[MDEV-31019] SIGSEGV in Item_func_monthname::val_str and UBSAN: null pointer passed as argument 1, which is declared to never be null in Item_func_monthname::val_str in sql/item_timefunc.cc on SELECT MONTHNAME Created: 2023-04-06  Updated: 2023-04-10  Resolved: 2023-04-07

Status: Closed
Project: MariaDB Server
Component/s: Variables
Affects Version/s: 10.11, 11.0, 11.1
Fix Version/s: 11.1.1, 10.11.3, 11.0.2

Type: Bug Priority: Critical
Reporter: Roel Van de Paar Assignee: Alexander Barkov
Resolution: Fixed Votes: 0
Labels: regression-10.11

Issue Links:
Relates
relates to MDEV-30997 SIGSEGV in __strlen_avx2 | make_date_... Closed

 Description   

New regression. Note that 10.11 (opt) fails with a slightly different stack (Protocol::send_result_set_row), and that the UBSAN stack on opt vs dbg is not identical.

SET lc_time_names=111;
SELECT MONTHNAME('2010-12-12');

Leads to:

11.1.0 2b61ff8f2221745f0a96855a0feb0825c426f993 (Debug)

Core was generated by `/test/MD010423-mariadb-11.1.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
[Current thread is 1 (Thread 0x14d6c75af640 (LWP 1242041))]
(gdb) bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
#1  0x000055c15ad22b87 in Item_func_monthname::val_str (this=0x14d6340137d8, str=0x14d6c75acf90) at /test/11.1_dbg/sql/item_timefunc.cc:997
#2  0x000055c15ab2e5d8 in Type_handler::Item_send_str (this=<optimized out>, item=0x14d6340137d8, protocol=0x14d634001368, buf=<optimized out>) at /test/11.1_dbg/sql/sql_type.cc:7446
#3  0x000055c15aa6e105 in Type_handler_string_result::Item_send (this=<optimized out>, item=<optimized out>, protocol=<optimized out>, buf=<optimized out>) at /test/11.1_dbg/sql/sql_type.h:5455
#4  0x000055c15a80b5e8 in Item::send (this=0x14d6340137d8, protocol=0x14d634001368, buffer=0x14d6c75acf60) at /test/11.1_dbg/sql/item.h:1235
#5  0x000055c15a8411dd in Protocol::send_result_set_row (this=this@entry=0x14d634001368, row_items=row_items@entry=0x14d6340134d8) at /test/11.1_dbg/sql/protocol.cc:1332
#6  0x000055c15a8c3a7d in select_send::send_data (this=0x14d6340141c0, items=@0x14d6340134d8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14d634013890, last = 0x14d634013890, elements = 1}, <No data fields>}) at /test/11.1_dbg/sql/sql_class.cc:3102
#7  0x000055c15a9b3ac9 in select_result_sink::send_data_with_check (sent=0, u=<optimized out>, items=<optimized out>, this=<optimized out>) at /test/11.1_dbg/sql/sql_class.h:5748
#8  JOIN::exec_inner (this=this@entry=0x14d6340141e8) at /test/11.1_dbg/sql/sql_select.cc:4763
#9  0x000055c15a9b49c0 in JOIN::exec (this=this@entry=0x14d6340141e8) at /test/11.1_dbg/sql/sql_select.cc:4674
#10 0x000055c15a9b2898 in mysql_select (thd=thd@entry=0x14d634000d58, tables=<optimized out>, fields=@0x14d6340134d8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14d634013890, last = 0x14d634013890, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x14d6340141c0, unit=0x14d634004fa0, select_lex=0x14d634013218) at /test/11.1_dbg/sql/sql_select.cc:5155
#11 0x000055c15a9b301e in handle_select (thd=thd@entry=0x14d634000d58, lex=lex@entry=0x14d634004ec8, result=result@entry=0x14d6340141c0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.1_dbg/sql/sql_select.cc:611
#12 0x000055c15a919314 in execute_sqlcom_select (thd=thd@entry=0x14d634000d58, all_tables=0x0) at /test/11.1_dbg/sql/sql_parse.cc:6024
#13 0x000055c15a924974 in mysql_execute_command (thd=thd@entry=0x14d634000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.1_dbg/sql/sql_parse.cc:3944
#14 0x000055c15a92af05 in mysql_parse (thd=thd@entry=0x14d634000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14d6c75ae230) at /test/11.1_dbg/sql/sql_parse.cc:7760
#15 0x000055c15a92d099 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14d634000d58, packet=packet@entry=0x14d63400ae49 "", packet_length=packet_length@entry=30, blocking=blocking@entry=true) at /test/11.1_dbg/sql/sql_class.h:242
#16 0x000055c15a92eef5 in do_command (thd=0x14d634000d58, blocking=blocking@entry=true) at /test/11.1_dbg/sql/sql_parse.cc:1405
#17 0x000055c15aa80cfc in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55c15db5b988, put_in_cache=put_in_cache@entry=true) at /test/11.1_dbg/sql/sql_connect.cc:1416
#18 0x000055c15aa80f5b in handle_one_connection (arg=0x55c15db5b988) at /test/11.1_dbg/sql/sql_connect.cc:1318
#19 0x000014d6e4740b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#20 0x000014d6e47d2a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

10.11.3 50c8ef01fc63e32acd38788107ae4029d0f1b9ce (Optimized)

Core was generated by `/test/MD290323-mariadb-10.11.3-linux-x86_64-opt/bin/mariadbd --no-defaults --co'.
Program terminated with signal SIGSEGV, Segmentation fault. 
#0  __pthread_kill_implementation (no_tid=0, signo=11, threadid=22438654330432)
    at ./nptl/pthread_kill.c:44
[Current thread is 1 (Thread 0x146868054640 (LWP 1243054))]
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=11, threadid=22438654330432) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=11, threadid=22438654330432) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=22438654330432, signo=11) at ./nptl/pthread_kill.c:89
#3  0x000055827c933828 in handle_fatal_signal (sig=<optimized out>) at /test/10.11_opt/sql/signal_handler.cc:357
#4  <signal handler called>
#5  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
#6  0x000055827ca37712 in Item_func_monthname::val_str (this=0x1467d0010fe0, str=0x146868051960) at /test/10.11_opt/sql/item_timefunc.cc:997
#7  0x000055827c88eb38 in Type_handler::Item_send_str (this=<optimized out>, item=<optimized out>, protocol=0x1467d00011f0, buf=<optimized out>) at /test/10.11_opt/sql/sql_type.cc:7446
#8  0x000055827c6054fa in Protocol::send_result_set_row (this=this@entry=0x1467d00011f0, row_items=row_items@entry=0x1467d0010cf8) at /test/10.11_opt/sql/protocol.cc:1332
#9  0x000055827c682b27 in select_send::send_data (this=0x1467d0011a40, items=@0x1467d0010cf8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1467d0010780, last = 0x1467d0010780, elements = 1}, <No data fields>}) at /test/10.11_opt/sql/sql_class.cc:3103
#10 0x000055827c758730 in select_result_sink::send_data_with_check (u=<optimized out>, sent=0, items=<optimized out>, this=<optimized out>) at /test/10.11_opt/sql/sql_class.h:5746
#11 select_result_sink::send_data_with_check (sent=0, u=<optimized out>, items=<optimized out>, this=<optimized out>) at /test/10.11_opt/sql/sql_class.h:5736
#12 JOIN::exec_inner (this=0x1467d0011aa0) at /test/10.11_opt/sql/sql_select.cc:4701
#13 0x000055827c758f19 in JOIN::exec (this=this@entry=0x1467d0011aa0) at /test/10.11_opt/sql/sql_select.cc:4613
#14 0x000055827c756fc1 in mysql_select (thd=0x1467d0000c68, tables=0x0, fields=@0x1467d0010cf8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1467d0010780, last = 0x1467d0010780, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x1467d0011a40, unit=0x1467d0004ce8, select_lex=0x1467d0010a40) at /test/10.11_opt/sql/sql_select.cc:5093
#15 0x000055827c757714 in handle_select (thd=thd@entry=0x1467d0000c68, lex=lex@entry=0x1467d0004c10, result=result@entry=0x1467d0011a40, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.11_opt/sql/sql_select.cc:581
#16 0x000055827c6cf905 in execute_sqlcom_select (thd=0x1467d0000c68, all_tables=0x0) at /test/10.11_opt/sql/sql_parse.cc:6267
#17 0x000055827c6de9f0 in mysql_execute_command (thd=0x1467d0000c68, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:3949
#18 0x000055827c6e0284 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1467d0000c68) at /test/10.11_opt/sql/sql_parse.cc:8002
#19 mysql_parse (thd=0x1467d0000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7924
#20 0x000055827c6e28c2 in dispatch_command (command=COM_QUERY, thd=0x1467d0000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:1991
#21 0x000055827c6e40a8 in do_command (thd=0x1467d0000c68, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
#22 0x000055827c803c7f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55827f2bb1e8, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1416
#23 0x000055827c803f5d in handle_one_connection (arg=0x55827f2bb1e8) at /test/10.11_opt/sql/sql_connect.cc:1318
#24 0x000014687fa0ab43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#25 0x000014687fa9ca00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

11.0.2 a79abb6517f2fa68b48e61aa3354a0631e3a63f7 (Optimized, UBASAN)

2023-04-07 10:57:12 0 [Note] /test/UBASAN_MD250323-mariadb-11.0.2-linux-x86_64-opt/bin/mariadbd: ready for connections.
Version: '11.0.2-MariaDB'  socket: '/test/UBASAN_MD250323-mariadb-11.0.2-linux-x86_64-opt/socket.sock'  port: 11678  MariaDB Server
/test/11.0_opt_san/sql/item_timefunc.cc:997:38: runtime error: null pointer passed as argument 1, which is declared to never be null
    #0 0x5580a0843a5a in Item_func_monthname::val_str(String*) /test/11.0_opt_san/sql/item_timefunc.cc:997
    #1 0x5580a22a26d6 in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/11.0_opt_san/sql/sql_type.cc:7446
    #2 0x5580a0e13a9c in Protocol::send_result_set_row(List<Item>*) /test/11.0_opt_san/sql/protocol.cc:1332
    #3 0x5580a11958aa in select_send::send_data(List<Item>&) /test/11.0_opt_san/sql/sql_class.cc:3102
    #4 0x5580a18f88a2 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.0_opt_san/sql/sql_class.h:5748
    #5 0x5580a18f88a2 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.0_opt_san/sql/sql_class.h:5738
    #6 0x5580a18f88a2 in JOIN::exec_inner() /test/11.0_opt_san/sql/sql_select.cc:4761
    #7 0x5580a18fd5b3 in JOIN::exec() /test/11.0_opt_san/sql/sql_select.cc:4672
    #8 0x5580a18eb050 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_opt_san/sql/sql_select.cc:5153
    #9 0x5580a18eebe0 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_opt_san/sql/sql_select.cc:611
    #10 0x5580a147be40 in execute_sqlcom_select /test/11.0_opt_san/sql/sql_parse.cc:6267
    #11 0x5580a14e153c in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:3949
    #12 0x5580a14f2322 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_opt_san/sql/sql_parse.cc:7999
    #13 0x5580a14fffad in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_opt_san/sql/sql_parse.cc:1894
    #14 0x5580a1509718 in do_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:1407
    #15 0x5580a1e0ac2c in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1416
    #16 0x5580a1e0d22c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
    #17 0x145a54f29b42 in start_thread nptl/pthread_create.c:442
    #18 0x145a54fbb9ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
 
230407 10:57:13 [ERROR] mysqld got signal 11 ;

11.0.2 a79abb6517f2fa68b48e61aa3354a0631e3a63f7 (Debug, UBASAN)

2023-04-07 10:57:39 0 [Note] /test/UBASAN_MD250323-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd: ready for connections.
Version: '11.0.2-MariaDB-debug'  socket: '/test/UBASAN_MD250323-mariadb-11.0.2-linux-x86_64-dbg/socket.sock'  port: 12441  MariaDB Server
/test/11.0_dbg_san/sql/item_timefunc.cc:997:38: runtime error: null pointer passed as argument 1, which is declared to never be null
    #0 0x560971984914 in Item_func_monthname::val_str(String*) /test/11.0_dbg_san/sql/item_timefunc.cc:997
    #1 0x5609705215a1 in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/11.0_dbg_san/sql/sql_type.cc:7446
    #2 0x56096ff6faa2 in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const /test/11.0_dbg_san/sql/sql_type.h:5455
    #3 0x56096ed1359c in Item::send(Protocol*, st_value*) /test/11.0_dbg_san/sql/item.h:1235
    #4 0x56096eecf05c in Protocol::send_result_set_row(List<Item>*) /test/11.0_dbg_san/sql/protocol.cc:1332
    #5 0x56096f2989ca in select_send::send_data(List<Item>&) /test/11.0_dbg_san/sql/sql_class.cc:3102
    #6 0x56096fa0fb03 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.0_dbg_san/sql/sql_class.h:5748
    #7 0x56096fa0fb03 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4761
    #8 0x56096fa1657a in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4672
    #9 0x56096fa04d38 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5153
    #10 0x56096fa09193 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:611
    #11 0x56096f588973 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6267
    #12 0x56096f5e9cce in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
    #13 0x56096f6195e6 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:7999
    #14 0x56096f62937a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #15 0x56096f63717f in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #16 0x56096fffb459 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #17 0x56096fffc974 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #18 0x14c005515b42 in start_thread nptl/pthread_create.c:442
    #19 0x14c0055a79ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
 
230407 10:57:41 [ERROR] mysqld got signal 11 ;

Bug confirmed present in:
MariaDB: 10.11.3 (dbg), 10.11.3 (opt), 11.0.1 (dbg), 11.0.1 (opt), 11.1.0 (dbg), 11.1.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.38 (dbg), 10.3.38 (opt), 10.3.39 (dbg), 10.3.39 (opt), 10.4.29 (dbg), 10.4.29 (opt), 10.5.20 (dbg), 10.5.20 (opt), 10.6.13 (dbg), 10.6.13 (opt), 10.7.8 (dbg), 10.7.8 (opt), 10.8.8 (dbg), 10.8.8 (opt), 10.9.6 (dbg), 10.9.6 (opt), 10.10.4 (dbg), 10.10.4 (opt), 10.11.2 (dbg), 10.11.2 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.40 (dbg), 5.7.40 (opt), 8.0.31 (dbg), 8.0.31 (opt)

 Comments   
Comment by Roel Van de Paar [ 2023-04-06 ]

It may be a good idea to check with (many) other dates after this is patched, as changing the date to another one matters. For example, '2023-01-01' does not crash:

11.1.0 2b61ff8f2221745f0a96855a0feb0825c426f993 (Debug)

11.1.0-dbg>SET lc_time_names=111;
Query OK, 0 rows affected (0.000 sec)
 
11.1.0-dbg>SELECT MONTHNAME('2023-01-01');
+-------------------------+
| MONTHNAME('2023-01-01') |
+-------------------------+
| იანვარი                 |
+-------------------------+
1 row in set (0.000 sec)

Comment by Roel Van de Paar [ 2023-04-07 ]

On non-crashing versions, we see:

10.9.6 eec1d6ce3dc9352eae97c11bbcbc506d18d188ef (Debug)

10.9.6-dbg>SET lc_time_names=111;
ERROR 1649 (HY000): Unknown locale: '111'
10.9.6-dbg>SELECT MONTHNAME('2010-12-12');
+-------------------------+
| MONTHNAME('2010-12-12') |
+-------------------------+
| December                |
+-------------------------+
1 row in set (0.000 sec)

Comment by Roel Van de Paar [ 2023-04-07 ]

The additional stacks in this bug have also been resolved by the patch in MDEV-30997.

Comment by Roel Van de Paar [ 2023-04-08 ]

Additional testcase & stack. Note that changing the TIMESTAMP to something other than 1040000000, for example 1050000000, stops the bug from reproducing.

SET lc_time_names=111;
SET TIMESTAMP=1040000000;
SELECT MAKETIME(0,0,0)+MONTHNAME(CURRENT_TIMESTAMP());

Leads to:

11.1.0 2b61ff8f2221745f0a96855a0feb0825c426f993 (Debug)

Core was generated by `/test/MD070423-mariadb-11.1.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
[Current thread is 1 (Thread 0x14c30e80e640 (LWP 1322531))]
(gdb) bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
#1  0x000056385f4c9b87 in Item_func_monthname::val_str (this=0x14c2d4013b28, str=0x14c30e80be10) at /test/11.1_dbg/sql/item_timefunc.cc:997
#2  0x000056385f46f7e3 in Item_str_func::val_real (this=0x14c2d4013b28) at /test/11.1_dbg/sql/item_strfunc.cc:151
#3  0x000056385f426dac in Item_func_plus::real_op (this=0x14c2d4013be0) at /test/11.1_dbg/sql/item_func.cc:1103
#4  0x000056385f2b9fc8 in Item_func_hybrid_field_type::val_real_from_real_op (this=<optimized out>) at /test/11.1_dbg/sql/item_func.h:853
#5  Type_handler_real_result::Item_func_hybrid_field_type_val_real (this=<optimized out>, item=<optimized out>) at /test/11.1_dbg/sql/sql_type.cc:5458
#6  0x000056385f3f6949 in Item_func_hybrid_field_type::val_real (this=0x14c2d4013be0) at /test/11.1_dbg/sql/item_func.h:899
#7  0x000056385f2d583f in Type_handler::Item_send_double (this=<optimized out>, item=0x14c2d4013be0, protocol=0x14c2d4001368, buf=<optimized out>) at /test/11.1_dbg/sql/sql_type.cc:7508
#8  0x000056385f2dc043 in Type_handler_double::Item_send (this=<optimized out>, item=<optimized out>, protocol=<optimized out>, buf=<optimized out>) at /test/11.1_dbg/sql/sql_type.h:6048
#9  0x000056385efb25e8 in Item::send (this=0x14c2d4013be0, protocol=0x14c2d4001368, buffer=0x14c30e80bf60) at /test/11.1_dbg/sql/item.h:1235
#10 0x000056385efe81dd in Protocol::send_result_set_row (this=this@entry=0x14c2d4001368, row_items=row_items@entry=0x14c2d4013508) at /test/11.1_dbg/sql/protocol.cc:1332
#11 0x000056385f06aa7d in select_send::send_data (this=0x14c2d4014610, items=@0x14c2d4013508: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14c2d4013c98, last = 0x14c2d4013c98, elements = 1}, <No data fields>}) at /test/11.1_dbg/sql/sql_class.cc:3102
#12 0x000056385f15aac9 in select_result_sink::send_data_with_check (sent=0, u=<optimized out>, items=<optimized out>, this=<optimized out>) at /test/11.1_dbg/sql/sql_class.h:5748
#13 JOIN::exec_inner (this=this@entry=0x14c2d4014638) at /test/11.1_dbg/sql/sql_select.cc:4763
#14 0x000056385f15b9c0 in JOIN::exec (this=this@entry=0x14c2d4014638) at /test/11.1_dbg/sql/sql_select.cc:4674
#15 0x000056385f159898 in mysql_select (thd=thd@entry=0x14c2d4000d58, tables=<optimized out>, fields=@0x14c2d4013508: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14c2d4013c98, last = 0x14c2d4013c98, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x14c2d4014610, unit=0x14c2d4004fa0, select_lex=0x14c2d4013248) at /test/11.1_dbg/sql/sql_select.cc:5155
#16 0x000056385f15a01e in handle_select (thd=thd@entry=0x14c2d4000d58, lex=lex@entry=0x14c2d4004ec8, result=result@entry=0x14c2d4014610, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.1_dbg/sql/sql_select.cc:611
#17 0x000056385f0c0314 in execute_sqlcom_select (thd=thd@entry=0x14c2d4000d58, all_tables=0x0) at /test/11.1_dbg/sql/sql_parse.cc:6024
#18 0x000056385f0cb974 in mysql_execute_command (thd=thd@entry=0x14c2d4000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.1_dbg/sql/sql_parse.cc:3944
#19 0x000056385f0d1f05 in mysql_parse (thd=thd@entry=0x14c2d4000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14c30e80d230) at /test/11.1_dbg/sql/sql_parse.cc:7760
#20 0x000056385f0d4099 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14c2d4000d58, packet=packet@entry=0x14c2d400ae49 "", packet_length=packet_length@entry=53, blocking=blocking@entry=true) at /test/11.1_dbg/sql/sql_class.h:242
#21 0x000056385f0d5ef5 in do_command (thd=0x14c2d4000d58, blocking=blocking@entry=true) at /test/11.1_dbg/sql/sql_parse.cc:1405
#22 0x000056385f227cfc in do_handle_one_connection (connect=<optimized out>, connect@entry=0x563863245e58, put_in_cache=put_in_cache@entry=true) at /test/11.1_dbg/sql/sql_connect.cc:1416
#23 0x000056385f227f5b in handle_one_connection (arg=0x563863245e58) at /test/11.1_dbg/sql/sql_connect.cc:1318
#24 0x000014c33ffb2b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#25 0x000014c340044a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Bug confirmed present in:
MariaDB: 11.0.2 (dbg), 11.0.2 (opt), 11.1.0 (dbg), 11.1.0 (opt)

Comment by Roel Van de Paar [ 2023-04-08 ]

Confirmed that this additional testcase is also fixed by the patch in MDEV-30997.
bar Maybe it makes sense to add the additional testcases from this bug report as they produce different stacks?

Comment by Alexander Barkov [ 2023-04-10 ]

Roel, I think the patch covers the problem quite well.

The key point is access outside of the array in this line:

#1  0x000055c15ad22b87 in Item_func_monthname::val_str (this=0x14d6340137d8, str=0x14d6c75acf90) at /test/11.1_dbg/sql/item_timefunc.cc:997

And it repeats in all stack examples above.

I won't mind if you push an additional patch with extra test cases though.
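The defect Alexander points to, an out-of-range locale number reaching an array lookup whose result then flows into strlen(), modelled in C as an added example that is not MariaDB's own code: a constructed locale table with a bounds-checked lookup, a setter that rejects 111 the way 10.9 does ("Unknown locale"), and a month-name function that refuses a NULL locale or an empty name slot instead of letting the SELECT crash. The struct, the table contents, the xx_XX locale and all function names are constructed for the illustration.

```c
#include <stddef.h>
#include <string.h>

struct month_locale {
    const char *name;
    const char *month_names[12];
};

/* Constructed locale table (not MariaDB's): numeric ids index it, and a
 * NULL entry terminates it, so the table has one more slot than locales. */
static const struct month_locale EN = { "en_US",
    { "January", "February", "March", "April", "May", "June", "July",
      "August", "September", "October", "November", "December" } };
/* Entry whose December slot is left empty: present in the table, but a
 * lookup of month 12 yields a NULL name. */
static const struct month_locale XX = { "xx_XX",
    { "Mon01", "Mon02", "Mon03", "Mon04", "Mon05", "Mon06", "Mon07",
      "Mon08", "Mon09", "Mon10", "Mon11", NULL } };
static const struct month_locale *const LOCALES[] = { &EN, &XX, NULL };
#define LOCALE_COUNT ((int)(sizeof(LOCALES) / sizeof(LOCALES[0]) - 1))

/* The crash shape is an unchecked LOCALES[n]: n == LOCALE_COUNT hits the
 * terminator and a larger n reads past the array. This lookup instead
 * reports every out-of-range id, negative ones included, as unknown (NULL). */
static const struct month_locale *locale_by_number(int n)
{
    if (n < 0 || n >= LOCALE_COUNT)
        return NULL;
    return LOCALES[n];
}

/* Models the variable setter: a number is accepted only if it names a real
 * locale; otherwise the previous value is kept and -1 is returned, the point
 * at which the server should raise its "Unknown locale" error. */
static int set_lc_time_names(int number, const struct month_locale **current)
{
    const struct month_locale *loc = locale_by_number(number);
    if (loc == NULL)
        return -1;
    *current = loc;
    return 0;
}

/* Copies the month name into out and returns its length, or -1 when the
 * locale is NULL, the month is outside 1..12, the name slot is empty or the
 * buffer is too small. strlen() is only ever reached with a non-NULL name. */
static int month_name(const struct month_locale *loc, int month,
                      char *out, size_t outsz)
{
    if (loc == NULL || month < 1 || month > 12)
        return -1;
    const char *name = loc->month_names[month - 1];
    if (name == NULL)
        return -1;
    size_t len = strlen(name);
    if (len + 1 > outsz)
        return -1;
    memcpy(out, name, len + 1);
    return (int)len;
}
```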

Generated at Thu Feb 08 10:20:40 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.