0 AND EXP(0);
 
# Cleanup
DROP TABLE t;

10.4 3c352b59

mysqld: /data/src/10.4/sql/item_func.cc:2003: virtual double Item_func_exp::val_real(): Assertion `fixed == 1' failed.
190415 17:40:45 [ERROR] mysqld got signal 6 ;
 
#7  0x00007fd429bb5ee2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#8  0x00005589f236c56d in Item_func_exp::val_real (this=0x7fd408016938) at /data/src/10.4/sql/item_func.cc:2003
#9  0x00005589f22ff395 in Item::get_date_from_real (this=0x7fd408016938, thd=0x7fd408000b00, ltime=0x7fd42452e9c0, fuzzydate=...) at /data/src/10.4/sql/item.cc:1312
#10 0x00005589f23542c6 in Item_real_func::get_date (this=0x7fd408016938, thd=0x7fd408000b00, ltime=0x7fd42452e9c0, fuzzydate=...) at /data/src/10.4/sql/item_func.h:422
#11 0x00005589f1e917be in Item::get_date_result (this=0x7fd408016938, thd=0x7fd408000b00, ltime=0x7fd42452e9c0, fuzzydate=...) at /data/src/10.4/sql/item.h:1731
#12 0x00005589f22fba2a in Item::val_datetime_packed_result (this=0x7fd408016938, thd=0x7fd408000b00) at /data/src/10.4/sql/item.cc:121
#13 0x00005589f2318484 in Item_cache_temporal::cache_value (this=0x7fd408017cf0) at /data/src/10.4/sql/item.cc:9746
#14 0x00005589f21c9670 in Item_cache::has_value (this=0x7fd408017cf0) at /data/src/10.4/sql/item.h:6512
#15 0x00005589f231f3d0 in Item_cache_date::val_datetime_packed (this=0x7fd408017cf0, thd=0x7fd408000b00) at /data/src/10.4/sql/item.h:6702
#16 0x00005589f232af1c in Item_func_between::val_int_cmp_datetime (this=0x7fd4080169f8) at /data/src/10.4/sql/item_cmpfunc.cc:2157
#17 0x00005589f21b3aea in Type_handler_temporal_with_date::Item_func_between_val_int (this=0x5589f3638448 <type_handler_newdate>, func=0x7fd4080169f8) at /data/src/10.4/sql/sql_type.cc:4946
#18 0x00005589f247273a in Item_func_between::val_int (this=0x7fd4080169f8) at /data/src/10.4/sql/item_cmpfunc.h:907
#19 0x00005589f21b25c1 in Type_handler_int_result::Item_val_bool (this=0x5589f36383a0 <type_handler_bool>, item=0x7fd4080169f8) at /data/src/10.4/sql/sql_type.cc:4386
#20 0x00005589f1e9127e in Item::val_bool (this=0x7fd4080169f8) at /data/src/10.4/sql/item.h:1448
#21 0x00005589f203b724 in Item::eval_const_cond (this=0x7fd4080169f8) at /data/src/10.4/sql/item.h:1456
#22 0x00005589f201ac50 in Item::remove_eq_conds (this=0x7fd4080169f8, thd=0x7fd408000b00, cond_value=0x7fd408017758, top_level_arg=true) at /data/src/10.4/sql/sql_select.cc:17088
#23 0x00005589f1ffbd85 in make_join_statistics (join=0x7fd408017448, tables_list=..., keyuse_array=0x7fd408017738) at /data/src/10.4/sql/sql_select.cc:5242
#24 0x00005589f1ff1093 in JOIN::optimize_inner (this=0x7fd408017448) at /data/src/10.4/sql/sql_select.cc:2191
#25 0x00005589f1feecc0 in JOIN::optimize (this=0x7fd408017448) at /data/src/10.4/sql/sql_select.cc:1561
#26 0x00005589f1ff9b10 in mysql_select (thd=0x7fd408000b00, tables=0x7fd408015e98, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7fd408016670, having=0x7fd4080169f8, proc_param=0x0, select_options=2147748608, result=0x7fd408017420, unit=0x7fd408004a30, select_lex=0x7fd4080156d8) at /data/src/10.4/sql/sql_select.cc:4588
#27 0x00005589f1fea140 in handle_select (thd=0x7fd408000b00, lex=0x7fd408004968, result=0x7fd408017420, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:424
#28 0x00005589f1fb39fd in execute_sqlcom_select (thd=0x7fd408000b00, all_tables=0x7fd408015e98) at /data/src/10.4/sql/sql_parse.cc:6602
#29 0x00005589f1fa8fd3 in mysql_execute_command (thd=0x7fd408000b00) at /data/src/10.4/sql/sql_parse.cc:3891
#30 0x00005589f1fb7783 in mysql_parse (thd=0x7fd408000b00, rawbuf=0x7fd4080155e8 "SELECT f, COUNT(*) FROM t GROUP BY f HAVING f NOT BETWEEN 0 AND EXP(0)", length=70, parser_state=0x7fd424530180, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:8154
#31 0x00005589f1fa31da in dispatch_command (command=COM_QUERY, thd=0x7fd408000b00, packet=0x7fd40800a8a1 "SELECT f, COUNT(*) FROM t GROUP BY f HAVING f NOT BETWEEN 0 AND EXP(0)", packet_length=70, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1832
#32 0x00005589f1fa19c0 in do_command (thd=0x7fd408000b00) at /data/src/10.4/sql/sql_parse.cc:1365
#33 0x00005589f2119d4f in do_handle_one_connection (connect=0x5589f5dfb520) at /data/src/10.4/sql/sql_connect.cc:1398
#34 0x00005589f2119ac0 in handle_one_connection (arg=0x5589f5dfb520) at /data/src/10.4/sql/sql_connect.cc:1301
#35 0x00005589f260483f in pfs_spawn_thread (arg=0x5589f5eed8f0) at /data/src/10.4/storage/perfschema/pfs.cc:1862
#36 0x00007fd42bcaa494 in start_thread (arg=0x7fd424531700) at pthread_create.c:333
#37 0x00007fd429c7293f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Comment by Alexander Barkov [ 2019-04-15 ]

Item_func_inet_aton::fixed is normally set to true during fix_fields(), but then it's reset to false during cleanup() which is called from here:

select_lex->pushdown_from_having_into_where(thd, having);

shagalla, can you please take over this bug?

Thanks.

Comment by Igor Babaev [ 2019-04-16 ]

Alexander,
fix_fields() is called at each execution of a prepared statement again and again. If your cleanup cleans the info from an item but leaves it fixed then we have a problem with re-execution.
I reassign the bug back to you.

Comment by Alexander Barkov [ 2019-04-16 ]

igor, let me rephrase my previous message:

  • Item_func_inet_aton::fixed is set to true during fix_fields() normally
  • select_lex->pushdown_from_having_into_where(thd, having) resets fixed back to false using cleanup
  • Item_func_inet_aton never gets fixed again so Item_func_inet_aton::val_int() is called with fixed equal to false

From my understanding, the problem is in the code moving having to where. It cleans up Item_func_inet_aton, but never fixes it again.

Note, there is no prepared statement in the SQL script reported; it's direct execution.
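
Added example, not part of the issue thread and not MariaDB source: a simplified C++ model of the sequence described in the comment above (fix_fields(), then a move that calls cleanup(), then val_int()). ModelItem, all_fixed, condition_after_move and evaluates are hypothetical names, and re-fixing after the move is shown only to illustrate the invariant, not as the fix that was pushed.

```cpp
// Simplified model of the item lifecycle in this issue; all names are hypothetical.
#include <iostream>
#include <memory>
#include <stdexcept>
#include <vector>

struct ModelItem {
    bool fixed = false;
    std::vector<std::unique_ptr<ModelItem>> args;

    // Stands in for fix_fields(): fix the arguments, then this item.
    void fix_fields() { for (auto &a : args) a->fix_fields(); fixed = true; }
    // Stands in for cleanup(): per-execution state, including fixed, is reset.
    void cleanup() { for (auto &a : args) a->cleanup(); fixed = false; }
    // Stands in for val_int(): throws where the debug server asserts.
    long long val_int() const {
        if (!fixed) throw std::logic_error("val_int() called on unfixed item");
        long long v = 1;
        for (auto &a : args) v += a->val_int();
        return v;
    }
};

// Invariant check: every item in the tree must be fixed before evaluation.
bool all_fixed(const ModelItem &it) {
    if (!it.fixed) return false;
    for (auto &a : it.args) if (!all_fixed(*a)) return false;
    return true;
}

// Replays the reported order: fix, move the condition (which cleans it up),
// and optionally fix it again before it is evaluated.
std::unique_ptr<ModelItem> condition_after_move(bool refix) {
    std::unique_ptr<ModelItem> cond(new ModelItem());  // models the BETWEEN node
    cond->args.emplace_back(new ModelItem());          // models inet_aton(...)
    cond->fix_fields();
    cond->cleanup();                                   // models the HAVING-to-WHERE move
    if (refix) cond->fix_fields();
    return cond;
}

// True if evaluating the condition does not hit the unfixed-item check.
bool evaluates(const ModelItem &it) {
    try { it.val_int(); return true; }
    catch (const std::logic_error &) { return false; }
}

int main() {
    std::cout << evaluates(*condition_after_move(false)) << " "
              << evaluates(*condition_after_move(true)) << "\n";
}
```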

Comment by Igor Babaev [ 2019-04-18 ]

A fix for this bug was pushed into 10.4
