Bug #32421 mysqlbinlog crashes server when sending row-based binlog events
Submitted: 15 Nov 2007 20:55    Modified: 28 Jan 2008 8:53
Reporter: Guilhem Bichot
Status: Duplicate
Category: MySQL Server: Row Based Replication (RBR)    Severity: S3 (Non-critical)
Version: 5.1-bk    OS: Linux
Assigned to: Assigned Account    CPU Architecture: Any

[15 Nov 2007 20:55] Guilhem Bichot
Description:
My tree is a few weeks old.
Under certain circumstances, I see a repeatable segmentation fault of mysqld:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1219826800 (LWP 11543)]
0x082f83ae in unpack_row (rli=0x8902c08, table=0x890dba8, colcnt=1, 
    row_data=0x89051f8 "รพ\006", cols=0x890e9ec, row_end=0x890ea50, 
    master_reclength=0x890ea18) at rpl_utility.h:195
195         DBUG_ASSERT(index < m_size);
when piping BINLOG statements produced by mysqlbinlog into it.

How to repeat:
[INS 21:54 /m/mysql-5.1-maint/mysql-test $] cat t/bug.test
-- source include/have_binlog_format_row.inc

create table t(a int) engine=myisam;
insert into t values(1);
insert into t select a+1 from t;
insert into t select a+1 from t;
insert into t select a+1 from t;
insert into t select a+1 from t;
insert into t select a+1 from t;
insert into t select a+1 from t;
insert into t select a+1 from t;
insert into t select a+1 from t;
insert into t select a+1 from t;
insert into t select a+1 from t;
insert into t select a+1 from t;
insert into t select a+1 from t;

[INS 21:57 /m/mysql-5.1-maint/mysql-test $] cat t/bug-master.opt
-O max_binlog_size=4096

then
./mtr --record --mem --mysqld=--binlog-format=row bug --gdb
This runs the test and creates six binlogs.
Transform these binlogs into plain text:
../client/mysqlbinlog var/log/master-bin.00000* > a
Now connect to mysqld (still alive as we used --gdb):
../client/mysql -uroot -S var/tmp/master.sock -e "drop table test.t"
(this drop is needed because the binlog contains a CREATE)
and then
../client/mysql -uroot -S var/tmp/master.sock < ./a
I see the crash during execution of one BINLOG statement.
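An added pre-flight check, not part of this report or of MySQL itself: the BINLOG payload visible in the Mac backtrace further down (`1WJFRxcB...`) decodes to a 19-byte v4 event header whose type code is 0x17, a Write_rows event sitting first in its statement with no Table_map before it, which matches the `table_def::field_metadata (this=0x0)` frame. The Python below walks every BINLOG statement in mysqlbinlog output, parses the v4 event headers and reports any rows event that has no Table_map earlier in the same statement, so such a dump can be rejected before it is piped into a live server. Event type codes are the MySQL 5.1 values; the two sample statements are constructed, not real binlog content.

```python
import base64
import re
import struct

# v4 common header: timestamp(4) type_code(1) server_id(4) event_length(4) next_pos(4) flags(2)
HEADER_LEN = 19
TABLE_MAP_EVENT = 19
ROWS_EVENTS = {23: "Write_rows", 24: "Update_rows", 25: "Delete_rows"}  # MySQL 5.1 type codes
BINLOG_STMT = re.compile(r"BINLOG\s+'([^']*)'")  # mysqlbinlog emits BINLOG '\n<base64 lines>\n'/*!*/;

def parse_events(payload: bytes):
    """Yield (type_code, event_length) for every event packed into one decoded BINLOG payload."""
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < HEADER_LEN:
            raise ValueError("truncated event header at offset %d" % pos)
        type_code = payload[pos + 4]
        (event_len,) = struct.unpack_from("<I", payload, pos + 9)
        if event_len < HEADER_LEN or pos + event_len > len(payload):
            raise ValueError("bad event_length %d at offset %d" % (event_len, pos))
        yield type_code, event_len
        pos += event_len

def check_binlog_statements(text: str):
    """Return [(statement_no, [type_codes], problem_or_None)] for each BINLOG statement in text."""
    results = []
    for no, m in enumerate(BINLOG_STMT.finditer(text)):
        payload = base64.b64decode(m.group(1))  # b64decode drops the embedded newlines
        types = [t for t, _ in parse_events(payload)]
        problem, have_table_map = None, False
        for t in types:
            if t == TABLE_MAP_EVENT:
                have_table_map = True
            elif t in ROWS_EVENTS and not have_table_map:
                problem = "%s event with no Table_map earlier in the same statement" % ROWS_EVENTS[t]
                break
        results.append((no, types, problem))
    return results

def make_event(type_code: int, body: bytes) -> bytes:
    """Build one v4 event for the constructed sample (timestamp/next_pos/flags zeroed, server_id 1)."""
    return struct.pack("<IBIIIH", 0, type_code, 1, HEADER_LEN + len(body), 0, 0) + body

def binlog_stmt(*events: bytes) -> str:
    return "BINLOG '\n%s\n'/*!*/;\n" % base64.b64encode(b"".join(events)).decode()

# Constructed sample: statement 0 pairs Table_map with Write_rows; statement 1 carries a
# Write_rows event on its own, the shape seen in the backtrace's BINLOG statement.
SAMPLE = (binlog_stmt(make_event(TABLE_MAP_EVENT, b"\x10" * 20), make_event(23, b"\x01" * 12))
          + binlog_stmt(make_event(23, b"\x01" * 12)))
```

Run `check_binlog_statements(open("a").read())` on the file produced by mysqlbinlog and refuse to replay it if any entry carries a problem; the SAMPLE above yields one clean statement and one flagged statement.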
[22 Nov 2007 11:11] Sveta Smirnova
Thank you for the report.

Verified as described.

bt on Linux:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1220482128 (LWP 2715)]
0x08293fad in unpack_row ()
(gdb) bt
#0  0x08293fad in unpack_row ()
#1  0x082860a9 in Rows_log_event::write_row ()
#2  0x08286301 in Write_rows_log_event::do_exec_row ()
#3  0x082873d2 in Rows_log_event::do_apply_event ()
#4  0x0832218c in mysql_client_binlog_statement ()
#5  0x081ed712 in mysql_execute_command ()
#6  0x081f4d7f in mysql_parse ()
#7  0x081f5323 in dispatch_command ()
#8  0x081f6424 in do_command ()
#9  0x081e780f in handle_one_connection ()
#10 0x0045fbd4 in start_thread () from /lib/libpthread.so.0
#11 0x003b74fe in clone () from /lib/libc.so.6

bt on Mac:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
[Switching to process 25486 thread 0x2013]
0x00629d38 in table_def::field_metadata (this=0x0, index=0) at rpl_utility.h:195
195         DBUG_ASSERT(index < m_size);
(gdb) bt
#0  0x00629d38 in table_def::field_metadata (this=0x0, index=0) at rpl_utility.h:195
#1  0x001a5a28 in unpack_row (rli=0x5870200, table=0x5813818, colcnt=1, row_data=0x5873a18 "?\006", cols=0x4505450, row_end=0x45054b4, master_reclength=0x450547c) at rpl_record.cc:249
#2  0x0062961e in Rows_log_event::unpack_current_row (this=0x4505418, rli=0x5870200) at log_event.h:2320
#3  0x00195253 in Rows_log_event::write_row (this=0x4505418, rli=0x5870200, overwrite=true) at log_event.cc:7167
#4  0x00195c4f in Write_rows_log_event::do_exec_row (this=0x4505418, rli=0x5870200) at log_event.cc:7339
#5  0x00199b5f in Rows_log_event::do_apply_event (this=0x4505418, rli=0x5870200) at log_event.cc:6144
#6  0x0062fe57 in Log_event::apply_event (this=0x4505418, rli=0x5870200) at log_event.h:843
#7  0x00285c05 in mysql_client_binlog_statement (thd=0x5825818) at sql_binlog.cc:176
#8  0x000d5315 in mysql_execute_command (thd=0x5825818) at sql_parse.cc:4410
#9  0x000d5996 in mysql_parse (thd=0x5825818, inBuf=0x586c428 "BINLOG '\n1WJFRxcBAAAADwQAAHkEAAAAAB", 'A' <repeats 11 times>, "f/+BgAAAP4HAAAA/gYAAAD+BwAAAP4HAAAA/ggA\nAAD+BQAAAP4GAAAA/gYAAAD+BwAAAP4GAAAA/gcAAAD+BwAAAP4IAAAA/gYAAAD+BwAAAP4HAAAA\n/ggAAAD+BwAAAP4IAAAA/ggAAAD+CQAAAP4FA"..., length=2187, found_semicolon=0xb0061dcc) at sql_parse.cc:5487
#10 0x000d6676 in dispatch_command (command=COM_QUERY, thd=0x5825818, packet=0x444b019 "BINLOG '\n1WJFRxcBAAAADwQAAHkEAAAAAB", 'A' <repeats 11 times>, "f/+BgAAAP4HAAAA/gYAAAD+BwAAAP4HAAAA/ggA\nAAD+BQAAAP4GAAAA/gYAAAD+BwAAAP4GAAAA/gcAAAD+BwAAAP4IAAAA/gYAAAD+BwAAAP4HAAAA\n/ggAAAD+BwAAAP4IAAAA/ggAAAD+CQAAAP4FA"..., packet_length=2187) at sql_parse.cc:991
#11 0x000d78e6 in do_command (thd=0x5825818) at sql_parse.cc:725
#12 0x000c42d9 in handle_one_connection (arg=0x5825818) at sql_connect.cc:1107
#13 0x90024227 in _pthread_body ()
[28 Jan 2008 8:52] Zhenxing He
Duplicate of bug#27779, and already fixed.