[MDEV-19178] Server crash in create_view_field or Assertion `m_sp == __null' failed in Item_func_sp::fix_fields after invalidating view by dropping function Created: 2019-04-04  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Stored routines, Views
Affects Version/s: 5.5, 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-14557 Assertion `m_sp == __null' failed in ... Stalled
relates to MDEV-20410 Pure virtual method called in Item_re... Closed

Description

Note: The assertion looks like MDEV-14557, but the location, stack trace and test case are different, so I'm filing it separately. Still, I assume the root cause is the same, MDEV-5816, so I'm setting fix version to 10.5. Feel free to fix in earlier versions if it turns out possible/reasonable.

CREATE TABLE t1 (a INT);
CREATE FUNCTION zero() RETURNS INT RETURN 0;
CREATE VIEW v1 AS SELECT zero() AS zero FROM t1;
CREATE FUNCTION f(i INT) RETURNS INT RETURN i;
CREATE VIEW v2 AS SELECT f(zero) AS f FROM v1;
DROP FUNCTION zero;
UPDATE v2 SET f = 4;

10.4 0dc442ac

mysqld: /data/src/10.4/sql/item_func.cc:6341: virtual bool Item_func_sp::fix_fields(THD*, Item**): Assertion `m_sp == __null' failed.
190405  0:30:34 [ERROR] mysqld got signal 6 ;
 
#7  0x00007ff850698ee2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#8  0x00005573dadcca3b in Item_func_sp::fix_fields (this=0x7ff8380184b8, thd=0x7ff838000b00, ref=0x7ff8380481d0) at /data/src/10.4/sql/item_func.cc:6341
#9  0x00005573dab18fe6 in create_view_field (thd=0x7ff838000b00, view=0x7ff8380156c0, field_ref=0x7ff8380481d0, name=0x7ff8380481d8) at /data/src/10.4/sql/table.cc:6378
#10 0x00005573dab18e5f in Field_iterator_view::create_item (this=0x7ff84a810870, thd=0x7ff838000b00) at /data/src/10.4/sql/table.cc:6353
#11 0x00005573da95a27e in find_field_in_view (thd=0x7ff838000b00, table_list=0x7ff8380156c0, name=0x7ff838015d80 "f", length=1, item_name=0x7ff838015d80 "f", ref=0x7ff838015f38, register_tree_change=true) at /data/src/10.4/sql/sql_base.cc:5700
#12 0x00005573da95b108 in find_field_in_table_ref (thd=0x7ff838000b00, table_list=0x7ff8380156c0, name=0x7ff838015d80 "f", length=1, item_name=0x7ff838015d80 "f", db_name=0x0, table_name=0x0, ref=0x7ff838015f38, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x7ff838015e5c, register_tree_change=true, actual_table=0x7ff84a810a60) at /data/src/10.4/sql/sql_base.cc:6039
#13 0x00005573da95bd6a in find_field_in_tables (thd=0x7ff838000b00, item=0x7ff838015d88, first_table=0x7ff8380156c0, last_table=0x0, ref=0x7ff838015f38, report_error=REPORT_ALL_ERRORS, check_privileges=true, register_tree_change=true) at /data/src/10.4/sql/sql_base.cc:6348
#14 0x00005573dad5d4ee in Item_field::fix_outer_field (this=0x7ff838015d88, thd=0x7ff838000b00, from_field=0x7ff84a810e70, reference=0x7ff838015f38) at /data/src/10.4/sql/item.cc:5516
#15 0x00005573dad5e0d5 in Item_field::fix_fields (this=0x7ff838015d88, thd=0x7ff838000b00, reference=0x7ff838015f38) at /data/src/10.4/sql/item.cc:5766
#16 0x00005573da8e5ed3 in Item::fix_fields_if_needed (this=0x7ff838015d88, thd=0x7ff838000b00, ref=0x7ff838015f38) at /data/src/10.4/sql/item.h:955
#17 0x00005573da8e5f01 in Item::fix_fields_if_needed_for_scalar (this=0x7ff838015d88, thd=0x7ff838000b00, ref=0x7ff838015f38) at /data/src/10.4/sql/item.h:959
#18 0x00005573da95ebe9 in setup_fields (thd=0x7ff838000b00, ref_pointer_array=..., fields=..., column_usage=MARK_COLUMNS_WRITE, sum_func_list=0x0, pre_fix=0x0, allow_sum_func=false) at /data/src/10.4/sql/sql_base.cc:7554
#19 0x00005573daafd74d in setup_fields_with_no_wrap (thd=0x7ff838000b00, ref_pointer_array=..., item=..., column_usage=MARK_COLUMNS_WRITE, sum_func_list=0x0, allow_sum_func=false) at /data/src/10.4/sql/sql_base.h:376
#20 0x00005573daaf4b5d in mysql_update (thd=0x7ff838000b00, table_list=0x7ff8380156c0, fields=..., values=..., conds=0x0, order_num=0, order=0x0, limit=18446744073709551615, ignore=false, found_return=0x7ff84a811850, updated_return=0x7ff84a811910) at /data/src/10.4/sql/sql_update.cc:455
#21 0x00005573da9f3926 in mysql_execute_command (thd=0x7ff838000b00) at /data/src/10.4/sql/sql_parse.cc:4648
#22 0x00005573da9ffbe4 in mysql_parse (thd=0x7ff838000b00, rawbuf=0x7ff8380155e8 "UPDATE v2 SET f = 4", length=19, parser_state=0x7ff84a812180, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:8154
#23 0x00005573da9eb630 in dispatch_command (command=COM_QUERY, thd=0x7ff838000b00, packet=0x7ff838139261 "UPDATE v2 SET f = 4", packet_length=19, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1832
#24 0x00005573da9e9e16 in do_command (thd=0x7ff838000b00) at /data/src/10.4/sql/sql_parse.cc:1365
#25 0x00005573dab61e55 in do_handle_one_connection (connect=0x5573dd87d520) at /data/src/10.4/sql/sql_connect.cc:1398
#26 0x00005573dab61bc6 in handle_one_connection (arg=0x5573dd87d520) at /data/src/10.4/sql/sql_connect.cc:1301
#27 0x00005573db055cb9 in pfs_spawn_thread (arg=0x5573dd96f8f0) at /data/src/10.4/storage/perfschema/pfs.cc:1862
#28 0x00007ff852587494 in start_thread (arg=0x7ff84a813700) at pthread_create.c:333
#29 0x00007ff85075593f in clone () from /lib/x86_64-linux-gnu/libc.so.6
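
An added dependency audit for the scenario in the report (this is not the reporter's test case and not MariaDB project code): before dropping a stored function, list the views that call it and the views built on those, so nothing is left referencing a missing routine. It assumes the schema is `test` as in the report and that INFORMATION_SCHEMA.VIEWS prints a function call with the name in backticks followed by `(`; the `@db` and `@func` variables are constructed for the example.

```sql
-- Added example, not part of the report: pre-drop dependency audit for a
-- function that views call directly (v1 -> zero()) and views layered on
-- those (v2 -> v1). Schema 'test', function 'zero' and v1/v2 follow the
-- report; the variables and queries are constructed for this example.
SET @db   := 'test';
SET @func := 'zero';

-- Step 1: views that call the function directly. VIEW_DEFINITION holds the
-- normalised definition; the call is assumed to be printed as `zero`(
-- (possibly schema-qualified), so the backtick plus opening parenthesis
-- keeps a column alias that happens to be named zero from matching.
SELECT TABLE_SCHEMA, TABLE_NAME
FROM INFORMATION_SCHEMA.VIEWS
WHERE TABLE_SCHEMA = @db
  AND VIEW_DEFINITION LIKE CONCAT('%`', @func, '`(%');

-- Step 2: views built on the views found in step 1 (v2 over v1 in the
-- report). v2's definition names `v1`, not `zero`(), so it is only found
-- transitively. MariaDB 10.x has no VIEW_TABLE_USAGE table, hence the
-- self-join on the definition text; this resolves one level of nesting.
SELECT dep.TABLE_SCHEMA,
       dep.TABLE_NAME  AS dependent_view,
       base.TABLE_NAME AS via_view
FROM INFORMATION_SCHEMA.VIEWS base
JOIN INFORMATION_SCHEMA.VIEWS dep
  ON dep.TABLE_SCHEMA = base.TABLE_SCHEMA
 AND dep.TABLE_NAME <> base.TABLE_NAME
 AND dep.VIEW_DEFINITION LIKE CONCAT('%`', base.TABLE_NAME, '`%')
WHERE base.TABLE_SCHEMA = @db
  AND base.VIEW_DEFINITION LIKE CONCAT('%`', @func, '`(%');

-- Only when both result sets are empty is the drop safe as-is; otherwise
-- alter or drop the dependents first, outermost view first:
-- DROP VIEW v2, v1;
-- DROP FUNCTION zero;

-- Step 3: after a drop, CHECK TABLE reports views left invalid. The report
-- shows the invalid nested view crashing the server on UPDATE, so run the
-- audit above before the drop rather than relying on this post-drop check.
CHECK TABLE v1, v2;
```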

Comments
Comment by Elena Stepanova [ 2019-04-30 ]

Here is a test case with a very similar stack trace, with the difference that it's SIGSEGV which affects non-debug builds as well.

--let $datadir= `SELECT @@datadir`
--write_file $datadir/test/load.data
1
EOF
 
CREATE TABLE t1 (a INT, b INT);
INSERT INTO t1 (a) VALUES (1),(2);
CREATE TRIGGER tr BEFORE INSERT ON t1 FOR EACH ROW INSERT INTO t2 SELECT * FROM x;
 
CREATE TABLE t2 (c INT, d INT);
 
CREATE TABLE t3 (a INT);
CREATE VIEW v3 AS SELECT * FROM t3;
 
CREATE TABLE x (a INT, f INT);
 
INSERT INTO t1 (a) VALUES (3);
DROP TABLE x;
CREATE VIEW x AS SELECT * FROM v3;
--error ER_BAD_FIELD_ERROR
LOAD DATA INFILE 'load.data' IGNORE INTO TABLE t1;
--error ER_BAD_FIELD_ERROR
INSERT INTO t1 (a) VALUES (4);
 
# Cleanup
--remove_file $datadir/test/load.data
DROP VIEW x, v3;
DROP TABLE t1, t2, t3;

10.2 00377147 debug

#3  <signal handler called>
#4  0x000055fefacfb55c in create_view_field (thd=0x7f1c40000b00, view=0x7f1c4003e6b0, field_ref=0x7f1c400a84d8, name=0x7f1c400a84e8 "a") at /data/src/10.2/sql/table.cc:5850
#5  0x000055fefacfb459 in Field_iterator_view::create_item (this=0x7f1c52505840, thd=0x7f1c40000b00) at /data/src/10.2/sql/table.cc:5825
#6  0x000055fefab814b3 in find_field_in_view (thd=0x7f1c40000b00, table_list=0x7f1c4003e6b0, name=0x7f1c4003f020 "a", length=1, item_name=0x7f1c4003f020 "a", ref=0x7f1c4003e668, register_tree_change=true) at /data/src/10.2/sql/sql_base.cc:5318
#7  0x000055fefab8247e in find_field_in_table_ref (thd=0x7f1c40000b00, table_list=0x7f1c4003e6b0, name=0x7f1c4003f020 "a", length=1, item_name=0x7f1c4003f020 "a", db_name=0x0, table_name=0x0, ref=0x7f1c4003e668, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x7f1c4003efd4, register_tree_change=true, actual_table=0x7f1c52505a38) at /data/src/10.2/sql/sql_base.cc:5678
#8  0x000055fefab82d2c in find_field_in_tables (thd=0x7f1c40000b00, item=0x7f1c4003ef10, first_table=0x7f1c4003e6b0, last_table=0x0, ref=0x7f1c4003e668, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at /data/src/10.2/sql/sql_base.cc:5914
#9  0x000055fefae8d539 in Item_field::fix_fields (this=0x7f1c4003ef10, thd=0x7f1c40000b00, reference=0x7f1c4003e668) at /data/src/10.2/sql/item.cc:5454
#10 0x000055fefab85ded in setup_fields (thd=0x7f1c40000b00, ref_pointer_array=..., fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7f1c4009fe00, pre_fix=0x7f1c400402a8, allow_sum_func=true) at /data/src/10.2/sql/sql_base.cc:7184
#11 0x000055fefac2d9f1 in JOIN::prepare (this=0x7f1c4009fae0, tables_init=0x7f1c4003e6b0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f1c40040168, unit_arg=0x7f1c4003fa30) at /data/src/10.2/sql/sql_select.cc:814
#12 0x000055fefac383cf in mysql_select (thd=0x7f1c40000b00, tables=0x7f1c4003e6b0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=3489663744, result=0x7f1c4009fa38, unit=0x7f1c4003fa30, select_lex=0x7f1c40040168) at /data/src/10.2/sql/sql_select.cc:3797
#13 0x000055fefac2c66b in handle_select (thd=0x7f1c40000b00, lex=0x7f1c4003f968, result=0x7f1c4009fa38, setup_tables_done_option=1073741824) at /data/src/10.2/sql/sql_select.cc:376
#14 0x000055fefabf0cc5 in mysql_execute_command (thd=0x7f1c40000b00) at /data/src/10.2/sql/sql_parse.cc:4545
#15 0x000055fefafed5ea in sp_instr_stmt::exec_core (this=0x7f1c4003ecd0, thd=0x7f1c40000b00, nextp=0x7f1c52506d44) at /data/src/10.2/sql/sp_head.cc:3248
#16 0x000055fefafecc55 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7f1c4003ed10, thd=0x7f1c40000b00, nextp=0x7f1c52506d44, open_tables=false, instr=0x7f1c4003ecd0) at /data/src/10.2/sql/sp_head.cc:3011
#17 0x000055fefafed295 in sp_instr_stmt::execute (this=0x7f1c4003ecd0, thd=0x7f1c40000b00, nextp=0x7f1c52506d44) at /data/src/10.2/sql/sp_head.cc:3164
#18 0x000055fefafe8451 in sp_head::execute (this=0x7f1c4003d288, thd=0x7f1c40000b00, merge_da_on_success=false) at /data/src/10.2/sql/sp_head.cc:1329
#19 0x000055fefafe9048 in sp_head::execute_trigger (this=0x7f1c4003d288, thd=0x7f1c40000b00, db_name=0x7f1c4006df88, table_name=0x7f1c4006df98, grant_info=0x7f1c4003cf58) at /data/src/10.2/sql/sp_head.cc:1658
#20 0x000055fefacd1719 in Table_triggers_list::process_triggers (this=0x7f1c4003c9c8, thd=0x7f1c40000b00, event=TRG_EVENT_INSERT, time_type=TRG_ACTION_BEFORE, old_row_is_record1=true) at /data/src/10.2/sql/sql_trigger.cc:2199
#21 0x000055fefab889de in fill_record_n_invoke_before_triggers (thd=0x7f1c40000b00, table=0x7f1c40038310, fields=..., values=..., ignore_errors=false, event=TRG_EVENT_INSERT) at /data/src/10.2/sql/sql_base.cc:8193
#22 0x000055fefabc8650 in mysql_insert (thd=0x7f1c40000b00, table_list=0x7f1c40012540, fields=..., values_list=..., update_fields=..., update_values=..., duplic=DUP_ERROR, ignore=false) at /data/src/10.2/sql/sql_insert.cc:966
#23 0x000055fefabf05d8 in mysql_execute_command (thd=0x7f1c40000b00) at /data/src/10.2/sql/sql_parse.cc:4438
#24 0x000055fefabfba93 in mysql_parse (thd=0x7f1c40000b00, rawbuf=0x7f1c40012458 "INSERT INTO t1 (a) VALUES (4)", length=29, parser_state=0x7f1c52508200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:8013
#25 0x000055fefabe9590 in dispatch_command (command=COM_QUERY, thd=0x7f1c40000b00, packet=0x7f1c4008e121 "INSERT INTO t1 (a) VALUES (4)", packet_length=29, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1833
#26 0x000055fefabe7ead in do_command (thd=0x7f1c40000b00) at /data/src/10.2/sql/sql_parse.cc:1387
#27 0x000055fefad3bab9 in do_handle_one_connection (connect=0x55fefe98a030) at /data/src/10.2/sql/sql_connect.cc:1335
#28 0x000055fefad3b846 in handle_one_connection (arg=0x55fefe98a030) at /data/src/10.2/sql/sql_connect.cc:1241
#29 0x000055fefb0a387e in pfs_spawn_thread (arg=0x55fefe8d5960) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#30 0x00007f1c5a2c7494 in start_thread (arg=0x7f1c52509700) at pthread_create.c:333
#31 0x00007f1c5828f93f in clone () from /lib/x86_64-linux-gnu/libc.so.6

The actual crash happens for me only on 10.2+, but even 10.1 and 5.5 fail with ASAN heap-use-after-free, which means it's just a matter of luck.

Comment by Alice Sherepa [ 2023-07-28 ]

The initial test is currently repeatable on 10.6+, not on 10.4 (9854fb6fa7ceabdf9968a1d1b) or 10.5. But the one from the comment is repeatable on 10.4+.

Generated at Thu Feb 08 08:49:38 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.