Bug #48397 Valgrind / Innodb crash - get_mm_parts () at opt_range.cc:5795
Submitted: 29 Oct 2009 1:29 Modified: 12 Nov 2009 12:02
Reporter: Patrick Crews
Status: Closed
Category:MySQL Server: Partitions Severity:S3 (Non-critical)
Version:5.5 WL#3352 OS:Any
Assigned to: Mikael Ronström CPU Architecture:Any
Tags: innodb, memory_corruption, partitioning, valgrind

[29 Oct 2009 1:29] Patrick Crews
Description:
Crashing bug: an UPDATE on an InnoDB table crashes a valgrind build due to memory corruption (as reported by valgrind):
UPDATE `PP_M` SET `varchar_5_utf8` = 'u' 
WHERE ( ( ( ( `PP_M` . `int_signed_key` BETWEEN 6 AND ( 6 + 5 ) ) AND `PP_M` . `int_signed` <> 1 ) XOR `PP_M` . `varchar_512_latin1` IN ('u' ) ) AND `PP_M` . `varchar_512_cp932` != 'k' );

Full crash output attached as separate file
*** glibc detected *** <path>/mysql-5.5/sql/mysqld: malloc(): memory corruption: 0x0a848ac8 ***

# 21:12:59 Thread 1 (process 6339):
# 21:12:59 #0  0xb7f26430 in __kernel_vsyscall ()
# 21:12:59 #1  0xb7f081c8 in pthread_kill () from /lib/tls/i686/cmov/libpthread.so.0
# 21:12:59 #2  0x0861f88d in my_write_core (sig=6) at stacktrace.c:310
# 21:12:59 #3  0x0826d94b in handle_segfault (sig=6) at mysqld.cc:2578
# 21:12:59 #4  <signal handler called>
# 21:12:59 #5  0xb7f26430 in __kernel_vsyscall ()
# 21:12:59 #6  0xb7d396d0 in raise () from /lib/tls/i686/cmov/libc.so.6
# 21:12:59 #7  0xb7d3b098 in abort () from /lib/tls/i686/cmov/libc.so.6
# 21:12:59 #8  0xb7d7724d in ?? () from /lib/tls/i686/cmov/libc.so.6
# 21:12:59 #9  0xb7d80276 in ?? () from /lib/tls/i686/cmov/libc.so.6
# 21:12:59 #10 0xb7d819c5 in malloc () from /lib/tls/i686/cmov/libc.so.6
# 21:12:59 #11 0x08603e99 in my_malloc (size=324, my_flags=16) at my_malloc.c:34
# 21:12:59 #12 0x0860487f in alloc_root (mem_root=0xa8413dc4, length=324) at my_alloc.c:158
# 21:12:59 #13 0x0820914f in sql_alloc (Size=308) at thr_malloc.cc:66
# 21:12:59 #14 0x081845d4 in Sql_alloc::operator new (size=308) at ../../sql/sql_list.h:30
# 21:12:59 #15 0x083a29f3 in get_mm_parts (param=0xa8413e10, cond_func=0x99c4288, field=0x97abe68, type=Item_func::GT_FUNC, value=0x9ba68a0, 
# 21:12:59     cmp_type=STRING_RESULT) at opt_range.cc:5795
# 21:12:59 #16 0x083a2d37 in get_ne_mm_tree (param=0xa8413e10, cond_func=0x99c4288, field=0x97abe68, lt_value=0x9ba68a0, gt_value=0x9ba68a0, 
# 21:12:59     cmp_type=STRING_RESULT) at opt_range.cc:5244
# 21:12:59 #17 0x083a2e0e in get_func_mm_tree (param=0xa8413e10, cond_func=0x99c4288, field=0x97abe68, value=0x9ba68a0, cmp_type=STRING_RESULT, inv=false)
# 21:12:59     at opt_range.cc:5277
# 21:12:59 #18 0x083a3689 in get_full_func_mm_tree (param=0xa8413e10, cond_func=0x99c4288, field_item=0x9af5930, value=0x9ba68a0, inv=false) at opt_range.cc:5582
# 21:12:59 #19 0x083a443f in get_mm_tree (param=0xa8413e10, cond=0x99c4288) at opt_range.cc:5768
# 21:12:59 #20 0x083a38c9 in get_mm_tree (param=0xa8413e10, cond=0x97dce78) at opt_range.cc:5624
# 21:12:59 #21 0x083a9f9b in prune_partitions (thd=0x94a7d18, table=0x979e480, pprune_cond=0x97dce78) at opt_range.cc:2753
# 21:12:59 #22 0x083371de in mysql_update (thd=0x94a7d18, table_list=0x94b2cc8, fields=@0x94a8f08, values=@0x94a9154, conds=0x97dce78, order_num=0, order=0x0, 
# 21:12:59     limit=18446744073709551615, handle_duplicates=DUP_ERROR, ignore=false, found_return=0xa84166b0, updated_return=0xa84166a8) at sql_update.cc:321
# 21:12:59 #23 0x082831ff in mysql_execute_command (thd=0x94a7d18) at sql_parse.cc:3097
# 21:12:59 #24 0x0828a55a in mysql_parse (thd=0x94a7d18, 
# 21:12:59     inBuf=0x94b72e0 "UPDATE `PP_M` SET `varchar_5_utf8` = 'u' WHERE ( ( ( ( `PP_M` . `int_signed_key` BETWEEN 6 AND ( 6 + 5 ) ) AND `PP_M` . `int_signed` <> 1 ) XOR `PP_M` . `varchar_512_latin1` IN ('u' ) ) AND `PP_M` . `"..., length=227, found_semicolon=0xa8417080) at sql_parse.cc:6041
# 21:12:59 #25 0x0828b33e in dispatch_command (command=COM_QUERY, thd=0x94a7d18, 
# 21:12:59     packet=0x94a1f51 "UPDATE `PP_M` SET `varchar_5_utf8` = 'u' WHERE ( ( ( ( `PP_M` . `int_signed_key` BETWEEN 6 AND ( 6 + 5 ) ) AND `PP_M` . `int_signed` <> 1 ) XOR `PP_M` . `varchar_512_latin1` IN ('u' ) ) AND `PP_M` . `"..., packet_length=227) at sql_parse.cc:1234
# 21:12:59 #26 0x0828c85f in do_command (thd=0x94a7d18) at sql_parse.cc:867
# 21:12:59 #27 0x0827759d in handle_one_connection (arg=0x94a7d18) at sql_connect.cc:1122
# 21:12:59 #28 0xb7f034ff in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
# 21:12:59 #29 0xb7df249e in clone () from /lib/tls/i686/cmov/libc.so.6 

How to repeat:
MTR Test case.

Run using ./mtr --record --valgrind --mysqld=--loose-innodb <test_name>

The crash output is not exactly the same as that seen in the RQG test, but this is the same query and data.

# Repro for BUG#48397 as an MTR test body. `#` is the mysqltest comment
# character; lines beginning with `--` are mysqltest commands, not SQL comments.
# Run with: ./mtr --record --valgrind --mysqld=--loose-innodb <test_name>
--disable_warnings
DROP TABLE /*! IF EXISTS */ PP_M;
--enable_warnings

# Partitioned InnoDB table: RANGE COLUMN_LIST on (int_signed, varchar_512_cp932)
# with 3 HASH subpartitions on to_seconds(`datetime`). The column order here
# fixes the positional VALUES lists in the INSERTs below, so keep both in sync.
CREATE TABLE `PP_M` (
  `varchar_5_utf8` varchar(5) CHARACTER SET utf8 DEFAULT NULL,
  `varchar_512_cp932` varchar(512) CHARACTER SET cp932 DEFAULT NULL,
  `int_signed` int(11) DEFAULT NULL,
  `varchar_512_latin1` varchar(512) DEFAULT NULL,
  `int_signed_key` int(11) DEFAULT NULL,
  `datetime` datetime DEFAULT NULL,
  KEY `int_signed_key` (`int_signed_key`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1
/*!50100 PARTITION BY RANGE  COLUMN_LIST(int_signed,varchar_512_cp932)
SUBPARTITION BY HASH ( to_seconds(`datetime`))
SUBPARTITIONS 3
(PARTITION p0 VALUES LESS THAN (2,_cp932'b') ENGINE = InnoDB,
 PARTITION p1 VALUES LESS THAN (4,_cp932'd') ENGINE = InnoDB,
 PARTITION p2 VALUES LESS THAN (10,_cp932'za') ENGINE = InnoDB) */;
# Dataset taken verbatim from the RQG run. Each row is
# (varchar_5_utf8, varchar_512_cp932, int_signed, varchar_512_latin1, int_signed_key, datetime).
# NULLs in the partitioning columns and zero dates are part of the fixture; do not "clean" them.
INSERT INTO `PP_M` VALUES ('u','m',NULL,NULL,1,'2003-09-24 00:13:51');
INSERT INTO `PP_M` VALUES ('u',NULL,NULL,NULL,NULL,'2017-07-22 00:00:00');
INSERT INTO `PP_M` VALUES ('u','m',NULL,'i',3,'2003-02-04 21:36:07');
INSERT INTO `PP_M` VALUES ('u','i',0,'r',0,'0000-00-00 00:00:00');
INSERT INTO `PP_M` VALUES ('u','a',NULL,'w',7,'0000-00-00 00:00:00');
INSERT INTO `PP_M` VALUES ('u','u',NULL,'r',7,'0000-00-00 00:00:00');
INSERT INTO `PP_M` VALUES ('u','f',NULL,'u',8,NULL);
INSERT INTO `PP_M` VALUES ('u',NULL,2,'r',3,NULL);
INSERT INTO `PP_M` VALUES ('u','s',NULL,'o',1,NULL);
INSERT INTO `PP_M` VALUES ('u',NULL,NULL,'z',NULL,'0000-00-00 00:00:00');
INSERT INTO `PP_M` VALUES ('u','f',3,'f',0,'2005-07-28 00:00:00');
INSERT INTO `PP_M` VALUES ('u','c',4,'b',0,'2005-08-07 05:12:44');
INSERT INTO `PP_M` VALUES ('u','a',6,NULL,8,'2004-11-18 00:00:00');
INSERT INTO `PP_M` VALUES ('u','g',4,'d',6,'2009-07-15 00:00:00');
INSERT INTO `PP_M` VALUES ('u','l',5,'t',6,'2008-02-18 00:00:00');
INSERT INTO `PP_M` VALUES ('u','h',7,'o',3,NULL);
INSERT INTO `PP_M` VALUES ('u','x',6,'m',2,'0000-00-00 00:00:00');
INSERT INTO `PP_M` VALUES ('u','l',7,'q',8,'0000-00-00 00:00:00');
INSERT INTO `PP_M` VALUES ('u','u',4,'l',NULL,NULL);
INSERT INTO `PP_M` VALUES ('u','x',9,'b',3,'0000-00-00 00:00:00');

# Triggering statement. The WHERE combines a BETWEEN on the indexed int column,
# a <> on the first partitioning column and a != on the cp932 partitioning
# column; per the attached trace, partition pruning on a valgrind build
# (prune_partitions -> get_mm_tree -> get_mm_parts in opt_range.cc) corrupts
# the heap and the server aborts inside malloc(). The SET value is already 'u'
# in every row, so the statement would change no data if it completed.
UPDATE `PP_M` SET `varchar_5_utf8` = 'u' 
WHERE ( ( ( ( `PP_M` . `int_signed_key` BETWEEN 6 AND ( 6 + 5 ) ) AND `PP_M` . `int_signed` <> 1 ) XOR `PP_M` . `varchar_512_latin1` IN ('u' ) ) AND `PP_M` . `varchar_512_cp932` != 'k' );

# Teardown so the test leaves no table behind on a non-crashing (fixed) server.
DROP TABLE PP_M;
[29 Oct 2009 1:30] Patrick Crews
Full crash output from the RQG run

Attachment: bug48397_crash_output.txt (text/plain), 25.26 KiB.

[29 Oct 2009 12:08] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/88578

2910 Mikael Ronstrom	2009-10-29
      BUG#48397, set key_part->length to key_part->store_length isn't correct, store_length is a bit longer
      modified:
        sql/opt_range.cc
[5 Nov 2009 6:51] Bugs System
Pushed into 6.0.14-alpha (revid:mikael@mysql.com-20091104090210-om5lq1v39ppduu0e) (version source revid:mikael@mysql.com-20091030163450-387z4yevx0lrj3fb) (merge vers: 6.0.14-alpha) (pib:13)
[12 Nov 2009 8:19] Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091110093229-0bh5hix780cyeicl) (version source revid:mikael@mysql.com-20091029120835-7qnznolyjjwvc94o) (merge vers: 5.5.0-beta) (pib:13)
[12 Nov 2009 12:02] Jon Stephens
Does not appear in release, closed without further action.