[MDEV-19699] Server crashes in Item_null_result::field_type upon SELECT with ROLLUP on constant table Created: 2019-06-05  Updated: 2020-06-02  Resolved: 2019-08-27

Status: Closed
Project: MariaDB Server
Component/s: Data types
Affects Version/s: 10.1, 10.2
Fix Version/s: 10.2.27, 10.1.42

Type: Bug
Priority: Critical
Reporter: Elena Stepanova
Assignee: Alexander Barkov
Resolution: Fixed
Votes: 0
Labels: not-10.3, not-10.4

Issue Links:
Problem/Incident
causes MDEV-21319 COUNT(*) returns 1, actual SELECT ret... Closed
Relates
relates to MDEV-15011 Server crash, hang, buffer overrun, m... Closed
relates to MDEV-22772 Server crashes in Item_null_result::f... Closed
relates to MDEV-20431 GREATEST(int_col,date_col) returns wr... Closed

Description

CREATE TABLE t1 (d DATE) ENGINE=MyISAM;
INSERT INTO t1 VALUES ('1999-11-04');

SELECT d FROM t1 GROUP BY d WITH ROLLUP HAVING d > '1990-01-01';

10.1 b003b0c9

#3  <signal handler called>
#4  0x00005600ac2e353f in Item_null_result::field_type (this=0x7f8809847f20) at /data/src/10.1/sql/item.h:2658
#5  0x00005600ac20b1d1 in Item_ref::field_type (this=0x7f8809845a20) at /data/src/10.1/sql/item.h:3995
#6  0x00005600ac4b9a96 in Item::get_date_with_conversion (this=0x7f8809845a20, ltime=0x7f88140b8c90, fuzzydate=33554433) at /data/src/10.1/sql/item.cc:131
#7  0x00005600ac1adbdd in Item::val_datetime_packed (this=0x7f8809845a20) at /data/src/10.1/sql/item.h:1298
#8  0x00005600ac4ee9cb in Item::val_temporal_packed (this=0x7f8809845a20, f_type=MYSQL_TYPE_DATETIME) at /data/src/10.1/sql/item.h:1310
#9  0x00005600ac4dbe87 in get_datetime_value (thd=0x0, item_arg=0x7f8809845c88, cache_arg=0x7f8809845cd8, f_type=MYSQL_TYPE_DATETIME, is_null=0x7f88140b8d7e) at /data/src/10.1/sql/item_cmpfunc.cc:770
#10 0x00005600ac4dbff1 in Arg_comparator::compare_temporal (this=0x7f8809845c88, type=MYSQL_TYPE_DATETIME) at /data/src/10.1/sql/item_cmpfunc.cc:814
#11 0x00005600ac1a18c3 in Arg_comparator::compare_datetime (this=0x7f8809845c88) at /data/src/10.1/sql/item_cmpfunc.h:105
#12 0x00005600ac4ef230 in Arg_comparator::compare (this=0x7f8809845c88) at /data/src/10.1/sql/item_cmpfunc.h:87
#13 0x00005600ac4df053 in Item_func_gt::val_int (this=0x7f8809845bc8) at /data/src/10.1/sql/item_cmpfunc.cc:1836
#14 0x00005600ac2db204 in JOIN::rollup_send_data (this=0x7f8809845e10, idx=0) at /data/src/10.1/sql/sql_select.cc:24065
#15 0x00005600ac2d0d58 in end_send_group (join=0x7f8809845e10, join_tab=0x0, end_of_records=true) at /data/src/10.1/sql/sql_select.cc:19804
#16 0x00005600ac2cd1c8 in do_select (join=0x7f8809845e10, fields=0x7f8809846210, table=0x0, procedure=0x0) at /data/src/10.1/sql/sql_select.cc:18124
#17 0x00005600ac2a74c8 in JOIN::exec_inner (this=0x7f8809845e10) at /data/src/10.1/sql/sql_select.cc:3275
#18 0x00005600ac2a475b in JOIN::exec (this=0x7f8809845e10) at /data/src/10.1/sql/sql_select.cc:2562
#19 0x00005600ac2a7ce9 in mysql_select (thd=0x7f880b7d0070, rref_pointer_array=0x7f880b7d4560, tables=0x7f88098452c0, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7f88098459c8, having=0x7f8809845bc8, proc_param=0x0, select_options=2147748608, result=0x7f8809845df0, unit=0x7f880b7d3bb8, select_lex=0x7f880b7d42b8) at /data/src/10.1/sql/sql_select.cc:3499
#20 0x00005600ac29d3d3 in handle_select (thd=0x7f880b7d0070, lex=0x7f880b7d3af0, result=0x7f8809845df0, setup_tables_done_option=0) at /data/src/10.1/sql/sql_select.cc:376
#21 0x00005600ac26cd26 in execute_sqlcom_select (thd=0x7f880b7d0070, all_tables=0x7f88098452c0) at /data/src/10.1/sql/sql_parse.cc:5691
#22 0x00005600ac263b43 in mysql_execute_command (thd=0x7f880b7d0070) at /data/src/10.1/sql/sql_parse.cc:3038
#23 0x00005600ac27099f in mysql_parse (thd=0x7f880b7d0070, rawbuf=0x7f8809845088 "SELECT d FROM t1 GROUP BY d WITH ROLLUP HAVING d > '1990-01-01'", length=63, parser_state=0x7f88140ba1e0) at /data/src/10.1/sql/sql_parse.cc:7209
#24 0x00005600ac25fb55 in dispatch_command (command=COM_QUERY, thd=0x7f880b7d0070, packet=0x7f880d7f0071 "", packet_length=63) at /data/src/10.1/sql/sql_parse.cc:1499
#25 0x00005600ac25e913 in do_command (thd=0x7f880b7d0070) at /data/src/10.1/sql/sql_parse.cc:1131
#26 0x00005600ac39ae21 in do_handle_one_connection (thd_arg=0x7f880b7d0070) at /data/src/10.1/sql/sql_connect.cc:1330
#27 0x00005600ac39ab67 in handle_one_connection (arg=0x7f880b7d0070) at /data/src/10.1/sql/sql_connect.cc:1242
#28 0x00005600ac7cee2a in pfs_spawn_thread (arg=0x7f8811c39c70) at /data/src/10.1/storage/perfschema/pfs.cc:1861
#29 0x00007f8813d384a4 in start_thread (arg=0x7f88140bb700) at pthread_create.c:456
#30 0x00007f881274ed0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

All of debug, ASAN and non-debug builds crash with SEGV.
Reproducible with MyISAM and Aria. Not reproducible with InnoDB.
Couldn't reproduce with the provided test case on 10.3 and 10.4.

Comments
Comment by Elena Stepanova [ 2019-06-05 ]

Must be related to MDEV-15011.

Comment by Alexander Barkov [ 2019-08-27 ]

If I add one more record to the table, it does not crash in either 10.1 or 10.2:

DROP TABLE IF EXISTS t1;
CREATE TABLE t1 (d DATE) ENGINE=MyISAM;
INSERT INTO t1 VALUES ('1999-11-04'),('1999-11-05');
SELECT d FROM t1 GROUP BY d WITH ROLLUP HAVING d > '1990-01-01';

Comment by Alexander Barkov [ 2019-08-27 ]

The same crash happens with DATETIME:

CREATE OR REPLACE TABLE t1 (d DATETIME) ENGINE=MyISAM;
INSERT INTO t1 VALUES ('1999-11-04');
SELECT d FROM t1 GROUP BY d WITH ROLLUP HAVING d > '1990-01-01';

Generated at Thu Feb 08 08:53:41 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.