Bug #27294 crash with innodb_locks_unsafe_for_binlog=1
Submitted: 20 Mar 2007 14:58 Modified: 18 Dec 2009 20:26
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: InnoDB storage engine Severity: S1 (Critical)
Version: 4.1-bk OS: Any (All)
Assigned to: Timothy Smith
Tags: crash, innodb, innodb_locks_unsafe_for_binlog, lock
Triage: Triaged: D1 (Critical)

[20 Mar 2007 14:58] Shane Bester
Description:
if (srv_locks_unsafe_for_binlog &&
    prebuilt->trx->isolation_level != TRX_ISO_SERIALIZABLE &&
    (lock_type == TL_READ || lock_type == TL_READ_NO_INSERT) &&
    (thd->lex->sql_command == SQLCOM_INSERT_SELECT ||
     thd->lex->sql_command == SQLCOM_UPDATE ||
     thd->lex->sql_command == SQLCOM_CREATE_TABLE)) {

0041F180  cmp         dword ptr [_srv_locks_unsafe_for_binlog (896E64h)],ebx 
0041F186  je          ha_innobase::store_lock+0AEh (41F20Eh) 
0041F18C  mov         esi,dword ptr [edx+8] 
0041F18F  cmp         dword ptr [esi+18h],4 <-----------CRASH---------
0041F193  je          ha_innobase::store_lock+0AEh (41F20Eh) 
0041F195  cmp         eax,1 
0041F198  je          ha_innobase::store_lock+3Fh (41F19Fh) 
0041F19A  cmp         eax,4 
0041F19D  jne         ha_innobase::store_lock+0AEh (41F20Eh) 
0041F19F  mov         esi,dword ptr [edi+2Ch] 
0041F1A2  mov         esi,dword ptr [esi+734h] 
0041F1A8  cmp         esi,6 
0041F1AB  je          ha_innobase::store_lock+57h (41F1B7h) 
0041F1AD  cmp         esi,4 
0041F1B0  je          ha_innobase::store_lock+57h (41F1B7h) 
0041F1B2  cmp         esi,1 
0041F1B5  jne         ha_innobase::store_lock+0AEh (41F20Eh) 

Some variables:

srv_locks_unsafe_for_binlog	0x00000001	unsigned long
thd->lex->sql_command	SQLCOM_INSERT_SELECT	enum_sql_command
lock_type	TL_READ_NO_INSERT	thr_lock_type

How to repeat:
will upload a standalone testcase soon.

Suggested fix:
.
[20 Mar 2007 15:33] Heikki Tuuri
Shane,

is prebuilt->trx NULL?

Heikki
[20 Mar 2007 15:47] Shane Bester
The prebuilt value I can't get from the debugger, but the assembler shows a garbage pointer being dereferenced. The debug build didn't crash yet.

Attachment: some_5.0.38_debugger_output.txt (text/plain), 3.25 KiB.

[20 Mar 2007 15:51] Heikki Tuuri
This is actually the 5.0 and 4.1 bug that I already found in http://bugs.mysql.com/bug.php?id=21322 but forgot to fix then!
[20 Mar 2007 15:59] Heikki Tuuri
The fix is to add this code to the start of ::store_lock() also in 5.0 (and 4.1):

ha_innodb.cc:
"
        trx_t*          trx;

        /* Note that trx in this function is NOT necessarily prebuilt->trx
        because we call update_thd() later, in ::external_lock()! Failure to
        understand this caused a serious memory corruption bug in 5.1.11. */

        trx = check_trx_exists(ht, thd);
"

and use trx->isolation_level in subsequent code in ::store_lock().

Assigning this to Vasil.

This bug should be fixed in 5.0.
In 5.1 it has been fixed already.
A fix in 4.1 might make sense, if MySQL AB wants to apply the fix there.
[20 Mar 2007 17:23] Heikki Tuuri
Matthias,

if you do not use the Embedded Server Library, then it is enough to edit ha_innodb.cc in /sql.

You should add my code snippet to the start of ha_innobase::store_lock(), and replace the use of 'prebuilt->trx' by plain 'trx' in that function. There seems to be just 1 use of prebuilt->trx, if I looked carefully enough.

Regards,

Heikki
[20 Mar 2007 17:27] Heikki Tuuri
Oops, in 5.0, the code should be:

trx = check_trx_exists(thd);
[20 Mar 2007 17:37] Shane Bester
I confirm the patch in 5.0 stops this specific crash. Just tested it twice, successfully.
[21 Mar 2007 7:54] Matthias Albert
Is this correct?

Attachment: mysql-5.0.37-patch.txt (text/plain), 1.53 KiB.

[21 Mar 2007 11:08] Matthias Albert
Shane, is my patch correct? (See my attachment 4 comments before.) I will build a new MySQL RPM with 5.0.37 for myself if the attached patch is correct.

Regards,

Matthias
[21 Mar 2007 14:03] Heikki Tuuri
Matthias,

your patch is otherwise correct, but you should make trx a local variable, not a parameter in the function call.

Regards,

Heikki
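A simplified C model of the fix Heikki describes, added here for illustration (constructed for this page, not MySQL's own code): the structures, the enum values, and the LOCK_NONE outcome of the branch are assumptions; only the condition itself and `check_trx_exists(thd)` come from the thread. It shows why a `prebuilt->trx` that has not yet been refreshed by `update_thd()` gives a wrong (or, when the pointer is garbage, a crashing) locking decision, while a local `trx` looked up from the current `thd` does not.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of the structures involved (constructed for this example,
   not MySQL's real definitions). The numeric isolation and lock-type values
   follow the constants compared in the disassembly above (4 and 1/4). */
enum { TRX_ISO_READ_COMMITTED = 2, TRX_ISO_REPEATABLE_READ = 3, TRX_ISO_SERIALIZABLE = 4 };
enum thr_lock_type { TL_READ = 1, TL_READ_NO_INSERT = 4, TL_WRITE = 8 };
enum sql_command { SQLCOM_SELECT, SQLCOM_INSERT_SELECT, SQLCOM_UPDATE, SQLCOM_CREATE_TABLE };
enum { LOCK_NONE = 0, LOCK_S = 1 };

typedef struct { int isolation_level; } trx_t;
typedef struct { trx_t *trx; trx_t trx_storage; enum sql_command sql_command; } thd_t;
/* Handler-side cache; in the real server it is refreshed only by update_thd()
   in ::external_lock(), which runs AFTER ::store_lock(). */
typedef struct { trx_t *trx; } row_prebuilt_t;

static unsigned long srv_locks_unsafe_for_binlog = 1;

/* Return the connection's transaction object, creating it on first use. */
static trx_t *check_trx_exists(thd_t *thd) {
    if (thd->trx == NULL) {
        thd->trx_storage.isolation_level = TRX_ISO_REPEATABLE_READ;
        thd->trx = &thd->trx_storage;
    }
    return thd->trx;
}

/* The condition from the bug report, evaluated against a given trx. */
static bool unsafe_binlog_consistent_read(const trx_t *trx, const thd_t *thd,
                                          enum thr_lock_type lock_type) {
    return srv_locks_unsafe_for_binlog
        && trx->isolation_level != TRX_ISO_SERIALIZABLE
        && (lock_type == TL_READ || lock_type == TL_READ_NO_INSERT)
        && (thd->sql_command == SQLCOM_INSERT_SELECT
            || thd->sql_command == SQLCOM_UPDATE
            || thd->sql_command == SQLCOM_CREATE_TABLE);
}

/* Buggy shape (4.1/5.0 before the fix): trusts prebuilt->trx, which at this
   point may be NULL, garbage, or a previous connection's transaction. */
static int store_lock_buggy(row_prebuilt_t *prebuilt, thd_t *thd, enum thr_lock_type lock_type) {
    return unsafe_binlog_consistent_read(prebuilt->trx, thd, lock_type) ? LOCK_NONE : LOCK_S;
}

/* Fixed shape: a local trx looked up from the current thd, as in Heikki's snippet. */
static int store_lock_fixed(row_prebuilt_t *prebuilt, thd_t *thd, enum thr_lock_type lock_type) {
    trx_t *trx = check_trx_exists(thd); /* local variable, never prebuilt->trx */
    (void)prebuilt;
    return unsafe_binlog_consistent_read(trx, thd, lock_type) ? LOCK_NONE : LOCK_S;
}
```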
[12 Jul 2007 17:27] Timothy Smith
Queued to 5.0-maint team tree
[19 Jul 2007 15:48] Bugs System
Pushed into 5.1.21-beta
[19 Jul 2007 15:49] Bugs System
Pushed into 5.0.48
[22 Jul 2007 18:15] Paul Dubois
Noted in 5.0.48, 5.1.21 changelogs.

INSERT INTO ... SELECT caused a crash if
innodb_locks_unsafe_for_binlog was enabled.
[26 Jul 2007 18:01] Shane Bester
The crash is not limited to only INSERT ... SELECT. It can happen on most queries which modify a table.
[7 Aug 2007 14:57] Paul Dubois
Patch applies to 5.0 only. Removing 5.1.21 changelog entry.
[24 May 2008 13:28] Domas Mituzas
The bug is still in 4.1.
[1 Dec 2008 19:38] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/60323

2707 Timothy Smith	2008-12-01
      Bug #27294: crash with innodb_locks_unsafe_for_binlog=1
      
      Back-port 5.0 fix to 4.1.  Fix Bug#27294 by using trx returned by
      check_trx_exists() instead of prebuilt->trx. This has been fixed in 5.1 in
      r782.
[1 Dec 2008 20:05] Bugs System
Pushed into 4.1.26  (revid:timothy.smith@sun.com-20081201193704-n2cw456dybo8it9x) (version source revid:timothy.smith@sun.com-20081201193704-n2cw456dybo8it9x) (pib:5)
[1 Dec 2008 20:19] Timothy Smith
A backport of the fix from MySQL 5.0 has been added to MySQL 4.1.25.  (Despite what the comment from the bugs system says, it is fixed in 4.1.25, not 4.1.26.)
[1 Dec 2008 20:22] Paul Dubois
Noted in 4.1.25 changelog.
[27 Jan 2009 6:50] Shane Bester
bug #22778 is a duplicate of this
[4 Nov 2009 9:16] Bugs System
Pushed into 5.0.88 (revid:joro@sun.com-20091104091355-hpz6dwgkrfmokj3k) (version source revid:joro@sun.com-20091027131106-1w5i5wrb27oqewk2) (merge vers: 5.0.88) (pib:13)
[4 Nov 2009 9:26] Bugs System
Pushed into 5.1.41 (revid:joro@sun.com-20091104092152-qz96bzlf2o1japwc) (version source revid:kristofer.pettersson@sun.com-20091103162305-08l4gkeuif2ozsoj) (merge vers: 5.1.41) (pib:13)
[4 Nov 2009 18:03] Paul Dubois
Previous two pushes are null merges. Re-closing.
[11 Nov 2009 6:54] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091110093407-rw5g8dys2baqkt67) (version source revid:alik@sun.com-20091109080109-7dxapd5y5pxlu08w) (merge vers: 6.0.14-alpha) (pib:13)
[11 Nov 2009 7:02] Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091109115615-nuohp02h8mdrz8m2) (version source revid:alik@sun.com-20091105092041-sp6eyod7sdlfuj3b) (merge vers: 5.5.0-beta) (pib:13)
[12 Nov 2009 3:16] Paul Dubois
Previous two pushes are null merges. Re-closing.
[18 Dec 2009 10:40] Bugs System
Pushed into 5.1.41-ndb-7.1.0 (revid:jonas@mysql.com-20091218102229-64tk47xonu3dv6r6) (version source revid:jonas@mysql.com-20091218095730-26gwjidfsdw45dto) (merge vers: 5.1.41-ndb-7.1.0) (pib:15)
[18 Dec 2009 10:56] Bugs System
Pushed into 5.1.41-ndb-6.2.19 (revid:jonas@mysql.com-20091218100224-vtzr0fahhsuhjsmt) (version source revid:jonas@mysql.com-20091217101452-qwzyaig50w74xmye) (merge vers: 5.1.41-ndb-6.2.19) (pib:15)
[18 Dec 2009 11:10] Bugs System
Pushed into 5.1.41-ndb-6.3.31 (revid:jonas@mysql.com-20091218100616-75d9tek96o6ob6k0) (version source revid:jonas@mysql.com-20091217154335-290no45qdins5bwo) (merge vers: 5.1.41-ndb-6.3.31) (pib:15)
[18 Dec 2009 11:24] Bugs System
Pushed into 5.1.41-ndb-7.0.11 (revid:jonas@mysql.com-20091218101303-ga32mrnr15jsa606) (version source revid:jonas@mysql.com-20091218064304-ezreonykd9f4kelk) (merge vers: 5.1.41-ndb-7.0.11) (pib:15)