Bug #41894 Segment violation in BKA for some settings/queries
Submitted: 6 Jan 2009 13:20 Modified: 20 Nov 2010 23:26
Reporter: Bernt Marius Johnsen
Status: Closed
Category: MySQL Server: Optimizer    Severity: S2 (Serious)
Version: 6.0.9, mysql-6.0-bka-preview    OS: Linux
Assigned to: Igor Babaev    CPU Architecture: Any

[6 Jan 2009 13:20] Bernt Marius Johnsen
Description:
For DBT3 scale factor 10, MyISAM storage engine, and with the following settings:

set join_cache_level=7;
set join_buffer_size=1024*1024;

The following query crashes the server with SIGSEGV:

select nation, o_year, sum(amount) as sum_profit
  from
  (
    select n_name as nation, substr(o_orderdate, 1, 4) as o_year,
           l_extendedprice * (1 - l_discount) - ps_supplycost * l_quantity
             as amount
    from part, supplier, lineitem, partsupp, orders, nation
      where s_suppkey = l_suppkey and ps_suppkey = l_suppkey and
            ps_partkey = l_partkey and p_partkey = l_partkey and
            o_orderkey = l_orderkey and s_nationkey = n_nationkey and
            p_name like '%green%'
  ) as profit
group by nation, o_year
order by nation, o_year desc
limit 5;

For other values of join_cache_level and join_buffer_size it seems ok. Stack trace attached.

How to repeat:
Repeat with the given settings and query on DBT3 scale factor 10.
[6 Jan 2009 13:20] Bernt Marius Johnsen
Stack trace

Attachment: crash.txt (text/plain), 5.68 KiB.

[8 Jan 2009 1:51] Igor Babaev
This bug can be reproduced with the following commands:

CREATE TABLE t1 (a int NOT NULL AUTO_INCREMENT PRIMARY KEY,
                 b varchar(127) DEFAULT NULL);

INSERT INTO t1(a) VALUES (1);
INSERT INTO t1(b) SELECT b FROM t1;
INSERT INTO t1(b) SELECT b FROM t1;
INSERT INTO t1(b) SELECT b FROM t1;
INSERT INTO t1(b) SELECT b FROM t1;
INSERT INTO t1(b) SELECT b FROM t1;
INSERT INTO t1(b) SELECT b FROM t1;
INSERT INTO t1(b) SELECT b FROM t1;
INSERT INTO t1(b) SELECT b FROM t1;
INSERT INTO t1(b) SELECT b FROM t1;
INSERT INTO t1(b) SELECT b FROM t1;
INSERT INTO t1(b) SELECT b FROM t1;
INSERT INTO t1(b) SELECT b FROM t1;
INSERT INTO t1(b) SELECT b FROM t1;
INSERT INTO t1(b) SELECT b FROM t1;

CREATE TABLE t2 (a int NOT NULL PRIMARY KEY, b varchar(127) DEFAULT NULL);
INSERT INTO t2 SELECT * FROM t1;

CREATE TABLE t3 (a int NOT NULL PRIMARY KEY, b varchar(127) DEFAULT NULL);
INSERT INTO t3 SELECT * FROM t1;

set join_cache_level=7;
set join_buffer_size=1024*1024;

mysql> SELECT COUNT(t1.b), COUNT(t2.b), COUNT(t3.b) FROM t1,t2,t3
    ->   WHERE t1.a=t2.a AND t2.a=t3.a AND
    ->         t1.b IS NULL AND t2.b IS NULL AND t3.b IS NULL;
ERROR 2013 (HY000): Lost connection to MySQL server during query

This causes a crash of the server:

Version: '6.0.10-alpha-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
[New Thread 0xaa46b790 (LWP 3591)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xaa46b790 (LWP 3591)]
0xb7cddf04 in memcmp () from /lib/libc.so.6
(gdb) up
#1  0xef86d020 in ?? ()
(gdb) up
#2  0xa99675b8 in ?? ()
(gdb) up
#3  0x00000004 in ?? ()
(gdb) up
#4  0x083a5175 in JOIN_CACHE_BKA_UNIQUE::put_record (this=0x9ebd4e0) at sql_join_cache.cc:2557
[8 Jan 2009 5:47] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/62650

2760 Igor Babaev	2009-01-07
      Fixed bug #41894.
      The size of offset for key entries in the hash table used for
      a join buffer of level 7/8 may be underestimated. This could
      cause a crash of the server.
      This happened when the size of the buffer was big enough to
      contain such a number of records of variable length that the size
      of the memory occupied by key entries in total exceeded 2^16.
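As an added illustration, not code from this bug report or from the MySQL source, the hypothetical C model below shows the failure class the commit message describes: an offset width fixed from an underestimated key-entry area, so that once the real area passes 2^16 bytes a 2-byte offset silently wraps. The buffer, record and key-entry sizes are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not MySQL's code: a join buffer holds records plus one
 * key entry each; key entries are addressed by offsets of a fixed byte width. */

/* Narrowest little-endian width able to address any byte in max_bytes. */
static size_t offset_width_for(size_t max_bytes)
{
    return max_bytes < (1u << 8) ? 1 : max_bytes < (1u << 16) ? 2 : 4;
}

/* Underestimate: sizes the key area as if every record had its maximal
 * length, so far fewer records are assumed to fit than do when the
 * variable-length columns are NULL. */
static size_t key_area_low(size_t buf_size, size_t max_rec, size_t key_ent)
{
    return (buf_size / (max_rec + key_ent)) * key_ent;
}

/* Upper bound: size the key area for the shortest possible record. */
static size_t key_area_bound(size_t buf_size, size_t min_rec, size_t key_ent)
{
    return (buf_size / (min_rec + key_ent)) * key_ent;
}

/* Store offset in width bytes and read it back; a too-narrow width silently
 * truncates, which is what turns a key lookup into a wild memcmp. */
static uint32_t store_and_load(uint32_t offset, size_t width)
{
    uint8_t raw[4] = {0};
    uint32_t back = 0;
    for (size_t i = 0; i < width; i++) raw[i] = (uint8_t)(offset >> (8 * i));
    for (size_t i = 0; i < width; i++) back |= (uint32_t)raw[i] << (8 * i);
    return back;
}

int main(void)
{
    /* Constructed figures: 1 MiB buffer, int key plus varchar(127) record. */
    size_t buf = 1024 * 1024, rec_max = 132, rec_min = 5, key_ent = 8;
    size_t low = key_area_low(buf, rec_max, key_ent);
    size_t bound = key_area_bound(buf, rec_min, key_ent);
    uint32_t last = (uint32_t)(bound - key_ent);
    printf("estimate %zu B -> %zu-byte offsets, but real area is %zu B\n",
           low, offset_width_for(low), bound);
    printf("offset %u reads back as %u\n", last, store_and_load(last, 2));
    return 0;
}
```

With these figures the low estimate picks 2-byte offsets while the real key area is over 600 KiB, so the last entry's offset wraps; sizing from the shortest record picks 4 bytes and round-trips it.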
[11 Jan 2009 14:52] Bugs System
Pushed into 6.0.10-alpha (revid:sergefp@mysql.com-20090110105650-he9xy4221tbn5y70) (version source revid:sergefp@mysql.com-20090110105650-he9xy4221tbn5y70) (merge vers: 6.0.10-alpha) (pib:6)
[14 Jan 2009 1:02] Paul DuBois
Noted in 6.0.10 changelog.

Internal misconfiguration of the hash table used for the join buffer
could cause a server crash.
[16 Aug 2010 6:32] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100816062819-bluwgdq8q4xysmlg) (version source revid:alik@sun.com-20100816062612-enatdwnv809iw3s9) (pib:20)
[13 Nov 2010 16:10] Bugs System
Pushed into mysql-trunk 5.6.99-m5 (revid:alexander.nozdrin@oracle.com-20101113155825-czmva9kg4n31anmu) (version source revid:vasil.dimov@oracle.com-20100629074804-359l9m9gniauxr94) (merge vers: 5.6.99-m4) (pib:21)
[20 Nov 2010 23:26] Paul DuBois
Noted in 5.6.1 changelog.
[23 Nov 2010 2:13] Paul DuBois
Correction: No 5.6.1 changelog entry. Bug does not appear in any released 5.6.x version.