Crash in hp_extract_record() in mysql-55-eb

Bug #783530 reported by Philip Stoev on 2011-05-16
Affects: percona-projects-qa
Status: Triaged
Importance: High
Assigned to: Laurynas Biveinis
Milestone: 5.5.13-eb

Bug Description

The RQG DDL workload caused the following crash:

# 2011-05-16T18:08:35 #2 0x0000000000555d72 in handle_segfault (sig=11) at /home/philips/bzr/mysql-55-eb/sql/mysqld.cc:2546
# 2011-05-16T18:08:35 #3 <signal handler called>
# 2011-05-16T18:08:35 #4 0x00000035a6e83802 in memcpy () from /lib64/libc.so.6
# 2011-05-16T18:08:35 #5 0x0000000000967d72 in hp_extract_record (info=0x7fa128009650,
# 2011-05-16T18:08:35 record=0x7fa12800a120 "\004\333\003\330\346\310\366\027~\237\"\255\277\244\252\235\365z~\247\251^\366\177\245V\260\315\356\277'\355\324\064\002\n~\355\272\302\003\234_?l\253h\245ϩ\227;\321v-98\264\177\334/\347q\275\\ed\003\030\361^\340_ӷ\370\337\337Xu4\332\372\264\352\237\324\254\351Y.-\256\373\005U_P\037\322\030暯\366ne\177i\257\177\251Uo\364\277Isך\372\177\255\372P'\324۶t\372P\275F\227\206}ce\254\227\226\345\027\262\342\342\367\330\332\355m^\256P\374\313t\364\355\376E>#S\a\371j\247\261\304s\351\311\026\032\253s\353?\242/\003h\016\021\260;\363k{~\233\377",
# 2011-05-16T18:08:35 pos=0x7fa12838b8e0 "\004\005\005\005\006\a\f\b\a\a\a\a\017\v\v\t\f\021\017\022\022\021\017\021\021\023\026\034\027\023\024\032\025\021\021\030!\030\032\035\035\037\037\037\023\027\"$\"\036$\034\036\037\036\377", <incomplete sequence \333>) at /home/philips/bzr/mysql-55-eb/storage/heap/hp_record.c:391
# 2011-05-16T18:08:35 #6 0x00000000009680ff in heap_scan (info=0x7fa12800b070,
# 2011-05-16T18:08:35 record=0x7fa12800a120 "\004\333\003\330\346\310\366\027~\237\"\255\277\244\252\235\365z~\247\251^\366\177\245V\260\315\356\277'\355\324\064\002\n~\355\272\302\003\234_?l\253h\245ϩ\227;\321v-98\264\177\334/\347q\275\\ed\003\030\361^\340_ӷ\370\337\337Xu4\332\372\264\352\237\324\254\351Y.-\256\373\005U_P\037\322\030暯\366ne\177i\257\177\251Uo\364\277Isך\372\177\255\372P'\324۶t\372P\275F\227\206}ce\254\227\226\345\027\262\342\342\367\330\332\355m^\256P\374\313t\364\355\376E>#S\a\371j\247\261\304s\351\311\026\032\253s\353?\242/\003h\016\021\260;\363k{~\233\377") at /home/philips/bzr/mysql-55-eb/storage/heap/hp_scan.c:70
# 2011-05-16T18:08:35 #7 0x0000000000960be9 in ha_heap::rnd_next (this=0x7fa128009d30,
# 2011-05-16T18:08:35 buf=0x7fa12800a120 "\004\333\003\330\346\310\366\027~\237\"\255\277\244\252\235\365z~\247\251^\366\177\245V\260\315\356\277'\355\324\064\002\n~\355\272\302\003\234_?l\253h\245ϩ\227;\321v-98\264\177\334/\347q\275\\ed\003\030\361^\340_ӷ\370\337\337Xu4\332\372\264\352\237\324\254\351Y.-\256\373\005U_P\037\322\030暯\366ne\177i\257\177\251Uo\364\277Isך\372\177\255\372P'\324۶t\372P\275F\227\206}ce\254\227\226\345\027\262\342\342\367\330\332\355m^\256P\374\313t\364\355\376E>#S\a\371j\247\261\304s\351\311\026\032\253s\353?\242/\003h\016\021\260;\363k{~\233\377") at /home/philips/bzr/mysql-55-eb/storage/heap/ha_heap.cc:381
# 2011-05-16T18:08:35 #8 0x000000000085bf39 in rr_sequential (info=0x7fa1683d3ef0) at /home/philips/bzr/mysql-55-eb/sql/records.cc:455
# 2011-05-16T18:08:35 #9 0x000000000069536b in mysql_update (thd=0x2d35250, table_list=0x7fa128004f20, fields=..., values=..., conds=0x7fa128005d80, order_num=0, order=0x0,
# 2011-05-16T18:08:35 limit=18446744073709551357, handle_duplicates=DUP_ERROR, ignore=false, found_return=0x7fa1683d4cd0, updated_return=0x7fa1683d4cc8)
# 2011-05-16T18:08:35 at /home/philips/bzr/mysql-55-eb/sql/sql_update.cc:644
# 2011-05-16T18:08:35 #10 0x00000000005f6f18 in mysql_execute_command (thd=0x2d35250) at /home/philips/bzr/mysql-55-eb/sql/sql_parse.cc:2662
# 2011-05-16T18:08:35 #11 0x00000000005fed7b in mysql_parse (thd=0x2d35250,
# 2011-05-16T18:08:35 rawbuf=0x7fa128004c70 "UPDATE global_2 SET f3 = LOAD_FILE('/home/philips/bzr/randgen-heap/data/earth579kb.jpg') WHERE f4 NOT IN ( 'c' , REPEAT( 'xzhfwssmufnqdahpaietnjxybsengokmacjixcszrbpubccaotyrpxkhtpuvtexgdehjansyudksbnasdwcwgbeghmeafnsehfbnkfeppdvijoikmrfgjxf' , 7 ) )", length=250,
# 2011-05-16T18:08:35 parser_state=0x7fa1683d5630) at /home/philips/bzr/mysql-55-eb/sql/sql_parse.cc:5503
# 2011-05-16T18:08:35 #12 0x00000000005f2cf5 in dispatch_command (command=COM_QUERY, thd=0x2d35250,
# 2011-05-16T18:08:35 packet=0x2d380c1 "UPDATE global_2 SET f3 = LOAD_FILE('/home/philips/bzr/randgen-heap/data/earth579kb.jpg') WHERE f4 NOT IN ( 'c' , REPEAT( 'xzhfwssmufnqdahpaietnjxybsengokmacjixcszrbpubccaotyrpxkhtpuvtexgdehjansyudksbnasdwcwgbeghmeafnsehfbnkfeppdvijoikmrfgjxf' , 7 ) )", packet_length=250)
# 2011-05-16T18:08:35 at /home/philips/bzr/mysql-55-eb/sql/sql_parse.cc:1034
# 2011-05-16T18:08:35 #13 0x00000000005f1f52 in do_command (thd=0x2d35250) at /home/philips/bzr/mysql-55-eb/sql/sql_parse.cc:771
# 2011-05-16T18:08:35 #14 0x00000000006d7beb in do_handle_one_connection (thd_arg=0x2d35250) at /home/philips/bzr/mysql-55-eb/sql/sql_connect.cc:776
# 2011-05-16T18:08:35 #15 0x00000000006d7832 in handle_one_connection (arg=0x2d35250) at /home/philips/bzr/mysql-55-eb/sql/sql_connect.cc:724
# 2011-05-16T18:08:35 #16 0x00000035a7207761 in start_thread () from /lib64/libpthread.so.0
# 2011-05-16T18:08:35 #17 0x00000035a6ee098d in clone () from /lib64/libc.so.6

Philip Stoev (pstoev-askmonty) wrote:

Core + binary:

http://fedora13.selfip.org/var-bug783530.zip

[philips@fedora13 mysql-test]$ bzr version-info
revision-id: <email address hidden>
date: 2011-05-13 20:06:14 -0300
build-date: 2011-05-16 18:12:29 +0300
revno: 3467
branch-nick: mysql-55-eb

Philip Stoev (pstoev-askmonty) wrote:

Partially-simplified test case. May contain queries that are not relevant. Run with valgrind to get the following warning (among others):

==21196== Invalid read of size 1
==21196== at 0x803EDC: hp_extract_record (in /home/philips/bzr/mysql-55-eb-release/sql/mysqld)
==21196== by 0x80443F: heap_scan (in /home/philips/bzr/mysql-55-eb-release/sql/mysqld)
==21196== by 0x7FFA9E: ha_heap::rnd_next(unsigned char*) (in /home/philips/bzr/mysql-55-eb-release/sql/mysqld)
==21196== by 0x745B2E: rr_sequential(READ_RECORD*) (in /home/philips/bzr/mysql-55-eb-release/sql/mysqld)
==21196== by 0x5E6548: mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, enum_duplicates, bool, unsigned long long*, unsigned long long*) (in /home/philips/bzr/mysql-55-eb-release/sql/mysqld)
==21196== by 0x576CA1: mysql_execute_command(THD*) (in /home/philips/bzr/mysql-55-eb-release/sql/mysqld)
==21196== by 0x57A179: mysql_parse(THD*, char*, unsigned int, Parser_state*) (in /home/philips/bzr/mysql-55-eb-release/sql/mysqld)
==21196== by 0x57B523: dispatch_command(enum_server_command, THD*, char*, unsigned int) (in /home/philips/bzr/mysql-55-eb-release/sql/mysqld)
==21196== by 0x613F12: do_handle_one_connection(THD*) (in /home/philips/bzr/mysql-55-eb-release/sql/mysqld)
==21196== by 0x613FBB: handle_one_connection (in /home/philips/bzr/mysql-55-eb-release/sql/mysqld)
==21196== by 0x7FCCD5: pfs_spawn_thread (in /home/philips/bzr/mysql-55-eb-release/sql/mysqld)
==21196== by 0x35A7207760: start_thread (in /lib64/libpthread-2.12.2.so)
==21196== by 0xFA526FF: ???
==21196== Address 0xbec6a28 is not stack'd, malloc'd or (recently) free'd
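
The triage in this report hinges on matching the first Valgrind error against the one in #783451. The following is an added example, not code from the bug report or from Percona, that parses memcheck error blocks like the one above and derives a deduplication key from the error kind plus the top symbolised frames; the sample input is the page's own first error block, and the `depth` of three frames is an assumption.

```python
import re

# Constructed sample input: the first Valgrind error block quoted in this bug
# report, with the frame lines as they appear on the page.
VALGRIND_SAMPLE = """\
==21196== Invalid read of size 1
==21196== at 0x803EDC: hp_extract_record (in /home/philips/bzr/mysql-55-eb-release/sql/mysqld)
==21196== by 0x80443F: heap_scan (in /home/philips/bzr/mysql-55-eb-release/sql/mysqld)
==21196== by 0x7FFA9E: ha_heap::rnd_next(unsigned char*) (in /home/philips/bzr/mysql-55-eb-release/sql/mysqld)
==21196== by 0x745B2E: rr_sequential(READ_RECORD*) (in /home/philips/bzr/mysql-55-eb-release/sql/mysqld)
==21196== by 0xFA526FF: ???
==21196== Address 0xbec6a28 is not stack'd, malloc'd or (recently) free'd
"""

ERROR_RE = re.compile(r"^==\d+==\s+(Invalid (?:read|write) of size \d+)")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.*)$")

def _function_name(rest):
    # Drop the "(in <binary>)" suffix and any C++ parameter list; unknown
    # frames stay as "???".
    return rest.split(" (in ")[0].split("(")[0].strip()

def parse_valgrind_errors(text):
    """One (kind, frames) tuple per memcheck error block, frames innermost first."""
    errors = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            errors.append((m.group(1), []))
            continue
        m = FRAME_RE.match(line)
        if m and errors:
            errors[-1][1].append(_function_name(m.group(1)))
    return errors

def crash_signature(kind, frames, depth=3):
    """Dedup key: error kind plus the top `depth` symbolised frames. Unsymbolised
    '???' frames are skipped so they do not split otherwise identical reports."""
    named = [f for f in frames if f != "???"]
    return kind + " @ " + " <- ".join(named[:depth])

def same_first_error(report_a, report_b, depth=3):
    """True when both reports' first Valgrind error has the same signature, the
    basis on which this report was matched against its duplicate."""
    ea, eb = parse_valgrind_errors(report_a), parse_valgrind_errors(report_b)
    return bool(ea and eb) and crash_signature(*ea[0], depth) == crash_signature(*eb[0], depth)
```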

Changed in percona-projects-qa:
milestone: none → 5.5.13-eb

Philip Stoev (pstoev-askmonty) wrote:

To run the test case, please use --mysqld=--secure-file-priv=/path/to/randgen where /path/to/randgen is a directory obtained by running "bzr branch lp:randgen"

Reproduced. For the record: in the partially-simplified test cases one has to fix the paths to the randgen directory.

Changed in percona-projects-qa:
assignee: nobody → Laurynas Biveinis (laurynas-biveinis)
importance: Undecided → High
Changed in percona-projects-qa:
status: New → In Progress

Reduces to the exact same testcase as #783451 to the first Valgrind error. I'm not closing as duplicate; let's re-reduce after fixing the first error.

Changed in percona-projects-qa:
status: In Progress → Triaged

Analyzed/fixed enough to confirm as a duplicate.
