Bug #78250 handle_fatal_signal (sig=11) in my_strtod_int
Submitted: 28 Aug 2015 6:14 Modified: 2 Oct 2015 15:52
Reporter: Roel Van de Paar
Status: Closed
Category:MySQL Server: Optimizer Severity:S1 (Critical)
Version:5.7.8 (RC2), 5.7.9, 8.0.0 OS:Any
Assigned to: CPU Architecture:Any
Tags: opt

[28 Aug 2015 6:14] Roel Van de Paar
Description:
+bt
#0  0x00007fd027156771 in __pthread_kill (threadid=<optimized out>, signo=11) at ../nptl/sysdeps/unix/sysv/linux/pthread_kill.c:61
#1  0x0000000000761db4 in handle_fatal_signal (sig=11) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/signal_handler.cc:220
#2  <signal handler called>
#3  my_strtod_int (buf=0x7fd02774d2e0 "\370\001", error=0x7fd02774e2dc, se=0x7fd02774e2d0, s00=0x7fcf628ab0300000 <Address 0x7fcf628ab0300000 out of bounds>, buf_size=<optimized out>) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/strings/dtoa.c:1378
#4  my_strtod (str=0x7fcf628ab0300000 <Address 0x7fcf628ab0300000 out of bounds>, end=0x7fd02774e2d0, error=0x7fd02774e2dc) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/strings/dtoa.c:472
#5  0x0000000000781323 in Field_blob::val_real (this=<optimized out>) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/field.cc:8205
#6  0x00000000007b167f in Item_direct_ref::val_real (this=0x7fcf628a28d8) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/item.cc:8528
#7  0x000000000081a978 in Item_func_plus::real_op (this=0x7fcf6282ad10) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/item_func.cc:1699
#8  0x00000000008135f1 in Item_func_numhybrid::val_real (this=0x7fcf6282ad10) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/item_func.cc:1328
#9  0x0000000000ba1cc2 in Item_sum_sum::add (this=0x7fcf6282ae88) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/item_sum.cc:1509
#10 0x0000000000c49d96 in aggregator_add (this=0x7fcf6282ae88) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/item_sum.h:509
#11 reset_and_add (this=0x7fcf6282ae88) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/item_sum.h:414
#12 init_sum_functions (func_ptr=0x7fcf628a9fc8, end_ptr=0x7fcf628a9fd0) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/sql_executor.cc:515
#13 0x0000000000c4ccf0 in end_send_group (join=0x7fcf628a2bb8, qep_tab=<optimized out>, end_of_records=<optimized out>) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/sql_executor.cc:3079
#14 0x0000000000c4f9ec in evaluate_join_record (join=0x7fcf628a2bb8, qep_tab=0x7fcf62937310) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/sql_executor.cc:1630
#15 0x0000000000c50bd0 in sub_select (join=0x7fcf628a2bb8, qep_tab=0x7fcf62937310, end_of_records=<optimized out>) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/sql_executor.cc:1285
#16 0x0000000000c5042a in do_select (join=0x7fcf628a2bb8) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/sql_executor.cc:938
#17 JOIN::exec (this=0x7fcf628a2bb8) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/sql_executor.cc:200
#18 0x0000000000cb8268 in handle_query (thd=0x7fcf62818000, lex=0x7fcf6281a058, result=0x7fcf628a9e98, added_options=1, removed_options=0) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/sql_select.cc:184
#19 0x0000000000c7a483 in execute_sqlcom_select (thd=0x7fcf62818000, all_tables=<optimized out>) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/sql_parse.cc:4843
#20 0x0000000000c7bdbb in mysql_execute_command (thd=0x7fcf62818000) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/sql_parse.cc:2521
#21 0x0000000000c7f7e8 in mysql_parse (thd=0x7fcf62818000, parser_state=<optimized out>) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/sql_parse.cc:5255
#22 0x0000000000c80a82 in dispatch_command (thd=0x7fcf62818000, com_data=0x7fd02774fda0, command=COM_QUERY) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/sql_parse.cc:1272
#23 0x0000000000c81c54 in do_command (thd=0x7fcf62818000) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/sql_parse.cc:852
#24 0x0000000000d486ac in handle_connection (arg=<optimized out>) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/sql/conn_handler/connection_handler_per_thread.cc:300
#25 0x0000000000ee7690 in pfs_spawn_thread (arg=0x7fd01cfeb820) at /export/home/pb2/build/sb_0-15961582-1437395640.67/mysql-5.7.8-rc/storage/perfschema/pfs.cc:2178
#26 0x00007fd027151df5 in start_thread (arg=0x7fd027750700) at pthread_create.c:308
#27 0x00007fd025e1b1ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

How to repeat:
# mysqld options required for replay: --sql_mode=ONLY_FULL_GROUP_BY
DROP DATABASE test;CREATE DATABASE test;USE test;
SET SESSION TRANSACTION READ WRITE;
create TABLE t1(a int,b blob(1),c blob(1),filler blob(1),primary key(a,b(1)),unique key (a,c(1))) engine=Dummy;
INSERT INTO t1 VALUES(1,2,1,1),(2,4,1,1);
set @@sql_mode="no_table_options";
SET @@global.table_open_cache=-1024;
SELECT * FROM t1 WHERE a=f1();
SELECT a,(SELECT SUM(a + c)FROM (SELECT b as c FROM t1) AS v1) FROM t1;
SELECT a,(SELECT SUM(a + c)FROM (SELECT b as c FROM t1) AS v1) FROM t1;
[28 Aug 2015 7:23] MySQL Verification Team
Hello Roel,

Thank you for the report and test case.
Observed that 5.7.9 and 5.8.0 daily builds are affected.

Thanks,
Umesh
[28 Aug 2015 7:23] MySQL Verification Team
// 5.7.9

bin/mysql_install_db --insecure --basedir=/export/umesh/server/binaries/mysql-advanced-5.7.9 --datadir=/export/umesh/server/binaries/mysql-advanced-5.7.9/78250 -v
bin/mysqld --no-defaults --sql_mode=ONLY_FULL_GROUP_BY --basedir=/export/umesh/server/binaries/mysql-advanced-5.7.9 --datadir=/export/umesh/server/binaries/mysql-advanced-5.7.9/78250 --core-file --socket=/tmp/mysql_ushastry.sock  --port=15000 --log-error=/export/umesh/server/binaries/mysql-advanced-5.7.9/78250/log.err 2>&1 &

[umshastr@hod03]/export/umesh/server/binaries/mysql-advanced-5.7.9: cat docs/INFO_SRC
commit: e4928d41773503a7b93ab0886a1f5efa88a4e4e4
date: 2015-08-26 21:01:11 +0530
build-date: 2015-08-26 18:05:18 +0200
short: e4928d4
branch: mysql-5.7

MySQL source 5.7.9

(gdb) bt
#0  0x00007f953f1c1771 in pthread_kill () from /lib64/libpthread.so.0
#1  0x000000000079f125 in handle_fatal_signal (sig=11) at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/signal_handler.cc:220
#2  <signal handler called>
#3  my_strtod_int (buf_size=3680, buf=0x7f9511d35650 "", error=0x7f9511d364f0, se=0x7f9511d36500, s00=0x7f94d0020bd00000 <Address 0x7f94d0020bd00000 out of bounds>)
    at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/strings/dtoa.c:1378
#4  my_strtod (str=0x7f94d0020bd00000 <Address 0x7f94d0020bd00000 out of bounds>, end=0x7f9511d36500, error=0x7f9511d364f0)
    at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/strings/dtoa.c:472
#5  0x00000000007c8739 in Field_blob::val_real (this=0x7f94d0020858) at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/field.cc:8205
#6  0x00000000007f53ff in Item_direct_ref::val_real (this=0x7f94d09803e8) at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/item.cc:8552
#7  0x0000000000853468 in Item_func_plus::real_op (this=0x7f94d00060f0) at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/item_func.cc:1710
#8  0x000000000084c779 in Item_func_numhybrid::val_real (this=0x7f94d00060f0) at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/item_func.cc:1339
#9  0x0000000000b7b6d8 in Item_sum_sum::add (this=0x7f94d0006268) at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/item_sum.cc:1513
#10 0x0000000000c2ca0f in aggregator_add (this=<optimized out>) at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/item_sum.h:509
#11 reset_and_add (this=0x7f94d0006268) at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/item_sum.h:414
#12 init_sum_functions (end_ptr=0x7f94d0022fe0, func_ptr=0x7f94d0022fd8) at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/sql_executor.cc:514
#13 end_send_group (join=0x7f94d09806c8, qep_tab=<optimized out>, end_of_records=<optimized out>)
    at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/sql_executor.cc:3069
#14 0x0000000000c28b7c in evaluate_join_record (join=join@entry=0x7f94d09806c8, qep_tab=qep_tab@entry=0x7f94d0982830)
    at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/sql_executor.cc:1629
#15 0x0000000000c2dcb9 in sub_select (join=0x7f94d09806c8, qep_tab=0x7f94d0982830, end_of_records=<optimized out>)
    at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/sql_executor.cc:1284
#16 0x0000000000c26ca7 in do_select (join=0x7f94d09806c8) at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/sql_executor.cc:937
#17 JOIN::exec (this=0x7f94d09806c8) at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/sql_executor.cc:199
#18 0x0000000000c9158d in handle_query (thd=thd@entry=0x7f94d0000b50, lex=lex@entry=0x7f94d0002c00, result=result@entry=0x7f94d0022ea8, added_options=added_options@entry=0,
    removed_options=removed_options@entry=0) at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/sql_select.cc:184
#19 0x00000000007621d6 in execute_sqlcom_select (thd=thd@entry=0x7f94d0000b50, all_tables=<optimized out>)
    at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/sql_parse.cc:4941
#20 0x0000000000c56c16 in mysql_execute_command (thd=thd@entry=0x7f94d0000b50, first_level=first_level@entry=true)
    at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/sql_parse.cc:2597
#21 0x0000000000c5a515 in mysql_parse (thd=thd@entry=0x7f94d0000b50, parser_state=parser_state@entry=0x7f9511d377b0)
    at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/sql_parse.cc:5350
#22 0x0000000000c5aeba in dispatch_command (thd=thd@entry=0x7f94d0000b50, com_data=com_data@entry=0x7f9511d37e00, command=COM_QUERY)
    at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/sql_parse.cc:1284
#23 0x0000000000c5c72f in do_command (thd=thd@entry=0x7f94d0000b50) at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/sql_parse.cc:852
#24 0x0000000000d126a0 in handle_connection (arg=arg@entry=0x3b49240)
    at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/conn_handler/connection_handler_per_thread.cc:300
#25 0x0000000001172850 in pfs_spawn_thread (arg=0x3c386b0) at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/storage/perfschema/pfs.cc:2191
#26 0x00007f953f1bcdf3 in start_thread () from /lib64/libpthread.so.0
#27 0x00007f953dc7d47d in clone () from /lib64/libc.so.6
[28 Aug 2015 7:24] MySQL Verification Team
// 5.8.0

bin/mysql_install_db  --insecure --basedir=/export/umesh/server/binaries/mysql-advanced-5.8.0 --datadir=/export/umesh/server/binaries/mysql-advanced-5.8.0/78250 -v
bin/mysqld --no-defaults --sql_mode=ONLY_FULL_GROUP_BY --basedir=/export/umesh/server/binaries/mysql-advanced-5.8.0 --datadir=/export/umesh/server/binaries/mysql-advanced-5.8.0/78250 --core-file --socket=/tmp/mysql_ushastry.sock  --port=15000 --log-error=/export/umesh/server/binaries/mysql-advanced-5.8.0/78250/log.err 2>&1 &

[umshastr@hod03]/export/umesh/server/binaries/mysql-advanced-5.8.0: cat docs/INFO_SRC
commit: 60f15f33d5b04532c4e6d28e8133388fc512a0ff
date: 2015-08-26 16:49:48 +0200
build-date: 2015-08-26 17:01:08 +0200
short: 60f15f3
branch: mysql-trunk

MySQL source 5.8.0

(gdb) bt
#0  0x00007f050ecab771 in pthread_kill () from /lib64/libpthread.so.0
#1  0x00000000008ac6d5 in handle_fatal_signal (sig=11) at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/signal_handler.cc:221
#2  <signal handler called>
#3  my_strtod_int (buf_size=3680, buf=0x7f04e182e650 " \350\202\341\004\177", error=0x7f04e182f4f0, se=0x7f04e182f500, s00=0x7f049497f1000000 <Address 0x7f049497f1000000 out of bounds>)
    at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/strings/dtoa.c:1376
#4  my_strtod (str=0x7f049497f1000000 <Address 0x7f049497f1000000 out of bounds>, end=0x7f04e182f500, error=0x7f04e182f4f0)
    at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/strings/dtoa.c:472
#5  0x00000000009135d9 in Field_blob::val_real (this=0x7f04940264e8) at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/field.cc:8216
#6  0x000000000094380f in Item_direct_ref::val_real (this=0x7f0494980038) at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/item.cc:8560
#7  0x000000000099fb18 in Item_func_plus::real_op (this=0x7f0494006100) at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/item_func.cc:1716
#8  0x00000000009990b9 in Item_func_numhybrid::val_real (this=0x7f0494006100) at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/item_func.cc:1344
#9  0x0000000000cc9098 in Item_sum_sum::add (this=0x7f0494006278) at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/item_sum.cc:1519
#10 0x00000000007de4df in aggregator_add (this=<optimized out>) at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/item_sum.h:510
#11 reset_and_add (this=0x7f0494006278) at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/item_sum.h:415
#12 init_sum_functions (end_ptr=0x7f04940230f0, func_ptr=0x7f04940230e8) at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/sql_executor.cc:529
#13 end_send_group (join=0x7f0494980318, qep_tab=<optimized out>, end_of_records=<optimized out>)
    at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/sql_executor.cc:3077
#14 0x00000000007daf71 in evaluate_join_record (join=join@entry=0x7f0494980318, qep_tab=qep_tab@entry=0x7f0494981f10)
    at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/sql_executor.cc:1637
#15 0x00000000007df687 in sub_select (join=0x7f0494980318, qep_tab=0x7f0494981f10, end_of_records=<optimized out>)
    at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/sql_executor.cc:1292
#16 0x00000000007d9207 in do_select (join=0x7f0494980318) at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/sql_executor.cc:952
#17 JOIN::exec (this=0x7f0494980318) at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/sql_executor.cc:214
#18 0x00000000008227ed in handle_query (thd=thd@entry=0x7f0494000b50, lex=lex@entry=0x7f0494002c18, result=0x7f0494022fb8, added_options=added_options@entry=0,
    removed_options=removed_options@entry=0) at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/sql_select.cc:190
#19 0x000000000074f92b in execute_sqlcom_select (thd=thd@entry=0x7f0494000b50, all_tables=<optimized out>)
    at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:4867
#20 0x00000000007f1cd6 in mysql_execute_command (thd=thd@entry=0x7f0494000b50, first_level=first_level@entry=true)
    at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:2560
#21 0x00000000007f5a65 in mysql_parse (thd=thd@entry=0x7f0494000b50, parser_state=parser_state@entry=0x7f04e18307b0)
    at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:5274
#22 0x00000000007f63aa in dispatch_command (thd=thd@entry=0x7f0494000b50, com_data=com_data@entry=0x7f04e1830e00, command=COM_QUERY)
    at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:1247
#23 0x00000000007f7b9f in do_command (thd=thd@entry=0x7f0494000b50) at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:815
#24 0x00000000008a24d8 in handle_connection (arg=arg@entry=0x4428410)
    at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/sql/conn_handler/connection_handler_per_thread.cc:301
#25 0x000000000119dcb0 in pfs_spawn_thread (arg=0x4507160) at /export/home2/pb2/build/sb_0-16270418-1440602177.1/mysqlcom-pro-5.8.0-m17/storage/perfschema/pfs.cc:2210
#26 0x00007f050eca6df3 in start_thread () from /lib64/libpthread.so.0
#27 0x00007f050d76747d in clone () from /lib64/libc.so.6
(gdb)
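Triage of reports like this one usually starts from the backtrace: find the frame that was executing when SIGSEGV hit (the first frame below "<signal handler called>", since the frames above it belong to handle_fatal_signal) and note any arguments gdb flagged as out of bounds. The parser below is an added example, not code from the report or from MySQL; the sample lines are copied from the 5.7.9 backtrace above, and the only assumption is gdb's usual "#N addr in func (args) at file:line" layout with indented continuation lines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample backtrace lines, copied from the 5.7.9 verification post in this
# report (the wrapped "    at ..." continuation lines are kept as gdb printed them).
SAMPLE_BT = """\
#0  0x00007f953f1c1771 in pthread_kill () from /lib64/libpthread.so.0
#1  0x000000000079f125 in handle_fatal_signal (sig=11) at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/signal_handler.cc:220
#2  <signal handler called>
#3  my_strtod_int (buf_size=3680, buf=0x7f9511d35650 "", error=0x7f9511d364f0, se=0x7f9511d36500, s00=0x7f94d0020bd00000 <Address 0x7f94d0020bd00000 out of bounds>)
    at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/strings/dtoa.c:1378
#4  my_strtod (str=0x7f94d0020bd00000 <Address 0x7f94d0020bd00000 out of bounds>, end=0x7f9511d36500, error=0x7f9511d364f0)
    at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/strings/dtoa.c:472
#5  0x00000000007c8739 in Field_blob::val_real (this=0x7f94d0020858) at /export/home2/pb2/build/sb_0-16271286-1440606484.35/mysqlcom-pro-5.7.9/sql/field.cc:8205
"""


@dataclass
class Frame:
    index: int
    function: str
    location: Optional[str]                 # "file:line", or None when gdb had no source info
    bad_pointers: List[str] = field(default_factory=list)  # argument names gdb marked out of bounds
    is_signal_handler: bool = False


# "#3  0x... in func (args) at file:line"; the "0x... in " part is optional.
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(.*)$")
LOCATION_RE = re.compile(r"\s+at\s+(\S+:\d+)\s*$")
OOB_RE = re.compile(r"(\w+)=0x[0-9a-fA-F]+ <Address 0x[0-9a-fA-F]+ out of bounds>")


def join_wrapped_lines(text):
    """gdb wraps long frames onto indented continuation lines; glue them back together."""
    entries = []
    for line in text.splitlines():
        if line.startswith("#") or not entries:
            entries.append(line.rstrip())
        elif line[:1].isspace():
            entries[-1] += " " + line.strip()
    return entries


def parse_frames(text):
    frames = []
    for raw in join_wrapped_lines(text):
        m = FRAME_RE.match(raw)
        if not m:
            continue
        idx, rest = int(m.group(1)), m.group(2)
        if rest.startswith("<signal handler called>"):
            frames.append(Frame(idx, "<signal handler called>", None, is_signal_handler=True))
            continue
        loc = LOCATION_RE.search(rest)
        # The function name is everything before the argument list.
        function = rest.split(" (", 1)[0].strip()
        frames.append(Frame(idx, function, loc.group(1) if loc else None,
                            bad_pointers=OOB_RE.findall(rest)))
    return frames


def faulting_frame(frames):
    """The frame executing when the signal arrived: the first one after the
    '<signal handler called>' marker. Without a marker, fall back to frame #0."""
    for i, f in enumerate(frames):
        if f.is_signal_handler and i + 1 < len(frames):
            return frames[i + 1]
    return frames[0] if frames else None


def summarize(text):
    frames = parse_frames(text)
    fault = faulting_frame(frames)
    return {
        "fault_function": fault.function if fault else None,
        "fault_location": fault.location if fault else None,
        "bad_pointer_args": [(f.index, f.function, p) for f in frames for p in f.bad_pointers],
        "frame_count": len(frames),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_BT).items():
        print(f"{key}: {value}")
```

On the sample this reports my_strtod_int at strings/dtoa.c:1378 as the faulting frame and lists s00 (frame #3) and str (frame #4) as the out-of-bounds pointers, which is exactly the signal that the blob value handed to my_strtod was never a valid string: a useful first check when comparing the three traces in this report across versions.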
[28 Aug 2015 7:26] MySQL Verification Team
// Observed that 5.6.26/27 release builds are not affected
[28 Aug 2015 10:29] MySQL Verification Team
Just to confirm, I've verified on release builds of 5.7.9 and 5.8.0.
[31 Aug 2015 8:52] Guilhem Bichot
Posted by developer:
 
Has nothing to do with only_full_group_by (check the test case: it sets sql_mode to no_table_options).
[4 Sep 2015 3:06] Roel Van de Paar
Updating title
[2 Oct 2015 15:52] Paul DuBois
Noted in 5.7.9, 5.8.0 changelogs.

Subqueries that used a derived table and contained a set function
referring to a column from that derived table might be aggregated in
the wrong query block.
[18 Jun 2016 21:27] Omer Barnir
Posted by developer:
 
Reported version value updated to reflect release name change from 5.8 to 8.0