Bug #38130 | Falcon assertion in IndexNode::expandKey offset + length <= MAX_PHYSICAL_KEY_LEN | | |
---|---|---|---|
Submitted: | 15 Jul 2008 10:35 | Modified: | 15 May 2009 16:17 |
Reporter: | Philip Stoev | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Falcon storage engine | Severity: | S1 (Critical) |
Version: | 6.0-falcon | OS: | Any |
Assigned to: | Lars-Erik Bjørk | CPU Architecture: | Any |
Tags: | F_LIMIT | | |
[15 Jul 2008 10:35]
Philip Stoev
[15 Jul 2008 14:05]
Philip Stoev
Grammar file for bug 38130
Attachment: bug38130.yy (application/octet-stream, text), 1016 bytes.
[15 Jul 2008 14:08]
Philip Stoev
I just uploaded a grammar file for this bug. To reproduce, please clone the mysql-test-extra-6.0 tree and execute

    $ cd mysql-test-extra-6.0/mysql-test/gentest
    $ perl runall.pl \
        --basedir=/path/to/mysql-6.0-falcon \
        --grammar=/location/of/bug38130.yy \
        --engine=falcon \
        --mysqld=--falcon_lock_wait_timeout=1 \
        --queries=100000

On a dual-core virtualized 1.4GHz it takes 12 min at 10 threads to crash, 141460 queries, 2602 rollbacks, 2558 commits.
[3 Jan 2009 11:37]
Philip Stoev
Still present in 6.0-falcon-team. To reproduce within 5 min, execute:

    $ perl runall.pl \
        --mysqld=--falcon-page-size=4K \
        --vardir=/tmp/vardir \
        --rows=10000 \
        --threads=4 \
        --mask=58 \
        --queries=1000000 \
        --duration=300 \
        --basedir=/build/bzr/6.0-falcon-team \
        --engine=Falcon \
        --grammar=conf/combinations.yy \
        --gendata=conf/combinations.zz \
        --reporter=Backtrace \
        --mysqld=--loose-falcon-lock-wait-timeout=1 \
        --mysqld=--log-output=none
[27 Feb 2009 9:39]
Lars-Erik Bjørk
This bug is closely related to bug#42341. The difference seems to be that the garbage, read behind the END_BUCKET node, is not caught in the first consistency check, but in a later check. This crash also disappears when applying the change suggested in the report for bug#42341.
[2 Mar 2009 8:17]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/67956

3043 lars-erik.bjork@sun.com 2009-03-02

This is a patch for bug#42341 Falcon assertion (key - (UCHAR*) indexNode < 14) in IndexNode::parseNode and bug#38130 Falcon assertion in IndexNode::expandKey offset + length <= MAX_PHYSICAL_KEY_LENGTH

These crashes happen because we are trying to use the data behind the last node in the bucket, when we are walking the index. The reason for this is that the node with the special record number -1 (which indicates END_BUCKET) is the only node in the page.

WalkIndex::getNextNode has the following piece of code:

    int32 WalkIndex::getNextNode(void)
    {
        for (;; first = true)
            {
            if (first)
                {
                first = false;
                recordNumber = node.getNumber();

                if (recordNumber >= 0)
                    return recordNumber;
                else if (recordNumber == END_LEVEL)
                    return -1;
                }

            node.getNext(endNodes);

We fail to check if recordNumber == END_BUCKET. In the case of bug#42341, we try to parse some garbage data in IndexNode::parseNode and assert on a consistency check. In the case of bug#38130, we slip through this consistency check, but assert on a second check in IndexNode::expandKey.

Changing the if from

    else if (recordNumber == END_LEVEL)

to

    else if (recordNumber == END_LEVEL || recordNumber == END_BUCKET)

prevents both crashes.

modified file 'storage/falcon/WalkIndex.cpp'
-----------------------------------------------
Changed the if to prevent reading behind the END_BUCKET node.
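The fault described in the commit message, as an added example in simplified C++ that is not Falcon's code: an index page is modelled as a slot array, a cursor whose out-of-range read stands in for the parseNode/expandKey consistency assertions, and getNextNode is shown with and without the END_BUCKET check. The END_LEVEL value, IndexPage, NodeCursor, walkCrashes and emptyBucketPage are assumptions of this model.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// END_BUCKET is -1 as stated in the commit message; END_LEVEL's value is assumed.
constexpr int32_t END_BUCKET = -1;
constexpr int32_t END_LEVEL  = -2;

// Constructed model of an index page: the first `used` slots hold nodes, the
// remaining slots hold stale data left over from earlier use of the page.
struct IndexPage {
    std::vector<int32_t> slots;
    std::size_t used;
};

// Cursor over the nodes of one page. Reading a slot beyond `used` stands in for
// the consistency assertions in parseNode/expandKey that fired on the garbage.
struct NodeCursor {
    const IndexPage& page;
    std::size_t pos = 0;
    int32_t getNumber() const {
        if (pos >= page.used)
            throw std::logic_error("consistency check: node lies behind END_BUCKET");
        return page.slots[pos];
    }
    void getNext() { ++pos; }
};

// Simplified WalkIndex::getNextNode. With fixed == false it keeps the original
// omission: END_BUCKET is not recognised, so the walker advances past it.
int32_t getNextNode(const IndexPage& page, bool fixed) {
    NodeCursor node{page};
    for (;;) {
        int32_t recordNumber = node.getNumber();
        if (recordNumber >= 0)
            return recordNumber;
        if (recordNumber == END_LEVEL || (fixed && recordNumber == END_BUCKET))
            return -1;
        node.getNext();  // the original fell through to here after END_BUCKET
    }
}

// True when walking `page` trips the consistency check.
bool walkCrashes(const IndexPage& page, bool fixed) {
    try { getNextNode(page, fixed); return false; }
    catch (const std::logic_error&) { return true; }
}
// Constructed page whose only node is END_BUCKET, the case from the report.
IndexPage emptyBucketPage() { return IndexPage{{END_BUCKET, 0x5a5a5a5a, 0x5a5a5a5a}, 1}; }
```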
[2 Mar 2009 14:39]
Kevin Lewis
Patch approved
[2 Apr 2009 17:38]
Bugs System
Pushed into 6.0.11-alpha (revid:hky@sun.com-20090402144811-yc5kp8g0rjnhz7vy) (version source revid:christopher.powers@sun.com-20090304040340-b4zoglfws0iswqm1) (merge vers: 6.0.11-alpha) (pib:6)
[15 May 2009 16:17]
MC Brown
Internal/test fix. No changelog entry required.