[#MDEV-24176] Server crashes after insert in the table with virtual column generated using date

CREATE TABLE t1 (d1 date NOT NULL, d2 date NOT NULL,

gd text as (concat(d1,if(d1 <> d2, date_format(d2, 'to %Y-%m-%d '), ''))) );

insert into t1(d1,d2) values

  ('2020-09-01','2020-09-01'),('2020-05-01','2020-09-01');

--exec $MYSQL_DUMP test t1 > "$MYSQLTEST_VARDIR/tmp/1.sql" 2>&1

insert  into t1 values ('2020-09-01','2020-09-01');

10.2 c048053c8af5083d35f764
Version: '10.2.36-MariaDB-debug-log' socket: '/git/10.2/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution
=================================================================
==43634==ERROR: AddressSanitizer: use-after-poison on address 0x62b000001288 at pc 0x55c9eb51b0d4 bp 0x7febf2c80cd0 sp 0x7febf2c80cc8
READ of size 8 at 0x62b000001288 thread T6
#0 0x55c9eb51b0d3 in Item::val_temporal_packed(enum_field_types) /git/10.2/sql/item.h:1525
#1 0x55c9eb533dd7 in Arg_comparator::compare_temporal(enum_field_types) /git/10.2/sql/item_cmpfunc.cc:792
#2 0x55c9eabd087a in Arg_comparator::compare_datetime() /git/10.2/sql/item_cmpfunc.h:105
#3 0x55c9eb57279f in Arg_comparator::compare() /git/10.2/sql/item_cmpfunc.h:87
#4 0x55c9eb5402d7 in Item_func_ne::val_int() /git/10.2/sql/item_cmpfunc.cc:1824
#5 0x55c9eb4bfdc3 in Item::val_bool() /git/10.2/sql/item.cc:112
#6 0x55c9eb5496fc in Item_func_if::str_op(String*) /git/10.2/sql/item_cmpfunc.cc:2533
#7 0x55c9eb5fa020 in Item_func_hybrid_field_type::str_op_with_null_check(String*) /git/10.2/sql/item_func.h:467
#8 0x55c9eb5b7d4d in Item_func_hybrid_field_type::val_str(String*) /git/10.2/sql/item_func.cc:881
#9 0x55c9eb632ee3 in Item_func_concat::val_str(String*) /git/10.2/sql/item_strfunc.cc:611
#10 0x55c9eb4efc69 in Item::save_in_field(Field*, bool) /git/10.2/sql/item.cc:6387
#11 0x55c9eb11e6ce in TABLE::update_virtual_fields(handler*, enum_vcol_update_mode) /git/10.2/sql/table.cc:7759
#12 0x55c9eb49940a in handler::ha_rnd_next(unsigned char*) /git/10.2/sql/handler.cc:2674
#13 0x55c9eb85ae15 in rr_sequential(READ_RECORD*) /git/10.2/sql/records.cc:492
#14 0x55c9eaf59251 in join_init_read_record(st_join_table*) /git/10.2/sql/sql_select.cc:19785
#15 0x55c9eaf51e3e in sub_select(JOIN, st_join_table, bool) /git/10.2/sql/sql_select.cc:18856
#16 0x55c9eaf4fb0c in do_select /git/10.2/sql/sql_select.cc:18403
#17 0x55c9eaee6c63 in JOIN::exec_inner() /git/10.2/sql/sql_select.cc:3641
#18 0x55c9eaee47d5 in JOIN::exec() /git/10.2/sql/sql_select.cc:3436
#19 0x55c9eaee7e35 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /git/10.2/sql/sql_select.cc:3836
#20 0x55c9eaec49a9 in handle_select(THD, LEX, select_result*, unsigned long) /git/10.2/sql/sql_select.cc:361
#21 0x55c9eae38bb6 in execute_sqlcom_select /git/10.2/sql/sql_parse.cc:6249
#22 0x55c9eae23ef0 in mysql_execute_command(THD*) /git/10.2/sql/sql_parse.cc:3558
#23 0x55c9eae41ee7 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /git/10.2/sql/sql_parse.cc:7761
#24 0x55c9eae18cd3 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /git/10.2/sql/sql_parse.cc:1827
#25 0x55c9eae156f8 in do_command(THD*) /git/10.2/sql/sql_parse.cc:1381
#26 0x55c9eb1bc9b2 in do_handle_one_connection(CONNECT*) /git/10.2/sql/sql_connect.cc:1336
#27 0x55c9eb1bc273 in handle_one_connection /git/10.2/sql/sql_connect.cc:1241
#28 0x55c9ec655d23 in pfs_spawn_thread /git/10.2/storage/perfschema/pfs.cc:1869
#29 0x7febfd780fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
#30 0x7febfd1044ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)

0x62b000001288 is located 4232 bytes inside of 24716-byte region [0x62b000000200,0x62b00000628c)
allocated by thread T5 here:
#0 0x7febfd883330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x55c9ec83aac1 in sf_malloc /git/10.2/mysys/safemalloc.c:118
#2 0x55c9ec8080a9 in my_malloc /git/10.2/mysys/my_malloc.c:101
#3 0x55c9ec7e5c56 in reset_root_defaults /git/10.2/mysys/my_alloc.c:147
#4 0x55c9ead5d05b in THD::init_for_queries() /git/10.2/sql/sql_class.cc:1313
#5 0x55c9eb1bbbb5 in prepare_new_connection_state(THD*) /git/10.2/sql/sql_connect.cc:1172
#6 0x55c9eb1bc2b9 in thd_prepare_connection(THD*) /git/10.2/sql/sql_connect.cc:1256
#7 0x55c9eb1bc8dd in do_handle_one_connection(CONNECT*) /git/10.2/sql/sql_connect.cc:1326
#8 0x55c9eb1bc273 in handle_one_connection /git/10.2/sql/sql_connect.cc:1241
#9 0x55c9ec655d23 in pfs_spawn_thread /git/10.2/storage/perfschema/pfs.cc:1869
#10 0x7febfd780fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486

Thread T6 created by T0 here:
#0 0x7febfd7eadb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
#1 0x55c9ec65615f in spawn_thread_v1 /git/10.2/storage/perfschema/pfs.cc:1919
#2 0x55c9eabaa494 in inline_mysql_thread_create /git/10.2/include/mysql/psi/mysql_thread.h:1246
#3 0x55c9eabc253e in create_thread_to_handle_connection(CONNECT*) /git/10.2/sql/mysqld.cc:6567
#4 0x55c9eabc2c93 in create_new_thread /git/10.2/sql/mysqld.cc:6637
#5 0x55c9eabc3e14 in handle_connections_sockets() /git/10.2/sql/mysqld.cc:6895
#6 0x55c9eabc1921 in mysqld_main(int, char**) /git/10.2/sql/mysqld.cc:6186
#7 0x55c9eaba8de4 in main /git/10.2/sql/main.cc:25
#8 0x7febfd02f09a in __libc_start_main ../csu/libc-start.c:308

Thread T5 created by T0 here:
#0 0x7febfd7eadb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
#1 0x55c9ec65615f in spawn_thread_v1 /git/10.2/storage/perfschema/pfs.cc:1919
#2 0x55c9eabaa494 in inline_mysql_thread_create /git/10.2/include/mysql/psi/mysql_thread.h:1246
#3 0x55c9eabc253e in create_thread_to_handle_connection(CONNECT*) /git/10.2/sql/mysqld.cc:6567
#4 0x55c9eabc2c93 in create_new_thread /git/10.2/sql/mysqld.cc:6637
#5 0x55c9eabc3e14 in handle_connections_sockets() /git/10.2/sql/mysqld.cc:6895
#6 0x55c9eabc1921 in mysqld_main(int, char**) /git/10.2/sql/mysqld.cc:6186
#7 0x55c9eaba8de4 in main /git/10.2/sql/main.cc:25
#8 0x7febfd02f09a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: use-after-poison /git/10.2/sql/item.h:1525 in Item::val_temporal_packed(enum_field_types)
Shadow bytes around the buggy address:
0x0c567fff8200: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff8210: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff8220: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff8230: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff8240: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c567fff8250: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff8260: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff8270: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff8280: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff8290: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c567fff82a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==43634==ABORTING
----------SERVER LOG END-------------
mysqltest failed but provided no output

10.5 f424eb974d2cf5fe875
201109 17:04:20 [ERROR] mysqld got signal 11 ;

Server version: 10.5.8-MariaDB-debug-log

??:0(__restore_rt)[0x7f684602d730]
sql/item.h:2584(Item_args::walk_args(bool (Item::)(void), bool, void*))[0x55ebabb11c48]
sql/item.h:5222(Item_func_or_sum::walk(bool (Item::)(void), bool, void*))[0x55ebabb12335]
sql/item.h:2584(Item_args::walk_args(bool (Item::)(void), bool, void*))[0x55ebabb11c5d]
sql/item.h:5222(Item_func_or_sum::walk(bool (Item::)(void), bool, void*))[0x55ebabb12335]
sql/table.cc:3522(fix_session_vcol_expr(THD, Virtual_column_info))[0x55ebabce8e3c]
sql/sql_base.cc:5357(TABLE::fix_vcol_exprs(THD*))[0x55ebabb05d97]
sql/sql_base.cc:5393(fix_all_session_vcol_exprs(THD, TABLE_LIST))[0x55ebabb05fc6]
sql/sql_base.cc:5576(lock_tables(THD, TABLE_LIST, unsigned int, unsigned int))[0x55ebabb066b7]
sql/sql_base.cc:5188(open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*))[0x55ebabb057d2]
sql/sql_base.h:507(open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int))[0x55ebababcdf7]
sql/sql_insert.cc:756(mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x55ebabb57a01]
sql/sql_parse.cc:4587(mysql_execute_command(THD*))[0x55ebabbaa59e]
sql/sql_parse.cc:8044(mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool))[0x55ebabbb601d]
sql/sql_parse.cc:1875(dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool))[0x55ebabba22d8]
sql/sql_parse.cc:1353(do_command(THD*))[0x55ebabba0a0e]
sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x55ebabd47441]
sql/sql_connect.cc:1314(handle_one_connection)[0x55ebabd471aa]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55ebac284a4b]
nptl/pthread_create.c:487(start_thread)[0x7f6846022fa3]
x86_64/clone.S:97(clone)[0x7f684562b4cf]

Query (0x7f6824013ee0): insert into t1 values ('2020-09-01','2020-09-01')

create table t1 (d1 date, gd text as (if(d1='',date_format(d1,'%y-%m-%d'),'')));

--exec $MYSQL_DUMP test t1 > "$MYSQLTEST_VARDIR/tmp/1.sql" 2>&1

insert into t1 values ();

--echo # MDEV-25772 (duplicate)

create table t1 (d1 datetime , v_d1 tinyint(1) as (d1 < curdate()));

insert into t1 (d1) values ('2021-09-11 08:38:23'), ('2021-09-01 08:38:23');

select * from t1 where v_d1=1;

select * from t1;

drop table t1;

--echo # MDEV-26432 (duplicate)

create table t1 (v2 int, v1 int as ((user() like 'x'))) ;

select 1 from t1 where v1=1 ;

select * from t1;

drop table t1;

create table t1 (v2 int as ( user () like 'x'));

select 1 from t1 order by v2 ;

alter table t1 add i int;

drop table t1;

--echo # MDEV-26437 (duplicate)

create table v0 (v2 int not null,

                 v1 bigint as (case 'x' when current_user() then v2 end));

select v2 as v3 from v0 where v1 like 'x' escape 'x';

insert into v0 (v2) values (-128);

drop table v0;

create table t1 (vi int as (case 'x' when current_user() then 1 end));

select 1 from t1 where vi=1;

show create table t1;

drop table t1;

create table t1 (vi int as (case 'x' when current_user() then 1 end));

select 1 from t1 where vi=1;

select 1 from t1 where vi=1;

drop table t1;

CREATE TABLE t1 (b TIMESTAMP, a int AS (1 IN (dayofmonth (b BETWEEN 'x' AND CURRENT_USER) = b)));

INSERT INTO t1(b) VALUES ('2022-03-17 14:55:37');

SELECT 1 FROM t1 x NATURAL JOIN t1;

CREATE TABLE v0 ( v3 DATE , v2 INT , v1 DATE GENERATED ALWAYS AS ( UNIX_TIMESTAMP ( INET_ATON ( 87 ) ) IN ( 'x' , ASCII ( DATABASE ( ) = 'x' IS NULL ) ) ) ) engine=innodb;

 SELECT v1 , '' , v2 FROM v0 INTO OUTFILE 'x' ;

 SELECT v2 FROM v0 ORDER BY 'x' = ( SELECT v1 WHERE v2 ) ;

10.7 bf8dc0be9e4bc26a57223ea1
Version: '10.7.4-MariaDB-debug-log'
220321 15:24:19 [ERROR] mysqld got signal 11 ;

Server version: 10.7.4-MariaDB-debug-log

sql/signal_handler.cc:226(handle_fatal_signal)[0x556378121e5f]
sigaction.c:0(__restore_rt)[0x7ff4f3dfe3c0]
mysys/my_malloc.c:198(my_free)[0x5563795dc9fc]
sql/keycaches.cc:52(NAMED_ILINK::~NAMED_ILINK())[0x5563774f1ff4]
sql/item.h:5311(Used_tables_and_const_cache::used_tables_and_const_cache_join(Item const*))[0x55637756cf66]
sql/item_func.cc:354(Item_func::fix_fields(THD, Item*))[0x556378275310]
sql/item.h:1144(Item::fix_fields_if_needed(THD, Item*))[0x5563775c57c1]
sql/item_func.cc:347(Item_func::fix_fields(THD, Item*))[0x5563782751ee]
sql/item.h:1144(Item::fix_fields_if_needed(THD, Item*))[0x5563775c57c1]
sql/item_func.cc:347(Item_func::fix_fields(THD, Item*))[0x5563782751ee]
sql/item.h:1144(Item::fix_fields_if_needed(THD, Item*))[0x5563775c57c1]
sql/item_func.cc:347(Item_func::fix_fields(THD, Item*))[0x5563782751ee]
sql/item_cmpfunc.cc:4328(Item_func_in::fix_fields(THD, Item*))[0x556378217ebd]
sql/table.cc:3596(fix_vcol_expr(THD, Virtual_column_info))[0x556377c29fc6]
sql/table.cc:3624(fix_session_vcol_expr(THD, Virtual_column_info))[0x556377c2a5e7]
sql/table.cc:3643(fix_session_vcol_expr_for_read(THD, Field, Virtual_column_info*))[0x556377c2a913]
sql/item.cc:6175(Item_field::fix_fields(THD, Item*))[0x5563781ad897]
sql/item.h:1144(Item::fix_fields_if_needed(THD, Item*))[0x5563775c57c1]
sql/item.h:1148(Item::fix_fields_if_needed_for_scalar(THD, Item*))[0x5563775c57fb]
sql/sql_base.cc:7722(setup_fields(THD, Bounds_checked_array<Item>, List<Item>&, enum_column_usage, List<Item>, List<Item>, bool))[0x5563776eb9a6]
sql/sql_select.cc:1397(JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit))[0x5563779730dd]
sql/item_subselect.cc:3900(subselect_single_select_engine::prepare(THD*))[0x5563783cfc74]
sql/item_subselect.cc:295(Item_subselect::fix_fields(THD, Item*))[0x5563783aa316]
sql/item.h:1144(Item::fix_fields_if_needed(THD, Item*))[0x5563775c57c1]
sql/item_func.cc:347(Item_func::fix_fields(THD, Item*))[0x5563782751ee]
sql/item.h:1144(Item::fix_fields_if_needed(THD, Item*))[0x5563775c57c1]
sql/item.h:1148(Item::fix_fields_if_needed_for_scalar(THD, Item*))[0x5563775c57fb]
sql/item.h:1157(Item::fix_fields_if_needed_for_order_by(THD, Item*))[0x556377a5726d]
sql/sql_select.cc:25013(find_order_in_list(THD, Bounds_checked_array<Item>, TABLE_LIST, st_order, List<Item>&, List<Item>&, bool, bool, bool))[0x556377a2b363]
sql/sql_select.cc:25060(setup_order(THD, Bounds_checked_array<Item>, TABLE_LIST, List<Item>&, List<Item>&, st_order, bool))[0x556377a2b923]
sql/sql_select.cc:849(setup_without_group(THD, Bounds_checked_array<Item>, TABLE_LIST, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item, st_order, st_order, List<Window_spec>&, List<Item_window_func>&, bool, unsigned int*))[0x55637796c1fd]
sql/sql_select.cc:1403(JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit))[0x5563779734b2]
sql/sql_select.cc:4984(mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex))[0x5563779999b3]
sql/sql_select.cc:545(handle_select(THD, LEX, select_result*, unsigned long))[0x556377969ef5]
sql/sql_parse.cc:6252(execute_sqlcom_select(THD, TABLE_LIST))[0x556377890990]
sql/sql_parse.cc:3943(mysql_execute_command(THD*, bool))[0x55637787f55f]
sql/sql_parse.cc:8027(mysql_parse(THD, char, unsigned int, Parser_state*))[0x55637789bc2f]
sql/sql_parse.cc:1896(dispatch_command(enum_server_command, THD, char, unsigned int, bool))[0x556377871e66]
sql/sql_parse.cc:1402(do_command(THD*, bool))[0x55637786eb8a]
sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x556377d10b07]
sql/sql_connect.cc:1314(handle_one_connection)[0x556377d10393]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x5563789badfc]
nptl/pthread_create.c:478(start_thread)[0x7ff4f3df2609]
??:0(clone)[0x7ff4f39c3163]

Query (0x6290001092a8): SELECT v2 FROM v0 ORDER BY 'x' = ( SELECT v1 WHERE v2 )

CREATE TABLE t1 (a INT , b DATE AS (1 IN ('x' ,(DATABASE () = 'x' IS NULL) ))) ;

 SELECT b FROM t1;

 SELECT a FROM t1 ORDER BY 'x' = b ;

10.2 421153848f0002c9e9b5e204d4c6
Version: '10.2.44-MariaDB-debug-log'
220321 15:09:43 [ERROR] mysqld got signal 11 ;


Server version: 10.2.44-MariaDB-debug-log

sigaction.c:0(__restore_rt)[0x7fde57ed53c0]
sql/item.h:4134(Item_args::walk_args(bool (Item::)(void), bool, void*))[0x5561a73b5ff3]
sql/item.h:4420(Item_func_or_sum::walk(bool (Item::)(void), bool, void*))[0x5561a73b6b7c]
sql/item.h:4134(Item_args::walk_args(bool (Item::)(void), bool, void*))[0x5561a73b6021]
sql/item.h:4420(Item_func_or_sum::walk(bool (Item::)(void), bool, void*))[0x5561a73b6b7c]
sql/table.cc:6843(TABLE::mark_virtual_col(Field*))[0x5561a7797e97]
sql/sql_base.cc:5315(update_field_dependencies(THD, Field, TABLE*))[0x5561a739ca42]
sql/sql_base.cc:5652(find_field_in_table(THD, TABLE, char const, unsigned int, bool, unsigned int))[0x5561a739f56b]
sql/sql_base.cc:5765(find_field_in_table_ref(THD, TABLE_LIST, char const, unsigned int, char const, char const, char const, Item*, bool, bool, unsigned int, bool, TABLE_LIST**))[0x5561a739ffc8]
sql/sql_base.cc:6058(find_field_in_tables(THD, Item_ident, TABLE_LIST, TABLE_LIST, Item**, find_item_error_report_type, bool, bool))[0x5561a73a18b1]
sql/item.cc:5505(Item_field::fix_fields(THD, Item*))[0x5561a7b5aa51]
sql/item_func.cc:201(Item_func::fix_fields(THD, Item*))[0x5561a7c24103]
sql/sql_select.cc:22736(find_order_in_list(THD, Bounds_checked_array<Item>, TABLE_LIST, st_order, List<Item>&, List<Item>&, bool, bool, bool))[0x5561a75fa69b]
sql/sql_select.cc:22784(setup_order(THD, Bounds_checked_array<Item>, TABLE_LIST, List<Item>&, List<Item>&, st_order, bool))[0x5561a75facc8]
sql/sql_select.cc:665(setup_without_group(THD, Bounds_checked_array<Item>, TABLE_LIST, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item, st_order, st_order, List<Window_spec>&, List<Item_window_func>&, bool, unsigned int*))[0x5561a7556519]
sql/sql_select.cc:812(JOIN::prepare(TABLE_LIST, unsigned int, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit))[0x5561a75581ab]
sql/sql_select.cc:3827(mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex))[0x5561a7577592]
sql/sql_select.cc:361(handle_select(THD, LEX, select_result*, unsigned long))[0x5561a7554184]
sql/sql_parse.cc:6271(execute_sqlcom_select(THD, TABLE_LIST))[0x5561a74ca7ef]
sql/sql_parse.cc:3582(mysql_execute_command(THD*))[0x5561a74b7b78]
sql/sql_parse.cc:7793(mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool))[0x5561a74d3d04]
sql/sql_parse.cc:1830(dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool))[0x5561a74acf09]
sql/sql_parse.cc:1381(do_command(THD*))[0x5561a74a9cd4]
sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x5561a783640a]
sql/sql_connect.cc:1242(handle_one_connection)[0x5561a7835ccd]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x5561a8bd6b6a]
nptl/pthread_create.c:478(start_thread)[0x7fde57ec9609]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7fde57637163]

Query (0x62b000000290): SELECT a FROM t1 ORDER BY 'x'= b

Version: '10.6.8-MariaDB-debug-log'

mariadbd: 10.6/src/sql/table.cc:3608: bool fix_session_vcol_expr(THD*, Virtual_column_info*): Assertion `!vcol->expr->fixed()' failed.

220321 15:07:00 [ERROR] mysqld got signal 6 ;

Server version: 10.6.8-MariaDB-debug-log

??:0(__assert_fail)[0x7f219147a006]

sql/table.cc:3609(fix_session_vcol_expr(THD*, Virtual_column_info*))[0x55c13ce0ed75]

sql/table.cc:3628(fix_session_vcol_expr_for_read(THD*, Field*, Virtual_column_info*))[0x55c13ce0f0ff]

sql/item.cc:6175(Item_field::fix_fields(THD*, Item**))[0x55c13d39246d]

sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x55c13c7ee1f9]

sql/item_func.cc:347(Item_func::fix_fields(THD*, Item**))[0x55c13d45cbda]

sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x55c13c7ee1f9]

sql/item.h:1148(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55c13c7ee233]

sql/item.h:1157(Item::fix_fields_if_needed_for_order_by(THD*, Item**))[0x55c13cc39855]

sql/sql_select.cc:25015(find_order_in_list(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, st_order*, List<Item>&, List<Item>&, bool, bool, bool))[0x55c13cc0c677]

sql/sql_select.cc:25062(setup_order(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, st_order*, bool))[0x55c13cc0cc37]

sql/sql_select.cc:849(setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*, unsigned int*))[0x55c13cb4d5cd]

sql/sql_select.cc:1403(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55c13cb54882]

sql/sql_select.cc:4986(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55c13cb7ad0f]

sql/sql_select.cc:545(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55c13cb4b2c5]

sql/sql_parse.cc:6255(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55c13cab02d1]

sql/sql_parse.cc:3945(mysql_execute_command(THD*, bool))[0x55c13ca9ee77]

sql/sql_parse.cc:8029(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55c13cabb594]

sql/sql_parse.cc:1898(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55c13ca9177d]

sql/sql_parse.cc:1404(do_command(THD*, bool))[0x55c13ca8e4a1]

sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x55c13cef629d]

sql/sql_connect.cc:1314(handle_one_connection)[0x55c13cef5b29]

perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55c13dc1bfc2]

nptl/pthread_create.c:478(start_thread)[0x7f2191994609]

??:0(clone)[0x7f2191565163]

Query (0x62b0000c42a8): SELECT a FROM t1 ORDER BY 'x'= b

CREATE TABLE t1 (a INT , b DATE AS (1 IN ('x' ,(DATABASE ()) ))) ;

 SELECT b FROM t1;

 SELECT a FROM t1 ORDER BY 'x' = b ;

Version: '10.6.8-MariaDB-debug-log'

=================================================================

==216379==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000c60a0 at pc 0x5577a2c31f8b bp 0x7ff1edfafcd0 sp 0x7ff1edfafcc0

WRITE of size 4 at 0x62b0000c60a0 thread T11

    #0 0x5577a2c31f8a in base_list::empty() 10.6/src/sql/sql_list.h:159

    #1 0x5577a30539a1 in JOIN::cleanup(bool) 10.6/src/sql/sql_select.cc:14318

    #2 0x5577a305298a in JOIN::join_free() 10.6/src/sql/sql_select.cc:14172

    #3 0x5577a30571cb in return_zero_rows 10.6/src/sql/sql_select.cc:14839

    #4 0x5577a300d83a in JOIN::exec_inner() 10.6/src/sql/sql_select.cc:4674

    #5 0x5577a300ba29 in JOIN::exec() 10.6/src/sql/sql_select.cc:4531

    #6 0x5577a300ff7c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) 10.6/src/sql/sql_select.cc:5010

    #7 0x5577a2fe02c4 in handle_select(THD*, LEX*, select_result*, unsigned long) 10.6/src/sql/sql_select.cc:545

    #8 0x5577a2f452d0 in execute_sqlcom_select 10.6/src/sql/sql_parse.cc:6255

    #9 0x5577a2f33e76 in mysql_execute_command(THD*, bool) 10.6/src/sql/sql_parse.cc:3945

    #10 0x5577a2f50593 in mysql_parse(THD*, char*, unsigned int, Parser_state*) 10.6/src/sql/sql_parse.cc:8029

    #11 0x5577a2f2677c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) 10.6/src/sql/sql_parse.cc:1896

    #12 0x5577a2f234a0 in do_command(THD*, bool) 10.6/src/sql/sql_parse.cc:1404

    #13 0x5577a338b29c in do_handle_one_connection(CONNECT*, bool) 10.6/src/sql/sql_connect.cc:1418

    #14 0x5577a338ab28 in handle_one_connection 10.6/src/sql/sql_connect.cc:1312

    #15 0x5577a40b0fc1 in pfs_spawn_thread 10.6/src/storage/perfschema/pfs.cc:2201

    #16 0x7ff1fce3c608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477

    #17 0x7ff1fca0d162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

0x62b0000c60a0 is located 7840 bytes inside of 24740-byte region [0x62b0000c4200,0x62b0000ca2a4)

allocated by thread T11 here:

    #0 0x7ff1fd3c7808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144

    #1 0x5577a4cfa827 in sf_malloc 10.6/src/mysys/safemalloc.c:126

    #2 0x5577a4cc7a4e in my_malloc 10.6/src/mysys/my_malloc.c:90

    #3 0x5577a4ca30fb in reset_root_defaults 10.6/src/mysys/my_alloc.c:148

    #4 0x5577a2df8b38 in THD::init_for_queries() 10.6/src/sql/sql_class.cc:1406

    #5 0x5577a338a45d in prepare_new_connection_state(THD*) 10.6/src/sql/sql_connect.cc:1240

    #6 0x5577a338aba7 in thd_prepare_connection(THD*) 10.6/src/sql/sql_connect.cc:1333

    #7 0x5577a338b1c2 in do_handle_one_connection(CONNECT*, bool) 10.6/src/sql/sql_connect.cc:1408

    #8 0x5577a338ab28 in handle_one_connection 10.6/src/sql/sql_connect.cc:1312

    #9 0x5577a40b0fc1 in pfs_spawn_thread 10.6/src/storage/perfschema/pfs.cc:2201

    #10 0x7ff1fce3c608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477

Thread T11 created by T0 here:

    #0 0x7ff1fd2f4815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208

    #1 0x5577a40acba8 in my_thread_create 10.6/src/storage/perfschema/my_thread.h:52

    #2 0x5577a40b13b4 in pfs_spawn_thread_v1 10.6/src/storage/perfschema/pfs.cc:2252

    #3 0x5577a2c0ec18 in inline_mysql_thread_create 10.6/src/include/mysql/psi/mysql_thread.h:1139

    #4 0x5577a2c264c9 in create_thread_to_handle_connection(CONNECT*) 10.6/src/sql/mysqld.cc:5934

    #5 0x5577a2c26b45 in create_new_thread(CONNECT*) 10.6/src/sql/mysqld.cc:5993

    #6 0x5577a2c26eb2 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) 10.6/src/sql/mysqld.cc:6055

    #7 0x5577a2c2789f in handle_connections_sockets() 10.6/src/sql/mysqld.cc:6179

    #8 0x5577a2c25cd6 in mysqld_main(int, char**) 10.6/src/sql/mysqld.cc:5829

    #9 0x5577a2c0df3c in main 10.6/src/sql/main.cc:34

    #10 0x7ff1fc9120b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)

SUMMARY: AddressSanitizer: use-after-poison 10.6/src/sql/sql_list.h:159 in base_list::empty()

Shadow bytes around the buggy address:

  0x0c5680010bc0: 00 00 00 00 00 00 f7 00 00 00 00 00 f7 00 00 00

  0x0c5680010bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c5680010be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c5680010bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c5680010c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

=>0x0c5680010c10: 00 f7 f7 f7[f7]f7 f7 f7 00 00 00 00 00 00 00 00

  0x0c5680010c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c5680010c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c5680010c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c5680010c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c5680010c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

==216379==ABORTING

[MDEV-24176] Server crashes after insert in the table with virtual column generated using date_format() and if() Created: 2020-11-09 Updated: 2023-11-24 Resolved: 2022-04-18
Status:	Closed
Project:	MariaDB Server
Component/s:	Virtual Columns
Affects Version/s:	10.2, 10.3, 10.4, 10.5, 10.6, 10.7
Fix Version/s:	10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4, 10.8.3

[MDEV-24176] Server crashes after insert in the table with virtual column generated using date_format() and if() Created: 2020-11-09 Updated: 2023-11-24 Resolved: 2022-04-18