Bug #110407 mysqld crashed when execute a prepared query against partitioned table
Submitted: 17 Mar 2023 5:30 Modified: 17 Mar 2023 7:45
Reporter: huahua xu Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: Partitions Severity:S6 (Debug Builds)
Version:8.0.32 OS:Linux
Assigned to: CPU Architecture:x86

[17 Mar 2023 5:30] huahua xu
Description:
mysqld crashed when I execute a prepared query against partitioned table.

mysqld: /root/mysql-server/sql/item.cc:4224: virtual String* Item_param::val_str(String*): Assertion `param_state() != NO_VALUE' failed.
2023-03-17T05:20:37Z UTC - mysqld got signal 6 ;
Most likely, you have hit a bug, but this error can also be caused by malfunctioning hardware.
BuildID[sha1]=4de861162265ad2f96649da5a952d76bd950f9cd
Thread pointer: 0x7fe9c80066d0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 7fe9a44eda30 thread_stack 0x100000
/root/mysql-server/build80/runtime_output_directory/mysqld(my_print_stacktrace(unsigned char const*, unsigned long)+0x43) [0x4a375ff]
/root/mysql-server/build80/runtime_output_directory/mysqld(print_fatal_signal(int)+0x3a2) [0x362c42f]
/root/mysql-server/build80/runtime_output_directory/mysqld(handle_fatal_signal+0x75) [0x362c632]
/lib64/libpthread.so.0(+0xf630) [0x7fe9fc0b3630]
/lib64/libc.so.6(gsignal+0x37) [0x7fe9fa8093d7]
/lib64/libc.so.6(abort+0x148) [0x7fe9fa80aac8]
/lib64/libc.so.6(+0x2f1a6) [0x7fe9fa8021a6]
/lib64/libc.so.6(+0x2f252) [0x7fe9fa802252]
/root/mysql-server/build80/runtime_output_directory/mysqld(Item_param::val_str(String*)+0x86) [0x38219da]
/root/mysql-server/build80/runtime_output_directory/mysqld(Item::get_date_from_string(MYSQL_TIME*, unsigned int)+0x53) [0x3817fa5]
/root/mysql-server/build80/runtime_output_directory/mysqld(Item_param::get_date(MYSQL_TIME*, unsigned int)+0x101) [0x38212b9]
/root/mysql-server/build80/runtime_output_directory/mysqld(Item::val_date_temporal()+0x54) [0x38144ea]
/root/mysql-server/build80/runtime_output_directory/mysqld(get_datetime_value(THD*, Item***, Item**, Item const*, bool*)+0x97) [0x3847154]
/root/mysql-server/build80/runtime_output_directory/mysqld(in_datetime::set(unsigned int, Item*)+0x61) [0x3852481]
/root/mysql-server/build80/runtime_output_directory/mysqld(in_vector::fill(Item**, unsigned int)+0x5d) [0x38516cb]
/root/mysql-server/build80/runtime_output_directory/mysqld(Item_func_in::populate_bisection(THD*)+0x7c) [0x3856294]
/root/mysql-server/build80/runtime_output_directory/mysqld() [0x3ab63bb]
/root/mysql-server/build80/runtime_output_directory/mysqld() [0x3ab793c]
/root/mysql-server/build80/runtime_output_directory/mysqld() [0x3ab7e7a]
/root/mysql-server/build80/runtime_output_directory/mysqld(get_mm_tree(THD*, RANGE_OPT_PARAM*, unsigned long, unsigned long, unsigned long, bool, Item*)+0x8a4) [0x3ab8954]
/root/mysql-server/build80/runtime_output_directory/mysqld(prune_partitions(THD*, TABLE*, Query_block*, Item*)+0x352) [0x3ab3dc8]
/root/mysql-server/build80/runtime_output_directory/mysqld(Query_block::apply_local_transforms(THD*, bool)+0x325) [0x3456203]
/root/mysql-server/build80/runtime_output_directory/mysqld(Query_block::prepare(THD*, mem_root_deque<Item*>*)+0x175c) [0x345583c]
/root/mysql-server/build80/runtime_output_directory/mysqld(Sql_cmd_select::prepare_inner(THD*)+0x241) [0x3483eb5]
/root/mysql-server/build80/runtime_output_directory/mysqld(Sql_cmd_dml::prepare(THD*)+0x46c) [0x34838f8]
/root/mysql-server/build80/runtime_output_directory/mysqld(Prepared_statement::prepare_query(THD*)+0x545) [0x3442485]
/root/mysql-server/build80/runtime_output_directory/mysqld(Prepared_statement::prepare(THD*, char const*, unsigned long, Item_param**)+0x732) [0x34457d0]
/root/mysql-server/build80/runtime_output_directory/mysqld(mysql_sql_stmt_prepare(THD*)+0x235) [0x3443601]
/root/mysql-server/build80/runtime_output_directory/mysqld(mysql_execute_command(THD*, bool)+0x1146) [0x33fe475]
/root/mysql-server/build80/runtime_output_directory/mysqld(dispatch_sql_command(THD*, Parser_state*)+0x756) [0x34049df]
/root/mysql-server/build80/runtime_output_directory/mysqld(dispatch_command(THD*, COM_DATA const*, enum_server_command)+0x15a8) [0x33fa943]
/root/mysql-server/build80/runtime_output_directory/mysqld(do_command(THD*)+0x5bd) [0x33f89d3]
/root/mysql-server/build80/runtime_output_directory/mysqld() [0x361745f]
/root/mysql-server/build80/runtime_output_directory/mysqld() [0x52b52f0]
/lib64/libpthread.so.0(+0x7ea5) [0x7fe9fc0abea5]
/lib64/libc.so.6(clone+0x6d) [0x7fe9fa8d19fd]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (7fe9c8158d38): select * from t2 where created_at in (?, ?)
Connection ID (thread ID): 7
Status: NOT_KILLED

The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.

How to repeat:
SET @p1 = '2023-02-03', @p2='2023-02-25';

CREATE TABLE t2 (
    created_at DATE
) 
PARTITION BY RANGE (DAYOFMONTH(created_at)) (
    PARTITION p1 VALUES LESS THAN (16), 
    PARTITION p2 VALUES LESS THAN MAXVALUE
);

INSERT INTO t2 VALUES (@p1), (@p2);

SET @s = "select * from t2 where created_at in (?, ?)";

PREPARE stmt FROM @s;

Suggested fix:
I suspect that the bug is related to to the commit: https://github.com/mysql/mysql-server/commit/85008494bef26a11478370b88f83c63faee23d5b
[17 Mar 2023 6:48] MySQL Verification Team
Hello huahua xu,

Thank you for the report and test case.
I can confirm that with the provided test case 8.0.32 debug build is affected(release/opt build not crashing). Could you please confirm whether you are seeing the issue on release or debug build? If the release build is built using source then we would like to see the cmake options used for the build. Thank you.

regards,
Umesh
[17 Mar 2023 6:49] MySQL Verification Team
# release build - not affected (doesn't matter sql_mode )

rm -rf 110407/
bin/mysqld --no-defaults --initialize-insecure --basedir=$PWD --datadir=$PWD/110407 --log-error-verbosity=3
bin/mysqld_safe --no-defaults --mysqld-version='' --basedir=$PWD --datadir=$PWD/110407 --core-file --socket=/tmp/mysql.sock  --port=3306 --log-error=$PWD/110407/log.err --mysqlx-port=33330 --mysqlx-socket=/tmp/mysql_x_ushastry.sock --log-error-verbosity=3  --secure-file-priv="" --local-infile=1  2>&1 &

bin/mysql -uroot -S /tmp/mysql.sock
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 8.0.32 MySQL Community Server - GPL

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database test;
Query OK, 1 row affected (0.00 sec)

mysql> use test
Database changed
mysql> SET @p1 = '2023-02-03', @p2='2023-02-25';
Query OK, 0 rows affected (0.00 sec)

mysql>
mysql> CREATE TABLE t2 (
    ->     created_at DATE
    -> )
    -> PARTITION BY RANGE (DAYOFMONTH(created_at)) (
    ->     PARTITION p1 VALUES LESS THAN (16),
    ->     PARTITION p2 VALUES LESS THAN MAXVALUE
    -> );
Query OK, 0 rows affected (0.04 sec)

mysql>
mysql> INSERT INTO t2 VALUES (@p1), (@p2);
Query OK, 2 rows affected (0.00 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql>
mysql> SET @s = "select * from t2 where created_at in (?, ?)";
Query OK, 0 rows affected (0.00 sec)

mysql>
mysql> PREPARE stmt FROM @s;
Query OK, 0 rows affected, 2 warnings (0.00 sec)
Statement prepared

mysql> show warnings;
+---------+------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Level   | Code | Message                                                                                                                                                      |
+---------+------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Warning | 1292 | Incorrect datetime value: '\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |
| Warning | 1292 | Incorrect datetime value: '\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |
+---------+------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
[17 Mar 2023 6:51] MySQL Verification Team
# debug build - affected

rm -rf 110407/
bin/mysqld --no-defaults --initialize-insecure --basedir=$PWD --datadir=$PWD/110407 --log-error-verbosity=3
bin/mysqld_safe --no-defaults --mysqld-version=debug --basedir=$PWD --datadir=$PWD/110407 --core-file --socket=/tmp/mysql.sock  --port=3306 --log-error=$PWD/110407/log.err --mysqlx-port=33330 --mysqlx-socket=/tmp/mysql_x_ushastry.sock --log-error-verbosity=3  --secure-file-priv="" --local-infile=1 2>&1 &

 bin/mysql -uroot -S /tmp/mysql.sock
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 8.0.32-debug MySQL Community Server - GPL - Debug

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database test;
Query OK, 1 row affected (0.01 sec)

mysql> use test
Database changed
mysql> SET @p1 = '2023-02-03', @p2='2023-02-25';
Query OK, 0 rows affected (0.00 sec)

mysql>
mysql> CREATE TABLE t2 (
    ->     created_at DATE
    -> )
    -> PARTITION BY RANGE (DAYOFMONTH(created_at)) (
    ->     PARTITION p1 VALUES LESS THAN (16),
    ->     PARTITION p2 VALUES LESS THAN MAXVALUE
    -> );
Query OK, 0 rows affected (0.08 sec)

mysql>
mysql> INSERT INTO t2 VALUES (@p1), (@p2);
Query OK, 2 rows affected (0.01 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql>
mysql> SET @s = "select * from t2 where created_at in (?, ?)";
Query OK, 0 rows affected (0.00 sec)

mysql>
mysql> PREPARE stmt FROM @s;
ERROR 2013 (HY000): Lost connection to MySQL server during query

-bt

#0  0x00007f7b6f48baa1 in pthread_kill () from /lib64/libpthread.so.0
#1  0x0000000003fce8c8 in my_write_core(int) ()
#2  0x00000000032810c2 in handle_fatal_signal ()
#3  <signal handler called>
#4  0x00007f7b6d94c387 in raise () from /lib64/libc.so.6
#5  0x00007f7b6d94da78 in abort () from /lib64/libc.so.6
#6  0x00007f7b6d9451a6 in __assert_fail_base () from /lib64/libc.so.6
#7  0x00007f7b6d945252 in __assert_fail () from /lib64/libc.so.6
#8  0x00000000033d0912 in Item_param::val_str(String*) ()
#9  0x00000000033c6333 in Item::get_date_from_string(MYSQL_TIME*, unsigned int) ()
#10 0x00000000033c656f in Item_param::get_date(MYSQL_TIME*, unsigned int) ()
#11 0x00000000033c48a3 in Item::val_date_temporal() ()
#12 0x00000000033eb0e4 in get_datetime_value(THD*, Item***, Item**, Item const*, bool*) ()
#13 0x00000000033efa00 in in_datetime::set(unsigned int, Item*) ()
#14 0x00000000033e7639 in in_vector::fill(Item**, unsigned int) ()
#15 0x00000000033e7bcd in Item_func_in::populate_bisection(THD*) ()
#16 0x000000000357bef2 in get_func_mm_tree_from_in_predicate(THD*, RANGE_OPT_PARAM*, unsigned long, unsigned long, bool, Item*, Item_func_in*, bool) ()
#17 0x000000000357cda3 in get_func_mm_tree(THD*, RANGE_OPT_PARAM*, unsigned long, unsigned long, bool, Item*, Item_func*, Item*, bool) ()
#18 0x000000000357d18d in get_full_func_mm_tree(THD*, RANGE_OPT_PARAM*, unsigned long, unsigned long, unsigned long, bool, Item*, Item_func*, Item*, bool) ()
#19 0x000000000357d853 in get_mm_tree(THD*, RANGE_OPT_PARAM*, unsigned long, unsigned long, unsigned long, bool, Item*) [clone .localalias] ()
#20 0x000000000357a55f in prune_partitions(THD*, TABLE*, Query_block*, Item*) ()
#21 0x0000000003155699 in Query_block::apply_local_transforms(THD*, bool) [clone .localalias] ()
#22 0x000000000315a3f8 in Query_block::prepare(THD*, mem_root_deque<Item*>*) ()
#23 0x000000000316619b in Sql_cmd_select::prepare_inner(THD*) ()
#24 0x000000000316f985 in Sql_cmd_dml::prepare(THD*) ()
#25 0x000000000313e2e0 in Prepared_statement::prepare_query(THD*) ()
#26 0x000000000313eaa8 in Prepared_statement::prepare(THD*, char const*, unsigned long, Item_param**) ()
#27 0x000000000313fdd7 in mysql_sql_stmt_prepare(THD*) ()
#28 0x000000000310e491 in mysql_execute_command(THD*, bool) ()
#29 0x00000000031128c6 in dispatch_sql_command(THD*, Parser_state*) ()
#30 0x0000000003113dd9 in dispatch_command(THD*, COM_DATA const*, enum_server_command) ()
#31 0x000000000311596d in do_command(THD*) ()
#32 0x000000000327312c in handle_connection ()
#33 0x00000000047fb036 in pfs_spawn_thread ()
#34 0x00007f7b6f486ea5 in start_thread () from /lib64/libpthread.so.0
#35 0x00007f7b6da14b2d in clone () from /lib64/libc.so.6
(gdb)

-error log

2023-03-17T06:28:27.275522Z 0 [System] [MY-010931] [Server] /export/home/tmp/ushastry/mysql-8.0.32/bin/mysqld-debug: ready for connections. Version: '8.0.32-debug'  socket: '/tmp/mysql.sock'  port: 3306  MySQL Community Server - GPL - Debug.
mysqld-debug: ../../mysql-8.0.32/sql/item.cc:4224: virtual String* Item_param::val_str(String*): Assertion `param_state() != NO_VALUE' failed.
2023-03-17T06:45:33Z UTC - mysqld got signal 6 ;
Most likely, you have hit a bug, but this error can also be caused by malfunctioning hardware.
BuildID[sha1]=a77614dc361beb79027a600bc825cb5e1c54c9b2
Thread pointer: 0x7f7aa8000dc0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
[17 Mar 2023 7:45] huahua xu
hi,

The cmake options used for the build is:

cmake .. -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=/usr/local/mysql -DDEFAULT_CHARSET=utf8mb4 -DENABLED_LOCAL_INFILE=ON -DWITH_DEBUG=1 -DWITH_INNODB_MEMCACHED=ON -DWITH_SSL=system -DWITH_INNOBASE_STORAGE_ENGINE=1 -DWITH_FEDERATED_STORAGE_ENGINE=1 -DWITH_BLACKHOLE_STORAGE_ENGINE=1 -DWITH_ARCHIVE_STORAGE_ENGINE=1 -DWITHOUT_EXAMPLE_STORAGE_ENGINE=1 -DWITH_PERFSCHEMA_STORAGE_ENGINE=1 -DCOMPILATION_COMMENT="zsd edition" -DWITH_BOOST=/root/boost_1_77_0 -DMYSQL_UNIX_ADDR=/data/mysql-data/mysql.sock -DSYSCONFDIR=/data/mysql-data
[17 Mar 2023 9:21] MySQL Verification Team
Thank you for confirming that its debug build.

regards,
Umesh
[21 Jul 2023 8:48] MySQL Verification Team
This issue seems to be fixed since 8.0.33+ as I'm not seeing any issues on 8.0.33/8.0.34 release/debug/ASAN builds.

-
 ./mtr bug110407 --nocheck-testcases --debug-server
Logging: ./mtr  bug110407 --nocheck-testcases --debug-server
MySQL Version 8.0.34
Checking supported features
 - Binaries are debug compiled
Using 'all' suites
Collecting tests
Checking leftover processes
Removing old var directory
Creating var directory '/export/home/tmp/ushastry/mysql-8.0.34/mysql-test/var'
Installing system database
Using parallel: 1

==============================================================================
                  TEST NAME                       RESULT  TIME (ms) COMMENT
------------------------------------------------------------------------------
SET @p1 = '2023-02-03', @p2='2023-02-25';
CREATE TABLE t2 (
created_at DATE
)
PARTITION BY RANGE (DAYOFMONTH(created_at)) (
PARTITION p1 VALUES LESS THAN (16),
PARTITION p2 VALUES LESS THAN MAXVALUE
);
INSERT INTO t2 VALUES (@p1), (@p2);
SET @s = "select * from t2 where created_at in (?, ?)";
[ 50%] main.bug110407                            [ pass ]     96
[100%] shutdown_report                           [ pass ]

---
 ./mtr bug110407 --nocheck-testcases --debug-server
Logging: ./mtr  bug110407 --nocheck-testcases --debug-server
MySQL Version 8.0.33
Checking supported features
 - Binaries are debug compiled
Using 'all' suites
Collecting tests
Checking leftover processes
 - found old pid 3530 in 'mysqld.1.pid', killing it...
   process did not exist!
Removing old var directory
 - WARNING: Using the 'mysql-test/var' symlink
Creating var directory '/export/home/tmp/ushastry/mysql-8.0.33/mysql-test/var'
Installing system database
Using parallel: 1

==============================================================================
                  TEST NAME                       RESULT  TIME (ms) COMMENT
------------------------------------------------------------------------------
SET sql_mode='';
SET @p1 = '2023-02-03', @p2='2023-02-25';
CREATE TABLE t2 (
created_at DATE
)
PARTITION BY RANGE (DAYOFMONTH(created_at)) (
PARTITION p1 VALUES LESS THAN (16),
PARTITION p2 VALUES LESS THAN MAXVALUE
);
INSERT INTO t2 VALUES (@p1), (@p2);
SET @s = "select * from t2 where created_at in (?, ?)";
[ 50%] main.bug110407                            [ pass ]     49
[100%] shutdown_report                           [ pass ]

Will try to find which closest bug fix also fixed this issue.