Bug #45152 crash with round() function on longtext column in a derived table
Submitted: 28 May 2009 11:34
Modified: 28 Jun 2009 1:00
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: DML
Severity: S1 (Critical)
Version: 5.0.54, 5.0.83, 5.1.35, 6.0.12
OS: Any
Assigned to: Sergei Glukhov
CPU Architecture: Any

[28 May 2009 11:34] Shane Bester
Description:
5.1.34 stack trace:

mysqld-debug.exe!String::real_alloc()[sql_string.cc:56]
mysqld-debug.exe!String::alloc()[sql_string.h:203]
mysqld-debug.exe!Field_double::val_str()[field.cc:4525]
mysqld-debug.exe!Item_field::val_str()[item.cc:2008]
mysqld-debug.exe!Item_func_like::val_int()[item_cmpfunc.cc:4326]
mysqld-debug.exe!make_join_select()[sql_select.cc:6048]
mysqld-debug.exe!JOIN::optimize()[sql_select.cc:1045]
mysqld-debug.exe!mysql_select()[sql_select.cc:2364]
mysqld-debug.exe!handle_select()[sql_select.cc:268]
mysqld-debug.exe!execute_sqlcom_select()[sql_parse.cc:4982]
mysqld-debug.exe!mysql_execute_command()[sql_parse.cc:2204]
mysqld-debug.exe!mysql_parse()[sql_parse.cc:5902]
mysqld-debug.exe!dispatch_command()[sql_parse.cc:1216]
mysqld-debug.exe!do_command()[sql_parse.cc:857]
mysqld-debug.exe!handle_one_connection()[sql_connect.cc:1115]
mysqld-debug.exe!pthread_start()[my_winthread.c:85]
mysqld-debug.exe!_callthreadstart()[thread.c:293]
mysqld-debug.exe!_threadstart()[thread.c:277]

How to repeat:
drop table if exists `t1`;
create table `t1`(`a` longtext)engine=myisam;
insert into `t1` values ('a');
select 1 from (select round(`a`) as `a` from `t1`)as `s` where `a` like 'a';
[29 May 2009 13:35] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/75246

2759 Sergey Glukhov	2009-05-29
      Bug#45152 crash with round() function on longtext column in a derived table
      The crash happens due to wrong max_length value which is set on
      Item_func_round::fix_length_and_dec() stage. The value is set to
      args[0]->max_length which is too big in case of LONGTEXT(LONGBLOB) fields.
      The fix is to set max_length using float_length() function.
     @ mysql-test/r/func_math.result
        test result
     @ mysql-test/t/func_math.test
        test case
     @ sql/item_func.cc
        The crash happens due to wrong max_length value which is set on
        Item_func_round::fix_length_and_dec() stage. The value is set to
        args[0]->max_length which is too big in case of LONGTEXT(LONGBLOB) fields.
        The fix is to set max_length using float_length() function.
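The following C++ model, added here and not taken from the MySQL source or the committed patch, shows the length computation the commit message describes: ROUND() used to inherit its argument's max_length (2^32-1 for LONGTEXT/LONGBLOB) instead of a width derived from float_length(). The constant values, the float_length() formula and the modelled String::alloc() failure are assumptions chosen to illustrate why a 4 GiB per-row buffer request is unsafe, not the server's exact crash path.

```cpp
// Added example, not MySQL's code: models the max_length computation the
// commit message describes, before and after the fix, and why a LONGTEXT
// argument's max_length is unsafe as a buffer size for a double result.
#include <cfloat>
#include <cstdint>
#include <vector>

// Assumed values modelled on MySQL's definitions; treat them as illustrative.
constexpr uint32_t LONGTEXT_MAX_LENGTH   = UINT32_MAX; // LONGTEXT/LONGBLOB: 2^32-1 bytes
constexpr uint32_t NOT_FIXED_DEC         = 31;         // "decimals not fixed" marker
constexpr uint32_t FLOATING_POINT_BUFFER = 311;        // width for an unconstrained double

// float_length(): printable width of a double with `decimals` fraction digits.
uint32_t float_length(uint32_t decimals) {
  return decimals == NOT_FIXED_DEC ? FLOATING_POINT_BUFFER
                                   : DBL_DIG + 2 + decimals;
}

// Before the fix: ROUND() inherited its argument's max_length unchanged,
// so ROUND(longtext_col) claimed a 4 GiB result although it yields a double.
uint32_t round_max_length_before(uint32_t arg_max_length) {
  return arg_max_length;
}

// After the fix: the result width depends only on the number of decimals.
uint32_t round_max_length_after(uint32_t decimals) {
  return float_length(decimals);
}

// Modelled String::alloc(): the caller asks for max_length bytes plus a
// terminator in 32-bit arithmetic. With 2^32-1 the "+1" wraps to 0, and a
// request near 4 GiB is not something a per-row buffer can satisfy. This
// model returns false instead of touching a bad pointer (assumed behaviour,
// not the server's exact failure path).
bool string_alloc(uint32_t arg_length, std::vector<char>& buf) {
  uint32_t needed = arg_length + 1;      // wraps to 0 for UINT32_MAX
  const uint32_t sane_limit = 1u << 24;  // 16 MiB cap for this model
  if (needed == 0 || needed > sane_limit) return false;
  buf.assign(needed, '\0');
  return true;
}

// Before/after in one call: does val_str() get a buffer it can use?
bool round_buffer_ok(bool fixed, uint32_t arg_max_length, uint32_t decimals) {
  std::vector<char> buf;
  uint32_t len = fixed ? round_max_length_after(decimals)
                       : round_max_length_before(arg_max_length);
  return string_alloc(len, buf);
}
```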
[2 Jun 2009 7:38] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/75424

2763 Sergey Glukhov	2009-06-02
      Bug#45152 crash with round() function on longtext column in a derived table
      The crash happens due to wrong max_length value which is set on
      Item_func_round::fix_length_and_dec() stage. The value is set to
      args[0]->max_length which is too big in case of LONGTEXT(LONGBLOB) fields.
      The fix is to set max_length using float_length() function.
     @ mysql-test/r/func_math.result
        test result
     @ mysql-test/t/func_math.test
        test case
     @ sql/item_func.cc
        The crash happens due to wrong max_length value which is set on
        Item_func_round::fix_length_and_dec() stage. The value is set to
        args[0]->max_length which is too big in case of LONGTEXT(LONGBLOB) fields.
        The fix is to set max_length using float_length() function.
[16 Jun 2009 8:32] Bugs System
Pushed into 5.0.84 (revid:gkodinov@mysql.com-20090616082753-kwe0l8uoictxhojf) (version source revid:sergey.glukhov@sun.com-20090602063813-33mh88cz5vpa2jqe) (merge vers: 5.0.83) (pib:6)
[16 Jun 2009 11:05] Bugs System
Pushed into 5.1.36 (revid:joro@sun.com-20090616102155-3zhezogudt4uxdyn) (version source revid:satya.bn@sun.com-20090602084021-tfgwvkvpamxy7l5q) (merge vers: 5.1.36) (pib:6)
[17 Jun 2009 19:27] Bugs System
Pushed into 5.4.4-alpha (revid:alik@sun.com-20090616183122-chjzbaa30qopdra9) (version source revid:satya.bn@sun.com-20090602084532-fps1rp81c6nihf2h) (merge vers: 6.0.12-alpha) (pib:11)
[28 Jun 2009 1:00] Paul DuBois
Noted in 5.0.84, 5.1.36, 5.4.4 changelogs.

Use of ROUND() on a LONGTEXT or LONGBLOB column of a derived table
could cause a server crash.
[10 Aug 2009 17:55] Paul DuBois
Noted in 5.0.82sp1 changelog.
[10 Aug 2009 18:59] Bugs System
Pushed into 5.0.85 (revid:build@mysql.com-20090810185326-yr4orhpwq09e3y50) (version source revid:build@mysql.com-20090810185326-yr4orhpwq09e3y50) (merge vers: 5.0.85) (pib:11)
[12 Aug 2009 22:23] Paul DuBois
Noted in 5.4.2 changelog because next 5.4 version will be 5.4.2 and not 5.4.4.
[14 Aug 2009 23:09] Paul DuBois
Ignore previous comment about 5.4.2.
[25 Aug 2009 9:23] Bugs System
Pushed into 5.1.39 (revid:jperkin@sun.com-20090824091334-6ktgrhq218vl7zq1) (version source revid:joerg@mysql.com-20090813203300-nnskc3aofxydzi85) (merge vers: 5.1.39) (pib:11)
[26 Aug 2009 13:46] Bugs System
Pushed into 5.1.37-ndb-7.0.8 (revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[26 Aug 2009 13:46] Bugs System
Pushed into 5.1.37-ndb-6.3.27 (revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (version source revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (merge vers: 5.1.37-ndb-6.3.27) (pib:11)
[26 Aug 2009 13:48] Bugs System
Pushed into 5.1.37-ndb-6.2.19 (revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (version source revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (merge vers: 5.1.37-ndb-6.2.19) (pib:11)
[27 Aug 2009 16:33] Bugs System
Pushed into 5.1.35-ndb-7.1.0 (revid:magnus.blaudd@sun.com-20090827163030-6o3kk6r2oua159hr) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[14 Sep 2009 16:06] Bugs System
Pushed into 5.4.4-alpha (revid:alik@sun.com-20090914155317-m1g9wodmndzdj4l1) (version source revid:alik@sun.com-20090914155317-m1g9wodmndzdj4l1) (merge vers: 5.4.4-alpha) (pib:11)
[1 Oct 2009 5:59] Bugs System
Pushed into 5.1.39-ndb-6.3.28 (revid:jonas@mysql.com-20091001055605-ap2kiaarr7p40mmv) (version source revid:jonas@mysql.com-20091001055605-ap2kiaarr7p40mmv) (merge vers: 5.1.39-ndb-6.3.28) (pib:11)
[1 Oct 2009 7:25] Bugs System
Pushed into 5.1.39-ndb-7.0.9 (revid:jonas@mysql.com-20091001072547-kv17uu06hfjhgjay) (version source revid:jonas@mysql.com-20091001071652-irejtnumzbpsbgk2) (merge vers: 5.1.39-ndb-7.0.9) (pib:11)
[1 Oct 2009 13:25] Bugs System
Pushed into 5.1.39-ndb-7.1.0 (revid:jonas@mysql.com-20091001123013-g9ob2tsyctpw6zs0) (version source revid:jonas@mysql.com-20091001123013-g9ob2tsyctpw6zs0) (merge vers: 5.1.39-ndb-7.1.0) (pib:11)
[5 Oct 2009 10:50] Bugs System
Pushed into 5.1.39-ndb-6.2.19 (revid:jonas@mysql.com-20091005103850-dwij2dojwpvf5hi6) (version source revid:jonas@mysql.com-20090930185117-bhud4ek1y0hsj1nv) (merge vers: 5.1.39-ndb-6.2.19) (pib:11)
[7 Oct 2009 18:40] Paul DuBois
The 5.4 fix has been pushed to 5.4.2.