Description:
I observe crash of MySQL/InnoDB while running mysql-bench test suite. 

query caused crash:
select * from bench1 where (id3>=5 and id3<=10) or (id3>=1 and id3<=4)

bt:
(gdb) bt
#0  0x00002adf458c94c5 in pthread_kill () from /lib64/libpthread.so.0
#1  0x00000000006457dc in handle_segfault ()
#2  <signal handler called>
#3  0x00002adf46193aa5 in raise () from /lib64/libc.so.6
#4  0x00002adf46194e60 in abort () from /lib64/libc.so.6
#5  0x000000000095c331 in btr_pcur_restore_position (latch_mode=1, cursor=0x2aaaab11fab8, mtr=0x44086e70)
    at ../../storage/innobase/include/buf0buf.ic:225
#6  0x000000000092c5fd in sel_restore_position_for_mysql (same_user_rec=0x44086b30, latch_mode=29395,
    pcur=0x2aaaab11fab8, moves_up=1, mtr=0x44086e70) at row/row0sel.c:2970
#7  0x000000000092cd3c in row_search_for_mysql (buf=0x195a748 "", mode=2, prebuilt=0x2aaaab1238b8,
    match_mode=0, direction=1) at row/row0sel.c:3619
#8  0x00000000008aa7dd in ha_innobase::general_fetch ()
#9  0x0000000000715157 in handler::read_range_next ()
#10 0x00000000008adb89 in ha_innobase::read_range_next ()
#11 0x0000000000713f27 in handler::multi_range_read_next ()
#12 0x0000000000714390 in DsMrr_impl::dsmrr_fill_buffer ()
#13 0x0000000000714259 in DsMrr_impl::dsmrr_init ()
#14 0x00000000008adab4 in ha_innobase::multi_range_read_init ()
#15 0x00000000007009db in QUICK_RANGE_SELECT::reset ()
#16 0x00000000006b0d46 in join_init_read_record ()
#17 0x000000000069e328 in sub_select ()
#18 0x00000000006a92ec in do_select ()
#19 0x00000000006967d7 in JOIN::exec ()
#20 0x0000000000697185 in mysql_select ()
#21 0x00000000006925ac in handle_select ()
#22 0x0000000000659839 in execute_sqlcom_select ()
#23 0x0000000000650f40 in mysql_execute_command ()
#24 0x0000000000656902 in mysql_parse ()
#25 0x000000000064fab6 in dispatch_command ()
#26 0x000000000064f6ff in do_command ()
#27 0x000000000064df66 in handle_one_connection ()
#28 0x00002adf458c5193 in start_thread () from /lib64/libpthread.so.0
#29 0x00002adf4622345d in clone () from /lib64/libc.so.6
#30 0x0000000000000000 in ?? ()

How to repeat:

1. Download attached test case and put it to t/ directory
2. Run it:

./mysql-test-run.pl bug_innodb_select_range

Test case for the bug

Attachment: bug_innodb_select_range.test (application/octet-stream, text), 348 bytes.

Change to Optimizer team since it is MRR related.

The bug can be observed when DS-MRR is switched off, too.

The problem seems to be more related to index condition pushdown. If I switch it off (by putting return at the top of ha_innobase::idx_cond_push(), there is currently no way to switch it off from SQL layer), the crash doesn't happen, neither with DS-MRR, nor with default MRR implementation.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41184

ChangeSet@1.2790, 2008-01-24 03:46:18+03:00, sergefp@mysql.com +3 -0
  BUG#33033 "MySQL/InnoDB crashes with simple select range query"
  - If we've walked off the end of the range, still make the 
    btr_pcur_store_position() call. If we're currently filling row 
    prefetch cache (see row_sel_push_cached_row_for_mysql()), we will 
    try to continue doing the scan after we've returned all records from
    the cache, and that is when we'll need correct btr position.

Pushed into 6.0.5-alpha

Sure, note for the change log:

The new "index condition pushdown" optimization could cause server crash when used with range access method over an InnoDB table.

Noted in 6.0.5 changelog.

Pushed into mysql-next-mr (revid:alik@sun.com-20100816062819-bluwgdq8q4xysmlg) (version source revid:alik@sun.com-20100816062612-enatdwnv809iw3s9) (pib:20)

Pushed into mysql-trunk 5.6.99-m5 (revid:alexander.nozdrin@oracle.com-20101113155825-czmva9kg4n31anmu) (version source revid:vasil.dimov@oracle.com-20100629074804-359l9m9gniauxr94) (merge vers: 5.6.99-m4) (pib:21)

Noted in 5.6.1 changelog.

Correction: No 5.6.1 changelog entry. Bug does not appear in any released 5.6.x version.