Bug #46965 crash in ha_innobase::get_auto_increment
Submitted: 27 Aug 2009 20:20 Modified: 18 Mar 2010 18:52
Reporter: Matthias Leich
Status: Closed
Category: MySQL Server: InnoDB storage engine Severity: S3 (Non-critical)
Version: OS: Any
Assigned to: Satya B CPU Architecture: Any
Tags: 5.4

[27 Aug 2009 20:20] Matthias Leich
Description:
--source include/have_innodb.inc

--disable_warnings
DROP TABLE IF EXISTS t1;
--enable_warnings

CREATE TABLE t1  (pk INTEGER AUTO_INCREMENT, PRIMARY KEY (pk)) ENGINE = MyISAM;
ALTER TABLE  t1 ENGINE = InnoDB;
# The next statement causes a crash
INSERT INTO  t1 VALUES (NULL) ,  ('-685113344') ,  (NULL) ;

DROP TABLE t1;

Backtrace from mysql-next-bugfixing:
------------------------------------
#0  0x00007fb65ed4fce6 in pthread_kill () from /lib64/libpthread.so.0
#1  0x0000000000b57ee8 in my_write_core (sig=6) at stacktrace.c:309
#2  0x00000000006ef875 in handle_segfault (sig=6) at mysqld.cc:2738
#3  <signal handler called>
#4  0x00007fb65dc4b5c5 in raise () from /lib64/libc.so.6
#5  0x00007fb65dc4cbb3 in abort () from /lib64/libc.so.6
#6  0x000000000098e02c in ha_innobase::get_auto_increment (this=0x1faf7c0, offset=1, increment=1, nb_desired_values=2, first_value=0x403ace20, nb_reserved_values=0x403ace18)
    at handler/ha_innodb.cc:7749
#7  0x000000000084fae2 in handler::update_auto_increment (this=0x1faf7c0) at handler.cc:2383
#8  0x0000000000992f17 in ha_innobase::write_row (this=0x1faf7c0, record=0x1fafa68 "�") at handler/ha_innodb.cc:3771
#9  0x000000000084bc11 in handler::ha_write_row (this=0x1faf7c0, buf=0x1fafa68 "�") at handler.cc:5548
#10 0x00000000007ae77d in write_record (thd=0x1fa86f8, table=0x1f474d8, info=0x403ad1c0) at sql_insert.cc:1626
#11 0x00000000007b2e3e in mysql_insert (thd=0x1fa86f8, table_list=0x1f455c0, fields=@0x1faabf0, values_list=@0x1faac38, update_fields=@0x1faac20, update_values=@0x1faac08, duplic=DUP_ERROR,
    ignore=false) at sql_insert.cc:834
#12 0x000000000070488b in mysql_execute_command (thd=0x1fa86f8) at sql_parse.cc:3225
#13 0x000000000070a192 in mysql_parse (thd=0x1fa86f8, inBuf=0x1f454a0 "INSERT INTO  t1 VALUES (NULL) ,  ('-685113344') ,  (NULL)", length=57, found_semicolon=0x403aef20) at sql_parse.cc:5950
#14 0x000000000070adb0 in dispatch_command (command=COM_QUERY, thd=0x1fa86f8, packet=0x1f41449 "INSERT INTO  t1 VALUES (NULL) ,  ('-685113344') ,  (NULL) ", packet_length=58) at sql_parse.cc:1062
#15 0x000000000070c254 in do_command (thd=0x1fa86f8) at sql_parse.cc:744
#16 0x00000000006f9703 in handle_one_connection (arg=0x1fa86f8) at sql_connect.cc:1163
#17 0x00007fb65ed4b040 in start_thread () from /lib64/libpthread.so.0
#18 0x00007fb65dcec08d in clone () from /lib64/libc.so.6
#19 0x0000000000000000 in ?? ()

Reaction in mysql-5.1-bugteam late July 2009:
---------------------------------------------
mysqltest: At line 9: query 'INSERT INTO  t1 VALUES (NULL) ,  ('-685113344') ,  (NULL) ' failed: 1467: Failed to read auto-increment value from storage engine

Reaction in mysql-5.0-bugteam late July 2009:
---------------------------------------------
Warnings:
Warning	1264	Out of range value adjusted for column 'pk' at row 3

My environment:
---------------
- mysql-next-bugfixing (5.4) 2009-08-27 --> crash
- mysql-5.1-bugteam late July 2009 --> ok
- mysql-5.0-bugteam late July 2009 --> ok
- ./BUILD/compile-pentium64-debug-max
- Linux OpenSuSE 11.0 (64 Bit)
- Intel Core2Duo

How to repeat:
Please see above
[27 Aug 2009 20:54] Philip Stoev
See bug#34335
[28 Aug 2009 12:25] Matthias Leich
Simplified test:
----------------
--source include/have_innodb.inc

--disable_warnings
DROP TABLE IF EXISTS t1;
--enable_warnings

CREATE TABLE t1  (pk INTEGER AUTO_INCREMENT, PRIMARY KEY (pk)) ENGINE = InnoDB;
# The next statement causes a crash
INSERT INTO  t1 VALUES (NULL) ,  ('-685113344') ,  (NULL) ;

DROP TABLE t1;
[15 Sep 2009 6:53] Calvin Sun
Matthias - could you please check with 5.4.2, or mysql-trunk?
[15 Sep 2009 13:23] Matthias Leich
Hi Calvin,

I get with mysql-trunk (last change 2009-08-29):

CREATE TABLE t1  (pk INTEGER AUTO_INCREMENT, PRIMARY KEY (pk)) ENGINE = InnoDB;
INSERT INTO  t1 VALUES (NULL) ,  ('-685113344') ,  (NULL) ;
ERROR HY000: Failed to read auto-increment value from storage engine

which is also not satisfying, but at least no crash.

Regards

Matthias
[16 Sep 2009 23:26] Sunny Bains
It doesn't crash for me with 5.1.

mysql> CREATE TABLE t1  (pk INTEGER AUTO_INCREMENT, PRIMARY KEY (pk)) ENGINE = InnoDB;
Query OK, 0 rows affected (0.05 sec)

mysql> INSERT INTO  t1 VALUES (NULL) ,  ('-685113344') ,  (NULL) ;
ERROR 1467 (HY000): Failed to read auto-increment value from storage engine
mysql> Bye

Writing -ve values according to the manual is undefined behavior and as
long as it doesn't crash I see no reason to fix it. One option that was
discussed internally was to mask the -ve value with the max value for the
column type. The results end up looking like this instead of the failure
to read error that we get above.

mysql> CREATE TABLE t1  (pk INTEGER AUTO_INCREMENT, PRIMARY KEY (pk)) ENGINE =
    -> InnoDB;
Query OK, 0 rows affected (0.05 sec)

mysql> INSERT INTO  t1 VALUES (NULL) ,  ('-685113344') ,  (NULL) ;
Query OK, 3 rows affected, 1 warning (1 min 6.39 sec)
Records: 3  Duplicates: 0  Warnings: 1

mysql> select * from t1;
+------------+
| pk         |
+------------+
| -685113344 | 
|          1 | 
| 2147483647 | 
+------------+
3 rows in set (0.00 sec)
[17 Sep 2009 0:23] Sunny Bains
I think there is a possible simple improvement, we should simply ignore -ve values when updating the table's max autoinc counter.
[4 Nov 2009 11:54] Sergey Vojtovich
Pushed into 5.1.41.
[22 Nov 2009 0:57] Paul Dubois
Noted in 5.1.41 changelog.

InnoDB now ignores negative values supplied by a user for an
AUTO_INCREMENT column when calculating the next value to store in the 
data dictionary. Setting AUTO_INCREMENT columns to negative values is
undefined behavior and this change should bring the behavior of
InnoDB closer to what users expect.

Setting report to NDI pending push into 5.5.x+.
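The following is an added illustration, not InnoDB source code and not part of the bug report, that models the three counter policies discussed in this thread: the pre-fix behaviour (every supplied value bumps the counter), the "mask with the max value" option Sunny Bains showed, and the 5.1.41 fix that ignores negative values. It assumes a hypothetical engine-side unsigned 64-bit counter holding the next value to hand out and an INT column with maximum 2147483647; the real dict_table_autoinc_* functions and locking are not modelled, the policy names are invented, and the clamp-to-maximum policy is only an assumed reading of how the masking option produced the 2147483647 row shown above.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model (not InnoDB source): the engine keeps the AUTO_INCREMENT
 * counter as the unsigned 64-bit "next value to hand out" for the table. */
typedef struct {
    uint64_t next_value;  /* next value to hand out for a NULL insert */
    uint64_t col_max;     /* maximum of the column type; INT -> 2147483647 */
} autoinc_counter;

typedef enum {
    POLICY_UNFIXED,         /* every user value bumps the counter (pre-fix) */
    POLICY_CLAMP_TO_MAX,    /* bump, then clamp to the column maximum (assumed
                               reading of the "mask with the max value" option) */
    POLICY_IGNORE_NEGATIVE  /* negative user values never touch the counter
                               (5.1.41 changelog behaviour) */
} policy_t;

/* Fold an explicitly supplied value into the counter under the given policy.
 * Note the cast: a negative int64 becomes a huge uint64, which is what drives
 * the counter past the column maximum in the unfixed case. */
static void update_counter(autoinc_counter *c, policy_t policy, int64_t user_value)
{
    if (policy == POLICY_IGNORE_NEGATIVE && user_value < 0)
        return;                                    /* the fix: skip negatives */

    uint64_t candidate = (uint64_t)user_value + 1; /* next value after this row */
    if (candidate > c->next_value)
        c->next_value = candidate;

    if (policy == POLICY_CLAMP_TO_MAX && c->next_value > c->col_max)
        c->next_value = c->col_max;
}

/* Hand out a generated value. Returns false when the counter has already run
 * past the column maximum, the condition the server surfaces as error 1467
 * "Failed to read auto-increment value from storage engine". */
static bool next_autoinc(autoinc_counter *c, int64_t *out)
{
    if (c->next_value > c->col_max)
        return false;
    *out = (int64_t)c->next_value;
    c->next_value++;
    return true;
}

/* Replay the statement from the report on an empty INT AUTO_INCREMENT table:
 *   INSERT INTO t1 VALUES (NULL), ('-685113344'), (NULL);
 * Returns how many rows received a pk; pk[] holds the assigned values. */
static int replay_insert(policy_t policy, int64_t pk[3])
{
    autoinc_counter c = { .next_value = 1, .col_max = INT32_MAX };
    const bool    is_null[3]    = { true, false, true };
    const int64_t explicit_v[3] = { 0, -685113344, 0 };
    int rows = 0;

    for (int i = 0; i < 3; i++) {
        if (is_null[i]) {
            if (!next_autoinc(&c, &pk[i]))
                return rows;                       /* row fails with 1467 */
        } else {
            pk[i] = explicit_v[i];
            update_counter(&c, policy, pk[i]);
        }
        rows++;
    }
    return rows;
}

/* Number of rows that received a pk under the policy. */
static int rows_assigned(policy_t policy)
{
    int64_t pk[3] = { 0, 0, 0 };
    return replay_insert(policy, pk);
}

/* pk of the third row, or -1 when that row failed. */
static int64_t third_pk(policy_t policy)
{
    int64_t pk[3] = { 0, 0, 0 };
    return replay_insert(policy, pk) == 3 ? pk[2] : -1;
}

int main(void)
{
    const char *names[] = { "unfixed", "clamp-to-max", "ignore-negative" };
    for (int p = 0; p < 3; p++) {
        int64_t pk[3] = { 0, 0, 0 };
        int rows = replay_insert((policy_t)p, pk);
        printf("%-16s rows=%d pk=", names[p], rows);
        for (int i = 0; i < rows; i++)
            printf("%s%lld", i ? "," : "", (long long)pk[i]);
        printf("%s\n", rows < 3 ? "  (ERROR 1467 on row 3)" : "");
    }
    return 0;
}
```

Under the unfixed policy the second row pushes the counter to roughly 2^64, so the third NULL row cannot be served; under the clamp policy the third row gets 2147483647 and the table is effectively full; under the ignore-negative policy the third row gets 2, which is the behaviour the 5.1.41 changelog entry describes.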
[7 Dec 2009 16:40] Paul Dubois
Noted in 5.1.40sp1 changelog.
[18 Mar 2010 17:15] Sergey Vojtovich
This bugfix first appeared in 5.5.0-m2.
[18 Mar 2010 18:52] Paul Dubois
Noted in 5.5.0 changelog.