Bug #21590 Crash during an INSERT in NDB
Submitted: 11 Aug 2006 16:35    Modified: 23 Dec 2006 14:19
Reporter: Marc ALFF
Status: No Feedback    Impact on me: None
Category: MySQL Cluster: Cluster (NDB) storage engine    Severity: S2 (Serious)
Version: 5.0.25    OS: Linux (Gentoo Linux AMD64)
Assigned to:    CPU Architecture: Any

[11 Aug 2006 16:35] Marc ALFF
Description:
select version()
5.0.25-debug-log

A crash occurs when executing the following script:

-- source include/have_bdb.inc
-- source include/have_ndb.inc

let $engine_type_1 = BerkeleyDB;
let $engine_type_2 = ndbcluster;

set autocommit=1;

--disable_warnings
drop table if exists t1, t2;
drop function if exists f2_fail;
--enable_warnings

eval create table t1 (a int) engine = $engine_type_1;
eval create table t2 (a int unique) engine = $engine_type_2;

insert into t1 (a) values (1), (2);

delimiter //;

## Cause a failure every time
create function f2_fail(x int) returns int
begin
  insert into t2 (a) values (x);
  insert into t2 (a) values (x);
  return x;
end//

delimiter ;//

set autocommit=1;

## Expecting an error, get a crash
--error ER_DUP_ENTRY
insert into t1 (a) values (f2_fail(1));

/////////////////

The call stack is:

Program received signal SIGSEGV, Segmentation fault.
key_unpack (to=0x4395bc30, table=0x17229f8, idx=64) at key.cc:322
/home/marcsql/TREE/mysql-5.0-sandbox/sql/key.cc:322:9186:beg:0x598b62
(gdb) where
#0  key_unpack (to=0x4395bc30, table=0x17229f8, idx=64) at key.cc:322
#1  0x0000000000669b1e in handler::print_error (this=0x17237d8, error=121, errflag=0) at handler.cc:1761
#2  0x0000000000617c79 in write_record (thd=0x16ec3e8, table=0x17229f8, info=0x4395ca90) at sql_insert.cc:1232
#3  0x0000000000616856 in mysql_insert (thd=0x16ec3e8, table_list=0x1714ea8, fields=@0x171d818, values_list=@0x171d860, update_fields=@0x171d848, update_values=@0x171d830, duplic=DUP_ERROR, ignore=false) at sql_insert.cc:582
#4  0x00000000005c1f93 in mysql_execute_command (thd=0x16ec3e8) at sql_parse.cc:3357
#5  0x00000000006f175e in sp_instr_stmt::exec_core (this=0x1715398, thd=0x96832c, nextp=0x4395d40c) at sp_head.cc:2487
#6  0x00000000006f1445 in sp_lex_keeper::reset_lex_and_exec_core (this=0x17153d8, thd=0x16ec3e8, nextp=0x4395d40c, open_tables=false, instr=0x1715398) at sp_head.cc:2363
#7  0x00000000006f161e in sp_instr_stmt::execute (this=0x1715398, thd=0x16ec3e8, nextp=0x4395d40c) at sp_head.cc:2440
#8  0x00000000006ee6c9 in sp_head::execute (this=0x1714208, thd=0x16ec3e8) at sp_head.cc:1052
#9  0x00000000006ef3c1 in sp_head::execute_function (this=0x1714208, thd=0x16ec3e8, argp=0x16f8c88, argcount=1133893376, return_value_fld=0x1) at sp_head.cc:1493
#10 0x00000000005581bf in Item_func_sp::execute_impl (this=0x16f8c08, thd=0x16ec3e8, return_value_fld=0x16f9e28) at item_func.cc:4862
#11 0x0000000000558088 in Item_func_sp::execute (this=0x16f8c08, flp=0x16f9e28) at item_func.cc:4820
#12 0x00000000005596d8 in Item_func_sp::val_int (this=0x16f8c08) at item_func.h:1433
#13 0x00000000005393c1 in Item::save_in_field (this=0x16f8c08, field=0x16d4d28, no_conversions=false) at item.cc:4137
#14 0x00000000005f0ebd in fill_record (thd=0x16ec3e8, fields=@0x968325, values=@0x16f8958, ignore_errors=false) at sql_base.cc:4978
#15 0x00000000005f0f7f in fill_record_n_invoke_before_triggers (thd=0x16ec3e8, fields=@0x968325, values=@0x1000, ignore_errors=248, triggers=0x0, event=TRG_EVENT_INSERT) at sql_base.cc:5017
#16 0x00000000006166fb in mysql_insert (thd=0x16ec3e8, table_list=0x16f8698, fields=@0x16eccf8, values_list=@0x16ecd40, update_fields=@0x16ecd28, update_values=@0x16ecd10, duplic=DUP_ERROR, ignore=false) at sql_insert.cc:518
#17 0x00000000005c1f93 in mysql_execute_command (thd=0x16ec3e8) at sql_parse.cc:3357
#18 0x00000000005c7776 in mysql_parse (thd=0x16ec3e8, inBuf=0x16f85d8 "insert into t1 (a) values (f2_fail(1))", length=24036432) at sql_parse.cc:5831
#19 0x00000000005be7f2 in dispatch_command (command=COM_QUERY, thd=0x16ec3e8, packet=0x16f85fe "", packet_length=39) at sql_parse.cc:1766
#20 0x00000000005bdfc6 in do_command (thd=0x16ec3e8) at sql_parse.cc:1550
#21 0x00000000005bd2a3 in handle_one_connection (arg=0x96832c) at sql_parse.cc:1181
#22 0x00002aaaaaeea0fa in start_thread () from /lib/tls/libpthread.so.0
#23 0x00002aaaab454ca3 in clone () from /lib/tls/libc.so.6
#24 0x0000000000000000 in ?? ()

//////////

In key_unpack(), the key_part pointer is invalid, causing the crash.

The issue seems specific to ndbcluster, as other engines report an error properly for the same use case.

How to repeat:
See description

Suggested fix:
N/A
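Editor's note on the backtrace above (added here; not part of the report and not MySQL source code). Frame #1 shows handler::print_error() entered with error=121, which is HA_ERR_FOUND_DUPP_KEY, and frame #0 shows key_unpack() entered with idx=64. In a default 5.0 build MAX_KEY is 64, the value MySQL uses as a "no such key" sentinel (for instance table->s->primary_key is MAX_KEY on a table without a primary key), and a TABLE's key_info array has at most MAX_KEY entries. So key_info[64] is one past the end of the array, which is consistent with the reporter's observation that key_part is invalid inside key_unpack(). The program below is a simplified, hypothetical model of that pattern, written to show the one check that matters: a guard that only rejects negative key numbers lets the sentinel through, while a bounds check against the number of defined keys does not. The struct layouts, the two guard functions and the *_model function bodies are illustrative inventions; the sample table is constructed to mirror `create table t2 (a int unique)` from the report.

```c
/*
 * Added illustration, not MySQL source: why a "no such key" sentinel equal to
 * MAX_KEY must never reach a lookup into key_info[]. Names echo the frames in
 * the report's backtrace; every body below is a hypothetical model.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEY                64   /* default MySQL 5.0 build: MAX_KEY == MAX_INDEXES == 64 */
#define HA_ERR_FOUND_DUPP_KEY  121  /* the error value seen in frame #1 of the report */

struct key_part_info { const char *field_name; };

struct key_info {
    const char *name;
    unsigned    key_parts;
    const struct key_part_info *key_part;
};

struct table_model {
    unsigned        keys;               /* keys actually defined on the table */
    struct key_info key_info[MAX_KEY];  /* valid indices are 0 .. keys-1 only */
};

/* Hypothetical weak guard: "not negative" admits the sentinel 64.
 * Returns 1 if key_unpack would be entered with key_nr. */
int weak_guard_admits(unsigned key_nr)
{
    return (int) key_nr >= 0;
}

/* Hardened guard: the sentinel, and anything past the defined keys, is rejected. */
int strict_guard_admits(const struct table_model *t, unsigned key_nr)
{
    return key_nr < MAX_KEY && key_nr < t->keys;
}

/* Model of key_unpack(): writes "keyname(col1,col2)" into `to`.
 * Returns the number of key parts written, or -1 when idx is out of range,
 * so key_info[idx].key_part is never dereferenced for a bad idx. */
int key_unpack_model(char *to, size_t to_len, const struct table_model *t, unsigned idx)
{
    if (!strict_guard_admits(t, idx))
        return -1;
    const struct key_info *ki = &t->key_info[idx];
    size_t used = (size_t) snprintf(to, to_len, "%s(", ki->name);
    for (unsigned i = 0; i < ki->key_parts && used < to_len; i++)
        used += (size_t) snprintf(to + used, to_len - used, "%s%s",
                                  i ? "," : "", ki->key_part[i].field_name);
    if (used < to_len)
        snprintf(to + used, to_len - used, ")");
    return (int) ki->key_parts;
}

/* Model of the HA_ERR_FOUND_DUPP_KEY branch of handler::print_error().
 * key_nr is whatever the engine reported as the duplicated key; MAX_KEY means
 * "unknown". Returns 0 when a message naming the key was built, 1 when the
 * key number was unusable and a generic message was built instead, -1 for
 * any other error code. */
int print_error_model(char *msg, size_t len, const struct table_model *t,
                      int error, unsigned key_nr)
{
    if (error != HA_ERR_FOUND_DUPP_KEY)
        return -1;
    char key[128];
    if (key_unpack_model(key, sizeof key, t, key_nr) < 0) {
        snprintf(msg, len, "Duplicate entry for an unknown key (key_nr=%u)", key_nr);
        return 1;
    }
    snprintf(msg, len, "Duplicate entry for key %s", key);
    return 0;
}

/* Constructed sample: one unique key on column a, like t2 in the report. */
static const struct key_part_info t2_parts[] = { { "a" } };

const struct table_model *sample_t2(void)
{
    static struct table_model t2;
    memset(&t2, 0, sizeof t2);
    t2.keys = 1;
    t2.key_info[0].name = "a";
    t2.key_info[0].key_parts = 1;
    t2.key_info[0].key_part = t2_parts;
    return &t2;
}

int main(void)
{
    char msg[256];
    const struct table_model *t2 = sample_t2();
    print_error_model(msg, sizeof msg, t2, HA_ERR_FOUND_DUPP_KEY, 0);
    puts(msg);                 /* names key a */
    print_error_model(msg, sizeof msg, t2, HA_ERR_FOUND_DUPP_KEY, MAX_KEY);
    puts(msg);                 /* generic message instead of an out-of-bounds read */
    printf("weak guard admits 64: %d\n", weak_guard_admits(MAX_KEY));
    return 0;
}
```

The point for anyone triaging a similar trace: when a storage engine cannot name the offending key it hands back a sentinel, and the consumer has to treat that sentinel as "no key" before indexing a fixed-size array with it. Running the reporter's mysqltest script under valgrind, as suggested later in this report, is the right way to confirm an out-of-bounds read of this kind even on a build that does not crash.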
[11 Aug 2006 16:44] Marc ALFF
Fixed severity to S2 (was the default value), changed to P2
[5 Sep 2006 10:31] Hartmut Holzgraefe
Can't reproduce on linux x86 32bit ...
[5 Sep 2006 11:20] Jonas Oreland
Marc,

Did you use a debug or release build?
[5 Sep 2006 23:57] Marc ALFF
The build was a debug build (see select version()) on an AMD64 linux box,
from the 5.0 main BK tree (not a team tree).

I suggest trying the mysqltest script given under valgrind (I have not tried).
If any error is reported by valgrind, consider the bug verified (with or without crash).
[23 Nov 2006 14:19] Valeriy Kravchuk
Sorry for the delay with this report. I was not able to repeat it on later 5.0-BK builds. So please check the current 5.0.32-BK and let us know the results.
[24 Dec 2006 0:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".