Bug #88121 MySQL crashes in btr_pcur_restore_position_func at btr0pcur.cc
Submitted: 17 Oct 2017 12:38 Modified: 17 Oct 2017 13:11
Reporter: kfpanda kf Email Updates:
Status: Can't repeat Impact on me:
None 
Category:MySQL Server: InnoDB storage engine Severity:S2 (Serious)
Version:5.6.37 OS:Linux
Assigned to: CPU Architecture:Any

[17 Oct 2017 12:38] kfpanda kf
Description:
#0  0x00007f4fb1834741 in pthread_kill () from /lib64/libpthread.so.0
#1  0x0000000000ab7236 in my_write_core (sig=6) at /sda/src/rds-mysql/mysys/stacktrace.c:424
#2  0x0000000000734894 in handle_fatal_signal (sig=6) at /sda/src/rds-mysql/sql/signal_handler.cc:230
#3  <signal handler called>
#4  0x00007f4fb063e5f7 in raise () from /lib64/libc.so.6
#5  0x00007f4fb063fce8 in abort () from /lib64/libc.so.6
#6  0x0000000000d34e28 in btr_pcur_restore_position_func (latch_mode=1, cursor=0x7f4f402a6b08, file=0x1046928 "/sda/src/rds-mysql/storage/innobase/row/row0sel.cc", line=3308, mtr=0x7f4f8798e790) at /sda/src/rds-mysql/storage/innobase/btr/btr0pcur.cc:238
#7  0x0000000000ca8617 in sel_restore_position_for_mysql (same_user_rec=0x7f4f8798ec88, latch_mode=1, pcur=0x7f4f402a6b08, moves_up=1, mtr=0x7f4f8798e790) at /sda/src/rds-mysql/storage/innobase/row/row0sel.cc:3308
#8  0x0000000000caa404 in row_search_for_mysql (buf=0x7f4f402647b8 "\377\002", mode=1, prebuilt=0x7f4f402a6a88, match_mode=0, direction=1) at /sda/src/rds-mysql/storage/innobase/row/row0sel.cc:4248
#9  0x0000000000b97cfe in ha_innobase::general_fetch (this=0x7f4f402644f0, buf=0x7f4f402647b8 "\377\002", direction=1, match_mode=0) at /sda/src/rds-mysql/storage/innobase/handler/ha_innodb.cc:7944
#10 0x0000000000b97f2b in ha_innobase::index_next (this=0x7f4f402644f0, buf=0x7f4f402647b8 "\377\002") at /sda/src/rds-mysql/storage/innobase/handler/ha_innodb.cc:8007
#11 0x000000000064905d in handler::ha_index_next (this=0x7f4f402644f0, buf=0x7f4f402647b8 "\377\002") at /sda/src/rds-mysql/sql/handler.cc:2816
#12 0x0000000000650c7d in handler::read_range_next (this=0x7f4f402644f0) at /sda/src/rds-mysql/sql/handler.cc:6767
#13 0x000000000064ed03 in handler::multi_range_read_next (this=0x7f4f402644f0, range_info=0x7f4f8798eff0) at /sda/src/rds-mysql/sql/handler.cc:5853
#14 0x000000000064fbaa in DsMrr_impl::dsmrr_next (this=0x7f4f40264778, range_info=0x7f4f8798eff0) at /sda/src/rds-mysql/sql/handler.cc:6233
#15 0x0000000000ba5364 in ha_innobase::multi_range_read_next (this=0x7f4f402644f0, range_info=0x7f4f8798eff0) at /sda/src/rds-mysql/storage/innobase/handler/ha_innodb.cc:17137
#16 0x000000000097403e in QUICK_RANGE_SELECT::get_next (this=0x7f4f4c1560c0) at /sda/src/rds-mysql/sql/opt_range.cc:10644
#17 0x000000000098d568 in rr_quick (info=0x7f4f4c0c4e68) at /sda/src/rds-mysql/sql/records.cc:369
#18 0x00000000007b3f44 in sub_select (join=0x7f4f4c005ba0, join_tab=0x7f4f4c0c4dd8, end_of_records=false) at /sda/src/rds-mysql/sql/sql_executor.cc:1262
#19 0x00000000007b392e in do_select (join=0x7f4f4c005ba0) at /sda/src/rds-mysql/sql/sql_executor.cc:936
#20 0x00000000007b18cd in JOIN::exec (this=0x7f4f4c005ba0) at /sda/src/rds-mysql/sql/sql_executor.cc:194
#21 0x0000000000812b3f in mysql_execute_select (thd=0x1936580, select_lex=0x1938b38, free_join=true) at /sda/src/rds-mysql/sql/sql_select.cc:1101
#22 0x0000000000812e31 in mysql_select (thd=0x1936580, tables=0x7f4f4c005058, wild_num=1, fields=..., conds=0x7f4f4c0057d8, order=0x1938d00, group=0x1938c38, having=0x0, select_options=203301376, result=0x7f4f4c005b78, unit=0x19384f0, select_lex=0x1938b38)
    at /sda/src/rds-mysql/sql/sql_select.cc:1222
#23 0x0000000000810f2a in handle_select (thd=0x1936580, result=0x7f4f4c005b78, setup_tables_done_option=0) at /sda/src/rds-mysql/sql/sql_select.cc:110
#24 0x00000000007ea8fc in execute_sqlcom_select (thd=0x1936580, all_tables=0x7f4f4c005058) at /sda/src/rds-mysql/sql/sql_parse.cc:5237
#25 0x00000000007e3182 in mysql_execute_command (thd=0x1936580) at /sda/src/rds-mysql/sql/sql_parse.cc:2695
#26 0x00000000007ed408 in mysql_parse (thd=0x1936580, rawbuf=0x7f4f4c004e00 "SELECT * FROM t1  WHERE c1 < '2010-00-01 00:00:00' ORDER BY c1 LIMIT 2", length=70, parser_state=0x7f4f879905e0) at /sda/src/rds-mysql/sql/sql_parse.cc:6489
#27 0x00000000007e0182 in dispatch_command (command=COM_QUERY, thd=0x1936580, packet=0x24711b1 "", packet_length=71) at /sda/src/rds-mysql/sql/sql_parse.cc:1377
#28 0x00000000007df1b4 in do_command (thd=0x1936580) at /sda/src/rds-mysql/sql/sql_parse.cc:1040
#29 0x00007f4f96431930 in threadpool_process_request (thd=0x1936580) at /sda/src/rds-mysql/plugin/threadpool/threadpool_common.cc:321
#30 0x00007f4f964345c8 in handle_event (connection=0x21f0630) at /sda/src/rds-mysql/plugin/threadpool/threadpool_unix.cc:1611
#31 0x00007f4f96434825 in worker_main (param=0x7f4f9663a600 <all_groups+2048>) at /sda/src/rds-mysql/plugin/threadpool/threadpool_unix.cc:1664
#32 0x0000000000b65735 in pfs_spawn_thread (arg=0x21e6000) at /sda/src/rds-mysql/storage/perfschema/pfs.cc:1860
#33 0x00007f4fb182fdc5 in start_thread () from /lib64/libpthread.so.0
#34 0x00007f4fb06ff21d in clone () from /lib64/libc.so.6

How to repeat:
DROP DATABASE test;CREATE DATABASE test;USE test;
CREATE TABLE t1(c1 INT KEY)ENGINE=InnoDB;#NOERROR
ALTER TABLE t1 MODIFY c1 BIGINT;#NOERROR
XA START '123';#NOERROR
INSERT INTO t1 VALUES(0xF4DD);#NOERROR
INSERT INTO t1 VALUES(STR_TO_DATE('2000 10 000000','%Y %h %f'));#NOERROR
INSERT INTO t1 VALUES(3456);#ERROR: 1044 - Access denied for user0@0to database 'information_schema'
insert INTO t1 values(0xE8),(0xE9),(0xEA),(0xEB),(0xEC),(0xED),(0xEE),(0xEF);#ERROR: 1044 - Access denied for user0@0to database 'information_schema'
insert INTO t1 values('2004-04-01 00:00:00');#ERROR: 1044 - Access denied for user0@0to database 'information_schema'
insert into t1 values("100000000.0");#ERROR: 1044 - Access denied for user0@0to database 'information_schema'
insert INTO t1 values('5000000000');#ERROR: 1044 - Access denied for user0@0to database 'information_schema'
INSERT INTO t1 VALUES(0xAAE1);#ERROR: 1044 - Access denied for user0@0to database 'information_schema'
INSERT INTO t1 VALUES(0xA6BA);#ERROR: 1044 - Access denied for user0@0to database 'information_schema'
INSERT INTO t1 VALUES(connection_id());#ERROR: 1044 - Access denied for user0@0to database 'information_schema'
INSERT INTO t1 VALUES(0xA2E6),(0xA2E7);#NOERROR
INSERT INTO t1 VALUES(0xAFAB);#NOERROR
set global innodb_limit_optimistic_insert_debug=2;#NOERROR
INSERT INTO t1 VALUES(112.233e4);#NOERROR
INSERT INTO t1 VALUES();#ERROR: 1366 - Incorrect INT value:0for c 'c1' at row 1
insert ignore INTO t1 values(15),(0);#NOERROR
INSERT INTO t1 VALUES(0xA2B7);#NOERROR
INSERT INTO t1 VALUES('1970-01-01 00:00:01.000099');#ERROR: 1265 - Data truncated for c 'c1' at row 1
insert INTO t1 values(30);#NOERROR
delete FROM t1;#NOERROR
INSERT INTO t1 VALUES(-200101018385959.000000);#NOERROR
INSERT INTO t1 VALUES(0xA6EE);#NOERROR
insert into t1 values(0xF0BFBFBF);#NOERROR
INSERT INTO t1 VALUES(0xA6E0);#NOERROR
INSERT INTO t1 VALUES(0xA9B8);#NOERROR
INSERT INTO t1 VALUES(44),(45),(46);#NOERROR
INSERT INTO t1 VALUES(0xABAF);#NOERROR
INSERT INTO t1 VALUES('2001-01-01 00:00:02.000004');#NOERROR
set sql_buffer_result=1;#NOERROR
insert into t1 values('test1'),('test2');#ERROR: 1062 - Duplicate entry 0 for key0
insert INTO t1 values(0x0069),(0x0049),(0x00EC),(0x00CC),(0x1EC9),(0x1EC8),(0x0129),(0x0128),(0x00ED),(0x00CD),(0x1ECB),(0x1ECA);#NOERROR
INSERT INTO t1 VALUES(10);#ERROR: 1062 - Duplicate entry '10' for key0
INSERT INTO t1 VALUES(0xABC4);#NOERROR
DELETE t4 FROM t1,t1 AS t4;#NOERROR
INSERT INTO t1 VALUES();#NOERROR
INSERT INTO t1 values(1),(2);#NOERROR
insert INTO t1 values(1e30),(-1e30);#NOERROR
INSERT INTO t1 VALUES('-1234.1e2 ');#NOERROR
DELETE FROM t1 WHERE c1>=5 LIMIT 1;#ERROR: 2006 - MySQL server has gone away
SELECT * FROM t1 WHERE c1<'2010-00-01 00:00:00';
[17 Oct 2017 12:57] kfpanda kf
If it is not reproduced once, it can be executed many times.
The description after the statement can be ignored
[17 Oct 2017 13:11] Umesh Shastry
Hello!

Thank you for the report and test case.
I'm seeing the reported issue with 5.6.37 debug build but it is not repeatable with latest 5.6.38 debug build. I could not locate any internal/community bug confirming this. Please could you try with 5.6.38 and confirm us if you are still seeing the issue? If you can provide more information, feel free to add it to this bug and change the status back to 'Open'.

Thank you for your interest in MySQL.

Thanks,
Umesh
[17 Oct 2017 13:12] Umesh Shastry
test results

Attachment: 88121.results (application/octet-stream, text), 23.43 KiB.