[MDEV-23444] ASAN dynamic-stack-buffer-overflow or Assertion `precision > 0' failed in decimal_bin_size with div_precision_increment=0 Created: 2020-08-10  Updated: 2024-02-01

Status: Confirmed
Project: MariaDB Server
Component/s: Data Manipulation - Subquery, Data types
Affects Version/s: 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2, 11.3, 11.4

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Alexander Barkov
Resolution: Unresolved Votes: 0
Labels: upstream-5.5, upstream-5.6, upstream-5.7, upstream-not-8.0

Issue Links:
Relates
relates to MDEV-25317 Assertion `scale <= precision' failed... Closed

 Description   

We have several bugs for precision > 0 failure, but none of them seems to fit here.

SET div_precision_increment= 0;
 
SELECT * FROM (SELECT AVG(@x := 0)) sq;

10.2 845e3c98

 
mysqld: /data/src/10.2/strings/decimal.c:1466: decimal_bin_size: Assertion `precision > 0' failed.
 
200810 21:21:51 [ERROR] mysqld got signal 6 ;
 
 
 
#7  0x00007f982fa2bf12 in __GI___assert_fail (assertion=0x557eeab6ae25 "precision > 0", file=0x557eeab6aba0 "/data/src/10.2/strings/decimal.c", line=1466, function=0x557eeab6b0a0 <__PRETTY_FUNCTION__.11549> "decimal_bin_size") at assert.c:101
 
#8  0x0000557eea6efac7 in decimal_bin_size (precision=0, scale=0) at /data/src/10.2/strings/decimal.c:1466
 
#9  0x0000557ee9d61897 in my_decimal_get_binary_size (precision=0, scale=0) at /data/src/10.2/sql/my_decimal.h:263
 
#10 0x0000557ee9f280b9 in Field_new_decimal::Field_new_decimal (this=0x7f9818006628, len_arg=0, maybe_null_arg=true, name=0x7f9818013580 "AVG(@x := 0)", dec_arg=0 '\000', unsigned_arg=false) at /data/src/10.2/sql/field.cc:3141
 
#11 0x0000557ee9f2823b in Field_new_decimal::create_from_item (mem_root=0x7f9818009c00, item=0x7f9818013378) at /data/src/10.2/sql/field.cc:3186
 
#12 0x0000557eea03054f in Item_sum_avg::create_tmp_field (this=0x7f9818013378, group=false, table=0x7f9818009148) at /data/src/10.2/sql/item_sum.cc:1716
 
#13 0x0000557ee9d45a7e in create_tmp_field (thd=0x7f9818000af0, table=0x7f9818009148, item=0x7f9818013378, type=Item::SUM_FUNC_ITEM, copy_func=0x7f9829d5dca0, from_field=0x7f981800a1e8, default_field=0x7f981800a1d8, group=false, modify_item=false, table_cant_handle_bit_fields=false, make_copy_field=false) at /data/src/10.2/sql/sql_select.cc:16469
 
#14 0x0000557ee9d472da in create_tmp_table (thd=0x7f9818000af0, param=0x7f9818014250, fields=..., group=0x0, distinct=false, save_sum_fields=true, select_options=2416188160, rows_limit=18446744073709551615, table_alias=0x7f98180135a8 "sq", do_not_open=true, keep_row_order=false) at /data/src/10.2/sql/sql_select.cc:16968
 
#15 0x0000557ee9dc5d91 in select_union::create_result_table (this=0x7f9818014230, thd_arg=0x7f9818000af0, column_types=0x7f98180130d0, is_union_distinct=false, options=2416188160, alias=0x7f98180135a8 "sq", bit_fields_as_long=false, create_table=false, keep_row_order=false) at /data/src/10.2/sql/sql_union.cc:180
 
#16 0x0000557ee9cacae9 in mysql_derived_prepare (thd=0x7f9818000af0, lex=0x7f9818004628, derived=0x7f98180135e8) at /data/src/10.2/sql/sql_derived.cc:770
 
#17 0x0000557ee9cab7fe in mysql_handle_single_derived (lex=0x7f9818004628, derived=0x7f98180135e8, phases=2) at /data/src/10.2/sql/sql_derived.cc:198
 
#18 0x0000557ee9df0ea2 in TABLE_LIST::handle_derived (this=0x7f98180135e8, lex=0x7f9818004628, phases=2) at /data/src/10.2/sql/table.cc:8118
 
#19 0x0000557ee9cc21ee in LEX::handle_list_of_derived (this=0x7f9818004628, table_list=0x7f98180135e8, phases=2) at /data/src/10.2/sql/sql_lex.h:3202
 
#20 0x0000557ee9ccca36 in st_select_lex::handle_derived (this=0x7f9818004e28, lex=0x7f9818004628, phases=2) at /data/src/10.2/sql/sql_lex.cc:3930
 
#21 0x0000557ee9d1a931 in JOIN::prepare (this=0x7f9818013cd8, tables_init=0x7f98180135e8, wild_num=1, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f9818004e28, unit_arg=0x7f98180046e8) at /data/src/10.2/sql/sql_select.cc:713
 
#22 0x0000557ee9d258b0 in mysql_select (thd=0x7f9818000af0, tables=0x7f98180135e8, wild_num=1, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f9818013cb8, unit=0x7f98180046e8, select_lex=0x7f9818004e28) at /data/src/10.2/sql/sql_select.cc:3811
 
#23 0x0000557ee9d19b20 in handle_select (thd=0x7f9818000af0, lex=0x7f9818004628, result=0x7f9818013cb8, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:361
 
#24 0x0000557ee9ce556c in execute_sqlcom_select (thd=0x7f9818000af0, all_tables=0x7f98180135e8) at /data/src/10.2/sql/sql_parse.cc:6218
 
#25 0x0000557ee9cdbded in mysql_execute_command (thd=0x7f9818000af0) at /data/src/10.2/sql/sql_parse.cc:3524
 
#26 0x0000557ee9ce92a3 in mysql_parse (thd=0x7f9818000af0, rawbuf=0x7f9818012458 "SELECT * FROM (SELECT AVG(@x := 0)) sq", length=38, parser_state=0x7f9829d5f610, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7733
 
#27 0x0000557ee9cd75cf in dispatch_command (command=COM_QUERY, thd=0x7f9818000af0, packet=0x7f981808cd81 "SELECT * FROM (SELECT AVG(@x := 0)) sq", packet_length=38, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1824
 
#28 0x0000557ee9cd604a in do_command (thd=0x7f9818000af0) at /data/src/10.2/sql/sql_parse.cc:1377
 
#29 0x0000557ee9e2c167 in do_handle_one_connection (connect=0x557eecfd0190) at /data/src/10.2/sql/sql_connect.cc:1336
 
#30 0x0000557ee9e2bed2 in handle_one_connection (arg=0x557eecfd0190) at /data/src/10.2/sql/sql_connect.cc:1241
 
#31 0x0000557eea642bda in pfs_spawn_thread (arg=0x557eecf1cea0) at /data/src/10.2/storage/perfschema/pfs.cc:1869
 
#32 0x00007f98319b44a4 in start_thread (arg=0x7f9829d60700) at pthread_create.c:456
 
#33 0x00007f982fae8d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

No obvious problem on a release build; however non-debug ASAN build produces dynamic-stack-buffer-overflow:

10.2 42e1815a non-debug ASAN

 
==4061520==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7f68240e3ce0 at pc 0x56288d060a08 bp 0x7f68240e3cb0 sp 0x7f68240e3ca0
 
READ of size 1 at 0x7f68240e3ce0 thread T5
 
    #0 0x56288d060a07 in bin2decimal /data/src/10.2/strings/decimal.c:1359
 
    #1 0x56288be6c252 in binary2my_decimal(unsigned int, unsigned char const*, my_decimal*, int, int) /data/src/10.2/sql/my_decimal.h:282
 
    #2 0x56288be6c252 in Field_new_decimal::val_decimal(my_decimal*) /data/src/10.2/sql/field.cc:3475
 
    #3 0x56288be76b13 in Field_new_decimal::val_str(String*, String*) /data/src/10.2/sql/field.cc:3489
 
    #4 0x56288b751e1d in Field::val_str(String*) /data/src/10.2/sql/field.h:878
 
    #5 0x56288b751e1d in Protocol_text::store(Field*) /data/src/10.2/sql/protocol.cc:1258
 
    #6 0x56288b74e9af in Protocol::send_result_set_row(List<Item>*) /data/src/10.2/sql/protocol.cc:992
 
    #7 0x56288b87b3af in select_send::send_data(List<Item>&) /data/src/10.2/sql/sql_class.cc:2731
 
    #8 0x56288ba310d1 in end_send /data/src/10.2/sql/sql_select.cc:20031
 
    #9 0x56288ba760b5 in do_select /data/src/10.2/sql/sql_select.cc:18360
 
    #10 0x56288ba760b5 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3641
 
    #11 0x56288ba76acd in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3436
 
    #12 0x56288ba76eb7 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3836
 
    #13 0x56288ba79882 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
 
    #14 0x56288b9091ab in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6218
 
    #15 0x56288b935e6e in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3527
 
    #16 0x56288b93f8af in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7733
 
    #17 0x56288b9493cb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1826
 
    #18 0x56288b94dba5 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1380
 
    #19 0x56288bc4b776 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
 
    #20 0x56288bc4bebe in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
 
    #21 0x56288cf0eda8 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
 
    #22 0x7f682ed42608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
 
    #23 0x7f682e91c292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
 
 
Address 0x7f68240e3ce0 is located in stack of thread T5
 
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /data/src/10.2/strings/decimal.c:1359 in bin2decimal
 
Shadow bytes around the buggy address:
 
  0x0fed84814740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0fed84814750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0fed84814760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0fed84814770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0fed84814780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
=>0x0fed84814790: 00 00 00 00 00 00 00 00 ca ca ca ca[cb]cb cb cb
 
  0x0fed848147a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0fed848147b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0fed848147c0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
 
  0x0fed848147d0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0fed848147e0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 f2 f2
 
Shadow byte legend (one shadow byte represents 8 application bytes):
 
  Addressable:           00
 
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
 
  Freed heap region:       fd
 
  Stack left redzone:      f1
 
  Stack mid redzone:       f2
 
  Stack right redzone:     f3
 
  Stack after return:      f5
 
  Stack use after scope:   f8
 
  Global redzone:          f9
 
  Global init order:       f6
 
  Poisoned by user:        f7
 
  Container overflow:      fc
 
  Array cookie:            ac
 
  Intra object redzone:    bb
 
  ASan internal:           fe
 
  Left alloca redzone:     ca
 
  Right alloca redzone:    cb
 
  Shadow gap:              cc
 
Thread T5 created by T0 here:
 
    #0 0x7f682f1d6805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
 
    #1 0x56288cf17d8e in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
 
    #2 0x56288b724e02 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
 
    #3 0x56288b724e02 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6518
 
    #4 0x56288b735453 in create_new_thread /data/src/10.2/sql/mysqld.cc:6588
 
    #5 0x56288b735453 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6846
 
    #6 0x56288b737967 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6137
 
    #7 0x7f682e8210b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
 
 
==4061520==ABORTING



 Comments   
Comment by Roel Van de Paar [ 2023-01-28 ]

Ran into this one also. Also present in MySQL 5.5-5.7 but not 8.0.

SET SESSION div_precision_increment=0;
 
SELECT * FROM (SELECT WEEKDAY (0)/0) AS a0;

Leads to:

11.0.1 b075191ba8598af6aff5549e6e19f6255aef258a (Debug)

 
mysqld: /test/11.0_dbg/strings/decimal.c:1563: decimal_bin_size: Assertion `precision > 0' failed.

11.0.1 b075191ba8598af6aff5549e6e19f6255aef258a (Debug)

 
Core was generated by `/test/MD090123-mariadb-11.0.1-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
 
Program terminated with signal SIGABRT, Aborted.
 
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=22936563738176)
 
    at ./nptl/pthread_kill.c:44
 
[Current thread is 1 (Thread 0x14dc55bbe640 (LWP 861603))]
 
(gdb) bt
 
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=22936563738176) at ./nptl/pthread_kill.c:44
 
#1  __pthread_kill_internal (signo=6, threadid=22936563738176) at ./nptl/pthread_kill.c:78
 
#2  __GI___pthread_kill (threadid=22936563738176, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
 
#3  0x000014dc7b488476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
 
#4  0x000014dc7b46e7f3 in __GI_abort () at ./stdlib/abort.c:79
 
#5  0x000014dc7b46e71b in __assert_fail_base (fmt=0x14dc7b623150 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x557f0ac00231 "precision > 0", file=0x557f0abfff68 "/test/11.0_dbg/strings/decimal.c", line=1563, function=<optimized out>) at ./assert/assert.c:92
 
#6  0x000014dc7b47fe96 in __GI___assert_fail (assertion=assertion@entry=0x557f0ac00231 "precision > 0", file=file@entry=0x557f0abfff68 "/test/11.0_dbg/strings/decimal.c", line=line@entry=1563, function=function@entry=0x557f0ac00380 <__PRETTY_FUNCTION__.6> "decimal_bin_size") at ./assert/assert.c:101
 
#7  0x0000557f0a5c078d in decimal_bin_size (precision=<optimized out>, scale=<optimized out>) at /test/11.0_dbg/strings/decimal.c:1563
 
#8  0x0000557f09ea35cf in my_decimal_get_binary_size (scale=<optimized out>, precision=<optimized out>) at /test/11.0_dbg/sql/my_decimal.h:346
 
#9  Field_new_decimal::Field_new_decimal (this=this@entry=0x14dc00007ee0, ptr_arg=ptr_arg@entry=0x0, len_arg=len_arg@entry=0, null_ptr_arg=null_ptr_arg@entry=0x557f0a813d0c "", null_bit_arg=null_bit_arg@entry=1 '\001', unireg_check_arg=unireg_check_arg@entry=Field::NONE, field_name_arg=0x14dc00013e40, dec_arg=0, zero_arg=false, unsigned_arg=false) at /test/11.0_dbg/sql/field.cc:3388
 
#10 0x0000557f09df0eab in Type_handler_newdecimal::make_table_field (this=<optimized out>, root=0x14dc00019608, name=0x14dc00013e40, addr=<optimized out>, attr=@0x14dc00013df8: {<Type_std_attributes> = {<Type_numeric_attributes> = {max_length = 0, decimals = 0, unsigned_flag = false}, collation = {collation = 0x557f0af3e5e0 <my_charset_latin1>, derivation = DERIVATION_NUMERIC, repertoire = MY_REPERTOIRE_ASCII}}, _vptr.Type_all_attributes = 0x557f0ae35e68 <vtable for Item_func_div+16>}, share=<optimized out>) at /test/11.0_dbg/sql/sql_type.cc:3680
 
#11 0x0000557f09e02130 in Type_handler::make_and_init_table_field (this=this@entry=0x557f0b0197a0 <type_handler_newdecimal>, root=root@entry=0x14dc00019608, name=name@entry=0x14dc00013e40, addr=@0x14dc55bbb180: {m_ptr = 0x0, m_null = {m_ptr = 0x557f0a813d0c "", m_offs = 0 '\000'}}, attr=@0x14dc00013df8: {<Type_std_attributes> = {<Type_numeric_attributes> = {max_length = 0, decimals = 0, unsigned_flag = false}, collation = {collation = 0x557f0af3e5e0 <my_charset_latin1>, derivation = DERIVATION_NUMERIC, repertoire = MY_REPERTOIRE_ASCII}}, _vptr.Type_all_attributes = 0x557f0ae35e68 <vtable for Item_func_div+16>}, table=table@entry=0x14dc00019350) at /test/11.0_dbg/sql/sql_type.cc:3567
 
#12 0x0000557f09c63ce3 in Item_result_field::create_tmp_field_ex_from_handler (this=this@entry=0x14dc00013df8, root=root@entry=0x14dc00019608, table=table@entry=0x14dc00019350, src=src@entry=0x14dc55bbb250, param=param@entry=0x14dc55bbb24c, h=0x557f0b0197a0 <type_handler_newdecimal>) at /test/11.0_dbg/sql/sql_select.cc:19223
 
#13 0x0000557f09b16456 in Item_result_field::create_tmp_field_ex (this=0x14dc00013df8, root=0x14dc00019608, table=0x14dc00019350, src=0x14dc55bbb250, param=0x14dc55bbb24c) at /test/11.0_dbg/sql/item.h:3453
 
#14 0x0000557f09c64060 in create_tmp_field (table=table@entry=0x14dc00019350, item=item@entry=0x14dc00013df8, copy_func=copy_func@entry=0x14dc55bbb368, from_field=from_field@entry=0x14dc00019cd8, default_field=0x14dc00019cc8, group=<optimized out>, modify_item=false, table_cant_handle_bit_fields=false, make_copy_field=false) at /test/11.0_dbg/sql/sql_select.cc:19309
 
#15 0x0000557f09c6524f in Create_tmp_table::add_fields (this=this@entry=0x14dc55bbb3c0, thd=thd@entry=0x14dc00000d58, table=table@entry=0x14dc00019350, param=param@entry=0x14dc00015f88, fields=@0x14dc00014708: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14dc00013eb0, last = 0x14dc00013eb0, elements = 1}, <No data fields>}) at /test/11.0_dbg/sql/sql_select.cc:19744
 
#16 0x0000557f09c690b9 in create_tmp_table (thd=thd@entry=0x14dc00000d58, param=param@entry=0x14dc00015f88, fields=@0x14dc00014708: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14dc00013eb0, last = 0x14dc00013eb0, elements = 1}, <No data fields>}, group=group@entry=0x0, distinct=distinct@entry=false, save_sum_fields=save_sum_fields@entry=true, select_options=2201187785472, rows_limit=18446744073709551615, table_alias=0x14dc000147b0, do_not_open=true, keep_row_order=false) at /test/11.0_dbg/sql/sql_select.cc:20390
 
#17 0x0000557f09cee931 in select_unit::create_result_table (this=0x14dc00015f50, thd_arg=0x14dc00000d58, column_types=0x14dc00014708, is_union_distinct=<optimized out>, options=2201187785472, alias=0x14dc000147b0, bit_fields_as_long=false, create_table=false, keep_row_order=false, hidden=0) at /test/11.0_dbg/sql/sql_union.cc:350
 
#18 0x0000557f09bb90b4 in mysql_derived_prepare (thd=0x14dc00000d58, lex=<optimized out>, derived=0x14dc00014768) at /test/11.0_dbg/sql/sql_derived.cc:884
 
#19 0x0000557f09bb740f in mysql_handle_single_derived (lex=lex@entry=0x14dc00004ec0, derived=derived@entry=0x14dc00014768, phases=phases@entry=2) at /test/11.0_dbg/sql/sql_derived.cc:200
 
#20 0x0000557f09d1d479 in TABLE_LIST::handle_derived (this=this@entry=0x14dc00014768, lex=lex@entry=0x14dc00004ec0, phases=phases@entry=2) at /test/11.0_dbg/sql/table.cc:9476
 
#21 0x0000557f09bd626b in LEX::handle_list_of_derived (phases=2, table_list=<optimized out>, this=0x14dc00004ec0) at /test/11.0_dbg/sql/sql_lex.h:4504
 
#22 st_select_lex::handle_derived (this=<optimized out>, lex=0x14dc00004ec0, phases=phases@entry=2) at /test/11.0_dbg/sql/sql_lex.cc:4980
 
#23 0x0000557f09c7547f in JOIN::prepare (this=this@entry=0x14dc000157a0, tables_init=tables_init@entry=0x14dc00014768, conds_init=conds_init@entry=0x0, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x14dc000131e8, unit_arg=0x14dc00004f98) at /test/11.0_dbg/sql/sql_select.cc:1363
 
#24 0x0000557f09c8c72b in mysql_select (thd=thd@entry=0x14dc00000d58, tables=0x14dc00014768, fields=@0x14dc00013488: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14dc00013780, last = 0x14dc00013780, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x14dc00015778, unit=0x14dc00004f98, select_lex=0x14dc000131e8) at /test/11.0_dbg/sql/sql_select.cc:5055
 
#25 0x0000557f09c8c91a in handle_select (thd=thd@entry=0x14dc00000d58, lex=lex@entry=0x14dc00004ec0, result=result@entry=0x14dc00015778, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.0_dbg/sql/sql_select.cc:581
 
#26 0x0000557f09bf81d3 in execute_sqlcom_select (thd=thd@entry=0x14dc00000d58, all_tables=0x14dc00014768) at /test/11.0_dbg/sql/sql_parse.cc:6265
 
#27 0x0000557f09c03650 in mysql_execute_command (thd=thd@entry=0x14dc00000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.0_dbg/sql/sql_parse.cc:3949
 
#28 0x0000557f09c0a934 in mysql_parse (thd=thd@entry=0x14dc00000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14dc55bbd2c0) at /test/11.0_dbg/sql/sql_parse.cc:8000
 
#29 0x0000557f09c0cac8 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14dc00000d58, packet=packet@entry=0x14dc0000ae09 "SELECT * FROM (SELECT WEEKDAY (0)/0) AS a0", packet_length=packet_length@entry=42, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_class.h:243
 
#30 0x0000557f09c0e921 in do_command (thd=0x14dc00000d58, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_parse.cc:1407
 
#31 0x0000557f09d589ea in do_handle_one_connection (connect=<optimized out>, connect@entry=0x557f0d7060e8, put_in_cache=put_in_cache@entry=true) at /test/11.0_dbg/sql/sql_connect.cc:1416
 
#32 0x0000557f09d58c4e in handle_one_connection (arg=0x557f0d7060e8) at /test/11.0_dbg/sql/sql_connect.cc:1318
 
#33 0x000014dc7b4dab43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
 
#34 0x000014dc7b56ca00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Bug confirmed present in:
MariaDB: 10.3.38 (dbg), 10.4.28 (dbg), 10.5.19 (dbg), 10.6.12 (dbg), 10.7.8 (dbg), 10.8.7 (dbg), 10.9.5 (dbg), 10.10.3 (dbg), 10.11.2 (dbg), 11.0.1 (dbg)
MySQL: 5.5.62 (dbg), 5.6.51 (dbg), 5.7.40 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.38 (opt), 10.4.28 (opt), 10.5.19 (opt), 10.6.12 (opt), 10.7.8 (opt), 10.8.7 (opt), 10.9.5 (opt), 10.10.3 (opt), 10.11.2 (opt), 11.0.1 (opt)
MySQL: 5.5.62 (opt), 5.6.51 (opt), 5.7.40 (opt), 8.0.31 (dbg), 8.0.31 (opt)

Interestingly, no UB/ASAN issues observed with this particular testcase.

All Stacks/UniqueID's seen (for both testcases) across versions (inc. MySQL) so far:

precision > 0|SIGABRT|Item_func_div::result_precision|Item_func_div::fix_length_and_dec|Item_func::fix_fields|setup_fields
 
precision > 0|SIGABRT|decimal_bin_size|my_decimal_get_binary_size|Field_new_decimal::Field_new_decimal|Type_handler_newdecimal::make_table_field
 
precision > 0|SIGABRT|decimal_bin_size|my_decimal_get_binary_size|Field_new_decimal::set_and_validate_prec|Field_new_decimal::Field_new_decimal
 
scale >= 0 && precision > 0 && scale <= precision|SIGABRT|decimal_bin_size|my_decimal_get_binary_size|Field_new_decimal::Field_new_decimal|Field_new_decimal::create_from_item
 
ASAN|dynamic-stack-buffer-overflow|strings/decimal.c|bin2decimal|my_decimal::my_decimal|Field_new_decimal::val_str|Field::val_str

Based on the last assert, MDEV-25317 may be connected.

Generated at Thu Feb 08 09:22:27 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.