Bug #38484 maria: DELETE causes crash or index corruption
Submitted: 31 Jul 2008 10:55
Modified: 7 Nov 2008 15:59
Reporter: Alexey Stroganov
Status: Closed
Category: MySQL Server: Maria storage engine
Severity: S1 (Critical)
Version: 6.0.6-alpha, 6.0.7pre, 6.0.7, 6.0.8pre
OS: Any
Assigned to: Michael Widenius
CPU Architecture: Any

[31 Jul 2008 10:55] Alexey Stroganov
Description:
Test case below extracted from the mysql-bench suite:

table definition:

CREATE TABLE `bench4` (
  `field1` tinyint(4) NOT NULL,
  `field_search` tinyint(4) NOT NULL,
  `field2` mediumint(9) NOT NULL,
  `field3` smallint(6) NOT NULL,
  `field4` char(16) NOT NULL,
  `field5` int(11) NOT NULL,
  `field6` float NOT NULL,
  `field7` double NOT NULL,
  `field8` char(6) NOT NULL,
  `field9` char(6) NOT NULL,
  `field10` char(6) NOT NULL,
  `field11` char(6) NOT NULL,
  `field12` char(6) NOT NULL,
  `field13` char(6) NOT NULL,
  `field14` char(6) NOT NULL,
  `field15` char(6) NOT NULL,
  `field16` char(6) NOT NULL,
  PRIMARY KEY (`field1`,`field2`,`field3`,`field4`,`field5`,`field6`,`field7`,`field8`,`field9`,`field10`,`field11`,`field12`,`field13`,`field14`,`field15`,`field16`),
  KEY `index2` (`field_search`),
  KEY `index3` (`field3`),
  KEY `index4` (`field4`),
  KEY `index5` (`field5`),
  KEY `index6` (`field6`),
  KEY `index7` (`field7`),
  KEY `index8` (`field8`),
  KEY `index9` (`field9`),
  KEY `index10` (`field10`),
  KEY `index11` (`field11`),
  KEY `index12` (`field12`),
  KEY `index13` (`field13`),
  KEY `index14` (`field14`),
  KEY `index15` (`field15`),
  KEY `index16` (`field16`)
) ENGINE=MARIA

For 6.0.6, index corruption happens during population of the table with data:
...
Inserted 7455 rows
DBD::mysql::db do failed: Incorrect key file for table 'bench4'; try to repair it 

For 6.0.7, the table should have more than 20000 rows to get index corruption with this delete statement:

mysql> delete from bench4 where field_search=0;
ERROR 1034 (HY000): Incorrect key file for table 'bench4'; try to repair it

Also, I got a crash for 6.0.7pre when the number of rows in the table is 50000:
(gdb) bt
#0  0x00002b2716c4c4c5 in pthread_kill () from /lib64/libpthread.so.0
#1  0x000000000067fd2e in handle_segfault (sig=11) at mysqld.cc:2657
#2  <signal handler called>
#3  0x00002b27172310b2 in memcpy () from /lib64/libc.so.6
#4  0x0000000000a606b9 in _ma_store_bin_pack_key (keyinfo=<value optimized out>, key_pos=<value optimized out>,
    s_temp=0x49888210) at ma_search.c:2332
#5  0x0000000000a84c88 in del (info=0x22784c0, key=0x49891a10, anc_page=24576, anc_buff=0x4988b5b0 "\003", leaf_page=8192,
    leaf_buff=<value optimized out>, leaf_page_link=0x20a6590, keypos=0x4988b5c7 "", next_block=13361152,
    ret_key_buff=0x4988aed0 "") at ma_delete.c:688
#6  0x0000000000a85863 in d_search (info=0x22784c0, key=0x49891a10, comp_flag=<value optimized out>, anc_page=24576,
    anc_buff=0x4988b5b0 "\003", anc_page_link=0x20a6578) at ma_delete.c:459
#7  0x0000000000a851ea in d_search (info=0x22784c0, key=0x49891a10, comp_flag=4, anc_page=704512,
    anc_buff=0x4988e820 "\003", anc_page_link=0x20a6560) at ma_delete.c:415
#8  0x0000000000a85980 in _ma_ck_real_delete (info=0x22784c0, key=0x49891a10, root=0x498919b0) at ma_delete.c:227
#9  0x0000000000a85ad4 in _ma_ck_delete (info=0x22784c0, key=0x49891a10) at ma_delete.c:182
#10 0x0000000000a85d8a in maria_delete (info=0x22784c0, record=0x209e7d8 "�") at ma_delete.c:90
#11 0x0000000000773dbf in handler::ha_delete_row (this=0x209e5e8, buf=0x209e7d8 "�") at handler.cc:5347
#12 0x0000000000719e76 in mysql_delete (thd=0x2065050, table_list=0x20c65c0, conds=0x20c6cf8, order=<value optimized out>,
    limit=18446744073709551378, options=0, reset_auto_increment=false) at sql_delete.cc:295
#13 0x0000000000691fe5 in mysql_execute_command (thd=0x2065050) at sql_parse.cc:3085
#14 0x000000000069450c in mysql_parse (thd=0x2065050, inBuf=0x20c64c8 "delete from bench4 where field_search=0", length=39,
    found_semicolon=0x49894100) at sql_parse.cc:5815
#15 0x00000000006951fd in dispatch_command (command=COM_QUERY, thd=0x2065050,
    packet=0x2074c41 "delete from bench4 where field_search=0", packet_length=<value optimized out>) at sql_parse.cc:1050
#16 0x0000000000695cf7 in do_command (thd=0x2065050) at sql_parse.cc:723
#17 0x0000000000688554 in handle_one_connection (arg=0x2065050) at sql_connect.cc:1153
#18 0x00002b2716c48193 in start_thread () from /lib64/libpthread.so.0
#19 0x00002b271727b45d in clone () from /lib64/libc.so.6

How to repeat:
1. start server 
2. run attached perl script:
perl bug-maria-index-corruption.pl 

You can specify the number of rows with the --rows option:

perl bug-maria-index-corruption.pl --rows=20000

[31 Jul 2008 10:56] Alexey Stroganov
Test case for the issue

Attachment: bug-maria-index-corruption.pl (application/octet-stream, text), 3.39 KiB.

[24 Aug 2008 13:29] Michael Widenius
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

The test cases helped to find 2 bugs:
- Forgot to initialize a variable
- In case of underflow() the flags for the page were not properly set.

[13 Sep 2008 20:51] Bugs System
Pushed into 6.0.7-alpha  (revid:monty@mysql.com-20080824132934-eq2yrvkfsgi8qcw5) (version source revid:hakan@mysql.com-20080725175322-8wgujj5xuzrjz3ke) (pib:3)

[16 Sep 2008 14:27] Alexey Stroganov
Got crashes with exactly the same backtrace for 6.0.7 and 6.0.8pre binaries. It looks like the fix for this issue was not included in the 6.0.7 release build.
But the symptoms are exactly the same for 6.0.8pre with the fix as well.
Set back to Verified.
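
The "exactly the same backtrace" comparison in the comment above can be made mechanical when triaging crashes across builds. The following is an added example, not part of the original thread or the MySQL sources: it reduces a gdb backtrace to a build-independent signature. The sample input is the report's frames #0-#6 with arguments trimmed; `parse_frames`, `crash_signature` and the depth of three frames are assumptions of this example.

```python
import hashlib
import re

# Frames #0-#6 of the backtrace in the report, arguments trimmed for brevity.
BACKTRACE = """\
#0  0x00002b2716c4c4c5 in pthread_kill () from /lib64/libpthread.so.0
#1  0x000000000067fd2e in handle_segfault (sig=11) at mysqld.cc:2657
#2  <signal handler called>
#3  0x00002b27172310b2 in memcpy () from /lib64/libc.so.6
#4  0x0000000000a606b9 in _ma_store_bin_pack_key (keyinfo=<value optimized out>,
    s_temp=0x49888210) at ma_search.c:2332
#5  0x0000000000a84c88 in del (info=0x22784c0, key=0x49891a10) at ma_delete.c:688
#6  0x0000000000a85863 in d_search (info=0x22784c0, key=0x49891a10) at ma_delete.c:459
"""

FRAME = re.compile(r"^#\d+\s+(?:0x[0-9a-f]+ in )?(<[^>]+>|[\w:~]+)")
SOURCE = re.compile(r" at ([\w./-]+):\d+$")
SIGNAL_MARK = "<signal handler called>"


def parse_frames(text):
    """Return [(function, source_file or None)], one entry per gdb frame."""
    frames = []
    for line in text.splitlines():
        if line.startswith("#"):
            frames.append(line.strip())
        elif frames and line.strip():
            frames[-1] += " " + line.strip()  # wrapped argument list
    parsed = []
    for frame in frames:
        func = FRAME.match(frame)
        src = SOURCE.search(frame)
        if func:
            parsed.append((func.group(1), src.group(1) if src else None))
    return parsed


def crash_signature(text, depth=3):
    """Return (frames used, short hash) for the faulting code path."""
    frames = parse_frames(text)
    names = [func for func, _ in frames]
    if SIGNAL_MARK in names:  # frames above the marker are the crash handler
        frames = frames[names.index(SIGNAL_MARK) + 1:]
    # Addresses and line numbers shift between builds, so only function and
    # file names are hashed; library frames (no source file) are skipped.
    top = [f"{func}@{src}" for func, src in frames if src][:depth]
    return top, hashlib.sha256("|".join(top).encode()).hexdigest()[:16]
```

Two crashes with equal signatures land in the same bucket even when the binaries differ; a fix that moves the fault elsewhere changes the signature.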

[26 Sep 2008 8:30] Michael Widenius
The fix is in the 5.1-maria tree and will be merged to 6.0 shortly.

[7 Nov 2008 15:23] Guilhem Bichot
Alexey, please re-test. Otherwise we can consider it as already fixed.

[7 Nov 2008 15:45] Alexey Stroganov
Actually, there is an attached test case that exposed the problem, so this can be done by anyone :). Yes, checked; all works OK.

[7 Nov 2008 15:59] Guilhem Bichot
So if the check worked OK (thanks), I close it.