Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.5, 10.6, 10.11, 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 11.0(EOL)
Description
We have several bugs for precision > 0 failure, but none of them seems to fit here.
SET div_precision_increment= 0; |
SELECT * FROM (SELECT AVG(@x := 0)) sq; |
10.2 845e3c98 |
mysqld: /data/src/10.2/strings/decimal.c:1466: decimal_bin_size: Assertion `precision > 0' failed.
|
200810 21:21:51 [ERROR] mysqld got signal 6 ;
|
 |
#7 0x00007f982fa2bf12 in __GI___assert_fail (assertion=0x557eeab6ae25 "precision > 0", file=0x557eeab6aba0 "/data/src/10.2/strings/decimal.c", line=1466, function=0x557eeab6b0a0 <__PRETTY_FUNCTION__.11549> "decimal_bin_size") at assert.c:101
|
#8 0x0000557eea6efac7 in decimal_bin_size (precision=0, scale=0) at /data/src/10.2/strings/decimal.c:1466
|
#9 0x0000557ee9d61897 in my_decimal_get_binary_size (precision=0, scale=0) at /data/src/10.2/sql/my_decimal.h:263
|
#10 0x0000557ee9f280b9 in Field_new_decimal::Field_new_decimal (this=0x7f9818006628, len_arg=0, maybe_null_arg=true, name=0x7f9818013580 "AVG(@x := 0)", dec_arg=0 '\000', unsigned_arg=false) at /data/src/10.2/sql/field.cc:3141
|
#11 0x0000557ee9f2823b in Field_new_decimal::create_from_item (mem_root=0x7f9818009c00, item=0x7f9818013378) at /data/src/10.2/sql/field.cc:3186
|
#12 0x0000557eea03054f in Item_sum_avg::create_tmp_field (this=0x7f9818013378, group=false, table=0x7f9818009148) at /data/src/10.2/sql/item_sum.cc:1716
|
#13 0x0000557ee9d45a7e in create_tmp_field (thd=0x7f9818000af0, table=0x7f9818009148, item=0x7f9818013378, type=Item::SUM_FUNC_ITEM, copy_func=0x7f9829d5dca0, from_field=0x7f981800a1e8, default_field=0x7f981800a1d8, group=false, modify_item=false, table_cant_handle_bit_fields=false, make_copy_field=false) at /data/src/10.2/sql/sql_select.cc:16469
|
#14 0x0000557ee9d472da in create_tmp_table (thd=0x7f9818000af0, param=0x7f9818014250, fields=..., group=0x0, distinct=false, save_sum_fields=true, select_options=2416188160, rows_limit=18446744073709551615, table_alias=0x7f98180135a8 "sq", do_not_open=true, keep_row_order=false) at /data/src/10.2/sql/sql_select.cc:16968
|
#15 0x0000557ee9dc5d91 in select_union::create_result_table (this=0x7f9818014230, thd_arg=0x7f9818000af0, column_types=0x7f98180130d0, is_union_distinct=false, options=2416188160, alias=0x7f98180135a8 "sq", bit_fields_as_long=false, create_table=false, keep_row_order=false) at /data/src/10.2/sql/sql_union.cc:180
|
#16 0x0000557ee9cacae9 in mysql_derived_prepare (thd=0x7f9818000af0, lex=0x7f9818004628, derived=0x7f98180135e8) at /data/src/10.2/sql/sql_derived.cc:770
|
#17 0x0000557ee9cab7fe in mysql_handle_single_derived (lex=0x7f9818004628, derived=0x7f98180135e8, phases=2) at /data/src/10.2/sql/sql_derived.cc:198
|
#18 0x0000557ee9df0ea2 in TABLE_LIST::handle_derived (this=0x7f98180135e8, lex=0x7f9818004628, phases=2) at /data/src/10.2/sql/table.cc:8118
|
#19 0x0000557ee9cc21ee in LEX::handle_list_of_derived (this=0x7f9818004628, table_list=0x7f98180135e8, phases=2) at /data/src/10.2/sql/sql_lex.h:3202
|
#20 0x0000557ee9ccca36 in st_select_lex::handle_derived (this=0x7f9818004e28, lex=0x7f9818004628, phases=2) at /data/src/10.2/sql/sql_lex.cc:3930
|
#21 0x0000557ee9d1a931 in JOIN::prepare (this=0x7f9818013cd8, tables_init=0x7f98180135e8, wild_num=1, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f9818004e28, unit_arg=0x7f98180046e8) at /data/src/10.2/sql/sql_select.cc:713
|
#22 0x0000557ee9d258b0 in mysql_select (thd=0x7f9818000af0, tables=0x7f98180135e8, wild_num=1, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f9818013cb8, unit=0x7f98180046e8, select_lex=0x7f9818004e28) at /data/src/10.2/sql/sql_select.cc:3811
|
#23 0x0000557ee9d19b20 in handle_select (thd=0x7f9818000af0, lex=0x7f9818004628, result=0x7f9818013cb8, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:361
|
#24 0x0000557ee9ce556c in execute_sqlcom_select (thd=0x7f9818000af0, all_tables=0x7f98180135e8) at /data/src/10.2/sql/sql_parse.cc:6218
|
#25 0x0000557ee9cdbded in mysql_execute_command (thd=0x7f9818000af0) at /data/src/10.2/sql/sql_parse.cc:3524
|
#26 0x0000557ee9ce92a3 in mysql_parse (thd=0x7f9818000af0, rawbuf=0x7f9818012458 "SELECT * FROM (SELECT AVG(@x := 0)) sq", length=38, parser_state=0x7f9829d5f610, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7733
|
#27 0x0000557ee9cd75cf in dispatch_command (command=COM_QUERY, thd=0x7f9818000af0, packet=0x7f981808cd81 "SELECT * FROM (SELECT AVG(@x := 0)) sq", packet_length=38, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1824
|
#28 0x0000557ee9cd604a in do_command (thd=0x7f9818000af0) at /data/src/10.2/sql/sql_parse.cc:1377
|
#29 0x0000557ee9e2c167 in do_handle_one_connection (connect=0x557eecfd0190) at /data/src/10.2/sql/sql_connect.cc:1336
|
#30 0x0000557ee9e2bed2 in handle_one_connection (arg=0x557eecfd0190) at /data/src/10.2/sql/sql_connect.cc:1241
|
#31 0x0000557eea642bda in pfs_spawn_thread (arg=0x557eecf1cea0) at /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#32 0x00007f98319b44a4 in start_thread (arg=0x7f9829d60700) at pthread_create.c:456
|
#33 0x00007f982fae8d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
|
No obvious problem on a release build; however non-debug ASAN build produces dynamic-stack-buffer-overflow:
10.2 42e1815a non-debug ASAN |
==4061520==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7f68240e3ce0 at pc 0x56288d060a08 bp 0x7f68240e3cb0 sp 0x7f68240e3ca0
|
READ of size 1 at 0x7f68240e3ce0 thread T5
|
#0 0x56288d060a07 in bin2decimal /data/src/10.2/strings/decimal.c:1359
|
#1 0x56288be6c252 in binary2my_decimal(unsigned int, unsigned char const*, my_decimal*, int, int) /data/src/10.2/sql/my_decimal.h:282
|
#2 0x56288be6c252 in Field_new_decimal::val_decimal(my_decimal*) /data/src/10.2/sql/field.cc:3475
|
#3 0x56288be76b13 in Field_new_decimal::val_str(String*, String*) /data/src/10.2/sql/field.cc:3489
|
#4 0x56288b751e1d in Field::val_str(String*) /data/src/10.2/sql/field.h:878
|
#5 0x56288b751e1d in Protocol_text::store(Field*) /data/src/10.2/sql/protocol.cc:1258
|
#6 0x56288b74e9af in Protocol::send_result_set_row(List<Item>*) /data/src/10.2/sql/protocol.cc:992
|
#7 0x56288b87b3af in select_send::send_data(List<Item>&) /data/src/10.2/sql/sql_class.cc:2731
|
#8 0x56288ba310d1 in end_send /data/src/10.2/sql/sql_select.cc:20031
|
#9 0x56288ba760b5 in do_select /data/src/10.2/sql/sql_select.cc:18360
|
#10 0x56288ba760b5 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3641
|
#11 0x56288ba76acd in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3436
|
#12 0x56288ba76eb7 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3836
|
#13 0x56288ba79882 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
|
#14 0x56288b9091ab in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6218
|
#15 0x56288b935e6e in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3527
|
#16 0x56288b93f8af in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7733
|
#17 0x56288b9493cb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1826
|
#18 0x56288b94dba5 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1380
|
#19 0x56288bc4b776 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#20 0x56288bc4bebe in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#21 0x56288cf0eda8 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#22 0x7f682ed42608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
|
#23 0x7f682e91c292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
|
 |
Address 0x7f68240e3ce0 is located in stack of thread T5
|
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /data/src/10.2/strings/decimal.c:1359 in bin2decimal
|
Shadow bytes around the buggy address:
|
0x0fed84814740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fed84814750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fed84814760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fed84814770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fed84814780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x0fed84814790: 00 00 00 00 00 00 00 00 ca ca ca ca[cb]cb cb cb
|
0x0fed848147a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fed848147b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fed848147c0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
|
0x0fed848147d0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fed848147e0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 f2 f2
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
Thread T5 created by T0 here:
|
#0 0x7f682f1d6805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
|
#1 0x56288cf17d8e in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
|
#2 0x56288b724e02 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
|
#3 0x56288b724e02 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6518
|
#4 0x56288b735453 in create_new_thread /data/src/10.2/sql/mysqld.cc:6588
|
#5 0x56288b735453 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6846
|
#6 0x56288b737967 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6137
|
#7 0x7f682e8210b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
|
 |
==4061520==ABORTING
|
Attachments
Issue Links
- relates to
-
MDEV-25317 Assertion `scale <= precision' failed in decimal_bin_size And Assertion `scale >= 0 && precision > 0 && scale <= precision' failed in decimal_bin_size_inline/decimal_bin_size
- Closed