Bug #47777 innodb dies with spatial pk: Failing assertion: buf <= original_buf + buf_len
Submitted: 2 Oct 2009 4:42
Modified: 18 Jun 2010 22:48
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: InnoDB storage engine
Severity: S1 (Critical)
Version: 5.1.39, 5.0, 5.1, next bzr
OS: Any
Assigned to: Satya B
CPU Architecture: Any

[2 Oct 2009 4:42] Shane Bester
Description:
InnoDB crashes when handling geometry types:

Version: '5.1.39-enterprise-gpl-advanced'  socket: ''  port: 3306  MySQL Enterprise Server - Advanced Edition (GPL)
091002  6:40:30 [ERROR] Stored ref len is 1, but table ref len is 3
091002  6:40:30  InnoDB: Assertion failure in thread 10888 in file .\row\row0sel.c line 2387
InnoDB: Failing assertion: buf <= original_buf + buf_len
InnoDB: We intentionally generate a memory trap.

mysqld.exe!row_sel_convert_mysql_key_to_innobase()[row0sel.c:2387]
mysqld.exe!ha_innobase::index_read()[ha_innodb.cc:4518]
mysqld.exe!ha_innobase::rnd_pos()[ha_innodb.cc:4964]
mysqld.exe!rr_from_tempfile()[records.cc:409]
mysqld.exe!mysql_update()[sql_update.cc:580]
mysqld.exe!mysql_execute_command()[sql_parse.cc:3025]
mysqld.exe!mysql_parse()[sql_parse.cc:5935]
mysqld.exe!dispatch_command()[sql_parse.cc:1215]
mysqld.exe!do_command()[sql_parse.cc:854]
mysqld.exe!handle_one_connection()[sql_connect.cc:1127]
mysqld.exe!pthread_start()[my_winthread.c:85]
mysqld.exe!_callthreadstart()[thread.c:295]
mysqld.exe!_threadstart()[thread.c:275]
kernel32.dll!BaseThreadStart()

How to repeat:
drop table if exists `t1`;
create table `t1` (`c2` linestring not null, primary key (`c2`(1))) engine=innodb;
insert into `t1` values (geomfromtext('linestring(1 2,3 4,5 6,7 8,9 10)'));
update `t1` set `c2`=GeomFromText("POINT(1 1)");
[2 Oct 2009 5:18] Sveta Smirnova
Thank you for the report.

Verified as described. Repeatable with InnoDB Plugin as well.
[7 Oct 2009 17:25] Jimmy Yang
InnoDB treats geometry data as binary BLOB data. However, during position for an update operation, its key value was not treated as such in ha_innobase::store_key_val_for_row(), resulting in an incorrect key value and length being stored for the later update.

The stack:

ha_innobase::store_key_val_for_row
ha_innobase::position
mysql_update
mysql_execute_command

(gdb) print mysql_type
$1 = MYSQL_TYPE_GEOMETRY

MySQL passes in the request for Geometry datatype MYSQL_TYPE_GEOMETRY, so it is not treated as BLOB in InnoDB now:
 
uint
ha_innobase::store_key_val_for_row(
     .....
     if (mysql_type == MYSQL_TYPE_VARCHAR) {

     } else if (mysql_type == MYSQL_TYPE_TINY_BLOB
                        || mysql_type == MYSQL_TYPE_MEDIUM_BLOB
                        || mysql_type == MYSQL_TYPE_BLOB
                        || mysql_type == MYSQL_TYPE_LONG_BLOB) {
     <=== It should be treated here
     .....
     } else {
                        /* Here we handle all other data types except the
                        true VARCHAR, BLOB and TEXT. Note that the column
                        value we store may be also in a column prefix
                        index. */

     }    

}

The fix is to treat MYSQL_TYPE_GEOMETRY the same as MYSQL_TYPE_*_BLOB.

Thanks
Jimmy
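
A simplified C model of the mismatch described in the comment above, added here as an illustration and not taken from the InnoDB source: the writer decides per type whether to emit a length field, while the reader always parses GEOMETRY as BLOB. The type tags, function names, the 2-byte length-prefix key layout and the sample bytes are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified model, not InnoDB source. Assumed key layout: a BLOB-like
   prefix part is a 2-byte little-endian length plus prefix_len data bytes. */
enum col_type { T_INT, T_BLOB, T_GEOMETRY };

/* Writer side. geometry_is_blob = 0 models the behaviour before the fix. */
static size_t store_key(enum col_type t, const uint8_t *val, size_t val_len,
                        size_t prefix_len, uint8_t *out, int geometry_is_blob) {
    int blob = (t == T_BLOB) || (t == T_GEOMETRY && geometry_is_blob);
    size_t n = val_len < prefix_len ? val_len : prefix_len;
    uint8_t *p = out;
    if (blob) {                         /* length field only for BLOB-like */
        *p++ = (uint8_t)(n & 0xff);
        *p++ = (uint8_t)(n >> 8);
    }
    memset(p, 0, prefix_len);           /* zero-pad short values */
    memcpy(p, val, n);
    return (size_t)(p - out) + prefix_len;
}

/* Reader side: GEOMETRY is always parsed as BLOB. Returns bytes used or -1. */
static long read_key(enum col_type t, const uint8_t *key, size_t key_len,
                     size_t prefix_len) {
    size_t pos = 0;
    if (t == T_BLOB || t == T_GEOMETRY) {
        if (key_len < 2) return -1;                 /* no room for length */
        size_t n = key[0] | ((size_t)key[1] << 8);
        if (n > prefix_len) return -1;              /* implausible length */
        pos = 2;
    }
    pos += prefix_len;
    return pos <= key_len ? (long)pos : -1;   /* cursor must stay in buffer */
}

/* Store then re-read a GEOMETRY key part with prefix length 1. */
static long roundtrip(int geometry_is_blob) {
    static const uint8_t val[] = {0x01, 0x02, 0x00, 0x00, 0x00}; /* constructed */
    uint8_t key[16];
    size_t len = store_key(T_GEOMETRY, val, sizeof val, 1, key, geometry_is_blob);
    return read_key(T_GEOMETRY, key, len, 1);
}

int main(void) {
    printf("before fix: %ld, after fix: %ld\n", roundtrip(0), roundtrip(1));
    return 0;
}
```

With prefix length 1 the model stores 1 byte before the fix and 3 bytes after it, the same two numbers as in the logged "Stored ref len is 1, but table ref len is 3" line.
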
[4 Nov 2009 9:24] Bugs System
Pushed into 5.1.41 (revid:joro@sun.com-20091104092152-qz96bzlf2o1japwc) (version source revid:kristofer.pettersson@sun.com-20091103162305-08l4gkeuif2ozsoj) (merge vers: 5.1.41) (pib:13)
[11 Nov 2009 6:48] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091110093407-rw5g8dys2baqkt67) (version source revid:alik@sun.com-20091109080109-7dxapd5y5pxlu08w) (merge vers: 6.0.14-alpha) (pib:13)
[11 Nov 2009 6:56] Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091109115615-nuohp02h8mdrz8m2) (version source revid:svoj@sun.com-20091105122958-jyqjx9xus8v4e0yd) (merge vers: 5.5.0-beta) (pib:13)
[11 Nov 2009 16:20] Paul DuBois
Noted in 5.1.41, 5.5.0, 6.0.14.

InnoDB could crash when updating spatial values.
[25 Nov 2009 9:52] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/91550

2851 Satya B	2009-11-25
      Applying InnoDB snapshot 5.0-ss6230, Part 1. Fixes BUG#47777
      
      BUG#47777 - innodb dies with spatial pk: Failing assertion: buf <= original_buf + buf_len
      
      Detailed revision comments:
      
      r6178 | jyang | 2009-11-17 08:52:11 +0200 (Tue, 17 Nov 2009) | 6 lines
      branches/5.0: Merge fix for bug #47777 from branches/5.1 -r6045
      to branches/5.0. Treat the Geometry data same as Binary BLOB
      in ha_innobase::store_key_val_for_row(), since the Geometry
      data is stored as Binary BLOB in Innodb.
[2 Dec 2009 8:01] Bugs System
Pushed into 5.0.89 (revid:joro@sun.com-20091202075830-mzl79q7mc1v72pf1) (version source revid:satya.bn@sun.com-20091125093852-vvd29igvjizra4xx) (merge vers: 5.0.89) (pib:13)
[2 Dec 2009 8:07] Bugs System
Pushed into 5.1.42 (revid:joro@sun.com-20091202080033-mndu4sxwx19lz2zs) (version source revid:davi.arnaut@sun.com-20091125130912-d7hrln14ef7y5d7i) (merge vers: 5.1.42) (pib:13)
[7 Dec 2009 16:42] Paul DuBois
Noted in 5.1.40sp1 changelog.
[8 Dec 2009 9:30] Bugs System
Pushed into 5.1.43 (revid:build@mysql.com-20091208092611-pbno5awyb0v38hs7) (version source revid:build@mysql.com-20091208092611-pbno5awyb0v38hs7) (merge vers: 5.1.43) (pib:13)
[16 Dec 2009 8:39] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091216083311-xorsasf5kopjxshf) (version source revid:alik@sun.com-20091215065750-5m04ogppd5l0pol5) (merge vers: 6.0.14-alpha) (pib:14)
[16 Dec 2009 8:46] Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091216082430-s0gtzibcgkv4pqul) (version source revid:alik@sun.com-20091211070127-kl8uvlrv9cr11kva) (merge vers: 5.5.0-beta) (pib:14)
[16 Dec 2009 8:53] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20091216083231-rp8ecpnvkkbhtb27) (version source revid:alik@sun.com-20091212203859-fx4rx5uab47wwuzd) (merge vers: 5.6.0-beta) (pib:14)
[18 Dec 2009 10:33] Bugs System
Pushed into 5.1.41-ndb-7.1.0 (revid:jonas@mysql.com-20091218102229-64tk47xonu3dv6r6) (version source revid:jonas@mysql.com-20091218095730-26gwjidfsdw45dto) (merge vers: 5.1.41-ndb-7.1.0) (pib:15)
[18 Dec 2009 10:49] Bugs System
Pushed into 5.1.41-ndb-6.2.19 (revid:jonas@mysql.com-20091218100224-vtzr0fahhsuhjsmt) (version source revid:jonas@mysql.com-20091217101452-qwzyaig50w74xmye) (merge vers: 5.1.41-ndb-6.2.19) (pib:15)
[18 Dec 2009 11:04] Bugs System
Pushed into 5.1.41-ndb-6.3.31 (revid:jonas@mysql.com-20091218100616-75d9tek96o6ob6k0) (version source revid:jonas@mysql.com-20091217154335-290no45qdins5bwo) (merge vers: 5.1.41-ndb-6.3.31) (pib:15)
[18 Dec 2009 11:19] Bugs System
Pushed into 5.1.41-ndb-7.0.11 (revid:jonas@mysql.com-20091218101303-ga32mrnr15jsa606) (version source revid:jonas@mysql.com-20091218064304-ezreonykd9f4kelk) (merge vers: 5.1.41-ndb-7.0.11) (pib:15)
[12 Mar 2010 14:13] Bugs System
Pushed into 5.1.44-ndb-7.0.14 (revid:jonas@mysql.com-20100312135944-t0z8s1da2orvl66x) (version source revid:jonas@mysql.com-20100312115609-woou0te4a6s4ae9y) (merge vers: 5.1.44-ndb-7.0.14) (pib:16)
[12 Mar 2010 14:29] Bugs System
Pushed into 5.1.44-ndb-6.2.19 (revid:jonas@mysql.com-20100312134846-tuqhd9w3tv4xgl3d) (version source revid:jonas@mysql.com-20100312060623-mx6407w2vx76h3by) (merge vers: 5.1.44-ndb-6.2.19) (pib:16)
[12 Mar 2010 14:45] Bugs System
Pushed into 5.1.44-ndb-6.3.33 (revid:jonas@mysql.com-20100312135724-xcw8vw2lu3mijrhn) (version source revid:jonas@mysql.com-20100312103652-snkltsd197l7q2yg) (merge vers: 5.1.44-ndb-6.3.33) (pib:16)
[5 May 2010 15:15] Bugs System
Pushed into 5.1.47 (revid:joro@sun.com-20100505145753-ivlt4hclbrjy8eye) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[6 May 2010 17:16] Paul DuBois
Push resulted from incorporation of InnoDB tree. No changes pertinent to this bug.
Re-closing.
[28 May 2010 5:56] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100524190136-egaq7e8zgkwb9aqi) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (pib:16)
[28 May 2010 6:24] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100524190941-nuudpx60if25wsvx) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[28 May 2010 6:52] Bugs System
Pushed into 5.5.5-m3 (revid:alik@sun.com-20100524185725-c8k5q7v60i5nix3t) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[29 May 2010 15:02] Paul DuBois
Push resulted from incorporation of InnoDB tree. No changes pertinent to this bug.
Re-closing.
[15 Jun 2010 8:14] Bugs System
Pushed into 5.5.5-m3 (revid:alik@sun.com-20100615080459-smuswd9ooeywcxuc) (version source revid:mmakela@bk-internal.mysql.com-20100415070122-1nxji8ym4mao13ao) (merge vers: 5.1.47) (pib:16)
[15 Jun 2010 8:31] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100615080558-cw01bzdqr1bdmmec) (version source revid:mmakela@bk-internal.mysql.com-20100415070122-1nxji8ym4mao13ao) (pib:16)
[17 Jun 2010 11:57] Bugs System
Pushed into 5.1.47-ndb-7.0.16 (revid:martin.skold@mysql.com-20100617114014-bva0dy24yyd67697) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[17 Jun 2010 12:36] Bugs System
Pushed into 5.1.47-ndb-6.2.19 (revid:martin.skold@mysql.com-20100617115448-idrbic6gbki37h1c) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[17 Jun 2010 13:23] Bugs System
Pushed into 5.1.47-ndb-6.3.35 (revid:martin.skold@mysql.com-20100617114611-61aqbb52j752y116) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)