[#MDEV-27452] TIMESTAMP(0) system field is allowed for certain creation of system-versioned table

Assertion `dec == 6' failure or server crash in Field_timestampf::set_max upon column-specific versioning with wrong timestamp precision

CREATE TABLE t (a INT WITH SYSTEM VERSIONING, s TIMESTAMP GENERATED ALWAYS AS ROW START, e TIMESTAMP GENERATED ALWAYS AS ROW END, PERIOD FOR SYSTEM_TIME (s,e));

INSERT INTO t () VALUES (),();

# Cleanup

DROP TABLE t;

10.3 25f598f5
mysqld: /data/src/10.3/sql/field.cc:5560: virtual void Field_timestampf::set_max(): Assertion `dec == 6' failed.
220109 19:05:27 [ERROR] mysqld got signal 6 ;

#7 0x00007fa36a197662 in __GI___assert_fail (assertion=0x55724dcdaf7f "dec == 6", file=0x55724dcd91d1 "/data/src/10.3/sql/field.cc", line=5560, function=0x55724dcdaf30 "virtual void Field_timestampf::set_max()") at assert.c:101
#8 0x000055724d2159f9 in Field_timestampf::set_max (this=0x7fa35409d3c0) at /data/src/10.3/sql/field.cc:5560
#9 0x000055724d054814 in TABLE::vers_update_fields (this=0x7fa3540ad200) at /data/src/10.3/sql/table.cc:8157
#10 0x000055724ce9a86e in fill_record (thd=0x7fa354000d90, table_arg=0x7fa3540ad200, fields=..., values=..., ignore_errors=false, update=false) at /data/src/10.3/sql/sql_base.cc:8461
#11 0x000055724ce9ace2 in fill_record_n_invoke_before_triggers (thd=0x7fa354000d90, table=0x7fa3540ad200, fields=..., values=..., ignore_errors=false, event=TRG_EVENT_INSERT) at /data/src/10.3/sql/sql_base.cc:8588
#12 0x000055724cee081e in mysql_insert (thd=0x7fa354000d90, table_list=0x7fa354012bb8, fields=..., values_list=..., update_fields=..., update_values=..., duplic=DUP_ERROR, ignore=false) at /data/src/10.3/sql/sql_insert.cc:968
#13 0x000055724cf25340 in mysql_execute_command (thd=0x7fa354000d90) at /data/src/10.3/sql/sql_parse.cc:4504
#14 0x000055724cf30bfa in mysql_parse (thd=0x7fa354000d90, rawbuf=0x7fa354012ad8 "INSERT INTO t () VALUES (),()", length=29, parser_state=0x7fa3641be5b0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7870
#15 0x000055724cf1d42f in dispatch_command (command=COM_QUERY, thd=0x7fa354000d90, packet=0x7fa354008f31 "INSERT INTO t () VALUES (),()", packet_length=29, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1852
#16 0x000055724cf1bded in do_command (thd=0x7fa354000d90) at /data/src/10.3/sql/sql_parse.cc:1398
#17 0x000055724d098602 in do_handle_one_connection (connect=0x5572503a1c40) at /data/src/10.3/sql/sql_connect.cc:1403
#18 0x000055724d09836d in handle_one_connection (arg=0x5572503a1c40) at /data/src/10.3/sql/sql_connect.cc:1308
#19 0x000055724da48090 in pfs_spawn_thread (arg=0x557250446880) at /data/src/10.3/storage/perfschema/pfs.cc:1869
#20 0x00007fa36a330ea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
#21 0x00007fa36a260def in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

==3401257==ERROR: AddressSanitizer: unknown-crash on address 0x6190000820c7 at pc 0x55e40c1a2a71 bp 0x7f6f220274f0 sp 0x7f6f220274e8

WRITE of size 1 at 0x6190000820c7 thread T5

    #0 0x55e40c1a2a70 in Field_timestampf::set_max() /data/src/10.3/sql/field.cc:5564

    #1 0x55e40be80da9 in TABLE::vers_update_fields() /data/src/10.3/sql/table.cc:8157

    #2 0x55e40baa3b1d in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /data/src/10.3/sql/sql_base.cc:8461

    #3 0x55e40baa4399 in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.3/sql/sql_base.cc:8588

    #4 0x55e40bb3bdab in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:968

    #5 0x55e40bbd242e in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4504

    #6 0x55e40bbe1847 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7870

    #7 0x55e40bbe653f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852

    #8 0x55e40bbec2dd in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398

    #9 0x55e40bf07a46 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403

    #10 0x55e40bf082aa in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308

    #11 0x55e40d14bc84 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869

    #12 0x7f6f2ca47ea6 in start_thread nptl/pthread_create.c:477

    #13 0x7f6f2c977dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)

0x6190000820c7 is located 71 bytes inside of 992-byte region [0x619000082080,0x619000082460)

allocated by thread T5 here:

    #0 0x7f6f2d2e9e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145

    #1 0x55e40d21b942 in my_malloc /data/src/10.3/mysys/my_malloc.c:101

    #2 0x55e40d207e7b in alloc_root /data/src/10.3/mysys/my_alloc.c:251

    #3 0x55e40d208b95 in strmake_root /data/src/10.3/mysys/my_alloc.c:481

    #4 0x55e40be77e04 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/src/10.3/sql/table.cc:3238

    #5 0x55e40ba8b54c in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1992

    #6 0x55e40ba94ce9 in open_and_process_table /data/src/10.3/sql/sql_base.cc:3715

    #7 0x55e40ba94ce9 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4190

    #8 0x55e40ba9697e in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:5129

    #9 0x55e40bb39c42 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.3/sql/sql_base.h:503

    #10 0x55e40bb39c42 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:760

    #11 0x55e40bbd242e in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4504

    #12 0x55e40bbe1847 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7870

    #13 0x55e40bbe653f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852

    #14 0x55e40bbec2dd in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398

    #15 0x55e40bf07a46 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403

    #16 0x55e40bf082aa in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308

    #17 0x55e40d14bc84 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869

    #18 0x7f6f2ca47ea6 in start_thread nptl/pthread_create.c:477

Thread T5 created by T0 here:

    #0 0x7f6f2d2952a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214

    #1 0x55e40d1502da in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919

    #2 0x55e40b97ae6b in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275

    #3 0x55e40b97ae6b in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6666

    #4 0x55e40b98b18d in create_new_thread /data/src/10.3/sql/mysqld.cc:6736

    #5 0x55e40b98b18d in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6994

    #6 0x55e40b98d135 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6288

    #7 0x7f6f2c8a0d09 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: unknown-crash /data/src/10.3/sql/field.cc:5564 in Field_timestampf::set_max()

Shadow bytes around the buggy address:

  0x0c32800083c0: 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00

  0x0c32800083d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c32800083e0: 00 00 00 00 00 f7 04 f7 f7 f7 f7 f7 fa fa fa fa

  0x0c32800083f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c3280008400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

=>0x0c3280008410: 00 00 00 00 f7 02 f7 00[05]00 05 00 05 f7 00 00

  0x0c3280008420: 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c3280008430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00

  0x0c3280008440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c3280008450: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00

  0x0c3280008460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

==3401257==ABORTING

[MDEV-27452] TIMESTAMP(0) system field is allowed for certain creation of system-versioned table Created: 2022-01-09 Updated: 2022-01-13 Resolved: 2022-01-13
Status:	Closed
Project:	MariaDB Server
Component/s:	Versioned Tables
Affects Version/s:	10.3, 10.4, 10.5, 10.6, 10.7
Fix Version/s:	10.3.33, 10.4.23, 10.5.14, 10.6.6, 10.7.2, 10.8.1

[MDEV-27452] TIMESTAMP(0) system field is allowed for certain creation of system-versioned table Created: 2022-01-09 Updated: 2022-01-13 Resolved: 2022-01-13