| Bug #57209 | valgrind + Assertion failed: dst > buf in format function with huge double vals | | |
|---|---|---|---|
| Submitted: | 4 Oct 2010 7:47 | Modified: | 16 Nov 2010 2:06 |
| Reporter: | Shane Bester (Platinum Quality Contributor) | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Data Types | Severity: | S1 (Critical) |
| Version: | 5.5.7 | OS: | Any |
| Assigned to: | Tor Didriksen | CPU Architecture: | Any |
| Tags: | format(), regression, valgrind | | |
[4 Oct 2010 7:47]
Shane Bester
[4 Oct 2010 7:49]
MySQL Verification Team
valgrind errors like this on release build:

Invalid read of size 4
   at 0x6C4060: Item_func_format::val_str_ascii(String*) (item_strfunc.cc:2328)
   by 0x6BCBA8: Item_str_ascii_func::val_str(String*) (item_strfunc.cc:76)
   by 0x6C390C: Item_str_func::val_int() (item_strfunc.cc:161)
<cut>
[4 Oct 2010 9:27]
Valeriy Kravchuk
Verified with current mysql-5.5 tree on Ubuntu 10.04:

openxs@ubuntu:~/dbs/5.5$ bin/mysql --no-defaults -uroot --socket=/tmp/vk.sock test < ~/Desktop/bug57209_query.sql
ERROR 2013 (HY000) at line 1: Lost connection to MySQL server during query
openxs@ubuntu:~/dbs/5.5$ 101004 12:25:39 mysqld_safe Number of processes running now: 0
101004 12:25:39 mysqld_safe mysqld restarted

openxs@ubuntu:~/dbs/5.5$ tail -100 var/ubuntu.err
InnoDB: Mutexes and rw_locks use GCC atomic builtins
InnoDB: Compressed tables use zlib 1.2.3
101004 12:25:12 InnoDB: highest supported file format is Barracuda.
101004 12:25:13 InnoDB 1.1.2 started; log sequence number 1595675
101004 12:25:13 [Note] Event Scheduler: Loaded 0 events
101004 12:25:13 [Note] /home/openxs/dbs/5.5/libexec/mysqld: ready for connections.
Version: '5.5.7-rc-debug' socket: '/tmp/vk.sock' port: 9999 Source distribution
mysqld: item_strfunc.cc:2333: virtual String* Item_func_format::val_str_ascii(String*): Assertion `dst > buf' failed.
101004 12:25:39 - mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8388608
read_buffer_size=131072
max_used_connections=1
max_threads=151
thread_count=1
connection_count=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 337925 K bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0xabe5990
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0xa92b935c thread_stack 0x30000
/home/openxs/dbs/5.5/libexec/mysqld(my_print_stacktrace+0x26)[0x863a838]
/home/openxs/dbs/5.5/libexec/mysqld(handle_segfault+0x2dd)[0x827be54]
[0xb56400]
/lib/tls/i686/cmov/libc.so.6(abort+0x182)[0x13da82]
/lib/tls/i686/cmov/libc.so.6(__assert_fail+0xf8)[0x133718]
/home/openxs/dbs/5.5/libexec/mysqld(_ZN16Item_func_format13val_str_asciiEP6String+0x543)[0x820a089]
/home/openxs/dbs/5.5/libexec/mysqld(_ZN19Item_str_ascii_func7val_strEP6String+0x62)[0x8202ba8]
/home/openxs/dbs/5.5/libexec/mysqld(_ZN13Item_str_func7val_intEv+0x84)[0x820301e]
/home/openxs/dbs/5.5/libexec/mysqld(_ZN16Item_func_substr18fix_length_and_decEv+0xbe)[0x82071a8]
/home/openxs/dbs/5.5/libexec/mysqld(_ZN9Item_func10fix_fieldsEP3THDPP4Item+0x3c6)[0x81d81a0]
/home/openxs/dbs/5.5/libexec/mysqld(_ZN13Item_str_func10fix_fieldsEP3THDPP4Item+0x21)[0x8202d17]
/home/openxs/dbs/5.5/libexec/mysqld(_ZN9Item_func10fix_fieldsEP3THDPP4Item+0x14a)[0x81d7f24]
/home/openxs/dbs/5.5/libexec/mysqld(_Z12setup_fieldsP3THDPP4ItemR4ListIS1_E17enum_mark_columnsPS5_b+0x1dc)[0x82e9916]
/home/openxs/dbs/5.5/libexec/mysqld(_ZN4JOIN7prepareEPPP4ItemP10TABLE_LISTjS1_jP8st_orderS7_S1_S7_P13st_select_lexP18st_select_lex_unit+0x2d8)[0x82fbdac]
/home/openxs/dbs/5.5/libexec/mysqld(_Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x25f)[0x8302666]
/home/openxs/dbs/5.5/libexec/mysqld(_Z13handle_selectP3THDP3LEXP13select_resultm+0x1c2)[0x82fb6f8]
/home/openxs/dbs/5.5/libexec/mysqld[0x829501f]
/home/openxs/dbs/5.5/libexec/mysqld(_Z21mysql_execute_commandP3THD+0x9d0)[0x828d668]
/home/openxs/dbs/5.5/libexec/mysqld(_Z11mysql_parseP3THDPcjP12Parser_state+0x1d6)[0x8296ea5]
/home/openxs/dbs/5.5/libexec/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcj+0x9ce)[0x828b10f]
/home/openxs/dbs/5.5/libexec/mysqld(_Z10do_commandP3THD+0x242)[0x828a547]
/home/openxs/dbs/5.5/libexec/mysqld(_Z24do_handle_one_connectionP3THD+0x199)[0x82887b1]
/home/openxs/dbs/5.5/libexec/mysqld(handle_one_connection+0x28)[0x8288611]
/lib/tls/i686/cmov/libpthread.so.0(+0x596e)[0x7f296e]
/lib/tls/i686/cmov/libc.so.6(clone+0x5e)[0x1dda4e]
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0xabdec80 = select coalesce( greatest( char( polygon(1586258458E48,4592623E-42,0,23304) using cp1256 ), maketime( polygonfromwkb(@@global.max_join_size,( multilinestring(null,1239561,0.6954E-36,0.5796E32) ) ), strcmp(-11091,-1119562816), des_decrypt(@@global.auto_increment_offset, (linestring(-2134099618,0E-31,-1507416184E-60,-810351548,null)) ) ), coalesce(( greatest( soundex(0E66), 831 + 0E50, multipoint(-16392,0E-84,-72,0,0E-16), @@global.max_user_connections ) ),
thd->thread_id=1
thd->killed=NOT_KILLED
...
[6 Oct 2010 14:03]
Tor Didriksen
Simplified query: select ( format(( concat_ws((5445796E25),(5306463),(30837))), ( period_diff((0.2286),(2989582))))) ;
[7 Oct 2010 8:15]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/120193

3096 Tor Didriksen 2010-10-07
Bug#57209 valgrind + Assertion failed: dst > buf
Buffer overrun when trying to format DBL_MAX

@ mysql-test/r/func_math.result
Add test case for Bug#57209
@ mysql-test/t/func_math.test
Add test case for Bug#57209
@ sql/item_strfunc.cc
Allocate a larger buffer for the result.
[8 Oct 2010 8:54]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/120349

3221 Tor Didriksen 2010-10-07
Bug#57209 valgrind + Assertion failed: dst > buf
Buffer overrun when trying to format DBL_MAX

@ mysql-test/r/func_math.result
Add test case for Bug#57209
@ mysql-test/t/func_math.test
Add test case for Bug#57209
@ sql/item_strfunc.cc
Allocate a larger buffer for the result.
[8 Oct 2010 9:52]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/120355

3221 Tor Didriksen 2010-10-08
Bug#57209 valgrind + Assertion failed: dst > buf
Buffer overrun when trying to format DBL_MAX

@ mysql-test/r/func_math.result
Add test case for Bug#57209
@ mysql-test/t/func_math.test
Add test case for Bug#57209
@ sql/item_strfunc.cc
Allocate a larger buffer for the result.
[8 Oct 2010 10:28]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/120357

3222 Tor Didriksen 2010-10-08
Bug#57209 valgrind + Assertion failed: dst > buf
Buffer overrun when trying to format DBL_MAX

@ mysql-test/r/func_math.result
Add test case for Bug#57209
@ mysql-test/t/func_math.test
Add test case for Bug#57209
@ sql/item_strfunc.cc
Allocate a larger buffer for the result.
[8 Oct 2010 11:46]
Tor Didriksen
Pushed to 5.5-bugteam and trunk-merge
[10 Oct 2010 8:13]
MySQL Verification Team
Another test case: select format(export_set(-1,1,-4.5982494838248E+18,1),1);
[20 Oct 2010 2:06]
Paul DuBois
Noted in 5.5.7 changelog. A buffer overrun could occur when formatting DBL_MAX numbers.
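The commit messages above place the cause in a result buffer too small for DBL_MAX and the fix in allocating a larger one. As an added illustration, not MySQL's code: a C routine that derives the worst-case length of a digit-grouped rendering from DBL_MAX_10_EXP and rejects a too-small destination before writing anything, so the failure is a return code rather than an overrun caught later by an assertion. The 30-decimal cap and the ',' separator are this example's assumptions, not the server's constants.

```c
#include <float.h>
#include <math.h>
#include <stdio.h>
#include <string.h>

/* Integer digits of the largest finite double: 309 for IEEE binary64. */
#define MAX_INT_DIGITS (DBL_MAX_10_EXP + 1)
/* Cap on requested decimals; an assumption of this example, not the server's constant. */
#define MAX_DEC 30

/* Worst-case length (no NUL) of any finite double rendered with 'dec' decimals
   and a separator after every three integer digits: sign + digits + separators + fraction. */
size_t grouped_max_len(int dec)
{
    size_t seps = (MAX_INT_DIGITS - 1) / 3;          /* 102 separators for 309 digits */
    size_t frac = dec > 0 ? 1 + (size_t)dec : 0;     /* '.' plus the decimals */
    return 1 + MAX_INT_DIGITS + seps + frac;
}

/* Render x with ',' grouping into out[outlen]. Returns the length written, or -1
   when the result would not fit: the size check happens before any byte is stored. */
int format_grouped(double x, int dec, char *out, size_t outlen)
{
    char plain[MAX_INT_DIGITS + MAX_DEC + 3];        /* sign + digits + '.' + decimals + NUL */
    if (!isfinite(x)) return -1;
    if (dec < 0) dec = 0;
    if (dec > MAX_DEC) dec = MAX_DEC;
    int n = snprintf(plain, sizeof plain, "%.*f", dec, x);
    if (n < 0 || (size_t)n >= sizeof plain) return -1;

    const char *p = plain;
    size_t sign = (*p == '-');
    const char *dot = strchr(plain, '.');
    size_t int_len = (dot ? (size_t)(dot - plain) : (size_t)n) - sign;
    size_t seps = int_len ? (int_len - 1) / 3 : 0;
    size_t total = (size_t)n + seps;
    if (total + 1 > outlen) return -1;               /* would overrun: refuse instead */

    char *o = out;
    if (sign) *o++ = *p++;
    for (size_t i = 0; i < int_len; i++) {           /* copy integer digits, inserting ',' */
        *o++ = *p++;
        size_t left = int_len - i - 1;
        if (left && left % 3 == 0) *o++ = ',';
    }
    memcpy(o, p, (size_t)n - (size_t)(p - plain) + 1); /* '.' + decimals + NUL, verbatim */
    return (int)total;
}
```

For DBL_MAX with two decimals the grouped string is 414 characters, so a destination of 415 bytes is the exact fit and anything shorter is refused.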
[9 Nov 2010 19:45]
Bugs System
Pushed into mysql-5.5 5.5.7-rc (revid:sunanda.menon@sun.com-20101109182959-otkxq8vo2dcd13la) (version source revid:sunanda.menon@sun.com-20101109182959-otkxq8vo2dcd13la) (merge vers: 5.5.7-rc) (pib:21)
[13 Nov 2010 16:06]
Bugs System
Pushed into mysql-trunk 5.6.99-m5 (revid:alexander.nozdrin@oracle.com-20101113155825-czmva9kg4n31anmu) (version source revid:alexander.nozdrin@oracle.com-20101113152450-2zzcm50e7i4j35v7) (merge vers: 5.6.1-m4) (pib:21)
[13 Nov 2010 16:33]
Bugs System
Pushed into mysql-next-mr (revid:alexander.nozdrin@oracle.com-20101113160336-atmtmfb3mzm4pz4i) (version source revid:vasil.dimov@oracle.com-20100629074804-359l9m9gniauxr94) (pib:21)