Bug #21913 DATE_FORMAT() Crashes mysql server if I use it through mysql-connector-j driver.
Submitted: 29 Aug 2006 23:17 Modified: 14 Sep 2006 13:54
Reporter: Hang Zhao Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S1 (Critical)
Version:mysql 4.1.21 mysql-connector-j 3.1.13 OS:Linux (RHEL4)
Assigned to: Tatiana Azundris Nuernberg

[29 Aug 2006 23:17] Hang Zhao
Description:
mysql 4.1.21 mysql-connector-j 3.1.13

DATE_FORMAT() Crashes mysql server if I use mysql-connector-j driver, the mysqld server will after that.

Directly use DATE_FORMAT() inside mysql client program seems fine (same sql statement).

I can easily reproduce it with a small test case as shown below (TestJDBC.java).

the output from java is:

============================================================================
com.mysql.jdbc.CommunicationsException: Communications link failure due to underlying exception:

** BEGIN NESTED EXCEPTION **

java.io.EOFException

STACKTRACE:

java.io.EOFException
        at com.mysql.jdbc.MysqlIO.readFully(MysqlIO.java:1934)
        at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:2380)
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:2909)
        at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1600)
        at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:1695)
        at com.mysql.jdbc.Connection.execSQL(Connection.java:2998)
        at com.mysql.jdbc.Connection.execSQL(Connection.java:2927)
        at com.mysql.jdbc.Statement.executeQuery(Statement.java:956)
        at TestJDBC.test(TestJDBC.java:46)
        at TestJDBC.main(TestJDBC.java:15)

** END NESTED EXCEPTION **

Last packet sent to the server was 47 ms ago.
        at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:2592)
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:2909)
        at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1600)
        at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:1695)
        at com.mysql.jdbc.Connection.execSQL(Connection.java:2998)
        at com.mysql.jdbc.Connection.execSQL(Connection.java:2927)
        at com.mysql.jdbc.Statement.executeQuery(Statement.java:956)
        at TestJDBC.test(TestJDBC.java:46)
        at TestJDBC.main(TestJDBC.java:15)
TEST FAILED
===============================================================================

The output in mysql error log is:

===============================================================================
mysqld got signal 11;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8388600
read_buffer_size=131072
max_used_connections=1
max_connections=100
threads_connected=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_connections = 225791 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd=0x898cc68
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
Cannot determine thread, fp=0x6e4104, backtrace may not be correct.
Stack range sanity check OK, backtrace follows:
0x8125b50
0xa498b8
0x84a2ac0
0x80f77c0
0x80f8c6d
0x80d129c
0x811bae9
0x816c6d1
0x8165010
0x815cccd
0x815d844
0x8159f72
0x8138741
0x813da4a
0x81373fe
0x8137072
0x8136869
0xa433ae
0x8d5aee
New value of fp=(nil) failed sanity check, terminating stack trace!
Please read http://dev.mysql.com/doc/mysql/en/Using_stack_trace.html and follow instructions on how to resolve the stack trace. Resolved
stack trace is much more helpful in diagnosing the problem, so please do
resolve it
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0x89c4c40 = SELECT DATE_FORMAT(field1,'%b-%e %l:%i%p') as fmtddate, field2 FROM testBug
thd->thread_id=1
The manual page at http://www.mysql.com/doc/en/Crashing.html contains
information that should help you find out what is causing the crash.

Number of processes running now: 0
060829 16:05:15  mysqld restarted
060829 16:05:15  InnoDB: Started; log sequence number 0 43634
/opt/oss/libexec/mysql/mysqld: ready for connections.
Version: '4.1.21-pro-log'  socket: '/opt/oss/var/mysql/mysql.sock'  port: 3306  MySQL Pro (Commercial)
================================================================================

How to repeat:
import com.mysql.jdbc.NonRegisteringDriver;
import com.mysql.jdbc.NotUpdatable;
import com.mysql.jdbc.SQLError;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.DriverManager;

public class TestJDBC {

    public static void main(String []args) {
        if (test()) {
            System.out.println("TEST PASSED");
        } else {
            System.out.println("TEST FAILED");
        }
    }

    public static boolean test(){
        Statement stmt = null;
        String dbClass = "com.mysql.jdbc.Driver";
        String dbUrl = "jdbc:mysql:///test";
        ResultSet rs = null;
        Connection conn = null;

        try {
            Class.forName(dbClass).newInstance();
            conn = DriverManager.getConnection(dbUrl);
        } catch (Exception ex) {
            ex.printStackTrace();
            return false;
        }
        try {
            stmt = conn.createStatement();
            stmt.executeUpdate("DROP TABLE IF EXISTS testBug");
            stmt.executeUpdate("CREATE TABLE testBug (field1 DATE, field2 VARCHAR(32) CHARACTER SET BINARY)");
            stmt.executeUpdate("INSERT INTO testBug VALUES (NOW(), 'abcd')");
        } catch (SQLException SQLE) {
            SQLE.printStackTrace();
            System.exit(1);
        }
        try {
            rs = stmt.executeQuery("SELECT DATE_FORMAT(field1,'%b-%e %l:%i%p') as fmtddate, field2 FROM testBug");
        } catch (SQLException SQLE) {
            SQLE.printStackTrace();
            return false;
        } finally {
            if (rs != null) {
                try {
                    rs.close();
                } catch (SQLException SQLE) {
                    ;
                }
            }
        }
        if (stmt != null) {
            try {
                stmt.close();
            } catch (SQLException SQLE) {
                ;
            }
        }
        if (conn != null) {
            try {
                conn.close();
        } catch (SQLException SQLE) {
                ;
            }
        }
        return true;
    }

}
[29 Aug 2006 23:20] Hang Zhao
Make the Synopsis more clear
[29 Aug 2006 23:41] Hang Zhao
Make the priority higher.
[30 Aug 2006 12:34] Tonci Grgin
Hi and thanks for your problem report.
Verified as described by reporter.
[30 Aug 2006 13:26] Mark Matthews
Changing to server category as this is a server issue, and changing priority since it's a server crashing bug, given that the following testcase script run w/ the MySQL client crashes the server:

SET NAMES latin1;
SET character_set_results = NULL;
SHOW VARIABLES;
SHOW COLLATION;
SET autocommit=1;

SELECT VERSION();
DROP TABLE IF EXISTS testBug8868;
CREATE TABLE testBug8868 (field1 DATE, field2 VARCHAR(32) CHARACTER SET BINARY);
INSERT INTO testBug8868 VALUES (NOW(), 'abcd');
SELECT DATE_FORMAT(field1,'%b-%e %l:%i%p') as fmtddate, field2 FROM testBug8868
[30 Aug 2006 13:59] Elliot Murphy
(gdb) bt
#0  0x00002aaaab2a3807 in pthread_kill () from /lib/libpthread.so.0
#1  0x00000000006b3f10 in write_core (sig=11) at stacktrace.c:220
#2  0x0000000000584183 in handle_segfault (sig=11) at mysqld.cc:2022
#3  <signal handler called>
#4  0x00000000009c4f52 in my_charset_same (cs1=0xd79600, cs2=0x0)
    at charset.c:37
#5  0x000000000057f994 in String::needs_conversion (arg_length=3,
    from_cs=0xd79600, to_cs=0x0, offset=0x438ec9e8) at sql_string.cc:259
#6  0x000000000057fce1 in String::copy (this=0x438ecb20, str=0xa74f5f "Aug",
    arg_length=3, from_cs=0xd79600, to_cs=0x0, errors=0x438ecb4c)
    at sql_string.cc:340
#7  0x00000000005414a5 in make_date_time (format=0x438ecc10,
    l_time=0x438ecbe0, type=MYSQL_TIMESTAMP_DATE, str=0x438ed070)
    at item_timefunc.cc:515
#8  0x00000000005447e3 in Item_func_date_format::val_str (this=0x1780358,
    str=0x438ed070) at item_timefunc.cc:1682
#9  0x00000000005025d1 in Item::send (this=0x1780358, protocol=0x1753860,
    buffer=0x438ed070) at item.cc:2416
#10 0x00000000005706cf in select_send::send_data (this=0x1780528,
    items=@0x1752ed0) at sql_class.cc:832
#11 0x00000000005dce16 in end_send (join=0x1780540, join_tab=0x1781b08,
    end_of_records=false) at sql_select.cc:6750
#12 0x00000000005d9b55 in do_select (join=0x1780540, fields=0x1752ed0,
    table=0x0, procedure=0x0) at sql_select.cc:6047
#13 0x00000000005ec47e in JOIN::exec (this=0x1780540) at sql_select.cc:1566
#14 0x00000000005ec7fb in mysql_select (thd=0x1752be8,
    rref_pointer_array=0x1752fd8, tables=0x1780480, wild_num=0,
    fields=@0x1752ed0, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0,
    proc_param=0x0, select_options=2189707776, result=0x1780528,
    unit=0x1752c60, select_lex=0x1752e00) at sql_select.cc:1686
#15 0x00000000005ecab2 in handle_select (thd=0x1752be8, lex=0x1752c50,
    result=0x1780528) at sql_select.cc:192
#16 0x000000000059ecef in mysql_execute_command (thd=0x1752be8)
    at sql_parse.cc:2127
#17 0x00000000005a42d0 in mysql_parse (thd=0x1752be8,
    inBuf=0x1780188 "select DATE_FORMAT(f1, '%b-%e %l:%i%p') as fmtddate from test", length=61) at sql_parse.cc:4368
#18 0x00000000005a4d02 in dispatch_command (command=COM_QUERY, thd=0x1752be8,
    packet=0x1777fe9 "", packet_length=62) at sql_parse.cc:1530
#19 0x00000000005a6336 in do_command (thd=0x1752be8) at sql_parse.cc:1331
#20 0x00000000005a66f7 in handle_one_connection (arg=0x1752be8)
    at sql_parse.cc:1063
#21 0x00002aaaab2a00fa in start_thread () from /lib/libpthread.so.0
---Type <return> to continue, or q <return> to quit---
#22 0x00002aaaab845ce2 in clone () from /lib/libc.so.6
#23 0x0000000000000000 in ?? ()
[2 Sep 2006 20:26] Paul Sindelar
I'm also running into this issue.  Here's what I've noticed.

1. It happens on my windows (4.1.21-community-nt) with 3.1.13 & 5.0.3 connectors, but it does NOT happen with 5.0.19-nt server (same machine) with either connector, nor does it happen on my linux db server (4.1.20-log x86_64 redhat-linux-gnu) using either connector.

2. It seems to be dependent upon what you enter for the date value.  For instance, each of these statements will bring down the mysql server.

 SELECT DATE_FORMAT('2006-07-01', '%W') AS d1
 SELECT DATE_FORMAT(now(), '%W') AS d1
 SELECT DATE_FORMAT('20060701', '%W') AS d1
 SELECT DATE_FORMAT(20060701, '%W') AS d1

yet these statements works as expected, and return a null which is the same as the cli

 SELECT DATE_FORMAT('07-01-2006', '%W') AS d1
 SELECT DATE_FORMAT('07012006', '%W') AS d1
[4 Sep 2006 4:16] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/11325

ChangeSet@1.2538, 2006-09-04 06:16:34+02:00, tnurnberg@salvation.intern.azundris.com +3 -0
  Bug#21913: DATE_FORMAT() Crashes mysql server if I use it through mysql-connector-j driver.
  
  Variable character_set_results can legally be NULL (for "no conversion.")
  This could result in a NULL deref that crashed the server.  Fixed.
  
  (Although ran some additional precursory tests to see whether I could break
  anything else, but no breakage so far.)
[4 Sep 2006 7:13] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/11330

ChangeSet@1.2538, 2006-09-04 09:13:40+02:00, tnurnberg@salvation.intern.azundris.com +3 -0
  Bug#21913: DATE_FORMAT() Crashes mysql server if I use it through mysql-connector-j driver.
  
  Variable character_set_results can legally be NULL (for "no conversion.")
  This could result in a NULL deref that crashed the server.  Fixed.
  
  (Although ran some additional precursory tests to see whether I could break
  anything else, but no breakage so far.)
[4 Sep 2006 8:26] Tatiana Azundris Nuernberg
q'd for 5.0.25 in 5.0-maint
[4 Sep 2006 14:37] Magnus BlÄudd
Pushed to 5.0.25
[4 Sep 2006 16:16] Tatiana Azundris Nuernberg
Thank you, Magnus!
Also pushed to 4.1.22 in 4.1-maint
[13 Sep 2006 8:55] Timothy Smith
Pushed to 5.1.12
[14 Sep 2006 13:54] Paul Dubois
Noted in 4.1.22, 5.0.25, 5.1.12 changelogs.
[3 Oct 2006 20:01] Chad MILLER
Available in 5.0.26.
[3 Oct 2006 20:15] Chad MILLER
Available in 5.1.12-beta.
[4 Oct 2006 13:56] Chad MILLER
Available in 4.1.22.