Bug #57209 valgrind + Assertion failed: dst > buf in format function with huge double vals
Submitted: 4 Oct 2010 7:47 Modified: 16 Nov 2010 2:06
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Data Types    Severity: S1 (Critical)
Version: 5.5.7    OS: Any
Assigned to: Tor Didriksen    CPU Architecture: Any
Tags: format(), regression, valgrind

[4 Oct 2010 7:47] Shane Bester
Description:
Version: '5.5.6-rc-debug'  socket: ''  port: 3306  MySQL Community Server - Debug (GPL)
Assertion failed: dst > buf, file ..\..\mysql-5.5.6-rc\sql\item_strfunc.cc, line 2333

 my_sigabrt_handler()[my_thr_init.c:521]
 raise()[winsig.c:597]
 abort()[abort.c:78]
 _wassert()[assert.c:163]
 Item_func_format::val_str_ascii()[item_strfunc.cc:2333]
 Item_str_ascii_func::val_str()[item_strfunc.cc:76]
 Item_str_func::val_int()[item_strfunc.cc:161]
 Item_func_substr::fix_length_and_dec()[item_strfunc.cc:1417]
 Item_func::fix_fields()[item_func.cc:220]
 Item_str_func::fix_fields()[item_strfunc.cc:117]
 Item_func::fix_fields()[item_func.cc:192]
 setup_fields()[sql_base.cc:7720]
 JOIN::prepare()[sql_select.cc:549]
 mysql_select()[sql_select.cc:2520]
 handle_select()[sql_select.cc:296]
 execute_sqlcom_select()[sql_parse.cc:4565]
 mysql_execute_command()[sql_parse.cc:2175]
 mysql_parse()[sql_parse.cc:5594]
 dispatch_command()[sql_parse.cc:1142]
 do_command()[sql_parse.cc:811]
 do_handle_one_connection()[sql_connect.cc:1191]
 handle_one_connection()[sql_connect.cc:1131]
 pthread_start()[my_winthread.c:62]
 _callthreadstartex()[threadex.c:348]
 _threadstartex()[threadex.c:331]
 BaseThreadStart()

How to repeat:
import the attached select query on a debug 5.5 build
[4 Oct 2010 7:49] MySQL Verification Team
valgrind errors like this on release build:

Invalid read of size 4
at 0x6C4060: Item_func_format::val_str_ascii(String*) (item_strfunc.cc:2328)
by 0x6BCBA8: Item_str_ascii_func::val_str(String*) (item_strfunc.cc:76)
by 0x6C390C: Item_str_func::val_int() (item_strfunc.cc:161)
<cut>
[4 Oct 2010 9:27] Valeriy Kravchuk
Verified with current mysql-5.5 tree on Ubuntu 10.04:

openxs@ubuntu:~/dbs/5.5$ bin/mysql --no-defaults -uroot --socket=/tmp/vk.sock test < ~/Desktop/bug57209_query.sql 
ERROR 2013 (HY000) at line 1: Lost connection to MySQL server during query
openxs@ubuntu:~/dbs/5.5$ 101004 12:25:39 mysqld_safe Number of processes running now: 0
101004 12:25:39 mysqld_safe mysqld restarted

openxs@ubuntu:~/dbs/5.5$ tail -100 var/ubuntu.err 
InnoDB: Mutexes and rw_locks use GCC atomic builtins
InnoDB: Compressed tables use zlib 1.2.3
101004 12:25:12  InnoDB: highest supported file format is Barracuda.
101004 12:25:13 InnoDB 1.1.2 started; log sequence number 1595675
101004 12:25:13 [Note] Event Scheduler: Loaded 0 events
101004 12:25:13 [Note] /home/openxs/dbs/5.5/libexec/mysqld: ready for connections.
Version: '5.5.7-rc-debug'  socket: '/tmp/vk.sock'  port: 9999  Source distribution
mysqld: item_strfunc.cc:2333: virtual String* Item_func_format::val_str_ascii(String*): Assertion `dst > buf' failed.
101004 12:25:39 - mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8388608
read_buffer_size=131072
max_used_connections=1
max_threads=151
thread_count=1
connection_count=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 337925 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0xabe5990
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0xa92b935c thread_stack 0x30000
/home/openxs/dbs/5.5/libexec/mysqld(my_print_stacktrace+0x26)[0x863a838]
/home/openxs/dbs/5.5/libexec/mysqld(handle_segfault+0x2dd)[0x827be54]
[0xb56400]
/lib/tls/i686/cmov/libc.so.6(abort+0x182)[0x13da82]
/lib/tls/i686/cmov/libc.so.6(__assert_fail+0xf8)[0x133718]
/home/openxs/dbs/5.5/libexec/mysqld(_ZN16Item_func_format13val_str_asciiEP6String+0x543)[0x820a089]
/home/openxs/dbs/5.5/libexec/mysqld(_ZN19Item_str_ascii_func7val_strEP6String+0x62)[0x8202ba8]
/home/openxs/dbs/5.5/libexec/mysqld(_ZN13Item_str_func7val_intEv+0x84)[0x820301e]
/home/openxs/dbs/5.5/libexec/mysqld(_ZN16Item_func_substr18fix_length_and_decEv+0xbe)[0x82071a8]
/home/openxs/dbs/5.5/libexec/mysqld(_ZN9Item_func10fix_fieldsEP3THDPP4Item+0x3c6)[0x81d81a0]
/home/openxs/dbs/5.5/libexec/mysqld(_ZN13Item_str_func10fix_fieldsEP3THDPP4Item+0x21)[0x8202d17]
/home/openxs/dbs/5.5/libexec/mysqld(_ZN9Item_func10fix_fieldsEP3THDPP4Item+0x14a)[0x81d7f24]
/home/openxs/dbs/5.5/libexec/mysqld(_Z12setup_fieldsP3THDPP4ItemR4ListIS1_E17enum_mark_columnsPS5_b+0x1dc)[0x82e9916]
/home/openxs/dbs/5.5/libexec/mysqld(_ZN4JOIN7prepareEPPP4ItemP10TABLE_LISTjS1_jP8st_orderS7_S1_S7_P13st_select_lexP18st_select_lex_unit+0x2d8)[0x82fbdac]
/home/openxs/dbs/5.5/libexec/mysqld(_Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x25f)[0x8302666]
/home/openxs/dbs/5.5/libexec/mysqld(_Z13handle_selectP3THDP3LEXP13select_resultm+0x1c2)[0x82fb6f8]
/home/openxs/dbs/5.5/libexec/mysqld[0x829501f]
/home/openxs/dbs/5.5/libexec/mysqld(_Z21mysql_execute_commandP3THD+0x9d0)[0x828d668]
/home/openxs/dbs/5.5/libexec/mysqld(_Z11mysql_parseP3THDPcjP12Parser_state+0x1d6)[0x8296ea5]
/home/openxs/dbs/5.5/libexec/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcj+0x9ce)[0x828b10f]
/home/openxs/dbs/5.5/libexec/mysqld(_Z10do_commandP3THD+0x242)[0x828a547]
/home/openxs/dbs/5.5/libexec/mysqld(_Z24do_handle_one_connectionP3THD+0x199)[0x82887b1]
/home/openxs/dbs/5.5/libexec/mysqld(handle_one_connection+0x28)[0x8288611]
/lib/tls/i686/cmov/libpthread.so.0(+0x596e)[0x7f296e]
/lib/tls/i686/cmov/libc.so.6(clone+0x5e)[0x1dda4e]
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0xabdec80 = select
coalesce(
        greatest(
                char(
                        polygon(1586258458E48,4592623E-42,0,23304) 
                        using cp1256
                     ),
                maketime(
                        polygonfromwkb(@@global.max_join_size,(
                                multilinestring(null,1239561,0.6954E-36,0.5796E32)
                                )
                        ),
                        strcmp(-11091,-1119562816),
                        des_decrypt(@@global.auto_increment_offset,
                                (linestring(-2134099618,0E-31,-1507416184E-60,-810351548,null))
                        )
                 ),
                 coalesce((
                        greatest(
                                soundex(0E66),
                                831 + 0E50,
                                multipoint(-16392,0E-84,-72,0,0E-16),
                                @@global.max_user_connections
                         )
                        ),
   
thd->thread_id=1
thd->killed=NOT_KILLED
...
[6 Oct 2010 14:03] Tor Didriksen
Simplified query:
select ( format(( concat_ws((5445796E25),(5306463),(30837))),
                ( period_diff((0.2286),(2989582)))))
;
[7 Oct 2010 8:15] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/120193

3096 Tor Didriksen	2010-10-07
      Bug#57209 valgrind + Assertion failed: dst > buf
      
      Buffer overrun when trying to format DBL_MAX
     @ mysql-test/r/func_math.result
        Add test case for Bug#57209
     @ mysql-test/t/func_math.test
        Add test case for Bug#57209
     @ sql/item_strfunc.cc
        Allocate a larger buffer for the result.
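The commit message above attributes the crash to a result buffer that is too small once DBL_MAX is rendered with thousands separators, and the fix is to size the buffer for that worst case. The following C program is an added illustration of that sizing discipline, not MySQL's own `Item_func_format` code: it derives a worst-case capacity from `DBL_MAX_10_EXP`, and `format_grouped` (a hypothetical name) refuses with -1 instead of writing past the caller's buffer whenever the grouped output would not fit. The separator rule (`,` every three integer digits, `dec` decimals) and the 30-decimal cap are assumptions chosen for the example.

```c
#include <float.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed cap on requested decimals for this example. */
#define FORMAT_MAX_DEC 30

/* Worst case for a double printed with FORMAT_MAX_DEC decimals and a ','
   after every three integer digits: sign + (DBL_MAX_10_EXP + 1) integer
   digits + one separator per three digits + '.' + decimals + NUL.
   On IEEE-754 doubles DBL_MAX_10_EXP is 308, so this is 445 bytes. */
#define FORMAT_BUF_SIZE (1 + (DBL_MAX_10_EXP + 1) + (DBL_MAX_10_EXP + 1) / 3 \
                         + 1 + FORMAT_MAX_DEC + 1)

/* Returns the capacity a caller must provide for a given number of decimals. */
size_t format_buffer_size(int dec)
{
    return 1 + (DBL_MAX_10_EXP + 1) + (DBL_MAX_10_EXP + 1) / 3 + 1 + (size_t)dec + 1;
}

/* Render value with dec decimals and ',' thousands separators into out
   (capacity out_size). Returns the length written (excluding NUL), or -1
   if the arguments are out of range or the result would not fit. Every
   write is bounds-checked, so an undersized buffer yields an error, not
   an overrun. */
int format_grouped(double value, int dec, char *out, size_t out_size)
{
    char plain[FORMAT_BUF_SIZE];           /* plain "%.*f" rendering */
    const char *p, *dot;
    size_t pos = 0, int_len, rest, i;
    int n;

    if (dec < 0 || dec > FORMAT_MAX_DEC || out == NULL || out_size == 0)
        return -1;

    n = snprintf(plain, sizeof plain, "%.*f", dec, value);
    if (n < 0 || (size_t)n >= sizeof plain)
        return -1;                         /* cannot happen within the derived bound */

    p = plain;
    if (*p == '-') {                       /* copy sign, keep room for NUL */
        if (pos + 1 >= out_size) return -1;
        out[pos++] = '-';
        p++;
    }

    dot = strchr(p, '.');
    int_len = dot ? (size_t)(dot - p) : strlen(p);

    /* Integer digits with a separator before every group of three. */
    for (i = 0; i < int_len; i++) {
        if (i > 0 && (int_len - i) % 3 == 0) {
            if (pos + 1 >= out_size) return -1;
            out[pos++] = ',';
        }
        if (pos + 1 >= out_size) return -1;
        out[pos++] = p[i];
    }

    /* Decimal point and fraction, copied verbatim. */
    if (dot) {
        rest = strlen(dot);
        if (pos + rest >= out_size) return -1;
        memcpy(out + pos, dot, rest);
        pos += rest;
    }
    out[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    char big[FORMAT_BUF_SIZE];
    char small[64];                        /* deliberately undersized */
    int n;

    n = format_grouped(1234567.891, 2, big, sizeof big);
    printf("%d: %s\n", n, big);
    n = format_grouped(DBL_MAX, 2, big, sizeof big);
    printf("DBL_MAX grouped length: %d\n", n);
    n = format_grouped(DBL_MAX, 2, small, sizeof small);
    printf("DBL_MAX into 64 bytes: %d (rejected, no overrun)\n", n);
    return 0;
}
```

The point of the example is the second and third calls: with the derived capacity DBL_MAX formats to 414 characters (309 digits, 102 separators, ".00"), and with a 64-byte buffer the function reports failure rather than corrupting the stack, which is the behaviour the assertion `dst > buf` in the report was guarding for.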
[8 Oct 2010 8:54] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/120349

3221 Tor Didriksen	2010-10-07
      Bug#57209 valgrind + Assertion failed: dst > buf
      
      Buffer overrun when trying to format DBL_MAX
     @ mysql-test/r/func_math.result
        Add test case for Bug#57209
     @ mysql-test/t/func_math.test
        Add test case for Bug#57209
     @ sql/item_strfunc.cc
        Allocate a larger buffer for the result.
[8 Oct 2010 9:52] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/120355

3221 Tor Didriksen	2010-10-08
      Bug#57209 valgrind + Assertion failed: dst > buf
      
      Buffer overrun when trying to format DBL_MAX
     @ mysql-test/r/func_math.result
        Add test case for Bug#57209
     @ mysql-test/t/func_math.test
        Add test case for Bug#57209
     @ sql/item_strfunc.cc
        Allocate a larger buffer for the result.
[8 Oct 2010 10:28] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/120357

3222 Tor Didriksen	2010-10-08
      Bug#57209 valgrind + Assertion failed: dst > buf
      
      Buffer overrun when trying to format DBL_MAX
     @ mysql-test/r/func_math.result
        Add test case for Bug#57209
     @ mysql-test/t/func_math.test
        Add test case for Bug#57209
     @ sql/item_strfunc.cc
        Allocate a larger buffer for the result.
[8 Oct 2010 11:46] Tor Didriksen
Pushed to 5.5-bugteam and trunk-merge
[10 Oct 2010 8:13] MySQL Verification Team
another testcase:
select format(export_set(-1,1,-4.5982494838248E+18,1),1);
[20 Oct 2010 2:06] Paul DuBois
Noted in 5.5.7 changelog.

A buffer overrun could occur when formatting DBL_MAX numbers.
[9 Nov 2010 19:45] Bugs System
Pushed into mysql-5.5 5.5.7-rc (revid:sunanda.menon@sun.com-20101109182959-otkxq8vo2dcd13la) (version source revid:sunanda.menon@sun.com-20101109182959-otkxq8vo2dcd13la) (merge vers: 5.5.7-rc) (pib:21)
[13 Nov 2010 16:06] Bugs System
Pushed into mysql-trunk 5.6.99-m5 (revid:alexander.nozdrin@oracle.com-20101113155825-czmva9kg4n31anmu) (version source revid:alexander.nozdrin@oracle.com-20101113152450-2zzcm50e7i4j35v7) (merge vers: 5.6.1-m4) (pib:21)
[13 Nov 2010 16:33] Bugs System
Pushed into mysql-next-mr (revid:alexander.nozdrin@oracle.com-20101113160336-atmtmfb3mzm4pz4i) (version source revid:vasil.dimov@oracle.com-20100629074804-359l9m9gniauxr94) (pib:21)