Crash in _ma_unpin_all_pages / _ma_search on DELETE with Aria search engine

Bug #614265 reported by Philip Stoev
Affects: MariaDB
Status: Fix Released
Importance: High
Assigned to: Michael Widenius

Bug Description

The following sequence of queries causes a crash in Maria 5.2. MyISAM is not affected.

CREATE TABLE X ( f1 DOUBLE , f2 DOUBLE , f3 DOUBLE , f4 DOUBLE , v3 DOUBLE , v4 DOUBLE , KEY ( v3 ) , KEY ( v4 ) ) engine=maria;
REPLACE X ( f2 , f1 ) VALUES ( f2 , 56 ) ;
INSERT X ( f1 , f2 , f3 , f4 ) VALUES ( 0 , f2 , 8 , f3 ) ;
INSERT X ( f4 , f2 ) VALUES ( 4 , 92 ) ;
DELETE FROM X WHERE v3 = 173 OR v4 = 9 ;

backtrace:

#3 0x0826e718 in handle_segfault (sig=11) at mysqld.cc:2727
#4 <signal handler called>
#5 _ma_unpin_all_pages (info=0xb601f800, undo_lsn=0) at ma_key_recover.c:70
#6 0x0853d60d in _ma_search (info=0xb601f800, key=0xb6e4bec8, nextflag=33, pos=8192) at ma_search.c:87
#7 0x0853c6a5 in maria_rkey (info=0xb601f800, buf=0xb5f0c340 "\213", inx=0, key_data=0xb5f54da8 "", keypart_map=1, search_flag=HA_READ_KEY_EXACT)
    at ma_rkey.c:102
#8 0x0852e01d in ha_maria::index_read_map (this=0xb5f46090, buf=0xb5f0c340 "\213", key=0xb5f54da8 "", keypart_map=1, find_flag=HA_READ_KEY_EXACT)
    at ha_maria.cc:2113
#9 0x081a2885 in handler::ha_index_read_map (this=0xb5f46090, buf=0xb5f0c340 "\213", key=0xb5f54da8 "", keypart_map=1, find_flag=HA_READ_KEY_EXACT)
    at sql_class.h:3190
#10 0x083aa651 in handler::read_range_first (this=0xb5f46090, start_key=0xb5f46728, end_key=0xb5f46738, eq_range_arg=true, sorted=false) at handler.cc:4422
#11 0x083aa1f8 in handler::read_multi_range_first (this=0xb5f46090, found_range_p=0xb6e4c07c, ranges=0xb5f46728, range_count=1, sorted=false, buffer=0x0)
    at handler.cc:4296
#12 0x0839256f in QUICK_RANGE_SELECT::get_next (this=0xb5f54c60) at opt_range.cc:8562
#13 0x08382908 in QUICK_ROR_UNION_SELECT::reset (this=0xb5f46688) at opt_range.cc:1596
#14 0x083346c7 in mysql_delete (thd=0x99758e0, table_list=0xb5f44a30, conds=0xb5f45c80, order=0x9977330, limit=18446744073709551615, options=0,
    reset_auto_increment=false) at sql_delete.cc:263
#15 0x0828449f in mysql_execute_command (thd=0x99758e0) at sql_parse.cc:3365
#16 0x0828c81b in mysql_parse (thd=0x99758e0, inBuf=0xb5f3f908 "DELETE FROM X WHERE v3 = 173 OR v4 = 9", length=45, found_semicolon=0xb6e4d22c)
    at sql_parse.cc:6055
#17 0x0827ea17 in dispatch_command (command=COM_QUERY, thd=0x99758e0, packet=0x99778e1 "DELETE FROM X WHERE v3 = 173 OR v4 = 9 ", packet_length=48)
    at sql_parse.cc:1204
#18 0x0827debb in do_command (thd=0x99758e0) at sql_parse.cc:898
#19 0x0827ae7c in handle_one_connection (arg=0x99758e0) at sql_connect.cc:1154
#20 0x00a08919 in start_thread () from /lib/libpthread.so.0
#21 0x001ede5e in clone () from /lib/libc.so.6

bzr version-info:

revision-id: <email address hidden>
date: 2010-08-05 22:56:11 +0300
build-date: 2010-08-06 12:13:51 +0300
revno: 2837
branch-nick: maria-5.2

Changed in maria:
importance: Undecided → High
milestone: none → 5.2
Philip Stoev (pstoev-askmonty) wrote:

UPDATEs are also affected, with a similar stack trace.

summary: - Crash in _ma_search on DELETE with Aria search engine
+ Crash in _ma_unpin_all_pages / _ma_search on DELETE with Aria search engine
Philip Stoev (pstoev-askmonty) wrote:

This is a regression, not reproducible with MariaDB 5.1.47.

tags: added: regression
Michael Widenius (monty)
Changed in maria:
assignee: nobody → Michael Widenius (monty)
Michael Widenius (monty)
Changed in maria:
milestone: 5.2 → 5.1
Michael Widenius (monty)
Changed in maria:
status: New → Fix Committed
Michael Widenius (monty)
Changed in maria:
status: Fix Committed → Fix Released