Bug #54007 assert in ha_myisam::index_next , HANDLER
Submitted: 26 May 2010 20:29 Modified: 14 Oct 2010 15:33
Reporter: Matthias Leich
Status: Closed
Category: MySQL Server Severity: S3 (Non-critical)
Version: 5.1.47, 5.6.99-m4 OS: Any
Assigned to: Ramil Kalimullin
Tags: assert, debug, handler
Triage: Triaged: D1 (Critical)

[26 May 2010 20:29] Matthias Leich
Description:
The assert happens in ha_myisam.cc line 1596:
---------------------------------------------
int ha_myisam::index_next(uchar *buf)
{
  MYSQL_INDEX_READ_ROW_START(table_share->db.str, table_share->table_name.str);
  DBUG_ASSERT(inited==INDEX);   <------------
  ha_statistic_increment(&SSV::ha_read_next_count);
  int error=mi_rnext(file,buf,active_index);
  table->status=error ? STATUS_NOT_FOUND: 0;
  MYSQL_INDEX_READ_ROW_DONE(error);
  return error;
}

My script:
----------
--disable_warnings
DROP TABLE IF EXISTS t1;
--enable_warnings
CREATE TABLE t1  ( pk INT , PRIMARY KEY (pk));
HANDLER t1 OPEN AS handler_a;
HANDLER handler_a READ FIRST;
HANDLER handler_a READ `PRIMARY` NEXT;

DROP TABLE t1;

Result on mysql-next-mr revno: 3145 2010-05-20
----------------------------------------------
...
main.ml002                               [ fail ]
...
CURRENT_TEST: main.ml002
mysqltest: At line 7: query 'HANDLER handler_a READ `PRIMARY` NEXT' failed: 2013: Lost connection to MySQL server during query
...
100526 23:21:55 - mysqld got signal 6 ;
...
Thread 1 (process 8274):
#0  0x00007fd13d611ce6 in pthread_kill () from /lib64/libpthread.so.0
#1  0x00000000009fb071 in my_write_core (sig=6) at .../mysys/stacktrace.c:326
#2  0x000000000053c680 in handle_segfault (sig=6) at .../sql/mysqld.cc:2786
#3  <signal handler called>
#4  0x00007fd13c8295c5 in raise () from /lib64/libc.so.6
#5  0x00007fd13c82abb3 in abort () from /lib64/libc.so.6
#6  0x00007fd13c8221e9 in __assert_fail () from /lib64/libc.so.6
#7  0x0000000000960c08 in ha_myisam::index_next (this=0x1298a58, buf=0x1298be8 '\217' <repeats 16 times>, "\b\214)\001") at .../storage/myisam/ha_myisam.cc:1596
#8  0x00000000005ae84f in mysql_ha_read (thd=0x120ec38, tables=0x129f790, mode=RNEXT, keyname=0x129fca0 "PRIMARY", key_expr=0x0, ha_rkey_mode=HA_READ_KEY_EXACT, cond=0x0, select_limit_cnt=1, offset_limit_cnt=0)
    at .../sql/sql_handler.cc:634
#9  0x00000000005d0c30 in mysql_execute_command (thd=0x120ec38) at .../sql/sql_parse.cc:4027
#10 0x00000000005d2d49 in mysql_parse (thd=0x120ec38, inBuf=0x129f608 "HANDLER handler_a READ `PRIMARY` NEXT", length=37, parser_state=0x40b3b960) at .../sql/sql_parse.cc:5801
#11 0x00000000005d3948 in dispatch_command (command=COM_QUERY, thd=0x120ec38, packet=0x1293559 "", packet_length=37) at .../sql/sql_parse.cc:1085
#12 0x00000000005d4de4 in do_command (thd=0x120ec38) at .../sql/sql_parse.cc:771
#13 0x00000000006a013e in do_handle_one_connection (thd_arg=0x120ec38) at .../sql/sql_connect.cc:1188
#14 0x00000000006a0203 in handle_one_connection (arg=0x120ec38) at .../sql/sql_connect.cc:1127
#15 0x000000000094590b in pfs_spawn_thread (arg=0x12720f8) at .../storage/perfschema/pfs.cc:1011
#16 0x00007fd13d60d040 in start_thread () from /lib64/libpthread.so.0
#17 0x00007fd13c8ca08d in clone () from /lib64/libc.so.6
#18 0x0000000000000000 in ?? ()

MySQL 5.1.47 compiled with debug shows the same assert.

How to repeat:
See above
[9 Jun 2010 10:45] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/110598

3423 Ramil Kalimullin	2010-06-09
      Fix for bug #54007: assert in ha_myisam::index_next, HANDLER
      
      Problem: the server missed the fact that one can read from 
      2 indexes alternately using the HANDLER interface.
      
      Fix: check if the same (initialized) index is involved when
      reading next/prev values from the index.
     @ mysql-test/r/handler_myisam.result
        Fix for bug #54007: assert in ha_myisam::index_next, HANDLER
          - test result.
     @ mysql-test/t/handler_myisam.test
        Fix for bug #54007: assert in ha_myisam::index_next, HANDLER
          - test case.
     @ sql/sql_handler.cc
        Fix for bug #54007: assert in ha_myisam::index_next, HANDLER
          - check if we use the same (initialized) index 
        to read next/prev values from the index.
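A small C model of the cursor state machine behind the report and the fix, added here as an illustration; it is not code from the MySQL tree. It assumes a three-state `inited` flag (NONE, INDEX, RND) as in `handler`, a constructed table with three rows and two indexes (0 = PRIMARY), and reads the commit message's check as "a NEXT on an index other than the initialized one restarts as FIRST".

```c
#include <assert.h>
#include <stdbool.h>

/* Minimal model of the handler cursor state (assumed, not MySQL's code). */
enum inited_t { NONE, INDEX, RND };
enum ha_mode  { RFIRST, RNEXT };

typedef struct {
    enum inited_t inited;  /* which kind of scan is initialized, if any */
    int active_index;      /* index number for INDEX scans */
    int pos;               /* cursor position, stands in for the row buffer */
} handler_t;

#define NROWS 3            /* constructed sample table: three rows */

static void ha_index_or_rnd_end(handler_t *h) { h->inited = NONE; }
static void ha_index_init(handler_t *h, int keyno) {
    h->inited = INDEX; h->active_index = keyno; h->pos = -1;
}
static void ha_rnd_init(handler_t *h) { h->inited = RND; h->pos = -1; }

/* index_next's precondition: returns -1 where the real server would hit
   DBUG_ASSERT(inited==INDEX) and abort; -2 means end of index. */
static int index_next(handler_t *h) {
    if (h->inited != INDEX) return -1;
    return ++h->pos < NROWS ? h->pos : -2;
}
static int rnd_next(handler_t *h) {
    if (h->inited != RND) return -1;
    return ++h->pos < NROWS ? h->pos : -2;
}

/* Model of mysql_ha_read. keyno < 0 means no index name (table scan).
   With 'checked' set, NEXT on an index that is not the initialized one
   is turned into FIRST, which re-initializes the cursor. */
static int ha_read(handler_t *h, enum ha_mode mode, int keyno, bool checked) {
    if (checked && keyno >= 0 && mode == RNEXT &&
        !(h->inited == INDEX && h->active_index == keyno))
        mode = RFIRST;
    if (mode == RFIRST) {
        ha_index_or_rnd_end(h);
        if (keyno >= 0) ha_index_init(h, keyno); else ha_rnd_init(h);
    }
    return keyno >= 0 ? index_next(h) : rnd_next(h);
}

/* The report's script: READ FIRST (table scan), then READ `PRIMARY` NEXT. */
static int replay_bug(bool checked) {
    handler_t h = { NONE, -1, -1 };
    ha_read(&h, RFIRST, -1, checked);
    return ha_read(&h, RNEXT, 0, checked);
}
```

Without the check the second statement reaches `index_next` with `inited == RND`, the path that trips the assert; with it the NEXT restarts the PRIMARY index and returns its first row.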
[17 Jun 2010 6:14] Bugs System
Pushed into 5.5.5-m3 (revid:alexey.kopytov@sun.com-20100615145247-8bj0vmuqlotbqsn9) (version source revid:ramil@mysql.com-20100611153657-7k2txd2n1wkxgyfs) (merge vers: 5.5.5-m3) (pib:16)
[17 Jun 2010 6:17] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100615150216-cubqoyn1fj9b6a2p) (version source revid:alik@sun.com-20100615081608-4ieksdrefamsw3v9) (pib:16)
[19 Jul 2010 14:34] Bugs System
Pushed into 5.1.49 (revid:build@mysql.com-20100719143034-omcma40sblwmay3x) (version source revid:alexey.kopytov@sun.com-20100611194401-9aqieq6tja0oifvd) (merge vers: 5.1.48) (pib:16)
[21 Jul 2010 14:15] Paul Dubois
Noted in 5.1.49, 5.5.5 changelogs.

The server could crash if there were alternate reads from two indexes
on a table using the HANDLER interface.
[26 Jul 2010 18:29] Paul Dubois
Closing. Changelog entry will become public when the bug report becomes public.
[14 Oct 2010 8:35] Bugs System
Pushed into mysql-5.1-telco-7.0 5.1.51-ndb-7.0.20 (revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (version source revid:vasil.dimov@oracle.com-20100531152341-x2d4hma644icamh1) (merge vers: 5.5.5-m3) (pib:21)
[14 Oct 2010 8:50] Bugs System
Pushed into mysql-5.1-telco-6.3 5.1.51-ndb-6.3.39 (revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (version source revid:vasil.dimov@oracle.com-20100531152341-x2d4hma644icamh1) (merge vers: 5.5.5-m3) (pib:21)
[14 Oct 2010 9:05] Bugs System
Pushed into mysql-5.1-telco-6.2 5.1.51-ndb-6.2.19 (revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (version source revid:vasil.dimov@oracle.com-20100531152341-x2d4hma644icamh1) (merge vers: 5.5.5-m3) (pib:21)
[14 Oct 2010 15:33] Jon Stephens
Already documented in the 5.1.49 changelog; no new changelog entries required. Setting back to Closed state.
[3 Nov 2010 15:41] Paul Dubois
CVE-2010-3681