| Bug #46425 | crash in Diagnostics_area::set_ok_status , empty statement, DELETE IGNORE | ||
|---|---|---|---|
| Submitted: | 28 Jul 2009 10:15 | Modified: | 12 Mar 2010 17:37 |
| Reporter: | Matthias Leich | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server | Severity: | S3 (Non-critical) |
| Version: | 5.1,5.4 | OS: | Any |
| Assigned to: | Magne Mæhre | CPU Architecture: | Any |
| Tags: | crash | ||
[28 Jul 2009 10:39]
Matthias Leich
1. I get the same crash with debug compiled
mysql-5.1-bugteam 2009-07-27 .
2. At least MySQL azalea (5.4) not debug compiled
does not crash.
IMHO the reason for the crash is somehow caused by
the mixup of the failing statements.
It is to be expected that several statements get
error responses. Snip from my server log:
...
CREATE TABLE t1 AS SELECT * FROM table1_int_autoinc
I assume success
CREATE TABLE t1 AS SELECT * FROM table1_int_autoinc
I assume error.
CREATE TABLE t1 AS SELECT * FROM table1_int_autoinc
I assume error
CREATE TRIGGER tr1 AFTER DELETE ON t1 FOR EACH ROW BEGIN INSERT INTO t1 SELECT * FROM t1 AS A ; END ; ; DROP TRIGGER tr1
I assume success except an error for the
empty statement.
CREATE TABLE t1 As SELECT * FROM table1_int_autoinc
I assume error
CREATE TRIGGER tr1 AFTER DELETE ON t1 FOR EACH ROW BEGIN INSERT INTO t1 SELECT * FROM t1 AS A ; END ; ; DROP TRIGGER tr1
I assume success except an error for the
empty statement.
CREATE TABLE t1 AS SELECT * FROM table1_int_autoinc
I assume error
CREATE TABLE t1 AS SELECT * FROM table1_int_autoinc
...
CREATE TABLE t1 AS SELECT * FROM table1_int_autoinc
...
CREATE TABLE t1 As SELECT * FROM table1_int_autoinc
...
CREATE TABLE t1 AS SELECT * FROM table1_int_autoinc
...
DELETE IGNORE FROM t1
crash
If I remove the IGNORE from the DELETE then the crash
disappears.
[28 Jul 2009 11:04]
Matthias Leich
Similar crash with a bit modified test grammar:
query:
DELETE IGNORE FROM t1 |
CREATE TABLE t1 AS SELECT * FROM table1_int_autoinc |
CREATE TABLE t1 As SELECT * FROM table1_int_autoinc |
CREATE TRIGGER tr1 AFTER DELETE ON t1 FOR EACH ROW BEGIN INSERT INTO t1 SELECT * FROM t1 AS A ; END ;
# If I add the DROP TRIGGER then the crash disappears
# CREATE TRIGGER tr1 AFTER DELETE ON t1 FOR EACH ROW BEGIN INSERT INTO t1 SELECT * FROM t1 AS A ; END ; DROP TRIGGER tr1 ;
[9 Oct 2009 14:21]
Konstantin Osipov
Magne, could you please verify it's a duplicate of one of the other IGNORE bugs you have in 'Patch Pending'? Thank you, -kostja
[27 Oct 2009 20:36]
Magne Mæhre
This is a simple mtr test case that triggers the bug:
#
# Bug #46425 crash in Diagnostics_area::set_ok_status ,
# empty statement, DELETE IGNORE
#
CREATE table t1 (i INTEGER);
INSERT INTO t1 VALUES (1);
--delimiter |
CREATE TRIGGER tr1 AFTER DELETE ON t1 FOR EACH ROW
BEGIN
INSERT INTO t1 SELECT * FROM t1 AS A;
END |
--delimiter ;
DELETE IGNORE FROM t1;
DROP TABLE t1;
[27 Oct 2009 21:06]
Konstantin Osipov
Very simple test case that leads to a crash, please re-triage.
[27 Oct 2009 21:07]
Konstantin Osipov
should be 51mru at least.
[27 Oct 2009 21:28]
Konstantin Osipov
Patch:
=== modified file 'sql/sql_delete.cc'
--- sql/sql_delete.cc 2009-10-16 10:29:42 +0000
+++ sql/sql_delete.cc 2009-10-27 21:05:49 +0000
@@ -426,7 +426,8 @@ cleanup:
}
DBUG_ASSERT(transactional_table || !deleted || thd->transaction.stmt.modified_non_trans_table);
free_underlaid_joins(thd, select_lex);
- if (error < 0 || (thd->lex->ignore && !thd->is_fatal_error))
+ if (error < 0 || (thd->lex->ignore && !thd->is_error() &&
+ !thd->is_fatal_error))
{
/*
If a TRUNCATE TABLE was issued, the number of rows should be reported as
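Review bot: The added `!thd->is_error()` term in the `if` after `free_underlaid_joins()` comes without a regression test; the mtr case posted earlier in this report (an AFTER DELETE trigger that inserts into t1, followed by `DELETE IGNORE FROM t1`) should go into the test suite together with the change. The comment inside the branch should also state that IGNORE only yields OK when the diagnostics area holds no error, and it is worth confirming that the return value past this block reports failure when the branch is skipped with `error >= 0`, since that path is not visible in this hunk.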
[11 Nov 2009 22:06]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
http://lists.mysql.com/commits/90171
3196 Magne Mahre 2009-11-11
Bug #46425 crash in Diagnostics_area::set_ok_status , empty statement, DELETE IGNORE
The ER_CANT_UPDATE_USED_TABLE_IN_SF_OR_TRG error was set in the diagnostics area when it happened, but the DELETE cleanup code never checked for a non-fatal error condition, thus trying to set diag.area to "ok". This triggered an assert checking that the diag.area was empty.
The fix was to test if there existed a non-fatal error condition (thd->is_error()) before ok'ing the operation.
[18 Nov 2009 9:32]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
http://lists.mysql.com/commits/90813
3203 Magne Mahre 2009-11-18
Bug #46425 crash in Diagnostics_area::set_ok_status , empty statement, DELETE IGNORE
The ER_CANT_UPDATE_USED_TABLE_IN_SF_OR_TRG error was set in the diagnostics area when it happened, but the DELETE cleanup code never checked for a non-fatal error condition, thus trying to set diag.area to "ok". This triggered an assert checking that the diag.area was empty.
The fix was to test if there existed a non-fatal error condition (thd->is_error()) before ok'ing the operation.
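Added example, not MySQL source and not part of this report: a simplified C++ model of the diagnostics-area invariant described in the commit message, comparing the cleanup condition before and after the patch. The `Stmt`, `Da`, `Outcome` and `run_delete` names are hypothetical, the exception stands in for the debug-build assert, and the error value 1 for a failed trigger is an assumption.

```cpp
#include <stdexcept>

// Simplified stand-in for the server's diagnostics area (hypothetical names):
// one statement may record exactly one result, OK or error.
enum class Da { Empty, Ok, Error };
enum class Outcome { SentOk, SentError, AssertFired };

struct Stmt {
    Da da = Da::Empty;
    bool ignore = false;       // models thd->lex->ignore
    bool fatal = false;        // models thd->is_fatal_error
    bool is_error() const { return da == Da::Error; }
    // Models the assert in the backtrace: OK may only go into an empty area.
    // The exception stands in for the debug-build abort().
    void set_ok() {
        if (da != Da::Empty) throw std::logic_error("diagnostics area not empty");
        da = Da::Ok;
    }
};

// Cleanup condition as it was before the patch ('-' line of the hunk).
bool cleanup_before(Stmt &s, int error) {
    if (error < 0 || (s.ignore && !s.fatal)) { s.set_ok(); return true; }
    return false;
}

// Cleanup condition after the patch ('+' lines of the hunk).
bool cleanup_after(Stmt &s, int error) {
    if (error < 0 || (s.ignore && !s.is_error() && !s.fatal)) { s.set_ok(); return true; }
    return false;
}

// One DELETE on t1. When the trigger fails, the error is already recorded in
// the diagnostics area and the row loop ends with error >= 0 (assumed value 1).
Outcome run_delete(bool ignore, bool trigger_fails, bool patched) {
    Stmt s;
    s.ignore = ignore;
    int error = -1;            // -1: rows processed without error
    if (trigger_fails) { s.da = Da::Error; error = 1; }
    try {
        bool ok = patched ? cleanup_after(s, error) : cleanup_before(s, error);
        return ok ? Outcome::SentOk : Outcome::SentError;
    } catch (const std::logic_error &) {
        return Outcome::AssertFired;
    }
}

int main() {
    // Pre-patch DELETE IGNORE with a failing trigger trips the assert.
    return run_delete(true, true, false) == Outcome::AssertFired ? 0 : 1;
}
```

In a build without the assert, the pre-patch path would report OK over an already recorded error, which matches the changelog wording that IGNORE masked the trigger error.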
[18 Nov 2009 9:52]
Magne Mæhre
Pushed and merged to 5.1-bugteam and -pe
[2 Dec 2009 8:04]
Bugs System
Pushed into 5.1.42 (revid:joro@sun.com-20091202080033-mndu4sxwx19lz2zs) (version source revid:davi.arnaut@sun.com-20091125130912-d7hrln14ef7y5d7i) (merge vers: 5.1.42) (pib:13)
[15 Dec 2009 17:14]
Paul DuBois
Noted in 5.1.42 changelog. The IGNORE clause on a DELETE statement masked an SQL statement error that occurred during trigger processing. Setting report to NDI pending push to 5.5.x+.
[16 Dec 2009 8:37]
Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091216083311-xorsasf5kopjxshf) (version source revid:alik@sun.com-20091214191830-wznm8245ku8xo702) (merge vers: 6.0.14-alpha) (pib:14)
[16 Dec 2009 8:44]
Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091216082430-s0gtzibcgkv4pqul) (version source revid:alexey.kopytov@sun.com-20091124083136-iqm136jm31sfdwg3) (merge vers: 5.5.0-beta) (pib:14)
[16 Dec 2009 8:50]
Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20091216083231-rp8ecpnvkkbhtb27) (version source revid:alik@sun.com-20091212203859-fx4rx5uab47wwuzd) (merge vers: 5.6.0-beta) (pib:14)
[16 Dec 2009 16:34]
Paul DuBois
Noted in 5.5.1, 6.0.14 changelogs.
[12 Mar 2010 14:09]
Bugs System
Pushed into 5.1.44-ndb-7.0.14 (revid:jonas@mysql.com-20100312135944-t0z8s1da2orvl66x) (version source revid:jonas@mysql.com-20100312115609-woou0te4a6s4ae9y) (merge vers: 5.1.44-ndb-7.0.14) (pib:16)
[12 Mar 2010 14:25]
Bugs System
Pushed into 5.1.44-ndb-6.2.19 (revid:jonas@mysql.com-20100312134846-tuqhd9w3tv4xgl3d) (version source revid:jonas@mysql.com-20100312060623-mx6407w2vx76h3by) (merge vers: 5.1.44-ndb-6.2.19) (pib:16)
[12 Mar 2010 14:39]
Bugs System
Pushed into 5.1.44-ndb-6.3.33 (revid:jonas@mysql.com-20100312135724-xcw8vw2lu3mijrhn) (version source revid:jonas@mysql.com-20100312103652-snkltsd197l7q2yg) (merge vers: 5.1.44-ndb-6.3.33) (pib:16)

Description:
RQG test
--------
Data creation grammar:
$tables = {
rows => [ 1 ]
};
$fields = {
types => [ 'int' ],
indexes => [undef],
null => [undef],
default => [undef],
sign => [undef],
charsets => ['latin1']
};
$data = {
numbers => [ 'digit' ],
strings => [ 'letter' ],
blobs => [ 'data' ],
temporals => [undef]
}

test grammar:
query:
DELETE IGNORE FROM t1 |
CREATE TABLE t1 AS SELECT * FROM table1_int_autoinc |
CREATE TABLE t1 As SELECT * FROM table1_int_autoinc |
# This statement sequence with an empty statement causes the crash when running the DELETE.
CREATE TRIGGER tr1 AFTER DELETE ON t1 FOR EACH ROW BEGIN INSERT INTO t1 SELECT * FROM t1 AS A ; END ; ; DROP TRIGGER tr1 ;
# This statement sequence with "SELECT 1" instead of the empty statement is harmless.
# CREATE TRIGGER tr1 AFTER DELETE ON t1 FOR EACH ROW BEGIN INSERT INTO t1 SELECT * FROM t1 AS A ; END ; SELECT 1 ; DROP TRIGGER tr1 ;

backtrace:
# 12:09:45 Thread 1 (process 13866):
# 12:09:45 #0 0x00007f5386b65ce6 in pthread_kill () from /lib64/libpthread.so.0
# 12:09:45 #1 0x0000000000b5466c in my_write_core (sig=6) at stacktrace.c:309
# 12:09:45 #2 0x00000000006ecf81 in handle_segfault (sig=6) at mysqld.cc:2718
# 12:09:45 #3 <signal handler called>
# 12:09:45 #4 0x00007f5385a615c5 in raise () from /lib64/libc.so.6
# 12:09:45 #5 0x00007f5385a62bb3 in abort () from /lib64/libc.so.6
# 12:09:45 #6 0x00007f5385a5a1e9 in __assert_fail () from /lib64/libc.so.6
# 12:09:45 #7 0x00000000007bd528 in Diagnostics_area::set_ok_status (this=0x1ff86b8, thd=0x1ff5d48, affected_rows_arg=1, last_insert_id_arg=0, message_arg=0x0) at sql_error.cc:358
# 12:09:45 #8 0x00000000006005ce in my_ok (thd=0x1ff5d48, affected_rows=1, id=0, message=0x0) at sql_class.h:2490
# 12:09:45 #9 0x00000000007ca065 in mysql_delete (thd=0x1ff5d48, table_list=0x200c788, conds=0x0, order=0x1ff7cd8, limit=18446744073709551615, options=0, reset_auto_increment=false) at sql_delete.cc:439
# 12:09:45 #10 0x00000000007021b5 in mysql_execute_command (thd=0x1ff5d48) at sql_parse.cc:3349
# 12:09:45 #11 0x000000000070743e in mysql_parse (thd=0x1ff5d48, inBuf=0x200c480 "DELETE IGNORE FROM t1", length=21, found_semicolon=0x413d9f30) at sql_parse.cc:5942
# 12:09:45 #12 0x000000000070805c in dispatch_command (command=COM_QUERY, thd=0x1ff5d48, packet=0x20006a9 "DELETE IGNORE FROM t1", packet_length=21) at sql_parse.cc:1061
# 12:09:45 #13 0x000000000070953a in do_command (thd=0x1ff5d48) at sql_parse.cc:743
# 12:09:45 #14 0x00000000006f68b3 in handle_one_connection (arg=0x1ff5d48) at sql_connect.cc:1158
# 12:09:45 #15 0x00007f5386b61040 in start_thread () from /lib64/libpthread.so.0
# 12:09:45 #16 0x00007f5385b0208d in clone () from /lib64/libc.so.6
# 12:09:45 #17 0x0000000000000000 in ?? ()

My environment:
- MySQL azalea (5.4) 2009-07-23 ./BUILD/compile-pentium64-debug-max
- Linux OpenSuSE 11.0 (64 Bit)
- Intel Core2Duo

How to repeat:
Please use the grammars above.
My command line was:
perl runall.pl --mem \
--basedir=/work2/6.0/azalea/ --threads=1 \
--queries=20000 --debug \
--grammar=<test grammar> \
--gendata=<data creation grammar> \
--seed=1