[MDEV-5504] Server crashes in String::length on SELECT with MONTHNAME, GROUP BY, ROLLUP Created: 2014-01-04  Updated: 2014-01-29  Resolved: 2014-01-24

Status: Closed
Project: MariaDB Server
Component/s: None
Affects Version/s: 5.3.12
Fix Version/s: 5.3.13

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Alexander Barkov
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates

Description

I could only reproduce it on 5.3, not sure whether it is fixed in higher versions or just masked.

CREATE TABLE t1 (i INT);
INSERT INTO t1 VALUES (1),(2);
SELECT 1 FROM t1 GROUP BY MONTHNAME(0) WITH ROLLUP;

#3  <signal handler called>
#4  0x000000000059e102 in String::length (this=0x0) at sql_string.h:116
#5  0x0000000000692771 in sortcmp (s=0x7f8d9801ad98, t=0x0, cs=0x1217f00 <my_charset_latin1>) at sql_string.cc:758
#6  0x00000000005d147a in Cached_item_str::cmp (this=0x7f8d9801ad78) at item_buff.cc:88
#7  0x0000000000758d75 in test_if_group_changed (list=...) at sql_select.cc:20558
#8  0x000000000075110e in end_send_group (join=0x7f8d980197a8, join_tab=0x7f8d9801aab8, end_of_records=false) at sql_select.cc:17489
#9  0x000000000074e76e in evaluate_join_record (join=0x7f8d980197a8, join_tab=0x7f8d9801a798, error=0) at sql_select.cc:16469
#10 0x000000000074df85 in sub_select (join=0x7f8d980197a8, join_tab=0x7f8d9801a798, end_of_records=false) at sql_select.cc:16271
#11 0x000000000074d693 in do_select (join=0x7f8d980197a8, fields=0x7f8d98019b38, table=0x0, procedure=0x0) at sql_select.cc:15924
#12 0x000000000072cb6d in JOIN::exec (this=0x7f8d980197a8) at sql_select.cc:2788
#13 0x000000000072d406 in mysql_select (thd=0x31858d8, rref_pointer_array=0x31885c8, tables=0x7f8d98019100, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7f8d980196b0, having=0x0, proc_param=0x0, select_options=2147764736, result=0x7f8d98019788, unit=0x3187e68, select_lex=0x3188370) at sql_select.cc:3009
#14 0x0000000000723d9d in handle_select (thd=0x31858d8, lex=0x3187dc8, result=0x7f8d98019788, setup_tables_done_option=0) at sql_select.cc:288
#15 0x00000000006b381c in execute_sqlcom_select (thd=0x31858d8, all_tables=0x7f8d98019100) at sql_parse.cc:5172
#16 0x00000000006aabba in mysql_execute_command (thd=0x31858d8) at sql_parse.cc:2305
#17 0x00000000006b6124 in mysql_parse (thd=0x31858d8, rawbuf=0x7f8d98018f40 "SELECT 1 FROM t1 GROUP BY MONTHNAME(0) WITH ROLLUP", length=50, found_semicolon=0x7f8db0145d08) at sql_parse.cc:6173
#18 0x00000000006a83db in dispatch_command (command=COM_QUERY, thd=0x31858d8, packet=0x31ffbd9 "", packet_length=50) at sql_parse.cc:1243
#19 0x00000000006a76f7 in do_command (thd=0x31858d8) at sql_parse.cc:923
#20 0x00000000006a45cb in handle_one_connection (arg=0x31858d8) at sql_connect.cc:1231
#21 0x00007f8db1c730db in start_thread () from /lib64/libpthread.so.0

revision-id: sanja@askmonty.org-20131218135951-agw2htf09w418t91
revno: 3737
branch-nick: 5.3



Comments
Comment by Alexander Barkov [ 2014-01-24 ]

The crash happens because Item_func_monthname::is_null() does not work correctly,
because Item_func_monthname is erroneously derived from Item_func_month.

In MariaDB-5.5 Item_func_monthname was fixed to derive from Item_str_func,
which fixed this problem. Backporting of this change from 5.5 to 5.3 should
fix the problem in 5.3 as well.
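
An added regression check for the comparison path described above (this is example SQL written for this page, not the ticket's repro or the MariaDB test suite; the table, rows and expected values are constructed here and assume the default sql_mode). It pairs the original crashing statement with a query that drives the same test_if_group_changed / Cached_item_str::cmp path using NULL and non-NULL MONTHNAME() group keys from real data, which is the case the is_null() mismatch affects:

```sql
-- Constructed sample data: two January dates, one NULL date, one February date.
CREATE TABLE t1 (i INT, d DATE);
INSERT INTO t1 VALUES (1, '2014-01-04'), (2, '2014-01-24'), (3, NULL), (4, '2014-02-01');

-- Sanity check on the function itself. 0 converts to the zero date, so MONTH(0)
-- is 0 while MONTHNAME(0) has no name to return and is NULL; IS NULL must agree
-- with that NULL result, which is what a correct is_null() guarantees.
SELECT MONTHNAME(0), MONTHNAME(0) IS NULL, MONTH(0);
-- Expected: NULL, 1, 0

-- The statement from the ticket. On 5.3.13 it returns one group row and the
-- ROLLUP super-aggregate row instead of dereferencing a NULL String in sortcmp().
SELECT 1 FROM t1 GROUP BY MONTHNAME(0) WITH ROLLUP;

-- Same ROLLUP path with a mix of NULL and non-NULL group keys: end_send_group()
-- must see the NULL key as its own group and compare it against the string keys
-- without crashing. GROUP BY sorts ascending, NULL first, 'February' < 'January'.
SELECT MONTHNAME(d) AS m, COUNT(*) AS n
FROM t1
GROUP BY MONTHNAME(d) WITH ROLLUP;
-- Expected: (NULL,1), ('February',1), ('January',2), (NULL,4)

DROP TABLE t1;
```

The last query is the one worth keeping as a regression test: a fix that only makes the constant MONTHNAME(0) case survive would still be caught if NULL and non-NULL keys are compared within one ROLLUP result.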

Comment by Alexander Barkov [ 2014-01-24 ]

Fixed in 5.3.13.

Comment by Daniel Bartholomew [ 2014-01-29 ]

http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.567.186

Generated at Thu Feb 08 07:04:53 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.