Bug #54358 READ UNCOMMITTED access failure of off-page DYNAMIC or COMPRESSED columns
Submitted: 9 Jun 2010 7:57
Modified: 11 Jan 2011 0:43
Reporter: Marko Mäkelä
Status: Closed
Category: MySQL Server: InnoDB Plugin storage engine
Severity: S2 (Serious)
Version: 5.1.48, 5.5
OS: Any
Assigned to: Marko Mäkelä
Tags: crash BLOB UNCOMMITTED
Triage: Triaged: D1 (Critical) / R1 (None/Negligible) / E3 (Medium)

[9 Jun 2010 7:57] Marko Mäkelä
Description:
When an externally stored column is being accessed at the READ UNCOMMITTED isolation level between the time the base record has been inserted to the clustered index B-tree page and the call to btr_store_big_rec_extern_fields(), the READ UNCOMMITTED access will see a zero BLOB pointer.

The zero BLOB pointer will cause an assertion failure at least when accessing the table through a secondary index on a prefix of an externally stored column:

InnoDB: Failing assertion: memcmp(data, field_ref_zero, BTR_EXTERN_FIELD_REF_SIZE)

 #5  0x0000003acbc31d10 in abort () from /lib64/libc.so.6
 #6  0x00002aaaabbcd34f in btr_copy_externally_stored_field_prefix (
     buf=0x4ade8a50 "khd"..., len=768,
     zip_size=2048, data=0x2aaab7aa0a52 "", local_len=0) at btr/btr0cur.c:4739
 #7  0x00002aaaabc7fd53 in row_sel_sec_rec_is_for_blob (mtype=5, prtype=524540,
     mbminlen=1, mbmaxlen=1, clust_field=0x2aaab7aa0a52 "", clust_len=20,
     sec_field=0x2aaabb9f6669 "khd"...,
     sec_len=255, zip_size=2048) at row/row0sel.c:109
 #8  0x00002aaaabc80134 in row_sel_sec_rec_is_for_clust_rec (
     sec_rec=0x2aaabb9f6669 "khd"...,
     sec_index=0x2aab441bf6a8, clust_rec=0x2aaab7aa0a1f "kjgclgrtfu\200",
     clust_index=0x2aab440e70e8) at row/row0sel.c:210
 #9  0x00002aaaabc851a5 in row_sel_get_clust_rec_for_mysql (
     prebuilt=0x2aab4c10b248, sec_index=0x2aab441bf6a8,
     rec=0x2aaabb9f6669 "khd"...,
     thr=0x2aab4c0e8a38, out_rec=0x4ade9ae8, offsets=0x4ade9308,
     offset_heap=0x4ade9638, mtr=0x4ade9640) at row/row0sel.c:2971
 #10 0x00002aaaabc86f09 in row_search_for_mysql (
     buf=0x2aab4c29a390 "\376\244\003", mode=2, prebuilt=0x2aab4c10b248,
     match_mode=0, direction=1) at row/row0sel.c:4263
 #11 0x00002aaaabc1b04b in ha_innodb::general_fetch (this=0x2aab4c29a1a0,
     buf=0x2aab4c29a390 "\376\244\003", direction=1, match_mode=0)
     at handler/ha_innodb.cc:5643
 #12 0x00002aaaabc1b25f in ha_innodb::index_next (this=0x2aab4c29a1a0,
     buf=0x2aab4c29a390 "\376\244\003") at handler/ha_innodb.cc:5683

How to repeat:
Create a DYNAMIC or COMPRESSED table with a secondary index on a column prefix, and try to access the records at READ UNCOMMITTED isolation level while records with off-page columns are being inserted. (Note that updates map to delete+insert when the primary key or off-page columns are updated.)

Suggested fix:
When a zero BLOB pointer is encountered in READ UNCOMMITTED, pretend that the record does not exist, because it has not been fully written yet.
[9 Jun 2010 8:00] Marko Mäkelä
Workaround: Do not use READ UNCOMMITTED when accessing tables that may contain off-page columns.
[9 Jun 2010 8:14] Marko Mäkelä
Because btr_store_big_rec_extern_fields() is holding an x-lock on the clustered index page while it is writing the off-page column data (BLOB) page by page in a sub-mtr, reads of partially written BLOBs should not be possible. READ UNCOMMITTED should always see either a zero BLOB pointer or a fully initialized BLOB.

Using the REDUNDANT or COMPACT row format will prevent the bug from occurring during secondary index lookups. In those formats, a bug could occur when fetching the entire column.

Before the InnoDB Plugin, only REDUNDANT or COMPACT row formats are available, and there are no BLOB pointer validity checks in place. Luckily, even in MySQL 3.23.53 (the first InnoDB release) the BLOB pointer is initialized to zero in the initial INSERT. This should mean that READ UNCOMMITTED could fetch a record where some columns are truncated to 768 bytes (the locally stored prefix).
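The zero-pointer handling proposed in the suggested fix and explained in the comment above, as an added C sketch that is not part of the bug report or the InnoDB source: a READ UNCOMMITTED reader sees either an all-zero BLOB pointer or a fully written BLOB, so the all-zero case is reported as "record does not exist" instead of being asserted on. BTR_EXTERN_FIELD_REF_SIZE and field_ref_zero are the names from the assertion message; the enum, the toy_pages store, ref_page_no() and the simplified pointer layout are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BTR_EXTERN_FIELD_REF_SIZE 20 /* BLOB pointer size; clust_len=20 in the trace */
static const unsigned char field_ref_zero[BTR_EXTERN_FIELD_REF_SIZE] = {0};

enum sec_match { REC_MATCH, REC_MISMATCH, REC_NOT_YET_WRITTEN }; /* hypothetical */

/* Toy off-page storage (constructed): slot n holds the BLOB for "page" n. */
struct toy_blob { const char *data; size_t len; };
static const struct toy_blob toy_pages[] = {
    { NULL, 0 },                        /* page 0 never holds a BLOB here */
    { "khd-long-off-page-value", 23 },
};

/* Simplified layout for this sketch: big-endian page number in bytes 4..7. */
static uint32_t ref_page_no(const unsigned char *ref)
{
    return ((uint32_t)ref[4] << 24) | ((uint32_t)ref[5] << 16)
         | ((uint32_t)ref[6] << 8) | (uint32_t)ref[7];
}

/* Compare a secondary-index prefix with the off-page column that the
 * clustered record points to. A zero pointer means the base record has been
 * inserted but the BLOB has not been stored yet, so the caller is told to
 * treat the record as nonexistent rather than hitting an assertion. */
enum sec_match sec_prefix_is_for_blob(const unsigned char *clust_field,
                                      size_t clust_len,
                                      const char *sec_field, size_t sec_len)
{
    if (clust_len < BTR_EXTERN_FIELD_REF_SIZE)
        return REC_MISMATCH;            /* no room for a BLOB pointer */

    const unsigned char *ref = clust_field + clust_len - BTR_EXTERN_FIELD_REF_SIZE;
    if (memcmp(ref, field_ref_zero, BTR_EXTERN_FIELD_REF_SIZE) == 0)
        return REC_NOT_YET_WRITTEN;     /* skip: record not fully written */

    uint32_t page = ref_page_no(ref);
    if (page >= sizeof toy_pages / sizeof toy_pages[0] || !toy_pages[page].data)
        return REC_MISMATCH;            /* dangling pointer in the toy store */

    const struct toy_blob *b = &toy_pages[page];
    if (sec_len > b->len)
        return REC_MISMATCH;
    return memcmp(b->data, sec_field, sec_len) == 0 ? REC_MATCH : REC_MISMATCH;
}
```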
[29 Jun 2010 12:56] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112457
[29 Jun 2010 12:56] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112458
[29 Jun 2010 12:57] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112460
[29 Jun 2010 12:57] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112461
[29 Jun 2010 13:19] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112471
[29 Jun 2010 13:19] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112472
[30 Jun 2010 9:32] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112539
[30 Jun 2010 9:32] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112540
[30 Jun 2010 9:39] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112544
[30 Jun 2010 9:39] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112545
[30 Jun 2010 9:53] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112550
[30 Jun 2010 9:53] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112551
[30 Jun 2010 9:55] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112553
[30 Jun 2010 9:56] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112554
[4 Aug 2010 7:54] Bugs System
Pushed into mysql-trunk 5.5.6-m3 (revid:alik@sun.com-20100731131027-1n61gseejyxsqk5d) (version source revid:alik@sun.com-20100731074942-o840woifuqioxxe4) (merge vers: 5.5.6-m3) (pib:18)
[4 Aug 2010 8:04] Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804080001-bny5271e65xo34ig) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (merge vers: 5.6.99-m4) (pib:18)
[4 Aug 2010 8:20] Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804081533-c1d3rbipo9e8rt1s) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (merge vers: 5.6.99-m4) (pib:18)
[4 Aug 2010 9:01] Bugs System
Pushed into mysql-next-mr (revid:alik@ibmvm-20100804081630-ntapn8bf9pko9vj3) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (pib:20)
[16 Aug 2010 20:02] John Russell
Adding to change log:

      Querying an InnoDB table using the READ UNCOMMITTED isolation level
      could produce an error if BLOB or other large columns were being
      inserted at the same time.
[19 Aug 2010 15:40] Bugs System
Pushed into mysql-5.1 5.1.51 (revid:build@mysql.com-20100819151858-muaaor6jojb5ouzj) (version source revid:build@mysql.com-20100819151858-muaaor6jojb5ouzj) (merge vers: 5.1.51) (pib:20)
[31 Aug 2010 14:11] Sveta Smirnova
Fix exists in version 5.1.50
[14 Oct 2010 8:26] Bugs System
Pushed into mysql-5.1-telco-7.0 5.1.51-ndb-7.0.20 (revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (version source revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (merge vers: 5.1.51-ndb-7.0.20) (pib:21)
[14 Oct 2010 8:41] Bugs System
Pushed into mysql-5.1-telco-6.3 5.1.51-ndb-6.3.39 (revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (version source revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (merge vers: 5.1.51-ndb-6.3.39) (pib:21)
[14 Oct 2010 8:56] Bugs System
Pushed into mysql-5.1-telco-6.2 5.1.51-ndb-6.2.19 (revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (version source revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (merge vers: 5.1.51-ndb-6.2.19) (pib:21)
[28 Oct 2010 10:40] Marko Mäkelä
The fix of Bug #54358 was incomplete. I filed Bug #57799 for the fixes that remain to be done.
[5 Dec 2010 12:37] Bugs System
Pushed into mysql-trunk 5.6.1 (revid:alexander.nozdrin@oracle.com-20101205122447-6x94l4fmslpbttxj) (version source revid:alexander.nozdrin@oracle.com-20101205122447-6x94l4fmslpbttxj) (merge vers: 5.6.1) (pib:23)
[15 Dec 2010 5:51] Bugs System
Pushed into mysql-5.1 5.1.55 (revid:sunanda.menon@oracle.com-20101215054055-vgwki317xg1wphhh) (version source revid:sunanda.menon@oracle.com-20101215054055-vgwki317xg1wphhh) (merge vers: 5.1.55) (pib:23)
[16 Dec 2010 22:25] Bugs System
Pushed into mysql-5.5 5.5.9 (revid:jonathan.perkin@oracle.com-20101216101358-fyzr1epq95a3yett) (version source revid:jonathan.perkin@oracle.com-20101216101358-fyzr1epq95a3yett) (merge vers: 5.5.9) (pib:24)