
ASAN dynamic-stack-buffer-overflow or Assertion `precision > 0' failed in decimal_bin_size with div_precision_increment=0


      Description

      We already have several bugs filed for the `precision > 0` assertion failure, but none of them seems to match this case.

      SET div_precision_increment= 0;
      SELECT * FROM (SELECT AVG(@x := 0)) sq;
      

      10.2 845e3c98

      mysqld: /data/src/10.2/strings/decimal.c:1466: decimal_bin_size: Assertion `precision > 0' failed.
      200810 21:21:51 [ERROR] mysqld got signal 6 ;
       
      #7  0x00007f982fa2bf12 in __GI___assert_fail (assertion=0x557eeab6ae25 "precision > 0", file=0x557eeab6aba0 "/data/src/10.2/strings/decimal.c", line=1466, function=0x557eeab6b0a0 <__PRETTY_FUNCTION__.11549> "decimal_bin_size") at assert.c:101
      #8  0x0000557eea6efac7 in decimal_bin_size (precision=0, scale=0) at /data/src/10.2/strings/decimal.c:1466
      #9  0x0000557ee9d61897 in my_decimal_get_binary_size (precision=0, scale=0) at /data/src/10.2/sql/my_decimal.h:263
      #10 0x0000557ee9f280b9 in Field_new_decimal::Field_new_decimal (this=0x7f9818006628, len_arg=0, maybe_null_arg=true, name=0x7f9818013580 "AVG(@x := 0)", dec_arg=0 '\000', unsigned_arg=false) at /data/src/10.2/sql/field.cc:3141
      #11 0x0000557ee9f2823b in Field_new_decimal::create_from_item (mem_root=0x7f9818009c00, item=0x7f9818013378) at /data/src/10.2/sql/field.cc:3186
      #12 0x0000557eea03054f in Item_sum_avg::create_tmp_field (this=0x7f9818013378, group=false, table=0x7f9818009148) at /data/src/10.2/sql/item_sum.cc:1716
      #13 0x0000557ee9d45a7e in create_tmp_field (thd=0x7f9818000af0, table=0x7f9818009148, item=0x7f9818013378, type=Item::SUM_FUNC_ITEM, copy_func=0x7f9829d5dca0, from_field=0x7f981800a1e8, default_field=0x7f981800a1d8, group=false, modify_item=false, table_cant_handle_bit_fields=false, make_copy_field=false) at /data/src/10.2/sql/sql_select.cc:16469
      #14 0x0000557ee9d472da in create_tmp_table (thd=0x7f9818000af0, param=0x7f9818014250, fields=..., group=0x0, distinct=false, save_sum_fields=true, select_options=2416188160, rows_limit=18446744073709551615, table_alias=0x7f98180135a8 "sq", do_not_open=true, keep_row_order=false) at /data/src/10.2/sql/sql_select.cc:16968
      #15 0x0000557ee9dc5d91 in select_union::create_result_table (this=0x7f9818014230, thd_arg=0x7f9818000af0, column_types=0x7f98180130d0, is_union_distinct=false, options=2416188160, alias=0x7f98180135a8 "sq", bit_fields_as_long=false, create_table=false, keep_row_order=false) at /data/src/10.2/sql/sql_union.cc:180
      #16 0x0000557ee9cacae9 in mysql_derived_prepare (thd=0x7f9818000af0, lex=0x7f9818004628, derived=0x7f98180135e8) at /data/src/10.2/sql/sql_derived.cc:770
      #17 0x0000557ee9cab7fe in mysql_handle_single_derived (lex=0x7f9818004628, derived=0x7f98180135e8, phases=2) at /data/src/10.2/sql/sql_derived.cc:198
      #18 0x0000557ee9df0ea2 in TABLE_LIST::handle_derived (this=0x7f98180135e8, lex=0x7f9818004628, phases=2) at /data/src/10.2/sql/table.cc:8118
      #19 0x0000557ee9cc21ee in LEX::handle_list_of_derived (this=0x7f9818004628, table_list=0x7f98180135e8, phases=2) at /data/src/10.2/sql/sql_lex.h:3202
      #20 0x0000557ee9ccca36 in st_select_lex::handle_derived (this=0x7f9818004e28, lex=0x7f9818004628, phases=2) at /data/src/10.2/sql/sql_lex.cc:3930
      #21 0x0000557ee9d1a931 in JOIN::prepare (this=0x7f9818013cd8, tables_init=0x7f98180135e8, wild_num=1, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f9818004e28, unit_arg=0x7f98180046e8) at /data/src/10.2/sql/sql_select.cc:713
      #22 0x0000557ee9d258b0 in mysql_select (thd=0x7f9818000af0, tables=0x7f98180135e8, wild_num=1, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f9818013cb8, unit=0x7f98180046e8, select_lex=0x7f9818004e28) at /data/src/10.2/sql/sql_select.cc:3811
      #23 0x0000557ee9d19b20 in handle_select (thd=0x7f9818000af0, lex=0x7f9818004628, result=0x7f9818013cb8, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:361
      #24 0x0000557ee9ce556c in execute_sqlcom_select (thd=0x7f9818000af0, all_tables=0x7f98180135e8) at /data/src/10.2/sql/sql_parse.cc:6218
      #25 0x0000557ee9cdbded in mysql_execute_command (thd=0x7f9818000af0) at /data/src/10.2/sql/sql_parse.cc:3524
      #26 0x0000557ee9ce92a3 in mysql_parse (thd=0x7f9818000af0, rawbuf=0x7f9818012458 "SELECT * FROM (SELECT AVG(@x := 0)) sq", length=38, parser_state=0x7f9829d5f610, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7733
      #27 0x0000557ee9cd75cf in dispatch_command (command=COM_QUERY, thd=0x7f9818000af0, packet=0x7f981808cd81 "SELECT * FROM (SELECT AVG(@x := 0)) sq", packet_length=38, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1824
      #28 0x0000557ee9cd604a in do_command (thd=0x7f9818000af0) at /data/src/10.2/sql/sql_parse.cc:1377
      #29 0x0000557ee9e2c167 in do_handle_one_connection (connect=0x557eecfd0190) at /data/src/10.2/sql/sql_connect.cc:1336
      #30 0x0000557ee9e2bed2 in handle_one_connection (arg=0x557eecfd0190) at /data/src/10.2/sql/sql_connect.cc:1241
      #31 0x0000557eea642bda in pfs_spawn_thread (arg=0x557eecf1cea0) at /data/src/10.2/storage/perfschema/pfs.cc:1869
      #32 0x00007f98319b44a4 in start_thread (arg=0x7f9829d60700) at pthread_create.c:456
      #33 0x00007f982fae8d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
      

      There is no obvious problem on a release build; however, a non-debug ASAN build reports a dynamic-stack-buffer-overflow (a one-byte read in bin2decimal) for the same query:

      10.2 42e1815a non-debug ASAN

      ==4061520==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7f68240e3ce0 at pc 0x56288d060a08 bp 0x7f68240e3cb0 sp 0x7f68240e3ca0
      READ of size 1 at 0x7f68240e3ce0 thread T5
          #0 0x56288d060a07 in bin2decimal /data/src/10.2/strings/decimal.c:1359
          #1 0x56288be6c252 in binary2my_decimal(unsigned int, unsigned char const*, my_decimal*, int, int) /data/src/10.2/sql/my_decimal.h:282
          #2 0x56288be6c252 in Field_new_decimal::val_decimal(my_decimal*) /data/src/10.2/sql/field.cc:3475
          #3 0x56288be76b13 in Field_new_decimal::val_str(String*, String*) /data/src/10.2/sql/field.cc:3489
          #4 0x56288b751e1d in Field::val_str(String*) /data/src/10.2/sql/field.h:878
          #5 0x56288b751e1d in Protocol_text::store(Field*) /data/src/10.2/sql/protocol.cc:1258
          #6 0x56288b74e9af in Protocol::send_result_set_row(List<Item>*) /data/src/10.2/sql/protocol.cc:992
          #7 0x56288b87b3af in select_send::send_data(List<Item>&) /data/src/10.2/sql/sql_class.cc:2731
          #8 0x56288ba310d1 in end_send /data/src/10.2/sql/sql_select.cc:20031
          #9 0x56288ba760b5 in do_select /data/src/10.2/sql/sql_select.cc:18360
          #10 0x56288ba760b5 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3641
          #11 0x56288ba76acd in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3436
          #12 0x56288ba76eb7 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3836
          #13 0x56288ba79882 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
          #14 0x56288b9091ab in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6218
          #15 0x56288b935e6e in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3527
          #16 0x56288b93f8af in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7733
          #17 0x56288b9493cb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1826
          #18 0x56288b94dba5 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1380
          #19 0x56288bc4b776 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
          #20 0x56288bc4bebe in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #21 0x56288cf0eda8 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
          #22 0x7f682ed42608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
          #23 0x7f682e91c292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      Address 0x7f68240e3ce0 is located in stack of thread T5
      SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /data/src/10.2/strings/decimal.c:1359 in bin2decimal
      Shadow bytes around the buggy address:
        0x0fed84814740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed84814750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed84814760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed84814770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed84814780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0fed84814790: 00 00 00 00 00 00 00 00 ca ca ca ca[cb]cb cb cb
        0x0fed848147a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed848147b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed848147c0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
        0x0fed848147d0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed848147e0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 f2 f2
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      Thread T5 created by T0 here:
          #0 0x7f682f1d6805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
          #1 0x56288cf17d8e in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
          #2 0x56288b724e02 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
          #3 0x56288b724e02 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6518
          #4 0x56288b735453 in create_new_thread /data/src/10.2/sql/mysqld.cc:6588
          #5 0x56288b735453 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6846
          #6 0x56288b737967 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6137
          #7 0x7f682e8210b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      ==4061520==ABORTING
      

            Assignee:
            bar Alexander Barkov
            Reporter:
            elenst Elena Stepanova