From 34c654024cd915d117234a40dd51063d9d4c4d04 Mon Sep 17 00:00:00 2001
From: Monty
Date: Mon, 15 Feb 2021 01:33:06 +0200
Subject: [PATCH] MDEV-24855 ER_CRASHED_ON_USAGE or Assertion `length <= column->length'

When creating a summary temporary table with bit fields used in the sum expression with several parameters, like GROUP_CONCAT(), the counting of bits needed in the record was wrong. The reason we got an assert in Aria was because the bug caused a memory overwrite in the record and Aria noticed that the data was 'impossible.
---
 mysql-test/main/group_by.result | 8 ++++++++
 mysql-test/main/group_by.test | 12 ++++++++++++
 sql/sql_select.cc | 8 +++-----
 3 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/mysql-test/main/group_by.result b/mysql-test/main/group_by.result
index a06c539f27b35..3fc84c2d215e7 100644
--- a/mysql-test/main/group_by.result
+++ b/mysql-test/main/group_by.result
@@ -2612,6 +2612,14 @@ v 2v,2v NULL 1c,2v,2v
 DROP TABLE t1,t2;
 #
+# MDEV-24855 ER_CRASHED_ON_USAGE or Assertion `length <= column->length'
+# failed in ma_blockrec.c
+#
+CREATE TABLE t1 (a BIT(5), c BINARY(179));
+INSERT INTO t1 VALUES (b'1100','foo'),(b'0','bar');
+SELECT c, GROUP_CONCAT(CASE NULL WHEN 0 THEN a END, CASE 'foo' WHEN c THEN 1 END) AS f FROM t1 GROUP BY ExtractValue('', '/a'), UUID();
+DROP TABLE t1;
+#
 # MDEV-6129: Server crashes during UNION with ORDER BY field IS NULL
 #
 SET sql_mode='ONLY_FULL_GROUP_BY';
diff --git a/mysql-test/main/group_by.test b/mysql-test/main/group_by.test
index 15bc179102286..87315e903e9e6 100644
--- a/mysql-test/main/group_by.test
+++ b/mysql-test/main/group_by.test
@@ -1716,6 +1716,18 @@ FROM t1 JOIN t2 ON c = b GROUP BY b WITH ROLLUP;
 DROP TABLE t1,t2;
+--echo #
+--echo # MDEV-24855 ER_CRASHED_ON_USAGE or Assertion `length <= column->length'
+--echo # failed in ma_blockrec.c
+--echo #
+
+CREATE TABLE t1 (a BIT(5), c BINARY(179));
+INSERT INTO t1 VALUES (b'1100','foo'),(b'0','bar');
+--disable_result_log
+SELECT c, GROUP_CONCAT(CASE NULL WHEN 0 THEN a END, CASE 'foo' WHEN c THEN 1 END) AS f FROM t1 GROUP BY ExtractValue('', '/a'), UUID();
+--enable_result_log
+DROP TABLE t1;
+
 --echo #
 --echo # MDEV-6129: Server crashes during UNION with ORDER BY field IS NULL
 --echo #
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 01ca12aa3717c..46ddb6a0d3d9d 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -18504,9 +18504,9 @@ bool Create_tmp_table::add_fields(THD *thd,
 distinct_record_structure= true;
 }
 li.rewind();
- uint uneven_delta= 0;
 while ((item=li++))
 {
+ uint uneven_delta;
 current_counter= (((param->hidden_field_count < (fieldnr + 1)) && distinct_record_structure && (!m_with_cycle ||
@@ -18569,8 +18569,8 @@ bool Create_tmp_table::add_fields(THD *thd,
 uneven_delta= m_uneven_bit_length;
 add_field(table, new_field, fieldnr++, param->force_not_null_cols);
- uneven_delta= m_uneven_bit_length - uneven_delta;
 m_field_count[current_counter]++;
+ m_uneven_bit[current_counter]+= (m_uneven_bit_length - uneven_delta);
 if (!(new_field->flags & NOT_NULL_FLAG))
 {
@@ -18651,8 +18651,8 @@ bool Create_tmp_table::add_fields(THD *thd,
 uneven_delta= m_uneven_bit_length;
 add_field(table, new_field, fieldnr++, param->force_not_null_cols);
- uneven_delta= m_uneven_bit_length - uneven_delta;
 m_field_count[current_counter]++;
+ m_uneven_bit[current_counter]+= (m_uneven_bit_length - uneven_delta);
 if (item->marker == 4 && item->maybe_null)
 {
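Review bot: The new test case in group_by.test wraps the SELECT in `--disable_result_log` without saying why, so a reader cannot tell that it passes purely by not crashing. A one-line comment before the SELECT would make that explicit, for example `# UUID() in GROUP BY makes the output non-deterministic; we only check that the query runs without a crash or ER_CRASHED_ON_USAGE`. Since the commit message describes the fault as a memory overwrite in the record, the test is presumably most meaningful on a debug or sanitizer build, and the comment could say so.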
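Review bot: In the hunk at 18504, `uint uneven_delta;` is now declared without an initializer at the top of the loop body and only assigned further down. Both uses visible in this patch (the hunks at 18569 and 18651) set it immediately before `add_field()`, so nothing shown reads it uninitialized. A later use added between the declaration and those assignments would however read an indeterminate value and feed it into the record-size accounting. Consider dropping the loop-scope variable and taking the snapshot where it is needed, e.g. `const uint uneven_before= m_uneven_bit_length;` directly before each `add_field()` call. The loop body continues outside this hunk.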
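Review bot: In the hunk at 18569, the snapshot / `add_field()` / accumulate sequence is now the only thing keeping `m_uneven_bit[]` in step with the fields actually created, and it is written out twice (again in the hunk at 18651) with no comment. The commit message attributes a memory overwrite in the record to this count being wrong, so each site deserves a short comment such as `/* Add this field's uneven (BIT) bits right away; one item may create several fields */`. The part about several fields per item is inferred from the commit message, since the surrounding branches lie outside both hunks. If `add_field()` could take `current_counter`, doing the accounting inside it would stop a future call site from forgetting it.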
@@ -18662,7 +18662,6 @@ bool Create_tmp_table::add_fields(THD *thd,
 if (current_counter == distinct)
 new_field->flags|= FIELD_PART_OF_TMP_UNIQUE;
 }
- m_uneven_bit[current_counter]+= uneven_delta;
 }
 DBUG_ASSERT(fieldnr == m_field_count[other] + m_field_count[distinct]);
 DBUG_ASSERT(m_blob_count == m_blobs_count[other] + m_blobs_count[distinct]);
@@ -18821,7 +18820,6 @@ bool Create_tmp_table::finalize(THD *thd, if (!(field->flags & NOT_NULL_FLAG)) { - recinfo->null_bit= (uint8)1 << (null_counter[current_counter] & 7); recinfo->null_pos= (null_pack_base[current_counter] + null_counter[current_counter]/8);
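Review bot: The two `DBUG_ASSERT`s after the loop in the hunk at 18662 check the field and blob counters, but nothing checks the uneven-bit counters that this commit repairs. If `m_uneven_bit_length` is advanced only by the `add_field()` calls in this function (not visible in the patch), adding `DBUG_ASSERT(m_uneven_bit_length == m_uneven_bit[other] + m_uneven_bit[distinct]);` next to them would let debug builds catch a future miscount when the table is created. That is earlier and clearer than the storage engine noticing an overwritten record afterwards. The function body starts and ends outside this hunk.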