Bug #58219 segfault in row_search_for_mysql for INSERT SELECT
Submitted: 16 Nov 2010 7:23 Modified: 28 Oct 2013 12:51
Reporter: Jørgen Løland Email Updates:
Status: Can't repeat Impact on me:
None 
Category:MySQL Server: InnoDB storage engine Severity:S3 (Non-critical)
Version:5.5 OS:Any
Assigned to: Marko Mäkelä CPU Architecture:Any

[16 Nov 2010 7:23] Jørgen Løland
Description:
I encountered a segfault in row_search_for_mysql() when running RQG with the WL5004_sql grammar. (Frames #7 and #8 of the backtrace below show abort() reached from a ut_ad() debug assertion at row0sel.c:3684, so the crash is a failed debug assertion on a debug build rather than an invalid memory access.)

#0  0xb779f430 in __kernel_vsyscall ()
#1  0xb7778e93 in __pthread_kill (threadid=2840808304, signo=6)
    at ../nptl/sysdeps/unix/sysv/linux/pthread_kill.c:64
#2  0x086a7c7b in my_write_core (sig=6)
    at /mysql/mysql-5.5-runtime-debugging_rqg/mysys/stacktrace.c:330
#3  0x08170c2a in handle_segfault (sig=6)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/mysqld.cc:2511
#4  <signal handler called>
#5  0xb779f430 in __kernel_vsyscall ()
#6  0xb74c64d1 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#7  0xb74c9932 in *__GI_abort () at abort.c:92
#8  0x08516342 in row_search_for_mysql (buf=0xa002fb0 "\377", mode=1, prebuilt=0xa2732a0, 
    match_mode=0, direction=0)
    at /mysql/mysql-5.5-runtime-debugging_rqg/storage/innobase/row/row0sel.c:3684
#9  0x084ec689 in ha_innobase::index_read (this=0xa002e58, buf=0xa002fb0 "\377", key_ptr=0x0, 
    key_len=0, find_flag=HA_READ_AFTER_KEY)
    at /mysql/mysql-5.5-runtime-debugging_rqg/storage/innobase/handler/ha_innodb.cc:5661
#10 0x084ed035 in ha_innobase::index_first (this=0xa002e58, buf=0xa002fb0 "\377")
    at /mysql/mysql-5.5-runtime-debugging_rqg/storage/innobase/handler/ha_innodb.cc:5963
#11 0x0846a0ee in QUICK_GROUP_MIN_MAX_SELECT::next_prefix (this=0xa08b618)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/opt_range.cc:11088
#12 0x084699c1 in QUICK_GROUP_MIN_MAX_SELECT::get_next (this=0xa08b618)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/opt_range.cc:10823
#13 0x0847172a in rr_quick (info=0xa3de5a8)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/records.cc:335
#14 0x082588e2 in join_init_read_record (tab=0xa3de568)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sql_select.cc:12417
#15 0x08256e30 in sub_select (join=0xa3dceb8, join_tab=0xa3de568, end_of_records=false)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sql_select.cc:11686
#16 0x08256a15 in do_select (join=0xa3dceb8, fields=0xa3de01c, table=0x0, procedure=0x0)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sql_select.cc:11452
#17 0x0824131b in JOIN::exec (this=0xa3dceb8)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sql_select.cc:2396
#18 0x083f6bf6 in subselect_single_select_engine::exec (this=0xa213768)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/item_subselect.cc:1989
#19 0x083f16e1 in Item_subselect::exec (this=0xa2136d0)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/item_subselect.cc:288
#20 0x083f25b3 in Item_singlerow_subselect::val_int (this=0xa2136d0)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/item_subselect.cc:601
#21 0x0838b0b0 in Item::save_in_field (this=0xa2136d0, field=0xa211788, no_conversions=false)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/item.cc:5437
#22 0x08477fb2 in sp_eval_expr (thd=0xa6374a50, result_field=0xa211788, expr_item_ptr=0xa2137b0)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sp_head.cc:405
#23 0x084846bb in sp_rcontext::set_return_value (this=0xa3f0c00, thd=0xa6374a50, 
    return_value_item=0xa2137b0)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sp_rcontext.cc:166
#24 0x0847fa33 in sp_instr_freturn::exec_core (this=0xa213790, thd=0xa6374a50, nextp=0xa9532510)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sp_head.cc:3453
#25 0x0847e77f in sp_lex_keeper::reset_lex_and_exec_core (this=0xa2137b8, thd=0xa6374a50, 
    nextp=0xa9532510, open_tables=true, instr=0xa213790)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sp_head.cc:2957
#26 0x0847f9ef in sp_instr_freturn::execute (this=0xa213790, thd=0xa6374a50, nextp=0xa9532510)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sp_head.cc:3431
#27 0x0847aa2d in sp_head::execute (this=0xa211948, thd=0xa6374a50, merge_da_on_success=true)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sp_head.cc:1417
#28 0x0847bdc5 in sp_head::execute_function (this=0xa211948, thd=0xa6374a50, argp=0x0, argcount=0, 
    return_value_fld=0xa211788)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sp_head.cc:1938
#29 0x083d63a0 in Item_func_sp::execute_impl (this=0xa2102d0, thd=0xa6374a50)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/item_func.cc:6369
#30 0x083d6190 in Item_func_sp::execute (this=0xa2102d0)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/item_func.cc:6298
#31 0x083d8e2f in Item_func_sp::val_int (this=0xa2102d0)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/item_func.h:1724
#32 0x0839d648 in Arg_comparator::compare_int_signed (this=0xa210d70)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/item_cmpfunc.cc:1471
#33 0x083aacbe in Arg_comparator::compare (this=0xa210d70)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/item_cmpfunc.h:88
#34 0x0839e87f in Item_func_eq::val_int (this=0xa210cf8)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/item_cmpfunc.cc:1958
#35 0x0837c8e4 in Item::val_bool (this=0xa210cf8)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/item.cc:199
#36 0x083a6e73 in Item_cond_and::val_int (this=0xa210ff0)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/item_cmpfunc.cc:4515
#37 0x0825688f in do_select (join=0xa3db270, fields=0xa6386cd0, table=0x0, procedure=0x0)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sql_select.cc:11421
#38 0x0824131b in JOIN::exec (this=0xa3db270)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sql_select.cc:2396
#39 0x08241a08 in mysql_select (thd=0xa6374a50, rref_pointer_array=0xa6386d34, tables=0xa20fd00, 
    wild_num=0, fields=..., conds=0xa210ff0, og_num=0, order=0x0, group=0x0, having=0x0, 
    proc_param=0x0, select_options=2416184064, result=0xa211638, unit=0xa6386804, 
    select_lex=0xa6386c3c)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sql_select.cc:2598
#40 0x081f0cc0 in mysql_derived_filling (thd=0xa6374a50, lex=0xa6375eec, orig_table_list=0xa63854e0)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sql_derived.cc:298
#41 0x081f05e7 in mysql_handle_derived (lex=0xa6375eec, 
    processor=0x81f0ad1 <mysql_derived_filling(THD*, LEX*, TABLE_LIST*)>)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sql_derived.cc:60
#42 0x081c28de in open_and_lock_tables (thd=0xa6374a50, tables=0xa63854e0, derived=true, flags=0, 
    prelocking_strategy=0xa9532dac)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sql_base.cc:5381
#43 0x081b67b9 in open_and_lock_tables (thd=0xa6374a50, tables=0xa63854e0, derived=true, flags=0)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sql_base.h:475
#44 0x082115e0 in mysql_execute_command (thd=0xa6374a50)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sql_parse.cc:2879
#45 0x08219126 in mysql_parse (thd=0xa6374a50, 
    rawbuf=0xa63852d0 "INSERT   INTO testdb_S . t1_view1_N  ( `col_int` , `col_int_key` , `pk`  ) SELECT   `col_int` , `col_int_key` , `pk`  FROM testdb_S . t1_base1_S  AS A WHERE `pk` BETWEEN 2 AND 2 + 1 LIMIT 1", length=189, parser_state=0xa9533b90)
    at /mysql/mysql-5.5-runtime-debugging_rqg/sql/sql_parse.cc:5528
----------------------------------------

(gdb) f 8
#8  0x08516342 in row_search_for_mysql (buf=0xa002fb0 "\377", mode=1, prebuilt=0xa2732a0, 
    match_mode=0, direction=0)
    at /mysql/mysql-5.5-runtime-debugging_rqg/storage/innobase/row/row0sel.c:3684
3684		ut_ad(prebuilt->sql_stat_start || trx->conc_state == TRX_ACTIVE);

(gdb) l
3679		if (trx->has_search_latch) {
3680			rw_lock_s_unlock(&btr_search_latch);
3681			trx->has_search_latch = FALSE;
3682		}
3683	
3684		ut_ad(prebuilt->sql_stat_start || trx->conc_state == TRX_ACTIVE);
3685		ut_ad(trx->conc_state == TRX_NOT_STARTED
3686		      || trx->conc_state == TRX_ACTIVE);
3687		ut_ad(prebuilt->sql_stat_start
3688		      || prebuilt->select_lock_type != LOCK_NONE
(gdb) p prebuilt->sql_stat_start
$1 = 0
(gdb) p trx->conc_state
$2 = 0

How to repeat:
Run random query generator with the WL5004_sql.yy grammar found in the RQG repository. The segfault hit me after about a week of testing, so likelihood is pretty low. 

At the moment, I have no reproducible test case other than running the RQG tests.
[28 Dec 2010 10:08] Marko Mäkelä
Can you repeat this with the InnoDB Plugin in MySQL 5.1?
[3 Jan 2011 11:48] Jørgen Løland
Marko: I haven't tried since I don't have the necessary resources. The problem is non-trivial to reproduce. We don't have an mtr test case, only seldom crashes when running RQG tests with this command:

 ./runall.pl
--mem
--grammar=conf/runtime/WL5004_sql.yy
--redefine=conf/runtime/WL5004_sql_redefine.yy
--gendata=conf/runtime/WL5004_data.zz
--basedir=(dir with 5.5-bugteam)
--queries=10M
--duration=36000
--threads=30
--reporter=Deadlock,Backtrace,Shutdown
--mysqld=--lock-wait-timeout=1
[28 Oct 2013 12:51] Jørgen Løland
Closing since the issue has not been seen in almost 3 years.