1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Bug #14500557 CRASH WHEN USING LONG INNODB INDEXES

Browse Source 
The ha_innobase table handler contained two search key buffers
(srch_key_val1, srch_key_val2) of fixed size used to store the search
key.  The size of these buffers where fixed at
REC_VERSION_56_MAX_INDEX_COL_LEN + 2.  But this size is not sufficient
to hold the search key.  Hence the following assert in
row_sel_convert_mysql_key_to_innobase() failed.

2438                 /* Storing may use at most data_len bytes of buf */
2439 
2440                 if (UNIV_LIKELY(!is_null)) {
2441                         ut_a(buf + data_len <= original_buf + buf_len);
2442                         row_mysql_store_col_in_innobase_format(
2443                                 dfield, buf,
2444                                 FALSE, /* MySQL key value format col */
2445                                 key_ptr + data_offset, data_len,
2446                                 dict_table_is_comp(index->table));
2447                         buf += data_len;
2448                 }

The buffer size is now calculated with the formula
MAX_KEY_LENGTH + MAX_REF_PARTS*2.  This properly takes into account
the extra bytes needed to store the length for each column.  An index
can contain a maximum of MAX_REF_PARTS columns in it, and for each
column 2 bytes are needed to store length.  

rb://1238 approved by Marko and Vasil Dimov.
This commit is contained in:
Annamalai Gurusami 2012-09-04 14:33:56 +05:30
parent 4473cf902a
commit 9d41d7c57b
2 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
storage/innobase/handler/ha_innodb.h
View File

@ -80,12 +80,13 @@ class ha_innobase: public handler
uchar* upd_buf; /*!< buffer used in updates */
ulint upd_buf_size; /*!< the size of upd_buf in bytes */
uchar srch_key_val1[REC_VERSION_56_MAX_INDEX_COL_LEN + 2];
uchar srch_key_val2[REC_VERSION_56_MAX_INDEX_COL_LEN + 2];
uchar srch_key_val1[MAX_KEY_LENGTH + MAX_REF_PARTS*2];
uchar srch_key_val2[MAX_KEY_LENGTH + MAX_REF_PARTS*2];
/*!< buffers used in converting
search key values from MySQL format
to InnoDB format. "+ 2" for the two
bytes where the length is stored */
to InnoDB format. For each column
2 bytes are used to store length,
hence MAX_REF_PARTS*2. */
Table_flags int_table_flags;
uint primary_key;
ulong start_of_scan; /*!< this is set to 1 when we are

3
storage/innobase/row/row0sel.c
View File

@ -2487,6 +2487,9 @@ row_sel_convert_mysql_key_to_innobase(
dfield++;
}
DBUG_EXECUTE_IF("innodb_srch_key_buffer_full",
ut_a(buf == (original_buf + buf_len)););
ut_a(buf <= original_buf + buf_len);
/* We set the length of tuple to n_fields: we assume that the memory