Bug #59241 invalid memory read in do_div_mod with doubly assigned variables
Submitted: 31 Dec 2010 9:36 Modified: 29 Jan 2011 23:11
Reporter: Shane Bester (Platinum Quality Contributor) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: DML Severity:S2 (Serious)
Version:5.6.2, 5.5 OS:Any
Assigned to: Tor Didriksen CPU Architecture:Any
Tags: regression
Triage: Triaged: D1 (Critical)

[31 Dec 2010 9:36] Shane Bester
Description:
5.6.2 from mysql-trunk:

Invalid read of size 8
at: do_div_mod (decimal.c:2107)
by: decimal_div (decimal.c:2363)
by: my_decimal_div (my_decimal.h:427)
by: Item_func_int_div::val_int (item_func.cc:1607)
by: Item::send (item.cc:5968)
by: Protocol::send_result_set_row (protocol.cc:848)
by: select_send::send_data (sql_class.cc:1866)
by: JOIN::exec (sql_select.cc:2794)
by: mysql_select (sql_select.cc:3554)
by: handle_select (sql_select.cc:323)
by: execute_sqlcom_select (sql_parse.cc:4513)
by: mysql_execute_command (sql_parse.cc:2096)
by: mysql_parse (sql_parse.cc:5550)
by: dispatch_command(sql_parse.cc:1078)
by: do_command (sql_parse.cc:815)
by: do_handle_one_connection (sql_connect.cc:748)
by: handle_one_connection (sql_connect.cc:684)
by: start_thread (pthread_create.c:301)
Address 0xf4bc5d0 is 16 bytes inside a block of size 64 free'd
at: realloc (vg_replace_malloc.c:476)
by: my_realloc (my_malloc.c:101)
by: update_hash (item_func.cc:4342)
by: Item_func_set_user_var::update_hash (item_func.cc:4376)
by: Item_func_set_user_var::update (item_func.cc:4641)
by: Item_func_set_user_var::val_str (item_func.cc:4685)
by: Item_func_set_user_var::check (item_func.cc:4542)
by: Item_func_set_user_var::val_decimal (item_func.cc:4693)
by: Item_func_int_div::val_int(item_func.cc:1603)
by: Item::send (item.cc:5968)
by: Protocol::send_result_set_row (protocol.cc:848)
by: select_send::send_data (sql_class.cc:1866)
by: JOIN::exec (sql_select.cc:2794)
by: mysql_select (sql_select.cc:3554)
by: handle_select (sql_select.cc:323)
by: execute_sqlcom_select (sql_parse.cc:4513)
by: mysql_execute_command (sql_parse.cc:2096)
by: mysql_parse (sql_parse.cc:5550)
by: dispatch_command (sql_parse.cc:1078)
by: do_command (sql_parse.cc:815)
by: do_handle_one_connection (sql_connect.cc:748)
by: handle_one_connection (sql_connect.cc:684)
by: start_thread (pthread_create.c:301)

How to repeat:
#run mysqld in valgrind, then:

select ((@`a`:=@`b`:=ceil(@@session.max_error_count)) div (@`b`:=@`a`:=get_format(datetime,'usa')));
[31 Dec 2010 12:15] Sveta Smirnova
Thank you for the report.

Verified as described.
[5 Jan 2011 14:45] Øystein Grøvlen
This issue was introduced by the fix for Bug#8457.

It also exists in 5.5 branch (probably since 5.5.3).
Hence, I guess it it should be retriaged.
[11 Jan 2011 21:41] Omer Barnir
triage: change from SR56RC to SR55MRU as exists there as well
[13 Jan 2011 11:38] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/128637

3498 Tor Didriksen	2011-01-13
      Bug #59241 invalid memory read in do_div_mod with doubly assigned variables
      
      Fix: copy my_decimal by value, to avoid dangling pointers.
     @ mysql-test/r/func_math.result
        New test case.
     @ mysql-test/t/func_math.test
        New test case.
     @ sql/item_cmpfunc.cc
        No need to call fix_buffer_pointer() anymore.
     @ sql/item_func.cc
        Copy my_decimal by value, to avoid dangling pointers.
     @ sql/my_decimal.h
        Implement proper copy constructor and assignment operator for my_decimal.
     @ sql/sql_analyse.cc
        No need to call fix_buffer_pointer() anymore.
     @ strings/decimal.c
        Remove #line directive: it messes up TAGS and it confuses gdb when debugging.
     @ unittest/gunit/CMakeLists.txt
        New unit test.
     @ unittest/gunit/my_decimal-t.cc
        Unit test for my_decimal copy constructor and assignment operator.
[14 Jan 2011 9:05] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/128702

3242 Tor Didriksen	2011-01-14
      Bug #59241 invalid memory read in do_div_mod with doubly assigned variables
      
      Fix: copy my_decimal by value, to avoid dangling pointers.
     @ mysql-test/r/func_math.result
        New test case.
     @ mysql-test/t/func_math.test
        New test case.
     @ sql/item_cmpfunc.cc
        No need to call fix_buffer_pointer() anymore.
     @ sql/item_func.cc
        Copy my_decimal by value, to avoid dangling pointers.
     @ sql/my_decimal.h
        Implement proper copy constructor and assignment operator for my_decimal.
     @ sql/sql_analyse.cc
        No need to call fix_buffer_pointer() anymore.
     @ strings/decimal.c
        Remove #line directive: it messes up TAGS and it confuses gdb when debugging.
[14 Jan 2011 9:29] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/128703

3504 Tor Didriksen	2011-01-14 [merge]
      Merge Bug #59241 from 5.5
     @ unittest/gunit/CMakeLists.txt
        New unit test.
     @ unittest/gunit/my_decimal-t.cc
        Unit test for my_decimal copy constructor and assignment operator.
[14 Jan 2011 9:31] Tor Didriksen
pushed to 5.5 and trunk
[14 Jan 2011 9:31] Bugs System
Pushed into mysql-trunk 5.6.2 (revid:tor.didriksen@oracle.com-20110114092911-2vu7p7obkao0cfiy) (version source revid:tor.didriksen@oracle.com-20110114092911-2vu7p7obkao0cfiy) (merge vers: 5.6.2) (pib:24)
[14 Jan 2011 9:31] Bugs System
Pushed into mysql-5.5 5.5.9 (revid:tor.didriksen@oracle.com-20110114090514-n2ixo8vof6sqxuih) (version source revid:tor.didriksen@oracle.com-20110114090514-n2ixo8vof6sqxuih) (merge vers: 5.5.9) (pib:24)
[14 Jan 2011 12:21] Shane Bester
Tor, did this fix cause bug #59498 ?
[20 Jan 2011 19:28] Paul Dubois
Noted in 5.5.9, 5.6.2 changelogs.

For DIV expressions, assignment of the result to multiple variables
could cause a server crash.
[4 Jun 2013 19:08] Paul Dubois
Noted in 5.1.71 changelog.