Bug #28641 CREATE EVENT with '2038.01.18 03:00:00' let server crash.
Submitted: 24 May 2007 8:10 Modified: 2 Aug 2007 3:46
Reporter: Horst Hunger Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Stored Routines Severity:S1 (Critical)
Version:5.1.19 OS:Linux (suse 10.1)
Assigned to: Kristofer Pettersson CPU Architecture:Any

[24 May 2007 8:10] Horst Hunger 
Description:
The following sql statement let the server crash:

CREATE EVENT ev_create_11365 ON SCHEDULE AT '2038.01.18 03:00:00'
            DO BEGIN ...

This seems to happen with timestamps between the value above and '2038.01.19 06:14:07'. Timestamps beginning with '2038.01.19 06:14:08' are rejected with ER_WRONG_VALUE (1513). See attached test.

The backtrace:

gdb /data0/mysql/mysql-5.1-build/sql/mysqld core.5975
GNU gdb 6.4
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-suse-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

Core was generated by `/data0/mysql/mysql-5.1-build/sql/mysqld --no-defaults --console --basedir=/data'.
Program terminated with signal 6, Aborted.

warning: Can't read pathname for load map: Eingabe-/Ausgabefehler.
Reading symbols from /lib/libz.so.1...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libpthread.so.0...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib/libgcc_s.so.1
#0  0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7f2b5f6 in pthread_kill () from /lib/libpthread.so.0
#2  0x0842e4b3 in write_core (sig=6) at stacktrace.c:229
#3  0x08275458 in handle_segfault (sig=6) at mysqld.cc:2237
#4  <signal handler called>
#5  0xffffe410 in __kernel_vsyscall ()
#6  0xb7dbc7d0 in raise () from /lib/libc.so.6
#7  0xb7dbdea3 in abort () from /lib/libc.so.6
#8  0xb7db601b in __assert_fail () from /lib/libc.so.6
#9  0x0843fcd3 in sec_since_epoch (year=2038, mon=1, mday=18, hour=0, min=0, sec=0)
    at tztime.cc:784
#10 0x0843ff8c in sec_since_epoch_TIME (t=0xb74704bc) at tztime.cc:819
#11 0x0845f759 in Event_queue_element::load_from_row (this=0x8a2db00, thd=0x89c46b8,
    table=0x89ff088) at event_data_objects.cc:970
#12 0x08463dc3 in Event_db_repository::load_named_event (this=0x897ae10, thd=0x89c46b8,
    dbname={str = 0x8a10618 "event_test", length = 10}, name=
      {str = 0x8a10628 "ev_create_11365", length = 15}, etn=0x8a2db00)
    at event_db_repository.cc:888
#13 0x084677a2 in Events::create_event (thd=0x89c46b8, parse_data=0x8a103f8,
    if_not_exists=false) at events.cc:412
#14 0x08289e05 in mysql_execute_command (thd=0x89c46b8) at sql_parse.cc:3187
#15 0x0828e12a in mysql_parse (thd=0x89c46b8,
    inBuf=0x8a10238 "CREATE EVENT ev_create_11365 ON SCHEDULE AT '2038.01.18 03:00:00'\n", ' ' <repeats 12 times>, "DO BEGIN\nSET @evname = 'ev_create_11365';\nSET @cnt = 0;\nSELECT count(*) into @cnt from event_log where ev_nm = @evname ;\nI"..., length=274)
    at sql_parse.cc:5314
#16 0x0828ec34 in dispatch_command (command=COM_QUERY, thd=0x89c46b8,
    packet=0x8a081d9 "CREATE EVENT ev_create_11365 ON SCHEDULE AT '2038.01.18 03:00:00'\n", ' ' <repeats 12 times>, "DO BEGIN\nSET @evname = 'ev_create_11365';\nSET @cnt = 0;\nSELECT count(*) into @cnt from event_log where ev_nm = @evname ;\nI"...,
    packet_length=276) at sql_parse.cc:903
#17 0x0828fdf7 in do_command (thd=0x89c46b8) at sql_parse.cc:666
#18 0x0827db22 in handle_one_connection (arg=0x89c46b8) at sql_connect.cc:1091
#19 0xb7f2734b in start_thread () from /lib/libpthread.so.0
#20 0xb7e5165e in clone () from /lib/libc.so.6
(gdb)                                                                               

How to repeat:
Put the test program in the directory "t" and execute

perl mysql-test-run.pl ev_bug1
[24 May 2007 9:44] Valeriy Kravchuk 
Thank you for a problem report. Sorry, but I was not able to repeat the crash with latest 5.1.19-BK:

openxs@suse:~/dbs/5.1/mysql-test> ./mysql-test-run.pl --force bug28641
Logging: ./mysql-test-run.pl --force bug28641
070517 13:27:24 [Warning] Server variable data_file_path of plugin InnoDB was fo
rced to be read-only: string variable without update_func and PLUGIN_VAR_MEMALLO
C flag
070517 13:27:24 [Warning] Server variable data_home_dir of plugin InnoDB was for
ced to be read-only: string variable without update_func and PLUGIN_VAR_MEMALLOC
 flag
070517 13:27:24 [Warning] Server variable flush_method of plugin InnoDB was forc
ed to be read-only: string variable without update_func and PLUGIN_VAR_MEMALLOC
flag
070517 13:27:24 [Warning] Server variable log_arch_dir of plugin InnoDB was forc
ed to be read-only: string variable without update_func and PLUGIN_VAR_MEMALLOC
flag
070517 13:27:24 [Warning] Server variable log_group_home_dir of plugin InnoDB wa
s forced to be read-only: string variable without update_func and PLUGIN_VAR_MEM
ALLOC flag
070517 13:27:24 [Note] /home/openxs/dbs/5.1/libexec/mysqld: Shutdown complete

MySQL Version 5.1.19
Using binlog format 'mixed'
Using ndbcluster when necessary, mysqld supports it
Skipping SSL, mysqld not compiled with SSL
mysql-test-run: WARNING: Could not find all required ndb binaries, all ndb tests
 will fail, use --skip-ndbcluster to skip testing it.
Using MTR_BUILD_THREAD      = 0
Using MASTER_MYPORT         = 9306
Using MASTER_MYPORT1        = 9307
Using SLAVE_MYPORT          = 9308
Using SLAVE_MYPORT1         = 9309
Using SLAVE_MYPORT2         = 9310
Using NDBCLUSTER_PORT       = 9310
Using NDBCLUSTER_PORT_SLAVE = 9311
Using IM_PORT               = 9312
Using IM_MYSQLD1_PORT       = 9313
Using IM_MYSQLD2_PORT       = 9314
Killing Possible Leftover Processes
Removing Stale Files
Creating Directories
Installing Master Database
Installing Master Database
Saving snapshot of installed databases
=======================================================
Starting Tests in the 'main' suite

TEST                           RESULT         TIME (ms)
-------------------------------------------------------

bug28641                       [ fail ]

Errors are (from /home/openxs/dbs/5.1/mysql-test/var/log/mysqltest-time) :
mysqltest: Result length mismatch
(the last lines may be the most important ones)
Below are the diffs between actual and expected results:
-------------------------------------------------------
*** r/bug28641.result   2007-05-17 13:27:22.000000000 +0300
--- r/bug28641.reject   2007-05-17 13:27:25.000000000 +0300
***************
*** 0 ****
--- 1,37 ----
+ DROP SCHEMA IF EXISTS event_test;
+ CREATE SCHEMA event_test;
+ USE event_test;
+ SET GLOBAL event_scheduler = ON;
+ CREATE TABLE event_log (id int KEY AUTO_INCREMENT, ev_nm char(40), ev_cnt int,
 ev_tm timestamp) ENGINE=MyISAM;
+ SET @ev_base_date = 20281224180000;
+ CREATE EVENT ev_create_11364 ON SCHEDULE AT '2038.01.18 02:59:59'
+             DO BEGIN
+ SET @evname = 'ev_create_11364';
+ SET @cnt = 0;
+ SELECT count(*) into @cnt from event_log where ev_nm = @evname ;
+ INSERT INTO event_log VALUES (NULL,@evname,@cnt+1,current_timestamp());
+ END;|
+ CREATE EVENT ev_create_11365 ON SCHEDULE AT '2038.01.18 03:00:00'
+             DO BEGIN
+ SET @evname = 'ev_create_11365';
+ SET @cnt = 0;
+ SELECT count(*) into @cnt from event_log where ev_nm = @evname ;
+ INSERT INTO event_log VALUES (NULL,@evname,@cnt+1,current_timestamp());
+ END;|
+ CREATE EVENT ev_create_11366 ON SCHEDULE AT '2038.01.19 06:14:07'
+             DO BEGIN
+ SET @evname = 'ev_create_11366';
+ SET @cnt = 0;
+ SELECT count(*) into @cnt from event_log where ev_nm = @evname ;
+ INSERT INTO event_log VALUES (NULL,@evname,@cnt+1,current_timestamp());
+ END;|
+ CREATE EVENT ev_create_11366 ON SCHEDULE AT '2038.01.19 06:14:08'
+             DO BEGIN
+ SET @evname = 'ev_create_11366';
+ SET @cnt = 0;
+ SELECT count(*) into @cnt from event_log where ev_nm = @evname ;
+ INSERT INTO event_log VALUES (NULL,@evname,@cnt+1,current_timestamp());
+ END;|
+ ERROR HY000: Incorrect AT value: '2038.01.19 06:14:08'
+ SET GLOBAL event_scheduler = OFF;
+ DROP SCHEMA event_test;
-------------------------------------------------------
Please follow the instructions outlined at
http://www.mysql.com/doc/en/Reporting_mysqltest_bugs.html
to find the reason to this problem and how to report this.

Result from queries before failure can be found in /home/openxs/dbs/5.1/mysql-te
st/var/log/bug28641.log

Stopping All Servers
Restoring snapshot of databases
Resuming Tests

-------------------------------------------------------
Stopping All Servers
Failed 1/1 tests, 0.00% were successful.

The log files in var/log may give you some hint
of what went wrong.
If you want to report this error, please read first the documentation at
http://www.mysql.com/doc/en/MySQL_test_suite.html
The servers were restarted 1 times
Spent 0 seconds actually executing testcases

mysql-test-run in default mode: *** Failing the test(s): bug28641
mysql-test-run: *** ERROR: there were failing test cases

There were no crash.
[6 Jun 2007 8:35] Andrey Hristov 
Verified here with 5.1.20-dev

#0  0xffffe410 in __kernel_vsyscall ()
#1  0x400fb2c1 in raise () from /lib/tls/libc.so.6
#2  0x400fcb75 in abort () from /lib/tls/libc.so.6
#3  0x400f4903 in __assert_fail () from /lib/tls/libc.so.6
#4  0x083bfba2 in sec_since_epoch (year=2038, mon=1, mday=18, hour=0, min=6, 
    sec=6) at tztime.cc:790
#5  0x083bfcaa in sec_since_epoch_TIME (t=0x6) at tztime.cc:818
#6  0x083db9f5 in Event_queue_element::load_from_row (this=0x890cb98, thd=0x0, 
    table=0x88e2a10) at event_data_objects.cc:975
#7  0x083e101f in Event_db_repository::load_named_event (this=0x88b2818, 
    thd=0x88c3c38, dbname=The value of variable 'dbname' is distributed across several
locations, and GDB cannot access its value.

) at event_db_repository.cc:889
#8  0x083e2426 in Events::create_event (thd=0x88c3c38, parse_data=0x89080b8, 
    if_not_exists=false) at events.cc:412
#9  0x0823d3dc in mysql_execute_command (thd=0x88c3c38) at sql_parse.cc:3247
#10 0x08242744 in mysql_parse (thd=0x88c3c38, 
    inBuf=0x8903618 "CREATE EVENT ev_create_11365 ON SCHEDULE AT '2038.01.18 03:00:00'\n", ' ' <repeats 12 times>, "DO BEGIN\nSET @evname = 'ev_create_11365';\nSET @cnt = 0;\nSELECT count(*) into @cnt from event_log where ev_nm = @evname ;\nI"..., length=274, found_semicolon=0x4055af78) at sql_parse.cc:5381
#11 0x08237df0 in dispatch_command (command=COM_QUERY, thd=0x88c3c38, 
    packet=0x88e7cb1 "CREATE EVENT ev_create_11365 ON SCHEDULE AT '2038.01.18 03:00:00'\n", ' ' <repeats 12 times>, "DO BEGIN\nSET @evname = 'ev_create_11365';\nSET @cnt = 0;\nSELECT count(*) into @cnt from event_log where ev_nm = @evname ;
Quit
) at sql_parse.cc:907
#12 0x08237553 in do_command (thd=0x88c3c38) at sql_parse.cc:669
#13 0x0823609f in handle_one_connection (arg=0x0) at sql_connect.cc:1091
#14 0x40053aa7 in start_thread () from /lib/tls/libpthread.so.0
#15 0x4018dc2e in clone () from /lib/tls/libc.so.6
[6 Jun 2007 12:12] Andrey Hristov 
Just 

CREATE EVENT ev_create_11365 ON SCHEDULE AT '2038.01.18 03:00:00'
            DO BEGIN
               SET @evname = 'ev_create_11365';
               SET @cnt = 0;
               SELECT count(*) into @cnt from event_log where ev_nm = @evname ;
               INSERT INTO event_log VALUES (NULL,@evname,@cnt+1,current_timestamp());
               END;|

Causes a segfault. Date handling is not good for 2003-01-17 , 18 and 19
[14 Jun 2007 20:53] Andrey Hristov 
2003 is a typo, I mean 2038
[21 Jun 2007 11:12] Dmitry Lenev 
After short investigation I think that problem stems from the fact that events implementation uses sec_since_epoch_TIME() function which is a thin wrapper
around of sec_since_epoch() function. The latter is private function of code implementating time zone support and therefore makes some assumptions about its arguments which do not hold in general case.

I think that solution to this problem is to use Time_zone_utc::TIME_to_gmt_sec() for "UTC datetime -> time_t" conversions in events code instead of sec_since_epoch_TIME() (indeed we will have to implement it first). Especially since for
"time_t -> UTC datetime" conversions this code already uses Time_zone_utc::gmt_sec_to_TIME() method.

Note that we can't implement Time_zone_utc::TIME_to_gmt_sec() method simply as wrapper to sec_since_epoch() function, since on systems with leap seconds the latter is not inverse of Time_zone_utc::gmt_sec_to_TIME().
[24 Jul 2007 13:44] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/31476

ChangeSet@1.2556, 2007-07-24 15:43:46+02:00, thek@adventure.(none) +7 -0
  Bug#28641 CREATE EVENT with '2038.01.18 03:00:00' let server crash.
  
  Creating an EVENT to be executed at a time close to the end of the 
  allowed range (2038.01.19) would cause the server to crash. The
  expected behavior is to accept all calendar times within the interval
  and reject all other values without crashing.
  
  This patch replaces the function 'sec_to_epoch_TIME' with the Time_zone API.
  This function was broken because it invoked the internal function 'sec_to_epoch'
  without respecting the restrictions on the function parameters. It also was used
  as a reverse function to Time_zone_utc::gmt_sec_to_TIME which it isn't.
[25 Jul 2007 7:44] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/31530

ChangeSet@1.2556, 2007-07-25 09:43:49+02:00, thek@adventure.(none) +7 -0
  Bug#28641 CREATE EVENT with '2038.01.18 03:00:00' let server crash.
  
  Creating an EVENT to be executed at a time close to the end of the allowed
  range (2038.01.19 03:14:07 UTC) would cause the server to crash. The
  expected behavior is to accept all calendar times within the interval and
  reject all other values without crashing.
  
  This patch replaces the function 'sec_to_epoch_TIME' with a Time_zone API call.
  This function was broken because it invoked the internal function 'sec_to_epoch'
  without respecting the restrictions on the function parameters (and this caused
  assertion failure). It also was used as a reverse function to
  Time_zone_utc::gmt_sec_to_TIME which it isn't.
[1 Aug 2007 23:27] Bugs System 
Pushed into 5.1.21-beta
[2 Aug 2007 3:46] Paul DuBois 
Noted in 5.1.21 changelog.