Bug #33033 MySQL/InnoDB crashes with simple select range query
Submitted: 6 Dec 2007 11:21
Modified: 20 Nov 2010 23:27
Reporter: Alexey Stroganov
Status: Closed
Category: MySQL Server: Optimizer
Severity: S2 (Serious)
Version: 6.0.4pre
OS: Any
Assigned to: Sergey Petrunya
CPU Architecture: Any

[6 Dec 2007 11:21] Alexey Stroganov
Description:
I observe a crash of MySQL/InnoDB while running the mysql-bench test suite.

Query that caused the crash:
select * from bench1 where (id3>=5 and id3<=10) or (id3>=1 and id3<=4)

bt:
(gdb) bt
#0  0x00002adf458c94c5 in pthread_kill () from /lib64/libpthread.so.0
#1  0x00000000006457dc in handle_segfault ()
#2  <signal handler called>
#3  0x00002adf46193aa5 in raise () from /lib64/libc.so.6
#4  0x00002adf46194e60 in abort () from /lib64/libc.so.6
#5  0x000000000095c331 in btr_pcur_restore_position (latch_mode=1, cursor=0x2aaaab11fab8, mtr=0x44086e70)
    at ../../storage/innobase/include/buf0buf.ic:225
#6  0x000000000092c5fd in sel_restore_position_for_mysql (same_user_rec=0x44086b30, latch_mode=29395,
    pcur=0x2aaaab11fab8, moves_up=1, mtr=0x44086e70) at row/row0sel.c:2970
#7  0x000000000092cd3c in row_search_for_mysql (buf=0x195a748 "", mode=2, prebuilt=0x2aaaab1238b8,
    match_mode=0, direction=1) at row/row0sel.c:3619
#8  0x00000000008aa7dd in ha_innobase::general_fetch ()
#9  0x0000000000715157 in handler::read_range_next ()
#10 0x00000000008adb89 in ha_innobase::read_range_next ()
#11 0x0000000000713f27 in handler::multi_range_read_next ()
#12 0x0000000000714390 in DsMrr_impl::dsmrr_fill_buffer ()
#13 0x0000000000714259 in DsMrr_impl::dsmrr_init ()
#14 0x00000000008adab4 in ha_innobase::multi_range_read_init ()
#15 0x00000000007009db in QUICK_RANGE_SELECT::reset ()
#16 0x00000000006b0d46 in join_init_read_record ()
#17 0x000000000069e328 in sub_select ()
#18 0x00000000006a92ec in do_select ()
#19 0x00000000006967d7 in JOIN::exec ()
#20 0x0000000000697185 in mysql_select ()
#21 0x00000000006925ac in handle_select ()
#22 0x0000000000659839 in execute_sqlcom_select ()
#23 0x0000000000650f40 in mysql_execute_command ()
#24 0x0000000000656902 in mysql_parse ()
#25 0x000000000064fab6 in dispatch_command ()
#26 0x000000000064f6ff in do_command ()
#27 0x000000000064df66 in handle_one_connection ()
#28 0x00002adf458c5193 in start_thread () from /lib64/libpthread.so.0
#29 0x00002adf4622345d in clone () from /lib64/libc.so.6
#30 0x0000000000000000 in ?? ()

How to repeat:

1. Download the attached test case and put it in the t/ directory
2. Run it:

./mysql-test-run.pl bug_innodb_select_range
[6 Dec 2007 11:23] Alexey Stroganov
Test case for the bug

Attachment: bug_innodb_select_range.test (application/octet-stream, text), 348 bytes.

[6 Dec 2007 19:44] Calvin Sun
Change to Optimizer team since it is MRR related.
[23 Jan 2008 21:41] Sergey Petrunya
The bug can be observed when DS-MRR is switched off, too.
[23 Jan 2008 21:49] Sergey Petrunya
The problem seems to be more related to index condition pushdown. If I switch it off (by putting a return at the top of ha_innobase::idx_cond_push(); there is currently no way to switch it off from the SQL layer), the crash doesn't happen, either with DS-MRR or with the default MRR implementation.
[24 Jan 2008 0:13] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41184

ChangeSet@1.2790, 2008-01-24 03:46:18+03:00, sergefp@mysql.com +3 -0
  BUG#33033 "MySQL/InnoDB crashes with simple select range query"
  - If we've walked off the end of the range, still make the 
    btr_pcur_store_position() call. If we're currently filling row 
    prefetch cache (see row_sel_push_cached_row_for_mysql()), we will 
    try to continue doing the scan after we've returned all records from
    the cache, and that is when we'll need correct btr position.
[13 Mar 2008 19:27] Bugs System
Pushed into 6.0.5-alpha
[17 Apr 2008 23:33] Sergey Petrunya
Sure, note for the change log:

The new "index condition pushdown" optimization could cause a server crash when used with the range access method over an InnoDB table.
[18 Apr 2008 15:34] Paul DuBois
Noted in 6.0.5 changelog.
[16 Aug 2010 6:39] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100816062819-bluwgdq8q4xysmlg) (version source revid:alik@sun.com-20100816062612-enatdwnv809iw3s9) (pib:20)
[13 Nov 2010 16:04] Bugs System
Pushed into mysql-trunk 5.6.99-m5 (revid:alexander.nozdrin@oracle.com-20101113155825-czmva9kg4n31anmu) (version source revid:vasil.dimov@oracle.com-20100629074804-359l9m9gniauxr94) (merge vers: 5.6.99-m4) (pib:21)
[20 Nov 2010 23:27] Paul DuBois
Noted in 5.6.1 changelog.
[23 Nov 2010 2:13] Paul DuBois
Correction: No 5.6.1 changelog entry. Bug does not appear in any released 5.6.x version.