Bug #53594 crash/valgrind errors/debug assertion when inserting into compressed table
Submitted: 12 May 2010 9:47
Modified: 24 May 2010 10:40
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Can't repeat
Category: MySQL Server: InnoDB Plugin storage engine
Severity: S1 (Critical)
Version: 1.0.7 plugin, 5.1.46, 5.5.x
OS: Any
Assigned to: Marko Mäkelä
CPU Architecture: Any
Tags: compressed, valgrind

[12 May 2010 9:47] Shane Bester
Description:
5.1.46 with 1.0.7 plugin may crash like this when inserting into a compressed table:

ha_innodb_plugin.dll!memcpy()[memcpy.asm:272]
ha_innodb_plugin.dll!ut_memcpy()[ut0mem.ic:39]
ha_innodb_plugin.dll!rec_copy()[rem0rec.ic:1516]
ha_innodb_plugin.dll!page_cur_insert_rec_low()[page0cur.c:1056]
ha_innodb_plugin.dll!page_cur_insert_rec_zip()[page0cur.c:1278]
ha_innodb_plugin.dll!page_cur_tuple_insert()[page0cur.ic:266]
ha_innodb_plugin.dll!btr_cur_optimistic_insert()[btr0cur.c:1204]
ha_innodb_plugin.dll!row_ins_index_entry_low()[row0ins.c:2085]
ha_innodb_plugin.dll!row_ins_index_entry()[row0ins.c:2164]
ha_innodb_plugin.dll!row_ins_index_entry_step()[row0ins.c:2250]
ha_innodb_plugin.dll!row_ins()[row0ins.c:2381]
ha_innodb_plugin.dll!row_ins_step()[row0ins.c:2494]
ha_innodb_plugin.dll!row_insert_for_mysql()[row0mysql.c:1139]
ha_innodb_plugin.dll!ha_innodb::write_row()[ha_innodb.cc:4706]
mysqld.exe!handler::ha_write_row()[handler.cc:4650]
mysqld.exe!write_record()[sql_insert.cc:1606]
mysqld.exe!mysql_insert()[sql_insert.cc:835]
mysqld.exe!mysql_execute_command()[sql_parse.cc:3183]
mysqld.exe!mysql_parse()[sql_parse.cc:5975]
mysqld.exe!dispatch_command()[sql_parse.cc:1235]
mysqld.exe!do_command()[sql_parse.cc:874]
mysqld.exe!handle_one_connection()[sql_connect.cc:1127]
mysqld.exe!pthread_start()[my_winthread.c:85]
mysqld.exe!_callthreadstart()[thread.c:295]
mysqld.exe!_threadstart()[thread.c:275]
kernel32.dll!BaseThreadStart()

How to repeat:
#start server with plugin options:
#--innodb_file_per_table --innodb-file-format=barracuda
Import the attached file.

Run the server under valgrind or use a debug server if no crash happens.
[12 May 2010 9:49] MySQL Verification Team
testcase

Attachment: bug53594_reduced_testcase.sql (application/octet-stream, text), 3.57 KiB.

[12 May 2010 9:53] MySQL Verification Team
The problem is seen in valgrind here, using the 1.0.7/5.1.46 build:

Invalid read of size 1
at : memcpy (mc_replace_strmem.c:482)
by : page_cur_insert_rec_low (ut0mem.ic:39)
by : page_cur_insert_rec_zip (page0cur.c:1274)
by : btr_cur_optimistic_insert (page0cur.ic:264)
by : row_ins_index_entry_low (row0ins.c:2082)
by : row_ins_step (row0ins.c:2162)
by : row_insert_for_mysql (row0mysql.c:1137)
by : ha_innodb::write_row(unsigned char*) (ha_innodb.cc:4703)
by : handler::ha_write_row(unsigned char*) (handler.cc:4650)
by : write_record(THD*, st_table*, st_copy_info*) (sql_insert.cc:1606)
[12 May 2010 10:00] MySQL Verification Team
Another presentation of this bug is the assertion:

100512 12:00:31  InnoDB: Assertion failure in thread 4728 in file .\btr\btr0cur.c line 3878
InnoDB: Failing assertion: local_len >= BTR_EXTERN_FIELD_REF_SIZE
[12 May 2010 10:30] Valeriy Kravchuk
Verified just as described. With 5.5.x stack trace is:

>	mysqld.exe!memcpy(unsigned char * dst=0x02440078, unsigned char * src=0x051bcdc1, unsigned long count=6513)  Line 188	
 	mysqld.exe!rec_copy(void * buf=0x02440078, const unsigned char * rec=0x051bcde4, const unsigned long * offsets=0x051bd408)  Line 1514 + 0x14 bytes	
 	mysqld.exe!page_cur_insert_rec_low(unsigned char * current_rec=0x02440063, dict_index_struct * index=0x051b5560, const unsigned char * rec=0x051bcde4, unsigned long * offsets=0x051bd408, mtr_struct * mtr=0x00000000)  Line 1056	
 	mysqld.exe!page_cur_insert_rec_zip(unsigned char * * current_rec=0x05a0dbd0, buf_block_struct * block=0x02381290, dict_index_struct * index=0x051b5560, const unsigned char * rec=0x051bcde4, unsigned long * offsets=0x051bd408, mtr_struct * mtr=0x05a0dc08)  Line 1276 + 0x22 bytes	
 	mysqld.exe!page_cur_tuple_insert(page_cur_struct * cursor=0x05a0dbd0, const dtuple_struct * tuple=0x051a79c0, dict_index_struct * index=0x051b5560, unsigned long n_ext=1, mtr_struct * mtr=0x05a0dc08)  Line 265 + 0xf bytes	
 	mysqld.exe!btr_cur_optimistic_insert(unsigned long flags=0, btr_cur_struct * cursor=0x05a0dbcc, dtuple_struct * entry=0x051a79c0, unsigned char * * rec=0x05a0dbc4, big_rec_struct * * big_rec=0x05a0dbb4, unsigned long n_ext=1, que_thr_struct * thr=0x051a14a8, mtr_struct * mtr=0x05a0dc08)  Line 1198 + 0x18 bytes	
 	mysqld.exe!row_ins_index_entry_low(unsigned long mode=2, dict_index_struct * index=0x00000000, dtuple_struct * entry=0x051a79c0, unsigned long n_ext=0, que_thr_struct * thr=0x00000000)  Line 2084	
 	mysqld.exe!row_ins_index_entry(dict_index_struct * index=0x051b5560, dtuple_struct * entry=0x051a79c0, unsigned long n_ext=0, unsigned long foreign=1, que_thr_struct * thr=0x051a14a8)  Line 2161 + 0x11 bytes	
 	mysqld.exe!row_ins_index_entry_step(ins_node_struct * node=0x00000000, que_thr_struct * thr=0x051a14a8)  Line 2245 + 0x16 bytes	
 	mysqld.exe!row_ins(ins_node_struct * node=0x00000000, que_thr_struct * thr=0x00000000)  Line 2377 + 0x6 bytes	
 	mysqld.exe!row_ins_step(que_thr_struct * thr=0x00000000)  Line 2490	
 	mysqld.exe!row_insert_for_mysql(unsigned char * mysql_rec=0x051a8de8, row_prebuilt_struct * prebuilt=0x051a0048)  Line 1139	
 	mysqld.exe!ha_innobase::write_row(unsigned char * record=0x051a8de8)  Line 4423 + 0xd bytes	
 	mysqld.exe!handler::ha_write_row(unsigned char * buf=0x051a8de8)  Line 4672	
 	mysqld.exe!write_record(THD * thd=0x0237e2e0, TABLE * table=0x0519f138, st_copy_info * info=0x05a0e1c4)  Line 1658 + 0xc bytes	
 	mysqld.exe!mysql_insert(THD * thd=0x0237e2e0, TABLE_LIST * table_list=0x0519b470, List<Item> & fields={...}, List<List<Item> > & values_list={...}, List<Item> & update_fields={...}, List<Item> & update_values={...}, enum_duplicates duplic=DUP_ERROR, bool ignore=true)  Line 864 + 0xc bytes	
 	mysqld.exe!mysql_execute_command(THD * thd=0x0237e2e0)  Line 3110 + 0x36 bytes	
 	mysqld.exe!mysql_parse(THD * thd=0x0237e2e0, const char * inBuf=0x0519b130, unsigned int length=354, const char * * found_semicolon=0x05a0f63c)  Line 5735 + 0x6 bytes	
 	mysqld.exe!dispatch_command(enum_server_command command=COM_QUERY, THD * thd=0x0237e2e0, char * packet=0x05192e59, unsigned int packet_length=354)  Line 1026	
 	mysqld.exe!do_command(THD * thd=0x00000003)  Line 710 + 0xf bytes	
 	mysqld.exe!do_handle_one_connection(THD * thd_arg=0x0237e2e0)  Line 1174 + 0xa bytes	
 	mysqld.exe!handle_one_connection(void * arg=0x0237e2e0)  Line 1113 + 0x6 bytes	
 	mysqld.exe!pthread_start(void * p=0x05187fc0)  Line 61 + 0x3 bytes	
 	mysqld.exe!_callthreadstartex()  Line 348 + 0x6 bytes	
 	mysqld.exe!_threadstartex(void * ptd=0x05196e68)  Line 326 + 0x5 bytes
[24 May 2010 10:40] MySQL Verification Team
I just confirmed this is fixed in the 1.0.8 plugin that comes with 5.1.47.