[MDEV-9604] crash in Item::save_in_field with empty enum value Created: 2016-02-21  Updated: 2022-10-26  Resolved: 2016-03-23

Status: Closed
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 10.1.8, 10.1.11
Fix Version/s: 10.1.13

Type: Bug Priority: Major
Reporter: sbester1 Assignee: Alexander Barkov
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-9777 MyISAM and InnoDB work differently wh... Closed
Sprint: 10.1.13

Description

Version: '10.1.11-MariaDB' mariadb.org binary distribution
[ERROR] mysqld got exception 0xc0000005 ;
mysqld.exe!Item::save_in_field()[item.cc:5908]
mysqld.exe!Item::save_in_field_no_warnings()[item.cc:1353]
mysqld.exe!Item_bool_func::get_mm_leaf()[opt_range.cc:7794]
mysqld.exe!Item_bool_func::get_mm_parts()[opt_range.cc:7611]
mysqld.exe!Item_bool_func2_with_rev::get_func_mm_tree()[item_cmpfunc.h:422]
mysqld.exe!Item_bool_func::get_full_func_mm_tree()[opt_range.cc:7311]
mysqld.exe!Item_bool_func::get_full_func_mm_tree_for_args()[item_cmpfunc.h:180]
mysqld.exe!Item_bool_func2_with_rev::get_mm_tree()[item_cmpfunc.h:450]
mysqld.exe!SQL_SELECT::test_quick_select()[opt_range.cc:2540]
mysqld.exe!get_quick_record_count()[sql_select.cc:3490]
mysqld.exe!make_join_statistics()[sql_select.cc:4108]
mysqld.exe!JOIN::optimize_inner()[sql_select.cc:1375]
mysqld.exe!JOIN::optimize()[sql_select.cc:1036]
mysqld.exe!mysql_select()[sql_select.cc:3437]
mysqld.exe!handle_select()[sql_select.cc:384]
mysqld.exe!execute_sqlcom_select()[sql_parse.cc:5903]
mysqld.exe!mysql_execute_command()[sql_parse.cc:2962]
mysqld.exe!mysql_parse()[sql_parse.cc:7308]
mysqld.exe!dispatch_command()[sql_parse.cc:1491]
mysqld.exe!do_command()[sql_parse.cc:1109]
mysqld.exe!threadpool_process_request()[threadpool_common.cc:239]
mysqld.exe!io_completion_callback()[threadpool_win.cc:568]

How to repeat
---------------

set sql_mode='';
drop table if exists t;
create table t (a enum('a'),b time,c int,key(b)) engine=innodb;
insert into t values ('','00:00:00',0);
select 1 from t where (select a from t group by c) = b;

Comments
Comment by Elena Stepanova [ 2016-02-21 ]

Thanks for the report.

The problem appeared in 10.1 tree with this revision:

commit 7e29f2d64fb463559a7c9c178ffe899b9bcab113
Author: Alexander Barkov <bar@mariadb.org>
Date:   Thu Oct 15 18:25:54 2015 +0400
 
    MDEV-8948 ALTER ... INPLACE does work for BINARY, BLOB

Stack trace from 10.1 commit fd8e846a3b049903706267d58e6d8e61eea97df8

#3  <signal handler called>
#4  0x000055f291882e98 in String::length (this=0x0) at /src/10.1/sql/sql_string.h:167
#5  0x000055f291b975be in Item::save_in_field (this=0x7f3c41454138, field=0x7f3c415982a0, no_conversions=true) at /src/10.1/sql/item.cc:5908
#6  0x000055f291b8b94a in Item::save_in_field_no_warnings (this=0x7f3c41454138, field=0x7f3c415982a0, no_conversions=true) at /src/10.1/sql/item.cc:1349
#7  0x000055f291ca03d0 in Item_bool_func::get_mm_leaf (this=0x7f3c414543a8, param=0x7f3c57f265e0, field=0x7f3c415982a0, key_part=0x7f3c41465888, type=Item_func::EQ_FUNC, value=0x7f3c41454138) at /src/10.1/sql/opt_range.cc:7788
#8  0x000055f291c9f8ee in Item_bool_func::get_mm_parts (this=0x7f3c414543a8, param=0x7f3c57f265e0, field=0x7f3c415982a0, type=Item_func::EQ_FUNC, value=0x7f3c41454138) at /src/10.1/sql/opt_range.cc:7605
#9  0x000055f2918e546b in Item_bool_func2_with_rev::get_func_mm_tree (this=0x7f3c414543a8, param=0x7f3c57f265e0, field=0x7f3c415982a0, value=0x7f3c41454138) at /src/10.1/sql/item_cmpfunc.h:421
#10 0x000055f291c9e984 in Item_bool_func::get_full_func_mm_tree (this=0x7f3c414543a8, param=0x7f3c57f265e0, field_item=0x7f3c414542b8, value=0x7f3c41454138) at /src/10.1/sql/opt_range.cc:7305
#11 0x000055f2918e51b8 in Item_bool_func::get_full_func_mm_tree_for_args (this=0x7f3c414543a8, param=0x7f3c57f265e0, item=0x7f3c414542b8, value=0x7f3c41454138) at /src/10.1/sql/item_cmpfunc.h:180
#12 0x000055f2918e5607 in Item_bool_func2_with_rev::get_mm_tree (this=0x7f3c414543a8, param=0x7f3c57f265e0, cond_ptr=0x7f3c414580f8) at /src/10.1/sql/item_cmpfunc.h:449
#13 0x000055f291c94006 in SQL_SELECT::test_quick_select (this=0x7f3c414580f0, thd=0x7f3c4e91aa30, keys_to_use=..., prev_tables=0, limit=18446744073709551615, force_quick_range=false, ordered_output=false, remove_false_parts_of_where=true) at /src/10.1/sql/opt_range.cc:2540
#14 0x000055f29197f4e1 in get_quick_record_count (thd=0x7f3c4e91aa30, select=0x7f3c414580f0, table=0x7f3c4123f470, keys=0x7f3c41457858, limit=18446744073709551615) at /src/10.1/sql/sql_select.cc:3488
#15 0x000055f291981956 in make_join_statistics (join=0x7f3c41454610, tables_list=..., keyuse_array=0x7f3c41454940) at /src/10.1/sql/sql_select.cc:4108
#16 0x000055f291977cf6 in JOIN::optimize_inner (this=0x7f3c41454610) at /src/10.1/sql/sql_select.cc:1374
#17 0x000055f291976bbc in JOIN::optimize (this=0x7f3c41454610) at /src/10.1/sql/sql_select.cc:1036
#18 0x000055f29197f251 in mysql_select (thd=0x7f3c4e91aa30, rref_pointer_array=0x7f3c4e91edc0, tables=0x7f3c41452840, wild_num=0, fields=..., conds=0x7f3c414543a8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f3c414545f0, unit=0x7f3c4e91e448, select_lex=0x7f3c4e91eb48) at /src/10.1/sql/sql_select.cc:3437
#19 0x000055f291974d89 in handle_select (thd=0x7f3c4e91aa30, lex=0x7f3c4e91e380, result=0x7f3c414545f0, setup_tables_done_option=0) at /src/10.1/sql/sql_select.cc:384
#20 0x000055f291945133 in execute_sqlcom_select (thd=0x7f3c4e91aa30, all_tables=0x7f3c41452840) at /src/10.1/sql/sql_parse.cc:5903
#21 0x000055f29193b20d in mysql_execute_command (thd=0x7f3c4e91aa30) at /src/10.1/sql/sql_parse.cc:2962
#22 0x000055f29194877a in mysql_parse (thd=0x7f3c4e91aa30, rawbuf=0x7f3c41452688 "select 1 from t where (select a from t group by c) = b", length=54, parser_state=0x7f3c57f285e0) at /src/10.1/sql/sql_parse.cc:7303
#23 0x000055f291937474 in dispatch_command (command=COM_QUERY, thd=0x7f3c4e91aa30, packet=0x7f3c4ebe2271 "select 1 from t where (select a from t group by c) = b", packet_length=54) at /src/10.1/sql/sql_parse.cc:1488
#24 0x000055f2919361a6 in do_command (thd=0x7f3c4e91aa30) at /src/10.1/sql/sql_parse.cc:1109
#25 0x000055f291a6b798 in do_handle_one_connection (thd_arg=0x7f3c4e91aa30) at /src/10.1/sql/sql_connect.cc:1349
#26 0x000055f291a6b4fc in handle_one_connection (arg=0x7f3c4e91aa30) at /src/10.1/sql/sql_connect.cc:1261
#27 0x000055f292171cb6 in pfs_spawn_thread (arg=0x7f3c4e8bfa70) at /src/10.1/storage/perfschema/pfs.cc:1860
#28 0x00007f3c57bab0a4 in start_thread () from /lib64/libpthread.so.0

Comment by Alexander Barkov [ 2016-03-21 ]

According to "git bisect", the problem was actually introduced by this commit:

39b46ae934bfa886314f918068d1e195970fe65e is the first bad commit
commit 39b46ae934bfa886314f918068d1e195970fe65e
Author: Alexander Barkov <bar@mariadb.org>
Date:   Wed Sep 9 15:39:09 2015 +0400
 
    MDEV-8706 Wrong result for SELECT..WHERE time_column=TIMESTAMP'2015-08-30 00:00:00' AND time_column='00:00:00'

Comment by Alexander Barkov [ 2016-03-21 ]

The crash is not repeatable with ENGINE=MyISAM in 10.1.

10.0 does not crash, but works inconsistently:

DROP TABLE IF EXISTS t1;
CREATE TABLE t1 (a ENUM('a'), b TIME, c INT, KEY(b)) ENGINE=InnoDB;
INSERT INTO t1 VALUES ('','00:00:00',0);
SELECT 1 FROM t1 WHERE (SELECT a FROM t1 group by c) = b;
ALTER TABLE t1 ENGINE=MyISAM;
SELECT 1 FROM t1 WHERE (SELECT a FROM t1 group by c) = b;

  • returns 0 rows with InnoDB in 10.0.23
  • returns 1 row with MyISAM in 10.0.23

Comment by Alexander Barkov [ 2016-03-22 ]

This script:

DROP TABLE IF EXISTS t1;
CREATE TABLE t1 (a ENUM('a'), b TIME, c INT, KEY(b)) ENGINE=INNODB;
INSERT INTO t1 VALUES ('','00:00:00',0);
SELECT * FROM t1 WHERE b='';
ALTER TABLE t1 ENGINE=MyISAM;
SELECT * FROM t1 WHERE b='';

  • returns 0 rows for InnoDB in 10.0.23.
  • returns 1 row for MyISAM in 10.0.23.
  • returns 0 rows for InnoDB and MyISAM in 10.1.13.

Comment by Alexander Barkov [ 2016-03-22 ]

This script (with no key on t1.b):

DROP TABLE IF EXISTS t1;
CREATE TABLE t1 (a ENUM('a'), b TIME, c INT) ENGINE=InnoDB;
INSERT INTO t1 VALUES ('','00:00:00',0);
SELECT * FROM t1 WHERE b='';
ALTER TABLE t1 ENGINE=MyISAM;
SELECT * FROM t1 WHERE b='';

  • returns 1 row for InnoDB and MyISAM in 10.0.23
  • returns 0 rows for InnoDB and MyISAM in 10.1.13

Comment by Alexander Barkov [ 2016-03-22 ]

This script:

DROP TABLE IF EXISTS t1;
CREATE TABLE t1 (a ENUM('a'), b TIME, c INT, KEY(b)) ENGINE=InnoDB;
INSERT INTO t1 VALUES ('','00:00:00',0);
SELECT * FROM t1 WHERE a=b;
ALTER TABLE t1 ENGINE=MyISAM;
SELECT * FROM t1 WHERE a=b;

  • returns 1 row for both InnoDB and MyISAM in 10.0.23
  • returns 1 row for both InnoDB and MyISAM in 10.1.13

Comment by Alexander Barkov [ 2016-03-22 ]

A similar sort of inconsistency is observed with the DATE and DATETIME data types.
