Bug #32726 crash with cast in order by clause and cp932 charset
Submitted: 26 Nov 2007 15:38 Modified: 9 Jan 2008 14:49
Reporter: Shane Bester (Platinum Quality Contributor) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Charsets Severity:S1 (Critical)
Version:4.1.22, 5.0.50, 5.1.23 OS:Any
Assigned to: Ramil Kalimullin CPU Architecture:Any
Tags: cp932

[26 Nov 2007 15:38] Shane Bester 
Description:
See also bug#31070 whose testcase no longer crashes. Hence I open new bug.

Stack trace:
mysqld.exe!my_mb_wc_cp932               
mysqld.exe!copy_and_convert             
mysqld.exe!String::copy                 
mysqld.exe!Item_char_typecast::val_str  
mysqld.exe!Item::str_result             
mysqld.exe!make_sortkey                 
mysqld.exe!find_all_keys                
mysqld.exe!filesort                     
mysqld.exe!create_sort_index            
mysqld.exe!JOIN::exec                   
mysqld.exe!mysql_select                 
mysqld.exe!handle_select                
mysqld.exe!execute_sqlcom_select        
mysqld.exe!mysql_execute_command        
mysqld.exe!mysql_parse                  
mysqld.exe!dispatch_command             
mysqld.exe!do_command                   
mysqld.exe!handle_one_connection        
mysqld.exe!pthread_start                
mysqld.exe!_callthreadstart             
mysqld.exe!_threadstart                 

How to repeat:
drop table if exists `t1`;
create table `t1` (`c` set('a') character set cp932 collate cp932_bin not null) engine=myisam;
insert into `t1` values (),(),();
select 1 from `t1` order by cast(`c` as char(1));
[26 Nov 2007 15:51] MySQL Verification Team 
Seems only cp932 charset causes the crash. See also:

drop table if exists `t1`;
create table `t1` (`c` set('a') character set cp932 collate cp932_japanese_ci not null) engine=myisam;
insert into `t1` values (),(),();
select 1 from `t1` order by cast(`c` as char(1));
[26 Nov 2007 17:07] Hartmut Holzgraefe 
Verified on latest 5.1, linux gdb backtrace:

(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0x4003b8b8 in pthread_kill () from /lib/tls/libpthread.so.0
#2  0x08408fc2 in write_core (sig=11) at stacktrace.c:240
#3  0x0827c2f0 in handle_segfault (sig=11) at mysqld.cc:2293
#4  <signal handler called>
#5  0x086a8d7c in my_mb_wc_cp932 (cs=0x88a8540, pwc=0x4177e738, s=0x0, e=0x0) at ctype-cp932.c:5363
#6  0x082784d5 in copy_and_convert (to=0x8ffc2a0 '�' <repeats 28 times>, "h4z\025\020", to_length=0, to_cs=0x8979520, from=0x0, from_length=0, 
    from_cs=0x88a8540, errors=0x4177e800) at sql_string.cc:804
#7  0x082786a5 in String::copy (this=0x4177e8a8, str=0x0, arg_length=0, from_cs=0x88a8540, to_cs=0x8979520, errors=0x4177e800)
    at sql_string.cc:348
#8  0x0821eba3 in Item_char_typecast::val_str (this=0x9008d00, str=0x4177e8a8) at item_timefunc.cc:2416
#9  0x081d003d in Item::str_result (this=0x9008d00, tmp=0x4177e8a8) at item.h:729
#10 0x08391c92 in make_sortkey (param=0x4177ec4c, to=0x8ffc2a0 '�' <repeats 28 times>, "h4z\025\020", ref_pos=0x4177e9e8 "") at filesort.cc:724
#11 0x08392bb7 in find_all_keys (param=0x4177ec4c, select=0x900a598, sort_keys=0x8ffc268, buffpek_pointers=0x4177eac4, tempfile=0x4177eb88, 
    indexfile=0x0) at filesort.cc:553
#12 0x08394841 in filesort (thd=0x8fbb910, table=0x8fdf880, sortorder=0x900a6a0, s_length=1, select=0x900a598, max_rows=18446744073709551615, 
    sort_positions=false, examined_rows=0x4177eda0) at filesort.cc:234
#13 0x08301de1 in create_sort_index (thd=0x8fbb910, join=0x9008e40, order=0x9008da0, filesort_limit=18446744073709551615, 
    select_limit=18446744073709551615, is_order_by=false) at sql_select.cc:13135
#14 0x0830fb49 in JOIN::exec (this=0x9008e40) at sql_select.cc:2080
#15 0x08310240 in mysql_select (thd=0x8fbb910, rref_pointer_array=0x8fbcacc, tables=0x9008a78, wild_num=0, fields=@0x8fbca68, conds=0x0, 
    og_num=1, order=0x9008da0, group=0x0, having=0x0, proc_param=0x0, select_options=2147764736, result=0x9008e30, unit=0x8fbc76c, 
    select_lex=0x8fbc9d4) at sql_select.cc:2313
#16 0x0831056b in handle_select (thd=0x8fbb910, lex=0x8fbc710, result=0x9008e30, setup_tables_done_option=0) at sql_select.cc:263
#17 0x0828a642 in execute_sqlcom_select (thd=0x8fbb910, all_tables=0x9008a78) at sql_parse.cc:4549
#18 0x0829048c in mysql_execute_command (thd=0x8fbb910) at sql_parse.cc:1886
#19 0x0829912f in mysql_parse (thd=0x8fbb910, inBuf=0x9008930 "select 1 from `t1` order by cast(`c` as char(1))", length=48, 
    found_semicolon=0x41780310) at sql_parse.cc:5462
#20 0x08299c44 in dispatch_command (command=COM_QUERY, thd=0x8fbb910, packet=0x90008d1 "select 1 from `t1` order by cast(`c` as char(1))", 
    packet_length=49) at sql_parse.cc:958
#21 0x0829add7 in do_command (thd=0x8fbb910) at sql_parse.cc:717
#22 0x08288c45 in handle_one_connection (arg=0x8fbb910) at sql_connect.cc:1099
#23 0x40038297 in start_thread () from /lib/tls/libpthread.so.0
#24 0x4018a37e in clone () from /lib/tls/libc.so.6
#25 0x41780bb0 in ?? ()
[26 Nov 2007 17:10] Hartmut Holzgraefe 
gdb "bt full" output

Attachment: bt-full.txt (text/plain), 13.51 KiB.
[28 Nov 2007 6:55] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38668

ChangeSet@1.2591, 2007-11-28 10:55:13+04:00, ramil@mysql.com +9 -0
  Fix for bug #32726: crash with cast in order by clause and cp932 charset
    - fix for #31070 (missed during merging) applied for cp932 charset.
    - tests/results adjusted.
[28 Nov 2007 10:14] Alexander Barkov 
The patch http://lists.mysql.com/commits/38668 is ok to push.
[12 Dec 2007 23:00] Bugs System 
Pushed into 6.0.5-alpha
[12 Dec 2007 23:02] Bugs System 
Pushed into 5.1.23-rc
[12 Dec 2007 23:03] Bugs System 
Pushed into 5.0.54
[9 Jan 2008 14:49] Paul DuBois 
Noted in 5.0.54, 5.1.23, 6.0.5 changelogs.

Use of the cp932 character set with CAST() in an ORDER BY clause
could cause a server crash.