Bug #6608 MySQL server crash in some query
Submitted: 13 Nov 2004 19:16    Modified: 16 Nov 2004 9:46
Reporter: Adul Tanthuvanit
Status: Closed
Category: MySQL Server    Severity: S1 (Critical)
Version: 4.1.7    OS: Windows (Windows, Linux)
Assigned to: Alexander Barkov    CPU Architecture: Any

[13 Nov 2004 19:16] Adul Tanthuvanit
Description:
#Table Structure
CREATE TABLE `download` (
  `id` int(11) NOT NULL auto_increment,
  `url` varchar(200) NOT NULL default '',
  `name` varchar(250) NOT NULL default '',
  `type` int(11) NOT NULL default '0',
  `website` varchar(250) NOT NULL default '',
  `adddate` date NOT NULL default '0000-00-00',
  `size` varchar(20) NOT NULL default '',
  `movieid` int(11) NOT NULL default '0',
  `musicid` int(11) NOT NULL default '0',
  `star` varchar(20) NOT NULL default '',
  `download` int(11) NOT NULL default '0',
  `lastweek` int(11) NOT NULL default '0',
  `thisweek` int(11) NOT NULL default '0',
  `page` varchar(250) NOT NULL default '',
  PRIMARY KEY  (`id`),
  UNIQUE KEY `url` (`url`)
) TYPE=InnoDB;

#Data
INSERT INTO `download` VALUES (1,'http://www.siamzone.com/download/download/000001-frodo_1024.jpg','The Lord of the Rings Wallpapers',1,'http://www.lordoftherings.net','2002-01-22','',448,0,'',3805,0,0,'');
INSERT INTO `download` VALUES (2,'http://www.othemovie.com/OScreenSaver1.EXE','O Screensaver',2,'','2002-01-22','',491,0,'',519,0,0,'');
INSERT INTO `download` VALUES (3,'http://www.siamzone.com/download/download/000003-jasonx2(800x600).jpg','Jason X Wallpapers',1,'','2002-05-31','',579,0,'',1091,0,0,'');

#Collation
tis620_thai_ci

Test #1 : Create InnoDB table and insert data = Crash
Test #2 : Create InnoDB table and insert first 2 rows of data = Normal
Test #3 : Create MyISAM table and insert data = Normal
Test #4 : Create MyISAM table and insert data and alter table to InnoDB = Crash (Sometimes Normal)
Test #5 : From #4 (Normal case), try to delete record id 3 = Crash
Test #6 : From #3, try to delete record id 3 = Normal

How to repeat:
As above.... 

Suggested fix:
I don't know..
[14 Nov 2004 11:25] Adul Tanthuvanit
After many crashes, the InnoDB data file is corrupted and can't be accessed anymore.
[14 Nov 2004 17:15] Heikki Tuuri
Hi!

I am able to repeat this in 4.1.8 with the statements at the end of this comment. The crash happens in the third INSERT.

mysql> INSERT INTO `download` VALUES
    -> (3,'http://www.siamzone.com/download/download/000003-jasonx2(800x600).jpg','Jaso
    '> n X Wallpapers',1,'','2002-05-31','',579,0,'',1091,0,0,'');

The bug is probably that the function below allocates a, then changes the value of a with the operator ++, and then tries to free a!

Regards,

Heikki

ctype-tis620.c:

  uint length;
  int res= 0;
  int alloced= 0;

  a= buf;
  if ((a_length + b_length +2) > (int) sizeof(buf))
  {
    a= (uchar*) malloc(a_length+b_length);  /* two bytes short of the two terminators written below */
    alloced= 1;
  }

  b= a + a_length+1;
  memcpy((char*) a, (char*) a0, a_length);
  a[a_length]= 0;       /* if length(a0)> len1, need to put 'end of string' */
  memcpy((char *)b, (char *)b0, b_length);
  b[b_length]= 0;       /* put end of string */
  a_length= thai2sortable(a, a_length);
  b_length= thai2sortable(b, b_length);

  end= a + (length= min(a_length, b_length));
  while (a < end)
  {
    if (*a++ != *b++)
    {
      res= ((int) a[-1] - (int) b[-1]);
      goto ret;
    }
  }
  if (a_length != b_length)
  {
    int swap= 0;
    /*
      Check the next not space character of the longer key. If it's < ' ',
      then it's smaller than the other key.
    */
    if (a_length < b_length)
    {
      /* put shorter key in s */
      a_length= b_length;
      a= b;
      swap= -1;                                 /* swap sign of result */
    }
    for (end= a + a_length-length; a < end ; a++)
    {
      if (*a != ' ')
      {
        res= ((int) *a - (int) ' ') ^ swap;
        goto ret;
      }
    }
  }

ret:

  if (alloced)
    free(a);      /* a is no longer the malloc'ed pointer: it was advanced by *a++ (or reassigned to b) above */
  return res;
}

heikki@hundin:~/mysql-4.1/sql> gdb mysqld
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(gdb) run
Starting program: /home/heikki/mysql-4.1/sql/mysqld
[New Thread 16384 (LWP 28648)]
041114 18:39:49 [Warning] You have enabled the binary log, but you haven't set server-id to a non-zero value: we force server id to 1; updates will be logged to the binary log, but connections from slaves will not be accepted.
[New Thread 32769 (LWP 28650)]
[New Thread 16386 (LWP 28651)]
[New Thread 32771 (LWP 28652)]
[New Thread 49156 (LWP 28653)]
[New Thread 65541 (LWP 28654)]
041114 18:39:50  InnoDB: Database was not shut down normally!
InnoDB: Starting crash recovery.
InnoDB: Reading tablespace information from the .ibd files...
InnoDB: Restoring possible half-written data pages from the doublewrite
InnoDB: buffer...
041114 18:39:52  InnoDB: Starting log scan based on checkpoint at
InnoDB: log sequence number 1 1649190630.
InnoDB: Doing recovery: scanned up to log sequence number 1 1649190630
InnoDB: Last MySQL binlog file position 0 79, file name ./binlog.000021
041114 18:39:52  InnoDB: Flushing modified pages from the buffer pool...
[New Thread 81926 (LWP 28655)]
[New Thread 98311 (LWP 28656)]
[New Thread 114696 (LWP 28657)]
041114 18:39:52  InnoDB: Started; log sequence number 1 1649190630
[New Thread 131081 (LWP 28658)]
041114 18:39:53 [Warning] mysql.user table is not updated to new password format; Disabling new password usage until mysql_fix_privilege_tables is run
/home/heikki/mysql-4.1/sql/mysqld: ready for connections.
Version: '4.1.8-debug-log'  socket: '/home/heikki/bugsocket'  port: 3307  Source distribution
[New Thread 147466 (LWP 28701)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 147466 (LWP 28701)]
0x4018e52d in _int_free () from /lib/i686/libc.so.6
(gdb) bt
#0  0x4018e52d in _int_free () from /lib/i686/libc.so.6
#1  0x4018d22f in free () from /lib/i686/libc.so.6
#2  0x08364b04 in my_strnncollsp_tis620 (cs=0x84ae020,
    a0=0x3be435f0 <Address 0x3be435f0 out of bounds>, a_length=146015688,
    b0=0x3be435f0 <Address 0x3be435f0 out of bounds>, b_length=63)
    at ctype-tis620.c:621
#3  0x081ff51a in innobase_mysql_cmp (mysql_type=253, charset_number=18,
    a=0x40249a20 "", a_length=69, b=0x40249a20 "", b_length=63)
    at ha_innodb.cc:1902
#4  0x082e332e in cmp_whole_field (type=0x4044108c,
    a=0x8b566bc "http://www.siamzone.com/download/download/000003-jasonx2(800x600).jpg", ' ' <repeats 131 times>..., a_length=69,
    b=0x48400085 "http://www.siamzone.com/download/download/000001-frodo_1024.jpg\200", b_length=1212153989) at rem0cmp.c:280
#5  0x082e365f in cmp_dtuple_rec_with_match (dtuple=0x40441068,
    rec=0x48400085 "http://www.siamzone.com/download/download/000001-frodo_1024.jpg\200", matched_fields=0x4e7e5d10, matched_bytes=0x4e7e5d14) at rem0cmp.c:544
#6  0x082e00df in page_cur_search_with_match (page=0x48400000 "\027Ý\t\035",
    tuple=0x40441068, mode=4, iup_matched_fields=0x4e7e5d88,
    iup_matched_bytes=0x4e7e5d8c, ilow_matched_fields=0x4e7e5d90,
    ilow_matched_bytes=0x4e7e5d94, cursor=0x4e7e6240) at page0cur.c:332
#7  0x0828f07d in btr_cur_search_to_nth_level (index=0x4043f468, level=0,
    tuple=0x40441068, mode=4, latch_mode=2, cursor=0x4e7e623c,
    has_search_latch=0, mtr=0x4e7e5ddc) at btr0cur.c:473
#8  0x0826e9b3 in row_ins_index_entry_low (mode=2, index=0x4043f468,
    entry=0x40441068, ext_vec=0x0, n_ext_vec=0, thr=0x404406c0)
    at row0ins.c:1835
#9  0x0826ef90 in row_ins_index_entry (index=0x4043f468, entry=0x40441068,
    ext_vec=0x0, n_ext_vec=0, thr=0x404406c0) at row0ins.c:1992
#10 0x0826f0ee in row_ins_index_entry_step (node=0x4043fe70, thr=0x3be435f0)
    at row0ins.c:2071
#11 0x0826f261 in row_ins (node=0x4043fe70, thr=0x404406c0) at row0ins.c:2203
#12 0x0826f36e in row_ins_step (thr=0x404406c0) at row0ins.c:2307
#13 0x082708f2 in row_insert_for_mysql (
    mysql_rec=0x3be435f0 <Address 0x3be435f0 out of bounds>,
    prebuilt=0x4043ea68) at row0mysql.c:926
#14 0x082004d6 in ha_innobase::write_row(char*) (this=0x8b48820,
    record=0x8b566b8 "\003") at ha_innodb.cc:2484
#15 0x081bc02e in write_record(st_table*, st_copy_info*) (table=0x8b3ff88,
    info=0x4e7e65bc) at sql_insert.cc:588
#16 0x081bb540 in mysql_insert(THD*, st_table_list*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates) (thd=0x8b473b8,
    table_list=0x8b453d0, fields=@0x8b476c8, values_list=@0x8b476e0,
    update_fields=@0x8b47548, update_values=@0x8b476d4, duplic=DUP_ERROR)
    at sql_insert.cc:307
#17 0x0817b81f in mysql_execute_command(THD*) (thd=0x8b473b8)
    at sql_parse.cc:2703
#18 0x0817ed59 in mysql_parse(THD*, char*, unsigned) (thd=0x8b473b8,
    inBuf=0x8b452a0 "INSERT INTO `download` VALUES\n(3,'http://www.siamzone.com/download/download/000003-jasonx2(800x600).jpg','Jaso\nn X Wallpapers',1,'','2002-05-31','',579,0,'',1091,0,0,'')", length=146043892) at sql_parse.cc:4063
#19 0x08178287 in dispatch_command(enum_server_command, THD*, char*, unsigned)
    (command=COM_QUERY, thd=0x8b473b8,
    packet=0x8b41269 "INSERT INTO `download` VALUES\n(3,'http://www.siamzone.com/download/download/000003-jasonx2(800x600).jpg','Jaso\nn X Wallpapers',1,'','2002-05-31','',579,0,'',1091,0,0,'')", packet_length=170) at sql_parse.cc:1466
#20 0x08177b93 in do_command(THD*) (thd=0x8b473b8) at sql_parse.cc:1280
#21 0x0817707b in handle_one_connection (arg=0x3be435f0) at sql_parse.cc:1024
#22 0x40062f60 in pthread_start_thread () from /lib/i686/libpthread.so.0
#23 0x400630fe in pthread_start_thread_event () from /lib/i686/libpthread.so.0
#24 0x401f5327 in clone () from /lib/i686/libc.so.6
(gdb)

CREATE TABLE `download` (
  `id` int(11) NOT NULL auto_increment,
  `url` varchar(200) NOT NULL default '',
  `name` varchar(250) NOT NULL default '',
  `type` int(11) NOT NULL default '0',
  `website` varchar(250) NOT NULL default '',
  `adddate` date NOT NULL default '0000-00-00',
  `size` varchar(20) NOT NULL default '',
  `movieid` int(11) NOT NULL default '0',
  `musicid` int(11) NOT NULL default '0',
  `star` varchar(20) NOT NULL default '',
  `download` int(11) NOT NULL default '0',
  `lastweek` int(11) NOT NULL default '0',
  `thisweek` int(11) NOT NULL default '0',
  `page` varchar(250) NOT NULL default '',
  PRIMARY KEY  (`id`),
  UNIQUE KEY `url` (`url`)
) TYPE=InnoDB DEFAULT CHARACTER SET tis620
COLLATE tis620_thai_ci;

INSERT INTO `download` VALUES
(1,'http://www.siamzone.com/download/download/000001-frodo_1024.jpg','The Lord
of the Rings
Wallpapers',1,'http://www.lordoftherings.net','2002-01-22','',448,0,'',3805,0,0,
'');
INSERT INTO `download` VALUES (2,'http://www.othemovie.com/OScreenSaver1.EXE','O
Screensaver',2,'','2002-01-22','',491,0,'',519,0,0,'');
INSERT INTO `download` VALUES
(3,'http://www.siamzone.com/download/download/000003-jasonx2(800x600).jpg','Jaso
n X Wallpapers',1,'','2002-05-31','',579,0,'',1091,0,0,'');
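The pointer mistake Heikki points at in the ctype-tis620.c fragment, reduced to a stand-alone C example. This is added here and is not MySQL's code. `buggy_free_target_drifts` repeats the fragment's walk over the two copied keys but, instead of calling free() on the advanced cursor, reports whether that cursor still equals the malloc() base; `cmp_space_padded` is the corrected shape, where the heap pointer lives in its own variable (`heap`) and only that is ever freed. The thai2sortable() normalisation step is left out (assumption: it plays no part in the pointer bug), the on-stack buffer is made deliberately small so short keys already take the heap path, and the allocation is sized to match the size check, since the fragment's malloc(a_length+b_length) is two bytes short of the two terminators it then writes. All keys are constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SMALL_BUF 16   /* constructed: tiny so that short keys already take the heap path */

/* Mirrors the fragment's pointer walk.  Returns 1 when the cursor the fragment
 * would hand to free() no longer equals the malloc() base (the bug), 0 when it
 * still does, -1 when nothing was allocated (stack buffer used). */
static int buggy_free_target_drifts(const unsigned char *a0, size_t a_length,
                                    const unsigned char *b0, size_t b_length)
{
  unsigned char buf[SMALL_BUF], *a, *b, *end, *base = NULL;
  size_t length;
  int drift;

  a = buf;
  if (a_length + b_length + 2 > sizeof(buf)) {
    base = malloc(a_length + b_length + 2);   /* room for both NUL terminators */
    if (base == NULL)
      return -1;
    a = base;
  }
  b = a + a_length + 1;
  memcpy(a, a0, a_length); a[a_length] = 0;
  memcpy(b, b0, b_length); b[b_length] = 0;

  length = a_length < b_length ? a_length : b_length;
  end = a + length;
  while (a < end)               /* the cursor 'a' walks away from the allocation */
    if (*a++ != *b++)
      goto ret;
  if (a_length != b_length) {
    if (a_length < b_length) {  /* the fragment does a= b: cursor now points into b's copy */
      a_length = b_length;
      a = b;
    }
    for (end = a + a_length - length; a < end; a++)
      if (*a != ' ')
        goto ret;
  }
ret:
  if (base == NULL)
    return -1;
  drift = (a != base);          /* 'a' is what the fragment passes to free() */
  free(base);                   /* release the real allocation instead */
  return drift;
}

/* Corrected shape of the same comparison: the allocation base stays in 'heap'
 * and never moves, so free(heap) at the end is always right.  Trailing pad
 * spaces are ignored; a byte below ' ' in the longer key sorts that key lower,
 * as the fragment's own comment describes. */
static int cmp_space_padded(const unsigned char *a0, size_t a_length,
                            const unsigned char *b0, size_t b_length)
{
  unsigned char buf[SMALL_BUF], *heap = NULL, *a, *b, *end;
  size_t length;
  int res = 0;

  a = buf;
  if (a_length + b_length + 2 > sizeof(buf)) {
    heap = malloc(a_length + b_length + 2);
    if (heap == NULL)
      abort();   /* this signature has no error channel; a server would report ENOMEM instead */
    a = heap;
  }
  b = a + a_length + 1;
  memcpy(a, a0, a_length); a[a_length] = 0;
  memcpy(b, b0, b_length); b[b_length] = 0;

  length = a_length < b_length ? a_length : b_length;
  for (end = a + length; a < end; a++, b++) {
    if (*a != *b) {
      res = (int)*a - (int)*b;
      goto ret;
    }
  }
  if (a_length != b_length) {
    const unsigned char *tail = a, *tail_end = a + (a_length - length);
    int sign = 1;
    if (a_length < b_length) {  /* b is the longer key: flip the sign of the result */
      tail = b;
      tail_end = b + (b_length - length);
      sign = -1;
    }
    for (; tail < tail_end; tail++) {
      if (*tail != ' ') {
        res = sign * ((int)*tail - (int)' ');
        goto ret;
      }
    }
  }
ret:
  free(heap);   /* NULL on the stack path; free(NULL) is a no-op */
  return res;
}

int main(void)
{
  const unsigned char *k1 = (const unsigned char *)"0123456789abcdef";     /* constructed keys */
  const unsigned char *k2 = (const unsigned char *)"0123456789abcdef   ";
  printf("buggy variant would free a drifted pointer for identical keys: %d\n",
         buggy_free_target_drifts(k1, 16, k1, 16));
  printf("fixed comparison, key vs key plus pad spaces: %d\n", cmp_space_padded(k1, 16, k2, 19));
  printf("fixed comparison, \"abc\" vs \"abd\" (stack path): %d\n",
         cmp_space_padded((const unsigned char *)"abc", 3, (const unsigned char *)"abd", 3));
  return 0;
}
```

With heap-path inputs the buggy variant reports drift even when the two keys are identical, because by the time `ret:` is reached the cursor has walked the whole common length; this matches the backtrace above, where the fault surfaces inside `_int_free` rather than at the comparison itself, since glibc only notices the bad pointer when it inspects the chunk header.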
[16 Nov 2004 5:59] Adul Tanthuvanit
Which version of MySQL will include this fix?
[16 Nov 2004 9:46] Sergei Golubchik
It's fixed in 4.1.8.