[MDEV-29653] Assertion `0' failed in Item_cache_row::illegal_method_call on SELECT from Spider table
Created: 2022-09-28  Updated: 2022-12-22  Resolved: 2022-12-22

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - Spider
Affects Version/s: 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11
Fix Version/s: 10.11.2, 10.4.28, 10.5.19, 10.6.12, 10.7.8, 10.8.7, 10.9.5, 10.10.3

Type: Bug
Priority: Critical
Reporter: Roel Van de Paar
Assignee: Yuchen Pei
Resolution: Fixed
Votes: 0
Labels: None


 Description   

INSTALL PLUGIN Spider SONAME 'ha_spider.so';
CREATE USER Spider@localhost IDENTIFIED BY 'PWD123';
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock', DATABASE 'test', USER 'Spider', PASSWORD 'PWD123');
CREATE TABLE t (c INT) ENGINE=InnoDB;
CREATE TABLE ts (c INT) ENGINE=Spider COMMENT='WRAPPER "mysql", srv "srv", TABLE "t"';
SELECT 1 FROM ts WHERE ROW(c,c) NOT IN ((0,0),(1,1));

Leads to:

10.11.0 6ebdd3013a18b01dbecec76b870810329eb76586 (Debug)

mysqld: /test/10.11_dbg/sql/item.cc:10628: void Item_cache_row::illegal_method_call(const char*): Assertion `0' failed.

10.11.0 6ebdd3013a18b01dbecec76b870810329eb76586 (Debug)

Core was generated by `/test/MD190922-mariadb-10.11.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x1467e09c8700 (LWP 1376788))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00001467f971f859 in __GI_abort () at abort.c:79
#2  0x00001467f971f729 in __assert_fail_base (fmt=0x1467f98b5588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x557ab38c73c6 "0", file=0x557ab38ac780 "/test/10.11_dbg/sql/item.cc", line=10628, function=<optimized out>) at assert.c:92
#3  0x00001467f9730fd6 in __GI___assert_fail (assertion=assertion@entry=0x557ab38c73c6 "0", file=file@entry=0x557ab38ac780 "/test/10.11_dbg/sql/item.cc", line=line@entry=10628, function=function@entry=0x557ab38af498 "void Item_cache_row::illegal_method_call(const char*)") at assert.c:101
#4  0x0000557ab2e46150 in Item_cache_row::illegal_method_call (this=this@entry=0x1467a4017008, method=method@entry=0x557ab38af6a6 "val_str") at /test/10.11_dbg/sql/item.cc:10628
#5  0x0000557ab2e51138 in Item_cache_row::val_str (this=this@entry=0x1467a4017008) at /test/10.11_dbg/sql/item.h:7521
#6  0x00001467e088cb60 in spider_db_open_item_string (item=item@entry=0x1467a4017008, field=field@entry=0x0, spider=spider@entry=0x1467a4078090, str=str@entry=0x1467a40844a0, alias=alias@entry=0x0, alias_length=alias_length@entry=0, dbton_id=0, use_fields=true, fields=0x1467a40b3740) at /test/10.11_dbg/storage/spider/spd_db_conn.cc:7906
#7  0x00001467e088d2e5 in spider_db_open_item_cache (item_cache=item_cache@entry=0x1467a4017008, field=field@entry=0x0, spider=spider@entry=0x1467a4078090, str=str@entry=0x1467a40844a0, alias=alias@entry=0x0, alias_length=alias_length@entry=0, dbton_id=0, use_fields=true, fields=0x1467a40b3740) at /test/10.11_dbg/storage/spider/spd_db_conn.cc:8131
#8  0x00001467e088d852 in spider_db_print_item_type (item=0x1467a4017008, field=field@entry=0x0, spider=spider@entry=0x1467a4078090, str=str@entry=0x1467a40844a0, alias=alias@entry=0x0, alias_length=alias_length@entry=0, dbton_id=0, use_fields=true, fields=0x1467a40b3740) at /test/10.11_dbg/storage/spider/spd_db_conn.cc:7422
#9  0x00001467e091a140 in spider_db_mbase_util::open_item_func (this=0x1467e097d150 <spider_db_mysql_utility>, item_func=0x1467a4014630, spider=0x1467a4078090, str=0x1467a40844a0, alias=0x0, alias_length=0, use_fields=true, fields=0x1467a40b3740) at /test/10.11_dbg/storage/spider/spd_db_mysql.cc:6612
#10 0x00001467e088c16d in spider_db_open_item_func (item_func=item_func@entry=0x1467a4014630, spider=spider@entry=0x1467a4078090, str=str@entry=0x1467a40844a0, alias=alias@entry=0x0, alias_length=alias_length@entry=0, dbton_id=dbton_id@entry=0, use_fields=true, fields=0x1467a40b3740) at /test/10.11_dbg/storage/spider/spd_db_conn.cc:7556
#11 0x00001467e088d66b in spider_db_print_item_type (item=item@entry=0x1467a4014630, field=field@entry=0x0, spider=0x1467a4078090, str=str@entry=0x1467a40844a0, alias=alias@entry=0x0, alias_length=alias_length@entry=0, dbton_id=0, use_fields=true, fields=0x1467a40b3740) at /test/10.11_dbg/storage/spider/spd_db_conn.cc:7387
#12 0x00001467e0911478 in spider_mbase_handler::append_item_type_part (this=0x1467a4084440, item=0x1467a4014630, alias=0x0, alias_length=0, use_fields=<optimized out>, fields=0x1467a40b3740, sql_type=1) at /test/10.11_dbg/storage/spider/spd_db_mysql.cc:15419
#13 0x00001467e0936efc in spider_group_by_handler::init_scan (this=0x1467a4030880) at /test/10.11_dbg/storage/spider/spd_group_by_handler.cc:1318
#14 0x0000557ab2bde1fb in Pushdown_query::execute (this=0x1467a4017170, join=join@entry=0x1467a40151b8) at /test/10.11_dbg/sql/group_by_handler.cc:49
#15 0x0000557ab2bb0d97 in do_select (procedure=<optimized out>, join=0x1467a40151b8) at /test/10.11_dbg/sql/sql_select.cc:21207
#16 JOIN::exec_inner (this=this@entry=0x1467a40151b8) at /test/10.11_dbg/sql/sql_select.cc:4813
#17 0x0000557ab2bb1826 in JOIN::exec (this=this@entry=0x1467a40151b8) at /test/10.11_dbg/sql/sql_select.cc:4591
#18 0x0000557ab2baf5aa in mysql_select (thd=thd@entry=0x1467a4000d48, tables=0x1467a4013808, fields=@0x1467a4013568: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1467a40137c0, last = 0x1467a40137c0, elements = 1}, <No data fields>}, conds=0x1467a4014630, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x1467a4015190, unit=0x1467a4004f80, select_lex=0x1467a40132c8) at /test/10.11_dbg/sql/sql_select.cc:5071
#19 0x0000557ab2bafda0 in handle_select (thd=thd@entry=0x1467a4000d48, lex=lex@entry=0x1467a4004ea8, result=result@entry=0x1467a4015190, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.11_dbg/sql/sql_select.cc:582
#20 0x0000557ab2b19d94 in execute_sqlcom_select (thd=thd@entry=0x1467a4000d48, all_tables=0x1467a4013808) at /test/10.11_dbg/sql/sql_parse.cc:6261
#21 0x0000557ab2b26109 in mysql_execute_command (thd=thd@entry=0x1467a4000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.11_dbg/sql/sql_parse.cc:3945
#22 0x0000557ab2b1403c in mysql_parse (thd=thd@entry=0x1467a4000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1467e09c7330) at /test/10.11_dbg/sql/sql_parse.cc:8037
#23 0x0000557ab2b2166d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1467a4000d48, packet=packet@entry=0x1467a400aed9 "", packet_length=packet_length@entry=52, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_class.h:1345
#24 0x0000557ab2b23d97 in do_command (thd=0x1467a4000d48, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407
#25 0x0000557ab2c87fb9 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x557ab4f95b68, put_in_cache=put_in_cache@entry=true) at /test/10.11_dbg/sql/sql_connect.cc:1416
#26 0x0000557ab2c884c3 in handle_one_connection (arg=0x557ab4f95b68) at /test/10.11_dbg/sql/sql_connect.cc:1318
#27 0x00001467f9c30609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#28 0x00001467f981c133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.4.27 (dbg), 10.5.18 (dbg), 10.6.10 (dbg), 10.7.6 (dbg), 10.8.5 (dbg), 10.9.3 (dbg), 10.10.2 (dbg), 10.11.0 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.27 (opt), 10.5.18 (opt), 10.6.10 (opt), 10.7.6 (opt), 10.8.5 (opt), 10.9.3 (opt), 10.10.2 (opt), 10.11.0 (opt)



 Comments   
Comment by Roel Van de Paar [ 2022-09-28 ]

Assert/stack is same on all versions observed to crash

0|SIGABRT|Item_cache_row::illegal_method_call|Item_cache_row::val_str|spider_db_open_item_string|spider_db_open_item_cache

Comment by Roel Van de Paar [ 2022-10-04 ]

Another, similar, testcase

INSTALL PLUGIN Spider SONAME 'ha_spider.so';
CREATE USER Spider@localhost IDENTIFIED BY 'PWD0';
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE 'test',user 'Spider',PASSWORD 'PWD0');
CREATE TABLE t (c INT);
CREATE TABLE t2 (a CHAR(0),b INT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"';
SELECT 0 FROM t2 WHERE ROW(a, (a,a)) IN ((0, (0,0)),(0, (0,0)));

Comment by Yuchen Pei [ 2022-12-16 ]

mtr testcase:

--echo #
--echo # MDEV-29653 Assertion `0' failed in Item_cache_row::illegal_method_call on SELECT from Spider table
--echo #
 
--disable_query_log
--disable_result_log
--source ../../t/test_init.inc
--enable_result_log
--enable_query_log
 
--connection child2_1
CREATE DATABASE auto_test_remote;
USE auto_test_remote;
eval CREATE TABLE t (
    c INT
) $CHILD2_1_ENGINE $CHILD2_1_CHARSET;
 
--connection master_1
CREATE DATABASE auto_test_local;
USE auto_test_local;
eval CREATE TABLE ts (
    c INT
) $MASTER_1_ENGINE COMMENT='table "t", srv "s_2_1"';
 
SELECT 1 FROM ts WHERE ROW(c,c) NOT IN ((0,0),(1,1));
 
--connection master_1
DROP DATABASE IF EXISTS auto_test_local;
 
--connection child2_1
DROP DATABASE IF EXISTS auto_test_remote;
 
--disable_query_log
--disable_result_log
--source ../t/test_deinit.inc
--enable_query_log
--enable_result_log

Comment by Yuchen Pei [ 2022-12-16 ]

The bug exists in very old commits like 6dce6aecebe6ef78a14cb5c5c5daa8a355551e40 (2019-11) and 69c86abb646361c607a248f079f8fd4e600dcada (2021-01).

Comment by Yuchen Pei [ 2022-12-19 ]

The bug seems to be caused by the item having the wrong result_type(). It is an Item_cache_row, corresponding to the constant row (0, 0), and the result type should be ROW_RESULT, but is actually STRING_RESULT. This causes spider_db_open_item_cache to go into the wrong branch:

int spider_db_open_item_cache(
  ...
) {
  ...
 
  switch (item_cache->result_type())
  {
    case STRING_RESULT:
      DBUG_RETURN(spider_db_open_item_string(item_cache, field, spider, str,
        alias, alias_length, dbton_id, use_fields, fields));
    case ROW_RESULT:
      {
        int error_num;
        Item_cache_row *item_cache_row = (Item_cache_row *) item_cache;
        uint item_count = item_cache_row->cols() - 1, roop_count;
        if (str)
        {
           ...

The cause for the wrong result type seems to be: when constructing the Item_cache_row corresponding to (0,0), it uses the constructor Item_cache(thd), which calls the constructor of Type_handler_hybrid_field_type with hardcoded type_handler_string: Type_handler_hybrid_field_type(&type_handler_string)

#0  Type_handler_hybrid_field_type::Type_handler_hybrid_field_type (
    this=0x7fdf70022560, handler=0x560a837001c0 <type_handler_string>)
    at /home/ycp/source/mariadb-server/10.4/src/sql/sql_type.h:6672
#1  0x0000560a824dd024 in Item_cache::Item_cache (this=0x7fdf700224e0, 
    thd=0x7fdf7000b6c0)
    at /home/ycp/source/mariadb-server/10.4/src/sql/item.h:6828
#2  0x0000560a824ddd65 in Item_cache_row::Item_cache_row (this=0x7fdf700224e0, 
    thd=0x7fdf7000b6c0)
    at /home/ycp/source/mariadb-server/10.4/src/sql/item.h:7309
#3  0x0000560a824c318d in Type_handler_row::Item_get_cache (
    this=0x560a837000e8 <type_handler_row>, thd=0x7fdf7000b6c0, 
    item=0x7fdf7001ee80)
    at /home/ycp/source/mariadb-server/10.4/src/sql/sql_type.cc:3989
#4  0x0000560a821f9deb in Item::get_cache (this=0x7fdf7001ee80, 
    thd=0x7fdf7000b6c0)
    at /home/ycp/source/mariadb-server/10.4/src/sql/item.h:1130
#5  0x0000560a825fa1e5 in Item::cache_const_expr_transformer (
    this=0x7fdf7001ee80, thd=0x7fdf7000b6c0, arg=0x7fdf495cd2cf "")
    at /home/ycp/source/mariadb-server/10.4/src/sql/item.cc:7274
#6  0x0000560a821b913b in Item::compile (this=0x7fdf7001ee80, 
    thd=0x7fdf7000b6c0, analyzer=
    (bool (Item::*)(Item * const, uchar **)) 0x560a825fa01c <Item::cache_const_expr_analyzer(unsigned char**)>, arg_p=0x7fdf495cd250, transformer=
    (Item *(Item::*)(Item * const, THD *, uchar *)) 0x560a825fa1ac <Item::cache_const_expr_transformer(THD*, unsigned char*)>, arg_t=0x7fdf495cd2cf "")
    at /home/ycp/source/mariadb-server/10.4/src/sql/item.h:1892
#7  0x0000560a826515ce in Item_func::compile (this=0x7fdf7001f1b0, 
    thd=0x7fdf7000b6c0, analyzer=
    (bool (Item::*)(Item * const, uchar **)) 0x560a825fa01c <Item::cache_const_expr_analyzer(unsigned char**)>, arg_p=0x7fdf495cd2d0, transformer=
    (Item *(Item::*)(Item * const, THD *, uchar *)) 0x560a825fa1ac <Item::cache_const_expr_transformer(THD*, unsigned char*)>, arg_t=0x7fdf495cd2cf "")
    at /home/ycp/source/mariadb-server/10.4/src/sql/item_func.cc:548
#8  0x0000560a8234d3cf in JOIN::cache_const_exprs (this=0x7fdf7001fd98)
    at /home/ycp/source/mariadb-server/10.4/src/sql/sql_select.cc:28295
#9  0x0000560a82308478 in JOIN::optimize_stage2 (this=0x7fdf7001fd98)
    at /home/ycp/source/mariadb-server/10.4/src/sql/sql_select.cc:2613 

When it calls result_type() for the Item_cache_row, it uses the type_handler of Type_handler_hybrid_field_type:

(rr) bt
#0  Type_handler_hybrid_field_type::type_handler (this=0x7fdf70022560)
    at /home/ycp/source/mariadb-server/10.4/src/sql/sql_type.h:6681
#1  0x0000560a824dd22a in Item_cache::type_handler (this=0x7fdf700224e0)
    at /home/ycp/source/mariadb-server/10.4/src/sql/item.h:6865
#2  0x0000560a821c4a53 in Item::result_type (this=0x7fdf700224e0)
    at /home/ycp/source/mariadb-server/10.4/src/sql/item.h:1082
#3  0x00007fdf49177fa0 in spider_db_open_item_cache (item_cache=0x7fdf700224e0, 
    field=0x0, spider=0x7fdf7011ad68, str=0x7fdf70127e70, alias=0x0, 
    alias_length=0, dbton_id=0, use_fields=true, fields=0x7fdf70032c80)
    at /home/ycp/source/mariadb-server/10.4/src/storage/spider/spd_db_conn.cc:9913
#4  0x00007fdf4917613c in spider_db_print_item_type (item=0x7fdf700224e0, 
    field=0x0, spider=0x7fdf7011ad68, str=0x7fdf70127e70, alias=0x0, 
    alias_length=0, dbton_id=0, use_fields=true, fields=0x7fdf70032c80)
    at /home/ycp/source/mariadb-server/10.4/src/storage/spider/spd_db_conn.cc:9162
#5  0x00007fdf4921565d in spider_db_mbase_util::open_item_func (
    this=0x7fdf492845a0 <spider_db_mysql_utility>, item_func=0x7fdf7001f1b0, 
    spider=0x7fdf7011ad68, str=0x7fdf70127e70, alias=0x0, alias_length=0, 
    use_fields=true, fields=0x7fdf70032c80)
    at /home/ycp/source/mariadb-server/10.4/src/storage/spider/spd_db_mysql.cc:6656
#6  0x00007fdf491766cd in spider_db_open_item_func (item_func=0x7fdf7001f1b0, 
    spider=0x7fdf7011ad68, str=0x7fdf70127e70, alias=0x0, alias_length=0, 
    dbton_id=0, use_fields=true, fields=0x7fdf70032c80)
    at /home/ycp/source/mariadb-server/10.4/src/storage/spider/spd_db_conn.cc:9304
#7  0x00007fdf49175f06 in spider_db_print_item_type (item=0x7fdf7001f1b0, 
    field=0x0, spider=0x7fdf7011ad68, str=0x7fdf70127e70, alias=0x0, 
    alias_length=0, dbton_id=0, use_fields=true, fields=0x7fdf70032c80)
    at /home/ycp/source/mariadb-server/10.4/src/storage/spider/spd_db_conn.cc:9114
#8  0x00007fdf49236cd8 in spider_mbase_handler::append_item_type_part (
    this=0x7fdf70127e10, item=0x7fdf7001f1b0, alias=0x0, alias_length=0, 
    use_fields=true, fields=0x7fdf70032c80, sql_type=1)
    at /home/ycp/source/mariadb-server/10.4/src/storage/spider/spd_db_mysql.cc:15845
#9  0x00007fdf4923c89f in spider_group_by_handler::init_scan (
    this=0x7fdf7016f8a0)
    at /home/ycp/source/mariadb-server/10.4/src/storage/spider/spd_group_by_handler.cc:1333
...
(rr) p m_type_handler
$214 = (const Type_handler *) 0x560a837001c0 <type_handler_string>
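
A reduced model of the dispatch problem analysed in the comment above, added here as an illustration and not taken from the MariaDB source or from this ticket. All names (CacheItem, CacheScalar, CacheRow, print_item, try_print) are assumptions, and a thrown exception stands in for the debug assertion.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Reduced model with assumed names; not MariaDB source.
enum ResultType { STRING_RESULT, ROW_RESULT };

struct CacheItem {
  ResultType handler;  // stands in for m_type_handler
  explicit CacheItem(ResultType h = STRING_RESULT) : handler(h) {}
  virtual ~CacheItem() {}
  ResultType result_type() const { return handler; }
  virtual std::string val_str() const = 0;
};

struct CacheScalar : CacheItem {
  std::string text;
  explicit CacheScalar(std::string t) : text(std::move(t)) {}
  std::string val_str() const override { return text; }
};

struct CacheRow : CacheItem {
  std::vector<const CacheItem*> cols;
  // fixed == false keeps the base default (STRING), reproducing the defect.
  CacheRow(std::vector<const CacheItem*> c, bool fixed)
      : CacheItem(fixed ? ROW_RESULT : STRING_RESULT), cols(std::move(c)) {}
  std::string val_str() const override {  // rows have no string value
    throw std::logic_error("illegal_method_call: val_str");
  }
};

// Dispatches on result_type(), like the switch quoted in the comment above.
std::string print_item(const CacheItem& it) {
  if (it.result_type() != ROW_RESULT) return it.val_str();  // string branch
  const CacheRow& row = static_cast<const CacheRow&>(it);
  std::string out = "(", sep;
  for (const CacheItem* c : row.cols) { out += sep + print_item(*c); sep = ","; }
  return out + ")";
}

// Prints the constructed row (0,0); "ERR" means the string branch was taken.
std::string try_print(bool fixed) {
  CacheScalar a("0"), b("0");
  CacheRow row({&a, &b}, fixed);
  try { return print_item(row); } catch (const std::logic_error&) { return "ERR"; }
}

int main() { std::cout << try_print(false) << " " << try_print(true) << "\n"; }
```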

Comment by Yuchen Pei [ 2022-12-19 ]

This patch fixes this bug. Running tests to check for regressions...

From a70ac9210a9e9ab59c52f92adb9b11f02816145d Mon Sep 17 00:00:00 2001
From: Yuchen Pei <yuchen.pei@mariadb.com>
Date: Tue, 20 Dec 2022 10:38:35 +1100
Subject: [PATCH] MDEV-29653
 
---
 sql/item.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 
diff --git a/sql/item.h b/sql/item.h
index 083bc2261ce..9389250d6ec 100644
--- a/sql/item.h
+++ b/sql/item.h
@@ -7305,7 +7305,7 @@ class Item_cache_row: public Item_cache
   bool save_array;
 public:
   Item_cache_row(THD *thd):
-    Item_cache(thd), values(0), item_count(2),
+    Item_cache(thd, &type_handler_row), values(0), item_count(2),
     save_array(0) {}
   
   /*
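
Review bot: the one-line initializer change in `Item_cache_row(THD *thd)` ships without a regression test: the diffstat lists only sql/item.h, so the Spider mtr case that runs `SELECT 1 FROM ts WHERE ROW(c,c) NOT IN ((0,0),(1,1));` should go into the same commit to keep the row cache's type handler from regressing. The subject line is only the issue key; a short summary saying that the row cache is now constructed with `type_handler_row` would make the log readable on its own. A brief comment above the constructor explaining why the handler is passed explicitly would also help, since the neighbouring initializers (`values(0), item_count(2)`) give no hint of it.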
-- 
2.30.2

Comment by Yuchen Pei [ 2022-12-20 ]

I have run the following tests before and after the above patch, based on 10.4 f97f6955bda, and can confirm there are no new failures.

./mysql-test/mtr --parallel=12 --force --max-test-fail=0 --skip-core-file

Comment by Yuchen Pei [ 2022-12-20 ]

https://github.com/MariaDB/server/commit/756db1dc7fa

Comment by Yuchen Pei [ 2022-12-20 ]

serg, can you review this, since it touches some common sql code outside of spider? Feel free to re-assign it to anyone for the review.

Comment by Sergei Golubchik [ 2022-12-20 ]

ok to push, thanks

Comment by Yuchen Pei [ 2022-12-22 ]

Thanks for the review, pushed
