Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-5504

Server crashes in String::length on SELECT with MONTHNAME, GROUP BY, ROLLUP

        Details

        • Type: Bug
        • Status: Closed
        • Priority: Major
        • Resolution: Fixed
        • Affects Version/s: 5.3.12
        • Fix Version/s: 5.3.13
        • Component/s: None
        • Labels:
          None

          Description

          I could only reproduce it on 5.3, not sure whether it is fixed in higher versions or just masked.

          CREATE TABLE t1 (i INT);
INSERT INTO t1 VALUES (1),(2);
SELECT 1 FROM t1 GROUP BY MONTHNAME(0) WITH ROLLUP;

          #3  <signal handler called>
#4  0x000000000059e102 in String::length (this=0x0) at sql_string.h:116
#5  0x0000000000692771 in sortcmp (s=0x7f8d9801ad98, t=0x0, cs=0x1217f00 <my_charset_latin1>) at sql_string.cc:758
#6  0x00000000005d147a in Cached_item_str::cmp (this=0x7f8d9801ad78) at item_buff.cc:88
#7  0x0000000000758d75 in test_if_group_changed (list=...) at sql_select.cc:20558
#8  0x000000000075110e in end_send_group (join=0x7f8d980197a8, join_tab=0x7f8d9801aab8, end_of_records=false) at sql_select.cc:17489
#9  0x000000000074e76e in evaluate_join_record (join=0x7f8d980197a8, join_tab=0x7f8d9801a798, error=0) at sql_select.cc:16469
#10 0x000000000074df85 in sub_select (join=0x7f8d980197a8, join_tab=0x7f8d9801a798, end_of_records=false) at sql_select.cc:16271
#11 0x000000000074d693 in do_select (join=0x7f8d980197a8, fields=0x7f8d98019b38, table=0x0, procedure=0x0) at sql_select.cc:15924
#12 0x000000000072cb6d in JOIN::exec (this=0x7f8d980197a8) at sql_select.cc:2788
#13 0x000000000072d406 in mysql_select (thd=0x31858d8, rref_pointer_array=0x31885c8, tables=0x7f8d98019100, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7f8d980196b0, having=0x0, proc_param=0x0, select_options=2147764736, result=0x7f8d98019788, unit=0x3187e68, select_lex=0x3188370) at sql_select.cc:3009
#14 0x0000000000723d9d in handle_select (thd=0x31858d8, lex=0x3187dc8, result=0x7f8d98019788, setup_tables_done_option=0) at sql_select.cc:288
#15 0x00000000006b381c in execute_sqlcom_select (thd=0x31858d8, all_tables=0x7f8d98019100) at sql_parse.cc:5172
#16 0x00000000006aabba in mysql_execute_command (thd=0x31858d8) at sql_parse.cc:2305
#17 0x00000000006b6124 in mysql_parse (thd=0x31858d8, rawbuf=0x7f8d98018f40 "SELECT 1 FROM t1 GROUP BY MONTHNAME(0) WITH ROLLUP", length=50, found_semicolon=0x7f8db0145d08) at sql_parse.cc:6173
#18 0x00000000006a83db in dispatch_command (command=COM_QUERY, thd=0x31858d8, packet=0x31ffbd9 "", packet_length=50) at sql_parse.cc:1243
#19 0x00000000006a76f7 in do_command (thd=0x31858d8) at sql_parse.cc:923
#20 0x00000000006a45cb in handle_one_connection (arg=0x31858d8) at sql_connect.cc:1231
#21 0x00007f8db1c730db in start_thread () from /lib64/libpthread.so.0

          revision-id: sanja@askmonty.org-20131218135951-agw2htf09w418t91
revno: 3737
branch-nick: 5.3

            Gliffy Diagrams

              Attachments

                Activity

                Ascending order - Click to sort in descending order
                Hide
                Permalink
                bar Alexander Barkov added a comment -

                The crash happens because Item_func_monthname::is_null() does not work correctly,
                because Item_func_monthname is erroneously derived from Item_func_month.

                In MariaDB-5.5 Item_func_monthname was fixed to derive from Item_str_func,
                which fixed this problem. Backporting of this change from 5.5 to 5.3 should
                fix the problem in 5.3 as well.

                Show
                bar Alexander Barkov added a comment - The crash happens because Item_func_monthname::is_null() does not work correctly, because Item_func_monthname is erroneously derived from Item_func_month. In MariaDB-5.5 Item_func_monthname was fixed to derive from Item_str_func, which fixed this problem. Backporting of this change from 5.5 to 5.3 should fix the problem in 5.3 as well.
                Hide
                Permalink
                bar Alexander Barkov added a comment -

                Fixed in 5.3.13.

                Show
                bar Alexander Barkov added a comment - Fixed in 5.3.13.
                Hide
                Permalink
                dbart Daniel Bartholomew added a comment -

                http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.567.186

                Show
                dbart Daniel Bartholomew added a comment - http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.567.186

                  People

                  • Assignee:
                    bar Alexander Barkov
                    Reporter:
                    elenst Elena Stepanova
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    4 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved: