Bug #71082 mysql client crashed while loading data
Submitted: 5 Dec 2013 3:18   Modified: 25 Apr 2014 16:44
Reporter: zhai weixiang (OCA)
Status: No Feedback
Category: MySQL Server: Command-line Clients   Severity: S3 (Non-critical)
Version: 5.7.3, 5.5.18   OS: Any
Assigned to:   CPU Architecture: Any

[5 Dec 2013 3:18] zhai weixiang
Description:
While loading data, the mysql client kept crashing, and the backtrace is:

(gdb) bt
#0  0x0000003ecb938cb9 in __memcpy_ssse3 () from /lib64/libc.so.6
#1  0x0000000000415c67 in String::append (this=0x97e040,
    s=0x2b6d32092010 "INSERT INTO `product_detail` VALUES (939609648,'2013-09-10 22:48:00','Little baby girl   pendant\\r\\n1.stainless steel\\r\\n2. SGS test\\r\\n3.OEM/ODM accept','<p><span style=\\\"font-size: 16px; font-family"..., arg_length=1040328) at /home/ads/build23_6u0_x64/workspace/t-mysql/label/build23_6u0_x64/t-mysql/client/sql_string.cc:391
#2  0x000000000041163d in add_line (interactive=false) at /home/ads/build23_6u0_x64/workspace/t-mysql/label/build23_6u0_x64/t-mysql/client/mysql.cc:2347
#3  read_and_execute (interactive=false) at /home/ads/build23_6u0_x64/workspace/t-mysql/label/build23_6u0_x64/t-mysql/client/mysql.cc:1963
#4  0x0000000000412e7e in main (argc=12, argv=0x152a3a8) at /home/ads/build23_6u0_x64/workspace/t-mysql/label/build23_6u0_x64/t-mysql/client/mysql.cc:1238
(gdb) f 1
#1  0x0000000000415c67 in String::append (this=0x97e040,
    s=0x2b6d32092010 "INSERT INTO `product_detail` VALUES (939609648,'2013-09-10 22:48:00','Little baby girl   pendant\\r\\n1.stainless steel\\r\\n2. SGS test\\r\\n3.OEM/ODM accept','<p><span style=\\\"font-size: 16px; font-family"..., arg_length=1040328) at /home/ads/build23_6u0_x64/workspace/t-mysql/label/build23_6u0_x64/t-mysql/client/sql_string.cc:391
391       memcpy(Ptr+str_length,s,arg_length);
(gdb) p str_length
$46 = 4293927755
(gdb) p arg_length
$47 = 1040328
(gdb) p (unsigned int) (str_length + arg_length)
$48 = 787
(gdb) p (unsigned long) (str_length + arg_length)
$49 = 787
(gdb) p (unsigned long long) (str_length + arg_length)
$50 = realloc(str_length+arg_length)
(gdb) p (unsigned long long) ((unsigned long long )str_length + (unsigned long long)arg_length)
$51 = 4294968083
(gdb) p (unsigned int)-1
$52 = 4294967295

So obviously str_length + arg_length is larger than (unsigned int)-1. So if realloc(str_length+arg_length) is called, it will try to malloc a small amount of memory (here 787 bytes).

How to repeat:
I've checked the code of MySQL 5.7.3, and I guess the same issue still exists in the newest version.

Quoted code from 5.7.3:

client/sql_string.cc
369 bool String::append(const char *s,uint32 arg_length)
……
389   /*
390     For an ASCII compatinble string we can just append.
391   */
392   if (realloc(str_length+arg_length))
393     return TRUE;
394   memcpy(Ptr+str_length,s,arg_length);
395   str_length+=arg_length;
396   return FALSE;
397 }
……

 63 bool String::realloc(uint32 alloc_length)           ----> here the param is unsigned int
 64 {
 65   uint32 len=ALIGN_SIZE(alloc_length+1);
 66   DBUG_ASSERT(len > alloc_length);
 67   if (len <= alloc_length)
 68     return TRUE;

Suggested fix:
Use unsigned long long instead of unsigned int.
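The arithmetic the reporter walks through above, reproduced as an added example (this is constructed demonstration code, not MySQL's client/sql_string.cc; the toy_string type and the toy_append, wrapped_total and append_would_overflow functions are assumptions made for the illustration). It shows the uint32 sum wrapping to 787 for the values from the gdb session, and a hardened append that checks for the wrap before calling realloc, so the later memcpy can never copy more than the buffer holds:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <stdbool.h>

/* Constructed stand-in for the client's String class: a uint32 length
 * plus a heap buffer. Not MySQL's code; only the field names mirror it. */
typedef struct {
    char    *ptr;
    uint32_t str_length;      /* bytes in use, like String::str_length */
    uint32_t alloced_length;  /* bytes available in ptr */
} toy_string;

/* The sum exactly as String::append computes it: both operands are
 * uint32, so the addition wraps modulo 2^32 before realloc() sees it. */
uint32_t wrapped_total(uint32_t str_length, uint32_t arg_length)
{
    return str_length + arg_length;
}

/* Overflow check: true when the real total does not fit in uint32.
 * Written as a subtraction so the check itself cannot wrap. */
bool append_would_overflow(uint32_t str_length, uint32_t arg_length)
{
    return arg_length > UINT32_MAX - str_length;
}

/* Hardened append: check first, grow second, copy last. Returns false
 * (and leaves the string untouched) when the length would overflow. */
bool toy_append(toy_string *s, const char *data, uint32_t arg_length)
{
    if (append_would_overflow(s->str_length, arg_length))
        return false;                       /* caller treats this as an error */
    uint32_t need = s->str_length + arg_length;   /* cannot wrap after the check */
    if (need > s->alloced_length) {
        char *p = realloc(s->ptr, (size_t)need + 1);   /* +1 for the terminator */
        if (p == NULL)
            return false;
        s->ptr = p;
        s->alloced_length = need;
    }
    memcpy(s->ptr + s->str_length, data, arg_length);
    s->str_length = need;
    s->ptr[s->str_length] = '\0';
    return true;
}

/* Self-check: an ordinary append succeeds, and an append with the
 * str_length/arg_length pair from the bug report is refused before any
 * allocation or copy happens. Returns true when both hold. */
bool demo(void)
{
    toy_string s = { NULL, 0, 0 };
    bool ok = toy_append(&s, "INSERT INTO t VALUES (1)", 24);
    ok = ok && s.str_length == 24
            && strcmp(s.ptr, "INSERT INTO t VALUES (1)") == 0;
    free(s.ptr);

    /* Values taken from the gdb session in the report; the data pointer
     * is never dereferenced because the check rejects the call first. */
    toy_string huge = { NULL, 4293927755u, 0 };
    ok = ok && !toy_append(&huge, "x", 1040328u);
    return ok;
}

int main(void)
{
    uint32_t str_length = 4293927755u, arg_length = 1040328u;
    printf("wrapped uint32 sum  : %u\n", wrapped_total(str_length, arg_length));
    printf("true 64-bit sum     : %llu\n",
           (unsigned long long)str_length + (unsigned long long)arg_length);
    printf("overflow detected   : %s\n",
           append_would_overflow(str_length, arg_length) ? "yes" : "no");
    printf("hardened append demo: %s\n", demo() ? "ok" : "FAILED");
    return 0;
}
```

The quoted String::realloc does guard against `alloc_length+1` wrapping (the `len <= alloc_length` test), but that guard runs after the sum in String::append has already wrapped, so it sees a plausible 787 and allocates accordingly; the check has to happen on the two operands, before the addition, which is what append_would_overflow does.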
[5 Dec 2013 3:40] zhai weixiang
Some of the description seems dislocated.... just ignore it.

---->
(gdb) p (unsigned long long) (str_length + arg_length)
$50 = realloc(str_length+arg_length)
[5 Dec 2013 17:24] liu hickey
Tweaking the realloc arg from uint32 to uint64 is not a good choice.
I wonder why str_length is so big, almost reaching (uint32)-1? Keep on appending to the same string? If so, lots of problems, especially performance issues.
[6 Dec 2013 19:58] Sveta Smirnova
Thank you for the report.

Verified as described.
[25 Mar 2014 16:44] Sveta Smirnova
Zhai,

I stopped repeating the crash in my environment and could not find my record about how exactly the client crashed. Now I only get "ERROR 2006 (HY000): MySQL server has gone away" messages, which is not a bug, because the server stops accepting packets from the client after its max_allowed_packet is reached and closes the connection.

Please provide output from your environment in time when crash happens.
[26 Apr 2014 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open".