Bug #37690 join_buffer_size = 0 + use of JOIN_CACHE_BKA_UNIQUE crash mysqld
Submitted: 27 Jun 2008 11:30 Modified: 22 Nov 2010 1:15
Reporter: Tatiana Azundris Nuernberg
Status: Closed
Category:MySQL Server: Optimizer Severity:S3 (Non-critical)
Version:6.0-bka-preview OS:Any
Assigned to: Igor Babaev CPU Architecture:Any
Triage: Triaged: D3 (Medium)

[27 Jun 2008 11:30] Tatiana Azundris Nuernberg
Description:
For sufficiently small join-buffers, get_size_of_rec_offset() may render values < 2, in which case some variables never get initialised in JOIN_CACHE_BKA_UNIQUE::init(). This usually leads to a crash soon after when bzero() is called with a random length-argument.

How to repeat:
set join_buffer_size=0;

and run a query that will use a join-buffer

Suggested fix:
int JOIN_CACHE_BKA_UNIQUE::init()
{
  ...
  /* Calculate the minimal possible value of size_of_key_ofs greater than 1 */  
  for (size_of_key_ofs= 2;
       size_of_key_ofs <= max(2, get_size_of_rec_offset());
       size_of_key_ofs+= 2)
  {
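The loop-bound defect this report describes, as an added stand-alone C model (not MySQL code, and not the reporter's patch). Only the names JOIN_CACHE_BKA_UNIQUE::init, get_size_of_rec_offset, size_of_key_ofs and cleanup_hash_table come from the report; the following are assumptions: get_size_of_rec_offset() is modelled as the fewest whole bytes that can hold an offset into a buffer of join_buffer_size bytes (so any buffer under 256 bytes yields 1, matching the "less than 256" threshold in the commit message below), the hash-table sizing done by the loop body is a stand-in, and a GARBAGE sentinel models the fields the allocator left uninitialised.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the loop bound in JOIN_CACHE_BKA_UNIQUE::init(). Not MySQL
 * code: the function names follow the report, everything else is assumed. */

/* Assumption: a record offset into the join buffer is stored in the fewest
 * whole bytes that can hold buff_size, so a buffer under 256 bytes needs one
 * byte, which is the case the report describes. */
static unsigned get_size_of_rec_offset(size_t buff_size)
{
    unsigned n = 1;
    while (n < sizeof(size_t) && (buff_size >> (8 * n)) != 0)
        n++;
    return n;
}

#define GARBAGE 0xDEADBEEFu   /* stands in for whatever the allocator left behind */

struct bka_unique_cache {
    size_t        buff_size;        /* join_buffer_size */
    unsigned      size_of_key_ofs;  /* bytes per key offset; must end up >= 2 */
    size_t        hash_table_size;  /* length later handed to bzero() */
    int           initialised;      /* set only inside the for-loop body */
    unsigned char hash_table[4096]; /* demo-sized hash table storage */
};

static void alloc_cache(struct bka_unique_cache *c, size_t buff_size)
{
    c->buff_size = buff_size;
    c->size_of_key_ofs = GARBAGE;   /* fields init() is expected to set start as garbage */
    c->hash_table_size = GARBAGE;
    c->initialised = 0;
}

/* Stand-in loop body: accept the first even offset width that can address
 * every hash entry the buffer holds (modelled as buff_size/(width+1) entries). */
static int try_key_ofs(struct bka_unique_cache *c, unsigned width)
{
    size_t entries = c->buff_size / (width + 1);
    size_t addressable = width >= sizeof(size_t) ? SIZE_MAX
                                                 : (((size_t)1 << (8 * width)) - 1);
    if (entries > addressable)
        return 0;
    c->size_of_key_ofs = width;
    c->hash_table_size = entries * width;
    c->initialised = 1;
    return 1;
}

static int init_with_bound(struct bka_unique_cache *c, unsigned max_size_of_key_ofs)
{
    unsigned size_of_key_ofs;
    for (size_of_key_ofs = 2; size_of_key_ofs <= max_size_of_key_ofs; size_of_key_ofs += 2)
        if (try_key_ofs(c, size_of_key_ofs))
            break;
    return c->initialised;
}

/* Before the fix: the bound is get_size_of_rec_offset() itself. With a 1-byte
 * offset the test 2 <= 1 fails at once and the body never runs. */
static int init_original(struct bka_unique_cache *c)
{
    return init_with_bound(c, get_size_of_rec_offset(c->buff_size));
}

/* After the fix: the bound is max(2, get_size_of_rec_offset()), so the body
 * runs at least once and every field it owns is written. */
static int init_fixed(struct bka_unique_cache *c)
{
    unsigned r = get_size_of_rec_offset(c->buff_size);
    return init_with_bound(c, r > 2 ? r : 2);
}

/* Returns the length cleanup_hash_table() would pass to bzero(); memory is
 * only touched when the length is sane, where the real code would fault. */
static size_t cleanup_hash_table(struct bka_unique_cache *c)
{
    if (c->initialised && c->hash_table_size <= sizeof c->hash_table)
        memset(c->hash_table, 0, c->hash_table_size);   /* bzero() */
    return c->hash_table_size;
}

/* alloc -> init -> cleanup for one buffer size; GARBAGE means the crash path. */
static size_t bzero_length_after_init(size_t buff_size, int fixed)
{
    struct bka_unique_cache c;
    alloc_cache(&c, buff_size);
    if (fixed) init_fixed(&c); else init_original(&c);
    return cleanup_hash_table(&c);
}

static unsigned chosen_key_ofs(size_t buff_size, int fixed)
{
    struct bka_unique_cache c;
    alloc_cache(&c, buff_size);
    if (fixed) init_fixed(&c); else init_original(&c);
    return c.size_of_key_ofs;
}

int main(void)
{
    static const size_t sizes[] = { 0, 32, 128, 255, 256, 4096 };
    size_t i;
    printf("%8s %7s %18s %18s\n", "buffer", "rec_ofs", "bzero len (orig)", "bzero len (fixed)");
    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%8zu %7u %18zu %18zu\n", sizes[i], get_size_of_rec_offset(sizes[i]),
               bzero_length_after_init(sizes[i], 0), bzero_length_after_init(sizes[i], 1));
    return 0;
}
```

The table the program prints shows the shape of the bug rather than MySQL's exact numbers: for every buffer below 256 bytes the original bound leaves size_of_key_ofs and hash_table_size at their garbage values and cleanup_hash_table() would hand that garbage length to bzero(), while from 256 bytes up the original and fixed paths agree. The reporter's max(2, ...) bound is the whole difference; note that the real init() may contain further exits from the loop, so a review of the actual fix should confirm that every field cleanup_hash_table() reads is assigned on all paths out of the loop, not only on the first iteration.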
[3 Jul 2008 5:21] Igor Babaev
This bug can be reproduced as follows:

mysql> CREATE TABLE t1 (a int, b int, INDEX idx(b));
Query OK, 0 rows affected (0.07 sec)

mysql> CREATE TABLE t2 (a int, b int, INDEX idx(a));
Query OK, 0 rows affected (0.05 sec)

mysql> INSERT INTO t1 VALUES (5,30), (3,20), (7,40), (2,10), (8,30), (1,10), (4,20);
Query OK, 7 rows affected (0.01 sec)
Records: 7  Duplicates: 0  Warnings: 0

mysql> INSERT INTO t2 VALUES (7,10), (1,20), (2,20), (8,20), (8,10), (1,20);
Query OK, 6 rows affected (0.00 sec)
Records: 6  Duplicates: 0  Warnings: 0

mysql> INSERT INTO t2 VALUES (1,10), (4,20), (3,20), (7,20), (7,10), (1,20);
Query OK, 6 rows affected (0.00 sec)
Records: 6  Duplicates: 0  Warnings: 0

mysql>
mysql> set join_buffer_size=32;
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> set join_cache_level=8;
Query OK, 0 rows affected (0.00 sec)

mysql>
mysql> EXPLAIN SELECT * FROM t1,t2 WHERE t1.a=t2.a AND t1.b >= 30;
+----+-------------+-------+------+---------------+------+---------+-----------+------+-------------------+
| id | select_type | table | type | possible_keys | key  | key_len | ref       | rows | Extra             |
+----+-------------+-------+------+---------------+------+---------+-----------+------+-------------------+
|  1 | SIMPLE      | t1    | ALL  | idx           | NULL | NULL    | NULL      |    7 | Using where       |
|  1 | SIMPLE      | t2    | ref  | idx           | idx  | 5       | test.t1.a |    2 | Using join buffer |
+----+-------------+-------+------+---------------+------+---------+-----------+------+-------------------+
2 rows in set (0.00 sec)

mysql> SELECT * FROM t1,t2 WHERE t1.a=t2.a AND t1.b >= 30;
ERROR 2013 (HY000): Lost connection to MySQL server during query

While on the server side we have:
Breakpoint 1, JOIN_CACHE_BKA_UNIQUE::init (this=0x937c018) at sql_select.cc:18935
(gdb) cont

Program received signal SIGSEGV, Segmentation fault.
0x0835f611 in JOIN_CACHE_BKA_UNIQUE::cleanup_hash_table (this=0x937c018) at sql_select.cc:19258
[4 Jul 2008 3:25] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/48992

2637 Igor Babaev	2008-07-03
      Fixed bug #37690 in the BKA code.
      Wrong choice of the upper limit value in a 'for' statement
      within the JOIN_CACHE_BKA_UNIQUE::init function caused
      crashes for executed queries if the size of the join buffer
      was set less than 256.
[4 Jul 2008 13:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/49014

2637 Igor Babaev	2008-07-04
      Fixed bug #37690 in the BKA code.
      Wrong choice of the upper limit value in a 'for' statement
      within the JOIN_CACHE_BKA_UNIQUE::init function caused
      crashes for executed queries if the size of the join buffer
      was set less than 256.
[4 Jul 2008 15:26] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/49022

2637 Igor Babaev	2008-07-04
      Fixed bug #37690 in the BKA code.
      Wrong choice of the upper limit value in a 'for' statement
      within the JOIN_CACHE_BKA_UNIQUE::init function caused
      crashes for executed queries if the size of the join buffer
      was set less than 256.
[4 Jul 2008 15:28] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/49023

2637 Igor Babaev	2008-07-04
      Fixed bug #37690 in the BKA code.
      Wrong choice of the upper limit value in a 'for' statement
      within the JOIN_CACHE_BKA_UNIQUE::init function caused
      crashes for executed queries if the size of the join buffer
      was set less than 256.
[14 Dec 2008 11:07] Bugs System
Pushed into 6.0.5-alpha  (revid:igor@mysql.com-20080704132747-vz7jkjp4w7uztxa8) (version source revid:igor@mysql.com-20080704132747-vz7jkjp4w7uztxa8) (pib:5)
[14 Jan 2009 0:37] Paul Dubois
Correction: This is pushed into 6.0.9.
[14 Jan 2009 0:46] Paul Dubois
Noted in 6.0.9 changelog.

For queries executed with the batched-key access method, an incorrect
value of an internal parameter caused server crashes if
join_buffer_size was less than 256.
[16 Aug 2010 6:31] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100816062819-bluwgdq8q4xysmlg) (version source revid:alik@sun.com-20100816062612-enatdwnv809iw3s9) (pib:20)
[13 Nov 2010 16:04] Bugs System
Pushed into mysql-trunk 5.6.99-m5 (revid:alexander.nozdrin@oracle.com-20101113155825-czmva9kg4n31anmu) (version source revid:vasil.dimov@oracle.com-20100629074804-359l9m9gniauxr94) (merge vers: 5.6.99-m4) (pib:21)
[22 Nov 2010 1:15] Paul Dubois
Noted in 5.6.1 changelog.
[23 Nov 2010 2:28] Paul Dubois
Correction: No 5.6.1 changelog entry. Bug does not appear in any released 5.6.x version.