Bug #59632 Assertion failed: arg_length > length
Submitted: 20 Jan 2011 13:16 Modified: 2 Mar 2011 15:33
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Optimizer Severity: S1 (Critical)
Version: 5.5.8, 5.5.10, 5.6.1 OS: Any
Assigned to: Tor Didriksen CPU Architecture: Any
Tags: regression
Triage: Triaged: D1 (Critical)

[20 Jan 2011 13:16] Shane Bester
Description:
Version: '5.5.8-debug'  socket: ''  port: 3306  MySQL Community Server - Debug (GPL)
Assertion failed: arg_length > length, file ..\..\mysql-5.5.8\sql\sql_string.cc, line 37
mysqld-debug.exe!my_sigabrt_handler()[my_thr_init.c:521]
mysqld-debug.exe!raise()[winsig.c:590]
mysqld-debug.exe!abort()[abort.c:71]
mysqld-debug.exe!_wassert()[assert.c:163]
mysqld-debug.exe!String::real_alloc()[sql_string.cc:37]
mysqld-debug.exe!String::alloc()[sql_string.h:222]
mysqld-debug.exe!Field_longlong::val_str()[field.cc:3980]
mysqld-debug.exe!Field::val_str()[field.h:159]
mysqld-debug.exe!Protocol_text::store()[protocol.cc:1116]
mysqld-debug.exe!Item_field::send()[item.cc:5996]
mysqld-debug.exe!Protocol::send_result_set_row()[protocol.cc:848]
mysqld-debug.exe!select_send::send_data()[sql_class.cc:1828]
mysqld-debug.exe!end_send()[sql_select.cc:12570]
mysqld-debug.exe!evaluate_join_record()[sql_select.cc:11787]
mysqld-debug.exe!sub_select()[sql_select.cc:11663]
mysqld-debug.exe!do_select()[sql_select.cc:11428]
mysqld-debug.exe!JOIN::exec()[sql_select.cc:2361]
mysqld-debug.exe!mysql_select()[sql_select.cc:2572]
mysqld-debug.exe!handle_select()[sql_select.cc:297]
mysqld-debug.exe!execute_sqlcom_select()[sql_parse.cc:4452]
mysqld-debug.exe!mysql_execute_command()[sql_parse.cc:2046]
mysqld-debug.exe!mysql_parse()[sql_parse.cc:5496]
mysqld-debug.exe!dispatch_command()[sql_parse.cc:1032]
mysqld-debug.exe!do_command()[sql_parse.cc:772]
mysqld-debug.exe!do_handle_one_connection()[sql_connect.cc:745]
mysqld-debug.exe!handle_one_connection()[sql_connect.cc:684]
mysqld-debug.exe!pthread_start()[my_winthread.c:61]
mysqld-debug.exe!_callthreadstartex()[threadex.c:348]
mysqld-debug.exe!_threadstartex()[threadex.c:331]
kernel32.dll!FlsSetValue()

Release build of 5.5 didn't crash, and 5.1.54-debug didn't crash, so this could be a regression introduced in 5.5.

How to repeat:
#on debug build:

drop table if exists t1;
create table t1(a int)engine=innodb;
insert into t1 values (1);
select distinct convert((select des_decrypt(2,1) as a from t1 where @a:=1 having a),signed) as d
from t1 group by 1;
[20 Jan 2011 14:32] Valeriy Kravchuk
Verified with current mysql-5.5 tree on 32-bit Ubuntu:

openxs@ubuntu:/home2/openxs/dbs/5.5$ bin/mysql --no-defaults -uroot test 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6206
Server version: 5.5.10-debug Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> drop table if exists t1;
Query OK, 0 rows affected (0.02 sec)

mysql> create table t1(a int)engine=innodb;
Query OK, 0 rows affected (0.13 sec)

mysql> insert into t1 values (1);
Query OK, 1 row affected (0.01 sec)

mysql> select distinct convert((select des_decrypt(2,1) as a from t1 where @a:=1 having
    -> a),signed) as d
    -> from t1 group by 1;
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> exit
Bye
openxs@ubuntu:/home2/openxs/dbs/5.5$ tail -100 data/ubuntu.err 
...
mysqld: /home2/openxs/bzr2/mysql-5.5/sql/sql_string.cc:37: bool String::real_alloc(uint32): Assertion `arg_length > length' failed.
110120 16:29:24 - mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8388608
read_buffer_size=131072
max_used_connections=4
max_threads=151
thread_count=1
connection_count=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 337966 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0xac26b70
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0xa90ce348 thread_stack 0x30000
/home2/openxs/dbs/5.5/bin/mysqld(my_print_stacktrace+0x33)[0x84f4f48]
/home2/openxs/dbs/5.5/bin/mysqld(handle_segfault+0x34c)[0x8172e47]
[0xeb8400]
/lib/tls/i686/cmov/libc.so.6(abort+0x182)[0x13da82]
/lib/tls/i686/cmov/libc.so.6(__assert_fail+0xf8)[0x133718]
/home2/openxs/dbs/5.5/bin/mysqld(_ZN6String10real_allocEj+0x51)[0x8289939]
/home2/openxs/dbs/5.5/bin/mysqld(_ZN6String5allocEj+0x37)[0x8187419]
/home2/openxs/dbs/5.5/bin/mysqld(_ZN14Field_longlong7val_strEP6StringS1_+0x58)[0x83571f2]
/home2/openxs/dbs/5.5/bin/mysqld(_ZN5Field7val_strEP6String+0x26)[0x818785c]
/home2/openxs/dbs/5.5/bin/mysqld(_ZN13Protocol_text5storeEP5Field+0x124)[0x8186142]
/home2/openxs/dbs/5.5/bin/mysqld(_ZN10Item_field4sendEP8ProtocolP6String+0x22)[0x8392226]
/home2/openxs/dbs/5.5/bin/mysqld(_ZN8Protocol19send_result_set_rowEP4ListI4ItemE+0xed)[0x818526d]
/home2/openxs/dbs/5.5/bin/mysqld(_ZN11select_send9send_dataER4ListI4ItemE+0xd4)[0x81e367e]
/home2/openxs/dbs/5.5/bin/mysqld[0x825e264]
/home2/openxs/dbs/5.5/bin/mysqld[0x825c439]
/home2/openxs/dbs/5.5/bin/mysqld(_Z10sub_selectP4JOINP13st_join_tableb+0xcd)[0x825c0fd]
/home2/openxs/dbs/5.5/bin/mysqld[0x825bcc4]
/home2/openxs/dbs/5.5/bin/mysqld(_ZN4JOIN4execEv+0x21af)[0x824624d]
/home2/openxs/dbs/5.5/bin/mysqld(_Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x384)[0x82469bf]
/home2/openxs/dbs/5.5/bin/mysqld(_Z13handle_selectP3THDP3LEXP13select_resultm+0x204)[0x823f58b]
/home2/openxs/dbs/5.5/bin/mysqld[0x821bac1]
/home2/openxs/dbs/5.5/bin/mysqld(_Z21mysql_execute_commandP3THD+0x945)[0x8213d38]
/home2/openxs/dbs/5.5/bin/mysqld(_Z11mysql_parseP3THDPcjP12Parser_state+0x1ff)[0x821db35]
/home2/openxs/dbs/5.5/bin/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcj+0xa56)[0x82116ee]
/home2/openxs/dbs/5.5/bin/mysqld(_Z10do_commandP3THD+0x292)[0x8210a7f]
/home2/openxs/dbs/5.5/bin/mysqld(_Z24do_handle_one_connectionP3THD+0x3f7)[0x82ed932]
/home2/openxs/dbs/5.5/bin/mysqld(handle_one_connection+0x35)[0x82ed530]
/lib/tls/i686/cmov/libpthread.so.0(+0x596e)[0x8c696e]
/lib/tls/i686/cmov/libc.so.6(clone+0x5e)[0x1dda4e]
...
[27 Jan 2011 12:37] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/129757

3280 Tor Didriksen	2011-01-27
      Bug #59632 Assertion failed: arg_length > length
      
      The problem was overflow in max_length when we tried to des_decrypt()
      something which is not the output of des_encrypt()
     @ mysql-test/t/bug59632.test
        New test case.
     @ sql/item_strfunc.h
        In unsigned arithmetic, (1-9) becomes a very large number.
[3 Feb 2011 8:10] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/130301

3300 Tor Didriksen	2011-02-03
      Bug #59632 Assertion failed: arg_length > length
      
      The problem was overflow in max_length when we tried to des_decrypt()
      something which is not the output of des_encrypt()
     @ mysql-test/r/bug59632.result
        New test case.
     @ mysql-test/t/bug59632.test
        New test case.
     @ sql/item_strfunc.h
        Do not subtract the encrypt overhead (9U) if args[0] has length < 9
        (In unsigned arithmetic, (1-9) becomes a very large number)
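The unsigned wrap-around the commit message describes, modelled as an added example (constructed here, not MySQL's own code): the length computation before the fix beside the one after it, plus the invariant that catches the wrap. It assumes the 9-byte DES_ENCRYPT() overhead stated in the commit and a max_length of 1 for the short literal argument used in the repro.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed model of the length computation the commit message describes
// (not MySQL's own code). DES_ENCRYPT() prepends a 1-byte key number and
// pads to a whole 8-byte block, so DES_DECRYPT() output is at most 9 bytes
// shorter than its input; the optimizer folds that into the result's
// max_length, which later sizes the String buffer that asserted here.
static const uint32_t kDesEncryptOverhead = 9U;  // the 9U from the commit

// Before the fix: unconditional unsigned subtraction. For an argument whose
// max_length is below 9 (the literal 2 in the repro is assumed to have
// max_length 1), 1 - 9 wraps to 4294967288 instead of going negative.
uint32_t des_decrypt_max_length_buggy(uint32_t arg_max_length) {
  return arg_max_length - kDesEncryptOverhead;
}

// After the fix: subtract the overhead only when it cannot wrap; a short
// argument keeps its own max_length as the bound.
uint32_t des_decrypt_max_length_fixed(uint32_t arg_max_length) {
  if (arg_max_length >= kDesEncryptOverhead)
    return arg_max_length - kDesEncryptOverhead;
  return arg_max_length;
}

// Invariant a reviewer can check for any such derived length: decrypting
// can never yield more bytes than the ciphertext it was given, so a result
// bound larger than the input bound means the arithmetic wrapped.
bool max_length_is_sane(uint32_t arg_max_length, uint32_t result_max_length) {
  return result_max_length <= arg_max_length;
}

int main() {
  const uint32_t lengths[] = {1U, 8U, 9U, 24U};  // constructed sample inputs
  for (uint32_t len : lengths) {
    uint32_t buggy = des_decrypt_max_length_buggy(len);
    uint32_t fixed = des_decrypt_max_length_fixed(len);
    std::printf("arg max_length=%2u  buggy=%10u (%s)  fixed=%2u (%s)\n", len,
                buggy, max_length_is_sane(len, buggy) ? "ok" : "WRAPPED",
                fixed, max_length_is_sane(len, fixed) ? "ok" : "WRAPPED");
  }
  return 0;
}
```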
[3 Feb 2011 9:37] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/130306

3596 Tor Didriksen	2011-02-03 [merge]
      Merge Bug #59632 from 5.5, add unit test
[3 Feb 2011 14:46] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/130324

3300 Tor Didriksen	2011-02-03
      Bug #59632 Assertion failed: arg_length > length
      
      The problem was overflow in max_length when we tried to des_decrypt()
      something which is not the output of des_encrypt()
     @ mysql-test/r/ssl_and_innodb.result
        New test case.
     @ mysql-test/t/ssl_and_innodb.test
        New test case.
     @ sql/item_strfunc.h
        Do not subtract the encrypt overhead (9U) if args[0] has length < 9
        (In unsigned arithmetic, (1-9) becomes a very large number)
[3 Feb 2011 14:49] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/130326

3596 Tor Didriksen	2011-02-03 [merge]
      Merge Bug #59632 from 5.5, add unit test
[7 Feb 2011 10:18] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/130536

3307 Tor Didriksen	2011-02-07
      Bug #59632 Assertion failed: arg_length > length
      
      The problem was overflow in max_length when we tried to des_decrypt()
      something which is not the output of des_encrypt()
     @ mysql-test/r/ssl_and_innodb.result
        New test case.
     @ mysql-test/t/ssl_and_innodb.test
        New test case.
     @ sql/item_strfunc.h
        Do not subtract the encrypt overhead (9U) if args[0] has length < 9
        (In unsigned arithmetic, (1-9) becomes a very large number)
[7 Feb 2011 10:19] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/130538

3602 Tor Didriksen	2011-02-07 [merge]
      Merge Bug #59632 from 5.5, add unit test
[7 Feb 2011 10:19] Bugs System
Pushed into mysql-trunk 5.6.2 (revid:tor.didriksen@oracle.com-20110207101821-2q7lj2rnb1w9fmc0) (version source revid:tor.didriksen@oracle.com-20110207101821-2q7lj2rnb1w9fmc0) (merge vers: 5.6.2) (pib:24)
[7 Feb 2011 10:19] Bugs System
Pushed into mysql-5.5 5.5.10 (revid:tor.didriksen@oracle.com-20110207101746-gdtl07a1puu743yf) (version source revid:tor.didriksen@oracle.com-20110207101746-gdtl07a1puu743yf) (merge vers: 5.5.10) (pib:24)
[7 Feb 2011 13:04] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/130568

3604 Tor Didriksen	2011-02-07
      Bug #59632, post-push fix for unit test.
      
      thd->thread_stack must point to the stack, not free-store.
      
      Also: add an extra 'mysys' to the link command for SERVER_TESTS.
            (it failed to link on debian)
[7 Feb 2011 13:04] Bugs System
Pushed into mysql-trunk 5.6.2 (revid:tor.didriksen@oracle.com-20110207130347-lmjksir7xpbf3sth) (version source revid:tor.didriksen@oracle.com-20110207130347-lmjksir7xpbf3sth) (merge vers: 5.6.2) (pib:24)
[7 Feb 2011 23:55] Bugs System
Pushed into mysql-trunk 5.6.2 (revid:bjorn.munch@oracle.com-20110207235423-p72c50ae0vgdjbdl) (version source revid:bjorn.munch@oracle.com-20110207235423-p72c50ae0vgdjbdl) (merge vers: 5.6.2) (pib:24)
[2 Mar 2011 15:33] Paul Dubois
Noted in 5.5.10, 5.6.2 changelogs.

DES_DECRYPT() could crash if the argument was not produced by
DES_ENCRYPT().

CHANGESET - http://lists.mysql.com/commits/130568