Bug #41927 Query with GET_FORMAT, and REPLACE() to remove apostrophes crashes mysqld
Submitted: 7 Jan 2009 16:51
Modified: 27 Jan 2009 14:10
Reporter: Ian Weatherhogg
Status: Duplicate
Category: MySQL Server: General
Severity: S2 (Serious)
Version: 5.0, 5.0.68, 5.1, 5.1.30, 6.0
OS: Windows (XP Pro sp3)
Assigned to: Assigned Account
CPU Architecture: Any
Tags: apostrophe, getformat, REPLACE

[7 Jan 2009 16:51] Ian Weatherhogg
Description:
This query crashes mysqld-nt when the field "LastName" contains an apostrophe:

select
GET_FORMAT(DATETIME,'iso')),
replace(Lastname,'\'','') as xxyy
from quotebugtest.bugtest;

recreated with versions: 5.1.22, 5.0.51, 5.0.67, 5.0.51
so far NOT recreated with: 5.1.30

Debug details:
Unhandled exception at 0x7c928beb (ntdll.dll) in mysqld-nt.exe:
0xc0000005: Access violation reading location 0x706d0049

free.c, line 103

How to repeat:
1. Start MySql Query Browser
2. File>New Script Tab
3. Paste this:
drop schema if exists quotebugtest;
create schema quotebugtest;
use quotebugtest;
 
CREATE TABLE bugtest (
  `idcol` INTEGER UNSIGNED NOT NULL AUTO_INCREMENT,
  `LastName` VARCHAR(45) NOT NULL,
  PRIMARY KEY (`idcol`)
)
ENGINE = MyISAM;

insert into bugtest(LastName) values ('aaa\'bbb');
 
4. In a resultset tab, paste this:
select
GET_FORMAT(DATETIME,'iso')),
replace(Lastname,'\'','') as xxyy
from quotebugtest.bugtest;
 
...and execute it.
 
MySql should crash.
 
You may need to execute it a few times, and leave it a few minutes if it doesn't crash first time.
[7 Jan 2009 17:21] MySQL Verification Team
Thank you for the bug report. Sorry I didn't understand the below step:

4. In a resultset tab, paste this:
select
GET_FORMAT(DATETIME,'iso')),
replace(Lastname,'\'','') as xxyy
from quotebugtest.bugtest;

Could you please provide a screenshot? Thanks in advance.
[7 Jan 2009 17:23] MySQL Verification Team
Affects 5.1.30 too. The correct query to run is this:

select GET_FORMAT(DATETIME,'iso'),replace(Lastname,'\'','') as xxyy from bugtest;

Version: '5.1.30-enterprise-gpl-advanced-debug'  socket: ''  port: 3306  MySQL Enterprise Server - Advanced Edition Debug (GPL)
Error: Memory allocated at .\sql_string.cc:82 was overrun, discovered at 'g:\mysql-5.1.30-winbuild\mysql-advanced-gpl-debug-5.1.30-build\sql\sql_string.h:193'
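The reproduction steps from the original report and the corrected query from the comment above, combined into one script for the mysql command-line client. This is an added example, not part of the report or of the MySQL test suite; the two single-expression control queries are an assumption added here to help isolate which expression triggers the overrun, since the thread does not say which one it is. Run it only against a throwaway test server, because the combined query is expected to crash mysqld:

```sql
-- Added example (not from the original report): repro script for the
-- mysql CLI, e.g.  mysql -u root < repro.sql
-- Expected to crash the server; use a disposable test instance.
DROP SCHEMA IF EXISTS quotebugtest;
CREATE SCHEMA quotebugtest;
USE quotebugtest;

CREATE TABLE bugtest (
  `idcol` INTEGER UNSIGNED NOT NULL AUTO_INCREMENT,
  `LastName` VARCHAR(45) NOT NULL,
  PRIMARY KEY (`idcol`)
) ENGINE = MyISAM;

-- One row with an apostrophe (the report says the crash needs one)
-- and one control row without it.
INSERT INTO bugtest(LastName) VALUES ('aaa\'bbb'), ('ccc');

-- Control queries (assumption, not from the report): each expression on
-- its own, to see whether GET_FORMAT or REPLACE alone is enough.
SELECT GET_FORMAT(DATETIME,'iso') FROM bugtest;
SELECT REPLACE(LastName,'\'','') AS xxyy FROM bugtest;

-- The combined query exactly as corrected by the verification team
-- (the stray ')' from the original step 4 removed).
SELECT GET_FORMAT(DATETIME,'iso'), REPLACE(LastName,'\'','') AS xxyy
FROM bugtest;
```

The reporter notes that the crash may need several executions, so re-run the last statement a few times if the first pass survives. On a debug build the server console prints the safemalloc overrun message quoted above as soon as the corrupted buffer is freed; on a release build the report shows the damage surfacing later, as an access violation during shutdown, so check the server error log after a normal shutdown as well as during the query.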
[8 Jan 2009 13:10] Ian Weatherhogg
Miguel - I assume you're not waiting for feedback from me, as Shane pointed out the mistake in the query in step 4 of my original report?

Please can you let me know asap whether it's the apostrophe-replacing or getformat() or other that is the root cause of the problem, so we can take steps to avoid encountering the bug.

Thanks, Ian
[8 Jan 2009 13:51] MySQL Verification Team
Thank you for the feedback.
[8 Jan 2009 22:11] MySQL Verification Team
The release server crashes in the shutdown with the below call stack:

c:\dbs>c:\dbs\5.0\bin\mysqld --defaults-file=c:\dbs\5.0\my.ini --standalone --console
090108 20:07:03  InnoDB: Started; log sequence number 0 48481
090108 20:07:03 [Note] c:\dbs\5.0\bin\mysqld: ready for connections.
Version: '5.0.76-nt-log'  socket: ''  port: 3500  Source distribution
090108 20:08:11 [Note] c:\dbs\5.0\bin\mysqld: Normal shutdown

090108 20:08:13 - mysqld got exception 0xc0000005 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8384512
read_buffer_size=131072
max_used_connections=1
max_connections=100
threads_connected=0
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_connections = 225787 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd=00000000
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
7C928BED    ntdll.dll!RtlLookupAtomInAtomTable()
0067428F    mysqld.exe!free()[free.c:103]
004750F3    mysqld.exe!MYSQL_LOG::close()[log.cc:2513]
0047571B    mysqld.exe!MYSQL_LOG::cleanup()[log.cc:432]
0048114F    mysqld.exe!clean_up()[mysqld.cc:1138]
00485E25    mysqld.exe!handle_shutdown()[mysqld.cc:2739]
0058B76B    mysqld.exe!_pthread_start()
006751CF    mysqld.exe!_threadstart()[thread.c:196]
001420A0
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
[9 Jan 2009 5:24] MySQL Verification Team
Probably a duplicate of bug #41868.
[27 Jan 2009 14:10] Alexey Kopytov
Duplicate of bug #41868.