Bug #44950 Cast as char binary results in segmentation fault.
Submitted: 19 May 2009 11:56    Modified: 8 Jul 2009 14:39
Reporter: Øystein Grøvlen
Status: Can't repeat
Category: MySQL Server: Charsets    Severity: S3 (Non-critical)
Version: 6.0-bzr, 5.4    OS: Solaris
Assigned to: Alexey Botchkov    CPU Architecture: Any

[19 May 2009 11:56] Øystein Grøvlen
Description:
Executing the following statement may cause a segmentation fault:

select hex(cast('a' as char(2) binary));

Stack trace:

  [1] __lwp_kill(0x13, 0xb), at 0xfec55687
  [2] _thr_kill(0x13, 0xb, 0xfec80b00, 0xfdbb9180, 0xfe8f3c00, 0xfec7e000), at 0xfec52dee
=>[3] my_write_core(sig = 11), line 309 in "stacktrace.c"
  [4] handle_segfault(sig = 11), line 2711 in "mysqld.cc"
  [5] __sighndlr(0xb, 0x0, 0xfdbb91d0, 0x82d9b82), at 0xfec54a4f
  [6] call_user_handler(0xb, 0x0, 0xfdbb91d0), at 0xfec4ae72
  [7] sigacthandler(0xb, 0x0, 0xfdbb91d0, 0xf, 0x0, 0x807007), at 0xfec4aff2
  ---- called from signal handler with signal 11 (SIGSEGV) ------
  [8] Item_char_typecast::fix_length_and_dec(this = 0xcca5f80), line 2543 in "item_timefunc.cc"
  [9] Item_func::fix_fields(this = 0xcca5f80, thd = 0xca33c50, ref = 0xcca6100), line 200 in "item_func.cc"
  [10] Item_str_func::fix_fields(this = 0xcca5f80, thd = 0xca33c50, ref = 0xcca6100), line 51 in "item_strfunc.cc"
  [11] Item_func::fix_fields(this = 0xcca60a8, thd = 0xca33c50, ref = 0xcca613c), line 173 in "item_func.cc"
  [12] Item_str_func::fix_fields(this = 0xcca60a8, thd = 0xca33c50, ref = 0xcca613c), line 51 in "item_strfunc.cc"
  [13] setup_fields(thd = 0xca33c50, ref_pointer_array = 0xcca6240, fields = CLASS, mark_used_columns = MARK_COLUMNS_READ, sum_func_list = 0xcc74998, allow_sum_func = true), line 6692 in "sql_base.cc"
  [14] JOIN::prepare(this = 0xcc6fc50, rref_pointer_array = 0xca34f20, tables_init = (nil), wild_num = 0, conds_init = (nil), og_num = 0, order_init = (nil), group_init = (nil), having_init = (nil), proc_param_init = (nil), select_lex_arg = 0xca34e1c, unit_arg = 0xca34b80), line 539 in "sql_select.cc"
  [15] mysql_select(thd = 0xca33c50, rref_pointer_array = 0xca34f20, tables = (nil), wild_num = 0, fields = CLASS, conds = (nil), og_num = 0, order = (nil), group = (nil), having = (nil), proc_param = (nil), select_options = 2147764736ULL, result = 0xcca6220, unit = 0xca34b80, select_lex = 0xca34e1c), line 3045 in "sql_select.cc"
  [16] handle_select(thd = 0xca33c50, lex = 0xca34b24, result = 0xcca6220, setup_tables_done_option = 0), line 298 in "sql_select.cc"
  [17] execute_sqlcom_select(thd = 0xca33c50, all_tables = (nil)), line 4964 in "sql_parse.cc"
  [18] mysql_execute_command(thd = 0xca33c50), line 2172 in "sql_parse.cc"
  [19] mysql_parse(thd = 0xca33c50, inBuf = 0xcca5c50 "select hex(cast('a' as char(2) binary))", length = 39U, found_semicolon = 0xfdbbad68), line 5979 in "sql_parse.cc"
  [20] dispatch_command(command = COM_QUERY, thd = 0xca33c50, packet = 0xc9efc49 "select hex(cast('a' as char(2) binary))", packet_length = 39U), line 1064 in "sql_parse.cc"
  [21] do_command(thd = 0xca33c50), line 746 in "sql_parse.cc"
  [22] handle_one_connection(arg = 0xca33c50), line 1146 in "sql_connect.cc"
  [23] _thr_setup(0xfe8f3c00), at 0xfec54662
  [24] _lwp_start(0x13, 0xb, 0x8c0bee0, 0xfdbb9098, 0x8892f58, 0x13), at 0xfec54950

How to repeat:
The above-mentioned statement always fails if it is executed first in a session on a newly started server. If something else has been executed before (e.g., the currently disabled main.cast test), it may not fail.

Suggested fix:
The cause of this problem seems to be that the parser has not initialized lex->charset when create_func_cast() is called.
[19 May 2009 12:13] MySQL Verification Team
Thank you for the bug report. Verified in Ubuntu 8.10 32-bit:

090519  9:10:39 [Note] dbs/6.0/libexec/mysqld: ready for connections.
Version: '6.0.12-alpha-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
090519  9:11:08 - mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8384512
read_buffer_size=131072
max_used_connections=1
max_threads=151
thread_count=1
connection_count=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 337822 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0xb948218
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0xa8a6efb0 thread_stack 0x30c00
dbs/6.0/libexec/mysqld(my_print_stacktrace+0x32) [0x89bfbc5]
dbs/6.0/libexec/mysqld(handle_segfault+0x2cd) [0x836752b]
[0xb7f80400]
dbs/6.0/libexec/mysqld(Item_func::fix_fields(THD*, Item**)+0x3da) [0x82cb3c6]
dbs/6.0/libexec/mysqld(Item_str_func::fix_fields(THD*, Item**)+0x1f) [0x82e9cb3]
dbs/6.0/libexec/mysqld(Item_func::fix_fields(THD*, Item**)+0x16f) [0x82cb15b]
dbs/6.0/libexec/mysqld(Item_str_func::fix_fields(THD*, Item**)+0x1f) [0x82e9cb3]
dbs/6.0/libexec/mysqld(setup_fields(THD*, Item**, List<Item>&, enum_mark_columns, List<Item>*, bool)+0x1c9) [0x83c9117]
dbs/6.0/libexec/mysqld(JOIN::prepare(Item***, TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*)+0x2e8) [0x8411bc2]
dbs/6.0/libexec/mysqld(mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*)+0x266) [0x8412eed]
dbs/6.0/libexec/mysqld(handle_select(THD*, LEX*, select_result*, unsigned long)+0x1ec) [0x84188c3]
dbs/6.0/libexec/mysqld [0x83792a2]
dbs/6.0/libexec/mysqld(mysql_execute_command(THD*)+0xa67) [0x837ac42]
dbs/6.0/libexec/mysqld(mysql_parse(THD*, char const*, unsigned int, char const**)+0x22f) [0x8383f0e]
dbs/6.0/libexec/mysqld(dispatch_command(enum_server_command, THD*, char*, unsigned int)+0x9f2) [0x8384a90]
dbs/6.0/libexec/mysqld(do_command(THD*)+0x244) [0x8386036]
dbs/6.0/libexec/mysqld(handle_one_connection+0x11d) [0x8371673]
/lib/tls/i686/cmov/libpthread.so.0 [0xb7f1350f]
/lib/tls/i686/cmov/libc.so.6(clone+0x5e) [0xb7d22a0e]
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0xb974df0 = select hex(cast('a' as char(2) binary))
thd->thread_id=1
thd->killed=NOT_KILLED
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
miguel@lara:~$
[3 Jul 2009 17:29] Øystein Grøvlen
The following change fixes this problem:

=== modified file 'sql/sql_yacc.yy'
--- sql/sql_yacc.yy     2009-06-12 02:01:08 +0000
+++ sql/sql_yacc.yy     2009-07-03 17:27:31 +0000
@@ -5626,7 +5626,11 @@
         | unicode
         | BYTE_SYM { Lex->charset=&my_charset_bin; }
         | charset charset_name opt_bin_mod { Lex->charset=$2; }
-        | BINARY { Lex->type|= BINCMP_FLAG; }
+        | BINARY
+          {
+            Lex->charset= NULL;
+            Lex->type|= BINCMP_FLAG;
+          }
         | BINARY charset charset_name
           {
             Lex->charset= $3;
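Review bot: the new BINARY action assigns Lex->charset (to NULL) before setting BINCMP_FLAG, which brings it in line with the neighbouring alternatives in this hunk (BYTE_SYM, charset charset_name, and BINARY charset charset_name), all of which assign Lex->charset; the old one-line action `| BINARY { Lex->type|= BINCMP_FLAG; }` left the field holding whatever the previous statement set, or nothing defined at all on a freshly started server, which is the state create_func_cast() then read and the crash in Item_char_typecast::fix_length_and_dec() reported above. Since the report notes the crash only reproduces when the statement is the first one in a session and that the main.cast test that would exercise this path is currently disabled, the patch would benefit from a regression test that runs `select hex(cast('a' as char(2) binary));` as the first statement against a newly started server.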
[8 Jul 2009 14:39] Alexey Botchkov
As I see, Oystein's patch was already put into Azalea, so the problem seems to be fixed with this.