Bug #57279 updatexml dies with: Assertion failed: str_arg[length] == 0
Submitted: 6 Oct 2010 10:58
Modified: 13 Dec 2010 5:42
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: XML functions
Severity: S1 (Critical)
Version: 5.1.51-debug, 5.5.7-debug
OS: Any
Assigned to: Alexander Barkov
CPU Architecture: Any

[6 Oct 2010 10:58] Shane Bester
Description:
Version: '5.1.51-enterprise-gpl-advanced-debug'  socket: ''  port: 3306  MySQL Enterprise Server - Advanced Edition Debug (GPL)
Assertion failed: str_arg[length] == 0, file .\item.cc, line 5305

mysqld-debug.exe!my_sigabrt_handler()[mysqld.cc:2086]
mysqld-debug.exe!raise()[winsig.c:597]
mysqld-debug.exe!abort()[abort.c:78]
mysqld-debug.exe!_wassert()[assert.c:212]
mysqld-debug.exe!Item_float::Item_float()[item.cc:5305]
mysqld-debug.exe!my_xpath_parse_Number()[item_xmlfunc.cc:2363]
mysqld-debug.exe!my_xpath_parse_PrimaryExpr()[item_xmlfunc.cc:1863]
mysqld-debug.exe!my_xpath_parse_FilterExpr()[item_xmlfunc.cc:2011]
mysqld-debug.exe!my_xpath_parse_FilterExpr_opt_slashes_RelativeLocationPath()[item_xmlfunc.cc:1968]
mysqld-debug.exe!my_xpath_parse_PathExpr()[item_xmlfunc.cc:1987]
mysqld-debug.exe!my_xpath_parse_UnionExpr()[item_xmlfunc.cc:1931]
mysqld-debug.exe!my_xpath_parse_UnaryExpr()[item_xmlfunc.cc:2317]
mysqld-debug.exe!my_xpath_parse_MultiplicativeExpr()[item_xmlfunc.cc:2274]
mysqld-debug.exe!my_xpath_parse_AdditiveExpr()[item_xmlfunc.cc:2226]
mysqld-debug.exe!my_xpath_parse_RelationalExpr()[item_xmlfunc.cc:2184]
mysqld-debug.exe!my_xpath_parse_EqualityExpr()[item_xmlfunc.cc:2123]
mysqld-debug.exe!my_xpath_parse_AndExpr()[item_xmlfunc.cc:2058]
mysqld-debug.exe!my_xpath_parse_OrExpr()[item_xmlfunc.cc:2027]
mysqld-debug.exe!my_xpath_parse()[item_xmlfunc.cc:2560]
mysqld-debug.exe!Item_xml_str_func::fix_length_and_dec()[item_xmlfunc.cc:2599]
mysqld-debug.exe!Item_func::fix_fields()[item_func.cc:199]
mysqld-debug.exe!Item_str_func::fix_fields()[item_strfunc.cc:63]
mysqld-debug.exe!setup_fields()[sql_base.cc:7552]
mysqld-debug.exe!JOIN::prepare()[sql_select.cc:521]
mysqld-debug.exe!mysql_select()[sql_select.cc:2504]
mysqld-debug.exe!handle_select()[sql_select.cc:269]
mysqld-debug.exe!execute_sqlcom_select()[sql_parse.cc:5127]
mysqld-debug.exe!mysql_execute_command()[sql_parse.cc:2292]
mysqld-debug.exe!mysql_parse()[sql_parse.cc:6055]
mysqld-debug.exe!dispatch_command()[sql_parse.cc:1262]
mysqld-debug.exe!do_command()[sql_parse.cc:888]
mysqld-debug.exe!handle_one_connection()[sql_connect.cc:1136]
mysqld-debug.exe!pthread_start()[my_winthread.c:85]
mysqld-debug.exe!_callthreadstart()[thread.c:295]
mysqld-debug.exe!_threadstart()[thread.c:277]
kernel32.dll!BaseThreadStart()

How to repeat:
#on debug build:
select updatexml(null,(lpad(0.1111E-15,'2011',1)),1) ;
[6 Oct 2010 11:22] MySQL Verification Team
Thank you for the bug report.

Version: '5.6.99-m5-Win X64-debug'  socket: ''  port: 3540  Source distribution
Assertion failed: str_arg[length] == 0, file .\item.cc, line 5600
101006  8:19:04 - mysqld got exception 0x80000003 ;
<cut>
key_buffer_size=8388608
read_buffer_size=131072
max_used_connections=1
max_threads=151
thread_count=1
connection_count=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 338390 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0x34cefa0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
000000013F8E38C5    mysqld.exe!my_sigabrt_handler()[my_thr_init.c:521]
000000013F9E0E52    mysqld.exe!raise()[winsig.c:597]
000000013F9F1FF3    mysqld.exe!abort()[abort.c:78]
000000013F9E3525    mysqld.exe!_wassert()[assert.c:346]
000000013F472FC9    mysqld.exe!Item_float::Item_float()[item.cc:5600]
000000013F5E34DE    mysqld.exe!my_xpath_parse_Number()[item_xmlfunc.cc:2371]
000000013F5E3067    mysqld.exe!my_xpath_parse_PrimaryExpr()[item_xmlfunc.cc:1871]
000000013F5E2FFD    mysqld.exe!my_xpath_parse_FilterExpr()[item_xmlfunc.cc:2019]
000000013F5E2F1E    mysqld.exe!my_xpath_parse_FilterExpr_opt_slashes_RelativeLocationPath()[item_xmlfunc.cc:1976]
000000013F5E259B    mysqld.exe!my_xpath_parse_PathExpr()[item_xmlfunc.cc:1995]
000000013F5E245D    mysqld.exe!my_xpath_parse_UnionExpr()[item_xmlfunc.cc:1939]
000000013F5E23C0    mysqld.exe!my_xpath_parse_UnaryExpr()[item_xmlfunc.cc:2325]
000000013F5E2153    mysqld.exe!my_xpath_parse_MultiplicativeExpr()[item_xmlfunc.cc:2282]
000000013F5E1F8D    mysqld.exe!my_xpath_parse_AdditiveExpr()[item_xmlfunc.cc:2234]
000000013F5E1D57    mysqld.exe!my_xpath_parse_RelationalExpr()[item_xmlfunc.cc:2192]
000000013F5E1277    mysqld.exe!my_xpath_parse_EqualityExpr()[item_xmlfunc.cc:2131]
000000013F5E116E    mysqld.exe!my_xpath_parse_AndExpr()[item_xmlfunc.cc:2066]
000000013F5E105E    mysqld.exe!my_xpath_parse_OrExpr()[item_xmlfunc.cc:2035]
000000013F5E09BF    mysqld.exe!my_xpath_parse()[item_xmlfunc.cc:2568]
000000013F5E0779    mysqld.exe!Item_xml_str_func::fix_length_and_dec()[item_xmlfunc.cc:2607]
000000013F3F66F5    mysqld.exe!Item_func::fix_fields()[item_func.cc:221]
000000013F486281    mysqld.exe!Item_str_func::fix_fields()[item_strfunc.cc:117]
000000013F3A9F61    mysqld.exe!setup_fields()[sql_base.cc:7740]
000000013F5153A5    mysqld.exe!JOIN::prepare()[sql_select.cc:576]
000000013F51E9DC    mysqld.exe!mysql_select()[sql_select.cc:3480]
000000013F514AA3    mysqld.exe!handle_select()[sql_select.cc:322]
000000013F4A10AE    mysqld.exe!execute_sqlcom_select()[sql_parse.cc:4562]
000000013F4995BE    mysqld.exe!mysql_execute_command()[sql_parse.cc:2166]
000000013F4A36F5    mysqld.exe!mysql_parse()[sql_parse.cc:5591]
000000013F496E00    mysqld.exe!dispatch_command()[sql_parse.cc:1133]
000000013F496356    mysqld.exe!do_command()[sql_parse.cc:802]
000000013F3771ED    mysqld.exe!do_handle_one_connection()[sql_connect.cc:1201]
000000013F376F97    mysqld.exe!handle_one_connection()[sql_connect.cc:1141]
000000013F8E270B    mysqld.exe!pthread_start()[my_winthread.c:62]
000000013F9F8415    mysqld.exe!_callthreadstartex()[threadex.c:348]
000000013F9F83E8    mysqld.exe!_threadstartex()[threadex.c:331]
000000007769BE3D    kernel32.dll!BaseThreadInitThunk()
00000000777D6A51    ntdll.dll!RtlUserThreadStart()
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0000000003560D00=select updatexml(null,(lpad(0.1111E-15,'2011',1)),1)
thd->thread_id=1
thd->killed=NOT_KILLED
[18 Nov 2010 11:59] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/124241

3509 Alexander Barkov	2010-11-18
       Bug#57279 updatexml dies with: Assertion failed: str_arg[length] == 0
      
        Problem: crash in Item_float constructor on DBUG_ASSERT due
        to a non-null-terminated string parameter.
      
        Fix: making Item_float::Item_float non-null-terminated parameter safe:
        - Using temporary buffer when generating error
        - Using set_name() instead of direct name initialization
[18 Nov 2010 13:27] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/124249

3509 Alexander Barkov	2010-11-18
      Bug#57279 updatexml dies with: Assertion failed: str_arg[length] == 0
      
      Problem: crash in Item_float constructor on DBUG_ASSERT due
      to a non-null-terminated string parameter.
      
      Fix: making Item_float::Item_float non-null-terminated parameter safe:
      - Using temporary buffer when generating error
      
      modified:
        @ mysql-test/r/xml.result
        @ mysql-test/t/xml.test
        @ sql/item.cc
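Added illustration, not MySQL's code and not the patch linked above: a small C++ model of the bug class the commit message describes. An XPath Number token is a length-delimited slice of a larger buffer (the XPath 1.0 Number grammar has no exponent part, so a token can end in the middle of live data), and a constructor that assumes the slice is NUL-terminated reads past it. The token structure, input string and function names here are constructed assumptions; the "safe" routine shows the shape of the fix, copying the slice into a bounded temporary buffer before converting it.

```cpp
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// A length-delimited token, as a tokenizer hands out slices of a larger buffer.
struct Token {
    const char *ptr;
    size_t len;
};

// Scan an XPath 1.0 Number token from the start of s: Digits ('.' Digits?)? | '.' Digits.
// The grammar has no exponent part, so in "1111.111e-16" the token stops before 'e'
// and the bytes after it are still live buffer, not a NUL terminator.
size_t scan_xpath_number(const char *s, size_t n) {
    size_t i = 0;
    while (i < n && isdigit((unsigned char)s[i])) i++;
    if (i < n && s[i] == '.') {
        i++;
        while (i < n && isdigit((unsigned char)s[i])) i++;
    }
    return i;
}

// Pre-fix shape of the bug: the token's pointer is passed straight to a
// C conversion routine that keeps reading until it meets a non-number byte.
// With "e-16" following the token, strtod silently consumes the exponent too.
double parse_number_unsafe(Token t) {
    return strtod(t.ptr, nullptr);
}

// Post-fix shape: copy the token into a bounded temporary buffer, NUL-terminate
// it, convert, and check that the conversion consumed exactly the token.
bool parse_number_safe(Token t, double *out) {
    char buf[64];
    if (t.len >= sizeof buf) return false;   // refuse rather than truncate
    memcpy(buf, t.ptr, t.len);
    buf[t.len] = '\0';
    char *end = nullptr;
    *out = strtod(buf, &end);
    return end == buf + t.len;
}

// Constructed input (not taken from the report): a number followed by an exponent.
static const char kInput[] = "1111.111e-16";

Token first_number_token() {
    Token t;
    t.ptr = kInput;
    t.len = scan_xpath_number(kInput, strlen(kInput));
    return t;
}

// Small helpers exposing the results of the safe path for checking.
bool parsed_safe_ok() {
    double v = 0;
    return parse_number_safe(first_number_token(), &v);
}

double parsed_safe_value() {
    double v = 0;
    parse_number_safe(first_number_token(), &v);
    return v;
}

int main() {
    Token t = first_number_token();
    printf("token length: %zu (stops before 'e')\n", t.len);
    printf("unsafe, reads past the token: %g\n", parse_number_unsafe(t));
    printf("safe, bounded copy: %g ok=%d\n", parsed_safe_value(), parsed_safe_ok());
    return 0;
}
```

The unsafe path yields a value around 1e-13 because it kept reading the exponent that belongs to the following token; the safe path yields 1111.111 and also reports whether the whole slice was consumed, which is the check a caller wants before trusting a conversion of length-delimited input.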
[18 Nov 2010 14:03] Alexander Barkov
Pushed into:
mysql-5.1-bugteam [5.1.54]
mysql-5.5-bugteam [5.5.8]
mysql-trunk-bugteam [5.6.1-m5]
[22 Nov 2010 15:22] Jon Stephens
Documented bugfix in the 5.1.54, 5.5.8, and 5.6.1 changelogs as follows:

        Passing a string that was not null-terminated to UpdateXML() or
        ExtractValue() caused the server to fail with an assertion.

Closed.
[24 Nov 2010 10:51] Jon Stephens
Already documented in 5.5, setting back to Closed.
[5 Dec 2010 12:40] Bugs System
Pushed into mysql-trunk 5.6.1 (revid:alexander.nozdrin@oracle.com-20101205122447-6x94l4fmslpbttxj) (version source revid:alexander.nozdrin@oracle.com-20101205122447-6x94l4fmslpbttxj) (merge vers: 5.6.1) (pib:23)
[13 Dec 2010 5:42] Jon Stephens
No new changelog entries required; returning to Closed state.
[15 Dec 2010 5:51] Bugs System
Pushed into mysql-5.1 5.1.55 (revid:sunanda.menon@oracle.com-20101215054055-vgwki317xg1wphhh) (version source revid:sunanda.menon@oracle.com-20101215054055-vgwki317xg1wphhh) (merge vers: 5.1.55) (pib:23)
[16 Dec 2010 22:30] Bugs System
Pushed into mysql-5.5 5.5.9 (revid:jonathan.perkin@oracle.com-20101216101358-fyzr1epq95a3yett) (version source revid:jonathan.perkin@oracle.com-20101216101358-fyzr1epq95a3yett) (merge vers: 5.5.9) (pib:24)