[MDEV-22268] virtual longlong Item_func_div::int_op(): Assertion `0' failed in Item_func_div::int_op
Created: 2020-04-17  Updated: 2020-06-13  Resolved: 2020-06-13

Status: Closed
Project: MariaDB Server
Component/s: Data types, Temporal Types
Affects Version/s: 10.3, 10.4, 10.5
Fix Version/s: 10.5.4, 10.3.24, 10.4.14

Type: Bug
Priority: Major
Reporter: Roel Van de Paar
Assignee: Alexander Barkov
Resolution: Fixed
Votes: 0
Labels: None


Description

SET @@SESSION.div_precision_increment=0;
SELECT UTC_TIME / 0;

Leads to:

10.5.3 364e7a9ae6b5fbf69494cec30733b5ad28738cbb

mysqld: /test/10.5_dbg/sql/item_func.h:1454: virtual longlong Item_func_div::int_op(): Assertion `0' failed.

10.5.3 364e7a9ae6b5fbf69494cec30733b5ad28738cbb

Core was generated by `/test/MD110420-mariadb-10.5.3-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x7ffa9c59b700 (LWP 8785))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x0000556c335ef21e in my_write_core (sig=sig@entry=6) at /test/10.5_dbg/mysys/stacktrace.c:518
#2  0x0000556c32d9508f in handle_fatal_signal (sig=6) at /test/10.5_dbg/sql/signal_handler.cc:329
#3  <signal handler called>
#4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5  0x00007ffa9acdf801 in __GI_abort () at abort.c:79
#6  0x00007ffa9accf39a in __assert_fail_base (fmt=0x7ffa9ae567d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x556c3391fc81 "0", file=file@entry=0x556c33759330 "/test/10.5_dbg/sql/item_func.h", line=line@entry=1454, function=function@entry=0x556c33909ac0 <Item_func_div::int_op()::__PRETTY_FUNCTION__> "virtual longlong Item_func_div::int_op()") at assert.c:92
#7  0x00007ffa9accf412 in __GI___assert_fail (assertion=assertion@entry=0x556c3391fc81 "0", file=file@entry=0x556c33759330 "/test/10.5_dbg/sql/item_func.h", line=line@entry=1454, function=function@entry=0x556c33909ac0 <Item_func_div::int_op()::__PRETTY_FUNCTION__> "virtual longlong Item_func_div::int_op()") at assert.c:101
#8  0x0000556c32e2c878 in Item_func_div::int_op (this=<optimized out>) at /test/10.5_dbg/sql/item_func.h:1454
#9  0x0000556c32cb9b52 in Item_func_hybrid_field_type::val_int_from_int_op (this=<optimized out>) at /test/10.5_dbg/sql/item_func.h:744
#10 Type_handler_int_result::Item_func_hybrid_field_type_val_int (this=<optimized out>, item=<optimized out>) at /test/10.5_dbg/sql/sql_type.cc:5234
#11 0x0000556c32df2bc8 in Item_func_hybrid_field_type::val_int (this=0x7ffa6ec74738) at /test/10.5_dbg/sql/item_func.h:800
#12 0x0000556c32cd0acd in Type_handler::Item_send_long (this=<optimized out>, item=0x7ffa6ec74738, protocol=0x7ffa6ec15650, buf=<optimized out>) at /test/10.5_dbg/sql/sql_type.cc:7170
#13 0x0000556c32cd8225 in Type_handler_long::Item_send (this=<optimized out>, item=<optimized out>, protocol=<optimized out>, buf=<optimized out>) at /test/10.5_dbg/sql/sql_type.h:5415
#14 0x0000556c329fd23f in Item::send (this=0x7ffa6ec74738, protocol=0x7ffa6ec15650, buffer=0x7ffa9c599100) at /test/10.5_dbg/sql/item.h:1054
#15 0x0000556c329fafaf in Protocol::send_result_set_row (this=this@entry=0x7ffa6ec15650, row_items=row_items@entry=0x7ffa6ec74280) at /test/10.5_dbg/sql/protocol.cc:1082
#16 0x0000556c32a8cfa8 in select_send::send_data (this=0x7ffa6ec750e8, items=...) at /test/10.5_dbg/sql/sql_class.cc:3006
#17 0x0000556c32b68e8b in select_result_sink::send_data_with_check (sent=0, u=<optimized out>, items=..., this=<optimized out>) at /test/10.5_dbg/sql/sql_class.h:5236
#18 JOIN::exec_inner (this=this@entry=0x7ffa6ec75110) at /test/10.5_dbg/sql/sql_select.cc:4331
#19 0x0000556c32b69c6b in JOIN::exec (this=this@entry=0x7ffa6ec75110) at /test/10.5_dbg/sql/sql_select.cc:4244
#20 0x0000556c32b67f80 in mysql_select (thd=thd@entry=0x7ffa6ec15088, tables=<optimized out>, fields=..., conds=0x0, og_num=0, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7ffa6ec750e8, unit=0x7ffa6ec19090, select_lex=0x7ffa6ec74130) at /test/10.5_dbg/sql/sql_select.cc:4668
#21 0x0000556c32b682af in handle_select (thd=thd@entry=0x7ffa6ec15088, lex=lex@entry=0x7ffa6ec18fc8, result=result@entry=0x7ffa6ec750e8, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_select.cc:417
#22 0x0000556c32af299a in execute_sqlcom_select (thd=thd@entry=0x7ffa6ec15088, all_tables=0x0) at /test/10.5_dbg/sql/sql_parse.cc:6168
#23 0x0000556c32aeb3ed in mysql_execute_command (thd=thd@entry=0x7ffa6ec15088) at /test/10.5_dbg/sql/sql_parse.cc:3901
#24 0x0000556c32af89d1 in mysql_parse (thd=thd@entry=0x7ffa6ec15088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7ffa9c59a450, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7953
#25 0x0000556c32ae4719 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7ffa6ec15088, packet=packet@entry=0x7ffa6ec67089 "", packet_length=packet_length@entry=19, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1839
#26 0x0000556c32ae2f6f in do_command (thd=0x7ffa6ec15088) at /test/10.5_dbg/sql/sql_parse.cc:1358
#27 0x0000556c32c3da53 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x7ffa730433a8, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1422
#28 0x0000556c32c3dd82 in handle_one_connection (arg=arg@entry=0x7ffa730433a8) at /test/10.5_dbg/sql/sql_connect.cc:1319
#29 0x0000556c3309e080 in pfs_spawn_thread (arg=0x7ffa9a045888) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#30 0x00007ffa9b9c26db in start_thread (arg=0x7ffa9c59b700) at pthread_create.c:463
#31 0x00007ffa9adc088f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.23 (dbg), 10.4.13 (dbg), 10.5.2 (dbg), 10.5.3 (dbg)

Bug confirmed not present in:
MariaDB: 10.1.45 (dbg), 10.1.45 (opt), 10.2.32 (dbg), 10.2.32 (opt), 10.3.23 (opt), 10.4.13 (opt), 10.5.2 (opt), 10.5.3 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)



Comments
Comment by Roel Van de Paar [ 2020-04-17 ]

Any connection with MDEV-12238 perhaps?

Comment by Roel Van de Paar [ 2020-04-17 ]

Another test case leading to a slightly different stack (val_real instead of val_int):

SET @@SESSION.div_precision_increment=-0;
SELECT(-0 * MOD((UTC_TIME / -0)MOD (ATAN('<img src_x0=x onerror="javascript:alert(0)">') MOD COT(0)),-0)) MOD (0 DIV 0);

Comment by Roel Van de Paar [ 2020-04-25 ]

Also seen on Item_func_hybrid_field_type::val_decimal_from_int_op as another code path.

Comment by Alexander Barkov [ 2020-06-12 ]

Also repeatable with:

SET @@SESSION.div_precision_increment=0;
SELECT TIMESTAMP'2001-01-01 00:00:00'/0;

SET @@SESSION.div_precision_increment=0;
SELECT TIME'00:00:00'/0;

Generated at Thu Feb 08 09:13:28 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.