Bug #18501 Server crashes with monthname()
Submitted: 24 Mar 2006 20:30
Modified: 10 May 2006 16:04
Reporter: Brad Jackson
Status: Closed
Category: MySQL Server
Severity: S1 (Critical)
Version: 4.1.15/4.1BK/5.0BK/5.1BK
OS: Any (all)
Assigned to: Ramil Kalimullin
CPU Architecture: Any

[24 Mar 2006 20:30] Brad Jackson
Description:
My local server was crashing with a large query. After narrowing it down, the monthname() call with a nested call to str_to_date() with a null argument was the cause.

How to repeat:
Run this query to crash the server:

select monthname(str_to_date(null, '%m'))

It also happens with a real table select:

create table bugtest (test char(1));
insert into bugtest values (null), (null);
select monthname(str_to_date(test, '%m')) from bugtest;

It will crash with only one record some of the time, but all the time with two records.

This is the output from the Event Viewer.

Faulting application mysqld-nt.exe, version 0.0.0.0, faulting module mysqld-nt.exe, version 0.0.0.0, fault address 0x00049439.
[24 Mar 2006 22:26] MySQL Verification Team
Thank you for the bug report. I was able to repeat with the server version
4.1.16 on Windows and not with latest Linux source. I will test with the
latest Windows source.

c:\mysql\bin>mysql -uroot db99
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 4.1.16-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create table bugtest (test char(1));
Query OK, 0 rows affected (0.13 sec)

mysql> insert into bugtest values (null), (null);
Query OK, 2 rows affected (0.00 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql> select monthname(str_to_date(test, '%m')) from bugtest;
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
[25 Mar 2006 0:21] MySQL Verification Team
This crash only happens with optimized servers (not debug server).
I will test the Linux non-debug server:

c:\mysql\bin>mysqladmin -uroot create db99

c:\mysql\bin>mysql -uroot db99
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3 to server version: 4.1.19-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create table bugtest (test char(1));
Query OK, 0 rows affected (0.09 sec)

mysql> insert into bugtest values (null), (null);
Query OK, 2 rows affected (0.00 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql> select monthname(str_to_date(test, '%m')) from bugtest;
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>

CALL STACK for 4.1.19-nt

>	mysqld-nt.exe!Item_func_monthname::val_str(String * str=0x0331f420)  Line 916	C++
 	mysqld-nt.exe!Item::send(Protocol * protocol=0x00d47c28, String * buffer=0x0331f420)  Line 2416 + 0xc	C++
 	mysqld-nt.exe!select_send::send_data(List<Item> & items={...})  Line 829 + 0xb	C++
 	mysqld-nt.exe!end_send(JOIN * join=0x00d5a998, st_join_table * join_tab=0x00d5b7c0, int end_of_records=0)  Line 6638	C++
 	mysqld-nt.exe!sub_select(JOIN * join=0x00d5a998, st_join_table * join_tab=0x00d47c00, int end_of_records=1)  Line 6056 + 0xd	C++
 	mysqld-nt.exe!do_select(JOIN * join=0x00d47588, List<Item> * fields=0x004b6650, st_table * table=0x00d5a6f0, Procedure * procedure=0x38bb5464)  Line 5942 + 0x9	C++
 	mysqld-nt.exe!JOIN::exec()  Line 1501 + 0x2a	C++
 	mysqld-nt.exe!mysql_select(THD * thd=0x00d473d0, Item * * * rref_pointer_array=0x00d4760c, st_table_list * tables=0x00d5a910, unsigned int wild_num=0, List<Item> & fields={...}, Item * conds=0x00000000, unsigned int og_num=0, st_order * order=0x00000000, st_order * group=0x00000000, Item * having=0x00000000, st_order * proc_param=0x00000000, unsigned long select_options=2189707776, select_result * result=0x00d5a988, st_select_lex_unit * unit=0x00d4741c, st_select_lex * select_lex=0x00d5a998)  Line 1623	C++
 	mysqld-nt.exe!handle_select(THD * thd=0x00d473d0, st_lex * lex=0x00d47410, select_result * result=0x00d5a988)  Line 188 + 0x51	C++
 	mysqld-nt.exe!mysql_execute_command(THD * thd=0x00d4741c)  Line 2099 + 0xc	C++
 	mysqld-nt.exe!mysql_parse(THD * thd=0x00d473d0, char * inBuf=0x00d5a688, unsigned int length=54)  Line 4349	C++
 	mysqld-nt.exe!dispatch_command(enum_server_command command=COM_QUERY, THD * thd=0x00d473d0, char * packet=0x00d52659, unsigned int packet_length=55)  Line 1504	C++
 	mysqld-nt.exe!do_command(THD * thd=0x00d473d0)  Line 1315 + 0xd	C++
 	mysqld-nt.exe!handle_one_connection(void * arg=0x00d473d0)  Line 1047 + 0x6	C++
 	mysqld-nt.exe!_win_pthread_setspecific()  + 0x6b	C
 	mysqld-nt.exe!_threadstart(void * ptd=0x00d2ca68)  Line 196 + 0x6	C
 	kernel32.dll!7c80b50b() 	
 	kernel32.dll!7c8399f3() 	
-------------------------------------------------------------------------------------
c:\mysql\bin>mysql -uroot db99
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3 to server version: 5.0.20-nt-max

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create table bugtest (test char(1));
Query OK, 0 rows affected (0.11 sec)

mysql> insert into bugtest values (null), (null);
Query OK, 2 rows affected (0.05 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql> select monthname(str_to_date(test, '%m')) from bugtest;
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
-------------------------------------------------------------------------------------
c:\mysql\bin>mysqladmin -uroot create db99

c:\mysql\bin>mysql -uroot db99
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.1.8-beta-nt-max

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create table bugtest (test char(1));
Query OK, 0 rows affected (0.11 sec)

mysql> insert into bugtest values (null), (null);
Query OK, 2 rows affected (0.01 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql> select monthname(str_to_date(test, '%m')) from bugtest;
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
[25 Mar 2006 1:38] MySQL Verification Team
Thank you for the bug report and test case. I was able to repeat only
with non-debug servers on Windows versions: 4.1/5.0/5.1.
[25 Apr 2006 8:50] Ramil Kalimullin
The bug is not platform/build specific.
[25 Apr 2006 9:36] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/5460
[27 Apr 2006 13:01] Magnus Blåudd
Ok to push (after second review)
[10 May 2006 12:09] Ramil Kalimullin
fixed in 4.1.20
[10 May 2006 16:04] Paul DuBois
Noted in 4.1.20 changelog.

<literal>MONTHNAME(STR_TO_DATE(NULL, '%m'))</literal> could
cause a server crash.