[MDEV-23444] ASAN dynamic-stack-buffer-overflow or Assertion `precision > 0' failed in decimal_bin_size with div_precision_increment=0 - Jira

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.6(EOL)
Fix Version/s: 10.5, 10.6, 10.11, 11.4
Component/s: Data Manipulation - Subquery, Data types
Labels:

Description

We have several bugs for precision > 0 failure, but none of them seems to fit here.

SET div_precision_increment= 0;

SELECT * FROM (SELECT AVG(@x := 0)) sq;

10.2 845e3c98
mysqld: /data/src/10.2/strings/decimal.c:1466: decimal_bin_size: Assertion `precision > 0' failed.
200810 21:21:51 [ERROR] mysqld got signal 6 ;

#7 0x00007f982fa2bf12 in __GI___assert_fail (assertion=0x557eeab6ae25 "precision > 0", file=0x557eeab6aba0 "/data/src/10.2/strings/decimal.c", line=1466, function=0x557eeab6b0a0 <__PRETTY_FUNCTION__.11549> "decimal_bin_size") at assert.c:101
#8 0x0000557eea6efac7 in decimal_bin_size (precision=0, scale=0) at /data/src/10.2/strings/decimal.c:1466
#9 0x0000557ee9d61897 in my_decimal_get_binary_size (precision=0, scale=0) at /data/src/10.2/sql/my_decimal.h:263
#10 0x0000557ee9f280b9 in Field_new_decimal::Field_new_decimal (this=0x7f9818006628, len_arg=0, maybe_null_arg=true, name=0x7f9818013580 "AVG(@x := 0)", dec_arg=0 '\000', unsigned_arg=false) at /data/src/10.2/sql/field.cc:3141
#11 0x0000557ee9f2823b in Field_new_decimal::create_from_item (mem_root=0x7f9818009c00, item=0x7f9818013378) at /data/src/10.2/sql/field.cc:3186
#12 0x0000557eea03054f in Item_sum_avg::create_tmp_field (this=0x7f9818013378, group=false, table=0x7f9818009148) at /data/src/10.2/sql/item_sum.cc:1716
#13 0x0000557ee9d45a7e in create_tmp_field (thd=0x7f9818000af0, table=0x7f9818009148, item=0x7f9818013378, type=Item::SUM_FUNC_ITEM, copy_func=0x7f9829d5dca0, from_field=0x7f981800a1e8, default_field=0x7f981800a1d8, group=false, modify_item=false, table_cant_handle_bit_fields=false, make_copy_field=false) at /data/src/10.2/sql/sql_select.cc:16469
#14 0x0000557ee9d472da in create_tmp_table (thd=0x7f9818000af0, param=0x7f9818014250, fields=..., group=0x0, distinct=false, save_sum_fields=true, select_options=2416188160, rows_limit=18446744073709551615, table_alias=0x7f98180135a8 "sq", do_not_open=true, keep_row_order=false) at /data/src/10.2/sql/sql_select.cc:16968
#15 0x0000557ee9dc5d91 in select_union::create_result_table (this=0x7f9818014230, thd_arg=0x7f9818000af0, column_types=0x7f98180130d0, is_union_distinct=false, options=2416188160, alias=0x7f98180135a8 "sq", bit_fields_as_long=false, create_table=false, keep_row_order=false) at /data/src/10.2/sql/sql_union.cc:180
#16 0x0000557ee9cacae9 in mysql_derived_prepare (thd=0x7f9818000af0, lex=0x7f9818004628, derived=0x7f98180135e8) at /data/src/10.2/sql/sql_derived.cc:770
#17 0x0000557ee9cab7fe in mysql_handle_single_derived (lex=0x7f9818004628, derived=0x7f98180135e8, phases=2) at /data/src/10.2/sql/sql_derived.cc:198
#18 0x0000557ee9df0ea2 in TABLE_LIST::handle_derived (this=0x7f98180135e8, lex=0x7f9818004628, phases=2) at /data/src/10.2/sql/table.cc:8118
#19 0x0000557ee9cc21ee in LEX::handle_list_of_derived (this=0x7f9818004628, table_list=0x7f98180135e8, phases=2) at /data/src/10.2/sql/sql_lex.h:3202
#20 0x0000557ee9ccca36 in st_select_lex::handle_derived (this=0x7f9818004e28, lex=0x7f9818004628, phases=2) at /data/src/10.2/sql/sql_lex.cc:3930
#21 0x0000557ee9d1a931 in JOIN::prepare (this=0x7f9818013cd8, tables_init=0x7f98180135e8, wild_num=1, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f9818004e28, unit_arg=0x7f98180046e8) at /data/src/10.2/sql/sql_select.cc:713
#22 0x0000557ee9d258b0 in mysql_select (thd=0x7f9818000af0, tables=0x7f98180135e8, wild_num=1, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f9818013cb8, unit=0x7f98180046e8, select_lex=0x7f9818004e28) at /data/src/10.2/sql/sql_select.cc:3811
#23 0x0000557ee9d19b20 in handle_select (thd=0x7f9818000af0, lex=0x7f9818004628, result=0x7f9818013cb8, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:361
#24 0x0000557ee9ce556c in execute_sqlcom_select (thd=0x7f9818000af0, all_tables=0x7f98180135e8) at /data/src/10.2/sql/sql_parse.cc:6218
#25 0x0000557ee9cdbded in mysql_execute_command (thd=0x7f9818000af0) at /data/src/10.2/sql/sql_parse.cc:3524
#26 0x0000557ee9ce92a3 in mysql_parse (thd=0x7f9818000af0, rawbuf=0x7f9818012458 "SELECT * FROM (SELECT AVG(@x := 0)) sq", length=38, parser_state=0x7f9829d5f610, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7733
#27 0x0000557ee9cd75cf in dispatch_command (command=COM_QUERY, thd=0x7f9818000af0, packet=0x7f981808cd81 "SELECT * FROM (SELECT AVG(@x := 0)) sq", packet_length=38, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1824
#28 0x0000557ee9cd604a in do_command (thd=0x7f9818000af0) at /data/src/10.2/sql/sql_parse.cc:1377
#29 0x0000557ee9e2c167 in do_handle_one_connection (connect=0x557eecfd0190) at /data/src/10.2/sql/sql_connect.cc:1336
#30 0x0000557ee9e2bed2 in handle_one_connection (arg=0x557eecfd0190) at /data/src/10.2/sql/sql_connect.cc:1241
#31 0x0000557eea642bda in pfs_spawn_thread (arg=0x557eecf1cea0) at /data/src/10.2/storage/perfschema/pfs.cc:1869
#32 0x00007f98319b44a4 in start_thread (arg=0x7f9829d60700) at pthread_create.c:456
#33 0x00007f982fae8d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

No obvious problem on a release build; however non-debug ASAN build produces dynamic-stack-buffer-overflow:

10.2 42e1815a non-debug ASAN
==4061520==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7f68240e3ce0 at pc 0x56288d060a08 bp 0x7f68240e3cb0 sp 0x7f68240e3ca0
READ of size 1 at 0x7f68240e3ce0 thread T5
#0 0x56288d060a07 in bin2decimal /data/src/10.2/strings/decimal.c:1359
#1 0x56288be6c252 in binary2my_decimal(unsigned int, unsigned char const, my_decimal, int, int) /data/src/10.2/sql/my_decimal.h:282
#2 0x56288be6c252 in Field_new_decimal::val_decimal(my_decimal*) /data/src/10.2/sql/field.cc:3475
#3 0x56288be76b13 in Field_new_decimal::val_str(String, String) /data/src/10.2/sql/field.cc:3489
#4 0x56288b751e1d in Field::val_str(String*) /data/src/10.2/sql/field.h:878
#5 0x56288b751e1d in Protocol_text::store(Field*) /data/src/10.2/sql/protocol.cc:1258
#6 0x56288b74e9af in Protocol::send_result_set_row(List<Item>*) /data/src/10.2/sql/protocol.cc:992
#7 0x56288b87b3af in select_send::send_data(List<Item>&) /data/src/10.2/sql/sql_class.cc:2731
#8 0x56288ba310d1 in end_send /data/src/10.2/sql/sql_select.cc:20031
#9 0x56288ba760b5 in do_select /data/src/10.2/sql/sql_select.cc:18360
#10 0x56288ba760b5 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3641
#11 0x56288ba76acd in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3436
#12 0x56288ba76eb7 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.2/sql/sql_select.cc:3836
#13 0x56288ba79882 in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
#14 0x56288b9091ab in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6218
#15 0x56288b935e6e in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3527
#16 0x56288b93f8af in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7733
#17 0x56288b9493cb in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1826
#18 0x56288b94dba5 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1380
#19 0x56288bc4b776 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
#20 0x56288bc4bebe in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#21 0x56288cf0eda8 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
#22 0x7f682ed42608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
#23 0x7f682e91c292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Address 0x7f68240e3ce0 is located in stack of thread T5
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /data/src/10.2/strings/decimal.c:1359 in bin2decimal
Shadow bytes around the buggy address:
0x0fed84814740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed84814750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed84814760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed84814770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed84814780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fed84814790: 00 00 00 00 00 00 00 00 ca ca ca ca[cb]cb cb cb
0x0fed848147a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed848147b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed848147c0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
0x0fed848147d0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed848147e0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
Thread T5 created by T0 here:
#0 0x7f682f1d6805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
#1 0x56288cf17d8e in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
#2 0x56288b724e02 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
#3 0x56288b724e02 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6518
#4 0x56288b735453 in create_new_thread /data/src/10.2/sql/mysqld.cc:6588
#5 0x56288b735453 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6846
#6 0x56288b737967 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6137
#7 0x7f682e8210b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

==4061520==ABORTING

Attachments

Issue Links

relates to

MDEV-25317 Assertion `scale <= precision' failed in decimal_bin_size And Assertion `scale >= 0 && precision > 0 && scale <= precision' failed in decimal_bin_size_inline/decimal_bin_size

Closed

ASAN dynamic-stack-buffer-overflow or Assertion `precision > 0' failed in decimal_bin_size with div_precision_increment=0

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration