| Bug #59686 | crash in String::copy() with time data type | ||
|---|---|---|---|
| Submitted: | 24 Jan 2011 2:48 | Modified: | 31 Mar 2011 2:57 |
| Reporter: | Shane Bester (Platinum Quality Contributor) | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Data Types | Severity: | S1 (Critical) |
| Version: | 5.5.6,5.5.10, 5.6.2 | OS: | Any |
| Assigned to: | Tor Didriksen | CPU Architecture: | Any |
| Tags: | regression | ||
[24 Jan 2011 3:15]
MySQL Verification Team
another testcase that is nearly identical, but with different stack trace (presumably due to indexes):
drop table if exists g4;
create table g4(`a` date,`b` int,unique(`b`),unique(`a`),key(`b`))engine=innodb;
insert into g4 values ('2011-05-13',0);
select 1 from g4 where `b`<(select cast(`a` as date) from g4 group by `a`);
Version: '5.5.8' socket: '' port: 3306 MySQL Community Server (GPL)
110124 5:08:19 - mysqld got exception 0xc0000005 ;
mysqld.exe!Item::save_in_field()[item.cc:5401]
mysqld.exe!Item::save_in_field_no_warnings()[item.cc:1065]
mysqld.exe!get_mm_leaf()[opt_range.cc:5933]
mysqld.exe!get_mm_parts()[opt_range.cc:5717]
mysqld.exe!get_func_mm_tree()[opt_range.cc:5396]
mysqld.exe!get_full_func_mm_tree()[opt_range.cc:5495]
mysqld.exe!get_mm_tree()[opt_range.cc:5685]
mysqld.exe!SQL_SELECT::test_quick_select()[opt_range.cc:2275]
mysqld.exe!get_quick_record_count()[sql_select.cc:2606]
mysqld.exe!make_join_statistics()[sql_select.cc:3040]
mysqld.exe!JOIN::optimize()[sql_select.cc:1051]
mysqld.exe!mysql_select()[sql_select.cc:2556]
mysqld.exe!handle_select()[sql_select.cc:297]
mysqld.exe!execute_sqlcom_select()[sql_parse.cc:4452]
mysqld.exe!mysql_execute_command()[sql_parse.cc:2046]
mysqld.exe!mysql_parse()[sql_parse.cc:5496]
mysqld.exe!dispatch_command()[sql_parse.cc:1035]
mysqld.exe!do_command()[sql_parse.cc:772]
mysqld.exe!do_handle_one_connection()[sql_connect.cc:745]
mysqld.exe!handle_one_connection()[sql_connect.cc:684]
mysqld.exe!pthread_start()[my_winthread.c:61]
mysqld.exe!_callthreadstartex()[threadex.c:348]
mysqld.exe!_threadstartex()[threadex.c:326]
kernel32.dll!FlsSetValue()
[24 Jan 2011 4:24]
Valeriy Kravchuk
Verified on Mac OS X:
macbook-pro:5.5 openxs$ bin/mysql -uroot test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.5.10-debug Source distribution
Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> drop table if exists g3;
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> create table g3(`a` time)engine=myisam;
Query OK, 0 rows affected (0.05 sec)
mysql> insert into g3 values ('00:00:00'),('00:01:00');
Query OK, 2 rows affected (0.00 sec)
Records: 2 Duplicates: 0 Warnings: 0
mysql> select 1 from g3 where 1 < some (select cast(`a` as datetime) from g3);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> 110124 06:22:57 mysqld_safe mysqld restarted
mysql> exit
Bye
macbook-pro:5.5 openxs$ tail -80 data/macbook-pro.err
key_buffer_size=8388608
read_buffer_size=131072
max_used_connections=1
max_threads=151
thread_count=1
connection_count=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 337960 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
Thread pointer: 0x103c200
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0xb077ef30 thread_stack 0x30000
0 mysqld 0x0036ec71 my_print_stacktrace + 44
1 mysqld 0x00121206 handle_segfault + 884
2 libSystem.B.dylib 0x940472bb _sigtramp + 43
3 ??? 0xffffffff 0x0 + 4294967295
4 mysqld 0x00049337 _ZN14Item_cache_str11cache_valueEv + 229
5 mysqld 0x000b93e3 _ZN24Item_singlerow_subselect5storeEjP4Item + 121
6 mysqld 0x001c9485 _ZN26select_singlerow_subselect9send_dataER4ListI4ItemE + 297
7 mysqld 0x00247f3c _ZN4JOIN5clearEv + 910
8 mysqld 0x00249473 _Z10sub_selectP4JOINP13st_join_tableb + 65
9 mysqld 0x0025952c _ZN4JOIN9join_freeEv + 1610
10 mysqld 0x0026b392 _ZN4JOIN4execEv + 8740
11 mysqld 0x000bbc2e _ZN30subselect_single_select_engine4execEv + 1278
12 mysqld 0x000be2fa _ZN14Item_subselect4execEv + 218
13 mysqld 0x000ba3c5 _ZN24Item_singlerow_subselect8val_realEv + 93
14 mysqld 0x0010c3a4 _ZN4Item10val_resultEv + 24
15 mysqld 0x00041f9e _ZN15Item_cache_real11cache_valueEv + 56
16 mysqld 0x0005938f _ZN10Item_cache9has_valueEv + 37
17 mysqld 0x0004387c _ZN15Item_cache_real8val_realEv + 84
18 mysqld 0x0005fd24 _ZN14Arg_comparator18compare_real_fixedEv + 88
19 mysqld 0x00070c65 _ZN14Arg_comparator7compareEv + 73
20 mysqld 0x0006437b _ZN12Item_func_lt7val_intEv + 87
21 mysqld 0x00064b6f _ZN17Item_func_nop_all7val_intEv + 101
22 mysqld 0x000891e2 _Z15eval_const_condP4Item + 24
23 mysqld 0x00253aaf _Z19simple_remove_constP8st_orderP4Item + 2393
24 mysqld 0x00253ddf _Z15remove_eq_condsP3THDP4ItemPNS1_11cond_resultE + 567
25 mysqld 0x00258b62 _Z15find_item_equalP10COND_EQUALP5FieldPb + 5432
26 mysqld 0x00261d42 _ZN4JOIN8optimizeEv + 928
27 mysqld 0x00266188 _Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select_lex + 778
28 mysqld 0x0026b6dd _Z13handle_selectP3THDP3LEXP13select_resultm + 547
29 mysqld 0x00203bb9 _Z15update_precheckP3THDP10TABLE_LIST + 1075
30 mysqld 0x00206236 _Z21mysql_execute_commandP3THD + 2864
31 mysqld 0x0020dfb2 _Z11mysql_parseP3THDPcjP12Parser_state + 644
32 mysqld 0x0020eb80 _Z16dispatch_command19enum_server_commandP3THDPcj + 2692
33 mysqld 0x00210044 _Z10do_commandP3THD + 664
34 mysqld 0x002f451d _Z24do_handle_one_connectionP3THD + 1095
35 mysqld 0x002f460b handle_one_connection + 37
36 libSystem.B.dylib 0x9400c095 _pthread_start + 321
37 libSystem.B.dylib 0x9400bf52 thread_start + 34
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x10a8c10): select 1 from g3 where 1 < some (select cast(`a` as datetime) from g3)
Connection ID (thread ID): 1
Status: NOT_KILLED
[31 Jan 2011 6:17]
MySQL Verification Team
Another testcase that crashes 5.6.2 and 5.5.10:
select min(timestampadd(month,1>'',from_days('%Z')));
[9 Feb 2011 15:45]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
http://lists.mysql.com/commits/130900
3326 Tor Didriksen 2011-02-09
Bug #59686 crash in String::copy() with time data type
The problem was that Item_sum_hybrid::val_xxx() did not propagate null values up the expression tree.
@ mysql-test/r/func_time.result
New test case.
@ mysql-test/t/func_time.test
New test case.
@ sql/item_sum.cc
Check for null_value when evaluating sub-items in sub-trees in Item_sum_hybrid::val_xxx()
[10 Feb 2011 12:43]
Tor Didriksen
Split bug in two, see Bug #60085 crash in Item::save_in_field() with time data type.
[10 Feb 2011 12:46]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
http://lists.mysql.com/commits/131037
3322 Tor Didriksen 2011-02-09
Bug #59686 crash in String::copy() with time data type
The problem was that Item_sum_hybrid::val_xxx() did not propagate null values up the expression tree.
@ mysql-test/r/func_time.result
New test case.
@ mysql-test/t/func_time.test
New test case.
@ sql/item_sum.cc
Check for null_value when evaluating sub-items in sub-trees in Item_sum_hybrid::val_xxx()
[11 Feb 2011 9:12]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
http://lists.mysql.com/commits/131105
3323 Tor Didriksen 2011-02-11
Bug #59686 crash in String::copy() with time data type
The problem was that Item_sum_hybrid::val_xxx() did not propagate null values up the expression tree.
@ mysql-test/r/func_time.result
New test case.
@ mysql-test/t/func_time.test
New test case.
@ sql/item_sum.cc
Check for null_value when evaluating sub-items in sub-trees in Item_sum_hybrid::val_xxx()
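The defect named in the commit message above (a null result not propagated up the expression tree), as an added C++ model that is not MySQL source code. `Item`, `Literal`, `NullLeaf`, `HybridAgg`, `cache_value`, `run_null_child` and `Outcome` are simplified, hypothetical stand-ins; `WouldCrash` marks the point where an unguarded copy would dereference a null pointer.

```cpp
#include <cstdio>
#include <string>
#include <utility>

// Toy model (assumption): val_str() returns nullptr for SQL NULL and sets
// null_value; callers look only at null_value before using the pointer.
struct Item {
    bool null_value = false;
    virtual ~Item() = default;
    virtual const std::string* val_str() = 0;
};
struct Literal : Item {   // ordinary non-NULL value
    std::string v;
    explicit Literal(std::string s) : v(std::move(s)) {}
    const std::string* val_str() override { null_value = false; return &v; }
};
struct NullLeaf : Item {  // sub-expression that evaluates to NULL
    const std::string* val_str() override { null_value = true; return nullptr; }
};
struct HybridAgg : Item { // MIN()/MAX()-style wrapper around one child
    Item* arg;
    bool propagate;       // false models the defect, true the fix
    HybridAgg(Item* a, bool p) : arg(a), propagate(p) {}
    const std::string* val_str() override {
        const std::string* r = arg->val_str();
        if (propagate) null_value = arg->null_value;  // pass NULL up the tree
        return r;
    }
};
enum class Outcome { Cached, CachedNull, WouldCrash };

// Consumer modelled on a value cache: copies the string unless null_value is set.
Outcome cache_value(Item& it, std::string& out) {
    const std::string* r = it.val_str();
    if (it.null_value) return Outcome::CachedNull;
    if (r == nullptr) return Outcome::WouldCrash;  // unguarded copy would dereference nullptr
    out = *r;
    return Outcome::Cached;
}

Outcome run_null_child(bool propagate) {
    NullLeaf leaf;
    HybridAgg agg(&leaf, propagate);
    std::string out;
    return cache_value(agg, out);
}

int main() {
    std::printf("defect=%d fixed=%d\n", (int)run_null_child(false), (int)run_null_child(true));
}
```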
[11 Feb 2011 9:16]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
http://lists.mysql.com/commits/131106
3639 Tor Didriksen 2011-02-11 [merge]
merge Bug #59686 from 5.5
[3 Mar 2011 0:32]
MySQL Verification Team
Hi Tor. Does this patch fix the crash and/or assertion from this:
set @a:=(select distinct max(adddate(from_days(convert(1,time)),interval 1 month)));
Release build crashes:
String::copy()[sql_string.cc:133]
Item_cache_str::cache_value()[item.cc:7719]
Item_singlerow_subselect::store()[item_subselect.cc:498]
select_singlerow_subselect::send_data()[sql_class.cc:2450]
end_send_group()[sql_select.cc:12687]
do_select()[sql_select.cc:11409]
JOIN::exec()[sql_select.cc:2362]
subselect_single_select_engine::exec()[item_subselect.cc:1986]
Item_subselect::exec()[item_subselect.cc:275]
Item_singlerow_subselect::val_str()[item_subselect.cc:602]
Item_func_set_user_var::check()[item_func.cc:4529]
set_var_user::check()[set_var.cc:688]
sql_set_variables()[set_var.cc:570]
mysql_execute_command()[sql_parse.cc:3053]
mysql_parse()[sql_parse.cc:5509]
dispatch_command()[sql_parse.cc:1038]
do_command()[sql_parse.cc:772]
do_handle_one_connection()[sql_connect.cc:748]
handle_one_connection()[sql_connect.cc:685]
pthread_start()[my_winthread.c:62]
_callthreadstartex()[threadex.c:348]
_threadstartex()[threadex.c:331]
BaseThreadStart()
And this on debug build:
select distinct max(adddate(from_days(convert(1,time)),interval 1 month));
Version: '5.5.9-debug' socket: '' port: 3306 MySQL Community Server - Debug (GPL)
Assertion failed: null_value, file ..\..\mysql-5.5.9\sql\item.cc, line 5844
raise()[winsig.c:597]
abort()[abort.c:78]
_wassert()[assert.c:163]
Item::send()[item.cc:5844]
Protocol::send_result_set_row()[protocol.cc:848]
select_send::send_data()[sql_class.cc:1862]
end_send_group()[sql_select.cc:12687]
do_select()[sql_select.cc:11409]
JOIN::exec()[sql_select.cc:2362]
mysql_select()[sql_select.cc:2573]
handle_select()[sql_select.cc:297]
execute_sqlcom_select()[sql_parse.cc:4472]
mysql_execute_command()[sql_parse.cc:2053]
mysql_parse()[sql_parse.cc:5509]
dispatch_command()[sql_parse.cc:1038]
do_command()[sql_parse.cc:772]
do_handle_one_connection()[sql_connect.cc:748]
handle_one_connection()[sql_connect.cc:685]
pthread_start()[my_winthread.c:62]
_callthreadstartex()[threadex.c:348]
_threadstartex()[threadex.c:331]
BaseThreadStart()
[31 Mar 2011 2:57]
Paul DuBois
Noted in 5.5.10 changelog.
String::copy could crash with time types.
CHANGESET - http://lists.mysql.com/commits/131106

Description:
Version: '5.5.8' socket: '' port: 3306 MySQL Community Server (GPL)
110124 4:41:03 - mysqld got exception 0xc0000005 ;
mysqld.exe!String::copy()[sql_string.cc:133]
mysqld.exe!Item_cache_str::cache_value()[item.cc:7725]
mysqld.exe!Item_singlerow_subselect::store()[item_subselect.cc:510]
mysqld.exe!select_singlerow_subselect::send_data()[sql_class.cc:2416]
mysqld.exe!end_send_group()[sql_select.cc:12679]
mysqld.exe!sub_select()[sql_select.cc:11641]
mysqld.exe!do_select()[sql_select.cc:11430]
mysqld.exe!JOIN::exec()[sql_select.cc:2361]
mysqld.exe!subselect_single_select_engine::exec()[item_subselect.cc:1997]
mysqld.exe!Item_subselect::exec()[item_subselect.cc:290]
mysqld.exe!Item_singlerow_subselect::val_real()[item_subselect.cc:586]
mysqld.exe!Item_cache_real::cache_value()[item.cc:7611]
mysqld.exe!Item_cache_real::val_real()[item.cc:7620]
mysqld.exe!Arg_comparator::compare_real_fixed()[item_cmpfunc.cc:1441]
mysqld.exe!Item_func_lt::val_int()[item_cmpfunc.cc:2012]
mysqld.exe!Item_func_nop_all::val_int()[item_cmpfunc.cc:365]
mysqld.exe!eval_const_cond()[item_func.cc:78]
mysqld.exe!internal_remove_eq_conds()[sql_select.cc:9512]
mysqld.exe!remove_eq_conds()[sql_select.cc:9611]
mysqld.exe!optimize_cond()[sql_select.cc:9393]
mysqld.exe!JOIN::optimize()[sql_select.cc:918]
mysqld.exe!mysql_select()[sql_select.cc:2556]
mysqld.exe!handle_select()[sql_select.cc:297]
mysqld.exe!execute_sqlcom_select()[sql_parse.cc:4452]
mysqld.exe!mysql_execute_command()[sql_parse.cc:2046]
mysqld.exe!mysql_parse()[sql_parse.cc:5496]
mysqld.exe!dispatch_command()[sql_parse.cc:1035]
mysqld.exe!do_command()[sql_parse.cc:772]
mysqld.exe!do_handle_one_connection()[sql_connect.cc:745]
mysqld.exe!handle_one_connection()[sql_connect.cc:684]
mysqld.exe!pthread_start()[my_winthread.c:61]
mysqld.exe!_callthreadstartex()[threadex.c:348]
mysqld.exe!_threadstartex()[threadex.c:326]
kernel32.dll!FlsSetValue()
5.5.5 and 5.1.56 didn't crash so this is a regression in 5.5.6+
How to repeat:
drop table if exists g3;
create table g3(`a` time)engine=myisam;
insert into g3 values ('00:00:00'),('00:01:00');
select 1 from g3 where 1 < some (select cast(`a` as datetime) from g3);