segfault in Item_char_typecast::fix_length_and_dec, bad cast_cs

Bug #534790 reported by Eric Day
Affects   Status        Importance  Assigned to  Milestone
Drizzle   Fix Released  Critical    Brian Aker
Cherry    Fix Released  Critical    Brian Aker

Bug Description

Caught with randgen, getting the following during a test:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fdb9d662910 (LWP 12176)]
drizzled::Item_char_typecast::fix_length_and_dec (this=0x2aa3c08)
    at drizzled/function/time/typecast.cc:185
185 (!my_charset_same(from_cs, cast_cs) && from_cs !=
&my_charset_bin && cast_cs != &my_charset_bin);
(gdb) bt
#0 drizzled::Item_char_typecast::fix_length_and_dec (this=0x2aa3c08)
    at drizzled/function/time/typecast.cc:185
#1 0x0000000000524314 in drizzled::Item_func::fix_fields (this=0x2aa3c08,
    session=0x307a3a0) at drizzled/function/func.cc:172
#2 0x00000000005389f9 in drizzled::Item_str_func::fix_fields (this=0xb160e0,
    session=0x1f8, ref=0x1) at drizzled/function/str/strfunc.cc:46
#3 0x00000000005ecaa0 in drizzled::setup_fields (session=0x307a3a0,
    ref_pointer_array=<value optimized out>, fields=<value optimized out>,
    mark_used_columns=3073393280, sum_func_list=0x0, allow_sum_func=false)
    at drizzled/sql_base.cc:3815
#4 0x00000000006205f2 in drizzled::mysql_update (session=0x307a3a0,
    table_list=0x2aa3790, fields=<value optimized out>,
    values=<value optimized out>, conds=0x2aa3e28,
    order_num=<value optimized out>, order=0x0, limit=18446744073709551615,
    ignore=false) at drizzled/sql_update.cc:182
#5 0x000000000064298a in drizzled::statement::Update::execute (this=0x2be3ca0)
    at drizzled/statement/update.cc:51
#6 0x00000000006054c4 in mysql_execute_command (session=0x307a3a0)
    at drizzled/sql_parse.cc:473
#7 0x0000000000606c45 in drizzled::mysql_parse (session=0x307a3a0,
    inBuf=0x2bd5b48 "UPDATE `table1_innodb_varchar_150_not_null` SET `col_varchar_1024_key` = CONVERT( 'ybtkjkpttdftjvpfgwdleinctcibsanrkxmtskurjkbrfthplegltfvvbmyihkjcrhcfjqsgroeyjvqheofvdcujkgvyanveuqlyhnkwizomgnqqxmcti"..., length=365)
    at drizzled/sql_parse.cc:728
#8 0x00000000006070cd in drizzled::dispatch_command (
    command=<value optimized out>, session=0x307a3a0,
    packet=0x30423b1 "UPDATE `table1_innodb_varchar_150_not_null` SET `col_varchar_1024_key` = CONVERT( 'ybtkjkpttdftjvpfgwdleinctcibsanrkxmtskurjkbrfthplegltfvvbmyihkjcrhcfjqsgroeyjvqheofvdcujkgvyanveuqlyhnkwizomgnqqxmcti"...,
    packet_length=366) at drizzled/sql_parse.cc:216
#9 0x00000000005da54f in drizzled::Session::executeStatement (this=0x307a3a0)
    at drizzled/session.cc:736
#10 0x00000000005dbe32 in drizzled::Session::run (this=0x307a3a0)
    at drizzled/session.cc:592
#11 0x00007fdba44fa352 in MultiThreadScheduler::runSession (
    arg=<value optimized out>) at ./plugin/multi_thread/multi_thread.h:67
#12 session_thread (arg=<value optimized out>)
    at plugin/multi_thread/multi_thread.cc:43
#13 0x00007fdbb70f3a04 in start_thread (arg=<value optimized out>)
    at pthread_create.c:300
(gdb) frame 0
#0 drizzled::Item_char_typecast::fix_length_and_dec (this=0x2aa3c08)
    at drizzled/function/time/typecast.cc:185
185 (!my_charset_same(from_cs, cast_cs) && from_cs != &my_charset_bin && cast_cs != &my_charset_bin);
(gdb) print cast_cs
$1 = (const drizzled::CHARSET_INFO *) 0x1f8
(gdb) print cast_cs->mbmaxlen
Cannot access memory at address 0x28c
(gdb) print *this
$25 = {<drizzled::Item_typecast> = {<drizzled::Item_str_func> = {<drizzled::Item_func> = {<drizzled::Item_result_field> = {<drizzled::Item> = {<drizzled::memory::SqlAlloc> = {<No data fields>}, _vptr.Item = 0x8059d0,
            is_expensive_cache = -1 '\377', str_value = {Ptr = 0x0,
              str_length = 0, Alloced_length = 0, alloced = false,
              str_charset = 0xb102e0}, name = 0x0, name_length = 0,
            orig_name = 0x0, next = 0x2aa3aa8, max_length = 0,
            marker = 0 '\000', decimals = 31 '\037', fixed = false,
            maybe_null = false, null_value = false, unsigned_flag = false,
            with_sum_func = false, is_autogenerated_name = true,
            with_subselect = false, collation = {collation = 0xb102e0,
              derivation = drizzled::DERIVATION_COERCIBLE},
            cmp_context = 4294967295}, result_field = 0x0}, args = 0x2aa3c90,
        tmp_arg = {0x2aa3aa8, 0x0}, allowed_arg_cols = 1, arg_count = 1,
        used_tables_cache = 0, not_null_tables_cache = 0,
        const_item_cache = true}, <No data fields>}, <No data fields>},
  cast_length = -1, cast_cs = 0x1f8, from_cs = 0xb160e0,
  charset_conversion = false, tmp_value = {Ptr = 0x0, str_length = 0,
    Alloced_length = 0, alloced = false, str_charset = 0xb102e0}}

This dereference is causing the segfault. The cast_cs member is invalid, but the rest of the object seems to be intact. The query being run is:

UPDATE `table1_innodb_varchar_150_not_null` SET `col_varchar_1024_key` = CONVERT( 'ybtkjkpttdftjvpfgwdleinctcibsanrkxmtskurjkbrfthplegltfvvbmyihkjcrhcfjqsgroeyjvqheofvdcujkgvyanveuqlyhnkwizomgnqqxmctihkgrzvgoxwzoaoqfhjajxhchyeexglnxgoruczozuiawdckfqxatruutqbytleszhxgopyizrctmefncptaaxhefzenjekskspdwewwowamnl' , CHAR) WHERE `col_varchar_1024_not_null_key` IS NULL

Not sure of the rest of the query context around this, look into randgen for it. Hopefully there is something obvious with the cast_cs member and surrounding object.

Jay Pipes (jaypipes)
Changed in drizzle:
status: New → Confirmed
importance: Undecided → Critical
Jay Pipes (jaypipes) wrote :

Almost guarantee that this is caused by misalignment in the variables bookmark cleanup in drizzled/plugin/loader.cc. That code needs to be completely rewritten.

-jay

Brian Aker (brianaker) wrote : Re: [Bug 534790] Re: segfault in Item_char_typecast::fix_length_and_dec, bad cast_cs

Good thing I am working on it :)

On Mar 9, 2010, at 10:43 AM, Jay Pipes wrote:

> That code needs to be
> completely rewritten.

Eric Day (eday) wrote :

This is not happening every time we run randgen, but don't want to close the bug quite yet. If this doesn't crop up again, we'll assume it was fixed in Brian's work.

Jay Pipes (jaypipes) wrote :

So, by setting this to invalid, you are saying this bug is no longer occurring? If it is no longer occurring due to something you have done, I would mark it Fix Released, and please provide a report as to what fixed it.

Lee Bieber (kalebral-deactivatedaccount) wrote :

Changing this to Fix Released, as something changed along the way and we are no longer seeing this.
