Bug #22934 MySQL 5.0.x and 5.1.x SegFault under NetBSD
Submitted: 3 Oct 2006 13:01
Modified: 19 Nov 2006 14:31
Reporter: Sebastien Petit
Status: No Feedback
Category: MySQL Server
Severity: S1 (Critical)
Version: 5.0.24a or 5.1.9
OS: NetBSD-3.1
Assigned to:
CPU Architecture: Any
Tags: segfault netbsd __bt_search

[3 Oct 2006 13:01] Sebastien Petit
Description:
Hi,

I don't know if this bug is a NetBSD or MySQL issue. Can you tell me how to correct it if this is a MySQL bug?

GNU gdb 5.3nb1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386--netbsdelf"...(no debugging symbols found)...
(gdb) run --basedir=/usr/pkg/mysql --datadir=/usr/space/mysql --user=mysql --pid-file=/usr/space/mysql/db0.pid --port=3306
Starting program: /usr/pkg/mysql/libexec/mysqld --basedir=/usr/pkg/mysql --datadir=/usr/space/mysql --user=mysql --pid-file=/usr/space/mysql/db0.pid --port=3306
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
[Switching to LWP 9]
0x9fac6ede in __bt_search () from /usr/lib/libc.so.12
(gdb) where
#0  0x9fac6ede in __bt_search () from /usr/lib/libc.so.12
#1  0x9fac99b0 in __dtoa () from /usr/lib/libc.so.12
#2  0x9fac4ef2 in __vfprintf_unlocked () from /usr/lib/libc.so.12
#3  0x9fac4a70 in __vfprintf_unlocked () from /usr/lib/libc.so.12
#4  0x9fab4547 in sprintf () from /usr/lib/libc.so.12
#5  0x080bc871 in Field_double::val_str(String*, String*) ()
#6  0x08060d3e in Field::val_str(String*) ()
#7  0x080d6e87 in Protocol_simple::store(Field*) ()
#8  0x0805c1a2 in Item_field::send(Protocol*, String*) ()
#9  0x080cdda5 in select_send::send_data(List<Item>&) ()
#10 0x0813f9ee in end_send(JOIN*, st_join_table*, bool) ()
#11 0x0813e24f in evaluate_join_record(JOIN*, st_join_table*, int, char*) ()
#12 0x0813e00c in sub_select(JOIN*, st_join_table*, bool) ()
#13 0x0813dc77 in do_select(JOIN*, List<Item>*, st_table*, Procedure*) ()
#14 0x0812e182 in JOIN::exec() ()
#15 0x0812e59f in mysql_select(THD*, Item***, st_table_list*, unsigned, List<Item>&, Item*, unsigned, st_order*, st_order*, Item*, st_order*, unsigned long, select_result*, st_select_lex_unit*, st_select_lex*) ()
#16 0x0812a224 in handle_select(THD*, st_lex*, select_result*, unsigned long)
    ()
#17 0x080f40cf in mysql_execute_command(THD*) ()
#18 0x080fb8e8 in mysql_parse(THD*, char*, unsigned) ()
#19 0x080f2608 in dispatch_command(enum_server_command, THD*, char*, unsigned)
---Type <return> to continue, or q <return> to quit---
    ()
#20 0x080f1f86 in do_command(THD*) ()
#21 0x080f146a in handle_one_connection ()
#22 0x9fbdd17d in pthread_create () from /usr/lib/libpthread.so.0
(gdb) quit

This bug is reproducible: if you have multiple selects on tables and you run mysqldump -C -q -e -A multiple times... The same trace appears at each segfault.
I tried to replace sprintf with snprintf and a to_length argument, but the bug appeared again... Here is the new trace with snprintf:

GNU gdb 5.3nb1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386--netbsdelf"...(no debugging symbols found)...
(gdb) run --basedir=/usr/pkg/mysql --datadir=/usr/space/mysql --user=mysql --pid-file=/usr/space/mysql/db0.pid --port=3306
Starting program: /usr/pkg/mysql/libexec/mysqld --basedir=/usr/pkg/mysql --datadir=/usr/space/mysql --user=mysql --pid-file=/usr/space/mysql/db0.pid --port=3306
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
[Switching to LWP 7]
0x9fac6ede in __bt_search () from /usr/lib/libc.so.12
(gdb) where
#0  0x9fac6ede in __bt_search () from /usr/lib/libc.so.12
#1  0x9fac99b0 in __dtoa () from /usr/lib/libc.so.12
#2  0x9fac4ef2 in __vfprintf_unlocked () from /usr/lib/libc.so.12
#3  0x9fac4a70 in __vfprintf_unlocked () from /usr/lib/libc.so.12
#4  0x9fac137c in snprintf () from /usr/lib/libc.so.12
#5  0x080bc874 in Field_double::val_str(String*, String*) ()
#6  0x08060d3e in Field::val_str(String*) ()
#7  0x080d6e87 in Protocol_simple::store(Field*) ()
#8  0x0805c1a2 in Item_field::send(Protocol*, String*) ()
#9  0x080cdda5 in select_send::send_data(List<Item>&) ()
#10 0x0813f9ee in end_send(JOIN*, st_join_table*, bool) ()
#11 0x0813e24f in evaluate_join_record(JOIN*, st_join_table*, int, char*) ()
#12 0x0813e040 in sub_select(JOIN*, st_join_table*, bool) ()
#13 0x0813dc77 in do_select(JOIN*, List<Item>*, st_table*, Procedure*) ()
#14 0x0812e182 in JOIN::exec() ()
#15 0x0812e59f in mysql_select(THD*, Item***, st_table_list*, unsigned, List<Item>&, Item*, unsigned, st_order*, st_order*, Item*, st_order*, unsigned long, select_result*, st_select_lex_unit*, st_select_lex*) ()
#16 0x0812a224 in handle_select(THD*, st_lex*, select_result*, unsigned long)
    ()
#17 0x080f40cf in mysql_execute_command(THD*) ()
#18 0x080fb8e8 in mysql_parse(THD*, char*, unsigned) ()
#19 0x080f2608 in dispatch_command(enum_server_command, THD*, char*, unsigned)
---Type <return> to continue, or q <return> to quit---
    ()
#20 0x080f1f86 in do_command(THD*) ()
#21 0x080f146a in handle_one_connection ()
#22 0x9fbdd17d in pthread_create () from /usr/lib/libpthread.so.0
(gdb) quit
The program is running.  Exit anyway? (y or n) y

How to repeat:
run mysqldump -C -q -e -A multiple times with concurrent selects

Suggested fix:
Don't know at this time
[3 Oct 2006 13:09] Sebastien Petit
This is mysql 5.0.24a and 5.1.9 (and not 5.1.24a)
[3 Oct 2006 13:46] Valeriy Kravchuk
Thank you for the problem report. Please send your my.cnf content and error log.
[19 Oct 2006 14:31] Valeriy Kravchuk
With the following settings:

tmp_table_size	= 64M
key_buffer = 16k
sort_buffer_size = 8M
read_buffer_size = 8M
read_rnd_buffer_size = 4M
myisam_sort_buffer_size = 1M
query_cache_size= 64M
...
innodb_buffer_pool_size = 1500M
innodb_additional_mem_pool_size = 20M
innodb_log_buffer_size = 16M

and 100 concurrent connections (default for max_connections) you may easily use up to:

1500M + 20M + 16M + 64M + 100*(8+8+4+1)M = 3700M

even without temporary tables. So, I am not sure it is not a simple out-of-memory issue. Please try to repeat with a newer version, 5.0.26, and, in case of a similar problem, check how many concurrent connections you really have.
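The memory arithmetic in the comment above, turned into a reusable check, as an added example that is not part of the bug thread and not MySQL's own code. The my.cnf fragment below is constructed from the values quoted in the comment; the split between global and per-connection buffers is an assumption of this example (it follows the comment's formula: global buffers plus max_connections copies of the per-connection buffers, with tmp_table_size left out, as the comment does). The example also generalises the comment's one-off sum by parsing k/M/G suffixes and reading max_connections from the file when it is set there.

```python
"""Worst-case memory estimate for mysqld from the buffer sizes in my.cnf.

Formula (from the bug discussion):
    global buffers + max_connections * (per-connection buffers)
"""
import re

# Constructed sample: the settings quoted in the thread, as a my.cnf fragment.
SAMPLE_MY_CNF = """\
[mysqld]
tmp_table_size\t= 64M
key_buffer = 16k
sort_buffer_size = 8M
read_buffer_size = 8M
read_rnd_buffer_size = 4M
myisam_sort_buffer_size = 1M
query_cache_size= 64M
# ... (other settings omitted)
innodb_buffer_pool_size = 1500M
innodb_additional_mem_pool_size = 20M
innodb_log_buffer_size = 16M
"""

# Buffers allocated once per server process (assumed classification).
GLOBAL_BUFFERS = (
    "key_buffer", "key_buffer_size", "query_cache_size",
    "innodb_buffer_pool_size", "innodb_additional_mem_pool_size",
    "innodb_log_buffer_size",
)
# Buffers every connection may allocate in full at the same time (assumed).
PER_CONNECTION_BUFFERS = (
    "sort_buffer_size", "read_buffer_size", "read_rnd_buffer_size",
    "myisam_sort_buffer_size",
)
_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
_SIZE_RE = re.compile(r"^(\d+)([kKmMgG]?)$")
_LINE_RE = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*=\s*([^\s#]+)")


def parse_size(text):
    """Convert a my.cnf size such as '16k', '8M' or '1500M' into bytes."""
    m = _SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size value: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def parse_my_cnf(text):
    """Return {option: value_string} for every key=value line of a my.cnf
    fragment.  Section headers, comments and blank lines are skipped and
    hyphens are normalised to underscores (MySQL accepts both spellings)."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";", "[")):
            continue
        m = _LINE_RE.match(line)
        if m:
            settings[m.group(1).replace("-", "_")] = m.group(2)
    return settings


def estimate_memory(settings, max_connections=None):
    """Worst-case resident memory in bytes: global buffers plus
    max_connections copies of the per-connection buffers.  max_connections
    is taken from the settings if present, else the server default of 100.
    tmp_table_size is deliberately not counted (per in-memory temp table)."""
    if max_connections is None:
        max_connections = int(settings.get("max_connections", 100))
    global_bytes = sum(parse_size(settings[k])
                       for k in GLOBAL_BUFFERS if k in settings)
    per_conn_bytes = sum(parse_size(settings[k])
                         for k in PER_CONNECTION_BUFFERS if k in settings)
    total = global_bytes + max_connections * per_conn_bytes
    return {
        "global_bytes": global_bytes,
        "per_connection_bytes": per_conn_bytes,
        "max_connections": max_connections,
        "total_bytes": total,
        "total_mib": total / 1024 ** 2,
    }


if __name__ == "__main__":
    est = estimate_memory(parse_my_cnf(SAMPLE_MY_CNF))
    print(f"global buffers:   {est['global_bytes'] / 1024 ** 2:.2f} MiB")
    print(f"per connection:   {est['per_connection_bytes'] / 1024 ** 2:.2f} MiB")
    print(f"worst case at {est['max_connections']} connections: "
          f"{est['total_mib']:.2f} MiB")
```

Run against the sample it reproduces the comment's 3700M figure (plus the 16k key buffer the comment rounds away); pointing it at a real my.cnf and comparing the result with physical RAM is the quick sanity check before treating a libc segfault as a bug rather than an allocation failure.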
[20 Nov 2006 0:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".