Bug #52168 | decimal casting catastrophes: crashes and valgrind errors on simple casts | ||
---|---|---|---|
Submitted: | 18 Mar 2010 9:17 | Modified: | 7 Jul 2010 19:11 |
Reporter: | Shane Bester (Platinum Quality Contributor) | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Data Types | Severity: | S1 (Critical) |
Version: | 5.6.99-m4-debug, 5.5.3-m3 | OS: | Any |
Assigned to: | Øystein Grøvlen | CPU Architecture: | Any |
Tags: | crash, decimal, regression, valgrind |
[18 Mar 2010 9:17]
Shane Bester
[18 Mar 2010 9:19]
MySQL Verification Team
full outputs from valgrind
Attachment: bug52168_5.6.99-m4-valgrind-output.txt (text/plain), 33.45 KiB.
[18 Mar 2010 10:39]
Sveta Smirnova
Thank you for the report. Verified as described. Version 5.1 is not affected.
[28 Mar 2010 17:22]
Guilhem Bichot
regression source: epotemkin@mysql.com-20091201212551-amf9utmatlvsbbar (was fix for Bug#33546: Slowdown on re-evaluation of constant expressions)
[30 Mar 2010 11:51]
Manyi Lu
See also 52122 which might be a duplicate.
[12 Apr 2010 12:56]
Øystein Grøvlen
The reduced test case below, gives valgrind errors on 64-bit Linux, but no crash. (No valgrind errors on my 32-bit Ubuntu laptop for some reason). create table t1 (a int); insert into t1 values (); create table t2(b int); insert into t2 values (),(); select b from t1 join t2 where convert(a, decimal)|convert(b, decimal); drop table t1, t2;
[12 Apr 2010 13:29]
Øystein Grøvlen
The problem is that if a NULL is stored in an Item_cache_decimal object, the associated decimal object is not initialized. However, it is still accessed when val_* methods are called. The following diff fixes the valgrind issue: === modified file 'sql/item.cc' --- sql/item.cc 2010-03-01 10:06:11 +0000 +++ sql/item.cc 2010-04-12 13:03:28 +0000 @@ -7513,7 +7513,7 @@ longlong Item_cache_decimal::val_int() { DBUG_ASSERT(fixed); longlong res; - if (!value_cached && !cache_value()) + if ((!value_cached && !cache_value()) || null_value) return 0; my_decimal2int(E_DEC_FATAL_ERROR, &decimal_value, unsigned_flag, &res); return res;
[13 Apr 2010 7:58]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/105466 3010 oystein.grovlen@sun.com 2010-04-13 Bug#52168 decimal casting catastrophes: crashes and valgrind errors on simple casts The problem is that if a NULL is stored in an Item_cache_decimal object, the associated my_decimal object is not initialized. However, it is still accessed when val_int() is called. The fix is to check for null_value within val_int(), and return without accessing the my_decimal object when the cached value is NULL. Bug#52122 reports the same issue for val_real(), and this patch also includes fixes for val_real() and val_str() and corresponding test cases from that bug report. @ mysql-test/r/type_decimal.result Updated result file with test cases for Bug#52168 and Bug#52122. @ mysql-test/t/type_decimal.test Added test cases for Bug#52168 and Bug#52122. @ sql/item.cc In Item_cache_decimal::val_* methods, check for null_value and return early to avoid accessing an uninitialized my_decimal object.
[13 Apr 2010 8:21]
Øystein Grøvlen
This is bug is a regression on trunk (compared to 5.1). Since it causes server crash on some platforms, I think this should be tagged as SRMR03.
[15 Apr 2010 12:51]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/105735 3019 oystein.grovlen@sun.com 2010-04-15 Bug#52168 decimal casting catastrophes: crashes and valgrind errors on simple casts The problem is that if a NULL is stored in an Item_cache_decimal object, the associated my_decimal object is not initialized. However, it is still accessed when val_int() is called. The fix is to check for null_value within val_int(), and return without accessing the my_decimal object when the cached value is NULL. Bug#52122 reports the same issue for val_real(), and this patch also includes fixes for val_real() and val_str() and corresponding test cases from that bug report. Also, NULL is returned from val_decimal() when value is null. This will avoid that callers access an uninitialized my_decimal object. @ mysql-test/r/type_decimal.result Updated result file with test cases for Bug#52168 and Bug#52122. @ mysql-test/t/type_decimal.test Added test cases for Bug#52168 and Bug#52122. @ sql/item.cc In Item_cache_decimal::val_* methods, check for null_value and return early to avoid accessing an uninitialized my_decimal object.
[28 May 2010 15:31]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/109503 3071 oystein.grovlen@sun.com 2010-05-28 Bug#52168 decimal casting catastrophes: crashes and valgrind errors on simple casts The problem is that if a NULL is stored in an Item_cache_decimal object, the associated my_decimal object is not initialized. However, it is still accessed when val_int() is called. The fix is to check for null_value within val_int(), and return without accessing the my_decimal object when the cached value is NULL. Bug#52122 reports the same issue for val_real(), and this patch also includes fixes for val_real() and val_str() and corresponding test cases from that bug report. Also, NULL is returned from val_decimal() when value is null. This will avoid that callers access an uninitialized my_decimal object. Made similar changes to all other Item_cache classes. Now all val_* methods should return a well defined value when actual value is NULL. @ mysql-test/r/type_decimal.result Updated result file with test cases for Bug#52168 and Bug#52122. @ mysql-test/t/type_decimal.test Added test cases for Bug#52168 and Bug#52122. @ sql/item.cc In Item_cache_*::val_* methods, return a well defined value when actual value is NULL. This is especially important for Item_cache_decimal since otherwise one risk accessing an uninitialized my_decimal object. @ sql/item.h Added method Item_cache::has_value() which returns TRUE if cache object contains a non-null value.
[28 May 2010 15:56]
Øystein Grøvlen
Pushed into mysql-trunk-bugfixing with revid oystein.grovlen@sun.com-20100528153039-cbj04cckk9zy4q6t
[15 Jun 2010 8:17]
Bugs System
Pushed into 5.5.5-m3 (revid:alik@sun.com-20100615080459-smuswd9ooeywcxuc) (version source revid:mmakela@bk-internal.mysql.com-20100415070122-1nxji8ym4mao13ao) (merge vers: 5.1.47) (pib:16)
[15 Jun 2010 8:34]
Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100615080558-cw01bzdqr1bdmmec) (version source revid:mmakela@bk-internal.mysql.com-20100415070122-1nxji8ym4mao13ao) (pib:16)
[7 Jul 2010 19:11]
Paul DuBois
Noted in 5.5.5 changelog. Cast operations on NULL DECIMAL values could cause server crashes or Valgrind warnings.