| Bug #31249 | Assertion `!table || (!table->write_set || bitmap_is_set(table->write_set, fiel | | |
|---|---|---|---|
| Submitted: | 27 Sep 2007 16:38 | Modified: | 22 Oct 2007 23:55 |
| Reporter: | Shane Bester (Platinum Quality Contributor) | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Data Types | Severity: | S1 (Critical) |
| Version: | 5.1 | OS: | Any |
| Assigned to: | Ramil Kalimullin | CPU Architecture: | Any |
| Tags: | assertion, crash | | |

[27 Sep 2007 16:38]
Shane Bester
[4 Oct 2007 16:22]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/34911

ChangeSet@1.2528, 2007-10-04 21:21:58+05:00, ramil@mysql.com +3 -0

Fix for bug #31249: Assertion `!table || (!table->write_set || bitmap_is_set(table->write_set, fiel

Problem: creating a temporary table we allocate the group buffer if needed followed by table bitmaps (see create_tmp_table()). Reserving less memory for the group buffer than actually needed (used) for values retrieval may lead to overlapping with followed bitmaps in the memory pool that in turn leads to unpredictable consequences.

As we use Item->max_length sometimes to calculate group buffer size, it must be set to proper value. In this particular case Item_datetime_typecast::max_length is too small.

Fix: set Item_datetime_typecast::max_length properly.
[9 Oct 2007 9:37]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/35183

ChangeSet@1.2528, 2007-10-09 14:37:21+05:00, ramil@mysql.com +4 -0

Fix for bug #31249: Assertion `!table || (!table->write_set || bitmap_is_set(table->write_set, fiel

Problem: creating a temporary table we allocate the group buffer if needed followed by table bitmaps (see create_tmp_table()). Reserving less memory for the group buffer than actually needed (used) for values retrieval may lead to overlapping with followed bitmaps in the memory pool that in turn leads to unpredictable consequences.

As we use Item->max_length sometimes to calculate group buffer size, it must be set to proper value. In this particular case Item_datetime_typecast::max_length is too small.

Another problem is that we use max_length to calculate the group buffer key length for items represented as DATE/TIME fields which is superfluous.

Fix: set Item_datetime_typecast::max_length properly, accurately calculate the group buffer key length for items represented as DATE/TIME fields in the buffer.
[9 Oct 2007 17:40]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/35215

ChangeSet@1.2530, 2007-10-09 22:40:22+05:00, ramil@mysql.com +2 -0

metadata test of bug # 31249: problem with convert(..., datetime) removed as PS protocol gives slightly different metadata.
[18 Oct 2007 21:35]
Bugs System
Pushed into 5.1.23-beta
[18 Oct 2007 21:36]
Bugs System
Pushed into 5.0.52
[22 Oct 2007 23:55]
Paul DuBois
Noted in 5.0.52, 5.1.23 changelogs. Allocation of an insufficiently large group-by buffer following creation of a temporary table could lead to a server crash.
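
The failure mode described in the commit messages above, as an added toy model in C that is not MySQL source and not part of the original report: a group buffer is reserved from a bump-allocated pool with a bitmap placed directly after it, and a value longer than the reservation overwrites the bitmap. The pool, the function names, the 10-byte reservation, the sample value and the length guard in the `checked` mode are all assumptions made for illustration; the fix on the page is to size the reservation correctly through `Item_datetime_typecast::max_length`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 19-byte DATETIME string, as a datetime cast could yield. */
#define SAMPLE_VALUE "2007-09-27 16:38:00"
#define BITMAP_INIT 0x0F /* constructed: four columns marked in the bitmap */

/* Toy bump allocator standing in for the memory pool (hypothetical, not MySQL's). */
typedef struct { uint8_t mem[64]; size_t used; } pool_t;

static uint8_t *pool_alloc(pool_t *p, size_t n) {
    if (n > sizeof p->mem - p->used) return NULL;
    uint8_t *r = p->mem + p->used;
    p->used += n;
    return r;
}

/* Reserve `reserved` bytes for the group buffer, then the bitmap right after
 * it, then store `value`. Returns 1 if the bitmap is intact, 0 if it was
 * overwritten, -1 if the store was refused. All writes stay inside pool.mem. */
static int store_group_value(size_t reserved, const char *value, int checked) {
    pool_t pool = { {0}, 0 };
    size_t len = strlen(value);
    uint8_t *group_buff = pool_alloc(&pool, reserved);
    uint8_t *bitmap = pool_alloc(&pool, 1);
    if (!group_buff || !bitmap || len > sizeof pool.mem) return -1;
    *bitmap = BITMAP_INIT;
    if (checked && len > reserved) return -1; /* added guard: refuse oversized value */
    memcpy(group_buff, value, len); /* unchecked: spills past `reserved` */
    return *bitmap == BITMAP_INIT;
}

int main(void) {
    printf("reserved 10, unchecked: %d\n", store_group_value(10, SAMPLE_VALUE, 0));
    printf("reserved 19, unchecked: %d\n", store_group_value(19, SAMPLE_VALUE, 0));
    printf("reserved 10, checked:   %d\n", store_group_value(10, SAMPLE_VALUE, 1));
    return 0;
}
```

Because both allocations come from one pool, the overrun stays inside valid memory and nothing faults at the write; the damage only surfaces later when the neighbouring structure is read, which is consistent with the bug appearing as an assertion on `write_set`.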