Bug #54465 | assert: field_types == 0 || field_types[field_pos] == MYSQL_TYPE_LONGLONG | ||
---|---|---|---|
Submitted: | 13 Jun 2010 10:06 | Modified: | 15 Oct 2010 10:56 |
Reporter: | Shane Bester (Platinum Quality Contributor) | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: DML | Severity: | S1 (Critical) |
Version: | 5.0.91, 5.1.47, 5.5.3, 5.5.5-m3 | OS: | Any |
Assigned to: | Alexey Kopytov | CPU Architecture: | Any |
[13 Jun 2010 10:06]
Shane Bester
[13 Jun 2010 10:09]
MySQL Verification Team
Just to clarify, I was able to crash a release build server with a larger testcase, but debug got the same assertion. So, this is a serious bug.
[13 Jun 2010 10:09]
Valeriy Kravchuk
Verified just as described, also - with current mysql-trunk from bzr:

```
Version: '5.5.5-m3-debug' socket: '/tmp/mysql.sock' port: 3306 Source distribution
Assertion failed: (field_types == 0 || field_types[field_pos] == MYSQL_TYPE_LONGLONG), function store_longlong, file protocol.cc, line 1079.
100613 13:08:17 - mysqld got signal 6 ;
```
[17 Jun 2010 8:15]
MySQL Verification Team
Another very similar testcase:

```sql
drop table if exists `t1`;
create table `t1`(`a` int)engine=myisam;
insert into `t1` values (0),(0);
select min((select 1 from `t1` group by @@server_id)) from `t1` `t2`,`t1` order by `t1`.`a`;
```
[27 Aug 2010 9:45]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/116970

3491 Alexey Kopytov 2010-08-27

Bug #54465: assert: field_types == 0 || field_types[field_pos] == MYSQL_TYPE_LONGLONG

A MIN/MAX() function with a subquery as its argument could lead to a debug assertion on debug builds or wrong data on release ones.

The problem was a combination of the following factors:

- Item_sum_hybrid::fix_fields() might use the argument (args[0]) to calculate 'hybrid_field_type' which was later used to decide how the data should be sent to the client.
- Item_sum::make_field() might use the argument again to calculate the field's type when sending result set metadata to the client.
- The argument could be changed in between these two calls via Item::set_arg() leading to inconsistent metadata being reported.

Here is what was happening for the bug's test case:

1. Item_sum_hybrid::fix_fields() calculates hybrid_field_type as MYSQL_TYPE_LONGLONG based on args[0] which is an Item::SUBSELECT_ITEM at that time.
2. A temporary table is created to execute the query. create_tmp_field_from_item() creates a Field_long object according to the subselect's max_length.
3. The subselect item in Item_sum_hybrid is replaced by the Item_field object referencing the newly created Field_long.
4. Item_sum::make_field() rightfully returns the MYSQL_TYPE_LONG type when calculating the result set metadata.
5. When sending the actual data, Item::send() relies on the virtual field_type() function which in our case returns previously calculated hybrid_field_type == MYSQL_TYPE_LONGLONG.

It looks like the only solution is to never refer to the argument's metadata after the result metadata has been calculated in fix_fields(), since the argument itself may be different by then.

In this sense, Item_sum::make_field() should never be used, because it may rely on the argument's metadata and is only called after fix_fields(). The "default" implementation in Item::make_field() should be used instead as it relies only on field_type(), but not on the argument's type.

Fixed by removing Item_sum::make_field() so that the superclass implementation Item::make_field() is always used.

@ mysql-test/r/func_group.result
  Added a test case for bug #54465.

@ mysql-test/t/func_group.test
  Added a test case for bug #54465.

@ sql/item_sum.cc
  Removed Item_sum::make_field() so that the superclass implementation Item::make_field() is always used.

@ sql/item_sum.h
  Removed Item_sum::make_field() so that the superclass implementation Item::make_field() is always used.
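
The mechanism described in the commit message above, as an added example that is not part of the bug report or the MySQL source: a simplified C++ model of the metadata/data type mismatch and of the fix. `Arg`, `SumModel`, `store_longlong_ok`, `run_query` and the method names are hypothetical stand-ins for the classes and functions the commit message names.

```cpp
// Simplified model of the bug; not MySQL source. Arg, SumModel and the
// method names are hypothetical stand-ins for the classes named above.
#include <cassert>
#include <cstddef>
#include <memory>
#include <utility>

enum class FieldType { LONG, LONGLONG };
struct Arg { FieldType type; };  // stand-in for args[0]

struct SumModel {
    std::shared_ptr<Arg> arg;           // can be replaced after fix_fields()
    FieldType hybrid_field_type{};      // cached once in fix_fields()

    // Models Item_sum_hybrid::fix_fields(): derive the type from args[0].
    void fix_fields() { hybrid_field_type = arg->type; }
    // Models Item::set_arg(): subselect replaced by a temp-table field.
    void set_arg(std::shared_ptr<Arg> a) { arg = std::move(a); }
    // Type used to encode row data (field_type() as used by Item::send()).
    FieldType field_type() const { return hybrid_field_type; }
    // Pre-fix metadata path: re-reads the current argument.
    FieldType metadata_before_fix() const { return arg->type; }
    // Post-fix metadata path: relies only on field_type().
    FieldType metadata_after_fix() const { return field_type(); }
};

// Models the assertion from the bug title, as a check instead of an abort.
bool store_longlong_ok(const FieldType* field_types, std::size_t pos) {
    return field_types == nullptr || field_types[pos] == FieldType::LONGLONG;
}

// Walks the five steps of the commit message; returns true when the type
// advertised in the metadata agrees with the type used for the data.
bool run_query(bool fixed) {
    SumModel s;
    s.arg = std::make_shared<Arg>(Arg{FieldType::LONGLONG});  // subselect
    s.fix_fields();                                           // step 1
    s.set_arg(std::make_shared<Arg>(Arg{FieldType::LONG}));   // steps 2-3
    FieldType advertised[1] = {fixed ? s.metadata_after_fix()
                                     : s.metadata_before_fix()};  // step 4
    // Step 5: the value is sent as LONGLONG because field_type() says so.
    return s.field_type() == FieldType::LONGLONG &&
           store_longlong_ok(advertised, 0);
}

int main() {
    assert(!run_query(false));  // metadata LONG, data LONGLONG: mismatch
    assert(run_query(true));    // both come from the cached type
}
```
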
[1 Sep 2010 13:13]
Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@sun.com-20100901130501-4g2k86dub29auj8y) (version source revid:alik@sun.com-20100901130012-9bmmvzcnnw6n5rw6) (merge vers: 5.6.1-m4) (pib:21)
[1 Sep 2010 13:14]
Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100901130614-pgop3m80rmutewxn) (version source revid:alik@sun.com-20100901130033-8k19cjn6n2blm3py) (pib:21)
[1 Sep 2010 13:15]
Bugs System
Pushed into mysql-5.5 5.5.7-m3 (revid:alik@sun.com-20100901125952-4hsrosoa0xreionr) (version source revid:alik@sun.com-20100901125952-4hsrosoa0xreionr) (merge vers: 5.5.7-m3) (pib:21)
[2 Sep 2010 0:52]
Paul DuBois
Noted in 5.1.51, 5.5.7, 5.6.1 changelogs. MIN() or MAX() with a subquery argument could raise a debug assertion for debug builds or return incorrect data for nondebug builds.
[28 Sep 2010 8:48]
Bugs System
Pushed into mysql-5.1 5.1.52 (revid:sunanda.menon@sun.com-20100928083322-wangbv97uobu7g66) (version source revid:sunanda.menon@sun.com-20100928083322-wangbv97uobu7g66) (merge vers: 5.1.52) (pib:21)
[14 Oct 2010 8:38]
Bugs System
Pushed into mysql-5.1-telco-7.0 5.1.51-ndb-7.0.20 (revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (version source revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (merge vers: 5.1.51-ndb-7.0.20) (pib:21)
[14 Oct 2010 8:53]
Bugs System
Pushed into mysql-5.1-telco-6.3 5.1.51-ndb-6.3.39 (revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (version source revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (merge vers: 5.1.51-ndb-6.3.39) (pib:21)
[14 Oct 2010 9:09]
Bugs System
Pushed into mysql-5.1-telco-6.2 5.1.51-ndb-6.2.19 (revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (version source revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (merge vers: 5.1.51-ndb-6.2.19) (pib:21)
[15 Oct 2010 10:56]
Jon Stephens
Already documented in the 5.1.51 changelog. No new changelog entries required. Reverting to Closed state.