Bug #42297 Maria: crash in multi-range-read code
Submitted: 23 Jan 2009 10:16 Modified: 7 May 2009 8:30
Reporter: Guilhem Bichot Email Updates:
Status: Closed Impact on me:
Category:MySQL Server: Maria storage engine Severity:S3 (Non-critical)
Version:6.0-maria OS:Linux
Assigned to: Guilhem Bichot
Triage: Triaged: D1 (Critical)

[23 Jan 2009 10:16] Guilhem Bichot
./mtr --force --mysqld=--default-storage-engine=maria t/subselect*.test t/func_in.test
I see several segfaults like this:
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(handle_segfault+0x2f9) [0x8315c57]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(ha_maria::multi_range_read_next(char**)+0x25) [0x87d5285]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(JOIN_CACHE_BKA::join_matching_records(bool)+0x1b0) [0x836cd3e]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(JOIN_CACHE::join_records(bool)+0x6c) [0x836b9d0]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(sub_select_cache(JOIN*, st_join_table*, bool)+0x73) [0x8398e89]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(sub_select(JOIN*, st_join_table*, bool)+0x43) [0x8398b99]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld [0x839feac]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(JOIN::exec()+0x21a1) [0x83bc971]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(subselect_single_select_engine::exec()+0x4fa) [0x82c76bc]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(Item_subselect::exec()+0x6a) [0x82cc02c]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(Item_in_subselect::exec()+0x134) [0x82cc1a4]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(Item_in_subselect::val_bool()+0x50) [0x82c4e84]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(Item::val_bool_result()+0x18) [0x825a5f8]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(Item_in_optimizer::val_int()+0x140) [0x828b638]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(Item::send(Protocol*, String*)+0x1ae) [0x8247456]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(Protocol::send_result_set_row(List<Item>*)+0x9e) [0x8307012]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(select_send::send_data(List<Item>&)+0xc5) [0x82fdc19]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld [0x8390142]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld [0x8398a34]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(sub_select(JOIN*, st_join_table*, bool)+0x257) [0x8398dad]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld [0x839fe80]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(JOIN::exec()+0x21a1) [0x83bc971]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, uns
igned long long, select_result*, st_select_lex_unit*, st_select_lex*)+0x329) [0x83b75c5]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(handle_select(THD*, LEX*, select_result*, unsigned long)+0x1ec) [0x83bcc82]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld [0x8325de9]
/home/mysql_src/bzrrepos/mysql-6.0-maria/sql/mysqld(mysql_execute_command(THD*)+0x7d5) [0x8326e5d]

How to repeat:
./mtr --force --mysqld=--default-storage-engine=maria t/subselect*.test t/func_in.test
[12 Mar 2009 9:21] Guilhem Bichot
goes away when removing HA_DO_INDEX_COND_PUSHDOWN from ha_maria.h
[13 Mar 2009 13:15] Guilhem Bichot
does not crash anymore (maybe an effect of the recent merge from 6.0-main) but gives wrong results.
[13 Mar 2009 13:16] Guilhem Bichot
for example the func_in test
[13 Mar 2009 14:11] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:


2726 Guilhem Bichot	2009-03-13
      Fix for multiple symptoms sharing the same cause:
      BUG#42297 Maria: crash in multi-range-read code
      BUG#42298 Maria: SELECT with join returns no rows
      BUG#42299 Maria: SELECT using cp1251-table returns no rows
      BUG#42681 Maria returns duplicate rows with range access on 'date type
      BUG#42683 Maria returns wrong results for <= NULL and <> NULL 
      BUG#43527 Maria returns no rows on multi range access with limit clause
      BUG#43530 Maria has Issues with range select <>, < with -ve range values on signed index
      BUG#43552 Maria returned wrong rows with range access on float
      BUG#43620 Maria throws 'Got error 176 from storage engine' on a range query
      BUG#43623 Maria returns no rows with date index on range access >, >=, BETWEEN
     @ mysql-test/suite/maria/r/maria.result
        after fixing the bug, we can see one more row in the result. Ah, if we had paid attention
        to maria.result when we added this straight_join test, we would have caught the bug immediately.
     @ mysql-test/suite/maria/r/maria4.result
     @ mysql-test/suite/maria/t/maria4.test
        test for fixed bugs. All its pieces would fail (errno 176, missing rows, too many rows) without the entire
        bugfix of ma_rkey.c
     @ storage/maria/ma_rkey.c
        Because of missing (), icp_res was inverted compared to the result of
        ma_check_index_cond(), which wasn't desired (0==0 -> 1, 1==0 -> 0). We would go
        to "err:" wrongly and thus pick up the value of my_errno which was left from previous
        functions (for example, 176 left by the ha_tina CSV log write at start of statement!);
        sometimes the errno would be returned to client, sometimes it would just cause
        a matching row to be missed.
        This fixed BUG#42297 BUG#42298. But was not enough for BUG#43552:
        - icp_res==2 was not converted to "key not found", causing non-matching rows to be returned.
        Now the usage of icp_res is closer to ma_rnext.c and ma_rnext_same.c.
[3 Apr 2009 14:52] Bugs System
Pushed into 6.0.11-alpha (revid:guilhem@mysql.com-20090402210815-lu17n4kj8c73cfe8) (version source revid:guilhem@mysql.com-20090313141043-73a6mr7hsrqm3djc) (merge vers: 6.0.11-alpha) (pib:6)
[7 May 2009 8:30] MC Brown
A note has been added to the 6.0.11 changelog: 

Running multi-range queries on Maria tables could cause a crash.