Bug #26825 MySQL Server Crashes in high load
Submitted: 3 Mar 2007 18:20 Modified: 23 Mar 2007 7:30
Reporter: Mikael Ronström Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Cluster: Cluster (NDB) storage engine Severity:S3 (Non-critical)
Version:5.1.6-ndb-6.2.0 OS:Linux (Suse 10)
Assigned to: Tomas Ulin CPU Architecture:Any

[3 Mar 2007 18:20] Mikael Ronström 
Description:
When running DBT2 with a high load, the MySQL Server crashed every now and then.
Core showed a failure in check_ndb_connection where Ndb object was corrupted after
return. When recompiling to see if it was due to a compiler bug using the Intel compiler
it did instead crash in get_metadata in Ndb handler after attempting to free using a
non-allocated pointer.

Analysing the code in get_metadata it is possible to call free on a non-initialised variable,
the variable pack_data if either the readfrm call or the packfrm call fails.
In most environments free of a non-existing object is ignored, if the pointer happened to
refer to a memory that was actually allocated this will free a memory that later on can
be allocated and cause that there are two owners of the same data leading to obvious
memory corruption.

How to repeat:
Run DBT2 at a high load on Suse 10, there are however no certainty of failure. I have run this
test for almost a year without getting this problem before. So in order to reproduce it one has
to inject an error return from either readfrm or packfrm.

Suggested fix:
See description:
Initialise pack_data and data to NULL in get_metadata.
[9 Mar 2007 17:25] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/21601
[16 Mar 2007 5:39] Jon Stephens 
Documented fix for ndb-6.1.15 release.
[20 Mar 2007 21:41] Tomas Ulin 
5.1.17
[21 Mar 2007 7:06] Mikael Ronström 
The patch doesn't solve the problem reported in the bug report, it is an unrelated fix in the
commit, so this bug needs to be reopened
[21 Mar 2007 7:34] Tomas Ulin 
patch

Attachment: tmp.patch (text/x-patch), 1.88 KiB.
[21 Mar 2007 23:00] Jon Stephens 
Hi!

This (re)fix will also appear in 5.1.17 main?

What about telco branch?

Thanks.
[22 Mar 2007 13:20] Tomas Ulin 
telco-6.1.6
mysql-5.1.17
mysql-5.0.40
[23 Mar 2007 7:30] Jon Stephens 
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html

Documented bugfix in 5.0.40, 5.1.17, and mysql-5.1.15-ndb-6.1.6 changelogs.