Bug #23651 Server crash calling trigger
Submitted: 25 Oct 2006 22:04
Modified: 30 Nov 2006 20:08
Reporter: Matthew Montgomery
Status: Closed
Category: MySQL Server
Severity: S1 (Critical)
Version: 5.0.26, 5.0BK
OS: Any (*)
Assigned to: Dmitry Lenev
CPU Architecture: Any
Tags: crash, stored procedure, trigger

[25 Oct 2006 22:04] Matthew Montgomery
Description:
MySQL crashes repeatedly within a short period of time; each crash shows the following or a similar backtrace:

<summary backtrace>
#4  0x0817aeb7 in wait_if_global_read_lock (thd=0xb, abort_on_refresh=107, is_not_commit=128)
    at lock.cc:1241
#5  0xb7f8a2d6 in ?? ()
#6  0x0000000b in ?? ()
#7  <signal handler called>
#8  0x0823a263 in innobase_get_cset_width (cset=1755852528, mbminlen=0x6ab3c5e0,
    mbmaxlen=0x68a82d18) at ha_innodb.cc:674
#9  0x0811070a in Item_field::fix_outer_field (this=0x68a82ff0, thd=0x68a807c8, from_field=0x0,
    reference=0x1) at item.cc:3501

<full backtrace>

#4  0x0817aeb7 in wait_if_global_read_lock (thd=0xb, abort_on_refresh=107, is_not_commit=128)
    at lock.cc:1241
        old_message = 0xb7f0c980 "\200<<AD><FB>"
        result = 245
        need_exit_cond = 41
        _db_func_ = 0x817aeb7 "P\b"
        _db_file_ = 0xb <Address 0xb out of bounds>
        _db_level_ = 138440913
        _db_framep_ = (char **) 0xe16a
#5  0xb7f8a2d6 in ?? ()
No symbol table info available.
#6  0x0000000b in ?? ()
No symbol table info available.
#7  <signal handler called>
No symbol table info available.
#8  0x0823a263 in innobase_get_cset_width (cset=1755852528, mbminlen=0x6ab3c5e0,
    mbmaxlen=0x68a82d18) at ha_innodb.cc:674
        cs = (CHARSET_INFO *) 0x68a82700
#9  0x0811070a in Item_field::fix_outer_field (this=0x68a82ff0, thd=0x68a807c8, from_field=0x0,
    reference=0x1) at item.cc:3501
        place = 8024
        field_found = 104
        upward_lookup = 168
        last_checked_context = (Name_resolution_context *) 0x0
        ref = (Item **) 0x68a807c8
        outer_context = (Name_resolution_context *) 0x0

How to repeat:
Unsure... The crash seems to appear when a TRIGGER is executing a stored procedure.
[26 Oct 2006 11:46] Heikki Tuuri
Matthew,

the resolved stack trace looks nonsensical.

innobase_get_cset_width() can only be called from within the /innobase source code. It is not called from ::fix_outer_field().

Can you get a correctly resolved stack trace so that we can identify where it crashes?

Regards,

Heikki
[28 Oct 2006 7:45] Shane Bester
Was able to repeat this crash once. Still analyzing.
[1 Nov 2006 11:09] Shane Bester
With the 5.0BK debug build, I got an assertion before the crash:

Version: '5.0.28-debug-log'  socket: '/tmp/mysql.sock'  port: 3306  yes
mysqld: field.cc:3387: virtual longlong Field_long::val_int(): Assertion `table->in_use == _current_thd()' failed.
mysqld got signal 6;
[1 Nov 2006 11:13] Shane Bester
0x80db75b handle_segfault + 417
0x83ce2ed __pthread_sighandler + 173
0x84030d1 __kill + 17
0x83cbbbb __pthread_raise + 27
0x84034a4 abort + 340
0x83feef0 __assert_fail + 224
0x80ba61a Field_long::val_int() + 72
0x807d600 Item_func_sp::val_int() + 56
0x8057968 Item::save_in_field(Field*, bool) + 494
0x8123ff2 fill_record(THD*, List<Item>&, List<Item>&, bool) + 248
0x81240d4 fill_record_n_invoke_before_triggers(THD*, List<Item>&, List<Item>&, bool, Table_triggers_list*, trg_event_type) + 56
0x814ce11 mysql_insert(THD*, st_table_list*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) + 2069
0x80f4d62 mysql_execute_command(THD*) + 10700
0x821d7c9 sp_instr_stmt::exec_core(THD*, unsigned int*) + 17
0x821d49b sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) + 389
0x821d675 sp_instr_stmt::execute(THD*, unsigned int*) + 277
0x8219ed3 sp_head::execute(THD*) + 1425
0x821a6bf sp_head::execute_trigger(THD*, char const*, char const*, st_grant_info*) + 547
0x822b224 Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool) + 180
0x81240ff fill_record_n_invoke_before_triggers(THD*, List<Item>&, List<Item>&, bool, Table_triggers_list*, trg_event_type) + 99
0x815c45c mysql_update(THD*, st_table_list*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, enum_duplicate + 4282
0x80f4a71 mysql_execute_command(THD*) + 9947
0x80fb89e mysql_parse(THD*, char*, unsigned int) + 370
0x80f0ca8 dispatch_command(enum_server_command, THD*, char*, unsigned int) + 1940
0x80f0509 do_command(THD*) + 523
0x80ef6ad handle_one_connection + 799
0x83c91c1 pthread_start_thread + 225
[1 Nov 2006 14:47] Shane Bester
Setting as verified. Will upload instructions to repeat in private section.
[3 Nov 2006 0:51] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/14780

ChangeSet@1.2285, 2006-11-03 03:51:24+03:00, dlenev@mockturtle.local +3 -0
  Proposed fix for bug#23651 "Server crashes when trigger which uses
  stored function invoked from different connections".
  
  Invocation of trigger which was using stored function from different
  connections caused server crashes (for non-debug server this happened
  in highly concurrent environment, but debug server failed on assertion
  in relatively simple scenario).
  
  Item_func_sp was not safe to use in triggers (in other words for
  re-execution from different threads) as artificial TABLE object
  pointed by Item_func_sp::dummy_table referenced incorrect THD
  object. To fix the problem we force re-initialization of this
  object for each re-execution of statement.
[13 Nov 2006 8:09] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/15202

ChangeSet@1.2285, 2006-11-13 11:10:49+03:00, dlenev@mockturtle.local +3 -0
  Fix for bug#23651 "Server crashes when trigger which uses
  stored function invoked from different connections".
  
  Invocation of trigger which was using stored function from different
  connections caused server crashes (for non-debug server this happened
  in highly concurrent environment, but debug server failed on assertion
  in relatively simple scenario).
  
  Item_func_sp was not safe to use in triggers (in other words for
  re-execution from different threads) as artificial TABLE object
  pointed by Item_func_sp::dummy_table referenced incorrect THD
  object. To fix the problem we force re-initialization of this
  object for each re-execution of statement.
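
The failure mode described in the commit message above, reduced to an added C++ example that is not MySQL source code: an object cached inside a shared trigger body records the connection that first initialized it, so the owner check behind the `table->in_use == _current_thd()` assertion fails on the next connection unless the object is re-initialized on every execution. `Thd`, `Table`, `SpItem` and `run_from_two_connections` are hypothetical stand-ins, and the two connections are simulated one after the other with a single global in place of the per-thread pointer.

```cpp
#include <cstdio>

// Simplified stand-ins (assumptions), not MySQL's real classes.
struct Thd { int id; };                      // per-connection context
static Thd *current_thd = nullptr;           // per-thread in the server; one variable here

struct Table { Thd *in_use = nullptr; };     // owner pointer, cf. table->in_use

// Item kept inside a cached trigger body and reused by every connection.
struct SpItem {
    Table dummy_table;
    bool initialized = false;
    bool reinit_each_exec;                   // false: init once; true: the fix's approach

    explicit SpItem(bool reinit) : reinit_each_exec(reinit) {}

    // Returns whether the condition of the debug assertion holds.
    bool execute() {
        if (reinit_each_exec || !initialized) {
            dummy_table.in_use = current_thd;   // bind to the executing connection
            initialized = true;
        }
        return dummy_table.in_use == current_thd;
    }
};

// Fire the same cached item from two connections in turn.
// Returns true only if the owner check held on both executions.
bool run_from_two_connections(bool reinit) {
    Thd conn1{1}, conn2{2};
    SpItem item(reinit);
    current_thd = &conn1;
    bool ok1 = item.execute();
    current_thd = &conn2;
    bool ok2 = item.execute();               // stale owner unless re-initialized
    current_thd = nullptr;
    return ok1 && ok2;
}

int main() {
    std::printf("init once:      owner check %s\n",
                run_from_two_connections(false) ? "holds" : "fails");
    std::printf("reinit per run: owner check %s\n",
                run_from_two_connections(true) ? "holds" : "fails");
    return 0;
}
```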
[13 Nov 2006 11:29] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/15215

ChangeSet@1.2358, 2006-11-13 14:30:12+03:00, dlenev@mockturtle.local +1 -0
  Small adjustment after merging fix for bug#23651 "Server crashes when
  trigger which uses stored function invoked from different connections"
  into 5.1.
[30 Nov 2006 1:29] Konstantin Osipov
Fixed in 5.0.32 and 5.1.13
[30 Nov 2006 20:08] Paul Dubois
Noted in 5.0.32, 5.1.14 changelogs.

A trigger that invoked a stored function could cause a server crash
when activated by different client connections.