[MDEV-23687] Assertion `is_valid_value_slow()' failed in Datetime::Datetime upon EXTRACT under mode ZERO_DATE_TIME_CAST Created: 2020-09-07  Updated: 2023-11-28

Status: Open
Project: MariaDB Server
Component/s: Temporal Types
Affects Version/s: 10.4, 10.5, 10.6, 10.10, 10.11, 11.0, 11.1
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: None


 Description   

Note: MDEV-23018 mentions the same assertion, but everything else is different there.

SET SESSION old_mode= 'ZERO_DATE_TIME_CAST';
 
SELECT EXTRACT(DAY FROM CAST('100000:00:00' AS DATETIME));

10.4 7f8cd326

 
mysqld: /data/src/10.4/sql/sql_type.h:2172: Datetime::Datetime(THD*, Item*, date_mode_t): Assertion `is_valid_value_slow()' failed.
 
200908  2:10:33 [ERROR] mysqld got signal 6 ;
 
 
 
#6  0x00007f1567d4a729 in __assert_fail_base (fmt=0x7f1567ee0588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55a1c878c118 "is_valid_value_slow()", file=0x55a1c878c097 "/data/src/10.4/sql/sql_type.h", line=2172, function=<optimized out>) at assert.c:92
 
#7  0x00007f1567d5bf36 in __GI___assert_fail (assertion=0x55a1c878c118 "is_valid_value_slow()", file=0x55a1c878c097 "/data/src/10.4/sql/sql_type.h", line=2172, function=0x55a1c878c1b0 "Datetime::Datetime(THD*, Item*, date_mode_t)") at assert.c:101
 
#8  0x000055a1c78a0c3a in Datetime::Datetime (this=0x7f1561d2cf60, thd=0x7f1550000d90, item=0x7f1550013988, fuzzydate=...) at /data/src/10.4/sql/sql_type.h:2172
 
#9  0x000055a1c7d1929c in Datetime::Datetime (this=0x7f1561d2cf60, thd=0x7f1550000d90, item=0x7f1550013988, fuzzydate=..., dec=0) at /data/src/10.4/sql/sql_type.h:2220
 
#10 0x000055a1c7e4da3a in Item_datetime_typecast::get_date (this=0x7f1550013a38, thd=0x7f1550000d90, ltime=0x7f1561d2cf60, fuzzydate=...) at /data/src/10.4/sql/item_timefunc.cc:2475
 
#11 0x000055a1c7be40f0 in Temporal_hybrid::Temporal_hybrid (this=0x7f1561d2cf60, thd=0x7f1550000d90, item=0x7f1550013a38, fuzzydate=...) at /data/src/10.4/sql/sql_type.cc:254
 
#12 0x000055a1c7e50c06 in Extract_source::Extract_source (this=0x7f1561d2cf60, thd=0x7f1550000d90, item=0x7f1550013a38, mode=...) at /data/src/10.4/sql/sql_type.h:1130
 
#13 0x000055a1c7e4c415 in Item_extract::val_int (this=0x7f1550013af8) at /data/src/10.4/sql/item_timefunc.cc:2159
 
#14 0x000055a1c7bf635d in Type_handler::Item_send_long (this=0x55a1c908dc70 <type_handler_long>, item=0x7f1550013af8, protocol=0x7f1550001358, buf=0x7f1561d2d0a0) at /data/src/10.4/sql/sql_type.cc:6992
 
#15 0x000055a1c7c039c4 in Type_handler_long::Item_send (this=0x55a1c908dc70 <type_handler_long>, item=0x7f1550013af8, protocol=0x7f1550001358, buf=0x7f1561d2d0a0) at /data/src/10.4/sql/sql_type.h:5043
 
#16 0x000055a1c78a1492 in Item::send (this=0x7f1550013af8, protocol=0x7f1550001358, buffer=0x7f1561d2d0a0) at /data/src/10.4/sql/item.h:1038
 
#17 0x000055a1c789b1d3 in Protocol::send_result_set_row (this=0x7f1550001358, row_items=0x7f1550013658) at /data/src/10.4/sql/protocol.cc:1035
 
#18 0x000055a1c79542c2 in select_send::send_data (this=0x7f1550014518, items=...) at /data/src/10.4/sql/sql_class.cc:3010
 
#19 0x000055a1c7a1cefd in JOIN::exec_inner (this=0x7f1550014540) at /data/src/10.4/sql/sql_select.cc:4346
 
#20 0x000055a1c7a1c79a in JOIN::exec (this=0x7f1550014540) at /data/src/10.4/sql/sql_select.cc:4260
 
#21 0x000055a1c7a1deee in mysql_select (thd=0x7f1550000d90, tables=0x0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f1550014518, unit=0x7f1550004cb8, select_lex=0x7f1550013510) at /data/src/10.4/sql/sql_select.cc:4695
 
#22 0x000055a1c7a0d8ff in handle_select (thd=0x7f1550000d90, lex=0x7f1550004bf8, result=0x7f1550014518, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:410
 
#23 0x000055a1c79d3384 in execute_sqlcom_select (thd=0x7f1550000d90, all_tables=0x0) at /data/src/10.4/sql/sql_parse.cc:6355
 
#24 0x000055a1c79c99d6 in mysql_execute_command (thd=0x7f1550000d90) at /data/src/10.4/sql/sql_parse.cc:3889
 
#25 0x000055a1c79d738f in mysql_parse (thd=0x7f1550000d90, rawbuf=0x7f1550013438 "SELECT EXTRACT(DAY FROM CAST('100000:00:00' AS DATETIME))", length=57, parser_state=0x7f1561d2e550, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7896
 
#26 0x000055a1c79c389e in dispatch_command (command=COM_QUERY, thd=0x7f1550000d90, packet=0x7f1550008791 "", packet_length=57, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1834
 
#27 0x000055a1c79c2106 in do_command (thd=0x7f1550000d90) at /data/src/10.4/sql/sql_parse.cc:1352
 
#28 0x000055a1c7b4fd55 in do_handle_one_connection (connect=0x55a1cbe27030) at /data/src/10.4/sql/sql_connect.cc:1412
 
#29 0x000055a1c7b4fa9e in handle_one_connection (arg=0x55a1cbe27030) at /data/src/10.4/sql/sql_connect.cc:1316
 
#30 0x000055a1c8565502 in pfs_spawn_thread (arg=0x55a1cbd2d1b0) at /data/src/10.4/storage/perfschema/pfs.cc:1869
 
#31 0x00007f1568273609 in start_thread (arg=<optimized out>) at pthread_create.c:477
 
#32 0x00007f1567e47103 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Reproducible on 10.4, 10.5.
Can't be reproducible on 10.3 because the assertion was only added in 10.4. I don't know whether the underlying issue (if any) exists in earlier versions.
No obvious problem on a non-debug build.

 Comments   
Comment by Elena Stepanova [ 2023-08-20 ]

If you are trying to run the test case in the description on an ASAN + debug build and it doesn't fail, try just debug, without ASAN. On some reason, it (sometimes) makes a difference.

Or, here is another test case, which in turn fails specifically with ASAN errors:

SET old_mode=ZERO_DATE_TIME_CAST;
 
SELECT EXTRACT(MINUTE FROM TIMESTAMP(220101010101));

10.4 900c4d69

 
==3626939==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55f36317cd2e at pc 0x55f36166740d bp 0x7fb450c611f0 sp 0x7fb450c611e8
 
READ of size 1 at 0x55f36317cd2e thread T5
 
    #0 0x55f36166740c in check_date /data/src/10.4/sql-common/my_time.c:106
 
    #1 0x55f35fdbed7a in check_date /data/src/10.4/sql/sql_time.h:172
 
    #2 0x55f35fdc7a6a in time_to_datetime_with_warn(THD*, st_mysql_time const*, st_mysql_time*, date_conv_mode_t) /data/src/10.4/sql/sql_time.cc:1345
 
    #3 0x55f35ffc0855 in Temporal_with_date::make_from_item(THD*, Item*, date_mode_t) /data/src/10.4/sql/sql_type.cc:909
 
    #4 0x55f35f7b4463 in Temporal_with_date::Temporal_with_date(THD*, Item*, date_mode_t) /data/src/10.4/sql/sql_type.h:1971
 
    #5 0x55f35f7b487c in Datetime::Datetime(THD*, Item*, date_mode_t) /data/src/10.4/sql/sql_type.h:2250
 
    #6 0x55f3601d430b in Datetime::Datetime(THD*, Item*, date_mode_t, unsigned int) /data/src/10.4/sql/sql_type.h:2301
 
    #7 0x55f3604c2c56 in Item_datetime_typecast::get_date(THD*, st_mysql_time*, date_mode_t) /data/src/10.4/sql/item_timefunc.cc:2488
 
    #8 0x55f35ffbaa72 in Temporal_hybrid::Temporal_hybrid(THD*, Item*, date_mode_t) /data/src/10.4/sql/sql_type.cc:255
 
    #9 0x55f3604cad06 in Extract_source::Extract_source(THD*, Item*, date_mode_t) /data/src/10.4/sql/sql_type.h:1211
 
    #10 0x55f3604bf0aa in Item_extract::val_int() /data/src/10.4/sql/item_timefunc.cc:2172
 
    #11 0x55f35ffe0395 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /data/src/10.4/sql/sql_type.cc:7106
 
    #12 0x55f35fff98c5 in Type_handler_long::Item_send(Item*, Protocol*, st_value*) const (/mnt8t/bld/10.4-asan/bin/mysqld+0x18b68c5)
 
    #13 0x55f35f7b58ad in Item::send(Protocol*, st_value*) /data/src/10.4/sql/item.h:1044
 
    #14 0x55f35f7a794a in Protocol::send_result_set_row(List<Item>*) /data/src/10.4/sql/protocol.cc:1038
 
    #15 0x55f35f952504 in select_send::send_data(List<Item>&) /data/src/10.4/sql/sql_class.cc:3139
 
    #16 0x55f35fb3ba59 in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4473
 
    #17 0x55f35fb3a62d in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4387
 
    #18 0x55f35fb3e6bf in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4826
 
    #19 0x55f35fb0f2fe in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:442
 
    #20 0x55f35fa7e826 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6473
 
    #21 0x55f35fa6bd3b in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3976
 
    #22 0x55f35fa87a76 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
 
    #23 0x55f35fa5dd41 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
 
    #24 0x55f35fa5a8b0 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
 
    #25 0x55f35fe59e0f in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
 
    #26 0x55f35fe59726 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
 
    #27 0x55f360ac9e1f in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
 
    #28 0x7fb458aa7fd3 in start_thread nptl/pthread_create.c:442
 
    #29 0x7fb458b285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
 
 
 
Address 0x55f36317cd2e is a wild pointer inside of access range of size 0x000000000001.
 
SUMMARY: AddressSanitizer: global-buffer-overflow /data/src/10.4/sql-common/my_time.c:106 in check_date
 
Shadow bytes around the buggy address:
 
  0x0abeec627950: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 
  0x0abeec627960: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 
  0x0abeec627970: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 
  0x0abeec627980: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 
  0x0abeec627990: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 
=>0x0abeec6279a0: f9 f9 f9 f9 f9[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 
  0x0abeec6279b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 
  0x0abeec6279c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 
  0x0abeec6279d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0abeec6279e0: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9
 
  0x0abeec6279f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 
Shadow byte legend (one shadow byte represents 8 application bytes):
 
  Addressable:           00
 
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
 
  Freed heap region:       fd
 
  Stack left redzone:      f1
 
  Stack mid redzone:       f2
 
  Stack right redzone:     f3
 
  Stack after return:      f5
 
  Stack use after scope:   f8
 
  Global redzone:          f9
 
  Global init order:       f6
 
  Poisoned by user:        f7
 
  Container overflow:      fc
 
  Array cookie:            ac
 
  Intra object redzone:    bb
 
  ASan internal:           fe
 
  Left alloca redzone:     ca
 
  Right alloca redzone:    cb
 
Thread T5 created by T0 here:
 
    #0 0x7fb459049726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
 
    #1 0x55f360aca20c in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
 
    #2 0x55f35f765f89 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
 
    #3 0x55f35f77d690 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6287
 
    #4 0x55f35f77dddb in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6357
 
    #5 0x55f35f77e2a9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6455
 
    #6 0x55f35f77f155 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6613
 
    #7 0x55f35f77cdf3 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5945
 
    #8 0x55f35f7640b8 in main /data/src/10.4/sql/main.cc:25
 
    #9 0x7fb458a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
 
 
==3626939==ABORTING

Generated at Thu Feb 08 09:24:17 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.