Bug #32125 Database crash due to ha_innodb.cc:3896: ulint convert_search_mode_to_innobase
Submitted: 5 Nov 2007 20:44 Modified: 25 Feb 2011 23:52
Reporter: Artem Russakovskii
Status: Closed
Category: MySQL Server: InnoDB storage engine
Severity: S1 (Critical)
Version: 5.1.16-17, 5.1.23-BK, 5.0.44
OS: Any
Assigned to: Vasil Dimov
CPU Architecture: Any
Tags: backport_050050SP1, convert_search_mode_to_innobase, crash, MySQL
Triage: D2 (Serious)

[5 Nov 2007 20:44] Artem Russakovskii
Description:
Complete server crash and restart occurs if specific conditions below are met. This situation is occurring on 5.1.16 and 5.1.17 but I don't think there's a fix out even for the latest versions.

This may be related to, but I don't think it is a duplicate of, bug #31435 (http://bugs.mysql.com/bug.php?id=31435).

Here's the output of the crash immediately after a specific query is issued:

mysqld: ha_innodb.cc:3896: ulint convert_search_mode_to_innobase(ha_rkey_function): Assertion `0' failed.
mysqld got signal 6;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=33554432
read_buffer_size=2093056
max_used_connections=1
max_connections=1024
threads_connected=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_connections = 2125816 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0x8c17d30
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
Cannot determine thread, fp=0x76bea724, backtrace may not be correct.
Stack range sanity check OK, backtrace follows:
0x81df310
0xffffe410
0xb7e61b75
0xb7e59903
0x834560f
0x828eb73
0x828e746
0x828a30e
0x8287688
0x822ca65
0x822d61a
0x82292d7
0x822c78a
0x8228526
0x81fe7e4
0x81f8717
0x81ffe00
0x81f7022
0x81f6b74
0x81f6037
0xb7fc1aa7
0xb7ef2c2e
New value of fp=(nil) failed sanity check, terminating stack trace!
Please read http://dev.mysql.com/doc/mysql/en/using-stack-trace.html and follow instructions on how to resolve the stack trace. Resolved
stack trace is much more helpful in diagnosing the problem, so please do 
resolve it
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0x8c62bf8 = select * from test.test where contains(foo, 'bar')
thd->thread_id=1
The manual page at http://www.mysql.com/doc/en/Crashing.html contains
information that should help you find out what is causing the crash.

Number of processes running now: 0
071105 20:28:40  mysqld restarted
071105 20:28:40  InnoDB: Database was not shut down normally!
InnoDB: Starting crash recovery.
InnoDB: Reading tablespace information from the .ibd files...
InnoDB: Restoring possible half-written data pages from the doublewrite
InnoDB: buffer...
071105 20:28:40  InnoDB: Starting log scan based on checkpoint at
InnoDB: log sequence number 1 3183052624.
InnoDB: Doing recovery: scanned up to log sequence number 1 3183052624
InnoDB: Last MySQL binlog file position 0 55730640, file name ./mysql-bin.000028
071105 20:28:41  InnoDB: Started; log sequence number 1 3183052624
071105 20:28:41 [Note] Recovering after a crash using mysql-bin
071105 20:28:41 [Note] Starting crash recovery...
071105 20:28:41 [Note] Crash recovery finished.
071105 20:28:41 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.16-beta-log'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MySQL Community Server (GPL)
071105 20:28:41 [Note] SCHEDULER: Loaded 0 events

How to repeat:
mysql> CREATE TABLE `test` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,
  `foo` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
Query OK, 0 rows affected

mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar');
Empty set

mysql> ALTER TABLE test ADD INDEX (foo(100));
Query OK, 0 rows affected
Records: 0  Duplicates: 0  Warnings: 0

mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar');
ERROR 2013 : Lost connection to MySQL server during query

Complete server crash occurs at this point, as pasted in the description. Seems like it's related to an index on foo, the fact that the table is InnoDB, and the fact that the query is trying to use CONTAINS. It should not, however, crash the server.

Suggested fix:
A bugfix in the convert_search_mode_to_innobase function of InnoDB.
[6 Nov 2007 9:21] Daniel Bartlett
I can replicate this issue on 5.0.44 (64bit Arch).
[6 Nov 2007 9:56] Daniel Bartlett
I can also replicate this on 4.1.20 (32bit Arch)
[6 Nov 2007 11:50] Valeriy Kravchuk
Thank you for the bug report. Verified just as described with the latest 5.1.23-BK on Linux. Resolved stack trace:

openxs@linux:~/dbs/5.1> nm -n libexec/mysqld > /tmp/mysqld51.sym
openxs@linux:~/dbs/5.1> bin/resolve_stack_dump -s /tmp/mysqld51.sym -n 32125.stack
0x8214bd9 handle_segfault + 681
0xffffe410 _end + -142228388
0x40150b75 _end + 932899777
0x40148903 _end + 932866383
0x83ccaed _ZN11ha_innobase16records_in_rangeEjP12st_key_rangeS1_ + 621
0x82e767a _Z16check_quick_keysP5PARAMjP7SEL_ARGPhjiS3_ji + 1322
0x82e80e5 _Z20get_key_scans_paramsP5PARAMP8SEL_TREEbbd + 869
0x82f0a3a _ZN10SQL_SELECT17test_quick_selectEP3THD6BitmapILj64EEymb + 2586
[6 Nov 2007 14:32] Heikki Tuuri
I think also Marko saw this assertion failure recently.

Assigning this to Vasil.
[13 Nov 2007 10:09] Artem Russakovskii
Apparently this has been flagged as a vulnerability: http://www.securityfocus.com/bid/26353/info. Just FYI for you guys.
[13 Nov 2007 19:56] Piotr Gasidlo
One suggestion. I wonder if there is a possibility to not publish exploits in critical bug reports (a special field in the bug submit form that will be published after the bug has been fixed in the community version or a patch is available to the public). Also the "founder" could be wise not to publish or send full disclosure reports before the bug is fixed. In my company we host a few thousand freehost users' databases, and yesterday one of them ran this exploit and gave us 1.5h of server downtime, using the above example. Thanks to binlogs we traced him, but we do not have a 100% guarantee that another script kiddie won't want to play "hacker" again.
[14 Nov 2007 9:59] Marko Mäkelä
Can storage engines somehow advertise to MySQL which search modes they support? InnoDB should of course refuse to handle such queries without crashing the server, but it would be even better if the query optimizer knew that a table scan will be needed.
[14 Nov 2007 12:28] Heikki Tuuri
Vasil has a patch that converts spatial search modes to BTR_CUR_UNSUPP and avoids the crash.
[14 Nov 2007 12:47] Vasil Dimov
Patch

Attachment: convert_search_mode_to_innobase.diff (application/octet-stream, text), 2.44 KiB.

[14 Nov 2007 12:50] Vasil Dimov
Sorry for the delay! The attached patch:

http://bugs.mysql.com/file.php?id=7788

has been applied to the InnoDB 5.1 repository and will be included in the next MySQL 5.1 release.
[14 Nov 2007 12:54] Vasil Dimov
Some comments on the patch:

It results in an error being returned to the client, instead of a server crash:

mysql> select * from t where contains(c, 'abcd');
ERROR 1464 (HY000): The used table type doesn't support SPATIAL indexes
mysql> 

This is not very nice but is the only thing InnoDB can do (other than implementing SPATIAL indexes).

If this is handled in the MySQL layer then the correct result can be returned using a table scan instead of returning an error.
[14 Nov 2007 14:53] Norbert Tretkowski
Since 5.0 is also affected (and probably more often used in production environments), it would be nice to have a patch for it too.
[14 Nov 2007 16:36] Alexey Belanov
Any news on the 5.0 patching issues? sql/ha_innodb.cc has similar code.
[14 Nov 2007 17:08] Piotr Gasidlo
I've created a patch for 5.0.45, but have not tested it yet.
[14 Nov 2007 17:08] Piotr Gasidlo
Untested patch for 5.0.45

Attachment: 99_convert_search_mode_to_innobase.dpatch (application/octet-stream, text), 5.23 KiB.

[15 Nov 2007 13:52] Vasil Dimov
Patch against MySQL 5.0.45. This patch has been applied to the InnoDB 5.0 repository and will be included in the next 5.0.x release.

Attachment: convert_search_mode_to_innobase-5.0.diff (application/octet-stream, text), 3.35 KiB.

[15 Nov 2007 14:51] Lukas Kuzmiak
Patch works on the latest MySQL Gentoo ebuild version 5.0.44-r1. Thanks to Vasil.
[16 Nov 2007 13:30] Marko Mäkelä
Sent innodb-5.1-ss2093.tar.gz to MySQL
Sent innodb-5.0-ss2095.tar.gz to MySQL
[19 Nov 2007 4:11] Robin Johnson
The 5.1 patch included here does not compile when applied to 5.1.22, due to DB_UNSUPPORTED not being defined:
x86_64-pc-linux-gnu-g++ -DHAVE_CONFIG_H -I. -I../../include -I../../include -I../../include -I../../regex -I../../storage/innobase/include -I../../sql -I.    -O2 -pipe -DHAVE_ERRNO_AS_DEFINE=1 -fno-exceptions -fno-strict-aliasing -felide-constructors -fno-rtti -fno-implicit-templates   -fno-implicit-templates -fno-exceptions -fno-rtti -MT libinnobase_a-ha_innodb.o -MD -MP -MF .deps/libinnobase_a-ha_innodb.Tpo -c -o libinnobase_a-ha_innodb.o `test -f 'handler/ha_innodb.cc' || echo './'`handler/ha_innodb.cc
mv -f .deps/libinnobase_a-trx0undo.Tpo .deps/libinnobase_a-trx0undo.Po
mv -f .deps/libinnobase_a-ut0ut.Tpo .deps/libinnobase_a-ut0ut.Po
mv -f .deps/libinnobase_a-ut0wqueue.Tpo .deps/libinnobase_a-ut0wqueue.Po
handler/ha_innodb.cc: In function 'int convert_error_code_to_mysql(int, THD*)':
handler/ha_innodb.cc:682: error: 'DB_UNSUPPORTED' was not declared in this scope
handler/ha_innodb.cc: In member function 'virtual int ha_innobase::index_read(uchar*, const uchar*, uint, ha_rkey_function)':
handler/ha_innodb.cc:4133: error: 'DB_UNSUPPORTED' was not declared in this scope
make[2]: *** [libinnobase_a-ha_innodb.o] Error 1

Does somebody else have a version of the patch that applies and works for 5.1.22?
[20 Nov 2007 8:41] Sergei Golubchik
CVE-2007-5925
[20 Nov 2007 19:23] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38162

ChangeSet@1.2632, 2007-11-20 12:23:18-07:00, tsmith@ramayana.hindu.god +3 -0
  Applied InnoDB snapshot innodb-5.1-ss2093
  
  Fixes the following bug:
  
  - Bug #32125: Database crash due to ha_innodb.cc:3896: ulint convert_search_mode_to_innobase
  
    When unknown find_flag is encountered in convert_search_mode_to_innobase()
    do not call assert(0); instead queue a MySQL error using my_error() and
    return the error code PAGE_CUR_UNSUPP. Change the functions that call
    convert_search_mode_to_innobase() to handle that error code by "canceling"
    execution and returning appropriate error code further upstream.
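The commit message above, together with Vasil's earlier note about ERROR 1464, describes the general hardening pattern: an unexpected enum value reaching a `default: assert(0)` in a server takes the whole process down, whereas returning a sentinel and letting callers propagate an error code fails only the offending statement. The following is an added C illustration of that pattern, not code from the MySQL or InnoDB trees. The enum values, the `PAGE_CUR_UNSUPP` sentinel, the `DB_UNSUPPORTED` code, `queued_error` (a stand-in for `my_error()`), the sorted-array "index page" and `index_read()` are all constructed for the example; only the names are modelled on the bug report.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for MySQL's search functions and InnoDB's page cursor
 * modes (names modelled on the bug report, values invented for the example). */
enum ha_rkey_function {
    HA_READ_KEY_EXACT, HA_READ_KEY_OR_NEXT, HA_READ_KEY_OR_PREV,
    HA_READ_AFTER_KEY, HA_READ_BEFORE_KEY, HA_READ_PREFIX,
    HA_READ_MBR_CONTAIN, HA_READ_MBR_INTERSECT   /* spatial modes: unsupported here */
};

enum page_cur_mode {
    PAGE_CUR_UNSUPP = 0,   /* sentinel returned instead of asserting */
    PAGE_CUR_G, PAGE_CUR_GE, PAGE_CUR_L, PAGE_CUR_LE
};

enum { DB_SUCCESS = 0, DB_UNSUPPORTED = 1 };   /* constructed error codes */

/* Before the fix: an unhandled enum value aborts the whole server process,
 * so one unsupported predicate from one client is a denial of service. */
enum page_cur_mode convert_search_mode_before(enum ha_rkey_function f) {
    switch (f) {
    case HA_READ_KEY_EXACT:   return PAGE_CUR_GE;
    case HA_READ_KEY_OR_NEXT: return PAGE_CUR_GE;
    case HA_READ_KEY_OR_PREV: return PAGE_CUR_LE;
    case HA_READ_AFTER_KEY:   return PAGE_CUR_G;
    case HA_READ_BEFORE_KEY:  return PAGE_CUR_L;
    case HA_READ_PREFIX:      return PAGE_CUR_GE;
    default:
        assert(0);            /* the original behaviour: crash */
        return PAGE_CUR_UNSUPP;
    }
}

/* Stand-in for my_error(): the message queued for the client. */
static const char *queued_error = NULL;

/* After the fix: report "unsupported" as data and let the caller decide. */
enum page_cur_mode convert_search_mode_after(enum ha_rkey_function f) {
    switch (f) {
    case HA_READ_KEY_EXACT:   return PAGE_CUR_GE;
    case HA_READ_KEY_OR_NEXT: return PAGE_CUR_GE;
    case HA_READ_KEY_OR_PREV: return PAGE_CUR_LE;
    case HA_READ_AFTER_KEY:   return PAGE_CUR_G;
    case HA_READ_BEFORE_KEY:  return PAGE_CUR_L;
    case HA_READ_PREFIX:      return PAGE_CUR_GE;
    default:
        queued_error = "The used table type doesn't support SPATIAL indexes";
        return PAGE_CUR_UNSUPP;
    }
}

/* Minimal B-tree stand-in: position a cursor in a sorted key array.
 * Returns the index chosen by the mode, or -1 if no key qualifies. */
static long position_cursor(const int *keys, size_t n, int key, enum page_cur_mode mode) {
    size_t i;
    switch (mode) {
    case PAGE_CUR_GE: for (i = 0; i < n; i++)  if (keys[i] >= key) return (long)i; return -1;
    case PAGE_CUR_G:  for (i = 0; i < n; i++)  if (keys[i] >  key) return (long)i; return -1;
    case PAGE_CUR_LE: for (i = n; i-- > 0;)    if (keys[i] <= key) return (long)i; return -1;
    case PAGE_CUR_L:  for (i = n; i-- > 0;)    if (keys[i] <  key) return (long)i; return -1;
    default:          return -1;
    }
}

/* Caller modelled on the pattern the fix applies to index_read()/records_in_range():
 * check the sentinel and return an error code upstream rather than continuing.
 * On success *pos receives the cursor position. */
int index_read(const int *keys, size_t n, int key, enum ha_rkey_function f, long *pos) {
    enum page_cur_mode mode = convert_search_mode_after(f);
    if (mode == PAGE_CUR_UNSUPP) {
        *pos = -1;
        return DB_UNSUPPORTED;   /* the SQL layer surfaces this as ERROR 1464 */
    }
    *pos = position_cursor(keys, n, key, mode);
    return DB_SUCCESS;
}

int main(void) {
    static const int keys[] = { 3, 7, 7, 12, 20 };   /* constructed index page */
    long pos;
    int rc = index_read(keys, 5, 7, HA_READ_AFTER_KEY, &pos);
    printf("AFTER_KEY 7   -> rc=%d pos=%ld\n", rc, pos);          /* rc=0 pos=3 */
    rc = index_read(keys, 5, 7, HA_READ_MBR_CONTAIN, &pos);
    printf("MBR_CONTAIN 7 -> rc=%d error=%s\n", rc, queued_error); /* rc=1, server still up */
    return 0;
}
```

The point to take from the two converters is not the table of cases but the `default` branch: an assertion is appropriate for invariants the code itself guarantees, while the search mode arrives from the SQL layer on behalf of an arbitrary client, so it must be treated as input and handled with an error path that every caller checks.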
[20 Nov 2007 20:01] Timothy Smith
Patch queued to 5.0-, 5.1-, and 6.0-build team trees.
[21 Nov 2007 18:53] Bugs System
Pushed into 5.0.54
[21 Nov 2007 18:54] Bugs System
Pushed into 5.1.23-rc
[21 Nov 2007 18:54] Bugs System
Pushed into 6.0.4-alpha
[1 Dec 2007 6:06] Calvin Sun
Vasil - please provide doc info. Thanks!
[6 Dec 2007 7:12] Artem Russakovskii
Why has this been set private?
[11 Dec 2007 20:39] Paul Dubois
Noted in 5.0.54, 5.1.23, 6.0.4 changelogs.

InnoDB does not support SPATIAL indexes, but could crash when asked
to handle one. Now an error is returned.
[5 May 2010 15:14] Bugs System
Pushed into 5.1.47 (revid:joro@sun.com-20100505145753-ivlt4hclbrjy8eye) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[6 May 2010 3:05] Paul Dubois
Push resulted from incorporation of InnoDB tree. No changes pertinent to this bug. Re-closing.
[28 May 2010 5:52] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100524190136-egaq7e8zgkwb9aqi) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (pib:16)
[28 May 2010 6:21] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100524190941-nuudpx60if25wsvx) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[28 May 2010 6:49] Bugs System
Pushed into 5.5.5-m3 (revid:alik@sun.com-20100524185725-c8k5q7v60i5nix3t) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[29 May 2010 15:08] Paul Dubois
Push resulted from incorporation of InnoDB tree. No changes pertinent to this bug.
Re-closing.
[17 Jun 2010 11:53] Bugs System
Pushed into 5.1.47-ndb-7.0.16 (revid:martin.skold@mysql.com-20100617114014-bva0dy24yyd67697) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[17 Jun 2010 12:30] Bugs System
Pushed into 5.1.47-ndb-6.2.19 (revid:martin.skold@mysql.com-20100617115448-idrbic6gbki37h1c) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[17 Jun 2010 13:18] Bugs System
Pushed into 5.1.47-ndb-6.3.35 (revid:martin.skold@mysql.com-20100617114611-61aqbb52j752y116) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)